@better-update/cli 0.42.1 → 0.44.0

package/dist/index.mjs

@@ -23,7 +23,7 @@ import os, { tmpdir } from "node:os";
 import { fileURLToPath } from "node:url";
 import { maxBy, uniqBy } from "es-toolkit";
 import forge from "node-forge";
-import { AndroidConfig } from "@expo/config-plugins";
+import configPlugins from "@expo/config-plugins";
 import plistMod from "@expo/plist";
 import { ExpoRunFormatter } from "@expo/xcpretty";
 import { Buffer as Buffer$1 } from "node:buffer";
@@ -35,7 +35,7 @@ var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.42.1";
+var version = "0.44.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -133,6 +133,148 @@ const UploadHeaders = Schema.Record({
 	value: Schema.String
 });
 
+//#endregion
+//#region ../../packages/api/src/domain/user-encryption-key.ts
+/**
+* A recipient key's role. A `device` key is user-owned (works across the user's
+* orgs); `recovery` (offline break-glass) and `machine` (CI) keys are org-owned
+* and have no `userId`.
+*/
+const EncryptionKeyKind = Schema.Literal("device", "recovery", "machine");
+/** An age recipient string (`age1...`) — a public key safe for the server to hold. */
+const AgeRecipient = Schema.String.pipe(Schema.minLength(1), Schema.startsWith("age1")).annotations({ description: "age recipient public key (age1...)" });
+/** An SSH-style key fingerprint (`SHA256:...`) shown for out-of-band verification. */
+const KeyFingerprint = Schema.String.pipe(Schema.startsWith("SHA256:"), Schema.minLength(8)).annotations({ description: "SSH-style key fingerprint (SHA256:...)" });
+/**
+* A registered public recipient. Private keys never leave the owner's machine;
+* the server only ever holds the public half.
+*/
+var UserEncryptionKey = class extends Schema.Class("UserEncryptionKey")({
+	id: Id,
+	userId: Schema.NullOr(Id),
+	organizationId: Schema.NullOr(Id),
+	kind: EncryptionKeyKind,
+	publicKey: AgeRecipient,
+	label: Name120,
+	fingerprint: KeyFingerprint,
+	createdAt: DateTimeString,
+	lastUsedAt: Schema.NullOr(DateTimeString),
+	revokedAt: Schema.NullOr(DateTimeString)
+}) {};
+/** Register a new public recipient (device on first use, or a CI/recovery key). */
+const RegisterEncryptionKeyBody = Schema.Struct({
+	kind: EncryptionKeyKind,
+	publicKey: AgeRecipient,
+	label: Name120,
+	fingerprint: KeyFingerprint
+});
+
+//#endregion
+//#region ../../packages/api/src/domain/account-key.ts
+/**
+* Argon2id cost parameters carried in an account-key escrow header. The browser
+* re-derives the KEK with these to open the escrow, so they travel with the blob
+* (an enrollment can use heavier params without a format change).
+*/
+const AccountKeyKdfParams = Schema.Struct({
+	time: Schema.Number.pipe(Schema.int(), Schema.positive()),
+	memory: Schema.Number.pipe(Schema.int(), Schema.positive()),
+	parallelism: Schema.Number.pipe(Schema.int(), Schema.positive())
+});
+/** A base64 Ed25519 public key — reserved for the deferred signed-roster integrity layer. */
+const Ed25519PublicKey = Schema.String.pipe(Schema.minLength(1)).annotations({ description: "base64-encoded Ed25519 public key (reserved for signed-roster integrity)" });
+/**
+* A per-user account key's PUBLIC view (no escrow ciphertext). The age public key
+* is the env-vault recipient the browser unwraps with; the escrow that holds the
+* private halves is served only by the gated {@link AccountKeyEscrow} endpoint.
+*/
+var AccountKey = class extends Schema.Class("AccountKey")({
+	id: Id,
+	userId: Id,
+	agePublicKey: AgeRecipient,
+	ed25519PublicKey: Ed25519PublicKey,
+	fingerprint: KeyFingerprint,
+	createdAt: DateTimeString,
+	lastUsedAt: Schema.NullOr(DateTimeString),
+	revokedAt: Schema.NullOr(DateTimeString)
+}) {};
+/**
+* The full passphrase-sealed escrow for the caller — everything the browser needs
+* to open it locally ({@link AccountKeyKdfParams} + salt + ciphertext). The server
+* stores it opaquely and can never open it. Served by the `getMe` endpoint, which
+* is gated on `vaultAccess:read`; a 2FA step-up for browser sessions is REQUIRED
+* before any web consumer ships but is not yet implemented (P4). The contents stay
+* passphrase-sealed regardless. `version`/`kdf`/`cipher` are the fixed v1 envelope
+* constants, echoed so the browser can rebuild the crypto envelope.
+*/
+var AccountKeyEscrow = class extends Schema.Class("AccountKeyEscrow")({
+	id: Id,
+	version: Schema.Literal(1),
+	agePublicKey: AgeRecipient,
+	ed25519PublicKey: Ed25519PublicKey,
+	fingerprint: KeyFingerprint,
+	kdf: Schema.Literal("argon2id"),
+	kdfParams: AccountKeyKdfParams,
+	salt: Schema.String.pipe(Schema.minLength(1)),
+	cipher: Schema.Literal("xchacha20poly1305"),
+	escrowCt: Schema.String.pipe(Schema.minLength(1)),
+	createdAt: DateTimeString
+}) {};
+/**
+* Register the caller's account key. The CLI generates the keypair and seals the
+* private halves under the passphrase BEFORE calling this — the server only ever
+* receives the public keys + the opaque escrow ciphertext + its KDF header.
+*/
+const RegisterAccountKeyBody = Schema.Struct({
+	agePublicKey: AgeRecipient,
+	ed25519PublicKey: Ed25519PublicKey,
+	fingerprint: KeyFingerprint,
+	kdfParams: AccountKeyKdfParams,
+	salt: Schema.String.pipe(Schema.minLength(1)),
+	escrowCt: Schema.String.pipe(Schema.minLength(1))
+});
+/**
+* The org's members' live account keys (public view). The env-vault cutover and
+* rotation fetch it to enumerate the account-key recipients and resolve each
+* `account_keys.id` to the `age` recipient the new env key is wrapped to.
+*/
+const AccountKeyList = Schema.Struct({ items: Schema.Array(AccountKey) });
+/**
+* Re-seal the caller's account-key escrow under a new passphrase (the CLI
+* `passphrase change` flow). The keypair itself is unchanged — only the
+* passphrase-derived seal — so every env-vault wrap to it stays valid.
+*/
+const ResealAccountKeyBody = Schema.Struct({
+	kdfParams: AccountKeyKdfParams,
+	salt: Schema.String.pipe(Schema.minLength(1)),
+	escrowCt: Schema.String.pipe(Schema.minLength(1))
+});
+
+//#endregion
+//#region ../../packages/api/src/domain/errors.ts
+var BadRequest = class extends Schema.TaggedError()("BadRequest", { message: Schema.String }, HttpApiSchema.annotations({ status: 400 })) {};
+var Conflict = class extends Schema.TaggedError()("Conflict", { message: Schema.String }, HttpApiSchema.annotations({ status: 409 })) {};
+var NotAcceptable = class extends Schema.TaggedError()("NotAcceptable", { message: Schema.String }, HttpApiSchema.annotations({ status: 406 })) {};
+
+//#endregion
+//#region ../../packages/api/src/groups/account-keys.ts
+var AccountKeysGroup = class extends HttpApiGroup.make("accountKeys").add(HttpApiEndpoint.post("register", "/api/account-keys").setPayload(RegisterAccountKeyBody).addSuccess(AccountKey, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Register account key",
+	description: "Register the caller's per-user account key — the env-vault recipient the browser unwraps with. The CLI seals the private halves under the passphrase first; the server stores the escrow opaquely."
+}))).add(HttpApiEndpoint.get("list", "/api/account-keys").addSuccess(AccountKeyList).annotateContext(OpenApi.annotations({
+	title: "List org account keys",
+	description: "List the live account keys of the org's members (public view, admin) — the env-vault cutover/rotate uses it to enumerate the account-key recipients and resolve each id to its age recipient."
+}))).add(HttpApiEndpoint.patch("reseal", "/api/account-keys/me").setPayload(ResealAccountKeyBody).addSuccess(AccountKey).annotateContext(OpenApi.annotations({
+	title: "Re-seal account-key escrow",
+	description: "Re-seal the caller's account-key escrow under a new passphrase (the CLI `passphrase change` flow). The keypair is unchanged, so every env-vault wrap to it stays valid."
+}))).add(HttpApiEndpoint.get("getMe", "/api/account-keys/me").addSuccess(AccountKeyEscrow).annotateContext(OpenApi.annotations({
+	title: "Get my account-key escrow",
+	description: "Return the caller's passphrase-sealed account-key escrow for local unlock. The contents stay passphrase-sealed regardless of caller. Browser (cookie) callers must first complete a WebAuthn step-up via /api/web-vault/step-up; CLI bearer callers are exempt."
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Account Keys",
+	description: "Per-user account keys for browser-side env-vault access"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/admin.ts
 /**
@@ -270,12 +412,6 @@ var AndroidApplicationIdentifier = class extends Schema.Class("AndroidApplicatio
 const CreateAndroidApplicationIdentifierBody = Schema.Struct({ packageName: AndroidPackageName });
 const DeleteAndroidApplicationIdentifierResult = DeletedResult;
 
-//#endregion
-//#region ../../packages/api/src/domain/errors.ts
-var BadRequest = class extends Schema.TaggedError()("BadRequest", { message: Schema.String }, HttpApiSchema.annotations({ status: 400 })) {};
-var Conflict = class extends Schema.TaggedError()("Conflict", { message: Schema.String }, HttpApiSchema.annotations({ status: 409 })) {};
-var NotAcceptable = class extends Schema.TaggedError()("NotAcceptable", { message: Schema.String }, HttpApiSchema.annotations({ status: 406 })) {};
-
 //#endregion
 //#region ../../packages/api/src/groups/android-application-identifiers.ts
 const projectIdParam$6 = HttpApiSchema.param("projectId", Schema.String);
@@ -364,7 +500,17 @@ var OrgVault = class extends Schema.Class("OrgVault")({
 	*/
 	rotationPending: Schema.Boolean,
 	rotationPendingSince: Schema.NullOr(DateTimeString),
-	rotationPendingReason: Schema.NullOr(Schema.String)
+	rotationPendingReason: Schema.NullOr(Schema.String),
+	/**
+	* Env-vault (EV) state from the two-vault split. `envVaultCutoverAt` is `null`
+	* until the org forks its env values into a separate key; while `null`,
+	* `envVaultVersion` is unused and env stays part of the credentials vault.
+	*/
+	envVaultVersion: VaultVersion,
+	envRotationPending: Schema.Boolean,
+	envRotationPendingSince: Schema.NullOr(DateTimeString),
+	envRotationPendingReason: Schema.NullOr(Schema.String),
+	envVaultCutoverAt: Schema.NullOr(DateTimeString)
 }) {};
 /**
 * One wrap of the org vault key to a recipient's public key — an `age` blob the
@@ -403,10 +549,32 @@ const VaultWrapInput = Schema.Struct({
 	wrappedKey: Schema.String.pipe(Schema.minLength(1))
 });
 /**
-* Bootstrap the org vault on the first upload: the initial wrap rows, which must
-* include the uploader's own recipient and the offline recovery recipient.
+* An env-vault recipient kind. Superset of the credentials-vault recipient kinds
+* plus `account` — the per-user account key the browser unwraps the env vault
+* with. `recipientId` references `user_encryption_keys.id` for the first three and
+* `account_keys.id` for `account` (polymorphic; see migration 0071). Defined here
+* (alongside `VaultWrapInput`) rather than in `env-vault.ts` so `BootstrapVaultBody`
+* can carry env wraps without a circular import (`env-vault.ts` → `org-vault.ts`).
 */
-const BootstrapVaultBody = Schema.Struct({ wraps: Schema.Array(VaultWrapInput).pipe(Schema.minItems(1)) });
+const EnvVaultRecipientKind = Schema.Literal("device", "recovery", "machine", "account");
+/** One recipient's env-vault wrap row in a bootstrap / cutover / grant / rotate submission (age blob, base64). */
+const EnvVaultWrapInput = Schema.Struct({
+	recipientKind: EnvVaultRecipientKind,
+	recipientId: Id,
+	wrappedKey: Schema.String.pipe(Schema.minLength(1))
+});
+/**
+* Bootstrap the org vault: the initial credential-vault wrap rows AND the initial
+* env-vault wrap rows, each of which must include the uploader's own recipient and
+* the offline recovery recipient. Orgs are "born forked" — the env vault is set up
+* at bootstrap (server stamps the cutover + env version), so a separate
+* `env-vault migrate` step is never needed. `envWraps` is required: a client that
+* cannot produce them is too old to bootstrap.
+*/
+const BootstrapVaultBody = Schema.Struct({
+	wraps: Schema.Array(VaultWrapInput).pipe(Schema.minItems(1)),
+	envWraps: Schema.Array(EnvVaultWrapInput).pipe(Schema.minItems(1))
+});
 /**
 * Add a single wrap row at the current vault version (grant another user, or
 * self-link your own device). Authz is enforced server-side; the wrap itself is
@@ -1650,10 +1818,18 @@ const EnvVarListScope = Schema.Literal("all", "project", "global");
 * AAD `credentialId` when sealing; the envelope fields are the opaque ciphertext,
 * wrapped DEK, and vault version. The server stores these and never decrypts —
 * env var values are end-to-end encrypted, like credentials.
+*
+* `vaultKind` names which vault the DEK was sealed under. It is OPTIONAL for
+* back-compat: a pre-split CLI omits it (the server treats absence as
+* `"credentials"`). Once an org cuts over to a separate env vault, the server
+* requires `"env"` here — without it a credentials-keyed blob from an un-upgraded
+* (or racing) CLI would otherwise be silently stored into an env-vault row and be
+* permanently undecryptable. See `assertEnvVaultWriteAllowed`.
 */
 const EnvVarValueEnvelope = Schema.Struct({
 	id: Id,
-	...encryptedEnvelopeFields
+	...encryptedEnvelopeFields,
+	vaultKind: Schema.optional(Schema.Literal("credentials", "env"))
 });
 /**
 * Env var metadata. The value is **not** here — it lives encrypted in the
@@ -1751,6 +1927,9 @@ var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoi
 }))).add(HttpApiEndpoint.get("get")`/api/env-vars/${idParam}`.addSuccess(EnvVar).annotateContext(OpenApi.annotations({
 	title: "Get environment variable",
 	description: "Get an environment variable's metadata by ID (no value)"
+}))).add(HttpApiEndpoint.get("getValue")`/api/env-vars/${idParam}/value`.addSuccess(EnvVarValueEnvelope).annotateContext(OpenApi.annotations({
+	title: "Get sealed env-var value",
+	description: "Return the active value's sealed envelope (ciphertext, wrapped DEK, vault version) for client-side decryption in the browser env-vault. Browser (cookie) callers must first complete a WebAuthn step-up; CLI bearer callers use the bulk export instead."
 }))).add(HttpApiEndpoint.patch("update")`/api/env-vars/${idParam}`.setPayload(UpdateEnvVarBody).addSuccess(EnvVar).annotateContext(OpenApi.annotations({
 	title: "Update environment variable",
 	description: "Change the value (a new sealed revision) and/or the visibility tier. The environment is immutable."
@@ -1777,6 +1956,105 @@ var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoi
 	description: "Manage end-to-end encrypted, versioned environment variables for project builds"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/env-vault.ts
+/** One wrap of the env-vault key to a recipient (an opaque `age` blob). */
+var OrgEnvVaultKeyWrap = class extends Schema.Class("OrgEnvVaultKeyWrap")({
+	organizationId: Id,
+	envVaultVersion: VaultVersion,
+	recipientKind: EnvVaultRecipientKind,
+	recipientId: Id,
+	wrappedKey: Schema.String,
+	createdAt: DateTimeString
+}) {};
+/** The wrapped env-vault key for the calling recipient — fetched, then unwrapped client-side. */
+const RecipientEnvVaultKey = Schema.Struct({
+	envVaultVersion: VaultVersion,
+	wrappedKey: Schema.String
+});
+/** A recipient currently holding the env-vault key (kind + id + when wrapped). */
+const EnvVaultRecipientRef = Schema.Struct({
+	recipientKind: EnvVaultRecipientKind,
+	recipientId: Id,
+	createdAt: DateTimeString
+});
+/** Every recipient holding the env-vault key at the current version. */
+const EnvVaultRecipients = Schema.Struct({
+	envVaultVersion: VaultVersion,
+	recipients: Schema.Array(EnvVaultRecipientRef)
+});
+/** Add a single env wrap at the current env version (grant or self-link). */
+const AddEnvVaultWrapBody = Schema.Struct({
+	envVaultVersion: VaultVersion,
+	wrap: EnvVaultWrapInput
+});
+/** One env-var revision's DEK re-wrapped under the env-vault key (cutover/rotation). */
+const EnvVaultDekUpdate = Schema.Struct({
+	credentialId: Id,
+	wrappedDek: WrappedDek
+});
+/** One env-var revision's currently-stored wrapped DEK + version (the rotation source). */
+const EnvVaultDekRef = Schema.Struct({
+	credentialId: Id,
+	wrappedDek: WrappedDek,
+	vaultVersion: VaultVersion
+});
+/** Every wrapped env DEK + the current env-vault version (the rotation source set). */
+const EnvVaultCredentialDeks = Schema.Struct({
+	envVaultVersion: VaultVersion,
+	deks: Schema.Array(EnvVaultDekRef)
+});
+/**
+* The one-shot cutover: fork the org's env values into a separate env vault. The
+* client generates the env key, wraps it to every recipient (device/recovery/
+* machine + each member's account key), and re-keys every env DEK from the
+* credentials key to the env key. Must include an offline recovery recipient and
+* re-key every env-var revision.
+*/
+const CutoverEnvVaultBody = Schema.Struct({
+	wraps: Schema.Array(EnvVaultWrapInput).pipe(Schema.minItems(1)),
+	envDeks: Schema.Array(EnvVaultDekUpdate)
+});
+/**
+* Rotate (or revoke) the env-vault key. The client generates a new key at
+* `fromVersion + 1`, re-wraps every env DEK under it, and re-wraps the new key to
+* the surviving recipients. Applied atomically with compare-and-swap on
+* `fromVersion`; must re-key every env-var revision.
+*/
+const RotateEnvVaultBody = Schema.Struct({
+	fromVersion: VaultVersion,
+	wraps: Schema.Array(EnvVaultWrapInput).pipe(Schema.minItems(1)),
+	envDeks: Schema.Array(EnvVaultDekUpdate)
+});
+
+//#endregion
+//#region ../../packages/api/src/groups/env-vault.ts
+/** `:recipientKind` / `:recipientId` path params for a polymorphic env recipient. */
+const recipientKindParam = HttpApiSchema.param("recipientKind", EnvVaultRecipientKind);
+const recipientIdParam = HttpApiSchema.param("recipientId", Id);
+var EnvVaultGroup = class extends HttpApiGroup.make("envVault").add(HttpApiEndpoint.post("cutover", "/api/env-vault/cutover").setPayload(CutoverEnvVaultBody).addSuccess(OrgVault).annotateContext(OpenApi.annotations({
+	title: "Cut over to the env vault",
+	description: "One-shot fork of the org's env values into a separate env vault: wrap the new env key to every recipient and re-key every env DEK in place. Idempotent (compare-and-swap on the cutover sentinel)."
+}))).add(HttpApiEndpoint.get("listWraps", "/api/env-vault/wraps").addSuccess(EnvVaultRecipients).annotateContext(OpenApi.annotations({
+	title: "List env-vault recipients",
+	description: "List the recipients holding the env-vault key at the current version"
+}))).add(HttpApiEndpoint.post("addWrap", "/api/env-vault/wraps").setPayload(AddEnvVaultWrapBody).addSuccess(OrgEnvVaultKeyWrap, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Add env-vault wrap",
+	description: "Wrap the env-vault key to a recipient — granting a member's account key (admin) or self-linking your own device/account key"
+}))).add(HttpApiEndpoint.get("getWrap")`/api/env-vault/wraps/${recipientKindParam}/${recipientIdParam}`.addSuccess(RecipientEnvVaultKey).annotateContext(OpenApi.annotations({
+	title: "Get env-vault wrap",
+	description: "Fetch the wrapped env-vault key for a recipient to unwrap locally"
+}))).add(HttpApiEndpoint.get("listCredentialDeks", "/api/env-vault/credential-deks").addSuccess(EnvVaultCredentialDeks).annotateContext(OpenApi.annotations({
+	title: "List wrapped env DEKs",
+	description: "Every wrapped env DEK + the current env-vault version — fetched to re-wrap under a new key during a rotation"
+}))).add(HttpApiEndpoint.post("rotate", "/api/env-vault/rotate").setPayload(RotateEnvVaultBody).addSuccess(OrgVault).annotateContext(OpenApi.annotations({
+	title: "Rotate env-vault key",
+	description: "Revoke or rotate (admin): bump the env-vault version, re-wrap every env DEK, and re-wrap the new key to the surviving recipients — applied atomically with compare-and-swap"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Env Vault",
+	description: "Manage the organization's separate end-to-end encrypted env-vault key wraps"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/groups/environments.ts
 /** `:name` path parameter — the environment name (built-in or user-defined). */
@@ -2670,42 +2948,6 @@ var UpdatesGroup = class extends HttpApiGroup.make("updates").add(HttpApiEndpoin
 	description: "Update publishing, deletion, republish, and per-update rollout endpoints"
 })) {};
 
-//#endregion
-//#region ../../packages/api/src/domain/user-encryption-key.ts
-/**
-* A recipient key's role. A `device` key is user-owned (works across the user's
-* orgs); `recovery` (offline break-glass) and `machine` (CI) keys are org-owned
-* and have no `userId`.
-*/
-const EncryptionKeyKind = Schema.Literal("device", "recovery", "machine");
-/** An age recipient string (`age1...`) — a public key safe for the server to hold. */
-const AgeRecipient = Schema.String.pipe(Schema.minLength(1), Schema.startsWith("age1")).annotations({ description: "age recipient public key (age1...)" });
-/** An SSH-style key fingerprint (`SHA256:...`) shown for out-of-band verification. */
-const KeyFingerprint = Schema.String.pipe(Schema.startsWith("SHA256:"), Schema.minLength(8)).annotations({ description: "SSH-style key fingerprint (SHA256:...)" });
-/**
-* A registered public recipient. Private keys never leave the owner's machine;
-* the server only ever holds the public half.
-*/
-var UserEncryptionKey = class extends Schema.Class("UserEncryptionKey")({
-	id: Id,
-	userId: Schema.NullOr(Id),
-	organizationId: Schema.NullOr(Id),
-	kind: EncryptionKeyKind,
-	publicKey: AgeRecipient,
-	label: Name120,
-	fingerprint: KeyFingerprint,
-	createdAt: DateTimeString,
-	lastUsedAt: Schema.NullOr(DateTimeString),
-	revokedAt: Schema.NullOr(DateTimeString)
-}) {};
-/** Register a new public recipient (device on first use, or a CI/recovery key). */
-const RegisterEncryptionKeyBody = Schema.Struct({
-	kind: EncryptionKeyKind,
-	publicKey: AgeRecipient,
-	label: Name120,
-	fingerprint: KeyFingerprint
-});
-
 //#endregion
 //#region ../../packages/api/src/groups/user-encryption-keys.ts
 var UserEncryptionKeysGroup = class extends HttpApiGroup.make("userEncryptionKeys").add(HttpApiEndpoint.get("list", "/api/encryption-keys").addSuccess(Schema.Struct({ items: Schema.Array(UserEncryptionKey) })).annotateContext(OpenApi.annotations({
@@ -2719,6 +2961,44 @@ var UserEncryptionKeysGroup = class extends HttpApiGroup.make("userEncryptionKey
 	description: "Register and list end-to-end encryption recipient public keys"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/web-vault.ts
+/**
+* A WebAuthn authentication assertion, JSON-stringified by the browser
+* (`@better-auth/passkey/client` drives `navigator.credentials.get()`), carried
+* as a single string so the wire payload stays a plain object with no opaque
+* `unknown` fields. The step-up handler parses it and hands it to better-auth's
+* `verifyPasskeyAuthentication`; the exact inner shape is the plugin's contract,
+* not ours.
+*/
+const PasskeyStepUpBody = Schema.Struct({ assertionJson: Schema.String });
+/**
+* Result of a successful step-up: the ISO instant the server recorded, which the
+* env-vault gate now treats as the start of the step-up TTL window for this
+* session.
+*/
+const PasskeyStepUpResult = Schema.Struct({ verifiedAt: Schema.String });
+
+//#endregion
+//#region ../../packages/api/src/groups/web-vault.ts
+/**
+* Web-vault step-up: the WebAuthn re-authentication a browser session performs
+* before it may read/write env values (the "2FA mandatory before web env access"
+* rule, spec §P4). The browser fetches a challenge from better-auth's
+* `generate-authenticate-options`, runs the passkey ceremony, then POSTs the
+* assertion here; the server verifies it via the passkey plugin and records a
+* fresh step-up for THIS session. The env-vault write gate
+* (assert-web-env-step-up) consults that record. CLI/CI (bearer) callers never
+* need this — they are exempt from the gate.
+*/
+var WebVaultGroup = class extends HttpApiGroup.make("webVault").add(HttpApiEndpoint.post("stepUp", "/api/web-vault/step-up").setPayload(PasskeyStepUpBody).addSuccess(PasskeyStepUpResult).annotateContext(OpenApi.annotations({
+	title: "WebAuthn step-up",
+	description: "Verify a fresh passkey assertion for the current browser session and record the step-up. Required before browser env-value reads/writes; cookie transport only."
+}))).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Web Vault",
+	description: "WebAuthn step-up for browser env-vault access"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/webhook.ts
 const WebhookEventName = Schema.Literal("update.published", "build.completed");
@@ -2775,7 +3055,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(EnvironmentsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(RuntimesGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(ApplePushCertificatesGroup).add(ApplePayCertificatesGroup).add(ApplePassTypeCertificatesGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(PoliciesGroup).add(GroupsGroup).add(PolicyAttachmentsGroup).add(ApiKeysGroup).add(InvitationsGroup).add(MembersGroup).add(OrganizationGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(EnvironmentsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(RuntimesGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(ApplePushCertificatesGroup).add(ApplePayCertificatesGroup).add(ApplePassTypeCertificatesGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(AccountKeysGroup).add(EnvVaultGroup).add(WebVaultGroup).add(MeGroup).add(WebhooksGroup).add(PoliciesGroup).add(GroupsGroup).add(PolicyAttachmentsGroup).add(ApiKeysGroup).add(InvitationsGroup).add(MembersGroup).add(OrganizationGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -3731,8 +4011,16 @@ const VAULT_CACHE_TTL_MS = 900 * 1e3;
 /** Bounds for a user-chosen TTL (`credentials unlock --duration`). */
 const VAULT_CACHE_TTL_MIN_MS = 60 * 1e3;
 const VAULT_CACHE_TTL_MAX_MS = 1440 * 60 * 1e3;
-/** Keychain service name; the account is the recipient's public key. */
+/** Keychain service name; the account is the recipient's public key (per {@link cacheAccount}). */
 const KEYCHAIN_SERVICE = "better-update-vault";
+/**
+* The keychain account a recipient's cached key is stored under, namespaced by
+* vault kind so the credentials and env vaults cache independently. The
+* credentials vault keeps the bare public key — byte-identical to entries written
+* before the two-vault split, so an upgrade keeps any live unlock — while the env
+* vault is prefixed.
+*/
+const cacheAccount = (publicKey, vaultKind = "credentials") => vaultKind === "env" ? `env:${publicKey}` : publicKey;
 const isCachedVaultEntry = (value) => isRecord$1(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
 /** Serialize an unlocked vault into a keychain blob, stamping a TTL from `now`. */
 const encodeCacheEntry = (vault, now, ttlMs = VAULT_CACHE_TTL_MS) => JSON.stringify({
@@ -3765,28 +4053,30 @@ const VaultCacheLive = Layer.effect(VaultCache, Effect.gen(function* () {
 		const flag = yield* runtime.getEnv("BETTER_UPDATE_NO_CACHE");
 		return flag !== void 0 && flag.length > 0 && flag !== "0" && flag !== "false";
 	});
-	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.orElseSucceed(() => null));
-	const writeRaw = (publicKey, blob) => Effect.try(() => {
-		new Entry(KEYCHAIN_SERVICE, publicKey).setPassword(blob);
+	const readRaw = (account) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, account).getPassword()).pipe(Effect.orElseSucceed(() => null));
+	const writeRaw = (account, blob) => Effect.try(() => {
+		new Entry(KEYCHAIN_SERVICE, account).setPassword(blob);
 	}).pipe(Effect.ignore);
-	const deleteRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).deletePassword()).pipe(Effect.ignore);
+	const deleteRaw = (account) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, account).deletePassword()).pipe(Effect.ignore);
 	return {
-		get: (publicKey) => Effect.gen(function* () {
+		get: (publicKey, vaultKind) => Effect.gen(function* () {
 			if (yield* cacheDisabled) return;
-			const raw = yield* readRaw(publicKey);
+			const account = cacheAccount(publicKey, vaultKind);
+			const raw = yield* readRaw(account);
 			if (raw === null) return;
 			const decoded = decodeCacheEntry(raw, yield* Clock.currentTimeMillis);
 			if (decoded === void 0) {
-				yield* deleteRaw(publicKey);
+				yield* deleteRaw(account);
 				return;
 			}
 			return decoded;
 		}),
-		set: (publicKey, vault, ttlMs) => Effect.gen(function* () {
+		set: (publicKey, vault, opts) => Effect.gen(function* () {
 			if (yield* cacheDisabled) return;
-			yield* writeRaw(publicKey, encodeCacheEntry(vault, yield* Clock.currentTimeMillis, ttlMs));
+			const now = yield* Clock.currentTimeMillis;
+			yield* writeRaw(cacheAccount(publicKey, opts?.vaultKind), encodeCacheEntry(vault, now, opts?.ttlMs));
 		}),
-		clear: (publicKey) => deleteRaw(publicKey)
+		clear: (publicKey, vaultKind) => deleteRaw(cacheAccount(publicKey, vaultKind))
 	};
 }));
 
@@ -5764,7 +6054,7 @@ const listCommand$9 = defineCommand({
 		]), "No branches found.");
 	}))
 });
-const createCommand$5 = defineCommand({
+const createCommand$6 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a branch"
@@ -5872,7 +6162,7 @@ const branchesCommand = defineCommand({
 	subCommands: {
 		list: listCommand$9,
 		view: viewCommand$3,
-		create: createCommand$5,
+		create: createCommand$6,
 		rename: renameCommand$2,
 		delete: deleteCommand$7
 	}
@@ -9007,7 +9297,7 @@ const sha512 = /* @__PURE__ */ createHasher$1(() => new _SHA512(), /* @__PURE__
 //#endregion
 //#region ../../packages/credentials-crypto/src/aead.ts
 const aead = managedNonce(xchacha20poly1305);
-const textEncoder$2 = new TextEncoder();
+const textEncoder$3 = new TextEncoder();
 const KEY_BYTES$1 = 32;
 const LENGTH_PREFIX_BYTES = 4;
 /** A fresh 32-byte symmetric key — an org vault key or a per-credential DEK. */
@@ -9029,7 +9319,7 @@ const aeadDecrypt = (key, sealed, aad) => aead(key, aad).decrypt(sealed);
 * ever encode to the same bytes (prevents cross-binding confusion).
 */
 const encodeAad = (domain, parts) => {
-	const segments = [domain, ...parts.map(String)].map((text) => textEncoder$2.encode(text));
+	const segments = [domain, ...parts.map(String)].map((text) => textEncoder$3.encode(text));
 	const size = segments.reduce((total, seg) => total + LENGTH_PREFIX_BYTES + seg.length, 0);
 	const out = new Uint8Array(size);
 	const view = new DataView(out.buffer);
@@ -9041,7 +9331,7 @@ const encodeAad = (domain, parts) => {
 	return out;
 };
 /** SSH-style fingerprint of an age recipient string: `SHA256:<base64, no padding>`. */
-const fingerprint = (recipient) => `SHA256:${toBase64(sha256$1(textEncoder$2.encode(recipient))).replace(/=+$/u, "")}`;
+const fingerprint = (recipient) => `SHA256:${toBase64(sha256$1(textEncoder$3.encode(recipient))).replace(/=+$/u, "")}`;
 
 //#endregion
 //#region ../../node_modules/.bun/@noble+hashes@2.2.0/node_modules/@noble/hashes/_blake.js
@@ -17823,6 +18113,191 @@ var PrimeEdwardsPoint = class {
 		return this;
 	}
 };
+/**
+* Initializes EdDSA signatures over given Edwards curve.
+* @param Point - Edwards point constructor.
+* @param cHash - Hash function.
+* @param eddsaOpts - Optional signature helpers. See {@link EdDSAOpts}.
+* @returns EdDSA helper namespace.
+* @throws If the hash function, options, or derived point operations are invalid. {@link Error}
+* @example
+* Initializes EdDSA signatures over given Edwards curve.
+*
+* ```ts
+* import { eddsa } from '@noble/curves/abstract/edwards.js';
+* import { jubjub } from '@noble/curves/misc.js';
+* import { sha512 } from '@noble/hashes/sha2.js';
+* const sigs = eddsa(jubjub.Point, sha512);
+* const { secretKey, publicKey } = sigs.keygen();
+* const msg = new TextEncoder().encode('hello noble');
+* const sig = sigs.sign(msg, secretKey);
+* const isValid = sigs.verify(sig, msg, publicKey);
+* ```
+*/
+function eddsa(Point, cHash, eddsaOpts = {}) {
+	if (typeof cHash !== "function") throw new Error("\"hash\" function param is required");
+	const hash = cHash;
+	const opts = eddsaOpts;
+	validateObject(opts, {}, {
+		adjustScalarBytes: "function",
+		randomBytes: "function",
+		domain: "function",
+		prehash: "function",
+		zip215: "boolean",
+		mapToCurve: "function"
+	});
+	const { prehash } = opts;
+	const { BASE, Fp, Fn } = Point;
+	const outputLen = hash.outputLen;
+	const expectedLen = 2 * Fp.BYTES;
+	if (outputLen !== void 0) {
+		asafenumber(outputLen, "hash.outputLen");
+		if (outputLen !== expectedLen) throw new Error(`hash.outputLen must be ${expectedLen}, got ${outputLen}`);
+	}
+	const randomBytes = opts.randomBytes === void 0 ? randomBytes$1 : opts.randomBytes;
+	const adjustScalarBytes = opts.adjustScalarBytes === void 0 ? (bytes) => bytes : opts.adjustScalarBytes;
+	const domain = opts.domain === void 0 ? (data, ctx, phflag) => {
+		abool(phflag, "phflag");
+		if (ctx.length || phflag) throw new Error("Contexts/pre-hash are not supported");
+		return data;
+	} : opts.domain;
+	function modN_LE(hash) {
+		return Fn.create(bytesToNumberLE(hash));
+	}
+	function getPrivateScalar(key) {
+		const len = lengths.secretKey;
+		abytes(key, lengths.secretKey, "secretKey");
+		const hashed = abytes(hash(key), 2 * len, "hashedSecretKey");
+		const head = adjustScalarBytes(hashed.slice(0, len));
+		return {
+			head,
+			prefix: hashed.slice(len, 2 * len),
+			scalar: modN_LE(head)
+		};
+	}
+	/** Convenience method that creates public key from scalar. RFC8032 5.1.5
+	* Also exposes the derived scalar/prefix tuple and point form reused by sign().
+	*/
+	function getExtendedPublicKey(secretKey) {
+		const { head, prefix, scalar } = getPrivateScalar(secretKey);
+		const point = BASE.multiply(scalar);
+		return {
+			head,
+			prefix,
+			scalar,
+			point,
+			pointBytes: point.toBytes()
+		};
+	}
+	/** Calculates EdDSA pub key. RFC8032 5.1.5. */
+	function getPublicKey(secretKey) {
+		return getExtendedPublicKey(secretKey).pointBytes;
+	}
+	function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
+		return modN_LE(hash(domain(concatBytes(...msgs), abytes(context, void 0, "context"), !!prehash)));
+	}
+	/** Signs message with secret key. RFC8032 5.1.6 */
+	function sign(msg, secretKey, options = {}) {
+		msg = abytes(msg, void 0, "message");
+		if (prehash) msg = prehash(msg);
+		const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
+		const r = hashDomainToScalar(options.context, prefix, msg);
+		const R = BASE.multiply(r).toBytes();
+		const k = hashDomainToScalar(options.context, R, pointBytes, msg);
+		const s = Fn.create(r + k * scalar);
+		if (!Fn.isValid(s)) throw new Error("sign failed: invalid s");
+		return abytes(concatBytes(R, Fn.toBytes(s)), lengths.signature, "result");
+	}
+	const verifyOpts = { zip215: opts.zip215 };
+	/**
+	* Verifies EdDSA signature against message and public key. RFC 8032 §§5.1.7 and 5.2.7.
+	* A cofactored verification equation is checked.
+	*/
+	function verify(sig, msg, publicKey, options = verifyOpts) {
+		const { context } = options;
+		const zip215 = options.zip215 === void 0 ? !!verifyOpts.zip215 : options.zip215;
+		const len = lengths.signature;
+		sig = abytes(sig, len, "signature");
+		msg = abytes(msg, void 0, "message");
+		publicKey = abytes(publicKey, lengths.publicKey, "publicKey");
+		if (zip215 !== void 0) abool(zip215, "zip215");
+		if (prehash) msg = prehash(msg);
+		const mid = len / 2;
+		const r = sig.subarray(0, mid);
+		const s = bytesToNumberLE(sig.subarray(mid, len));
+		let A, R, SB;
+		try {
+			A = Point.fromBytes(publicKey, zip215);
+			R = Point.fromBytes(r, zip215);
+			SB = BASE.multiplyUnsafe(s);
+		} catch (error) {
+			return false;
+		}
+		if (!zip215 && A.isSmallOrder()) return false;
+		const k = hashDomainToScalar(context, r, publicKey, msg);
+		return R.add(A.multiplyUnsafe(k)).subtract(SB).clearCofactor().is0();
+	}
+	const _size = Fp.BYTES;
+	const lengths = {
+		secretKey: _size,
+		publicKey: _size,
+		signature: 2 * _size,
+		seed: _size
+	};
+	function randomSecretKey(seed) {
+		seed = seed === void 0 ? randomBytes(lengths.seed) : seed;
+		return abytes(seed, lengths.seed, "seed");
+	}
+	function isValidSecretKey(key) {
+		return isBytes(key) && key.length === lengths.secretKey;
+	}
+	function isValidPublicKey(key, zip215) {
+		try {
+			return !!Point.fromBytes(key, zip215 === void 0 ? verifyOpts.zip215 : zip215);
+		} catch (error) {
+			return false;
+		}
+	}
+	const utils = {
+		getExtendedPublicKey,
+		randomSecretKey,
+		isValidSecretKey,
+		isValidPublicKey,
+		/**
+		* Converts ed public key to x public key. Uses formula:
+		* - ed25519:
+		*   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+		*   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+		* - ed448:
+		*   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+		*   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+		*/
+		toMontgomery(publicKey) {
+			const { y } = Point.fromBytes(publicKey);
+			const size = lengths.publicKey;
+			const is25519 = size === 32;
+			if (!is25519 && size !== 57) throw new Error("only defined for 25519 and 448");
+			const u = is25519 ? Fp.div(_1n$2 + y, _1n$2 - y) : Fp.div(y - _1n$2, y + _1n$2);
+			return Fp.toBytes(u);
+		},
+		toMontgomerySecret(secretKey) {
+			const size = lengths.secretKey;
+			abytes(secretKey, size);
+			return adjustScalarBytes(hash(secretKey.subarray(0, size))).subarray(0, size);
+		}
+	};
+	Object.freeze(lengths);
+	Object.freeze(utils);
+	return Object.freeze({
+		keygen: createKeygen(randomSecretKey, getPublicKey),
+		getPublicKey,
+		sign,
+		verify,
+		utils,
+		Point,
+		lengths
+	});
+}
 
 //#endregion
 //#region ../../node_modules/.bun/@noble+curves@2.2.0/node_modules/@noble/curves/abstract/montgomery.js
@@ -18033,6 +18508,31 @@ function uvRatio(u, v) {
 const ed25519_Point = /* @__PURE__ */ edwards(ed25519_CURVE, { uvRatio });
 const Fp = /* @__PURE__ */ (() => ed25519_Point.Fp)();
 const Fn = /* @__PURE__ */ (() => ed25519_Point.Fn)();
+function ed(opts) {
+	return eddsa(ed25519_Point, sha512, Object.assign({
+		adjustScalarBytes,
+		zip215: true
+	}, opts));
+}
+/**
+* ed25519 curve with EdDSA signatures.
+* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
+* 32-byte seed buffer instead of copying it.
+* @example
+* Generate one Ed25519 keypair, sign a message, and verify it.
+*
+* ```js
+* import { ed25519 } from '@noble/curves/ed25519.js';
+* const { secretKey, publicKey } = ed25519.keygen();
+* // const publicKey = ed25519.getPublicKey(secretKey);
+* const msg = new TextEncoder().encode('hello noble');
+* const sig = ed25519.sign(msg, secretKey);
+* const isValid = ed25519.verify(sig, msg, publicKey); // ZIP215
+* // RFC8032 / FIPS 186-5
+* const isValid2 = ed25519.verify(sig, msg, publicKey, { zip215: false });
+* ```
+*/
+const ed25519 = /* @__PURE__ */ ed({});
 /**
 * ECDH using curve25519 aka x25519.
 * `getSharedSecret()` rejects low-order peer inputs by default, and seeded
@@ -19113,8 +19613,9 @@ function isCryptoKey(key) {
 
 //#endregion
 //#region ../../packages/credentials-crypto/src/identity.ts
-const textEncoder$1 = new TextEncoder();
-const textDecoder$1 = new TextDecoder();
+const textEncoder$2 = new TextEncoder();
+const textDecoder$2 = new TextDecoder();
+/** Salt length for the passphrase KDF (shared by the identity + account-key seals). */
 const SALT_BYTES = 16;
 const KEY_BYTES = 32;
 /** OWASP-recommended Argon2id defaults (~64 MiB), tuned for ~250–500 ms. */
@@ -19135,6 +19636,7 @@ const generateIdentity = async () => {
 };
 /** Derive the age recipient (`age1...`) from an identity private key. */
 const deriveRecipient = async (privateKey) => identityToRecipient(privateKey);
+/** Argon2id(passphrase, salt) → 32-byte KEK. Shared by the identity + account-key seals. */
 const deriveKek = (passphrase, salt, params) => {
 	return argon2id(passphrase, salt, {
 		t: params.time,
@@ -19155,8 +19657,8 @@ const sealIdentity = async (args) => {
 	const publicKey = await identityToRecipient(args.privateKey);
 	const kdfParams = args.kdfParams ?? DEFAULT_ARGON2_PARAMS;
 	const fp = fingerprint(publicKey);
-	const salt = randomBytes$5(SALT_BYTES);
-	const ct = aeadEncrypt(deriveKek(args.passphrase, salt, kdfParams), textEncoder$1.encode(args.privateKey), sealAad({
+	const salt = randomBytes$5(16);
+	const ct = aeadEncrypt(deriveKek(args.passphrase, salt, kdfParams), textEncoder$2.encode(args.privateKey), sealAad({
 		publicKey,
 		fingerprint: fp,
 		kdfParams
@@ -19181,7 +19683,7 @@ const sealIdentity = async (args) => {
 const openIdentity = async (args) => {
 	const { file } = args;
 	const kek = deriveKek(args.passphrase, fromBase64(file.salt), file.kdfParams);
-	const privateKey = textDecoder$1.decode(aeadDecrypt(kek, fromBase64(file.ct), sealAad(file)));
+	const privateKey = textDecoder$2.decode(aeadDecrypt(kek, fromBase64(file.ct), sealAad(file)));
 	const publicKey = await identityToRecipient(privateKey);
 	return {
 		privateKey,
@@ -19211,7 +19713,12 @@ const unwrapVaultKey = async (args) => {
 	decrypter.addIdentity(args.privateKey);
 	return decrypter.decrypt(args.wrapped);
 };
-const dekAad = (binding) => encodeAad("better-update/dek", [
+const dekAad = (binding) => binding.vaultKind === "env" ? encodeAad("better-update/dek", [
+	binding.orgId,
+	binding.credentialId,
+	binding.vaultVersion,
+	"env"
+]) : encodeAad("better-update/dek", [
 	binding.orgId,
 	binding.credentialId,
 	binding.vaultVersion
@@ -19227,8 +19734,8 @@ const unwrapDek = (args) => aeadDecrypt(args.vaultKey, args.wrappedDek, dekAad(a
 
 //#endregion
 //#region ../../packages/credentials-crypto/src/credential.ts
-const textEncoder = new TextEncoder();
-const textDecoder = new TextDecoder();
+const textEncoder$1 = new TextEncoder();
+const textDecoder$1 = new TextDecoder();
 const blobAad = (binding) => encodeAad("better-update/credential", [
 	binding.orgId,
 	binding.credentialId,
@@ -19236,7 +19743,7 @@ const blobAad = (binding) => encodeAad("better-update/credential", [
 	binding.schemaVersion
 ]);
 /** Encrypt a credential payload with its DEK, binding its identity as AAD. */
-const sealCredential = (args) => aeadEncrypt(args.dek, textEncoder.encode(JSON.stringify(args.payload)), blobAad(args.payload));
+const sealCredential = (args) => aeadEncrypt(args.dek, textEncoder$1.encode(JSON.stringify(args.payload)), blobAad(args.payload));
 /**
 * Decrypt a credential blob with its DEK. The AAD binds the blob to `expect`, so
 * a blob for another (org, credential, type, schema) fails the tag instead of
@@ -19246,7 +19753,99 @@ const sealCredential = (args) => aeadEncrypt(args.dek, textEncoder.encode(JSON.s
 */
 const openCredential = (args) => {
 	const plaintext = aeadDecrypt(args.dek, args.ciphertext, blobAad(args.expect));
-	return JSON.parse(textDecoder.decode(plaintext));
+	return JSON.parse(textDecoder$1.decode(plaintext));
+};
+
+//#endregion
+//#region ../../packages/credentials-crypto/src/account-key.ts
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+/**
+* Argon2id cost for the ACCOUNT escrow. Deliberately heavier than the on-disk
+* identity default (`DEFAULT_ARGON2_PARAMS`, ~64 MiB): the escrow blob is stored
+* server-side, so it is more exposed than a local `identity.json` and warrants a
+* costlier KDF. ~128 MiB. The params live in the envelope, so an enrollment can be
+* re-tuned without a format change — validate pure-JS Argon2id perf in the browser
+* before raising this. See docs/specs/build/11-two-vault-split-and-web-env-crud.md §3.2.
+*/
+const ACCOUNT_ARGON2_PARAMS = {
+	time: 3,
+	memory: 131072,
+	parallelism: 1
+};
+/** Narrow a decrypted escrow payload to {@link SealedAccountSecret} without an unsafe cast. */
+const isSealedAccountSecret = (value) => typeof value === "object" && value !== null && "agePrivateKey" in value && typeof value.agePrivateKey === "string" && "ed25519PrivateKey" in value && typeof value.ed25519PrivateKey === "string";
+/** Generate a fresh account keypair: an age X25519 key plus an Ed25519 signing key. */
+const generateAccountKey = async () => {
+	const agePrivateKey = await generateIdentity$1();
+	const agePublicKey = await identityToRecipient(agePrivateKey);
+	const ed = ed25519.keygen();
+	return {
+		agePrivateKey,
+		agePublicKey,
+		ed25519PrivateKey: toBase64(ed.secretKey),
+		ed25519PublicKey: toBase64(ed.publicKey),
+		fingerprint: fingerprint(agePublicKey)
+	};
+};
+const escrowAad = (header) => encodeAad("better-update/account-key", [
+	header.agePublicKey,
+	header.ed25519PublicKey,
+	header.fingerprint,
+	header.kdfParams.time,
+	header.kdfParams.memory,
+	header.kdfParams.parallelism
+]);
+/** Seal an account keypair into its escrow envelope with a passphrase. */
+const sealAccountKey = (args) => {
+	const kdfParams = args.kdfParams ?? ACCOUNT_ARGON2_PARAMS;
+	const salt = randomBytes$5(16);
+	const kek = deriveKek(args.passphrase, salt, kdfParams);
+	const header = {
+		agePublicKey: args.material.agePublicKey,
+		ed25519PublicKey: args.material.ed25519PublicKey,
+		fingerprint: args.material.fingerprint,
+		kdfParams
+	};
+	const secret = {
+		agePrivateKey: args.material.agePrivateKey,
+		ed25519PrivateKey: args.material.ed25519PrivateKey
+	};
+	const ct = aeadEncrypt(kek, textEncoder.encode(JSON.stringify(secret)), escrowAad(header));
+	return {
+		version: 1,
+		agePublicKey: header.agePublicKey,
+		ed25519PublicKey: header.ed25519PublicKey,
+		fingerprint: header.fingerprint,
+		kdf: "argon2id",
+		kdfParams,
+		salt: toBase64(salt),
+		cipher: "xchacha20poly1305",
+		ct: toBase64(ct)
+	};
+};
+/**
+* Open an account escrow envelope. Throws (propagated AEAD failure) on a wrong
+* passphrase or a tampered envelope — the seal binds both public keys, the
+* fingerprint, and the KDF params as AAD. The returned public halves are
+* **re-derived from the decrypted private keys**, so they always match the keys
+* they unlock (mirrors `openIdentity`).
+*/
+const openAccountKey = async (args) => {
+	const { envelope } = args;
+	const plaintext = aeadDecrypt(deriveKek(args.passphrase, fromBase64(envelope.salt), envelope.kdfParams), fromBase64(envelope.ct), escrowAad(envelope));
+	const parsed = JSON.parse(textDecoder.decode(plaintext));
+	if (!isSealedAccountSecret(parsed)) throw new Error("Account escrow payload has an unexpected shape.");
+	const secret = parsed;
+	const agePublicKey = await identityToRecipient(secret.agePrivateKey);
+	const ed25519PublicKey = toBase64(ed25519.getPublicKey(fromBase64(secret.ed25519PrivateKey)));
+	return {
+		agePrivateKey: secret.agePrivateKey,
+		agePublicKey,
+		ed25519PrivateKey: secret.ed25519PrivateKey,
+		ed25519PublicKey,
+		fingerprint: fingerprint(agePublicKey)
+	};
 };
 
 //#endregion
@@ -19423,7 +20022,7 @@ const unlockVaultKeyInteractive = (api, options) => Effect.gen(function* () {
 	const cached = yield* cache.get(recipient.publicKey);
 	if (cached !== void 0) return cached.vault;
 	const vault = yield* unlockVaultKey(api, yield* promptPassword("Passphrase to unlock this device's identity:"));
-	yield* cache.set(recipient.publicKey, vault, options?.cacheTtlMs);
+	yield* cache.set(recipient.publicKey, vault, { ttlMs: options?.cacheTtlMs });
 	return vault;
 }).pipe(Effect.provide(VaultCacheLive));
 /**
@@ -19484,7 +20083,8 @@ const getActiveOrgId = (api) => Effect.gen(function* () {
 const openVaultSessionInteractive = (api) => Effect.gen(function* () {
 	return {
 		orgId: yield* getActiveOrgId(api),
-		vault: yield* unlockVaultKeyInteractive(api)
+		vault: yield* unlockVaultKeyInteractive(api),
+		vaultKind: "credentials"
 	};
 });
 /** Reshape a sealed envelope into the `{ id, …opaque fields }` an upload body carries. */
@@ -19500,7 +20100,7 @@ const toUploadEnvelope = (envelope) => ({
 * `(org, credentialId, type, schemaVersion)` so the server cannot mix envelopes.
 */
 const sealForUpload = (args) => Effect.gen(function* () {
-	const { orgId, vault } = args.session;
+	const { orgId, vault, vaultKind } = args.session;
 	const credentialId = crypto.randomUUID();
 	const dek = generateDek();
 	const payload = {
@@ -19523,7 +20123,8 @@ const sealForUpload = (args) => Effect.gen(function* () {
 				binding: {
 					orgId,
 					credentialId,
-					vaultVersion: vault.vaultVersion
+					vaultVersion: vault.vaultVersion,
+					vaultKind
 				}
 			})
 		}),
@@ -19542,7 +20143,7 @@ const sealForUpload = (args) => Effect.gen(function* () {
 * also serves the build-resolve flow whose result carries the id out-of-band.
 */
 const openEnvelope = (args) => Effect.gen(function* () {
-	const { orgId, vault } = args.session;
+	const { orgId, vault, vaultKind } = args.session;
 	const dek = yield* Effect.try({
 		try: () => unwrapDek({
 			wrappedDek: fromBase64(args.envelope.wrappedDek),
@@ -19550,7 +20151,8 @@ const openEnvelope = (args) => Effect.gen(function* () {
 			binding: {
 				orgId,
 				credentialId: args.credentialId,
-				vaultVersion: args.envelope.vaultVersion
+				vaultVersion: args.envelope.vaultVersion,
+				vaultKind
 			}
 		}),
 		catch: () => new IdentityError({ message: "Could not unwrap this credential's key — vault access may have been rotated or revoked." })
@@ -19602,6 +20204,84 @@ const openFromDownload = (args) => {
 	});
 };
 
+//#endregion
+//#region src/application/env-vault-access.ts
+/**
+* Guidance when this device holds no env-vault wrap. Post-cutover the env vault is
+* a SEPARATE key from the credentials vault, so even a device that can read
+* credentials may not be an env recipient yet — it self-links by enrolling an
+* account key, or an admin re-runs the env-vault migration / rotation to include
+* it.
+*/
+const ENV_VAULT_NOT_RECIPIENT_GUIDANCE = "This device isn't an env-vault recipient. Run `better-update credentials account create` to enroll, or ask an admin to re-run `better-update credentials env-vault rotate` to include it.";
+/**
+* Unlock the ENV-vault key for this device via its env wrap (post-cutover). The
+* env vault holds a DIFFERENT key from the credentials vault — wrapped to the same
+* device/recovery/machine recipients PLUS per-user account keys — so this mirrors
+* {@link unlockVaultKey} but reads the polymorphic `org_env_vault_key_wraps` row
+* keyed by this device's `(recipientKind, keyId)`.
+*/
+const unlockEnvVaultKey = (api, passphrase) => Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	const privateKey = yield* unlockActivePrivateKey(passphrase);
+	const { items } = yield* api.userEncryptionKeys.list();
+	const own = items.find((key) => key.publicKey === recipient.publicKey);
+	if (!own) return yield* new IdentityError({ message: "This device's encryption key is not registered. Run `better-update credentials identity register` first." });
+	const wrap = yield* api.envVault.getWrap({ path: {
+		recipientKind: recipientKind(recipient.source),
+		recipientId: own.id
+	} }).pipe(Effect.catchTag("NotFound", () => new IdentityError({ message: ENV_VAULT_NOT_RECIPIENT_GUIDANCE })));
+	return {
+		vaultKey: yield* Effect.tryPromise({
+			try: async () => unwrapVaultKey({
+				wrapped: fromBase64(wrap.wrappedKey),
+				privateKey
+			}),
+			catch: () => new IdentityError({ message: "This device could not unwrap the env-vault key — its env access may have been revoked or rotated. Re-enroll or ask an admin to re-grant access." })
+		}),
+		vaultVersion: wrap.envVaultVersion,
+		keyId: own.id
+	};
+});
+/**
+* Cache-aware env-vault unlock, mirroring {@link unlockVaultKeyInteractive} but on
+* the `"env"` cache namespace so the credentials and env vaults cache (and lock)
+* independently. CI's `BETTER_UPDATE_IDENTITY` key is never cached.
+*/
+const unlockEnvVaultKeyInteractive = (api) => Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	if (recipient.source !== "file") return yield* unlockEnvVaultKey(api, void 0);
+	const cache = yield* VaultCache;
+	const cached = yield* cache.get(recipient.publicKey, "env");
+	if (cached !== void 0) return cached.vault;
+	const vault = yield* unlockEnvVaultKey(api, yield* promptPassword("Passphrase to unlock this device's identity:"));
+	yield* cache.set(recipient.publicKey, vault, { vaultKind: "env" });
+	return vault;
+}).pipe(Effect.provide(VaultCacheLive));
+/** Forget this device's cached env-vault key — called after an env rotation re-keys it. */
+const forgetCachedEnvVaultKey = Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	yield* (yield* VaultCache).clear(recipient.publicKey, "env");
+}).pipe(Effect.provide(VaultCacheLive));
+/**
+* Resolve the vault session env VALUES are sealed under, branched on the org's
+* cutover state. Pre-cutover (or no vault yet) env lives in the CREDENTIALS vault —
+* `openVaultSessionInteractive` returns a `"credentials"`-kind session, byte-for-
+* byte the pre-split behaviour. Once the org has cut over, env lives in its own
+* vault: unlock the env key and return an `"env"`-kind session so seal/open bind
+* the DEK to the env vault. Every env command (`set/get/pull/push/export/import`)
+* goes through this, so the cutover is transparent to them.
+*/
+const openEnvVaultSessionInteractive = (api) => Effect.gen(function* () {
+	const vault = yield* api.orgVault.get().pipe(Effect.catchTag("NotFound", () => Effect.succeed(null)));
+	if ((vault === null ? null : vault.envVaultCutoverAt) === null) return yield* openVaultSessionInteractive(api);
+	return {
+		orgId: yield* getActiveOrgId(api),
+		vault: yield* unlockEnvVaultKeyInteractive(api),
+		vaultKind: "env"
+	};
+});
+
 //#endregion
 //#region src/lib/credential-secret.ts
 /**
@@ -19643,7 +20323,7 @@ const exportDecryptedEnvVars = (api, projectId, environment) => Effect.gen(funct
 		environment
 	} }).pipe(Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
 	if (result.items.length === 0) return [];
-	return yield* decryptEnvVars(yield* openVaultSessionInteractive(api).pipe(Effect.mapError((cause) => new EnvExportError({ message: `Could not unlock the credential vault to decrypt environment variables: ${cause.message}` }))), result.items);
+	return yield* decryptEnvVars(yield* openEnvVaultSessionInteractive(api).pipe(Effect.mapError((cause) => new EnvExportError({ message: `Could not unlock the credential vault to decrypt environment variables: ${cause.message}` }))), result.items);
 });
 /**
 * Pull + decrypt environment variables flattened into a key/value map for
@@ -19662,7 +20342,7 @@ const pullEnvVars = (api, { projectId, environment }) => Effect.gen(function* ()
 * vault once; the server stores only the sealed envelopes (never the plaintext).
 */
 const uploadEnvVars = (api, params) => Effect.gen(function* () {
-	const session = yield* openVaultSessionInteractive(api);
+	const session = yield* openEnvVaultSessionInteractive(api);
 	const pairs = params.environments.flatMap((environment) => params.entries.map((entry) => ({
 		...entry,
 		environment
@@ -19683,7 +20363,8 @@ const uploadEnvVars = (api, params) => Effect.gen(function* () {
 			id: envelope.id,
 			ciphertext: envelope.ciphertext,
 			wrappedDek: envelope.wrappedDek,
-			vaultVersion: envelope.vaultVersion
+			vaultVersion: envelope.vaultVersion,
+			vaultKind: session.vaultKind
 		}
 	})), { concurrency: 8 });
 	return yield* api["env-vars"].bulkImport({ payload: {
@@ -21850,6 +22531,17 @@ const parseCert = (certDerBytes) => {
 	return forge.pki.certificateFromAsn1(asn1);
 };
 const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
+/**
+* Normalize an Apple certificate serial number for comparison.
+*
+* The serial read from a certificate's X.509 DER (via node-forge) keeps any
+* leading zero byte (e.g. `02C4E489…`), whereas the App Store Connect API
+* reports the same serial with leading zeros stripped (e.g. `2C4E489…`).
+* Comparing the two representations verbatim makes a present certificate look
+* absent ("not present on Apple Developer Portal"), so normalize both sides:
+* uppercase and drop leading zeros.
+*/
+const normalizeAppleSerial = (serial) => serial.toUpperCase().replace(/^0+/u, "");
 const extractCertMetadata = (cert) => Effect.gen(function* () {
 	const appleTeamId = extractTeamId$1(cert);
 	if (appleTeamId === null) return yield* new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" });
@@ -22089,9 +22781,9 @@ const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function*
 		issuerId: creds.issuerId,
 		p8Pem: creds.p8Pem
 	};
-	const targetSerial = local.serialNumber.toUpperCase();
+	const targetSerial = normalizeAppleSerial(local.serialNumber);
 	const matching = yield* Effect.all([listCertificates(ascCreds, { certificateType: "IOS_DISTRIBUTION" }), listCertificates(ascCreds, { certificateType: "IOS_DEVELOPMENT" })], { concurrency: 2 }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
-	const ascMatch = [...matching[0], ...matching[1]].find((entry) => entry.serialNumber.toUpperCase() === targetSerial);
+	const ascMatch = [...matching[0], ...matching[1]].find((entry) => normalizeAppleSerial(entry.serialNumber) === targetSerial);
 	let revokedOnApple = false;
 	if (ascMatch !== void 0) {
 		yield* deleteCertificate(ascCreds, ascMatch.id).pipe(Effect.mapError(wrapAscError("apple-revoke-certificate")));
@@ -22118,7 +22810,9 @@ const listAppleCertificates = (api, input) => Effect.gen(function* () {
 	}, compact({ certificateType: input.certificateType })).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
 });
 const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
-	const match = (yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")))).find((entry) => entry.serialNumber.toUpperCase() === serialNumber);
+	const certs = yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")));
+	const target = normalizeAppleSerial(serialNumber);
+	const match = certs.find((entry) => normalizeAppleSerial(entry.serialNumber) === target);
 	if (match === void 0) return yield* new GenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
@@ -22682,6 +23376,7 @@ const parsePlist = (data) => data.subarray(0, 8).equals(BPLIST_MAGIC) ? parsePli
 
 //#endregion
 //#region src/lib/update-channel-native.ts
+const { AndroidConfig } = configPlugins;
 /**
 * EAS parity: after `expo prebuild`, bake the build profile's `channel` into
 * the generated native projects as the `expo-channel-name` request header —
@@ -23093,8 +23788,8 @@ const findOrCreateBundleId = (ctx, bundleIdentifier) => Effect.gen(function* ()
 });
 const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(function* () {
 	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
-	const upper = serialNumber.toUpperCase();
-	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
+	const target = normalizeAppleSerial(serialNumber);
+	const match = certs.find((entry) => normalizeAppleSerial(entry.attributes.serialNumber) === target);
 	if (match === void 0) return yield* new AppleIdGenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
@@ -26172,7 +26867,7 @@ const resolveNamedResourceId$1 = (params) => resolveNamedResourceId$2(params, (m
 
 //#endregion
 //#region src/commands/channels/create.ts
-const createCommand$4 = defineCommand({
+const createCommand$5 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a channel"
@@ -26390,7 +27085,7 @@ const completeCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/create.ts
-const createCommand$3 = defineCommand({
+const createCommand$4 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Start a branch rollout on a channel"
@@ -26510,7 +27205,7 @@ const rolloutCommand$1 = defineCommand({
 		description: "Manage channel branch rollouts"
 	},
 	subCommands: {
-		create: createCommand$3,
+		create: createCommand$4,
 		update: updateCommand$3,
 		complete: completeCommand$1,
 		revert: revertCommand$2
@@ -26624,7 +27319,7 @@ const channelsCommand = defineCommand({
 	subCommands: {
 		list: listCommand$7,
 		view: viewCommand$2,
-		create: createCommand$4,
+		create: createCommand$5,
 		update: updateCommand$2,
 		pause: pauseCommand,
 		resume: resumeCommand,
@@ -28223,7 +28918,8 @@ const rotateVaultTo = (args) => Effect.gen(function* () {
 				binding: {
 					orgId,
 					credentialId: dek.credentialId,
-					vaultVersion: dek.vaultVersion
+					vaultVersion: dek.vaultVersion,
+					vaultKind: "credentials"
 				}
 			});
 			return {
@@ -28235,7 +28931,8 @@ const rotateVaultTo = (args) => Effect.gen(function* () {
 					binding: {
 						orgId,
 						credentialId: dek.credentialId,
-						vaultVersion: newVersion
+						vaultVersion: newVersion,
+						vaultKind: "credentials"
 					}
 				}))
 			};
@@ -28381,7 +29078,7 @@ const grantCommand = defineCommand({
 	}), { json: "value" })
 });
 const confirmRecipients = (recipients, skip) => Effect.forEach(recipients, (recipient) => confirmFingerprint(recipient, skip), { discard: true });
-const rotateCommand = defineCommand({
+const rotateCommand$1 = defineCommand({
 	meta: {
 		name: "rotate",
 		description: "Rotate the vault key, re-wrapping every credential to the same recipients (admin)"
@@ -28541,7 +29238,7 @@ const accessCommand = defineCommand({
 	subCommands: {
 		list: listCommand$6,
 		grant: grantCommand,
-		rotate: rotateCommand,
+		rotate: rotateCommand$1,
 		revoke: revokeCommand$1,
 		recover: recoverCommand,
 		recovery: recoveryCommand
@@ -28549,6 +29246,251 @@ const accessCommand = defineCommand({
 	default: "list"
 });
 
+//#endregion
+//#region src/application/passphrase-change.ts
+/** Rebuild the {@link AccountKeyEnvelope} from the server escrow view (escrowCt → ct). */
+const escrowToEnvelope = (escrow) => ({
+	version: escrow.version,
+	agePublicKey: escrow.agePublicKey,
+	ed25519PublicKey: escrow.ed25519PublicKey,
+	fingerprint: escrow.fingerprint,
+	kdf: escrow.kdf,
+	kdfParams: escrow.kdfParams,
+	salt: escrow.salt,
+	cipher: escrow.cipher,
+	ct: escrow.escrowCt
+});
+/**
+* Re-seal the caller's account-key escrow under `newPassphrase`. BEST-EFFORT and
+* total: it never fails the surrounding flow — it reports an {@link
+* AccountResealOutcome} so the caller can warn. This matters because the account
+* escrow is a single per-USER secret shared across every device, while device
+* identities are per-device: another device may already have moved the escrow to a
+* different passphrase, so opening it with THIS device's old passphrase can
+* legitimately fail (`passphrase-mismatch`) without blocking the device change.
+*/
+const resealAccountKey = (api, oldPassphrase, newPassphrase) => Effect.gen(function* () {
+	const escrowResult = yield* api.accountKeys.getMe().pipe(Effect.either);
+	if (Either.isLeft(escrowResult)) return escrowResult.left._tag === "NotFound" ? "absent" : "error";
+	const materialResult = yield* Effect.tryPromise(async () => openAccountKey({
+		envelope: escrowToEnvelope(escrowResult.right),
+		passphrase: oldPassphrase
+	})).pipe(Effect.either);
+	if (Either.isLeft(materialResult)) return "passphrase-mismatch";
+	const next = sealAccountKey({
+		material: materialResult.right,
+		passphrase: newPassphrase
+	});
+	const resealResult = yield* api.accountKeys.reseal({ payload: {
+		kdfParams: next.kdfParams,
+		salt: next.salt,
+		escrowCt: next.ct
+	} }).pipe(Effect.either);
+	return Either.isLeft(resealResult) ? "error" : "resealed";
+});
+/**
+* Change the device passphrase. The local device identity is the PRIMARY, and is
+* saved FIRST: it is purely local and authoritative for this device, so on success
+* the device is on the new passphrase regardless of what happens to the shared
+* account escrow. Ordering is deliberate — if the local save fails, nothing was
+* mutated (the server escrow is untouched); the account escrow re-seal then runs
+* best-effort and its {@link AccountResealOutcome} is returned for the caller to
+* surface, so a network/passphrase issue degrades to a warning, never a hard block
+* or a silent split. The vault keys are unchanged, so cached unlocks and every
+* wrap stay valid.
+*/
+const changePassphrase = (api, params) => Effect.gen(function* () {
+	const store = yield* IdentityStore;
+	const file = yield* loadIdentityFileOrFail;
+	const identity = yield* Effect.tryPromise({
+		try: async () => openIdentity({
+			file,
+			passphrase: params.oldPassphrase
+		}),
+		catch: () => new IdentityError({ message: "Wrong current passphrase — could not unlock this device's identity." })
+	});
+	const nextFile = yield* Effect.promise(async () => sealIdentity({
+		privateKey: identity.privateKey,
+		passphrase: params.newPassphrase
+	}));
+	yield* store.save(nextFile);
+	return { account: yield* resealAccountKey(api, params.oldPassphrase, params.newPassphrase) };
+});
+
+//#endregion
+//#region src/commands/credentials/account.ts
+/** `true` once the org has cut over to its separate env vault. */
+const orgHasCutOver = (api) => api.orgVault.get().pipe(Effect.map((vault) => vault.envVaultCutoverAt !== null), Effect.catchTag("NotFound", () => Effect.succeed(false)));
+/** The caller's live account key (public escrow view), or `null` if not enrolled. */
+const findOwnAccountKey = (api) => api.accountKeys.getMe().pipe(Effect.catchTag("NotFound", () => Effect.succeed(null)));
+/**
+* Wrap the env-vault key to the caller's OWN account key (self-link). Unlocks the
+* env vault via this device's env wrap, so it works for any member whose device is
+* already an env recipient — the account key inherits env access without an admin.
+* Requires the org to have cut over (there is no env vault before that).
+*/
+const linkAccountKeyToEnv = (api, params) => Effect.gen(function* () {
+	const ev = yield* unlockEnvVaultKeyInteractive(api);
+	const wrapped = yield* Effect.promise(async () => wrapVaultKey({
+		vaultKey: ev.vaultKey,
+		recipient: params.agePublicKey
+	}));
+	yield* api.envVault.addWrap({ payload: {
+		envVaultVersion: ev.vaultVersion,
+		wrap: {
+			recipientKind: "account",
+			recipientId: params.accountKeyId,
+			wrappedKey: toBase64(wrapped)
+		}
+	} });
+});
+/**
+* Prompt for — and verify — the device passphrase, so the account escrow is sealed
+* under the SAME passphrase as the device identity (the "one passphrase" promise:
+* a later `passphrase change` re-seals both). Verifying via `openIdentity` also
+* stops a typo from minting an escrow no one can open.
+*/
+const promptVerifiedDevicePassphrase = Effect.gen(function* () {
+	const file = yield* loadIdentityFileOrFail;
+	const passphrase = yield* promptPassword("Passphrase for this device's identity (the account key uses the same one):");
+	yield* Effect.tryPromise({
+		try: async () => openIdentity({
+			file,
+			passphrase
+		}),
+		catch: () => new IdentityError({ message: "Wrong passphrase — could not unlock this device's identity." })
+	});
+	return passphrase;
+});
+const createCommand$3 = defineCommand({
+	meta: {
+		name: "create",
+		description: "Enroll this user's account key — the env-vault recipient that unlocks env values from the browser"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		if ((yield* findOwnAccountKey(api)) !== null) return yield* new IdentityError({ message: "An account key is already enrolled for this user. Use `better-update credentials passphrase change` to re-seal it, or `better-update credentials account link` to (re)grant it env access." });
+		const passphrase = yield* promptVerifiedDevicePassphrase;
+		const envelope = sealAccountKey({
+			material: yield* Effect.promise(async () => generateAccountKey()),
+			passphrase
+		});
+		const registered = yield* api.accountKeys.register({ payload: {
+			agePublicKey: envelope.agePublicKey,
+			ed25519PublicKey: envelope.ed25519PublicKey,
+			fingerprint: envelope.fingerprint,
+			kdfParams: envelope.kdfParams,
+			salt: envelope.salt,
+			escrowCt: envelope.ct
+		} });
+		const cutOver = yield* orgHasCutOver(api);
+		if (cutOver) yield* linkAccountKeyToEnv(api, {
+			accountKeyId: registered.id,
+			agePublicKey: registered.agePublicKey
+		});
+		yield* printKeyValue([["Account key fingerprint", registered.fingerprint], ["Env access", cutOver ? "granted (self-linked)" : "pending — vault not initialized"]]);
+		yield* printHuman(cutOver ? "Account key enrolled. You can now unlock env values from the browser after a 2FA step-up." : "Account key enrolled. It gains env access once the org vault is initialized (`better-update credentials identity init`).");
+		return {
+			fingerprint: registered.fingerprint,
+			envAccess: cutOver
+		};
+	}), { json: "value" })
+});
+const linkCommand$1 = defineCommand({
+	meta: {
+		name: "link",
+		description: "Grant your already-enrolled account key access to the env vault (after a rotation)"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const own = yield* findOwnAccountKey(api);
+		if (own === null) return yield* new IdentityError({ message: "No account key enrolled. Run `better-update credentials account create` first." });
+		if (!(yield* orgHasCutOver(api))) return yield* new IdentityError({ message: "This organization's vault is not initialized. Run `better-update credentials identity init` first." });
+		yield* linkAccountKeyToEnv(api, {
+			accountKeyId: own.id,
+			agePublicKey: own.agePublicKey
+		});
+		yield* printHuman(`Linked account key ${own.fingerprint} to the env vault.`);
+		return {
+			linked: true,
+			fingerprint: own.fingerprint
+		};
+	}), { json: "value" })
+});
+const promptNewAccountPassphrase = Effect.gen(function* () {
+	const first = yield* promptPassword("New passphrase (use this device's passphrase to keep them in sync):");
+	if (first.length === 0) return yield* new IdentityError({ message: "Passphrase must not be empty." });
+	if (first !== (yield* promptPassword("Confirm new passphrase:"))) return yield* new IdentityError({ message: "Passphrases did not match." });
+	return first;
+});
+const resealCommand = defineCommand({
+	meta: {
+		name: "reseal",
+		description: "Re-seal your account key under a new passphrase — repair after a passphrase change on another device, or a reseal that failed mid-change"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const own = yield* findOwnAccountKey(api);
+		if (own === null) return yield* new IdentityError({ message: "No account key enrolled. Run `better-update credentials account create` first." });
+		const current = yield* promptPassword("Current account-key passphrase:");
+		const sealed = sealAccountKey({
+			material: yield* Effect.tryPromise({
+				try: async () => openAccountKey({
+					envelope: escrowToEnvelope(own),
+					passphrase: current
+				}),
+				catch: () => new IdentityError({ message: "Wrong current account-key passphrase." })
+			}),
+			passphrase: yield* promptNewAccountPassphrase
+		});
+		yield* api.accountKeys.reseal({ payload: {
+			kdfParams: sealed.kdfParams,
+			salt: sealed.salt,
+			escrowCt: sealed.ct
+		} });
+		yield* printHuman(`Re-sealed account key ${own.fingerprint} under the new passphrase.`);
+		return {
+			resealed: true,
+			fingerprint: own.fingerprint
+		};
+	}), { json: "value" })
+});
+const showCommand$1 = defineCommand({
+	meta: {
+		name: "show",
+		description: "Show this user's enrolled account key (fingerprint + status)"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const own = yield* findOwnAccountKey(yield* apiClient);
+		if (own === null) {
+			yield* printHuman("No account key enrolled for this user. Run `better-update credentials account create` to enroll one.");
+			return { enrolled: false };
+		}
+		yield* printKeyValue([
+			["Account key fingerprint", own.fingerprint],
+			["Age recipient (public)", own.agePublicKey],
+			["Enrolled at", own.createdAt]
+		]);
+		return {
+			enrolled: true,
+			fingerprint: own.fingerprint
+		};
+	}), { json: "value" })
+});
+const accountCommand = defineCommand({
+	meta: {
+		name: "account",
+		description: "Manage your per-user account key for browser-side env-vault access"
+	},
+	subCommands: {
+		create: createCommand$3,
+		link: linkCommand$1,
+		reseal: resealCommand,
+		show: showCommand$1
+	},
+	default: "show"
+});
+
 //#endregion
 //#region src/commands/credentials/configure.ts
 /**
@@ -29247,6 +30189,170 @@ const downloadCommand = defineCommand({
 	}), { json: "value" })
 });
 
+//#endregion
+//#region src/application/env-vault-rekey.ts
+/**
+* Re-wrap a single env DEK from one vault key to another, rebinding it to the
+* destination vault version + kind. Pure crypto — throws (propagated AEAD failure)
+* if the source key/binding is wrong. Shared by the cutover (credentials→env) and
+* the env rotation (env→env).
+*/
+const rekeyEnvDek = (args) => {
+	const raw = unwrapDek({
+		wrappedDek: fromBase64(args.wrappedDek),
+		vaultKey: args.from,
+		binding: {
+			orgId: args.orgId,
+			credentialId: args.credentialId,
+			vaultVersion: args.fromVersion,
+			vaultKind: args.fromKind
+		}
+	});
+	return {
+		credentialId: args.credentialId,
+		wrappedDek: toBase64(wrapDek({
+			dek: raw,
+			vaultKey: args.to,
+			binding: {
+				orgId: args.orgId,
+				credentialId: args.credentialId,
+				vaultVersion: args.toVersion,
+				vaultKind: args.toKind
+			}
+		}))
+	};
+};
+/** Seal the env key to each recipient, producing the wrap rows for a cutover / rotation. */
+const wrapEnvKeyToRecipients = (evKey, recipients) => Effect.forEach(recipients, (entry) => Effect.promise(async () => ({
+	recipientKind: entry.recipientKind,
+	recipientId: entry.recipientId,
+	wrappedKey: toBase64(await wrapVaultKey({
+		vaultKey: evKey,
+		recipient: entry.recipient
+	}))
+})), { concurrency: "unbounded" });
+
+//#endregion
+//#region src/application/env-vault-rotation.ts
+/**
+* Resolve the env vault's CURRENT recipients to the age recipients the new key is
+* wrapped to. The recipient set comes from `envVault.listWraps` (a member removal
+* already dropped the departing user's wraps server-side), and each id is resolved
+* to its public key: device/recovery/machine via `userEncryptionKeys`, account via
+* `accountKeys`. An id that no longer resolves (revoked) is dropped — the server
+* still enforces that a recovery recipient remains.
+*/
+const rewrapSurvivingRecipients = (api, evKey) => Effect.gen(function* () {
+	const { recipients } = yield* api.envVault.listWraps();
+	const [{ items: keys }, { items: accounts }] = yield* Effect.all([api.userEncryptionKeys.list(), api.accountKeys.list()]);
+	const keyById = new Map(keys.map((key) => [key.id, key.publicKey]));
+	const accountById = new Map(accounts.map((account) => [account.id, account.agePublicKey]));
+	return yield* wrapEnvKeyToRecipients(evKey, recipients.flatMap((wrap) => {
+		const recipient = wrap.recipientKind === "account" ? accountById.get(wrap.recipientId) : keyById.get(wrap.recipientId);
+		return recipient === void 0 ? [] : [{
+			recipientKind: wrap.recipientKind,
+			recipientId: wrap.recipientId,
+			recipient
+		}];
+	}));
+});
+/** Re-key every env DEK under the new env key, bumping it to the next env version. */
+const rekeyEnvDeksForRotation = (api, params) => Effect.gen(function* () {
+	const { deks } = yield* api.envVault.listCredentialDeks();
+	return yield* Effect.forEach(deks, (dek) => Effect.try({
+		try: () => rekeyEnvDek({
+			orgId: params.orgId,
+			credentialId: dek.credentialId,
+			wrappedDek: dek.wrappedDek,
+			from: params.fromKey,
+			fromVersion: dek.vaultVersion,
+			fromKind: "env",
+			to: params.toKey,
+			toVersion: params.toVersion,
+			toKind: "env"
+		}),
+		catch: () => new IdentityError({ message: "Failed to re-key an env value during rotation — re-unlock the env vault and retry." })
+	}), { concurrency: "unbounded" });
+});
+/**
+* Rotate the env vault key: generate a new key at version+1, re-wrap it to the
+* current recipients, re-key every env DEK, and submit atomically (the server
+* compare-and-swaps on the env version). Clears the env rotation-pending flag a
+* member removal raised. Drops the now-stale cached env key afterwards.
+*/
+const rotateEnvVault = (api) => Effect.gen(function* () {
+	const orgId = yield* getActiveOrgId(api);
+	if ((yield* api.orgVault.get().pipe(Effect.catchTag("NotFound", () => new IdentityError({ message: "This organization has no credential vault yet." })))).envVaultCutoverAt === null) return yield* new IdentityError({ message: "This organization's env vault is not initialized." });
+	const current = yield* unlockEnvVaultKeyInteractive(api);
+	const toVersion = current.vaultVersion + 1;
+	const newEvKey = generateVaultKey();
+	const wraps = yield* rewrapSurvivingRecipients(api, newEvKey);
+	const envDeks = yield* rekeyEnvDeksForRotation(api, {
+		orgId,
+		fromKey: current.vaultKey,
+		toKey: newEvKey,
+		toVersion
+	});
+	const rotated = yield* api.envVault.rotate({ payload: {
+		fromVersion: current.vaultVersion,
+		wraps,
+		envDeks
+	} });
+	yield* forgetCachedEnvVaultKey;
+	return rotated;
+});
+
+//#endregion
+//#region src/commands/credentials/env-vault.ts
+const rotateCommand = defineCommand({
+	meta: {
+		name: "rotate",
+		description: "Rotate the env-vault key, re-wrapping to the current recipients — clears a pending flag after a member is removed (admin)"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const vault = yield* rotateEnvVault(yield* apiClient);
+		yield* printHuman(`Rotated the env vault to version ${String(vault.envVaultVersion)}.`);
+		return { envVaultVersion: vault.envVaultVersion };
+	}), { json: "value" })
+});
+const statusCommand$2 = defineCommand({
+	meta: {
+		name: "status",
+		description: "Show whether the org has cut over to a separate env vault, and its version/state"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const vault = yield* (yield* apiClient).orgVault.get().pipe(Effect.catchTag("NotFound", () => Effect.succeed(null)));
+		if (vault === null) {
+			yield* printHuman("This organization has no credential vault yet.");
+			return { vaultExists: false };
+		}
+		const cutOver = vault.envVaultCutoverAt !== null;
+		yield* printKeyValue([
+			["Env vault", cutOver ? "separate (migrated)" : "shared with credentials vault"],
+			["Env vault version", cutOver ? String(vault.envVaultVersion) : "—"],
+			["Env rotation pending", vault.envRotationPending ? "yes" : "no"]
+		]);
+		if (vault.envRotationPending) yield* printHuman("⚠ Env rotation pending — run `better-update credentials env-vault rotate` to re-key and restore env access.");
+		return {
+			vaultExists: true,
+			cutOver,
+			envVaultVersion: cutOver ? vault.envVaultVersion : null,
+			envRotationPending: vault.envRotationPending
+		};
+	}), { json: "value" })
+});
+const envVaultCommand = defineCommand({
+	meta: {
+		name: "env-vault",
+		description: "Manage the organization's env-vault (rotate, status)"
+	},
+	subCommands: {
+		rotate: rotateCommand,
+		status: statusCommand$2
+	},
+	default: "status"
+});
+
 //#endregion
 //#region src/lib/credentials-generator-merchant.ts
 /**
@@ -29761,13 +30867,16 @@ const RECOVERY_LABEL = "Offline recovery key";
 /**
 * Bootstrap the org vault on first use: generate the org vault key locally, mint
 * an offline recovery recipient, wrap the vault key to BOTH the caller's device
-* and the recovery key, and POST the two initial wrap rows. The server requires
-* the bootstrap to include a `recovery` recipient (break-glass), so both wraps go
-* up together. Returns the unlocked vault key plus the recovery private key for a
-* one-time, offline-only display.
+* and the recovery key, and POST the initial wrap rows. The org is "born forked" —
+* a second, INDEPENDENT env-vault key is generated and wrapped to the same device +
+* recovery recipients in the same call, so the env vault is the default and
+* `env-vault migrate` is never needed. The server requires both a `recovery`
+* recipient (break-glass) and the env wraps. Returns the unlocked vault key plus
+* the recovery private key for a one-time, offline-only display.
 */
 const bootstrapVault = (args) => Effect.gen(function* () {
 	const vaultKey = generateVaultKey();
+	const envVaultKey = generateVaultKey();
 	const recovery = yield* Effect.promise(async () => generateIdentity());
 	const recoveryKey = yield* args.api.userEncryptionKeys.register({ payload: {
 		kind: "recovery",
@@ -29782,15 +30891,27 @@ const bootstrapVault = (args) => Effect.gen(function* () {
 		vaultKey,
 		recipient: recovery.publicKey
 	}))]);
+	const envWraps = yield* wrapEnvKeyToRecipients(envVaultKey, [{
+		recipientKind: "device",
+		recipientId: args.deviceKeyId,
+		recipient: args.deviceRecipient
+	}, {
+		recipientKind: "recovery",
+		recipientId: recoveryKey.id,
+		recipient: recovery.publicKey
+	}]);
 	return {
 		vaultKey,
-		vaultVersion: (yield* args.api.orgVault.bootstrap({ payload: { wraps: [{
-			userEncryptionKeyId: args.deviceKeyId,
-			wrappedKey: toBase64(deviceWrap)
-		}, {
-			userEncryptionKeyId: recoveryKey.id,
-			wrappedKey: toBase64(recoveryWrap)
-		}] } })).vaultVersion,
+		vaultVersion: (yield* args.api.orgVault.bootstrap({ payload: {
+			wraps: [{
+				userEncryptionKeyId: args.deviceKeyId,
+				wrappedKey: toBase64(deviceWrap)
+			}, {
+				userEncryptionKeyId: recoveryKey.id,
+				wrappedKey: toBase64(recoveryWrap)
+			}],
+			envWraps
+		} })).vaultVersion,
 		keyId: args.deviceKeyId,
 		recoveryPrivateKey: recovery.privateKey,
 		recoveryFingerprint: recovery.fingerprint
@@ -29803,7 +30924,7 @@ const resolveLabel = (flag) => Effect.gen(function* () {
 	if (flag && flag.trim().length > 0) return flag.trim();
 	return yield* promptText("Label for this device key", { defaultValue: yield* (yield* CliRuntime).userName });
 });
-const promptNewPassphrase = Effect.gen(function* () {
+const promptNewPassphrase$1 = Effect.gen(function* () {
 	const first = yield* promptPassword("Choose a passphrase to protect this device key:");
 	if (first.length === 0) return yield* new IdentityError({ message: "Passphrase must not be empty." });
 	if (first !== (yield* promptPassword("Confirm passphrase:"))) return yield* new IdentityError({ message: "Passphrases did not match." });
@@ -29825,7 +30946,7 @@ const createCommand$2 = defineCommand({
 	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const label = yield* resolveLabel(args.label);
-		const identity = yield* createLocalIdentity(yield* promptNewPassphrase);
+		const identity = yield* createLocalIdentity(yield* promptNewPassphrase$1);
 		const api = yield* apiClient;
 		yield* printRecipient(yield* registerRecipient(api, {
 			kind: "device",
@@ -29958,6 +31079,47 @@ const listCommand$4 = defineCommand({
 	}))
 });
 
+//#endregion
+//#region src/commands/credentials/passphrase.ts
+/** Human result for each account-escrow outcome of a device passphrase change. */
+const ACCOUNT_OUTCOME_MESSAGE = {
+	resealed: "Passphrase changed — this device's identity and your account key were both re-sealed.",
+	absent: "Passphrase changed — this device's identity was re-sealed (no account key enrolled).",
+	"passphrase-mismatch": "Passphrase changed for this device — but your account key is sealed under a DIFFERENT passphrase (likely changed on another device) and was left unchanged. Run `better-update credentials account reseal` to bring it onto this passphrase.",
+	error: "Passphrase changed for this device — but your account key could not be re-sealed (the server was unreachable). Run `better-update credentials account reseal` to retry."
+};
+const promptNewPassphrase = Effect.gen(function* () {
+	const first = yield* promptPassword("Choose a new passphrase:");
+	if (first.length === 0) return yield* new IdentityError({ message: "Passphrase must not be empty." });
+	if (first !== (yield* promptPassword("Confirm new passphrase:"))) return yield* new IdentityError({ message: "Passphrases did not match." });
+	return first;
+});
+const changeCommand = defineCommand({
+	meta: {
+		name: "change",
+		description: "Change this device's passphrase, re-sealing the device identity and (if enrolled) your account key under it"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const { account } = yield* changePassphrase(yield* apiClient, {
+			oldPassphrase: yield* promptPassword("Current passphrase:"),
+			newPassphrase: yield* promptNewPassphrase
+		});
+		yield* printHuman(ACCOUNT_OUTCOME_MESSAGE[account]);
+		return {
+			changed: true,
+			account
+		};
+	}), { json: "value" })
+});
+const passphraseCommand = defineCommand({
+	meta: {
+		name: "passphrase",
+		description: "Manage this device's identity passphrase"
+	},
+	subCommands: { change: changeCommand },
+	default: "change"
+});
+
 //#endregion
 //#region src/commands/credentials/regenerate-profile.ts
 const REGENERATE_EXIT_EXTRAS = {
@@ -31323,6 +32485,9 @@ const credentialsCommand = defineCommand({
 		manager: managerCommand,
 		identity: identityCommand,
 		access: accessCommand,
+		account: accountCommand,
+		"env-vault": envVaultCommand,
+		passphrase: passphraseCommand,
 		device: deviceCommand,
 		unlock: unlockCommand,
 		lock: lockCommand,
@@ -32614,8 +33779,9 @@ const updateCommand$1 = defineCommand({
 			payload: compact({ visibility })
 		});
 		else {
+			const session = yield* openEnvVaultSessionInteractive(api);
 			const envelope = yield* sealForUpload({
-				session: yield* openVaultSessionInteractive(api),
+				session,
 				credentialType: "envVarValue",
 				metadata: {
 					key,
@@ -32630,7 +33796,8 @@ const updateCommand$1 = defineCommand({
 						id: envelope.id,
 						ciphertext: envelope.ciphertext,
 						wrappedDek: envelope.wrappedDek,
-						vaultVersion: envelope.vaultVersion
+						vaultVersion: envelope.vaultVersion,
+						vaultKind: session.vaultKind
 					},
 					...compact({ visibility })
 				}