@cimplify/cli 0.3.0 → 0.4.0

package/dist/{chunk-YQVMG62Z.mjs → chunk-ASZVWVMM.mjs}

@@ -2,7 +2,7 @@
 // package.json
 var package_default = {
   name: "@cimplify/cli",
-  version: "0.3.0",
+  version: "0.4.0",
   description: "Cimplify CLI \u2014 deploy, manage env vars, link projects, and scaffold storefronts",
   keywords: [
     "cimplify",

package/dist/{chunk-YI7UMMM7.mjs → chunk-DBZ3UOQ2.mjs}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { CliError, CLI_ERROR_CODE } from './chunk-I3XQSSOT.mjs';
+import { CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 
 // src/envfile.ts
 var COMMENT_CHAR = "#";

package/dist/{chunk-I3XQSSOT.mjs → chunk-E2T2SBP5.mjs}

@@ -16,7 +16,9 @@ var CLI_ERROR_CODE = {
   /** Operation needs interactive confirmation and the shell is non-interactive. */
   INTERACTIVE_REQUIRED: "INTERACTIVE_REQUIRED",
   /** Generic resource-not-found (e.g. unknown registry component, missing local fixture). */
-  NOT_FOUND: "NOT_FOUND"
+  NOT_FOUND: "NOT_FOUND",
+  /** Destructive op needs a fresh user re-auth — run `cimplify auth step-up`. */
+  STEP_UP_REQUIRED: "STEP_UP_REQUIRED"
 };
 var EXIT_CODE = {
   OK: 0,
@@ -35,6 +37,7 @@ var EXIT_CODE = {
   NOT_LOGGED_IN: 20,
   AUTH_FAILED: 21,
   UNAUTHORIZED: 22,
+  STEP_UP_REQUIRED: 23,
   INVALID_INPUT: 30
 };
 var EXIT_CODE_FOR = {
@@ -51,7 +54,8 @@ var EXIT_CODE_FOR = {
   UNAUTHORIZED: EXIT_CODE.UNAUTHORIZED,
   TIMEOUT: EXIT_CODE.TIMEOUT,
   INTERACTIVE_REQUIRED: EXIT_CODE.INTERACTIVE_REQUIRED,
-  NOT_FOUND: EXIT_CODE.NOT_FOUND
+  NOT_FOUND: EXIT_CODE.NOT_FOUND,
+  STEP_UP_REQUIRED: EXIT_CODE.STEP_UP_REQUIRED
 };
 var CliError = class extends Error {
   code;

package/dist/{login-WSAW4BEA.mjs → chunk-GLXONXS3.mjs}

@@ -1,9 +1,5 @@
 #!/usr/bin/env node
-import { parseArgs, flagString, flagBool } from './chunk-C4M3DXKC.mjs';
-import { resolveBaseUrl, ApiClient } from './chunk-D7WMSGKK.mjs';
-import { writeAuth } from './chunk-LS2VTSMQ.mjs';
-import { CliError, CLI_ERROR_CODE, success, result, isJsonMode, step, info, dim } from './chunk-I3XQSSOT.mjs';
-import os from 'os';
+import { CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 import { randomBytes, createHash } from 'crypto';
 import { createServer } from 'http';
 import { spawn } from 'child_process';
@@ -73,6 +69,7 @@ async function startLoopbackServer(apiBaseUrl) {
       return;
     }
     const code = parsed.searchParams.get("code");
+    const stepUpToken = parsed.searchParams.get("step_up_token");
     const state = parsed.searchParams.get("state");
     const error = parsed.searchParams.get("error");
     if (error) {
@@ -80,13 +77,17 @@ async function startLoopbackServer(apiBaseUrl) {
       rejectCb?.(new CliError(CLI_ERROR_CODE.UNAUTHORIZED, `OAuth error: ${error}`));
       return;
     }
-    if (!code || !state) {
-      res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" }).end(HTML_ERROR("Missing code or state in callback"));
+    if (!state || !code && !stepUpToken) {
+      res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" }).end(HTML_ERROR("Missing code or token in callback"));
       rejectCb?.(new CliError(CLI_ERROR_CODE.UNAUTHORIZED, "Malformed callback"));
       return;
     }
     res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" }).end(HTML_SUCCESS(apiBaseUrl));
-    resolveCb?.({ code, state });
+    resolveCb?.({
+      code: code ?? void 0,
+      step_up_token: stepUpToken ?? void 0,
+      state
+    });
   });
   await new Promise((resolve, reject) => {
     server.once("error", reject);
@@ -150,127 +151,4 @@ function openBrowser(url) {
   }
 }
 
-// src/commands/login.ts
-var FLAG_API_KEY = "api-key";
-var FLAG_BASE_URL = "base-url";
-var FLAG_NO_BROWSER = "no-browser";
-var ENDPOINT_AUTH_ME = "/v1/auth/me";
-var ENDPOINT_CLI_START = "/v1/auth/cli/start";
-var ENDPOINT_CLI_TOKEN = "/v1/auth/cli/token";
-var KEY_PREFIX_DK = "dk_";
-var KEY_PREFIX_SK = "sk_";
-var PRODUCT_NAME = "cimplify-cli";
-async function run(argv) {
-  const args = parseArgs(argv);
-  const baseUrl = resolveBaseUrl(flagString(args, FLAG_BASE_URL));
-  const explicitKey = flagString(args, FLAG_API_KEY);
-  if (explicitKey) {
-    await loginWithKey(baseUrl, explicitKey);
-    return;
-  }
-  await loginWithBrowser(baseUrl, flagBool(args, FLAG_NO_BROWSER));
-}
-async function loginWithKey(baseUrl, apiKey) {
-  if (!apiKey.startsWith(KEY_PREFIX_DK) && !apiKey.startsWith(KEY_PREFIX_SK)) {
-    throw new CliError(
-      CLI_ERROR_CODE.INVALID_INPUT,
-      `API key must start with "${KEY_PREFIX_DK}" or "${KEY_PREFIX_SK}".`
-    );
-  }
-  const client = ApiClient.withKey(apiKey, baseUrl);
-  const me = await client.get(ENDPOINT_AUTH_ME);
-  await writeAuth({
-    apiKey,
-    apiBaseUrl: baseUrl,
-    accountId: me.id,
-    businessId: me.business_id,
-    email: me.email,
-    name: me.name,
-    savedAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-  success(`Logged in as ${me.email ?? me.name ?? me.id} (business ${me.business_id})`);
-  result({
-    logged_in: true,
-    account: { id: me.id, email: me.email ?? null, name: me.name ?? null },
-    business: { id: me.business_id },
-    method: "api_key"
-  });
-}
-async function loginWithBrowser(baseUrl, noBrowser) {
-  if (isJsonMode()) {
-    throw new CliError(
-      CLI_ERROR_CODE.INTERACTIVE_REQUIRED,
-      "browser login is not supported in --json mode",
-      { remediation: "pass --api-key dk_\u2026 (create one in the dashboard or via `cimplify auth keys create`)" }
-    );
-  }
-  const pkce = generatePkcePair();
-  const state = generateState();
-  const loopback = await startLoopbackServer(baseUrl);
-  const startBody = {
-    code_challenge: pkce.codeChallenge,
-    code_challenge_method: pkce.codeChallengeMethod,
-    redirect_uri: loopback.redirectUri,
-    state,
-    client_meta: {
-      hostname: os.hostname(),
-      platform: process.platform,
-      arch: process.arch,
-      node_version: process.version,
-      product: PRODUCT_NAME
-    }
-  };
-  const unauthClient = ApiClient.unauthenticated(baseUrl);
-  const startResponse = await unauthClient.post(
-    ENDPOINT_CLI_START,
-    startBody
-  );
-  step("Opening browser to authorize this CLI...");
-  info(dim(startResponse.approval_url));
-  if (!noBrowser) {
-    openBrowser(startResponse.approval_url);
-  } else {
-    info("");
-    info(dim("Open the URL above in any browser to continue."));
-  }
-  let callback;
-  try {
-    callback = await loopback.awaitCallback(startResponse.expires_in_secs * 1e3);
-  } catch (err) {
-    loopback.close();
-    throw err;
-  }
-  if (callback.state !== state) {
-    throw new CliError(
-      CLI_ERROR_CODE.UNAUTHORIZED,
-      "OAuth state mismatch. Possible CSRF attempt \u2014 try again."
-    );
-  }
-  const token = await unauthClient.post(ENDPOINT_CLI_TOKEN, {
-    auth_code: callback.code,
-    code_verifier: pkce.codeVerifier,
-    redirect_uri: loopback.redirectUri
-  });
-  const meClient = ApiClient.withKey(token.access_token, baseUrl);
-  const me = await meClient.get(ENDPOINT_AUTH_ME);
-  await writeAuth({
-    apiKey: token.access_token,
-    apiBaseUrl: baseUrl,
-    accountId: me.id,
-    businessId: me.business_id,
-    email: me.email,
-    name: me.name,
-    savedAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-  success(
-    `Logged in as ${me.email ?? me.name ?? me.id} (business ${me.business_id})`
-  );
-  result({
-    logged_in: true,
-    account: { id: me.id, email: me.email ?? null, name: me.name ?? null },
-    business: { id: me.business_id },
-    method: "oauth_pkce"
-  });
-}
-
-export { run as default };
+export { generatePkcePair, generateState, openBrowser, startLoopbackServer };

package/dist/{chunk-RZQTHTXX.mjs → chunk-ITAFAORS.mjs}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { isAutoYes, isInteractive, CliError, CLI_ERROR_CODE } from './chunk-I3XQSSOT.mjs';
+import { isAutoYes, isInteractive, CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 import readline from 'readline';
 
 async function promptLine(question) {

package/dist/{chunk-RRY3NEZZ.mjs → chunk-K5464A3L.mjs}

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { CliError, CLI_ERROR_CODE } from './chunk-I3XQSSOT.mjs';
+import { CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 import { spawn } from 'child_process';
 
 var GIT_BINARY = "git";

package/dist/{chunk-D7WMSGKK.mjs → chunk-MAOO6ZZ5.mjs}

@@ -1,11 +1,12 @@
 #!/usr/bin/env node
-import { CliError, CLI_ERROR_CODE } from './chunk-I3XQSSOT.mjs';
+import { CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 
 // src/api-client.ts
 var DEFAULT_API_BASE_URL = "https://api.cimplify.io";
 var ENV_API_BASE_URL = "CIMPLIFY_API_URL";
 var DEFAULT_TIMEOUT_MS = 3e4;
 var HEADER_AUTHORIZATION = "Authorization";
+var HEADER_STEP_UP = "X-Step-Up-Authorization";
 var HEADER_CONTENT_TYPE = "Content-Type";
 var HEADER_ACCEPT = "Accept";
 var HEADER_USER_AGENT = "User-Agent";
@@ -25,12 +26,20 @@ var STATUS_SERVER_ERROR_MIN = 500;
 var ApiClient = class _ApiClient {
   baseUrl;
   apiKey;
+  stepUpToken = null;
   constructor(baseUrl, apiKey) {
     this.baseUrl = baseUrl.replace(/\/+$/, "");
     this.apiKey = apiKey;
   }
-  static fromAuth(auth) {
-    return new _ApiClient(auth.apiBaseUrl, auth.apiKey);
+  /** Attach a step-up JWT to subsequent requests via X-Step-Up-Authorization. */
+  withStepUp(token) {
+    this.stepUpToken = token;
+    return this;
+  }
+  static fromAuth(auth, stepUpToken = null) {
+    const client = new _ApiClient(auth.apiBaseUrl, auth.apiKey);
+    if (stepUpToken) client.withStepUp(stepUpToken);
+    return client;
   }
   static unauthenticated(baseUrl = resolveBaseUrl()) {
     return new _ApiClient(baseUrl, "");
@@ -59,6 +68,9 @@ var ApiClient = class _ApiClient {
     if (this.apiKey) {
       headers[HEADER_AUTHORIZATION] = `${BEARER_PREFIX}${this.apiKey}`;
     }
+    if (this.stepUpToken) {
+      headers[HEADER_STEP_UP] = `${BEARER_PREFIX}${this.stepUpToken}`;
+    }
     let payload;
     if (body !== void 0) {
       headers[HEADER_CONTENT_TYPE] = CONTENT_TYPE_JSON;
@@ -120,6 +132,13 @@ async function parseResponse(response) {
   }
   const code = mapStatusToCode(response.status);
   const message = extractErrorMessage(body, response.status);
+  if (response.status === STATUS_UNAUTHORIZED && /step_up_required/i.test(message)) {
+    throw new CliError(
+      CLI_ERROR_CODE.STEP_UP_REQUIRED,
+      "This action requires fresh re-authentication. Run `cimplify auth step-up`, then retry.",
+      { remediation: "cimplify auth step-up" }
+    );
+  }
   throw new CliError(code, message);
 }
 function mapStatusToCode(status) {

package/dist/{chunk-QGBXGDA5.mjs → chunk-R3FDBXR6.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { promptYesNo } from './chunk-RZQTHTXX.mjs';
+import { promptYesNo } from './chunk-ITAFAORS.mjs';
 import { TOKEN_PURPOSE, REPO_PROVIDER, REPO_PROVIDER_VALUES } from './chunk-MXYUAJEW.mjs';
 import { parseArgs, flagString, flagBool } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuth, readProjectLink } from './chunk-LS2VTSMQ.mjs';
-import { CliError, CLI_ERROR_CODE, isJsonMode, result, dim, success, info, bold } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuth, readProjectLink } from './chunk-UBAI443T.mjs';
+import { CliError, CLI_ERROR_CODE, isJsonMode, result, dim, success, info, bold } from './chunk-E2T2SBP5.mjs';
 
 // src/commands/repo.ts
 var SUB_PROVISION = "provision";

package/dist/{chunk-5IAYN7AJ.mjs → chunk-SDSOORT6.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { gitDetectRoot, gitCurrentBranch, gitCurrentSha, gitStatusPorcelain } from './chunk-RRY3NEZZ.mjs';
-import { parseEnvFile } from './chunk-YI7UMMM7.mjs';
-import { package_default } from './chunk-YQVMG62Z.mjs';
+import { gitDetectRoot, gitCurrentBranch, gitCurrentSha, gitStatusPorcelain } from './chunk-K5464A3L.mjs';
+import { parseEnvFile } from './chunk-DBZ3UOQ2.mjs';
+import { package_default } from './chunk-ASZVWVMM.mjs';
 import { parseArgs } from './chunk-C4M3DXKC.mjs';
-import { readAuthOrNull, readProjectLinkOrNull, readProjectState } from './chunk-LS2VTSMQ.mjs';
-import { bold, dim, yellow, green, info, result, red } from './chunk-I3XQSSOT.mjs';
+import { readAuthOrNull, readProjectLinkOrNull, readProjectState } from './chunk-UBAI443T.mjs';
+import { bold, dim, yellow, green, info, result, red } from './chunk-E2T2SBP5.mjs';
 import { promises } from 'fs';
 import path from 'path';
 

package/dist/{chunk-LS2VTSMQ.mjs → chunk-UBAI443T.mjs}

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
-import { CliError, CLI_ERROR_CODE } from './chunk-I3XQSSOT.mjs';
+import { CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 import { promises } from 'fs';
 import os from 'os';
 import path from 'path';
 
 var AUTH_FILE_NAME = "auth.json";
+var STEP_UP_FILE_NAME = "step-up.json";
 var PROJECT_FILE_NAME = "project.json";
 var STATE_FILE_NAME = "state.json";
 var PROJECT_DIR_NAME = ".cimplify";
@@ -24,6 +25,9 @@ function authConfigDir() {
 function authConfigPath() {
   return path.join(authConfigDir(), AUTH_FILE_NAME);
 }
+function stepUpConfigPath() {
+  return path.join(authConfigDir(), STEP_UP_FILE_NAME);
+}
 function projectConfigDir(cwd = process.cwd()) {
   return path.join(cwd, PROJECT_DIR_NAME);
 }
@@ -76,6 +80,9 @@ async function clearAuth() {
     throw err;
   }
 }
+async function writeStepUp(token) {
+  await writeJsonFile(stepUpConfigPath(), token, FILE_MODE_PRIVATE);
+}
 async function readProjectLink(cwd = process.cwd()) {
   const data = await readJsonFile(projectConfigPath(cwd));
   if (!data) {
@@ -130,4 +137,4 @@ ${STATE_GITIGNORE_LINE}
   await promises.writeFile(gitignore, next, ENCODING_UTF8);
 }
 
-export { clearAuth, clearProjectLink, readAuth, readAuthOrNull, readProjectLink, readProjectLinkOrNull, readProjectState, writeAuth, writeProjectLink, writeProjectState };
+export { clearAuth, clearProjectLink, readAuth, readAuthOrNull, readProjectLink, readProjectLinkOrNull, readProjectState, writeAuth, writeProjectLink, writeProjectState, writeStepUp };

package/dist/{chunk-MOZQODQS.mjs → chunk-VTR5R5NQ.mjs}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { TERMINAL_DEPLOYMENT_STATUSES, DEPLOYMENT_STATUS } from './chunk-MXYUAJEW.mjs';
-import { dim, CliError, CLI_ERROR_CODE, failure, success, isJsonMode } from './chunk-I3XQSSOT.mjs';
+import { dim, CliError, CLI_ERROR_CODE, failure, success, isJsonMode } from './chunk-E2T2SBP5.mjs';
 
 // src/progress.ts
 var POLL_INTERVAL_MS = 1e3;

package/dist/{deploy-UKOOPJAE.mjs → deploy-3IFXUWPM.mjs}

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
-import { pollDeployment } from './chunk-MOZQODQS.mjs';
-import { gitDetectRoot, gitStatusPorcelain, gitCurrentBranch, gitCurrentSha, gitGetRemoteUrl, isFreestyleRemote, gitPushToUrl, gitPush } from './chunk-RRY3NEZZ.mjs';
-import { fetchCloneToken } from './chunk-QGBXGDA5.mjs';
-import { promptYesNo } from './chunk-RZQTHTXX.mjs';
+import { pollDeployment } from './chunk-VTR5R5NQ.mjs';
+import { gitDetectRoot, gitStatusPorcelain, gitCurrentBranch, gitCurrentSha, gitGetRemoteUrl, isFreestyleRemote, gitPushToUrl, gitPush } from './chunk-K5464A3L.mjs';
+import { fetchCloneToken } from './chunk-R3FDBXR6.mjs';
+import { promptYesNo } from './chunk-ITAFAORS.mjs';
 import { TOKEN_PURPOSE, ENV_SCOPE, DEPLOY_TRIGGER, DEPLOYMENT_STATUS } from './chunk-MXYUAJEW.mjs';
 import { parseArgs, flagBool, flagString } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuth, readProjectLink, writeProjectState } from './chunk-LS2VTSMQ.mjs';
-import { CliError, CLI_ERROR_CODE, step, info, dim, success, result, EXIT_CODE } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuth, readProjectLink, writeProjectState } from './chunk-UBAI443T.mjs';
+import { CliError, CLI_ERROR_CODE, step, info, dim, success, result, EXIT_CODE } from './chunk-E2T2SBP5.mjs';
 
 // src/commands/deploy.ts
 var FLAG_PROD = "prod";

package/dist/{dev-FD4PM3UD.mjs → dev-ONW2S77K.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { parseEnvFile, formatEnvFile } from './chunk-YI7UMMM7.mjs';
+import { parseEnvFile, formatEnvFile } from './chunk-DBZ3UOQ2.mjs';
 import { ENV_SCOPE, PUBLIC_ENV_PREFIX } from './chunk-MXYUAJEW.mjs';
 import { parseArgs, flagBool } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuth, readProjectLink } from './chunk-LS2VTSMQ.mjs';
-import { info, CliError, CLI_ERROR_CODE, dim } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuth, readProjectLink } from './chunk-UBAI443T.mjs';
+import { info, CliError, CLI_ERROR_CODE, dim } from './chunk-E2T2SBP5.mjs';
 import { spawn } from 'child_process';
 import { promises } from 'fs';
 import path from 'path';

package/dist/dispatcher.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { TEMPLATES } from './chunk-MHK4WVNF.mjs';
-import { package_default } from './chunk-YQVMG62Z.mjs';
+import { TEMPLATES } from './chunk-42PFJBC6.mjs';
+import { package_default } from './chunk-ASZVWVMM.mjs';
 
 // src/dispatcher.ts
 var VERSION = package_default.version ?? "unknown";
@@ -121,28 +121,32 @@ Need the mock storefront server? It ships with @cimplify/sdk:
   bunx @cimplify/sdk mock [flags]            Boot the local Cimplify API mock
 `;
 var COMMANDS = {
-  login: () => import('./login-WSAW4BEA.mjs'),
-  logout: () => import('./logout-DJDINVDF.mjs'),
-  whoami: () => import('./whoami-LACWBSNL.mjs'),
-  projects: () => import('./projects-364HGWHO.mjs'),
-  link: () => import('./link-X3E4UZBF.mjs'),
-  unlink: () => import('./unlink-HIIW57OO.mjs'),
-  deploy: () => import('./deploy-UKOOPJAE.mjs'),
-  rollback: () => import('./rollback-5YALPQXL.mjs'),
-  env: () => import('./env-EVMYQUIK.mjs'),
-  domains: () => import('./domains-JQMV6GAP.mjs'),
-  logs: () => import('./logs-KUKGEXR2.mjs'),
-  status: () => import('./status-W4HW3CX3.mjs'),
-  dev: () => import('./dev-FD4PM3UD.mjs'),
-  introspect: () => import('./introspect-PFBI3JHO.mjs'),
-  doctor: () => import('./doctor-5LBLYT7M.mjs'),
-  explain: () => import('./explain-3KBMWL6M.mjs'),
-  assets: () => import('./assets-DMK2QOPD.mjs'),
-  repo: () => import('./repo-26N2CHF6.mjs'),
-  list: () => import('./list-TE54SJIB.mjs'),
-  add: () => import('./add-ZJNXWN2B.mjs'),
-  update: () => import('./update-5MRKRVZC.mjs'),
-  upgrade: () => import('./update-5MRKRVZC.mjs')
+  login: () => import('./login-3OD4ND2H.mjs'),
+  logout: () => import('./logout-3RLBZ33M.mjs'),
+  whoami: () => import('./whoami-DNZ7RUTH.mjs'),
+  projects: () => import('./projects-JSEC2YCX.mjs'),
+  link: () => import('./link-DZSILT5N.mjs'),
+  unlink: () => import('./unlink-RFK74SFP.mjs'),
+  deploy: () => import('./deploy-3IFXUWPM.mjs'),
+  rollback: () => import('./rollback-DD4RNRFM.mjs'),
+  env: () => import('./env-7ISJ73YI.mjs'),
+  domains: () => import('./domains-AHH56CL7.mjs'),
+  logs: () => import('./logs-YNN2PQ24.mjs'),
+  status: () => import('./status-JSYXM5RT.mjs'),
+  dev: () => import('./dev-ONW2S77K.mjs'),
+  introspect: () => import('./introspect-IVI65FEV.mjs'),
+  doctor: () => import('./doctor-BC6CMVRW.mjs'),
+  explain: () => import('./explain-MZOCDFZE.mjs'),
+  assets: () => import('./assets-EBEMMENZ.mjs'),
+  repo: () => import('./repo-WOBWKEAO.mjs'),
+  list: () => import('./list-JOQRPYX4.mjs'),
+  add: () => import('./add-KKIYBATR.mjs'),
+  update: () => import('./update-EDTG73FK.mjs'),
+  upgrade: () => import('./update-EDTG73FK.mjs'),
+  "auth-step-up": () => import('./auth-step-up-BIUYQJP6.mjs')
+};
+var COMMAND_PREFIXES = {
+  auth: { "step-up": "auth-step-up" }
 };
 var GLOBAL_FLAGS = /* @__PURE__ */ new Set(["--json", "--yes", "-y"]);
 function extractGlobalFlags(argv) {
@@ -180,12 +184,21 @@ async function main() {
   if (TOP_LEVEL_FLAGS.has(maybeSub)) {
     return await runDispatcherFlag(maybeSub, cleaned.json);
   }
-  const sub = maybeSub;
-  const args = rest;
+  let sub = maybeSub;
+  let args = rest;
   if (sub === "init") {
     await runInit(args);
     return;
   }
+  const prefixMap = COMMAND_PREFIXES[sub];
+  if (prefixMap && args.length > 0) {
+    const sub2 = args[0];
+    const mapped = prefixMap[sub2];
+    if (mapped) {
+      sub = mapped;
+      args = args.slice(1);
+    }
+  }
   const loader = COMMANDS[sub];
   if (!loader) {
     console.error(`cimplify: unknown command "${sub}"`);

package/dist/{doctor-5LBLYT7M.mjs → doctor-BC6CMVRW.mjs}

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
-import { gatherIntrospection } from './chunk-5IAYN7AJ.mjs';
-import './chunk-RRY3NEZZ.mjs';
-import './chunk-YI7UMMM7.mjs';
-import './chunk-YQVMG62Z.mjs';
+import { gatherIntrospection } from './chunk-SDSOORT6.mjs';
+import './chunk-K5464A3L.mjs';
+import './chunk-DBZ3UOQ2.mjs';
+import './chunk-ASZVWVMM.mjs';
 import { parseArgs, flagBool } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuthOrNull } from './chunk-LS2VTSMQ.mjs';
-import { bold, dim, info, result, isCliError, CLI_ERROR_CODE, red, yellow, green } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuthOrNull } from './chunk-UBAI443T.mjs';
+import { bold, dim, info, result, isCliError, CLI_ERROR_CODE, red, yellow, green } from './chunk-E2T2SBP5.mjs';
 import { promises } from 'fs';
 import path from 'path';
 
@@ -200,7 +200,7 @@ async function runRemoteChecks(snapshot, auth) {
   let authValid;
   try {
     const me = await client.get(ENDPOINT_AUTH_ME);
-    const env = auth.apiKey.startsWith("dk_test_") || auth.apiKey.startsWith("sk_test_") ? "test" : "live";
+    const env = auth.apiKey.includes("_test_") ? "test" : "live";
     authValid = ok("auth_valid", `${env} token \xB7 business ${me.business_id}`);
   } catch (err) {
     if (isCliError(err) && err.code === CLI_ERROR_CODE.AUTH_FAILED) {

package/dist/{domains-JQMV6GAP.mjs → domains-AHH56CL7.mjs}

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { promptYesNo } from './chunk-RZQTHTXX.mjs';
+import { promptYesNo } from './chunk-ITAFAORS.mjs';
 import { ENV_SCOPE, DOMAIN_TYPE } from './chunk-MXYUAJEW.mjs';
 import { parseArgs, flagBool, flagString } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuth, readProjectLink } from './chunk-LS2VTSMQ.mjs';
-import { CliError, CLI_ERROR_CODE, info, dim, result, bold, success } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuth, readProjectLink } from './chunk-UBAI443T.mjs';
+import { CliError, CLI_ERROR_CODE, info, dim, result, bold, success } from './chunk-E2T2SBP5.mjs';
 
 // src/commands/domains.ts
 var SUB_LS = "ls";

package/dist/{env-EVMYQUIK.mjs → env-7ISJ73YI.mjs}

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
-import { formatEnvFile, parseEnvFile, parseKeyValueArg } from './chunk-YI7UMMM7.mjs';
-import { promptYesNo } from './chunk-RZQTHTXX.mjs';
+import { formatEnvFile, parseEnvFile, parseKeyValueArg } from './chunk-DBZ3UOQ2.mjs';
+import { promptYesNo } from './chunk-ITAFAORS.mjs';
 import { ENV_SCOPE, PUBLIC_ENV_PREFIX, SECRET_MASK } from './chunk-MXYUAJEW.mjs';
 import { parseArgs, flagString, flagBool } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuth, readProjectLink } from './chunk-LS2VTSMQ.mjs';
-import { CliError, CLI_ERROR_CODE, info, dim, result, bold, success } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuth, readProjectLink } from './chunk-UBAI443T.mjs';
+import { CliError, CLI_ERROR_CODE, info, dim, result, bold, success } from './chunk-E2T2SBP5.mjs';
 import { promises } from 'fs';
 import path from 'path';
 

package/dist/{explain-3KBMWL6M.mjs → explain-MZOCDFZE.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
-import { package_default } from './chunk-YQVMG62Z.mjs';
+import { package_default } from './chunk-ASZVWVMM.mjs';
 import { parseArgs } from './chunk-C4M3DXKC.mjs';
-import { bold, dim, info, result, CliError, CLI_ERROR_CODE } from './chunk-I3XQSSOT.mjs';
+import { bold, dim, info, result, CliError, CLI_ERROR_CODE } from './chunk-E2T2SBP5.mjs';
 
 // src/embedded-docs.ts
 var TOPICS = [

package/dist/introspect-IVI65FEV.mjs

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+export { run as default, extractMockSeed, gatherIntrospection, renderIntrospection } from './chunk-SDSOORT6.mjs';
+import './chunk-K5464A3L.mjs';
+import './chunk-DBZ3UOQ2.mjs';
+import './chunk-ASZVWVMM.mjs';
+import './chunk-C4M3DXKC.mjs';
+import './chunk-UBAI443T.mjs';
+import './chunk-E2T2SBP5.mjs';

package/dist/{link-X3E4UZBF.mjs → link-DZSILT5N.mjs}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 import { parseArgs } from './chunk-C4M3DXKC.mjs';
-import { ApiClient } from './chunk-D7WMSGKK.mjs';
-import { readAuth, writeProjectLink } from './chunk-LS2VTSMQ.mjs';
-import { CliError, CLI_ERROR_CODE, success, info, dim, result } from './chunk-I3XQSSOT.mjs';
+import { ApiClient } from './chunk-MAOO6ZZ5.mjs';
+import { readAuth, writeProjectLink } from './chunk-UBAI443T.mjs';
+import { CliError, CLI_ERROR_CODE, success, info, dim, result } from './chunk-E2T2SBP5.mjs';
 
 // src/commands/link.ts
 function projectEndpoint(businessId, projectId) {

package/dist/{list-TE54SJIB.mjs → list-JOQRPYX4.mjs}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
-import { REGISTRY_INDEX } from './chunk-MHK4WVNF.mjs';
+import { REGISTRY_INDEX } from './chunk-42PFJBC6.mjs';
 import { parseArgs, flagBool } from './chunk-C4M3DXKC.mjs';
-import { CliError, CLI_ERROR_CODE, info, bold, dim, green, result } from './chunk-I3XQSSOT.mjs';
+import { CliError, CLI_ERROR_CODE, info, bold, dim, green, result } from './chunk-E2T2SBP5.mjs';
 
 // src/commands/list.ts
 async function run(argv) {