@comergehq/cli 0.1.4 → 0.1.6

package/dist/cli.js

@@ -5,14 +5,10 @@ import { Command } from "commander";
 import pc10 from "picocolors";
 import { createRequire } from "module";
 
-// src/commands/shellInit.ts
-import path5 from "path";
-import os from "os";
+// src/commands/login.ts
 import pc from "picocolors";
-import prompts from "prompts";
-import fse4 from "fs-extra";
 
-// src/lib/errors.ts
+// src/errors/cliError.ts
 var CliError = class extends Error {
   exitCode;
   hint;
@@ -24,71 +20,245 @@ var CliError = class extends Error {
   }
 };
 
-// src/lib/packageJson.ts
-import fs from "fs/promises";
-async function readPackageJson(projectRoot) {
-  const raw = await fs.readFile(`${projectRoot}/package.json`, "utf8").catch(() => null);
-  if (!raw) {
-    throw new CliError("package.json not found", { exitCode: 2 });
-  }
+// src/config/config.ts
+import { z } from "zod";
+var API_URL = "https://comerge.ai";
+var SUPABASE_URL = "https://xtfxwbckjpfmqubnsusu.supabase.co";
+var SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Inh0Znh3YmNranBmbXF1Ym5zdXN1Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjA2MDEyMzAsImV4cCI6MjA3NjE3NzIzMH0.dzWGAWrK4CvrmHVHzf8w7JlUZohdap0ZPnLZnABMV8s";
+function isValidUrl(value) {
   try {
-    return JSON.parse(raw);
+    new URL(value);
+    return true;
   } catch {
-    throw new CliError("Failed to parse package.json", { exitCode: 2 });
+    return false;
   }
 }
-var STUDIO_PEERS = [
-  "@callstack/liquid-glass",
-  "@supabase/supabase-js",
-  "@gorhom/bottom-sheet",
-  "expo-file-system",
-  "expo-haptics",
-  "expo-linear-gradient",
-  "lucide-react-native",
-  "react-native-gesture-handler",
-  "react-native-reanimated",
-  "react-native-safe-area-context",
-  "react-native-svg",
-  "react-native-view-shot"
-];
-function buildShellPackageJson(params) {
-  const orig = params.original;
-  const warnings = [];
-  const info = [];
-  const dependencies = { ...orig.dependencies ?? {} };
-  const devDependencies = { ...orig.devDependencies ?? {} };
-  const main2 = "expo-router/entry";
-  dependencies["@comergehq/studio"] = params.studioVersion || "latest";
-  dependencies["@comergehq/runtime"] = params.studioVersion || "latest";
-  if (!dependencies["expo-router"] && !devDependencies["expo-router"]) {
-    dependencies["expo-router"] = "latest";
-    warnings.push("Added missing dependency expo-router@latest");
+var urlSchema = z.string().min(1).transform((s) => s.trim()).refine((s) => isValidUrl(s), "Invalid URL.").transform((s) => s.replace(/\/+$/, ""));
+var configSchema = z.object({
+  apiUrl: urlSchema,
+  supabaseUrl: urlSchema,
+  supabaseAnonKey: z.string().min(1)
+});
+var cachedConfig = null;
+async function resolveConfig(_opts) {
+  if (cachedConfig) return cachedConfig;
+  const cfgRaw = {
+    apiUrl: API_URL,
+    supabaseUrl: SUPABASE_URL,
+    supabaseAnonKey: SUPABASE_ANON_KEY
+  };
+  const parsedCfg = configSchema.safeParse(cfgRaw);
+  if (!parsedCfg.success) {
+    throw new CliError("Invalid CLI configuration.", {
+      exitCode: 1,
+      hint: parsedCfg.error.issues.map((i) => `${i.path.join(".") || "config"}: ${i.message}`).join("; ")
+    });
   }
-  for (const dep of STUDIO_PEERS) {
-    if (dependencies[dep] || devDependencies[dep]) continue;
-    dependencies[dep] = "latest";
-    info.push(`Added missing peer dependency ${dep}@latest`);
+  cachedConfig = parsedCfg.data;
+  return parsedCfg.data;
+}
+
+// src/services/oauthCallbackServer.ts
+import http from "http";
+async function startOAuthCallbackServer(params) {
+  const timeoutMs = params?.timeoutMs ?? 3 * 6e4;
+  const requestedPort = params?.port ?? null;
+  let resolveCode = null;
+  let rejectCode = null;
+  const codePromise = new Promise((resolve, reject) => {
+    resolveCode = resolve;
+    rejectCode = reject;
+  });
+  const server = http.createServer((req, res) => {
+    try {
+      const base = `http://127.0.0.1`;
+      const u = new URL(req.url ?? "/", base);
+      const errorDescription = u.searchParams.get("error_description");
+      const error = u.searchParams.get("error");
+      const code = u.searchParams.get("code");
+      if (errorDescription || error) {
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(
+          `<html><body><h3>Sign-in failed</h3><p>${escapeHtml(errorDescription ?? error ?? "Unknown error")}</p></body></html>`
+        );
+        rejectCode?.(new CliError("Sign-in failed.", { exitCode: 1, hint: errorDescription ?? error ?? void 0 }));
+        return;
+      }
+      if (!code) {
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`<html><body><h3>Missing code</h3><p>No authorization code was provided.</p></body></html>`);
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(
+        `<html><body><h3>Sign-in complete</h3><p>You can close this tab and return to the terminal.</p></body></html>`
+      );
+      resolveCode?.(code);
+    } catch (err) {
+      rejectCode?.(err);
+      res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+      res.end("Internal error.");
+    } finally {
+      try {
+        server.close();
+      } catch {
+      }
+    }
+  });
+  const listenPort = typeof requestedPort === "number" ? requestedPort : 0;
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(listenPort, "127.0.0.1", () => resolve());
+  });
+  const addr = server.address();
+  if (!addr || typeof addr === "string") {
+    server.close();
+    throw new CliError("Failed to start the local callback server.", { exitCode: 1 });
   }
-  const pkg = {
-    ...orig,
-    name: orig.name ? `${orig.name}-comerge-shell` : "comerge-shell",
-    private: true,
-    main: main2,
-    scripts: {
-      dev: "expo start -c",
-      ios: "expo start -c --ios",
-      android: "expo start -c --android",
-      web: "expo start -c --web",
-      ...orig.scripts ?? {}
+  const redirectTo = `http://127.0.0.1:${addr.port}/callback`;
+  const timeout = setTimeout(() => {
+    rejectCode?.(
+      new CliError("Sign-in timed out.", {
+        exitCode: 1,
+        hint: "Try running `comerge login` again."
+      })
+    );
+    try {
+      server.close();
+    } catch {
+    }
+  }, timeoutMs).unref();
+  const waitForCode = async () => {
+    try {
+      return await codePromise;
+    } finally {
+      clearTimeout(timeout);
+    }
+  };
+  const close = async () => {
+    clearTimeout(timeout);
+    await new Promise((resolve) => server.close(() => resolve())).catch(() => {
+    });
+  };
+  return { redirectTo, waitForCode, close };
+}
+function escapeHtml(input) {
+  return input.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/\"/g, "&quot;").replace(/'/g, "&#039;");
+}
+
+// src/utils/browser.ts
+import { execa } from "execa";
+async function openBrowser(url) {
+  const platform = process.platform;
+  try {
+    if (platform === "darwin") {
+      await execa("open", [url], { stdio: "ignore" });
+      return;
+    }
+    if (platform === "win32") {
+      await execa("cmd", ["/c", "start", "", url], { stdio: "ignore", windowsHide: true });
+      return;
+    }
+    await execa("xdg-open", [url], { stdio: "ignore" });
+  } catch (err) {
+    throw new CliError("Could not open a browser automatically.", {
+      exitCode: 1,
+      hint: `Open this URL in a browser:
+${url}
+
+${err?.message ?? String(err)}`
+    });
+  }
+}
+
+// src/clients/supabase.ts
+import { createClient } from "@supabase/supabase-js";
+function createInMemoryStorage() {
+  const map = /* @__PURE__ */ new Map();
+  return {
+    getItem: (k) => map.get(k) ?? null,
+    setItem: (k, v) => {
+      map.set(k, v);
     },
-    dependencies,
-    devDependencies
+    removeItem: (k) => {
+      map.delete(k);
+    }
+  };
+}
+function createSupabaseClient(config, storage) {
+  return createClient(config.supabaseUrl, config.supabaseAnonKey, {
+    auth: {
+      flowType: "pkce",
+      persistSession: false,
+      autoRefreshToken: false,
+      detectSessionInUrl: false,
+      storage
+    },
+    global: {
+      headers: {
+        "X-Requested-By": "comerge-cli"
+      }
+    }
+  });
+}
+function toStoredSession(session) {
+  if (!session.access_token || !session.refresh_token || !session.expires_at) {
+    throw new CliError("Supabase session is missing required fields.", { exitCode: 1 });
+  }
+  return {
+    access_token: session.access_token,
+    refresh_token: session.refresh_token,
+    expires_at: session.expires_at,
+    token_type: session.token_type ?? void 0,
+    user: session.user ? { id: session.user.id, email: session.user.email ?? null } : void 0
+  };
+}
+function createSupabaseAuthHelpers(config) {
+  const storage = createInMemoryStorage();
+  const supabase = createSupabaseClient(config, storage);
+  return {
+    async startGoogleLogin(params) {
+      const { data, error } = await supabase.auth.signInWithOAuth({
+        provider: "google",
+        options: {
+          redirectTo: params.redirectTo,
+          skipBrowserRedirect: true,
+          queryParams: {
+            access_type: "offline",
+            prompt: "consent"
+          }
+        }
+      });
+      if (error) throw error;
+      if (!data?.url) throw new CliError("Supabase did not return an OAuth URL.", { exitCode: 1 });
+      return { url: data.url };
+    },
+    async exchangeCode(params) {
+      const { data, error } = await supabase.auth.exchangeCodeForSession(params.code);
+      if (error) throw error;
+      if (!data?.session) throw new CliError("Supabase did not return a session.", { exitCode: 1 });
+      return toStoredSession(data.session);
+    },
+    async refreshWithStoredSession(params) {
+      const { data, error } = await supabase.auth.setSession({
+        access_token: params.session.access_token,
+        refresh_token: params.session.refresh_token
+      });
+      if (error) throw error;
+      if (!data?.session) throw new CliError("No session returned after refresh.", { exitCode: 1 });
+      return toStoredSession(data.session);
+    }
   };
-  return { pkg, warnings, info };
 }
 
-// src/lib/fs.ts
+// src/services/sessionStore.ts
 import fs2 from "fs/promises";
+import os from "os";
+import path2 from "path";
+import { z as z2 } from "zod";
+
+// src/utils/fs.ts
+import fs from "fs/promises";
 import path from "path";
 import fse from "fs-extra";
 async function findAvailableDirPath(preferredDir) {
@@ -100,7 +270,7 @@ async function findAvailableDirPath(preferredDir) {
     const candidate = path.join(parent, `${base}-${i}`);
     if (!await fse.pathExists(candidate)) return candidate;
   }
-  throw new CliError("Could not find an available output directory name", {
+  throw new CliError("No available output directory name.", {
     exitCode: 2,
     hint: `Tried ${base}-2 through ${base}-1000 under ${parent}.`
   });
@@ -108,7 +278,7 @@ async function findAvailableDirPath(preferredDir) {
 async function ensureEmptyDir(dir) {
   const exists2 = await fse.pathExists(dir);
   if (exists2) {
-    throw new CliError("Output directory already exists", {
+    throw new CliError("Output directory already exists.", {
       hint: `Choose a new --out directory or delete: ${dir}`,
       exitCode: 2
     });
@@ -119,1640 +289,1860 @@ async function writeJsonAtomic(filePath, value) {
   const dir = path.dirname(filePath);
   await fse.mkdirp(dir);
   const tmp = `${filePath}.tmp-${Date.now()}`;
-  await fs2.writeFile(tmp, JSON.stringify(value, null, 2) + "\n", "utf8");
-  await fs2.rename(tmp, filePath);
+  await fs.writeFile(tmp, JSON.stringify(value, null, 2) + "\n", "utf8");
+  await fs.rename(tmp, filePath);
 }
 async function writeTextAtomic(filePath, contents) {
   const dir = path.dirname(filePath);
   await fse.mkdirp(dir);
   const tmp = `${filePath}.tmp-${Date.now()}`;
-  await fs2.writeFile(tmp, contents, "utf8");
-  await fs2.rename(tmp, filePath);
+  await fs.writeFile(tmp, contents, "utf8");
+  await fs.rename(tmp, filePath);
 }
 
-// src/lib/projectDetect.ts
-import fs3 from "fs/promises";
-import path2 from "path";
-async function fileExists(p) {
-  try {
-    const st = await fs3.stat(p);
-    return st.isFile();
-  } catch {
-    return false;
-  }
-}
-async function findExpoProjectRoot(startDir) {
-  let cur = path2.resolve(startDir);
-  while (true) {
-    const pkg = path2.join(cur, "package.json");
-    if (await fileExists(pkg)) {
-      const hasAppJson = await fileExists(path2.join(cur, "app.json"));
-      const hasAppConfig = await fileExists(path2.join(cur, "app.config.js")) || await fileExists(path2.join(cur, "app.config.ts"));
-      if (!hasAppJson && !hasAppConfig) {
-      } else {
-        return cur;
-      }
-    }
-    const parent = path2.dirname(cur);
-    if (parent === cur) break;
-    cur = parent;
-  }
-  throw new CliError("Not inside an Expo project", {
-    hint: "Run this command from the root of your Expo project repository.",
-    exitCode: 2
-  });
-}
-
-// src/lib/templates.ts
-function shellLayoutTsx() {
-  return `import { Stack } from 'expo-router';
-import { GestureHandlerRootView } from 'react-native-gesture-handler';
-
-export default function Layout() {
-  return (
-    <GestureHandlerRootView style={{ flex: 1 }}>
-      <Stack screenOptions={{ headerShown: false }} />
-    </GestureHandlerRootView>
-  );
-}
-`;
-}
-function shellIndexTsx() {
-  return `import * as React from 'react';
-import { View } from 'react-native';
-import { Stack } from 'expo-router';
-import { ComergeStudio } from '@comergehq/studio';
-
-// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-// @ts-ignore
-import config from '../comerge.config.json';
-
-export default function Index() {
-  const appId = String((config as any)?.appId || '');
-  const appKey = String((config as any)?.appKey || 'MicroMain');
-  const apiKey = String((config as any)?.apiKey || '');
-  return (
-    <>
-      <Stack.Screen options={{ headerShown: false }} />
-      <View style={{ flex: 1 }}>
-        {appId ? <ComergeStudio appId={appId} apiKey={apiKey} appKey={appKey} /> : null}
-      </View>
-    </>
-  );
-}
-`;
-}
-function shellBabelConfigJs() {
-  return `module.exports = function (api) {
-  api.cache(true);
-  return {
-    presets: ['babel-preset-expo'],
-    plugins: ['react-native-reanimated/plugin'],
-  };
-};
-`;
+// src/services/sessionStore.ts
+var storedSessionSchema = z2.object({
+  access_token: z2.string().min(1),
+  refresh_token: z2.string().min(1),
+  expires_at: z2.number().int().positive(),
+  token_type: z2.string().min(1).optional(),
+  user: z2.object({
+    id: z2.string().min(1),
+    email: z2.string().email().optional().nullable()
+  }).optional()
+});
+var KEYTAR_SERVICE = "comerge-cli";
+var KEYTAR_ACCOUNT = "default";
+function xdgConfigHome() {
+  const v = process.env.XDG_CONFIG_HOME;
+  if (typeof v === "string" && v.trim().length > 0) return v;
+  return path2.join(os.homedir(), ".config");
 }
-function shellMetroConfigJs() {
-  return `const { getDefaultConfig } = require('expo/metro-config');
-
-const config = getDefaultConfig(__dirname);
-
-module.exports = config;
-`;
+function sessionFilePath() {
+  return path2.join(xdgConfigHome(), "comerge", "session.json");
 }
-
-// src/lib/packageManager.ts
-import fs4 from "fs/promises";
-async function exists(p) {
+async function maybeLoadKeytar() {
   try {
-    await fs4.stat(p);
-    return true;
+    const mod = await import("keytar");
+    const candidates = [mod?.default, mod].filter(Boolean);
+    for (const c of candidates) {
+      if (c && typeof c.getPassword === "function" && typeof c.setPassword === "function" && typeof c.deletePassword === "function") {
+        return c;
+      }
+    }
+    return null;
   } catch {
-    return false;
+    return null;
   }
 }
-async function detectPackageManager(projectRoot) {
-  if (await exists(`${projectRoot}/pnpm-lock.yaml`)) return "pnpm";
-  if (await exists(`${projectRoot}/yarn.lock`)) return "yarn";
-  if (await exists(`${projectRoot}/package-lock.json`)) return "npm";
-  if (await exists(`${projectRoot}/bun.lockb`)) return "bun";
-  return "npm";
-}
-function installCommand(pm) {
-  switch (pm) {
-    case "pnpm":
-      return { cmd: "pnpm", args: ["install"] };
-    case "yarn":
-      return { cmd: "yarn", args: ["install"] };
-    case "bun":
-      return { cmd: "bun", args: ["install"] };
-    case "npm":
-    default:
-      return { cmd: "npm", args: ["install"] };
+async function ensurePathPermissions(filePath) {
+  const dir = path2.dirname(filePath);
+  await fs2.mkdir(dir, { recursive: true });
+  try {
+    await fs2.chmod(dir, 448);
+  } catch {
+  }
+  try {
+    await fs2.chmod(filePath, 384);
+  } catch {
   }
 }
-
-// src/commands/shellInit.ts
-import { execa } from "execa";
-
-// src/lib/copyProject.ts
-import path3 from "path";
-import fse2 from "fs-extra";
-var ALWAYS_EXCLUDE_DIRS = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  ".expo",
-  "dist",
-  "build"
-]);
-function normalizeRel(relPath) {
-  return relPath.replace(/\\/g, "/").replace(/^\/+/, "");
+async function getSession() {
+  const keytar = await maybeLoadKeytar();
+  if (keytar) {
+    const raw2 = await keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
+    if (!raw2) return null;
+    try {
+      const parsed = storedSessionSchema.safeParse(JSON.parse(raw2));
+      if (!parsed.success) return null;
+      return parsed.data;
+    } catch {
+      return null;
+    }
+  }
+  const fp = sessionFilePath();
+  const raw = await fs2.readFile(fp, "utf8").catch(() => null);
+  if (!raw) return null;
+  try {
+    const parsed = storedSessionSchema.safeParse(JSON.parse(raw));
+    if (!parsed.success) return null;
+    await ensurePathPermissions(fp);
+    return parsed.data;
+  } catch {
+    return null;
+  }
 }
-function shouldExclude(relPath) {
-  const rel = normalizeRel(relPath);
-  const parts = rel.split("/").filter(Boolean);
-  const top = parts[0] ?? "";
-  if (!top) return false;
-  if (ALWAYS_EXCLUDE_DIRS.has(top)) return true;
-  if (top.startsWith("comerge-shell")) return true;
-  if (rel.startsWith("ios/build/") || rel === "ios/build") return true;
-  if (rel.startsWith("android/build/") || rel === "android/build") return true;
-  return false;
+async function setSession(session) {
+  const parsed = storedSessionSchema.safeParse(session);
+  if (!parsed.success) {
+    throw new CliError("Session data is invalid and was not stored.", { exitCode: 1 });
+  }
+  const keytar = await maybeLoadKeytar();
+  if (keytar) {
+    await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT, JSON.stringify(parsed.data));
+    return;
+  }
+  const fp = sessionFilePath();
+  await writeJsonAtomic(fp, parsed.data);
+  await ensurePathPermissions(fp);
 }
-async function copyProject(params) {
-  const src = path3.resolve(params.projectRoot);
-  const dest = path3.resolve(params.outRoot);
-  const srcExists = await fse2.pathExists(src);
-  if (!srcExists) {
-    throw new CliError("Project root does not exist", { exitCode: 2 });
+async function clearSession() {
+  const keytar = await maybeLoadKeytar();
+  if (keytar) {
+    await keytar.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
+    return;
   }
-  await fse2.copy(src, dest, {
-    dereference: true,
-    preserveTimestamps: true,
-    filter: (srcPath) => {
-      const rel = path3.relative(src, srcPath);
-      if (!rel) return true;
-      return !shouldExclude(rel);
-    }
+  const fp = sessionFilePath();
+  await fs2.rm(fp, { force: true }).catch(() => {
   });
 }
 
-// src/lib/stripProject.ts
-import path4 from "path";
-import fse3 from "fs-extra";
-var DEFAULT_STRIP_DIRS = ["app", "src", "components", "lib", "hooks", "providers"];
-async function stripProject(params) {
-  const dirs = params.dirs ?? DEFAULT_STRIP_DIRS;
-  await Promise.all(
-    dirs.map(async (d) => {
-      const p = path4.join(params.outRoot, d);
-      const exists2 = await fse3.pathExists(p);
-      if (!exists2) return;
-      await fse3.remove(p);
-    })
-  );
-}
-
-// src/commands/shellInit.ts
-import fs7 from "fs/promises";
-
-// src/lib/appJsonPatch.ts
-import fs5 from "fs/promises";
-function pluginName(entry) {
-  if (Array.isArray(entry)) return typeof entry[0] === "string" ? entry[0] : null;
-  return typeof entry === "string" ? entry : null;
+// src/clients/api.ts
+function shouldRefreshSoon(session, skewSeconds = 60) {
+  const nowSec = Math.floor(Date.now() / 1e3);
+  return session.expires_at <= nowSec + skewSeconds;
 }
-async function ensureComergeShellPlugins(appJsonPath) {
-  let raw;
-  try {
-    raw = await fs5.readFile(appJsonPath, "utf8");
-  } catch {
-    return false;
-  }
-  let parsed;
+async function readJsonSafe(res) {
+  const ct = res.headers.get("content-type") ?? "";
+  if (!ct.toLowerCase().includes("application/json")) return null;
   try {
-    parsed = JSON.parse(raw);
+    return await res.json();
   } catch {
-    throw new CliError("Failed to parse app.json in generated shell", { exitCode: 2 });
+    return null;
   }
-  const expo = parsed.expo;
-  if (!expo || typeof expo !== "object") return false;
-  const plugins = Array.isArray(expo.plugins) ? [...expo.plugins] : [];
-  const routerEntry = plugins.find((p) => pluginName(p) === "expo-router");
-  const runtimeEntry = plugins.find((p) => pluginName(p) === "@comergehq/runtime");
-  const needsRouter = !routerEntry;
-  const needsRuntime = !runtimeEntry;
-  if (!needsRouter && !needsRuntime) return false;
-  const rest = plugins.filter((p) => {
-    const name = pluginName(p);
-    return name !== "expo-router" && name !== "@comergehq/runtime";
-  });
-  expo.plugins = [routerEntry ?? "expo-router", runtimeEntry ?? "@comergehq/runtime", ...rest];
-  await fs5.writeFile(appJsonPath, JSON.stringify({ expo }, null, 2) + "\n", "utf8");
-  return true;
-}
-
-// src/lib/reanimated.ts
-import fs6 from "fs/promises";
-async function ensureReanimatedBabelPlugin(babelConfigPath) {
-  const raw = await fs6.readFile(babelConfigPath, "utf8").catch(() => null);
-  if (!raw) return false;
-  if (raw.includes("react-native-reanimated/plugin")) return false;
-  const patched = patchBabelConfigAddReanimatedPlugin(raw);
-  if (patched === raw) return false;
-  await fs6.writeFile(babelConfigPath, patched, "utf8");
-  return true;
 }
-function patchBabelConfigAddReanimatedPlugin(raw) {
-  const pluginsMatch = /(^|\n)([ \t]*)plugins\s*:\s*\[/m.exec(raw);
-  if (pluginsMatch) {
-    const matchIdx = pluginsMatch.index + pluginsMatch[1].length;
-    const indent = pluginsMatch[2] ?? "";
-    const bracketIdx = raw.indexOf("[", matchIdx);
-    if (bracketIdx >= 0) {
-      const closeIdx = findMatchingBracket(raw, bracketIdx, "[", "]");
-      if (closeIdx >= 0) {
-        const inner = raw.slice(bracketIdx + 1, closeIdx);
-        const innerTrim = inner.trim();
-        const innerTrimEnd = inner.replace(/[ \t\r\n]+$/g, "");
-        const elementIndent = indent + "  ";
-        let insert = "";
-        if (!innerTrim) {
-          insert = `
-${elementIndent}'react-native-reanimated/plugin'
-${indent}`;
-        } else if (innerTrimEnd.endsWith(",")) {
-          insert = `
-${elementIndent}'react-native-reanimated/plugin'`;
-        } else {
-          insert = `,
-${elementIndent}'react-native-reanimated/plugin'`;
-        }
-        return raw.slice(0, closeIdx) + insert + raw.slice(closeIdx);
-      }
-    }
+async function getAuthToken(config) {
+  const envToken = process.env.COMERGE_ACCESS_TOKEN;
+  if (typeof envToken === "string" && envToken.trim().length > 0) {
+    return { token: envToken.trim(), session: null, fromEnv: true };
   }
-  const presetsMatch = /(^|\n)([ \t]*)presets\s*:\s*\[[^\]]*\]\s*,?/m.exec(raw);
-  if (presetsMatch) {
-    const indent = presetsMatch[2] ?? "";
-    const insertAt = presetsMatch.index + presetsMatch[0].length;
-    const insertion = `
-${indent}// Required by react-native-reanimated. Must be listed last.
-${indent}plugins: ['react-native-reanimated/plugin'],`;
-    return raw.slice(0, insertAt) + insertion + raw.slice(insertAt);
+  let session = await getSession();
+  if (!session) {
+    throw new CliError("Not signed in.", {
+      exitCode: 2,
+      hint: "Run `comerge login`, or set COMERGE_ACCESS_TOKEN for CI."
+    });
   }
-  return raw;
-}
-function findMatchingBracket(text, openIdx, open, close) {
-  let depth = 0;
-  let inSingle = false;
-  let inDouble = false;
-  let inTemplate = false;
-  let inLineComment = false;
-  let inBlockComment = false;
-  for (let i = openIdx; i < text.length; i++) {
-    const ch = text[i];
-    const next = text[i + 1];
-    if (inLineComment) {
-      if (ch === "\n") inLineComment = false;
-      continue;
-    }
-    if (inBlockComment) {
-      if (ch === "*" && next === "/") {
-        inBlockComment = false;
-        i++;
-      }
-      continue;
-    }
-    if (!inSingle && !inDouble && !inTemplate) {
-      if (ch === "/" && next === "/") {
-        inLineComment = true;
-        i++;
-        continue;
-      }
-      if (ch === "/" && next === "*") {
-        inBlockComment = true;
-        i++;
-        continue;
-      }
-    }
-    if (!inDouble && !inTemplate && ch === "'" && text[i - 1] !== "\\") {
-      inSingle = !inSingle;
-      continue;
-    }
-    if (!inSingle && !inTemplate && ch === `"` && text[i - 1] !== "\\") {
-      inDouble = !inDouble;
-      continue;
+  if (shouldRefreshSoon(session)) {
+    try {
+      const supabase = createSupabaseAuthHelpers(config);
+      session = await supabase.refreshWithStoredSession({ session });
+      await setSession(session);
+    } catch (err) {
+      void err;
     }
-    if (!inSingle && !inDouble && ch === "`" && text[i - 1] !== "\\") {
-      inTemplate = !inTemplate;
-      continue;
+  }
+  return { token: session.access_token, session, fromEnv: false };
+}
+function createApiClient(config, opts) {
+  const cfg = config;
+  const apiKey = (opts?.apiKey ?? "").trim();
+  const CLIENT_KEY_HEADER = "x-comerge-api-key";
+  async function request(path13, init) {
+    const { token, session, fromEnv } = await getAuthToken(cfg);
+    const url = new URL(path13, cfg.apiUrl).toString();
+    const doFetch = async (bearer) => {
+      const res2 = await fetch(url, {
+        ...init,
+        headers: {
+          Accept: "application/json",
+          "Content-Type": "application/json",
+          ...init?.headers ?? {},
+          Authorization: `Bearer ${bearer}`,
+          ...apiKey ? { [CLIENT_KEY_HEADER]: apiKey } : {}
+        }
+      });
+      return res2;
+    };
+    let res = await doFetch(token);
+    if (res.status === 401 && !fromEnv && session?.refresh_token) {
+      const supabase = createSupabaseAuthHelpers(cfg);
+      const refreshed = await supabase.refreshWithStoredSession({ session });
+      await setSession(refreshed);
+      res = await doFetch(refreshed.access_token);
     }
-    if (inSingle || inDouble || inTemplate) continue;
-    if (ch === open) depth++;
-    if (ch === close) {
-      depth--;
-      if (depth === 0) return i;
+    if (!res.ok) {
+      const body = await readJsonSafe(res);
+      const msg = (body && typeof body === "object" && body && "message" in body && typeof body.message === "string" ? body.message : null) ?? `Request failed (status ${res.status})`;
+      throw new CliError(msg, { exitCode: 1, hint: body ? JSON.stringify(body, null, 2) : null });
     }
+    const json = await readJsonSafe(res);
+    return json ?? null;
   }
-  return -1;
+  return {
+    getMe: () => request("/v1/me", { method: "GET" }),
+    listOrganizations: () => request("/v1/organizations", { method: "GET" }),
+    autoEnableDeveloper: () => request("/v1/developer/auto-enable", { method: "POST" }),
+    listClientApps: (params) => {
+      const qs = params?.orgId ? `?orgId=${encodeURIComponent(params.orgId)}` : "";
+      return request(`/v1/developer/client-apps${qs}`, { method: "GET" });
+    },
+    createClientApp: (payload) => request("/v1/developer/client-apps", { method: "POST", body: JSON.stringify(payload) }),
+    createClientAppKey: (clientAppId, payload) => request(`/v1/developer/client-apps/${encodeURIComponent(clientAppId)}/keys`, {
+      method: "POST",
+      body: JSON.stringify(payload ?? {})
+    }),
+    getApp: (appId) => request(`/v1/apps/${encodeURIComponent(appId)}`, { method: "GET" }),
+    presignImportUpload: (payload) => request("/v1/apps/import/upload/presign", { method: "POST", body: JSON.stringify(payload) }),
+    importFromUpload: (payload) => request("/v1/apps/import/upload", { method: "POST", body: JSON.stringify(payload) }),
+    initiateBundle: (appId, payload) => request(`/v1/apps/${encodeURIComponent(appId)}/bundles`, { method: "POST", body: JSON.stringify(payload) }),
+    getBundle: (appId, bundleId) => request(`/v1/apps/${encodeURIComponent(appId)}/bundles/${encodeURIComponent(bundleId)}`, { method: "GET" }),
+    getBundleDownloadUrl: (appId, bundleId, options) => request(
+      `/v1/apps/${encodeURIComponent(appId)}/bundles/${encodeURIComponent(bundleId)}/download?redirect=${options?.redirect ?? false}`,
+      { method: "GET" }
+    )
+  };
 }
 
-// src/commands/shellInit.ts
-async function shellInit(params) {
-  const projectRoot = await findExpoProjectRoot(process.cwd());
-  const outDirDefault = params.outDir || "comerge-shell";
-  let outDir = outDirDefault;
-  let appId = params.appId ?? "";
-  let apiKey = params.apiKey ?? "";
-  let appKey = params.appKey ?? "MicroMain";
-  if (!params.yes) {
-    const res = await prompts(
-      [
-        {
-          type: "text",
-          name: "outDir",
-          message: "Output directory",
-          initial: outDir
-        },
-        {
-          type: "text",
-          name: "appKey",
-          message: "App key",
-          initial: appKey
-        },
-        {
-          type: "text",
-          name: "appId",
-          message: "Comerge appId",
-          initial: appId,
-          validate: (value) => String(value || "").trim().length > 0 ? true : "appId is required"
-        },
-        {
-          type: "password",
-          name: "apiKey",
-          message: "Comerge apiKey",
-          initial: apiKey,
-          validate: (value) => String(value || "").trim().length > 0 ? true : "apiKey is required"
-        }
-      ],
-      {
-        onCancel: () => {
-          throw new CliError("Cancelled", { exitCode: 130 });
-        }
-      }
-    );
-    outDir = String(res.outDir || outDir);
-    appKey = String(res.appKey || appKey);
-    appId = String(res.appId || appId);
-    apiKey = String(res.apiKey || apiKey);
-  }
-  appId = String(appId || "").trim();
-  apiKey = String(apiKey || "").trim();
-  if (!appId) {
-    throw new CliError("Missing required appId", {
-      hint: "Pass --app-id <uuid> (or omit --yes to be prompted).",
-      exitCode: 2
-    });
-  }
-  if (!apiKey) {
-    throw new CliError("Missing required apiKey", {
-      hint: "Pass --api-key <key> (or omit --yes to be prompted).",
-      exitCode: 2
+// src/commands/login.ts
+function registerLoginCommand(program) {
+  program.command("login").description("Sign in to Comerge").option("--no-browser", "Do not open a browser; print the URL").option("--port <port>", "Local callback port (default: random available port)").option("--yes", "Run non-interactively", false).option("--json", "Output JSON", false).action(async (opts) => {
+    const config = await resolveConfig({
+      yes: Boolean(opts.yes)
     });
-  }
-  const requestedOutputPath = path5.resolve(projectRoot, outDir);
-  const outputPath = await findAvailableDirPath(requestedOutputPath);
-  console.log(pc.dim(`Project: ${projectRoot}`));
-  if (outputPath !== requestedOutputPath) {
-    console.log(pc.dim(`Output:  ${requestedOutputPath} (exists)`));
-    console.log(pc.dim(`Using:   ${outputPath}`));
-  } else {
-    console.log(pc.dim(`Output:  ${outputPath}`));
-  }
-  const outputIsInsideProject = outputPath === projectRoot || outputPath.startsWith(projectRoot + path5.sep);
-  const stagingPath = outputIsInsideProject ? await fs7.mkdtemp(path5.join(os.tmpdir(), "comerge-shell-")) : outputPath;
-  let movedToFinal = false;
-  try {
-    if (!outputIsInsideProject) {
-      await ensureEmptyDir(stagingPath);
-    }
-    await copyProject({ projectRoot, outRoot: stagingPath });
-    await stripProject({ outRoot: stagingPath });
-    try {
-      const didPatch = await ensureComergeShellPlugins(path5.join(stagingPath, "app.json"));
-      if (didPatch) {
-        console.log(pc.dim("Patched app.json to include required Comerge shell plugins."));
+    const portRaw = typeof opts.port === "string" ? opts.port.trim() : "";
+    let port = null;
+    if (portRaw) {
+      const parsed = Number(portRaw);
+      if (!Number.isFinite(parsed) || parsed <= 0 || !Number.isInteger(parsed)) {
+        throw new CliError("Invalid --port value", { exitCode: 2, hint: "Example: --port 8085" });
       }
-    } catch {
+      port = parsed;
     }
-    await writeJsonAtomic(path5.join(stagingPath, "comerge.config.json"), {
-      appId,
-      appKey: appKey || "MicroMain",
-      apiKey
-    });
-    await writeTextAtomic(path5.join(stagingPath, "app/_layout.tsx"), shellLayoutTsx());
-    await writeTextAtomic(path5.join(stagingPath, "app/index.tsx"), shellIndexTsx());
-    await ensureTextFile(path5.join(stagingPath, "babel.config.js"), shellBabelConfigJs());
-    await ensureTextFile(path5.join(stagingPath, "metro.config.js"), shellMetroConfigJs());
+    const server = await startOAuthCallbackServer({ port });
     try {
-      const didPatch = await ensureReanimatedBabelPlugin(path5.join(stagingPath, "babel.config.js"));
-      if (didPatch) console.log(pc.dim("Patched babel.config.js to include react-native-reanimated/plugin."));
-    } catch {
-    }
-    await ensureTextFile(
-      path5.join(stagingPath, "tsconfig.json"),
-      JSON.stringify(
-        {
-          extends: "expo/tsconfig.base",
-          compilerOptions: { strict: true, resolveJsonModule: true }
-        },
-        null,
-        2
-      ) + "\n"
-    );
-    const originalPkg = await readPackageJson(stagingPath);
-    const { pkg: shellPkg, warnings, info } = buildShellPackageJson({
-      original: originalPkg,
-      studioVersion: params.studioVersion
-    });
-    await writeJsonAtomic(path5.join(stagingPath, "package.json"), shellPkg);
-    for (const w of warnings) console.log(pc.yellow(`Warning: ${w}`));
-    for (const i of info) console.log(pc.dim(`Info: ${i}`));
-    if (outputIsInsideProject) {
-      await fse4.move(stagingPath, outputPath, { overwrite: false });
-      movedToFinal = true;
-    }
-    const finalPath = outputIsInsideProject ? outputPath : stagingPath;
-    if (params.install) {
-      const pm = params.packageManager ?? await detectPackageManager(projectRoot);
-      const { cmd, args } = installCommand(pm);
-      console.log(pc.dim(`Installing deps with ${cmd}...`));
-      const res = await execa(cmd, args, { cwd: finalPath, stdio: "inherit" });
-      if (res.exitCode !== 0) {
-        throw new CliError("Dependency install failed", { exitCode: res.exitCode ?? 1 });
-      }
-      console.log(pc.dim("Running expo prebuild..."));
-      const prebuild = await execa("npx", ["expo", "prebuild"], { cwd: finalPath, stdio: "inherit" });
-      if (prebuild.exitCode !== 0) {
-        throw new CliError("expo prebuild failed", { exitCode: prebuild.exitCode ?? 1 });
+      const supabase = createSupabaseAuthHelpers(config);
+      const { url } = await supabase.startGoogleLogin({ redirectTo: server.redirectTo });
+      const shouldOpenBrowser = Boolean(opts.browser ?? true);
+      if (shouldOpenBrowser) {
+        try {
+          await openBrowser(url);
+          console.log(pc.dim("Opened a browser for sign-in."));
+        } catch (err) {
+          console.error(pc.yellow("Could not open a browser automatically."));
+          console.error(pc.dim(err?.message ?? String(err)));
+          console.log(`Open this URL in a browser:
+${url}`);
+        }
+      } else {
+        console.log(`Open this URL to sign in:
+${url}`);
       }
-    }
-    console.log(pc.green("Shell app generated."));
-    const rel = path5.relative(process.cwd(), finalPath) || ".";
-    console.log(pc.dim(`Shell:  ${rel}`));
-    console.log(pc.dim("Next steps:"));
-    console.log(pc.dim(`  cd ${rel}`));
-    console.log(pc.dim(`  npx expo run:ios`));
-    console.log(pc.dim(`  npx expo run:android`));
-  } finally {
-    if (outputIsInsideProject && !movedToFinal) {
+      const code = await server.waitForCode();
+      const session = await supabase.exchangeCode({ code });
+      await setSession(session);
+      let me = null;
       try {
-        await fse4.remove(stagingPath);
-      } catch {
+        const api = createApiClient(config);
+        me = await api.getMe();
+      } catch (err) {
+        await clearSession().catch(() => {
+        });
+        throw err;
+      }
+      if (opts.json) {
+        console.log(JSON.stringify({ success: true, me }, null, 2));
+      } else {
+        const profile = me?.responseObject;
+        const label = profile?.email ? `${profile.email}` : profile?.id ? `user ${profile.id}` : "user";
+        console.log(pc.green(`Signed in as ${label}.`));
       }
+    } finally {
+      await server.close();
     }
-  }
-}
-async function ensureTextFile(filePath, contents) {
-  try {
-    await fs7.access(filePath);
-    return;
-  } catch {
-  }
-  await writeTextAtomic(filePath, contents);
+  });
 }
 
-// src/commands/shell.ts
-function registerShellCommands(program) {
-  const shell = program.command("shell").description("Shell app utilities");
-  shell.command("init").description("Generate an Expo Router shell app that renders Comerge Studio").option("--out <dir>", "Output directory", "comerge-shell").requiredOption("--app-id <uuid>", "Comerge appId (required)").requiredOption("--api-key <key>", "Comerge apiKey (required)").option("--app-key <key>", "Bundle app key (default MicroMain)", "MicroMain").option("--yes", "Non-interactive; use defaults", false).option("--no-install", "Skip dependency install + expo prebuild").option(
-    "--package-manager <pm>",
-    "Override package manager detection (pnpm|npm|yarn|bun)"
-  ).option("--studio-version <ver>", "Version to use for @comergehq/studio", "latest").action(async (opts) => {
-    await shellInit({
-      outDir: String(opts.out),
-      appId: String(opts.appId ?? ""),
-      apiKey: String(opts.apiKey ?? ""),
-      appKey: String(opts.appKey ?? "MicroMain"),
-      yes: Boolean(opts.yes),
-      install: Boolean(opts.install),
-      packageManager: opts.packageManager ? String(opts.packageManager) : null,
-      studioVersion: String(opts.studioVersion ?? "latest")
+// src/commands/logout.ts
+import pc2 from "picocolors";
+function registerLogoutCommand(program) {
+  program.command("logout").description("Clear the local Comerge session").option("--json", "Output JSON", false).action(async (opts) => {
+    await clearSession();
+    const envToken = process.env.COMERGE_ACCESS_TOKEN;
+    if (opts.json) {
+      console.log(JSON.stringify({ success: true, cleared: true, envTokenPresent: Boolean(envToken) }, null, 2));
+      return;
+    }
+    console.log(pc2.green("Signed out."));
+    if (envToken) {
+      console.log(pc2.dim("Note: COMERGE_ACCESS_TOKEN is set and will still authenticate requests."));
+    }
+  });
+}
+
+// src/commands/whoami.ts
+import pc3 from "picocolors";
+function registerWhoamiCommand(program) {
+  program.command("whoami").description("Show the current Comerge user").option("--yes", "Run non-interactively", false).option("--json", "Output JSON", false).action(async (opts) => {
+    const config = await resolveConfig({
+      yes: Boolean(opts.yes)
     });
+    const api = createApiClient(config);
+    const me = await api.getMe();
+    if (opts.json) {
+      console.log(JSON.stringify(me, null, 2));
+      return;
+    }
+    const profile = me?.responseObject;
+    const label = profile?.email ? `${profile.email}` : profile?.id ? `user ${profile.id}` : "unknown";
+    console.log(pc3.green(`Signed in as ${label}.`));
   });
 }
 
-// src/commands/login.ts
-import pc2 from "picocolors";
+// src/commands/init.ts
+import pc9 from "picocolors";
 
-// src/lib/config.ts
-import { z } from "zod";
+// src/services/initLocal.ts
+import os5 from "os";
+import pc8 from "picocolors";
+import prompts from "prompts";
+
+// src/services/ensureAuth.ts
+import pc4 from "picocolors";
 
-// src/lib/apiKey.ts
-import prompts2 from "prompts";
+// src/utils/tty.ts
 function isInteractive() {
   return Boolean(process.stdin.isTTY && process.stdout.isTTY);
 }
-var cachedApiKey = null;
-async function resolveStudioApiKey(params) {
-  if (cachedApiKey) return cachedApiKey;
-  const fromFlag = (params.flagApiKey ?? "").trim();
-  if (fromFlag) {
-    cachedApiKey = fromFlag;
-    return fromFlag;
-  }
-  const fromEnv = (process.env.COMERGE_API_KEY ?? "").trim();
-  if (fromEnv) {
-    cachedApiKey = fromEnv;
-    return fromEnv;
-  }
-  if (params.yes || !isInteractive()) {
-    throw new CliError("Missing required API Key", {
+
+// src/services/ensureAuth.ts
+async function validateBackendSession(params) {
+  const cfg = await resolveConfig({ yes: Boolean(params?.yes) });
+  const api = createApiClient(cfg);
+  await api.getMe();
+}
+async function ensureAuth(params) {
+  const envToken = process.env.COMERGE_ACCESS_TOKEN;
+  if (typeof envToken === "string" && envToken.trim().length > 0) return;
+  const existing = await getSession();
+  if (existing) {
+    try {
+      await validateBackendSession({ yes: params?.yes });
+      return;
+    } catch {
+    }
+  }
+  const interactive = isInteractive();
+  const yes = Boolean(params?.yes);
+  if (!interactive || yes) {
+    throw new CliError("Not signed in.", {
       exitCode: 2,
-      hint: "Pass --api-key <pk_...> or set COMERGE_API_KEY."
+      hint: "Run `comerge login`, or set COMERGE_ACCESS_TOKEN for CI."
     });
   }
-  const res = await prompts2(
-    [
-      {
-        type: "password",
-        name: "apiKey",
-        message: "API Key",
-        validate: (v) => String(v || "").trim().length > 0 ? true : "apiKey is required"
-      }
-    ],
-    {
-      onCancel: () => {
-        throw new CliError("Cancelled", { exitCode: 130 });
+  const cfg = await resolveConfig({ yes: Boolean(params?.yes) });
+  const server = await startOAuthCallbackServer({ port: null });
+  try {
+    const supabase = createSupabaseAuthHelpers(cfg);
+    const { url } = await supabase.startGoogleLogin({ redirectTo: server.redirectTo });
+    try {
+      await openBrowser(url);
+      if (!params?.json) console.log(pc4.dim("Opened a browser for sign-in."));
+    } catch {
+      if (!params?.json) {
+        console.log(pc4.yellow("Could not open a browser automatically."));
+        console.log(`Open this URL in a browser:
+${url}`);
       }
     }
-  );
-  const apiKey = String(res.apiKey ?? "").trim();
-  if (!apiKey) {
-    throw new CliError("Missing required API Key", { exitCode: 2 });
+    const code = await server.waitForCode();
+    const session = await supabase.exchangeCode({ code });
+    await setSession(session);
+    try {
+      await validateBackendSession({ yes: params?.yes });
+    } catch (err) {
+      await clearSession().catch(() => {
+      });
+      throw err;
+    }
+  } finally {
+    await server.close();
   }
-  cachedApiKey = apiKey;
-  return apiKey;
 }
 
-// src/lib/config.ts
-var API_URL = "https://comerge.ai";
-var CLIENT_KEY_HEADER = "x-comerge-api-key";
-var urlSchema = z.string().min(1).transform((s) => s.trim()).refine((s) => {
+// src/services/importLocal.ts
+import path6 from "path";
+import pc5 from "picocolors";
+
+// src/utils/projectDetect.ts
+import fs3 from "fs/promises";
+import path3 from "path";
+async function fileExists(p) {
   try {
-    new URL(s);
-    return true;
+    const st = await fs3.stat(p);
+    return st.isFile();
   } catch {
     return false;
   }
-}, "Invalid URL").transform((s) => s.replace(/\/+$/, ""));
-var configSchema = z.object({
-  apiUrl: urlSchema,
-  supabaseUrl: urlSchema,
-  supabaseAnonKey: z.string().min(1)
-});
-var studioConfigResponseSchema = z.object({
-  success: z.boolean(),
-  message: z.string(),
-  responseObject: z.object({
-    url: urlSchema,
-    anonKey: z.string().min(1)
-  }).optional(),
-  statusCode: z.number()
-});
-var cachedByApiKey = null;
-var inFlight = null;
-async function readJsonSafe(res) {
-  const ct = res.headers.get("content-type") ?? "";
-  if (!ct.toLowerCase().includes("application/json")) return null;
-  try {
-    return await res.json();
-  } catch {
-    return null;
-  }
 }
-async function resolveConfig(opts) {
-  const yes = Boolean(opts?.yes);
-  const apiKey = await resolveStudioApiKey({ flagApiKey: opts?.apiKey ?? null, yes });
-  if (cachedByApiKey?.apiKey === apiKey) return cachedByApiKey.cfg;
-  if (inFlight) return inFlight;
-  inFlight = (async () => {
-    const apiUrl = API_URL;
-    const url = new URL("/v1/public/studio-config", apiUrl).toString();
-    const res = await fetch(url, {
-      method: "GET",
-      headers: {
-        Accept: "application/json",
-        [CLIENT_KEY_HEADER]: apiKey
+async function findExpoProjectRoot(startDir) {
+  let cur = path3.resolve(startDir);
+  while (true) {
+    const pkg = path3.join(cur, "package.json");
+    if (await fileExists(pkg)) {
+      const hasAppJson = await fileExists(path3.join(cur, "app.json"));
+      const hasAppConfig = await fileExists(path3.join(cur, "app.config.js")) || await fileExists(path3.join(cur, "app.config.ts"));
+      if (!hasAppJson && !hasAppConfig) {
+      } else {
+        return cur;
       }
-    });
-    const body = await readJsonSafe(res);
-    if (!res.ok) {
-      const msg = (body && typeof body === "object" && body && "message" in body && typeof body.message === "string" ? body.message : null) ?? `Failed to fetch studio config (${res.status})`;
-      throw new CliError(msg, {
-        exitCode: 1,
-        hint: body ? JSON.stringify(body, null, 2) : "Check your API Key and backend connectivity."
-      });
-    }
-    const parsedResp = studioConfigResponseSchema.safeParse(body);
-    if (!parsedResp.success || !parsedResp.data.success || !parsedResp.data.responseObject) {
-      throw new CliError("Invalid studio-config response", {
-        exitCode: 1,
-        hint: body ? JSON.stringify(body, null, 2) : null
-      });
-    }
-    const cfgRaw = {
-      apiUrl,
-      supabaseUrl: parsedResp.data.responseObject.url,
-      supabaseAnonKey: parsedResp.data.responseObject.anonKey
-    };
-    const parsedCfg = configSchema.safeParse(cfgRaw);
-    if (!parsedCfg.success) {
-      throw new CliError("Invalid CLI configuration", {
-        exitCode: 1,
-        hint: parsedCfg.error.issues.map((i) => `${i.path.join(".") || "config"}: ${i.message}`).join("; ")
-      });
     }
-    cachedByApiKey = { apiKey, cfg: parsedCfg.data };
-    return parsedCfg.data;
-  })().finally(() => {
-    inFlight = null;
+    const parent = path3.dirname(cur);
+    if (parent === cur) break;
+    cur = parent;
+  }
+  throw new CliError("Not inside an Expo project.", {
+    hint: "Run this command from the root of your Expo project.",
+    exitCode: 2
   });
-  return inFlight;
 }
 
-// src/lib/oauthCallbackServer.ts
-import http from "http";
-async function startOAuthCallbackServer(params) {
-  const timeoutMs = params?.timeoutMs ?? 3 * 6e4;
-  const requestedPort = params?.port ?? null;
-  let resolveCode = null;
-  let rejectCode = null;
-  const codePromise = new Promise((resolve, reject) => {
-    resolveCode = resolve;
-    rejectCode = reject;
-  });
-  const server = http.createServer((req, res) => {
-    try {
-      const base = `http://127.0.0.1`;
-      const u = new URL(req.url ?? "/", base);
-      const errorDescription = u.searchParams.get("error_description");
-      const error = u.searchParams.get("error");
-      const code = u.searchParams.get("code");
-      if (errorDescription || error) {
-        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-        res.end(`<html><body><h3>Login failed</h3><p>${escapeHtml(errorDescription ?? error ?? "Unknown error")}</p></body></html>`);
-        rejectCode?.(new CliError("Login failed", { exitCode: 1, hint: errorDescription ?? error ?? void 0 }));
-        return;
-      }
-      if (!code) {
-        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
-        res.end(`<html><body><h3>Missing code</h3><p>No authorization code was provided.</p></body></html>`);
-        return;
-      }
-      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-      res.end(
-        `<html><body><h3>Login complete</h3><p>You can close this tab and return to the terminal.</p></body></html>`
-      );
-      resolveCode?.(code);
-    } catch (err) {
-      rejectCode?.(err);
-      res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end("Internal error");
-    } finally {
-      try {
-        server.close();
-      } catch {
-      }
-    }
-  });
-  const listenPort = typeof requestedPort === "number" ? requestedPort : 0;
-  await new Promise((resolve, reject) => {
-    server.once("error", reject);
-    server.listen(listenPort, "127.0.0.1", () => resolve());
-  });
-  const addr = server.address();
-  if (!addr || typeof addr === "string") {
-    server.close();
-    throw new CliError("Failed to start callback server", { exitCode: 1 });
+// src/utils/gitFiles.ts
+import { execa as execa2 } from "execa";
+async function canUseGit(cwd) {
+  try {
+    const res = await execa2("git", ["rev-parse", "--is-inside-work-tree"], { cwd, stdio: "ignore" });
+    return res.exitCode === 0;
+  } catch {
+    return false;
   }
-  const redirectTo = `http://127.0.0.1:${addr.port}/callback`;
-  const timeout = setTimeout(() => {
-    rejectCode?.(
-      new CliError("Login timed out", {
-        exitCode: 1,
-        hint: "Try running `comerge login` again."
-      })
-    );
-    try {
-      server.close();
-    } catch {
-    }
-  }, timeoutMs).unref();
-  const waitForCode = async () => {
-    try {
-      return await codePromise;
-    } finally {
-      clearTimeout(timeout);
-    }
-  };
-  const close = async () => {
-    clearTimeout(timeout);
-    await new Promise((resolve) => server.close(() => resolve())).catch(() => {
-    });
-  };
-  return { redirectTo, waitForCode, close };
 }
-function escapeHtml(input) {
-  return input.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/\"/g, "&quot;").replace(/'/g, "&#039;");
+function parseGitLsFilesZ(buf) {
+  return buf.toString("utf8").split("\0").map((s) => s.trim()).filter((s) => s.length > 0);
 }
-
-// src/lib/browser.ts
-import { execa as execa2 } from "execa";
-async function openBrowser(url) {
-  const platform = process.platform;
-  try {
-    if (platform === "darwin") {
-      await execa2("open", [url], { stdio: "ignore" });
-      return;
-    }
-    if (platform === "win32") {
-      await execa2("cmd", ["/c", "start", "", url], { stdio: "ignore", windowsHide: true });
-      return;
-    }
-    await execa2("xdg-open", [url], { stdio: "ignore" });
-  } catch (err) {
-    throw new CliError("Failed to open browser automatically", {
-      exitCode: 1,
-      hint: `Open this URL manually:
-${url}
-
-${err?.message ?? String(err)}`
-    });
+async function listFilesGit(params) {
+  const args = ["ls-files", "-z", "--cached", "--others", "--exclude-standard"];
+  if (params.pathspec) {
+    args.push("--", params.pathspec);
   }
+  const res = await execa2("git", args, { cwd: params.cwd, stdout: "pipe", stderr: "ignore" });
+  return parseGitLsFilesZ(Buffer.from(res.stdout ?? "", "utf8"));
 }
 
-// src/lib/supabase.ts
-import { createClient } from "@supabase/supabase-js";
-function createInMemoryStorage() {
-  const map = /* @__PURE__ */ new Map();
-  return {
-    getItem: (k) => map.get(k) ?? null,
-    setItem: (k, v) => {
-      map.set(k, v);
-    },
-    removeItem: (k) => {
-      map.delete(k);
-    }
-  };
-}
-function createSupabaseClient(config, storage) {
-  return createClient(config.supabaseUrl, config.supabaseAnonKey, {
-    auth: {
-      flowType: "pkce",
-      persistSession: false,
-      autoRefreshToken: false,
-      detectSessionInUrl: false,
-      storage
-    },
-    global: {
-      headers: {
-        "X-Requested-By": "comerge-cli"
-      }
-    }
+// src/utils/fileSelection.ts
+import fs4 from "fs/promises";
+import path4 from "path";
+import fg from "fast-glob";
+import ignore from "ignore";
+var BUILTIN_IGNORES = [
+  "**/node_modules/**",
+  "**/.git/**",
+  "**/.expo/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/coverage/**",
+  "**/.turbo/**",
+  "**/.next/**",
+  "**/ios/build/**",
+  "**/android/build/**",
+  "**/.pnpm-store/**",
+  "**/comerge-shell*/**"
+];
+function normalizeRel(p) {
+  return p.replace(/\\/g, "/").replace(/^\/+/, "");
+}
+async function readGitignore(root) {
+  const fp = path4.join(root, ".gitignore");
+  return await fs4.readFile(fp, "utf8").catch(() => "");
+}
+async function listFilesFs(params) {
+  const ig = ignore();
+  const raw = await readGitignore(params.root);
+  if (raw) ig.add(raw);
+  const entries = await fg(["**/*"], {
+    cwd: params.root,
+    onlyFiles: true,
+    dot: true,
+    followSymbolicLinks: false,
+    unique: true,
+    ignore: [...BUILTIN_IGNORES]
+  });
+  const filtered = entries.filter((p) => {
+    const rel = normalizeRel(p);
+    if (!params.includeDotenv && path4.posix.basename(rel).startsWith(".env")) return false;
+    return !ig.ignores(rel);
   });
+  return filtered.map(normalizeRel);
 }
-function toStoredSession(session) {
-  if (!session.access_token || !session.refresh_token || !session.expires_at) {
-    throw new CliError("Supabase session missing required fields", { exitCode: 1 });
+
+// src/utils/zip.ts
+import crypto from "crypto";
+import fs5 from "fs";
+import fsp from "fs/promises";
+import os2 from "os";
+import path5 from "path";
+import archiver from "archiver";
+var MAX_IMPORT_ZIP_BYTES = 50 * 1024 * 1024;
+var MAX_IMPORT_FILE_COUNT = 25e3;
+function normalizeRel2(p) {
+  return p.replace(/\\/g, "/").replace(/\/+/g, "/").replace(/^\/+/, "");
+}
+function validateRelPath(rel) {
+  const p = normalizeRel2(rel);
+  if (!p) throw new CliError("Invalid file path.", { exitCode: 1 });
+  if (p.startsWith("../") || p.includes("/../") || p === "..") {
+    throw new CliError("Refusing to add a path traversal entry.", { exitCode: 1, hint: p });
+  }
+  if (p.startsWith("/")) {
+    throw new CliError("Refusing to add an absolute path.", { exitCode: 1, hint: p });
+  }
+  return p;
+}
+async function computeStats(params) {
+  const largestN = params.largestN ?? 10;
+  if (params.files.length > MAX_IMPORT_FILE_COUNT) {
+    throw new CliError("Too many files to import.", {
+      exitCode: 2,
+      hint: `File count ${params.files.length} exceeds limit ${MAX_IMPORT_FILE_COUNT}. Use --path or add ignores.`
+    });
+  }
+  let totalBytes = 0;
+  const largest = [];
+  for (const rel0 of params.files) {
+    const rel = validateRelPath(rel0);
+    const abs = path5.join(params.root, rel);
+    const st = await fsp.stat(abs);
+    if (!st.isFile()) continue;
+    const bytes = st.size;
+    totalBytes += bytes;
+    if (largestN > 0) {
+      largest.push({ path: rel, bytes });
+    }
   }
+  largest.sort((a, b) => b.bytes - a.bytes);
   return {
-    access_token: session.access_token,
-    refresh_token: session.refresh_token,
-    expires_at: session.expires_at,
-    token_type: session.token_type ?? void 0,
-    user: session.user ? { id: session.user.id, email: session.user.email ?? null } : void 0
+    fileCount: params.files.length,
+    totalBytes,
+    largestFiles: largest.slice(0, largestN)
   };
 }
-function createSupabaseAuthHelpers(config) {
-  const storage = createInMemoryStorage();
-  const supabase = createSupabaseClient(config, storage);
-  return {
-    async startGoogleLogin(params) {
-      const { data, error } = await supabase.auth.signInWithOAuth({
-        provider: "google",
-        options: {
-          redirectTo: params.redirectTo,
-          skipBrowserRedirect: true,
-          queryParams: {
-            access_type: "offline",
-            prompt: "consent"
-          }
-        }
-      });
-      if (error) throw error;
-      if (!data?.url) throw new CliError("Supabase did not return an OAuth URL", { exitCode: 1 });
-      return { url: data.url };
-    },
-    async exchangeCode(params) {
-      const { data, error } = await supabase.auth.exchangeCodeForSession(params.code);
-      if (error) throw error;
-      if (!data?.session) throw new CliError("No session returned from Supabase", { exitCode: 1 });
-      return toStoredSession(data.session);
-    },
-    async refreshWithStoredSession(params) {
-      const { data, error } = await supabase.auth.setSession({
-        access_token: params.session.access_token,
-        refresh_token: params.session.refresh_token
-      });
-      if (error) throw error;
-      if (!data?.session) throw new CliError("No session returned after refresh", { exitCode: 1 });
-      return toStoredSession(data.session);
+async function createZip(params) {
+  const zipName = (params.zipName ?? "import.zip").replace(/[^a-zA-Z0-9._-]+/g, "_");
+  const tmpDir = await fsp.mkdtemp(path5.join(os2.tmpdir(), "comerge-import-"));
+  const zipPath = path5.join(tmpDir, zipName);
+  await new Promise((resolve, reject) => {
+    const output = fs5.createWriteStream(zipPath);
+    const archive = archiver("zip", { zlib: { level: 9 } });
+    output.on("close", () => resolve());
+    output.on("error", (err) => reject(err));
+    archive.on("warning", (err) => {
+      reject(err);
+    });
+    archive.on("error", (err) => reject(err));
+    archive.pipe(output);
+    for (const rel0 of params.files) {
+      const rel = validateRelPath(rel0);
+      const abs = path5.join(params.root, rel);
+      archive.file(abs, { name: rel });
     }
-  };
+    void archive.finalize();
+  });
+  const st = await fsp.stat(zipPath);
+  if (st.size > MAX_IMPORT_ZIP_BYTES) {
+    throw new CliError("Archive exceeds the upload size limit.", {
+      exitCode: 2,
+      hint: `Zip size ${st.size} bytes exceeds limit ${MAX_IMPORT_ZIP_BYTES} bytes. Use --path or add ignores.`
+    });
+  }
+  return { zipPath };
+}
+async function sha256FileHex(filePath) {
+  const hash = crypto.createHash("sha256");
+  await new Promise((resolve, reject) => {
+    const s = fs5.createReadStream(filePath);
+    s.on("data", (chunk) => hash.update(chunk));
+    s.on("error", reject);
+    s.on("end", () => resolve());
+  });
+  return hash.digest("hex");
 }
 
-// src/lib/sessionStore.ts
-import fs8 from "fs/promises";
-import os2 from "os";
-import path6 from "path";
-import { z as z2 } from "zod";
-var storedSessionSchema = z2.object({
-  access_token: z2.string().min(1),
-  refresh_token: z2.string().min(1),
-  expires_at: z2.number().int().positive(),
-  token_type: z2.string().min(1).optional(),
-  user: z2.object({
-    id: z2.string().min(1),
-    email: z2.string().email().optional().nullable()
-  }).optional()
-});
-var KEYTAR_SERVICE = "comerge-cli";
-var KEYTAR_ACCOUNT = "default";
-function xdgConfigHome() {
-  const v = process.env.XDG_CONFIG_HOME;
-  if (typeof v === "string" && v.trim().length > 0) return v;
-  return path6.join(os2.homedir(), ".config");
+// src/clients/upload.ts
+import fs6 from "fs";
+import { PassThrough } from "stream";
+async function uploadPresigned(params) {
+  const st = await fs6.promises.stat(params.filePath).catch(() => null);
+  if (!st || !st.isFile()) throw new CliError("Upload file not found.", { exitCode: 2 });
+  const totalBytes = st.size;
+  const fileStream = fs6.createReadStream(params.filePath);
+  const pass = new PassThrough();
+  let sent = 0;
+  fileStream.on("data", (chunk) => {
+    sent += chunk.length;
+    params.onProgress?.({ sentBytes: sent, totalBytes });
+  });
+  fileStream.on("error", (err) => pass.destroy(err));
+  fileStream.pipe(pass);
+  const res = await fetch(params.uploadUrl, {
+    method: "PUT",
+    headers: params.headers,
+    body: pass,
+    duplex: "half"
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new CliError("Upload failed.", {
+      exitCode: 1,
+      hint: `Status: ${res.status}
+${text}`.trim() || null
+    });
+  }
 }
-function sessionFilePath() {
-  return path6.join(xdgConfigHome(), "comerge", "session.json");
+
+// src/services/importLocal.ts
+var SAFE_PATH_RE = /^[A-Za-z0-9._/-]+$/;
+var COMERGE_SHELL_SEGMENT_RE = /(^|\/)comerge-shell[^/]*(\/|$)/;
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
 }
-async function maybeLoadKeytar() {
-  try {
-    const mod = await import("keytar");
-    const candidates = [mod?.default, mod].filter(Boolean);
-    for (const c of candidates) {
-      if (c && typeof c.getPassword === "function" && typeof c.setPassword === "function" && typeof c.deletePassword === "function") {
-        return c;
+function formatBytes(bytes) {
+  const units = ["B", "KB", "MB", "GB"];
+  let v = bytes;
+  let i = 0;
+  while (v >= 1024 && i < units.length - 1) {
+    v /= 1024;
+    i++;
+  }
+  return `${v.toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
+}
+function deriveAppName(projectRoot) {
+  const base = path6.basename(projectRoot);
+  return base || "Imported App";
+}
+function validateOptionalSubdir(subdir) {
+  if (!subdir) return null;
+  const s = subdir.trim().replace(/^\/+/, "").replace(/\\/g, "/");
+  if (!s) return null;
+  if (!SAFE_PATH_RE.test(s) || s.includes("..")) {
+    throw new CliError("Invalid --path value.", {
+      exitCode: 2,
+      hint: "Use a safe subdirectory such as packages/mobile-app (letters, numbers, ., _, -, / only)."
+    });
+  }
+  return s;
+}
+function getAppStatus(appResp) {
+  const obj = appResp?.responseObject;
+  const status = typeof obj?.status === "string" ? obj.status : null;
+  const statusError = typeof obj?.statusError === "string" ? obj.statusError : null;
+  return { status, statusError };
+}
+async function importLocal(params) {
+  const noWait = Boolean(params.noWait);
+  const maxWaitMs = 1200 * 1e3;
+  const apiKey = String(params.apiKey || "").trim();
+  if (!apiKey && !params.dryRun) {
+    throw new CliError("Missing client key.", { exitCode: 2, hint: "Sign in and rerun `comerge init`." });
+  }
+  const cfg = await resolveConfig({ yes: Boolean(params.yes) });
+  const api = createApiClient(cfg, { apiKey });
+  const projectRoot = await findExpoProjectRoot(process.cwd());
+  const subdir = validateOptionalSubdir(params.subdir);
+  const importRoot = subdir ? path6.join(projectRoot, subdir) : projectRoot;
+  const appName = (params.appName ?? "").trim() || deriveAppName(projectRoot);
+  const log = (msg) => {
+    if (params.json) return;
+    console.log(msg);
+  };
+  log(pc5.dim(`Project: ${projectRoot}`));
+  if (subdir) log(pc5.dim(`Import path: ${subdir}`));
+  let files = [];
+  const useGit = await canUseGit(projectRoot);
+  if (useGit) {
+    const gitPaths = await listFilesGit({ cwd: projectRoot, pathspec: subdir ?? null });
+    files = gitPaths.filter((p) => !COMERGE_SHELL_SEGMENT_RE.test(p.replace(/\\/g, "/")));
+    if (!params.includeDotenv) {
+      files = files.filter((p) => !path6.posix.basename(p).startsWith(".env"));
+    }
+  } else {
+    files = await listFilesFs({ root: importRoot, includeDotenv: params.includeDotenv });
+    if (subdir) {
+      files = files.map((p) => path6.posix.join(subdir, p));
+    }
+  }
+  if (files.length === 0) {
+    throw new CliError("No files found to upload.", {
+      exitCode: 2,
+      hint: "Check .gitignore or try without --path."
+    });
+  }
+  const stats = await computeStats({ root: projectRoot, files, largestN: 10 });
+  log(pc5.dim(`Files: ${stats.fileCount}  Total: ${formatBytes(stats.totalBytes)}`));
+  if (params.dryRun) {
+    const top = stats.largestFiles.slice(0, 10);
+    if (top.length > 0) {
+      log(pc5.dim("Largest files:"));
+      for (const f of top) {
+        log(pc5.dim(`  ${formatBytes(f.bytes)}  ${f.path}`));
+      }
+    }
+    return { uploadId: "dry-run", appId: "dry-run", status: "dry-run" };
+  }
+  log(pc5.dim("Creating archive..."));
+  const { zipPath } = await createZip({ root: projectRoot, files, zipName: "import.zip" });
+  const zipSha = await sha256FileHex(zipPath);
+  const zipSize = (await (await import("fs/promises")).stat(zipPath)).size;
+  log(pc5.dim("Requesting upload URL..."));
+  const presignResp = await api.presignImportUpload({
+    file: {
+      name: "import.zip",
+      mimeType: "application/zip",
+      size: zipSize,
+      checksumSha256: zipSha
+    }
+  });
+  const presign = presignResp?.responseObject;
+  const uploadId = String(presign?.uploadId ?? "");
+  const uploadUrl = String(presign?.uploadUrl ?? "");
+  const headers = presign?.headers ?? {};
+  if (!uploadId || !uploadUrl) {
+    throw new CliError("Upload URL response is missing required fields.", {
+      exitCode: 1,
+      hint: JSON.stringify(presignResp, null, 2)
+    });
+  }
+  log(pc5.dim("Uploading archive..."));
+  let lastPct = -1;
+  await uploadPresigned({
+    uploadUrl,
+    headers,
+    filePath: zipPath,
+    onProgress: ({ sentBytes, totalBytes }) => {
+      if (params.json) return;
+      const pct = totalBytes > 0 ? Math.floor(sentBytes / totalBytes * 100) : 0;
+      if (pct !== lastPct && (pct % 5 === 0 || pct === 100)) {
+        lastPct = pct;
+        process.stdout.write(pc5.dim(`Upload ${pct}%\r`));
       }
     }
-    return null;
-  } catch {
-    return null;
-  }
-}
-async function ensurePathPermissions(filePath) {
-  const dir = path6.dirname(filePath);
-  await fs8.mkdir(dir, { recursive: true });
-  try {
-    await fs8.chmod(dir, 448);
-  } catch {
+  });
+  if (!params.json) process.stdout.write("\n");
+  log(pc5.dim("Starting import..."));
+  const importResp = await api.importFromUpload({
+    uploadId,
+    appName,
+    path: subdir ?? void 0
+  });
+  const importObj = importResp?.responseObject;
+  const appId = String(importObj?.appId ?? "");
+  const projectId = importObj?.projectId ? String(importObj.projectId) : void 0;
+  const threadId = importObj?.threadId ? String(importObj.threadId) : void 0;
+  if (!appId) {
+    throw new CliError("Import response is missing the app ID.", {
+      exitCode: 1,
+      hint: JSON.stringify(importResp, null, 2)
+    });
   }
-  try {
-    await fs8.chmod(filePath, 384);
-  } catch {
+  if (noWait) {
+    return { uploadId, appId, projectId, threadId, status: "accepted" };
   }
-}
-async function getSession() {
-  const keytar = await maybeLoadKeytar();
-  if (keytar) {
-    const raw2 = await keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
-    if (!raw2) return null;
-    try {
-      const parsed = storedSessionSchema.safeParse(JSON.parse(raw2));
-      if (!parsed.success) return null;
-      return parsed.data;
-    } catch {
-      return null;
+  log(pc5.dim("Waiting for import to finish..."));
+  const startedAt = Date.now();
+  let delay = 2e3;
+  let lastStatus = null;
+  while (Date.now() - startedAt < maxWaitMs) {
+    const appResp = await api.getApp(appId);
+    const { status, statusError } = getAppStatus(appResp);
+    if (status && status !== lastStatus) {
+      lastStatus = status;
+      log(pc5.dim(`Status: ${status}`));
     }
+    if (status === "ready") {
+      return { uploadId, appId, projectId, threadId, status };
+    }
+    if (status === "error") {
+      throw new CliError("Import failed.", { exitCode: 1, hint: statusError ?? "App status is error." });
+    }
+    await sleep(delay);
+    delay = Math.min(1e4, Math.floor(delay * 1.4));
   }
-  const fp = sessionFilePath();
-  const raw = await fs8.readFile(fp, "utf8").catch(() => null);
-  if (!raw) return null;
-  try {
-    const parsed = storedSessionSchema.safeParse(JSON.parse(raw));
-    if (!parsed.success) return null;
-    await ensurePathPermissions(fp);
-    return parsed.data;
-  } catch {
-    return null;
-  }
-}
-async function setSession(session) {
-  const parsed = storedSessionSchema.safeParse(session);
-  if (!parsed.success) {
-    throw new CliError("Refusing to store invalid session", { exitCode: 1 });
-  }
-  const keytar = await maybeLoadKeytar();
-  if (keytar) {
-    await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT, JSON.stringify(parsed.data));
-    return;
-  }
-  const fp = sessionFilePath();
-  await writeJsonAtomic(fp, parsed.data);
-  await ensurePathPermissions(fp);
-}
-async function clearSession() {
-  const keytar = await maybeLoadKeytar();
-  if (keytar) {
-    await keytar.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
-    return;
-  }
-  const fp = sessionFilePath();
-  await fs8.rm(fp, { force: true }).catch(() => {
+  throw new CliError("Timed out waiting for import.", {
+    exitCode: 1,
+    hint: "Check app status with: comerge import local --no-wait"
   });
 }
 
-// src/lib/api.ts
-function shouldRefreshSoon(session, skewSeconds = 60) {
-  const nowSec = Math.floor(Date.now() / 1e3);
-  return session.expires_at <= nowSec + skewSeconds;
-}
-async function readJsonSafe2(res) {
-  const ct = res.headers.get("content-type") ?? "";
-  if (!ct.toLowerCase().includes("application/json")) return null;
+// src/commands/shellInit.ts
+import path10 from "path";
+import os3 from "os";
+import pc7 from "picocolors";
+import fse4 from "fs-extra";
+
+// src/utils/packageJson.ts
+import fs7 from "fs/promises";
+async function readPackageJson(projectRoot) {
+  const raw = await fs7.readFile(`${projectRoot}/package.json`, "utf8").catch(() => null);
+  if (!raw) {
+    throw new CliError("package.json not found.", { exitCode: 2 });
+  }
   try {
-    return await res.json();
+    return JSON.parse(raw);
   } catch {
-    return null;
+    throw new CliError("Failed to parse package.json.", { exitCode: 2 });
   }
 }
-async function getAuthToken(config) {
-  const envToken = process.env.COMERGE_ACCESS_TOKEN;
-  if (typeof envToken === "string" && envToken.trim().length > 0) {
-    return { token: envToken.trim(), session: null, fromEnv: true };
-  }
-  let session = await getSession();
-  if (!session) {
-    throw new CliError("Not logged in", {
-      exitCode: 2,
-      hint: "Run `comerge login` first, or set COMERGE_ACCESS_TOKEN for CI."
-    });
-  }
-  if (shouldRefreshSoon(session)) {
-    try {
-      const supabase = createSupabaseAuthHelpers(config);
-      session = await supabase.refreshWithStoredSession({ session });
-      await setSession(session);
-    } catch (err) {
-      void err;
-    }
+var STUDIO_PEERS = [
+  "@callstack/liquid-glass",
+  "@supabase/supabase-js",
+  "@gorhom/bottom-sheet",
+  "expo-file-system",
+  "expo-haptics",
+  "expo-linear-gradient",
+  "lucide-react-native",
+  "react-native-gesture-handler",
+  "react-native-reanimated",
+  "react-native-safe-area-context",
+  "react-native-svg",
+  "react-native-view-shot"
+];
+function buildShellPackageJson(params) {
+  const orig = params.original;
+  const warnings = [];
+  const info = [];
+  const dependencies = { ...orig.dependencies ?? {} };
+  const devDependencies = { ...orig.devDependencies ?? {} };
+  const main2 = "expo-router/entry";
+  dependencies["@comergehq/studio"] = "latest";
+  dependencies["@comergehq/runtime"] = "latest";
+  if (!dependencies["expo-router"] && !devDependencies["expo-router"]) {
+    dependencies["expo-router"] = "latest";
+    warnings.push("Added missing dependency expo-router@latest.");
   }
-  return { token: session.access_token, session, fromEnv: false };
-}
-function createApiClient(config, opts) {
-  const cfg = config;
-  const apiKey = (opts?.apiKey ?? "").trim();
-  const CLIENT_KEY_HEADER2 = "x-comerge-api-key";
-  async function request(path10, init) {
-    const { token, session, fromEnv } = await getAuthToken(cfg);
-    const url = new URL(path10, cfg.apiUrl).toString();
-    const doFetch = async (bearer) => {
-      const res2 = await fetch(url, {
-        ...init,
-        headers: {
-          Accept: "application/json",
-          "Content-Type": "application/json",
-          ...init?.headers ?? {},
-          Authorization: `Bearer ${bearer}`,
-          ...apiKey ? { [CLIENT_KEY_HEADER2]: apiKey } : {}
-        }
-      });
-      return res2;
-    };
-    let res = await doFetch(token);
-    if (res.status === 401 && !fromEnv && session?.refresh_token) {
-      const supabase = createSupabaseAuthHelpers(cfg);
-      const refreshed = await supabase.refreshWithStoredSession({ session });
-      await setSession(refreshed);
-      res = await doFetch(refreshed.access_token);
-    }
-    if (!res.ok) {
-      const body = await readJsonSafe2(res);
-      const msg = (body && typeof body === "object" && body && "message" in body && typeof body.message === "string" ? body.message : null) ?? `Request failed (${res.status})`;
-      throw new CliError(msg, { exitCode: 1, hint: body ? JSON.stringify(body, null, 2) : null });
-    }
-    const json = await readJsonSafe2(res);
-    return json ?? null;
+  for (const dep of STUDIO_PEERS) {
+    if (dependencies[dep] || devDependencies[dep]) continue;
+    dependencies[dep] = "latest";
+    info.push(`Added missing peer dependency ${dep}@latest.`);
   }
-  return {
-    getMe: () => request("/v1/me", { method: "GET" }),
-    getApp: (appId) => request(`/v1/apps/${encodeURIComponent(appId)}`, { method: "GET" }),
-    presignImportUpload: (payload) => request("/v1/apps/import/upload/presign", { method: "POST", body: JSON.stringify(payload) }),
-    importFromUpload: (payload) => request("/v1/apps/import/upload", { method: "POST", body: JSON.stringify(payload) })
+  const pkg = {
+    ...orig,
+    name: orig.name ? `${orig.name}-comerge-shell` : "comerge-shell",
+    private: true,
+    main: main2,
+    scripts: {
+      dev: "expo start -c",
+      ios: "expo start -c --ios",
+      android: "expo start -c --android",
+      web: "expo start -c --web",
+      ...orig.scripts ?? {}
+    },
+    dependencies,
+    devDependencies
   };
+  return { pkg, warnings, info };
 }
 
-// src/commands/login.ts
-function registerLoginCommand(program) {
-  program.command("login").description("Authenticate with Comerge").option("--api-key <pk>", "API Key (or set COMERGE_API_KEY)").option("--no-browser", "Do not open browser automatically; print the URL").option("--port <port>", "Local callback port (default: random available port)").option("--yes", "Non-interactive; do not prompt", false).option("--json", "Output machine-readable JSON", false).action(async (opts) => {
-    const config = await resolveConfig({
-      apiKey: opts.apiKey ? String(opts.apiKey) : null,
-      yes: Boolean(opts.yes)
-    });
-    const portRaw = typeof opts.port === "string" ? opts.port.trim() : "";
-    let port = null;
-    if (portRaw) {
-      const parsed = Number(portRaw);
-      if (!Number.isFinite(parsed) || parsed <= 0 || !Number.isInteger(parsed)) {
-        throw new CliError("Invalid --port", { exitCode: 2, hint: "Example: --port 8085" });
-      }
-      port = parsed;
-    }
-    const server = await startOAuthCallbackServer({ port });
-    try {
-      const supabase = createSupabaseAuthHelpers(config);
-      const { url } = await supabase.startGoogleLogin({ redirectTo: server.redirectTo });
-      const shouldOpenBrowser = Boolean(opts.browser ?? true);
-      if (shouldOpenBrowser) {
-        try {
-          await openBrowser(url);
-          console.log(pc2.dim("Opened browser for login..."));
-        } catch (err) {
-          console.error(pc2.yellow("Could not open the browser automatically."));
-          console.error(pc2.dim(err?.message ?? String(err)));
-          console.log(`Open this URL manually:
-${url}`);
-        }
-      } else {
-        console.log(`Open this URL to login:
-${url}`);
-      }
-      const code = await server.waitForCode();
-      const session = await supabase.exchangeCode({ code });
-      await setSession(session);
-      let me = null;
-      try {
-        const api = createApiClient(config);
-        me = await api.getMe();
-      } catch (err) {
-        await clearSession().catch(() => {
-        });
-        throw err;
-      }
-      if (opts.json) {
-        console.log(JSON.stringify({ success: true, me }, null, 2));
-      } else {
-        const profile = me?.responseObject;
-        const label = profile?.email ? `${profile.email}` : profile?.id ? `user ${profile.id}` : "user";
-        console.log(pc2.green(`Logged in as ${label}.`));
-      }
-    } finally {
-      await server.close();
-    }
-  });
+// src/utils/templates.ts
+function shellLayoutTsx() {
+  return `import { Stack } from 'expo-router';
+import { GestureHandlerRootView } from 'react-native-gesture-handler';
+
+export default function Layout() {
+  return (
+    <GestureHandlerRootView style={{ flex: 1 }}>
+      <Stack screenOptions={{ headerShown: false }} />
+    </GestureHandlerRootView>
+  );
 }
-
-// src/commands/logout.ts
-import pc3 from "picocolors";
-function registerLogoutCommand(program) {
-  program.command("logout").description("Clear local Comerge authentication session").option("--json", "Output machine-readable JSON", false).action(async (opts) => {
-    await clearSession();
-    const envToken = process.env.COMERGE_ACCESS_TOKEN;
-    if (opts.json) {
-      console.log(JSON.stringify({ success: true, cleared: true, envTokenPresent: Boolean(envToken) }, null, 2));
-      return;
-    }
-    console.log(pc3.green("Logged out (local session cleared)."));
-    if (envToken) {
-      console.log(pc3.dim("Note: COMERGE_ACCESS_TOKEN is set in your environment; it will still authenticate requests."));
-    }
-  });
+`;
 }
+function shellIndexTsx() {
+  return `import * as React from 'react';
+import { View } from 'react-native';
+import { Stack } from 'expo-router';
+import { ComergeStudio } from '@comergehq/studio';
 
-// src/commands/whoami.ts
-import pc4 from "picocolors";
-function registerWhoamiCommand(program) {
-  program.command("whoami").description("Show the currently authenticated Comerge user").option("--api-key <pk>", "API Key (or set COMERGE_API_KEY)").option("--yes", "Non-interactive; do not prompt", false).option("--json", "Output machine-readable JSON", false).action(async (opts) => {
-    const config = await resolveConfig({
-      apiKey: opts.apiKey ? String(opts.apiKey) : null,
-      yes: Boolean(opts.yes)
-    });
-    const api = createApiClient(config);
-    const me = await api.getMe();
-    if (opts.json) {
-      console.log(JSON.stringify(me, null, 2));
-      return;
-    }
-    const profile = me?.responseObject;
-    const label = profile?.email ? `${profile.email}` : profile?.id ? `user ${profile.id}` : "unknown user";
-    console.log(pc4.green(label));
-  });
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore
+import config from '../comerge.config.json';
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore
+import embeddedMeta from '../assets/comerge/base.meta.json';
+
+export default function Index() {
+  const appId = String((config as any)?.appId || '');
+  const appKey = String((config as any)?.appKey || 'MicroMain');
+  const apiKey = String((config as any)?.apiKey || '');
+  const embeddedBaseBundles = {
+    ios: { module: require('../assets/comerge/base.ios.jsbundle'), meta: (embeddedMeta as any)?.ios },
+    android: { module: require('../assets/comerge/base.android.jsbundle'), meta: (embeddedMeta as any)?.android },
+  };
+  return (
+    <>
+      <Stack.Screen options={{ headerShown: false }} />
+      <View style={{ flex: 1 }}>
+        {appId ? (
+          <ComergeStudio appId={appId} apiKey={apiKey} appKey={appKey} embeddedBaseBundles={embeddedBaseBundles} />
+        ) : null}
+      </View>
+    </>
+  );
+}
+`;
+}
+function shellBabelConfigJs() {
+  return `module.exports = function (api) {
+  api.cache(true);
+  return {
+    presets: ['babel-preset-expo'],
+    plugins: ['react-native-reanimated/plugin'],
+  };
+};
+`;
 }
+function shellMetroConfigJs() {
+  return `const { getDefaultConfig } = require('expo/metro-config');
 
-// src/commands/import.ts
-import pc6 from "picocolors";
+const config = getDefaultConfig(__dirname);
+const resolver = config.resolver || {};
+const assetExts = resolver.assetExts || [];
+if (!assetExts.includes('jsbundle')) {
+  resolver.assetExts = [...assetExts, 'jsbundle'];
+}
+config.resolver = resolver;
 
-// src/lib/importLocal.ts
-import path9 from "path";
-import pc5 from "picocolors";
+module.exports = config;
+`;
+}
 
-// src/lib/gitFiles.ts
-import { execa as execa3 } from "execa";
-async function canUseGit(cwd) {
+// src/utils/packageManager.ts
+import fs8 from "fs/promises";
+async function exists(p) {
   try {
-    const res = await execa3("git", ["rev-parse", "--is-inside-work-tree"], { cwd, stdio: "ignore" });
-    return res.exitCode === 0;
+    await fs8.stat(p);
+    return true;
   } catch {
     return false;
   }
 }
-function parseGitLsFilesZ(buf) {
-  return buf.toString("utf8").split("\0").map((s) => s.trim()).filter((s) => s.length > 0);
+async function detectPackageManager(projectRoot) {
+  if (await exists(`${projectRoot}/pnpm-lock.yaml`)) return "pnpm";
+  if (await exists(`${projectRoot}/yarn.lock`)) return "yarn";
+  if (await exists(`${projectRoot}/package-lock.json`)) return "npm";
+  if (await exists(`${projectRoot}/bun.lockb`)) return "bun";
+  return "npm";
 }
-async function listFilesGit(params) {
-  const args = ["ls-files", "-z", "--cached", "--others", "--exclude-standard"];
-  if (params.pathspec) {
-    args.push("--", params.pathspec);
+function installCommand(pm) {
+  switch (pm) {
+    case "pnpm":
+      return { cmd: "pnpm", args: ["install"] };
+    case "yarn":
+      return { cmd: "yarn", args: ["install"] };
+    case "bun":
+      return { cmd: "bun", args: ["install"] };
+    case "npm":
+    default:
+      return { cmd: "npm", args: ["install"] };
   }
-  const res = await execa3("git", args, { cwd: params.cwd, stdout: "pipe", stderr: "ignore" });
-  return parseGitLsFilesZ(Buffer.from(res.stdout ?? "", "utf8"));
 }
 
-// src/lib/fileSelection.ts
-import fs9 from "fs/promises";
+// src/commands/shellInit.ts
+import { execa as execa3 } from "execa";
+
+// src/utils/copyProject.ts
 import path7 from "path";
-import fg from "fast-glob";
-import ignore from "ignore";
-var BUILTIN_IGNORES = [
-  "**/node_modules/**",
-  "**/.git/**",
-  "**/.expo/**",
-  "**/dist/**",
-  "**/build/**",
-  "**/coverage/**",
-  "**/.turbo/**",
-  "**/.next/**",
-  "**/ios/build/**",
-  "**/android/build/**",
-  "**/.pnpm-store/**",
-  "**/comerge-shell*/**"
-];
-function normalizeRel2(p) {
-  return p.replace(/\\/g, "/").replace(/^\/+/, "");
+import fse2 from "fs-extra";
+var ALWAYS_EXCLUDE_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".expo",
+  "dist",
+  "build"
+]);
+function normalizeRel3(relPath) {
+  return relPath.replace(/\\/g, "/").replace(/^\/+/, "");
 }
-async function readGitignore(root) {
-  const fp = path7.join(root, ".gitignore");
-  return await fs9.readFile(fp, "utf8").catch(() => "");
+function shouldExclude(relPath) {
+  const rel = normalizeRel3(relPath);
+  const parts = rel.split("/").filter(Boolean);
+  const top = parts[0] ?? "";
+  if (!top) return false;
+  if (ALWAYS_EXCLUDE_DIRS.has(top)) return true;
+  if (top.startsWith("comerge-shell")) return true;
+  if (rel.startsWith("ios/build/") || rel === "ios/build") return true;
+  if (rel.startsWith("android/build/") || rel === "android/build") return true;
+  return false;
 }
-async function listFilesFs(params) {
-  const ig = ignore();
-  const raw = await readGitignore(params.root);
-  if (raw) ig.add(raw);
-  const entries = await fg(["**/*"], {
-    cwd: params.root,
-    onlyFiles: true,
-    dot: true,
-    followSymbolicLinks: false,
-    unique: true,
-    ignore: [...BUILTIN_IGNORES]
-  });
-  const filtered = entries.filter((p) => {
-    const rel = normalizeRel2(p);
-    if (!params.includeDotenv && path7.posix.basename(rel).startsWith(".env")) return false;
-    return !ig.ignores(rel);
+async function copyProject(params) {
+  const src = path7.resolve(params.projectRoot);
+  const dest = path7.resolve(params.outRoot);
+  const srcExists = await fse2.pathExists(src);
+  if (!srcExists) {
+    throw new CliError("Project root not found.", { exitCode: 2 });
+  }
+  await fse2.copy(src, dest, {
+    dereference: true,
+    preserveTimestamps: true,
+    filter: (srcPath) => {
+      const rel = path7.relative(src, srcPath);
+      if (!rel) return true;
+      return !shouldExclude(rel);
+    }
   });
-  return filtered.map(normalizeRel2);
 }
 
-// src/lib/zip.ts
-import crypto from "crypto";
-import fs10 from "fs";
-import fsp from "fs/promises";
-import os3 from "os";
+// src/utils/stripProject.ts
 import path8 from "path";
-import archiver from "archiver";
-var MAX_IMPORT_ZIP_BYTES = 50 * 1024 * 1024;
-var MAX_IMPORT_FILE_COUNT = 25e3;
-function normalizeRel3(p) {
-  return p.replace(/\\/g, "/").replace(/\/+/g, "/").replace(/^\/+/, "");
+import fse3 from "fs-extra";
+var DEFAULT_STRIP_DIRS = ["app", "src", "components", "lib", "hooks", "providers"];
+async function stripProject(params) {
+  const dirs = params.dirs ?? DEFAULT_STRIP_DIRS;
+  await Promise.all(
+    dirs.map(async (d) => {
+      const p = path8.join(params.outRoot, d);
+      const exists2 = await fse3.pathExists(p);
+      if (!exists2) return;
+      await fse3.remove(p);
+    })
+  );
 }
-function validateRelPath(rel) {
-  const p = normalizeRel3(rel);
-  if (!p) throw new CliError("Invalid file path", { exitCode: 1 });
-  if (p.startsWith("../") || p.includes("/../") || p === "..") {
-    throw new CliError("Refusing to zip path traversal entry", { exitCode: 1, hint: p });
+
+// src/commands/shellInit.ts
+import fs12 from "fs/promises";
+
+// src/utils/appJsonPatch.ts
+import fs9 from "fs/promises";
+function pluginName(entry) {
+  if (Array.isArray(entry)) return typeof entry[0] === "string" ? entry[0] : null;
+  return typeof entry === "string" ? entry : null;
+}
+async function ensureComergeShellPlugins(appJsonPath) {
+  let raw;
+  try {
+    raw = await fs9.readFile(appJsonPath, "utf8");
+  } catch {
+    return false;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new CliError("Failed to parse app.json in the generated shell.", { exitCode: 2 });
+  }
+  const expo = parsed.expo;
+  if (!expo || typeof expo !== "object") return false;
+  const plugins = Array.isArray(expo.plugins) ? [...expo.plugins] : [];
+  const routerEntry = plugins.find((p) => pluginName(p) === "expo-router");
+  const runtimeEntry = plugins.find((p) => pluginName(p) === "@comergehq/runtime");
+  const needsRouter = !routerEntry;
+  const needsRuntime = !runtimeEntry;
+  if (!needsRouter && !needsRuntime) return false;
+  const rest = plugins.filter((p) => {
+    const name = pluginName(p);
+    return name !== "expo-router" && name !== "@comergehq/runtime";
+  });
+  expo.plugins = [routerEntry ?? "expo-router", runtimeEntry ?? "@comergehq/runtime", ...rest];
+  await fs9.writeFile(appJsonPath, JSON.stringify({ expo }, null, 2) + "\n", "utf8");
+  return true;
+}
+
+// src/utils/reanimated.ts
+import fs10 from "fs/promises";
+async function ensureReanimatedBabelPlugin(babelConfigPath) {
+  const raw = await fs10.readFile(babelConfigPath, "utf8").catch(() => null);
+  if (!raw) return false;
+  if (raw.includes("react-native-reanimated/plugin")) return false;
+  const patched = patchBabelConfigAddReanimatedPlugin(raw);
+  if (patched === raw) return false;
+  await fs10.writeFile(babelConfigPath, patched, "utf8");
+  return true;
+}
+function patchBabelConfigAddReanimatedPlugin(raw) {
+  const pluginsMatch = /(^|\n)([ \t]*)plugins\s*:\s*\[/m.exec(raw);
+  if (pluginsMatch) {
+    const matchIdx = pluginsMatch.index + pluginsMatch[1].length;
+    const indent = pluginsMatch[2] ?? "";
+    const bracketIdx = raw.indexOf("[", matchIdx);
+    if (bracketIdx >= 0) {
+      const closeIdx = findMatchingBracket(raw, bracketIdx, "[", "]");
+      if (closeIdx >= 0) {
+        const inner = raw.slice(bracketIdx + 1, closeIdx);
+        const innerTrim = inner.trim();
+        const innerTrimEnd = inner.replace(/[ \t\r\n]+$/g, "");
+        const elementIndent = indent + "  ";
+        let insert = "";
+        if (!innerTrim) {
+          insert = `
+${elementIndent}'react-native-reanimated/plugin'
+${indent}`;
+        } else if (innerTrimEnd.endsWith(",")) {
+          insert = `
+${elementIndent}'react-native-reanimated/plugin'`;
+        } else {
+          insert = `,
+${elementIndent}'react-native-reanimated/plugin'`;
+        }
+        return raw.slice(0, closeIdx) + insert + raw.slice(closeIdx);
+      }
+    }
   }
-  if (p.startsWith("/")) {
-    throw new CliError("Refusing to zip absolute path", { exitCode: 1, hint: p });
+  const presetsMatch = /(^|\n)([ \t]*)presets\s*:\s*\[[^\]]*\]\s*,?/m.exec(raw);
+  if (presetsMatch) {
+    const indent = presetsMatch[2] ?? "";
+    const insertAt = presetsMatch.index + presetsMatch[0].length;
+    const insertion = `
+${indent}// Required by react-native-reanimated. Must be listed last.
+${indent}plugins: ['react-native-reanimated/plugin'],`;
+    return raw.slice(0, insertAt) + insertion + raw.slice(insertAt);
   }
-  return p;
+  return raw;
 }
-async function computeStats(params) {
-  const largestN = params.largestN ?? 10;
-  if (params.files.length > MAX_IMPORT_FILE_COUNT) {
-    throw new CliError("Too many files to import", {
-      exitCode: 2,
-      hint: `File count ${params.files.length} exceeds limit ${MAX_IMPORT_FILE_COUNT}. Use --path or add ignores.`
-    });
-  }
-  let totalBytes = 0;
-  const largest = [];
-  for (const rel0 of params.files) {
-    const rel = validateRelPath(rel0);
-    const abs = path8.join(params.root, rel);
-    const st = await fsp.stat(abs);
-    if (!st.isFile()) continue;
-    const bytes = st.size;
-    totalBytes += bytes;
-    if (largestN > 0) {
-      largest.push({ path: rel, bytes });
+function findMatchingBracket(text, openIdx, open, close) {
+  let depth = 0;
+  let inSingle = false;
+  let inDouble = false;
+  let inTemplate = false;
+  let inLineComment = false;
+  let inBlockComment = false;
+  for (let i = openIdx; i < text.length; i++) {
+    const ch = text[i];
+    const next = text[i + 1];
+    if (inLineComment) {
+      if (ch === "\n") inLineComment = false;
+      continue;
     }
-  }
-  largest.sort((a, b) => b.bytes - a.bytes);
-  return {
-    fileCount: params.files.length,
-    totalBytes,
-    largestFiles: largest.slice(0, largestN)
-  };
-}
-async function createZip(params) {
-  const zipName = (params.zipName ?? "import.zip").replace(/[^a-zA-Z0-9._-]+/g, "_");
-  const tmpDir = await fsp.mkdtemp(path8.join(os3.tmpdir(), "comerge-import-"));
-  const zipPath = path8.join(tmpDir, zipName);
-  await new Promise((resolve, reject) => {
-    const output = fs10.createWriteStream(zipPath);
-    const archive = archiver("zip", { zlib: { level: 9 } });
-    output.on("close", () => resolve());
-    output.on("error", (err) => reject(err));
-    archive.on("warning", (err) => {
-      reject(err);
-    });
-    archive.on("error", (err) => reject(err));
-    archive.pipe(output);
-    for (const rel0 of params.files) {
-      const rel = validateRelPath(rel0);
-      const abs = path8.join(params.root, rel);
-      archive.file(abs, { name: rel });
+    if (inBlockComment) {
+      if (ch === "*" && next === "/") {
+        inBlockComment = false;
+        i++;
+      }
+      continue;
+    }
+    if (!inSingle && !inDouble && !inTemplate) {
+      if (ch === "/" && next === "/") {
+        inLineComment = true;
+        i++;
+        continue;
+      }
+      if (ch === "/" && next === "*") {
+        inBlockComment = true;
+        i++;
+        continue;
+      }
+    }
+    if (!inDouble && !inTemplate && ch === "'" && text[i - 1] !== "\\") {
+      inSingle = !inSingle;
+      continue;
+    }
+    if (!inSingle && !inTemplate && ch === `"` && text[i - 1] !== "\\") {
+      inDouble = !inDouble;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "`" && text[i - 1] !== "\\") {
+      inTemplate = !inTemplate;
+      continue;
+    }
+    if (inSingle || inDouble || inTemplate) continue;
+    if (ch === open) depth++;
+    if (ch === close) {
+      depth--;
+      if (depth === 0) return i;
     }
-    void archive.finalize();
-  });
-  const st = await fsp.stat(zipPath);
-  if (st.size > MAX_IMPORT_ZIP_BYTES) {
-    throw new CliError("Archive exceeds max upload size", {
-      exitCode: 2,
-      hint: `Zip size ${st.size} bytes exceeds limit ${MAX_IMPORT_ZIP_BYTES} bytes. Use --path or add ignores.`
-    });
   }
-  return { zipPath };
-}
-async function sha256FileHex(filePath) {
-  const hash = crypto.createHash("sha256");
-  await new Promise((resolve, reject) => {
-    const s = fs10.createReadStream(filePath);
-    s.on("data", (chunk) => hash.update(chunk));
-    s.on("error", reject);
-    s.on("end", () => resolve());
-  });
-  return hash.digest("hex");
+  return -1;
 }
 
-// src/lib/upload.ts
+// src/services/bundles.ts
 import fs11 from "fs";
-import { PassThrough } from "stream";
-async function uploadPresigned(params) {
-  const st = await fs11.promises.stat(params.filePath).catch(() => null);
-  if (!st || !st.isFile()) throw new CliError("Upload file not found", { exitCode: 2 });
-  const totalBytes = st.size;
-  const fileStream = fs11.createReadStream(params.filePath);
-  const pass = new PassThrough();
-  let sent = 0;
-  fileStream.on("data", (chunk) => {
-    sent += chunk.length;
-    params.onProgress?.({ sentBytes: sent, totalBytes });
-  });
-  fileStream.on("error", (err) => pass.destroy(err));
-  fileStream.pipe(pass);
-  const res = await fetch(params.uploadUrl, {
-    method: "PUT",
-    headers: params.headers,
-    body: pass,
-    duplex: "half"
-  });
-  if (!res.ok) {
-    const text = await res.text().catch(() => "");
-    throw new CliError("Upload failed", {
-      exitCode: 1,
-      hint: `Status: ${res.status}
-${text}`.trim() || null
-    });
-  }
-}
-
-// src/lib/importLocal.ts
-var SAFE_PATH_RE = /^[A-Za-z0-9._/-]+$/;
-var COMERGE_SHELL_SEGMENT_RE = /(^|\/)comerge-shell[^/]*(\/|$)/;
-function sleep(ms) {
+import fsPromises from "fs/promises";
+import path9 from "path";
+import { Readable } from "stream";
+import { pipeline } from "stream/promises";
+import pc6 from "picocolors";
+function sleep2(ms) {
   return new Promise((r) => setTimeout(r, ms));
 }
-function formatBytes(bytes) {
-  const units = ["B", "KB", "MB", "GB"];
-  let v = bytes;
-  let i = 0;
-  while (v >= 1024 && i < units.length - 1) {
-    v /= 1024;
-    i++;
-  }
-  return `${v.toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
-}
-function deriveAppName(projectRoot) {
-  const base = path9.basename(projectRoot);
-  return base || "Imported App";
-}
-function validateOptionalSubdir(subdir) {
-  if (!subdir) return null;
-  const s = subdir.trim().replace(/^\/+/, "").replace(/\\/g, "/");
-  if (!s) return null;
-  if (!SAFE_PATH_RE.test(s) || s.includes("..")) {
-    throw new CliError("Invalid --path", {
-      exitCode: 2,
-      hint: "Use a safe subdirectory like packages/mobile-app (letters/numbers/._-/ only)."
-    });
-  }
-  return s;
-}
-function getAppStatus(appResp) {
-  const obj = appResp?.responseObject;
-  const status = typeof obj?.status === "string" ? obj.status : null;
-  const statusError = typeof obj?.statusError === "string" ? obj.statusError : null;
-  return { status, statusError };
+function isRetryableNetworkError(e) {
+  const err = e;
+  const code = typeof err?.code === "string" ? err.code : "";
+  const message = typeof err?.message === "string" ? err.message : "";
+  if (code === "ERR_NETWORK" || code === "ECONNABORTED" || code === "ETIMEDOUT") return true;
+  if (message.toLowerCase().includes("network error")) return true;
+  if (message.toLowerCase().includes("timeout")) return true;
+  return false;
 }
-async function importLocal(params) {
-  const studioApiKey = await resolveStudioApiKey({ flagApiKey: params.apiKey ?? null, yes: Boolean(params.yes) });
-  const cfg = await resolveConfig({ apiKey: params.apiKey ?? null, yes: Boolean(params.yes) });
-  const api = createApiClient(cfg, { apiKey: studioApiKey });
-  const projectRoot = await findExpoProjectRoot(process.cwd());
-  const subdir = validateOptionalSubdir(params.subdir);
-  const importRoot = subdir ? path9.join(projectRoot, subdir) : projectRoot;
-  const appName = (params.appName ?? "").trim() || deriveAppName(projectRoot);
-  const log = (msg) => {
-    if (params.json) return;
-    console.log(msg);
-  };
-  log(pc5.dim(`Project: ${projectRoot}`));
-  if (subdir) log(pc5.dim(`Import path: ${subdir}`));
-  let files = [];
-  const useGit = await canUseGit(projectRoot);
-  if (useGit) {
-    const gitPaths = await listFilesGit({ cwd: projectRoot, pathspec: subdir ?? null });
-    files = gitPaths.filter((p) => !COMERGE_SHELL_SEGMENT_RE.test(p.replace(/\\/g, "/")));
-    if (!params.includeDotenv) {
-      files = files.filter((p) => !path9.posix.basename(p).startsWith(".env"));
-    }
-  } else {
-    files = await listFilesFs({ root: importRoot, includeDotenv: params.includeDotenv });
-    if (subdir) {
-      files = files.map((p) => path9.posix.join(subdir, p));
+async function withRetry(fn, opts) {
+  let lastErr = null;
+  for (let attempt = 1; attempt <= opts.attempts; attempt += 1) {
+    try {
+      return await fn();
+    } catch (e) {
+      lastErr = e;
+      const retryable = isRetryableNetworkError(e);
+      if (!retryable || attempt >= opts.attempts) {
+        throw e;
+      }
+      const exp = Math.min(opts.maxDelayMs, opts.baseDelayMs * Math.pow(2, attempt - 1));
+      const jitter = Math.floor(Math.random() * 250);
+      await sleep2(exp + jitter);
     }
   }
-  if (files.length === 0) {
-    throw new CliError("No files found to upload", { exitCode: 2, hint: "Check .gitignore rules or try without --path." });
+  throw lastErr;
+}
+function unwrapResponseObject(resp, label) {
+  const obj = resp?.responseObject;
+  if (obj === void 0 || obj === null) {
+    const message = typeof resp?.message === "string" && resp.message.trim().length > 0 ? resp.message : `Missing ${label} response`;
+    throw new CliError(message, { exitCode: 1, hint: resp ? JSON.stringify(resp, null, 2) : null });
   }
-  const stats = await computeStats({ root: projectRoot, files, largestN: 10 });
-  log(pc5.dim(`Files: ${stats.fileCount}  Total: ${formatBytes(stats.totalBytes)}`));
-  if (params.dryRun) {
-    const top = stats.largestFiles.slice(0, 10);
-    if (top.length > 0) {
-      log(pc5.dim("Largest files:"));
-      for (const f of top) {
-        log(pc5.dim(`  ${formatBytes(f.bytes)}  ${f.path}`));
+  return obj;
+}
+async function pollBundle(api, appId, bundleId, opts) {
+  const start = Date.now();
+  while (true) {
+    try {
+      const bundleResp = await api.getBundle(appId, bundleId);
+      const bundle = unwrapResponseObject(bundleResp, "bundle");
+      if (bundle.status === "succeeded" || bundle.status === "failed") return bundle;
+    } catch (e) {
+      if (!isRetryableNetworkError(e)) {
+        throw e;
       }
     }
-    return { uploadId: "dry-run", appId: "dry-run", status: "dry-run" };
-  }
-  log(pc5.dim("Creating zip..."));
-  const { zipPath } = await createZip({ root: projectRoot, files, zipName: "import.zip" });
-  const zipSha = await sha256FileHex(zipPath);
-  const zipSize = (await (await import("fs/promises")).stat(zipPath)).size;
-  log(pc5.dim("Requesting upload URL..."));
-  const presignResp = await api.presignImportUpload({
-    file: {
-      name: "import.zip",
-      mimeType: "application/zip",
-      size: zipSize,
-      checksumSha256: zipSha
+    if (Date.now() - start > opts.timeoutMs) {
+      throw new Error("Bundle build timed out.");
     }
-  });
-  const presign = presignResp?.responseObject;
-  const uploadId = String(presign?.uploadId ?? "");
-  const uploadUrl = String(presign?.uploadUrl ?? "");
-  const headers = presign?.headers ?? {};
-  if (!uploadId || !uploadUrl) {
-    throw new CliError("Presign response missing upload fields", { exitCode: 1, hint: JSON.stringify(presignResp, null, 2) });
-  }
-  log(pc5.dim("Uploading zip..."));
-  let lastPct = -1;
-  await uploadPresigned({
-    uploadUrl,
-    headers,
-    filePath: zipPath,
-    onProgress: ({ sentBytes, totalBytes }) => {
-      if (params.json) return;
-      const pct = totalBytes > 0 ? Math.floor(sentBytes / totalBytes * 100) : 0;
-      if (pct !== lastPct && (pct % 5 === 0 || pct === 100)) {
-        lastPct = pct;
-        process.stdout.write(pc5.dim(`Upload ${pct}%\r`));
+    await sleep2(opts.intervalMs);
+  }
+}
+async function downloadToFile(url, targetPath) {
+  const dir = path9.dirname(targetPath);
+  await fsPromises.mkdir(dir, { recursive: true });
+  const tmpPath = `${targetPath}.tmp-${Date.now()}`;
+  await withRetry(
+    async () => {
+      const res = await fetch(url);
+      if (!res.ok) {
+        throw new Error(`Download failed (status ${res.status})`);
       }
-    }
+      if (!res.body) {
+        throw new Error("Download response has no body.");
+      }
+      const body = Readable.fromWeb(res.body);
+      const out = fs11.createWriteStream(tmpPath);
+      await pipeline(body, out);
+    },
+    { attempts: 3, baseDelayMs: 500, maxDelayMs: 4e3 }
+  );
+  const stat = await fsPromises.stat(tmpPath);
+  if (!stat.size || stat.size <= 0) {
+    await fsPromises.unlink(tmpPath).catch(() => {
+    });
+    throw new Error("Downloaded bundle is empty.");
+  }
+  await fsPromises.rename(tmpPath, targetPath);
+}
+async function downloadBundle(api, appId, platform, targetPath) {
+  const initiateResp = await api.initiateBundle(appId, {
+    platform,
+    idempotencyKey: `${appId}:head:${platform}`
   });
-  if (!params.json) process.stdout.write("\n");
-  log(pc5.dim("Triggering import..."));
-  const importResp = await api.importFromUpload({
-    uploadId,
-    appName,
-    path: subdir ?? void 0
+  const initiate = unwrapResponseObject(initiateResp, "bundle initiate");
+  const finalBundle = initiate.status === "succeeded" || initiate.status === "failed" ? initiate : await pollBundle(api, appId, initiate.id, { timeoutMs: 3 * 60 * 1e3, intervalMs: 1200 });
+  if (finalBundle.status === "failed") {
+    throw new Error("Bundle build failed.");
+  }
+  const signedResp = await api.getBundleDownloadUrl(appId, finalBundle.id, { redirect: false });
+  const signed = unwrapResponseObject(signedResp, "bundle download url");
+  const url = String(signed.url || "").trim();
+  if (!url) throw new Error("Download URL is missing.");
+  await downloadToFile(url, targetPath);
+  const fingerprint = finalBundle.checksumSha256 ?? `id:${finalBundle.id}`;
+  const meta = {
+    fingerprint,
+    bundleId: finalBundle.id,
+    checksumSha256: finalBundle.checksumSha256 ?? null,
+    size: finalBundle.size ?? null,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  return { platform, bundlePath: targetPath, meta };
+}
+async function downloadEmbeddedBundles(params) {
+  const log = params.log ?? (() => {
   });
-  const importObj = importResp?.responseObject;
-  const appId = String(importObj?.appId ?? "");
-  const projectId = importObj?.projectId ? String(importObj.projectId) : void 0;
-  const threadId = importObj?.threadId ? String(importObj.threadId) : void 0;
+  const baseDir = path9.join(params.outRoot, "assets", "comerge");
+  const iosPath = path9.join(baseDir, "base.ios.jsbundle");
+  const androidPath = path9.join(baseDir, "base.android.jsbundle");
+  log(pc6.dim("Downloading base bundles for shell..."));
+  const results = await Promise.allSettled([
+    downloadBundle(params.api, params.appId, "ios", iosPath),
+    downloadBundle(params.api, params.appId, "android", androidPath)
+  ]);
+  const meta = {};
+  for (const res of results) {
+    if (res.status === "fulfilled") {
+      meta[res.value.platform] = res.value.meta;
+    } else {
+      log(pc6.yellow(`Warning: failed to download ${res.reason?.message ?? res.reason}`));
+    }
+  }
+  await fsPromises.mkdir(baseDir, { recursive: true });
+  await fsPromises.writeFile(path9.join(baseDir, "base.meta.json"), JSON.stringify(meta, null, 2) + "\n", "utf8");
+  return meta;
+}
+
+// src/commands/shellInit.ts
+async function shellInit(params) {
+  const projectRoot = await findExpoProjectRoot(process.cwd());
+  const outDirDefault = params.outDir || "comerge-shell";
+  let outDir = outDirDefault;
+  let appId = params.appId ?? "";
+  let apiKey = params.apiKey ?? "";
+  let appKey = params.appKey ?? "MicroMain";
+  appId = String(appId || "").trim();
+  apiKey = String(apiKey || "").trim();
   if (!appId) {
-    throw new CliError("Import response missing appId", { exitCode: 1, hint: JSON.stringify(importResp, null, 2) });
+    throw new CliError("Missing app ID.", {
+      hint: "Pass --app-id <uuid>.",
+      exitCode: 2
+    });
   }
-  if (params.noWait) {
-    return { uploadId, appId, projectId, threadId, status: "accepted" };
+  if (!apiKey) {
+    throw new CliError("Missing client key.", {
+      hint: "Pass --api-key <key>.",
+      exitCode: 2
+    });
   }
-  log(pc5.dim("Waiting for build..."));
-  const startedAt = Date.now();
-  let delay = 2e3;
-  let lastStatus = null;
-  while (Date.now() - startedAt < params.maxWaitMs) {
-    const appResp = await api.getApp(appId);
-    const { status, statusError } = getAppStatus(appResp);
-    if (status && status !== lastStatus) {
-      lastStatus = status;
-      log(pc5.dim(`Status: ${status}`));
+  const requestedOutputPath = path10.resolve(projectRoot, outDir);
+  const outputPath = await findAvailableDirPath(requestedOutputPath);
+  console.log(pc7.dim(`Project: ${projectRoot}`));
+  if (outputPath !== requestedOutputPath) {
+    console.log(pc7.dim(`Output:  ${requestedOutputPath} (already exists)`));
+    console.log(pc7.dim(`Using:   ${outputPath}`));
+  } else {
+    console.log(pc7.dim(`Output:  ${outputPath}`));
+  }
+  const outputIsInsideProject = outputPath === projectRoot || outputPath.startsWith(projectRoot + path10.sep);
+  const stagingPath = outputIsInsideProject ? await fs12.mkdtemp(path10.join(os3.tmpdir(), "comerge-shell-")) : outputPath;
+  let movedToFinal = false;
+  try {
+    if (!outputIsInsideProject) {
+      await ensureEmptyDir(stagingPath);
     }
-    if (status === "ready") {
-      return { uploadId, appId, projectId, threadId, status };
+    await copyProject({ projectRoot, outRoot: stagingPath });
+    await stripProject({ outRoot: stagingPath });
+    try {
+      const didPatch = await ensureComergeShellPlugins(path10.join(stagingPath, "app.json"));
+      if (didPatch) {
+        console.log(pc7.dim("Updated app.json with required Comerge shell plugins."));
+      }
+    } catch {
     }
-    if (status === "error") {
-      throw new CliError("Import failed", { exitCode: 1, hint: statusError ?? "App status is error" });
+    await writeJsonAtomic(path10.join(stagingPath, "comerge.config.json"), {
+      appId,
+      appKey: appKey || "MicroMain",
+      apiKey
+    });
+    try {
+      const cfg = await resolveConfig({ yes: true });
+      const api = createApiClient(cfg, { apiKey });
+      await downloadEmbeddedBundles({
+        api,
+        appId,
+        outRoot: stagingPath,
+        log: (msg) => console.log(msg)
+      });
+    } catch (e) {
+      console.log(pc7.yellow(`Warning: failed to embed base bundles: ${e instanceof Error ? e.message : String(e)}`));
+    }
+    await writeTextAtomic(path10.join(stagingPath, "app/_layout.tsx"), shellLayoutTsx());
+    await writeTextAtomic(path10.join(stagingPath, "app/index.tsx"), shellIndexTsx());
+    await ensureTextFile(path10.join(stagingPath, "babel.config.js"), shellBabelConfigJs());
+    await ensureTextFile(path10.join(stagingPath, "metro.config.js"), shellMetroConfigJs());
+    try {
+      const didPatch = await ensureReanimatedBabelPlugin(path10.join(stagingPath, "babel.config.js"));
+      if (didPatch) console.log(pc7.dim("Updated babel.config.js to include react-native-reanimated/plugin."));
+    } catch {
+    }
+    await ensureTextFile(
+      path10.join(stagingPath, "tsconfig.json"),
+      JSON.stringify(
+        {
+          extends: "expo/tsconfig.base",
+          compilerOptions: { strict: true, resolveJsonModule: true }
+        },
+        null,
+        2
+      ) + "\n"
+    );
+    const originalPkg = await readPackageJson(stagingPath);
+    const { pkg: shellPkg, warnings, info } = buildShellPackageJson({
+      original: originalPkg
+    });
+    await writeJsonAtomic(path10.join(stagingPath, "package.json"), shellPkg);
+    for (const w of warnings) console.log(pc7.yellow(`Warning: ${w}`));
+    for (const i of info) console.log(pc7.dim(`Info: ${i}`));
+    if (outputIsInsideProject) {
+      await fse4.move(stagingPath, outputPath, { overwrite: false });
+      movedToFinal = true;
+    }
+    const finalPath = outputIsInsideProject ? outputPath : stagingPath;
+    const pm = params.packageManager ?? await detectPackageManager(projectRoot);
+    const { cmd, args } = installCommand(pm);
+    console.log(pc7.dim(`Installing dependencies with ${cmd}...`));
+    const res = await execa3(cmd, args, { cwd: finalPath, stdio: "inherit" });
+    if (res.exitCode !== 0) {
+      throw new CliError("Dependency installation failed.", { exitCode: res.exitCode ?? 1 });
+    }
+    console.log(pc7.dim("Running Expo prebuild..."));
+    const prebuild = await execa3("npx", ["expo", "prebuild"], { cwd: finalPath, stdio: "inherit" });
+    if (prebuild.exitCode !== 0) {
+      throw new CliError("Expo prebuild failed.", { exitCode: prebuild.exitCode ?? 1 });
+    }
+    console.log(pc7.green("Comerge has been installed successfully."));
+    console.log(pc7.dim("You can now open the app from the My apps page in the Comerge app."));
+  } finally {
+    if (outputIsInsideProject && !movedToFinal) {
+      try {
+        await fse4.remove(stagingPath);
+      } catch {
+      }
     }
-    await sleep(delay);
-    delay = Math.min(1e4, Math.floor(delay * 1.4));
   }
-  throw new CliError("Timed out waiting for import", {
-    exitCode: 1,
-    hint: `Try again with --max-wait or check app status with: comerge import local --no-wait`
-  });
+}
+async function ensureTextFile(filePath, contents) {
+  try {
+    await fs12.access(filePath);
+    return;
+  } catch {
+  }
+  await writeTextAtomic(filePath, contents);
 }
 
-// src/commands/import.ts
-function registerImportCommands(program) {
-  const imp = program.command("import").description("Import source code into Comerge");
-  imp.command("local").description("Import the current local Expo project").option("--api-key <pk>", "API Key (or set COMERGE_API_KEY)").option("--yes", "Non-interactive; do not prompt", false).option("--name <appName>", "Override app name (default: derived from Expo config / folder name)").option("--path <subdir>", "Optional subdirectory to import").option("--max-wait <sec>", "Max time to wait for import to finish (default: 1200)", "1200").option("--json", "Output machine-readable JSON", false).option("--no-wait", "Do not poll for completion; return immediately after enqueue", false).option("--no-include-dotenv", "Exclude .env* files from the uploaded archive", false).option("--dry-run", "Show what would be uploaded (no upload)", false).action(async (opts) => {
-    const maxWaitSec = Number(String(opts.maxWait ?? "1200").trim());
-    if (!Number.isFinite(maxWaitSec) || maxWaitSec <= 0) {
-      throw new CliError("Invalid --max-wait", { exitCode: 2, hint: "Example: --max-wait 1200" });
-    }
-    const res = await importLocal({
-      apiKey: opts.apiKey ? String(opts.apiKey) : null,
-      yes: Boolean(opts.yes),
-      appName: opts.name ? String(opts.name) : null,
-      subdir: opts.path ? String(opts.path) : null,
-      maxWaitMs: Math.floor(maxWaitSec * 1e3),
-      noWait: Boolean(opts.noWait),
-      json: Boolean(opts.json),
-      includeDotenv: Boolean(opts.includeDotenv),
-      dryRun: Boolean(opts.dryRun)
-    });
-    if (Boolean(opts.json)) {
-      console.log(JSON.stringify(res, null, 2));
-      return;
+// src/utils/appDefaults.ts
+import fs13 from "fs/promises";
+import path11 from "path";
+import fg2 from "fast-glob";
+import { execa as execa4 } from "execa";
+function normalizeString(value) {
+  if (typeof value !== "string") return null;
+  const trimmed = value.trim();
+  return trimmed ? trimmed : null;
+}
+function normalizeSlug(value) {
+  if (!value) return null;
+  const cleaned = value.trim().toLowerCase().replace(/[^a-z0-9.-]+/g, "-").replace(/^-+|-+$/g, "");
+  return cleaned || null;
+}
+function suggestBundleId(slug) {
+  if (!slug) return null;
+  return `com.example.${slug}`;
+}
+function derivePlatforms(config, iosBundleId, androidPackageName) {
+  const platforms = Array.isArray(config.platforms) ? config.platforms.map(String) : null;
+  const iosEnabled = platforms ? platforms.includes("ios") : iosBundleId ? true : null;
+  const androidEnabled = platforms ? platforms.includes("android") : androidPackageName ? true : null;
+  return { iosEnabled, androidEnabled };
+}
+async function loadExpoConfig(projectRoot) {
+  try {
+    const res = await execa4("npx", ["expo", "config", "--json"], { cwd: projectRoot });
+    const parsed = JSON.parse(res.stdout);
+    if (parsed && typeof parsed === "object" && "expo" in parsed) {
+      return parsed.expo ?? {};
     }
-    console.log(pc6.green(`Import accepted. appId=${res.appId}`));
-    if (res.status && !opts.noWait) {
-      console.log(pc6.dim(`Final status: ${res.status}`));
+    return parsed;
+  } catch {
+  }
+  const appJsonPath = path11.join(projectRoot, "app.json");
+  const rawAppJson = await fs13.readFile(appJsonPath, "utf8").catch(() => null);
+  if (!rawAppJson) return {};
+  try {
+    const parsed = JSON.parse(rawAppJson);
+    if (parsed && typeof parsed === "object" && "expo" in parsed) {
+      return parsed.expo ?? {};
     }
+  } catch {
+  }
+  return {};
+}
+async function findIosBundleId(projectRoot) {
+  const pbxprojMatches = await fg2("ios/**/*.xcodeproj/project.pbxproj", {
+    cwd: projectRoot,
+    absolute: true,
+    suppressErrors: true
   });
+  for (const file of pbxprojMatches) {
+    const raw = await fs13.readFile(file, "utf8").catch(() => null);
+    if (!raw) continue;
+    const match = raw.match(/PRODUCT_BUNDLE_IDENTIFIER\s*=\s*([A-Za-z0-9.\-]+)\s*;/);
+    if (match && match[1]) return match[1];
+  }
+  const plistMatches = await fg2("ios/**/Info.plist", {
+    cwd: projectRoot,
+    absolute: true,
+    suppressErrors: true
+  });
+  for (const file of plistMatches) {
+    const raw = await fs13.readFile(file, "utf8").catch(() => null);
+    if (!raw) continue;
+    const match = raw.match(/<key>CFBundleIdentifier<\/key>\s*<string>([^<]+)<\/string>/);
+    if (match && match[1] && !match[1].includes("$")) return match[1];
+  }
+  return null;
+}
+async function findAndroidPackageName(projectRoot) {
+  const gradlePaths = ["android/app/build.gradle", "android/app/build.gradle.kts"];
+  for (const rel of gradlePaths) {
+    const file = path11.join(projectRoot, rel);
+    const raw = await fs13.readFile(file, "utf8").catch(() => null);
+    if (!raw) continue;
+    const match = raw.match(/applicationId\s+["']([^"']+)["']/) || raw.match(/applicationId\s*=\s*["']([^"']+)["']/);
+    if (match && match[1]) return match[1];
+  }
+  const manifestMatches = await fg2("android/**/AndroidManifest.xml", {
+    cwd: projectRoot,
+    absolute: true,
+    suppressErrors: true
+  });
+  for (const file of manifestMatches) {
+    const raw = await fs13.readFile(file, "utf8").catch(() => null);
+    if (!raw) continue;
+    const match = raw.match(/<manifest[^>]*\spackage="([^"]+)"/);
+    if (match && match[1] && !match[1].includes("$")) return match[1];
+  }
+  return null;
+}
+async function inferExpoAppDefaults(projectRoot) {
+  const expoConfig = await loadExpoConfig(projectRoot);
+  const name = normalizeString(expoConfig.name);
+  const slug = normalizeSlug(normalizeString(expoConfig.slug));
+  const iosBundleId = normalizeString(expoConfig.ios?.bundleIdentifier);
+  const androidPackageName = normalizeString(expoConfig.android?.package);
+  const platforms = derivePlatforms(expoConfig, iosBundleId, androidPackageName);
+  let fallbackName = name;
+  if (!fallbackName) {
+    const pkg = await readPackageJson(projectRoot).catch(() => null);
+    fallbackName = normalizeString(pkg?.name ?? null);
+  }
+  if (!fallbackName) {
+    fallbackName = normalizeString(path11.basename(projectRoot));
+  }
+  const resolvedSlug = slug ?? normalizeSlug(fallbackName ?? null) ?? normalizeSlug(path11.basename(projectRoot));
+  const suggestedBundleId = suggestBundleId(resolvedSlug);
+  const nativeIosBundleId = iosBundleId ?? await findIosBundleId(projectRoot);
+  const nativeAndroidPackage = androidPackageName ?? await findAndroidPackageName(projectRoot);
+  return {
+    name: fallbackName,
+    slug: resolvedSlug,
+    iosBundleId: nativeIosBundleId,
+    androidPackageName: nativeAndroidPackage,
+    iosEnabled: platforms.iosEnabled,
+    androidEnabled: platforms.androidEnabled,
+    suggestedBundleId
+  };
 }
 
-// src/commands/init.ts
-import pc9 from "picocolors";
-
-// src/lib/initLocal.ts
-import pc8 from "picocolors";
-
-// src/lib/ensureAuth.ts
-import pc7 from "picocolors";
-function isInteractive2() {
-  return Boolean(process.stdin.isTTY && process.stdout.isTTY);
+// src/services/apiKeyStore.ts
+import fs14 from "fs/promises";
+import os4 from "os";
+import path12 from "path";
+var KEYTAR_SERVICE2 = "comerge-cli-api-keys";
+function xdgConfigHome2() {
+  const v = process.env.XDG_CONFIG_HOME;
+  if (typeof v === "string" && v.trim().length > 0) return v;
+  return path12.join(os4.homedir(), ".config");
 }
-async function validateBackendSession(params) {
-  const cfg = await resolveConfig({ apiKey: params?.apiKey ?? null, yes: Boolean(params?.yes) });
-  const api = createApiClient(cfg);
-  await api.getMe();
+function apiKeyFilePath() {
+  return path12.join(xdgConfigHome2(), "comerge", "api-keys.json");
 }
-async function ensureAuth(params) {
-  const envToken = process.env.COMERGE_ACCESS_TOKEN;
-  if (typeof envToken === "string" && envToken.trim().length > 0) return;
-  const existing = await getSession();
-  if (existing) {
-    try {
-      await validateBackendSession({ apiKey: params?.apiKey ?? null, yes: params?.yes });
-      return;
-    } catch {
-    }
+async function ensurePathPermissions2(filePath) {
+  const dir = path12.dirname(filePath);
+  await fs14.mkdir(dir, { recursive: true });
+  try {
+    await fs14.chmod(dir, 448);
+  } catch {
   }
-  const interactive = isInteractive2();
-  const yes = Boolean(params?.yes);
-  if (!interactive || yes) {
-    throw new CliError("Not logged in", {
-      exitCode: 2,
-      hint: "Run `comerge login` first, or set COMERGE_ACCESS_TOKEN for CI."
-    });
+  try {
+    await fs14.chmod(filePath, 384);
+  } catch {
   }
-  const cfg = await resolveConfig({ apiKey: params?.apiKey ?? null, yes: Boolean(params?.yes) });
-  const server = await startOAuthCallbackServer({ port: null });
+}
+async function maybeLoadKeytar2() {
   try {
-    const supabase = createSupabaseAuthHelpers(cfg);
-    const { url } = await supabase.startGoogleLogin({ redirectTo: server.redirectTo });
-    try {
-      await openBrowser(url);
-      if (!params?.json) console.log(pc7.dim("Opened browser for login..."));
-    } catch {
-      if (!params?.json) {
-        console.log(pc7.yellow("Could not open the browser automatically."));
-        console.log(`Open this URL manually:
-${url}`);
+    const mod = await import("keytar");
+    const candidates = [mod?.default, mod].filter(Boolean);
+    for (const c of candidates) {
+      if (c && typeof c.getPassword === "function" && typeof c.setPassword === "function") {
+        return c;
       }
     }
-    const code = await server.waitForCode();
-    const session = await supabase.exchangeCode({ code });
-    await setSession(session);
-    try {
-      await validateBackendSession({ apiKey: params?.apiKey ?? null, yes: params?.yes });
-    } catch (err) {
-      await clearSession().catch(() => {
-      });
-      throw err;
-    }
-  } finally {
-    await server.close();
+    return null;
+  } catch {
+    return null;
   }
 }
+function keyId(orgId, clientAppId) {
+  return `${orgId}:${clientAppId}`;
+}
+async function readKeyFile() {
+  const fp = apiKeyFilePath();
+  const raw = await fs14.readFile(fp, "utf8").catch(() => null);
+  if (!raw) return {};
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return {};
+    return parsed;
+  } catch {
+    return {};
+  }
+}
+async function getStoredApiKey(orgId, clientAppId) {
+  const account = keyId(orgId, clientAppId);
+  const keytar = await maybeLoadKeytar2();
+  if (keytar) {
+    const raw = await keytar.getPassword(KEYTAR_SERVICE2, account);
+    return raw && raw.trim() ? raw.trim() : null;
+  }
+  const map = await readKeyFile();
+  const key = map[account];
+  return key && key.trim() ? key.trim() : null;
+}
+async function setStoredApiKey(orgId, clientAppId, apiKey) {
+  const account = keyId(orgId, clientAppId);
+  const trimmed = String(apiKey || "").trim();
+  if (!trimmed) {
+    throw new CliError("API key is empty and was not stored.", { exitCode: 1 });
+  }
+  const keytar = await maybeLoadKeytar2();
+  if (keytar) {
+    await keytar.setPassword(KEYTAR_SERVICE2, account, trimmed);
+    return;
+  }
+  const fp = apiKeyFilePath();
+  const map = await readKeyFile();
+  map[account] = trimmed;
+  await writeJsonAtomic(fp, map);
+  await ensurePathPermissions2(fp);
+}
 
-// src/lib/initLocal.ts
-async function initLocal(params) {
-  if (params.dryRun) {
-    const res = await importLocal({
-      apiKey: params.apiKey,
-      yes: params.yes,
-      appName: params.appName,
-      subdir: params.subdir,
-      maxWaitMs: params.maxWaitMs,
-      noWait: true,
-      json: params.json,
-      includeDotenv: params.includeDotenv,
-      dryRun: true
-    });
+// src/services/initLocal.ts
+function unwrapResponseObject2(resp, label) {
+  const obj = resp?.responseObject;
+  if (obj === void 0 || obj === null) {
+    const message = typeof resp?.message === "string" && resp.message.trim().length > 0 ? resp.message : `Missing ${label} response`;
+    throw new CliError(message, { exitCode: 1, hint: resp ? JSON.stringify(resp, null, 2) : null });
+  }
+  return obj;
+}
+async function selectOrganization(orgs, yes) {
+  if (orgs.length === 0) {
+    throw new CliError("No organizations found for your account.", { exitCode: 1 });
+  }
+  if (orgs.length === 1) return orgs[0];
+  if (yes || !isInteractive()) {
+    throw new CliError("Multiple organizations found. Re-run without --yes to select one.", { exitCode: 2 });
+  }
+  const res = await prompts(
+    [
+      {
+        type: "select",
+        name: "orgId",
+        message: "Select an organization",
+        choices: orgs.map((org) => ({
+          title: org.name ? `${org.name} (${org.id})` : org.id,
+          value: org.id
+        }))
+      }
+    ],
+    {
+      onCancel: () => {
+        throw new CliError("Cancelled by user.", { exitCode: 130 });
+      }
+    }
+  );
+  const selected = orgs.find((org) => org.id === res.orgId);
+  if (!selected) throw new CliError("Invalid organization selection.", { exitCode: 1 });
+  return selected;
+}
+async function selectClientApp(apps, yes) {
+  if (apps.length === 0) {
+    if (yes || !isInteractive()) {
+      return { app: null };
+    }
+    console.log(
+      pc8.dim(
+        "No apps found. Create one here or in the Comerge dashboard at dashboard.comerge.ai."
+      )
+    );
+    const res2 = await prompts(
+      [
+        {
+          type: "select",
+          name: "appId",
+          message: "Select an app or create a new one:",
+          choices: [{ title: "Create a new app", value: "__create_new__" }]
+        }
+      ],
+      {
+        onCancel: () => {
+          throw new CliError("Cancelled by user.", { exitCode: 130 });
+        }
+      }
+    );
+    if (res2.appId === "__create_new__") return { app: null };
+    throw new CliError("Invalid app selection.", { exitCode: 1 });
+  }
+  if (yes || !isInteractive()) {
+    throw new CliError("Multiple apps found. Re-run without --yes to select one.", { exitCode: 2 });
+  }
+  const res = await prompts(
+    [
+      {
+        type: "select",
+        name: "appId",
+        message: "Select an app or create a new one:",
+        choices: [
+          ...apps.map((app) => ({
+            title: app.name ? `${app.name} (${app.id})` : app.id,
+            value: app.id
+          })),
+          { title: "Create a new app", value: "__create_new__" }
+        ]
+      }
+    ],
+    {
+      onCancel: () => {
+        throw new CliError("Cancelled by user.", { exitCode: 130 });
+      }
+    }
+  );
+  if (res.appId === "__create_new__") return { app: null };
+  const selected = apps.find((app) => app.id === res.appId);
+  if (!selected) throw new CliError("Invalid app selection.", { exitCode: 1 });
+  return { app: selected };
+}
+async function promptNewAppDetails(projectRoot, yes) {
+  const defaults = await inferExpoAppDefaults(projectRoot);
+  const defaultName = defaults.name || "My App";
+  const iosEnabled = true;
+  const androidEnabled = true;
+  if (yes || !isInteractive()) {
     return {
-      appId: res.appId,
-      uploadId: res.uploadId,
-      projectId: res.projectId,
-      threadId: res.threadId,
-      status: res.status,
-      shellOutDir: params.outDir,
-      noWait: params.noWait
+      name: defaultName,
+      iosEnabled,
+      androidEnabled,
+      iosBundleId: defaults.iosBundleId || defaults.suggestedBundleId || "com.example.app",
+      androidPackageName: defaults.androidPackageName || defaults.suggestedBundleId || "com.example.app"
     };
   }
-  const apiKey = await resolveStudioApiKey({ flagApiKey: params.apiKey, yes: params.yes });
-  await ensureAuth({ apiKey, yes: params.yes, json: params.json });
+  const answers = await prompts(
+    [
+      {
+        type: "text",
+        name: "name",
+        message: "App name",
+        initial: defaultName,
+        validate: (v) => String(v || "").trim() ? true : "App name is required."
+      }
+    ],
+    {
+      onCancel: () => {
+        throw new CliError("Cancelled by user.", { exitCode: 130 });
+      }
+    }
+  );
+  const bundlePrompts = [
+    iosEnabled ? {
+      type: "text",
+      name: "iosBundleId",
+      message: "iOS bundle ID",
+      initial: defaults.iosBundleId || defaults.suggestedBundleId || "com.example.app",
+      validate: (v) => String(v || "").trim() ? true : "iOS bundle ID is required."
+    } : null,
+    androidEnabled ? {
+      type: "text",
+      name: "androidPackageName",
+      message: "Android package name",
+      initial: defaults.androidPackageName || defaults.suggestedBundleId || "com.example.app",
+      validate: (v) => String(v || "").trim() ? true : "Android package name is required."
+    } : null
+  ].filter(Boolean);
+  const bundleAnswers = await prompts(bundlePrompts, {
+    onCancel: () => {
+      throw new CliError("Cancelled by user.", { exitCode: 130 });
+    }
+  });
+  return {
+    name: String(answers.name || defaultName).trim(),
+    iosEnabled,
+    androidEnabled,
+    iosBundleId: iosEnabled ? String(bundleAnswers.iosBundleId || "").trim() : null,
+    androidPackageName: androidEnabled ? String(bundleAnswers.androidPackageName || "").trim() : null
+  };
+}
+function buildKeyName(params) {
+  const rawUser = params.email && params.email.includes("@") ? params.email.split("@")[0] : params.id || "user";
+  const user = rawUser.trim().replace(/\s+/g, "-");
+  const hostname = os5.hostname().trim().replace(/\s+/g, "-");
+  const ts = Math.floor(Date.now() / 1e3);
+  return `cli_${user}_${hostname}_${ts}`;
+}
+async function initLocal(params) {
+  await ensureAuth({ yes: params.yes, json: params.json });
+  const cfg = await resolveConfig({ yes: params.yes });
+  const api = createApiClient(cfg);
   const appKey = String(params.appKey || "MicroMain").trim() || "MicroMain";
+  try {
+    await api.autoEnableDeveloper();
+  } catch {
+  }
+  const orgs = unwrapResponseObject2(await api.listOrganizations(), "organizations");
+  const selectedOrg = await selectOrganization(orgs, params.yes);
+  const apps = unwrapResponseObject2(
+    await api.listClientApps({ orgId: selectedOrg.id }),
+    "client apps"
+  );
+  const selectedAppResult = await selectClientApp(apps, params.yes);
+  let clientApp = selectedAppResult.app;
+  let importAppName = clientApp?.name ?? null;
+  if (!clientApp) {
+    const projectRoot = await findExpoProjectRoot(process.cwd());
+    const details = await promptNewAppDetails(projectRoot, params.yes);
+    const createdResp = await api.createClientApp({
+      orgId: selectedOrg.id,
+      name: details.name,
+      type: "wrapper",
+      environment: "production",
+      platform: "expo",
+      iosBundleId: details.iosEnabled ? details.iosBundleId ?? void 0 : void 0,
+      androidPackageName: details.androidEnabled ? details.androidPackageName ?? void 0 : void 0
+    });
+    clientApp = unwrapResponseObject2(createdResp, "client app");
+    importAppName = details.name;
+  }
+  const clientAppId = String(clientApp.id || "").trim();
+  if (!clientAppId) {
+    throw new CliError("Missing client app ID.", { exitCode: 1 });
+  }
+  let apiKey = await getStoredApiKey(selectedOrg.id, clientAppId);
+  if (!apiKey) {
+    const me = unwrapResponseObject2(await api.getMe(), "user");
+    const keyName = buildKeyName({ email: me.email ?? null, id: me.id ?? null });
+    const createdKeyResp = await api.createClientAppKey(clientAppId, { name: keyName });
+    const keyPayload = unwrapResponseObject2(createdKeyResp, "client key");
+    apiKey = String(keyPayload.key || "").trim();
+    if (!apiKey) {
+      throw new CliError("Server did not return a client key.", { exitCode: 1 });
+    }
+    await setStoredApiKey(selectedOrg.id, clientAppId, apiKey);
+  }
   if (!params.json) console.log(pc8.dim("Importing project..."));
   const imported = await importLocal({
     apiKey,
     yes: params.yes,
-    appName: params.appName,
+    appName: importAppName,
     subdir: params.subdir,
-    maxWaitMs: params.maxWaitMs,
-    noWait: params.noWait,
     json: params.json,
     includeDotenv: params.includeDotenv,
     dryRun: false
   });
-  if (!params.json) console.log(pc8.dim("Generating shell..."));
+  if (!params.json) console.log(pc8.dim("Generating shell app..."));
   await shellInit({
     outDir: params.outDir,
     appId: imported.appId,
     apiKey,
     appKey,
-    yes: true,
-    install: params.install,
-    packageManager: params.packageManager,
-    studioVersion: params.studioVersion
+    packageManager: params.packageManager
   });
   return {
     appId: imported.appId,
@@ -1760,32 +2150,20 @@ async function initLocal(params) {
     projectId: imported.projectId,
     threadId: imported.threadId,
     status: imported.status,
-    shellOutDir: params.outDir,
-    noWait: params.noWait
+    shellOutDir: params.outDir
   };
 }
 
 // src/commands/init.ts
 function registerInitCommands(program) {
-  const init = program.command("init").description("Import to Comerge + generate shell wrapper");
-  init.command("local").description("Login if needed, import the local Expo project, then generate the shell wrapper").option("--api-key <pk>", "API Key (or set COMERGE_API_KEY)").option("--app-key <key>", "Bundle app key", "MicroMain").option("--out <dir>", "Output directory for shell wrapper", "comerge-shell").option("--no-install", "Skip dependency install + expo prebuild in generated shell").option("--package-manager <pm>", "Override package manager detection (pnpm|npm|yarn|bun)").option("--studio-version <ver>", "Version to use for @comergehq/studio", "latest").option("--name <appName>", "Override imported app name").option("--path <subdir>", "Optional subdirectory to import").option("--max-wait <sec>", "Max time to wait for import to finish (default: 1200)", "1200").option("--no-wait", "Do not poll for completion; generate shell immediately", false).option("--no-include-dotenv", "Exclude .env* files from the uploaded archive").option("--dry-run", "Show what would be uploaded (no login/import/shell)", false).option("--yes", "Non-interactive; do not prompt", false).option("--json", "Output machine-readable JSON", false).action(async (opts) => {
-    const maxWaitSec = Number(String(opts.maxWait ?? "1200").trim());
-    if (!Number.isFinite(maxWaitSec) || maxWaitSec <= 0) {
-      throw new CliError("Invalid --max-wait", { exitCode: 2, hint: "Example: --max-wait 1200" });
-    }
+  const init = program.command("init").description("Import into Comerge and generate the shell wrapper");
+  init.description("Sign in if needed, import the local Expo project, then generate the shell wrapper").option("--out <dir>", "Output directory for the shell wrapper", "comerge-shell").option("--package-manager <pm>", "Override package manager detection (pnpm|npm|yarn|bun)").option("--path <subdir>", "Optional subdirectory to import").option("--no-include-dotenv", "Exclude .env* files from the upload").option("--yes", "Run non-interactively", false).option("--json", "Output JSON", false).action(async (opts) => {
     const res = await initLocal({
-      apiKey: opts.apiKey ? String(opts.apiKey) : null,
-      appKey: opts.appKey ? String(opts.appKey) : "MicroMain",
+      appKey: "MicroMain",
       outDir: opts.out ? String(opts.out) : "comerge-shell",
-      install: Boolean(opts.install),
       packageManager: opts.packageManager ? String(opts.packageManager) : null,
-      studioVersion: opts.studioVersion ? String(opts.studioVersion) : "latest",
-      appName: opts.name ? String(opts.name) : null,
       subdir: opts.path ? String(opts.path) : null,
-      maxWaitMs: Math.floor(maxWaitSec * 1e3),
-      noWait: Boolean(opts.noWait),
       includeDotenv: Boolean(opts.includeDotenv),
-      dryRun: Boolean(opts.dryRun),
       yes: Boolean(opts.yes),
       json: Boolean(opts.json)
     });
@@ -1793,9 +2171,8 @@ function registerInitCommands(program) {
       console.log(JSON.stringify(res, null, 2));
       return;
     }
-    console.log(pc9.green(`Done. appId=${res.appId}`));
+    console.log(pc9.green(`Completed. appId=${res.appId}`));
     if (res.status) console.log(pc9.dim(`Status: ${res.status}`));
-    if (res.noWait) console.log(pc9.yellow("Note: --no-wait was used; bundles may still be building."));
   });
 }
 
@@ -1805,11 +2182,9 @@ var { version } = require2("../package.json");
 async function main(argv) {
   const program = new Command();
   program.name("comerge").description("Comerge CLI").version(version);
-  registerShellCommands(program);
   registerLoginCommand(program);
   registerWhoamiCommand(program);
   registerLogoutCommand(program);
-  registerImportCommands(program);
   registerInitCommands(program);
   program.configureOutput({
     outputError: (str, write) => write(pc10.red(str))