npm - @dotlabshq/orbseal - Versions diffs - 0.1.0 - Mend

@dotlabshq/orbseal 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/orbseal.mjs ADDED Viewed

@@ -0,0 +1,1844 @@
+#!/usr/bin/env node
+// orbseal CLI — single executable, no external dependencies.
+// Config: ~/.orbseal/config.json  { token, apiBase }
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { homedir }        from 'os';
+import { join, dirname }  from 'path';
+import { fileURLToPath }  from 'url';
+import { createInterface } from 'readline';
+import {
+  randomBytes, pbkdf2Sync, createHash,
+  createPrivateKey, createPublicKey,
+} from 'node:crypto';
+const __dir = dirname(fileURLToPath(import.meta.url));
+// ─── Base58 ──────────────────────────────────────────────────────────────────
+const B58_ALPHA = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+function b58enc(buf) {
+  let n = BigInt('0x' + Buffer.from(buf).toString('hex'));
+  let s = '';
+  while (n > 0n) { s = B58_ALPHA[Number(n % 58n)] + s; n /= 58n; }
+  for (const b of buf) { if (b) break; s = '1' + s; }
+  return s;
+}
+function b58dec(s) {
+  let n = 0n;
+  for (const ch of s) {
+    const i = B58_ALPHA.indexOf(ch);
+    if (i < 0) throw new Error(`Invalid base58 character: ${ch}`);
+    n = n * 58n + BigInt(i);
+  }
+  const hex = n.toString(16);
+  return Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
+}
+// Format: "orbpk-<base58>" / "orbsk-<base58>"
+function encodeKey(prefix, raw32) { return `${prefix}-${b58enc(raw32)}`; }
+function decodeKey(str) {
+  const dash = str.indexOf('-');
+  return b58dec(str.slice(dash + 1));
+}
+// Accept orbpk-... or raw base64 (backwards compat)
+function parsePublicKey(s) {
+  if (s.startsWith('orbpk-')) return decodeKey(s);
+  return Buffer.from(s, 'base64'); // legacy base64
+}
+// ─── BIP39 mnemonic ───────────────────────────────────────────────────────────
+async function loadWordlist() {
+  const { default: words } = await import(join(__dir, 'bip39en.mjs'));
+  return words;
+}
+async function mnemonicFromEntropy(entropy16) {
+  const words = await loadWordlist();
+  // SHA256 checksum — first 4 bits appended
+  const hash = createHash('sha256').update(entropy16).digest();
+  const bits =
+    [...entropy16].map(b => b.toString(2).padStart(8, '0')).join('') +
+    (hash[0] >> 4).toString(2).padStart(4, '0');          // 128 + 4 = 132 bits
+  return Array.from({ length: 12 }, (_, i) =>
+    words[parseInt(bits.slice(i * 11, (i + 1) * 11), 2)]
+  ).join(' ');
+}
+async function validateMnemonic(phrase) {
+  const words = await loadWordlist();
+  const parts = phrase.trim().split(/\s+/);
+  if (parts.length !== 12) return 'mnemonic must be exactly 12 words';
+  const bad = parts.filter(w => !words.includes(w));
+  if (bad.length) return `unknown words: ${bad.join(', ')}`;
+  return null;
+}
+// mnemonic → 32-byte seed (domain-separated from Bitcoin wallets)
+function seedFromMnemonic(phrase) {
+  return pbkdf2Sync(phrase.normalize('NFKD'), 'orbseal', 2048, 32, 'sha512');
+}
+// ─── X25519 keypair from 32-byte seed ────────────────────────────────────────
+const PKCS8_HEADER = Buffer.from('302e020100300506032b656e04220420', 'hex');
+function keypairFromSeed(seed32) {
+  const pkcs8   = Buffer.concat([PKCS8_HEADER, seed32]);
+  const privObj = createPrivateKey({ key: pkcs8, format: 'der', type: 'pkcs8' });
+  const pubObj  = createPublicKey(privObj);
+  const pubRaw  = pubObj.export({ type: 'spki', format: 'der' }).slice(-32);
+  return {
+    publicKey:    encodeKey('orbpk', pubRaw),
+    privateKey:   encodeKey('orbsk', seed32),
+    publicKeyB64: pubRaw.toString('base64'),   // for API use
+  };
+}
+async function keypairFromMnemonic(phrase) {
+  return keypairFromSeed(seedFromMnemonic(phrase));
+}
+// ─── Config ──────────────────────────────────────────────────────────────────
+const CONFIG_DIR  = join(homedir(), '.orbseal');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+const KEY_FILE    = join(CONFIG_DIR, 'key');          // stores 12-word mnemonic
+const DEFAULT_API = 'https://api.orbseal.com';
+/** Save mnemonic to ~/.orbseal/key (mode 600, owner-only). */
+function saveMnemonic(mnemonic) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(KEY_FILE, mnemonic + '\n', { mode: 0o600 });
+}
+/** Load mnemonic from ~/.orbseal/key. Returns null if not found. */
+function loadMnemonic() {
+  if (!existsSync(KEY_FILE)) return null;
+  try { return readFileSync(KEY_FILE, 'utf8').trim(); } catch { return null; }
+}
+/** Generate a fresh keypair, persist it, and return { mnemonic, kp }. */
+async function generateAndSaveKeypair() {
+  const entropy  = randomBytes(16);
+  const mnemonic = await mnemonicFromEntropy(entropy);
+  const kp       = await keypairFromMnemonic(mnemonic);
+  saveMnemonic(mnemonic);
+  return { mnemonic, kp };
+}
+/** Display the recovery phrase with a safe-environment prompt. */
+async function showRecoveryPhrase(mnemonic, kp) {
+  const words = mnemonic.split(' ');
+  console.log();
+  console.log(`  ${c.bold}┌─ Recovery Phrase ────────────────────────────────────────┐${c.reset}`);
+  console.log(`  ${c.bold}│${c.reset}                                                            ${c.bold}│${c.reset}`);
+  // Print words in 3 columns of 4
+  for (let row = 0; row < 4; row++) {
+    const trio = [0, 1, 2].map(col => {
+      const idx  = row + col * 4;
+      const num  = String(idx + 1).padStart(2, ' ');
+      const word = (words[idx] ?? '').padEnd(10, ' ');
+      return `${c.dim}${num}.${c.reset} ${c.yellow}${c.bold}${word}${c.reset}`;
+    }).join('   ');
+    console.log(`  ${c.bold}│${c.reset}  ${trio}  ${c.bold}│${c.reset}`);
+  }
+  console.log(`  ${c.bold}│${c.reset}                                                            ${c.bold}│${c.reset}`);
+  console.log(`  ${c.bold}└────────────────────────────────────────────────────────────┘${c.reset}`);
+  console.log();
+  kv([
+    ['public key', c.cyan + kp.publicKey + c.reset],
+  ]);
+  console.log();
+  console.log(`  ${c.dim}Your private key never leaves this machine. OrbSeal never sees it.${c.reset}`);
+  console.log(`  ${c.dim}This phrase is saved at: ~/.orbseal/key${c.reset}`);
+  console.log(`  ${c.dim}View again anytime:  ${c.reset}orbseal keys show`);
+  console.log(`  ${c.dim}Restore on new device: ${c.reset}orbseal keys restore`);
+  console.log();
+  await prompt('  Press Enter to confirm you have saved this phrase…');
+}
+function loadConfig() {
+  if (!existsSync(CONFIG_FILE)) return {};
+  try { return JSON.parse(readFileSync(CONFIG_FILE, 'utf8')); } catch { return {}; }
+}
+function saveConfig(cfg) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_FILE, JSON.stringify(cfg, null, 2) + '\n', { mode: 0o600 });
+}
+// ─── HTTP ────────────────────────────────────────────────────────────────────
+// Resolves workspace / project / env from args, falling back to saved context.
+// Call: const [ws, proj, env] = resolveCtx(rest, 'ws', 'proj', 'env?')
+// Slots marked with '?' are optional (won't fatal if missing from both).
+function resolveCtx(positional, ...slots) {
+  const ctx     = loadConfig().context ?? {};
+  const ctxVals = { ws: ctx.workspace, proj: ctx.project, env: ctx.env };
+  const result  = [];
+  let   posIdx  = 0; // positional args consumed so far
+  for (const slot of slots) {
+    const optional = slot.endsWith('?');
+    const key      = optional ? slot.slice(0, -1) : slot;
+    if (ctxVals[key]) {
+      // Context covers this slot — don't consume a positional arg
+      result.push(ctxVals[key]);
+    } else if (positional[posIdx] !== undefined) {
+      // No context for this slot — consume next positional arg
+      result.push(positional[posIdx++]);
+    } else if (!optional) {
+      const hint = ctx.workspace || ctx.project
+        ? `\n  ${c.dim}Context: ${[ctx.workspace, ctx.project].filter(Boolean).join('/')}${c.reset}`
+        : '';
+      fatal(`'${key}' required — pass it as an argument or run ${c.bold}orbseal use <org>/<workspace>[/<project>]${c.reset}${hint}`);
+    } else {
+      result.push(null);
+    }
+  }
+  // Expose how many positional args were consumed so callers can slice the rest
+  result.consumed = posIdx;
+  return result;
+}
+async function api(method, path, body, contentType) {
+  const cfg   = loadConfig();
+  const token = cfg.token;
+  const base  = (cfg.apiBase ?? DEFAULT_API).replace(/\/$/, '');
+  if (!token) fatal('Not logged in. Run: orbseal login');
+  const isRaw = typeof body === 'string';
+  const ct    = contentType ?? (isRaw ? 'text/plain' : 'application/json');
+  const res = await fetch(`${base}${path}`, {
+    method,
+    headers: {
+      'Authorization': `Bearer ${token}`,
+      ...(body !== undefined ? { 'Content-Type': ct } : {}),
+    },
+    ...(body !== undefined ? { body: isRaw ? body : JSON.stringify(body) } : {}),
+  });
+  if (res.status === 204) return null;
+  const text = await res.text();
+  let data;
+  try { data = JSON.parse(text); } catch { fatal(`Unexpected response (${res.status}): ${text}`); }
+  if (!res.ok) fatal(`${res.status} ${data?.code ?? ''}: ${data?.error ?? text}`);
+  return data;
+}
+// ─── UI ──────────────────────────────────────────────────────────────────────
+const isTTY = process.stdout.isTTY;
+const c = {
+  reset:  isTTY ? '\x1b[0m'  : '',
+  bold:   isTTY ? '\x1b[1m'  : '',
+  dim:    isTTY ? '\x1b[2m'  : '',
+  green:  isTTY ? '\x1b[32m' : '',
+  yellow: isTTY ? '\x1b[33m' : '',
+  cyan:   isTTY ? '\x1b[36m' : '',
+  red:    isTTY ? '\x1b[31m' : '',
+};
+function table(rows, cols) {
+  // cols: [{ key, label, fmt? }]
+  if (!rows.length) { console.log(`${c.dim}  (none)${c.reset}`); return; }
+  const widths = cols.map(col =>
+    Math.max(col.label.length, ...rows.map(r => String(col.fmt ? col.fmt(r[col.key], r) : (r[col.key] ?? '—')).replace(/\x1b\[[0-9;]*m/g, '').length))
+  );
+  const header = cols.map((col, i) => pad(c.bold + c.dim + col.label + c.reset, widths[i])).join('  ');
+  console.log('  ' + header);
+  console.log('  ' + widths.map(w => '─'.repeat(w)).join('  '));
+  for (const row of rows) {
+    const line = cols.map((col, i) => {
+      const raw = col.fmt ? col.fmt(row[col.key], row) : (row[col.key] ?? '—');
+      const visible = String(raw).replace(/\x1b\[[0-9;]*m/g, '');
+      return String(raw) + ' '.repeat(Math.max(0, widths[i] - visible.length));
+    }).join('  ');
+    console.log('  ' + line);
+  }
+}
+function kv(pairs) {
+  const w = Math.max(...pairs.map(([k]) => k.length));
+  for (const [k, v] of pairs) {
+    console.log(`  ${c.dim}${k.padEnd(w)}${c.reset}  ${v}`);
+  }
+}
+function success(msg) {
+  console.log(`${c.green}✓${c.reset} ${msg}`);
+}
+function pad(str, width) {
+  const visible = str.replace(/\x1b\[[0-9;]*m/g, '');
+  return str + ' '.repeat(Math.max(0, width - visible.length));
+}
+function fmtDate(val) {
+  if (!val) return c.dim + '—' + c.reset;
+  // Accept both ISO string and unix ms timestamp
+  const d = typeof val === 'number' ? new Date(val) : new Date(val);
+  if (isNaN(d.getTime())) return c.dim + '—' + c.reset;
+  return c.dim + d.toISOString().slice(0, 10) + c.reset;
+}
+function fmtRole(role) {
+  if (role === 'admin')  return c.yellow + 'admin'  + c.reset;
+  if (role === 'member') return 'member';
+  return c.dim + role + c.reset;
+}
+function fmtStatus(revoked_at) {
+  return revoked_at ? c.dim + 'revoked' + c.reset : c.green + 'active' + c.reset;
+}
+function fatal(msg) {
+  console.error(`${c.red}error:${c.reset} ${msg}`);
+  process.exit(1);
+}
+function prompt(question) {
+  return new Promise(resolve => {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    rl.question(question, ans => { rl.close(); resolve(ans.trim()); });
+  });
+}
+async function promptSecret(question) {
+  const { execSync } = await import('node:child_process');
+  return new Promise(resolve => {
+    process.stderr.write(question);
+    if (process.stdin.isTTY) {
+      try { execSync('stty -echo', { stdio: ['inherit', 'inherit', 'ignore'] }); } catch {}
+    }
+    process.stdin.setEncoding('utf8');
+    process.stdin.resume();
+    process.stdin.once('data', chunk => {
+      const value = chunk.toString().replace(/[\r\n]+$/, '');
+      if (process.stdin.isTTY) {
+        try { execSync('stty echo', { stdio: ['inherit', 'inherit', 'ignore'] }); } catch {}
+        process.stderr.write('\n');
+      }
+      process.stdin.pause();
+      resolve(value);
+    });
+  });
+}
+// ─── Help ────────────────────────────────────────────────────────────────────
+const HELP = `
+orbseal <command> [args]
+  ls                          Show org/workspace/project tree (respects context)
+  status                      Full status: org tree + definitions + release info
+Context
+  use <org>[/<ws>[/<proj>]] [--public-key <key>]  Set active context
+  use --public-key <key>                          Save public key to context only
+  use --clear                                     Clear context (including public key)
+Auth
+  login <token>               Save token — admin (orb_admin_) and app (orb_live_) slots kept separately
+  switch admin | app          Switch between saved admin and app-key tokens
+  logout                      Remove active token
+  whoami  (alias: wh)         Show active token, mode, and saved slots
+Aliases:  ws = workspaces   proj = projects   env = envs
+Tokens
+  tokens list                 List your admin tokens
+  tokens create [label]       Create a new token (shown once)
+  tokens revoke <id>          Revoke a token
+Releases
+  release <workspace> <project> <environment>                               Cut a new immutable release
+  releases list <workspace> <project> <environment>                        List releases
+  releases get <workspace> <project> <environment> [version|latest]        Show a release
+Secrets
+  seal <workspace> <project> <plugin:key> --public-key <key> --scope <s> --ref <r>   Seal & store a secret
+Config  (runtime — requires app key token)
+  resolve [--user=<id>]                            Resolve config for the current app key
+  settings list <user_id>                          List user's overridable settings + current values
+  settings set <user_id> <plugin:key> <value>      Save a user preference
+  settings reset <user_id> <plugin:key>            Reset to default
+Keypair
+  keygen                                                                              Generate keypair + 12-word recovery phrase (saved to ~/.orbseal/key)
+  keys show                                                                           Display your recovery phrase
+  keys restore                                                                        Restore keypair from a 12-word recovery phrase
+App Keys
+  keys list <workspace> <project>                                                     List app keys
+  keys create <workspace> <project> <name> --public-key <key> [--env <slug>]         Create an app key (token shown once)
+  keys revoke <workspace> <project> <id>                                              Revoke an app key
+Audit Log
+  audit list [workspace] [project]                                                    List audit events (org-level or project-level)
+             [--type <action>]                                                         Filter by action type
+             [--actor <user_id>]                                                       Filter by actor
+             [--key <plugin:key>]                                                      Filter by config key
+             [--from <date>] [--to <date>]                                             Date range (ISO 8601)
+             [--limit <n>] [--cursor <token>]                                          Pagination
+             [--json]                                                                  Raw JSON output
+Values
+  values list <workspace> <project>                                                 List all set values
+  values set <ws> <proj> <plugin:key> <value> [--scope <s>] [--ref <r>]            Set a value
+  values delete <ws> <proj> <plugin:key> --scope <s> --ref <r>                     Delete a value
+Schema
+  sync <workspace> <project> [orb.yaml]                    Sync orb.yaml to project (default: ./orb.yaml)
+  schema list <workspace> <project>                        List all definitions
+  schema get <workspace> <project> <plugin:key>            Show a single definition
+Environments
+  envs list <workspace> <project>                           List environments
+  envs create <workspace> <project> <name>                  Create an environment
+  envs get <workspace> <project> <slug>                    Show environment details
+  envs rename <workspace> <project> <slug> <name>          Rename an environment
+  envs delete <workspace> <project> <slug>                 Delete an empty environment
+Projects
+  projects list <workspace>                       List projects in a workspace
+  projects create <workspace> <name>              Create a project
+  projects get <workspace> <slug>                 Show project details
+  projects rename <workspace> <slug> <name>       Rename a project
+  projects delete <workspace> <slug>              Delete an empty project
+Workspaces
+  workspaces list                     List workspaces in your org
+  workspaces create <name>            Create a workspace
+  workspaces get <slug>               Show workspace details
+  workspaces rename <slug> <name>     Rename a workspace
+  workspaces delete <slug>            Delete an empty workspace
+Orgs
+  orgs list                   List orgs you belong to
+  orgs create <slug> <name>   Create a new org
+  orgs get <slug>             Show org details
+  orgs rename <slug> <name>   Rename an org (admin)
+  orgs members list <slug>                        List org members
+  orgs members add <slug> <email> [role]          Add member (role: admin|member|viewer)
+  orgs members set-role <slug> <userId> <role>    Change member role
+  orgs members remove <slug> <userId>             Remove member
+`.trim();
+// ─── Commands ────────────────────────────────────────────────────────────────
+const commands = {
+  // ── Auth ──────────────────────────────────────────────────────────────────
+  async login(args) {
+    const cfg   = loadConfig();
+    const token = args[0];
+    const apiBase = cfg.apiBase ?? DEFAULT_API;
+    // ── Direct token save (backward compat) ───────────────────────────────────
+    if (token) {
+      if (!token.startsWith('orb_admin_') && !token.startsWith('orb_live_')) {
+        fatal(
+          `"${token}" is not a valid token.\n` +
+          `  Admin tokens start with  ${c.green}orb_admin_${c.reset}\n` +
+          `  App keys start with      ${c.yellow}orb_live_${c.reset}\n\n` +
+          `  For browser-based login run:  ${c.bold}orbseal login${c.reset}  (no args)`
+        );
+      }
+      const next = { ...cfg, token };
+      if (token.startsWith('orb_admin_')) next.admin_token = token;
+      if (token.startsWith('orb_live_'))  next.app_token   = token;
+      saveConfig(next);
+      const mode = token.startsWith('orb_live_') ? c.yellow + 'app key' + c.reset : c.green + 'admin' + c.reset;
+      success(`Logged in  ${c.dim}${apiBase}${c.reset}  (${mode})`);
+      return;
+    }
+    // ── Browser-based PKCE login flow ─────────────────────────────────────────
+    console.log(`\n  ${c.bold}Starting login…${c.reset}\n`);
+    // 1. Get state + URL from API
+    let startData;
+    try {
+      const res = await fetch(`${apiBase}/v1/auth/start`);
+      if (!res.ok) fatal(`Auth start failed: ${res.status} ${res.statusText}`);
+      startData = await res.json();
+    } catch (e) {
+      fatal(`Connection error: ${e.message}\n  API: ${apiBase}`);
+    }
+    const { state, url, expires_in } = startData;
+    const expiresMin = Math.round(expires_in / 60);
+    console.log(`  Open this URL in your browser:\n`);
+    console.log(`  ${c.bold}${c.green}${url}${c.reset}\n`);
+    console.log(`  ${c.dim}This link expires in ${expiresMin} minutes.${c.reset}\n`);
+    // Try to open browser automatically
+    try {
+      const { execSync } = await import('node:child_process');
+      const cmd = process.platform === 'darwin' ? 'open'
+                : process.platform === 'win32'  ? 'start'
+                : 'xdg-open';
+      execSync(`${cmd} "${url}"`, { stdio: 'ignore' });
+      console.log(`  ${c.dim}Browser opened automatically. If it didn't open, paste the URL manually.${c.reset}\n`);
+    } catch {
+      // Ignore — user will open manually
+    }
+    // 2. Poll until done
+    process.stdout.write(`  Waiting`);
+    const deadline   = Date.now() + (expires_in * 1000);
+    const intervalMs = 2000;
+    let authToken    = null;
+    let isNewAccount = false;
+    while (Date.now() < deadline) {
+      await new Promise(r => setTimeout(r, intervalMs));
+      process.stdout.write('.');
+      try {
+        const res  = await fetch(`${apiBase}/v1/auth/poll/${state}`);
+        const data = await res.json();
+        if (data.status === 'done' && data.token) {
+          authToken    = data.token;
+          isNewAccount = data.new_account === true;
+          break;
+        }
+        if (data.status === 'expired') {
+          process.stdout.write('\n');
+          fatal('Session expired. Try again: orbseal login');
+        }
+      } catch {
+        // Network hiccup — keep polling
+      }
+    }
+    process.stdout.write('\n\n');
+    if (!authToken) {
+      fatal('Timed out — browser flow not completed.\n  Try again: orbseal login');
+    }
+    // 3. Save token
+    const next = { ...cfg, token: authToken, admin_token: authToken };
+    saveConfig(next);
+    success(`Logged in  ${c.dim}${apiBase}${c.reset}  (${c.green}admin${c.reset})`);
+    console.log(`  ${c.dim}Token saved to ~/.orbseal/config.json${c.reset}\n`);
+    // 4. Keypair — three scenarios
+    const existing = loadMnemonic();
+    if (existing) {
+      // Scenario A: key exists on this device — all good
+      const kp = await keypairFromMnemonic(existing);
+      console.log(`  ${c.dim}Encryption keypair loaded  (${c.cyan}${kp.publicKey.slice(0, 18)}…${c.reset}${c.dim})${c.reset}`);
+      console.log(`  ${c.dim}View recovery phrase:  ${c.reset}orbseal keys show\n`);
+    } else if (isNewAccount) {
+      // Scenario B: brand new account, no secrets yet — safe to auto-generate
+      console.log(`  ${c.bold}Generating encryption keypair…${c.reset}\n`);
+      const { mnemonic, kp } = await generateAndSaveKeypair();
+      console.log(`  ${c.yellow}⚠  Save your recovery phrase — this is the only backup of your encryption key.${c.reset}\n`);
+      await showRecoveryPhrase(mnemonic, kp);
+    } else {
+      // Scenario C: returning user on a new device — DO NOT auto-generate
+      console.log();
+      console.log(`  ${c.yellow}${c.bold}⚠  No encryption keypair found on this device.${c.reset}`);
+      console.log();
+      console.log(`  ${c.bold}If you have your recovery phrase from a previous device:${c.reset}`);
+      console.log(`    orbseal keys restore`);
+      console.log();
+      console.log(`  ${c.bold}If you have never set up a keypair before:${c.reset}`);
+      console.log(`    orbseal keygen`);
+      console.log();
+      console.log(`  ${c.red}${c.bold}Do NOT run keygen if you have existing sealed secrets —`);
+      console.log(`  they will become permanently inaccessible.${c.reset}`);
+      console.log();
+    }
+  },
+  logout() {
+    const cfg = loadConfig();
+    delete cfg.token;
+    saveConfig(cfg);
+    success('Logged out.');
+  },
+  // ── Switch between saved admin / app-key tokens ───────────────────────────
+  switchToken(args) {
+    const target = (args[0] ?? '').toLowerCase();
+    const cfg    = loadConfig();
+    if (target === 'admin') {
+      if (!cfg.admin_token) fatal('No admin token saved. Run: orbseal login orb_admin_...');
+      cfg.token = cfg.admin_token;
+      saveConfig(cfg);
+      success(`Switched to ${c.green}admin${c.reset}  ${c.dim}${cfg.admin_token.slice(0, 18)}…${c.reset}`);
+      return;
+    }
+    if (target === 'app' || target === 'live') {
+      if (!cfg.app_token) fatal('No app token saved. Run: orbseal login orb_live_...');
+      cfg.token = cfg.app_token;
+      saveConfig(cfg);
+      success(`Switched to ${c.yellow}app key${c.reset}  ${c.dim}${cfg.app_token.slice(0, 18)}…${c.reset}`);
+      return;
+    }
+    // No arg — show available slots
+    console.log();
+    kv([
+      ['active',      c.cyan + (cfg.token?.slice(0, 18) ?? '—') + '…' + c.reset],
+      ['admin_token', cfg.admin_token ? c.green + cfg.admin_token.slice(0, 18) + '…' + c.reset : c.dim + '(none)' + c.reset],
+      ['app_token',   cfg.app_token   ? c.yellow + cfg.app_token.slice(0, 18)  + '…' + c.reset : c.dim + '(none)' + c.reset],
+    ]);
+    console.log(`\n  ${c.dim}Usage: orbseal switch admin | app${c.reset}`);
+  },
+  whoami() {
+    const cfg = loadConfig();
+    if (!cfg.token) fatal('Not logged in.');
+    const ctx  = cfg.context ?? {};
+    const mode = cfg.token.startsWith('orb_live_')
+      ? c.yellow + 'app key' + c.reset
+      : c.green + 'admin' + c.reset;
+    const rows = [
+      ['token', c.cyan + cfg.token.slice(0, 18) + '…' + c.reset + '  ' + mode],
+      ['api',   cfg.apiBase ?? DEFAULT_API],
+    ];
+    if (cfg.admin_token && cfg.token !== cfg.admin_token)
+      rows.push(['admin',  c.dim + cfg.admin_token.slice(0, 18) + '… (saved)' + c.reset]);
+    if (cfg.app_token && cfg.token !== cfg.app_token)
+      rows.push(['app key', c.dim + cfg.app_token.slice(0, 18) + '… (saved)' + c.reset]);
+    const path = [ctx.org, ctx.workspace, ctx.project, ctx.env].filter(Boolean).join('/');
+    if (path) rows.push(['context', c.bold + path + c.reset]);
+    if (ctx.public_key) rows.push(['public key', c.dim + ctx.public_key.slice(0, 24) + '…' + c.reset]);
+    kv(rows);
+  },
+  // ── Status ────────────────────────────────────────────────────────────────
+  async status(_args) {
+    const cfg = loadConfig();
+    if (!cfg.token) fatal('Not logged in. Run: orbseal login');
+    const isApp = cfg.token.startsWith('orb_live_');
+    console.log();
+    kv([
+      ['token',  c.cyan + cfg.token.slice(0, 18) + '…' + c.reset],
+      ['api',    cfg.apiBase ?? DEFAULT_API],
+      ['mode',   isApp ? c.yellow + 'runtime (app key)' + c.reset : c.green + 'admin' + c.reset],
+    ]);
+    if (isApp) {
+      console.log();
+      console.log(`  ${c.dim}Runtime mode — use ${c.reset}${c.bold}orbseal resolve${c.reset}${c.dim} to fetch config.${c.reset}`);
+      console.log();
+      return;
+    }
+    // Admin mode — fetch org tree
+    console.log();
+    let orgs;
+    try { orgs = (await api('GET', '/v1/orgs')).orgs; }
+    catch { console.log(`  ${c.red}Could not fetch orgs — check token.${c.reset}\n`); return; }
+    for (const org of orgs) {
+      console.log(`  ${c.bold}${c.green}●${c.reset} ${c.bold}${org.slug}${c.reset}  ${c.dim}${org.name}${c.reset}  ${fmtRole(org.role)}`);
+      let workspaces;
+      try { workspaces = (await api('GET', '/v1/workspaces')).workspaces; }
+      catch { continue; }
+      for (let wi = 0; wi < workspaces.length; wi++) {
+        const ws      = workspaces[wi];
+        const isLastWs = wi === workspaces.length - 1;
+        const wsPfx   = isLastWs ? '    └──' : '    ├──';
+        const wsPad   = isLastWs ? '       ' : '    │  ';
+        console.log(`${wsPfx} ${c.bold}${ws.slug}${c.reset}  ${c.dim}${ws.name}  workspace${c.reset}`);
+        let projects;
+        try { projects = (await api('GET', `/v1/workspaces/${ws.slug}/projects`)).projects; }
+        catch { continue; }
+        for (let pi = 0; pi < projects.length; pi++) {
+          const proj     = projects[pi];
+          const isLastP  = pi === projects.length - 1;
+          const pPfx     = isLastP ? `${wsPad}└──` : `${wsPad}├──`;
+          const pPad     = isLastP ? `${wsPad}   ` : `${wsPad}│  `;
+          let envs, defs, keys, latestRelease;
+          try {
+            [envs, defs, keys] = await Promise.all([
+              api('GET', `/v1/workspaces/${ws.slug}/projects/${proj.slug}/environments`).then(r => r.environments),
+              api('GET', `/v1/workspaces/${ws.slug}/projects/${proj.slug}/schema`).then(r => r.definitions),
+              api('GET', `/v1/workspaces/${ws.slug}/projects/${proj.slug}/keys`).then(r => r.keys),
+            ]);
+            if (envs.length) {
+              const env = envs[0];
+              const rels = await api('GET', `/v1/workspaces/${ws.slug}/projects/${proj.slug}/environments/${env.slug}/releases`).then(r => r.releases).catch(() => []);
+              latestRelease = rels[0];
+            }
+          } catch { envs = []; defs = []; keys = []; }
+          const activeKeys = (keys ?? []).filter(k => !k.revoked_at).length;
+          const envNames   = (envs ?? []).map(e => e.slug).join(', ') || c.dim + 'none' + c.reset;
+          const defCount   = (defs ?? []).length;
+          const relInfo    = latestRelease
+            ? `v${latestRelease.version}  ${c.dim}${String(latestRelease.created_at ?? '').slice(0,10)}${c.reset}`
+            : c.dim + 'no releases' + c.reset;
+          console.log(`${pPfx} ${c.bold}${proj.slug}${c.reset}  ${c.dim}${proj.name}${c.reset}`);
+          console.log(`${pPad}  envs        ${envNames}`);
+          console.log(`${pPad}  definitions ${defCount}`);
+          console.log(`${pPad}  app keys    ${activeKeys} active`);
+          console.log(`${pPad}  latest      ${relInfo}`);
+        }
+      }
+    }
+    console.log();
+  },
+  // ── Release ───────────────────────────────────────────────────────────────
+  async release(args) {
+    const [ws, proj, env] = resolveCtx(args, 'ws', 'proj', 'env');
+    const data = await api('POST', `/v1/workspaces/${ws}/projects/${proj}/environments/${env}/release`);
+    success(`Release ${c.bold}v${data.version}${c.reset}  ${c.dim}etag: ${data.etag}${c.reset}`);
+    console.log();
+    kv([
+      ['project',     proj],
+      ['environment', env],
+      ['version',     c.bold + String(data.version) + c.reset],
+      ['etag',        data.etag],
+      ['released_at', data.released_at],
+      ['config keys', String(Object.keys(data.config ?? {}).length)],
+      ['secret keys', String((data.secret_keys ?? []).length)],
+    ]);
+    if (Object.keys(data.config ?? {}).length) {
+      console.log(`\n  ${c.dim}Config snapshot:${c.reset}`);
+      for (const [k, v] of Object.entries(data.config)) {
+        console.log(`    ${c.dim}${k.padEnd(36)}${c.reset}  ${c.cyan}${JSON.stringify(v)}${c.reset}`);
+      }
+    }
+  },
+  async releases(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const [ws, proj, env] = resolveCtx(rest, 'ws', 'proj', 'env');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/environments/${env}/releases`);
+      table(data.releases, [
+        { key: 'version',    label: 'VER',       fmt: v => c.bold + String(v) + c.reset },
+        { key: 'etag',       label: 'ETAG',      fmt: v => c.dim + String(v) + c.reset },
+        { key: 'created_by', label: 'BY',        fmt: v => c.dim + String(v).slice(0, 8) + '…' + c.reset },
+        { key: 'created_at', label: 'RELEASED',  fmt: fmtDate },
+      ]);
+      return;
+    }
+    if (sub === 'get') {
+      const [ws, proj, env] = resolveCtx(rest, 'ws', 'proj', 'env');
+      const ver = rest[3] ?? 'latest';
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/environments/${env}/releases/${ver}`);
+      kv([
+        ['version',     c.bold + String(data.version) + c.reset],
+        ['etag',        c.dim  + data.etag + c.reset],
+        ['environment', data.environment],
+        ['released_at', data.released_at],
+      ]);
+      if (data.config) {
+        console.log(`\n  ${c.bold}Config${c.reset}`);
+        for (const [k, v] of Object.entries(data.config)) {
+          console.log(`    ${c.dim}${k.padEnd(36)}${c.reset}  ${c.cyan}${JSON.stringify(v)}${c.reset}`);
+        }
+      }
+      if (data.secret_keys?.length) {
+        console.log(`\n  ${c.bold}Secrets${c.reset} ${c.dim}(resolved at runtime)${c.reset}`);
+        for (const k of data.secret_keys) {
+          console.log(`    ${c.dim}${k}${c.reset}`);
+        }
+      }
+      return;
+    }
+    fatal(`unknown subcommand: releases ${sub}`);
+  },
+  // ── Audit log ─────────────────────────────────────────────────────────────
+  async audit(args) {
+    // orbseal audit list [ws] [proj] [--type <action>] [--actor <id>]
+    //                                [--key <plugin:key>] [--from <date>] [--to <date>]
+    //                                [--limit <n>] [--cursor <token>] [--json]
+    const sub = args[0];
+    if (sub !== 'list' && sub !== undefined) {
+      fatal(`unknown subcommand: audit ${sub}\n  Usage: orbseal audit list [workspace] [project] [--type value_set] [--key plugin:key]`);
+    }
+    const rest = sub === 'list' ? args.slice(1) : args;
+    // parse flags first so resolveCtx gets the positional-only slice
+    const flagArgs   = rest.filter(a => a.startsWith('--'));
+    const posArgs    = rest.filter(a => !a.startsWith('--'));
+    const getFlag = (name) => {
+      const f = flagArgs.find(a => a.startsWith(`--${name}=`));
+      if (f) return f.slice(name.length + 3);
+      const i = flagArgs.indexOf(`--${name}`);
+      return i !== -1 ? flagArgs[i + 1] : null;
+    };
+    const resolved = resolveCtx(posArgs, 'ws?', 'proj?');
+    const [ws, proj] = resolved;
+    const typeFilter   = getFlag('type');
+    const actorFilter  = getFlag('actor');
+    const keyFilter    = getFlag('key');
+    const fromFilter   = getFlag('from');
+    const toFilter     = getFlag('to');
+    const limitFilter  = getFlag('limit') ?? '50';
+    const cursorArg    = getFlag('cursor');
+    const jsonOut      = flagArgs.includes('--json');
+    let url, data;
+    if (ws && proj) {
+      // Project-level audit
+      const q = new URLSearchParams({ limit: limitFilter });
+      if (typeFilter)  q.set('type',   typeFilter);
+      if (actorFilter) q.set('actor',  actorFilter);
+      if (keyFilter)   q.set('key',    keyFilter);
+      if (fromFilter)  q.set('from',   fromFilter);
+      if (toFilter)    q.set('to',     toFilter);
+      if (cursorArg)   q.set('cursor', cursorArg);
+      url  = `/v1/workspaces/${ws}/projects/${proj}/audit?${q}`;
+      data = await api('GET', url);
+    } else {
+      // Org-level audit
+      const q = new URLSearchParams({ limit: limitFilter });
+      if (typeFilter)  q.set('type',   typeFilter);
+      if (actorFilter) q.set('actor',  actorFilter);
+      if (fromFilter)  q.set('from',   fromFilter);
+      if (toFilter)    q.set('to',     toFilter);
+      if (cursorArg)   q.set('cursor', cursorArg);
+      url  = `/v1/audit?${q}`;
+      data = await api('GET', url);
+    }
+    if (jsonOut) {
+      console.log(JSON.stringify(data, null, 2));
+      return;
+    }
+    const events = data.events ?? [];
+    if (!events.length) {
+      console.log(`\n  ${c.dim}no audit events found${c.reset}\n`);
+      return;
+    }
+    // Action → color
+    const actionColor = (action) => {
+      if (action.endsWith('_deleted') || action.endsWith('_revoked')) return c.red + action + c.reset;
+      if (action === 'release_created') return c.green + action + c.reset;
+      if (action.startsWith('secret'))  return c.yellow + action + c.reset;
+      return c.dim + action + c.reset;
+    };
+    console.log();
+    const rows = events.map(e => {
+      const key    = e.plugin && e.key ? `  ${c.dim}${e.plugin}:${e.key}${c.reset}` : '';
+      const scope  = e.scope ? `  ${c.dim}${e.scope}/${e.scope_ref ?? ''}${c.reset}` : '';
+      const actor  = e.actor ? e.actor.slice(0, 8) + '…' : '—';
+      const date   = fmtDate(e.created_at);
+      return [date, actionColor(e.action), actor, key + scope].join('  ');
+    });
+    rows.forEach(r => console.log(`  ${r}`));
+    if (data.has_more && data.next_cursor) {
+      console.log(`\n  ${c.dim}More results — fetch next page:${c.reset}`);
+      console.log(`  ${c.bold}orbseal audit list --cursor ${data.next_cursor}${c.reset}`);
+    }
+    console.log();
+  },
+  // ── Seal (set a secret) ───────────────────────────────────────────────────
+  async seal(args) {
+    // orbseal seal [ws] [proj] <plugin:key> --public-key <key> --scope <s> --ref <r>
+    const resolved = resolveCtx(args, 'ws', 'proj');
+    const [ws, proj] = resolved;
+    const remaining = args.slice(resolved.consumed);
+    const [pluginKey, ...flags] = remaining;
+    if (!pluginKey) {
+      fatal('usage: seal [workspace] [project] <plugin:key> --scope <scope> --ref <scope_ref> [--public-key <key>]');
+    }
+    const [plugin, key] = pluginKey.split(':');
+    if (!plugin || !key) fatal('plugin:key format required, e.g. email:smtp_password');
+    const cfg = loadConfig();
+    let publicKey = cfg.context?.public_key ?? '';
+    let scope = 'environment', scopeRef = '';
+    for (let i = 0; i < flags.length; i++) {
+      if (flags[i] === '--public-key' && flags[i+1]) { publicKey = flags[++i]; }
+      if (flags[i] === '--scope'      && flags[i+1]) { scope     = flags[++i]; }
+      if (flags[i] === '--ref'        && flags[i+1]) { scopeRef  = flags[++i]; }
+    }
+    if (!publicKey) fatal('--public-key required (or run: orbseal use --public-key <key>)');
+    if (!scopeRef)  fatal('--ref is required (e.g. --ref production)');
+    // Prompt for secret value — hidden input
+    const value = await promptSecret('Secret value: ');
+    if (!value) fatal('value cannot be empty');
+    // Decode key (orbpk-... or legacy base64) → raw bytes → base64 for libsodium
+    const pubKeyRaw = parsePublicKey(publicKey);
+    const pubKeyB64 = pubKeyRaw.toString('base64');
+    // Seal using libsodium CJS (avoids ESM WASM resolution issue in Node.js)
+    let ciphertext;
+    try {
+      const { createRequire } = await import('node:module');
+      const req    = createRequire(import.meta.url);
+      const sodium = req('libsodium-wrappers');
+      await sodium.ready;
+      const pk = sodium.from_base64(pubKeyB64, sodium.base64_variants.ORIGINAL);
+      const ct = sodium.crypto_box_seal(sodium.from_string(value), pk);
+      ciphertext = sodium.to_base64(ct, sodium.base64_variants.ORIGINAL);
+    } catch (e) {
+      fatal(`seal failed: ${e?.message ?? e}`);
+    }
+    await api('PUT', `/v1/workspaces/${ws}/projects/${proj}/secrets/${plugin}/${key}`, {
+      ciphertext,
+      public_key: pubKeyB64,
+      scope,
+      scope_ref:  scopeRef,
+    });
+    success(`Sealed ${c.bold}${pluginKey}${c.reset}  ${c.dim}scope=${scope} ref=${scopeRef}${c.reset}`);
+  },
+  // ── User settings (app key) ───────────────────────────────────────────────
+  async settings(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const [userId] = rest;
+      if (!userId) fatal('usage: settings list <user_id>');
+      const data = await api('GET', `/v1/config/user-values?user_id=${encodeURIComponent(userId)}`);
+      console.log(`\n  ${c.dim}user: ${userId}${c.reset}\n`);
+      table(data.settings, [
+        { key: 'plugin',      label: 'PLUGIN' },
+        { key: 'key',         label: 'KEY' },
+        { key: 'label',       label: 'LABEL',     fmt: v => v ?? c.dim + '—' + c.reset },
+        { key: 'value',       label: 'VALUE',      fmt: v => c.cyan + JSON.stringify(v) + c.reset },
+        { key: 'is_override', label: 'OVERRIDE',   fmt: v => v ? c.yellow + 'yes' + c.reset : c.dim + 'no' + c.reset },
+        { key: 'type',        label: 'TYPE' },
+        { key: 'component',   label: 'COMPONENT',  fmt: v => v ? String(v) : c.dim + '—' + c.reset },
+      ]);
+      return;
+    }
+    if (sub === 'set') {
+      const [userId, pluginKey, val] = rest;
+      if (!userId || !pluginKey || val === undefined) {
+        fatal('usage: settings set <user_id> <plugin:key> <value>');
+      }
+      const [plugin, key] = pluginKey.split(':');
+      if (!plugin || !key) fatal('plugin:key format required, e.g. taskflow:theme');
+      let parsed;
+      try { parsed = JSON.parse(val); } catch { parsed = val; }
+      await api('PUT', `/v1/config/user-values/${plugin}/${key}`, { value: parsed, user_id: userId });
+      success(`Set ${c.bold}${pluginKey}${c.reset} = ${c.cyan}${JSON.stringify(parsed)}${c.reset}  ${c.dim}for user ${userId}${c.reset}`);
+      return;
+    }
+    if (sub === 'reset') {
+      const [userId, pluginKey] = rest;
+      if (!userId || !pluginKey) fatal('usage: settings reset <user_id> <plugin:key>');
+      const [plugin, key] = pluginKey.split(':');
+      await api('DELETE', `/v1/config/user-values/${plugin}/${key}?user_id=${encodeURIComponent(userId)}`);
+      success(`Reset ${c.bold}${pluginKey}${c.reset} to default for user ${userId}`);
+      return;
+    }
+    fatal(`unknown subcommand: settings ${sub}`);
+  },
+  // ── Resolve ───────────────────────────────────────────────────────────────
+  async resolve(args) {
+    const [userFlag] = args;
+    const userId = userFlag?.startsWith('--user=') ? userFlag.slice(7) : null;
+    const qs     = userId ? `?user=${encodeURIComponent(userId)}` : '';
+    const cfg = loadConfig();
+    if (!cfg.token?.startsWith('orb_live_')) {
+      fatal('resolve requires an app key (orb_live_xxx). Login with an app key: orbseal login <token>');
+    }
+    const data = await api('GET', `/v1/config/resolve${qs}`);
+    console.log(`\n  ${c.bold}${c.dim}etag: ${data.etag}  resolved: ${data.resolved_at}${c.reset}\n`);
+    console.log(`  ${c.bold}Config${c.reset}`);
+    for (const [k, v] of Object.entries(data.config)) {
+      const display = v === null ? c.red + 'MISSING' + c.reset : c.cyan + JSON.stringify(v) + c.reset;
+      console.log(`    ${c.dim}${k.padEnd(36)}${c.reset}  ${display}`);
+    }
+    if (Object.keys(data.secrets).length) {
+      console.log(`\n  ${c.bold}Secrets${c.reset} ${c.dim}(ciphertext)${c.reset}`);
+      for (const [k, v] of Object.entries(data.secrets)) {
+        const display = v ? c.yellow + v.slice(0, 20) + '…' + c.reset : c.red + 'MISSING' + c.reset;
+        console.log(`    ${c.dim}${k.padEnd(36)}${c.reset}  ${display}`);
+      }
+    }
+    console.log();
+  },
+  // ── Keygen ────────────────────────────────────────────────────────────────
+  async keygen(_args) {
+    // Generate 128-bit entropy → 12-word BIP39 mnemonic → X25519 keypair
+    const existing = loadMnemonic();
+    if (existing) {
+      const existingKp = await keypairFromMnemonic(existing);
+      console.log();
+      console.log(`  ${c.yellow}${c.bold}⚠  A keypair already exists on this device.${c.reset}`);
+      console.log();
+      console.log(`  Current public key: ${c.cyan}${existingKp.publicKey}${c.reset}`);
+      console.log();
+      console.log(`  Why do you want to generate a new keypair?`);
+      console.log();
+      console.log(`  ${c.bold}[1]${c.reset} I lost my key / starting fresh`);
+      console.log(`      ${c.dim}Old secrets sealed with the current key become inaccessible.${c.reset}`);
+      console.log();
+      console.log(`  ${c.bold}[2]${c.reset} Planned rotation — I want to export my current phrase first`);
+      console.log(`      ${c.dim}Export current recovery phrase → generate new key.${c.reset}`);
+      console.log(`      ${c.dim}Old key remains restorable via: orbseal keys restore${c.reset}`);
+      console.log();
+      const choice = (await prompt(`  Choose [1/2] or Enter to cancel: `)).trim();
+      if (choice === '2') {
+        // ── Rotation path: show current phrase before overwriting ──────────
+        console.log();
+        console.log(`  ${c.yellow}${c.bold}Export your current recovery phrase now.${c.reset}`);
+        console.log(`  ${c.dim}After you generate a new key, you can restore the old one anytime with:${c.reset}`);
+        console.log(`  ${c.dim}  orbseal keys restore${c.reset}`);
+        await showRecoveryPhrase(existing, existingKp);
+        console.log();
+        const confirm = (await prompt(`  Type ${c.bold}ROTATE${c.reset} to generate new keypair: `)).trim();
+        if (confirm !== 'ROTATE') {
+          console.log(`\n  ${c.dim}Cancelled. Existing keypair kept.${c.reset}\n`);
+          return;
+        }
+      } else if (choice === '1') {
+        // ── Lost key path: warn about permanent data loss ─────────────────
+        console.log();
+        console.log(`  ${c.red}${c.bold}All secrets sealed with the current public key will be`);
+        console.log(`  permanently inaccessible — there is no way to recover them.${c.reset}`);
+        console.log();
+        const confirm = (await prompt(`  Type ${c.bold}LOST${c.reset} to confirm and generate new keypair: `)).trim();
+        if (confirm !== 'LOST') {
+          console.log(`\n  ${c.dim}Cancelled. Existing keypair kept.${c.reset}\n`);
+          return;
+        }
+      } else {
+        console.log(`\n  ${c.dim}Cancelled. Existing keypair kept.${c.reset}\n`);
+        return;
+      }
+      console.log();
+    }
+    const { mnemonic, kp } = await generateAndSaveKeypair();
+    console.log(`\n  ${c.yellow}⚠  Save your recovery phrase — this is the only backup of your encryption key.${c.reset}\n`);
+    await showRecoveryPhrase(mnemonic, kp);
+    console.log(`  ${c.dim}Use public key when creating an app key:${c.reset}`);
+    console.log(`  orbseal keys create ... --public-key "${kp.publicKey}"\n`);
+  },
+  async recover(args) {
+    if (!args.length) fatal('usage: recover "word1 word2 ... word12"');
+    const phrase = args.join(' ');
+    const err    = await validateMnemonic(phrase);
+    if (err) fatal(err);
+    const kp = await keypairFromMnemonic(phrase);
+    console.log();
+    console.log(`  ${c.bold}Keypair recovered:${c.reset}`);
+    console.log();
+    kv([
+      ['public key ', c.cyan + kp.publicKey  + c.reset],
+      ['private key', c.dim  + kp.privateKey + c.reset],
+    ]);
+    console.log();
+  },
+  // ── App Keys + Keypair management ─────────────────────────────────────────
+  async keys(args) {
+    const [sub, ...rest] = args;
+    // ── keys show ────────────────────────────────────────────────────────────
+    if (sub === 'show') {
+      const mnemonic = loadMnemonic();
+      if (!mnemonic) {
+        fatal(
+          'No keypair found at ~/.orbseal/key\n' +
+          `  Generate one:  ${c.bold}orbseal keygen${c.reset}\n` +
+          `  Restore one:   ${c.bold}orbseal keys restore${c.reset}`
+        );
+      }
+      const kp = await keypairFromMnemonic(mnemonic);
+      console.log();
+      console.log(`  ${c.yellow}⚠  Make sure no one can see your screen.${c.reset}\n`);
+      const answer = await prompt('  Show recovery phrase? [y/N] ');
+      if (answer.trim().toLowerCase() !== 'y') {
+        console.log(`\n  ${c.dim}Cancelled.${c.reset}\n`);
+        return;
+      }
+      await showRecoveryPhrase(mnemonic, kp);
+      return;
+    }
+    // ── keys restore ─────────────────────────────────────────────────────────
+    if (sub === 'restore') {
+      console.log(`\n  Enter your 12-word recovery phrase:\n`);
+      const phrase = (await prompt('  > ')).trim();
+      const validErr = await validateMnemonic(phrase);
+      if (validErr) fatal(validErr);
+      const kp = await keypairFromMnemonic(phrase);
+      const existing = loadMnemonic();
+      if (existing) {
+        const answer = await prompt(`\n  A keypair already exists. Overwrite? [y/N] `);
+        if (answer.trim().toLowerCase() !== 'y') {
+          console.log(`\n  ${c.dim}Cancelled.${c.reset}\n`);
+          return;
+        }
+      }
+      saveMnemonic(phrase);
+      console.log();
+      success('Keypair restored and saved to ~/.orbseal/key');
+      kv([['public key', c.cyan + kp.publicKey + c.reset]]);
+      console.log();
+      return;
+    }
+    if (!sub || sub === 'list') {
+      const [ws, proj] = resolveCtx(rest, 'ws', 'proj');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/keys`);
+      table(data.keys, [
+        { key: 'name',        label: 'NAME' },
+        { key: 'key_prefix',  label: 'PREFIX' },
+        { key: 'public_key',  label: 'PUBLIC KEY', fmt: v => c.dim + String(v).slice(0, 12) + '…' + c.reset },
+        { key: 'created_at',  label: 'CREATED',    fmt: fmtDate },
+        { key: 'last_used_at',label: 'LAST USED',  fmt: fmtDate },
+        { key: 'revoked_at',  label: 'STATUS',     fmt: (v) => fmtStatus(v) },
+      ]);
+      return;
+    }
+    if (sub === 'create') {
+      const resolved = resolveCtx(rest, 'ws', 'proj');
+      const [ws, proj] = resolved;
+      const [name, ...flags] = rest.slice(resolved.consumed);
+      if (!name) fatal('usage: keys create [workspace] [project] <name> --public-key <key> [--env <slug>]');
+      let publicKey = '', envSlug = '';
+      for (let i = 0; i < flags.length; i++) {
+        if (flags[i] === '--public-key' && flags[i+1]) { publicKey = flags[++i]; }
+        if (flags[i] === '--env'        && flags[i+1]) { envSlug  = flags[++i]; }
+      }
+      if (!publicKey) fatal('--public-key is required (run: orbseal keygen)');
+      // Accept orbpk-... or legacy base64
+      const pubKeyB64 = parsePublicKey(publicKey).toString('base64');
+      const body = { name, public_key: pubKeyB64, ...(envSlug ? { environment: envSlug } : {}) };
+      const data = await api('POST', `/v1/workspaces/${ws}/projects/${proj}/keys`, body);
+      console.log(`\n  ${c.bold}App key created — save the token, it won't be shown again:${c.reset}\n`);
+      console.log(`  ${c.cyan}${c.bold}${data.token}${c.reset}\n`);
+      kv([
+        ['id',         data.id],
+        ['prefix',     data.key_prefix],
+        ['name',       data.name],
+        ['public_key', c.dim + data.public_key.slice(0, 16) + '…' + c.reset],
+        ['env',        data.environment_id ?? c.dim + 'all environments' + c.reset],
+      ]);
+      return;
+    }
+    if (sub === 'revoke') {
+      const resolved = resolveCtx(rest, 'ws', 'proj');
+      const [ws, proj] = resolved;
+      const [id] = rest.slice(resolved.consumed);
+      if (!id) fatal('usage: keys revoke [workspace] [project] <id>');
+      await api('DELETE', `/v1/workspaces/${ws}/projects/${proj}/keys/${id}`);
+      success('App key revoked.');
+      return;
+    }
+    fatal(`unknown subcommand: keys ${sub}`);
+  },
+  // ── Tokens ────────────────────────────────────────────────────────────────
+  async tokens(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const data = await api('GET', '/v1/tokens');
+      table(data.tokens, [
+        { key: 'key_prefix',   label: 'PREFIX' },
+        { key: 'name',         label: 'NAME',      fmt: v => v || c.dim + '—' + c.reset },
+        { key: 'last_used_at', label: 'LAST USED', fmt: fmtDate },
+        { key: 'created_at',   label: 'CREATED',   fmt: fmtDate },
+        { key: 'revoked_at',   label: 'STATUS',    fmt: (v) => fmtStatus(v) },
+      ]);
+      return;
+    }
+    if (sub === 'create') {
+      const name = rest.join(' ') || '';
+      const data  = await api('POST', '/v1/tokens', { name });
+      console.log();
+      console.log(`  ${c.bold}Token created — save it now, it won't be shown again:${c.reset}`);
+      console.log();
+      console.log(`  ${c.cyan}${c.bold}${data.token}${c.reset}`);
+      console.log();
+      kv([
+        ['id',     data.id],
+        ['prefix', data.key_prefix],
+        ['name',   data.name || c.dim + '(none)' + c.reset],
+        ['org',    data.org_id],
+      ]);
+      return;
+    }
+    if (sub === 'revoke') {
+      const [id] = rest;
+      if (!id) fatal('usage: tokens revoke <id>');
+      await api('DELETE', `/v1/tokens/${id}`);
+      success('Token revoked.');
+      return;
+    }
+    fatal(`unknown subcommand: tokens ${sub}`);
+  },
+  // ── Workspaces ────────────────────────────────────────────────────────────
+  async workspaces(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const data = await api('GET', '/v1/workspaces');
+      table(data.workspaces, [
+        { key: 'short_id',      label: 'ID' },
+        { key: 'slug',          label: 'SLUG' },
+        { key: 'name',          label: 'NAME' },
+        { key: 'project_count', label: 'PROJECTS', fmt: v => String(v) },
+        { key: 'created_at',    label: 'CREATED',  fmt: fmtDate },
+      ]);
+      return;
+    }
+    if (sub === 'create') {
+      const name = rest.join(' ');
+      if (!name) fatal('usage: workspaces create <name>');
+      const data = await api('POST', '/v1/workspaces', { name });
+      success(`Workspace created: ${c.bold}${data.slug}${c.reset}  ${c.dim}(id: ${data.short_id ?? '—'})${c.reset}`);
+      return;
+    }
+    if (sub === 'get') {
+      const [slug] = rest;
+      if (!slug) fatal('usage: workspaces get <slug|short_id>');
+      const data = await api('GET', `/v1/workspaces/${slug}`);
+      kv([
+        ['id',       c.dim + data.id + c.reset],
+        ['short_id', c.bold + data.short_id + c.reset],
+        ['slug',     c.bold + data.slug + c.reset],
+        ['name',     data.name],
+        ['projects', String(data.project_count)],
+        ['created',  fmtDate(data.created_at)],
+      ]);
+      return;
+    }
+    if (sub === 'rename') {
+      const [slug, ...nameParts] = rest;
+      const name = nameParts.join(' ');
+      if (!slug || !name) fatal('usage: workspaces rename <slug> <name>');
+      await api('PATCH', `/v1/workspaces/${slug}`, { name });
+      success(`Workspace renamed to ${c.bold}${name}${c.reset}`);
+      return;
+    }
+    if (sub === 'delete') {
+      const [slug] = rest;
+      if (!slug) fatal('usage: workspaces delete <slug>');
+      await api('DELETE', `/v1/workspaces/${slug}`);
+      success(`Workspace ${c.bold}${slug}${c.reset} deleted.`);
+      return;
+    }
+    fatal(`unknown subcommand: workspaces ${sub}`);
+  },
+  // ── Values ────────────────────────────────────────────────────────────────
+  async values(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const [ws, proj] = resolveCtx(rest, 'ws', 'proj');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/values`);
+      table(data.values, [
+        { key: 'plugin',    label: 'PLUGIN' },
+        { key: 'key',       label: 'KEY' },
+        { key: 'scope',     label: 'SCOPE' },
+        { key: 'scope_ref', label: 'SCOPE REF', fmt: v => c.dim + String(v).slice(0, 8) + '…' + c.reset },
+        { key: 'value',     label: 'VALUE',     fmt: v => String(v).slice(0, 40) },
+        { key: 'version',   label: 'VER',       fmt: v => c.dim + String(v) + c.reset },
+      ]);
+      return;
+    }
+    if (sub === 'set') {
+      // values set <ws> <proj> <plugin:key> <value> --scope <scope> --ref <scope_ref>
+      const resolved = resolveCtx(rest, 'ws', 'proj');
+      const [ws, proj] = resolved;
+      const remaining = rest.slice(resolved.consumed);
+      const [pluginKey, val, ...flags] = remaining;
+      if (!pluginKey || val === undefined) {
+        fatal('usage: values set [workspace] [project] <plugin:key> <value> [--scope <scope>] [--ref <scope_ref>]');
+      }
+      const [plugin, key] = pluginKey.split(':');
+      if (!plugin || !key) fatal('plugin:key format required, e.g. email:smtp_host');
+      // Parse --scope and --ref flags
+      let scope    = 'project';
+      let scopeRef = proj;
+      for (let i = 0; i < flags.length; i++) {
+        if (flags[i] === '--scope' && flags[i+1]) { scope    = flags[++i]; }
+        if (flags[i] === '--ref'   && flags[i+1]) { scopeRef = flags[++i]; }
+      }
+      // Try to parse value as JSON, fall back to string
+      let parsed;
+      try { parsed = JSON.parse(val); } catch { parsed = val; }
+      await api('PUT', `/v1/workspaces/${ws}/projects/${proj}/values/${plugin}/${key}`, {
+        value: parsed, scope, scope_ref: scopeRef,
+      });
+      success(`Set ${c.bold}${pluginKey}${c.reset}  ${c.dim}scope=${scope} ref=${scopeRef}${c.reset}`);
+      return;
+    }
+    if (sub === 'delete') {
+      const resolved = resolveCtx(rest, 'ws', 'proj');
+      const [ws, proj] = resolved;
+      const [pluginKey, ...flags] = rest.slice(resolved.consumed);
+      if (!pluginKey) fatal('usage: values delete [workspace] [project] <plugin:key> --scope <scope> --ref <scope_ref>');
+      const [plugin, key] = pluginKey.split(':');
+      let scope = 'project', scopeRef = proj;
+      for (let i = 0; i < flags.length; i++) {
+        if (flags[i] === '--scope' && flags[i+1]) { scope    = flags[++i]; }
+        if (flags[i] === '--ref'   && flags[i+1]) { scopeRef = flags[++i]; }
+      }
+      await api('DELETE', `/v1/workspaces/${ws}/projects/${proj}/values/${plugin}/${key}?scope=${scope}&scope_ref=${scopeRef}`);
+      success('Value deleted.');
+      return;
+    }
+    fatal(`unknown subcommand: values ${sub}`);
+  },
+  // ── Schema ────────────────────────────────────────────────────────────────
+  async sync(args) {
+    const resolved = resolveCtx(args, 'ws', 'proj');
+    const [ws, proj] = resolved;
+    const filePath = args[resolved.consumed] ?? 'orb.yaml';
+    const { readFileSync } = await import('fs');
+    let yaml;
+    try {
+      yaml = readFileSync(filePath, 'utf8');
+    } catch {
+      fatal(`cannot read ${filePath}`);
+    }
+    const data = await api('POST', `/v1/workspaces/${ws}/projects/${proj}/schema/sync`, yaml, 'text/plain');
+    if (data.errors?.length) {
+      console.log(`\n  ${c.red}Breaking changes blocked:${c.reset}`);
+      for (const e of data.errors) console.log(`    ${c.dim}✗${c.reset} ${e}`);
+    }
+    console.log();
+    kv([
+      ['plugin',    c.bold + data.plugin + c.reset],
+      ['created',   c.green + String(data.created)   + c.reset],
+      ['updated',   c.cyan  + String(data.updated)   + c.reset],
+      ['unchanged', c.dim   + String(data.unchanged) + c.reset],
+      ['errors',    data.errors?.length ? c.red + String(data.errors.length) + c.reset : c.dim + '0' + c.reset],
+    ]);
+    return;
+  },
+  async schema(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const [ws, proj] = resolveCtx(rest, 'ws', 'proj');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/schema`);
+      table(data.definitions, [
+        { key: 'plugin',     label: 'PLUGIN' },
+        { key: 'key',        label: 'KEY' },
+        { key: 'type',       label: 'TYPE' },
+        { key: 'scope',      label: 'SCOPE' },
+        { key: 'required',   label: 'REQ',  fmt: v => v ? c.yellow + 'yes' + c.reset : c.dim + 'no'  + c.reset },
+        { key: 'is_secret',  label: 'SEC',  fmt: v => v ? c.red    + 'yes' + c.reset : c.dim + 'no'  + c.reset },
+        { key: 'version',    label: 'VER',  fmt: v => c.dim + String(v) + c.reset },
+      ]);
+      return;
+    }
+    if (sub === 'get') {
+      const resolved = resolveCtx(rest, 'ws', 'proj');
+      const [ws, proj] = resolved;
+      const [key] = rest.slice(resolved.consumed);
+      if (!key) fatal('usage: schema get [workspace] [project] <plugin:key>');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/schema/${key}`);
+      kv(Object.entries(data).map(([k, v]) => [k, c.dim + JSON.stringify(v) + c.reset]));
+      return;
+    }
+    fatal(`unknown subcommand: schema ${sub}`);
+  },
+  // ── Environments ──────────────────────────────────────────────────────────
+  async envs(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const [ws, proj] = resolveCtx(rest, 'ws', 'proj');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/environments`);
+      table(data.environments, [
+        { key: 'short_id',   label: 'ID' },
+        { key: 'slug',       label: 'SLUG' },
+        { key: 'name',       label: 'NAME' },
+        { key: 'created_at', label: 'CREATED', fmt: fmtDate },
+      ]);
+      return;
+    }
+    if (sub === 'create') {
+      // With context: envs create <name>
+      // Without context: envs create <workspace> <project> <name>
+      const resolved = resolveCtx(rest, 'ws', 'proj');
+      const [ws, proj] = resolved;
+      const name = rest.slice(resolved.consumed).join(' ');
+      if (!name) fatal('usage: envs create [workspace] [project] <name>');
+      const data = await api('POST', `/v1/workspaces/${ws}/projects/${proj}/environments`, { name });
+      success(`Environment created: ${c.bold}${data.slug}${c.reset}  ${c.dim}in ${ws}/${proj}${c.reset}`);
+      return;
+    }
+    if (sub === 'get') {
+      const [ws, proj, slug] = resolveCtx(rest, 'ws', 'proj', 'env');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${proj}/environments/${slug}`);
+      kv([
+        ['id',      c.dim + data.id + c.reset],
+        ['slug',    c.bold + data.slug + c.reset],
+        ['name',    data.name],
+        ['created', fmtDate(data.created_at)],
+      ]);
+      return;
+    }
+    if (sub === 'rename') {
+      const [ws, proj, slug, ...nameParts] = resolveCtx(rest, 'ws', 'proj', 'env');
+      const name = nameParts.join(' ');
+      if (!slug || !name) fatal('usage: envs rename [workspace] [project] <slug> <name>');
+      await api('PATCH', `/v1/workspaces/${ws}/projects/${proj}/environments/${slug}`, { name });
+      success(`Environment renamed to ${c.bold}${name}${c.reset}`);
+      return;
+    }
+    if (sub === 'delete') {
+      const [ws, proj, slug] = resolveCtx(rest, 'ws', 'proj', 'env');
+      if (!slug) fatal('usage: envs delete [workspace] [project] <slug>');
+      await api('DELETE', `/v1/workspaces/${ws}/projects/${proj}/environments/${slug}`);
+      success(`Environment ${c.bold}${slug}${c.reset} deleted.`);
+      return;
+    }
+    fatal(`unknown subcommand: envs ${sub}`);
+  },
+  // ── Projects ──────────────────────────────────────────────────────────────
+  async projects(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const [ws] = resolveCtx(rest, 'ws');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects`);
+      table(data.projects, [
+        { key: 'short_id',   label: 'ID' },
+        { key: 'slug',       label: 'SLUG' },
+        { key: 'name',       label: 'NAME' },
+        { key: 'env_count',  label: 'ENVS',    fmt: v => String(v) },
+        { key: 'created_at', label: 'CREATED', fmt: fmtDate },
+      ]);
+      return;
+    }
+    if (sub === 'create') {
+      const [ws] = resolveCtx(rest, 'ws');
+      const name = rest.slice(1).join(' ') || rest[0];
+      // If ws came from context, all of rest is the name
+      const ctxWs = (loadConfig().context ?? {}).workspace;
+      const projName = ctxWs ? rest.join(' ') : rest.slice(1).join(' ');
+      if (!projName) fatal('usage: projects create [workspace] <name>');
+      const data = await api('POST', `/v1/workspaces/${ws}/projects`, { name: projName });
+      success(`Project created: ${c.bold}${data.slug}${c.reset}  ${c.dim}(id: ${data.short_id ?? '—'})  in ${ws}${c.reset}`);
+      return;
+    }
+    if (sub === 'get') {
+      const [ws, slug] = resolveCtx(rest, 'ws', 'proj');
+      const data = await api('GET', `/v1/workspaces/${ws}/projects/${slug}`);
+      kv([
+        ['id',       c.dim + data.id + c.reset],
+        ['short_id', c.bold + data.short_id + c.reset],
+        ['slug',     c.bold + data.slug + c.reset],
+        ['name',     data.name],
+        ['envs',     String(data.env_count)],
+        ['created',  fmtDate(data.created_at)],
+      ]);
+      return;
+    }
+    if (sub === 'rename') {
+      const [ws, slug, ...nameParts] = rest;
+      const [wsR] = resolveCtx([ws], 'ws');
+      const name = nameParts.join(' ');
+      if (!slug || !name) fatal('usage: projects rename [workspace] <slug> <name>');
+      await api('PATCH', `/v1/workspaces/${wsR}/projects/${slug}`, { name });
+      success(`Project renamed to ${c.bold}${name}${c.reset}`);
+      return;
+    }
+    if (sub === 'delete') {
+      const [ws, slug] = resolveCtx(rest, 'ws', 'proj');
+      await api('DELETE', `/v1/workspaces/${ws}/projects/${slug}`);
+      success(`Project ${c.bold}${slug}${c.reset} deleted.`);
+      return;
+    }
+    fatal(`unknown subcommand: projects ${sub}`);
+  },
+  // ── Orgs ──────────────────────────────────────────────────────────────────
+  async orgs(args) {
+    const [sub, ...rest] = args;
+    if (!sub || sub === 'list') {
+      const data = await api('GET', '/v1/orgs');
+      table(data.orgs, [
+        { key: 'slug',       label: 'SLUG' },
+        { key: 'name',       label: 'NAME' },
+        { key: 'role',       label: 'ROLE',    fmt: fmtRole },
+        { key: 'created_at', label: 'CREATED', fmt: fmtDate },
+      ]);
+      return;
+    }
+    if (sub === 'create') {
+      const [slug, ...nameParts] = rest;
+      const name = nameParts.join(' ');
+      if (!slug || !name) fatal('usage: orgs create <slug> <name>');
+      const data = await api('POST', '/v1/orgs', { slug, name });
+      success(`Org created: ${c.bold}${data.slug}${c.reset}`);
+      return;
+    }
+    if (sub === 'get') {
+      const [slug] = rest;
+      if (!slug) fatal('usage: orgs get <slug>');
+      const data = await api('GET', `/v1/orgs/${slug}`);
+      kv([
+        ['id',      c.dim + data.id + c.reset],
+        ['slug',    c.bold + data.slug + c.reset],
+        ['name',    data.name],
+        ['role',    fmtRole(data.role)],
+        ['created', fmtDate(data.created_at)],
+      ]);
+      return;
+    }
+    if (sub === 'rename') {
+      const [slug, ...nameParts] = rest;
+      const name = nameParts.join(' ');
+      if (!slug || !name) fatal('usage: orgs rename <slug> <name>');
+      await api('PATCH', `/v1/orgs/${slug}`, { name });
+      success(`Org renamed to ${c.bold}${name}${c.reset}`);
+      return;
+    }
+    if (sub === 'members') {
+      const [action, ...mrest] = rest;
+      if (!action || action === 'list') {
+        const [slug] = mrest;
+        if (!slug) fatal('usage: orgs members list <slug>');
+        const data = await api('GET', `/v1/orgs/${slug}/members`);
+        table(data.members, [
+          { key: 'email',      label: 'EMAIL' },
+          { key: 'name',       label: 'NAME',   fmt: v => v || c.dim + '—' + c.reset },
+          { key: 'role',       label: 'ROLE',   fmt: fmtRole },
+          { key: 'created_at', label: 'SINCE',  fmt: fmtDate },
+        ]);
+        return;
+      }
+      if (action === 'add') {
+        const [slug, email, role = 'member'] = mrest;
+        if (!slug || !email) fatal('usage: orgs members add <slug> <email> [role]');
+        await api('POST', `/v1/orgs/${slug}/members`, { email, role });
+        success(`Added ${c.bold}${email}${c.reset} as ${fmtRole(role)}`);
+        return;
+      }
+      if (action === 'set-role') {
+        const [slug, userId, role] = mrest;
+        if (!slug || !userId || !role) fatal('usage: orgs members set-role <slug> <userId> <role>');
+        await api('PATCH', `/v1/orgs/${slug}/members/${userId}`, { role });
+        success(`Role updated to ${fmtRole(role)}`);
+        return;
+      }
+      if (action === 'remove') {
+        const [slug, userId] = mrest;
+        if (!slug || !userId) fatal('usage: orgs members remove <slug> <userId>');
+        await api('DELETE', `/v1/orgs/${slug}/members/${userId}`);
+        success('Member removed.');
+        return;
+      }
+      fatal(`unknown subcommand: orgs members ${action}`);
+    }
+    fatal(`unknown subcommand: orgs ${sub}`);
+  },
+  // ── Context ───────────────────────────────────────────────────────────────
+  // orbseal use <org>/<workspace>/<project>
+  // orbseal use <org>/<workspace>
+  // orbseal use <org>
+  // orbseal use --public-key <key>
+  // orbseal use --clear
+  use(args) {
+    if (args[0] === '--clear' || args[0] === 'clear') {
+      const cfg = loadConfig();
+      delete cfg.context;
+      saveConfig(cfg);
+      success('Context cleared (including public key).');
+      return;
+    }
+    // Extract --public-key flag (can be combined with path or standalone)
+    let publicKey = null;
+    const filtered = [];
+    for (let i = 0; i < args.length; i++) {
+      if ((args[i] === '--public-key' || args[i] === '--pk') && args[i + 1]) {
+        publicKey = args[++i];
+      } else {
+        filtered.push(args[i]);
+      }
+    }
+    const cfg = loadConfig();
+    cfg.context = cfg.context ?? {};
+    // Set public key in context if provided
+    if (publicKey) {
+      cfg.context.public_key = publicKey;
+      saveConfig(cfg);
+      if (!filtered[0]) {
+        success(`Public key saved to context.`);
+        console.log(`  ${c.dim}${publicKey.slice(0, 24)}…${c.reset}`);
+        return;
+      }
+    }
+    const input = filtered[0] ?? '';
+    if (!input && !publicKey) fatal('usage: orbseal use <org>[/<ws>[/<proj>[/<env>]]] [--public-key <key>]  or  orbseal use --clear');
+    if (input) {
+      const parts = input.split('/').filter(Boolean);
+      if (parts[0]) cfg.context.org       = parts[0];
+      if (parts[1]) cfg.context.workspace  = parts[1];
+      if (parts[2]) cfg.context.project    = parts[2];
+      if (parts[3]) cfg.context.env        = parts[3];
+    }
+    saveConfig(cfg);
+    const ctx = cfg.context;
+    const pathDisplay = [ctx.org, ctx.workspace, ctx.project, ctx.env].filter(Boolean).join(c.dim + ' / ' + c.reset + c.bold);
+    success(`Context set to ${c.bold}${pathDisplay}${c.reset}`);
+    if (ctx.public_key) {
+      console.log(`  ${c.dim}public key  ${ctx.public_key.slice(0, 24)}…${c.reset}`);
+    }
+    console.log(`  ${c.dim}Tip: run ${c.reset}orbseal ls${c.dim} to see the full tree${c.reset}`);
+  },
+  // ── ls (tree view of current context) ────────────────────────────────────
+  async ls(_args) {
+    const cfg = loadConfig();
+    if (!cfg.token) fatal('Not logged in. Run: orbseal login');
+    const ctx = cfg.context ?? {};
+    let orgs;
+    try { orgs = (await api('GET', '/v1/orgs')).orgs; }
+    catch { fatal('Could not fetch orgs — check token.'); }
+    // Filter to context org if set; fall back to all orgs if not found
+    let filtered = orgs;
+    if (ctx.org) {
+      const match = orgs.filter(o => o.slug === ctx.org || o.short_id === ctx.org);
+      if (match.length) {
+        filtered = match;
+      } else {
+        console.log(`  ${c.yellow}⚠${c.reset}  Context org ${c.bold}${ctx.org}${c.reset} not found — showing all orgs\n`);
+      }
+    }
+    for (const org of filtered) {
+      console.log(`\n  ${c.green}${c.bold}●${c.reset} ${c.bold}${org.slug}${c.reset}  ${c.dim}${org.name}  ${fmtRole(org.role)}${c.reset}`);
+      let workspaces;
+      try { workspaces = (await api('GET', '/v1/workspaces')).workspaces; }
+      catch { continue; }
+      // Filter to context workspace if set
+      const wsList = ctx.workspace
+        ? workspaces.filter(w => w.slug === ctx.workspace || w.short_id === ctx.workspace)
+        : workspaces;
+      for (let wi = 0; wi < wsList.length; wi++) {
+        const ws       = wsList[wi];
+        const lastWs   = wi === wsList.length - 1;
+        const wsPfx    = lastWs ? '    └──' : '    ├──';
+        const wsPad    = lastWs ? '       ' : '    │  ';
+        const wsMarker = ctx.workspace && (ws.slug === ctx.workspace || ws.short_id === ctx.workspace)
+          ? c.cyan + ' ◀' + c.reset : '';
+        console.log(`${wsPfx} ${c.bold}${ws.slug}${c.reset}  ${c.dim}${ws.name}${c.reset}${wsMarker}`);
+        let projects;
+        try { projects = (await api('GET', `/v1/workspaces/${ws.short_id}/projects`)).projects; }
+        catch { continue; }
+        const projList = ctx.project
+          ? projects.filter(p => p.slug === ctx.project || p.short_id === ctx.project)
+          : projects;
+        for (let pi = 0; pi < projList.length; pi++) {
+          const proj    = projList[pi];
+          const lastP   = pi === projList.length - 1;
+          const pPfx    = lastP ? `${wsPad}└──` : `${wsPad}├──`;
+          const pPad    = lastP ? `${wsPad}   ` : `${wsPad}│  `;
+          const pMarker = ctx.project && (proj.slug === ctx.project || proj.short_id === ctx.project)
+            ? c.cyan + ' ◀' + c.reset : '';
+          let envs = [];
+          try { envs = (await api('GET', `/v1/workspaces/${ws.short_id}/projects/${proj.short_id}/environments`)).environments; }
+          catch { /* ignore */ }
+          const envNames = envs.length
+            ? envs.map(e => {
+                const active = ctx.env && (e.slug === ctx.env || e.short_id === ctx.env);
+                return active
+                  ? c.bold + e.slug + c.reset + c.cyan + ' ◀' + c.reset
+                  : c.dim + e.slug + c.reset;
+              }).join('  ')
+            : c.dim + 'no environments' + c.reset;
+          console.log(`${pPfx} ${c.bold}${proj.slug}${c.reset}  ${c.dim}${proj.name}${c.reset}${pMarker}`);
+          console.log(`${pPad}  ${c.dim}envs  ${c.reset}${envNames}`);
+        }
+      }
+    }
+    console.log();
+  },
+};
+// ─── Router ──────────────────────────────────────────────────────────────────
+const ALIASES = {
+  'ws':     'workspaces',
+  'proj':   'projects',
+  'env':    'envs',
+  'wh':     'whoami',
+  'switch': 'switchToken',
+};
+const [,, rawCmd, ...args] = process.argv;
+const cmd = ALIASES[rawCmd] ?? rawCmd;
+if (!cmd || cmd === 'help' || cmd === '--help' || cmd === '-h') {
+  console.log(HELP);
+  process.exit(0);
+}
+if (!commands[cmd]) {
+  console.error(`${c.red}error:${c.reset} unknown command "${cmd}"\n`);
+  console.log(HELP);
+  process.exit(1);
+}
+Promise.resolve(commands[cmd](args)).catch(e => fatal(e?.message ?? String(e)));