npm - @dragonmastery/tamer - Versions diffs - 0.29.0 → 0.31.0 - Mend

@dragonmastery/tamer 0.29.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/dist/tamer.mjs CHANGED Viewed

@@ -1,4 +1,9 @@
 #!/usr/bin/env node
+import { c as TAMER_OVERLAY_ENV_KEY, f as getDispatchNamespaces, n as materializeTamerResolvable, r as materializeVars, t as materializeCloudflareBindings } from "./normalize-DVSTRZhO.mjs";
+import { basename, dirname, resolve } from "path";
+import { existsSync, readFileSync } from "fs";
+import * as readline from "readline/promises";
 //#region node_modules/zod/v4/core/core.js
 /** A special constant with type `never` */
 const NEVER = Object.freeze({ status: "aborted" });
@@ -150,7 +155,7 @@ const allowsEval = cached(() => {
 		return false;
 	}
 });
-function isPlainObject(o) {
+function isPlainObject$1(o) {
 	if (isObject(o) === false) return false;
 	const ctor = o.constructor;
 	if (ctor === void 0) return true;
@@ -161,7 +166,7 @@ function isPlainObject(o) {
 	return true;
 }
 function shallowClone(o) {
-	if (isPlainObject(o)) return { ...o };
+	if (isPlainObject$1(o)) return { ...o };
 	if (Array.isArray(o)) return [...o];
 	return o;
 }
@@ -242,7 +247,7 @@ function omit(schema, mask) {
 	}));
 }
 function extend(schema, shape) {
-	if (!isPlainObject(shape)) throw new Error("Invalid input to extend: expected a plain object");
+	if (!isPlainObject$1(shape)) throw new Error("Invalid input to extend: expected a plain object");
 	const checks = schema._zod.def.checks;
 	if (checks && checks.length > 0) {
 		const existingShape = schema._zod.def.shape;
@@ -258,7 +263,7 @@ function extend(schema, shape) {
 	} }));
 }
 function safeExtend(schema, shape) {
-	if (!isPlainObject(shape)) throw new Error("Invalid input to safeExtend: expected a plain object");
+	if (!isPlainObject$1(shape)) throw new Error("Invalid input to safeExtend: expected a plain object");
 	return clone(schema, mergeDefs(schema._zod.def, { get shape() {
 		const _shape = {
 			...schema._zod.def.shape,
@@ -1777,7 +1782,7 @@ function mergeValues(a, b) {
 		valid: true,
 		data: a
 	};
-	if (isPlainObject(a) && isPlainObject(b)) {
+	if (isPlainObject$1(a) && isPlainObject$1(b)) {
 		const bKeys = Object.keys(b);
 		const sharedKeys = Object.keys(a).filter((key) => bKeys.indexOf(key) !== -1);
 		const newObj = {
@@ -1853,7 +1858,7 @@ const $ZodRecord = /* @__PURE__ */ $constructor("$ZodRecord", (inst, def) => {
 	$ZodType.init(inst, def);
 	inst._zod.parse = (payload, ctx) => {
 		const input = payload.value;
-		if (!isPlainObject(input)) {
+		if (!isPlainObject$1(input)) {
 			payload.issues.push({
 				expected: "record",
 				code: "invalid_type",
@@ -2723,6 +2728,17 @@ function _array(Class, element, params) {
 	});
 }
 /* @__NO_SIDE_EFFECTS__ */
+function _custom(Class, fn, _params) {
+	const norm = normalizeParams(_params);
+	norm.abort ?? (norm.abort = true);
+	return new Class({
+		type: "custom",
+		check: "custom",
+		fn,
+		...norm
+	});
+}
+/* @__NO_SIDE_EFFECTS__ */
 function _refine(Class, fn, _params) {
 	return new Class({
 		type: "custom",
@@ -4020,6 +4036,9 @@ const ZodCustom = /* @__PURE__ */ $constructor("ZodCustom", (inst, def) => {
 	ZodType.init(inst, def);
 	inst._zod.processJSONSchema = (ctx, json, params) => customProcessor(inst, ctx, json, params);
 });
+function custom(fn, _params) {
+	return _custom(ZodCustom, fn ?? (() => true), _params);
+}
 function refine(fn, _params = {}) {
 	return _refine(ZodCustom, fn, _params);
 }
@@ -4036,198 +4055,4391 @@ function number(params) {
 }
 //#endregion
-//#region src/cli/args.ts
-const BaseArgsSchema = object({
-	env: string().optional(),
-	config: string().optional(),
-	worker: string().optional()
-});
-const ApplyArgsSchema = BaseArgsSchema.extend({
-	add_shard: string().optional(),
-	plan: string().optional(),
-	allow_stale: boolean().optional(),
-	rollback_on_failure: boolean().optional(),
-	target: string().optional()
-});
-const DestroyArgsSchema = BaseArgsSchema.extend({
-	env: string().min(1, { error: "env is required for destroy" }),
-	force: boolean().optional(),
-	skip_workers: boolean().optional(),
-	confirm_env: string().optional(),
-	wipe_metadata: boolean().optional(),
-	plan: string().optional(),
-	allow_stale: boolean().optional()
-});
-const BootstrapArgsSchema = object({
-	env: string().min(1, { error: "env is required for bootstrap" }),
-	config: string().optional()
-});
-const DriftArgsSchema = BaseArgsSchema.extend({ json: boolean().optional() });
-const PlanArgsSchema = BaseArgsSchema.extend({
-	json: boolean().optional(),
-	detailed_exitcode: boolean().optional(),
-	out: string().optional(),
-	destroy: boolean().optional(),
-	target: string().optional()
-});
-const ImportArgsSchema = object({
-	env: string().min(1, { error: "env is required for import" }),
-	config: string().optional(),
-	kind: _enum([
-		"d1",
-		"r2",
-		"kv",
-		"queue",
-		"hyperdrive",
-		"vectorize",
-		"ai_gateway",
-		"pipeline",
-		"workflow",
-		"secret_store",
-		"dns_record",
-		"dispatch_namespace",
-		"worker_route"
-	], { error: "kind must be one of d1 | r2 | kv | queue | hyperdrive | vectorize | ai_gateway | pipeline | workflow | secret_store | dns_record | dispatch_namespace | worker_route" }),
-	logical: string().min(1, { error: "logical is required" }),
-	cf_id: string().optional(),
-	shard_date: string().optional(),
-	created_date: string().optional(),
-	route_id: string().optional(),
-	zone_name: string().optional()
-});
-const StatusArgsSchema = BaseArgsSchema.extend({ tenant: string().optional() });
-const EventsArgsSchema = BaseArgsSchema.extend({
-	json: boolean().optional(),
-	limit: number().int().min(1).max(100).optional()
-});
-const DoctorArgsSchema = object({ json: boolean().optional() });
-const ProvisionTenantArgsSchema = object({
-	env: string().min(1, { error: "env is required" }),
-	product: string().min(1, { error: "product is required" }),
-	workspace: string().min(1, { error: "workspace is required" }),
-	main: string().optional(),
-	artifact_key: string().optional(),
-	module_name: string().optional(),
-	config: string().optional(),
-	compatibility_date: string().optional(),
-	compat_flags: string().optional(),
-	shards: string().optional(),
-	json: boolean().optional()
-}).refine((d) => !!(d.main || d.artifact_key), { message: "Provide --main <file> or --artifact-key <r2-key> (under tamer-artifacts-{env})" });
-const DestroyTenantArgsSchema = object({
-	env: string().min(1, { error: "env is required" }),
-	product: string().min(1, { error: "product is required" }),
-	workspace: string().min(1, { error: "workspace is required" }),
-	force: boolean().optional(),
-	confirm_tenant: string().optional(),
-	config: string().optional(),
-	json: boolean().optional()
-});
-const DeployArgsSchema = BaseArgsSchema.extend({ dispatch_namespace: string().optional() });
-const DevArgsSchema = BaseArgsSchema.extend({ all: boolean().optional() });
-function parseArgs(argv) {
-	const opts = {};
-	for (let i = 0; i < argv.length; i++) {
-		const arg = argv[i];
-		if (arg.startsWith("--")) {
-			const key = arg.slice(2).replace(/-/g, "_");
-			const next = argv[i + 1];
-			if (next && !next.startsWith("--")) {
-				opts[key] = next;
-				i++;
-			} else opts[key] = true;
+//#region src/core/config/merge-project-overlay.ts
+/**
+* Deep-merge `tamer/env/<env>.config.ts` onto `tamer/project.config.ts`.
+* See docs/design-tamer-project-config.md.
+*/
+function isPlainObject(v) {
+	return v !== null && typeof v === "object" && !Array.isArray(v) && !(v instanceof Date);
+}
+function validateOverlayWorkers(projectWorkers, overlayWorkers) {
+	for (const k of Object.keys(overlayWorkers)) if (!(k in projectWorkers)) throw new Error(`Tamer env overlay: unknown worker key "${k}". Declare "${k}" in tamer/project.config.ts first — overlays may only patch existing workers.`);
+}
+function mergeWorkerResources(base, patch) {
+	const out = { ...base };
+	for (const k of Object.keys(patch)) {
+		const pk = patch[k];
+		if (pk !== void 0) out[k] = pk;
+	}
+	return out;
+}
+function mergeEnvMap(base, patch) {
+	const out = { ...base };
+	for (const k of Object.keys(patch)) {
+		const b = base[k];
+		const p = patch[k];
+		if (isPlainObject(b) && isPlainObject(p)) out[k] = mergeWorkerConfig(b, p);
+		else out[k] = p;
+	}
+	return out;
+}
+function mergeWorkerConfig(base, patch) {
+	const out = { ...base };
+	for (const key of Object.keys(patch)) {
+		const pv = patch[key];
+		if (pv === void 0) continue;
+		if (key === "vars") {
+			const bv = isPlainObject(base.vars) ? base.vars : {};
+			const ov = isPlainObject(patch.vars) ? patch.vars : {};
+			out.vars = {
+				...bv,
+				...ov
+			};
+			continue;
+		}
+		if (key === "tamerRoutes") {
+			out.tamerRoutes = pv;
+			continue;
+		}
+		if (key === "tamerStaleRouteSweepZones") {
+			out.tamerStaleRouteSweepZones = pv;
+			continue;
+		}
+		if (key === "resources") {
+			if (isPlainObject(base.resources) && isPlainObject(pv)) out.resources = mergeWorkerResources(base.resources, pv);
+			else out.resources = pv;
+			continue;
+		}
+		if (key === "env") {
+			if (isPlainObject(base.env) && isPlainObject(pv)) out.env = mergeEnvMap(base.env, pv);
+			else out.env = pv;
+			continue;
+		}
+		if (key === "local") {
+			if (isPlainObject(base.local) && isPlainObject(pv)) out.local = mergeWorkerConfig(base.local, pv);
+			else out.local = pv;
+			continue;
 		}
+		out[key] = pv;
 	}
-	return opts;
+	return out;
+}
+function mergeWorkersRecord(base, patch) {
+	const out = { ...base };
+	for (const k of Object.keys(patch)) {
+		const b = base[k];
+		const p = patch[k];
+		if (isPlainObject(b) && isPlainObject(p)) out[k] = mergeWorkerConfig(b, p);
+		else out[k] = p;
+	}
+	return out;
 }
-function toOpts(raw) {
-	const opts = {};
-	for (const [k, v] of Object.entries(raw)) opts[k] = v;
-	return opts;
+/**
+* Merge env overlay onto project config (both plain objects from `default` exports).
+* Does not run {@link materializeCloudflareBindings} — caller does that on the result.
+*/
+function mergeProjectOverlay(project, overlay) {
+	const out = { ...project };
+	for (const key of Object.keys(overlay)) {
+		const ov = overlay[key];
+		if (ov === void 0) continue;
+		const pv = project[key];
+		switch (key) {
+			case "tenant":
+				if (isPlainObject(pv) && isPlainObject(ov)) out[key] = {
+					...pv,
+					...ov
+				};
+				else out[key] = ov;
+				break;
+			case "naming":
+				out[key] = ov;
+				break;
+			case "workers":
+				if (!isPlainObject(pv) || !isPlainObject(ov)) {
+					out[key] = ov;
+					break;
+				}
+				validateOverlayWorkers(pv, ov);
+				out[key] = mergeWorkersRecord(pv, ov);
+				break;
+			case "worker":
+				if (isPlainObject(pv) && isPlainObject(ov)) out[key] = mergeWorkerConfig(pv, ov);
+				else out[key] = ov;
+				break;
+			case "outputs":
+				if (isPlainObject(pv) && isPlainObject(ov)) out[key] = {
+					...pv,
+					...ov
+				};
+				else out[key] = ov;
+				break;
+			case "logpushJobs":
+			case "dispatchNamespaces":
+			case "dnsRecords":
+				out[key] = ov;
+				break;
+			default: out[key] = ov;
+		}
+	}
+	return out;
 }
-function formatZodError(error) {
-	return error.issues.map((e) => e.path.length ? `${e.path.join(".")}: ${e.message}` : e.message).join("; ");
+//#endregion
+//#region src/core/config/resolve-config-sources.ts
+function isProjectFileName(file) {
+	return file === "project.config.ts" || file === "tamer.project.config.ts";
 }
-function parseSyncArgs(argv) {
-	const parsed = BaseArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		env: parsed.data.env,
-		configPath: parsed.data.config
-	};
+function projectDirForMergedEntry(absProject) {
+	const dir = dirname(absProject);
+	if (basename(absProject) === "project.config.ts") return dir;
+	return dir;
 }
-function parseApplyArgs(argv) {
-	const parsed = ApplyArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		env: parsed.data.env,
-		addShard: parsed.data.add_shard,
-		configPath: parsed.data.config,
-		planFile: parsed.data.plan,
-		allowStale: parsed.data.allow_stale,
-		rollbackOnFailure: parsed.data.rollback_on_failure,
-		target: parsed.data.target
-	};
+function overlayPathForNestedLayout(projectDir, env) {
+	return resolve(projectDir, "env", `${env}.config.ts`);
 }
-function parseDevArgs(argv) {
-	const parsed = DevArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		worker: parsed.data.worker,
-		env: parsed.data.env,
-		configPath: parsed.data.config,
-		all: parsed.data.all
-	};
+function overlayPathForFlatLayout(projectRoot, env) {
+	return resolve(projectRoot, `tamer.env.${env}.ts`);
 }
-function parseDeployArgs(argv) {
-	const parsed = DeployArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		worker: parsed.data.worker,
-		env: parsed.data.env,
-		configPath: parsed.data.config,
-		dispatchNamespace: parsed.data.dispatch_namespace
-	};
+function rejectLegacyTamerConfigFile(context) {
+	throw new Error(`${context}: tamer.config.ts is not supported. Move the default export to tamer/project.config.ts and optional per-env overlays to tamer/env/<env>.config.ts (or use tamer.project.config.ts at the repo root with optional tamer.env.<env>.ts).`);
 }
-function parseMigrateArgs(argv) {
-	const parsed = BaseArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		worker: parsed.data.worker,
-		env: parsed.data.env,
-		configPath: parsed.data.config
-	};
+/**
+* Resolve which config file(s) to load. See docs/design-tamer-project-config.md.
+*
+* - **Merged:** `tamer/project.config.ts` or `tamer.project.config.ts`, plus optional env overlay.
+* - **Single:** explicit `--config` path to any `.ts` file **except** `tamer.config.ts` (e.g. alternate snapshots in tests).
+*/
+function resolveConfigSources(cwd, explicitConfigPath, env) {
+	if (explicitConfigPath) {
+		const abs = resolve(cwd, explicitConfigPath);
+		const file = basename(abs);
+		if (file === "tamer.config.ts") rejectLegacyTamerConfigFile("--config");
+		if (isProjectFileName(file)) {
+			const projectDir = projectDirForMergedEntry(abs);
+			let overlay = null;
+			if (env) if (file === "project.config.ts") {
+				const candidate = overlayPathForNestedLayout(projectDir, env);
+				if (existsSync(candidate)) overlay = candidate;
+			} else {
+				const candidate = overlayPathForFlatLayout(dirname(abs), env);
+				if (existsSync(candidate)) overlay = candidate;
+			}
+			return {
+				mode: "merged",
+				projectPath: abs,
+				overlayPath: overlay
+			};
+		}
+		return {
+			mode: "single",
+			path: abs
+		};
+	}
+	const nestedProject = resolve(cwd, "tamer", "project.config.ts");
+	if (existsSync(nestedProject)) {
+		let overlay = null;
+		if (env) {
+			const candidate = overlayPathForNestedLayout(dirname(nestedProject), env);
+			if (existsSync(candidate)) overlay = candidate;
+		}
+		return {
+			mode: "merged",
+			projectPath: nestedProject,
+			overlayPath: overlay
+		};
+	}
+	const flatProject = resolve(cwd, "tamer.project.config.ts");
+	if (existsSync(flatProject)) {
+		let overlay = null;
+		if (env) {
+			const candidate = overlayPathForFlatLayout(cwd, env);
+			if (existsSync(candidate)) overlay = candidate;
+		}
+		return {
+			mode: "merged",
+			projectPath: flatProject,
+			overlayPath: overlay
+		};
+	}
+	if (existsSync(resolve(cwd, "tamer.config.ts"))) rejectLegacyTamerConfigFile("Config discovery");
+	throw new Error(`No Tamer project config under ${cwd}. Create tamer/project.config.ts (or tamer.project.config.ts at the repo root).`);
 }
-function parseTypesArgs(argv) {
-	const parsed = BaseArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		worker: parsed.data.worker,
-		env: parsed.data.env,
-		configPath: parsed.data.config
-	};
+//#endregion
+//#region src/core/config/loader.ts
+const TENANT_SHARD_ROLE_RE = /^[a-z][a-z0-9_-]*$/;
+const TenantMetaSchema = object({
+	id: string().min(1),
+	name: string().min(1),
+	slug: string().min(1),
+	d1Shards: array(string().min(1).refine((s) => TENANT_SHARD_ROLE_RE.test(s), { error: "tenant.d1Shards entries must be lowercase ASCII (letters, digits, `_`, `-`) and start with a letter" })).optional().refine((arr) => !arr || new Set(arr).size === arr.length, "tenant.d1Shards must not contain duplicate roles"),
+	protectedEnvs: array(string().min(1)).optional(),
+	ephemeralEnvPattern: string().min(1).optional().refine((s) => {
+		if (s == null) return true;
+		try {
+			new RegExp(s);
+			return true;
+		} catch {
+			return false;
+		}
+	}, "tenant.ephemeralEnvPattern must be a valid JavaScript RegExp source string")
+});
+const CloudflareNameFnSchema = custom((v) => v === void 0 || typeof v === "function").optional();
+const D1ResourceConfigSchema = object({
+	logicalName: string().min(1),
+	type: _enum(["single", "sharded"]),
+	cloudflareName: CloudflareNameFnSchema,
+	ownership: _enum(["managed", "external"]).optional(),
+	databaseName: string().optional(),
+	binding: string().optional(),
+	migrationsDir: string().optional(),
+	migrationsTable: string().optional(),
+	preserveOnDestroy: boolean().optional()
+}).refine((d) => d.ownership !== "external" || typeof d.databaseName === "string" && d.databaseName.length > 0, { error: "resources.d1: ownership 'external' requires non-empty databaseName" }).refine((d) => d.ownership !== "external" || d.type === "single", { error: "resources.d1: ownership 'external' only supports type 'single'" });
+const R2ResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	binding: string().optional()
+});
+const KVResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	binding: string().optional()
+});
+const QueueResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	binding: string().optional(),
+	consumerOnly: boolean().optional()
+});
+const HyperdriveSecretSchema = union([string(), object({ fromEnv: string().min(1) })]);
+const HyperdriveOriginSchema = object({
+	scheme: _enum([
+		"postgres",
+		"postgresql",
+		"mysql"
+	]),
+	host: string().min(1),
+	port: number$1().optional(),
+	database: string().min(1),
+	user: string().min(1),
+	password: HyperdriveSecretSchema,
+	access_client_id: string().optional(),
+	access_client_secret: HyperdriveSecretSchema.optional()
+});
+const HyperdriveResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	binding: string().optional(),
+	origin: HyperdriveOriginSchema,
+	caching: object({
+		disabled: boolean().optional(),
+		max_age: number$1().optional(),
+		stale_while_revalidate: number$1().optional()
+	}).optional(),
+	mtls: object({
+		ca_certificate_id: string().optional(),
+		mtls_certificate_id: string().optional()
+	}).optional(),
+	localConnectionString: string().optional()
+});
+const VectorizeResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	binding: string().optional(),
+	dimensions: number$1().int().positive(),
+	metric: _enum([
+		"cosine",
+		"euclidean",
+		"dot-product"
+	]),
+	description: string().optional()
+});
+const AIGatewayResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	cacheTtl: number$1().int().nonnegative().optional(),
+	cacheInvalidateOnUpdate: boolean().optional(),
+	collectLogs: boolean().optional(),
+	authentication: boolean().optional(),
+	rateLimitingInterval: number$1().int().nonnegative().optional(),
+	rateLimitingLimit: number$1().int().nonnegative().optional(),
+	rateLimitingTechnique: _enum(["fixed", "sliding"]).optional()
+});
+const DispatchNamespaceResourceSchema = object({
+	logicalName: string().min(1),
+	namespace: string().min(1),
+	envSuffix: boolean().optional()
+});
+const LogpushJobR2DestinationSchema = object({
+	bucketLogicalName: string().min(1),
+	pathPrefix: string().optional(),
+	accessKeyIdEnv: string().min(1),
+	secretAccessKeyEnv: string().min(1)
+});
+const LogpushJobPipelinesIngestSchema = object({
+	streamId: string().min(1),
+	pipelineId: string().min(1),
+	bearerTokenEnv: string().min(1)
+});
+const LogpushJobPipelinesAutoSchema = object({
+	catalogBucketLogicalName: string().min(1),
+	tableName: string().min(1),
+	namespace: string().min(1).optional(),
+	tableNameAppendTimestamp: boolean().optional(),
+	sinkRowGroupBytes: number$1().int().positive().optional(),
+	sinkRollingFileSizeBytes: number$1().int().positive().optional(),
+	sinkRollingIntervalSeconds: number$1().int().positive().optional()
+});
+const LogpushJobResourceConfigSchema = object({
+	logicalName: string().min(1),
+	dataset: literal("workers_trace_events"),
+	jobName: string().optional(),
+	r2: LogpushJobR2DestinationSchema.optional(),
+	pipelinesIngest: LogpushJobPipelinesIngestSchema.optional(),
+	pipelinesAuto: LogpushJobPipelinesAutoSchema.optional(),
+	destinationConfEnv: string().min(1).optional(),
+	destinationConfFromJobId: number$1().int().positive().optional(),
+	destinationConfFromJobIdEnv: string().min(1).optional(),
+	filter: string().min(1).optional(),
+	fieldNames: array(string()).optional(),
+	enabled: boolean().optional()
+}).refine((d) => {
+	const hasR2 = Boolean(d.r2);
+	const n = (d.destinationConfEnv ? 1 : 0) + (d.destinationConfFromJobId != null ? 1 : 0) + (d.destinationConfFromJobIdEnv ? 1 : 0) + (d.pipelinesIngest ? 1 : 0) + (d.pipelinesAuto ? 1 : 0);
+	if (hasR2) return n === 0;
+	return n === 1;
+}, { error: "logpushJobs: set exactly one of r2 | pipelinesIngest | pipelinesAuto | destinationConfEnv | destinationConfFromJobId | destinationConfFromJobIdEnv" }).refine((d) => !(d.destinationConfFromJobId != null && d.destinationConfFromJobIdEnv), { error: "logpushJobs: use only one of destinationConfFromJobId or destinationConfFromJobIdEnv" }).refine((d) => !(d.pipelinesIngest && d.pipelinesAuto), { error: "logpushJobs: use only one of pipelinesIngest or pipelinesAuto" });
+const DnsRecordResourceConfigSchema = object({
+	logicalName: string().min(1),
+	zoneId: string().min(1),
+	type: _enum([
+		"A",
+		"AAAA",
+		"CNAME",
+		"TXT",
+		"MX",
+		"NS",
+		"CAA",
+		"SRV",
+		"PTR",
+		"HTTPS",
+		"SVCB"
+	]),
+	name: string().min(1),
+	content: string().min(1),
+	ttl: number$1().int().positive().optional(),
+	proxied: boolean().optional(),
+	priority: number$1().int().nonnegative().optional(),
+	comment: string().optional(),
+	skipEnvs: array(string()).optional(),
+	preserveOnDestroy: boolean().optional()
+});
+const PipelineResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	sql: string().min(1),
+	binding: string().min(1).optional()
+});
+const WorkflowResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema,
+	className: string().min(1),
+	scriptName: string().min(1).optional(),
+	binding: string().min(1).optional(),
+	limits: object({ steps: number$1().int().positive().optional() }).optional()
+});
+const SecretsStoreResourceConfigSchema = object({
+	logicalName: string().min(1),
+	cloudflareName: CloudflareNameFnSchema
+});
+const SecretsStoreSecretBindingSchema = object({
+	binding: string().min(1),
+	store: string().min(1),
+	secretName: string().min(1)
+});
+const WorkerSecretsConfigSchema = object({ required: array(string().min(1)) });
+const WorkerResourcesSchema = object({
+	d1: array(D1ResourceConfigSchema).optional(),
+	r2: array(R2ResourceConfigSchema).optional(),
+	kv: array(KVResourceConfigSchema).optional(),
+	queues: array(QueueResourceConfigSchema).optional(),
+	hyperdrive: array(HyperdriveResourceConfigSchema).optional(),
+	vectorize: array(VectorizeResourceConfigSchema).optional(),
+	aiGateway: array(AIGatewayResourceConfigSchema).optional(),
+	pipelines: array(PipelineResourceConfigSchema).optional(),
+	workflows: array(WorkflowResourceConfigSchema).optional(),
+	secretsStores: array(SecretsStoreResourceConfigSchema).optional(),
+	secretsStoreSecrets: array(SecretsStoreSecretBindingSchema).optional()
+});
+const WranglerRouteSchema = object({
+	pattern: string(),
+	custom_domain: boolean().optional(),
+	zone_name: string().optional(),
+	zone_id: string().optional()
+});
+const WranglerAssetsSchema = object({
+	directory: string(),
+	binding: string().optional(),
+	not_found_handling: _enum(["single-page-application", "return-404"]).optional()
+});
+const EnvOverrideSchema = object({
+	vars: record(string(), string()).optional(),
+	scriptName: string().optional(),
+	wranglerOutFile: string().optional(),
+	route: union([WranglerRouteSchema, array(WranglerRouteSchema)]).optional(),
+	routes: array(WranglerRouteSchema).optional()
+}).passthrough();
+const WorkerConfigSchema = object({
+	path: string().optional(),
+	config: string().optional(),
+	scriptName: string().optional(),
+	wranglerOutFile: string().optional(),
+	dispatchNamespace: string().optional(),
+	main: string().optional(),
+	compatibility_date: string().optional(),
+	compatibility_flags: array(string()).optional(),
+	limits: record(string(), union([number$1(), string()])).optional(),
+	workers_dev: boolean().optional(),
+	preview_urls: boolean().optional(),
+	resources: WorkerResourcesSchema.optional(),
+	secrets: WorkerSecretsConfigSchema.optional(),
+	alias: record(string(), string()).optional(),
+	vars: record(string(), string()).optional(),
+	local: EnvOverrideSchema.optional(),
+	env: record(string(), EnvOverrideSchema).optional(),
+	assets: WranglerAssetsSchema.optional(),
+	route: union([WranglerRouteSchema, array(WranglerRouteSchema)]).optional(),
+	routes: array(WranglerRouteSchema).optional()
+}).passthrough();
+const CfiConfigSchema = object({
+	tenant: TenantMetaSchema,
+	account_id: string().optional(),
+	compatibility_date: string().optional(),
+	naming: any().optional(),
+	dispatchNamespaces: array(DispatchNamespaceResourceSchema).optional(),
+	dnsRecords: array(DnsRecordResourceConfigSchema).optional(),
+	logpushJobs: array(LogpushJobResourceConfigSchema).optional(),
+	stack: object({
+		name: string().regex(/^[a-zA-Z][a-zA-Z0-9_-]*$/, { error: "stack.name must match /^[a-zA-Z][a-zA-Z0-9_-]*$/ (CloudFormation-style identifier)" }).optional(),
+		description: string().min(1).optional()
+	}).optional(),
+	outputs: record(string().regex(/^[a-zA-Z][a-zA-Z0-9_-]*$/, { error: "outputs key must match /^[a-zA-Z][a-zA-Z0-9_-]*$/ (CloudFormation-style identifier)" }), string().min(1)).optional(),
+	worker: WorkerConfigSchema.optional(),
+	workers: record(string(), WorkerConfigSchema).optional()
+}).refine((data) => (data.worker ?? data.workers) && !(data.worker && data.workers), { error: "Must have either worker or workers, not both" });
+async function loadConfig(configPath, options = {}) {
+	const sources = resolveConfigSources(options.cwd ?? process.cwd(), configPath, options.env);
+	let raw;
+	if (sources.mode === "single") {
+		raw = (await import(sources.path)).default;
+		if (!raw) throw new Error(`No default export in ${sources.path}`);
+	} else {
+		const projectRaw = (await import(sources.projectPath)).default;
+		if (!projectRaw || typeof projectRaw !== "object") throw new Error(`No default export in ${sources.projectPath}`);
+		let merged = projectRaw;
+		if (sources.overlayPath) {
+			const overlayRaw = (await import(sources.overlayPath)).default;
+			if (!overlayRaw || typeof overlayRaw !== "object") throw new Error(`Env overlay must default-export an object: ${sources.overlayPath}`);
+			const overlayObj = overlayRaw;
+			const declaredEnv = overlayObj[TAMER_OVERLAY_ENV_KEY];
+			if (declaredEnv !== void 0) {
+				if (typeof declaredEnv !== "string") throw new Error(`Env overlay ${sources.overlayPath}: ${TAMER_OVERLAY_ENV_KEY} must be a string`);
+				if (options.env !== declaredEnv) throw new Error(`Env overlay ${sources.overlayPath} sets ${TAMER_OVERLAY_ENV_KEY} "${declaredEnv}" but this load uses --env "${options.env ?? "(none)"}".`);
+			}
+			const { [TAMER_OVERLAY_ENV_KEY]: _strip, ...overlayRest } = overlayObj;
+			merged = mergeProjectOverlay(merged, overlayRest);
+		}
+		raw = merged;
+	}
+	const parsed = CfiConfigSchema.safeParse(materializeCloudflareBindings(raw));
+	if (!parsed.success) throw new Error(`Invalid Tamer project config: ${parsed.error.message}`);
+	return parsed.data;
+}
+async function getWorkers(config$1, baseDir) {
+	const cwd = baseDir ?? process.cwd();
+	if ("worker" in config$1 && config$1.worker) return [["default", await resolveWorkerConfigRef(config$1.worker, cwd)]];
+	if ("workers" in config$1 && config$1.workers) {
+		const entries = [];
+		for (const [key, wc] of Object.entries(config$1.workers)) entries.push([key, await resolveWorkerConfigRef(wc, cwd)]);
+		return entries;
+	}
+	return [];
 }
-function parseStatusArgs(argv) {
-	const parsed = StatusArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+async function resolveWorkerConfigRef(wc, baseDir) {
+	if (!wc.config) return wc;
+	const configPath = resolve(baseDir, wc.config);
+	const loaded = (await import(configPath)).default;
+	if (!loaded) throw new Error(`No default export in ${configPath}`);
 	return {
-		env: parsed.data.env,
-		configPath: parsed.data.config,
-		tenant: parsed.data.tenant
+		...loaded,
+		path: wc.path,
+		config: wc.config
 	};
 }
-function parseEventsArgs(argv) {
-	const parsed = EventsArgsSchema.safeParse(toOpts(parseArgs(argv)));
-	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		env: parsed.data.env,
-		configPath: parsed.data.config,
-		limit: parsed.data.limit,
-		json: parsed.data.json
-	};
+//#endregion
+//#region src/core/cloudflareEnv.ts
+/**
+* Wrangler-aligned Cloudflare credentials (same names as `wrangler` CLI).
+* @see https://developers.cloudflare.com/workers/wrangler/system-environment-variables/
+*/
+function cloudflareAccountIdFromEnv() {
+	return process.env.CLOUDFLARE_ACCOUNT_ID;
 }
-function parseDoctorArgs(argv) {
-	const parsed = DoctorArgsSchema.safeParse(toOpts(parseArgs(argv)));
+function cloudflareApiTokenFromEnv() {
+	return process.env.CLOUDFLARE_API_TOKEN ?? "";
+}
+//#endregion
+//#region src/core/api/pipelinesV1PathId.ts
+/**
+* Pipelines v1 path segments (streams, sinks, SQL pipelines) expect **stream_id**
+* / **sink_id** as **exactly 32 lower-case hex characters** (no hyphens). The API
+* returns 400 if the URL contains a hyphenated UUID (36 chars) — see
+* `stream_id: String must contain exactly 32 character(s)`.
+*
+* State and list APIs may return ids with or without hyphens; we normalize to 32-hex
+* for GET/DELETE paths.
+*/
+function pipelinesV1IdForPath(id) {
+	const c = id.trim().toLowerCase().replace(/-/g, "");
+	if (!/^[0-9a-f]{32}$/.test(c)) return id.trim();
+	return c;
+}
+//#endregion
+//#region src/core/api/CFApiClient.ts
+const CF_API_BASE = "https://api.cloudflare.com/client/v4";
+/**
+* Renders the Cloudflare API `errors` / `messages` array into a single string
+* (message, error code, documentation URL, JSON pointer) for operator-friendly logs.
+*/
+function describeCloudflareErrorItem(e) {
+	if (e == null) return "null";
+	if (typeof e === "string") return e;
+	if (typeof e !== "object") return String(e);
+	const o = e;
+	const parts = [];
+	if (typeof o.message === "string" && o.message) parts.push(o.message);
+	if (typeof o.code === "number") parts.push(`[code: ${o.code}]`);
+	if (typeof o.code === "string" && o.code) parts.push(`[code: ${o.code}]`);
+	if (typeof o.documentation_url === "string" && o.documentation_url) parts.push(o.documentation_url);
+	const src = o.source;
+	if (src && typeof src === "object" && "pointer" in src) {
+		const p = src.pointer;
+		if (typeof p === "string" && p) parts.push(`(field: ${p})`);
+	}
+	if (Array.isArray(o.error_chain) && o.error_chain.length > 0) parts.push(`[chain: ${o.error_chain.map(describeCloudflareErrorItem).join(" → ")}]`);
+	if (parts.length) return parts.join(" ");
+	try {
+		return JSON.stringify(e);
+	} catch {
+		return String(e);
+	}
+}
+function formatCloudflareErrorBody(errors, messages, fallback) {
+	const errList = formatCloudflareList(errors) || fallback;
+	const msgList = formatCloudflareList(messages);
+	if (msgList) return `${errList} — messages: ${msgList}`;
+	return errList;
+}
+function formatCloudflareList(v) {
+	if (!Array.isArray(v) || v.length === 0) return "";
+	return v.map(describeCloudflareErrorItem).join(" | ");
+}
+var CFApiClient = class {
+	accountId;
+	apiToken;
+	constructor(accountId, apiToken) {
+		this.accountId = accountId;
+		this.apiToken = apiToken ?? cloudflareApiTokenFromEnv();
+		if (!this.apiToken) throw new Error("CLOUDFLARE_API_TOKEN is required");
+	}
+	getAccountId() {
+		return this.accountId;
+	}
+	/** Lightweight account read — validates token + account scope. */
+	async accountRead() {
+		return (await this.request(`/accounts/${this.accountId}`)).result;
+	}
+	/**
+	* Get a single Worker script by name (account-scoped, **not** dispatch).
+	* Returns `undefined` when Cloudflare responds 404 so callers can treat it
+	* as "not deployed" without try/catch on the message.
+	*
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/scripts/methods/get/
+	*/
+	async workersScriptGet(scriptName) {
+		const url = `${CF_API_BASE}/accounts/${this.accountId}/workers/scripts/${encodeURIComponent(scriptName)}`;
+		const res = await fetch(url, { headers: {
+			Authorization: `Bearer ${this.apiToken}`,
+			"Content-Type": "application/json"
+		} });
+		if (res.status === 404) return void 0;
+		const data = await res.json();
+		if (!res.ok) {
+			const msg = data?.errors?.map((e) => e.message).join("; ") ?? res.statusText;
+			throw new Error(`CF API error (workers script get): ${msg}`);
+		}
+		return data.result;
+	}
+	/**
+	* Upsert a plain-text secret binding on a Worker script.
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/scripts/subresources/secrets/methods/update/
+	*/
+	async workersSecretPut(scriptName, secret) {
+		return (await this.request(`/accounts/${this.accountId}/workers/scripts/${encodeURIComponent(scriptName)}/secrets`, {
+			method: "PUT",
+			body: JSON.stringify({
+				name: secret.name,
+				text: secret.text,
+				type: "secret_text"
+			})
+		})).result;
+	}
+	/**
+	* List secret binding names on a Worker script. Values are write-only and
+	* are not returned by the Cloudflare API.
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/scripts/subresources/secrets/methods/list/
+	*/
+	async workersSecretsList(scriptName) {
+		return ((await this.request(`/accounts/${this.accountId}/workers/scripts/${encodeURIComponent(scriptName)}/secrets`)).result ?? []).map((s) => s.name);
+	}
+	/**
+	* Remove a secret binding from a Worker script.
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/scripts/subresources/secrets/methods/delete/
+	*/
+	async workersSecretDelete(scriptName, name) {
+		await this.request(`/accounts/${this.accountId}/workers/scripts/${encodeURIComponent(scriptName)}/secrets/${encodeURIComponent(name)}`, { method: "DELETE" });
+	}
+	async request(path, options = {}) {
+		const method = (options.method ?? "GET").toUpperCase();
+		const url = `${CF_API_BASE}${path}`;
+		const res = await fetch(url, {
+			...options,
+			headers: {
+				Authorization: `Bearer ${this.apiToken}`,
+				"Content-Type": "application/json",
+				...options.headers
+			}
+		});
+		let parsed;
+		try {
+			parsed = await res.json();
+		} catch {
+			throw new Error(`CF API error: ${method} \`${path}\` → HTTP ${res.status} (response was not valid JSON)`);
+		}
+		/** Some endpoints (e.g. R2 catalog disable) respond `200` with literal JSON `null`. */
+		const data = parsed !== null && typeof parsed === "object" ? parsed : {};
+		const httpError = !res.ok;
+		const bodySuccessFalse = data.success === false;
+		if (httpError || bodySuccessFalse) {
+			const detail = formatCloudflareErrorBody(data.errors, data.messages, res.statusText || "no error array in body");
+			throw new Error(`CF API error: ${method} \`${path}\` → HTTP ${res.status}. ${detail}`);
+		}
+		return data;
+	}
+	async d1ListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const data = await this.request(`/accounts/${this.accountId}/d1/database?per_page=${perPage}&page=${page}`);
+			all.push(...data.result);
+			const info = data.result_info;
+			if (!info || info.count < perPage) break;
+			page++;
+		}
+		return all;
+	}
+	async r2ListAll() {
+		const all = [];
+		const perPage = 100;
+		let cursor;
+		while (true) {
+			const qs = new URLSearchParams({ per_page: String(perPage) });
+			if (cursor) qs.set("cursor", cursor);
+			const data = await this.request(`/accounts/${this.accountId}/r2/buckets?${qs.toString()}`);
+			const buckets = data.result?.buckets ?? [];
+			all.push(...buckets.map((b) => ({
+				name: b.name ?? "",
+				creation_date: b.creation_date ?? ""
+			})));
+			const next = data.result_info?.cursor;
+			if (!next) break;
+			cursor = next;
+		}
+		return all;
+	}
+	async kvListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const data = await this.request(`/accounts/${this.accountId}/storage/kv/namespaces?per_page=${perPage}&page=${page}`);
+			all.push(...data.result);
+			const info = data.result_info;
+			if (!info || info.count < perPage) break;
+			page++;
+		}
+		return all;
+	}
+	async d1Create(name) {
+		return (await this.request(`/accounts/${this.accountId}/d1/database`, {
+			method: "POST",
+			body: JSON.stringify({ name })
+		})).result;
+	}
+	async r2Create(name, location = "auto") {
+		await this.request(`/accounts/${this.accountId}/r2/buckets`, {
+			method: "POST",
+			body: JSON.stringify({
+				name,
+				location
+			})
+		});
+	}
+	async kvCreate(title) {
+		return (await this.request(`/accounts/${this.accountId}/storage/kv/namespaces`, {
+			method: "POST",
+			body: JSON.stringify({ title })
+		})).result;
+	}
+	async d1Delete(databaseId) {
+		await this.request(`/accounts/${this.accountId}/d1/database/${databaseId}`, { method: "DELETE" });
+	}
+	/**
+	* Run SQL against a D1 database (HTTP API).
+	* @see https://developers.cloudflare.com/d1/build-with-d1/rest-api/
+	*/
+	async d1Query(databaseId, sql, params = []) {
+		return { rows: (await this.request(`/accounts/${this.accountId}/d1/database/${databaseId}/query`, {
+			method: "POST",
+			body: JSON.stringify({
+				sql,
+				params
+			})
+		})).result?.[0]?.results ?? [] };
+	}
+	async r2Delete(bucketName) {
+		await this.request(`/accounts/${this.accountId}/r2/buckets/${bucketName}`, { method: "DELETE" });
+	}
+	/**
+	* Download an object from R2 (HTTP API).
+	* @see https://developers.cloudflare.com/api/resources/r2/subresources/buckets/subresources/objects/methods/get/
+	*/
+	async r2GetObject(bucketName, objectKey) {
+		const pathEncoded = objectKey.split("/").map((seg) => encodeURIComponent(seg)).join("/");
+		const url = `${CF_API_BASE}/accounts/${this.accountId}/r2/buckets/${encodeURIComponent(bucketName)}/objects/${pathEncoded}`;
+		const res = await fetch(url, { headers: { Authorization: `Bearer ${this.apiToken}` } });
+		if (!res.ok) {
+			let errMsg = res.statusText;
+			try {
+				errMsg = (await res.json())?.errors?.map((e) => e.message).join("; ") ?? errMsg;
+			} catch {}
+			throw new Error(`CF API error (R2 get): ${errMsg}`);
+		}
+		return res.arrayBuffer();
+	}
+	async kvDelete(namespaceId) {
+		await this.request(`/accounts/${this.accountId}/storage/kv/namespaces/${namespaceId}`, { method: "DELETE" });
+	}
+	/**
+	* List every Cloudflare Queue in the account.
+	* @see https://developers.cloudflare.com/api/resources/queues/methods/list/
+	*/
+	async queuesListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const batch = (await this.request(`/accounts/${this.accountId}/queues?per_page=${perPage}&page=${page}`)).result ?? [];
+			all.push(...batch);
+			if (batch.length < perPage) break;
+			page++;
+		}
+		return all;
+	}
+	/**
+	* Create a new Cloudflare Queue.
+	* @see https://developers.cloudflare.com/api/resources/queues/methods/create/
+	*/
+	async queueCreate(queueName) {
+		return (await this.request(`/accounts/${this.accountId}/queues`, {
+			method: "POST",
+			body: JSON.stringify({ queue_name: queueName })
+		})).result;
+	}
+	/**
+	* Delete a Cloudflare Queue by id.
+	* @see https://developers.cloudflare.com/api/resources/queues/methods/delete/
+	*/
+	async queueDelete(queueId) {
+		await this.request(`/accounts/${this.accountId}/queues/${encodeURIComponent(queueId)}`, { method: "DELETE" });
+	}
+	/**
+	* List every Hyperdrive config in the account.
+	* @see https://developers.cloudflare.com/api/resources/hyperdrive/subresources/configs/methods/list/
+	*/
+	async hyperdriveListAll() {
+		return (await this.request(`/accounts/${this.accountId}/hyperdrive/configs`)).result ?? [];
+	}
+	/**
+	* Create a Hyperdrive config.
+	* @see https://developers.cloudflare.com/api/resources/hyperdrive/subresources/configs/methods/create/
+	*/
+	async hyperdriveCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/hyperdrive/configs`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Patch an existing Hyperdrive configuration in place. Cloudflare accepts
+	* partial updates here (true `PATCH`), so callers may send only the
+	* fields that drifted. Origin patches must include the full origin
+	* payload (the password is write-only and never returned, so Tamer
+	* reads it back from the resource config every apply).
+	* @see https://developers.cloudflare.com/api/resources/hyperdrive/subresources/configs/methods/edit/
+	*/
+	async hyperdrivePatch(configId, body) {
+		await this.request(`/accounts/${this.accountId}/hyperdrive/configs/${encodeURIComponent(configId)}`, {
+			method: "PATCH",
+			body: JSON.stringify(body)
+		});
+	}
+	/**
+	* Delete a Hyperdrive config by id.
+	* @see https://developers.cloudflare.com/api/resources/hyperdrive/subresources/configs/methods/delete/
+	*/
+	async hyperdriveDelete(configId) {
+		await this.request(`/accounts/${this.accountId}/hyperdrive/configs/${encodeURIComponent(configId)}`, { method: "DELETE" });
+	}
+	/**
+	* List every Vectorize index in the account (v2 storage subsystem).
+	* @see https://developers.cloudflare.com/api/resources/vectorize/subresources/indexes/methods/list/
+	*/
+	async vectorizeListAll() {
+		return (await this.request(`/accounts/${this.accountId}/vectorize/v2/indexes`)).result ?? [];
+	}
+	/**
+	* Create a Vectorize v2 index. `dimensions` and `metric` are immutable.
+	* @see https://developers.cloudflare.com/api/resources/vectorize/subresources/indexes/methods/create/
+	*/
+	async vectorizeCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/vectorize/v2/indexes`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Delete a Vectorize index by name.
+	* @see https://developers.cloudflare.com/api/resources/vectorize/subresources/indexes/methods/delete/
+	*/
+	async vectorizeDelete(indexName) {
+		await this.request(`/accounts/${this.accountId}/vectorize/v2/indexes/${encodeURIComponent(indexName)}`, { method: "DELETE" });
+	}
+	/**
+	* List every AI Gateway in the account.
+	* @see https://developers.cloudflare.com/api/resources/ai_gateway/methods/list/
+	*/
+	async aiGatewayListAll() {
+		return (await this.request(`/accounts/${this.accountId}/ai-gateway/gateways?per_page=100`)).result ?? [];
+	}
+	/**
+	* Create an AI Gateway. The gateway `id` is user-supplied and acts as both
+	* primary key and routing slug under `https://gateway.ai.cloudflare.com/`.
+	* @see https://developers.cloudflare.com/api/resources/ai_gateway/methods/create/
+	*/
+	async aiGatewayCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/ai-gateway/gateways`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Update an existing AI Gateway in place. The Cloudflare API uses `PUT`
+	* (not PATCH) and is full-replace on the listed fields, so callers must
+	* supply the complete desired state — Tamer's `apply` reads the recorded
+	* state row and merges declared overrides before calling this.
+	* @see https://developers.cloudflare.com/api/resources/ai_gateway/methods/update/
+	*/
+	async aiGatewayUpdate(gatewayId, body) {
+		await this.request(`/accounts/${this.accountId}/ai-gateway/gateways/${encodeURIComponent(gatewayId)}`, {
+			method: "PUT",
+			body: JSON.stringify(body)
+		});
+	}
+	/**
+	* Delete an AI Gateway by id.
+	* @see https://developers.cloudflare.com/api/resources/ai_gateway/methods/delete/
+	*/
+	async aiGatewayDelete(gatewayId) {
+		await this.request(`/accounts/${this.accountId}/ai-gateway/gateways/${encodeURIComponent(gatewayId)}`, { method: "DELETE" });
+	}
+	/**
+	* List every Pipeline in the account (paginated, 100/page). Uses the V1
+	* SQL pipelines endpoint; the deprecated `/accounts/{id}/pipelines`
+	* (HTTP/binding sources) is not used.
+	* @see https://developers.cloudflare.com/api/resources/pipelines/methods/list_v1/
+	*/
+	async pipelineListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const batch = (await this.request(`/accounts/${this.accountId}/pipelines/v1/pipelines?per_page=${perPage}&page=${page}`)).result ?? [];
+			all.push(...batch);
+			if (batch.length < perPage) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* Create a Pipeline. Server assigns the `id`; `name` is user-supplied
+	* and uniquely identifies the pipeline within the account.
+	* @see https://developers.cloudflare.com/api/resources/pipelines/methods/create_v1/
+	*/
+	async pipelineCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/pipelines/v1/pipelines`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Delete a Pipeline by server-assigned id.
+	* @see https://developers.cloudflare.com/api/resources/pipelines/methods/delete_v1/
+	*/
+	async pipelineDelete(pipelineId) {
+		const pathId = pipelinesV1IdForPath(pipelineId);
+		await this.request(`/accounts/${this.accountId}/pipelines/v1/pipelines/${encodeURIComponent(pathId)}`, { method: "DELETE" });
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/streams/methods/list/
+	*/
+	async pipelinesV1StreamListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const batch = (await this.request(`/accounts/${this.accountId}/pipelines/v1/streams?per_page=${perPage}&page=${page}`)).result ?? [];
+			all.push(...batch);
+			if (batch.length < perPage) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/streams/methods/create/
+	*/
+	async pipelinesV1StreamCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/pipelines/v1/streams`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Path id: 32 lower-case hex chars (no hyphens). The dashboard issues a
+	* plain `DELETE` with no query string; pass `{ force: true }` only if the API
+	* docs require it for your case.
+	*
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/streams/methods/delete/
+	*/
+	async pipelinesV1StreamDelete(streamId, query) {
+		const pathId = pipelinesV1IdForPath(streamId);
+		const qs = new URLSearchParams();
+		if (query?.force) qs.set("force", "true");
+		const tail = qs.toString() ? `?${qs.toString()}` : "";
+		await this.request(`/accounts/${this.accountId}/pipelines/v1/streams/${encodeURIComponent(pathId)}${tail}`, { method: "DELETE" });
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/sinks/methods/list/
+	*/
+	async pipelinesV1SinkListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const batch = (await this.request(`/accounts/${this.accountId}/pipelines/v1/sinks?per_page=${perPage}&page=${page}`)).result ?? [];
+			all.push(...batch);
+			if (batch.length < perPage) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* R2 Data Catalog sink `config` includes `table_name` and `namespace` as
+	* Cloudflare has registered them (may differ from the name sent at create).
+	*
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/sinks/methods/get/
+	*/
+	async pipelinesV1SinkGet(sinkId) {
+		const pathId = pipelinesV1IdForPath(sinkId);
+		return (await this.request(`/accounts/${this.accountId}/pipelines/v1/sinks/${encodeURIComponent(pathId)}`)).result;
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/sinks/methods/create/
+	*/
+	async pipelinesV1SinkCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/pipelines/v1/sinks`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Path id: 32 lower-case hex chars (no hyphens). Optional `{ force: true }`
+	* matches `?force=true` when the product requires it (e.g. some sink types).
+	*
+	* @see https://developers.cloudflare.com/api/resources/pipelines/subresources/sinks/methods/delete/
+	*/
+	async pipelinesV1SinkDelete(sinkId, query) {
+		const pathId = pipelinesV1IdForPath(sinkId);
+		const qs = new URLSearchParams();
+		if (query?.force) qs.set("force", "true");
+		const tail = qs.toString() ? `?${qs.toString()}` : "";
+		await this.request(`/accounts/${this.accountId}/pipelines/v1/sinks/${encodeURIComponent(pathId)}${tail}`, { method: "DELETE" });
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/r2_data_catalog/methods/list/
+	*/
+	async r2DataCatalogList() {
+		return { warehouses: (await this.request(`/accounts/${this.accountId}/r2-catalog`)).result?.warehouses ?? [] };
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/r2_data_catalog/methods/enable/
+	*/
+	async r2DataCatalogEnable(bucketName) {
+		await this.request(`/accounts/${this.accountId}/r2-catalog/${encodeURIComponent(bucketName)}/enable`, { method: "POST" });
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/r2_data_catalog/methods/update/
+	* (Store catalog credentials)
+	*/
+	async r2DataCatalogStoreCredential(bucketName, token) {
+		await this.request(`/accounts/${this.accountId}/r2-catalog/${encodeURIComponent(bucketName)}/credential`, {
+			method: "POST",
+			body: JSON.stringify({ token })
+		});
+	}
+	/**
+	* Deactivates the R2 Data Catalog for a bucket (metadata files remain in R2
+	* until the bucket is emptied or objects are removed). Next `apply` will
+	* re-enable the catalog as part of `pipelinesAuto` when needed.
+	*
+	* @see https://developers.cloudflare.com/api/resources/r2_data_catalog/methods/disable/
+	*/
+	async r2DataCatalogDisable(bucketName) {
+		await this.request(`/accounts/${this.accountId}/r2-catalog/${encodeURIComponent(bucketName)}/disable`, { method: "POST" });
+	}
+	/**
+	* List every Workflow registered on the account (paginated, 100/page).
+	* Cloudflare returns the configured class + script binding plus
+	* aggregate instance counts; we only consume the registration metadata.
+	* @see https://developers.cloudflare.com/api/resources/workflows/methods/list/
+	*/
+	async workflowListAll() {
+		const all = [];
+		let page = 1;
+		while (true) {
+			const data = await this.request(`/accounts/${this.accountId}/workflows?page=${page}&per_page=100`);
+			const batch = data.result ?? [];
+			all.push(...batch);
+			const totalPages = data.result_info?.total_pages ?? 1;
+			if (page >= totalPages || batch.length === 0) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* Create or update a Workflow registration. Cloudflare's `PUT` is upsert:
+	* if `workflow_name` exists it patches `class_name` / `script_name` /
+	* `limits`, otherwise it creates a new one. The bound class must already
+	* be deployed in `script_name`'s code (PUT against an unknown class
+	* succeeds at registration time but fails at first instance create).
+	* @see https://developers.cloudflare.com/api/resources/workflows/methods/update/
+	*/
+	async workflowUpsert(name, body) {
+		return (await this.request(`/accounts/${this.accountId}/workflows/${encodeURIComponent(name)}`, {
+			method: "PUT",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Delete a Workflow registration by name. Per Cloudflare's docs this only
+	* removes the workflow itself — the worker that hosts the class is
+	* untouched and existing in-flight instances continue to run.
+	* @see https://developers.cloudflare.com/api/resources/workflows/methods/delete/
+	*/
+	async workflowDelete(name) {
+		await this.request(`/accounts/${this.accountId}/workflows/${encodeURIComponent(name)}`, { method: "DELETE" });
+	}
+	/**
+	* List every Secrets Store store on the account (paginated, 100/page).
+	* Stores are account-scoped containers; their internal secret entries
+	* are listed via {@link secretsStoreSecretListAll}.
+	* @see https://developers.cloudflare.com/api/resources/secrets_store/subresources/stores/methods/list/
+	*/
+	async secretsStoreListAll() {
+		const all = [];
+		let page = 1;
+		while (true) {
+			const data = await this.request(`/accounts/${this.accountId}/secrets_store/stores?page=${page}&per_page=100`);
+			const batch = data.result ?? [];
+			all.push(...batch);
+			const totalPages = data.result_info?.total_pages ?? 1;
+			if (page >= totalPages || batch.length === 0) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* Create a new Secrets Store. Per the API a store name uniquely identifies
+	* the container within an account but is **not** itself a primary key —
+	* the assigned `id` is. Tamer enforces uniqueness via the derived
+	* `sec-{logical}-t-{tenantId}-{env}` name and short-circuits to the
+	* existing id when it finds a match in `secretsStoreListAll`.
+	* @see https://developers.cloudflare.com/api/resources/secrets_store/subresources/stores/methods/create/
+	*/
+	async secretsStoreCreate(name) {
+		return (await this.request(`/accounts/${this.accountId}/secrets_store/stores`, {
+			method: "POST",
+			body: JSON.stringify({ name })
+		})).result;
+	}
+	/**
+	* Delete a Secrets Store by id. Cloudflare cascades the deletion to all
+	* secrets inside the store, so callers should ensure no live worker is
+	* still binding into this store before invoking.
+	* @see https://developers.cloudflare.com/api/resources/secrets_store/subresources/stores/methods/delete/
+	*/
+	async secretsStoreDelete(storeId) {
+		await this.request(`/accounts/${this.accountId}/secrets_store/stores/${encodeURIComponent(storeId)}`, { method: "DELETE" });
+	}
+	async dispatchNamespaceListAll() {
+		return (await this.request(`/accounts/${this.accountId}/workers/dispatch/namespaces`)).result ?? [];
+	}
+	async dispatchNamespaceCreate(namespaceName) {
+		await this.request(`/accounts/${this.accountId}/workers/dispatch/namespaces`, {
+			method: "POST",
+			body: JSON.stringify({ name: namespaceName })
+		});
+	}
+	async dispatchNamespaceDelete(namespaceName) {
+		await this.request(`/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(namespaceName)}`, { method: "DELETE" });
+	}
+	/**
+	* Upload a user Worker module to a Workers for Platforms dispatch namespace (multipart).
+	* @see https://developers.cloudflare.com/api/operations/namespace-worker-script-upload-worker-module
+	*/
+	async dispatchNamespaceScriptPut(dispatchNamespace, scriptName, formData) {
+		const url = `${CF_API_BASE}/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(dispatchNamespace)}/scripts/${encodeURIComponent(scriptName)}`;
+		const res = await fetch(url, {
+			method: "PUT",
+			headers: { Authorization: `Bearer ${this.apiToken}` },
+			body: formData
+		});
+		const data = await res.json();
+		if (!res.ok) {
+			const errMsg = data?.errors?.map((e) => e.message).join("; ") ?? res.statusText;
+			throw new Error(`CF API error: ${errMsg}`);
+		}
+	}
+	/**
+	* List every script inside a dispatch namespace.
+	* @see https://developers.cloudflare.com/api/resources/workers_for_platforms/subresources/dispatch/subresources/namespaces/subresources/scripts/methods/list/
+	*/
+	async dispatchNamespaceScriptList(dispatchNamespace) {
+		return (await this.request(`/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(dispatchNamespace)}/scripts`)).result ?? [];
+	}
+	/**
+	* Remove a script from a Workers for Platforms dispatch namespace.
+	* @see https://developers.cloudflare.com/api/resources/workers_for_platforms/subresources/dispatch/subresources/namespaces/subresources/scripts/methods/delete/
+	*/
+	async dispatchNamespaceScriptDelete(dispatchNamespace, scriptName, options) {
+		const q = options?.force ? "?force=true" : "";
+		const url = `${CF_API_BASE}/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(dispatchNamespace)}/scripts/${encodeURIComponent(scriptName)}${q}`;
+		const res = await fetch(url, {
+			method: "DELETE",
+			headers: { Authorization: `Bearer ${this.apiToken}` }
+		});
+		if (!res.ok) {
+			let errMsg = res.statusText;
+			try {
+				errMsg = (await res.json())?.errors?.map((e) => e.message).join("; ") ?? errMsg;
+			} catch {}
+			throw new Error(`CF API error: ${errMsg}`);
+		}
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/routes/methods/list/
+	*/
+	async zoneWorkerRoutesList(zoneId) {
+		return (await this.request(`/zones/${zoneId}/workers/routes`)).result ?? [];
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/routes/methods/create/
+	*/
+	async zoneWorkerRouteCreate(zoneId, body) {
+		return (await this.request(`/zones/${zoneId}/workers/routes`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/workers/subresources/routes/methods/delete/
+	*/
+	async zoneWorkerRouteDelete(zoneId, routeId) {
+		await this.request(`/zones/${zoneId}/workers/routes/${encodeURIComponent(routeId)}`, { method: "DELETE" });
+	}
+	/**
+	* List every DNS record on a zone (paginated, 100/page). Returns the
+	* subset of fields Tamer cares about — the full Cloudflare object also
+	* carries `meta`, `proxiable`, `created_on`, `modified_on`, etc., none of
+	* which we persist in state.
+	*
+	* @see https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/list/
+	*/
+	async zoneDnsRecordListAll(zoneId) {
+		const all = [];
+		let page = 1;
+		while (true) {
+			const data = await this.request(`/zones/${zoneId}/dns_records?page=${page}&per_page=100`);
+			const batch = data.result ?? [];
+			all.push(...batch);
+			const totalPages = data.result_info?.total_pages ?? 1;
+			if (page >= totalPages || batch.length === 0) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* Create a DNS record on a zone. The Cloudflare API rejects duplicate
+	* `(type, name, content)` triples for record types where that combination
+	* is meaningful (CNAME, A, AAAA), so callers should pre-check via
+	* {@link zoneDnsRecordListAll}.
+	*
+	* @see https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/create/
+	*/
+	async zoneDnsRecordCreate(zoneId, body) {
+		return (await this.request(`/zones/${zoneId}/dns_records`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Patch a DNS record in place. Cloudflare's PATCH endpoint accepts any
+	* subset of mutable fields (`content`, `ttl`, `proxied`, `priority`,
+	* `comment`) but rejects `type` changes — Tamer falls back to
+	* delete-and-recreate when the type drifts.
+	*
+	* @see https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/edit/
+	*/
+	async zoneDnsRecordPatch(zoneId, recordId, body) {
+		await this.request(`/zones/${zoneId}/dns_records/${encodeURIComponent(recordId)}`, {
+			method: "PATCH",
+			body: JSON.stringify(body)
+		});
+	}
+	/**
+	* @see https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/delete/
+	*/
+	async zoneDnsRecordDelete(zoneId, recordId) {
+		await this.request(`/zones/${zoneId}/dns_records/${encodeURIComponent(recordId)}`, { method: "DELETE" });
+	}
+	/**
+	* Look up zones by exact name.
+	*
+	* Account-scoped tokens with `Zone Read` see every zone under the account.
+	* Returns an array because Cloudflare allows the same name across accounts;
+	* the caller normally takes `[0]`.
+	*
+	* @see https://developers.cloudflare.com/api/operations/zones-get
+	*/
+	async zonesListByName(name) {
+		const qs = new URLSearchParams({
+			name,
+			"account.id": this.accountId,
+			per_page: "50"
+		});
+		return (await this.request(`/zones?${qs.toString()}`)).result ?? [];
+	}
+	/**
+	* List account-scoped Logpush jobs (includes `workers_trace_events`).
+	* @see https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/list/
+	*/
+	async logpushAccountJobsList() {
+		return (await this.request(`/accounts/${this.accountId}/logpush/jobs`)).result ?? [];
+	}
+	/**
+	* Fetch one account-scoped Logpush job (includes `destination_conf`).
+	* @see https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/get/
+	*/
+	async logpushAccountJobGet(jobId) {
+		const data = await this.request(`/accounts/${this.accountId}/logpush/jobs/${jobId}`);
+		if (!data.result?.id) throw new Error(`Logpush job GET ${jobId}: missing result (job may not exist on this account)`);
+		return data.result;
+	}
+	/**
+	* Create an account Logpush job. Caller supplies `destination_conf` and dataset.
+	* @see https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/create/
+	*/
+	async logpushAccountJobCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/logpush/jobs`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Update mutable Logpush job fields in place.
+	* @see https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/update/
+	*/
+	async logpushAccountJobUpdate(jobId, body) {
+		await this.request(`/accounts/${this.accountId}/logpush/jobs/${jobId}`, {
+			method: "PUT",
+			body: JSON.stringify(body)
+		});
+	}
+	/**
+	* Delete a Logpush job by numeric id.
+	* @see https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/methods/delete/
+	*/
+	async logpushAccountJobDelete(jobId) {
+		await this.request(`/accounts/${this.accountId}/logpush/jobs/${jobId}`, { method: "DELETE" });
+	}
+	/**
+	* List all permission groups for account-owned API tokens (paginated).
+	* @see https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/subresources/permission_groups/methods/list/
+	*/
+	async accountTokenPermissionGroupsListAll() {
+		const all = [];
+		const seen = /* @__PURE__ */ new Set();
+		let page = 1;
+		const perPage = 100;
+		/** Failsafe: pagination must always terminate even if the API omits `total_count` or repeats pages. */
+		const maxPage = 500;
+		while (true) {
+			if (page > maxPage) throw new Error(`Account token permission groups: exceeded ${maxPage} pages (partial count ${all.length}) — refusing to paginate further (check Cloudflare API or file a bug)`);
+			const data = await this.request(`/accounts/${this.accountId}/tokens/permission_groups?per_page=${perPage}&page=${page}`);
+			const batch = data.result ?? [];
+			if (batch.length === 0) break;
+			const newRows = batch.filter((g) => g.id && !seen.has(g.id));
+			for (const g of newRows) seen.add(g.id);
+			if (newRows.length === 0) break;
+			all.push(...newRows);
+			if (batch.length < perPage) break;
+			const total = data.result_info?.total_count;
+			if (typeof total === "number" && all.length >= total) break;
+			page++;
+		}
+		return all;
+	}
+	/**
+	* List all account-owned API tokens (paginated).
+	* @see https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/methods/list/
+	*/
+	async accountTokenListAll() {
+		const all = [];
+		let page = 1;
+		const perPage = 50;
+		const maxPage = 500;
+		while (page <= maxPage) {
+			const data = await this.request(`/accounts/${this.accountId}/tokens?per_page=${perPage}&page=${page}`);
+			const batch = data.result ?? [];
+			all.push(...batch);
+			const total = data.result_info?.total_count;
+			if (typeof total === "number" && all.length >= total) break;
+			if (batch.length < perPage) break;
+			page += 1;
+		}
+		return all;
+	}
+	/**
+	* Create an account-owned API token. `result.value` is only returned on create.
+	* @see https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/methods/create/
+	*/
+	async accountTokenCreate(body) {
+		return (await this.request(`/accounts/${this.accountId}/tokens`, {
+			method: "POST",
+			body: JSON.stringify(body)
+		})).result;
+	}
+	/**
+	* Delete (revoke) an account-owned API token.
+	* @see https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/methods/delete/
+	*/
+	async accountTokenDelete(tokenId) {
+		await this.request(`/accounts/${this.accountId}/tokens/${encodeURIComponent(tokenId)}`, { method: "DELETE" });
+	}
+};
+//#endregion
+//#region src/core/secrets/secretsDb.ts
+/** Max audit rows retained per secret name (oldest dropped on insert). */
+const SECRET_HISTORY_CAP = 50;
+/** Cloudflare D1 database for encrypted secrets (`tamer-secrets-dev`, …). */
+function tamerSecretsDatabaseName(env) {
+	return `tamer-secrets-${env}`;
+}
+async function findTamerSecretsDatabaseUuid(api, env) {
+	const name = tamerSecretsDatabaseName(env);
+	return (await api.d1ListAll()).find((d) => d.name === name)?.uuid;
+}
+const SECRETS_TABLE_DDL = `CREATE TABLE IF NOT EXISTS secrets (
+  name        TEXT PRIMARY KEY,
+  ciphertext  BLOB NOT NULL,
+  iv          BLOB NOT NULL,
+  wrapped_dek BLOB NOT NULL,
+  dek_iv      BLOB NOT NULL,
+  value_hash  TEXT NOT NULL,
+  updated_at  TEXT NOT NULL,
+  updated_by  TEXT
+)`;
+const SECRET_HISTORY_TABLE_DDL = `CREATE TABLE IF NOT EXISTS secret_history (
+  name        TEXT NOT NULL,
+  value_hash  TEXT NOT NULL,
+  updated_at  TEXT NOT NULL,
+  updated_by  TEXT
+)`;
+/**
+* Create `tamer-secrets-{env}` if missing and ensure `secrets` / `secret_history`
+* tables. Idempotent — safe to call on every bootstrap or first vault touch.
+*/
+async function ensureTamerSecretsDatabase(api, env) {
+	let uuid$1 = await findTamerSecretsDatabaseUuid(api, env);
+	if (!uuid$1) uuid$1 = (await api.d1Create(tamerSecretsDatabaseName(env))).uuid;
+	await api.d1Query(uuid$1, SECRETS_TABLE_DDL);
+	await api.d1Query(uuid$1, SECRET_HISTORY_TABLE_DDL);
+	return uuid$1;
+}
+//#endregion
+//#region src/core/secrets/masterKey.ts
+const MASTER_KEY_BYTE_LENGTH = 32;
+const MASTER_KEY_ENV_PREFIX = "TAMER_SECRETS_KEY_";
+/** Env var name for the per-env master key (e.g. `TAMER_SECRETS_KEY_dev`). */
+function masterKeyEnvVarName(env) {
+	return `${MASTER_KEY_ENV_PREFIX}${env}`;
+}
+/** Generate a fresh 256-bit master key as base64 (print once, store externally). */
+function generateMasterKey() {
+	return bytesToBase64(crypto.getRandomValues(new Uint8Array(MASTER_KEY_BYTE_LENGTH)));
+}
+/** Parse and validate a base64 master key string into raw key material. */
+function parseMasterKey(base64$1) {
+	const trimmed = base64$1.trim();
+	if (!trimmed) throw new Error("secrets: master key must be a non-empty base64 string");
+	const bytes = base64ToBytes(trimmed);
+	if (bytes.length !== MASTER_KEY_BYTE_LENGTH) throw new Error(`secrets: master key must decode to ${MASTER_KEY_BYTE_LENGTH} bytes (got ${bytes.length})`);
+	return bytes;
+}
+/**
+* Read the master key for `env` from `process.env`.
+* Never logs or returns the env var name together with the key value.
+*/
+function readMasterKeyFromEnv(env) {
+	const varName = masterKeyEnvVarName(env);
+	const raw = process.env[varName];
+	if (!raw) throw new Error(`secrets: master key requires env var ${varName} (set it before running secrets commands)`);
+	return parseMasterKey(raw);
+}
+function bytesToBase64(bytes) {
+	return Buffer.from(bytes).toString("base64");
+}
+function base64ToBytes(base64$1) {
+	if (!/^[A-Za-z0-9+/]*={0,2}$/.test(base64$1)) throw new Error("secrets: master key is not valid base64");
+	return new Uint8Array(Buffer.from(base64$1, "base64"));
+}
+//#endregion
+//#region src/core/naming/NamingEngine.ts
+function reLiteral(s) {
+	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var NamingEngine = class {
+	constructor(tenant, conventions) {
+		this.tenant = tenant;
+		this.conventions = conventions;
+	}
+	/** Tenant id for per-resource {@link CloudflareNameFn} overrides. */
+	get tenantId() {
+		return this.tenant.id;
+	}
+	d1SingleName(logicalName, env) {
+		if (this.conventions?.d1Single) return this.conventions.d1Single(logicalName, this.tenant.id, env);
+		return `db_${logicalName}_t_${this.tenant.id}_${env}`;
+	}
+	d1ShardName(logicalName, shardDate, env) {
+		if (this.conventions?.d1Shard) return this.conventions.d1Shard(logicalName, shardDate, this.tenant.id, env);
+		const dateNoDashes = shardDate.replace(/-/g, "");
+		if (logicalName === "default" || logicalName === "") return `db_${dateNoDashes}_t_${this.tenant.id}_${env}`;
+		return `db_${logicalName}_${dateNoDashes}_t_${this.tenant.id}_${env}`;
+	}
+	d1SingleBindingKey(logicalName) {
+		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	d1ShardBindingKey(logicalName, shardDate) {
+		const dateNoDashes = shardDate.replace(/-/g, "");
+		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_${dateNoDashes}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	r2BucketName(logicalName, env) {
+		if (this.conventions?.r2Bucket) {
+			const dateNoDashes = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10).replace(/-/g, "");
+			return this.conventions.r2Bucket(logicalName, dateNoDashes, this.tenant.id, env);
+		}
+		return `r2-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	/**
+	* Wrangler `r2_buckets[].binding`: logical + tenant only (same idea as {@link kvBindingKey}).
+	* Stable across envs; default {@link r2BucketName} is `r2-{logical}-t-{tenant}-{env}`.
+	*/
+	r2BindingKey(logicalName) {
+		return `R2_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	kvNamespaceName(logicalName, env) {
+		return `kv_${logicalName}_t_${this.tenant.id}_${env}`;
+	}
+	kvBindingKey(logicalName) {
+		return `KV_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	queueName(logicalName, env) {
+		return `q-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	queueBindingKey(logicalName) {
+		return `Q_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	hyperdriveName(logicalName, env) {
+		return `hd-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	hyperdriveBindingKey(logicalName) {
+		return `HD_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	vectorizeName(logicalName, env) {
+		return `vec-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	vectorizeBindingKey(logicalName) {
+		return `VEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	/**
+	* AI Gateway slug (== Cloudflare gateway id). Per the Cloudflare API,
+	* gateway ids are case-sensitive lowercase ascii with `-`/`_`. Format:
+	* `aigw-{logical}-t-{tenantId}-{env}`.
+	*/
+	aiGatewayId(logicalName, env) {
+		return `aigw-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Stable cross-reference binding key for AI Gateway. AI Gateway has no
+	* Wrangler binding kind today, so this is only consumed by
+	* `${tamer:ai_gateway:<logical>.binding}` interpolations.
+	*/
+	aiGatewayBindingKey(logicalName) {
+		return `AI_GW_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	/**
+	* Cloudflare-side pipeline name. Pipelines V1 names must be lowercase
+	* alphanumerics + hyphens (no underscores), so we mirror the R2 scheme.
+	* Pattern: `pipe-{logical}-t-{tenantId}-{env}`.
+	*/
+	pipelineName(logicalName, env) {
+		return `pipe-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Wrangler binding key emitted in `pipelines[]`. Uppercased logical with
+	* the tenant id appended so two tenants can share a worker namespace
+	* without colliding bindings.
+	*/
+	pipelineBindingKey(logicalName) {
+		return `PIPE_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	pipelineMatchPattern(logicalName, env) {
+		const exact = this.pipelineName(logicalName, env);
+		return (name) => name === exact;
+	}
+	/**
+	* Cloudflare-side workflow name. Workflow names accept lowercase
+	* alphanumerics + hyphens; we mirror the pipelines/AI-Gateway hyphen
+	* scheme. Pattern: `wf-{logical}-t-{tenantId}-{env}`.
+	*/
+	workflowName(logicalName, env) {
+		if (this.conventions?.workflow) return this.conventions.workflow(logicalName, this.tenant.id, env);
+		return `wf-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Wrangler binding key emitted in `workflows[]`. Uppercased logical with
+	* the tenant id appended so two tenants sharing a script can't collide.
+	*/
+	workflowBindingKey(logicalName) {
+		return `WF_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	workflowMatchPattern(logicalName, env) {
+		const exact = this.workflowName(logicalName, env);
+		return (name) => name === exact;
+	}
+	/**
+	* Cloudflare Secrets Store name. Account-scoped — the API allows free-form
+	* names (the dashboard examples use both `service_x_keys` and dashed
+	* variants), so we mirror our hyphen convention for consistency with
+	* pipelines / workflows / AI Gateway. Pattern:
+	* `sec-{logical}-t-{tenantId}-{env}`.
+	*/
+	secretsStoreName(logicalName, env) {
+		return `sec-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Stable cross-reference key for the store. Secrets Store has no Wrangler
+	* binding kind directly — `secrets_store_secrets[]` references the
+	* resolved `store_id`, not the store name — so this only powers
+	* `${tamer:secret_store:<n>.binding}` interpolations.
+	*/
+	secretsStoreBindingKey(logicalName) {
+		return `SEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	secretsStoreMatchPattern(logicalName, env) {
+		const exact = this.secretsStoreName(logicalName, env);
+		return (name) => name === exact;
+	}
+	workerName(workerKey, env) {
+		if (this.conventions?.workerName) return this.conventions.workerName(this.tenant.slug, workerKey, env, this.tenant.id);
+		if (env === "local") return `${this.tenant.slug}-${workerKey}-${this.tenant.id}`;
+		return `${this.tenant.slug}-${workerKey}-${env}-${this.tenant.id}`;
+	}
+	/** Whether stack {@link NamingConventions.d1Shard} is configured. */
+	hasD1ShardConvention() {
+		return Boolean(this.conventions?.d1Shard);
+	}
+	d1MatchPattern(logicalName, env) {
+		if (this.conventions?.d1Shard) return (name) => {
+			const shardDate = this.extractD1ShardDate(name);
+			if (!shardDate) return false;
+			return this.d1ShardName(logicalName, shardDate, env) === name;
+		};
+		const suffix = `_t_${this.tenant.id}_${env}`;
+		if (logicalName === "default" || logicalName === "") return (name) => /^db_\d{8}_t_/.test(name) && name.endsWith(suffix);
+		const prefix = `db_${logicalName}_`;
+		return (name) => name.startsWith(prefix) && name.endsWith(suffix);
+	}
+	/**
+	* Default: exact {@link r2BucketName}, or legacy dated buckets
+	* `r2-{logical}-{YYYYMMDD}-t-{tenant}-{env}` from older Tamer versions.
+	* Custom {@link NamingConventions.r2Bucket}: exact name only (uses today's date
+	* when calling the hook, same as apply).
+	*/
+	r2MatchPattern(logicalName, env) {
+		if (this.conventions?.r2Bucket) {
+			const expected = this.r2BucketName(logicalName, env);
+			return (name) => name === expected;
+		}
+		const exactNew = `r2-${logicalName}-t-${this.tenant.id}-${env}`;
+		const legacyDated = /* @__PURE__ */ new RegExp(`^r2-${reLiteral(logicalName)}-\\d{8}-t-${reLiteral(this.tenant.id)}-${reLiteral(env)}$`);
+		return (name) => name === exactNew || legacyDated.test(name);
+	}
+	extractD1ShardDate(name) {
+		const compact = name.match(/_(\d{8})_t_/);
+		if (compact) {
+			const d = compact[1];
+			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
+		}
+		const underscored = name.match(/_(\d{4})_(\d{2})_(\d{2})_t_/);
+		if (underscored) return `${underscored[1]}-${underscored[2]}-${underscored[3]}`;
+		return null;
+	}
+	extractR2Date(name) {
+		const match = name.match(/r2-\w+-(\d{8})-t-/);
+		if (match) {
+			const d = match[1];
+			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
+		}
+		return null;
+	}
+};
+//#endregion
+//#region src/core/config/namingFromConfig.ts
+function namingFromConfig(config$1) {
+	const conventions = "naming" in config$1 && config$1.naming ? config$1.naming : void 0;
+	return new NamingEngine(config$1.tenant, conventions);
+}
+//#endregion
+//#region src/features/dispatch-namespace/dispatch-namespace.resolve.ts
+const ephemeralPredicateCache = /* @__PURE__ */ new WeakMap();
+function ephemeralPredicateFor(tenant) {
+	if (ephemeralPredicateCache.has(tenant)) return ephemeralPredicateCache.get(tenant) ?? null;
+	const pat = tenant.ephemeralEnvPattern;
+	const compiled = pat ? new RegExp(pat) : null;
+	ephemeralPredicateCache.set(tenant, compiled);
+	return compiled;
+}
+/**
+* `true` when `env` matches `tenant.ephemeralEnvPattern` (e.g.
+* `"^pr-"` for PR previews, `"^(pr|feature)-"` for branch previews).
+*
+* Ephemeral envs share **one** dispatch namespace
+* (`{ns}-ephemeral`) so we don't churn dispatch-namespace creates per
+* preview, and dispatch-script names carry the env suffix
+* (`{product}-{workspace}-{env}`) so multiple previews can coexist
+* inside that shared namespace. When the config doesn't pin a
+* pattern, no env is ephemeral — every env gets its own dispatch
+* namespace `{ns}-{env}`.
+*/
+function isEphemeralEnv(env, tenant) {
+	const re = ephemeralPredicateFor(tenant);
+	if (!re) return false;
+	return re.test(env);
+}
+/** Resolved Cloudflare dispatch namespace name for the given env. */
+function effectiveDispatchNamespaceName(config$1, env, tenant) {
+	if (config$1.envSuffix) {
+		if (env === "local") return config$1.namespace;
+		if (isEphemeralEnv(env, tenant)) return `${config$1.namespace}-ephemeral`;
+		return `${config$1.namespace}-${env}`;
+	}
+	return config$1.namespace;
+}
+//#endregion
+//#region src/core/routes/routes.resolve.ts
+const DEFAULT_PROD_ENVS = ["prod", "production"];
+const DEFAULT_SKIP_ENVS = ["local"];
+/**
+* Per `docs/handoff.md` §6:
+*   - prod / production → bare apex (`todo.com`)
+*   - any other env (including ephemeral `pr-*`) → `{env}.{apex}`
+*   - `local` (or anything in `skipEnvs`) → no route
+*
+* The resource-name `-{env}` suffix on workers/D1/R2/KV is decoupled from
+* URLs; this function only computes the URL.
+*/
+function effectiveHostForEnv(route, env) {
+	if ((route.skipEnvs ?? DEFAULT_SKIP_ENVS).includes(env)) return void 0;
+	if ((route.prodEnvs ?? DEFAULT_PROD_ENVS).includes(env)) return route.host;
+	return `${env}.${route.host}`;
+}
+/**
+* Expand one Tamer route into a wrangler `Route` (or `undefined` if the env
+* should not receive the route at all).
+*/
+function expandRouteForEnv(route, env) {
+	const host = effectiveHostForEnv(route, env);
+	if (!host) return void 0;
+	const zone = route.zone ?? route.host;
+	if (route.customDomain) return {
+		pattern: host,
+		custom_domain: true
+	};
+	return {
+		pattern: `${host}${route.path ?? "/*"}`,
+		zone_name: zone
+	};
+}
+/**
+* Expand `tamerRoutes` for the given env, dropping any that resolve to
+* `undefined` (`local`, `skipEnvs`).
+*
+* Note: ephemeral envs (matching `tenant.ephemeralEnvPattern`) follow the
+* same `{env}.{apex}` prefix rule as any non-prod env — e.g. an env named
+* `pr-1234` resolves to `pr-1234.todo.com`. Callers that want a different
+* URL scheme for ephemeral envs should special-case before calling.
+*/
+function effectiveRoutesForEnv(tamerRoutes, env) {
+	if (!tamerRoutes || tamerRoutes.length === 0) return [];
+	const out = [];
+	for (const r of tamerRoutes) {
+		const expanded = expandRouteForEnv(r, env);
+		if (expanded) out.push(expanded);
+	}
+	return out;
+}
+/**
+* Zone-name routes are attached via the Cloudflare Workers Routes HTTP API
+* (`/zones/{id}/workers/routes`), not via `wrangler.json`, so deploys stay
+* consistent with `tamer drift` / destroy.
+*/
+function isApiManagedZoneRoute(r) {
+	return typeof r === "object" && r !== null && "zone_name" in r && typeof r.zone_name === "string" && "pattern" in r && typeof r.pattern === "string" && !("custom_domain" in r && r.custom_domain === true);
+}
+/** Custom-domain `tamerRoutes` stay in wrangler until a dedicated API path exists. */
+function isWranglerOnlyTamerRoute(r) {
+	return typeof r === "object" && r !== null && "custom_domain" in r && r.custom_domain === true;
+}
+//#endregion
+//#region src/core/wrangler/wranglerOutFile.ts
+/** Reject path segments in generated Wrangler config filename. */
+function assertSafeWranglerOutFile(name) {
+	const trimmed = name.trim();
+	if (!trimmed) throw new Error("wranglerOutFile cannot be empty");
+	if (trimmed.includes("/") || trimmed.includes("\\") || trimmed.startsWith("..")) throw new Error(`Invalid wranglerOutFile "${name}": use a basename only (e.g. wrangler.json)`);
+	return trimmed;
+}
+/** Extra CLI args so Wrangler uses a non-default config file. */
+function wranglerConfigCliArgs(outFile) {
+	if (outFile === "wrangler.json") return [];
+	return ["--config", outFile];
+}
+//#endregion
+//#region src/core/references/references.ts
+var TamerReferenceError = class extends Error {
+	constructor(message, fieldPath) {
+		super(`${message} (at ${fieldPath})`);
+		this.fieldPath = fieldPath;
+		this.name = "TamerReferenceError";
+	}
+};
+const REF_RE = /\$\{tamer:([a-z0-9_]+):([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\}/g;
+/**
+* Scan a string for any `${tamer:...}` references. Returns true when at
+* least one reference is present (used for cheap pre-checks).
+*/
+function stringHasReference(s) {
+	REF_RE.lastIndex = 0;
+	return REF_RE.test(s);
+}
+/**
+* Resolve every `${tamer:...}` reference in `value`. Replacement preserves
+* surrounding text for partial-string interpolation. `fieldPath` is included
+* in any thrown {@link TamerReferenceError} for actionable diagnostics.
+*/
+function resolveReferencesInString(value, ctx, fieldPath) {
+	if (!stringHasReference(value)) return value;
+	return value.replace(REF_RE, (match, kind, logicalName, field) => {
+		try {
+			return lookupReference(kind, logicalName, field, ctx, fieldPath);
+		} catch (err) {
+			if (ctx.tolerant && err instanceof TamerReferenceError) return match;
+			throw err;
+		}
+	});
+}
+/**
+* Walk a `vars` record (or any flat string→string map) replacing references
+* in every value. Returns a new object; the input is not mutated.
+*/
+function resolveReferencesInVars(vars, ctx, fieldPathPrefix) {
+	if (!vars) return vars;
+	const out = {};
+	for (const [key, value] of Object.entries(vars)) {
+		if (typeof value !== "string") {
+			out[key] = value;
+			continue;
+		}
+		out[key] = resolveReferencesInString(value, ctx, `${fieldPathPrefix}.${key}`);
+	}
+	return out;
+}
+function lookupReference(kind, logicalName, field, ctx, fieldPath) {
+	switch (kind) {
+		case "d1": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "d1_database" && entry.logicalName === logicalName);
+		case "r2": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "r2_bucket" && entry.logicalName === logicalName);
+		case "kv": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "kv_namespace" && entry.logicalName === logicalName);
+		case "queue": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "queue" && entry.logicalName === logicalName);
+		case "hyperdrive": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "hyperdrive" && entry.logicalName === logicalName);
+		case "vectorize": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "vectorize" && entry.logicalName === logicalName);
+		case "ai_gateway": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "ai_gateway" && entry.logicalName === logicalName);
+		case "pipeline": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "pipeline" && entry.logicalName === logicalName);
+		case "workflow": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "workflow" && entry.logicalName === logicalName);
+		case "secret_store": return lookupResource(ctx, kind, logicalName, field, fieldPath, (entry) => entry.type === "secrets_store" && entry.logicalName === logicalName);
+		case "dispatch_namespace": return lookupDispatchNamespace(ctx, logicalName, field, fieldPath);
+		case "worker": return lookupWorker(ctx, logicalName, field, fieldPath);
+		case "import": return lookupImport(ctx, logicalName, field, fieldPath);
+		case "logpush_pipelines": return lookupLogpushPipelines(ctx, logicalName, field, fieldPath);
+		case "config": return lookupConfigField(ctx, logicalName, field, fieldPath);
+		default: throw new TamerReferenceError(`Unknown reference kind "${kind}" — expected one of d1 | r2 | kv | queue | hyperdrive | vectorize | ai_gateway | pipeline | workflow | secret_store | dispatch_namespace | worker | import | logpush_pipelines | config`, fieldPath);
+	}
+}
+function lookupConfigField(ctx, _logicalName, field, fieldPath) {
+	if (field === "account_id") {
+		const id = (ctx.accountId ?? ctx.config.account_id ?? "").trim();
+		if (!id) throw new TamerReferenceError(`Reference \${tamer:config:stack.account_id} needs the stack Cloudflare account id — set top-level account_id in tamer/project.config.ts or pass CLOUDFLARE_ACCOUNT_ID when running tamer.`, fieldPath);
+		return id;
+	}
+	throw new TamerReferenceError(`Unknown field "${field}" on config reference — expected account_id`, fieldPath);
+}
+function getLogpushPipelinesEntry(ctx, logicalName, fieldPath) {
+	const all = ctx.state.getAll();
+	const entry = Object.values(all).find((e) => e.type === "logpush_pipelines" && e.logicalName === logicalName);
+	if (!entry) throw new TamerReferenceError(`Reference \${tamer:logpush_pipelines:${logicalName}.…} cannot be resolved — no pipelines graph in state for logpush job "${logicalName}". Run a full \`tamer apply\` (including the Logpush / pipelinesAuto step) for env "${ctx.env}" first.`, fieldPath);
+	return entry;
+}
+/**
+* Exposes fields from the `logpush_pipelines:*` D1 state row (after
+* `ensurePipelinesLogpushProvision` has run) for `outputs` and `vars`, e.g.
+* `${tamer:logpush_pipelines:workers-trace.r2_data_catalog_table_name}`.
+*/
+function lookupLogpushPipelines(ctx, logicalName, field, fieldPath) {
+	const entry = getLogpushPipelinesEntry(ctx, logicalName, fieldPath);
+	switch (field) {
+		case "r2_data_catalog_table_name":
+		case "iceberg_table": {
+			const v = entry.r2DataCatalogTableName?.trim();
+			if (!v) throw new TamerReferenceError(`logpush_pipelines state for "${logicalName}" has no r2DataCatalogTableName (sink not yet created, or pre-upgrade state). Re-run a full \`tamer apply\` for env "${ctx.env}" after pipelinesAuto provisions the sink, or set table manually in consuming stack.`, fieldPath);
+			return v;
+		}
+		case "r2_data_catalog_table_name_pipelines":
+		case "iceberg_table_pipelines": {
+			const v = entry.r2DataCatalogTableNamePipelines?.trim();
+			if (v) return v;
+			const fallback = entry.r2DataCatalogTableName?.trim();
+			if (!fallback) throw new TamerReferenceError(`logpush_pipelines state for "${logicalName}" has no table name (sink not yet created). Re-run \`tamer apply\` for env "${ctx.env}".`, fieldPath);
+			return fallback;
+		}
+		case "r2_data_catalog_namespace":
+		case "iceberg_namespace": return (entry.r2DataCatalogNamespace ?? "default").trim() || "default";
+		case "name": return entry.pipelineName;
+		case "id": return entry.pipelineId;
+		default: throw new TamerReferenceError(`Unknown field "${field}" on logpush_pipelines reference — expected r2_data_catalog_table_name | r2_data_catalog_table_name_pipelines | r2_data_catalog_namespace | name | id | iceberg_table | iceberg_table_pipelines | iceberg_namespace`, fieldPath);
+	}
+}
+/**
+* Resolve a `${tamer:import:<stack>.<output>}` against pre-fetched sibling
+* stack outputs. The pre-fetch (`fetchStackImports`) loads every imported
+* stack's `cfi_state:{stack}` row before resolution begins; this lookup is
+* pure map access. Throws if the stack isn't in `ctx.imports` (config
+* never declared it / pre-fetch wasn't wired in for this command) or if
+* the named output hasn't been published yet (sibling stack hasn't run
+* `apply` since the output was declared, or has been destroyed).
+*/
+function lookupImport(ctx, stackName, outputName, fieldPath) {
+	const imports = ctx.imports;
+	if (!imports || !(stackName in imports)) throw new TamerReferenceError(`Reference \${tamer:import:${stackName}.${outputName}} cannot be resolved — no imported stack "${stackName}" available. Ensure stack "${stackName}" exists in env "${ctx.env}" (run 'tamer apply' there first) and that the current command pre-fetches sibling stacks.`, fieldPath);
+	const stackOutputs = imports[stackName];
+	if (!(outputName in stackOutputs)) {
+		const available = Object.keys(stackOutputs).sort();
+		throw new TamerReferenceError(`Reference \${tamer:import:${stackName}.${outputName}} cannot be resolved — output "${outputName}" not found on imported stack "${stackName}".${available.length > 0 ? ` Available outputs on stack "${stackName}": ${available.join(", ")}.` : ` Stack "${stackName}" has no published outputs — run 'tamer apply' there with an \`outputs:\` block.`}`, fieldPath);
+	}
+	return stackOutputs[outputName];
+}
+function lookupResource(ctx, kind, logicalName, field, fieldPath, predicate) {
+	const all = ctx.state.getAll();
+	const entry = Object.values(all).find(predicate);
+	if (!entry) throw new TamerReferenceError(`Reference \${tamer:${kind}:${logicalName}.${field}} cannot be resolved — no ${kind} resource named "${logicalName}" in state. Run 'tamer apply --env ${ctx.env}' first.`, fieldPath);
+	switch (field) {
+		case "name": return resourceName(entry);
+		case "id": return resourceId(entry, kind, logicalName, fieldPath);
+		case "binding": return resourceBinding(entry);
+		default: throw new TamerReferenceError(`Unknown field "${field}" on ${kind} reference — expected name | id | binding`, fieldPath);
+	}
+}
+function resourceName(entry) {
+	switch (entry.type) {
+		case "d1_database":
+		case "kv_namespace":
+		case "queue":
+		case "hyperdrive":
+		case "vectorize":
+		case "ai_gateway":
+		case "pipeline":
+		case "workflow":
+		case "secrets_store":
+		case "dispatch_namespace":
+		case "r2_bucket": return entry.derivedName;
+		case "dns_record": return entry.name;
+		case "logpush_job": return entry.derivedName;
+		case "logpush_pipelines": return entry.pipelineName;
+		case "worker_route": return entry.pattern;
+		case "secret": throw new Error("internal: secret state entries have no .name reference — secrets are not cross-referenced via ${tamer:…}");
+	}
+}
+function resourceId(entry, kind, logicalName, fieldPath) {
+	switch (entry.type) {
+		case "d1_database":
+		case "kv_namespace":
+		case "queue":
+		case "hyperdrive":
+		case "vectorize":
+		case "ai_gateway":
+		case "pipeline":
+		case "workflow":
+		case "secrets_store": return entry.cfId;
+		case "r2_bucket": throw new TamerReferenceError(`R2 bucket "${logicalName}" has no .id (R2 buckets are addressed by name); use \${tamer:${kind}:${logicalName}.name}`, fieldPath);
+		case "dispatch_namespace": return entry.derivedName;
+		case "dns_record": return entry.recordId;
+		case "logpush_job": return String(entry.cfJobId);
+		case "logpush_pipelines": return entry.pipelineId;
+		case "worker_route": return entry.routeId;
+		case "secret": throw new Error("internal: secret state entries have no .id — secrets are not cross-referenced via ${tamer:…}");
+	}
+}
+function resourceBinding(entry) {
+	switch (entry.type) {
+		case "d1_database":
+		case "r2_bucket":
+		case "kv_namespace":
+		case "queue":
+		case "hyperdrive":
+		case "vectorize":
+		case "ai_gateway":
+		case "pipeline":
+		case "workflow":
+		case "secrets_store": return entry.bindingKey;
+		case "dispatch_namespace": return entry.derivedName;
+		case "dns_record": throw new Error("internal: dns_record has no .binding — use .name or .id in config references");
+		case "logpush_job": throw new Error("internal: logpush_job has no .binding — use .name or .id in config references");
+		case "logpush_pipelines": throw new Error("internal: logpush_pipelines has no .binding — use .name or .id in config references");
+		case "worker_route": return entry.routeId;
+		case "secret": throw new Error("internal: secret state entries have no .binding — secrets are not cross-referenced via ${tamer:…}");
+	}
+}
+function lookupDispatchNamespace(ctx, logicalName, field, fieldPath) {
+	if (!getDispatchNamespaces(ctx.config).find((d) => d.logicalName === logicalName)) throw new TamerReferenceError(`Reference \${tamer:dispatch_namespace:${logicalName}.${field}} cannot be resolved — no dispatchNamespaces entry named "${logicalName}" in the Tamer project config`, fieldPath);
+	if (field !== "name" && field !== "id") throw new TamerReferenceError(`Unknown field "${field}" on dispatch_namespace reference — expected name | id`, fieldPath);
+	const all = ctx.state.getAll();
+	const stateEntry = Object.values(all).find((e) => e.type === "dispatch_namespace" && e.logicalName === logicalName);
+	if (!stateEntry || stateEntry.type !== "dispatch_namespace") throw new TamerReferenceError(`Reference \${tamer:dispatch_namespace:${logicalName}.${field}} unresolved — no state entry. Run 'tamer apply --env ${ctx.env}' first.`, fieldPath);
+	return stateEntry.derivedName;
+}
+function lookupWorker(ctx, workerKey, field, fieldPath) {
+	let target;
+	if (ctx.config.workers && ctx.config.workers[workerKey]) target = ctx.config.workers[workerKey];
+	else if (ctx.config.worker && workerKey === "default") target = ctx.config.worker;
+	if (!target) throw new TamerReferenceError(`Reference \${tamer:worker:${workerKey}.${field}} cannot be resolved — no worker key "${workerKey}" in the Tamer project config`, fieldPath);
+	if (field !== "name") throw new TamerReferenceError(`Unknown field "${field}" on worker reference — only "name" is supported (the env-suffixed deployed script name)`, fieldPath);
+	return resolveDeployedWorkerName(ctx.config, workerKey, target, ctx.env, ctx.naming);
+}
+//#endregion
+//#region src/core/config/resolver.ts
+/** Wrangler script name after env suffix rules (matches `tamer deploy`). */
+function resolveDeployedWorkerName(_config, workerKey, workerConfig, env, naming) {
+	const sn = workerConfig.scriptName?.trim();
+	if (sn) {
+		if (env === "local") return sn;
+		return `${sn}-${env}`;
+	}
+	return naming.workerName(workerKey, env);
+}
+/**
+* Map from base service-binding target name (`scriptName` for envs other than
+* `local`, or the local-deployed name) → env-suffixed deployed name for every
+* worker in `config`. Used to auto-rewrite intra-stack `services[].service`
+* fields so fixtures don't have to repeat env overrides for every env.
+*/
+function buildIntraStackScriptNameMap(config$1, env, naming) {
+	const map = /* @__PURE__ */ new Map();
+	if (config$1.workers) for (const [key, wc] of Object.entries(config$1.workers)) {
+		const baseName = wc.scriptName?.trim() ?? naming.workerName(key, "local");
+		const deployed = resolveDeployedWorkerName(config$1, key, wc, env, naming);
+		map.set(baseName, deployed);
+	}
+	if (config$1.worker) {
+		const w = config$1.worker;
+		const baseName = w.scriptName?.trim() ?? naming.workerName("default", "local");
+		const deployed = resolveDeployedWorkerName(config$1, "default", w, env, naming);
+		map.set(baseName, deployed);
+	}
+	return map;
+}
+/** Returns a worker config copy whose `services[].service` is rewritten to env-suffixed deployed names. */
+function rewriteIntraStackServiceTargets(workerConfig, baseToDeployed) {
+	const services = workerConfig.services;
+	if (!services || services.length === 0) return workerConfig;
+	let rewroteAny = false;
+	const rewritten = services.map((s) => {
+		const target = baseToDeployed.get(s.service);
+		if (!target || target === s.service) return s;
+		rewroteAny = true;
+		return {
+			...s,
+			service: target
+		};
+	});
+	if (!rewroteAny) return workerConfig;
+	return {
+		...workerConfig,
+		services: rewritten
+	};
+}
+function mergeVars(base = {}, override = {}) {
+	return {
+		...base,
+		...override
+	};
+}
+/** Same env merge as `resolveWorkerConfig` (for deploy topo-sort service edges). */
+function mergedWorkerConfigForEnv(workerConfig, env, tenant) {
+	let merged = { ...workerConfig };
+	if (env === "local" && workerConfig.local) merged = {
+		...merged,
+		...workerConfig.local,
+		vars: mergeVars(workerConfig.vars, workerConfig.local.vars)
+	};
+	else if (workerConfig.env?.[env]) {
+		const envOverride = workerConfig.env[env];
+		merged = {
+			...merged,
+			...envOverride,
+			vars: mergeVars(workerConfig.vars, envOverride.vars)
+		};
+	}
+	const mv = merged.vars;
+	if (mv && Object.prototype.hasOwnProperty.call(mv, "BRANCH_SUFFIX")) merged = {
+		...merged,
+		vars: {
+			...mv,
+			BRANCH_SUFFIX: isEphemeralEnv(env, tenant) ? env : ""
+		}
+	};
+	return merged;
+}
+/**
+* Align `dispatch_namespaces[].namespace` and `vars.WFP_NAMESPACE` with
+* {@link effectiveDispatchNamespaceName} for envs that have no explicit
+* `worker.env[env]` block (e.g. `pr-*` shared namespace).
+*/
+function applyDispatchNamespaceEnvOverrides(config$1, merged, env) {
+	const dns = getDispatchNamespaces(config$1);
+	if (dns.length === 0) return merged;
+	const resolved = effectiveDispatchNamespaceName(dns[0], env, config$1.tenant);
+	const m = merged;
+	let next = merged;
+	if (m.dispatch_namespaces?.length) next = {
+		...next,
+		dispatch_namespaces: m.dispatch_namespaces.map((d) => ({
+			...d,
+			namespace: resolved
+		}))
+	};
+	if (m.vars && typeof m.vars.WFP_NAMESPACE === "string" && m.vars.WFP_NAMESPACE === dns[0].namespace) {
+		const v = next.vars;
+		next = {
+			...next,
+			vars: {
+				...v,
+				WFP_NAMESPACE: resolved
+			}
+		};
+	}
+	return next;
+}
+/**
+* Walk the merged worker config and replace `${tamer:<kind>:<logical>.<field>}`
+* references in `vars` and `tamerRoutes[].host` / `.zone` against the current
+* state snapshot. Also resolves `r2_buckets[].bucket_name`,
+* **`services[].service`**, **`dispatch_namespaces[].namespace`**, and
+* `resources.d1[].databaseName` when `ownership` is `external`. Throws
+* `TamerReferenceError` (with field path) if any
+* reference is unresolved — bubbles up to the caller as a fatal.
+*/
+function resolveCrossResourceReferences(merged, ctx) {
+	const refCtx = {
+		config: ctx.config,
+		env: ctx.env,
+		state: ctx.state,
+		naming: ctx.naming,
+		tolerant: ctx.tolerant,
+		imports: ctx.imports,
+		accountId: ctx.accountId
+	};
+	const m = merged;
+	let next = merged;
+	if (m.vars) {
+		const resolvedVars = resolveReferencesInVars(materializeVars(m.vars), refCtx, `worker[${ctx.workerKey}].vars`);
+		if (resolvedVars && resolvedVars !== m.vars) next = {
+			...next,
+			vars: resolvedVars
+		};
+	}
+	const tamerRoutes = next.tamerRoutes;
+	if (tamerRoutes && tamerRoutes.length > 0) {
+		let mutated = false;
+		const resolvedRoutes = tamerRoutes.map((r, idx) => {
+			const fieldBase = `worker[${ctx.workerKey}].tamerRoutes[${idx}]`;
+			const host = resolveReferencesInString(r.host, refCtx, `${fieldBase}.host`);
+			const zone = r.zone ? resolveReferencesInString(r.zone, refCtx, `${fieldBase}.zone`) : r.zone;
+			if (host !== r.host || zone !== r.zone) mutated = true;
+			return {
+				...r,
+				host,
+				...zone !== void 0 ? { zone } : {}
+			};
+		});
+		if (mutated) next = {
+			...next,
+			tamerRoutes: resolvedRoutes
+		};
+	}
+	const r2Buckets = next.r2_buckets;
+	if (r2Buckets && r2Buckets.length > 0) {
+		let mutated = false;
+		const resolvedBuckets = r2Buckets.map((b, idx) => {
+			const raw = b.bucket_name;
+			if (raw === void 0) return b;
+			const fieldBase = `worker[${ctx.workerKey}].r2_buckets[${idx}].bucket_name`;
+			const bucket_name = resolveReferencesInString(materializeTamerResolvable(raw), refCtx, fieldBase);
+			if (bucket_name !== raw) mutated = true;
+			return {
+				...b,
+				bucket_name
+			};
+		});
+		if (mutated) next = {
+			...next,
+			r2_buckets: resolvedBuckets
+		};
+	}
+	const svc = next.services;
+	if (svc && svc.length > 0) {
+		let mutated = false;
+		const resolvedSvc = svc.map((s, idx) => {
+			const raw = s.service;
+			const fieldBase = `worker[${ctx.workerKey}].services[${idx}].service`;
+			const service = resolveReferencesInString(materializeTamerResolvable(raw), refCtx, fieldBase);
+			if (service !== raw) mutated = true;
+			return {
+				...s,
+				service
+			};
+		});
+		if (mutated) next = {
+			...next,
+			services: resolvedSvc
+		};
+	}
+	const dispatchNsMerged = next.dispatch_namespaces;
+	if (dispatchNsMerged && dispatchNsMerged.length > 0) {
+		let mutated = false;
+		const resolvedDn = dispatchNsMerged.map((d, idx) => {
+			const raw = d.namespace;
+			const fieldBase = `worker[${ctx.workerKey}].dispatch_namespaces[${idx}].namespace`;
+			const namespace = resolveReferencesInString(materializeTamerResolvable(raw), refCtx, fieldBase);
+			if (namespace !== raw) mutated = true;
+			return {
+				...d,
+				namespace
+			};
+		});
+		if (mutated) next = {
+			...next,
+			dispatch_namespaces: resolvedDn
+		};
+	}
+	const resBlock = next.resources;
+	if (resBlock?.d1 && resBlock.d1.length > 0) {
+		let mutated = false;
+		const d1Resolved = resBlock.d1.map((d1c, idx) => {
+			if (d1c.ownership !== "external" || !d1c.databaseName) return d1c;
+			const fieldBase = `worker[${ctx.workerKey}].resources.d1[${idx}].databaseName`;
+			const databaseName = resolveReferencesInString(materializeTamerResolvable(d1c.databaseName), refCtx, fieldBase);
+			if (databaseName !== d1c.databaseName) mutated = true;
+			return {
+				...d1c,
+				databaseName
+			};
+		});
+		if (mutated) next = {
+			...next,
+			resources: {
+				...resBlock,
+				d1: d1Resolved
+			}
+		};
+	}
+	return next;
+}
+function stripTamerFields(config$1) {
+	const { path, config: configPath, resources, local, env, scriptName: _scriptName, wranglerOutFile: _out, dispatchNamespace: _dispatchNs, tamerRoutes: _tamerRoutes, tamerStaleRouteSweepZones: _tamerStaleRouteSweepZones, ...rest$1 } = config$1;
+	return rest$1;
+}
+/**
+* Env merge + intra-stack `services` rewrite + sibling-stack resolution for
+* **`resources.d1[].databaseName` only** when `ownership: "external"`.
+*
+* Use before {@link ResourceModule.pickResources} during `apply` / `sync` /
+* `drift` so imported D1 names are known **without** resolving worker `vars`
+* (those references often need resources created earlier in the same `apply`).
+*/
+function mergeWorkerConfigForResourcePick(config$1, workerKey, workerConfig, env, accountId, naming, state, opts = {}) {
+	let merged = mergedWorkerConfigForEnv(workerConfig, env, config$1.tenant);
+	merged = applyDispatchNamespaceEnvOverrides(config$1, merged, env);
+	const intraMap = buildIntraStackScriptNameMap(config$1, env, naming);
+	merged = rewriteIntraStackServiceTargets(merged, intraMap);
+	const refCtx = {
+		config: config$1,
+		env,
+		state,
+		naming,
+		tolerant: opts.referencesMode === "tolerant",
+		imports: opts.imports,
+		accountId
+	};
+	const resBlock = merged.resources;
+	if (!resBlock?.d1?.length) return merged;
+	const d1Resolved = resBlock.d1.map((d1c, idx) => {
+		if (d1c.ownership !== "external" || !d1c.databaseName) return d1c;
+		const fieldBase = `worker[${workerKey}].resources.d1[${idx}].databaseName`;
+		const databaseName = resolveReferencesInString(materializeTamerResolvable(d1c.databaseName), refCtx, fieldBase);
+		return {
+			...d1c,
+			databaseName
+		};
+	});
+	return {
+		...merged,
+		resources: {
+			...resBlock,
+			d1: d1Resolved
+		}
+	};
+}
+/**
+* Env-merged worker config with every `${tamer:…}` site resolved for wrangler
+* (`vars`, `tamerRoutes`, `r2_buckets[].bucket_name`, external D1 names).
+* Used by {@link resolveWorkerConfig} after resource state is up to date.
+*/
+function mergeWorkerConfigWithResolvedRefs(config$1, workerKey, workerConfig, env, accountId, naming, state, opts = {}) {
+	let merged = mergedWorkerConfigForEnv(workerConfig, env, config$1.tenant);
+	merged = applyDispatchNamespaceEnvOverrides(config$1, merged, env);
+	const intraMap = buildIntraStackScriptNameMap(config$1, env, naming);
+	merged = rewriteIntraStackServiceTargets(merged, intraMap);
+	return resolveCrossResourceReferences(merged, {
+		config: config$1,
+		env,
+		state,
+		naming,
+		workerKey,
+		tolerant: opts.referencesMode === "tolerant",
+		imports: opts.imports,
+		accountId
+	});
+}
+async function resolveWorkerConfig(config$1, workerKey, workerConfig, env, baseDir, accountId, naming, state, opts = {}) {
+	const merged = mergeWorkerConfigWithResolvedRefs(config$1, workerKey, workerConfig, env, accountId, naming, state, opts);
+	const workerDir = workerConfig.path ? resolve(baseDir, workerConfig.path) : baseDir;
+	const m = merged;
+	const workerName = resolveDeployedWorkerName(config$1, workerKey, merged, env, naming);
+	const wranglerOutFile = assertSafeWranglerOutFile(m.wranglerOutFile?.trim() || "wrangler.json");
+	const dispatchNamespace = m.dispatchNamespace?.trim() || void 0;
+	const stripped = stripTamerFields(merged);
+	const tamerRoutes = merged.tamerRoutes;
+	const expandedRoutes = effectiveRoutesForEnv(tamerRoutes, env);
+	const apiManagedRoutes = expandedRoutes.filter(isApiManagedZoneRoute);
+	const wranglerTamerRoutes = expandedRoutes.filter(isWranglerOnlyTamerRoute);
+	const mergedRoutes = [...stripped.routes ?? [], ...wranglerTamerRoutes];
+	/** Non-local deploys emit `routes: []` when there are none — omitting `routes` can leave stale Wrangler-published custom domains attached from a prior config. */
+	const wranglerRoutes = mergedRoutes.length > 0 ? mergedRoutes : env === "local" ? void 0 : [];
+	return {
+		workerKey,
+		workerName,
+		workerDir,
+		env,
+		wranglerOutFile,
+		dispatchNamespace,
+		wranglerConfig: {
+			...stripped,
+			...wranglerRoutes !== void 0 ? { routes: wranglerRoutes } : {},
+			name: workerName,
+			account_id: accountId,
+			compatibility_date: stripped.compatibility_date ?? config$1.compatibility_date
+		},
+		resources: merged.resources ?? workerConfig.resources ?? {},
+		apiManagedRoutes
+	};
+}
+//#endregion
+//#region src/core/state/stateSchema.ts
+const D1StateEntrySchema = object({
+	type: literal("d1_database"),
+	logicalName: string(),
+	shardDate: string().optional(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	migrationsDir: string().optional(),
+	preserveOnDestroy: boolean().optional(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const R2StateEntrySchema = object({
+	type: literal("r2_bucket"),
+	logicalName: string(),
+	createdDate: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const KVStateEntrySchema = object({
+	type: literal("kv_namespace"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const QueueStateEntrySchema = object({
+	type: literal("queue"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	producerBinding: boolean(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const VectorizeStateEntrySchema = object({
+	type: literal("vectorize"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	dimensions: number$1(),
+	metric: _enum([
+		"cosine",
+		"euclidean",
+		"dot-product"
+	]),
+	createdAt: string(),
+	updatedAt: string()
+});
+const AIGatewayStateEntrySchema = object({
+	type: literal("ai_gateway"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	cacheTtl: number$1(),
+	cacheInvalidateOnUpdate: boolean(),
+	collectLogs: boolean(),
+	authentication: boolean(),
+	rateLimitingInterval: number$1(),
+	rateLimitingLimit: number$1(),
+	rateLimitingTechnique: _enum(["fixed", "sliding"]),
+	createdAt: string(),
+	updatedAt: string()
+});
+const PipelineStateEntrySchema = object({
+	type: literal("pipeline"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	sql: string(),
+	status: string().optional(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const WorkflowStateEntrySchema = object({
+	type: literal("workflow"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	className: string(),
+	scriptName: string(),
+	limits: object({ steps: number$1().int().positive().optional() }).optional(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const SecretsStoreStateEntrySchema = object({
+	type: literal("secrets_store"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const HyperdriveStateEntrySchema = object({
+	type: literal("hyperdrive"),
+	logicalName: string(),
+	derivedName: string(),
+	bindingKey: string(),
+	cfId: string(),
+	scheme: _enum([
+		"postgres",
+		"postgresql",
+		"mysql"
+	]),
+	originHost: string(),
+	originDatabase: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const DnsRecordTypeSchema = _enum([
+	"A",
+	"AAAA",
+	"CNAME",
+	"TXT",
+	"MX",
+	"NS",
+	"CAA",
+	"SRV",
+	"PTR",
+	"HTTPS",
+	"SVCB"
+]);
+const DnsRecordStateEntrySchema = object({
+	type: literal("dns_record"),
+	logicalName: string(),
+	zoneId: string(),
+	recordType: DnsRecordTypeSchema,
+	name: string(),
+	content: string(),
+	ttl: number$1(),
+	proxied: boolean(),
+	priority: number$1().optional(),
+	comment: string(),
+	recordId: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const DispatchNamespaceStateEntrySchema = object({
+	type: literal("dispatch_namespace"),
+	logicalName: string(),
+	derivedName: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const LogpushJobStateEntrySchema = object({
+	type: literal("logpush_job"),
+	logicalName: string(),
+	derivedName: string(),
+	cfJobId: number$1(),
+	dataset: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const LogpushPipelinesStateEntrySchema = object({
+	type: literal("logpush_pipelines"),
+	logicalName: string(),
+	streamId: string(),
+	streamIngestBaseUrl: string().optional(),
+	sinkId: string(),
+	pipelineId: string(),
+	streamName: string(),
+	sinkName: string(),
+	pipelineName: string(),
+	r2DataCatalogTableName: string().optional(),
+	r2DataCatalogTableNamePipelines: string().optional(),
+	r2DataCatalogNamespace: string().optional(),
+	catalogBucketDerivedName: string(),
+	mintedR2CatalogTokenId: string().optional(),
+	mintedR2CatalogTokenValue: string().optional(),
+	mintedPipelinesSendTokenId: string().optional(),
+	mintedPipelinesSendTokenValue: string().optional(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const WorkerRouteStateEntrySchema = object({
+	type: literal("worker_route"),
+	workerKey: string(),
+	workerName: string(),
+	zoneId: string(),
+	zoneName: string(),
+	routeId: string(),
+	pattern: string(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const SecretStateEntrySchema = object({
+	type: literal("secret"),
+	worker: string(),
+	name: string(),
+	lastPushedHash: string(),
+	lastPushedAt: string()
+});
+const StateEntrySchema = discriminatedUnion("type", [
+	D1StateEntrySchema,
+	R2StateEntrySchema,
+	KVStateEntrySchema,
+	QueueStateEntrySchema,
+	HyperdriveStateEntrySchema,
+	VectorizeStateEntrySchema,
+	AIGatewayStateEntrySchema,
+	PipelineStateEntrySchema,
+	WorkflowStateEntrySchema,
+	SecretsStoreStateEntrySchema,
+	DnsRecordStateEntrySchema,
+	DispatchNamespaceStateEntrySchema,
+	LogpushJobStateEntrySchema,
+	LogpushPipelinesStateEntrySchema,
+	WorkerRouteStateEntrySchema,
+	SecretStateEntrySchema
+]);
+const ProvisioningStatusSchema = _enum([
+	"pending",
+	"d1_created",
+	"migrations_applied",
+	"script_uploaded",
+	"ready",
+	"tombstoned"
+]);
+const TenantD1ShardRefSchema = object({
+	role: string(),
+	derivedName: string(),
+	cfId: string()
+});
+const TenantStateEntrySchema = object({
+	product: string(),
+	workspace: string(),
+	provisioningStatus: ProvisioningStatusSchema,
+	dispatchNamespaceName: string(),
+	scriptName: string(),
+	d1Shards: array(TenantD1ShardRefSchema).optional(),
+	createdAt: string(),
+	updatedAt: string()
+});
+const CfiStackMetaSchema = object({
+	name: string().optional(),
+	owner: string().optional()
+});
+const CfiOperationNameSchema = _enum([
+	"bootstrap",
+	"apply",
+	"deploy",
+	"destroy",
+	"provision-tenant",
+	"destroy-tenant",
+	"import",
+	"sync"
+]);
+const CfiOperationStatusSchema = _enum([
+	"in_progress",
+	"succeeded",
+	"failed"
+]);
+const CfiStackOutputValueSchema = object({
+	value: string(),
+	source: string(),
+	resolvedAt: string()
+});
+const CfiOperationRecordSchema = object({
+	command: CfiOperationNameSchema,
+	status: CfiOperationStatusSchema,
+	startedAt: string(),
+	completedAt: string().optional(),
+	errorMessage: string().optional(),
+	detail: string().optional()
+});
+const CfiStateSchema = object({
+	tenantId: string(),
+	env: string(),
+	schemaVersion: number$1(),
+	syncedAt: string(),
+	resources: record(string(), StateEntrySchema),
+	revision: number$1().optional(),
+	tenants: record(string(), TenantStateEntrySchema).optional(),
+	stack: CfiStackMetaSchema.optional(),
+	stackOutputs: record(string(), CfiStackOutputValueSchema).optional(),
+	lastOperation: CfiOperationRecordSchema.optional(),
+	operationHistory: array(CfiOperationRecordSchema).optional()
+});
+//#endregion
+//#region src/core/state/stackName.ts
+const DEFAULT_STACK_NAME = "default";
+function stackNameForConfig(config$1) {
+	return config$1.stack?.name ?? config$1.tenant.slug ?? DEFAULT_STACK_NAME;
+}
+//#endregion
+//#region src/core/state/tamerStateDb.ts
+/**
+* Schema versions:
+*   2: original (resources only).
+*   3: + `tenants` map, + `revision` for optimistic concurrency.
+*   4: + `stack` metadata, + `lastOperation` (CloudFormation-style stack info).
+*      All v4 additions are optional; existing v3 documents are upgraded
+*      in-place during parse with no data loss.
+*   5: + `secret` state entries (fingerprints only; additive resource rows).
+*/
+const STATE_SCHEMA_VERSION = 5;
+/** Cloudflare D1 database that holds JSON state for an env (`tamer-state-dev`, …). */
+function tamerStateDatabaseName(env) {
+	return `tamer-state-${env}`;
+}
+function createEmptyCfiState(tenantId, env) {
+	return {
+		tenantId,
+		env,
+		schemaVersion: STATE_SCHEMA_VERSION,
+		syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
+		resources: {},
+		revision: 0,
+		tenants: {}
+	};
+}
+/** In-place upgrade for parsed JSON before Zod validation. */
+function migrateRawCfiStateInPlace(raw) {
+	const v = raw.schemaVersion;
+	if (typeof v !== "number") throw new Error("tamer state: schemaVersion must be a number");
+	if (v < 2) throw new Error(`tamer state: unsupported schemaVersion ${v}`);
+	if (v > STATE_SCHEMA_VERSION) throw new Error(`tamer state: unknown schemaVersion ${v} (engine supports up to ${STATE_SCHEMA_VERSION})`);
+	if (v === 2) {
+		raw.tenants = {};
+		raw.revision = 0;
+		raw.schemaVersion = 3;
+	}
+	if (!raw.tenants || typeof raw.tenants !== "object") raw.tenants = {};
+	if (typeof raw.revision !== "number") raw.revision = 0;
+	if (raw.schemaVersion === 3) raw.schemaVersion = 4;
+	if (raw.schemaVersion === 4) raw.schemaVersion = STATE_SCHEMA_VERSION;
+}
+async function findTamerStateDatabaseUuid(api, env) {
+	const name = tamerStateDatabaseName(env);
+	return (await api.d1ListAll()).find((d) => d.name === name)?.uuid;
+}
+/**
+* Create `tamer-state-{env}` if missing, ensure `tamer_kv` table, and seed an
+* initial empty `cfi_state:{stackName}` row when this stack has no row yet.
+* Idempotent — re-running for the same stack is a no-op; re-running for a
+* different stack against the same env D1 just adds another row.
+*/
+async function ensureTamerStateDatabase(api, tenantId, env, stackName = DEFAULT_STACK_NAME) {
+	let uuid$1 = await findTamerStateDatabaseUuid(api, env);
+	if (!uuid$1) uuid$1 = (await api.d1Create(tamerStateDatabaseName(env))).uuid;
+	await api.d1Query(uuid$1, `CREATE TABLE IF NOT EXISTS tamer_kv (
+      k TEXT PRIMARY KEY,
+      v TEXT NOT NULL
+    )`);
+	const rowKey = `cfi_state:${stackName}`;
+	const { rows } = await api.d1Query(uuid$1, `SELECT v FROM tamer_kv WHERE k = ?`, [rowKey]);
+	if (rows.length === 0) {
+		const initial = createEmptyCfiState(tenantId, env);
+		await api.d1Query(uuid$1, `INSERT INTO tamer_kv (k, v) VALUES (?, ?)`, [rowKey, JSON.stringify(initial)]);
+	}
+	return uuid$1;
+}
+function parseCfiStateJson(json) {
+	const raw = JSON.parse(json);
+	migrateRawCfiStateInPlace(raw);
+	const result = CfiStateSchema.safeParse(raw);
+	if (!result.success) throw new Error(`Invalid tamer state JSON: ${result.error.message}`);
+	return result.data;
+}
+async function destroyTamerStateDatabase(api, env) {
+	const uuid$1 = await findTamerStateDatabaseUuid(api, env);
+	if (!uuid$1) return false;
+	await api.d1Delete(uuid$1);
+	return true;
+}
+//#endregion
+//#region src/core/tenant/tenantKeys.ts
+/** Stable map key for `CfiState.tenants` (workspace-scoped product tenant). */
+function tenantStateKey(product, workspace) {
+	return `${product}:${workspace}`;
+}
+/**
+* Dispatch-namespace script name per `docs/handoff.md` §6: non-ephemeral
+* envs collapse to `{product}-{workspace}` (one script per workspace);
+* ephemeral envs (matching `tenant.ephemeralEnvPattern`) carry the env
+* in the script name (`{product}-{workspace}-{env}`) so multiple
+* previews can coexist in the shared `{ns}-ephemeral` namespace.
+*/
+function tenantDispatchScriptName(product, workspace, env, tenant) {
+	if (isEphemeralEnv(env, tenant)) return `${product}-${workspace}-${env}`;
+	return `${product}-${workspace}`;
+}
+const SAFE = /[^a-z0-9_-]/gi;
+/**
+* Per-shard D1 database name for a tenant. Stable across `provision-tenant`
+* runs and across env so re-provisioning + drift detection can match by
+* name. Format: `db_{role}_{w}_{p}_t_{tid}_{env}`.
+*
+*   db_system_acme_todo_t_platform_prod
+*   db_app_acme_todo_t_platform_prod
+*
+* `role` is whatever the operator declared in `tenant.d1Shards` in
+* `tamer.config.ts`. Tamer is opinion-free about the shard layout — a
+* Dragoncore-style product picks `["system", "app", "history"]`, a
+* single-DB tenant picks `["main"]`, an audit-only tenant picks
+* `["audit"]`, etc. The role itself is validated by the loader (lowercase
+* ASCII subset) so it slots cleanly into the D1 naming scheme.
+*
+* D1 names are length-bounded (Cloudflare currently allows up to 64
+* chars), and this scheme keeps every shard well under that limit even
+* for long workspace + product slugs.
+*/
+function tenantShardDatabaseName(role, workspace, product, platformTenantId, env) {
+	return `db_${role}_${workspace.replace(SAFE, "_").toLowerCase()}_${product.replace(SAFE, "_").toLowerCase()}_t_${platformTenantId}_${env}`;
+}
+/**
+* Parse + validate a `--shards a,b,c` CLI argument against the configured
+* shard set in `tamer.config.ts`. The CLI flag may only **trim** the
+* configured layout (e.g. `--shards system` on a stack whose config
+* declares `["system","app","history"]` provisions just the system
+* shard for an ephemeral preview); it cannot extend it, because the
+* config is the source of truth that `apply` / `drift` / `destroy`
+* other operators read.
+*
+* Returns the requested roles in canonical order (matches `allowed`
+* order, regardless of input order) so plan/apply output is
+* deterministic and partial-failure resumes pick up at the next
+* canonical role.
+*/
+function parseTenantShardRoles(raw, allowed) {
+	const allowedSet = new Set(allowed);
+	const requested = raw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
+	const unknown$1 = requested.filter((r) => !allowedSet.has(r));
+	if (unknown$1.length > 0) {
+		const list = allowed.length > 0 ? allowed.join(", ") : "(none configured)";
+		throw new Error(`unknown tenant shard role(s) "${unknown$1.join(", ")}"; must be a subset of tenant.d1Shards in the Tamer project config: ${list}`);
+	}
+	const seen = new Set(requested);
+	return allowed.filter((r) => seen.has(r));
+}
+//#endregion
+//#region src/core/state/StateConflictError.ts
+/** Thrown when D1 `cfi_state` was updated by another writer since {@link StateManager.hydrate}. */
+var StateConflictError = class extends Error {
+	code = "STATE_CONFLICT";
+	constructor(message) {
+		super(message);
+		this.name = "StateConflictError";
+	}
+};
+//#endregion
+//#region src/core/state/StateManager.ts
+/** D1 `tamer_kv.k` value for a given stack's state row. */
+function stateRowKey(stackName) {
+	return `cfi_state:${stackName}`;
+}
+const OPERATION_HISTORY_CAP = 50;
+/**
+* Authoritative deployment state for an env.
+*
+* - **Non-local:** stored as JSON in Cloudflare D1 (`tamer-state-{env}`).
+*   Call {@link hydrate} before {@link load}, then {@link persist} after mutations.
+* - **local:** in-memory only (no persistence).
+*/
+var StateManager = class {
+	state = null;
+	dirty = false;
+	/** Set when {@link hydrate} loads remote state. */
+	tamerStateDbUuid = null;
+	/**
+	* Remote `revision` at last hydrate (or last successful persist). Used for
+	* optimistic concurrency on D1 persist.
+	*/
+	baselineRevision = 0;
+	/**
+	* @param tenantId  `config.tenant.id` — recorded on the state row for
+	*                  diagnostics; not part of the row key.
+	* @param env       Cloudflare environment name; selects the
+	*                  `tamer-state-{env}` D1 database.
+	* @param stackName Stack identity (`config.stack.name ?? tenant.slug`).
+	*                  The state row in D1 is keyed `cfi_state:{stackName}`,
+	*                  so multiple stacks coexist in one env D1 without
+	*                  clobbering each other. Defaults to `"default"` —
+	*                  unit tests that synthesize a StateManager without
+	*                  a config get a stable key without extra plumbing.
+	*/
+	constructor(tenantId, env, stackName = DEFAULT_STACK_NAME) {
+		this.tenantId = tenantId;
+		this.env = env;
+		this.stackName = stackName;
+	}
+	/**
+	* Load state from D1 (remote) or allocate empty state (local).
+	* Required before {@link load} for every command.
+	*/
+	async hydrate(api) {
+		if (this.state) return;
+		if (this.env === "local") {
+			this.state = createEmptyCfiState(this.tenantId, this.env);
+			this.baselineRevision = this.state.revision ?? 0;
+			return;
+		}
+		const name = tamerStateDatabaseName(this.env);
+		const uuid$1 = await findTamerStateDatabaseUuid(api, this.env);
+		if (!uuid$1) throw new Error(`Tamer state database "${name}" not found. Run: tamer bootstrap --env ${this.env}`);
+		this.tamerStateDbUuid = uuid$1;
+		const rowKey = stateRowKey(this.stackName);
+		const { rows } = await api.d1Query(uuid$1, `SELECT v FROM tamer_kv WHERE k = ?`, [rowKey]);
+		if (rows.length === 0) {
+			this.state = createEmptyCfiState(this.tenantId, this.env);
+			this.baselineRevision = this.state.revision ?? 0;
+			this.dirty = true;
+			return;
+		}
+		const v = rows[0]["v"];
+		if (typeof v !== "string") throw new Error(`tamer_kv.${rowKey} must be a string column`);
+		this.state = parseCfiStateJson(v);
+		this.baselineRevision = this.state.revision ?? 0;
+	}
+	/**
+	* Stack identifier this manager is bound to (the `cfi_state:{name}` row
+	* key suffix). Exposed so `fetchStackImports` and diagnostics can show
+	* the operator which row this manager owns.
+	*/
+	getStackName() {
+		return this.stackName;
+	}
+	/**
+	* Allocate empty in-memory state without touching D1. Use for read-only
+	* "what-would-state-look-like" snapshots (e.g. drift-aware plan refresh)
+	* where we want to drive the module `sync` hooks against a fresh slate
+	* and then discard the result. {@link persist} is unsafe afterwards
+	* because there is no D1 baseline to compare against.
+	*/
+	hydrateInMemory() {
+		if (this.state) return;
+		this.state = createEmptyCfiState(this.tenantId, this.env);
+		this.baselineRevision = this.state.revision ?? 0;
+	}
+	/** Clear cached state so the next {@link hydrate} reloads from D1. */
+	reset() {
+		this.state = null;
+		this.tamerStateDbUuid = null;
+		this.dirty = false;
+		this.baselineRevision = 0;
+	}
+	load() {
+		if (!this.state) throw new Error("StateManager: call await hydrate(api) before load()");
+		return this.state;
+	}
+	get(derivedName) {
+		return this.load().resources[derivedName];
+	}
+	set(derivedName, entry) {
+		const s = this.load();
+		s.resources[derivedName] = entry;
+		s.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		this.dirty = true;
+	}
+	delete(derivedName) {
+		const s = this.load();
+		delete s.resources[derivedName];
+		s.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		this.dirty = true;
+	}
+	getAll() {
+		return this.load().resources;
+	}
+	getTenant(product, workspace) {
+		return this.load().tenants?.[tenantStateKey(product, workspace)];
+	}
+	setTenant(entry) {
+		const s = this.load();
+		if (!s.tenants) s.tenants = {};
+		s.tenants[tenantStateKey(entry.product, entry.workspace)] = entry;
+		s.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		this.dirty = true;
+	}
+	deleteTenant(product, workspace) {
+		const s = this.load();
+		if (!s.tenants) return;
+		delete s.tenants[tenantStateKey(product, workspace)];
+		s.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		this.dirty = true;
+	}
+	listTenants() {
+		return Object.values(this.load().tenants ?? {});
+	}
+	/** CloudFormation-style stack metadata (name, owner). Returns a copy. */
+	getStackMeta() {
+		const s = this.load().stack;
+		return s ? { ...s } : void 0;
+	}
+	/**
+	* Set or merge stack metadata. Pass `undefined` fields to clear them; only
+	* provided keys are written, so callers can update one field at a time.
+	*/
+	setStackMeta(meta$2) {
+		const s = this.load();
+		s.stack = {
+			...s.stack ?? {},
+			...meta$2
+		};
+		s.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		this.dirty = true;
+	}
+	/**
+	* Resolved + persisted `outputs:` for this stack. Returns `{}` when none
+	* have been recorded yet (e.g. before the first successful `apply`). The
+	* returned object is a shallow copy — mutate via {@link replaceStackOutputs}.
+	*/
+	getStackOutputs() {
+		return { ...this.load().stackOutputs ?? {} };
+	}
+	/**
+	* Replace this stack's `stackOutputs` map wholesale. Pass `{}` to clear
+	* (e.g. when `outputs` is removed from `tamer.config.ts`); pass a fresh
+	* map keyed by output name to commit a successful apply's resolved values.
+	* No-op when the new map is structurally identical to the existing one
+	* (avoids gratuitous `revision` bumps on no-op applies).
+	*/
+	replaceStackOutputs(next) {
+		const s = this.load();
+		if (stackOutputsEqual(s.stackOutputs ?? {}, next)) return;
+		if (Object.keys(next).length === 0) delete s.stackOutputs;
+		else s.stackOutputs = { ...next };
+		s.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		this.dirty = true;
+	}
+	getLastOperation() {
+		return this.load().lastOperation;
+	}
+	/** Completed operations (`succeeded` / `failed` only), newest first. */
+	getOperationHistory() {
+		const h = this.load().operationHistory;
+		return h ? h.map((e) => ({ ...e })) : [];
+	}
+	/**
+	* Begin recording a CloudFormation-style operation marker. Sets `status:
+	* "in_progress"` and `startedAt`; pair with {@link finishOperation} on
+	* success or {@link failOperation} on error. Persist between calls if the
+	* operation may take a long time and you want concurrent operators to see
+	* the in-progress marker.
+	*/
+	beginOperation(command$1, detail) {
+		const s = this.load();
+		s.lastOperation = {
+			command: command$1,
+			status: "in_progress",
+			startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			detail
+		};
+		s.syncedAt = s.lastOperation.startedAt;
+		this.dirty = true;
+	}
+	finishOperation(detail) {
+		const s = this.load();
+		if (!s.lastOperation) return;
+		s.lastOperation.status = "succeeded";
+		s.lastOperation.completedAt = (/* @__PURE__ */ new Date()).toISOString();
+		if (detail !== void 0) s.lastOperation.detail = detail;
+		s.syncedAt = s.lastOperation.completedAt;
+		this.appendTerminalOperationToHistory(s.lastOperation);
+		this.dirty = true;
+	}
+	failOperation(errorMessage) {
+		const s = this.load();
+		if (!s.lastOperation) return;
+		s.lastOperation.status = "failed";
+		s.lastOperation.completedAt = (/* @__PURE__ */ new Date()).toISOString();
+		s.lastOperation.errorMessage = errorMessage;
+		s.syncedAt = s.lastOperation.completedAt;
+		this.appendTerminalOperationToHistory(s.lastOperation);
+		this.dirty = true;
+	}
+	appendTerminalOperationToHistory(op) {
+		if (op.status !== "succeeded" && op.status !== "failed") return;
+		const s = this.load();
+		s.operationHistory = [{
+			command: op.command,
+			status: op.status,
+			startedAt: op.startedAt,
+			completedAt: op.completedAt,
+			errorMessage: op.errorMessage,
+			detail: op.detail
+		}, ...s.operationHistory ?? []].slice(0, OPERATION_HISTORY_CAP);
+	}
+	/**
+	* Persist to D1 (no-op for local). Uses optimistic concurrency: re-reads
+	* `revision` before write; throws {@link StateConflictError} if another
+	* writer advanced the row since {@link hydrate}.
+	*/
+	async persist(api) {
+		if (this.env === "local") {
+			this.dirty = false;
+			return;
+		}
+		if (!this.dirty || !this.state || !this.tamerStateDbUuid) return;
+		const rowKey = stateRowKey(this.stackName);
+		const { rows } = await api.d1Query(this.tamerStateDbUuid, `SELECT v FROM tamer_kv WHERE k = ?`, [rowKey]);
+		let remoteRev = 0;
+		if (rows.length > 0) {
+			const v = rows[0]["v"];
+			if (typeof v === "string") remoteRev = parseCfiStateJson(v).revision ?? 0;
+		}
+		if (remoteRev !== this.baselineRevision) throw new StateConflictError(`Tamer state conflict (stack=${this.stackName}): remote revision ${remoteRev} !== expected ${this.baselineRevision}. Re-run after refresh.`);
+		this.state.revision = remoteRev + 1;
+		this.state.syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+		const json = JSON.stringify(this.state);
+		await api.d1Query(this.tamerStateDbUuid, `INSERT INTO tamer_kv (k, v) VALUES (?, ?)
+       ON CONFLICT(k) DO UPDATE SET v = excluded.v`, [rowKey, json]);
+		this.baselineRevision = this.state.revision;
+		this.dirty = false;
+	}
+	/** Mark clean without writing (e.g. before deleting the state database). */
+	clearDirty() {
+		this.dirty = false;
+	}
+};
+function stackOutputsEqual(a, b) {
+	const ak = Object.keys(a).sort();
+	const bk = Object.keys(b).sort();
+	if (ak.length !== bk.length) return false;
+	for (let i = 0; i < ak.length; i++) {
+		if (ak[i] !== bk[i]) return false;
+		const k = ak[i];
+		const av = a[k];
+		const bv = b[k];
+		if (av.value !== bv.value || av.source !== bv.source) return false;
+	}
+	return true;
+}
+//#endregion
+//#region src/core/imports/fetchStackImports.ts
+const IMPORT_RE = /\$\{tamer:import:([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\}/g;
+/**
+* Walk the merged `CfiConfig` and collect every `${tamer:import:…}` ref
+* site along with where it was found. Used both to drive the pre-fetch
+* (which sibling stacks to load) and by `tamer status` to render an
+* "inbound imports" panel even before any `apply` has run.
+*
+* Self-imports (current stack importing from its own name) are filtered
+* out — they are almost always a config typo and would otherwise
+* silently resolve via the same row this command is about to write.
+*/
+function scanConfigForImports(config$1) {
+	const selfStack = stackNameForConfig(config$1);
+	const refs = [];
+	const seen = /* @__PURE__ */ new Set();
+	const push = (raw, fieldPath) => {
+		if (!raw) return;
+		IMPORT_RE.lastIndex = 0;
+		let m;
+		while ((m = IMPORT_RE.exec(raw)) !== null) {
+			const stack = m[1];
+			const output = m[2];
+			if (stack === selfStack) continue;
+			const key = `${fieldPath}::${stack}.${output}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			refs.push({
+				stack,
+				output,
+				fieldPath
+			});
+		}
+	};
+	const walkVars = (vars, pathPrefix) => {
+		if (!vars) return;
+		for (const [k, v] of Object.entries(vars)) push(materializeTamerResolvable(v), `${pathPrefix}.${k}`);
+	};
+	const walkR2BucketNames = (w, pathPrefix) => {
+		if (!w.r2_buckets) return;
+		w.r2_buckets.forEach((b, i) => {
+			if (b.bucket_name === void 0) return;
+			push(materializeTamerResolvable(b.bucket_name), `${pathPrefix}.r2_buckets[${i}].bucket_name`);
+		});
+	};
+	const walkD1DatabaseNames = (w, pathPrefix) => {
+		const d1 = w.resources?.d1;
+		if (!d1) return;
+		d1.forEach((d, i) => {
+			if (d.databaseName === void 0) return;
+			push(materializeTamerResolvable(d.databaseName), `${pathPrefix}.resources.d1[${i}].databaseName`);
+		});
+	};
+	/** Service bindings / WfP namespace strings may carry `${tamer:import:…}`. */
+	const walkBindingsWithRefs = (w, pathPrefix) => {
+		w.services?.forEach((s, i) => {
+			if (s.service === void 0) return;
+			push(materializeTamerResolvable(s.service), `${pathPrefix}.services[${i}].service`);
+		});
+		w.dispatch_namespaces?.forEach((d, i) => {
+			if (d.namespace === void 0) return;
+			push(materializeTamerResolvable(d.namespace), `${pathPrefix}.dispatch_namespaces[${i}].namespace`);
+		});
+	};
+	if (config$1.worker) {
+		walkVars(config$1.worker.vars, "worker.vars");
+		walkR2BucketNames(config$1.worker, "worker");
+		walkD1DatabaseNames(config$1.worker, "worker");
+		walkBindingsWithRefs(config$1.worker, "worker");
+		if (config$1.worker.tamerRoutes) config$1.worker.tamerRoutes.forEach((r, i) => {
+			push(r.host, `worker.tamerRoutes[${i}].host`);
+			push(r.zone, `worker.tamerRoutes[${i}].zone`);
+		});
+	}
+	if (config$1.workers) for (const [key, w] of Object.entries(config$1.workers)) {
+		walkVars(w.vars, `worker[${key}].vars`);
+		walkR2BucketNames(w, `worker[${key}]`);
+		walkD1DatabaseNames(w, `worker[${key}]`);
+		walkBindingsWithRefs(w, `worker[${key}]`);
+		if (w.tamerRoutes) w.tamerRoutes.forEach((r, i) => {
+			push(r.host, `worker[${key}].tamerRoutes[${i}].host`);
+			push(r.zone, `worker[${key}].tamerRoutes[${i}].zone`);
+		});
+	}
+	if (config$1.outputs) for (const [name, source] of Object.entries(config$1.outputs)) push(materializeTamerResolvable(source), `outputs.${name}`);
+	return refs;
+}
+/** Distinct sibling stack names referenced anywhere in `config`. */
+function importedStackNames(config$1) {
+	const refs = scanConfigForImports(config$1);
+	return [...new Set(refs.map((r) => r.stack))].sort();
+}
+/**
+* Hydrate every imported sibling stack's persisted outputs and return
+* them shaped for {@link ReferenceContext.imports}.
+*
+* - `local` env: returns `{}` immediately. Local mode never persists
+*   state, so cross-stack imports are inherently unresolvable. Callers
+*   running in tolerant mode (`plan`, `status`) will see the placeholder
+*   verbatim; strict callers (`apply`, `deploy`) will fail at resolution
+*   with a clear "no imported stack" message.
+* - Missing sibling state row: recorded as an empty outputs map, so
+*   `lookupImport` can produce a "no published outputs" diagnostic
+*   (vs. the generic "stack not pre-fetched" error).
+*
+* The {@link CFApiClient} is shared with the caller for socket reuse.
+*/
+async function fetchStackImports(api, config$1, env) {
+	const stacks = importedStackNames(config$1);
+	if (stacks.length === 0 || env === "local") return {};
+	const out = {};
+	for (const stack of stacks) {
+		const sibling = new StateManager(config$1.tenant.id, env, stack);
+		try {
+			await sibling.hydrate(api);
+		} catch (err) {
+			throw new Error(`Failed to hydrate imported stack "${stack}" from env "${env}": ${err instanceof Error ? err.message : String(err)}`);
+		}
+		const persisted = sibling.getStackOutputs();
+		const flat = {};
+		for (const [name, v] of Object.entries(persisted)) flat[name] = v.value;
+		out[stack] = flat;
+	}
+	return out;
+}
+//#endregion
+//#region src/core/secrets/declared.ts
+/** Declared secret names for a worker; empty when `secrets` is absent. */
+function requiredSecretsForWorker(workerConfig) {
+	return workerConfig.secrets?.required ?? [];
+}
+//#endregion
+//#region src/core/secrets/SecretsVault.ts
+/**
+* Encrypted secrets vault backed by `tamer-secrets-{env}` D1.
+* Stores ciphertext only — never plaintext.
+*/
+var SecretsVault = class {
+	databaseId;
+	constructor(api, env, databaseId) {
+		this.api = api;
+		this.env = env;
+		this.databaseId = databaseId;
+	}
+	async dbId() {
+		if (this.databaseId) return this.databaseId;
+		const uuid$1 = await findTamerSecretsDatabaseUuid(this.api, this.env);
+		if (!uuid$1) throw new Error(`secrets vault not provisioned for env "${this.env}" (expected D1 ${tamerSecretsDatabaseName(this.env)}); run tamer bootstrap`);
+		this.databaseId = uuid$1;
+		return uuid$1;
+	}
+	async upsert(name, encrypted, valueHash, options) {
+		const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+		const updatedBy = options?.updatedBy;
+		const db = await this.dbId();
+		await this.api.d1Query(db, `INSERT INTO secrets (
+        name, ciphertext, iv, wrapped_dek, dek_iv, value_hash, updated_at, updated_by
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(name) DO UPDATE SET
+        ciphertext = excluded.ciphertext,
+        iv = excluded.iv,
+        wrapped_dek = excluded.wrapped_dek,
+        dek_iv = excluded.dek_iv,
+        value_hash = excluded.value_hash,
+        updated_at = excluded.updated_at,
+        updated_by = excluded.updated_by`, [
+			name,
+			blobParam(encrypted.ciphertext),
+			blobParam(encrypted.iv),
+			blobParam(encrypted.wrappedDek),
+			blobParam(encrypted.dekIv),
+			valueHash,
+			updatedAt,
+			updatedBy ?? null
+		]);
+		await this.api.d1Query(db, `INSERT INTO secret_history (name, value_hash, updated_at, updated_by)
+       VALUES (?, ?, ?, ?)`, [
+			name,
+			valueHash,
+			updatedAt,
+			updatedBy ?? null
+		]);
+		await this.api.d1Query(db, `DELETE FROM secret_history
+       WHERE name = ?
+       AND rowid IN (
+         SELECT rowid FROM (
+           SELECT rowid FROM secret_history
+           WHERE name = ?
+           ORDER BY updated_at DESC
+           LIMIT -1 OFFSET ?
+         )
+       )`, [
+			name,
+			name,
+			SECRET_HISTORY_CAP
+		]);
+	}
+	async get(name) {
+		const db = await this.dbId();
+		const { rows } = await this.api.d1Query(db, `SELECT name, ciphertext, iv, wrapped_dek, dek_iv, value_hash, updated_at, updated_by
+       FROM secrets WHERE name = ?`, [name]);
+		if (rows.length === 0) return void 0;
+		return rowToVaultSecret(rows[0]);
+	}
+	async list() {
+		const db = await this.dbId();
+		const { rows } = await this.api.d1Query(db, `SELECT name, value_hash, updated_at, updated_by
+       FROM secrets ORDER BY name`);
+		return rows.map((row) => ({
+			name: String(row.name),
+			valueHash: row.value_hash,
+			updatedAt: String(row.updated_at),
+			updatedBy: row.updated_by != null ? String(row.updated_by) : void 0
+		}));
+	}
+	async delete(name) {
+		const db = await this.dbId();
+		const { rows } = await this.api.d1Query(db, `DELETE FROM secrets WHERE name = ? RETURNING name`, [name]);
+		return rows.length > 0;
+	}
+	/** Append an audit row (e.g. after `secrets get`) without changing the secret. */
+	async appendAudit(name, options) {
+		const record$1 = await this.get(name);
+		if (!record$1) throw new Error(`secret "${name}" not found in vault`);
+		const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+		const updatedBy = options?.updatedBy;
+		const db = await this.dbId();
+		await this.api.d1Query(db, `INSERT INTO secret_history (name, value_hash, updated_at, updated_by)
+       VALUES (?, ?, ?, ?)`, [
+			name,
+			record$1.valueHash,
+			updatedAt,
+			updatedBy ?? null
+		]);
+		await this.api.d1Query(db, `DELETE FROM secret_history
+       WHERE name = ?
+       AND rowid IN (
+         SELECT rowid FROM (
+           SELECT rowid FROM secret_history
+           WHERE name = ?
+           ORDER BY updated_at DESC
+           LIMIT -1 OFFSET ?
+         )
+       )`, [
+			name,
+			name,
+			SECRET_HISTORY_CAP
+		]);
+	}
+	async history(name) {
+		const db = await this.dbId();
+		const { rows } = await this.api.d1Query(db, `SELECT name, value_hash, updated_at, updated_by
+       FROM secret_history
+       WHERE name = ?
+       ORDER BY updated_at DESC`, [name]);
+		return rows.map((row) => ({
+			name: String(row.name),
+			valueHash: row.value_hash,
+			updatedAt: String(row.updated_at),
+			updatedBy: row.updated_by != null ? String(row.updated_by) : void 0
+		}));
+	}
+};
+function rowToVaultSecret(row) {
+	return {
+		name: String(row.name),
+		ciphertext: blobFromRow(row.ciphertext),
+		iv: blobFromRow(row.iv),
+		wrappedDek: blobFromRow(row.wrapped_dek),
+		dekIv: blobFromRow(row.dek_iv),
+		valueHash: row.value_hash,
+		updatedAt: String(row.updated_at),
+		updatedBy: row.updated_by != null ? String(row.updated_by) : void 0
+	};
+}
+/** D1 HTTP API accepts base64 for BLOB bind parameters. */
+function blobParam(bytes) {
+	return Buffer.from(bytes).toString("base64");
+}
+function blobFromRow(value) {
+	if (value instanceof Uint8Array) return value;
+	if (typeof value === "string") return new Uint8Array(Buffer.from(value, "base64"));
+	if (Array.isArray(value)) return new Uint8Array(value);
+	throw new Error("secrets vault: invalid BLOB column value");
+}
+//#endregion
+//#region src/cli/commands/secrets/context.ts
+function resolveSecretsEnv(env) {
+	const resolved = env ?? "dev";
+	if (resolved === "local") throw new Error("secrets commands require a remote env (e.g. --env dev); \"local\" has no vault");
+	return resolved;
+}
+/** Operator identity for vault audit rows (`USER` / `USERNAME` / `cli`). */
+function cliUpdatedBy() {
+	return process.env.USER ?? process.env.USERNAME ?? "cli";
+}
+function vaultReaderFromVault(vault) {
+	return { async get(name) {
+		const row = await vault.get(name);
+		if (!row) return void 0;
+		return {
+			name: row.name,
+			valueHash: row.valueHash
+		};
+	} };
+}
+async function createSecretsContext(options) {
+	const env = resolveSecretsEnv(options.env);
+	const config$1 = await loadConfig(options.configPath, { env });
+	const accountId = config$1.account_id ?? cloudflareAccountIdFromEnv();
+	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
+	const api = new CFApiClient(accountId);
+	const vault = new SecretsVault(api, env, await ensureTamerSecretsDatabase(api, env));
+	const state = new StateManager(config$1.tenant.id, env, stackNameForConfig(config$1));
+	await state.hydrate(api);
+	const masterKey = readMasterKeyFromEnv(env);
+	return {
+		env,
+		config: config$1,
+		api,
+		vault,
+		state,
+		naming: namingFromConfig(config$1),
+		accountId,
+		masterKey
+	};
+}
+async function collectSecretWorkers(ctx, workerFilter) {
+	const workers = await getWorkers(ctx.config);
+	const imports = await fetchStackImports(ctx.api, ctx.config, ctx.env).catch(() => ({}));
+	const out = [];
+	for (const [workerKey, workerConfig] of workers) {
+		if (workerFilter && workerKey !== workerFilter) continue;
+		const required$1 = requiredSecretsForWorker(mergeWorkerConfigForResourcePick(ctx.config, workerKey, workerConfig, ctx.env, ctx.accountId, ctx.naming, ctx.state, {
+			referencesMode: "tolerant",
+			imports
+		}));
+		if (required$1.length === 0) continue;
+		const deployedName = resolveDeployedWorkerName(ctx.config, workerKey, workerConfig, ctx.env, ctx.naming);
+		let workerSecretNames = [];
+		try {
+			workerSecretNames = await ctx.api.workersSecretsList(deployedName);
+		} catch {
+			workerSecretNames = [];
+		}
+		out.push({
+			workerKey,
+			required: required$1,
+			workerSecretNames,
+			deployedName
+		});
+	}
+	return out;
+}
+function assertSecretName(name) {
+	const trimmed = name?.trim();
+	if (!trimmed) throw new Error("secret name is required");
+	return trimmed;
+}
+/** Vault + master key for deploy auto-push (remote envs only). */
+async function createDeploySecretsResources(api, env) {
+	const resolvedEnv = resolveSecretsEnv(env);
+	return {
+		vault: new SecretsVault(api, resolvedEnv, await ensureTamerSecretsDatabase(api, resolvedEnv)),
+		masterKey: readMasterKeyFromEnv(resolvedEnv)
+	};
+}
+//#endregion
+//#region src/cli/commands/secrets/init.ts
+async function runSecretsInit(options) {
+	const env = resolveSecretsEnv(options.env);
+	const accountId = (await loadConfig(options.configPath, { env })).account_id ?? cloudflareAccountIdFromEnv();
+	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
+	const masterKey = generateMasterKey();
+	const varName = masterKeyEnvVarName(env);
+	const uuid$1 = await ensureTamerSecretsDatabase(new CFApiClient(accountId), env);
+	console.log(`Secrets vault ready: D1 uuid=${uuid$1} name=${tamerSecretsDatabaseName(env)}`);
+	console.log("");
+	console.log(`Generated master key for env "${env}" (store in two durable places — CI + password manager):`);
+	console.log("");
+	console.log(`${varName}=${masterKey}`);
+	console.log("");
+	console.log("This key is shown once. Tamer never persists it.");
+}
+//#endregion
+//#region src/core/secrets/crypto.ts
+const AES_GCM = "AES-GCM";
+const AES_KEY_LENGTH = 256;
+const IV_BYTE_LENGTH = 12;
+function toArrayBuffer(bytes) {
+	return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+}
+/** Thrown when decrypt or re-wrap fails (wrong key, tampered ciphertext, etc.). */
+var SecretsCryptoError = class extends Error {
+	code = "SECRETS_CRYPTO_ERROR";
+	constructor(message) {
+		super(message);
+		this.name = "SecretsCryptoError";
+	}
+};
+/** Envelope-encrypt a secret value under the master key. */
+async function encryptSecretValue(plaintext, masterKey) {
+	const kek = await importAesKey(masterKey, ["wrapKey"]);
+	const dek = await crypto.subtle.generateKey({
+		name: AES_GCM,
+		length: AES_KEY_LENGTH
+	}, true, ["encrypt", "decrypt"]);
+	const iv = crypto.getRandomValues(new Uint8Array(IV_BYTE_LENGTH));
+	const dekIv = crypto.getRandomValues(new Uint8Array(IV_BYTE_LENGTH));
+	const plaintextBytes = new TextEncoder().encode(plaintext);
+	const ciphertextBuffer = await crypto.subtle.encrypt({
+		name: AES_GCM,
+		iv
+	}, dek, plaintextBytes);
+	const wrappedDekBuffer = await crypto.subtle.wrapKey("raw", dek, kek, {
+		name: AES_GCM,
+		iv: dekIv
+	});
+	return {
+		ciphertext: new Uint8Array(ciphertextBuffer),
+		iv,
+		wrappedDek: new Uint8Array(wrappedDekBuffer),
+		dekIv
+	};
+}
+/** Decrypt an envelope-encrypted secret value. */
+async function decryptSecretValue(encrypted, masterKey) {
+	try {
+		const kek = await importAesKey(masterKey, ["unwrapKey"]);
+		const dek = await crypto.subtle.unwrapKey("raw", toArrayBuffer(encrypted.wrappedDek), kek, {
+			name: AES_GCM,
+			iv: toArrayBuffer(encrypted.dekIv)
+		}, {
+			name: AES_GCM,
+			length: AES_KEY_LENGTH
+		}, false, ["decrypt"]);
+		const plaintextBuffer = await crypto.subtle.decrypt({
+			name: AES_GCM,
+			iv: toArrayBuffer(encrypted.iv)
+		}, dek, toArrayBuffer(encrypted.ciphertext));
+		return new TextDecoder().decode(plaintextBuffer);
+	} catch {
+		throw new SecretsCryptoError("Failed to decrypt secret (wrong master key or corrupted ciphertext)");
+	}
+}
+async function importAesKey(rawKey, usages) {
+	return crypto.subtle.importKey("raw", toArrayBuffer(rawKey), {
+		name: AES_GCM,
+		length: AES_KEY_LENGTH
+	}, false, usages);
+}
+//#endregion
+//#region src/core/secrets/fingerprint.ts
+/** SHA-256 fingerprint of secret plaintext (non-reversible). */
+async function secretValueFingerprint(plaintext) {
+	const bytes = new TextEncoder().encode(plaintext);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", bytes);
+	return `sha256:${bytesToHex(new Uint8Array(hashBuffer))}`;
+}
+function bytesToHex(bytes) {
+	return [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+//#endregion
+//#region src/cli/commands/secrets/stdin.ts
+/**
+* Read a secret value from stdin (pipe only — avoids shell history / argv).
+* Interactive prompt is intentionally not supported in v1.
+*/
+async function readSecretValueFromStdin() {
+	if (process.stdin.isTTY) throw new Error("secrets set: pipe the value on stdin (e.g. echo -n 'value' | tamer secrets set NAME --env dev); interactive entry is not supported yet");
+	const chunks = [];
+	for await (const chunk of process.stdin) chunks.push(Buffer.from(chunk));
+	let value = Buffer.concat(chunks).toString("utf8");
+	if (value.endsWith("\n")) value = value.slice(0, -1);
+	if (value.endsWith("\r")) value = value.slice(0, -1);
+	if (!value) throw new Error("secrets set: empty value on stdin");
+	return value;
+}
+//#endregion
+//#region src/cli/commands/secrets/set.ts
+async function runSecretsSet(options) {
+	const name = assertSecretName(options.name);
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	const plaintext = options.readValue ? await options.readValue() : await readSecretValueFromStdin();
+	const encrypted = await encryptSecretValue(plaintext, ctx.masterKey);
+	const valueHash = await secretValueFingerprint(plaintext);
+	await ctx.vault.upsert(name, encrypted, valueHash, { updatedBy: cliUpdatedBy() });
+	console.log(`secrets: stored ${name} (${valueHash}) in ${ctx.env} vault`);
+}
+//#endregion
+//#region src/cli/commands/secrets/dotenv.ts
+/** Parse a dotenv-style file into key/value pairs (no variable expansion). */
+function parseDotenvContent(content) {
+	const result = {};
+	for (const rawLine of content.split(/\r?\n/)) {
+		const line = rawLine.trim();
+		if (!line || line.startsWith("#")) continue;
+		const eq = line.indexOf("=");
+		if (eq <= 0) continue;
+		const key = line.slice(0, eq).trim();
+		let value = line.slice(eq + 1).trim();
+		if (value.startsWith("\"") && value.endsWith("\"") || value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+		if (key) result[key] = value;
+	}
+	return result;
+}
+function readDotenvFile(filePath) {
+	return parseDotenvContent(readFileSync(resolve(process.cwd(), filePath), "utf8"));
+}
+/**
+* Merge env vars for bulk load: all keys from `process.env`, then file
+* entries overwrite on duplicate keys (file wins).
+*/
+function mergeLoadSources(fileEntries) {
+	const merged = {};
+	for (const [key, value] of Object.entries(process.env)) if (value != null && value !== "") merged[key] = value;
+	for (const [key, value] of Object.entries(fileEntries)) merged[key] = value;
+	return merged;
+}
+//#endregion
+//#region src/cli/commands/secrets/load.ts
+async function runSecretsLoad(options) {
+	if (!options.file?.trim()) throw new Error("usage: tamer secrets load --file <path> --env <env>");
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	const merged = mergeLoadSources(readDotenvFile(options.file));
+	const names = Object.keys(merged).sort();
+	if (names.length === 0) {
+		console.log("secrets load: no entries to import");
+		return;
+	}
+	let count = 0;
+	for (const name of names) {
+		const plaintext = merged[name];
+		const encrypted = await encryptSecretValue(plaintext, ctx.masterKey);
+		const valueHash = await secretValueFingerprint(plaintext);
+		await ctx.vault.upsert(name, encrypted, valueHash, { updatedBy: cliUpdatedBy() });
+		count += 1;
+	}
+	console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${options.file}`);
+}
+//#endregion
+//#region src/cli/commands/secrets/get.ts
+async function defaultConfirm(prompt) {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("secrets get: confirmation required; run in an interactive terminal or use a test hook");
+	const rl = readline.createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	try {
+		const normalized = (await rl.question(`${prompt} [y/N] `)).trim().toLowerCase();
+		return normalized === "y" || normalized === "yes";
+	} finally {
+		rl.close();
+	}
+}
+async function runSecretsGet(options) {
+	const name = assertSecretName(options.name);
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	const record$1 = await ctx.vault.get(name);
+	if (!record$1) throw new Error(`secret "${name}" not found in vault`);
+	const confirm = options.confirm ?? defaultConfirm;
+	if (!options.yes) {
+		if (!await confirm(`Reveal secret "${name}" from ${ctx.env} vault? This action is audit-logged.`)) {
+			console.log("secrets get: cancelled");
+			return;
+		}
+	}
+	await ctx.vault.appendAudit(name, { updatedBy: cliUpdatedBy() });
+	const plaintext = await decryptSecretValue({
+		ciphertext: record$1.ciphertext,
+		iv: record$1.iv,
+		wrappedDek: record$1.wrappedDek,
+		dekIv: record$1.dekIv
+	}, ctx.masterKey);
+	process.stdout.write(plaintext);
+	if (!plaintext.endsWith("\n")) process.stdout.write("\n");
+}
+//#endregion
+//#region src/cli/commands/secrets/list.ts
+async function runSecretsList(options) {
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	const items = await ctx.vault.list();
+	if (items.length === 0) {
+		console.log(`secrets (${ctx.env}): (empty)`);
+		return;
+	}
+	console.log(`secrets (${ctx.env}):`);
+	for (const item of items) {
+		const by = item.updatedBy ? ` by ${item.updatedBy}` : "";
+		console.log(`  ${item.name}  ${item.valueHash}  last-set ${item.updatedAt}${by}`);
+	}
+}
+//#endregion
+//#region src/cli/commands/secrets/rm.ts
+async function runSecretsRm(options) {
+	const name = assertSecretName(options.name);
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	if (!await ctx.vault.delete(name)) throw new Error(`secret "${name}" not found in vault`);
+	console.log(`secrets: removed ${name} from ${ctx.env} vault`);
+}
+//#endregion
+//#region src/core/secrets/reconcile.ts
+/** State row key: `secret:{worker}:{name}`. */
+function secretStateKey(worker, name) {
+	return `secret:${worker}:${name}`;
+}
+/** Plan/drift derived identifier: `{worker}:{name}`. */
+function secretDerivedName(worker, name) {
+	return `${worker}:${name}`;
+}
+/**
+* Compare declared secrets × vault fingerprints × state last-pushed hashes ×
+* worker presence. Returns one entry per relevant secret×worker pair.
+*/
+async function reconcileSecrets(input) {
+	const { workers, vault, state } = input;
+	const allState = state.getAll();
+	const secretStateByKey = /* @__PURE__ */ new Map();
+	for (const [key, entry] of Object.entries(allState)) if (entry.type === "secret") secretStateByKey.set(key, entry);
+	const entries = [];
+	const seen = /* @__PURE__ */ new Set();
+	function push(entry) {
+		const key = secretStateKey(entry.worker, entry.name);
+		if (seen.has(key)) return;
+		seen.add(key);
+		entries.push(entry);
+	}
+	for (const { workerKey, required: required$1, workerSecretNames } of workers) {
+		const onWorkerSet = new Set(workerSecretNames);
+		for (const name of required$1) {
+			const vaultEntry = await vault.get(name);
+			const stateEntry = secretStateByKey.get(secretStateKey(workerKey, name));
+			push(classifyDeclaredSecret({
+				worker: workerKey,
+				name,
+				vaultHash: vaultEntry?.valueHash,
+				lastPushedHash: stateEntry?.lastPushedHash,
+				onWorker: onWorkerSet.has(name)
+			}));
+		}
+		for (const name of workerSecretNames) {
+			if (required$1.includes(name)) continue;
+			const stateKey = secretStateKey(workerKey, name);
+			if (seen.has(stateKey)) continue;
+			const stateEntry = secretStateByKey.get(stateKey);
+			const vaultEntry = await vault.get(name);
+			if (stateEntry?.lastPushedHash && !vaultEntry) {
+				push({
+					worker: workerKey,
+					name,
+					status: "removed_from_vault",
+					lastPushedHash: stateEntry.lastPushedHash,
+					onWorker: true
+				});
+				continue;
+			}
+			push({
+				worker: workerKey,
+				name,
+				status: "undeclared_on_worker",
+				onWorker: true
+			});
+		}
+	}
+	for (const [key, stateEntry] of secretStateByKey) {
+		if (seen.has(key)) continue;
+		if (await vault.get(stateEntry.name)) continue;
+		push({
+			worker: stateEntry.worker,
+			name: stateEntry.name,
+			status: "removed_from_vault",
+			lastPushedHash: stateEntry.lastPushedHash,
+			onWorker: workers.some((w) => w.workerKey === stateEntry.worker && w.workerSecretNames.includes(stateEntry.name))
+		});
+	}
+	return entries;
+}
+function classifyDeclaredSecret(args$1) {
+	const { worker, name, vaultHash, lastPushedHash, onWorker } = args$1;
+	if (!vaultHash) return {
+		worker,
+		name,
+		status: "declared_no_value",
+		lastPushedHash,
+		onWorker
+	};
+	if (!lastPushedHash) return {
+		worker,
+		name,
+		status: "never_deployed",
+		vaultHash,
+		onWorker
+	};
+	if (vaultHash !== lastPushedHash) return {
+		worker,
+		name,
+		status: "rotated_not_deployed",
+		vaultHash,
+		lastPushedHash,
+		onWorker
+	};
+	if (!onWorker) return {
+		worker,
+		name,
+		status: "never_deployed",
+		vaultHash,
+		lastPushedHash,
+		onWorker: false
+	};
+	return {
+		worker,
+		name,
+		status: "in_sync",
+		vaultHash,
+		lastPushedHash,
+		onWorker: true
+	};
+}
+function secretsDrift(entries) {
+	const drift = {
+		kind: "secret",
+		missingFromCloudflare: [],
+		unrecordedInState: [],
+		undeployed: []
+	};
+	for (const e of entries) {
+		if (e.status === "in_sync") continue;
+		const derivedName = secretDerivedName(e.worker, e.name);
+		switch (e.status) {
+			case "declared_no_value":
+				drift.undeployed.push({
+					logicalName: e.name,
+					derivedName,
+					detail: "declared, no vault value"
+				});
+				break;
+			case "never_deployed":
+				drift.undeployed.push({
+					logicalName: e.name,
+					derivedName,
+					detail: "never deployed"
+				});
+				break;
+			case "rotated_not_deployed":
+				drift.undeployed.push({
+					logicalName: e.name,
+					derivedName,
+					detail: "rotated, not deployed"
+				});
+				break;
+			case "removed_from_vault":
+				drift.missingFromCloudflare.push({
+					logicalName: e.name,
+					derivedName,
+					detail: "removed from vault"
+				});
+				break;
+			case "undeclared_on_worker":
+				drift.unrecordedInState.push({
+					logicalName: e.name,
+					derivedName,
+					detail: "undeclared on worker"
+				});
+				break;
+		}
+	}
+	return drift;
+}
+function secretsPlanItems(entries) {
+	const items = [];
+	for (const e of entries) {
+		const derivedName = secretDerivedName(e.worker, e.name);
+		switch (e.status) {
+			case "never_deployed":
+				items.push({
+					kind: "secret",
+					action: "create",
+					logicalName: e.name,
+					derivedName,
+					detail: "never deployed"
+				});
+				break;
+			case "rotated_not_deployed":
+				items.push({
+					kind: "secret",
+					action: "update",
+					logicalName: e.name,
+					derivedName,
+					detail: "rotated, not deployed",
+					changes: [{
+						field: "lastPushedHash",
+						from: e.lastPushedHash,
+						to: e.vaultHash,
+						kind: "mutable"
+					}]
+				});
+				break;
+			default: break;
+		}
+	}
+	return items;
+}
+/** In-memory vault stub for tests and pre-WS1 integration. */
+function vaultReaderFromMap(secrets) {
+	const map = secrets instanceof Map ? secrets : new Map(Object.entries(secrets).map(([name, meta$2]) => [name, meta$2]));
+	return { async get(name) {
+		return map.get(name);
+	} };
+}
+//#endregion
+//#region src/cli/commands/secrets/verify.ts
+const STATUS_LABEL = {
+	in_sync: "in sync",
+	declared_no_value: "declared, no vault value",
+	never_deployed: "never deployed",
+	rotated_not_deployed: "rotated, not deployed",
+	removed_from_vault: "removed from vault",
+	undeclared_on_worker: "undeclared on worker"
+};
+async function runSecretsVerify(options) {
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	const workers = await collectSecretWorkers(ctx);
+	if (workers.length === 0) {
+		console.log(`secrets verify (${ctx.env}): no workers declare secrets.required`);
+		return 0;
+	}
+	const entries = await reconcileSecrets({
+		workers: workers.map((w) => ({
+			workerKey: w.workerKey,
+			required: w.required,
+			workerSecretNames: w.workerSecretNames
+		})),
+		vault: vaultReaderFromVault(ctx.vault),
+		state: ctx.state
+	});
+	console.log(`\nSecrets verify — env ${ctx.env}\n`);
+	if (entries.length === 0) {
+		console.log("  (no declared secrets)\n");
+		return 0;
+	}
+	let issues = 0;
+	for (const entry of entries.sort((a, b) => secretDerivedName(a.worker, a.name).localeCompare(secretDerivedName(b.worker, b.name)))) {
+		const label = STATUS_LABEL[entry.status];
+		const id = secretDerivedName(entry.worker, entry.name);
+		const workerFlag = entry.onWorker ? "on worker" : "not on worker";
+		console.log(`  ${id}  ${label} (${workerFlag})`);
+		if (entry.status !== "in_sync") issues += 1;
+	}
+	console.log(issues === 0 ? "\nAll declared secrets in sync.\n" : `\n${issues} secret(s) need attention.\n`);
+	return issues === 0 ? 0 : 1;
+}
+//#endregion
+//#region src/cli/commands/secrets/push.ts
+/**
+* Push stale/new required secrets for one worker via the CF API.
+* Skips secrets whose vault hash matches `lastPushedHash` in state.
+*/
+async function pushSecretsForDeploy(options) {
+	const { workerKey, deployedName, required: required$1, vault, state, api, masterKey, logPushes = false } = options;
+	if (required$1.length === 0) return {
+		pushed: 0,
+		skipped: 0
+	};
+	let pushed = 0;
+	let skipped = 0;
+	for (const secretName of required$1) {
+		const vaultRow = await vault.get(secretName);
+		if (!vaultRow) throw new Error(`secret "${secretName}" required by worker "${workerKey}" is missing from vault; run tamer secrets set ${secretName}`);
+		const stateKey = secretStateKey(workerKey, secretName);
+		const stateEntry = state.get(stateKey);
+		if ((stateEntry?.type === "secret" ? stateEntry.lastPushedHash : void 0) === vaultRow.valueHash) {
+			skipped += 1;
+			continue;
+		}
+		const plaintext = await decryptSecretValue({
+			ciphertext: vaultRow.ciphertext,
+			iv: vaultRow.iv,
+			wrappedDek: vaultRow.wrappedDek,
+			dekIv: vaultRow.dekIv
+		}, masterKey);
+		await api.workersSecretPut(deployedName, {
+			name: secretName,
+			text: plaintext
+		});
+		const now = (/* @__PURE__ */ new Date()).toISOString();
+		state.set(stateKey, {
+			type: "secret",
+			worker: workerKey,
+			name: secretName,
+			lastPushedHash: vaultRow.valueHash,
+			lastPushedAt: now
+		});
+		pushed += 1;
+		if (logPushes) console.log(`secrets push: ${workerKey}:${secretName} → ${deployedName}`);
+	}
+	return {
+		pushed,
+		skipped
+	};
+}
+async function runSecretsPush(options) {
+	const ctx = await createSecretsContext({
+		env: options.env,
+		configPath: options.configPath
+	});
+	const workers = await collectSecretWorkers(ctx, options.worker);
+	if (workers.length === 0) {
+		const hint = options.worker ? `worker "${options.worker}" has no secrets.required` : "no workers declare secrets.required";
+		console.log(`secrets push (${ctx.env}): ${hint}`);
+		return;
+	}
+	let pushed = 0;
+	let skipped = 0;
+	for (const worker of workers) {
+		const result = await pushSecretsForDeploy({
+			workerKey: worker.workerKey,
+			deployedName: worker.deployedName,
+			required: worker.required,
+			vault: ctx.vault,
+			state: ctx.state,
+			api: ctx.api,
+			masterKey: ctx.masterKey,
+			logPushes: true
+		});
+		pushed += result.pushed;
+		skipped += result.skipped;
+	}
+	if (pushed > 0) await ctx.state.persist(ctx.api);
+	console.log(`secrets push (${ctx.env}): ${pushed} pushed, ${skipped} already current`);
+}
+//#endregion
+//#region src/cli/commands/secrets/index.ts
+const SECRETS_USAGE = `usage:
+  tamer secrets init --env <env> [--config <path>]
+  tamer secrets set <NAME> --env <env> [--config <path>]   # value on stdin (pipe only)
+  tamer secrets load --file <path> --env <env> [--config <path>]
+  tamer secrets get <NAME> --env <env> [--config <path>]   # confirmation + audit log
+  tamer secrets list --env <env> [--config <path>]
+  tamer secrets rm <NAME> --env <env> [--config <path>]
+  tamer secrets verify --env <env> [--config <path>]
+  tamer secrets push --env <env> [--worker <name>] [--config <path>]`;
+function parseSecretsArgs(argv) {
+	const positional = [];
+	const opts = {};
+	for (let i = 0; i < argv.length; i++) {
+		const arg = argv[i];
+		if (arg.startsWith("--")) {
+			const key = arg.slice(2).replace(/-/g, "_");
+			const next = argv[i + 1];
+			if (next && !next.startsWith("--")) {
+				opts[key] = next;
+				i++;
+			} else opts[key] = true;
+		} else positional.push(arg);
+	}
+	return {
+		subcommand: positional[0],
+		name: positional[1],
+		env: opts.env,
+		configPath: opts.config,
+		file: opts.file,
+		worker: opts.worker,
+		yes: opts.yes === true
+	};
+}
+async function runSecrets(argv) {
+	const parsed = parseSecretsArgs(argv);
+	const { subcommand } = parsed;
+	switch (subcommand) {
+		case "init":
+			await runSecretsInit({
+				env: parsed.env,
+				configPath: parsed.configPath
+			});
+			return 0;
+		case "set":
+			await runSecretsSet({
+				name: parsed.name,
+				env: parsed.env,
+				configPath: parsed.configPath
+			});
+			return 0;
+		case "load":
+			if (!parsed.file) throw new Error("secrets load requires --file <path>");
+			await runSecretsLoad({
+				file: parsed.file,
+				env: parsed.env,
+				configPath: parsed.configPath
+			});
+			return 0;
+		case "get":
+			await runSecretsGet({
+				name: parsed.name,
+				env: parsed.env,
+				configPath: parsed.configPath,
+				yes: parsed.yes
+			});
+			return 0;
+		case "list":
+			await runSecretsList({
+				env: parsed.env,
+				configPath: parsed.configPath
+			});
+			return 0;
+		case "rm":
+			await runSecretsRm({
+				name: parsed.name,
+				env: parsed.env,
+				configPath: parsed.configPath
+			});
+			return 0;
+		case "verify": return runSecretsVerify({
+			env: parsed.env,
+			configPath: parsed.configPath
+		});
+		case "push":
+			await runSecretsPush({
+				env: parsed.env,
+				configPath: parsed.configPath,
+				worker: parsed.worker
+			});
+			return 0;
+		default:
+			console.error(SECRETS_USAGE);
+			return 1;
+	}
+}
+//#endregion
+//#region src/cli/args.ts
+const BaseArgsSchema = object({
+	env: string().optional(),
+	config: string().optional(),
+	worker: string().optional()
+});
+const ApplyArgsSchema = BaseArgsSchema.extend({
+	add_shard: string().optional(),
+	plan: string().optional(),
+	allow_stale: boolean().optional(),
+	rollback_on_failure: boolean().optional(),
+	target: string().optional()
+});
+const DestroyArgsSchema = BaseArgsSchema.extend({
+	env: string().min(1, { error: "env is required for destroy" }),
+	force: boolean().optional(),
+	skip_workers: boolean().optional(),
+	confirm_env: string().optional(),
+	wipe_metadata: boolean().optional(),
+	plan: string().optional(),
+	allow_stale: boolean().optional()
+});
+const BootstrapArgsSchema = object({
+	env: string().min(1, { error: "env is required for bootstrap" }),
+	config: string().optional()
+});
+const DriftArgsSchema = BaseArgsSchema.extend({ json: boolean().optional() });
+const PlanArgsSchema = BaseArgsSchema.extend({
+	json: boolean().optional(),
+	detailed_exitcode: boolean().optional(),
+	out: string().optional(),
+	destroy: boolean().optional(),
+	target: string().optional()
+});
+const ImportArgsSchema = object({
+	env: string().min(1, { error: "env is required for import" }),
+	config: string().optional(),
+	kind: _enum([
+		"d1",
+		"r2",
+		"kv",
+		"queue",
+		"hyperdrive",
+		"vectorize",
+		"ai_gateway",
+		"pipeline",
+		"workflow",
+		"secret_store",
+		"dns_record",
+		"dispatch_namespace",
+		"worker_route"
+	], { error: "kind must be one of d1 | r2 | kv | queue | hyperdrive | vectorize | ai_gateway | pipeline | workflow | secret_store | dns_record | dispatch_namespace | worker_route" }),
+	logical: string().min(1, { error: "logical is required" }),
+	cf_id: string().optional(),
+	shard_date: string().optional(),
+	created_date: string().optional(),
+	route_id: string().optional(),
+	zone_name: string().optional()
+});
+const StatusArgsSchema = BaseArgsSchema.extend({ tenant: string().optional() });
+const EventsArgsSchema = BaseArgsSchema.extend({
+	json: boolean().optional(),
+	limit: number().int().min(1).max(100).optional()
+});
+const DoctorArgsSchema = object({ json: boolean().optional() });
+const ProvisionTenantArgsSchema = object({
+	env: string().min(1, { error: "env is required" }),
+	product: string().min(1, { error: "product is required" }),
+	workspace: string().min(1, { error: "workspace is required" }),
+	main: string().optional(),
+	artifact_key: string().optional(),
+	module_name: string().optional(),
+	config: string().optional(),
+	compatibility_date: string().optional(),
+	compat_flags: string().optional(),
+	shards: string().optional(),
+	json: boolean().optional()
+}).refine((d) => !!(d.main || d.artifact_key), { message: "Provide --main <file> or --artifact-key <r2-key> (under tamer-artifacts-{env})" });
+const DestroyTenantArgsSchema = object({
+	env: string().min(1, { error: "env is required" }),
+	product: string().min(1, { error: "product is required" }),
+	workspace: string().min(1, { error: "workspace is required" }),
+	force: boolean().optional(),
+	confirm_tenant: string().optional(),
+	config: string().optional(),
+	json: boolean().optional()
+});
+const DeployArgsSchema = BaseArgsSchema.extend({ dispatch_namespace: string().optional() });
+const DevArgsSchema = BaseArgsSchema.extend({ all: boolean().optional() });
+function parseArgs(argv) {
+	const opts = {};
+	for (let i = 0; i < argv.length; i++) {
+		const arg = argv[i];
+		if (arg.startsWith("--")) {
+			const key = arg.slice(2).replace(/-/g, "_");
+			const next = argv[i + 1];
+			if (next && !next.startsWith("--")) {
+				opts[key] = next;
+				i++;
+			} else opts[key] = true;
+		}
+	}
+	return opts;
+}
+function toOpts(raw) {
+	const opts = {};
+	for (const [k, v] of Object.entries(raw)) opts[k] = v;
+	return opts;
+}
+function formatZodError(error) {
+	return error.issues.map((e) => e.path.length ? `${e.path.join(".")}: ${e.message}` : e.message).join("; ");
+}
+function parseSyncArgs(argv) {
+	const parsed = BaseArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		env: parsed.data.env,
+		configPath: parsed.data.config
+	};
+}
+function parseApplyArgs(argv) {
+	const parsed = ApplyArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		env: parsed.data.env,
+		addShard: parsed.data.add_shard,
+		configPath: parsed.data.config,
+		planFile: parsed.data.plan,
+		allowStale: parsed.data.allow_stale,
+		rollbackOnFailure: parsed.data.rollback_on_failure,
+		target: parsed.data.target
+	};
+}
+function parseDevArgs(argv) {
+	const parsed = DevArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		worker: parsed.data.worker,
+		env: parsed.data.env,
+		configPath: parsed.data.config,
+		all: parsed.data.all
+	};
+}
+function parseDeployArgs(argv) {
+	const parsed = DeployArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		worker: parsed.data.worker,
+		env: parsed.data.env,
+		configPath: parsed.data.config,
+		dispatchNamespace: parsed.data.dispatch_namespace
+	};
+}
+function parseMigrateArgs(argv) {
+	const parsed = BaseArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		worker: parsed.data.worker,
+		env: parsed.data.env,
+		configPath: parsed.data.config
+	};
+}
+function parseTypesArgs(argv) {
+	const parsed = BaseArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		worker: parsed.data.worker,
+		env: parsed.data.env,
+		configPath: parsed.data.config
+	};
+}
+function parseStatusArgs(argv) {
+	const parsed = StatusArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		env: parsed.data.env,
+		configPath: parsed.data.config,
+		tenant: parsed.data.tenant
+	};
+}
+function parseEventsArgs(argv) {
+	const parsed = EventsArgsSchema.safeParse(toOpts(parseArgs(argv)));
+	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
+	return {
+		env: parsed.data.env,
+		configPath: parsed.data.config,
+		limit: parsed.data.limit,
+		json: parsed.data.json
+	};
+}
+function parseDoctorArgs(argv) {
+	const parsed = DoctorArgsSchema.safeParse(toOpts(parseArgs(argv)));
 	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
 	return { json: parsed.data.json };
 }
@@ -4325,17 +8537,6 @@ function parseBootstrapArgs(argv) {
 	};
 }
-//#endregion
-//#region src/core/state/StateConflictError.ts
-/** Thrown when D1 `cfi_state` was updated by another writer since {@link StateManager.hydrate}. */
-var StateConflictError = class extends Error {
-	code = "STATE_CONFLICT";
-	constructor(message) {
-		super(message);
-		this.name = "StateConflictError";
-	}
-};
 //#endregion
 //#region src/cli/index.ts
 const args = process.argv.slice(2);
@@ -4346,14 +8547,14 @@ async function main() {
 	try {
 		switch (command) {
 			case "bootstrap":
-				await import("./bootstrap-BxwxC_2Z.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
+				await import("./bootstrap-D__dHw1w.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
 				break;
 			case "sync":
-				await import("./sync-B_pyPi7Z.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
+				await import("./sync-CpfxqlOx.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
 				break;
 			case "apply": {
 				const a = parseApplyArgs(rest);
-				await import("./apply-BOABC3UB.mjs").then((m) => m.runApply({
+				await import("./apply-BjrYbyHn.mjs").then((m) => m.runApply({
 					env: a.env,
 					addShard: a.addShard,
 					configPath: a.configPath,
@@ -4365,11 +8566,11 @@ async function main() {
 				break;
 			}
 			case "dev":
-				await import("./dev-CZbKfdFw.mjs").then((m) => m.runDev(parseDevArgs(rest)));
+				await import("./dev-BLthyLml.mjs").then((m) => m.runDev(parseDevArgs(rest)));
 				break;
 			case "deploy": {
 				const d = parseDeployArgs(rest);
-				await import("./deploy-C0edCpn9.mjs").then((m) => m.runDeploy({
+				await import("./deploy-C6fX9td0.mjs").then((m) => m.runDeploy({
 					worker: d.worker,
 					env: d.env,
 					configPath: d.configPath,
@@ -4378,23 +8579,23 @@ async function main() {
 				break;
 			}
 			case "migrate":
-				await import("./migrate-BpW6JkIg.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
+				await import("./migrate-CroDjbJz.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
 				break;
 			case "types":
-				await import("./types-JrdlG7Dy.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
+				await import("./types-BzzHwIdw.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
 				break;
 			case "status":
-				await import("./status-D5GLpWyn.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
+				await import("./status-DkkS5lc9.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
 				break;
 			case "events":
-				await import("./events-BIznt8Sj.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
+				await import("./events-otk0l3aJ.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
 				break;
 			case "drift":
-				exitStatus = await import("./drift-BNa92AK5.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
+				exitStatus = await import("./drift-BCxWdYHG.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
 				break;
 			case "plan": {
 				const p = parsePlanArgs(rest);
-				exitStatus = await import("./plan-Do5rE-c5.mjs").then((m) => m.runPlan({
+				exitStatus = await import("./plan-C2urqJOz.mjs").then((m) => m.runPlan({
 					env: p.env,
 					configPath: p.configPath,
 					json: p.json,
@@ -4406,14 +8607,14 @@ async function main() {
 				break;
 			}
 			case "import":
-				await import("./import-B0dlwKoQ.mjs").then((m) => m.runImport(parseImportArgs(rest)));
+				await import("./import-OvohE-H2.mjs").then((m) => m.runImport(parseImportArgs(rest)));
 				break;
 			case "doctor":
-				exitStatus = await import("./doctor-C_hs7k2D.mjs").then((m) => m.runDoctor(parseDoctorArgs(rest)));
+				exitStatus = await import("./doctor-32YLAXXl.mjs").then((m) => m.runDoctor(parseDoctorArgs(rest)));
 				break;
 			case "provision-tenant": {
 				const p = parseProvisionTenantArgs(rest);
-				await import("./provision-tenant-Wfck-2Oa.mjs").then((m) => m.runProvisionTenant({
+				await import("./provision-tenant-BJ1KugON.mjs").then((m) => m.runProvisionTenant({
 					env: p.env,
 					product: p.product,
 					workspace: p.workspace,
@@ -4430,7 +8631,7 @@ async function main() {
 			}
 			case "destroy-tenant": {
 				const t = parseDestroyTenantArgs(rest);
-				await import("./destroy-tenant-U0t7BeJ0.mjs").then((m) => m.runDestroyTenant({
+				await import("./destroy-tenant-T_94ed9x.mjs").then((m) => m.runDestroyTenant({
 					env: t.env,
 					product: t.product,
 					workspace: t.workspace,
@@ -4443,7 +8644,7 @@ async function main() {
 			}
 			case "destroy": {
 				const d = parseDestroyArgs(rest);
-				await import("./destroy-DzgA4lCA.mjs").then((m) => m.runDestroy({
+				await import("./destroy-vfk2Zbfj.mjs").then((m) => m.runDestroy({
 					env: d.env,
 					force: d.force,
 					skipWorkers: d.skipWorkers,
@@ -4458,18 +8659,21 @@ async function main() {
 			case "wfp": {
 				const [sub, ...wfpRest] = rest;
 				if (sub === "put") {
-					const { parseWfpPutArgs, runWfpPut } = await import("./wfp-put-DL0mJNNz.mjs");
+					const { parseWfpPutArgs, runWfpPut } = await import("./wfp-put-BrwICc9i.mjs");
 					await runWfpPut(parseWfpPutArgs(wfpRest));
 					break;
 				}
 				if (sub === "delete") {
-					const { parseWfpDeleteArgs, runWfpDelete } = await import("./wfp-delete-BhuUrBUA.mjs");
+					const { parseWfpDeleteArgs, runWfpDelete } = await import("./wfp-delete-CDBFqmrM.mjs");
 					await runWfpDelete(parseWfpDeleteArgs(wfpRest));
 					break;
 				}
 				console.error("usage:\n  tamer wfp put --namespace <n> --script-name <s> --main <file> [--compatibility-date <d>] [--compat-flags a,b] [--config <path>]\n  tamer wfp delete --namespace <n> --script-name <s> [--force] [--config <path>]");
 				process.exit(1);
 			}
+			case "secrets":
+				exitStatus = await import("./secrets-CnzjvndT.mjs").then((m) => m.runSecrets(rest));
+				break;
 			case "help":
 			case "-h":
 			case "--help":
@@ -4496,6 +8700,7 @@ Commands:
   provision-tenant  Runtime: create per-tenant D1 shards declared in tenant.d1Shards + upload dispatch script (--main or --artifact-key); --shards a,b trims to a subset of the configured layout (omit for all); --json emits machine-readable result for Cloudflare Container callers
   destroy-tenant    Runtime: remove tenant script + D1 + state (shared envs need --confirm-tenant); --json emits machine-readable result
   destroy   Delete all resources for an env (use with caution)
+  secrets   Encrypted secrets vault (init, set, load, get, list, rm, verify, push)
   wfp put    Upload a single-module user Worker to a dispatch namespace (multipart API)
   wfp delete Delete a user Worker from a dispatch namespace
@@ -4522,6 +8727,16 @@ Options:
   --route-id <id>  import worker_route: route id from /zones/{id}/workers/routes
   --zone-name <z>  import worker_route: optional zone hint when a worker has multiple routes
+Secrets (requires TAMER_SECRETS_KEY_{env} master key env var):
+  tamer secrets init --env <env>              Generate master key (print once) + provision vault
+  tamer secrets set <NAME> --env <env>        Encrypt value from stdin into vault (pipe only)
+  tamer secrets load --file .dev.vars --env <env>  Bulk import; file wins over process.env
+  tamer secrets get <NAME> --env <env>        Decrypt + print (confirmation + audit log)
+  tamer secrets list --env <env>              Names + fingerprints + last-set (never values)
+  tamer secrets rm <NAME> --env <env>         Remove from vault
+  tamer secrets verify --env <env>            Reconcile declared vs vault vs pushed vs worker
+  tamer secrets push --env <env>              Push stale/new secrets to workers via CF API
 Environment variables (same as Wrangler):
   CLOUDFLARE_ACCOUNT_ID  Cloudflare account ID
   CLOUDFLARE_API_TOKEN   Cloudflare API token
@@ -4549,5 +8764,5 @@ Environment variables (same as Wrangler):
 main();
 //#endregion
-export { boolean as a, number$1 as c, string as d, union as f, array as i, object as l, _enum as n, discriminatedUnion as o, any as r, literal as s, StateConflictError as t, record as u };
+export { resolveReferencesInString as A, getWorkers as B, stackNameForConfig as C, resolveDeployedWorkerName as D, mergedWorkerConfigForEnv as E, ensureTamerSecretsDatabase as F, tamerSecretsDatabaseName as I, CFApiClient as L, effectiveDispatchNamespaceName as M, isEphemeralEnv as N, resolveWorkerConfig as O, namingFromConfig as P, cloudflareAccountIdFromEnv as R, tamerStateDatabaseName as S, mergeWorkerConfigForResourcePick as T, loadConfig as V, tenantShardDatabaseName as _, reconcileSecrets as a, destroyTamerStateDatabase as b, vaultReaderFromMap as c, fetchStackImports as d, importedStackNames as f, tenantDispatchScriptName as g, parseTenantShardRoles as h, pushSecretsForDeploy as i, wranglerConfigCliArgs as j, rewriteIntraStackServiceTargets as k, createDeploySecretsResources as l, StateManager as m, parseSecretsArgs as n, secretsDrift as o, scanConfigForImports as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, requiredSecretsForWorker as u, tenantStateKey as v, buildIntraStackScriptNameMap as w, ensureTamerStateDatabase as x, createEmptyCfiState as y, cloudflareApiTokenFromEnv as z };
 //# sourceMappingURL=tamer.mjs.map