@dragonmastery/tamer 0.34.1 → 0.35.1

package/dist/tamer.mjs

@@ -5495,12 +5495,19 @@ var CFApiClient = class {
 //#region src/core/secrets/secretsDb.ts
 /** Max audit rows retained per secret name (oldest dropped on insert). */
 const SECRET_HISTORY_CAP = 50;
-/** Cloudflare D1 database for encrypted secrets (`tamer-secrets-dev`, …). */
-function tamerSecretsDatabaseName(env) {
-	return `tamer-secrets-${env}`;
+/**
+* Account-scoped D1 database for encrypted secrets (`tamer-secrets`).
+* Each env's secrets are isolated by row key: `{env}:{secretName}`.
+*/
+function tamerSecretsDatabaseName() {
+	return "tamer-secrets";
 }
-async function findTamerSecretsDatabaseUuid(api, env) {
-	const name = tamerSecretsDatabaseName(env);
+/** Row key for a secret in the shared D1: `{env}:{secretName}`. */
+function secretRowKey(env, secretName) {
+	return `${env}:${secretName}`;
+}
+async function findTamerSecretsDatabaseUuid(api) {
+	const name = tamerSecretsDatabaseName();
 	return (await api.d1ListAll()).find((d) => d.name === name)?.uuid;
 }
 const SECRETS_TABLE_DDL = `CREATE TABLE IF NOT EXISTS secrets (
@@ -5520,16 +5527,28 @@ const SECRET_HISTORY_TABLE_DDL = `CREATE TABLE IF NOT EXISTS secret_history (
   updated_by  TEXT
 )`;
 /**
-* Create `tamer-secrets-{env}` if missing and ensure `secrets` / `secret_history`
-* tables. Idempotent — safe to call on every bootstrap or first vault touch.
+* Create `tamer-secrets` (account-scoped) if missing and ensure `secrets` /
+* `secret_history` tables. Idempotent — safe to call on every bootstrap or
+* first vault touch.
 */
-async function ensureTamerSecretsDatabase(api, env) {
-	let uuid$1 = await findTamerSecretsDatabaseUuid(api, env);
-	if (!uuid$1) uuid$1 = (await api.d1Create(tamerSecretsDatabaseName(env))).uuid;
+async function ensureTamerSecretsDatabase(api) {
+	let uuid$1 = await findTamerSecretsDatabaseUuid(api);
+	if (!uuid$1) uuid$1 = (await api.d1Create(tamerSecretsDatabaseName())).uuid;
 	await api.d1Query(uuid$1, SECRETS_TABLE_DDL);
 	await api.d1Query(uuid$1, SECRET_HISTORY_TABLE_DDL);
 	return uuid$1;
 }
+/**
+* Delete all secret rows for a specific env from the shared account-scoped D1.
+* Used by `tamer destroy --wipe-metadata`.
+*/
+async function deleteEnvSecretRows(api, env) {
+	const uuid$1 = await findTamerSecretsDatabaseUuid(api);
+	if (!uuid$1) return false;
+	await api.d1Query(uuid$1, `DELETE FROM secrets WHERE name LIKE ?`, [`${env}:%`]);
+	await api.d1Query(uuid$1, `DELETE FROM secret_history WHERE name LIKE ?`, [`${env}:%`]);
+	return true;
+}
 
 //#endregion
 //#region src/core/secrets/masterKey.ts
@@ -6556,9 +6575,21 @@ function stackNameForConfig(config$1) {
 *   5: + `secret` state entries (fingerprints only; additive resource rows).
 */
 const STATE_SCHEMA_VERSION = 5;
-/** Cloudflare D1 database that holds JSON state for an env (`tamer-state-dev`, …). */
-function tamerStateDatabaseName(env) {
-	return `tamer-state-${env}`;
+/**
+* Account-scoped D1 database that holds JSON state for **all** envs
+* (`tamer-state`). Each env's state is isolated by row key:
+* `cfi_state:{env}:{stackName}`.
+*/
+function tamerStateDatabaseName() {
+	return "tamer-state";
+}
+/**
+* D1 `tamer_kv.k` value for a given env + stack's state row.
+* Format: `cfi_state:{env}:{stackName}` — env namespacing ensures
+* cross-env isolation within the shared account-scoped D1.
+*/
+function stateRowKey(env, stackName) {
+	return `cfi_state:${env}:${stackName}`;
 }
 function createEmptyCfiState(tenantId, env) {
 	return {
@@ -6587,24 +6618,28 @@ function migrateRawCfiStateInPlace(raw) {
 	if (raw.schemaVersion === 3) raw.schemaVersion = 4;
 	if (raw.schemaVersion === 4) raw.schemaVersion = STATE_SCHEMA_VERSION;
 }
-async function findTamerStateDatabaseUuid(api, env) {
-	const name = tamerStateDatabaseName(env);
+async function findTamerStateDatabaseUuid(api) {
+	const name = tamerStateDatabaseName();
 	return (await api.d1ListAll()).find((d) => d.name === name)?.uuid;
 }
 /**
-* Create `tamer-state-{env}` if missing, ensure `tamer_kv` table, and seed an
-* initial empty `cfi_state:{stackName}` row when this stack has no row yet.
-* Idempotent — re-running for the same stack is a no-op; re-running for a
-* different stack against the same env D1 just adds another row.
+* Create `tamer-state` (account-scoped) if missing, ensure `tamer_kv` table.
+* When `env` is provided, also seeds an initial empty
+* `cfi_state:{env}:{stackName}` row for that stack. When `env` is omitted
+* (e.g. from `tamer bootstrap`), only creates the D1 + table — the first
+* `tamer apply` will seed the row automatically via the StateManager.
+*
+* Idempotent — re-running is always safe.
 */
 async function ensureTamerStateDatabase(api, tenantId, env, stackName = DEFAULT_STACK_NAME) {
-	let uuid$1 = await findTamerStateDatabaseUuid(api, env);
-	if (!uuid$1) uuid$1 = (await api.d1Create(tamerStateDatabaseName(env))).uuid;
+	let uuid$1 = await findTamerStateDatabaseUuid(api);
+	if (!uuid$1) uuid$1 = (await api.d1Create(tamerStateDatabaseName())).uuid;
 	await api.d1Query(uuid$1, `CREATE TABLE IF NOT EXISTS tamer_kv (
       k TEXT PRIMARY KEY,
       v TEXT NOT NULL
     )`);
-	const rowKey = `cfi_state:${stackName}`;
+	if (!env) return uuid$1;
+	const rowKey = stateRowKey(env, stackName);
 	const { rows } = await api.d1Query(uuid$1, `SELECT v FROM tamer_kv WHERE k = ?`, [rowKey]);
 	if (rows.length === 0) {
 		const initial = createEmptyCfiState(tenantId, env);
@@ -6619,10 +6654,19 @@ function parseCfiStateJson(json) {
 	if (!result.success) throw new Error(`Invalid tamer state JSON: ${result.error.message}`);
 	return result.data;
 }
-async function destroyTamerStateDatabase(api, env) {
-	const uuid$1 = await findTamerStateDatabaseUuid(api, env);
+/**
+* Delete all state rows for a specific env from the shared account-scoped D1.
+* Used by `tamer destroy --wipe-metadata` to clean up an env's state without
+* affecting other envs that share the same `tamer-state` database.
+*
+* Note: this does NOT delete the D1 database itself — the shared `tamer-state`
+* database persists for other envs. To remove Tamer entirely from an account,
+* delete the D1/R2 resources manually via the Cloudflare dashboard.
+*/
+async function deleteEnvStateRows(api, env) {
+	const uuid$1 = await findTamerStateDatabaseUuid(api);
 	if (!uuid$1) return false;
-	await api.d1Delete(uuid$1);
+	await api.d1Query(uuid$1, `DELETE FROM tamer_kv WHERE k LIKE ?`, [`cfi_state:${env}:%`]);
 	return true;
 }
 
@@ -6705,15 +6749,13 @@ var StateConflictError = class extends Error {
 
 //#endregion
 //#region src/core/state/StateManager.ts
-/** D1 `tamer_kv.k` value for a given stack's state row. */
-function stateRowKey(stackName) {
-	return `cfi_state:${stackName}`;
-}
 const OPERATION_HISTORY_CAP = 50;
 /**
 * Authoritative deployment state for an env.
 *
-* - **Non-local:** stored as JSON in Cloudflare D1 (`tamer-state-{env}`).
+* - **Non-local:** stored as JSON in Cloudflare D1 (`tamer-state`,
+*   account-scoped). Each env's state is isolated by row key:
+*   `cfi_state:{env}:{stackName}`.
 *   Call {@link hydrate} before {@link load}, then {@link persist} after mutations.
 * - **local:** in-memory only (no persistence).
 */
@@ -6730,14 +6772,13 @@ var StateManager = class {
 	/**
 	* @param tenantId  `config.tenant.id` — recorded on the state row for
 	*                  diagnostics; not part of the row key.
-	* @param env       Cloudflare environment name; selects the
-	*                  `tamer-state-{env}` D1 database.
+	* @param env       Cloudflare environment name; included in the D1 row key
+	*                  (`cfi_state:{env}:{stackName}`) for isolation within the
+	*                  shared account-scoped `tamer-state` database.
 	* @param stackName Stack identity (`config.stack.name ?? tenant.slug`).
-	*                  The state row in D1 is keyed `cfi_state:{stackName}`,
-	*                  so multiple stacks coexist in one env D1 without
-	*                  clobbering each other. Defaults to `"default"` —
-	*                  unit tests that synthesize a StateManager without
-	*                  a config get a stable key without extra plumbing.
+	*                  Combined with env to form the D1 row key, so multiple
+	*                  stacks and multiple envs coexist in one D1 without
+	*                  clobbering each other. Defaults to `"default"`.
 	*/
 	constructor(tenantId, env, stackName = DEFAULT_STACK_NAME) {
 		this.tenantId = tenantId;
@@ -6755,11 +6796,10 @@ var StateManager = class {
 			this.baselineRevision = this.state.revision ?? 0;
 			return;
 		}
-		const name = tamerStateDatabaseName(this.env);
-		const uuid$1 = await findTamerStateDatabaseUuid(api, this.env);
-		if (!uuid$1) throw new Error(`Tamer state database "${name}" not found. Run: tamer bootstrap --env ${this.env}`);
+		const uuid$1 = await findTamerStateDatabaseUuid(api);
+		if (!uuid$1) throw new Error(`Tamer state database "tamer-state" not found. Run: tamer bootstrap --env ${this.env}`);
 		this.tamerStateDbUuid = uuid$1;
-		const rowKey = stateRowKey(this.stackName);
+		const rowKey = stateRowKey(this.env, this.stackName);
 		const { rows } = await api.d1Query(uuid$1, `SELECT v FROM tamer_kv WHERE k = ?`, [rowKey]);
 		if (rows.length === 0) {
 			this.state = createEmptyCfiState(this.tenantId, this.env);
@@ -6951,7 +6991,7 @@ var StateManager = class {
 			return;
 		}
 		if (!this.dirty || !this.state || !this.tamerStateDbUuid) return;
-		const rowKey = stateRowKey(this.stackName);
+		const rowKey = stateRowKey(this.env, this.stackName);
 		const { rows } = await api.d1Query(this.tamerStateDbUuid, `SELECT v FROM tamer_kv WHERE k = ?`, [rowKey]);
 		let remoteRev = 0;
 		if (rows.length > 0) {
@@ -7333,7 +7373,8 @@ function namingFromConfig(config$1) {
 //#endregion
 //#region src/core/secrets/SecretsVault.ts
 /**
-* Encrypted secrets vault backed by `tamer-secrets-{env}` D1.
+* Encrypted secrets vault backed by account-scoped `tamer-secrets` D1.
+* Each env's secrets are isolated by row key: `{env}:{secretName}`.
 * Stores ciphertext only — never plaintext.
 */
 var SecretsVault = class {
@@ -7343,10 +7384,19 @@ var SecretsVault = class {
 		this.env = env;
 		this.databaseId = databaseId;
 	}
+	/** Convert a logical secret name to its D1 row key: `{env}:{name}`. */
+	key(name) {
+		return secretRowKey(this.env, name);
+	}
+	/** Reverse: strip the `{env}:` prefix from a D1 row key. */
+	unkey(rowKey) {
+		const prefix = `${this.env}:`;
+		return rowKey.startsWith(prefix) ? rowKey.slice(prefix.length) : rowKey;
+	}
 	async dbId() {
 		if (this.databaseId) return this.databaseId;
-		const uuid$1 = await findTamerSecretsDatabaseUuid(this.api, this.env);
-		if (!uuid$1) throw new Error(`secrets vault not provisioned for env "${this.env}" (expected D1 ${tamerSecretsDatabaseName(this.env)}); run tamer bootstrap`);
+		const uuid$1 = await findTamerSecretsDatabaseUuid(this.api);
+		if (!uuid$1) throw new Error(`secrets vault not provisioned (expected D1 "tamer-secrets"); run tamer bootstrap`);
 		this.databaseId = uuid$1;
 		return uuid$1;
 	}
@@ -7354,6 +7404,7 @@ var SecretsVault = class {
 		const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
 		const updatedBy = options?.updatedBy;
 		const db = await this.dbId();
+		const key = this.key(name);
 		await this.api.d1Query(db, `INSERT INTO secrets (
         name, ciphertext, iv, wrapped_dek, dek_iv, value_hash, updated_at, updated_by
       ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
@@ -7365,7 +7416,7 @@ var SecretsVault = class {
         value_hash = excluded.value_hash,
         updated_at = excluded.updated_at,
         updated_by = excluded.updated_by`, [
-			name,
+			key,
 			blobParam(encrypted.ciphertext),
 			blobParam(encrypted.iv),
 			blobParam(encrypted.wrappedDek),
@@ -7376,7 +7427,7 @@ var SecretsVault = class {
 		]);
 		await this.api.d1Query(db, `INSERT INTO secret_history (name, value_hash, updated_at, updated_by)
        VALUES (?, ?, ?, ?)`, [
-			name,
+			key,
 			valueHash,
 			updatedAt,
 			updatedBy ?? null
@@ -7391,24 +7442,24 @@ var SecretsVault = class {
            LIMIT -1 OFFSET ?
          )
        )`, [
-			name,
-			name,
+			key,
+			key,
 			SECRET_HISTORY_CAP
 		]);
 	}
 	async get(name) {
 		const db = await this.dbId();
 		const { rows } = await this.api.d1Query(db, `SELECT name, ciphertext, iv, wrapped_dek, dek_iv, value_hash, updated_at, updated_by
-       FROM secrets WHERE name = ?`, [name]);
+       FROM secrets WHERE name = ?`, [this.key(name)]);
 		if (rows.length === 0) return void 0;
-		return rowToVaultSecret(rows[0]);
+		return rowToVaultSecret(rows[0], this.env);
 	}
 	async list() {
 		const db = await this.dbId();
 		const { rows } = await this.api.d1Query(db, `SELECT name, value_hash, updated_at, updated_by
-       FROM secrets ORDER BY name`);
+       FROM secrets WHERE name LIKE ? ORDER BY name`, [`${this.env}:%`]);
 		return rows.map((row) => ({
-			name: String(row.name),
+			name: this.unkey(String(row.name)),
 			valueHash: row.value_hash,
 			updatedAt: String(row.updated_at),
 			updatedBy: row.updated_by != null ? String(row.updated_by) : void 0
@@ -7416,7 +7467,7 @@ var SecretsVault = class {
 	}
 	async delete(name) {
 		const db = await this.dbId();
-		const { rows } = await this.api.d1Query(db, `DELETE FROM secrets WHERE name = ? RETURNING name`, [name]);
+		const { rows } = await this.api.d1Query(db, `DELETE FROM secrets WHERE name = ? RETURNING name`, [this.key(name)]);
 		return rows.length > 0;
 	}
 	/** Append an audit row (e.g. after `secrets get`) without changing the secret. */
@@ -7426,9 +7477,10 @@ var SecretsVault = class {
 		const updatedAt = (/* @__PURE__ */ new Date()).toISOString();
 		const updatedBy = options?.updatedBy;
 		const db = await this.dbId();
+		const key = this.key(name);
 		await this.api.d1Query(db, `INSERT INTO secret_history (name, value_hash, updated_at, updated_by)
        VALUES (?, ?, ?, ?)`, [
-			name,
+			key,
 			record$1.valueHash,
 			updatedAt,
 			updatedBy ?? null
@@ -7443,8 +7495,8 @@ var SecretsVault = class {
            LIMIT -1 OFFSET ?
          )
        )`, [
-			name,
-			name,
+			key,
+			key,
 			SECRET_HISTORY_CAP
 		]);
 	}
@@ -7453,18 +7505,20 @@ var SecretsVault = class {
 		const { rows } = await this.api.d1Query(db, `SELECT name, value_hash, updated_at, updated_by
        FROM secret_history
        WHERE name = ?
-       ORDER BY updated_at DESC`, [name]);
+       ORDER BY updated_at DESC`, [this.key(name)]);
 		return rows.map((row) => ({
-			name: String(row.name),
+			name: this.unkey(String(row.name)),
 			valueHash: row.value_hash,
 			updatedAt: String(row.updated_at),
 			updatedBy: row.updated_by != null ? String(row.updated_by) : void 0
 		}));
 	}
 };
-function rowToVaultSecret(row) {
+function rowToVaultSecret(row, env) {
+	const rawName = String(row.name);
+	const prefix = `${env}:`;
 	return {
-		name: String(row.name),
+		name: rawName.startsWith(prefix) ? rawName.slice(prefix.length) : rawName,
 		ciphertext: blobFromRow(row.ciphertext),
 		iv: blobFromRow(row.iv),
 		wrappedDek: blobFromRow(row.wrapped_dek),
@@ -7512,7 +7566,7 @@ async function createSecretsContext(options) {
 	const accountId = config$1.account_id ?? cloudflareAccountIdFromEnv();
 	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
 	const api = new CFApiClient(accountId);
-	const vault = new SecretsVault(api, env, await ensureTamerSecretsDatabase(api, env));
+	const vault = new SecretsVault(api, env, await ensureTamerSecretsDatabase(api));
 	const state = new StateManager(config$1.tenant.id, env, stackNameForConfig(config$1));
 	await state.hydrate(api);
 	const masterKey = readMasterKeyFromEnv(env);
@@ -7593,7 +7647,7 @@ function displayPathFromCwd(absOrRel) {
 async function createDeploySecretsResources(api, env) {
 	const resolvedEnv = resolveSecretsEnv(env);
 	return {
-		vault: new SecretsVault(api, resolvedEnv, await ensureTamerSecretsDatabase(api, resolvedEnv)),
+		vault: new SecretsVault(api, resolvedEnv, await ensureTamerSecretsDatabase(api)),
 		masterKey: readMasterKeyFromEnv(resolvedEnv)
 	};
 }
@@ -7606,8 +7660,8 @@ async function runSecretsInit(options) {
 	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
 	const masterKey = generateMasterKey();
 	const varName = masterKeyEnvVarName(env);
-	const uuid$1 = await ensureTamerSecretsDatabase(new CFApiClient(accountId), env);
-	console.log(`Secrets vault ready: D1 uuid=${uuid$1} name=${tamerSecretsDatabaseName(env)}`);
+	const uuid$1 = await ensureTamerSecretsDatabase(new CFApiClient(accountId));
+	console.log(`Secrets vault ready: D1 uuid=${uuid$1} name=${tamerSecretsDatabaseName()}`);
 	console.log("");
 	console.log(`Generated master key for env "${env}" (store in two durable places — CI + password manager):`);
 	console.log("");
@@ -8377,10 +8431,7 @@ const DestroyArgsSchema = BaseArgsSchema.extend({
 	plan: string().optional(),
 	allow_stale: boolean().optional()
 });
-const BootstrapArgsSchema = object({
-	env: string().min(1, { error: "env is required for bootstrap" }),
-	config: string().optional()
-});
+const BootstrapArgsSchema = object({ config: string().optional() });
 const DriftArgsSchema = BaseArgsSchema.extend({ json: boolean().optional() });
 const PlanArgsSchema = BaseArgsSchema.extend({
 	json: boolean().optional(),
@@ -8638,10 +8689,7 @@ function parseImportArgs(argv) {
 function parseBootstrapArgs(argv) {
 	const parsed = BootstrapArgsSchema.safeParse(toOpts(parseArgs(argv)));
 	if (!parsed.success) throw new Error(`Invalid arguments: ${formatZodError(parsed.error)}`);
-	return {
-		env: parsed.data.env,
-		configPath: parsed.data.config
-	};
+	return { configPath: parsed.data.config };
 }
 
 //#endregion
@@ -8654,14 +8702,14 @@ async function main() {
 	try {
 		switch (command) {
 			case "bootstrap":
-				await import("./bootstrap-CV6OT-c9.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
+				await import("./bootstrap-CsL4IT9Z.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
 				break;
 			case "sync":
-				await import("./sync-YKZ5HD8v.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
+				await import("./sync-C5RjLfgk.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
 				break;
 			case "apply": {
 				const a = parseApplyArgs(rest);
-				await import("./apply-BsVQ9cbK.mjs").then((m) => m.runApply({
+				await import("./apply-Cz1lxAOp.mjs").then((m) => m.runApply({
 					env: a.env,
 					addShard: a.addShard,
 					configPath: a.configPath,
@@ -8673,11 +8721,11 @@ async function main() {
 				break;
 			}
 			case "dev":
-				await import("./dev-Bug5l5OZ.mjs").then((m) => m.runDev(parseDevArgs(rest)));
+				await import("./dev-vGQIP7tD.mjs").then((m) => m.runDev(parseDevArgs(rest)));
 				break;
 			case "deploy": {
 				const d = parseDeployArgs(rest);
-				await import("./deploy-dNygCucr.mjs").then((m) => m.runDeploy({
+				await import("./deploy-D2tQrtN9.mjs").then((m) => m.runDeploy({
 					worker: d.worker,
 					env: d.env,
 					configPath: d.configPath,
@@ -8686,23 +8734,23 @@ async function main() {
 				break;
 			}
 			case "migrate":
-				await import("./migrate-DWyUVN1I.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
+				await import("./migrate-DDBMzPtR.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
 				break;
 			case "types":
-				await import("./types-CADr4Kck.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
+				await import("./types-CqmFeIBf.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
 				break;
 			case "status":
-				await import("./status-PlMHsDzT.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
+				await import("./status-_k3a77Fw.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
 				break;
 			case "events":
-				await import("./events-B7Lencm8.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
+				await import("./events-yk4J3l0M.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
 				break;
 			case "drift":
-				exitStatus = await import("./drift-DENAf1Oe.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
+				exitStatus = await import("./drift-C3wIrNyg.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
 				break;
 			case "plan": {
 				const p = parsePlanArgs(rest);
-				exitStatus = await import("./plan-Blxn-yKr.mjs").then((m) => m.runPlan({
+				exitStatus = await import("./plan-Dot2VV7R.mjs").then((m) => m.runPlan({
 					env: p.env,
 					configPath: p.configPath,
 					json: p.json,
@@ -8714,14 +8762,14 @@ async function main() {
 				break;
 			}
 			case "import":
-				await import("./import-Ciq9MN3v.mjs").then((m) => m.runImport(parseImportArgs(rest)));
+				await import("./import-CZ6509_t.mjs").then((m) => m.runImport(parseImportArgs(rest)));
 				break;
 			case "doctor":
-				exitStatus = await import("./doctor-BwuEPYM6.mjs").then((m) => m.runDoctor(parseDoctorArgs(rest)));
+				exitStatus = await import("./doctor-BnsOxqnA.mjs").then((m) => m.runDoctor(parseDoctorArgs(rest)));
 				break;
 			case "provision-tenant": {
 				const p = parseProvisionTenantArgs(rest);
-				await import("./provision-tenant-BHDWTC2U.mjs").then((m) => m.runProvisionTenant({
+				await import("./provision-tenant-C2EL79oz.mjs").then((m) => m.runProvisionTenant({
 					env: p.env,
 					product: p.product,
 					workspace: p.workspace,
@@ -8738,7 +8786,7 @@ async function main() {
 			}
 			case "destroy-tenant": {
 				const t = parseDestroyTenantArgs(rest);
-				await import("./destroy-tenant-hyEb1gEz.mjs").then((m) => m.runDestroyTenant({
+				await import("./destroy-tenant-Ugu7Y1EH.mjs").then((m) => m.runDestroyTenant({
 					env: t.env,
 					product: t.product,
 					workspace: t.workspace,
@@ -8751,7 +8799,7 @@ async function main() {
 			}
 			case "destroy": {
 				const d = parseDestroyArgs(rest);
-				await import("./destroy-C0cKkpWe.mjs").then((m) => m.runDestroy({
+				await import("./destroy-CEv14T0X.mjs").then((m) => m.runDestroy({
 					env: d.env,
 					force: d.force,
 					skipWorkers: d.skipWorkers,
@@ -8766,12 +8814,12 @@ async function main() {
 			case "wfp": {
 				const [sub, ...wfpRest] = rest;
 				if (sub === "put") {
-					const { parseWfpPutArgs, runWfpPut } = await import("./wfp-put-CVw8cloM.mjs");
+					const { parseWfpPutArgs, runWfpPut } = await import("./wfp-put-D0tDs0J5.mjs");
 					await runWfpPut(parseWfpPutArgs(wfpRest));
 					break;
 				}
 				if (sub === "delete") {
-					const { parseWfpDeleteArgs, runWfpDelete } = await import("./wfp-delete-CQc9tveU.mjs");
+					const { parseWfpDeleteArgs, runWfpDelete } = await import("./wfp-delete-C-1pIY3Z.mjs");
 					await runWfpDelete(parseWfpDeleteArgs(wfpRest));
 					break;
 				}
@@ -8791,7 +8839,7 @@ tamer — Cloudflare Workers infrastructure manager
 Usage: tamer <command> [options]
 
 Commands:
-  bootstrap Create per-env Tamer metadata: tamer-state-<env> (D1) and tamer-artifacts-<env> (R2)
+  bootstrap Create account-scoped Tamer metadata: tamer-state (D1), tamer-artifacts (R2), tamer-secrets (D1). Run once per account.
   sync      Sync state from Cloudflare API
   apply     Provision missing resources
   dev       Start wrangler dev (use --all for every worker)
@@ -8871,5 +8919,5 @@ Environment variables (same as Wrangler):
 main();
 
 //#endregion
-export { rewriteIntraStackServiceTargets as A, getWorkers as B, tamerStateDatabaseName as C, mergedWorkerConfigForEnv as D, mergeWorkerConfigForResourcePick as E, ensureTamerSecretsDatabase as F, tamerSecretsDatabaseName as I, CFApiClient as L, wranglerConfigCliArgs as M, effectiveDispatchNamespaceName as N, resolveDeployedWorkerName as O, isEphemeralEnv as P, cloudflareAccountIdFromEnv as R, ensureTamerStateDatabase as S, buildIntraStackScriptNameMap as T, loadConfig as V, tenantDispatchScriptName as _, reconcileSecrets as a, createEmptyCfiState as b, vaultReaderFromMap as c, requiredSecretsForWorker as d, fetchStackImports as f, parseTenantShardRoles as g, StateManager as h, pushSecretsForDeploy as i, resolveReferencesInString as j, resolveWorkerConfig as k, createDeploySecretsResources as l, scanConfigForImports as m, parseSecretsArgs as n, secretsDrift as o, importedStackNames as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, namingFromConfig as u, tenantShardDatabaseName as v, stackNameForConfig as w, destroyTamerStateDatabase as x, tenantStateKey as y, cloudflareApiTokenFromEnv as z };
+export { resolveReferencesInString as A, loadConfig as B, stackNameForConfig as C, resolveDeployedWorkerName as D, mergedWorkerConfigForEnv as E, ensureTamerSecretsDatabase as F, CFApiClient as I, cloudflareAccountIdFromEnv as L, effectiveDispatchNamespaceName as M, isEphemeralEnv as N, resolveWorkerConfig as O, deleteEnvSecretRows as P, cloudflareApiTokenFromEnv as R, ensureTamerStateDatabase as S, mergeWorkerConfigForResourcePick as T, tenantDispatchScriptName as _, reconcileSecrets as a, createEmptyCfiState as b, vaultReaderFromMap as c, requiredSecretsForWorker as d, fetchStackImports as f, parseTenantShardRoles as g, StateManager as h, pushSecretsForDeploy as i, wranglerConfigCliArgs as j, rewriteIntraStackServiceTargets as k, createDeploySecretsResources as l, scanConfigForImports as m, parseSecretsArgs as n, secretsDrift as o, importedStackNames as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, namingFromConfig as u, tenantShardDatabaseName as v, buildIntraStackScriptNameMap as w, deleteEnvStateRows as x, tenantStateKey as y, getWorkers as z };
 //# sourceMappingURL=tamer.mjs.map