@dreamboard-games/cli 0.1.30-alpha.30 → 0.1.30-alpha.32

package/README.md

@@ -1,6 +1,6 @@
 # dreamboard
 
-Dreamboard CLI for working with Dreamboard games from your own editor/tooling.
+Dreamboard for working with Dreamboard games from your own editor/tooling.
 
 Dreamboard is built to take you from napkin sketch to playable prototype without the paper cuts:
 
@@ -18,7 +18,7 @@ Published npm package:
 npm install -g dreamboard
 ```
 
-The published CLI targets Node 20+.
+The published `dreamboard` package targets Node 20+.
 
 ## Why Dreamboard
 
@@ -35,11 +35,11 @@ Use browser login:
 dreamboard auth login
 ```
 
-The CLI stores your refreshable session in `~/.dreamboard/auth.json` by default. The file is written atomically with owner-only permissions (`0600`).
+Dreamboard stores your refreshable session in `~/.dreamboard/auth.json` by default. The file is written atomically with owner-only permissions (`0600`).
 
 The operating system keychain is optional. Set `"credentialBackend": "keychain"` in `~/.dreamboard/config.json`, or use `DREAMBOARD_CREDENTIAL_BACKEND=keychain`, to opt in.
 
-That stored session includes the Clerk refresh token the CLI needs to renew and exchange for short-lived Dreamboard API tokens automatically. Direct JWT injection is intentionally not part of the published CLI flow.
+That stored session includes the Clerk refresh token Dreamboard needs to renew and exchange for short-lived Dreamboard API tokens automatically. Direct JWT injection is intentionally not part of the published Dreamboard flow.
 
 ## Source Checkout Setup
 
@@ -112,15 +112,15 @@ dreamboard dev
 ## Notes
 
 - Project state lives in `.dreamboard/project.json`.
-- Published/public CLI installs target Node 20+ and support commit-scoped
+- Published/public `dreamboard` installs target Node 20+ and support commit-scoped
   build, preview, release, and status workflows.
-- Published/public CLI builds are production-only; they do not support environment overrides or direct JWT injection.
+- Published stable `dreamboard` builds are production-only and do not support environment overrides or direct JWT injection. Published alpha builds allow `--env <local|staging|prod>` for operator verification, but still reject direct JWT injection.
 - Local embedded-harness testing remains Bun-only and requires a source checkout with local backend support.
-- Internal source-checkout builds may expose extra auth and environment helpers, but those are not part of the published CLI contract.
+- Internal source-checkout builds may expose extra auth and environment helpers, but those are not part of the published Dreamboard contract.
 
 ## Skill Source
 
 - Public skill source lives under `skills/dreamboard/`.
 - `skills/dreamboard/references/*.md` are generated from `docs/` via `pnpm run sync:skill-docs`.
 - `dreamboard project create` installs the bundled skill into `.agents/skills/dreamboard/` in the generated game project.
-- Public GitHub repo for the CLI is [dreamboard-games/dreamboard-cli](https://github.com/dreamboard-games/dreamboard-cli).
+- Public GitHub repo for Dreamboard is [dreamboard-games/dreamboard](https://github.com/dreamboard-games/dreamboard).

package/dist/agent-verifier/agent-workspace-verifier.mjs

@@ -4,11 +4,10 @@ import {
   loadProjectConfig
 } from "./chunk-M6YNQZCC.mjs";
 import {
-  clearCredentials,
   getStoredSession,
   loadGlobalConfig,
   withCredentialLock
-} from "./chunk-FNSHNMDY.mjs";
+} from "./chunk-MIRGCMUC.mjs";
 import "./chunk-GWRZRWCF.mjs";
 import {
   readJsonFile,
@@ -1130,10 +1129,29 @@ var consola = createConsola2();
 
 // src/build-target.ts
 var injectedBuildChannel = true ? "development" : void 0;
+var injectedPackageVersion = typeof __DREAMBOARD_PACKAGE_VERSION__ === "string" ? __DREAMBOARD_PACKAGE_VERSION__ : void 0;
 var BUILD_CHANNEL = injectedBuildChannel === "published" ? "published" : "development";
+var PACKAGE_VERSION = injectedPackageVersion ?? "0.0.0-development";
+function isAlphaReleaseVersion(version) {
+  return /(?:^|-|\.)alpha(?:$|-|\.)/.test(version);
+}
 var IS_PUBLISHED_BUILD = BUILD_CHANNEL === "published";
+var IS_ALPHA_RELEASE = isAlphaReleaseVersion(PACKAGE_VERSION);
+var CAN_SELECT_ENVIRONMENT = !IS_PUBLISHED_BUILD || IS_ALPHA_RELEASE;
 var PUBLISHED_ENVIRONMENT = "prod";
 
+// src/auth/refresh-error.ts
+function classifyRefreshError(error) {
+  const message = error.message?.toLowerCase() ?? "";
+  if (error.status === 400 || error.status === 401 || message.includes("invalid_grant") || message.includes("refresh token") || message.includes("expired") || message.includes("revoked")) {
+    return { kind: "permanent_invalid", reason: error.message };
+  }
+  if (error.status === 408 || error.status === 429 || typeof error.status === "number" && error.status >= 500 || message.includes("timeout") || message.includes("network") || message.includes("fetch failed")) {
+    return { kind: "transient", reason: error.message };
+  }
+  return { kind: "unknown", reason: error.message };
+}
+
 // src/auth/clerk-oauth.ts
 import crypto from "crypto";
 async function refreshClerkOAuthToken(input) {
@@ -1241,75 +1259,183 @@ async function exchangeDreamboardUserToken(input) {
   };
 }
 
-// src/auth/user-token-manager.ts
-var TOKEN_REFRESH_WINDOW_MS = 60 * 1e3;
-function createUserTokenManager(config) {
+// src/auth/user-session-manager.ts
+var DEFAULT_TOKEN_MIN_VALIDITY_MS = 60 * 1e3;
+function createUserSessionManager(config) {
   return {
-    async resolveApiToken() {
-      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
-      if (localOrInjected) return localOrInjected;
-      if (!usesStoredSession(config)) return null;
+    async establishRefreshableSession(session) {
       return withCredentialLock(async (ops) => {
-        const stored = await ops.read();
-        const apiToken = freshStoredApiToken(stored);
-        if (apiToken) return apiToken;
-        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const credentials = credentialsFromRefreshableSession(session);
+        await ops.writeFull(credentials);
         const exchanged = await exchangeDreamboardUserToken({
           apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: clerk.accessToken,
+          clerkAccessToken: credentials.accessToken,
           audience: "dreamboard-api"
         });
-        await ops.writeFull({
-          ...clerk,
-          dreamboardApiToken: exchanged.accessToken,
-          dreamboardApiExpiresAt: exchanged.expiresAt
-        });
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-api"
-        };
+        const apiToken = toAccessToken(exchanged);
+        await ops.writeFull(withApiToken(credentials, apiToken));
+        return apiToken;
+      });
+    },
+    async establishAccessOnlySession(accessToken) {
+      await withCredentialLock((ops) => ops.writeAccessOnly(accessToken));
+    },
+    async resolveApiToken(options) {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) return localOrInjected;
+      if (!usesStoredSession(config)) return null;
+      const minValidityMs = options?.minValiditySeconds === void 0 ? DEFAULT_TOKEN_MIN_VALIDITY_MS : Math.max(0, options.minValiditySeconds * 1e3);
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        return resolveStoredApiToken(ops, config, stored, minValidityMs);
       });
     },
     async resolveGitToken() {
-      if (!usesStoredSession(config) && config.authToken) {
-        const exchanged = await exchangeDreamboardUserToken({
-          apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: config.authToken,
-          audience: "dreamboard-git"
-        });
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-git"
-        };
-      }
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-git");
+      if (localOrInjected) return localOrInjected;
       if (!usesStoredSession(config)) {
-        throw new Error(
-          "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+        throw missingSessionError();
+      }
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const clerk = await resolveFreshClerkSession(ops, config, stored);
+        return toAccessToken(
+          await exchangeDreamboardUserToken({
+            apiBaseUrl: config.apiBaseUrl,
+            clerkAccessToken: clerk.accessToken,
+            audience: "dreamboard-git"
+          })
         );
+      });
+    },
+    async inspectSession() {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) {
+        return inspectAccessOnlyToken(localOrInjected);
+      }
+      if (!usesStoredSession(config)) {
+        return { kind: "none" };
       }
       return withCredentialLock(async (ops) => {
         const stored = await ops.read();
-        const clerk = await resolveFreshClerkAccessToken(config, stored);
-        const exchanged = await exchangeDreamboardUserToken({
-          apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: clerk.accessToken,
-          audience: "dreamboard-git"
-        });
-        await ops.writeFull(clerk);
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-git"
-        };
+        if (!stored) return { kind: "none" };
+        const cached = freshStoredApiToken(
+          stored,
+          DEFAULT_TOKEN_MIN_VALIDITY_MS
+        );
+        if (cached) {
+          return activeStatus("refreshable", cached, false);
+        }
+        try {
+          const token = await resolveStoredApiToken(
+            ops,
+            config,
+            stored,
+            DEFAULT_TOKEN_MIN_VALIDITY_MS
+          );
+          return activeStatus("refreshable", token, true);
+        } catch (error) {
+          return failedRefreshableStatus(error);
+        }
       });
     },
     async logout() {
-      await clearCredentials("user_token_manager_logout");
+      await withCredentialLock((ops) => ops.clear("logout_command"));
     }
   };
 }
+async function resolveStoredApiToken(ops, config, stored, minValidityMs) {
+  const cached = freshStoredApiToken(stored, minValidityMs);
+  if (cached) return cached;
+  const clerk = await resolveFreshClerkSession(ops, config, stored);
+  const exchanged = await exchangeDreamboardUserToken({
+    apiBaseUrl: config.apiBaseUrl,
+    clerkAccessToken: clerk.accessToken,
+    audience: "dreamboard-api"
+  });
+  const apiToken = toAccessToken(exchanged);
+  await ops.writeFull(withApiToken(clerk, apiToken));
+  return apiToken;
+}
+async function resolveFreshClerkSession(ops, config, stored) {
+  if (!stored) {
+    throw missingSessionError();
+  }
+  if (!stored.refreshToken) {
+    throw new Error(
+      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
+    );
+  }
+  if (stored.accessToken && isFresh(
+    stored.tokenExpiresAt,
+    stored.accessToken,
+    DEFAULT_TOKEN_MIN_VALIDITY_MS
+  )) {
+    return credentialsFromStored(config, stored);
+  }
+  const payload = await refreshClerkOAuthToken({
+    config: {
+      issuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      tokenUrl: stored.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
+    },
+    refreshToken: stored.refreshToken
+  });
+  const refreshed = {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    tokenExpiresAt: payload.expiresAt,
+    dreamboardApiToken: stored.dreamboardApiToken,
+    dreamboardApiExpiresAt: stored.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: payload.tokenUrl,
+    environment: stored.environment ?? config.environment
+  };
+  await ops.writeFull(refreshed);
+  return refreshed;
+}
+function credentialsFromStored(config, stored) {
+  if (!stored.accessToken || !stored.refreshToken) {
+    throw missingSessionError();
+  }
+  return {
+    accessToken: stored.accessToken,
+    refreshToken: stored.refreshToken,
+    tokenExpiresAt: stored.tokenExpiresAt,
+    dreamboardApiToken: stored.dreamboardApiToken,
+    dreamboardApiExpiresAt: stored.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: stored.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
+    environment: stored.environment ?? config.environment
+  };
+}
+function credentialsFromRefreshableSession(session) {
+  return {
+    accessToken: session.clerkAccessToken,
+    refreshToken: session.refreshToken,
+    tokenExpiresAt: session.clerkAccessExpiresAt,
+    clerkOAuthIssuer: session.clerkOAuthIssuer,
+    clerkOAuthClientId: session.clerkOAuthClientId,
+    clerkOAuthTokenUrl: session.clerkOAuthTokenUrl,
+    environment: session.environment
+  };
+}
+function withApiToken(credentials, token) {
+  return {
+    ...credentials,
+    dreamboardApiToken: token.token,
+    dreamboardApiExpiresAt: token.expiresAt
+  };
+}
+function toAccessToken(token) {
+  return {
+    token: token.accessToken,
+    expiresAt: token.expiresAt,
+    audience: token.audience
+  };
+}
 function resolveNonStoredToken(config, audience) {
   if (usesStoredSession(config)) return null;
   if (!config.authToken) return null;
@@ -1319,9 +1445,13 @@ function resolveNonStoredToken(config, audience) {
     audience
   };
 }
-function freshStoredApiToken(stored) {
+function freshStoredApiToken(stored, minValidityMs) {
   if (!stored?.dreamboardApiToken) return null;
-  if (isFresh(stored.dreamboardApiExpiresAt, stored.dreamboardApiToken)) {
+  if (isFresh(
+    stored.dreamboardApiExpiresAt,
+    stored.dreamboardApiToken,
+    minValidityMs
+  )) {
     return {
       token: stored.dreamboardApiToken,
       expiresAt: stored.dreamboardApiExpiresAt,
@@ -1330,49 +1460,60 @@ function freshStoredApiToken(stored) {
   }
   return null;
 }
-async function resolveFreshClerkAccessToken(config, stored) {
-  const accessToken = stored?.accessToken ?? config.clerkAccessToken;
-  const refreshToken = stored?.refreshToken ?? config.refreshToken;
-  const tokenExpiresAt = stored?.tokenExpiresAt ?? config.clerkAccessExpiresAt;
-  if (!refreshToken) {
-    throw new Error(
-      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
-    );
-  }
-  if (accessToken && isFresh(tokenExpiresAt, accessToken)) {
+function inspectAccessOnlyToken(token) {
+  const expiry = resolveExpiry(token.expiresAt, token.token);
+  if (expiry && expiry.getTime() <= Date.now()) {
     return {
-      accessToken,
-      refreshToken,
-      tokenExpiresAt,
-      dreamboardApiToken: stored?.dreamboardApiToken,
-      dreamboardApiExpiresAt: stored?.dreamboardApiExpiresAt,
-      clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-      clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-      clerkOAuthTokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
-      environment: stored?.environment ?? config.environment
+      kind: "invalid",
+      sessionKind: "access-only",
+      message: "Stored Dreamboard access token is expired. Run `dreamboard auth login` to authenticate again."
     };
   }
-  const payload = await refreshClerkOAuthToken({
-    config: {
-      issuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-      clientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-      tokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
-    },
-    refreshToken
+  return activeStatus("access-only", token, false);
+}
+function failedRefreshableStatus(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  const errorStatus = typeof error === "object" && error !== null && "status" in error ? error.status : void 0;
+  const classification = classifyRefreshError({
+    message,
+    status: typeof errorStatus === "number" ? errorStatus : void 0
   });
+  if (classification.kind === "permanent_invalid") {
+    return {
+      kind: "invalid",
+      sessionKind: "refreshable",
+      message
+    };
+  }
   return {
-    accessToken: payload.accessToken,
-    refreshToken: payload.refreshToken,
-    tokenExpiresAt: payload.expiresAt,
-    clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-    clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-    clerkOAuthTokenUrl: payload.tokenUrl,
-    environment: stored?.environment ?? config.environment
+    kind: "degraded",
+    sessionKind: "refreshable",
+    message
   };
 }
-function isFresh(expiresAt, token) {
-  const expiry = expiresAt ? new Date(expiresAt) : getJwtExpiry(token);
-  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + TOKEN_REFRESH_WINDOW_MS;
+function activeStatus(sessionKind, apiToken, repaired) {
+  return {
+    kind: "active",
+    sessionKind,
+    apiToken,
+    repaired
+  };
+}
+function missingSessionError() {
+  return new Error(
+    "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+  );
+}
+function isFresh(expiresAt, token, minValidityMs) {
+  const expiry = resolveExpiry(expiresAt, token);
+  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + minValidityMs;
+}
+function resolveExpiry(expiresAt, token) {
+  if (expiresAt) {
+    const parsed = new Date(expiresAt);
+    return Number.isFinite(parsed.getTime()) ? parsed : null;
+  }
+  return getJwtExpiry(token);
 }
 function getJwtExpiry(accessToken) {
   if (!accessToken) return null;
@@ -1479,21 +1620,20 @@ function isLocalAwsUrl(rawUrl) {
 }
 
 // src/config/resolve.ts
-var DEFAULT_REFRESH_WINDOW_MS = 5 * 60 * 1e3;
 var TRANSIENT_READ_RETRY_DELAYS_MS = [100, 300];
 function resolveConfig(globalConfig, flags, project, credentials) {
   if (IS_PUBLISHED_BUILD) {
     assertPublicRuntimeFlags(flags);
   }
-  const envEnvironment = IS_PUBLISHED_BUILD ? void 0 : environmentFromProcess();
-  const projectEnvironment = IS_PUBLISHED_BUILD ? void 0 : project?.environment;
-  const environment = IS_PUBLISHED_BUILD ? PUBLISHED_ENVIRONMENT : flags.env || envEnvironment || projectEnvironment || globalConfig.environment || "staging";
+  const envEnvironment = CAN_SELECT_ENVIRONMENT ? environmentFromProcess() : void 0;
+  const projectEnvironment = CAN_SELECT_ENVIRONMENT ? project?.environment : void 0;
+  const environment = CAN_SELECT_ENVIRONMENT ? flags.env || envEnvironment || projectEnvironment || globalConfig.environment || (IS_PUBLISHED_BUILD ? PUBLISHED_ENVIRONMENT : "staging") : PUBLISHED_ENVIRONMENT;
   const envConfig = ENVIRONMENT_CONFIGS[environment];
   const publishedEnvConfig = ENVIRONMENT_CONFIGS[PUBLISHED_ENVIRONMENT];
-  const hasExplicitEnvironmentOverride = !IS_PUBLISHED_BUILD && Boolean(flags.env || envEnvironment || projectEnvironment);
-  const resolvedApiBaseUrl = IS_PUBLISHED_BUILD ? publishedEnvConfig?.apiBaseUrl ?? DEFAULT_API_BASE_URL : hasExplicitEnvironmentOverride ? projectLocalBaseUrl(project?.apiBaseUrl, environment) || envConfig?.apiBaseUrl || DEFAULT_API_BASE_URL : project?.apiBaseUrl || envConfig?.apiBaseUrl || DEFAULT_API_BASE_URL;
+  const hasExplicitEnvironmentOverride = CAN_SELECT_ENVIRONMENT && Boolean(flags.env || envEnvironment || projectEnvironment);
+  const resolvedApiBaseUrl = IS_PUBLISHED_BUILD && !CAN_SELECT_ENVIRONMENT ? publishedEnvConfig?.apiBaseUrl ?? DEFAULT_API_BASE_URL : hasExplicitEnvironmentOverride ? projectLocalBaseUrl(project?.apiBaseUrl, environment) || envConfig?.apiBaseUrl || DEFAULT_API_BASE_URL : project?.apiBaseUrl || envConfig?.apiBaseUrl || DEFAULT_API_BASE_URL;
   const apiBaseUrl = valueOrUndefined(process.env.DREAMBOARD_API_BASE_URL) ?? resolvedApiBaseUrl;
-  const resolvedWebBaseUrl = IS_PUBLISHED_BUILD ? publishedEnvConfig?.webBaseUrl ?? DEFAULT_WEB_BASE_URL : hasExplicitEnvironmentOverride ? projectLocalBaseUrl(project?.webBaseUrl, environment) || envConfig?.webBaseUrl || DEFAULT_WEB_BASE_URL : project?.webBaseUrl || envConfig?.webBaseUrl || DEFAULT_WEB_BASE_URL;
+  const resolvedWebBaseUrl = IS_PUBLISHED_BUILD && !CAN_SELECT_ENVIRONMENT ? publishedEnvConfig?.webBaseUrl ?? DEFAULT_WEB_BASE_URL : hasExplicitEnvironmentOverride ? projectLocalBaseUrl(project?.webBaseUrl, environment) || envConfig?.webBaseUrl || DEFAULT_WEB_BASE_URL : project?.webBaseUrl || envConfig?.webBaseUrl || DEFAULT_WEB_BASE_URL;
   const webBaseUrl = valueOrUndefined(process.env.DREAMBOARD_WEB_BASE_URL) ?? resolvedWebBaseUrl;
   const snapshot = buildCredentialSnapshot(flags, credentials, environment);
   const oauthConfig = resolveEnvironmentOAuthConfig(environment, envConfig);
@@ -1598,9 +1738,10 @@ function projectLocalBaseUrl(rawUrl, environment) {
     return void 0;
   }
 }
-function assertPublicRuntimeFlags(flags) {
-  const argv2 = process.argv.slice(2);
-  if (flags.env || argv2.includes("--env")) {
+function assertPublicRuntimeFlags(flags, options = {}) {
+  const canSelectEnvironment = options.canSelectEnvironment ?? CAN_SELECT_ENVIRONMENT;
+  const argv2 = options.argv ?? process.argv.slice(2);
+  if (!canSelectEnvironment && (flags.env || argv2.includes("--env"))) {
     throw new Error(
       "The published Dreamboard CLI is production-only and does not accept `--env`."
     );
@@ -1618,7 +1759,7 @@ function assertPublicRuntimeFlags(flags) {
 }
 async function configureClient(config) {
   const localHarnessToken = resolveLocalHarnessAccessToken(config);
-  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserTokenManager(config).resolveApiToken();
+  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserSessionManager(config).resolveApiToken();
   const effectiveAccessToken = resolvedToken?.token;
   client.setConfig({
     baseUrl: config.apiBaseUrl,
@@ -1879,7 +2020,7 @@ Usage:
 }
 async function materializePreparedWorkspace(args) {
   const inputPath = readRequiredOption(args, "--input");
-  const { materializeWorkspaceProject } = await import("./materialize-workspace-K4WYFG5E.mjs");
+  const { materializeWorkspaceProject } = await import("./materialize-workspace-J2S4XIIC.mjs");
   const input = JSON.parse(await readFile(inputPath, "utf8"));
   await materializeWorkspaceProject({
     ...input,
@@ -1947,7 +2088,7 @@ async function runCloudLocalVerification(projectRoot, projectConfig, config) {
     { assertReducerContractPreflight },
     { getProjectLocalMaintainerRegistry }
   ] = await Promise.all([
-    import("./static-scaffold-MHVM63HU.mjs"),
+    import("./static-scaffold-56QBCO6P.mjs"),
     import("./local-files-OF4QFISU.mjs"),
     import("./workspace-codegen-SPPVHURX.mjs"),
     import("./workspace-dependencies-5HEEKZFP.mjs"),