@elevasis/sdk 0.4.9 → 0.4.10

package/dist/cli.cjs

@@ -43780,6 +43780,38 @@ async function apiPost(endpoint, body, apiUrl = resolveApiUrl()) {
   }
   return response.json();
 }
+async function apiPatch(endpoint, body, apiUrl = resolveApiUrl()) {
+  const response = await fetch(`${apiUrl}${endpoint}`, {
+    method: "PATCH",
+    headers: {
+      Authorization: `Bearer ${getApiKey()}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`API request failed (${response.status}): ${errorText}`);
+  }
+  if (response.status === 204) {
+    return {};
+  }
+  return response.json();
+}
+async function apiDelete(endpoint, apiUrl = resolveApiUrl()) {
+  const response = await fetch(`${apiUrl}${endpoint}`, {
+    method: "DELETE",
+    headers: { Authorization: `Bearer ${getApiKey()}` }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`API request failed (${response.status}): ${errorText}`);
+  }
+  if (response.status === 204) {
+    return {};
+  }
+  return response.json();
+}
 
 // package.json
 var package_default = {
@@ -44498,7 +44530,7 @@ function registerDescribeCommand(program3) {
 // src/cli/commands/init.ts
 var import_path3 = require("path");
 var import_promises2 = require("fs/promises");
-var TEMPLATE_VERSION = 5;
+var TEMPLATE_VERSION = 9;
 var INIT_ONLY_FILES = [
   "package.json",
   "pnpm-workspace.yaml",
@@ -44528,7 +44560,9 @@ var MANAGED_FILES = [
   ".claude/commands/database.md",
   ".claude/commands/agent.md",
   ".claude/commands/profile.md",
-  ".claude/commands/meta.md"
+  ".claude/commands/meta.md",
+  ".claude/commands/work.md",
+  ".claude/skills/creds/SKILL.md"
 ];
 var SCAFFOLD_FILES = [...INIT_ONLY_FILES, ...MANAGED_FILES];
 function registerInitCommand(program3) {
@@ -44558,6 +44592,7 @@ function registerInitCommand(program3) {
     await (0, import_promises2.mkdir)((0, import_path3.resolve)(targetDir, "src/shared"), { recursive: true });
     await (0, import_promises2.mkdir)((0, import_path3.resolve)(targetDir, "docs/in-progress"), { recursive: true });
     await (0, import_promises2.mkdir)((0, import_path3.resolve)(targetDir, ".claude/commands"), { recursive: true });
+    await (0, import_promises2.mkdir)((0, import_path3.resolve)(targetDir, ".claude/skills/creds"), { recursive: true });
     const files = {
       "elevasis.config.ts": configTemplate(),
       "package.json": packageJsonTemplate(orgSlug),
@@ -44585,7 +44620,9 @@ function registerInitCommand(program3) {
       ".claude/commands/database.md": claudeDatabaseCommandTemplate(),
       ".claude/commands/agent.md": claudeAgentCommandTemplate(),
       ".claude/commands/profile.md": claudeProfileCommandTemplate(),
-      ".claude/commands/meta.md": claudeMetaCommandTemplate()
+      ".claude/commands/meta.md": claudeMetaCommandTemplate(),
+      ".claude/commands/work.md": claudeWorkCommandTemplate(),
+      ".claude/skills/creds/SKILL.md": claudeCredsSkillTemplate()
     };
     for (const [filePath, content] of Object.entries(files)) {
       await (0, import_promises2.writeFile)((0, import_path3.resolve)(targetDir, filePath), content, "utf-8");
@@ -44725,7 +44762,7 @@ elevasis executions <resourceId>      # View execution history
 ### Platform Status Workflow (\`src/operations/\`)
 
 A multi-step workflow that queries platform status and compiles a natural language
-summary using an LLM. Demonstrates real platform API usage with \`platform.call()\`.
+summary using an LLM. Demonstrates platform API usage with the \`llm\` typed adapter and \`platform.call()\`.
 
 \`\`\`bash
 elevasis exec platform-status --input '{"timeRange": "24h"}'
@@ -44798,6 +44835,7 @@ proactivity -- to their assessed levels.
 | Credential model | \`reference/security/credentials.mdx\` | Setting up integrations or tool access |
 | Interaction guidance | \`reference/developer/interaction-guidance.mdx\` | Unsure how to adapt for a skill combination |
 | Error history | \`.claude/memory/errors/index.md\` | Debugging errors, checking past fixes |
+| Command View model | \`reference/deployment/command-view.mdx\` | Deploying or building resources that invoke other resources |
 | SDK error reference | \`reference/troubleshooting/common-errors.mdx\` | Unknown error not in workspace memory |
 | Project resource map | \`docs/navigation.mdx\` | Understanding what's deployed |
 | Project priorities | \`docs/priorities.mdx\` | Deciding what to work on next |
@@ -44817,7 +44855,7 @@ All \`reference/\` paths resolve to \`node_modules/@elevasis/sdk/reference/\`.
 - \`StepType\`, \`ExecutionError\`, \`ToolingError\` are runtime imports from \`'@elevasis/sdk'\`
 - \`platform\`, \`PlatformToolError\` are runtime imports from \`'@elevasis/sdk/worker'\`
 - \`.env\` is for CLI authentication only (\`ELEVASIS_API_KEY\`) -- never deployed, never in workers
-- Integration credentials are managed via the platform credential system (command center UI)
+- Integration credentials are managed via the \`creds\` skill (auto-triggers when you mention credentials) or the Command Center UI
 - Documentation goes in \`docs/\` as \`.mdx\` files
 - \`dist/\` is generated by deploy -- never commit it
 - \`resourceId\` must be lowercase with hyphens, unique per organization
@@ -44851,7 +44889,8 @@ For detailed per-dimension adaptation rules, read
 | Command | Purpose |
 | --- | --- |
 | \`/meta\` | Project lifecycle: init, status, update, fix, deploy, health, develop |
-| \`/docs\` | Documentation lifecycle: create, checkpoint, cleanup, resume, verify |
+| \`/docs\` | Documentation lifecycle: create, review, verify |
+| \`/work\` | Task tracking: start, save, resume, done, list |
 | \`/database\` | Database operations: init, browse, query, schema, import |
 | \`/resource\` | Scaffold a new workflow or agent |
 | \`/templates\` | Discover and apply workflow templates |
@@ -44860,6 +44899,14 @@ For detailed per-dimension adaptation rules, read
 | \`/help\` | Command tree and navigation map |
 | \`/profile\` | View and update developer profile |
 
+## Skills
+
+Skills auto-trigger based on conversation context. You do not need to invoke them manually.
+
+| Skill | Triggers When |
+| --- | --- |
+| \`creds\` | You mention credentials, API keys, secrets, webhook secrets, or setting up integrations |
+
 ## Maintaining Memory
 
 ### What Memory Is
@@ -44918,21 +44965,6 @@ Populate with content based on the resource definitions in src/.
 **\`review\`:** Review all docs/ files for accuracy against the actual resource
 definitions. Flag mismatches between documented schemas and code.
 
-**\`checkpoint\`:** Save current work progress for session resume.
-Create or update \`docs/in-progress/<topic>.mdx\` with:
-- Current state and decisions made
-- Remaining work and blockers
-- Update \`docs/priorities.mdx\` with task status
-
-**\`cleanup\`:** Move completed documents from \`docs/in-progress/\` to their
-final location in \`docs/\`. Review each in-progress doc to determine if it's
-complete. Incomplete docs remain in \`docs/in-progress/\`.
-Also rebuild \`docs/navigation.mdx\` from the current project state.
-
-**\`resume\`:** Start-of-session command. Review in-progress docs, priorities,
-and recent deployment state. Present a summary: what's in progress, what's
-blocking, what's next. Offer to continue the highest-priority item.
-
 **\`verify [path]\`:** Cross-reference documentation with the codebase.
 Read the specified doc (or all docs if no path), compare claims against actual
 code (resource IDs, schema fields, platform tools used), and report
@@ -44986,10 +45018,14 @@ cannot specify schemas directly.
 - Add to \`src/index.ts\` registry
 
 **\`tool-step <name>\`:** Create a step that calls a platform tool:
-- Import \`{ platform, PlatformToolError }\` from '@elevasis/sdk/worker'
-- Use \`await platform.call({ tool, method, params, credential })\`
+- Prefer typed adapters: \`import { createAttioAdapter, scheduler, llm } from '@elevasis/sdk/worker'\`
+- Integration tools: \`const attio = createAttioAdapter('cred'); await attio.listRecords({...})\`
+- Platform singletons: \`await scheduler.createSchedule({...})\`, \`await llm.generate({...})\`
+- Fallback for tools without adapters: \`await platform.call({ tool, method, params, credential })\`
+- Import \`{ PlatformToolError }\` from '@elevasis/sdk/worker' for error handling
 - Wrap in try/catch for PlatformToolError
 - Note: 60s timeout per call, credential required for integration tools
+- See reference/platform-tools/adapters.mdx for the full adapter API
 `;
 }
 function claudeTutorialCommandTemplate() {
@@ -45042,7 +45078,10 @@ Observation focus: optional fields, types, suggesting own fields.
 **Lesson 4: Using Platform Tools**
 Explain platform tools (concepts page). Browse available tools via
 reference/platform-tools/index.mdx. Pick a tool based on user's goals.
-Build: add a platform.call() step. Explain credential setup.
+Build: add a tool step using typed adapters (preferred) or platform.call().
+Show adapter pattern: \`const attio = createAttioAdapter('cred')\`.
+Show singleton pattern: \`import { scheduler, llm } from '@elevasis/sdk/worker'\`.
+Explain credential setup. See reference/platform-tools/adapters.mdx for full API.
 Observation focus: credential model, async/await.
 
 **Lesson 5: Multi-Step Workflows**
@@ -45103,11 +45142,17 @@ Available Commands:
 /docs            Documentation lifecycle
   /docs            Show documentation status
   /docs create     Create new documentation page
-  /docs checkpoint Save progress for session resume
-  /docs cleanup    Move completed docs, rebuild navigation maps
-  /docs resume     Review in-progress work and priorities
+  /docs review     Review docs for accuracy
   /docs verify     Cross-reference docs with codebase for accuracy
 
+/work            Task tracking
+  /work            Show current tasks
+  /work start      Create new task
+  /work save       Save progress for session resume
+  /work resume     Resume in-progress work
+  /work done       Complete and move task
+  /work list       List all tasks with status
+
 /database        Database operations
   /database init     Connect Supabase project
   /database browse   Query and display table contents
@@ -45234,14 +45279,14 @@ You are an agent development assistant for this Elevasis workspace.
 
 Agent definitions are accepted by the SDK and appear in the registry.
 Autonomous agent execution (multi-turn tool use loops) is deferred.
-LLM calls are available via \`platform.call({ tool: 'llm' })\` as a workaround.
+LLM calls are available via the \`llm\` typed adapter: \`import { llm } from '@elevasis/sdk/worker'\`, then \`await llm.generate({ messages: [...] })\`.
 
 ## Operations
 
 **\`/agent\` (no args):** Explain the current state:
 - Agent definitions are accepted by the SDK and appear in the registry
 - Autonomous agent execution (multi-turn tool use loops) is deferred
-- LLM calls are available via platform.call({ tool: 'llm' }) as a workaround
+- LLM calls are available via the \`llm\` typed adapter (\`import { llm } from '@elevasis/sdk/worker'\`)
 - Show the AgentDefinition pattern for future use
 
 **\`/agent scaffold <name>\`:** Create an agent definition with:
@@ -45398,6 +45443,9 @@ Detect and repair drift without a version upgrade:
 
 ### \`/meta deploy\` -- Full Deploy Pipeline
 
+0. Read \`reference/deployment/command-view.mdx\` -- understand the Command View
+   model, relationship declarations, and what deploy-time validation checks.
+   This context is essential for diagnosing validation failures in steps 1-2.
 1. Run \`elevasis check\` (validation)
 2. Type check if \`tsconfig.json\` exists
 3. Verify docs reflect current resources
@@ -45409,6 +45457,8 @@ Detect and repair drift without a version upgrade:
 9. If git configured and remote exists: optionally push
 
 Each step reports its result. Pipeline stops on failure with suggested fix.
+If validation fails with relationship errors, re-read \`reference/deployment/command-view.mdx\`
+for the enforcement model and common fixes.
 
 ### \`/meta health\` -- Execution Debugging
 
@@ -45447,6 +45497,147 @@ The agent reads current templates from the installed SDK:
 \`@elevasis/sdk/templates\` subpath exports all template functions.
 `;
 }
+function claudeWorkCommandTemplate() {
+  return `# /work command
+
+You are a task tracking assistant for this Elevasis workspace.
+
+## Context
+
+Read \`docs/priorities.mdx\` if it exists for current priorities.
+Scan \`docs/in-progress/\` for task documents with \`status\` frontmatter.
+
+## Operations
+
+**No arguments (default):** Show tasks from \`docs/in-progress/\` with status
+from frontmatter, cross-referenced with \`docs/priorities.mdx\`.
+
+**\`start <description>\`:** Create a task doc in \`docs/in-progress/<name>.mdx\`:
+1. Derive a kebab-case filename from the description
+2. Create the file with frontmatter (\`status: in-progress\`)
+3. Add sections: Objective, Plan, Progress, Resume Context
+4. Update \`docs/priorities.mdx\` with the new task
+5. Report what was created
+
+**\`save\`:** Update the current task doc's Progress and Resume Context sections:
+1. Identify the current task from conversation context
+2. Update Progress section (completed steps, files changed, decisions)
+3. Update Resume Context section with:
+   - Current State (date, what was done, what's next)
+   - Files Modified (table of changed files)
+   - Key docs to read on resume (file paths)
+   - To continue (copy-pasteable prompt)
+4. Set \`status\` appropriately
+
+**\`resume [name]\`:** Resume in-progress work:
+1. If name given, find matching doc in \`docs/in-progress/\`
+2. If no name, scan for docs with \`status: in-progress\`, ask if multiple
+3. Parse Resume Context section
+4. Present: "Resuming [task]. Last completed: [step]. Next: [step]."
+
+**\`done [name]\`:** Mark task complete:
+1. Find the task doc
+2. Set \`status: complete\` in frontmatter
+3. Move from \`docs/in-progress/\` to final \`docs/\` location
+4. Update \`docs/priorities.mdx\`
+
+**\`list\`:** Show all tasks with status:
+1. Scan \`docs/in-progress/*.mdx\` for frontmatter
+2. Display status table sorted by status (in-progress first)
+`;
+}
+function claudeCredsSkillTemplate() {
+  return `---
+name: creds
+description: "Credential management assistant. TRIGGER when: user mentions credentials, API keys, secrets, webhook secrets, or asks to set up integrations that need authentication. DO NOT TRIGGER when: user is discussing code that references credentials without needing to manage them."
+---
+
+# Credential Management
+
+You are a credential management assistant for this Elevasis workspace.
+
+## Context
+
+Credentials are stored encrypted (AES-256-GCM) on the Elevasis platform and scoped to your
+organization. They are used by workflows and agents at runtime via \`platform.getCredential()\`
+or the \`credential:\` field on tool steps.
+
+The SDK CLI (\`elevasis-sdk creds\`) manages credentials via API key authentication.
+Your \`ELEVASIS_API_KEY\` in \`.env\` determines the organization.
+
+## Credential Types
+
+| Type | Value Format | Example Providers |
+| --- | --- | --- |
+| \`api-key\` | \`{"apiKey": "sk-..."}\` | Stripe, Resend, Apify, Attio, Instantly |
+| \`webhook-secret\` | \`{"signingSecret": "whsec_..."}\` | Cal.com, Stripe webhooks |
+| \`trello\` | \`{"apiKey": "...", "token": "..."}\` | Trello |
+| \`oauth\` | N/A (browser flow only) | Notion, Google Sheets, Dropbox |
+
+OAuth credentials **cannot** be created via CLI. Redirect the user to the Command Center UI.
+
+## Naming Rules
+
+- Lowercase letters, digits, and hyphens only (\`[a-z0-9-]\`)
+- No consecutive hyphens (\`--\`)
+- 1-100 characters
+- Convention: \`{org}-{provider}\` (e.g., \`tester-stripe-key\`, \`my-project-resend\`)
+
+## Operations
+
+**No arguments (default):** Show this reference and list credentials.
+
+**\`list\`:** List all credentials for the organization.
+\`\`\`bash
+elevasis-sdk creds list
+\`\`\`
+Display the output. Note which are \`oauth\` (not modifiable via CLI).
+
+**\`create\`:** Guided credential creation flow:
+1. Ask credential type (\`api-key\`, \`webhook-secret\`, or \`trello\`). Not \`oauth\`.
+2. Ask credential name. Validate naming rules before proceeding.
+3. Ask the user to paste the credential value directly in chat.
+   - For \`api-key\`: ask for the API key, construct \`{"apiKey": "..."}\`
+   - For \`webhook-secret\`: ask for the signing secret, construct \`{"signingSecret": "..."}\`
+   - For \`trello\`: ask for API key AND user token, construct \`{"apiKey": "...", "token": "..."}\`
+4. Pipe to CLI: \`echo '{"apiKey":"..."}' | elevasis-sdk creds create --name {name} --type {type}\`
+5. Confirm success. **NEVER echo the credential value back.**
+
+**\`update\`:** Update credential value:
+1. Run \`elevasis-sdk creds list\` to confirm the credential exists.
+2. Ask the user to paste the new value.
+3. Pipe to CLI: \`echo '{"apiKey":"..."}' | elevasis-sdk creds update {name}\`
+4. Confirm success. **NEVER echo the value.**
+
+**\`rename\`:** Rename a credential:
+1. Run \`elevasis-sdk creds list\` to confirm it exists.
+2. Ask for the new name. Validate naming rules.
+3. Run: \`elevasis-sdk creds rename {name} --to {newName}\`
+
+**\`delete\`:** Delete a credential:
+1. Run \`elevasis-sdk creds list\` to confirm it exists.
+2. Confirm with user before proceeding.
+3. Run: \`elevasis-sdk creds delete {name} --force\`
+
+**\`webhook-url\`:** Generate a webhook URL:
+Ask for provider, org UUID, resource ID, and credential name. Construct:
+\`POST https://api.elevasis.io/api/webhooks/{provider}?org={uuid}&resource={resourceId}&credential={credentialName}\`
+
+**\`audit\`:** Scan project for credential references:
+1. Search \`src/**/*.ts\` for \`credential:\` patterns and \`platform.getCredential()\` calls.
+2. Extract all credential names referenced.
+3. Run \`elevasis-sdk creds list\` to get the actual credential list.
+4. Report: missing credentials (referenced but not created), unused credentials (created but not referenced).
+
+## Security Rules (MANDATORY)
+
+- **NEVER** log, repeat, or display credential values after the user provides them
+- **NEVER** store credential values in files, memory, or command history
+- If an API call fails, ask the user to **re-paste** rather than retrying with a cached value
+- Always confirm name and type **before** asking for the value
+- OAuth credentials cannot be created via CLI -- redirect to Command Center UI
+`;
+}
 function starterTemplate() {
   return `import type { OrganizationResources } from '@elevasis/sdk'
 import * as operations from './operations/index.js'
@@ -45508,6 +45699,7 @@ function platformStatusTemplate() {
   return `import type { WorkflowDefinition } from '@elevasis/sdk'
 import { StepType } from '@elevasis/sdk'
 import { platform } from '@elevasis/sdk/worker'
+import { llm } from '@elevasis/sdk/worker'
 import { z } from 'zod'
 
 const input = z.object({
@@ -45559,33 +45751,29 @@ export const platformStatus: WorkflowDefinition = {
       description: 'Generates a natural language summary from raw status data',
       handler: async (rawInput) => {
         const { raw } = rawInput as z.infer<typeof statusData>
-        const result = await platform.call({
-          tool: 'llm',
-          method: 'generate',
-          params: {
-            provider: 'google',
-            model: 'gemini-3-flash-preview',
-            messages: [
-              {
-                role: 'user',
-                content: [
-                  'Summarize this platform status overview in 3-5 concise bullet points.',
-                  'Focus on: execution health, pending items needing attention, upcoming schedules, and credential coverage.',
-                  'Be specific with numbers. Flag any issues.',
-                  '',
-                  JSON.stringify(raw, null, 2),
-                ].join('\\n'),
-              },
-            ],
-            responseSchema: {
-              type: 'object',
-              properties: {
-                summary: { type: 'string', description: 'Natural language status summary with bullet points' },
-              },
-              required: ['summary'],
+        const result = await llm.generate({
+          provider: 'google',
+          model: 'gemini-3-flash-preview',
+          messages: [
+            {
+              role: 'user',
+              content: [
+                'Summarize this platform status overview in 3-5 concise bullet points.',
+                'Focus on: execution health, pending items needing attention, upcoming schedules, and credential coverage.',
+                'Be specific with numbers. Flag any issues.',
+                '',
+                JSON.stringify(raw, null, 2),
+              ].join('\\n'),
+            },
+          ],
+          responseSchema: {
+            type: 'object',
+            properties: {
+              summary: { type: 'string', description: 'Natural language status summary with bullet points' },
             },
-            temperature: 0,
+            required: ['summary'],
           },
+          temperature: 0,
         })
         const summary = (result as any)?.summary ?? String(result)
         return { raw, summary }
@@ -45648,7 +45836,8 @@ function registerUpdateCommand(program3) {
       ".claude/commands/database.md": claudeDatabaseCommandTemplate,
       ".claude/commands/agent.md": claudeAgentCommandTemplate,
       ".claude/commands/profile.md": claudeProfileCommandTemplate,
-      ".claude/commands/meta.md": claudeMetaCommandTemplate
+      ".claude/commands/meta.md": claudeMetaCommandTemplate,
+      ".claude/commands/work.md": claudeWorkCommandTemplate
     };
     const added = [];
     const flagged = [];
@@ -45756,6 +45945,216 @@ function registerUpdateCommand(program3) {
   }));
 }
 
+// src/cli/commands/creds/creds-list.ts
+async function listCreds(apiUrl, json2) {
+  const spinner = ora("Fetching credentials...").start();
+  const data = await apiGet("/api/external/credentials", apiUrl);
+  spinner.stop();
+  if (json2) {
+    console.log(JSON.stringify(data.credentials, null, 2));
+    return;
+  }
+  if (data.credentials.length === 0) {
+    console.log(source_default.yellow("No credentials found."));
+    console.log(source_default.gray("Create one with: elevasis creds create --name my-key --type api-key"));
+    return;
+  }
+  console.log(source_default.cyan(`
+Credentials (${data.credentials.length}):
+`));
+  for (const cred of data.credentials) {
+    const provider = cred.provider ? source_default.gray(` (${cred.provider})`) : "";
+    console.log(`  ${source_default.bold(cred.name)}  ${source_default.dim(cred.type)}${provider}`);
+    console.log(source_default.gray(`    Created: ${new Date(cred.createdAt).toLocaleDateString()}`));
+  }
+  console.log();
+}
+
+// src/cli/commands/creds/creds-create.ts
+var CREDENTIAL_NAME_REGEX = /^[a-z0-9]+(-[a-z0-9]+)*$/;
+var VALID_TYPES = ["api-key", "webhook-secret", "trello"];
+async function createCreds(apiUrl, name, type, valueJson) {
+  if (!name || name.length < 1 || name.length > 100) {
+    throw new Error("Credential name must be 1-100 characters");
+  }
+  if (!CREDENTIAL_NAME_REGEX.test(name)) {
+    throw new Error(
+      "Invalid credential name. Must be lowercase letters, digits, and hyphens only.\nNo consecutive hyphens allowed. Examples: my-api-key, stripe-prod, cal-webhook"
+    );
+  }
+  if (!VALID_TYPES.includes(type)) {
+    throw new Error(
+      `Invalid credential type: ${type}
+Valid types: ${VALID_TYPES.join(", ")}
+Note: OAuth credentials must be created through the Command Center UI`
+    );
+  }
+  if (!valueJson) {
+    throw new Error(
+      `Credential value is required. Provide it with --value '{"apiKey":"sk-..."}'
+Value must be a valid JSON object.`
+    );
+  }
+  let value;
+  try {
+    value = JSON.parse(valueJson);
+  } catch {
+    throw new Error(
+      `Invalid JSON in --value. Must be a valid JSON object.
+Example: --value '{"apiKey":"sk-abc123"}'`
+    );
+  }
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    throw new Error("Credential value must be a JSON object (not array or primitive)");
+  }
+  if (Object.keys(value).length === 0) {
+    throw new Error("Credential value must not be empty");
+  }
+  const spinner = ora("Creating credential...").start();
+  const result = await apiPost(
+    "/api/external/credentials",
+    { name, type, value },
+    apiUrl
+  );
+  spinner.stop();
+  console.log(source_default.green(`
+Credential created successfully!`));
+  console.log(`  ${source_default.bold("Name:")} ${result.name}`);
+  console.log(`  ${source_default.bold("ID:")}   ${result.id}`);
+  console.log(`  ${source_default.bold("Type:")} ${type}`);
+}
+
+// src/cli/commands/creds/creds-update.ts
+async function updateCreds(apiUrl, name, valueJson) {
+  let value;
+  try {
+    value = JSON.parse(valueJson);
+  } catch {
+    throw new Error(
+      `Invalid JSON in --value. Must be a valid JSON object.
+Example: --value '{"apiKey":"sk-new-key"}'`
+    );
+  }
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    throw new Error("Credential value must be a JSON object (not array or primitive)");
+  }
+  if (Object.keys(value).length === 0) {
+    throw new Error("Credential value must not be empty");
+  }
+  const spinner = ora("Updating credential...").start();
+  const data = await apiGet("/api/external/credentials", apiUrl);
+  const credential = data.credentials.find((c) => c.name === name);
+  if (!credential) {
+    spinner.stop();
+    throw new Error(
+      `Credential '${name}' not found.
+Run "elevasis creds list" to see available credentials.`
+    );
+  }
+  await apiPatch(`/api/external/credentials/${credential.id}`, { value }, apiUrl);
+  spinner.stop();
+  console.log(source_default.green(`
+Credential '${name}' updated successfully!`));
+}
+
+// src/cli/commands/creds/creds-rename.ts
+var CREDENTIAL_NAME_REGEX2 = /^[a-z0-9]+(-[a-z0-9]+)*$/;
+async function renameCreds(apiUrl, name, newName) {
+  if (!newName || newName.length < 1 || newName.length > 100) {
+    throw new Error("New credential name must be 1-100 characters");
+  }
+  if (!CREDENTIAL_NAME_REGEX2.test(newName)) {
+    throw new Error(
+      "Invalid new credential name. Must be lowercase letters, digits, and hyphens only.\nNo consecutive hyphens allowed. Examples: my-api-key, stripe-prod, cal-webhook"
+    );
+  }
+  const spinner = ora("Renaming credential...").start();
+  const data = await apiGet("/api/external/credentials", apiUrl);
+  const credential = data.credentials.find((c) => c.name === name);
+  if (!credential) {
+    spinner.stop();
+    throw new Error(
+      `Credential '${name}' not found.
+Run "elevasis creds list" to see available credentials.`
+    );
+  }
+  const conflict = data.credentials.find((c) => c.name === newName);
+  if (conflict) {
+    spinner.stop();
+    throw new Error(`Credential '${newName}' already exists. Choose a different name.`);
+  }
+  await apiPatch(`/api/external/credentials/${credential.id}`, { name: newName }, apiUrl);
+  spinner.stop();
+  console.log(source_default.green(`
+Credential renamed successfully!`));
+  console.log(`  ${source_default.dim(name)} ${source_default.gray("->")} ${source_default.bold(newName)}`);
+}
+
+// src/cli/commands/creds/creds-delete.ts
+var import_readline = require("readline");
+function confirm(message) {
+  const rl = (0, import_readline.createInterface)({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve6) => {
+    rl.question(message, (answer) => {
+      rl.close();
+      resolve6(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+    });
+  });
+}
+async function deleteCreds(apiUrl, name, force) {
+  const spinner = ora("Looking up credential...").start();
+  const data = await apiGet("/api/external/credentials", apiUrl);
+  const credential = data.credentials.find((c) => c.name === name);
+  if (!credential) {
+    spinner.stop();
+    throw new Error(
+      `Credential '${name}' not found.
+Run "elevasis creds list" to see available credentials.`
+    );
+  }
+  spinner.stop();
+  if (!force) {
+    console.log(source_default.yellow(`
+About to delete credential:`));
+    console.log(`  ${source_default.bold("Name:")} ${credential.name}`);
+    console.log(`  ${source_default.bold("Type:")} ${credential.type}`);
+    if (credential.provider) {
+      console.log(`  ${source_default.bold("Provider:")} ${credential.provider}`);
+    }
+    console.log();
+    const confirmed = await confirm(source_default.red("Are you sure? This cannot be undone. (y/N) "));
+    if (!confirmed) {
+      console.log(source_default.gray("Cancelled."));
+      return;
+    }
+  }
+  const deleteSpinner = ora("Deleting credential...").start();
+  await apiDelete(`/api/external/credentials/${credential.id}`, apiUrl);
+  deleteSpinner.stop();
+  console.log(source_default.green(`
+Credential '${name}' deleted successfully.`));
+}
+
+// src/cli/commands/creds/creds.ts
+function registerCredsCommand(program3) {
+  const creds = program3.command("creds").description("Manage organization credentials");
+  creds.command("list").description("List all credentials (metadata only, no secrets)").option("--api-url <url>", "API URL").option("--json", "Output as JSON").action(wrapAction("creds list", async (options2) => {
+    await listCreds(resolveApiUrl(options2.apiUrl), options2.json);
+  }));
+  creds.command("create").description("Create a new credential").requiredOption("--name <name>", "Credential name (lowercase, digits, hyphens)").requiredOption("--type <type>", "Credential type (api-key, webhook-secret, trello)").option("--value <json>", "Credential value as JSON string").option("--api-url <url>", "API URL").action(wrapAction("creds create", async (options2) => {
+    await createCreds(resolveApiUrl(options2.apiUrl), options2.name, options2.type, options2.value);
+  }));
+  creds.command("update <name>").description("Update a credential value").requiredOption("--value <json>", "New credential value as JSON string").option("--api-url <url>", "API URL").action(wrapAction("creds update", async (name, options2) => {
+    await updateCreds(resolveApiUrl(options2.apiUrl), name, options2.value);
+  }));
+  creds.command("rename <name>").description("Rename a credential").requiredOption("--to <newName>", "New credential name").option("--api-url <url>", "API URL").action(wrapAction("creds rename", async (name, options2) => {
+    await renameCreds(resolveApiUrl(options2.apiUrl), name, options2.to);
+  }));
+  creds.command("delete <name>").description("Delete a credential").option("--force", "Skip confirmation prompt").option("--api-url <url>", "API URL").action(wrapAction("creds delete", async (name, options2) => {
+    await deleteCreds(resolveApiUrl(options2.apiUrl), name, options2.force);
+  }));
+}
+
 // src/cli/index.ts
 (0, import_dotenv.config)({ path: (0, import_path5.resolve)(process.cwd(), ".env"), override: false });
 var program2 = new Command();
@@ -45786,6 +46185,7 @@ registerDescribeCommand(program2);
 registerDeploymentsCommand(program2);
 registerInitCommand(program2);
 registerUpdateCommand(program2);
+registerCredsCommand(program2);
 program2.parse();
 /*! Bundled license information: