@envshipcom/cli 0.2.0

package/dist/index.js

@@ -0,0 +1,2192 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { spawn } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
+import { chmod, mkdir, mkdtemp, readFile, rename, rm, writeFile } from "node:fs/promises";
+import { homedir, tmpdir } from "node:os";
+import { dirname, isAbsolute, join, normalize, parse, resolve } from "node:path";
+import { Command, Option } from "commander";
+
+// ../crypto/src/index.ts
+function canonicalize(value) {
+  return JSON.stringify(sortJson(value));
+}
+async function sha256Base64url(value) {
+  const bytes = typeof value === "string" ? new TextEncoder().encode(value) : value;
+  const input = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(input).set(bytes);
+  const hash = await crypto.subtle.digest("SHA-256", input);
+  return encodeBase64url(new Uint8Array(hash));
+}
+function encodeBase64url(bytes) {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/u, "");
+}
+function decodeBase64url(value) {
+  const normalized = value.replaceAll("-", "+").replaceAll("_", "/");
+  const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, "=");
+  const binary = atob(padded);
+  return Uint8Array.from(binary, (char) => char.charCodeAt(0));
+}
+function ownedBytes(bytes) {
+  const copy = new Uint8Array(bytes.byteLength);
+  copy.set(bytes);
+  return copy;
+}
+async function generateEncryptedKeyFile(label, passphrase) {
+  if (!passphrase) throw new Error("Add a KeyFile passphrase before creating the encrypted backup.");
+  const keyset = await generatePlainKeyset(label);
+  return { filename: `${label}.envship-keyfile.json`, keyFile: await createEncryptedKeyFileFromKeyset(keyset, passphrase), keyset };
+}
+async function createEncryptedKeyFileFromKeyset(keyset, passphrase) {
+  if (!passphrase) throw new Error("Add a KeyFile passphrase before creating the encrypted backup.");
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const passphraseKey = await crypto.subtle.importKey("raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
+  const wrappingKey = await crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: 25e4, hash: "SHA-256" },
+    passphraseKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, wrappingKey, new TextEncoder().encode(JSON.stringify(keyset)));
+  return {
+    type: "envship.encrypted_keyfile.v1",
+    keyset_id: keyset.keyset_id,
+    label: keyset.label,
+    encryption_key_id: keyset.encryption_key_id,
+    signing_key_id: keyset.signing_key_id,
+    kdf: { name: "PBKDF2", hash: "SHA-256", iterations: 25e4, salt_b64u: encodeBase64url(salt) },
+    cipher: { name: "AES-GCM", iv_b64u: encodeBase64url(iv), ciphertext_b64u: encodeBase64url(new Uint8Array(ciphertext)) },
+    public_metadata: { encryption_public_jwk: keyset.encryption_public_jwk, signing_public_jwk: keyset.signing_public_jwk },
+    created_at: keyset.created_at
+  };
+}
+async function generatePlainKeyset(label) {
+  const [encryptionPair, signingPair] = await Promise.all([
+    crypto.subtle.generateKey(
+      { name: "RSA-OAEP", modulusLength: 3072, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
+      true,
+      ["encrypt", "decrypt"]
+    ),
+    crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"])
+  ]);
+  const [encryptionPrivateJwk, encryptionPublicJwk, signingPrivateJwk, signingPublicJwk] = await Promise.all([
+    crypto.subtle.exportKey("jwk", encryptionPair.privateKey),
+    crypto.subtle.exportKey("jwk", encryptionPair.publicKey),
+    crypto.subtle.exportKey("jwk", signingPair.privateKey),
+    crypto.subtle.exportKey("jwk", signingPair.publicKey)
+  ]);
+  return {
+    type: "envship.private_keyset.v1",
+    keyset_id: `kst_${crypto.randomUUID()}`,
+    label,
+    encryption_key_id: `enc_${(await sha256Base64url(canonicalize(encryptionPublicJwk))).slice(0, 18)}`,
+    encryption_private_jwk: encryptionPrivateJwk,
+    encryption_public_jwk: encryptionPublicJwk,
+    signing_key_id: `sig_${(await sha256Base64url(canonicalize(signingPublicJwk))).slice(0, 18)}`,
+    signing_private_jwk: signingPrivateJwk,
+    signing_public_jwk: signingPublicJwk,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function unlockKeyFile(keyFile, passphrase) {
+  const passphraseKey = await crypto.subtle.importKey("raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
+  const wrappingKey = await crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt: ownedBytes(decodeBase64url(keyFile.kdf.salt_b64u)), iterations: keyFile.kdf.iterations, hash: keyFile.kdf.hash },
+    passphraseKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["decrypt"]
+  );
+  const plaintext = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: ownedBytes(decodeBase64url(keyFile.cipher.iv_b64u)) },
+    wrappingKey,
+    ownedBytes(decodeBase64url(keyFile.cipher.ciphertext_b64u))
+  );
+  return JSON.parse(new TextDecoder().decode(plaintext));
+}
+async function encryptEnvBundleForRecipients(env, recipients, channelRef) {
+  if (recipients.length === 0) throw new Error("No active recipients are available for this channel.");
+  const dataKey = await crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
+  const exportedDataKey = await crypto.subtle.exportKey("raw", dataKey);
+  const wrappedRecipients = await Promise.all(recipients.map(async (recipient) => {
+    const recipientPublicKey = await crypto.subtle.importKey(
+      "jwk",
+      recipient.encryption_public_jwk,
+      { name: "RSA-OAEP", hash: "SHA-256" },
+      false,
+      ["encrypt"]
+    );
+    const wrappedKey = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, recipientPublicKey, exportedDataKey);
+    return {
+      encryption_key_id: recipient.encryption_key_id,
+      wrapped_key_b64u: encodeBase64url(new Uint8Array(wrappedKey))
+    };
+  }));
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintext = new TextEncoder().encode(JSON.stringify({ type: "envship.env_map.v1", env }));
+  const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, dataKey, plaintext);
+  return {
+    type: "envship.encrypted_env_bundle.v1",
+    algorithm: {
+      content: "AES-GCM-256",
+      recipient_wrap: "RSA-OAEP-SHA-256"
+    },
+    recipients: wrappedRecipients,
+    cipher: {
+      iv_b64u: encodeBase64url(iv),
+      ciphertext_b64u: encodeBase64url(new Uint8Array(ciphertext))
+    },
+    aad: {
+      channel_ref: channelRef,
+      created_at: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+async function decryptEnvBundle(bundle, keyset) {
+  if (bundle.type !== "envship.encrypted_env_bundle.v1") throw new Error("Unsupported EnvShip bundle format.");
+  const recipient = bundle.recipients.find((item) => item.encryption_key_id === keyset.encryption_key_id);
+  if (!recipient) throw new Error("This KeyFile is not included in the encrypted bundle recipients.");
+  const recipientPrivateKey = await crypto.subtle.importKey(
+    "jwk",
+    keyset.encryption_private_jwk,
+    { name: "RSA-OAEP", hash: "SHA-256" },
+    false,
+    ["decrypt"]
+  );
+  const rawDataKey = await crypto.subtle.decrypt(
+    { name: "RSA-OAEP" },
+    recipientPrivateKey,
+    ownedBytes(decodeBase64url(recipient.wrapped_key_b64u))
+  );
+  const dataKey = await crypto.subtle.importKey("raw", rawDataKey, { name: "AES-GCM" }, false, ["decrypt"]);
+  const plaintext = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: ownedBytes(decodeBase64url(bundle.cipher.iv_b64u)) },
+    dataKey,
+    ownedBytes(decodeBase64url(bundle.cipher.ciphertext_b64u))
+  );
+  const decoded = JSON.parse(new TextDecoder().decode(plaintext));
+  if (decoded.type !== "envship.env_map.v1" || !decoded.env || typeof decoded.env !== "object") {
+    throw new Error("Encrypted bundle decrypted, but its plaintext format was invalid.");
+  }
+  return decoded.env;
+}
+async function signManifest(manifest, keyset) {
+  const signingKey = await crypto.subtle.importKey(
+    "jwk",
+    keyset.signing_private_jwk,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    signingKey,
+    new TextEncoder().encode(canonicalize(manifest))
+  );
+  return {
+    ...manifest,
+    signature: {
+      algorithm: "ECDSA-P256-SHA-256",
+      signature_b64u: encodeBase64url(new Uint8Array(signature))
+    }
+  };
+}
+async function verifyRuntimeVersionDescriptorSignature(descriptor, signingPublicJwk) {
+  if (!descriptor.signature) return false;
+  const { signature, ...payload } = descriptor;
+  const expectedPayloadHash = await sha256Base64url(canonicalize({
+    type: payload.type,
+    package_name: payload.package_name,
+    release_channel: payload.release_channel,
+    latest_version: payload.latest_version,
+    recommended_version: payload.recommended_version,
+    minimum_supported_version: payload.minimum_supported_version,
+    release_notes_url: payload.release_notes_url,
+    generated_at: payload.generated_at,
+    compatibility_warnings: payload.compatibility_warnings
+  }));
+  if (expectedPayloadHash !== payload.payload_sha256_b64u) return false;
+  const signingKey = await crypto.subtle.importKey(
+    "jwk",
+    signingPublicJwk,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+  return crypto.subtle.verify(
+    { name: "ECDSA", hash: "SHA-256" },
+    signingKey,
+    ownedBytes(decodeBase64url(signature.signature_b64u)),
+    new TextEncoder().encode(canonicalize(payload))
+  );
+}
+function mergeEnvOverlay(base, overlay) {
+  return { ...base, ...overlay };
+}
+async function deriveDeployTokenSnapshotKey(tokenSecret, lookupId, usages) {
+  const input = await crypto.subtle.importKey("raw", new TextEncoder().encode(tokenSecret), "HKDF", false, ["deriveKey"]);
+  return crypto.subtle.deriveKey(
+    { name: "HKDF", hash: "SHA-256", salt: new TextEncoder().encode(lookupId), info: new TextEncoder().encode("envship deploy token runtime snapshot v1") },
+    input,
+    { name: "AES-GCM", length: 256 },
+    false,
+    usages
+  );
+}
+async function decryptDeployTokenRuntimeSnapshot(encrypted, tokenSecret) {
+  const key = await deriveDeployTokenSnapshotKey(tokenSecret, encrypted.lookup_id, ["decrypt"]);
+  const plaintext = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: ownedBytes(decodeBase64url(encrypted.cipher.iv_b64u)), additionalData: new TextEncoder().encode(canonicalize(encrypted.aad)) },
+    key,
+    ownedBytes(decodeBase64url(encrypted.cipher.ciphertext_b64u))
+  );
+  return JSON.parse(new TextDecoder().decode(plaintext));
+}
+async function generateMachineSigningKey(label) {
+  const signingPair = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
+  const [privateJwk, publicJwk] = await Promise.all([
+    crypto.subtle.exportKey("jwk", signingPair.privateKey),
+    crypto.subtle.exportKey("jwk", signingPair.publicKey)
+  ]);
+  return {
+    signing_key_id: `msig_${(await sha256Base64url(canonicalize(publicJwk))).slice(0, 18)}`,
+    signing_private_jwk: privateJwk,
+    signing_public_jwk: publicJwk,
+    label,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function signMachineRequest(input, signingPrivateJwk) {
+  const signingKey = await crypto.subtle.importKey(
+    "jwk",
+    signingPrivateJwk,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    signingKey,
+    new TextEncoder().encode(canonicalize(input))
+  );
+  return encodeBase64url(new Uint8Array(signature));
+}
+function parseDotenv(input) {
+  const env = {};
+  for (const rawLine of input.split(/\r?\n/u)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) continue;
+    const match = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/u.exec(line);
+    if (!match) throw new Error(`Invalid dotenv line: ${rawLine}`);
+    let value = match[2] ?? "";
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    env[match[1]] = value;
+  }
+  return env;
+}
+function stringifyDotenv(env) {
+  return Object.entries(env).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}=${/[\s#"']/u.test(value) ? JSON.stringify(value) : value}`).join("\n") + "\n";
+}
+function sortJson(value) {
+  if (value === null || typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (Array.isArray(value)) return value.map(sortJson);
+  if (typeof value === "object") {
+    return Object.fromEntries(
+      Object.entries(value).filter(([, item]) => item !== void 0).sort(([a], [b]) => a.localeCompare(b)).map(([key, item]) => [key, sortJson(item)])
+    );
+  }
+  throw new TypeError(`Unsupported canonical JSON value: ${typeof value}`);
+}
+
+// src/cliCore.ts
+function channelParts(channel2) {
+  const [bundle, name, extra] = channel2.split("/");
+  if (!bundle || !name || extra) throw new Error("Use channel format bundle/channel, for example web/staging.");
+  if (!/^[a-z0-9][a-z0-9_-]{0,63}$/u.test(bundle) || !/^[a-z0-9][a-z0-9_-]{0,63}$/u.test(name)) {
+    throw new Error("Channel names must use lowercase letters, numbers, underscores, or hyphens.");
+  }
+  return { bundle, name };
+}
+function isLocalTestApi(apiBaseUrl) {
+  try {
+    const hostname = new URL(apiBaseUrl).hostname;
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname.endsWith(".test");
+  } catch {
+    return false;
+  }
+}
+function redactCliError(message) {
+  return message.replace(/([A-Z_]*(?:SECRET|TOKEN|KEY|COOKIE|SESSION|PASSWORD|PASSPHRASE)[A-Z0-9_]*=)[^\s]+/giu, "$1[redacted]").replace(/((?:passphrase|password|token|session|cookie)(?:=|:)\s*)[^\s]+/giu, "$1[redacted]").replace(/("(?:d|p|q|dp|dq|qi|k|private_jwk|signing_private_jwk|session|cookie|token|passphrase|password)"\s*:\s*")[^"]+/giu, "$1[redacted]");
+}
+function isSensitiveKey(key) {
+  return /(^|_)(session|cookie|token|secret|password|passphrase)$/iu.test(key) || key === "signing_private_jwk" || key === "private_jwk";
+}
+function looksLikeDotenvSecret(key) {
+  return /^[A-Z_][A-Z0-9_]*(SECRET|TOKEN|KEY|COOKIE|SESSION|PASSWORD|PASSPHRASE)[A-Z0-9_]*$/u.test(key);
+}
+function isShowOnceDeployToken(path, key) {
+  return key === "token" && path.at(-1) === "deploy_token";
+}
+function sanitizeCliData(value, parentKey = "", path = []) {
+  if (value === null || value === void 0) return value;
+  if (typeof value === "string") {
+    if (isSensitiveKey(parentKey) || looksLikeDotenvSecret(parentKey)) return "[redacted]";
+    return redactCliError(value);
+  }
+  if (typeof value !== "object") return value;
+  if (Array.isArray(value)) return value.map((item) => sanitizeCliData(item, parentKey));
+  const output = {};
+  for (const [key, item] of Object.entries(value)) {
+    if (isShowOnceDeployToken(path, key)) {
+      output[key] = item;
+    } else if (key === "deploy_token") {
+      output[key] = sanitizeCliData(item, key, [...path, key]);
+    } else {
+      output[key] = isSensitiveKey(key) || looksLikeDotenvSecret(key) ? "[redacted]" : sanitizeCliData(item, key, [...path, key]);
+    }
+  }
+  return output;
+}
+function errorCodeFromMessage(message) {
+  const normalized = message.toLowerCase();
+  if (normalized.includes("unauthenticated") || normalized.includes("401")) return "unauthenticated";
+  if (normalized.includes("forbidden") || normalized.includes("403")) return "forbidden";
+  if (normalized.includes("not found") || normalized.includes("not_found") || normalized.includes("404")) return "not_found";
+  if (normalized.includes("rate_limited") || normalized.includes("rate limited")) return "rate_limited";
+  if (normalized.includes("passphrase")) return "passphrase_required";
+  if (normalized.includes("keyfile")) return "keyfile_error";
+  return normalized.replace(/[^a-z0-9]+/gu, "_").replace(/^_|_$/gu, "").slice(0, 64) || "cli_error";
+}
+
+// src/index.ts
+var CliError = class extends Error {
+  code;
+  hint;
+  retryAfterSeconds;
+  exitCode;
+  details;
+  constructor(code, message, options = {}) {
+    super(message);
+    this.code = code;
+    this.hint = options.hint;
+    this.retryAfterSeconds = options.retryAfterSeconds;
+    this.exitCode = options.exitCode ?? 1;
+    this.details = options.details;
+  }
+};
+var ChildExitError = class extends CliError {
+  constructor(code, signal) {
+    super("child_process_failed", signal ? `Command terminated by ${signal}.` : `Command exited with ${code ?? 1}.`, { exitCode: code ?? 1 });
+  }
+};
+var defaultApiBaseUrl = process.env.ENVSHIP_API_BASE_URL ?? "https://api.envship.com";
+var defaultAppBaseUrl = process.env.ENVSHIP_APP_URL ?? "https://envship.com";
+var configPath = join(homedir(), ".envship", "config.json");
+var program = new Command();
+var sessionCookieName = "__Host-envship_session";
+var cliVersion = "0.2.0";
+function isMutationMethod(method) {
+  return ["POST", "PUT", "DELETE"].includes((method ?? "GET").toUpperCase());
+}
+function readConfig() {
+  if (!existsSync(configPath)) return { apiBaseUrl: defaultApiBaseUrl, appBaseUrl: defaultAppBaseUrl };
+  try {
+    const value = JSON.parse(readFileSync(configPath, "utf8"));
+    return {
+      apiBaseUrl: process.env.ENVSHIP_API_BASE_URL ?? value.apiBaseUrl ?? defaultApiBaseUrl,
+      appBaseUrl: process.env.ENVSHIP_APP_URL ?? value.appBaseUrl ?? defaultAppBaseUrl,
+      session: process.env.ENVSHIP_SESSION ?? value.session,
+      workstation: value.workstation,
+      keyfilePath: process.env.ENVSHIP_KEYFILE ?? value.keyfilePath,
+      machine: value.machine,
+      envsync: value.envsync
+    };
+  } catch {
+    return { apiBaseUrl: defaultApiBaseUrl, appBaseUrl: defaultAppBaseUrl };
+  }
+}
+function localWorkstation(config) {
+  if (config.workstation?.id && /^[A-Za-z0-9_-]{16,96}$/u.test(config.workstation.id)) return config.workstation;
+  return {
+    id: `cw_${crypto.randomUUID().replace(/-/gu, "")}`,
+    label: `${process.env.COMPUTERNAME ?? process.env.HOSTNAME ?? "local"}`
+  };
+}
+function runtimeAnalyticsContext(config) {
+  if (config.machine?.analytics_client_id && /^acl_[A-Za-z0-9_-]{32,96}$/u.test(config.machine.analytics_client_id)) {
+    return { clientId: config.machine.analytics_client_id, type: "machine" };
+  }
+  if (config.workstation?.analytics_client_id && /^acl_[A-Za-z0-9_-]{32,96}$/u.test(config.workstation.analytics_client_id)) {
+    return { clientId: config.workstation.analytics_client_id, type: "workstation" };
+  }
+  return null;
+}
+function decorateRuntimeCdnUrl(parsedUrl) {
+  if (!["/p/", "/v/", "/rt/"].some((prefix) => parsedUrl.pathname.startsWith(prefix))) return;
+  const analytics = runtimeAnalyticsContext(readConfig());
+  if (!analytics) return;
+  parsedUrl.searchParams.set("es_client", analytics.clientId);
+  parsedUrl.searchParams.set("es_type", analytics.type);
+  parsedUrl.searchParams.set("es_v", "1");
+  parsedUrl.searchParams.set("es_cli_v", cliVersion);
+}
+function parseDeployTokenV2(token) {
+  const match = /^edt2_([A-Za-z0-9_-]{16,96})_([A-Za-z0-9_-]{32,160})$/u.exec(token);
+  return match ? { lookupId: match[1], secret: match[2] } : null;
+}
+function cdnBaseFromApi(apiBaseUrl) {
+  const url = new URL(apiBaseUrl);
+  if (url.hostname === "api-staging.envship.com") return "https://cdnstaging.envship.com";
+  if (url.hostname === "api.envship.com") return "https://cdn.envship.com";
+  return `${url.protocol}//${url.host}`;
+}
+function deployTokenSnapshotUrl(apiBaseUrl, lookupId) {
+  return `${cdnBaseFromApi(apiBaseUrl).replace(/\/+$/u, "")}/rt/deploy-tokens/${lookupId}.json`;
+}
+function runtimeVersionDescriptorUrl(apiBaseUrl) {
+  return `${cdnBaseFromApi(apiBaseUrl).replace(/\/+$/u, "")}/meta/cli/current.json`;
+}
+function compareVersions(a, b) {
+  const left = a.split(/[.-]/u).map((part) => Number.parseInt(part, 10)).map((part) => Number.isFinite(part) ? part : 0);
+  const right = b.split(/[.-]/u).map((part) => Number.parseInt(part, 10)).map((part) => Number.isFinite(part) ? part : 0);
+  const length = Math.max(left.length, right.length, 3);
+  for (let index = 0; index < length; index += 1) {
+    const delta = (left[index] ?? 0) - (right[index] ?? 0);
+    if (delta !== 0) return delta < 0 ? -1 : 1;
+  }
+  return 0;
+}
+async function runtimeVersionDescriptor(ctx) {
+  const response = await fetchPublicJson(ctx, runtimeVersionDescriptorUrl(ctx.apiBaseUrl));
+  const descriptor = response.body;
+  if (!descriptor || descriptor.type !== "envship.runtime_version_descriptor.v1" || descriptor.package_name !== "@envshipcom/cli") {
+    throw new CliError("runtime_version_descriptor_invalid", "EnvShip runtime version metadata is invalid.");
+  }
+  const publicJwk = process.env.ENVSHIP_RUNTIME_VERSION_SIGNING_PUBLIC_JWK;
+  if (publicJwk) {
+    const ok = await verifyRuntimeVersionDescriptorSignature(descriptor, JSON.parse(publicJwk));
+    if (!ok) throw new CliError("runtime_version_signature_invalid", "EnvShip runtime version metadata signature is invalid.");
+  }
+  return descriptor;
+}
+async function versionWarnings(ctx) {
+  try {
+    const descriptor = await runtimeVersionDescriptor(ctx);
+    const warnings = [];
+    if (compareVersions(cliVersion, descriptor.minimum_supported_version) < 0) {
+      throw new CliError("cli_version_unsupported", `EnvShip CLI ${cliVersion} is below the minimum supported version ${descriptor.minimum_supported_version}.`, {
+        hint: `Update @envshipcom/cli to ${descriptor.recommended_version} or newer.`
+      });
+    }
+    if (compareVersions(cliVersion, descriptor.recommended_version) < 0) {
+      warnings.push(`EnvShip CLI ${cliVersion} is behind recommended ${descriptor.recommended_version}. Run your package manager update when convenient.`);
+    }
+    return { descriptor, warnings };
+  } catch (error) {
+    if (error instanceof CliError && error.code === "cli_version_unsupported") throw error;
+    return { descriptor: null, warnings: [] };
+  }
+}
+async function saveConfig(config) {
+  await mkdir(dirname(configPath), { recursive: true, mode: 448 });
+  await chmod(dirname(configPath), 448).catch(() => void 0);
+  await writeFile(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+  await chmod(configPath, 384).catch(() => void 0);
+}
+function openBrowser(url) {
+  const platform = process.platform;
+  const command2 = platform === "win32" ? "cmd" : platform === "darwin" ? "open" : "xdg-open";
+  const args = platform === "win32" ? ["/c", "start", "", url] : [url];
+  spawn(command2, args, { detached: true, stdio: "ignore" }).unref();
+}
+function commandPath(command2) {
+  const names = [];
+  let current = command2;
+  while (current) {
+    if (current.name()) names.unshift(current.name());
+    current = current.parent ?? null;
+  }
+  return names.join(" ");
+}
+function toBoolean(value) {
+  return value === true;
+}
+function createContext(command2) {
+  const config = readConfig();
+  const options = command2.optsWithGlobals();
+  const apiBaseUrl = validateOriginUrl(String(options.apiUrl ?? config.apiBaseUrl), "api-url");
+  const appBaseUrl = validateOriginUrl(String(options.appUrl ?? config.appBaseUrl), "app-url");
+  return {
+    command: command2,
+    commandName: commandPath(command2),
+    options,
+    json: toBoolean(options.json),
+    quiet: toBoolean(options.quiet),
+    noInput: toBoolean(options.noInput),
+    yes: toBoolean(options.yes),
+    apiBaseUrl,
+    appBaseUrl,
+    info(message) {
+      if (!toBoolean(options.quiet) && !toBoolean(options.json)) process.stderr.write(`${message}
+`);
+    },
+    data(message) {
+      process.stdout.write(`${message.endsWith("\n") ? message : `${message}
+`}`);
+    }
+  };
+}
+function validateOriginUrl(value, label) {
+  let url;
+  try {
+    url = new URL(value);
+  } catch {
+    throw new CliError(`${label.replace("-", "_")}_invalid`, `${label} must be a valid http or https origin.`);
+  }
+  if (!["http:", "https:"].includes(url.protocol)) throw new CliError(`${label.replace("-", "_")}_invalid`, `${label} must use http or https.`);
+  if (url.username || url.password || url.search || url.hash || url.pathname && url.pathname !== "/") {
+    throw new CliError(`${label.replace("-", "_")}_invalid`, `${label} must be an origin only, for example https://api.envship.com.`);
+  }
+  return url.origin;
+}
+function validateEnvVarName(value) {
+  if (value && !/^[A-Z_][A-Z0-9_]{0,127}$/u.test(value)) {
+    throw new CliError("env_var_name_invalid", "Environment variable names must use uppercase letters, numbers, and underscores.");
+  }
+}
+function validateCliBootstrapCode(value) {
+  if (!/^cli_[A-Za-z0-9_-]{20,80}$/u.test(value)) {
+    throw new CliError("cli_bootstrap_code_invalid", "CLI setup codes must start with cli_ and contain only URL-safe characters.");
+  }
+  return value;
+}
+function validateSafeLocalPath(path, options) {
+  if (path === "-") {
+    if (options.allowStdout) return path;
+    throw new CliError(`${options.label}_invalid`, `${options.label} cannot be stdout here.`);
+  }
+  const hasUrlScheme = /^[a-z][a-z0-9+.-]*:/iu.test(path) && !/^[a-z]:[\\/]/iu.test(path);
+  if (path.includes("\0") || hasUrlScheme) throw new CliError(`${options.label}_invalid`, `${options.label} must be a local filesystem path.`);
+  const normalized = normalize(path);
+  const segments = normalized.split(/[\\/]+/u);
+  if (!options.force && !isAbsolute(normalized) && segments.includes("..")) {
+    throw new CliError("path_traversal_requires_force", `${options.label} uses a parent-directory segment.`, { hint: "Use an explicit output path inside this workspace, or rerun with --force after verifying the target." });
+  }
+  return resolve(path);
+}
+function validateChildCommand(commandName, args) {
+  const parsed = parse(commandName);
+  if (!parsed.base || parsed.dir.includes("..") || /[;&|`$<>^"\n\r]/u.test(commandName)) {
+    throw new CliError("command_invalid", "Command name contains unsafe shell metacharacters or path traversal.");
+  }
+  for (const arg of args) {
+    if (arg.includes("\0")) throw new CliError("command_arg_invalid", "Command arguments cannot contain NUL bytes.");
+  }
+}
+function shouldUseWindowsShell(commandName) {
+  return process.platform === "win32" && !/\.(?:exe|com)$/iu.test(commandName);
+}
+function spawnSafe(commandName, args, options) {
+  if (shouldUseWindowsShell(commandName)) {
+    return spawn("cmd.exe", ["/d", "/c", commandName, ...args], { ...options, shell: false });
+  }
+  return spawn(commandName, args, { ...options, shell: false });
+}
+function writeJson(value, stream = process.stdout) {
+  stream.write(`${JSON.stringify(value, null, 2)}
+`);
+}
+function commandAction(handler) {
+  return async (...args) => {
+    const command2 = args.at(-1);
+    let ctx;
+    try {
+      ctx = createContext(command2);
+      const result = await handler(ctx, ...args.slice(0, -1));
+      const warnings = result?.warnings ?? [];
+      if (ctx.json) {
+        writeJson({ ok: true, command: ctx.commandName, data: sanitizeCliData(result?.data ?? null), warnings: sanitizeCliData(warnings) });
+        if (result?.exitCode) process.exitCode = result.exitCode;
+        return;
+      }
+      if (result?.stdout) ctx.data(result.stdout);
+      for (const warning of warnings) ctx.info(`Warning: ${warning}`);
+      if (result?.message) ctx.info(result.message);
+      if (result?.exitCode) process.exitCode = result.exitCode;
+    } catch (error) {
+      const cliError = normalizeError(error);
+      const json = (() => {
+        try {
+          return toBoolean(command2.optsWithGlobals().json);
+        } catch {
+          return false;
+        }
+      })();
+      if (json) {
+        writeJson({
+          ok: false,
+          error: cliError.code,
+          message: redactCliError(cliError.message),
+          hint: cliError.hint ? redactCliError(cliError.hint) : void 0,
+          retry_after_seconds: cliError.retryAfterSeconds
+        }, process.stderr);
+      } else {
+        process.stderr.write(`${redactCliError(cliError.message)}
+`);
+        if (cliError.hint) process.stderr.write(`Hint: ${redactCliError(cliError.hint)}
+`);
+      }
+      process.exitCode = cliError.exitCode;
+    }
+  };
+}
+function normalizeError(error) {
+  if (error instanceof CliError) return error;
+  const message = error instanceof Error ? error.message : String(error);
+  return new CliError(errorCodeFromMessage(message), message);
+}
+function addGlobalOptions(command2) {
+  return command2.option("--json", "write a stable JSON response").option("--quiet", "suppress human progress messages").option("--no-input", "disable interactive prompts").option("--yes", "confirm destructive or risky actions").option("--api-url <url>", "EnvShip API origin").option("--app-url <url>", "EnvShip app origin");
+}
+function addKeyFileOptions(command2) {
+  return command2.addOption(new Option("--keyfile <path>", "encrypted credential path").hideHelp()).addOption(new Option("--passphrase-env <name>", "environment variable containing the credential passphrase").hideHelp()).addOption(new Option("--passphrase <value>", "credential passphrase").hideHelp());
+}
+function withExamples(command2, examples) {
+  command2.addHelpText("after", `
+Examples:
+${examples.map((item) => `  ${item}`).join("\n")}
+
+Docs: https://envship.com/docs
+Support: https://github.com/envshipcom/envship/issues
+`);
+  return command2;
+}
+async function api(ctx, path, init = {}) {
+  const config = readConfig();
+  const headers = new Headers(init.headers);
+  if (isLocalTestApi(ctx.apiBaseUrl) && !headers.has("Origin")) headers.set("Origin", ctx.appBaseUrl);
+  if (!headers.has("Content-Type") && init.body) headers.set("Content-Type", "application/json");
+  if (config.session) {
+    headers.set("Cookie", `${sessionCookieName}=${config.session}`);
+    if (isMutationMethod(init.method)) headers.set("X-EnvShip-CSRF", "1");
+  }
+  const response = await fetch(`${ctx.apiBaseUrl}${path}`, { ...init, headers });
+  const body = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new CliError(body.error ?? `http_${response.status}`, body.error ?? `EnvShip API failed: ${response.status}`, {
+      retryAfterSeconds: body.retry_after_seconds,
+      hint: response.status === 401 ? "Run envship auth login, or set ENVSHIP_SESSION for automation." : void 0,
+      details: body
+    });
+  }
+  return body;
+}
+async function machineHeaders(path, method = "GET", body = "") {
+  const config = readConfig();
+  if (!config.machine) return new Headers();
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const nonce = crypto.randomUUID();
+  const bodyHash = await sha256Base64url(body);
+  const signature = await signMachineRequest({
+    method: method.toUpperCase(),
+    path,
+    body_sha256_b64u: bodyHash,
+    timestamp,
+    nonce
+  }, config.machine.signing_private_jwk);
+  const headers = new Headers();
+  headers.set("X-EnvShip-Key-Id", config.machine.signing_key_id);
+  headers.set("X-EnvShip-Timestamp", timestamp);
+  headers.set("X-EnvShip-Nonce", nonce);
+  headers.set("X-EnvShip-Body-SHA256", bodyHash);
+  headers.set("X-EnvShip-Signature", signature);
+  return headers;
+}
+async function reportRuntimeClient(ctx, input = {}) {
+  const config = readConfig();
+  const analytics = runtimeAnalyticsContext(config);
+  if (!analytics) return;
+  const workspaceId = config.workstation?.workspace_id ?? config.machine?.workspace_id ?? null;
+  const body = {
+    analytics_client_id: analytics.clientId,
+    workspace_id: workspaceId,
+    client_version: cliVersion,
+    last_deploy_sync_at: input.lastDeploySyncAt,
+    autoupdate_enabled: analytics.type === "machine" ? config.machine?.autoupdate_enabled !== false : config.workstation?.autoupdate_enabled !== false,
+    envsync_mode: input.envsyncMode,
+    envsync_interval_seconds: input.envsyncIntervalSeconds
+  };
+  if (!body.workspace_id) return;
+  const headers = analytics.type === "machine" ? await machineHeaders("/v1/runtime-clients/report", "POST", JSON.stringify(body)) : new Headers();
+  try {
+    await api(ctx, "/v1/runtime-clients/report", { method: "POST", headers, body: JSON.stringify(body) });
+  } catch {
+  }
+}
+async function fetchJson(ctx, url) {
+  const parsedUrl = new URL(url);
+  if (parsedUrl.hostname === "api.envship.com" && ctx.apiBaseUrl !== "https://api.envship.com") {
+    const localBase = new URL(ctx.apiBaseUrl);
+    parsedUrl.protocol = localBase.protocol;
+    parsedUrl.host = localBase.host;
+  }
+  decorateRuntimeCdnUrl(parsedUrl);
+  const headers = parsedUrl.pathname.startsWith("/v1/bundle-objects/") ? await machineHeaders(`${parsedUrl.pathname}${parsedUrl.search}`) : new Headers();
+  if (isLocalTestApi(ctx.apiBaseUrl) && !headers.has("Origin")) headers.set("Origin", ctx.appBaseUrl);
+  const config = readConfig();
+  if (config.session) {
+    headers.set("Cookie", `${sessionCookieName}=${config.session}`);
+  }
+  const response = await fetch(parsedUrl.toString(), { headers });
+  const body = await response.json().catch(() => ({}));
+  if (!response.ok) throw new CliError(body.error ?? `http_${response.status}`, body.error ?? `EnvShip download failed: ${response.status}`);
+  return body;
+}
+async function fetchPublicJson(ctx, url, headers) {
+  const parsedUrl = new URL(url);
+  if (parsedUrl.hostname === "api.envship.com" && ctx.apiBaseUrl !== "https://api.envship.com") {
+    const localBase = new URL(ctx.apiBaseUrl);
+    parsedUrl.protocol = localBase.protocol;
+    parsedUrl.host = localBase.host;
+  }
+  decorateRuntimeCdnUrl(parsedUrl);
+  const response = await fetch(parsedUrl.toString(), { headers });
+  if (response.status === 304) {
+    return { status: 304, body: null, etag: response.headers.get("etag"), lastModified: response.headers.get("last-modified") };
+  }
+  const body = await response.json().catch(() => null);
+  if (!response.ok) {
+    const maybeError = body && typeof body === "object" && "error" in body ? String(body.error) : `http_${response.status}`;
+    throw new CliError(maybeError, `EnvShip CDN fetch failed: ${response.status}`);
+  }
+  return { status: response.status, body, etag: response.headers.get("etag"), lastModified: response.headers.get("last-modified") };
+}
+async function promptLine(message) {
+  process.stderr.write(message);
+  return new Promise((resolvePromise) => {
+    process.stdin.resume();
+    process.stdin.once("data", (data) => {
+      process.stdin.pause();
+      resolvePromise(String(data).trim());
+    });
+  });
+}
+async function promptHidden(message) {
+  if (!process.stdin.isTTY || !process.stdin.setRawMode) return promptLine(message);
+  process.stderr.write(message);
+  process.stdin.setRawMode(true);
+  process.stdin.resume();
+  return new Promise((resolvePromise, reject) => {
+    let value = "";
+    const onData = (buffer) => {
+      const text = buffer.toString("utf8");
+      if (text === "") {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stderr.write("\n");
+        reject(new CliError("cancelled", "Cancelled."));
+        return;
+      }
+      if (text === "\r" || text === "\n") {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.off("data", onData);
+        process.stderr.write("\n");
+        resolvePromise(value);
+        return;
+      }
+      if (text === "\x7F") value = value.slice(0, -1);
+      else value += text;
+    };
+    process.stdin.on("data", onData);
+  });
+}
+async function resolvePassphrase(ctx, options) {
+  validateEnvVarName(options.passphraseEnv);
+  if (options.passphraseEnv) {
+    const value = process.env[options.passphraseEnv];
+    if (!value) throw new CliError("passphrase_env_empty", `Environment variable ${options.passphraseEnv} is not set.`, { hint: "Set it or use an interactive terminal." });
+    return value;
+  }
+  if (options.passphrase) return options.passphrase;
+  if (process.env.ENVSHIP_KEYFILE_PASSPHRASE) return process.env.ENVSHIP_KEYFILE_PASSPHRASE;
+  if (ctx.noInput || !process.stdin.isTTY) {
+    throw new CliError("passphrase_required", "A KeyFile passphrase is required.", { hint: "Use --passphrase-env ENVSHIP_KEYFILE_PASSPHRASE or set ENVSHIP_KEYFILE_PASSPHRASE." });
+  }
+  return promptHidden("KeyFile passphrase: ");
+}
+async function loadKeyFile(ctx, options) {
+  const config = readConfig();
+  const keyfilePath = options.keyfile ?? config.keyfilePath;
+  if (!keyfilePath) throw new CliError("keyfile_required", "A KeyFile path is required.", { hint: "Use --keyfile or set ENVSHIP_KEYFILE." });
+  const keyFile = JSON.parse(await readFile(validateSafeLocalPath(keyfilePath, { label: "keyfile" }), "utf8"));
+  const keyset = await unlockKeyFile(keyFile, await resolvePassphrase(ctx, options));
+  return { keyFile, keyset, keyfilePath: resolve(keyfilePath) };
+}
+async function readKeyFile(path) {
+  const config = readConfig();
+  const keyfilePath = path ?? config.keyfilePath;
+  if (!keyfilePath) throw new CliError("keyfile_required", "A KeyFile path is required.", { hint: "Use --keyfile or set ENVSHIP_KEYFILE." });
+  const resolved = validateSafeLocalPath(keyfilePath, { label: "keyfile" });
+  return { keyFile: JSON.parse(await readFile(resolved, "utf8")), keyfilePath: resolved };
+}
+async function findChannel(ctx, channel2) {
+  channelParts(channel2);
+  const state = await dashboardState(ctx);
+  const found = state.channels.find((item) => item.channel_ref === channel2);
+  if (!found) throw new CliError("channel_not_found", `Channel ${channel2} was not found or is not visible to this session.`);
+  return found;
+}
+async function dashboardState(ctx) {
+  return api(ctx, "/v1/dashboard/state");
+}
+async function resolveChannel(ctx, channel2) {
+  const path = `/v1/channel-resolve?channel=${encodeURIComponent(channel2)}`;
+  const config = readConfig();
+  const headers = config.machine ? await machineHeaders(path) : new Headers();
+  return api(ctx, path, { headers });
+}
+async function publicPullDescriptor(ctx, url) {
+  return fetchJson(ctx, url);
+}
+async function publicManifest(ctx, url) {
+  return fetchJson(ctx, url);
+}
+async function deployTokenRuntimeSnapshot(ctx, token) {
+  const parsed = parseDeployTokenV2(token);
+  if (!parsed) throw new CliError("deploy_token_v2_required", "Offline deploy-token bootstrap requires a v2 deploy token.");
+  const raw = await fetchJson(ctx, deployTokenSnapshotUrl(ctx.apiBaseUrl, parsed.lookupId));
+  if (raw.type === "envship.deploy_token_runtime_snapshot_revoked.v1") {
+    throw new CliError("deploy_token_revoked", "Deploy token has been revoked.");
+  }
+  if (raw.type !== "envship.deploy_token_runtime_snapshot.v1") {
+    throw new CliError("runtime_snapshot_invalid", "Deploy token runtime snapshot format is invalid.");
+  }
+  const encrypted = raw;
+  const secretHash = await sha256Base64url(parsed.secret);
+  const snapshot = await decryptDeployTokenRuntimeSnapshot(encrypted, secretHash);
+  if (snapshot.status !== "active" || snapshot.subject_type !== "deploy_token") {
+    throw new CliError("runtime_snapshot_revoked", "Deploy token runtime snapshot is not active.");
+  }
+  return { snapshot, snapshotUrl: deployTokenSnapshotUrl(ctx.apiBaseUrl, parsed.lookupId) };
+}
+async function resolutionFromRuntimeChannels(ctx, channel2, channels) {
+  const cached = channels.find((item) => item.channel_ref === channel2);
+  if (!cached) throw new CliError("channel_not_authorized", `Channel ${channel2} is not available in the local runtime snapshot.`);
+  const descriptor = await publicPullDescriptor(ctx, cached.descriptor_url);
+  const manifest = await publicManifest(ctx, descriptor.manifest_url);
+  return {
+    channel_ref: descriptor.channel_ref,
+    version_id: descriptor.current_version_id,
+    version: descriptor.version,
+    manifest,
+    bundle_sha256_b64u: descriptor.bundle_sha256_b64u,
+    bundle_url: descriptor.bundle_url,
+    public_descriptor_url: cached.descriptor_url,
+    public_bundle_url: descriptor.bundle_url,
+    snapshot_updated_at: descriptor.updated_at
+  };
+}
+async function identityOverlay(ctx, channel2, keyset) {
+  const config = readConfig();
+  const identity = config.machine ? { type: "machine", id: config.machine.machine_id, workspaceId: config.machine.workspace_id ?? null } : config.workstation ? { type: "workstation", id: config.workstation.id, workspaceId: config.workstation.workspace_id ?? null } : null;
+  if (!identity?.workspaceId) return null;
+  const path = `/v1/channel-overlays?channel=${encodeURIComponent(channel2)}&workspace_id=${encodeURIComponent(identity.workspaceId)}&identity_type=${identity.type}&identity_id=${encodeURIComponent(identity.id)}`;
+  const headers = config.machine ? await machineHeaders(path) : new Headers();
+  const response = await api(ctx, path, { headers });
+  if (!response.overlay) return null;
+  const hash = await sha256Base64url(canonicalize(response.overlay.overlay_bundle));
+  if (hash !== response.overlay.overlay_sha256_b64u) throw new CliError("identity_overlay_hash_mismatch", "Identity overlay hash mismatch. Refusing to merge overlay.");
+  const env = await decryptEnvBundle(response.overlay.overlay_bundle, keyset);
+  return { env, version: response.overlay.version };
+}
+async function channelRecipients(ctx, channelId) {
+  return api(ctx, `/v1/channels/${channelId}/recipients`);
+}
+async function pullEnv(ctx, channel2, options) {
+  const { keyset } = await loadKeyFile(ctx, options);
+  const currentConfig = readConfig();
+  let resolution;
+  let runtimeSource = "control_plane_handoff";
+  const runtimeChannels = currentConfig.machine?.runtime?.channels ?? [];
+  if (runtimeChannels.length) {
+    try {
+      resolution = await resolutionFromRuntimeChannels(ctx, channel2, runtimeChannels);
+      runtimeSource = "r2_cdn";
+    } catch (error) {
+      const cliError = normalizeError(error);
+      if (currentConfig.machine && cliError.code === "channel_not_authorized") {
+        throw cliError;
+      }
+      resolution = await resolveChannel(ctx, channel2);
+    }
+  } else {
+    resolution = await resolveChannel(ctx, channel2);
+  }
+  const descriptor = resolution.public_descriptor_url ? await publicPullDescriptor(ctx, resolution.public_descriptor_url).catch(() => null) : null;
+  const config = readConfig();
+  if (config.machine && !descriptor && !isLocalTestApi(ctx.apiBaseUrl) && process.env.ENVSHIP_ALLOW_WORKER_PULL_FALLBACK !== "true") {
+    throw new CliError("public_pull_descriptor_required", "Production machine pulls require the public encrypted CDN descriptor.", {
+      hint: "Publish the channel and wait for deploy status to become ready, or set ENVSHIP_ALLOW_WORKER_PULL_FALLBACK=true only for local/debug use."
+    });
+  }
+  const bundleUrl = descriptor?.bundle_url ?? resolution.bundle_url;
+  const expectedHash = descriptor?.bundle_sha256_b64u ?? resolution.bundle_sha256_b64u;
+  const encryptedBundle = await fetchJson(ctx, bundleUrl);
+  const actualHash = await sha256Base64url(canonicalize(encryptedBundle));
+  if (actualHash !== expectedHash) {
+    throw new CliError("bundle_hash_mismatch", "Encrypted bundle hash mismatch. Refusing to decrypt.");
+  }
+  if (config.machine && resolution.public_descriptor_url && descriptor) {
+    await saveConfig({
+      ...config,
+      machine: {
+        ...config.machine,
+        runtime: {
+          ...config.machine.runtime,
+          channels: [
+            ...(config.machine.runtime?.channels ?? []).filter((item) => item.channel_ref !== resolution.channel_ref),
+            {
+              channel_ref: resolution.channel_ref,
+              descriptor_url: resolution.public_descriptor_url,
+              version_id: descriptor.current_version_id,
+              version: descriptor.version,
+              bundle_sha256_b64u: descriptor.bundle_sha256_b64u,
+              updated_at: descriptor.updated_at
+            }
+          ],
+          updated_at: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    });
+  }
+  const baseEnv = await decryptEnvBundle(encryptedBundle, keyset);
+  const overlay = await identityOverlay(ctx, channel2, keyset).catch((error) => {
+    const cliError = normalizeError(error);
+    if (cliError.code === "identity_overlay_hash_mismatch") throw cliError;
+    return null;
+  });
+  const env = overlay ? mergeEnvOverlay(baseEnv, overlay.env) : baseEnv;
+  void reportRuntimeClient(ctx, { lastDeploySyncAt: (/* @__PURE__ */ new Date()).toISOString() });
+  return { env, resolution, runtimeSource };
+}
+async function readInput(path) {
+  if (path === "-") {
+    return new Promise((resolvePromise, reject) => {
+      let body = "";
+      process.stdin.setEncoding("utf8");
+      process.stdin.on("data", (chunk) => {
+        body += chunk;
+      });
+      process.stdin.on("end", () => resolvePromise(body));
+      process.stdin.on("error", reject);
+    });
+  }
+  return readFile(validateSafeLocalPath(path, { allowStdout: true, force: true, label: "input" }), "utf8");
+}
+async function writeOutput(path, value, force = false) {
+  if (path === "-") {
+    process.stdout.write(value);
+    return;
+  }
+  const outPath = validateSafeLocalPath(path, { allowStdout: true, force, label: "output" });
+  if (!force && existsSync(outPath)) {
+    throw new CliError("output_exists", `${outPath} already exists.`, { hint: "Use --force to overwrite it." });
+  }
+  await writeFile(outPath, value);
+}
+async function writeAtomicOutput(path, value, force = false) {
+  const outPath = validateSafeLocalPath(path, { allowStdout: false, force, label: "output" });
+  if (!force && existsSync(outPath)) {
+    throw new CliError("output_exists", `${outPath} already exists.`, { hint: "Use --force to overwrite it." });
+  }
+  await mkdir(dirname(outPath), { recursive: true });
+  const tempPath = join(dirname(outPath), `.envship-${parse(outPath).base}-${crypto.randomUUID()}.tmp`);
+  await writeFile(tempPath, value, { mode: 384 });
+  await chmod(tempPath, 384).catch(() => void 0);
+  await rename(tempPath, outPath);
+  await chmod(outPath, 384).catch(() => void 0);
+}
+async function confirmAction(ctx, message) {
+  if (ctx.yes) return;
+  if (ctx.noInput || !process.stdin.isTTY) {
+    throw new CliError("confirmation_required", message, { hint: "Rerun with --yes after verifying the target." });
+  }
+  const answer = (await promptLine(`${message} Type yes to continue: `)).toLowerCase();
+  if (answer !== "yes") throw new CliError("cancelled", "Cancelled.");
+}
+function table(rows, columns) {
+  if (rows.length === 0) return "";
+  const widths = columns.map((column) => Math.max(column.length, ...rows.map((row) => String(row[column] ?? "").length)));
+  const line = (values) => values.map((value, index) => value.padEnd(widths[index] ?? 0)).join("  ").trimEnd();
+  return [line(columns), line(columns.map((column, index) => "-".repeat(widths[index] ?? column.length))), ...rows.map((row) => line(columns.map((column) => String(row[column] ?? ""))))].join("\n");
+}
+function safeConfig(config) {
+  return {
+    apiBaseUrl: config.apiBaseUrl,
+    appBaseUrl: config.appBaseUrl,
+    keyfilePath: config.keyfilePath ?? null,
+    workstation: config.workstation ? { id: config.workstation.id, label: config.workstation.label } : null,
+    authenticated: Boolean(config.session),
+    machine: config.machine ? {
+      machine_id: config.machine.machine_id,
+      signing_key_id: config.machine.signing_key_id,
+      channels: config.machine.channels,
+      public_pull_base_url: config.machine.public_pull_base_url ?? null
+    } : null,
+    envsync: config.envsync ? {
+      services: Object.fromEntries(Object.entries(config.envsync.services ?? {}).map(([name, service]) => [name, {
+        name: service.name,
+        channel: service.channel,
+        out: service.out,
+        interval_seconds: service.interval_seconds,
+        mode: service.mode,
+        hook_configured: Boolean(service.hook?.length),
+        last_status: service.last_status ?? null
+      }]))
+    } : null
+  };
+}
+function activeWorkspaceId(state, workspace) {
+  const id = workspace ?? state.active_workspace_id;
+  if (!id) throw new CliError("workspace_required", "No active workspace was found.", { hint: "Run envship setup first or pass --workspace." });
+  return id;
+}
+async function registerKeyFile(ctx, options) {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const { keyFile } = await readKeyFile(options.keyfile);
+  const result = await api(ctx, "/v1/keysets/register", {
+    method: "POST",
+    body: JSON.stringify({
+      workspace_id: workspaceId,
+      keyset_id: keyFile.keyset_id,
+      label: keyFile.label,
+      encryption_key_id: keyFile.encryption_key_id,
+      encryption_public_jwk: keyFile.public_metadata.encryption_public_jwk,
+      signing_key_id: keyFile.signing_key_id,
+      signing_public_jwk: keyFile.public_metadata.signing_public_jwk,
+      created_at: keyFile.created_at
+    })
+  });
+  return { workspaceId, keyset_id: keyFile.keyset_id, status: result.status };
+}
+async function publishChannel(ctx, channel2, options) {
+  const target = await findChannel(ctx, channel2);
+  const { keyset } = await loadKeyFile(ctx, options);
+  const env = parseDotenv(await readInput(options.in));
+  const recipientResponse = await channelRecipients(ctx, target.id);
+  const recipients = recipientResponse.recipients.length ? recipientResponse.recipients : [{ encryption_key_id: keyset.encryption_key_id, encryption_public_jwk: keyset.encryption_public_jwk }];
+  const encryptedBundle = await encryptEnvBundleForRecipients(env, recipients, channel2);
+  const bundleHash = await sha256Base64url(canonicalize(encryptedBundle));
+  const manifest = await signManifest({
+    type: "envship.signed_manifest.v1",
+    channel_ref: channel2,
+    bundle_sha256_b64u: bundleHash,
+    publisher_signing_key_id: keyset.signing_key_id,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  }, keyset);
+  const planned = {
+    channel: channel2,
+    channel_id: target.id,
+    expected_current_version_id: recipientResponse.expected_current_version_id ?? target.current_version_id ?? null,
+    recipient_count: recipients.length,
+    key_count: Object.keys(env).length,
+    bundle_sha256_b64u: bundleHash
+  };
+  if (options.dryRun) return { planned };
+  let result;
+  try {
+    result = await api(ctx, "/v1/versions/publish", {
+      method: "POST",
+      body: JSON.stringify({
+        channel_id: target.id,
+        expected_current_version_id: planned.expected_current_version_id,
+        publisher_signing_key_id: keyset.signing_key_id,
+        manifest,
+        encrypted_bundle: encryptedBundle,
+        bundle_sha256_b64u: bundleHash
+      })
+    });
+  } catch (error) {
+    const cliError = normalizeError(error);
+    if (cliError.code === "version_conflict") throw publishConflictError(cliError, channel2);
+    throw error;
+  }
+  return { ...planned, ...result };
+}
+function publishConflictError(error, channel2) {
+  const details = error.details;
+  const latest = details?.latest;
+  const publisher = latest?.publisher;
+  const name = [publisher?.first_name, publisher?.last_name].filter(Boolean).join(" ").trim();
+  const byline = publisher?.email ? `${name ? `${name} ` : ""}<${publisher.email}>` : name || "another user";
+  const versionText = latest?.version ? ` version ${latest.version}` : " a newer version";
+  return new CliError(
+    "version_conflict",
+    `Cannot publish ${channel2}: ${byline} published${versionText}${latest?.published_at ? ` at ${latest.published_at}` : ""}. Pull the latest encrypted version, review your local diff, then retry.`,
+    { hint: `Run envship channel pull ${channel2} --out <review-file> and merge your changes before publishing again.`, details: error.details }
+  );
+}
+async function rewrapChannel(ctx, channel2, options) {
+  const { env, resolution } = await pullEnv(ctx, channel2, options);
+  const target = await findChannel(ctx, channel2);
+  const { keyset } = await loadKeyFile(ctx, options);
+  const recipientResponse = await channelRecipients(ctx, target.id);
+  const encryptedBundle = await encryptEnvBundleForRecipients(env, recipientResponse.recipients, channel2);
+  const bundleHash = await sha256Base64url(canonicalize(encryptedBundle));
+  const planned = {
+    channel: channel2,
+    channel_id: target.id,
+    expected_current_version_id: recipientResponse.expected_current_version_id ?? resolution.version_id,
+    recipient_count: recipientResponse.recipients.length,
+    key_count: Object.keys(env).length,
+    bundle_sha256_b64u: bundleHash
+  };
+  if (options.dryRun) return { planned };
+  const manifest = await signManifest({
+    type: "envship.signed_manifest.v1",
+    channel_ref: channel2,
+    bundle_sha256_b64u: bundleHash,
+    publisher_signing_key_id: keyset.signing_key_id,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  }, keyset);
+  let result;
+  try {
+    result = await api(ctx, "/v1/versions/publish", {
+      method: "POST",
+      body: JSON.stringify({
+        channel_id: target.id,
+        expected_current_version_id: planned.expected_current_version_id,
+        publisher_signing_key_id: keyset.signing_key_id,
+        manifest,
+        encrypted_bundle: encryptedBundle,
+        bundle_sha256_b64u: bundleHash
+      })
+    });
+  } catch (error) {
+    const cliError = normalizeError(error);
+    if (cliError.code === "version_conflict") throw publishConflictError(cliError, channel2);
+    throw error;
+  }
+  return { ...planned, ...result };
+}
+function parseRunCommand(cmd, options) {
+  const keyFileOptions = { ...options };
+  const commandParts = [];
+  let inChildCommand = false;
+  for (let index = 0; index < cmd.length; index += 1) {
+    const part = cmd[index];
+    if (!inChildCommand && part === "--") {
+      inChildCommand = true;
+      continue;
+    }
+    if (!inChildCommand && (part === "--keyfile" || part === "--passphrase-env" || part === "--passphrase")) {
+      const value = cmd[index + 1];
+      if (!value) throw new CliError("option_value_required", `${part} requires a value.`);
+      if (part === "--keyfile") keyFileOptions.keyfile = value;
+      if (part === "--passphrase-env") keyFileOptions.passphraseEnv = value;
+      if (part === "--passphrase") keyFileOptions.passphrase = value;
+      index += 1;
+      continue;
+    }
+    commandParts.push(part);
+  }
+  return { commandParts, keyFileOptions };
+}
+function parseDurationSeconds(value, fallback) {
+  if (!value) return fallback;
+  const match = /^(\d+)(s|m|h)?$/iu.exec(value.trim());
+  if (!match) throw new CliError("interval_invalid", "Intervals must look like 30s, 5m, or 1h.");
+  const amount = Number(match[1]);
+  const unit = (match[2] ?? "s").toLowerCase();
+  const seconds = amount * (unit === "h" ? 3600 : unit === "m" ? 60 : 1);
+  if (!Number.isSafeInteger(seconds) || seconds <= 0) throw new CliError("interval_invalid", "Interval must be a positive duration.");
+  return seconds;
+}
+function envSyncPlan() {
+  const plan = String(process.env.ENVSHIP_PLAN ?? process.env.ENVSHIP_ENVSYNC_PLAN ?? "pro").toLowerCase();
+  if (["free", "freeenv"].includes(plan)) return "free";
+  if (["team", "business"].includes(plan)) return "team";
+  if (plan === "enterprise") return "enterprise";
+  return "pro";
+}
+function envSyncLimits(mode) {
+  const plan = envSyncPlan();
+  if (plan === "free") {
+    if (mode === "daemon") throw new CliError("envsync_daemon_unavailable", "EnvSync daemon is not available on the Free/FreeEnv baseline after trial.", { hint: "Use envsync watch with a 300s or higher interval, or upgrade to EnvShip Pro." });
+    return { min: 300, recommended: 600, max: 3600, plan };
+  }
+  if (plan === "team") return mode === "watch" ? { min: 15, recommended: 30, max: 600, plan } : { min: 30, recommended: 60, max: 600, plan };
+  if (plan === "enterprise") return { min: 15, recommended: mode === "watch" ? 30 : 60, max: 600, plan };
+  return mode === "watch" ? { min: 30, recommended: 60, max: 900, plan } : { min: 60, recommended: 120, max: 900, plan };
+}
+function enforceEnvSyncInterval(mode, value) {
+  const limits = envSyncLimits(mode);
+  const seconds = parseDurationSeconds(value, limits.recommended);
+  if (seconds < limits.min) throw new CliError("envsync_interval_too_low", `EnvSync ${mode} interval must be at least ${limits.min}s for the current plan.`, { hint: `Recommended interval: ${limits.recommended}s.` });
+  if (seconds > limits.max) throw new CliError("envsync_interval_too_high", `EnvSync ${mode} interval must be ${limits.max}s or lower.`, { hint: "Use a value inside the supported plan range." });
+  return { seconds, limits };
+}
+function jitteredDelayMs(seconds, attempt) {
+  const backoffSeconds = Math.min(seconds * 2 ** Math.max(0, attempt - 1), 15 * 60);
+  const jitter = 0.9 + Math.random() * 0.2;
+  return Math.round(backoffSeconds * jitter * 1e3);
+}
+function envSyncServices(config = readConfig()) {
+  return config.envsync?.services ?? {};
+}
+function defaultEnvSyncName(channel2) {
+  return channel2.replace(/[^A-Za-z0-9_-]+/gu, "-").replace(/^-|-$/gu, "") || "default";
+}
+function envSyncConfigPath(name) {
+  const safeName = name.replace(/[^A-Za-z0-9_-]/gu, "-");
+  return join(homedir(), ".envship", "envsync", `${safeName}.json`);
+}
+function envSyncServiceFilePath(name) {
+  const safeName = name.replace(/[^A-Za-z0-9_-]/gu, "-");
+  const base = join(homedir(), ".envship", "envsync");
+  if (process.platform === "win32") return join(base, `${safeName}.service.json`);
+  if (process.platform === "darwin") return join(base, `com.envship.${safeName}.plist`);
+  return join(base, `envship-${safeName}.service`);
+}
+function validateEnvSyncName(value) {
+  if (!/^[A-Za-z0-9_-]{1,64}$/u.test(value)) throw new CliError("envsync_name_invalid", "EnvSync names may contain letters, numbers, dashes, and underscores.");
+  return value;
+}
+function parseHook(parts, daemon = false) {
+  const cleanParts = parts?.[0] === "--" ? parts.slice(1) : parts;
+  if (!cleanParts?.length) return void 0;
+  const [commandName, ...args] = cleanParts;
+  if (!commandName) return void 0;
+  if (daemon && !isAbsolute(commandName)) {
+    throw new CliError("envsync_hook_absolute_required", "EnvSync daemon hooks must use an absolute executable path.");
+  }
+  validateChildCommand(commandName, args);
+  return [commandName, ...args];
+}
+async function runEnvSyncHook(hook, metadata, timeoutMs = 3e4) {
+  if (!hook?.length) return "not_configured";
+  const [commandName, ...args] = hook;
+  validateChildCommand(commandName, args);
+  return new Promise((resolvePromise) => {
+    const child = spawnSafe(commandName, args, {
+      stdio: "ignore",
+      env: {
+        ...process.env,
+        ENVSHIP_ENVSYNC_CHANNEL: metadata.channel,
+        ENVSHIP_ENVSYNC_VERSION: metadata.version,
+        ENVSHIP_ENVSYNC_VERSION_ID: metadata.version_id,
+        ENVSHIP_ENVSYNC_BUNDLE_SHA256: metadata.bundle_sha256_b64u,
+        ENVSHIP_ENVSYNC_OUTPUT: metadata.out
+      }
+    });
+    const timer = setTimeout(() => {
+      child.kill();
+      resolvePromise("timeout");
+    }, timeoutMs);
+    child.on("error", () => {
+      clearTimeout(timer);
+      resolvePromise("failed");
+    });
+    child.on("exit", (code) => {
+      clearTimeout(timer);
+      resolvePromise(code === 0 ? "passed" : "failed");
+    });
+  });
+}
+function serviceFileBody(config) {
+  const args = ["envsync", "watch", "--channel", config.channel, "--out", config.out, "--interval", `${config.interval_seconds}s`, "--name", config.name];
+  if (config.hook?.length) args.push("--on-change", "--", ...config.hook);
+  if (process.platform === "win32") return JSON.stringify({ service: "EnvShip EnvSync", name: config.name, command: "envship", args }, null, 2);
+  if (process.platform === "darwin") return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0"><dict>
+<key>Label</key><string>com.envship.${config.name}</string>
+<key>ProgramArguments</key><array>${["envship", ...args].map((item) => `<string>${item.replace(/&/gu, "&amp;").replace(/</gu, "&lt;")}</string>`).join("")}</array>
+<key>RunAtLoad</key><true/>
+<key>KeepAlive</key><true/>
+</dict></plist>
+`;
+  return `[Unit]
+Description=EnvShip EnvSync ${config.name}
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=envship ${args.map((item) => item.replace(/(["\\$`])/gu, "\\$1")).join(" ")}
+Restart=on-failure
+RestartSec=30
+StartLimitBurst=5
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=default.target
+`;
+}
+async function loadEnvSyncService(name) {
+  const service = envSyncServices()[name];
+  if (!service) throw new CliError("envsync_service_not_found", `EnvSync service ${name} is not configured.`);
+  return service;
+}
+async function saveEnvSyncService(service) {
+  const config = readConfig();
+  const services = { ...config.envsync?.services ?? {}, [service.name]: service };
+  await saveConfig({ ...config, envsync: { services } });
+  await mkdir(dirname(envSyncConfigPath(service.name)), { recursive: true, mode: 448 });
+  await writeFile(envSyncConfigPath(service.name), JSON.stringify(service, null, 2), { mode: 384 });
+  await chmod(envSyncConfigPath(service.name), 384).catch(() => void 0);
+}
+async function removeEnvSyncService(name) {
+  const config = readConfig();
+  const services = { ...config.envsync?.services ?? {} };
+  const service = services[name];
+  delete services[name];
+  await saveConfig({ ...config, envsync: { services } });
+  await rm(envSyncConfigPath(name), { force: true });
+  if (service?.service_file) await rm(service.service_file, { force: true });
+}
+async function envSyncRuntimeCheck(ctx, service, options) {
+  const runtimeChannels = readConfig().machine?.runtime?.channels ?? [];
+  const cached = runtimeChannels.find((item) => item.channel_ref === service.channel);
+  if (!cached) throw new CliError("runtime_profile_required", "EnvSync requires a scoped local runtime profile for this channel.", { hint: "Install a machine or deploy token for the channel first." });
+  const headers = new Headers();
+  if (service.etag) headers.set("If-None-Match", service.etag);
+  if (service.last_modified) headers.set("If-Modified-Since", service.last_modified);
+  const descriptorResponse = await fetchPublicJson(ctx, cached.descriptor_url, headers);
+  if (descriptorResponse.status === 304) {
+    return {
+      service: { ...service, updated_at: (/* @__PURE__ */ new Date()).toISOString() },
+      status: {
+        state: "not_modified",
+        channel: service.channel,
+        checked_at: (/* @__PURE__ */ new Date()).toISOString(),
+        version: cached.version ?? void 0,
+        version_id: cached.version_id ?? void 0,
+        runtime_source: "r2_cdn",
+        descriptor_url: cached.descriptor_url,
+        hook_status: "not_configured"
+      }
+    };
+  }
+  const descriptor = descriptorResponse.body;
+  if (!descriptor || descriptor.type !== "envship.public_pull_descriptor.v1" || descriptor.channel_ref !== service.channel) {
+    throw new CliError("descriptor_invalid", "EnvSync descriptor did not match the expected channel.");
+  }
+  const previousUnchanged = descriptor.current_version_id === cached.version_id && descriptor.bundle_sha256_b64u === cached.bundle_sha256_b64u;
+  if (previousUnchanged) {
+    return {
+      service: { ...service, etag: descriptorResponse.etag, last_modified: descriptorResponse.lastModified, updated_at: (/* @__PURE__ */ new Date()).toISOString() },
+      status: {
+        state: "not_modified",
+        channel: service.channel,
+        checked_at: (/* @__PURE__ */ new Date()).toISOString(),
+        version: descriptor.version,
+        version_id: descriptor.current_version_id,
+        runtime_source: "r2_cdn",
+        descriptor_url: cached.descriptor_url,
+        hook_status: "not_configured"
+      }
+    };
+  }
+  const { keyset } = await loadKeyFile(ctx, options);
+  const encryptedBundle = await fetchJson(ctx, descriptor.bundle_url);
+  const actualHash = await sha256Base64url(canonicalize(encryptedBundle));
+  if (actualHash !== descriptor.bundle_sha256_b64u) throw new CliError("bundle_hash_mismatch", "Encrypted bundle hash mismatch. Refusing to update EnvSync output.");
+  const baseEnv = await decryptEnvBundle(encryptedBundle, keyset);
+  const overlay = await identityOverlay(ctx, service.channel, keyset).catch((error) => {
+    const cliError = normalizeError(error);
+    if (cliError.code === "identity_overlay_hash_mismatch") throw cliError;
+    return null;
+  });
+  const env = overlay ? mergeEnvOverlay(baseEnv, overlay.env) : baseEnv;
+  await writeAtomicOutput(service.out, stringifyDotenv(env), options.force ?? true);
+  const hookStatus = await runEnvSyncHook(service.hook, {
+    channel: service.channel,
+    version: String(descriptor.version),
+    version_id: descriptor.current_version_id,
+    bundle_sha256_b64u: descriptor.bundle_sha256_b64u,
+    out: service.out
+  });
+  const nextConfig = readConfig();
+  if (nextConfig.machine?.runtime?.channels) {
+    await saveConfig({
+      ...nextConfig,
+      machine: {
+        ...nextConfig.machine,
+        runtime: {
+          ...nextConfig.machine.runtime,
+          channels: [
+            ...nextConfig.machine.runtime.channels.filter((item) => item.channel_ref !== service.channel),
+            {
+              channel_ref: service.channel,
+              descriptor_url: cached.descriptor_url,
+              version_id: descriptor.current_version_id,
+              version: descriptor.version,
+              bundle_sha256_b64u: descriptor.bundle_sha256_b64u,
+              updated_at: descriptor.updated_at
+            }
+          ],
+          updated_at: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      }
+    });
+  }
+  return {
+    service: { ...service, etag: descriptorResponse.etag, last_modified: descriptorResponse.lastModified, updated_at: (/* @__PURE__ */ new Date()).toISOString() },
+    status: {
+      state: hookStatus === "failed" || hookStatus === "timeout" ? "hook_failed" : "bundle_updated",
+      channel: service.channel,
+      checked_at: (/* @__PURE__ */ new Date()).toISOString(),
+      version: descriptor.version,
+      version_id: descriptor.current_version_id,
+      runtime_source: "r2_cdn",
+      descriptor_url: cached.descriptor_url,
+      hook_status: hookStatus
+    }
+  };
+}
+async function setupWorkspace(ctx, options) {
+  const result = await api(ctx, "/v1/dashboard/setup", {
+    method: "POST",
+    body: JSON.stringify({
+      workspace_name: options.workspace,
+      project_name: options.project,
+      bundle_name: options.bundle,
+      channels: options.channels.split(",").map((item) => item.trim()).filter(Boolean)
+    })
+  });
+  const data = { ...result };
+  const passphraseSupplied = Boolean(options.passphrase || options.passphraseEnv || process.env.ENVSHIP_KEYFILE_PASSPHRASE);
+  if (options.registerKeyfile || options.publishEmpty || passphraseSupplied) {
+    let keyfilePath = options.keyfile;
+    if (!keyfilePath) {
+      const passphrase = await resolvePassphrase(ctx, options);
+      const generated = await generateEncryptedKeyFile(options.label, passphrase);
+      keyfilePath = resolve(generated.filename);
+      if (!options.force && existsSync(keyfilePath)) throw new CliError("output_exists", `${keyfilePath} already exists.`, { hint: "Use --force or --keyfile." });
+      await writeFile(keyfilePath, JSON.stringify(generated.keyFile, null, 2));
+      await saveConfig({ ...readConfig(), keyfilePath });
+      data.keyfile_path = keyfilePath;
+      data.keyset_id = generated.keyFile.keyset_id;
+    }
+    const registered = await registerKeyFile(ctx, { workspace: result.workspace_id, keyfile: keyfilePath });
+    data.keyset_id = registered.keyset_id;
+    const primaryChannel = `${options.bundle}/${options.channels.split(",").map((item) => item.trim()).filter(Boolean)[0] ?? "staging"}`;
+    const grant2 = await createGrant(ctx, primaryChannel, { keyset: registered.keyset_id, preset: "editor" });
+    data.initial_grant = grant2;
+    if (options.publishEmpty) {
+      const emptyPath = join(tmpdir(), `envship-empty-${crypto.randomUUID()}.env`);
+      await writeFile(emptyPath, "");
+      data.initial_publish = await publishChannel(ctx, primaryChannel, { ...options, in: emptyPath, keyfile: keyfilePath });
+      await rm(emptyPath, { force: true });
+    }
+  }
+  return data;
+}
+async function createGrant(ctx, channel2, options) {
+  const target = await findChannel(ctx, channel2);
+  const payload = { channel_id: target.id, keyset_id: options.keyset, preset: options.preset };
+  if (options.dryRun) return { dry_run: true, channel: channel2, ...payload };
+  return api(ctx, "/v1/channel-grants", {
+    method: "POST",
+    body: JSON.stringify(payload)
+  });
+}
+program.name("envship").description("EnvShip encrypts, ships, and runs environment bundles without sending plaintext secrets to the cloud.").version(cliVersion).enablePositionalOptions().showHelpAfterError().showSuggestionAfterError().configureHelp({ sortSubcommands: true, sortOptions: true });
+addGlobalOptions(program);
+program.addHelpText("after", `
+Examples:
+  envship auth login
+  envship auth connect --code cli_xxxxx
+  envship setup --workspace Acme --project Web --bundle web --channels staging,production
+  envship machine install --name web-production --channel web/production
+  envship machine deploy-token-create --project <project-id> --channel web/production
+  envship machine install --deploy-token "$ENVSHIP_DEPLOY_TOKEN" --name web-production
+  envship envsync watch --channel web/production --out .env
+  envship update check
+  envship channel run web/production -- npm start
+
+Next step: run envship auth login, then envship setup.
+Docs: https://envship.com/docs
+Support: https://github.com/envshipcom/envship/issues
+`);
+function command(parent, signature, description, examples) {
+  const created = parent.command(signature).description(description).showHelpAfterError();
+  addGlobalOptions(created);
+  return withExamples(created, examples);
+}
+function group(name, description) {
+  const created = program.command(name).description(description).enablePositionalOptions().showHelpAfterError();
+  addGlobalOptions(created);
+  return withExamples(created, [`envship ${name} --help`]);
+}
+var auth = group("auth", "Authenticate and inspect the local EnvShip session");
+command(auth, "whoami", "Show the current EnvShip session", ["envship auth whoami", "envship auth whoami --json"]).action(commandAction(async (ctx) => {
+  const me = await api(ctx, "/v1/me");
+  const config = readConfig();
+  const data = { user: me.user, api: ctx.apiBaseUrl, machine: config.machine ? { machine_id: config.machine.machine_id, signing_key_id: config.machine.signing_key_id, channels: config.machine.channels } : null };
+  return { data, stdout: table([{ email: me.user?.email ?? "unknown", api: ctx.apiBaseUrl, machine: config.machine?.machine_id ?? "none" }], ["email", "api", "machine"]) };
+}));
+command(auth, "logout", "Remove the local EnvShip session and machine credential", ["envship auth logout"]).action(commandAction(async () => {
+  const config = readConfig();
+  try {
+    if (config.session) await fetch(`${config.apiBaseUrl}/v1/logout`, { method: "POST", headers: { Cookie: `${sessionCookieName}=${config.session}`, "X-EnvShip-CSRF": "1" } });
+  } catch {
+  }
+  await saveConfig({ apiBaseUrl: config.apiBaseUrl, appBaseUrl: config.appBaseUrl, keyfilePath: config.keyfilePath });
+  return { data: { logged_out: true }, message: "Local EnvShip session removed." };
+}));
+command(auth, "login", "Authorize this device with EnvShip", ["envship auth login", "envship auth login --headless"]).option("--headless", "print a 1-hour approval code instead of opening a browser").action(commandAction(async (ctx, options) => {
+  const machineKey = await generateMachineSigningKey("envship-cli-device");
+  const code = await api(ctx, "/v1/device-codes", {
+    method: "POST",
+    body: JSON.stringify({ signing_key_id: machineKey.signing_key_id, public_key: machineKey.signing_public_jwk, device_name: "EnvShip CLI" })
+  });
+  const approvalUrl = `${ctx.appBaseUrl}/authorize-code?code=${encodeURIComponent(code.user_code)}`;
+  if (options.headless) ctx.info(`Go to ${code.verification_uri} and enter code ${code.user_code}`);
+  else {
+    openBrowser(approvalUrl);
+    ctx.info(`Opened ${approvalUrl}`);
+    ctx.info(`Headless fallback: ${code.verification_uri} code ${code.user_code}`);
+  }
+  const deadline = Date.now() + 60 * 60 * 1e3;
+  const pollStartedAt = Date.now();
+  while (Date.now() < deadline) {
+    const elapsedMs = Date.now() - pollStartedAt;
+    const pollIntervalSeconds = elapsedMs < 6e4 ? code.interval_seconds : elapsedMs < 5 * 6e4 ? Math.max(code.interval_seconds, 10) : 30;
+    await new Promise((resolvePromise) => setTimeout(resolvePromise, pollIntervalSeconds * 1e3));
+    const poll = await api(ctx, `/v1/device-codes/${encodeURIComponent(code.device_code)}`);
+    if (poll.status === "expired") throw new CliError("device_code_expired", "Device code expired before approval.");
+    if (poll.status === "approved") {
+      await saveConfig({
+        ...readConfig(),
+        apiBaseUrl: ctx.apiBaseUrl,
+        appBaseUrl: ctx.appBaseUrl,
+        session: poll.session,
+        machine: poll.machine ? {
+          machine_id: poll.machine.machine_id,
+          signing_key_id: machineKey.signing_key_id,
+          signing_private_jwk: machineKey.signing_private_jwk,
+          channels: poll.machine.channels
+        } : void 0
+      });
+      return { data: { approved: true, machine: poll.machine ?? null }, message: "EnvShip device approved and saved locally." };
+    }
+  }
+  throw new CliError("device_code_timeout", "Timed out waiting for device approval.");
+}));
+command(auth, "connect", "Connect this development environment with a Dashboard setup code", ["envship auth connect --code cli_xxxxx"]).requiredOption("--code <code>", "pre-generated Dashboard CLI setup code").action(commandAction(async (ctx, options) => {
+  const code = validateCliBootstrapCode(options.code.trim());
+  const currentConfig = readConfig();
+  const workstation = localWorkstation(currentConfig);
+  const data = await api(ctx, "/v1/cli-bootstrap-codes/consume", {
+    method: "POST",
+    body: JSON.stringify({ code, workstation_id: workstation.id, label: workstation.label })
+  });
+  await saveConfig({
+    ...currentConfig,
+    apiBaseUrl: ctx.apiBaseUrl,
+    appBaseUrl: ctx.appBaseUrl,
+    session: data.session,
+    workstation: {
+      ...workstation,
+      analytics_client_id: data.cli_workstation?.analytics_client_id ?? workstation.analytics_client_id ?? null,
+      workspace_id: data.workspace_id ?? workstation.workspace_id ?? null,
+      project_id: data.project_id ?? workstation.project_id ?? null,
+      autoupdate_enabled: workstation.autoupdate_enabled ?? true
+    }
+  });
+  void reportRuntimeClient(ctx);
+  return {
+    data: {
+      connected: true,
+      user_email: data.user?.email ?? null,
+      workspace_id: data.workspace_id ?? null,
+      project_id: data.project_id ?? null,
+      source: data.source ?? null,
+      workstation: { ...workstation, analytics_client_id: data.cli_workstation?.analytics_client_id ?? workstation.analytics_client_id ?? null, workspace_id: data.workspace_id ?? null, project_id: data.project_id ?? null },
+      cli_workstations: data.cli_workstations ?? null
+    },
+    message: `CLI Workstation connected${data.user?.email ? ` for ${data.user.email}` : ""}.`
+  };
+}));
+var setup = command(program, "setup", "Create workspace/project/bundle/channel setup", ["envship setup --workspace Acme --project Web --bundle web --channels staging,production"]).option("--workspace <name>", "workspace name", "My Workspace").option("--project <name>", "project name", "My First Project").option("--bundle <name>", "bundle name", "web").option("--channels <csv>", "comma-separated channels", "staging,production").option("--label <label>", "KeyFile label when generating one", "envship-cli-key").option("--register-keyfile", "register the supplied or generated KeyFile public metadata").option("--publish-empty", "publish an initial encrypted empty version after registering and granting").option("--force", "overwrite generated KeyFile output if needed");
+addKeyFileOptions(setup);
+setup.action(commandAction(async (ctx, options) => {
+  const data = await setupWorkspace(ctx, options);
+  return { data, message: `Workspace ready: ${data.workspace_id}` };
+}));
+var keyfile = program.command("keyfile", { hidden: true }).description("Compatibility commands for local encrypted credential files").enablePositionalOptions().showHelpAfterError();
+addGlobalOptions(keyfile);
+withExamples(keyfile, ["envship keyfile --help"]);
+var keyfileCreate = command(keyfile, "create", "Create an encrypted private KeyFile locally", ["envship keyfile create --label laptop --passphrase-env ENVSHIP_KEYFILE_PASSPHRASE"]).option("--label <label>", "KeyFile label", "envship-cli-key").option("--out <path>", "output path").option("--force", "overwrite output path");
+addKeyFileOptions(keyfileCreate);
+keyfileCreate.action(commandAction(async (ctx, options) => {
+  const passphrase = await resolvePassphrase(ctx, options);
+  const generated = await generateEncryptedKeyFile(options.label, passphrase);
+  const outPath = resolve(options.out ?? generated.filename);
+  if (!options.force && existsSync(outPath)) throw new CliError("output_exists", `${outPath} already exists.`, { hint: "Use --force to overwrite it." });
+  await writeFile(outPath, JSON.stringify(generated.keyFile, null, 2));
+  await saveConfig({ ...readConfig(), keyfilePath: outPath });
+  return { data: { keyfile_path: outPath, keyset_id: generated.keyFile.keyset_id, encryption_key_id: generated.keyFile.encryption_key_id, signing_key_id: generated.keyFile.signing_key_id }, message: `Encrypted KeyFile written to ${outPath}` };
+}));
+command(keyfile, "register", "Register public KeyFile metadata with the active workspace", ["envship keyfile register --keyfile laptop.envship-keyfile.json"]).option("--workspace <workspaceId>", "workspace id").option("--keyfile <path>", "encrypted KeyFile path").action(commandAction(async (ctx, options) => {
+  const data = await registerKeyFile(ctx, options);
+  return { data, message: `Registered KeyFile ${data.keyset_id}: ${data.status}` };
+}));
+var keyfileUnlock = command(keyfile, "unlock", "Verify a local encrypted KeyFile can be unlocked", ["envship keyfile unlock --keyfile laptop.envship-keyfile.json"]);
+addKeyFileOptions(keyfileUnlock);
+keyfileUnlock.action(commandAction(async (ctx, options) => {
+  const { keyset, keyfilePath } = await loadKeyFile(ctx, options);
+  return { data: { keyfile_path: keyfilePath, keyset_id: keyset.keyset_id, label: keyset.label, signing_key_id: keyset.signing_key_id }, message: `Unlocked KeyFile ${keyset.label}` };
+}));
+command(keyfile, "status", "List registered KeyFiles for the active workspace", ["envship keyfile status", "envship keyfile status --json"]).action(commandAction(async (ctx) => {
+  const state = await dashboardState(ctx);
+  const rows = state.keysets.map((item) => ({ keyset: item.keyset_id, label: item.label, status: item.status, signing: item.signing_key_id }));
+  return { data: { keysets: state.keysets }, stdout: table(rows, ["keyset", "label", "status", "signing"]) || "No KeyFiles registered." };
+}));
+for (const [name, status] of [["mark-lost", "lost"], ["revoke", "revoked"]]) {
+  command(keyfile, `${name} <keysetId>`, `${name === "mark-lost" ? "Mark" : "Revoke"} a registered KeyFile`, [`envship keyfile ${name} kst_example --workspace <workspace-id> --yes`]).requiredOption("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, keysetId, options) => {
+    await confirmAction(ctx, `${name === "mark-lost" ? "Mark" : "Revoke"} KeyFile ${keysetId}?`);
+    const data = await api(ctx, `/v1/keysets/${encodeURIComponent(keysetId)}/status`, { method: "POST", body: JSON.stringify({ workspace_id: options.workspace, status }) });
+    return { data, message: `KeyFile ${keysetId} ${status}.` };
+  }));
+}
+var channel = group("channel", "Publish, pull, run, edit, and inspect channel versions");
+command(channel, "list", "List channels visible to the current session", ["envship channel list"]).action(commandAction(async (ctx) => {
+  const state = await dashboardState(ctx);
+  const rows = state.channels.map((item) => ({ channel: item.channel_ref, version: item.current_version ?? "none" }));
+  return { data: { channels: state.channels }, stdout: table(rows, ["channel", "version"]) || "No channels found." };
+}));
+command(channel, "versions <channel>", "List immutable versions for a channel", ["envship channel versions web/staging"]).action(commandAction(async (ctx, channelRef) => {
+  const target = await findChannel(ctx, channelRef);
+  const response = await api(ctx, `/v1/channels/${target.id}/versions`);
+  const rows = response.versions.map((item) => ({ version: item.version, id: item.id, current: item.is_current ? "yes" : "", created: item.created_at }));
+  return { data: response, stdout: table(rows, ["version", "id", "current", "created"]) || "No versions found." };
+}));
+var channelPublish = command(channel, "publish <channel>", "Encrypt and publish an env file to a channel", ["envship channel publish web/production --in .env.production", "cat .env | envship channel publish web/staging --in -"]);
+channelPublish.option("--in <path>", "dotenv input path or - for stdin", ".env").option("--dry-run", "validate and show publish plan without writing");
+addKeyFileOptions(channelPublish);
+channelPublish.action(commandAction(async (ctx, channelRef, options) => {
+  const data = await publishChannel(ctx, channelRef, options);
+  return { data, message: options.dryRun ? `Publish dry-run ready for ${channelRef}.` : `Published ${channelRef} version ${data.version}.` };
+}));
+var channelPull = command(channel, "pull <channel>", "Fetch, verify, decrypt, and write dotenv output", ["envship channel pull web/staging --out .env.local", "envship channel pull web/staging --out -"]);
+channelPull.option("--out <path>", "output path or - for stdout", ".env").option("--force", "overwrite output path");
+addKeyFileOptions(channelPull);
+channelPull.action(commandAction(async (ctx, channelRef, options) => {
+  if (ctx.json && options.out === "-") {
+    throw new CliError("json_stdout_conflict", "Cannot combine --json with --out - because decrypted dotenv output also uses stdout.", { hint: "Write dotenv output to a file, or omit --json." });
+  }
+  const { env, resolution, runtimeSource } = await pullEnv(ctx, channelRef, options);
+  const versionCheck = await versionWarnings(ctx);
+  await writeOutput(options.out, stringifyDotenv(env), options.force);
+  return {
+    data: { channel: channelRef, version: resolution.version, out: options.out, runtime_source: runtimeSource },
+    warnings: [
+      ...runtimeSource === "control_plane_handoff" ? ["Used control-plane metadata to refresh the local runtime profile; future pulls should use the R2/CDN descriptor while it remains current."] : [],
+      ...versionCheck.warnings
+    ],
+    message: options.out === "-" ? void 0 : `Resolved ${channelRef} version ${resolution.version} to ${options.out} via ${runtimeSource === "r2_cdn" ? "R2/CDN runtime profile" : "control-plane handoff"}`
+  };
+}));
+var channelRun = command(channel, "run <channel> [cmd...]", "Run a command with locally decrypted EnvShip env values", ["envship channel run web/production -- npm start"]);
+channelRun.allowUnknownOption(true).passThroughOptions();
+addKeyFileOptions(channelRun);
+channelRun.action(commandAction(async (ctx, channelRef, cmd, options) => {
+  const parsed = parseRunCommand(cmd, options);
+  const { env, runtimeSource } = await pullEnv(ctx, channelRef, parsed.keyFileOptions);
+  const versionCheck = await versionWarnings(ctx);
+  const [commandName, ...args] = parsed.commandParts;
+  if (!commandName) throw new CliError("command_required", "Pass a command after the channel.", { hint: "Example: envship channel run web/staging -- npm start" });
+  validateChildCommand(commandName, args);
+  const child = spawnSafe(commandName, args, { stdio: "inherit", env: { ...process.env, ...env, ENVSHIP_CHANNEL: channelRef } });
+  await new Promise((resolvePromise, reject) => {
+    child.on("error", reject);
+    child.on("exit", (code, signal) => code === 0 ? resolvePromise() : reject(new ChildExitError(code, signal)));
+  });
+  return {
+    data: { channel: channelRef, command: [commandName, ...args], runtime_source: runtimeSource },
+    warnings: [
+      ...runtimeSource === "control_plane_handoff" ? ["Used control-plane metadata to refresh the local runtime profile before running the command."] : [],
+      ...versionCheck.warnings
+    ]
+  };
+}));
+var channelEdit = command(channel, "edit <channel>", "Open a channel in the local editor, then encrypt and publish", ["envship channel edit web/staging"]);
+channelEdit.option("--keep-temp-on-error", "keep temporary dotenv file if edit/publish fails");
+addKeyFileOptions(channelEdit);
+channelEdit.action(commandAction(async (ctx, channelRef, options) => {
+  const dir = await mkdtemp(join(tmpdir(), "envship-"));
+  await chmod(dir, 448).catch(() => void 0);
+  const file = join(dir, `${channelRef.replace("/", "-")}.env`);
+  try {
+    const { env } = await pullEnv(ctx, channelRef, options);
+    await writeFile(file, stringifyDotenv(env), { mode: 384 });
+    const editor = process.env.EDITOR ?? (process.platform === "win32" ? "notepad" : "vi");
+    validateChildCommand(editor, [file]);
+    await new Promise((resolvePromise, reject) => {
+      const child = spawnSafe(editor, [file], { stdio: "inherit" });
+      child.on("error", reject);
+      child.on("exit", (code) => code === 0 ? resolvePromise() : reject(new CliError("editor_failed", `${editor} exited with ${code}.`)));
+    });
+    const tempPublishFile = file;
+    const data = await publishChannel(ctx, channelRef, { ...options, in: tempPublishFile });
+    await rm(dir, { recursive: true, force: true });
+    return { data, message: `Edited and published ${channelRef} version ${data.version}.` };
+  } catch (error) {
+    if (!options.keepTempOnError) await rm(dir, { recursive: true, force: true });
+    else ctx.info(`Kept temporary edit file at ${file}`);
+    throw error;
+  }
+}));
+var channelRewrap = command(channel, "rewrap <channel>", "Update encrypted access for active recipients", ["envship channel rewrap web/staging"]);
+channelRewrap.option("--dry-run", "validate and show rewrap plan without writing");
+addKeyFileOptions(channelRewrap);
+channelRewrap.action(commandAction(async (ctx, channelRef, options) => {
+  const data = await rewrapChannel(ctx, channelRef, options);
+  return { data, message: options.dryRun ? `Rewrap dry-run ready for ${channelRef}.` : `Rewrapped ${channelRef} version ${data.version}.` };
+}));
+command(channel, "rollback <channel>", "Move a channel pointer back to a previous immutable version", ["envship channel rollback web/staging --version-id <id> --yes"]).requiredOption("--version-id <id>", "bundle version id to make current").option("--dry-run", "show rollback target without writing").action(commandAction(async (ctx, channelRef, options) => {
+  const target = await findChannel(ctx, channelRef);
+  const planned = { channel: channelRef, channel_id: target.id, version_id: options.versionId };
+  if (options.dryRun) return { data: planned, message: `Rollback dry-run ready for ${channelRef}.` };
+  await confirmAction(ctx, `Rollback ${channelRef} to ${options.versionId}?`);
+  const data = await api(ctx, `/v1/channels/${target.id}/rollback`, { method: "POST", body: JSON.stringify({ version_id: options.versionId }) });
+  return { data, message: `Rolled ${channelRef} back.` };
+}));
+var envsync = group("envsync", "Watch encrypted env changes from R2/CDN runtime descriptors");
+var envsyncWatch = command(envsync, "watch [cmd...]", "Foreground autopull for a scoped channel", ["envship envsync watch --channel web/production --out .env", "envship envsync watch --channel web/production --out .env --on-change -- npm run reload"]).requiredOption("--channel <channel>", "bundle/channel ref to watch").requiredOption("--out <path>", "dotenv output path").option("--interval <duration>", "poll interval, for example 60s or 5m").option("--name <name>", "EnvSync service/status name").option("--on-change", "run the command after -- when a verified update is written").option("--force", "overwrite output path").addOption(new Option("--once", "run one check and exit").hideHelp());
+envsyncWatch.allowUnknownOption(true).passThroughOptions();
+addKeyFileOptions(envsyncWatch);
+envsyncWatch.action(commandAction(async (ctx, cmd, options) => {
+  channelParts(options.channel);
+  const { seconds } = enforceEnvSyncInterval("watch", options.interval);
+  const name = validateEnvSyncName(options.name ?? defaultEnvSyncName(options.channel));
+  const hook = options.onChange ? parseHook(cmd) : void 0;
+  if (options.onChange && !hook) throw new CliError("envsync_hook_required", "Pass a command after -- when using --on-change.");
+  const existing = envSyncServices()[name];
+  let service = {
+    ...existing ?? {},
+    name,
+    channel: options.channel,
+    out: validateSafeLocalPath(options.out, { label: "output", force: true }),
+    interval_seconds: seconds,
+    mode: "watch",
+    hook,
+    created_at: existing?.created_at ?? (/* @__PURE__ */ new Date()).toISOString(),
+    updated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  let attempt = 0;
+  while (true) {
+    try {
+      const result = await envSyncRuntimeCheck(ctx, service, { ...options, force: options.force ?? true });
+      service = { ...result.service, last_status: result.status };
+      await saveEnvSyncService(service);
+      void reportRuntimeClient(ctx, { lastDeploySyncAt: result.status.state === "bundle_updated" ? result.status.checked_at : void 0, envsyncMode: "watch", envsyncIntervalSeconds: service.interval_seconds });
+      attempt = 0;
+      if (ctx.json || options.once) {
+        return { data: { service, status: result.status }, message: result.status.state === "bundle_updated" ? `EnvSync updated ${service.channel} version ${result.status.version}.` : `EnvSync checked ${service.channel}: ${result.status.state}.` };
+      }
+      ctx.info(`EnvSync ${result.status.state}: ${service.channel}${result.status.version ? ` v${result.status.version}` : ""}`);
+    } catch (error) {
+      attempt += 1;
+      const cliError = normalizeError(error);
+      const status = {
+        state: cliError.code === "descriptor_invalid" ? "descriptor_invalid" : cliError.code.includes("signature") ? "signature_failed" : "control_plane_unavailable_read_only",
+        channel: service.channel,
+        checked_at: (/* @__PURE__ */ new Date()).toISOString(),
+        runtime_source: "r2_cdn",
+        error: cliError.code
+      };
+      service = { ...service, last_status: status, updated_at: (/* @__PURE__ */ new Date()).toISOString() };
+      await saveEnvSyncService(service);
+      if (ctx.json || options.once) return { data: { service, status }, warnings: [cliError.message], exitCode: 1 };
+      ctx.info(`Warning: EnvSync ${status.state}: ${cliError.message}`);
+    }
+    await new Promise((resolvePromise) => setTimeout(resolvePromise, jitteredDelayMs(seconds, attempt)));
+  }
+}));
+var envsyncInstall = command(envsync, "install [cmd...]", "Create an EnvSync daemon service config", ["envship envsync install --channel web/production --out /etc/envship/web.env --interval 60s", "envship envsync install --channel web/production --out /etc/envship/web.env --on-change -- /usr/bin/systemctl reload app"]).requiredOption("--channel <channel>", "bundle/channel ref to watch").requiredOption("--out <path>", "dotenv output path").option("--interval <duration>", "poll interval, for example 120s or 5m").option("--name <name>", "EnvSync service name").option("--on-change", "run the command after -- when a verified update is written").option("--force", "overwrite existing EnvSync service config");
+envsyncInstall.allowUnknownOption(true).passThroughOptions();
+envsyncInstall.action(commandAction(async (_ctx, cmd, options) => {
+  channelParts(options.channel);
+  const { seconds, limits } = enforceEnvSyncInterval("daemon", options.interval);
+  const name = validateEnvSyncName(options.name ?? defaultEnvSyncName(options.channel));
+  const hook = options.onChange ? parseHook(cmd, true) : void 0;
+  if (options.onChange && !hook) throw new CliError("envsync_hook_required", "Pass a command after -- when using --on-change.");
+  const services = envSyncServices();
+  if (services[name] && !options.force) throw new CliError("envsync_service_exists", `EnvSync service ${name} already exists.`, { hint: "Use --force to replace it." });
+  const serviceFile = envSyncServiceFilePath(name);
+  const service = {
+    name,
+    channel: options.channel,
+    out: validateSafeLocalPath(options.out, { label: "output", force: true }),
+    interval_seconds: seconds,
+    mode: "daemon",
+    hook,
+    service_file: serviceFile,
+    created_at: services[name]?.created_at ?? (/* @__PURE__ */ new Date()).toISOString(),
+    updated_at: (/* @__PURE__ */ new Date()).toISOString(),
+    last_status: services[name]?.last_status ?? {
+      state: "not_checked",
+      channel: options.channel,
+      checked_at: (/* @__PURE__ */ new Date()).toISOString(),
+      runtime_source: "r2_cdn",
+      hook_status: hook ? void 0 : "not_configured"
+    }
+  };
+  await saveEnvSyncService(service);
+  await mkdir(dirname(serviceFile), { recursive: true, mode: 448 });
+  await writeFile(serviceFile, serviceFileBody(service), { mode: 384 });
+  await chmod(serviceFile, 384).catch(() => void 0);
+  return {
+    data: { service, limits, service_file: serviceFile },
+    message: `EnvSync daemon config written to ${serviceFile}. Install it with your OS service manager when ready.`
+  };
+}));
+command(envsync, "status", "Show EnvSync watcher/daemon status", ["envship envsync status", "envship envsync status --name web-production"]).option("--name <name>", "EnvSync service name").action(commandAction(async (_ctx, options) => {
+  const services = envSyncServices();
+  const rows = Object.values(services).filter((service) => !options.name || service.name === options.name).map((service) => ({
+    name: service.name,
+    channel: service.channel,
+    mode: service.mode,
+    interval: `${service.interval_seconds}s`,
+    state: service.last_status?.state ?? "not_checked",
+    version: service.last_status?.version ?? ""
+  }));
+  if (options.name && rows.length === 0) throw new CliError("envsync_service_not_found", `EnvSync service ${options.name} is not configured.`);
+  return { data: { services: Object.values(services).filter((service) => !options.name || service.name === options.name) }, stdout: table(rows, ["name", "channel", "mode", "interval", "state", "version"]) || "No EnvSync services configured." };
+}));
+command(envsync, "uninstall", "Remove an EnvSync daemon service config", ["envship envsync uninstall --name web-production --yes"]).requiredOption("--name <name>", "EnvSync service name").action(commandAction(async (ctx, options) => {
+  const name = validateEnvSyncName(options.name);
+  const service = await loadEnvSyncService(name);
+  await confirmAction(ctx, `Remove EnvSync service ${name}?`);
+  await removeEnvSyncService(name);
+  return { data: { removed: true, service }, message: `EnvSync service removed: ${name}` };
+}));
+var grant = group("grant", "Create, inspect, update, and revoke channel grants");
+command(grant, "create <channel>", "Grant channel access to a registered user key", ["envship grant create web/staging --keyset kst_example --preset editor"]).requiredOption("--keyset <keysetId>", "target registered keyset id").option("--preset <preset>", "metadata-only, pull-only, editor, publisher, channel-admin", "editor").option("--dry-run", "show grant payload without writing").action(commandAction(async (ctx, channelRef, options) => {
+  const data = await createGrant(ctx, channelRef, options);
+  return { data, message: options.dryRun ? `Grant dry-run ready for ${channelRef}.` : `Granted ${channelRef}.` };
+}));
+command(grant, "list", "List channel grants in the active workspace", ["envship grant list"]).action(commandAction(async (ctx) => {
+  const state = await dashboardState(ctx);
+  const rows = state.grants.map((item) => ({ id: item.id, channel: item.channel_ref, keyset: item.keyset_id, status: item.grant_status, capabilities: item.capabilities.join(",") }));
+  return { data: { grants: state.grants }, stdout: table(rows, ["id", "channel", "keyset", "status", "capabilities"]) || "No grants found." };
+}));
+command(grant, "update <grantId>", "Update a channel grant preset", ["envship grant update <grant-id> --preset pull-only"]).requiredOption("--preset <preset>", "metadata-only, pull-only, editor, publisher, channel-admin").action(commandAction(async (ctx, grantId, options) => {
+  const data = await api(ctx, `/v1/channel-grants/${grantId}/update`, { method: "POST", body: JSON.stringify({ preset: options.preset }) });
+  return { data, message: `Updated grant ${grantId}.` };
+}));
+command(grant, "revoke <grantId>", "Revoke a channel grant", ["envship grant revoke <grant-id> --yes"]).action(commandAction(async (ctx, grantId) => {
+  await confirmAction(ctx, `Revoke grant ${grantId}?`);
+  const data = await api(ctx, `/v1/channel-grants/${grantId}/revoke`, { method: "POST" });
+  return { data, message: `Revoked grant ${grantId}.` };
+}));
+var machine = group("machine", "Manage machine identities and reusable deploy tokens that share Runtime slots");
+command(machine, "install", "Install a scoped machine identity on CI/VPS", ["envship machine install --name github-actions --channel web/production"]).option("--workspace <workspaceId>", "workspace id").option("--name <name>", "machine name", "envship-machine").option("--channel <channel...>", "allowed channel refs").option("--deploy-token <token>", "reusable deploy token for fresh machine installs and autoscaling").action(commandAction(async (ctx, options) => {
+  const machineKey = await generateMachineSigningKey(options.name);
+  if (options.deployToken) {
+    if (!/^(edt|edt2)_[A-Za-z0-9_-]{16,256}$/u.test(options.deployToken)) throw new CliError("deploy_token_invalid", "Deploy token format is invalid.");
+    try {
+      const data2 = await api(ctx, "/v1/deploy-token-install", {
+        method: "POST",
+        body: JSON.stringify({ token: options.deployToken, name: options.name, signing_key_id: machineKey.signing_key_id, signing_public_jwk: machineKey.signing_public_jwk })
+      });
+      await saveConfig({ ...readConfig(), machine: { machine_id: data2.machine_id, workspace_id: data2.workspace_id ?? null, project_id: data2.project_id ?? null, signing_key_id: machineKey.signing_key_id, signing_private_jwk: machineKey.signing_private_jwk, channels: data2.channels, analytics_client_id: data2.runtime?.analytics_client_id ?? null, autoupdate_enabled: true, runtime: { snapshot_url: data2.runtime?.machine_snapshot_url ?? null, channels: data2.runtime?.channels ?? [], updated_at: (/* @__PURE__ */ new Date()).toISOString() } } });
+      void reportRuntimeClient(ctx);
+      return { data: { ...data2, signing_key_id: machineKey.signing_key_id }, message: `Machine installed from deploy token: ${data2.machine_id}` };
+    } catch (error) {
+      if (!parseDeployTokenV2(options.deployToken)) throw error;
+      const { snapshot, snapshotUrl } = await deployTokenRuntimeSnapshot(ctx, options.deployToken);
+      const machineId = `pending_${machineKey.signing_key_id}`;
+      await saveConfig({
+        ...readConfig(),
+        machine: {
+          machine_id: machineId,
+          workspace_id: snapshot.workspace_id,
+          project_id: snapshot.project_id ?? null,
+          signing_key_id: machineKey.signing_key_id,
+          signing_private_jwk: machineKey.signing_private_jwk,
+          channels: snapshot.channels.map((item) => item.channel_ref),
+          analytics_client_id: snapshot.analytics_client_id ?? null,
+          autoupdate_enabled: true,
+          runtime: {
+            snapshot_url: snapshotUrl,
+            channels: snapshot.channels,
+            updated_at: (/* @__PURE__ */ new Date()).toISOString(),
+            pending_offline_install: true
+          }
+        }
+      });
+      void reportRuntimeClient(ctx);
+      return {
+        data: { machine_id: machineId, channels: snapshot.channels.map((item) => item.channel_ref), signing_key_id: machineKey.signing_key_id, runtime_snapshot_url: snapshotUrl, pending_offline_install: true },
+        warnings: ["Control plane was unavailable; installed from encrypted CDN deploy-token snapshot and will reconcile later."],
+        message: `Machine installed from deploy-token snapshot: ${machineId}`
+      };
+    }
+  }
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, "/v1/machines", {
+    method: "POST",
+    body: JSON.stringify({ workspace_id: workspaceId, name: options.name, signing_key_id: machineKey.signing_key_id, signing_public_jwk: machineKey.signing_public_jwk, channels: options.channel ?? [] })
+  });
+  await saveConfig({ ...readConfig(), machine: { machine_id: data.machine_id, workspace_id: data.workspace_id ?? workspaceId, project_id: data.project_id ?? null, signing_key_id: machineKey.signing_key_id, signing_private_jwk: machineKey.signing_private_jwk, channels: options.channel ?? [], analytics_client_id: data.runtime?.analytics_client_id ?? null, autoupdate_enabled: true, runtime: { snapshot_url: data.runtime?.machine_snapshot_url ?? null, channels: data.runtime?.channels ?? [], updated_at: (/* @__PURE__ */ new Date()).toISOString() } } });
+  void reportRuntimeClient(ctx);
+  return { data: { ...data, signing_key_id: machineKey.signing_key_id, channels: options.channel ?? [] }, message: `Machine installed: ${data.machine_id}` };
+}));
+command(machine, "status", "Show the local machine credential", ["envship machine status"]).action(commandAction(async () => {
+  const config = readConfig();
+  if (!config.machine) throw new CliError("machine_not_installed", "No local machine credential is installed.");
+  const machine2 = { machine_id: config.machine.machine_id, signing_key_id: config.machine.signing_key_id, channels: config.machine.channels };
+  return { data: { machine: machine2 }, stdout: table([{ machine: machine2.machine_id, signing: machine2.signing_key_id, channels: machine2.channels.join(",") || "none" }], ["machine", "signing", "channels"]) };
+}));
+command(machine, "deploy-token-create", "Create a reusable deploy token for fresh installs/autoscaling", ["envship machine deploy-token-create --project <project-id> --channel web/production"]).requiredOption("--project <projectId>", "project id").option("--name <name>", "deploy token name", "Deploy token").option("--channel <channel...>", "allowed channel refs").action(commandAction(async (ctx, options) => {
+  const data = await api(ctx, `/v1/projects/${options.project}/deploy-tokens`, {
+    method: "POST",
+    body: JSON.stringify({ name: options.name, channels: options.channel ?? [] })
+  });
+  return { data, message: "Deploy token created. Store it now; EnvShip will not show the token again." };
+}));
+command(machine, "deploy-token-list", "List reusable deploy tokens for a project without showing token values", ["envship machine deploy-token-list --project <project-id>"]).requiredOption("--project <projectId>", "project id").action(commandAction(async (ctx, options) => {
+  const data = await api(ctx, `/v1/projects/${options.project}/deploy-tokens`);
+  return { data, stdout: table(data.deploy_tokens.map((token) => ({ id: token.id, name: token.name, status: token.status, channels: token.channels.join(",") })), ["id", "name", "status", "channels"]) || "No deploy tokens." };
+}));
+for (const action of ["revoke", "rotate"]) {
+  command(machine, `deploy-token-${action} <tokenId>`, `${action === "revoke" ? "Revoke" : "Rotate"} a reusable deploy token`, [`envship machine deploy-token-${action} <token-id> --yes`]).action(commandAction(async (ctx, tokenId) => {
+    if (action === "revoke") await confirmAction(ctx, `Revoke deploy token ${tokenId}?`);
+    const data = await api(ctx, `/v1/deploy-tokens/${tokenId}/${action}`, { method: "POST" });
+    return { data, message: `Deploy token ${action === "revoke" ? "revoked" : "rotated"}: ${tokenId}` };
+  }));
+}
+var update = group("update", "Check CLI/runtime compatibility and AutoUpdate preferences");
+command(update, "check", "Check the signed EnvShip CLI runtime version descriptor", ["envship update check"]).action(commandAction(async (ctx) => {
+  const { descriptor, warnings } = await versionWarnings(ctx);
+  if (!descriptor) throw new CliError("runtime_version_unavailable", "Runtime version metadata is temporarily unavailable.");
+  const rows = [{
+    installed: cliVersion,
+    recommended: descriptor.recommended_version,
+    minimum: descriptor.minimum_supported_version,
+    latest: descriptor.latest_version,
+    channel: descriptor.release_channel
+  }];
+  return {
+    data: { installed_version: cliVersion, descriptor },
+    stdout: table(rows, ["installed", "recommended", "minimum", "latest", "channel"]),
+    warnings,
+    message: warnings.length ? void 0 : "EnvShip CLI is compatible."
+  };
+}));
+command(update, "autoupdate <state>", "Set AutoUpdate preference for this workstation or machine", ["envship update autoupdate on", "envship update autoupdate off"]).action(commandAction(async (ctx, state) => {
+  if (!["on", "off"].includes(state)) throw new CliError("autoupdate_state_invalid", "Use 'on' or 'off'.");
+  const config = readConfig();
+  const enabled = state === "on";
+  if (config.machine) {
+    await saveConfig({ ...config, machine: { ...config.machine, autoupdate_enabled: enabled } });
+  } else {
+    const workstation = localWorkstation(config);
+    await saveConfig({ ...config, workstation: { ...workstation, autoupdate_enabled: enabled } });
+  }
+  void reportRuntimeClient(ctx);
+  return {
+    data: { autoupdate_enabled: enabled, scope: config.machine ? "machine" : "workstation" },
+    warnings: enabled ? [] : ["Pinned or disabled AutoUpdate can cause future compatibility warnings when EnvShip raises the minimum supported runtime version."],
+    message: `AutoUpdate ${enabled ? "enabled" : "disabled"} for this ${config.machine ? "machine" : "CLI Workstation"}.`
+  };
+}));
+command(machine, "revoke", "Revoke a machine identity through the API", ["envship machine revoke --yes", "envship machine revoke --id <machine-id> --yes"]).option("--id <machineId>", "machine id; defaults to the locally installed machine").action(commandAction(async (ctx, options) => {
+  const config = readConfig();
+  const machineId = options.id ?? config.machine?.machine_id;
+  if (!machineId) throw new CliError("machine_id_required", "Pass --id or install a local machine first.");
+  await confirmAction(ctx, `Revoke machine ${machineId}?`);
+  const data = await api(ctx, `/v1/machines/${machineId}/revoke`, { method: "POST" });
+  if (config.machine?.machine_id === machineId) await saveConfig({ ...config, machine: void 0 });
+  return { data, message: `Machine revoked: ${machineId}` };
+}));
+var invite = group("invite", "Manage workspace invitations");
+command(invite, "create", "Create a workspace invite", ["envship invite create --email teammate@example.com --role viewer"]).option("--workspace <workspaceId>", "workspace id").requiredOption("--email <email>", "invitee email").option("--role <role>", "owner, admin, developer, or viewer", "viewer").option("--send-email", "send invite email if email provider is configured").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/invitations`, { method: "POST", body: JSON.stringify({ email: options.email, role: options.role, send_email: Boolean(options.sendEmail) }) });
+  return { data, message: `Invite created for ${options.email}.` };
+}));
+command(invite, "list", "List pending workspace invitations", ["envship invite list"]).option("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/invitations`);
+  const rows = data.invitations.map((item) => ({ id: item.id, email: item.email, role: item.role, status: item.status, expires: item.expires_at }));
+  return { data, stdout: table(rows, ["id", "email", "role", "status", "expires"]) || "No pending invites." };
+}));
+for (const action of ["resend", "revoke"]) {
+  command(invite, `${action} <inviteId>`, `${action === "resend" ? "Resend" : "Revoke"} an invite`, [`envship invite ${action} <invite-id> --workspace <workspace-id>${action === "revoke" ? " --yes" : ""}`]).requiredOption("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, inviteId, options) => {
+    if (action === "revoke") await confirmAction(ctx, `Revoke invite ${inviteId}?`);
+    const data = await api(ctx, `/v1/workspaces/${options.workspace}/invitations/${inviteId}/${action}`, { method: "POST" });
+    return { data, message: `Invite ${action === "resend" ? "resent" : "revoked"}: ${inviteId}` };
+  }));
+}
+var member = group("member", "Inspect and manage workspace members");
+command(member, "list", "List workspace members", ["envship member list"]).option("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/members`);
+  const rows = data.members.map((item) => ({ user: item.user_id, email: item.email, role: item.role, status: item.status }));
+  return { data, stdout: table(rows, ["user", "email", "role", "status"]) || "No members found." };
+}));
+command(member, "role <userId>", "Update a workspace member role", ["envship member role <user-id> --role developer --workspace <workspace-id>"]).requiredOption("--workspace <workspaceId>", "workspace id").requiredOption("--role <role>", "owner, admin, developer, or viewer").action(commandAction(async (ctx, userId, options) => {
+  const data = await api(ctx, `/v1/workspaces/${options.workspace}/members/${userId}/role`, { method: "POST", body: JSON.stringify({ role: options.role }) });
+  return { data, message: `Updated member ${userId}.` };
+}));
+command(member, "remove <userId>", "Deactivate a workspace member", ["envship member remove <user-id> --workspace <workspace-id> --yes"]).requiredOption("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, userId, options) => {
+  await confirmAction(ctx, `Remove member ${userId}?`);
+  const data = await api(ctx, `/v1/workspaces/${options.workspace}/members/${userId}/deactivate`, { method: "POST" });
+  return { data, message: `Removed member ${userId}.` };
+}));
+var project = group("project", "Inspect and manage project assignments");
+command(project, "list", "List visible projects", ["envship project list"]).action(commandAction(async (ctx) => {
+  const state = await dashboardState(ctx);
+  const rows = state.projects.map((item) => ({ id: item.id, name: item.name, slug: item.slug, role: item.role ?? "" }));
+  return { data: { projects: state.projects }, stdout: table(rows, ["id", "name", "slug", "role"]) || "No projects found." };
+}));
+command(project, "assign <userId>", "Assign a member to a project", ["envship project assign <user-id> --project <project-id> --role developer"]).requiredOption("--project <projectId>", "project id").option("--role <role>", "manager, developer, or viewer", "developer").action(commandAction(async (ctx, userId, options) => {
+  const data = await api(ctx, `/v1/projects/${options.project}/assignments`, { method: "POST", body: JSON.stringify({ user_id: userId, role: options.role }) });
+  return { data, message: `Assigned ${userId} to project ${options.project}.` };
+}));
+command(project, "remove <userId>", "Remove a member project assignment", ["envship project remove <user-id> --project <project-id>"]).requiredOption("--project <projectId>", "project id").action(commandAction(async (ctx, userId, options) => {
+  const data = await api(ctx, `/v1/projects/${options.project}/assignments/${userId}/remove`, { method: "POST" });
+  return { data, message: `Removed ${userId} from project ${options.project}.` };
+}));
+var audit = group("audit", "Inspect and export audit history");
+command(audit, "list", "List recent audit events", ["envship audit list"]).option("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/audit`);
+  const rows = data.audit_events.map((item) => ({ id: item.id, action: item.action, subject: `${item.subject_type}:${item.subject_id ?? ""}`, created: item.created_at }));
+  return { data, stdout: table(rows, ["id", "action", "subject", "created"]) || "No audit events." };
+}));
+command(audit, "export", "Export audit history as JSON", ["envship audit export --out audit.json"]).option("--workspace <workspaceId>", "workspace id").option("--out <path>", "output path or - for stdout", "-").option("--force", "overwrite output path").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/audit/export`, { method: "POST" });
+  await writeOutput(options.out, JSON.stringify(data, null, 2), options.force);
+  return { data, message: options.out === "-" ? void 0 : `Audit export written to ${options.out}.` };
+}));
+var billing = group("billing", "Inspect and open PayPal subscription billing actions");
+command(billing, "status", "Show workspace billing status", ["envship billing status"]).option("--workspace <workspaceId>", "workspace id").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/billing`);
+  return {
+    data,
+    stdout: table([{
+      plan: data.plan,
+      paypal: data.paypal_configured ? "configured" : "setup_blocked",
+      receiver: data.paypal_receiver_email ?? "not_configured",
+      cli_workstations: `${data.cli_workstation_billing?.workstations_included_per_user ?? "?"}/user`
+    }], ["plan", "paypal", "receiver", "cli_workstations"])
+  };
+}));
+command(billing, "checkout", "Open a PayPal subscription checkout link", ["envship billing checkout --workspace <workspace-id> --plan pro", "envship billing checkout --workspace <workspace-id> --addon cli_workstations_5 --user <user-id>"]).option("--workspace <workspaceId>", "workspace id").option("--plan <plan>", "paid plan", "pro").option("--addon <addon>", "add-on type, for example cli_workstations_5").option("--user <userId>", "user id for per-user add-ons").action(commandAction(async (ctx, options) => {
+  const state = await dashboardState(ctx);
+  const workspaceId = activeWorkspaceId(state, options.workspace);
+  const data = await api(ctx, `/v1/workspaces/${workspaceId}/billing/checkout`, { method: "POST", body: JSON.stringify(options.addon ? { addon: options.addon, user_id: options.user } : { plan: options.plan }) });
+  return { data, message: "PayPal subscription checkout link created." };
+}));
+var configCommand = group("config", "Inspect and update local CLI config");
+command(configCommand, "path", "Print the local config path", ["envship config path"]).action(commandAction(async () => ({ data: { path: configPath }, stdout: configPath })));
+command(configCommand, "get [key]", "Read safe local CLI config", ["envship config get", "envship config get apiBaseUrl"]).action(commandAction(async (_ctx, key) => {
+  const config = safeConfig(readConfig());
+  const allowed = new Set(Object.keys(config));
+  if (key && !allowed.has(key)) throw new CliError("config_key_unsafe", `Config key ${key} is not available through config get.`, { hint: `Safe keys: ${Array.from(allowed).join(", ")}.` });
+  const data = key ? { key, value: config[key] ?? null } : config;
+  return { data, stdout: JSON.stringify(sanitizeCliData(data), null, 2) };
+}));
+command(configCommand, "set <key> <value>", "Write a local CLI config value", ["envship config set apiBaseUrl https://api.envship.com"]).action(commandAction(async (_ctx, key, value) => {
+  const allowed = /* @__PURE__ */ new Set(["apiBaseUrl", "appBaseUrl", "keyfilePath"]);
+  if (!allowed.has(key)) throw new CliError("config_key_unknown", `Unknown config key ${key}.`, { hint: "Allowed keys: apiBaseUrl, appBaseUrl, keyfilePath." });
+  if (key === "apiBaseUrl" || key === "appBaseUrl") value = validateOriginUrl(value, key);
+  if (key === "keyfilePath") value = validateSafeLocalPath(value, { label: "keyfilePath" });
+  const next = { ...readConfig(), [key]: value };
+  await saveConfig(next);
+  return { data: { key, value }, message: `Config ${key} updated.` };
+}));
+command(program, "doctor", "Check API, auth, workspace, CLI Workstation, and machine readiness", ["envship doctor", "envship doctor --json"]).addOption(new Option("--keyfile <path>", "encrypted credential path").hideHelp()).addOption(new Option("--passphrase-env <name>", "environment variable containing the credential passphrase").hideHelp()).addOption(new Option("--passphrase <value>", "credential passphrase").hideHelp()).action(commandAction(async (ctx, options) => {
+  const checks = [];
+  try {
+    await fetch(`${ctx.apiBaseUrl}/health`);
+    checks.push({ name: "api", ok: true, message: ctx.apiBaseUrl });
+  } catch {
+    checks.push({ name: "api", ok: false, message: "API is not reachable." });
+  }
+  try {
+    const me = await api(ctx, "/v1/me");
+    checks.push({ name: "auth", ok: true, message: me.user?.email ?? "signed in" });
+  } catch (error) {
+    checks.push({ name: "auth", ok: false, message: normalizeError(error).message });
+  }
+  try {
+    const state = await dashboardState(ctx);
+    checks.push({ name: "workspace", ok: Boolean(state.active_workspace_id), message: state.active_workspace_id ?? "No active workspace." });
+  } catch (error) {
+    checks.push({ name: "workspace", ok: false, message: normalizeError(error).message });
+  }
+  try {
+    if (options.keyfile || readConfig().keyfilePath) {
+      const loaded = await loadKeyFile(ctx, options);
+      checks.push({ name: "keyfile", ok: true, message: loaded.keyset.label });
+    } else {
+      checks.push({ name: "keyfile", ok: false, message: "No local KeyFile configured." });
+    }
+  } catch (error) {
+    checks.push({ name: "keyfile", ok: false, message: normalizeError(error).message });
+  }
+  const config = readConfig();
+  checks.push({ name: "machine", ok: Boolean(config.machine), message: config.machine?.machine_id ?? "No local machine credential." });
+  const ok = checks.every((check) => check.ok);
+  return { data: { ok, checks }, stdout: table(checks.map((check) => ({ check: check.name, ok: check.ok ? "yes" : "no", message: check.message })), ["check", "ok", "message"]), exitCode: ok ? 0 : 1 };
+}));
+var removedTopLevelCommands = /* @__PURE__ */ new Set(["login", "init", "publish", "pull", "run", "edit", "rewrap", "rollback", "whoami", "logout", "channels", "versions"]);
+if (removedTopLevelCommands.has(process.argv[2] ?? "")) {
+  const replacements = {
+    login: "envship auth login",
+    init: "envship setup",
+    publish: "envship channel publish",
+    pull: "envship channel pull",
+    run: "envship channel run",
+    edit: "envship channel edit",
+    rewrap: "envship channel rewrap",
+    rollback: "envship channel rollback",
+    whoami: "envship auth whoami",
+    logout: "envship auth logout",
+    channels: "envship channel list",
+    versions: "envship channel versions"
+  };
+  const commandName = process.argv[2] ?? "";
+  process.stderr.write(`Unknown command '${commandName}'. Use '${replacements[commandName]}' instead.
+`);
+  process.exitCode = 1;
+} else {
+  program.parseAsync().catch((error) => {
+    const cliError = normalizeError(error);
+    process.stderr.write(`${redactCliError(cliError.message)}
+`);
+    if (cliError.hint) process.stderr.write(`Hint: ${redactCliError(cliError.hint)}
+`);
+    process.exitCode = cliError.exitCode;
+  }).finally(() => {
+    if (process.env.ENVSHIP_CLI_FORCE_EXIT === "1") process.exit(process.exitCode ?? 0);
+  });
+}