@eve-horizon/cli 0.2.20 → 0.2.22

package/dist/index.js

@@ -9811,8 +9811,8 @@ var require_sync = __commonJS({
       }
       return x;
     };
-    var defaultReadPackageSync = function defaultReadPackageSync2(readFileSync20, pkgfile) {
-      var body = readFileSync20(pkgfile);
+    var defaultReadPackageSync = function defaultReadPackageSync2(readFileSync21, pkgfile) {
+      var body = readFileSync21(pkgfile);
       try {
         var pkg = JSON.parse(body);
         return pkg;
@@ -9832,7 +9832,7 @@ var require_sync = __commonJS({
       }
       var opts = normalizeOptions(x, options);
       var isFile = opts.isFile || defaultIsFile;
-      var readFileSync20 = opts.readFileSync || fs4.readFileSync;
+      var readFileSync21 = opts.readFileSync || fs4.readFileSync;
       var isDirectory = opts.isDirectory || defaultIsDir;
       var realpathSync = opts.realpathSync || defaultRealpathSync;
       var readPackageSync = opts.readPackageSync || defaultReadPackageSync;
@@ -9889,7 +9889,7 @@ var require_sync = __commonJS({
         if (!isFile(pkgfile)) {
           return loadpkg(path6.dirname(dir));
         }
-        var pkg = readPackageSync(readFileSync20, pkgfile);
+        var pkg = readPackageSync(readFileSync21, pkgfile);
         if (pkg && opts.packageFilter) {
           pkg = opts.packageFilter(
             pkg,
@@ -9903,7 +9903,7 @@ var require_sync = __commonJS({
         var pkgfile = path6.join(maybeRealpathSync(realpathSync, x2, opts), "/package.json");
         if (isFile(pkgfile)) {
           try {
-            var pkg = readPackageSync(readFileSync20, pkgfile);
+            var pkg = readPackageSync(readFileSync21, pkgfile);
           } catch (e) {
           }
           if (pkg && opts.packageFilter) {
@@ -13197,8 +13197,8 @@ var require_utils3 = __commonJS({
         const connectOptions = url;
         const protocol = getProtocol(connectOptions === null || connectOptions === void 0 ? void 0 : connectOptions.protocol);
         Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(url, semantic_conventions_1.SEMATTRS_MESSAGING_PROTOCOL, protocol, "protocol")));
-        const hostname = getHostname(connectOptions === null || connectOptions === void 0 ? void 0 : connectOptions.hostname);
-        Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(url, semantic_conventions_1.SEMATTRS_NET_PEER_NAME, hostname, "hostname")));
+        const hostname2 = getHostname(connectOptions === null || connectOptions === void 0 ? void 0 : connectOptions.hostname);
+        Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(url, semantic_conventions_1.SEMATTRS_NET_PEER_NAME, hostname2, "hostname")));
         const port = getPort(connectOptions.port, protocol);
         Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(url, semantic_conventions_1.SEMATTRS_NET_PEER_PORT, port, "port")));
       } else {
@@ -13208,8 +13208,8 @@ var require_utils3 = __commonJS({
           const urlParts = new URL(censoredUrl);
           const protocol = getProtocol(urlParts.protocol);
           Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(censoredUrl, semantic_conventions_1.SEMATTRS_MESSAGING_PROTOCOL, protocol, "protocol")));
-          const hostname = getHostname(urlParts.hostname);
-          Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(censoredUrl, semantic_conventions_1.SEMATTRS_NET_PEER_NAME, hostname, "hostname")));
+          const hostname2 = getHostname(urlParts.hostname);
+          Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(censoredUrl, semantic_conventions_1.SEMATTRS_NET_PEER_NAME, hostname2, "hostname")));
           const port = getPort(urlParts.port ? parseInt(urlParts.port) : void 0, protocol);
           Object.assign(attributes, Object.assign({}, extractConnectionAttributeOrLog(censoredUrl, semantic_conventions_1.SEMATTRS_NET_PEER_PORT, port, "port")));
         } catch (err) {
@@ -19754,7 +19754,7 @@ var require_OpenTelemetryBunyanStream = __commonJS({
           msg,
           v,
           // eslint-disable-line @typescript-eslint/no-unused-vars
-          hostname,
+          hostname: hostname2,
           // eslint-disable-line @typescript-eslint/no-unused-vars
           pid,
           // eslint-disable-line @typescript-eslint/no-unused-vars
@@ -21171,9 +21171,9 @@ var require_instrumentation9 = __commonJS({
        */
       _getPatchLookupFunction(original) {
         const plugin = this;
-        return function patchedLookup(hostname, ...args) {
-          if (utils.isIgnored(hostname, plugin.getConfig().ignoreHostnames, (e) => api_1.diag.error("caught ignoreHostname error: ", e))) {
-            return original.apply(this, [hostname, ...args]);
+        return function patchedLookup(hostname2, ...args) {
+          if (utils.isIgnored(hostname2, plugin.getConfig().ignoreHostnames, (e) => api_1.diag.error("caught ignoreHostname error: ", e))) {
+            return original.apply(this, [hostname2, ...args]);
           }
           const argsCount = args.length;
           api_1.diag.debug("wrap lookup callback function and starts span");
@@ -21184,7 +21184,7 @@ var require_instrumentation9 = __commonJS({
           const originalCallback = args[argsCount - 1];
           if (typeof originalCallback === "function") {
             args[argsCount - 1] = plugin._wrapLookupCallback(originalCallback, span);
-            return (0, instrumentation_1.safeExecuteInTheMiddle)(() => original.apply(this, [hostname, ...args]), (error) => {
+            return (0, instrumentation_1.safeExecuteInTheMiddle)(() => original.apply(this, [hostname2, ...args]), (error) => {
               if (error != null) {
                 utils.setError(error, span);
                 span.end();
@@ -21192,7 +21192,7 @@ var require_instrumentation9 = __commonJS({
             });
           } else {
             const promise = (0, instrumentation_1.safeExecuteInTheMiddle)(() => original.apply(this, [
-              hostname,
+              hostname2,
               ...args
             ]), (error) => {
               if (error != null) {
@@ -28558,8 +28558,8 @@ var require_utils14 = __commonJS({
         if (!pathname && optionsParsed.path) {
           pathname = url.parse(optionsParsed.path).pathname || "/";
         }
-        const hostname = optionsParsed.host || (optionsParsed.port != null ? `${optionsParsed.hostname}${optionsParsed.port}` : optionsParsed.hostname);
-        origin = `${optionsParsed.protocol || "http:"}//${hostname}`;
+        const hostname2 = optionsParsed.host || (optionsParsed.port != null ? `${optionsParsed.hostname}${optionsParsed.port}` : optionsParsed.hostname);
+        origin = `${optionsParsed.protocol || "http:"}//${hostname2}`;
       }
       const method = optionsParsed.method ? optionsParsed.method.toUpperCase() : "GET";
       return { origin, pathname, method, optionsParsed };
@@ -28579,7 +28579,7 @@ var require_utils14 = __commonJS({
         return { hostname: requestOptions.hostname, port: requestOptions.port };
       }
       const matches = ((_a = requestOptions.host) === null || _a === void 0 ? void 0 : _a.match(/^([^:/ ]+)(:\d{1,5})?/)) || null;
-      const hostname = requestOptions.hostname || (matches === null ? "localhost" : matches[1]);
+      const hostname2 = requestOptions.hostname || (matches === null ? "localhost" : matches[1]);
       let port = requestOptions.port;
       if (!port) {
         if (matches && matches[2]) {
@@ -28588,12 +28588,12 @@ var require_utils14 = __commonJS({
           port = requestOptions.protocol === "https:" ? "443" : "80";
         }
       }
-      return { hostname, port };
+      return { hostname: hostname2, port };
     };
     exports2.extractHostnameAndPort = extractHostnameAndPort;
     var getOutgoingRequestAttributes = (requestOptions, options, semconvStability) => {
       var _a, _b;
-      const hostname = options.hostname;
+      const hostname2 = options.hostname;
       const port = options.port;
       const method = (_a = requestOptions.method) !== null && _a !== void 0 ? _a : "GET";
       const normalizedMethod = normalizeMethod(method);
@@ -28604,13 +28604,13 @@ var require_utils14 = __commonJS({
         [semantic_conventions_1.SEMATTRS_HTTP_URL]: urlFull,
         [semantic_conventions_1.SEMATTRS_HTTP_METHOD]: method,
         [semantic_conventions_1.SEMATTRS_HTTP_TARGET]: requestOptions.path || "/",
-        [semantic_conventions_1.SEMATTRS_NET_PEER_NAME]: hostname,
-        [semantic_conventions_1.SEMATTRS_HTTP_HOST]: (_b = headers.host) !== null && _b !== void 0 ? _b : `${hostname}:${port}`
+        [semantic_conventions_1.SEMATTRS_NET_PEER_NAME]: hostname2,
+        [semantic_conventions_1.SEMATTRS_HTTP_HOST]: (_b = headers.host) !== null && _b !== void 0 ? _b : `${hostname2}:${port}`
       };
       const newAttributes = {
         // Required attributes
         [semantic_conventions_1.ATTR_HTTP_REQUEST_METHOD]: normalizedMethod,
-        [semantic_conventions_1.ATTR_SERVER_ADDRESS]: hostname,
+        [semantic_conventions_1.ATTR_SERVER_ADDRESS]: hostname2,
         [semantic_conventions_1.ATTR_SERVER_PORT]: Number(port),
         [semantic_conventions_1.ATTR_URL_FULL]: urlFull
         // leaving out protocol version, it is not yet negotiated
@@ -28785,7 +28785,7 @@ var require_utils14 = __commonJS({
       const httpVersion = request.httpVersion;
       const requestUrl = request.url ? url.parse(request.url) : null;
       const host = (requestUrl === null || requestUrl === void 0 ? void 0 : requestUrl.host) || headers.host;
-      const hostname = (requestUrl === null || requestUrl === void 0 ? void 0 : requestUrl.hostname) || (host === null || host === void 0 ? void 0 : host.replace(/^(.*)(:[0-9]{1,5})/, "$1")) || "localhost";
+      const hostname2 = (requestUrl === null || requestUrl === void 0 ? void 0 : requestUrl.hostname) || (host === null || host === void 0 ? void 0 : host.replace(/^(.*)(:[0-9]{1,5})/, "$1")) || "localhost";
       const method = request.method;
       const normalizedMethod = normalizeMethod(method);
       const serverAddress = getServerAddress(request, options.component);
@@ -28815,7 +28815,7 @@ var require_utils14 = __commonJS({
       const oldAttributes = {
         [semantic_conventions_1.SEMATTRS_HTTP_URL]: (0, exports2.getAbsoluteUrl)(requestUrl, headers, `${options.component}:`),
         [semantic_conventions_1.SEMATTRS_HTTP_HOST]: host,
-        [semantic_conventions_1.SEMATTRS_NET_HOST_NAME]: hostname,
+        [semantic_conventions_1.SEMATTRS_NET_HOST_NAME]: hostname2,
         [semantic_conventions_1.SEMATTRS_HTTP_METHOD]: method,
         [semantic_conventions_1.SEMATTRS_HTTP_SCHEME]: options.component
       };
@@ -29368,11 +29368,11 @@ var require_http = __commonJS({
           }, true)) {
             return original.apply(this, [optionsParsed, ...args]);
           }
-          const { hostname, port } = (0, utils_1.extractHostnameAndPort)(optionsParsed);
+          const { hostname: hostname2, port } = (0, utils_1.extractHostnameAndPort)(optionsParsed);
           const attributes = (0, utils_1.getOutgoingRequestAttributes)(optionsParsed, {
             component,
             port,
-            hostname,
+            hostname: hostname2,
             hookAttributes: instrumentation._callStartSpanHook(optionsParsed, instrumentation.getConfig().startOutgoingSpanHook)
           }, instrumentation._semconvStability);
           const startTime = (0, core_1.hrTime)();
@@ -36012,7 +36012,7 @@ var require_log_sending_utils = __commonJS({
           // depends on the user using the OpenTelemetry HostDetector and
           // ProcessDetector.
           // https://getpino.io/#/docs/api?id=opt-base
-          hostname,
+          hostname: hostname2,
           // eslint-disable-line @typescript-eslint/no-unused-vars
           pid,
           // eslint-disable-line @typescript-eslint/no-unused-vars
@@ -39634,7 +39634,7 @@ var require_AlibabaCloudEcsDetector = __commonJS({
       /** Gets identity and host info and returns them as attribs. Empty object if fails */
       async _getAttributes(_config) {
         const { "owner-account-id": accountId, "instance-id": instanceId, "instance-type": instanceType, "region-id": region, "zone-id": availabilityZone } = await this._fetchIdentity();
-        const hostname = await this._fetchHost();
+        const hostname2 = await this._fetchHost();
         return {
           [semantic_conventions_1.SEMRESATTRS_CLOUD_PROVIDER]: semantic_conventions_1.CLOUDPROVIDERVALUES_ALIBABA_CLOUD,
           [semantic_conventions_1.SEMRESATTRS_CLOUD_PLATFORM]: semantic_conventions_1.CLOUDPLATFORMVALUES_ALIBABA_CLOUD_ECS,
@@ -39643,7 +39643,7 @@ var require_AlibabaCloudEcsDetector = __commonJS({
           [semantic_conventions_1.SEMRESATTRS_CLOUD_AVAILABILITY_ZONE]: availabilityZone,
           [semantic_conventions_1.SEMRESATTRS_HOST_ID]: instanceId,
           [semantic_conventions_1.SEMRESATTRS_HOST_TYPE]: instanceType,
-          [semantic_conventions_1.SEMRESATTRS_HOST_NAME]: hostname
+          [semantic_conventions_1.SEMRESATTRS_HOST_NAME]: hostname2
         };
       }
       /**
@@ -39888,7 +39888,7 @@ var require_AwsEc2DetectorSync = __commonJS({
         try {
           const token = await this._fetchToken();
           const { accountId, instanceId, instanceType, region, availabilityZone } = await this._fetchIdentity(token);
-          const hostname = await this._fetchHost(token);
+          const hostname2 = await this._fetchHost(token);
           return {
             [semconv_1.ATTR_CLOUD_PROVIDER]: semconv_1.CLOUD_PROVIDER_VALUE_AWS,
             [semconv_1.ATTR_CLOUD_PLATFORM]: semconv_1.CLOUD_PLATFORM_VALUE_AWS_EC2,
@@ -39897,7 +39897,7 @@ var require_AwsEc2DetectorSync = __commonJS({
             [semconv_1.ATTR_CLOUD_AVAILABILITY_ZONE]: availabilityZone,
             [semconv_1.ATTR_HOST_ID]: instanceId,
             [semconv_1.ATTR_HOST_TYPE]: instanceType,
-            [semconv_1.ATTR_HOST_NAME]: hostname
+            [semconv_1.ATTR_HOST_NAME]: hostname2
           };
         } catch (_a) {
           return {};
@@ -47946,7 +47946,7 @@ var require_GcpDetector = __commonJS({
           api_1.diag.debug("GcpDetector failed: GCP Metadata unavailable.");
           return {};
         }
-        const [projectId, instanceId, zoneId, clusterName, hostname] = await Promise.all([
+        const [projectId, instanceId, zoneId, clusterName, hostname2] = await Promise.all([
           this._getProjectId(),
           this._getInstanceId(),
           this._getZone(),
@@ -47956,7 +47956,7 @@ var require_GcpDetector = __commonJS({
         const attributes = {};
         attributes[semantic_conventions_1.SEMRESATTRS_CLOUD_ACCOUNT_ID] = projectId;
         attributes[semantic_conventions_1.SEMRESATTRS_HOST_ID] = instanceId;
-        attributes[semantic_conventions_1.SEMRESATTRS_HOST_NAME] = hostname;
+        attributes[semantic_conventions_1.SEMRESATTRS_HOST_NAME] = hostname2;
         attributes[semantic_conventions_1.SEMRESATTRS_CLOUD_AVAILABILITY_ZONE] = zoneId;
         attributes[semantic_conventions_1.SEMRESATTRS_CLOUD_PROVIDER] = semantic_conventions_1.CLOUDPROVIDERVALUES_GCP;
         if ((0, core_2.getEnv)().KUBERNETES_SERVICE_HOST)
@@ -48734,6 +48734,23 @@ function resolveContext(flags, credentials) {
     profileSource
   };
 }
+function resolveContextForProfile(profileName, profile, credentials) {
+  const apiUrl = profile.api_url || DEFAULT_API_URL;
+  const authKey = toAuthKey(apiUrl);
+  const tokenEntry = credentials.tokens[authKey] || credentials.profiles?.[profileName];
+  return {
+    apiUrl,
+    orgId: profile.org_id,
+    projectId: profile.project_id,
+    profileName,
+    profile,
+    authKey,
+    token: tokenEntry?.access_token,
+    refreshToken: tokenEntry?.refresh_token,
+    expiresAt: tokenEntry?.expires_at,
+    profileSource: "local"
+  };
+}
 function normalizeRepoProfiles(parsed) {
   if (!parsed || typeof parsed !== "object") {
     return { profiles: {} };
@@ -48884,6 +48901,20 @@ var HELP = {
           "eve project sync --path ./custom-manifest.yaml"
         ]
       },
+      status: {
+        description: "Show deployment status across all profiles with revision info, service URLs, and deploy age",
+        usage: "eve project status [--profile <name>] [--env <name>] [--json]",
+        options: [
+          "--profile <name>     Show only this profile",
+          "--env <name>         Show only this environment",
+          "--json               Machine-readable JSON output"
+        ],
+        examples: [
+          "eve project status",
+          "eve project status --profile staging",
+          "eve project status --env sandbox --json"
+        ]
+      },
       members: {
         description: "Manage project members (list, add, remove)",
         usage: "eve project members [list|add|remove] [options]",
@@ -49619,34 +49650,63 @@ for cloud deployments. Credentials are stored globally per API URL.`,
     subcommands: {
       can: {
         description: "Check if a principal can perform an action",
-        usage: "eve access can --org <org_id> --user <user_id> --permission <perm> [--project <project_id>]",
+        usage: "eve access can --org <org_id> (--user <id>|--service-principal <id>|--group <id>) --permission <perm> [--project <project_id>] [--resource-type <type> --resource <id> --action <read|write|admin>]",
         options: [
           "--org <org_id>                Org scope (uses profile default if omitted)",
-          "--user <user_id>              User to check (mutually exclusive with --service-principal)",
-          "--service-principal <sp_id>   Service principal to check (mutually exclusive with --user)",
+          "--user <user_id>              User to check (mutually exclusive with --service-principal/--group)",
+          "--service-principal <sp_id>   Service principal to check (mutually exclusive with --user/--group)",
+          "--group <group_id>            Group to check directly (mutually exclusive with --user/--service-principal)",
           "--permission <perm>           Permission to check (e.g., chat:write, jobs:admin)",
-          "--project <project_id>        Optional project scope for the check"
+          "--project <project_id>        Optional project scope for the check",
+          "--resource-type <type>        Optional resource type: orgfs|orgdocs|envdb",
+          "--resource <id>               Optional resource id/path (required when --resource-type used)",
+          "--action <action>             Optional action: read|write|admin"
         ],
         examples: [
           "eve access can --org org_xxx --user user_abc --permission chat:write",
           "eve access can --org org_xxx --user user_abc --project proj_xxx --permission jobs:admin",
-          "eve access can --org org_xxx --service-principal sp_xxx --permission jobs:read"
+          "eve access can --org org_xxx --service-principal sp_xxx --permission jobs:read",
+          "eve access can --org org_xxx --user user_abc --permission orgfs:read --resource-type orgfs --resource /groups/pm/spec.md --action read"
         ]
       },
       explain: {
         description: "Explain the permission resolution chain",
-        usage: "eve access explain --org <org_id> --user <user_id> --permission <perm> [--project <project_id>]",
+        usage: "eve access explain --org <org_id> (--user <id>|--service-principal <id>|--group <id>) --permission <perm> [--project <project_id>] [--resource-type <type> --resource <id> --action <read|write|admin>]",
         options: [
           "--org <org_id>                Org scope (uses profile default if omitted)",
-          "--user <user_id>              User to explain (mutually exclusive with --service-principal)",
-          "--service-principal <sp_id>   Service principal to explain (mutually exclusive with --user)",
+          "--user <user_id>              User to explain (mutually exclusive with --service-principal/--group)",
+          "--service-principal <sp_id>   Service principal to explain (mutually exclusive with --user/--group)",
+          "--group <group_id>            Group to explain directly (mutually exclusive with --user/--service-principal)",
           "--permission <perm>           Permission to explain (e.g., chat:write, jobs:admin)",
-          "--project <project_id>        Optional project scope for the explanation"
+          "--project <project_id>        Optional project scope for the explanation",
+          "--resource-type <type>        Optional resource type: orgfs|orgdocs|envdb",
+          "--resource <id>               Optional resource id/path (required when --resource-type used)",
+          "--action <action>             Optional action: read|write|admin"
         ],
         examples: [
           "eve access explain --org org_xxx --user user_abc --permission jobs:admin",
           "eve access explain --org org_xxx --user user_abc --project proj_xxx --permission jobs:admin",
-          "eve access explain --org org_xxx --service-principal sp_xxx --permission jobs:read"
+          "eve access explain --org org_xxx --service-principal sp_xxx --permission jobs:read",
+          "eve access explain --org org_xxx --user user_abc --permission orgfs:read --resource-type orgfs --resource /groups/pm/spec.md --action read"
+        ]
+      },
+      groups: {
+        description: "Manage access groups and members",
+        usage: "eve access groups <create|list|show|update|delete|members> [args]",
+        examples: [
+          'eve access groups create "Product Management" --org org_xxx --slug pm-team',
+          "eve access groups list --org org_xxx",
+          "eve access groups members add pm-team --org org_xxx --user user_abc",
+          "eve access groups members list pm-team --org org_xxx"
+        ]
+      },
+      memberships: {
+        description: "Inspect memberships, effective bindings, and effective scopes for a principal",
+        usage: "eve access memberships --org <org_id> (--user <id>|--service-principal <id>|--group <id>)",
+        examples: [
+          "eve access memberships --org org_xxx --user user_abc",
+          "eve access memberships --org org_xxx --service-principal sp_abc",
+          "eve access memberships --org org_xxx --group grp_abc"
         ]
       },
       validate: {
@@ -49904,10 +49964,15 @@ for cloud deployments. Credentials are stored globally per API URL.`,
         examples: ["eve db schema --env staging"]
       },
       rls: {
-        description: "Show RLS policies and tables for an environment",
-        usage: "eve db rls --env <name> [--project <id>]",
-        options: ["--env <name>          Environment name (required)"],
-        examples: ["eve db rls --env staging"]
+        description: "Show RLS policies or scaffold helper SQL",
+        usage: "eve db rls --env <name> [--project <id>] | eve db rls init --with-groups [--out <path>] [--force]",
+        options: [
+          "--env <name>          Environment name (required for inspect mode)",
+          "--with-groups         Generate app.current_group_ids()/app.has_group() helper SQL (init mode)",
+          "--out <path>          Output file for init mode (default: db/rls/helpers.sql)",
+          "--force               Overwrite output file when it already exists"
+        ],
+        examples: ["eve db rls --env staging", "eve db rls init --with-groups"]
       },
       sql: {
         description: "Run parameterized SQL as the calling user",
@@ -50663,6 +50728,33 @@ eve-new-project-setup skill to complete configuration.`,
       'eve docs query --org org_xxx --where "metadata.feature_status in draft,review"'
     ]
   },
+  fs: {
+    description: "Manage org filesystem sync links, events, and diagnostics.",
+    usage: "eve fs sync <subcommand> [options]",
+    subcommands: {
+      sync: {
+        description: "Org filesystem sync operations",
+        usage: "eve fs sync <init|status|logs|pause|resume|disconnect|mode|conflicts|resolve|doctor> [options]",
+        options: [
+          "init: --org <id> --local <path> [--mode two-way|push-only|pull-only]",
+          "status: --org <id>",
+          "logs: --org <id> [--after <seq>] [--limit <n>] [--follow]",
+          "pause|resume|disconnect: --org <id> [--link <link_id>]",
+          "mode: --org <id> --set <two-way|push-only|pull-only> [--link <link_id>]",
+          "conflicts: --org <id> [--open-only]",
+          "resolve: --org <id> --conflict <id> --strategy <pick-remote|pick-local|manual>",
+          "doctor: --org <id>"
+        ]
+      }
+    },
+    examples: [
+      "eve fs sync init --org org_xxx --local ~/Eve/acme --mode two-way",
+      "eve fs sync status --org org_xxx",
+      "eve fs sync logs --org org_xxx --follow",
+      "eve fs sync mode --org org_xxx --set pull-only",
+      "eve fs sync doctor --org org_xxx"
+    ]
+  },
   resources: {
     description: "Resolve resource URIs into content snapshots.",
     usage: "eve resources <subcommand> [options]",
@@ -50951,6 +51043,7 @@ function showMainHelp() {
   console.log("  workflow   Inspect manifest workflows (list, show)");
   console.log("  event      Emit and inspect events (app integration)");
   console.log("  docs       Manage org documents");
+  console.log("  fs         Manage org filesystem sync");
   console.log("  resources  Resolve org/job resources");
   console.log("  secrets    Manage secrets (project/org/user scope)");
   console.log("  harness    Inspect harnesses and auth status");
@@ -51666,8 +51759,201 @@ async function handleProject(subcommand, positionals, flags, context2) {
       }
       return;
     }
+    case "status":
+      return handleStatus(flags, context2, json);
     default:
-      throw new Error("Usage: eve project <ensure|list|get|spend|update|sync|members|bootstrap>");
+      throw new Error("Usage: eve project <ensure|list|get|spend|update|sync|members|bootstrap|status>");
+  }
+}
+async function handleStatus(flags, currentContext, json) {
+  const repoProfiles = loadRepoProfiles();
+  const credentials = loadCredentials();
+  const profileFilter = getStringFlag(flags, ["profile"]);
+  const envFilter = getStringFlag(flags, ["env"]);
+  const profileEntries = Object.entries(repoProfiles.profiles);
+  if (profileEntries.length === 0) {
+    throw new Error(
+      "No profiles configured. Use `eve profile create <name> --api-url <url> --project <id>` to add one."
+    );
+  }
+  const results = [];
+  for (const [name, profile] of profileEntries) {
+    if (profileFilter && name !== profileFilter) continue;
+    const active = name === repoProfiles.activeProfile;
+    const ctx = resolveContextForProfile(name, profile, credentials);
+    if (!ctx.projectId) {
+      results.push({ name, active, api_url: ctx.apiUrl, error: "No project_id configured" });
+      continue;
+    }
+    if (!ctx.token) {
+      results.push({
+        name,
+        active,
+        api_url: ctx.apiUrl,
+        project_id: ctx.projectId,
+        error: "Not authenticated (run: eve auth login --profile " + name + ")"
+      });
+      continue;
+    }
+    try {
+      const result = await fetchProfileStatus(ctx, envFilter);
+      results.push({ name, active, ...result });
+    } catch (err) {
+      results.push({
+        name,
+        active,
+        api_url: ctx.apiUrl,
+        project_id: ctx.projectId,
+        error: err instanceof Error ? err.message : String(err)
+      });
+    }
+  }
+  if (json) {
+    outputJson({ profiles: results }, json);
+    return;
+  }
+  formatStatusOutput(results);
+}
+async function fetchProfileStatus(ctx, envFilter) {
+  const [project, releasesResponse] = await Promise.all([
+    requestJson(ctx, `/projects/${ctx.projectId}`),
+    requestJson(ctx, `/projects/${ctx.projectId}/releases?limit=50`).catch(() => ({ data: [] }))
+  ]);
+  const releasesById = new Map(releasesResponse.data.map((r) => [r.id, r]));
+  const envResponse = await requestJson(ctx, `/projects/${ctx.projectId}/envs?limit=50`);
+  const domain = inferDomain(ctx.apiUrl);
+  const environments = [];
+  for (const env of envResponse.data) {
+    if (envFilter && env.name !== envFilter) continue;
+    const status = env.suspended_at ? "suspended" : "active";
+    let release = null;
+    if (env.current_release_id) {
+      const r = releasesById.get(env.current_release_id);
+      if (r) {
+        release = {
+          git_sha: r.git_sha,
+          version: r.version,
+          tag: r.tag,
+          deployed_at: r.created_at,
+          created_by: r.created_by
+        };
+      }
+    }
+    if (env.suspended_at) {
+      environments.push({
+        name: env.name,
+        type: env.type,
+        status,
+        namespace: env.namespace,
+        release,
+        services: []
+      });
+      continue;
+    }
+    let services = [];
+    try {
+      const diagnose = await requestJson(ctx, `/projects/${ctx.projectId}/envs/${env.name}/diagnose`);
+      services = buildStatusServices(diagnose.pods, diagnose.namespace ?? env.namespace, domain);
+    } catch {
+    }
+    environments.push({
+      name: env.name,
+      type: env.type,
+      status,
+      namespace: env.namespace,
+      release,
+      services
+    });
+  }
+  return {
+    api_url: ctx.apiUrl,
+    project_id: project.id,
+    project_name: project.name,
+    environments
+  };
+}
+function buildStatusServices(pods, namespace, domain) {
+  const services = /* @__PURE__ */ new Map();
+  for (const pod of pods) {
+    const component = pod.labels["eve.component"] || pod.labels["app.kubernetes.io/name"] || pod.labels["app"] || pod.labels["component"] || "unknown";
+    const existing = services.get(component) ?? { ready: 0, total: 0, phases: /* @__PURE__ */ new Set() };
+    existing.total += 1;
+    if (pod.ready) existing.ready += 1;
+    existing.phases.add(pod.phase);
+    services.set(component, existing);
+  }
+  return Array.from(services.entries()).sort(([a], [b]) => a.localeCompare(b)).map(([name, info]) => {
+    const allDone = info.phases.size > 0 && [...info.phases].every((p) => p === "Succeeded" || p === "Failed");
+    const status = allDone ? "completed" : info.ready === info.total ? "ready" : "not-ready";
+    const url = !allDone && namespace && domain ? buildServiceUrl(name, namespace, domain) : null;
+    return {
+      name,
+      pods_ready: info.ready,
+      pods_total: info.total,
+      status,
+      url
+    };
+  });
+}
+function inferDomain(apiUrl) {
+  try {
+    const host = new URL(apiUrl).hostname;
+    if (host.startsWith("api.eve.")) return host.slice("api.eve.".length);
+    if (host.startsWith("api.")) return host.slice("api.".length);
+    return null;
+  } catch {
+    return null;
+  }
+}
+function buildServiceUrl(component, namespace, domain) {
+  const slug = namespace.startsWith("eve-") ? namespace.slice(4) : namespace;
+  const secure = !domain.includes("lvh.me") && !domain.includes("localhost");
+  return `${secure ? "https" : "http"}://${component}.${slug}.${domain}`;
+}
+function formatStatusOutput(results) {
+  for (let i = 0; i < results.length; i++) {
+    const r = results[i];
+    if (i > 0) console.log("");
+    const marker = r.active ? " (active)" : "";
+    console.log(`${r.name}${marker}  ${r.api_url}`);
+    if (r.error) {
+      console.log(`  error: ${r.error}`);
+      continue;
+    }
+    const label = r.project_name ? `${r.project_id} (${r.project_name})` : r.project_id;
+    console.log(`  project: ${label}`);
+    if (!r.environments || r.environments.length === 0) {
+      console.log("  (no environments)");
+      continue;
+    }
+    for (const env of r.environments) {
+      console.log("");
+      console.log(`  ${env.name}  ${env.status}  ${env.type}`);
+      if (env.release) {
+        const sha = env.release.git_sha.substring(0, 8);
+        const age = formatAge(env.release.deployed_at);
+        const ver = env.release.tag ?? env.release.version ?? "";
+        const verPart = ver ? `  ${ver}` : "";
+        console.log(`    revision: ${sha}${verPart}  deployed ${age}`);
+      }
+      if (env.services.length === 0) {
+        if (env.status === "suspended") {
+          console.log("    (suspended)");
+        } else {
+          console.log("    (no services)");
+        }
+        continue;
+      }
+      const nameW = Math.max(...env.services.map((s) => s.name.length));
+      const podsW = Math.max(...env.services.map((s) => `${s.pods_ready}/${s.pods_total}`.length));
+      for (const svc of env.services) {
+        const pods = `${svc.pods_ready}/${svc.pods_total}`;
+        const urlPart = svc.url ? `  ${svc.url}` : "";
+        console.log(
+          `    ${padRight(svc.name, nameW)}  ${padRight(pods, podsW)}  ${padRight(svc.status, 9)}${urlPart}`
+        );
+      }
+    }
   }
 }
 function parseSinceValue2(since) {
@@ -51697,6 +51983,21 @@ function parseSinceValue2(since) {
   }
   return now.toISOString();
 }
+function formatAge(isoDate) {
+  const ms = Date.now() - new Date(isoDate).getTime();
+  if (ms < 0) return "just now";
+  const secs = Math.floor(ms / 1e3);
+  if (secs < 60) return `${secs}s ago`;
+  const mins = Math.floor(secs / 60);
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+function padRight(str, width) {
+  return str.length >= width ? str : str + " ".repeat(width - str.length);
+}
 function buildQuery2(params) {
   const search = new URLSearchParams();
   Object.entries(params).forEach(([key, value]) => {
@@ -55834,6 +56135,8 @@ var configSchema = external_exports.object({
   EVE_GITHUB_TOKEN: external_exports.string().optional(),
   EVE_SLACK_SIGNING_SECRET: external_exports.string().optional(),
   EVE_INTERNAL_API_KEY: external_exports.string().optional(),
+  EVE_ORG_FS_LINK_TOKEN_SECRET: external_exports.string().optional(),
+  EVE_ORG_FS_LINK_TOKEN_TTL_SECONDS: external_exports.coerce.number().int().min(60).default(900),
   EVE_SECRETS_MASTER_KEY: external_exports.string().optional(),
   EVE_DEFAULT_DOMAIN: external_exports.string().optional(),
   // Cluster-level default domain for Ingress (e.g., lvh.me, apps.example.com)
@@ -56961,56 +57264,179 @@ var AccessRoleResponseSchema = external_exports.object({
   updated_at: external_exports.string()
 });
 var AccessRoleListResponseSchema = createApiListResponseSchema(AccessRoleResponseSchema);
+var AccessPrincipalTypeSchema = external_exports.enum(["user", "service_principal", "group"]);
+var AccessGroupMemberPrincipalTypeSchema = external_exports.enum(["user", "service_principal"]);
+var AccessScopePrefixesSchema = external_exports.object({
+  allow_prefixes: external_exports.array(external_exports.string()).optional(),
+  read_only_prefixes: external_exports.array(external_exports.string()).optional()
+}).strict();
+var AccessScopeEnvDbSchema = external_exports.object({
+  schemas: external_exports.array(external_exports.string()).optional(),
+  tables: external_exports.array(external_exports.string()).optional()
+}).strict();
+var AccessBindingScopeSchema = external_exports.object({
+  orgfs: AccessScopePrefixesSchema.optional(),
+  orgdocs: AccessScopePrefixesSchema.optional(),
+  envdb: AccessScopeEnvDbSchema.optional()
+}).strict();
 var CreateAccessBindingRequestSchema = external_exports.object({
   role_name: external_exports.string().min(1),
-  principal_type: external_exports.enum(["user", "service_principal"]),
+  principal_type: AccessPrincipalTypeSchema,
   principal_id: external_exports.string().min(1),
-  project_id: external_exports.string().optional()
+  project_id: external_exports.string().optional(),
+  scope_json: AccessBindingScopeSchema.optional()
 });
 var AccessBindingResponseSchema = external_exports.object({
   id: external_exports.string(),
   role_id: external_exports.string(),
   role_name: external_exports.string(),
-  principal_type: external_exports.string(),
+  principal_type: AccessPrincipalTypeSchema,
   principal_id: external_exports.string(),
   project_id: external_exports.string().nullable(),
+  scope_json: AccessBindingScopeSchema.nullable().optional(),
   created_by: external_exports.string().nullable(),
   created_at: external_exports.string()
 });
 var AccessBindingListResponseSchema = createApiListResponseSchema(AccessBindingResponseSchema);
+var CreateAccessGroupRequestSchema = external_exports.object({
+  name: external_exports.string().min(1).max(100),
+  slug: external_exports.string().min(1).max(100).regex(/^[a-z0-9][a-z0-9-_]*$/).optional(),
+  description: external_exports.string().max(500).optional()
+});
+var UpdateAccessGroupRequestSchema = external_exports.object({
+  name: external_exports.string().min(1).max(100).optional(),
+  slug: external_exports.string().min(1).max(100).regex(/^[a-z0-9][a-z0-9-_]*$/).optional(),
+  description: external_exports.string().max(500).nullable().optional()
+}).refine((value) => Object.keys(value).length > 0, {
+  message: "At least one field is required"
+});
+var AccessGroupResponseSchema = external_exports.object({
+  id: external_exports.string(),
+  org_id: external_exports.string(),
+  name: external_exports.string(),
+  slug: external_exports.string(),
+  description: external_exports.string().nullable(),
+  created_by: external_exports.string().nullable(),
+  created_at: external_exports.string(),
+  updated_at: external_exports.string()
+});
+var AccessGroupListResponseSchema = createApiListResponseSchema(AccessGroupResponseSchema);
+var CreateAccessGroupMemberRequestSchema = external_exports.object({
+  principal_type: AccessGroupMemberPrincipalTypeSchema,
+  principal_id: external_exports.string().min(1)
+});
+var AccessGroupMemberResponseSchema = external_exports.object({
+  group_id: external_exports.string(),
+  principal_type: AccessGroupMemberPrincipalTypeSchema,
+  principal_id: external_exports.string(),
+  added_by: external_exports.string().nullable(),
+  created_at: external_exports.string()
+});
+var AccessGroupMemberListResponseSchema = createApiListResponseSchema(AccessGroupMemberResponseSchema);
 var AccessCanResponseSchema = external_exports.object({
   allowed: external_exports.boolean(),
-  source: external_exports.string()
+  source: external_exports.string(),
+  resource: external_exports.object({
+    type: external_exports.enum(["orgfs", "orgdocs", "envdb"]),
+    id: external_exports.string(),
+    action: external_exports.enum(["read", "write", "admin"]),
+    scope_required: external_exports.boolean(),
+    scope_matched: external_exports.boolean()
+  }).optional()
 });
 var AccessExplainGrantSchema = external_exports.object({
   source: external_exports.string(),
   role: external_exports.string().optional(),
   permissions: external_exports.array(external_exports.string()),
-  has_permission: external_exports.boolean()
+  has_permission: external_exports.boolean(),
+  scope_json: AccessBindingScopeSchema.nullable().optional(),
+  scope_match: external_exports.boolean().optional(),
+  scope_reason: external_exports.string().optional()
 });
 var AccessExplainResponseSchema = external_exports.object({
   permission: external_exports.string(),
   result: external_exports.enum(["ALLOWED", "DENIED"]),
   grants: external_exports.array(AccessExplainGrantSchema),
-  missing_reason: external_exports.string().optional()
+  missing_reason: external_exports.string().optional(),
+  resource: external_exports.object({
+    type: external_exports.enum(["orgfs", "orgdocs", "envdb"]),
+    id: external_exports.string(),
+    action: external_exports.enum(["read", "write", "admin"]),
+    scope_required: external_exports.boolean(),
+    scope_matched: external_exports.boolean()
+  }).optional()
+});
+var AccessMembershipBaseSchema = external_exports.object({
+  org_role: external_exports.enum(["owner", "admin", "member"]).nullable(),
+  project_roles: external_exports.array(external_exports.object({
+    project_id: external_exports.string(),
+    role: external_exports.enum(["owner", "admin", "member"])
+  })),
+  token_scopes: external_exports.array(external_exports.string())
+});
+var AccessGroupSummarySchema = external_exports.object({
+  id: external_exports.string(),
+  slug: external_exports.string(),
+  name: external_exports.string()
+});
+var AccessResolvedBindingSchema = AccessBindingResponseSchema.extend({
+  role_permissions: external_exports.array(external_exports.string()),
+  matched_via: external_exports.enum(["direct", "group"]).optional(),
+  matched_group_id: external_exports.string().nullable().optional(),
+  matched_group_slug: external_exports.string().nullable().optional()
+});
+var AccessEffectiveScopeSummarySchema = external_exports.object({
+  orgfs: external_exports.object({
+    allow_prefixes: external_exports.array(external_exports.string()),
+    read_only_prefixes: external_exports.array(external_exports.string())
+  }),
+  orgdocs: external_exports.object({
+    allow_prefixes: external_exports.array(external_exports.string()),
+    read_only_prefixes: external_exports.array(external_exports.string())
+  }),
+  envdb: external_exports.object({
+    schemas: external_exports.array(external_exports.string()),
+    tables: external_exports.array(external_exports.string())
+  })
+});
+var AccessPrincipalMembershipsResponseSchema = external_exports.object({
+  org_id: external_exports.string(),
+  principal_type: AccessPrincipalTypeSchema,
+  principal_id: external_exports.string(),
+  base: AccessMembershipBaseSchema,
+  groups: external_exports.array(AccessGroupSummarySchema),
+  direct_bindings: external_exports.array(AccessBindingResponseSchema),
+  effective_bindings: external_exports.array(AccessResolvedBindingSchema),
+  effective_permissions: external_exports.array(external_exports.string()),
+  effective_scopes: AccessEffectiveScopeSummarySchema
 });
 var AccessYamlRoleSchema = external_exports.object({
   scope: external_exports.enum(["org", "project"]),
   description: external_exports.string().optional(),
   permissions: external_exports.array(external_exports.string()).min(1)
 });
+var AccessYamlGroupMemberSchema = external_exports.object({
+  type: AccessGroupMemberPrincipalTypeSchema,
+  id: external_exports.string().min(1)
+});
+var AccessYamlGroupSchema = external_exports.object({
+  name: external_exports.string().min(1).max(100).optional(),
+  description: external_exports.string().max(500).optional(),
+  members: external_exports.array(AccessYamlGroupMemberSchema).optional()
+});
 var AccessYamlBindingSchema = external_exports.object({
-  scope: external_exports.enum(["org", "project"]),
   project_id: external_exports.string().optional(),
   subject: external_exports.object({
-    type: external_exports.enum(["user", "service_principal"]),
+    type: AccessPrincipalTypeSchema,
     id: external_exports.string()
   }),
-  roles: external_exports.array(external_exports.string()).min(1)
+  roles: external_exports.array(external_exports.string()).min(1),
+  scope: AccessBindingScopeSchema.optional()
 });
 var AccessYamlSchema = external_exports.object({
-  version: external_exports.literal(1),
+  version: external_exports.literal(2),
   access: external_exports.object({
+    groups: external_exports.record(external_exports.string().regex(/^[a-z0-9][a-z0-9-_]*$/), AccessYamlGroupSchema).optional(),
     roles: external_exports.record(external_exports.string(), AccessYamlRoleSchema).optional(),
     bindings: external_exports.array(AccessYamlBindingSchema).optional()
   })
@@ -57561,8 +57987,21 @@ var DbRlsTableSchema = external_exports.object({
   rls_enabled: external_exports.boolean(),
   policies: external_exports.array(DbPolicySchema)
 });
+var DbRlsDiagnosticsContextSchema = external_exports.object({
+  user_id: external_exports.string().nullable(),
+  principal_type: external_exports.enum(["user", "service_principal"]).nullable(),
+  org_id: external_exports.string().nullable(),
+  project_id: external_exports.string().nullable(),
+  env_name: external_exports.string().nullable(),
+  group_ids: external_exports.array(external_exports.string()),
+  permissions: external_exports.array(external_exports.string())
+});
+var DbRlsDiagnosticsSchema = external_exports.object({
+  context: DbRlsDiagnosticsContextSchema
+});
 var DbRlsResponseSchema = external_exports.object({
-  tables: external_exports.array(DbRlsTableSchema)
+  tables: external_exports.array(DbRlsTableSchema),
+  diagnostics: DbRlsDiagnosticsSchema
 });
 var DbSqlRequestSchema = external_exports.object({
   sql: external_exports.string().min(1),
@@ -58363,6 +58802,186 @@ var OrgDocumentQueryResponseSchema = external_exports.object({
   })
 });
 
+// ../shared/dist/schemas/org-fs-sync.js
+var OrgFsSyncModeSchema = external_exports.enum(["two_way", "push_only", "pull_only"]);
+var OrgFsLinkStatusSchema = external_exports.enum(["active", "paused", "revoked"]);
+var OrgFsDeviceStatusSchema = external_exports.enum(["active", "revoked"]);
+var OrgFsEventSourceSideSchema = external_exports.enum(["local", "remote", "system"]);
+var OrgFsOwnerPrincipalTypeSchema = external_exports.enum(["user", "service_principal", "system"]);
+var OrgFsLinkScopeSchema = external_exports.object({
+  allow_prefixes: external_exports.array(external_exports.string().min(1)),
+  read_only_prefixes: external_exports.array(external_exports.string().min(1)).optional()
+}).passthrough();
+var OrgFsDeviceSchema = external_exports.object({
+  id: external_exports.string(),
+  org_id: external_exports.string(),
+  device_name: external_exports.string(),
+  platform: external_exports.string().nullable(),
+  client_version: external_exports.string().nullable(),
+  public_key: external_exports.string(),
+  status: OrgFsDeviceStatusSchema,
+  last_seen_at: external_exports.string().nullable(),
+  created_at: external_exports.string(),
+  updated_at: external_exports.string()
+});
+var OrgFsEnrollmentSchema = external_exports.object({
+  token: external_exports.string(),
+  expires_at: external_exports.string(),
+  gateway_url: external_exports.string().url()
+});
+var OrgFsEnrollDeviceRequestSchema = external_exports.object({
+  device_name: external_exports.string().min(1),
+  platform: external_exports.string().optional(),
+  client_version: external_exports.string().optional(),
+  public_key: external_exports.string().optional()
+});
+var OrgFsEnrollDeviceResponseSchema = external_exports.object({
+  device: OrgFsDeviceSchema,
+  enrollment: OrgFsEnrollmentSchema
+});
+var OrgFsLinkSchema = external_exports.object({
+  id: external_exports.string(),
+  org_id: external_exports.string(),
+  device_id: external_exports.string(),
+  owner_principal_type: OrgFsOwnerPrincipalTypeSchema,
+  owner_principal_id: external_exports.string().nullable(),
+  mode: OrgFsSyncModeSchema,
+  status: OrgFsLinkStatusSchema,
+  local_path: external_exports.string(),
+  remote_path: external_exports.string(),
+  scope_json: OrgFsLinkScopeSchema,
+  includes: external_exports.array(external_exports.string()),
+  excludes: external_exports.array(external_exports.string()),
+  last_cursor: external_exports.number().int().nonnegative(),
+  lag_ms: external_exports.number().int().nonnegative().nullable().optional(),
+  backlog: external_exports.number().int().nonnegative().optional(),
+  last_synced_at: external_exports.string().nullable(),
+  last_heartbeat_at: external_exports.string().nullable(),
+  updated_at: external_exports.string(),
+  created_at: external_exports.string()
+});
+var OrgFsCreateLinkRequestSchema = external_exports.object({
+  device_id: external_exports.string().min(1),
+  mode: OrgFsSyncModeSchema.default("two_way"),
+  local_path: external_exports.string().min(1),
+  remote_path: external_exports.string().min(1).default("/"),
+  allow_prefixes: external_exports.array(external_exports.string().min(1)).min(1).optional(),
+  includes: external_exports.array(external_exports.string()).optional(),
+  excludes: external_exports.array(external_exports.string()).optional()
+});
+var OrgFsLinkGatewayTokenSchema = external_exports.object({
+  token: external_exports.string(),
+  expires_at: external_exports.string(),
+  header: external_exports.string().default("x-eve-internal-token"),
+  link_id: external_exports.string(),
+  mode: OrgFsSyncModeSchema,
+  allow_prefixes: external_exports.array(external_exports.string())
+});
+var OrgFsCreateLinkResponseSchema = external_exports.object({
+  link: OrgFsLinkSchema,
+  runtime: external_exports.object({
+    sync_engine: external_exports.literal("syncthing"),
+    profile: external_exports.string(),
+    gateway: OrgFsLinkGatewayTokenSchema
+  })
+});
+var OrgFsRotateLinkTokenResponseSchema = external_exports.object({
+  gateway: OrgFsLinkGatewayTokenSchema
+});
+var OrgFsListLinksResponseSchema = external_exports.object({
+  data: external_exports.array(OrgFsLinkSchema)
+});
+var OrgFsUpdateLinkRequestSchema = external_exports.object({
+  mode: OrgFsSyncModeSchema.optional(),
+  status: OrgFsLinkStatusSchema.optional(),
+  allow_prefixes: external_exports.array(external_exports.string().min(1)).min(1).optional(),
+  includes: external_exports.array(external_exports.string()).optional(),
+  excludes: external_exports.array(external_exports.string()).optional()
+}).refine((value) => Object.keys(value).length > 0, {
+  message: "At least one field is required"
+});
+var OrgFsDeleteLinkResponseSchema = external_exports.object({
+  success: external_exports.boolean()
+});
+var OrgFsStatusResponseSchema = external_exports.object({
+  org_id: external_exports.string(),
+  gateway: external_exports.object({
+    status: external_exports.enum(["healthy", "degraded", "offline"]),
+    last_heartbeat_at: external_exports.string().nullable()
+  }),
+  links: external_exports.object({
+    active: external_exports.number().int().nonnegative(),
+    paused: external_exports.number().int().nonnegative(),
+    revoked: external_exports.number().int().nonnegative()
+  }),
+  events: external_exports.object({
+    latest_seq: external_exports.number().int().nonnegative()
+  })
+});
+var OrgFsEventSchema = external_exports.object({
+  seq: external_exports.number().int().nonnegative(),
+  event_id: external_exports.string(),
+  org_id: external_exports.string(),
+  link_id: external_exports.string().nullable().optional(),
+  device_id: external_exports.string().nullable().optional(),
+  event_type: external_exports.string(),
+  path: external_exports.string(),
+  content_hash: external_exports.string().nullable().optional(),
+  size_bytes: external_exports.number().int().nonnegative().nullable().optional(),
+  source_side: OrgFsEventSourceSideSchema,
+  metadata: external_exports.record(external_exports.unknown()).optional(),
+  created_at: external_exports.string()
+});
+var OrgFsEventListResponseSchema = external_exports.object({
+  data: external_exports.array(OrgFsEventSchema),
+  pagination: external_exports.object({
+    limit: external_exports.number().int().positive(),
+    next_after_seq: external_exports.number().int().nonnegative().nullable()
+  })
+});
+var OrgFsConflictSchema = external_exports.object({
+  id: external_exports.string(),
+  org_id: external_exports.string(),
+  link_id: external_exports.string().nullable(),
+  path: external_exports.string(),
+  local_hash: external_exports.string().nullable(),
+  remote_hash: external_exports.string().nullable(),
+  status: external_exports.enum(["open", "resolved"]),
+  resolution: external_exports.enum(["pick_local", "pick_remote", "manual"]).nullable(),
+  resolved_by: external_exports.string().nullable(),
+  resolved_at: external_exports.string().nullable(),
+  created_at: external_exports.string()
+});
+var OrgFsListConflictsResponseSchema = external_exports.object({
+  data: external_exports.array(OrgFsConflictSchema)
+});
+var OrgFsResolveConflictRequestSchema = external_exports.object({
+  strategy: external_exports.enum(["pick_local", "pick_remote", "manual"]),
+  merged_content: external_exports.string().optional()
+});
+var OrgFsResolveConflictResponseSchema = external_exports.object({
+  conflict: OrgFsConflictSchema
+});
+var OrgFsInternalIngestEventRequestSchema = external_exports.object({
+  event_id: external_exports.string(),
+  link_id: external_exports.string().optional(),
+  device_id: external_exports.string().optional(),
+  event_type: external_exports.string(),
+  path: external_exports.string(),
+  content_hash: external_exports.string().optional(),
+  size_bytes: external_exports.number().int().nonnegative().optional(),
+  source_side: OrgFsEventSourceSideSchema,
+  metadata: external_exports.record(external_exports.unknown()).optional()
+});
+var OrgFsInternalHeartbeatRequestSchema = external_exports.object({
+  cursor: external_exports.number().int().nonnegative().optional(),
+  backlog: external_exports.number().int().nonnegative().optional(),
+  lag_ms: external_exports.number().int().nonnegative().optional()
+});
+var OrgFsInternalMetricsRequestSchema = external_exports.object({
+  metrics: external_exports.record(external_exports.unknown())
+});
+
 // ../shared/dist/schemas/resource.js
 var ResolveResourcesRequestSchema = external_exports.object({
   uris: external_exports.array(external_exports.string().min(1)),
@@ -60767,6 +61386,14 @@ var ALL_PERMISSIONS = [
   // Env DB
   "envdb:read",
   "envdb:write",
+  // Org filesystem data plane
+  "orgfs:read",
+  "orgfs:write",
+  "orgfs:admin",
+  // Org document data plane
+  "orgdocs:read",
+  "orgdocs:write",
+  "orgdocs:admin",
   // Secrets
   "secrets:read",
   "secrets:write",
@@ -61688,11 +62315,11 @@ function formatJobsTable(jobs) {
   const phaseWidth = Math.max(5, ...jobs.map((j) => j.phase.length));
   const titleWidth = Math.min(50, Math.max(5, ...jobs.map((j) => j.title.length)));
   const header = [
-    padRight("ID", idWidth),
-    padRight("P", 2),
-    padRight("Phase", phaseWidth),
-    padRight("Type", 8),
-    padRight("Title", titleWidth),
+    padRight2("ID", idWidth),
+    padRight2("P", 2),
+    padRight2("Phase", phaseWidth),
+    padRight2("Type", 8),
+    padRight2("Title", titleWidth),
     "Assignee"
   ].join("  ");
   console.log(header);
@@ -61700,11 +62327,11 @@ function formatJobsTable(jobs) {
   for (const job of jobs) {
     const title = job.title.length > titleWidth ? job.title.slice(0, titleWidth - 3) + "..." : job.title;
     const row = [
-      padRight(job.id, idWidth),
-      padRight(`P${job.priority}`, 2),
-      padRight(job.phase, phaseWidth),
-      padRight(job.issue_type, 8),
-      padRight(title, titleWidth),
+      padRight2(job.id, idWidth),
+      padRight2(`P${job.priority}`, 2),
+      padRight2(job.phase, phaseWidth),
+      padRight2(job.issue_type, 8),
+      padRight2(title, titleWidth),
       job.assignee ?? "-"
     ].join("  ");
     console.log(row);
@@ -63344,7 +63971,7 @@ function formatDuration(startStr, endStr) {
     return "unknown";
   }
 }
-function padRight(str, width) {
+function padRight2(str, width) {
   if (str.length >= width) return str;
   return str + " ".repeat(width - str.length);
 }
@@ -63938,11 +64565,11 @@ Permissions (${data.permissions.length}):`);
       }
       if (status) {
         if (status.completed) {
-          throw new Error("Bootstrap already completed. Use eve auth login instead.");
+          console.log("Bootstrap already completed. Attempting server-side recovery flow.");
         }
-        if (!status.requires_token && status.window_open) {
+        if (!status.completed && !status.requires_token && status.window_open) {
           console.log(`Bootstrap window open (${status.mode} mode). Token not required.`);
-        } else if (status.requires_token && !token) {
+        } else if (!status.completed && status.requires_token && !token) {
           throw new Error("Bootstrap token required. Use --token <token> or set EVE_BOOTSTRAP_TOKEN");
         }
       } else if (!token) {
@@ -64977,10 +65604,10 @@ function renderDiscoveredModels(response) {
 ${response.models.length} model(s) discovered`);
 }
 function formatRow2(columns, widths) {
-  const cells = columns.map((value, idx) => ` ${padRight2(value, widths[idx])} `);
+  const cells = columns.map((value, idx) => ` ${padRight3(value, widths[idx])} `);
   return `|${cells.join("|")}|`;
 }
-function padRight2(value, width) {
+function padRight3(value, width) {
   return value.length >= width ? value : `${value}${" ".repeat(width - value.length)}`;
 }
 
@@ -65195,7 +65822,7 @@ async function handleSystem(subcommand, positionals, flags, context2) {
   const json = Boolean(flags.json);
   switch (subcommand) {
     case "status":
-      return handleStatus(context2, json);
+      return handleStatus2(context2, json);
     case "health":
       return handleHealth(context2, json);
     case "jobs":
@@ -65218,7 +65845,7 @@ async function handleSystem(subcommand, positionals, flags, context2) {
       throw new Error("Usage: eve system <status|health|jobs|envs|logs|pods|events|config|settings|orchestrator>");
   }
 }
-async function handleStatus(context2, json) {
+async function handleStatus2(context2, json) {
   try {
     const status = await requestJson(context2, "/system/status");
     if (json) {
@@ -65584,11 +66211,11 @@ function formatJobsTable2(jobs) {
   const phaseWidth = Math.max(5, ...jobs.map((j) => j.phase.length));
   const titleWidth = Math.min(40, Math.max(5, ...jobs.map((j) => j.title.length)));
   const header = [
-    padRight3("Job ID", idWidth),
-    padRight3("Project", projectWidth),
-    padRight3("Phase", phaseWidth),
-    padRight3("P", 2),
-    padRight3("Title", titleWidth),
+    padRight4("Job ID", idWidth),
+    padRight4("Project", projectWidth),
+    padRight4("Phase", phaseWidth),
+    padRight4("P", 2),
+    padRight4("Title", titleWidth),
     "Assignee"
   ].join("  ");
   console.log(header);
@@ -65596,11 +66223,11 @@ function formatJobsTable2(jobs) {
   for (const job of jobs) {
     const title = job.title.length > titleWidth ? job.title.slice(0, titleWidth - 3) + "..." : job.title;
     const row = [
-      padRight3(job.id, idWidth),
-      padRight3(job.project_id, projectWidth),
-      padRight3(job.phase, phaseWidth),
-      padRight3(`P${job.priority}`, 2),
-      padRight3(title, titleWidth),
+      padRight4(job.id, idWidth),
+      padRight4(job.project_id, projectWidth),
+      padRight4(job.phase, phaseWidth),
+      padRight4(`P${job.priority}`, 2),
+      padRight4(title, titleWidth),
       job.assignee ?? "-"
     ].join("  ");
     console.log(row);
@@ -65619,21 +66246,21 @@ function formatEnvsTable(envs) {
   const namespaceWidth = Math.max(9, ...envs.map((e) => (e.namespace ?? "-").length));
   const releaseWidth = Math.max(7, ...envs.map((e) => (e.current_release ?? "-").length));
   const header = [
-    padRight3("Project", projectWidth),
-    padRight3("Environment", nameWidth),
-    padRight3("Type", typeWidth),
-    padRight3("Namespace", namespaceWidth),
-    padRight3("Release", releaseWidth)
+    padRight4("Project", projectWidth),
+    padRight4("Environment", nameWidth),
+    padRight4("Type", typeWidth),
+    padRight4("Namespace", namespaceWidth),
+    padRight4("Release", releaseWidth)
   ].join("  ");
   console.log(header);
   console.log("-".repeat(header.length));
   for (const env of envs) {
     const row = [
-      padRight3(env.project_id, projectWidth),
-      padRight3(env.name, nameWidth),
-      padRight3(env.type, typeWidth),
-      padRight3(env.namespace ?? "-", namespaceWidth),
-      padRight3(env.current_release ?? "-", releaseWidth)
+      padRight4(env.project_id, projectWidth),
+      padRight4(env.name, nameWidth),
+      padRight4(env.type, typeWidth),
+      padRight4(env.namespace ?? "-", namespaceWidth),
+      padRight4(env.current_release ?? "-", releaseWidth)
     ].join("  ");
     console.log(row);
   }
@@ -65652,12 +66279,12 @@ function formatPodsTable(pods) {
   const restartsWidth = Math.max(8, ...pods.map((p) => String(p.restarts).length));
   const ageWidth = Math.max(3, ...pods.map((p) => p.age.length));
   const header = [
-    padRight3("Name", nameWidth),
-    padRight3("Namespace", nsWidth),
-    padRight3("Phase", phaseWidth),
-    padRight3("Ready", readyWidth),
-    padRight3("Restarts", restartsWidth),
-    padRight3("Age", ageWidth),
+    padRight4("Name", nameWidth),
+    padRight4("Namespace", nsWidth),
+    padRight4("Phase", phaseWidth),
+    padRight4("Ready", readyWidth),
+    padRight4("Restarts", restartsWidth),
+    padRight4("Age", ageWidth),
     "Component",
     "Org",
     "Project",
@@ -65667,20 +66294,20 @@ function formatPodsTable(pods) {
   console.log("-".repeat(header.length));
   for (const pod of pods) {
     console.log([
-      padRight3(pod.name, nameWidth),
-      padRight3(pod.namespace, nsWidth),
-      padRight3(pod.phase, phaseWidth),
-      padRight3(pod.ready ? "yes" : "no", readyWidth),
-      padRight3(String(pod.restarts), restartsWidth),
-      padRight3(pod.age, ageWidth),
-      padRight3(pod.component ?? "-", 10),
-      padRight3(pod.orgId ?? "-", 10),
-      padRight3(pod.projectId ?? "-", 10),
-      padRight3(pod.env ?? "-", 10)
+      padRight4(pod.name, nameWidth),
+      padRight4(pod.namespace, nsWidth),
+      padRight4(pod.phase, phaseWidth),
+      padRight4(pod.ready ? "yes" : "no", readyWidth),
+      padRight4(String(pod.restarts), restartsWidth),
+      padRight4(pod.age, ageWidth),
+      padRight4(pod.component ?? "-", 10),
+      padRight4(pod.orgId ?? "-", 10),
+      padRight4(pod.projectId ?? "-", 10),
+      padRight4(pod.env ?? "-", 10)
     ].join("  "));
   }
 }
-function padRight3(str, width) {
+function padRight4(str, width) {
   if (str.length >= width) return str;
   return str + " ".repeat(width - str.length);
 }
@@ -65897,6 +66524,8 @@ function stripFilePath(filePath) {
 }
 
 // src/commands/env.ts
+var import_node_fs7 = require("node:fs");
+var import_node_path7 = require("node:path");
 var readline2 = __toESM(require("node:readline/promises"));
 async function handleEnv(subcommand, positionals, flags, context2) {
   const json = Boolean(flags.json);
@@ -66048,12 +66677,47 @@ async function handleDeploy(positionals, flags, context2, json) {
   if (!json) {
     console.log(`Deploying commit ${gitSha.substring(0, 8)} to ${envName}...`);
   }
-  const manifest = await requestJson(
-    context2,
-    `/projects/${projectId}/manifest`
-  );
-  if (!json) {
-    console.log(`Using manifest ${manifest.manifest_hash.substring(0, 8)}...`);
+  let manifestHash;
+  if (repoDir) {
+    const manifestPath = (0, import_node_path7.join)(repoDir, ".eve", "manifest.yaml");
+    if ((0, import_node_fs7.existsSync)(manifestPath)) {
+      const manifestYaml = (0, import_node_fs7.readFileSync)(manifestPath, "utf-8");
+      const branch = getGitBranch(repoDir);
+      const syncResponse = await requestJson(
+        context2,
+        `/projects/${projectId}/manifest`,
+        {
+          method: "POST",
+          body: {
+            yaml: manifestYaml,
+            git_sha: gitSha,
+            branch
+          }
+        }
+      );
+      manifestHash = syncResponse.manifest_hash;
+      if (!json) {
+        console.log(`Synced manifest ${manifestHash.substring(0, 8)}...`);
+      }
+    } else {
+      const manifest = await requestJson(
+        context2,
+        `/projects/${projectId}/manifest`
+      );
+      manifestHash = manifest.manifest_hash;
+      if (!json) {
+        console.log(`Using manifest ${manifestHash.substring(0, 8)}...`);
+      }
+    }
+  } else {
+    const manifest = await requestJson(
+      context2,
+      `/projects/${projectId}/manifest`
+    );
+    manifestHash = manifest.manifest_hash;
+    if (!json) {
+      console.log(`Using manifest ${manifestHash.substring(0, 8)}...`);
+    }
   }
   const direct = Boolean(flags.direct);
   let inputs;
@@ -66074,7 +66738,7 @@ Example: --inputs '{"release_id":"rel_xxx","smoke_test":false}'`
   const imageTag = getStringFlag(flags, ["image-tag", "image_tag", "imageTag"]);
   const body = {
     git_sha: gitSha,
-    manifest_hash: manifest.manifest_hash
+    manifest_hash: manifestHash
   };
   if (direct) {
     body.direct = true;
@@ -66351,9 +67015,9 @@ function formatEnvironmentsTable(environments) {
   const typeWidth = Math.max(4, ...environments.map((e) => e.type.length));
   const namespaceWidth = Math.max(9, ...environments.map((e) => e.namespace?.length ?? 0));
   const header = [
-    padRight4("Name", nameWidth),
-    padRight4("Type", typeWidth),
-    padRight4("Namespace", namespaceWidth),
+    padRight5("Name", nameWidth),
+    padRight5("Type", typeWidth),
+    padRight5("Namespace", namespaceWidth),
     "Current Release"
   ].join("  ");
   console.log(header);
@@ -66361,9 +67025,9 @@ function formatEnvironmentsTable(environments) {
   for (const env of environments) {
     const releaseDisplay = env.current_release_id ? env.current_release_id.substring(0, 12) + "..." : "-";
     const row = [
-      padRight4(env.name, nameWidth),
-      padRight4(env.type, typeWidth),
-      padRight4(env.namespace || "-", namespaceWidth),
+      padRight5(env.name, nameWidth),
+      padRight5(env.type, typeWidth),
+      padRight5(env.namespace || "-", namespaceWidth),
       releaseDisplay
     ].join("  ");
     console.log(row);
@@ -66455,21 +67119,21 @@ function formatEnvServices(report, services) {
     const restartsWidth = Math.max(8, ...services.map((s) => String(s.restarts).length));
     const phasesWidth = Math.max(6, ...services.map((s) => s.phases.join(", ").length));
     const header = [
-      padRight4("Service", nameWidth),
-      padRight4("Pods", totalWidth),
-      padRight4("Ready", readyWidth),
-      padRight4("Restarts", restartsWidth),
-      padRight4("Phases", phasesWidth)
+      padRight5("Service", nameWidth),
+      padRight5("Pods", totalWidth),
+      padRight5("Ready", readyWidth),
+      padRight5("Restarts", restartsWidth),
+      padRight5("Phases", phasesWidth)
     ].join("  ");
     console.log(header);
     console.log("-".repeat(header.length));
     for (const service of services) {
       console.log([
-        padRight4(service.name, nameWidth),
-        padRight4(String(service.pods_total), totalWidth),
-        padRight4(String(service.pods_ready), readyWidth),
-        padRight4(String(service.restarts), restartsWidth),
-        padRight4(service.phases.join(", "), phasesWidth)
+        padRight5(service.name, nameWidth),
+        padRight5(String(service.pods_total), totalWidth),
+        padRight5(String(service.pods_ready), readyWidth),
+        padRight5(String(service.restarts), restartsWidth),
+        padRight5(service.phases.join(", "), phasesWidth)
       ].join("  "));
     }
   }
@@ -66479,8 +67143,8 @@ function formatEnvServices(report, services) {
     const nameWidth = Math.max(4, ...report.deployments.map((d) => d.name.length));
     const readyWidth = Math.max(5, ...report.deployments.map((d) => `${d.available_replicas}/${d.desired_replicas}`.length));
     const header = [
-      padRight4("Name", nameWidth),
-      padRight4("Ready", readyWidth),
+      padRight5("Name", nameWidth),
+      padRight5("Ready", readyWidth),
       "Status"
     ].join("  ");
     console.log(header);
@@ -66489,8 +67153,8 @@ function formatEnvServices(report, services) {
       const readiness = `${deployment.available_replicas}/${deployment.desired_replicas}`;
       const status = deployment.ready ? "ready" : "not-ready";
       console.log([
-        padRight4(deployment.name, nameWidth),
-        padRight4(readiness, readyWidth),
+        padRight5(deployment.name, nameWidth),
+        padRight5(readiness, readyWidth),
         status
       ].join("  "));
     }
@@ -66519,8 +67183,8 @@ function formatEnvDiagnose(report) {
     const nameWidth = Math.max(4, ...report.deployments.map((d) => d.name.length));
     const readyWidth = Math.max(5, ...report.deployments.map((d) => `${d.available_replicas}/${d.desired_replicas}`.length));
     const header = [
-      padRight4("Name", nameWidth),
-      padRight4("Ready", readyWidth),
+      padRight5("Name", nameWidth),
+      padRight5("Ready", readyWidth),
       "Status"
     ].join("  ");
     console.log(header);
@@ -66529,8 +67193,8 @@ function formatEnvDiagnose(report) {
       const readiness = `${deployment.available_replicas}/${deployment.desired_replicas}`;
       const status = deployment.ready ? "ready" : "not-ready";
       console.log([
-        padRight4(deployment.name, nameWidth),
-        padRight4(readiness, readyWidth),
+        padRight5(deployment.name, nameWidth),
+        padRight5(readiness, readyWidth),
         status
       ].join("  "));
     }
@@ -66542,9 +67206,9 @@ function formatEnvDiagnose(report) {
     const phaseWidth = Math.max(5, ...report.pods.map((p) => p.phase.length));
     const restartsWidth = Math.max(8, ...report.pods.map((p) => String(p.restarts).length));
     const header = [
-      padRight4("Name", nameWidth),
-      padRight4("Phase", phaseWidth),
-      padRight4("Restarts", restartsWidth),
+      padRight5("Name", nameWidth),
+      padRight5("Phase", phaseWidth),
+      padRight5("Restarts", restartsWidth),
       "Ready",
       "Age"
     ].join("  ");
@@ -66552,9 +67216,9 @@ function formatEnvDiagnose(report) {
     console.log("-".repeat(header.length));
     for (const pod of report.pods) {
       console.log([
-        padRight4(pod.name, nameWidth),
-        padRight4(pod.phase, phaseWidth),
-        padRight4(String(pod.restarts), restartsWidth),
+        padRight5(pod.name, nameWidth),
+        padRight5(pod.phase, phaseWidth),
+        padRight5(String(pod.restarts), restartsWidth),
         pod.ready ? "yes" : "no",
         pod.age
       ].join("  "));
@@ -66654,7 +67318,7 @@ function formatDate2(dateStr) {
     return dateStr;
   }
 }
-function padRight4(str, width) {
+function padRight5(str, width) {
   if (str.length >= width) return str;
   return str + " ".repeat(width - str.length);
 }
@@ -67552,8 +68216,8 @@ function formatLifecycleMeta2(phase, meta) {
 }
 
 // src/commands/api.ts
-var import_node_fs7 = require("node:fs");
-var import_node_path7 = require("node:path");
+var import_node_fs8 = require("node:fs");
+var import_node_path8 = require("node:path");
 var import_node_child_process6 = require("node:child_process");
 var import_node_os4 = require("node:os");
 async function handleApi(subcommand, positionals, flags, context2) {
@@ -67672,7 +68336,7 @@ async function handleExamples(positionals, flags, context2, jsonOutput) {
 async function handleGenerate(positionals, flags, jsonOutput) {
   const outDir = getStringFlag(flags, ["out"]) ?? positionals[0];
   const repoRoot = resolveRepoRoot();
-  const outputDir = outDir ? (0, import_node_path7.resolve)(repoRoot, outDir) : (0, import_node_path7.resolve)(repoRoot, "docs/system");
+  const outputDir = outDir ? (0, import_node_path8.resolve)(repoRoot, outDir) : (0, import_node_path8.resolve)(repoRoot, "docs/system");
   runOpenApiExport(repoRoot, outputDir);
   outputJson({ ok: true, output_dir: outputDir }, jsonOutput, `OpenAPI exported to ${outputDir}`);
 }
@@ -67680,13 +68344,13 @@ async function handleDiff(positionals, flags, jsonOutput) {
   const exitCode = Boolean(flags["exit-code"]);
   const repoRoot = resolveRepoRoot();
   const expectedDir = getStringFlag(flags, ["out"]) ?? positionals[0];
-  const targetDir = expectedDir ? (0, import_node_path7.resolve)(repoRoot, expectedDir) : (0, import_node_path7.resolve)(repoRoot, "docs/system");
-  const tempDir = (0, import_node_fs7.mkdtempSync)((0, import_node_path7.join)((0, import_node_os4.tmpdir)(), "eve-openapi-"));
+  const targetDir = expectedDir ? (0, import_node_path8.resolve)(repoRoot, expectedDir) : (0, import_node_path8.resolve)(repoRoot, "docs/system");
+  const tempDir = (0, import_node_fs8.mkdtempSync)((0, import_node_path8.join)((0, import_node_os4.tmpdir)(), "eve-openapi-"));
   try {
     runOpenApiExport(repoRoot, tempDir);
-    const actualPath = (0, import_node_path7.resolve)(tempDir, "openapi.yaml");
-    const expectedPath = (0, import_node_path7.resolve)(targetDir, "openapi.yaml");
-    if (!(0, import_node_fs7.existsSync)(expectedPath)) {
+    const actualPath = (0, import_node_path8.resolve)(tempDir, "openapi.yaml");
+    const expectedPath = (0, import_node_path8.resolve)(targetDir, "openapi.yaml");
+    if (!(0, import_node_fs8.existsSync)(expectedPath)) {
       throw new Error(`Missing expected OpenAPI spec at ${expectedPath}`);
     }
     const diff = (0, import_node_child_process6.spawnSync)("diff", ["-u", expectedPath, actualPath], { stdio: "inherit" });
@@ -67696,7 +68360,7 @@ async function handleDiff(positionals, flags, jsonOutput) {
     }
     outputJson({ ok: !hasDiff }, jsonOutput, hasDiff ? "OpenAPI spec drift detected" : "OpenAPI spec matches");
   } finally {
-    (0, import_node_fs7.rmSync)(tempDir, { recursive: true, force: true });
+    (0, import_node_fs8.rmSync)(tempDir, { recursive: true, force: true });
   }
 }
 async function handleCall(positionals, flags, context2) {
@@ -67985,10 +68649,10 @@ function stripTrailingSlash(url) {
 function resolveRepoRoot() {
   let current = process.cwd();
   while (true) {
-    if ((0, import_node_fs7.existsSync)((0, import_node_path7.resolve)(current, "pnpm-workspace.yaml"))) {
+    if ((0, import_node_fs8.existsSync)((0, import_node_path8.resolve)(current, "pnpm-workspace.yaml"))) {
       return current;
     }
-    const parent = (0, import_node_path7.dirname)(current);
+    const parent = (0, import_node_path8.dirname)(current);
     if (parent === current) {
       break;
     }
@@ -67997,9 +68661,9 @@ function resolveRepoRoot() {
   throw new Error("Unable to locate repo root (pnpm-workspace.yaml not found).");
 }
 function runOpenApiExport(repoRoot, outputDir) {
-  const scriptPath = (0, import_node_path7.resolve)(repoRoot, "apps/api/dist/scripts/export-openapi.js");
-  if (!(0, import_node_fs7.existsSync)(scriptPath)) {
-    const build = (0, import_node_child_process6.spawnSync)("pnpm", ["-C", (0, import_node_path7.resolve)(repoRoot, "apps/api"), "build"], { stdio: "inherit" });
+  const scriptPath = (0, import_node_path8.resolve)(repoRoot, "apps/api/dist/scripts/export-openapi.js");
+  if (!(0, import_node_fs8.existsSync)(scriptPath)) {
+    const build = (0, import_node_child_process6.spawnSync)("pnpm", ["-C", (0, import_node_path8.resolve)(repoRoot, "apps/api"), "build"], { stdio: "inherit" });
     if (build.status !== 0) {
       throw new Error("Failed to build API before exporting OpenAPI spec");
     }
@@ -68035,14 +68699,14 @@ function resolveJsonInput(value) {
 }
 function resolveTextInput(value) {
   if (value.startsWith("@")) {
-    const filePath = (0, import_node_path7.resolve)(value.slice(1));
-    return (0, import_node_fs7.readFileSync)(filePath, "utf-8");
+    const filePath = (0, import_node_path8.resolve)(value.slice(1));
+    return (0, import_node_fs8.readFileSync)(filePath, "utf-8");
   }
   if (value.trim().startsWith("{") || value.trim().startsWith("[")) {
     return value;
   }
-  if ((0, import_node_fs7.existsSync)(value)) {
-    return (0, import_node_fs7.readFileSync)((0, import_node_path7.resolve)(value), "utf-8");
+  if ((0, import_node_fs8.existsSync)(value)) {
+    return (0, import_node_fs8.readFileSync)((0, import_node_path8.resolve)(value), "utf-8");
   }
   return value;
 }
@@ -68085,8 +68749,8 @@ function buildCurlCommand(options) {
 }
 
 // src/commands/db.ts
-var import_node_fs8 = require("node:fs");
-var import_node_path8 = require("node:path");
+var import_node_fs9 = require("node:fs");
+var import_node_path9 = require("node:path");
 var MIGRATION_REGEX = /^(\d{14})_([a-z0-9_]+)\.sql$/;
 async function handleDb(subcommand, positionals, flags, context2) {
   const jsonOutput = Boolean(flags.json);
@@ -68104,7 +68768,7 @@ async function handleDb(subcommand, positionals, flags, context2) {
     case "new":
       return handleNew(positionals, flags);
     case "status":
-      return handleStatus2(positionals, flags, context2, jsonOutput);
+      return handleStatus3(positionals, flags, context2, jsonOutput);
     case "rotate-credentials":
       return handleRotateCredentials(positionals, flags, context2, jsonOutput);
     case "scale":
@@ -68113,7 +68777,7 @@ async function handleDb(subcommand, positionals, flags, context2) {
       return handleDestroy(positionals, flags, context2, jsonOutput);
     default:
       throw new Error(
-        "Usage: eve db <command> [options]\n\nCommands:\n  schema              --env <name>                 Show DB schema info\n  rls                 --env <name>                 Show RLS policies and tables\n  sql                 --env <name> --sql <stmt>    Run parameterized SQL\n  migrate             --env <name> [--path <dir>]  Apply pending migrations\n  migrations          --env <name>                 List applied migrations\n  new                 <description>                Create new migration file\n  status              --env <name>                 Show managed DB status\n  rotate-credentials  --env <name>                 Rotate managed DB credentials\n  scale               --env <name> --class <cls>   Scale managed DB class\n  destroy             --env <name> --force          Destroy managed DB"
+        "Usage: eve db <command> [options]\n\nCommands:\n  schema              --env <name>                 Show DB schema info\n  rls                 --env <name>                 Show RLS policies and tables\n  rls init            --with-groups               Scaffold group-aware RLS helper SQL\n  sql                 --env <name> --sql <stmt>    Run parameterized SQL\n  migrate             --env <name> [--path <dir>]  Apply pending migrations\n  migrations          --env <name>                 List applied migrations\n  new                 <description>                Create new migration file\n  status              --env <name>                 Show managed DB status\n  rotate-credentials  --env <name>                 Rotate managed DB credentials\n  scale               --env <name> --class <cls>   Scale managed DB class\n  destroy             --env <name> --force          Destroy managed DB"
       );
   }
 }
@@ -68123,9 +68787,109 @@ async function handleSchema(positionals, flags, context2, jsonOutput) {
   outputJson(response, jsonOutput);
 }
 async function handleRls(positionals, flags, context2, jsonOutput) {
+  if (positionals[0] === "init") {
+    return handleRlsInit(flags, jsonOutput);
+  }
   const { projectId, envName } = resolveProjectEnv(positionals, flags, context2);
   const response = await requestJson(context2, `/projects/${projectId}/envs/${envName}/db/rls`);
-  outputJson(response, jsonOutput);
+  if (jsonOutput) {
+    outputJson(response, true);
+    return;
+  }
+  printRlsResponse(response);
+}
+function handleRlsInit(flags, jsonOutput) {
+  const withGroups = toBoolean(flags["with-groups"]) ?? false;
+  const force = toBoolean(flags.force) ?? false;
+  if (!withGroups) {
+    throw new Error("Usage: eve db rls init --with-groups [--out <path>] [--force]");
+  }
+  const outPath = getStringFlag(flags, ["out"]) ?? "db/rls/helpers.sql";
+  const fullPath = (0, import_node_path9.resolve)(outPath);
+  if ((0, import_node_fs9.existsSync)(fullPath) && !force) {
+    throw new Error(`RLS helper file already exists: ${fullPath}
+Use --force to overwrite.`);
+  }
+  (0, import_node_fs9.mkdirSync)((0, import_node_path9.dirname)(fullPath), { recursive: true });
+  (0, import_node_fs9.writeFileSync)(fullPath, renderRlsHelperTemplate());
+  const payload = {
+    path: fullPath,
+    with_groups: true
+  };
+  outputJson(payload, jsonOutput, `Created group-aware RLS helpers at ${fullPath}`);
+}
+function renderRlsHelperTemplate() {
+  return `-- Eve RLS helpers generated by "eve db rls init --with-groups"
+-- Usage:
+--   1. Apply this SQL in your target environment DB.
+--   2. Reference app.current_user_id()/app.current_group_ids()/app.has_group() in policies.
+--
+-- Example:
+--   CREATE POLICY notes_group_read
+--   ON notes
+--   FOR SELECT
+--   USING (group_id = ANY(app.current_group_ids()));
+
+CREATE SCHEMA IF NOT EXISTS app;
+
+CREATE OR REPLACE FUNCTION app.current_user_id()
+RETURNS text
+LANGUAGE sql
+STABLE
+AS $$
+  SELECT NULLIF(current_setting('app.user_id', true), '');
+$$;
+
+CREATE OR REPLACE FUNCTION app.current_group_ids()
+RETURNS text[]
+LANGUAGE sql
+STABLE
+AS $$
+  WITH raw AS (
+    SELECT NULLIF(current_setting('app.group_ids', true), '') AS value
+  )
+  SELECT COALESCE(
+    ARRAY(
+      SELECT jsonb_array_elements_text(COALESCE(raw.value::jsonb, '[]'::jsonb))
+      FROM raw
+    ),
+    ARRAY[]::text[]
+  );
+$$;
+
+CREATE OR REPLACE FUNCTION app.has_group(group_id text)
+RETURNS boolean
+LANGUAGE sql
+STABLE
+AS $$
+  SELECT group_id = ANY(app.current_group_ids());
+$$;
+`;
+}
+function printRlsResponse(response) {
+  const diagnostics = response.diagnostics?.context;
+  if (diagnostics) {
+    const groups = diagnostics.group_ids ?? [];
+    const permissions = diagnostics.permissions ?? [];
+    console.log("Context:");
+    console.log(`  Principal: ${diagnostics.principal_type ?? "unknown"} ${diagnostics.user_id ?? "(none)"}`);
+    console.log(`  Org: ${diagnostics.org_id ?? "(none)"}`);
+    console.log(`  Project: ${diagnostics.project_id ?? "(none)"}`);
+    console.log(`  Env: ${diagnostics.env_name ?? "(none)"}`);
+    console.log(`  Groups (${groups.length}): ${groups.length > 0 ? groups.join(", ") : "(none)"}`);
+    console.log(`  Permissions (${permissions.length}): ${permissions.length > 0 ? permissions.join(", ") : "(none)"}`);
+    console.log("");
+  }
+  const tables = response.tables ?? [];
+  if (tables.length === 0) {
+    console.log("No user tables/views found.");
+    return;
+  }
+  console.log(`RLS tables (${tables.length}):`);
+  for (const table of tables) {
+    const state = table.rls_enabled ? "enabled" : "disabled";
+    console.log(`  - ${table.schema}.${table.name} (${state}, ${table.policies.length} policies)`);
+  }
 }
 async function handleSql(positionals, flags, context2, jsonOutput) {
   const projectId = getStringFlag(flags, ["project"]) ?? context2.projectId;
@@ -68137,7 +68901,7 @@ async function handleSql(positionals, flags, context2, jsonOutput) {
   const sqlPositionals = envFromFlag ? positionals : positionals.slice(1);
   const sqlInput = getStringFlag(flags, ["sql"]) ?? sqlPositionals.join(" ");
   const fileInput = getStringFlag(flags, ["file"]);
-  const sqlText = fileInput ? (0, import_node_fs8.readFileSync)((0, import_node_path8.resolve)(fileInput), "utf-8") : sqlInput;
+  const sqlText = fileInput ? (0, import_node_fs9.readFileSync)((0, import_node_path9.resolve)(fileInput), "utf-8") : sqlInput;
   if (!sqlText) {
     throw new Error("Usage: eve db sql --env <name> --sql <statement> [--params <json>] [--write]");
   }
@@ -68176,11 +68940,11 @@ function parseJson(value, label) {
 async function handleMigrate(positionals, flags, context2, jsonOutput) {
   const { projectId, envName } = resolveProjectEnv(positionals, flags, context2);
   const migrationsPath = getStringFlag(flags, ["path"]) ?? "db/migrations";
-  const fullPath = (0, import_node_path8.resolve)(migrationsPath);
-  if (!(0, import_node_fs8.existsSync)(fullPath)) {
+  const fullPath = (0, import_node_path9.resolve)(migrationsPath);
+  if (!(0, import_node_fs9.existsSync)(fullPath)) {
     throw new Error(`Migrations directory not found: ${fullPath}`);
   }
-  const files = (0, import_node_fs8.readdirSync)(fullPath).filter((f) => f.endsWith(".sql")).sort();
+  const files = (0, import_node_fs9.readdirSync)(fullPath).filter((f) => f.endsWith(".sql")).sort();
   if (files.length === 0) {
     console.log("No migration files found");
     return;
@@ -68196,7 +68960,7 @@ Example: 20260128100000_create_users.sql`
   }
   const migrations = files.map((file) => ({
     name: file,
-    sql: (0, import_node_fs8.readFileSync)((0, import_node_path8.join)(fullPath, file), "utf-8")
+    sql: (0, import_node_fs9.readFileSync)((0, import_node_path9.join)(fullPath, file), "utf-8")
   }));
   console.log(`Found ${migrations.length} migration files`);
   const response = await requestJson(context2, `/projects/${projectId}/envs/${envName}/db/migrate`, {
@@ -68258,12 +69022,12 @@ function handleNew(positionals, flags) {
   ].join("");
   const filename = `${timestamp}_${normalizedDescription}.sql`;
   const migrationsPath = getStringFlag(flags, ["path"]) ?? "db/migrations";
-  const fullPath = (0, import_node_path8.resolve)(migrationsPath);
-  if (!(0, import_node_fs8.existsSync)(fullPath)) {
-    (0, import_node_fs8.mkdirSync)(fullPath, { recursive: true });
+  const fullPath = (0, import_node_path9.resolve)(migrationsPath);
+  if (!(0, import_node_fs9.existsSync)(fullPath)) {
+    (0, import_node_fs9.mkdirSync)(fullPath, { recursive: true });
   }
-  const filePath = (0, import_node_path8.join)(fullPath, filename);
-  if ((0, import_node_fs8.existsSync)(filePath)) {
+  const filePath = (0, import_node_path9.join)(fullPath, filename);
+  if ((0, import_node_fs9.existsSync)(filePath)) {
     throw new Error(`Migration file already exists: ${filePath}`);
   }
   const template = `-- Migration: ${normalizedDescription}
@@ -68272,10 +69036,10 @@ function handleNew(positionals, flags) {
 -- Write your SQL migration here
 
 `;
-  (0, import_node_fs8.writeFileSync)(filePath, template);
+  (0, import_node_fs9.writeFileSync)(filePath, template);
   console.log(`Created: ${filePath}`);
 }
-async function handleStatus2(positionals, flags, context2, jsonOutput) {
+async function handleStatus3(positionals, flags, context2, jsonOutput) {
   const { projectId, envName } = resolveProjectEnv(positionals, flags, context2);
   const response = await requestJson(context2, `/projects/${projectId}/envs/${envName}/db/managed`);
   if (jsonOutput) {
@@ -68509,24 +69273,24 @@ function formatEventsTable(events) {
   const sourceWidth = Math.max(6, ...events.map((e) => e.source.length));
   const statusWidth = Math.max(6, ...events.map((e) => e.status.length));
   const header = [
-    padRight5("ID", idWidth),
-    padRight5("Type", typeWidth),
-    padRight5("Source", sourceWidth),
-    padRight5("Status", statusWidth),
-    padRight5("Env", 12),
-    padRight5("Branch", 20),
+    padRight6("ID", idWidth),
+    padRight6("Type", typeWidth),
+    padRight6("Source", sourceWidth),
+    padRight6("Status", statusWidth),
+    padRight6("Env", 12),
+    padRight6("Branch", 20),
     "Created"
   ].join("  ");
   console.log(header);
   console.log("-".repeat(header.length));
   for (const event of events) {
     const row = [
-      padRight5(event.id, idWidth),
-      padRight5(event.type, typeWidth),
-      padRight5(event.source, sourceWidth),
-      padRight5(event.status, statusWidth),
-      padRight5(event.env_name || "-", 12),
-      padRight5(event.ref_branch || "-", 20),
+      padRight6(event.id, idWidth),
+      padRight6(event.type, typeWidth),
+      padRight6(event.source, sourceWidth),
+      padRight6(event.status, statusWidth),
+      padRight6(event.env_name || "-", 12),
+      padRight6(event.ref_branch || "-", 20),
       formatDate3(event.created_at)
     ].join("  ");
     console.log(row);
@@ -68579,7 +69343,7 @@ function formatDate3(dateStr) {
     return dateStr;
   }
 }
-function padRight5(str, width) {
+function padRight6(str, width) {
   if (str.length >= width) return str;
   return str + " ".repeat(width - str.length);
 }
@@ -69391,11 +70155,11 @@ async function fetchGitHubKeys2(username) {
 
 // src/commands/agents.ts
 var import_node_child_process8 = require("node:child_process");
-var import_node_fs9 = require("node:fs");
-var import_node_path9 = require("node:path");
+var import_node_fs10 = require("node:fs");
+var import_node_path10 = require("node:path");
 var import_yaml3 = require("yaml");
 function readYamlFile(filePath) {
-  const raw = (0, import_node_fs9.readFileSync)(filePath, "utf-8");
+  const raw = (0, import_node_fs10.readFileSync)(filePath, "utf-8");
   const parsed = (0, import_yaml3.parse)(raw);
   if (!parsed || typeof parsed !== "object") {
     throw new Error(`Invalid YAML in ${filePath}`);
@@ -69407,9 +70171,9 @@ function resolveAgentsConfigPaths(repoRoot, manifest) {
   const agentsBlock = xEve["agents"] || {};
   const chatBlock = xEve["chat"] || {};
   const manifestChat = manifest["chat"] || {};
-  const agentsPath = (0, import_node_path9.resolve)(repoRoot, pickString(agentsBlock.config_path) ?? "agents/agents.yaml");
-  const teamsPath = (0, import_node_path9.resolve)(repoRoot, pickString(agentsBlock.teams_path) ?? "agents/teams.yaml");
-  const chatPath = (0, import_node_path9.resolve)(
+  const agentsPath = (0, import_node_path10.resolve)(repoRoot, pickString(agentsBlock.config_path) ?? "agents/agents.yaml");
+  const teamsPath = (0, import_node_path10.resolve)(repoRoot, pickString(agentsBlock.teams_path) ?? "agents/teams.yaml");
+  const chatPath = (0, import_node_path10.resolve)(
     repoRoot,
     pickString(chatBlock.config_path) ?? pickString(manifestChat.config_path) ?? "agents/chat.yaml"
   );
@@ -69419,7 +70183,7 @@ function pickString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value : void 0;
 }
 function ensureFileExists(path6, label) {
-  if (!(0, import_node_fs9.existsSync)(path6)) {
+  if (!(0, import_node_fs10.existsSync)(path6)) {
     throw new Error(`Missing ${label} at ${path6}. Update manifest config_path or add the file.`);
   }
   return path6;
@@ -69434,9 +70198,9 @@ function isLocalApiUrl(apiUrl) {
   }
 }
 function loadAgentsConfig(repoRoot) {
-  const eveDir = (0, import_node_path9.join)(repoRoot, ".eve");
-  const manifestPath = (0, import_node_path9.join)(eveDir, "manifest.yaml");
-  if ((0, import_node_fs9.existsSync)(manifestPath)) {
+  const eveDir = (0, import_node_path10.join)(repoRoot, ".eve");
+  const manifestPath = (0, import_node_path10.join)(eveDir, "manifest.yaml");
+  if ((0, import_node_fs10.existsSync)(manifestPath)) {
     const manifest = readYamlFile(manifestPath);
     const xEve = manifest["x-eve"] || manifest["x_eve"] || {};
     const policy = xEve["agents"] || null;
@@ -69486,16 +70250,16 @@ async function resolvePacksAndMerge(repoRoot, manifest, projectSlug) {
     }
   }
   const configPaths = resolveAgentsConfigPaths(repoRoot, manifest);
-  if ((0, import_node_fs9.existsSync)(configPaths.agentsPath)) {
-    const projectAgents = (0, import_yaml3.parse)((0, import_node_fs9.readFileSync)(configPaths.agentsPath, "utf-8")) ?? {};
+  if ((0, import_node_fs10.existsSync)(configPaths.agentsPath)) {
+    const projectAgents = (0, import_yaml3.parse)((0, import_node_fs10.readFileSync)(configPaths.agentsPath, "utf-8")) ?? {};
     mergedAgents = mergeMapConfig(mergedAgents, projectAgents);
   }
-  if ((0, import_node_fs9.existsSync)(configPaths.teamsPath)) {
-    const projectTeams = (0, import_yaml3.parse)((0, import_node_fs9.readFileSync)(configPaths.teamsPath, "utf-8")) ?? {};
+  if ((0, import_node_fs10.existsSync)(configPaths.teamsPath)) {
+    const projectTeams = (0, import_yaml3.parse)((0, import_node_fs10.readFileSync)(configPaths.teamsPath, "utf-8")) ?? {};
     mergedTeams = mergeMapConfig(mergedTeams, projectTeams);
   }
-  if ((0, import_node_fs9.existsSync)(configPaths.chatPath)) {
-    const projectChat = (0, import_yaml3.parse)((0, import_node_fs9.readFileSync)(configPaths.chatPath, "utf-8")) ?? {};
+  if ((0, import_node_fs10.existsSync)(configPaths.chatPath)) {
+    const projectChat = (0, import_yaml3.parse)((0, import_node_fs10.readFileSync)(configPaths.chatPath, "utf-8")) ?? {};
     mergedChat = mergeChatConfig(
       mergedChat,
       projectChat
@@ -69524,10 +70288,10 @@ async function resolvePacksAndMerge(repoRoot, manifest, projectSlug) {
       chat_hash: simpleHash(JSON.stringify(mergedChat))
     }
   };
-  const eveDir = (0, import_node_path9.join)(repoRoot, ".eve");
-  (0, import_node_fs9.mkdirSync)(eveDir, { recursive: true });
-  const lockfilePath = (0, import_node_path9.join)(eveDir, "packs.lock.yaml");
-  (0, import_node_fs9.writeFileSync)(lockfilePath, (0, import_yaml3.stringify)(lockfile), "utf-8");
+  const eveDir = (0, import_node_path10.join)(repoRoot, ".eve");
+  (0, import_node_fs10.mkdirSync)(eveDir, { recursive: true });
+  const lockfilePath = (0, import_node_path10.join)(eveDir, "packs.lock.yaml");
+  (0, import_node_fs10.writeFileSync)(lockfilePath, (0, import_yaml3.stringify)(lockfile), "utf-8");
   console.log(`  \u2713 Lockfile written: .eve/packs.lock.yaml`);
   const packRefs = resolvedPacks.map((p) => ({ id: p.id, source: p.source, ref: p.ref }));
   return {
@@ -69600,7 +70364,7 @@ async function handleAgents(subcommand, positionals, flags, context2) {
   const command = subcommand ?? "config";
   const json = Boolean(flags.json);
   const includeHarnesses = !(getBooleanFlag(flags, ["no-harnesses"]) ?? false);
-  const repoRoot = (0, import_node_path9.resolve)(getStringFlag(flags, ["repo-dir", "repo_dir", "dir", "path"]) ?? process.cwd());
+  const repoRoot = (0, import_node_path10.resolve)(getStringFlag(flags, ["repo-dir", "repo_dir", "dir", "path"]) ?? process.cwd());
   switch (command) {
     case "config": {
       const result = loadAgentsConfig(repoRoot);
@@ -69669,8 +70433,8 @@ async function handleAgents(subcommand, positionals, flags, context2) {
       if (dirty && !allowDirty) {
         throw new Error("Working tree is dirty. Commit changes or pass --allow-dirty to sync anyway.");
       }
-      const manifestPath = (0, import_node_path9.join)(repoRoot, ".eve", "manifest.yaml");
-      if (!(0, import_node_fs9.existsSync)(manifestPath)) {
+      const manifestPath = (0, import_node_path10.join)(repoRoot, ".eve", "manifest.yaml");
+      if (!(0, import_node_fs10.existsSync)(manifestPath)) {
         throw new Error(`Missing manifest at ${manifestPath}. Expected .eve/manifest.yaml.`);
       }
       const manifest = readYamlFile(manifestPath);
@@ -69699,9 +70463,9 @@ async function handleAgents(subcommand, positionals, flags, context2) {
         packRefs = packResult.packRefs;
       } else {
         const configPaths = resolveAgentsConfigPaths(repoRoot, manifest);
-        agentsYaml = (0, import_node_fs9.readFileSync)(ensureFileExists(configPaths.agentsPath, "agents config"), "utf-8");
-        teamsYaml = (0, import_node_fs9.readFileSync)(ensureFileExists(configPaths.teamsPath, "teams config"), "utf-8");
-        chatYaml = (0, import_node_fs9.readFileSync)(ensureFileExists(configPaths.chatPath, "chat config"), "utf-8");
+        agentsYaml = (0, import_node_fs10.readFileSync)(ensureFileExists(configPaths.agentsPath, "agents config"), "utf-8");
+        teamsYaml = (0, import_node_fs10.readFileSync)(ensureFileExists(configPaths.teamsPath, "teams config"), "utf-8");
+        chatYaml = (0, import_node_fs10.readFileSync)(ensureFileExists(configPaths.chatPath, "chat config"), "utf-8");
       }
       let gitSha;
       let branch;
@@ -69784,10 +70548,10 @@ function formatAgentRuntimeStatus(response, orgId) {
   const ageWidth = Math.max(3, ...response.pods.map((pod) => formatAgeSeconds(pod.last_heartbeat_at).length));
   console.log("");
   const header = [
-    padRight6("Pod", nameWidth),
-    padRight6("Status", statusWidth),
-    padRight6("Capacity", capacityWidth),
-    padRight6("Age", ageWidth),
+    padRight7("Pod", nameWidth),
+    padRight7("Status", statusWidth),
+    padRight7("Capacity", capacityWidth),
+    padRight7("Age", ageWidth),
     "Last Heartbeat"
   ].join("  ");
   console.log(header);
@@ -69795,15 +70559,15 @@ function formatAgentRuntimeStatus(response, orgId) {
   for (const pod of response.pods) {
     const age = formatAgeSeconds(pod.last_heartbeat_at);
     console.log([
-      padRight6(pod.pod_name, nameWidth),
-      padRight6(pod.status, statusWidth),
-      padRight6(String(pod.capacity), capacityWidth),
-      padRight6(age, ageWidth),
+      padRight7(pod.pod_name, nameWidth),
+      padRight7(pod.status, statusWidth),
+      padRight7(String(pod.capacity), capacityWidth),
+      padRight7(age, ageWidth),
       pod.last_heartbeat_at
     ].join("  "));
   }
 }
-function padRight6(value, width) {
+function padRight7(value, width) {
   return value.length >= width ? value : `${value}${" ".repeat(width - value.length)}`;
 }
 function formatAgeSeconds(isoDate) {
@@ -70044,8 +70808,8 @@ function ensureSkillsSymlink2(projectRoot) {
 }
 
 // src/commands/release.ts
-var import_node_fs10 = require("node:fs");
-var import_node_path10 = require("node:path");
+var import_node_fs11 = require("node:fs");
+var import_node_path11 = require("node:path");
 async function handleRelease2(subcommand, positionals, flags, context2) {
   const json = Boolean(flags.json);
   switch (subcommand) {
@@ -70057,9 +70821,9 @@ async function handleRelease2(subcommand, positionals, flags, context2) {
       let projectId = typeof flags.project === "string" ? flags.project : context2.projectId;
       if (!projectId) {
         const dir = typeof flags.dir === "string" ? flags.dir : process.cwd();
-        const manifestPath = (0, import_node_path10.join)(dir, ".eve", "manifest.yaml");
+        const manifestPath = (0, import_node_path11.join)(dir, ".eve", "manifest.yaml");
         try {
-          const yaml = (0, import_node_fs10.readFileSync)(manifestPath, "utf-8");
+          const yaml = (0, import_node_fs11.readFileSync)(manifestPath, "utf-8");
           const projectMatch = yaml.match(/^project:\s*(\S+)/m);
           if (projectMatch) {
             projectId = projectMatch[1];
@@ -70108,8 +70872,8 @@ Make sure the release exists and the tag is correct.`
 }
 
 // src/commands/manifest.ts
-var import_node_fs11 = require("node:fs");
-var import_node_path11 = require("node:path");
+var import_node_fs12 = require("node:fs");
+var import_node_path12 = require("node:path");
 async function handleManifest(subcommand, positionals, flags, context2) {
   const json = Boolean(flags.json);
   switch (subcommand) {
@@ -70119,11 +70883,11 @@ async function handleManifest(subcommand, positionals, flags, context2) {
       const validateSecretsFlag = flags["validate-secrets"] ?? flags.validate_secrets;
       const validateSecrets = toBoolean(validateSecretsFlag) ?? false;
       const dir = typeof flags.dir === "string" ? flags.dir : process.cwd();
-      const manifestPath = getStringFlag(flags, ["path"]) ?? (0, import_node_path11.join)(dir, ".eve", "manifest.yaml");
+      const manifestPath = getStringFlag(flags, ["path"]) ?? (0, import_node_path12.join)(dir, ".eve", "manifest.yaml");
       let manifestYaml;
       if (!useLatest) {
         try {
-          manifestYaml = (0, import_node_fs11.readFileSync)(manifestPath, "utf-8");
+          manifestYaml = (0, import_node_fs12.readFileSync)(manifestPath, "utf-8");
         } catch (error) {
           throw new Error(`Failed to read manifest at ${manifestPath}: ${error.message}`);
         }
@@ -70191,11 +70955,11 @@ async function handleManifest(subcommand, positionals, flags, context2) {
 }
 
 // src/commands/packs.ts
-var import_node_fs12 = require("node:fs");
-var import_node_path12 = require("node:path");
+var import_node_fs13 = require("node:fs");
+var import_node_path13 = require("node:path");
 var import_yaml4 = require("yaml");
 async function handlePacks(subcommand, _rest, flags, _context) {
-  const repoRoot = (0, import_node_path12.resolve)(getStringFlag(flags, ["repo-dir", "repo_dir", "dir", "path"]) ?? process.cwd());
+  const repoRoot = (0, import_node_path13.resolve)(getStringFlag(flags, ["repo-dir", "repo_dir", "dir", "path"]) ?? process.cwd());
   switch (subcommand) {
     case "status": {
       printPacksStatus(repoRoot);
@@ -70211,14 +70975,14 @@ async function handlePacks(subcommand, _rest, flags, _context) {
   }
 }
 function printPacksStatus(repoRoot) {
-  const lockfilePath = (0, import_node_path12.join)(repoRoot, ".eve", "packs.lock.yaml");
-  const manifestPath = (0, import_node_path12.join)(repoRoot, ".eve", "manifest.yaml");
-  if (!(0, import_node_fs12.existsSync)(lockfilePath)) {
+  const lockfilePath = (0, import_node_path13.join)(repoRoot, ".eve", "packs.lock.yaml");
+  const manifestPath = (0, import_node_path13.join)(repoRoot, ".eve", "manifest.yaml");
+  if (!(0, import_node_fs13.existsSync)(lockfilePath)) {
     console.log("No lockfile found at .eve/packs.lock.yaml");
     console.log('Run "eve agents sync" to resolve packs and generate the lockfile.');
     return;
   }
-  const lockRaw = (0, import_node_fs12.readFileSync)(lockfilePath, "utf-8");
+  const lockRaw = (0, import_node_fs13.readFileSync)(lockfilePath, "utf-8");
   const lock = (0, import_yaml4.parse)(lockRaw);
   if (!lock || !lock.packs) {
     console.log("Lockfile is empty or malformed.");
@@ -70234,16 +70998,16 @@ function printPacksStatus(repoRoot) {
     const idWidth = Math.max(4, ...lock.packs.map((p) => p.id.length));
     const sourceWidth = Math.max(6, ...lock.packs.map((p) => p.source.length));
     const header = [
-      padRight7("Pack", idWidth),
-      padRight7("Source", sourceWidth),
+      padRight8("Pack", idWidth),
+      padRight8("Source", sourceWidth),
       "Ref"
     ].join("  ");
     console.log(header);
     console.log("-".repeat(header.length + 12));
     for (const pack of lock.packs) {
       console.log([
-        padRight7(pack.id, idWidth),
-        padRight7(pack.source, sourceWidth),
+        padRight8(pack.id, idWidth),
+        padRight8(pack.source, sourceWidth),
         pack.ref.substring(0, 12)
       ].join("  "));
     }
@@ -70253,8 +71017,8 @@ function printPacksStatus(repoRoot) {
   console.log(`  Agents: ${lock.effective.agents_count}`);
   console.log(`  Teams:  ${lock.effective.teams_count}`);
   console.log(`  Routes: ${lock.effective.routes_count}`);
-  if ((0, import_node_fs12.existsSync)(manifestPath)) {
-    const manifestRaw = (0, import_node_fs12.readFileSync)(manifestPath, "utf-8");
+  if ((0, import_node_fs13.existsSync)(manifestPath)) {
+    const manifestRaw = (0, import_node_fs13.readFileSync)(manifestPath, "utf-8");
     const manifest = (0, import_yaml4.parse)(manifestRaw);
     if (manifest) {
       const xEve = manifest["x-eve"] ?? manifest["x_eve"] ?? {};
@@ -70299,12 +71063,12 @@ function detectDrift(lock, manifestPacks) {
 }
 function printPacksResolve(repoRoot, dryRun) {
   if (dryRun) {
-    const lockfilePath = (0, import_node_path12.join)(repoRoot, ".eve", "packs.lock.yaml");
-    const manifestPath = (0, import_node_path12.join)(repoRoot, ".eve", "manifest.yaml");
-    if (!(0, import_node_fs12.existsSync)(manifestPath)) {
+    const lockfilePath = (0, import_node_path13.join)(repoRoot, ".eve", "packs.lock.yaml");
+    const manifestPath = (0, import_node_path13.join)(repoRoot, ".eve", "manifest.yaml");
+    if (!(0, import_node_fs13.existsSync)(manifestPath)) {
       throw new Error("No manifest found at .eve/manifest.yaml");
     }
-    const manifestRaw = (0, import_node_fs12.readFileSync)(manifestPath, "utf-8");
+    const manifestRaw = (0, import_node_fs13.readFileSync)(manifestPath, "utf-8");
     const manifest = (0, import_yaml4.parse)(manifestRaw);
     if (!manifest) {
       throw new Error("Manifest is empty or malformed.");
@@ -70322,8 +71086,8 @@ function printPacksResolve(repoRoot, dryRun) {
       const refShort = mp.ref ? mp.ref.substring(0, 12) : "(local)";
       console.log(`  - ${mp.source} @ ${refShort}`);
     }
-    if ((0, import_node_fs12.existsSync)(lockfilePath)) {
-      const lockRaw = (0, import_node_fs12.readFileSync)(lockfilePath, "utf-8");
+    if ((0, import_node_fs13.existsSync)(lockfilePath)) {
+      const lockRaw = (0, import_node_fs13.readFileSync)(lockfilePath, "utf-8");
       const lock = (0, import_yaml4.parse)(lockRaw);
       if (lock?.packs) {
         const drift = detectDrift(lock, manifestPacks);
@@ -70352,7 +71116,7 @@ function printPacksResolve(repoRoot, dryRun) {
   console.log("");
   console.log("This will resolve packs, merge configs, write the lockfile, and sync to the API.");
 }
-function padRight7(value, width) {
+function padRight8(value, width) {
   return value.length >= width ? value : `${value}${" ".repeat(width - value.length)}`;
 }
 
@@ -71178,8 +71942,8 @@ Cursor: ${result.cursor}`);
 }
 
 // src/commands/migrate.ts
-var import_node_fs13 = require("node:fs");
-var import_node_path13 = require("node:path");
+var import_node_fs14 = require("node:fs");
+var import_node_path14 = require("node:path");
 var import_yaml5 = require("yaml");
 async function handleMigrate2(subcommand, _rest, _flags) {
   switch (subcommand) {
@@ -71199,12 +71963,12 @@ async function migrateSkillsToPacks() {
   if (!repoRoot) {
     throw new Error("Not in a git repository. Run this from your project root.");
   }
-  const skillsTxtPath = (0, import_node_path13.join)(repoRoot, "skills.txt");
-  if (!(0, import_node_fs13.existsSync)(skillsTxtPath)) {
+  const skillsTxtPath = (0, import_node_path14.join)(repoRoot, "skills.txt");
+  if (!(0, import_node_fs14.existsSync)(skillsTxtPath)) {
     console.log("No skills.txt found at repository root. Nothing to migrate.");
     return;
   }
-  const content = (0, import_node_fs13.readFileSync)(skillsTxtPath, "utf-8");
+  const content = (0, import_node_fs14.readFileSync)(skillsTxtPath, "utf-8");
   const lines = content.split("\n");
   const localSources = [];
   const remoteSources = [];
@@ -71313,9 +72077,9 @@ async function handleList8(flags, context2, json) {
   const nameWidth = Math.max(12, ...response.managed.map((m) => m.display_name.length));
   const providerWidth = Math.max(8, ...response.managed.map((m) => m.inference_provider.length));
   const header = [
-    padRight8("Model Spec", specWidth),
-    padRight8("Display Name", nameWidth),
-    padRight8("Provider", providerWidth),
+    padRight9("Model Spec", specWidth),
+    padRight9("Display Name", nameWidth),
+    padRight9("Provider", providerWidth),
     "Capabilities"
   ].join("  ");
   console.log(header);
@@ -71326,9 +72090,9 @@ async function handleList8(flags, context2, json) {
     if (model.capabilities.tool_calling) caps.push("tools");
     if (model.capabilities.reasoning) caps.push("reason");
     const row = [
-      padRight8(model.model_spec, specWidth),
-      padRight8(model.display_name, nameWidth),
-      padRight8(model.inference_provider, providerWidth),
+      padRight9(model.model_spec, specWidth),
+      padRight9(model.display_name, nameWidth),
+      padRight9(model.inference_provider, providerWidth),
       caps.join(", ")
     ].join("  ");
     console.log(row);
@@ -71338,16 +72102,95 @@ async function handleList8(flags, context2, json) {
   console.log("");
   console.log('Usage: Set harness_options.model to the model spec (e.g. "managed/deepseek-r1")');
 }
-function padRight8(str, width) {
+function padRight9(str, width) {
   if (str.length >= width) return str;
   return str + " ".repeat(width - str.length);
 }
 
 // src/commands/access.ts
-var import_node_fs14 = require("node:fs");
-var import_node_path14 = require("node:path");
+var import_node_fs15 = require("node:fs");
+var import_node_path15 = require("node:path");
 var readline3 = __toESM(require("node:readline/promises"));
 var import_yaml6 = require("yaml");
+function resolvePrincipalSelection(flags, options) {
+  const userId = getStringFlag(flags, ["user"]);
+  const spId = getStringFlag(flags, ["service-principal", "sp"]);
+  const groupId = options?.allowGroup ? getStringFlag(flags, ["group"]) : void 0;
+  const selected = [
+    userId ? "user" : null,
+    spId ? "service_principal" : null,
+    groupId ? "group" : null
+  ].filter(Boolean);
+  if (selected.length === 0) {
+    const groupHint = options?.allowGroup ? " or --group <group_id>" : "";
+    throw new Error(`--user <user_id> or --service-principal <sp_id>${groupHint} is required`);
+  }
+  if (selected.length > 1) {
+    throw new Error("Specify exactly one principal selector: --user, --service-principal, or --group");
+  }
+  if (userId) {
+    return { principalType: "user", principalId: userId };
+  }
+  if (spId) {
+    return { principalType: "service_principal", principalId: spId };
+  }
+  return { principalType: "group", principalId: groupId };
+}
+function parseScopeJsonFlag(flags) {
+  const raw = getStringFlag(flags, ["scope-json"]);
+  if (!raw) {
+    return void 0;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error("must be a JSON object");
+    }
+    return parsed;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Invalid --scope-json: ${message}`);
+  }
+}
+function normalizeBindingScope(scope) {
+  if (!scope) {
+    return void 0;
+  }
+  const normalized = {};
+  if (scope.orgfs) {
+    const allow = [...new Set(scope.orgfs.allow_prefixes ?? [])].sort();
+    const readOnly = [...new Set(scope.orgfs.read_only_prefixes ?? [])].sort();
+    if (allow.length > 0 || readOnly.length > 0) {
+      normalized.orgfs = {};
+      if (allow.length > 0) normalized.orgfs.allow_prefixes = allow;
+      if (readOnly.length > 0) normalized.orgfs.read_only_prefixes = readOnly;
+    }
+  }
+  if (scope.orgdocs) {
+    const allow = [...new Set(scope.orgdocs.allow_prefixes ?? [])].sort();
+    const readOnly = [...new Set(scope.orgdocs.read_only_prefixes ?? [])].sort();
+    if (allow.length > 0 || readOnly.length > 0) {
+      normalized.orgdocs = {};
+      if (allow.length > 0) normalized.orgdocs.allow_prefixes = allow;
+      if (readOnly.length > 0) normalized.orgdocs.read_only_prefixes = readOnly;
+    }
+  }
+  if (scope.envdb) {
+    const schemas = [...new Set(scope.envdb.schemas ?? [])].sort();
+    const tables = [...new Set(scope.envdb.tables ?? [])].sort();
+    if (schemas.length > 0 || tables.length > 0) {
+      normalized.envdb = {};
+      if (schemas.length > 0) normalized.envdb.schemas = schemas;
+      if (tables.length > 0) normalized.envdb.tables = tables;
+    }
+  }
+  return Object.keys(normalized).length > 0 ? normalized : void 0;
+}
+function scopeEquals(left, right) {
+  const normalizedLeft = normalizeBindingScope(left);
+  const normalizedRight = normalizeBindingScope(right);
+  return JSON.stringify(normalizedLeft ?? null) === JSON.stringify(normalizedRight ?? null);
+}
 async function handleAccess(subcommand, rest, flags, context2) {
   const json = Boolean(flags.json);
   switch (subcommand) {
@@ -71363,6 +72206,10 @@ async function handleAccess(subcommand, rest, flags, context2) {
       return handleUnbind(flags, context2, json);
     case "bindings":
       return handleBindings(rest[0], flags, context2, json);
+    case "groups":
+      return handleGroups(rest[0], rest.slice(1), flags, context2, json);
+    case "memberships":
+      return handleMemberships(flags, context2, json);
     case "validate":
       return handleValidate(flags, json);
     case "plan":
@@ -71371,38 +72218,44 @@ async function handleAccess(subcommand, rest, flags, context2) {
       return handleSync(flags, context2, json);
     default:
       throw new Error(
-        "Usage: eve access <subcommand> [flags]\n\nCommands:\n  can        Check if a principal can perform an action\n  explain    Explain permission resolution chain\n  roles      Manage custom access roles (create|list|show|update|delete)\n  bind       Bind a custom role to a principal\n  unbind     Remove a role binding from a principal\n  bindings   List access bindings\n  validate   Validate an .eve/access.yaml file\n  plan       Show changes needed to sync access.yaml to an org\n  sync       Apply access.yaml to an org (create/update/prune)"
+        "Usage: eve access <subcommand> [flags]\n\nCommands:\n  can        Check if a principal can perform an action\n  explain    Explain permission resolution chain\n  roles      Manage custom access roles (create|list|show|update|delete)\n  bind       Bind a custom role to a principal\n  unbind     Remove a role binding from a principal\n  bindings   List access bindings\n  groups     Manage access groups and members\n  memberships Inspect principal memberships and effective scopes\n  validate   Validate an .eve/access.yaml file\n  plan       Show changes needed to sync access.yaml to an org\n  sync       Apply access.yaml to an org (create/update/prune)"
       );
   }
 }
 async function handleCan(flags, context2, json) {
   const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
-  const userId = getStringFlag(flags, ["user"]);
-  const spId = getStringFlag(flags, ["service-principal", "sp"]);
   const projectId = getStringFlag(flags, ["project"]) ?? context2.projectId;
   const permission = getStringFlag(flags, ["permission"]);
+  const resourceType = getStringFlag(flags, ["resource-type"]);
+  const resourceId = getStringFlag(flags, ["resource", "resource-id"]);
+  const action = getStringFlag(flags, ["action"]);
   if (!orgId) {
     throw new Error("--org is required (or set a default org in your profile)");
   }
   if (!permission) {
     throw new Error("--permission is required");
   }
-  if (!userId && !spId) {
-    throw new Error("--user <user_id> or --service-principal <sp_id> is required");
-  }
-  if (userId && spId) {
-    throw new Error("Specify either --user or --service-principal, not both");
+  const principal = resolvePrincipalSelection(flags, { allowGroup: true });
+  if ((resourceType || action) && !resourceId) {
+    throw new Error("--resource is required when --resource-type or --action is provided");
   }
-  const principalType = userId ? "user" : "service_principal";
-  const principalId = userId ?? spId;
   const params = new URLSearchParams({
-    principal_type: principalType,
-    principal_id: principalId,
+    principal_type: principal.principalType,
+    principal_id: principal.principalId,
     permission
   });
   if (projectId) {
     params.set("project_id", projectId);
   }
+  if (resourceType) {
+    params.set("resource_type", resourceType);
+  }
+  if (resourceId) {
+    params.set("resource_id", resourceId);
+  }
+  if (action) {
+    params.set("action", action);
+  }
   const response = await requestJson(
     context2,
     `/orgs/${orgId}/access/can?${params.toString()}`
@@ -71413,35 +72266,47 @@ async function handleCan(flags, context2, json) {
   }
   const label = response.allowed ? "ALLOWED" : "DENIED";
   console.log(`${label} (source: ${response.source})`);
+  if (response.resource) {
+    const resourceStatus = response.resource.scope_matched ? "scope match" : "scope denied";
+    console.log(
+      `Resource: ${response.resource.type}:${response.resource.id} [${response.resource.action}] (${resourceStatus})`
+    );
+  }
 }
 async function handleExplain(flags, context2, json) {
   const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
-  const userId = getStringFlag(flags, ["user"]);
-  const spId = getStringFlag(flags, ["service-principal", "sp"]);
   const projectId = getStringFlag(flags, ["project"]) ?? context2.projectId;
   const permission = getStringFlag(flags, ["permission"]);
+  const resourceType = getStringFlag(flags, ["resource-type"]);
+  const resourceId = getStringFlag(flags, ["resource", "resource-id"]);
+  const action = getStringFlag(flags, ["action"]);
   if (!orgId) {
     throw new Error("--org is required (or set a default org in your profile)");
   }
   if (!permission) {
     throw new Error("--permission is required");
   }
-  if (!userId && !spId) {
-    throw new Error("--user <user_id> or --service-principal <sp_id> is required");
-  }
-  if (userId && spId) {
-    throw new Error("Specify either --user or --service-principal, not both");
+  const principal = resolvePrincipalSelection(flags, { allowGroup: true });
+  if ((resourceType || action) && !resourceId) {
+    throw new Error("--resource is required when --resource-type or --action is provided");
   }
-  const principalType = userId ? "user" : "service_principal";
-  const principalId = userId ?? spId;
   const params = new URLSearchParams({
-    principal_type: principalType,
-    principal_id: principalId,
+    principal_type: principal.principalType,
+    principal_id: principal.principalId,
     permission
   });
   if (projectId) {
     params.set("project_id", projectId);
   }
+  if (resourceType) {
+    params.set("resource_type", resourceType);
+  }
+  if (resourceId) {
+    params.set("resource_id", resourceId);
+  }
+  if (action) {
+    params.set("action", action);
+  }
   const response = await requestJson(
     context2,
     `/orgs/${orgId}/access/explain?${params.toString()}`
@@ -71452,13 +72317,20 @@ async function handleExplain(flags, context2, json) {
   }
   console.log(`Permission: ${response.permission}`);
   console.log(`Result: ${response.result}`);
+  if (response.resource) {
+    const resourceStatus = response.resource.scope_matched ? "scope match" : "scope denied";
+    console.log(
+      `Resource: ${response.resource.type}:${response.resource.id} [${response.resource.action}] (${resourceStatus})`
+    );
+  }
   if (response.grants.length > 0) {
     console.log("Grants found:");
     for (const grant of response.grants) {
       const roleLabel = grant.role ? `: ${grant.role}` : "";
       const permCount = grant.permissions.length;
       const status = grant.has_permission ? "has permission" : `missing ${response.permission}`;
-      console.log(`  - ${grant.source}${roleLabel} -> [${permCount} permissions] (${status})`);
+      const scopeSuffix = grant.scope_match === void 0 ? "" : grant.scope_match ? " [scope:match]" : ` [scope:deny${grant.scope_reason ? `: ${grant.scope_reason}` : ""}]`;
+      console.log(`  - ${grant.source}${roleLabel} -> [${permCount} permissions] (${status})${scopeSuffix}`);
     }
   } else {
     console.log("Grants found: none");
@@ -71638,32 +72510,27 @@ async function handleRoles(action, positionals, flags, context2, json) {
 }
 async function handleBind(flags, context2, json) {
   const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
-  const userId = getStringFlag(flags, ["user"]);
-  const spId = getStringFlag(flags, ["service-principal", "sp"]);
   const projectId = getStringFlag(flags, ["project"]) ?? context2.projectId;
   const roleName = getStringFlag(flags, ["role"]);
+  const scopeJson = parseScopeJsonFlag(flags);
   if (!orgId) {
     throw new Error("--org is required (or set a default org in your profile)");
   }
   if (!roleName) {
     throw new Error("--role <role_name> is required");
   }
-  if (!userId && !spId) {
-    throw new Error("--user <user_id> or --service-principal <sp_id> is required");
-  }
-  if (userId && spId) {
-    throw new Error("Specify either --user or --service-principal, not both");
-  }
-  const principalType = userId ? "user" : "service_principal";
-  const principalId = userId ?? spId;
+  const principal = resolvePrincipalSelection(flags, { allowGroup: true });
   const body = {
     role_name: roleName,
-    principal_type: principalType,
-    principal_id: principalId
+    principal_type: principal.principalType,
+    principal_id: principal.principalId
   };
   if (projectId) {
     body.project_id = projectId;
   }
+  if (scopeJson) {
+    body.scope_json = scopeJson;
+  }
   const response = await requestJson(
     context2,
     `/orgs/${orgId}/access/bindings`,
@@ -71674,12 +72541,10 @@ async function handleBind(flags, context2, json) {
     return;
   }
   const scopeLabel = response.project_id ? `project ${response.project_id}` : `org ${orgId}`;
-  console.log(`Bound role '${response.role_name}' to ${principalType} ${principalId} on ${scopeLabel}`);
+  console.log(`Bound role '${response.role_name}' to ${principal.principalType} ${principal.principalId} on ${scopeLabel}`);
 }
 async function handleUnbind(flags, context2, json) {
   const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
-  const userId = getStringFlag(flags, ["user"]);
-  const spId = getStringFlag(flags, ["service-principal", "sp"]);
   const projectId = getStringFlag(flags, ["project"]) ?? context2.projectId;
   const roleName = getStringFlag(flags, ["role"]);
   if (!orgId) {
@@ -71688,17 +72553,10 @@ async function handleUnbind(flags, context2, json) {
   if (!roleName) {
     throw new Error("--role <role_name> is required");
   }
-  if (!userId && !spId) {
-    throw new Error("--user <user_id> or --service-principal <sp_id> is required");
-  }
-  if (userId && spId) {
-    throw new Error("Specify either --user or --service-principal, not both");
-  }
-  const principalType = userId ? "user" : "service_principal";
-  const principalId = userId ?? spId;
+  const principal = resolvePrincipalSelection(flags, { allowGroup: true });
   const params = new URLSearchParams({
-    principal_type: principalType,
-    principal_id: principalId
+    principal_type: principal.principalType,
+    principal_id: principal.principalId
   });
   if (projectId) {
     params.set("project_id", projectId);
@@ -71710,14 +72568,14 @@ async function handleUnbind(flags, context2, json) {
   const bindings = unwrapListResponse(bindingsResponse);
   const matching = bindings.find((b) => {
     if (b.role_name !== roleName) return false;
-    if (b.principal_type !== principalType) return false;
-    if (b.principal_id !== principalId) return false;
+    if (b.principal_type !== principal.principalType) return false;
+    if (b.principal_id !== principal.principalId) return false;
     if (projectId) return b.project_id === projectId;
     return b.project_id === null;
   });
   if (!matching) {
     throw new Error(
-      `No binding found for role '${roleName}' on ${principalType} ${principalId}` + (projectId ? ` in project ${projectId}` : " at org level")
+      `No binding found for role '${roleName}' on ${principal.principalType} ${principal.principalId}` + (projectId ? ` in project ${projectId}` : " at org level")
     );
   }
   await requestJson(
@@ -71730,7 +72588,7 @@ async function handleUnbind(flags, context2, json) {
     return;
   }
   const scopeLabel = projectId ? `project ${projectId}` : `org ${orgId}`;
-  console.log(`Unbound role '${roleName}' from ${principalType} ${principalId} on ${scopeLabel}`);
+  console.log(`Unbound role '${roleName}' from ${principal.principalType} ${principal.principalId} on ${scopeLabel}`);
 }
 async function handleBindings(action, flags, context2, json) {
   if (action && action !== "list") {
@@ -71762,16 +72620,262 @@ async function handleBindings(action, flags, context2, json) {
     console.log(`${b.role_name} -> ${b.principal_type} ${b.principal_id} (${scope})`);
   }
 }
+async function handleGroups(action, positionals, flags, context2, json) {
+  const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
+  if (!orgId) {
+    throw new Error("--org is required (or set a default org in your profile)");
+  }
+  if (action === "members") {
+    return handleGroupMembers(positionals[0], positionals.slice(1), flags, context2, json);
+  }
+  switch (action) {
+    case "create": {
+      const name = positionals[0] ?? getStringFlag(flags, ["name"]);
+      const slug = getStringFlag(flags, ["slug"]);
+      const description = getStringFlag(flags, ["description"]);
+      if (!name) {
+        throw new Error("Usage: eve access groups create <name> --org <org_id> [--slug <slug>] [--description <text>]");
+      }
+      const response = await requestJson(context2, `/orgs/${orgId}/access/groups`, {
+        method: "POST",
+        body: { name, slug, description }
+      });
+      if (json) {
+        outputJson(response, json);
+        return;
+      }
+      console.log(`Created group '${response.name}' (${response.id})`);
+      console.log(`  Slug: ${response.slug}`);
+      if (response.description) {
+        console.log(`  Description: ${response.description}`);
+      }
+      return;
+    }
+    case "list": {
+      const listResponse = await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups`
+      );
+      const groups = unwrapListResponse(listResponse);
+      if (json) {
+        outputJson({ data: groups }, json);
+        return;
+      }
+      if (groups.length === 0) {
+        console.log("No access groups found.");
+        return;
+      }
+      for (const group of groups) {
+        const desc = group.description ? ` - ${group.description}` : "";
+        console.log(`${group.slug} (${group.id})${desc}`);
+      }
+      return;
+    }
+    case "show": {
+      const group = positionals[0] ?? getStringFlag(flags, ["group"]);
+      if (!group) {
+        throw new Error("Usage: eve access groups show <group_id_or_slug> --org <org_id>");
+      }
+      const response = await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(group)}`
+      );
+      if (json) {
+        outputJson(response, json);
+        return;
+      }
+      console.log(`Name: ${response.name}`);
+      console.log(`ID: ${response.id}`);
+      console.log(`Slug: ${response.slug}`);
+      if (response.description) {
+        console.log(`Description: ${response.description}`);
+      }
+      console.log(`Created: ${response.created_at}`);
+      console.log(`Updated: ${response.updated_at}`);
+      return;
+    }
+    case "update": {
+      const group = positionals[0] ?? getStringFlag(flags, ["group"]);
+      if (!group) {
+        throw new Error("Usage: eve access groups update <group_id_or_slug> --org <org_id> [--name <name>] [--slug <slug>] [--description <text>]");
+      }
+      const name = getStringFlag(flags, ["name"]);
+      const slug = getStringFlag(flags, ["slug"]);
+      const description = getStringFlag(flags, ["description"]);
+      if (name === void 0 && slug === void 0 && description === void 0) {
+        throw new Error("Nothing to update. Use --name, --slug, or --description");
+      }
+      const response = await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(group)}`,
+        {
+          method: "PATCH",
+          body: {
+            name,
+            slug,
+            description
+          }
+        }
+      );
+      if (json) {
+        outputJson(response, json);
+        return;
+      }
+      console.log(`Updated group '${response.name}' (${response.id})`);
+      console.log(`  Slug: ${response.slug}`);
+      if (response.description) {
+        console.log(`  Description: ${response.description}`);
+      }
+      return;
+    }
+    case "delete": {
+      const group = positionals[0] ?? getStringFlag(flags, ["group"]);
+      if (!group) {
+        throw new Error("Usage: eve access groups delete <group_id_or_slug> --org <org_id>");
+      }
+      await requestJson(context2, `/orgs/${orgId}/access/groups/${encodeURIComponent(group)}`, {
+        method: "DELETE"
+      });
+      if (json) {
+        outputJson({ deleted: true, group }, json);
+        return;
+      }
+      console.log(`Deleted group '${group}'`);
+      return;
+    }
+    default:
+      throw new Error(
+        'Usage: eve access groups <create|list|show|update|delete|members> [args] [flags]\n\nExamples:\n  eve access groups create "Product Management" --org org_xxx\n  eve access groups list --org org_xxx\n  eve access groups members list pm-team --org org_xxx'
+      );
+  }
+}
+async function handleGroupMembers(action, positionals, flags, context2, json) {
+  const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
+  if (!orgId) {
+    throw new Error("--org is required (or set a default org in your profile)");
+  }
+  switch (action) {
+    case "add": {
+      const group = positionals[0] ?? getStringFlag(flags, ["group"]);
+      if (!group) {
+        throw new Error("Usage: eve access groups members add <group> --org <org_id> (--user <user_id> | --service-principal <sp_id>)");
+      }
+      const principal = resolvePrincipalSelection(flags);
+      const response = await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(group)}/members`,
+        {
+          method: "POST",
+          body: {
+            principal_type: principal.principalType,
+            principal_id: principal.principalId
+          }
+        }
+      );
+      if (json) {
+        outputJson(response, json);
+        return;
+      }
+      console.log(`Added ${response.principal_type} ${response.principal_id} to group ${group}`);
+      return;
+    }
+    case "list": {
+      const group = positionals[0] ?? getStringFlag(flags, ["group"]);
+      if (!group) {
+        throw new Error("Usage: eve access groups members list <group> --org <org_id>");
+      }
+      const membersResponse = await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(group)}/members`
+      );
+      const members = unwrapListResponse(membersResponse);
+      if (json) {
+        outputJson({ data: members }, json);
+        return;
+      }
+      if (members.length === 0) {
+        console.log("No group members found.");
+        return;
+      }
+      for (const member of members) {
+        console.log(`${member.principal_type} ${member.principal_id}`);
+      }
+      return;
+    }
+    case "remove": {
+      const group = positionals[0] ?? getStringFlag(flags, ["group"]);
+      if (!group) {
+        throw new Error("Usage: eve access groups members remove <group> --org <org_id> (--user <user_id> | --service-principal <sp_id>)");
+      }
+      const principal = resolvePrincipalSelection(flags);
+      await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(group)}/members/${principal.principalType}/${principal.principalId}`,
+        { method: "DELETE" }
+      );
+      if (json) {
+        outputJson({ removed: true, group, principal: principal.principalId }, json);
+        return;
+      }
+      console.log(`Removed ${principal.principalType} ${principal.principalId} from group ${group}`);
+      return;
+    }
+    default:
+      throw new Error(
+        "Usage: eve access groups members <add|list|remove> <group> --org <org_id> [--user <id> | --service-principal <id>]"
+      );
+  }
+}
+async function handleMemberships(flags, context2, json) {
+  const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
+  if (!orgId) {
+    throw new Error("--org is required (or set a default org in your profile)");
+  }
+  const principal = resolvePrincipalSelection(flags, { allowGroup: true });
+  const response = await requestJson(
+    context2,
+    `/orgs/${orgId}/access/principals/${principal.principalType}/${principal.principalId}/memberships`
+  );
+  if (json) {
+    outputJson(response, json);
+    return;
+  }
+  console.log(`Principal: ${response.principal_type} ${response.principal_id}`);
+  if (response.base.org_role) {
+    console.log(`Org role: ${response.base.org_role}`);
+  }
+  if (response.base.project_roles.length > 0) {
+    console.log(`Project roles: ${response.base.project_roles.length}`);
+  }
+  if (response.groups.length > 0) {
+    console.log(`Groups: ${response.groups.map((group) => group.slug).join(", ")}`);
+  } else {
+    console.log("Groups: none");
+  }
+  console.log(`Effective permissions: ${response.effective_permissions.length}`);
+  if (response.effective_scopes.orgfs.allow_prefixes.length > 0) {
+    console.log(`orgfs allow: ${response.effective_scopes.orgfs.allow_prefixes.join(", ")}`);
+  }
+  if (response.effective_scopes.orgdocs.allow_prefixes.length > 0) {
+    console.log(`orgdocs allow: ${response.effective_scopes.orgdocs.allow_prefixes.join(", ")}`);
+  }
+  if (response.effective_scopes.envdb.schemas.length > 0 || response.effective_scopes.envdb.tables.length > 0) {
+    const schemas = response.effective_scopes.envdb.schemas.join(", ") || "-";
+    const tables = response.effective_scopes.envdb.tables.join(", ") || "-";
+    console.log(`envdb schemas: ${schemas}`);
+    console.log(`envdb tables: ${tables}`);
+  }
+}
 var DEFAULT_ACCESS_YAML = ".eve/access.yaml";
 function resolveFilePath(flags) {
   const filePath = getStringFlag(flags, ["file", "f"]) ?? DEFAULT_ACCESS_YAML;
-  return (0, import_node_path14.resolve)(process.cwd(), filePath);
+  return (0, import_node_path15.resolve)(process.cwd(), filePath);
 }
 function loadAccessYaml(filePath) {
-  if (!(0, import_node_fs14.existsSync)(filePath)) {
+  if (!(0, import_node_fs15.existsSync)(filePath)) {
     throw new Error(`File not found: ${filePath}`);
   }
-  const raw = (0, import_node_fs14.readFileSync)(filePath, "utf-8");
+  const raw = (0, import_node_fs15.readFileSync)(filePath, "utf-8");
   let parsed;
   try {
     parsed = (0, import_yaml6.parse)(raw);
@@ -71789,10 +72893,62 @@ ${issues.join("\n")}`);
   }
   return result.data;
 }
+function permissionScopeType(permission) {
+  if (permission.startsWith("orgfs:")) return "orgfs";
+  if (permission.startsWith("orgdocs:")) return "orgdocs";
+  if (permission.startsWith("envdb:")) return "envdb";
+  return null;
+}
+function hasPrefixScope(scope, resourceType, requireWritable) {
+  const resourceScope = scope?.[resourceType];
+  if (!resourceScope) {
+    return false;
+  }
+  const allowCount = resourceScope.allow_prefixes?.length ?? 0;
+  const readOnlyCount = resourceScope.read_only_prefixes?.length ?? 0;
+  if (requireWritable) {
+    return allowCount > 0;
+  }
+  return allowCount > 0 || readOnlyCount > 0;
+}
+function hasEnvDbScope(scope) {
+  const envdb = scope?.envdb;
+  if (!envdb) {
+    return false;
+  }
+  return (envdb.schemas?.length ?? 0) > 0 || (envdb.tables?.length ?? 0) > 0;
+}
+function groupDefaultName(slug) {
+  return slug.split("-").filter(Boolean).map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join(" ");
+}
+function declaredMemberKey(member) {
+  return `${member.type}:${member.id}`;
+}
+function apiMemberKey(member) {
+  return `${member.principal_type}:${member.principal_id}`;
+}
+function bindingIdentityKey(roleName, principalType, principalId, projectId) {
+  const scope = projectId ?? "org";
+  return `${roleName}|${principalType}|${principalId}|${scope}`;
+}
+function bindingMatchKey(roleName, principalType, principalId, projectId, scope) {
+  const normalizedScope = normalizeBindingScope(scope);
+  return `${bindingIdentityKey(roleName, principalType, principalId, projectId)}|${JSON.stringify(normalizedScope ?? null)}`;
+}
+function formatBindingScope(scope) {
+  const normalized = normalizeBindingScope(scope);
+  if (!normalized) {
+    return "(none)";
+  }
+  return JSON.stringify(normalized);
+}
 function semanticValidate(yaml) {
   const errors = [];
-  const roleNames = new Set(Object.keys(yaml.access.roles ?? {}));
-  for (const [name, role] of Object.entries(yaml.access.roles ?? {})) {
+  const roles = yaml.access.roles ?? {};
+  const groups = yaml.access.groups ?? {};
+  const roleNames = new Set(Object.keys(roles));
+  const groupSlugs = new Set(Object.keys(groups));
+  for (const [name, role] of Object.entries(roles)) {
     for (const perm of role.permissions) {
       if (!PERMISSION_SET.has(perm)) {
         errors.push({
@@ -71802,6 +72958,23 @@ function semanticValidate(yaml) {
       }
     }
   }
+  for (const [slug, group] of Object.entries(groups)) {
+    const seenMembers = /* @__PURE__ */ new Set();
+    const members = group.members ?? [];
+    for (let i = 0; i < members.length; i++) {
+      const member = members[i];
+      const key = declaredMemberKey(member);
+      if (seenMembers.has(key)) {
+        errors.push({
+          path: `access.groups.${slug}.members[${i}]`,
+          message: `Duplicate group member '${key}'`
+        });
+        continue;
+      }
+      seenMembers.add(key);
+    }
+  }
+  const seenBindingKeys = /* @__PURE__ */ new Set();
   const bindings = yaml.access.bindings ?? [];
   for (let i = 0; i < bindings.length; i++) {
     const binding = bindings[i];
@@ -71813,18 +72986,73 @@ function semanticValidate(yaml) {
         });
       }
     }
-    if (binding.scope === "project" && !binding.project_id) {
+    if (binding.project_id !== void 0 && binding.project_id.trim() === "") {
+      errors.push({
+        path: `access.bindings[${i}].project_id`,
+        message: "project_id cannot be empty when provided"
+      });
+    }
+    if (binding.subject.type === "group" && !groupSlugs.has(binding.subject.id)) {
+      errors.push({
+        path: `access.bindings[${i}].subject.id`,
+        message: `Group '${binding.subject.id}' is not defined in access.groups`
+      });
+    }
+    const normalizedScope = normalizeBindingScope(binding.scope);
+    const requiredScopeTypes = /* @__PURE__ */ new Set();
+    let needsWritableOrgFsScope = false;
+    let needsWritableOrgDocsScope = false;
+    for (const roleName of binding.roles) {
+      const role = roles[roleName];
+      if (!role) continue;
+      for (const permission of role.permissions) {
+        const scopeType = permissionScopeType(permission);
+        if (scopeType) {
+          requiredScopeTypes.add(scopeType);
+        }
+        if (permission === "orgfs:write" || permission === "orgfs:admin") {
+          needsWritableOrgFsScope = true;
+        }
+        if (permission === "orgdocs:write" || permission === "orgdocs:admin") {
+          needsWritableOrgDocsScope = true;
+        }
+      }
+    }
+    if (requiredScopeTypes.has("orgfs") && !hasPrefixScope(normalizedScope, "orgfs", needsWritableOrgFsScope)) {
+      errors.push({
+        path: `access.bindings[${i}].scope`,
+        message: needsWritableOrgFsScope ? "Binding includes orgfs write/admin permissions but scope.orgfs.allow_prefixes is missing" : "Binding includes orgfs permissions but scope.orgfs prefixes are missing"
+      });
+    }
+    if (requiredScopeTypes.has("orgdocs") && !hasPrefixScope(normalizedScope, "orgdocs", needsWritableOrgDocsScope)) {
       errors.push({
-        path: `access.bindings[${i}]`,
-        message: "Project-scoped binding requires a project_id"
+        path: `access.bindings[${i}].scope`,
+        message: needsWritableOrgDocsScope ? "Binding includes orgdocs write/admin permissions but scope.orgdocs.allow_prefixes is missing" : "Binding includes orgdocs permissions but scope.orgdocs prefixes are missing"
       });
     }
-    if (binding.scope === "org" && binding.project_id) {
+    if (requiredScopeTypes.has("envdb") && !hasEnvDbScope(normalizedScope)) {
       errors.push({
-        path: `access.bindings[${i}]`,
-        message: "Org-scoped binding should not have a project_id"
+        path: `access.bindings[${i}].scope`,
+        message: "Binding includes envdb permissions but scope.envdb.schemas/tables is missing"
       });
     }
+    for (const roleName of binding.roles) {
+      const dedupeKey = bindingMatchKey(
+        roleName,
+        binding.subject.type,
+        binding.subject.id,
+        binding.project_id ?? null,
+        normalizedScope
+      );
+      if (seenBindingKeys.has(dedupeKey)) {
+        errors.push({
+          path: `access.bindings[${i}]`,
+          message: `Duplicate binding tuple for role '${roleName}' and subject '${binding.subject.type}:${binding.subject.id}'`
+        });
+      } else {
+        seenBindingKeys.add(dedupeKey);
+      }
+    }
   }
   return errors;
 }
@@ -71837,7 +73065,9 @@ async function handleValidate(flags, json) {
       valid: errors.length === 0,
       file: filePath,
       errors,
+      groups: Object.keys(yaml.access.groups ?? {}).length,
       roles: Object.keys(yaml.access.roles ?? {}).length,
+      members: Object.values(yaml.access.groups ?? {}).reduce((acc, group) => acc + (group.members?.length ?? 0), 0),
       bindings: (yaml.access.bindings ?? []).length
     }, json);
     return;
@@ -71850,28 +73080,124 @@ async function handleValidate(flags, json) {
     }
     process.exit(1);
   }
+  const groupCount = Object.keys(yaml.access.groups ?? {}).length;
   const roleCount = Object.keys(yaml.access.roles ?? {}).length;
+  const memberCount = Object.values(yaml.access.groups ?? {}).reduce((acc, group) => acc + (group.members?.length ?? 0), 0);
   const bindingCount = (yaml.access.bindings ?? []).length;
-  console.log(`Valid (${roleCount} roles, ${bindingCount} bindings)`);
+  console.log(`Valid (${groupCount} groups, ${memberCount} members, ${roleCount} roles, ${bindingCount} bindings)`);
 }
-function bindingKey(roleName, principalType, principalId, projectId) {
-  const scope = projectId ?? "org";
-  return `${roleName}|${principalType}|${principalId}|${scope}`;
+function resolveGroupPrincipalId(groupRef, groupsById, groupsBySlug) {
+  if (groupsById.has(groupRef)) {
+    return groupRef;
+  }
+  return groupsBySlug.get(groupRef)?.id ?? null;
 }
 async function computePlan(yaml, orgId, context2) {
-  const [apiRolesResponse, apiBindingsResponse] = await Promise.all([
+  const [apiGroupsResponse, apiRolesResponse, apiBindingsResponse] = await Promise.all([
+    requestJson(context2, `/orgs/${orgId}/access/groups`),
     requestJson(context2, `/orgs/${orgId}/access/roles`),
     requestJson(context2, `/orgs/${orgId}/access/bindings`)
   ]);
+  const apiGroups = unwrapListResponse(apiGroupsResponse);
   const apiRoles = unwrapListResponse(apiRolesResponse);
   const apiBindings = unwrapListResponse(apiBindingsResponse);
+  const groupMemberEntries = await Promise.all(
+    apiGroups.map(async (group) => {
+      const membersResponse = await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(group.id)}/members`
+      );
+      return [group.id, unwrapListResponse(membersResponse)];
+    })
+  );
+  const membersByGroupId = new Map(
+    groupMemberEntries.map(([groupId, members]) => [groupId, members])
+  );
+  const groupsBySlug = new Map(apiGroups.map((group) => [group.slug, group]));
+  const groupsById = new Map(apiGroups.map((group) => [group.id, group]));
   const rolesByName = new Map(apiRoles.map((r) => [r.name, r]));
   const plan = {
+    groups: [],
+    group_members: [],
     roles: [],
     bindings: [],
+    unchanged_groups: 0,
+    unchanged_group_members: 0,
     unchanged_roles: 0,
     unchanged_bindings: 0
   };
+  const declaredGroupSlugs = /* @__PURE__ */ new Set();
+  for (const [slug, declaredGroup] of Object.entries(yaml.access.groups ?? {})) {
+    declaredGroupSlugs.add(slug);
+    const existing = groupsBySlug.get(slug);
+    const desiredMembers = declaredGroup.members ?? [];
+    if (!existing) {
+      plan.groups.push({ action: "create", slug, group: declaredGroup });
+      for (const member of desiredMembers) {
+        plan.group_members.push({
+          action: "add",
+          groupSlug: slug,
+          member
+        });
+      }
+      continue;
+    }
+    const changes = [];
+    const desiredName = declaredGroup.name ?? groupDefaultName(slug);
+    const desiredDescription = declaredGroup.description ?? null;
+    if (desiredName !== existing.name) {
+      changes.push(`name: "${existing.name}" -> "${desiredName}"`);
+    }
+    if (desiredDescription !== (existing.description ?? null)) {
+      changes.push(`description: "${existing.description ?? "(none)"}" -> "${desiredDescription ?? "(none)"}"`);
+    }
+    if (changes.length > 0) {
+      plan.groups.push({
+        action: "update",
+        slug,
+        id: existing.id,
+        group: declaredGroup,
+        changes
+      });
+    } else {
+      plan.unchanged_groups++;
+    }
+    const existingMembers = membersByGroupId.get(existing.id) ?? [];
+    const existingMemberKeys = new Set(existingMembers.map(apiMemberKey));
+    const desiredMemberKeys = new Set(desiredMembers.map(declaredMemberKey));
+    for (const member of desiredMembers) {
+      const key = declaredMemberKey(member);
+      if (existingMemberKeys.has(key)) {
+        plan.unchanged_group_members++;
+      } else {
+        plan.group_members.push({
+          action: "add",
+          groupSlug: slug,
+          member
+        });
+      }
+    }
+    for (const member of existingMembers) {
+      const key = apiMemberKey(member);
+      if (!desiredMemberKeys.has(key)) {
+        plan.group_members.push({
+          action: "remove",
+          groupSlug: slug,
+          groupId: existing.id,
+          member
+        });
+      }
+    }
+  }
+  for (const apiGroup of apiGroups) {
+    if (!declaredGroupSlugs.has(apiGroup.slug)) {
+      plan.groups.push({
+        action: "prune",
+        slug: apiGroup.slug,
+        id: apiGroup.id
+      });
+    }
+  }
   const declaredRoleNames = /* @__PURE__ */ new Set();
   for (const [name, declaredRole] of Object.entries(yaml.access.roles ?? {})) {
     declaredRoleNames.add(name);
@@ -71908,49 +73234,146 @@ async function computePlan(yaml, orgId, context2) {
       plan.roles.push({ action: "prune", name: apiRole.name, id: apiRole.id });
     }
   }
-  const existingBindingKeys = /* @__PURE__ */ new Map();
+  const existingBindingByMatchKey = /* @__PURE__ */ new Map();
+  const existingBindingByIdentityKey = /* @__PURE__ */ new Map();
   for (const ab of apiBindings) {
-    const key = bindingKey(ab.role_name, ab.principal_type, ab.principal_id, ab.project_id);
-    existingBindingKeys.set(key, ab);
+    const identityKey = bindingIdentityKey(ab.role_name, ab.principal_type, ab.principal_id, ab.project_id);
+    existingBindingByIdentityKey.set(identityKey, ab);
+    const matchKey = bindingMatchKey(
+      ab.role_name,
+      ab.principal_type,
+      ab.principal_id,
+      ab.project_id,
+      ab.scope_json
+    );
+    existingBindingByMatchKey.set(matchKey, ab);
   }
-  const matchedApiBindingKeys = /* @__PURE__ */ new Set();
+  const matchedApiBindingIds = /* @__PURE__ */ new Set();
+  const groupsMarkedForPrune = new Set(
+    plan.groups.filter((group) => group.action === "prune").map((group) => group.id)
+  );
   for (const declaredBinding of yaml.access.bindings ?? []) {
-    for (const roleName of declaredBinding.roles) {
-      const projectId = declaredBinding.scope === "project" ? declaredBinding.project_id : void 0;
-      const key = bindingKey(
+    const normalizedDeclaredScope = normalizeBindingScope(declaredBinding.scope);
+    const principalType = declaredBinding.subject.type;
+    let principalIdHint = declaredBinding.subject.id;
+    if (principalType === "group") {
+      const resolvedGroupId = resolveGroupPrincipalId(declaredBinding.subject.id, groupsById, groupsBySlug);
+      if (resolvedGroupId) {
+        principalIdHint = resolvedGroupId;
+      }
+    }
+    for (const roleName of [...new Set(declaredBinding.roles)]) {
+      const identityKey = bindingIdentityKey(
         roleName,
-        declaredBinding.subject.type,
-        declaredBinding.subject.id,
-        projectId ?? null
+        principalType,
+        principalIdHint,
+        declaredBinding.project_id ?? null
       );
-      if (existingBindingKeys.has(key)) {
-        matchedApiBindingKeys.add(key);
+      const matchKey = bindingMatchKey(
+        roleName,
+        principalType,
+        principalIdHint,
+        declaredBinding.project_id ?? null,
+        normalizedDeclaredScope
+      );
+      const exactMatch = existingBindingByMatchKey.get(matchKey);
+      if (exactMatch) {
+        matchedApiBindingIds.add(exactMatch.id);
         plan.unchanged_bindings++;
-      } else {
-        plan.bindings.push({ action: "create", binding: declaredBinding, roleName });
+        continue;
       }
+      const identityMatch = existingBindingByIdentityKey.get(identityKey);
+      if (identityMatch) {
+        matchedApiBindingIds.add(identityMatch.id);
+        const changes = [];
+        if (!scopeEquals(identityMatch.scope_json, normalizedDeclaredScope)) {
+          changes.push(
+            `scope: ${formatBindingScope(identityMatch.scope_json)} -> ${formatBindingScope(normalizedDeclaredScope)}`
+          );
+        }
+        plan.bindings.push({
+          action: "replace",
+          existing: identityMatch,
+          binding: declaredBinding,
+          roleName,
+          principalIdHint,
+          changes
+        });
+        continue;
+      }
+      plan.bindings.push({
+        action: "create",
+        binding: declaredBinding,
+        roleName,
+        principalIdHint
+      });
     }
   }
-  for (const [key, ab] of existingBindingKeys) {
-    if (!matchedApiBindingKeys.has(key)) {
-      plan.bindings.push({ action: "prune", binding: ab });
+  for (const ab of apiBindings) {
+    if (matchedApiBindingIds.has(ab.id)) {
+      continue;
     }
+    if (ab.principal_type === "group" && groupsMarkedForPrune.has(ab.principal_id)) {
+      continue;
+    }
+    plan.bindings.push({ action: "prune", binding: ab });
   }
   return plan;
 }
 function hasChanges(plan, prune) {
+  const groupChanges = plan.groups.filter(
+    (g) => g.action === "create" || g.action === "update" || g.action === "prune" && prune
+  );
+  const memberChanges = plan.group_members.filter(
+    (m) => m.action === "add" || m.action === "remove"
+  );
   const roleChanges = plan.roles.filter(
     (r) => r.action === "create" || r.action === "update" || r.action === "prune" && prune
   );
   const bindingChanges = plan.bindings.filter(
-    (b) => b.action === "create" || b.action === "prune" && prune
+    (b) => b.action === "create" || b.action === "replace" || b.action === "prune" && prune
   );
-  return roleChanges.length > 0 || bindingChanges.length > 0;
+  return groupChanges.length > 0 || memberChanges.length > 0 || roleChanges.length > 0 || bindingChanges.length > 0;
 }
 function printPlan(plan, orgId, prune) {
   console.log(`
 Access Plan for ${orgId}:
 `);
+  const groupCreates = plan.groups.filter((g) => g.action === "create");
+  const groupUpdates = plan.groups.filter((g) => g.action === "update");
+  const groupPrunes = plan.groups.filter((g) => g.action === "prune");
+  if (groupCreates.length > 0 || groupUpdates.length > 0 || groupPrunes.length > 0) {
+    console.log("Groups:");
+    for (const group of groupCreates) {
+      const name = group.group.name ?? groupDefaultName(group.slug);
+      console.log(`  + CREATE ${group.slug} (${name})`);
+    }
+    for (const group of groupUpdates) {
+      console.log(`  ~ UPDATE ${group.slug}: ${group.changes.join("; ")}`);
+    }
+    if (groupPrunes.length > 0) {
+      if (prune) {
+        for (const group of groupPrunes) {
+          console.log(`  - DELETE ${group.slug} (${group.id})`);
+        }
+      } else {
+        console.log(`  ? Undeclared (not pruned): ${groupPrunes.map((group) => group.slug).join(", ")}`);
+      }
+    }
+    console.log("");
+  }
+  const memberAdds = plan.group_members.filter((m) => m.action === "add");
+  const memberRemoves = plan.group_members.filter((m) => m.action === "remove");
+  if (memberAdds.length > 0 || memberRemoves.length > 0) {
+    console.log("Group Memberships:");
+    for (const member of memberAdds) {
+      console.log(`  + ADD ${member.member.type}:${member.member.id} -> ${member.groupSlug}`);
+    }
+    for (const member of memberRemoves) {
+      console.log(`  - REMOVE ${member.member.principal_type}:${member.member.principal_id} -> ${member.groupSlug}`);
+    }
+    console.log("");
+  }
   const roleCreates = plan.roles.filter((r) => r.action === "create");
   const roleUpdates = plan.roles.filter((r) => r.action === "update");
   const rolePrunes = plan.roles.filter((r) => r.action === "prune");
@@ -71974,12 +73397,21 @@ Access Plan for ${orgId}:
     console.log("");
   }
   const bindingCreates = plan.bindings.filter((b) => b.action === "create");
+  const bindingReplaces = plan.bindings.filter((b) => b.action === "replace");
   const bindingPrunes = plan.bindings.filter((b) => b.action === "prune");
-  if (bindingCreates.length > 0 || bindingPrunes.length > 0) {
+  if (bindingCreates.length > 0 || bindingReplaces.length > 0 || bindingPrunes.length > 0) {
     console.log("Bindings:");
     for (const b of bindingCreates) {
-      const scopeLabel = b.binding.scope === "project" ? `project: ${b.binding.project_id}` : "org-wide";
-      console.log(`  + BIND ${b.roleName} -> ${b.binding.subject.type}:${b.binding.subject.id} (${scopeLabel})`);
+      const scopeLabel = b.binding.project_id ? `project: ${b.binding.project_id}` : "org-wide";
+      console.log(
+        `  + BIND ${b.roleName} -> ${b.binding.subject.type}:${b.binding.subject.id} (${scopeLabel}, scope=${formatBindingScope(b.binding.scope)})`
+      );
+    }
+    for (const b of bindingReplaces) {
+      const scopeLabel = b.binding.project_id ? `project: ${b.binding.project_id}` : "org-wide";
+      console.log(
+        `  ~ REPLACE ${b.roleName} -> ${b.binding.subject.type}:${b.binding.subject.id} (${scopeLabel}): ${b.changes.join("; ")}`
+      );
     }
     if (bindingPrunes.length > 0) {
       if (prune) {
@@ -71993,9 +73425,11 @@ Access Plan for ${orgId}:
     }
     console.log("");
   }
-  const totalUnchanged = plan.unchanged_roles + plan.unchanged_bindings;
+  const totalUnchanged = plan.unchanged_groups + plan.unchanged_group_members + plan.unchanged_roles + plan.unchanged_bindings;
   if (totalUnchanged > 0) {
-    console.log(`Unchanged: ${plan.unchanged_roles} role(s), ${plan.unchanged_bindings} binding(s)`);
+    console.log(
+      `Unchanged: ${plan.unchanged_groups} group(s), ${plan.unchanged_group_members} member(s), ${plan.unchanged_roles} role(s), ${plan.unchanged_bindings} binding(s)`
+    );
   }
   if (!hasChanges(plan, prune)) {
     console.log("No changes needed.");
@@ -72004,6 +73438,52 @@ Access Plan for ${orgId}:
 function planToJson(plan, orgId) {
   return {
     org_id: orgId,
+    groups: {
+      create: plan.groups.filter((group) => group.action === "create").map((group) => {
+        const create = group;
+        return {
+          slug: create.slug,
+          name: create.group.name ?? groupDefaultName(create.slug),
+          description: create.group.description ?? null
+        };
+      }),
+      update: plan.groups.filter((group) => group.action === "update").map((group) => {
+        const update = group;
+        return {
+          slug: update.slug,
+          id: update.id,
+          changes: update.changes
+        };
+      }),
+      prune: plan.groups.filter((group) => group.action === "prune").map((group) => {
+        const prune = group;
+        return {
+          slug: prune.slug,
+          id: prune.id
+        };
+      }),
+      unchanged: plan.unchanged_groups
+    },
+    group_members: {
+      add: plan.group_members.filter((member) => member.action === "add").map((member) => {
+        const add = member;
+        return {
+          group_slug: add.groupSlug,
+          principal_type: add.member.type,
+          principal_id: add.member.id
+        };
+      }),
+      remove: plan.group_members.filter((member) => member.action === "remove").map((member) => {
+        const remove = member;
+        return {
+          group_slug: remove.groupSlug,
+          group_id: remove.groupId,
+          principal_type: remove.member.principal_type,
+          principal_id: remove.member.principal_id
+        };
+      }),
+      unchanged: plan.unchanged_group_members
+    },
     roles: {
       create: plan.roles.filter((r) => r.action === "create").map((r) => {
         const cr = r;
@@ -72026,10 +73506,22 @@ function planToJson(plan, orgId) {
           role: cb.roleName,
           subject_type: cb.binding.subject.type,
           subject_id: cb.binding.subject.id,
-          scope: cb.binding.scope,
+          scope: normalizeBindingScope(cb.binding.scope) ?? null,
           project_id: cb.binding.project_id
         };
       }),
+      replace: plan.bindings.filter((b) => b.action === "replace").map((b) => {
+        const rb = b;
+        return {
+          id: rb.existing.id,
+          role: rb.roleName,
+          subject_type: rb.binding.subject.type,
+          subject_id: rb.binding.subject.id,
+          scope: normalizeBindingScope(rb.binding.scope) ?? null,
+          project_id: rb.binding.project_id,
+          changes: rb.changes
+        };
+      }),
       prune: plan.bindings.filter((b) => b.action === "prune").map((b) => {
         const pb = b;
         return {
@@ -72064,6 +73556,26 @@ ${lines.join("\n")}`);
   }
   printPlan(plan, orgId, false);
 }
+async function fetchOrgGroups(orgId, context2) {
+  const groupsResponse = await requestJson(
+    context2,
+    `/orgs/${orgId}/access/groups`
+  );
+  return unwrapListResponse(groupsResponse);
+}
+function resolveBindingPrincipalIdForApply(principalType, principalIdHint, groupIdsBySlug, groupIds) {
+  if (principalType !== "group") {
+    return principalIdHint;
+  }
+  if (groupIds.has(principalIdHint)) {
+    return principalIdHint;
+  }
+  const fromSlug = groupIdsBySlug.get(principalIdHint);
+  if (fromSlug) {
+    return fromSlug;
+  }
+  throw new Error(`Group '${principalIdHint}' does not exist in the target org`);
+}
 async function handleSync(flags, context2, json) {
   const orgId = getStringFlag(flags, ["org"]) ?? context2.orgId;
   if (!orgId) {
@@ -72103,10 +73615,16 @@ ${lines.join("\n")}`);
     }
   }
   const applied = {
+    groups_created: 0,
+    groups_updated: 0,
+    groups_deleted: 0,
+    group_members_added: 0,
+    group_members_removed: 0,
     roles_created: 0,
     roles_updated: 0,
     roles_deleted: 0,
     bindings_created: 0,
+    bindings_replaced: 0,
     bindings_deleted: 0
   };
   for (const ra of plan.roles) {
@@ -72146,25 +73664,123 @@ ${lines.join("\n")}`);
       if (!json) console.log(`  ~ Updated role '${ra.name}'`);
     }
   }
-  for (const ba of plan.bindings) {
-    if (ba.action === "create") {
-      const body = {
-        role_name: ba.roleName,
-        principal_type: ba.binding.subject.type,
-        principal_id: ba.binding.subject.id
+  for (const ga of plan.groups) {
+    if (ga.action === "create") {
+      const payload = {
+        name: ga.group.name ?? groupDefaultName(ga.slug),
+        slug: ga.slug,
+        description: ga.group.description
+      };
+      await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups`,
+        {
+          method: "POST",
+          body: payload
+        }
+      );
+      applied.groups_created++;
+      if (!json) console.log(`  + Created group '${ga.slug}'`);
+      continue;
+    }
+    if (ga.action === "update") {
+      const payload = {
+        name: ga.group.name ?? groupDefaultName(ga.slug),
+        description: ga.group.description ?? null
       };
-      if (ba.binding.scope === "project" && ba.binding.project_id) {
-        body.project_id = ba.binding.project_id;
+      await requestJson(
+        context2,
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(ga.id)}`,
+        {
+          method: "PATCH",
+          body: payload
+        }
+      );
+      applied.groups_updated++;
+      if (!json) console.log(`  ~ Updated group '${ga.slug}'`);
+    }
+  }
+  const groupsAfterCreateUpdate = await fetchOrgGroups(orgId, context2);
+  const groupIdsBySlug = new Map(groupsAfterCreateUpdate.map((group) => [group.slug, group.id]));
+  const groupIds = new Set(groupsAfterCreateUpdate.map((group) => group.id));
+  for (const ma of plan.group_members) {
+    if (ma.action === "add") {
+      const groupId2 = groupIdsBySlug.get(ma.groupSlug);
+      if (!groupId2) {
+        throw new Error(`Cannot add member: group '${ma.groupSlug}' does not exist in org '${orgId}'`);
       }
       await requestJson(
         context2,
-        `/orgs/${orgId}/access/bindings`,
-        { method: "POST", body }
+        `/orgs/${orgId}/access/groups/${encodeURIComponent(groupId2)}/members`,
+        {
+          method: "POST",
+          body: {
+            principal_type: ma.member.type,
+            principal_id: ma.member.id
+          }
+        }
+      );
+      applied.group_members_added++;
+      if (!json) console.log(`  + Added ${ma.member.type}:${ma.member.id} to group '${ma.groupSlug}'`);
+      continue;
+    }
+    const groupId = groupIdsBySlug.get(ma.groupSlug) ?? ma.groupId;
+    await requestJson(
+      context2,
+      `/orgs/${orgId}/access/groups/${encodeURIComponent(groupId)}/members/${ma.member.principal_type}/${encodeURIComponent(ma.member.principal_id)}`,
+      { method: "DELETE" }
+    );
+    applied.group_members_removed++;
+    if (!json) console.log(`  - Removed ${ma.member.principal_type}:${ma.member.principal_id} from group '${ma.groupSlug}'`);
+  }
+  for (const ba of plan.bindings) {
+    if (ba.action !== "create" && ba.action !== "replace") {
+      continue;
+    }
+    const principalId = resolveBindingPrincipalIdForApply(
+      ba.binding.subject.type,
+      ba.principalIdHint,
+      groupIdsBySlug,
+      groupIds
+    );
+    if (ba.action === "replace") {
+      await requestJson(
+        context2,
+        `/orgs/${orgId}/access/bindings/${ba.existing.id}`,
+        { method: "DELETE" }
       );
+    }
+    const body = {
+      role_name: ba.roleName,
+      principal_type: ba.binding.subject.type,
+      principal_id: principalId
+    };
+    if (ba.binding.project_id) {
+      body.project_id = ba.binding.project_id;
+    }
+    const normalizedScope = normalizeBindingScope(ba.binding.scope);
+    if (normalizedScope) {
+      body.scope_json = normalizedScope;
+    }
+    await requestJson(
+      context2,
+      `/orgs/${orgId}/access/bindings`,
+      { method: "POST", body }
+    );
+    const scopeLabel = ba.binding.project_id ? `project: ${ba.binding.project_id}` : "org-wide";
+    if (ba.action === "create") {
       applied.bindings_created++;
       if (!json) {
-        const scopeLabel = ba.binding.scope === "project" ? `project: ${ba.binding.project_id}` : "org-wide";
-        console.log(`  + Bound ${ba.roleName} -> ${ba.binding.subject.type}:${ba.binding.subject.id} (${scopeLabel})`);
+        console.log(
+          `  + Bound ${ba.roleName} -> ${ba.binding.subject.type}:${principalId} (${scopeLabel}, scope=${formatBindingScope(ba.binding.scope)})`
+        );
+      }
+    } else {
+      applied.bindings_replaced++;
+      if (!json) {
+        console.log(
+          `  ~ Rebound ${ba.roleName} -> ${ba.binding.subject.type}:${principalId} (${scopeLabel}, scope=${formatBindingScope(ba.binding.scope)})`
+        );
       }
     }
   }
@@ -72183,6 +73799,17 @@ ${lines.join("\n")}`);
         }
       }
     }
+    for (const ga of plan.groups) {
+      if (ga.action === "prune") {
+        await requestJson(
+          context2,
+          `/orgs/${orgId}/access/groups/${encodeURIComponent(ga.id)}`,
+          { method: "DELETE" }
+        );
+        applied.groups_deleted++;
+        if (!json) console.log(`  - Deleted group '${ga.slug}'`);
+      }
+    }
     for (const ra of plan.roles) {
       if (ra.action === "prune") {
         await requestJson(
@@ -72200,18 +73827,24 @@ ${lines.join("\n")}`);
     return;
   }
   const parts = [];
+  if (applied.groups_created > 0) parts.push(`${applied.groups_created} group(s) created`);
+  if (applied.groups_updated > 0) parts.push(`${applied.groups_updated} group(s) updated`);
+  if (applied.groups_deleted > 0) parts.push(`${applied.groups_deleted} group(s) deleted`);
+  if (applied.group_members_added > 0) parts.push(`${applied.group_members_added} group member(s) added`);
+  if (applied.group_members_removed > 0) parts.push(`${applied.group_members_removed} group member(s) removed`);
   if (applied.roles_created > 0) parts.push(`${applied.roles_created} role(s) created`);
   if (applied.roles_updated > 0) parts.push(`${applied.roles_updated} role(s) updated`);
   if (applied.roles_deleted > 0) parts.push(`${applied.roles_deleted} role(s) deleted`);
   if (applied.bindings_created > 0) parts.push(`${applied.bindings_created} binding(s) created`);
+  if (applied.bindings_replaced > 0) parts.push(`${applied.bindings_replaced} binding(s) replaced`);
   if (applied.bindings_deleted > 0) parts.push(`${applied.bindings_deleted} binding(s) deleted`);
   console.log(`
 Sync complete: ${parts.join(", ")}`);
 }
 
 // src/commands/docs.ts
-var import_node_fs15 = require("node:fs");
-var import_node_path15 = require("node:path");
+var import_node_fs16 = require("node:fs");
+var import_node_path16 = require("node:path");
 function encodeDocPathParam(path6) {
   const trimmed = path6.startsWith("/") ? path6.slice(1) : path6;
   return encodeURIComponent(trimmed);
@@ -72270,9 +73903,9 @@ async function handleDocs(subcommand, positionals, flags, context2) {
       const filePath = getStringFlag(flags, ["file"]);
       const useStdin = flags.stdin === true || flags.stdin === "true";
       if (filePath) {
-        content = (0, import_node_fs15.readFileSync)((0, import_node_path15.resolve)(filePath), "utf-8");
+        content = (0, import_node_fs16.readFileSync)((0, import_node_path16.resolve)(filePath), "utf-8");
       } else if (useStdin) {
-        content = (0, import_node_fs15.readFileSync)(0, "utf-8");
+        content = (0, import_node_fs16.readFileSync)(0, "utf-8");
       } else {
         throw new Error("Provide --file <path> or --stdin to supply document content");
       }
@@ -72721,6 +74354,9 @@ function formatDuration2(seconds) {
 function pad(label, value, width = 12) {
   return `  ${label.padEnd(width)}${value}`;
 }
+function parseAvgDurationSeconds(stats) {
+  return stats.avg_duration_seconds ?? stats.avg_duration_s ?? 0;
+}
 async function analyticsSummary(flags, context2, orgId) {
   const json = Boolean(flags.json);
   const window2 = getStringFlag(flags, ["window"]) ?? "7d";
@@ -72747,7 +74383,7 @@ async function analyticsSummary(flags, context2, orgId) {
   console.log("Pipelines");
   console.log(pad("Runs:", pipelines.runs));
   console.log(pad("Success Rate:", `${pipelines.success_rate.toFixed(1)}%`));
-  console.log(pad("Avg Duration:", formatDuration2(pipelines.avg_duration_seconds)));
+  console.log(pad("Avg Duration:", formatDuration2(parseAvgDurationSeconds(pipelines))));
   console.log("");
   console.log("Environments");
   console.log(pad("Total:", environments.total));
@@ -72766,17 +74402,15 @@ async function analyticsJobs(flags, context2, orgId) {
     outputJson(data, true);
     return;
   }
-  console.log(`Job Analytics (${data.window || window2} window)`);
+  console.log(`Job Analytics (${window2} window)`);
   console.log("\u2550".repeat(36));
-  if (data.jobs.length === 0) {
-    console.log("  No jobs in this window.");
-    return;
-  }
-  for (const job of data.jobs) {
-    const duration = job.duration_seconds != null ? ` (${formatDuration2(job.duration_seconds)})` : "";
-    const desc = job.description ? `  ${job.description}` : "";
-    console.log(`  ${job.id}  ${job.phase}${duration}${desc}`);
-  }
+  console.log(pad("As of:", data.as_of));
+  console.log("");
+  console.log("Jobs");
+  console.log(pad("Created:", data.created));
+  console.log(pad("Completed:", data.completed));
+  console.log(pad("Failed:", data.failed));
+  console.log(pad("Active:", data.active));
 }
 async function analyticsPipelines(flags, context2, orgId) {
   const json = Boolean(flags.json);
@@ -72789,22 +74423,14 @@ async function analyticsPipelines(flags, context2, orgId) {
     outputJson(data, true);
     return;
   }
-  console.log(`Pipeline Analytics (${data.window || window2} window)`);
+  console.log(`Pipeline Analytics (${window2} window)`);
   console.log("\u2550".repeat(36));
-  if (data.pipelines.length === 0) {
-    console.log("  No pipeline runs in this window.");
-    return;
-  }
-  for (const p of data.pipelines) {
-    console.log(`  ${p.name}`);
-    console.log(pad("Runs:", p.runs, 16));
-    console.log(pad("Success Rate:", `${p.success_rate.toFixed(1)}%`, 16));
-    console.log(pad("Avg Duration:", formatDuration2(p.avg_duration_seconds), 16));
-    if (p.last_run_at) {
-      console.log(pad("Last Run:", p.last_run_at, 16));
-    }
-    console.log("");
-  }
+  console.log(pad("As of:", data.as_of));
+  console.log("");
+  console.log("Pipelines");
+  console.log(pad("Runs:", data.runs));
+  console.log(pad("Success Rate:", `${data.success_rate.toFixed(1)}%`));
+  console.log(pad("Avg Duration:", formatDuration2(parseAvgDurationSeconds(data))));
 }
 async function analyticsEnvHealth(flags, context2, orgId) {
   const json = Boolean(flags.json);
@@ -72818,15 +74444,12 @@ async function analyticsEnvHealth(flags, context2, orgId) {
   }
   console.log("Environment Health");
   console.log("\u2550".repeat(36));
-  if (data.environments.length === 0) {
-    console.log("  No environments found.");
-    return;
-  }
-  for (const env of data.environments) {
-    const lastDeploy = env.last_deploy_at ? `  last deploy: ${env.last_deploy_at}` : "";
-    const pods = env.pod_count != null ? `  pods: ${env.pod_count}` : "";
-    console.log(`  ${env.name}  [${env.status}]${pods}${lastDeploy}`);
-  }
+  console.log("");
+  console.log(pad("As of:", data.as_of));
+  console.log(pad("Total:", data.total));
+  console.log(pad("Healthy:", data.healthy));
+  console.log(pad("Degraded:", data.degraded));
+  console.log(pad("Unknown:", data.unknown));
 }
 async function handleAnalytics(subcommand, _positionals, flags, context2) {
   const orgId = getStringFlag(flags, ["org", "org-id", "org_id"]) ?? context2.orgId;
@@ -72844,7 +74467,7 @@ async function handleAnalytics(subcommand, _positionals, flags, context2) {
       return analyticsEnvHealth(flags, context2, orgId);
     default:
       throw new Error(
-        "Usage: eve analytics <summary|jobs|pipelines|env-health>\n\n  summary     Org-wide activity summary\n  jobs        Job breakdown for the window\n  pipelines   Pipeline success rates and durations\n  env-health  Current environment health snapshot"
+        "Usage: eve analytics <summary|jobs|pipelines|env-health>\n\n  summary     Org-wide activity summary\n  jobs        Job counters for the window\n  pipelines   Pipeline success rates and durations\n  env-health  Current environment health snapshot"
       );
   }
 }
@@ -73217,6 +74840,284 @@ async function handleOllama(subcommand, positionals, flags, context2) {
   }
 }
 
+// src/commands/fs.ts
+var import_promises = require("node:fs/promises");
+var import_node_fs17 = require("node:fs");
+var import_node_os5 = require("node:os");
+function getOrgOrThrow(flags, context2) {
+  const orgId = getStringFlag(flags, ["org", "org-id", "org_id"]) ?? context2.orgId;
+  if (!orgId) {
+    throw new Error("Missing org id. Provide --org or set a profile default.");
+  }
+  return orgId;
+}
+function parseModeFlag(value) {
+  const raw = (value ?? "two-way").trim().toLowerCase();
+  if (raw === "two-way" || raw === "two_way") return "two_way";
+  if (raw === "push-only" || raw === "push_only") return "push_only";
+  if (raw === "pull-only" || raw === "pull_only") return "pull_only";
+  throw new Error(`Invalid mode: ${value}. Use two-way, push-only, or pull-only.`);
+}
+function parseStrategyFlag(value) {
+  const raw = (value ?? "").trim().toLowerCase();
+  if (raw === "pick-local" || raw === "pick_local") return "pick_local";
+  if (raw === "pick-remote" || raw === "pick_remote") return "pick_remote";
+  if (raw === "manual") return "manual";
+  throw new Error(`Invalid strategy: ${value}. Use pick-local, pick-remote, or manual.`);
+}
+function parseGlobList(value) {
+  if (!value) return void 0;
+  return value.split(",").map((item) => item.trim()).filter(Boolean);
+}
+async function resolveLinkId(context2, orgId, flags) {
+  const explicit = getStringFlag(flags, ["link", "link-id", "link_id"]);
+  const links = await requestJson(context2, `/orgs/${orgId}/fs/links`);
+  if (explicit) {
+    const found = links.data.find((item) => item.id === explicit);
+    if (!found) {
+      throw new Error(`Link not found: ${explicit}`);
+    }
+    return found.id;
+  }
+  if (links.data.length === 0) {
+    throw new Error("No sync links found. Run: eve fs sync init --org <org> --local <path>");
+  }
+  return links.data[0].id;
+}
+async function streamFsEvents(context2, orgId, afterSeq) {
+  const headers = {
+    Accept: "text/event-stream"
+  };
+  if (context2.token) {
+    headers.Authorization = `Bearer ${context2.token}`;
+  }
+  const response = await fetch(`${context2.apiUrl}/orgs/${orgId}/fs/events/stream?after_seq=${afterSeq}`, {
+    method: "GET",
+    headers
+  });
+  if (!response.ok || !response.body) {
+    const body = await response.text();
+    throw new Error(`HTTP ${response.status}: ${body}`);
+  }
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  let buffer = "";
+  let currentEvent = "";
+  let currentData = "";
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    buffer += decoder.decode(value, { stream: true });
+    const events = buffer.split("\n\n");
+    buffer = events.pop() ?? "";
+    for (const eventBlock of events) {
+      const lines = eventBlock.split("\n");
+      for (const line of lines) {
+        if (line.startsWith("event:")) {
+          currentEvent = line.slice(6).trim();
+        } else if (line.startsWith("data:")) {
+          currentData += `${line.slice(5).trim()}
+`;
+        }
+      }
+      if (currentData) {
+        const payload = currentData.trim();
+        if (currentEvent === "fs_event") {
+          try {
+            const parsed = JSON.parse(payload);
+            console.log(`[${parsed.seq}] ${parsed.event_type} ${parsed.path} (${parsed.source_side}) ${parsed.created_at}`);
+          } catch {
+            console.log(payload);
+          }
+        } else if (currentEvent === "error") {
+          console.error(payload);
+        }
+      }
+      currentEvent = "";
+      currentData = "";
+    }
+  }
+}
+async function handleSync2(action, positionals, flags, context2) {
+  const json = Boolean(flags.json);
+  const orgId = getOrgOrThrow(flags, context2);
+  switch (action) {
+    case "init": {
+      const localPath = getStringFlag(flags, ["local", "path"]);
+      if (!localPath) {
+        throw new Error("Usage: eve fs sync init --org <org_id> --local <path> [--mode two-way]");
+      }
+      const mode = parseModeFlag(getStringFlag(flags, ["mode"]));
+      const includes = parseGlobList(getStringFlag(flags, ["include", "includes"]));
+      const excludes = parseGlobList(getStringFlag(flags, ["exclude", "excludes"]));
+      const publicKey = getStringFlag(flags, ["public-key", "public_key"]);
+      const enroll = await requestJson(context2, `/orgs/${orgId}/fs/devices/enroll`, {
+        method: "POST",
+        body: {
+          device_name: getStringFlag(flags, ["device-name", "device_name"]) ?? (0, import_node_os5.hostname)(),
+          platform: process.platform,
+          client_version: "dev",
+          ...publicKey ? { public_key: publicKey } : {}
+        }
+      });
+      const link = await requestJson(context2, `/orgs/${orgId}/fs/links`, {
+        method: "POST",
+        body: {
+          device_id: enroll.device.id,
+          mode,
+          local_path: localPath,
+          remote_path: getStringFlag(flags, ["remote-path", "remote_path"]) ?? "/",
+          ...includes ? { includes } : {},
+          ...excludes ? { excludes } : {}
+        }
+      });
+      outputJson({
+        device: enroll.device,
+        enrollment: enroll.enrollment,
+        link: link.link,
+        runtime: link.runtime
+      }, json, `Sync initialized for ${orgId}`);
+      return;
+    }
+    case "status": {
+      const [status, links] = await Promise.all([
+        requestJson(context2, `/orgs/${orgId}/fs/status`),
+        requestJson(context2, `/orgs/${orgId}/fs/links`)
+      ]);
+      if (json) {
+        outputJson({ ...status, links_detail: links.data }, true);
+        return;
+      }
+      console.log(`Org: ${orgId}`);
+      console.log(`Gateway: ${status.gateway.status}`);
+      if (status.gateway.last_heartbeat_at) console.log(`Last heartbeat: ${status.gateway.last_heartbeat_at}`);
+      console.log(`Links: active=${status.links.active} paused=${status.links.paused} revoked=${status.links.revoked}`);
+      console.log(`Latest seq: ${status.events.latest_seq}`);
+      if (links.data.length > 0) {
+        console.log("");
+        for (const link of links.data) {
+          console.log(`${link.id} ${link.mode} ${link.status} cursor=${link.last_cursor} lag_ms=${link.lag_ms ?? "n/a"} backlog=${link.backlog ?? 0}`);
+        }
+      }
+      return;
+    }
+    case "logs": {
+      const afterSeq = Number(getStringFlag(flags, ["after", "after-seq", "after_seq"]) ?? "0");
+      const limit = Number(getStringFlag(flags, ["limit"]) ?? "200");
+      const follow = flags.follow === true || flags.follow === "true";
+      if (follow) {
+        await streamFsEvents(context2, orgId, Number.isFinite(afterSeq) ? afterSeq : 0);
+        return;
+      }
+      const events = await requestJson(
+        context2,
+        `/orgs/${orgId}/fs/events?after_seq=${Number.isFinite(afterSeq) ? afterSeq : 0}&limit=${Number.isFinite(limit) ? limit : 200}`
+      );
+      outputJson(events, json);
+      return;
+    }
+    case "pause":
+    case "resume":
+    case "disconnect": {
+      const linkId = await resolveLinkId(context2, orgId, flags);
+      const nextStatus = action === "pause" ? "paused" : action === "resume" ? "active" : "revoked";
+      const updated = await requestJson(context2, `/orgs/${orgId}/fs/links/${linkId}`, {
+        method: "PATCH",
+        body: { status: nextStatus }
+      });
+      outputJson(updated, json, `Link ${linkId} ${nextStatus}`);
+      return;
+    }
+    case "mode": {
+      const modeValue = getStringFlag(flags, ["set", "mode"]);
+      if (!modeValue) {
+        throw new Error("Usage: eve fs sync mode --org <org_id> --set <two-way|push-only|pull-only>");
+      }
+      const linkId = await resolveLinkId(context2, orgId, flags);
+      const updated = await requestJson(context2, `/orgs/${orgId}/fs/links/${linkId}`, {
+        method: "PATCH",
+        body: { mode: parseModeFlag(modeValue) }
+      });
+      outputJson(updated, json, `Link ${linkId} mode updated`);
+      return;
+    }
+    case "conflicts": {
+      const openOnly = flags["open-only"] === true || flags["open_only"] === true || flags["open-only"] === "true" || flags["open_only"] === "true";
+      const result = await requestJson(
+        context2,
+        `/orgs/${orgId}/fs/conflicts${openOnly ? "?open_only=true" : ""}`
+      );
+      outputJson(result, json);
+      return;
+    }
+    case "resolve": {
+      const conflictId = getStringFlag(flags, ["conflict", "conflict-id", "conflict_id"]) ?? positionals[0];
+      if (!conflictId) {
+        throw new Error("Usage: eve fs sync resolve --org <org_id> --conflict <conflict_id> --strategy <pick-remote|pick-local|manual>");
+      }
+      const strategy = parseStrategyFlag(getStringFlag(flags, ["strategy"]));
+      const mergedContent = getStringFlag(flags, ["merged-content", "merged_content"]);
+      const result = await requestJson(context2, `/orgs/${orgId}/fs/conflicts/${conflictId}/resolve`, {
+        method: "POST",
+        body: {
+          strategy,
+          ...mergedContent ? { merged_content: mergedContent } : {}
+        }
+      });
+      outputJson(result, json, `Conflict ${conflictId} resolved`);
+      return;
+    }
+    case "doctor": {
+      const status = await requestJson(context2, `/orgs/${orgId}/fs/status`);
+      const links = await requestJson(context2, `/orgs/${orgId}/fs/links`);
+      const health = {
+        auth: "ok",
+        gateway_status: status.gateway.status,
+        links: links.data.length,
+        active_links: links.data.filter((item) => item.status === "active").length,
+        cursor_drift: 0,
+        local_path_checks: []
+      };
+      if (links.data.length > 0) {
+        const minCursor = links.data.reduce((min, item) => Math.min(min, item.last_cursor), Number.POSITIVE_INFINITY);
+        const cursorBase = Number.isFinite(minCursor) ? minCursor : 0;
+        health.cursor_drift = Math.max(0, status.events.latest_seq - cursorBase);
+      }
+      for (const link of links.data) {
+        let writable = false;
+        try {
+          await (0, import_promises.access)(link.local_path, import_node_fs17.constants.R_OK | import_node_fs17.constants.W_OK);
+          writable = true;
+        } catch {
+          writable = false;
+        }
+        health.local_path_checks.push({
+          link_id: link.id,
+          local_path: link.local_path,
+          writable
+        });
+      }
+      outputJson(health, json, `FS sync doctor completed for ${orgId}`);
+      return;
+    }
+    default:
+      throw new Error(
+        "Usage: eve fs sync <init|status|logs|pause|resume|disconnect|mode|conflicts|resolve|doctor>\n\n  init       --org <org> --local <path> [--mode two-way|push-only|pull-only]\n  status     --org <org>\n  logs       --org <org> [--after N] [--limit N] [--follow]\n  pause      --org <org> [--link <link_id>]\n  resume     --org <org> [--link <link_id>]\n  disconnect --org <org> [--link <link_id>]\n  mode       --org <org> --set <two-way|push-only|pull-only> [--link <link_id>]\n  conflicts  --org <org> [--open-only]\n  resolve    --org <org> --conflict <id> --strategy <pick-remote|pick-local|manual>\n  doctor     --org <org>"
+      );
+  }
+}
+async function handleFs(subcommand, positionals, flags, context2) {
+  switch (subcommand) {
+    case "sync": {
+      const action = positionals[0];
+      await handleSync2(action, positionals.slice(1), flags, context2);
+      return;
+    }
+    default:
+      throw new Error("Usage: eve fs sync <init|status|logs|pause|resume|disconnect|mode|conflicts|resolve|doctor>");
+  }
+}
+
 // src/index.ts
 async function main() {
   const { flags, positionals } = parseArgs(process.argv.slice(2));
@@ -73343,6 +75244,9 @@ async function main() {
     case "ollama":
       await handleOllama(subcommand, rest, flags, context2);
       return;
+    case "fs":
+      await handleFs(subcommand, rest, flags, context2);
+      return;
     default:
       showMainHelp();
   }