@freecodecamp/universe-cli 0.1.1 → 0.3.0

package/dist/index.js

@@ -1,172 +1,90 @@
 #!/usr/bin/env node
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
-};
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// src/output/envelope.ts
-function buildEnvelope(command, success, data) {
-  return {
-    schemaVersion: "1",
-    command,
-    success,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    ...data
-  };
-}
-function buildErrorEnvelope(command, code, message, issues) {
-  const error = {
-    code,
-    message
-  };
-  if (issues !== void 0) {
-    error.issues = issues;
-  }
-  return {
-    schemaVersion: "1",
-    command,
-    success: false,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    error
-  };
-}
-var init_envelope = __esm({
-  "src/output/envelope.ts"() {
-    "use strict";
-  }
-});
-
-// src/output/redact.ts
-function maskAkia(match) {
-  return match.slice(0, 4) + "****" + match.slice(-4);
-}
-function maskUrlCreds(match) {
-  const atIndex = match.lastIndexOf("@");
-  const protocolEnd = match.indexOf("://") + 3;
-  return match.slice(0, protocolEnd) + "****:****@" + match.slice(atIndex + 1);
-}
-function redact(value) {
-  let result = value;
-  result = result.replace(URL_CREDS_PATTERN, maskUrlCreds);
-  result = result.replace(AKIA_PATTERN, maskAkia);
-  result = result.replace(
-    CREDENTIAL_CONTEXT_PATTERN,
-    (_match, _secret, _offset, _full) => {
-      const eqIndex = _match.indexOf("=");
-      const colonIndex = _match.indexOf(":");
-      const sepIndex = eqIndex >= 0 && colonIndex >= 0 ? Math.min(eqIndex, colonIndex) : eqIndex >= 0 ? eqIndex : colonIndex;
-      const prefix = _match.slice(0, sepIndex + 1);
-      return prefix + "****";
-    }
-  );
-  result = result.replace(HEX_CREDENTIAL_CONTEXT_PATTERN, (_match, _secret) => {
-    const eqIndex = _match.indexOf("=");
-    const colonIndex = _match.indexOf(":");
-    const sepIndex = eqIndex >= 0 && colonIndex >= 0 ? Math.min(eqIndex, colonIndex) : eqIndex >= 0 ? eqIndex : colonIndex;
-    const prefix = _match.slice(0, sepIndex + 1);
-    return prefix + "****";
-  });
-  return result;
-}
-var AKIA_PATTERN, URL_CREDS_PATTERN, CREDENTIAL_CONTEXT_PATTERN, HEX_CREDENTIAL_CONTEXT_PATTERN;
-var init_redact = __esm({
-  "src/output/redact.ts"() {
-    "use strict";
-    AKIA_PATTERN = /AKIA[A-Z0-9]{12,}/g;
-    URL_CREDS_PATTERN = /https?:\/\/[^@\s]+@/g;
-    CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth)[=:]\s*([A-Za-z0-9/+=]{21,})/gi;
-    HEX_CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key)[=:]\s*([a-f0-9]{32,})/gi;
-  }
-});
 
-// src/output/format.ts
-import { log } from "@clack/prompts";
-function outputSuccess(ctx, humanMessage, data) {
-  if (ctx.json) {
-    const envelope = buildEnvelope(ctx.command, true, data);
-    process.stdout.write(JSON.stringify(envelope) + "\n");
-  } else {
-    log.success(humanMessage);
-  }
-}
-function outputError(ctx, code, message, issues) {
-  const redactedMessage = redact(message);
-  const redactedIssues = issues?.map(redact);
-  if (ctx.json) {
-    const envelope = buildErrorEnvelope(
-      ctx.command,
-      code,
-      redactedMessage,
-      redactedIssues
-    );
-    process.stdout.write(JSON.stringify(envelope) + "\n");
-  } else {
-    log.error(redactedMessage);
-  }
-}
-var init_format = __esm({
-  "src/output/format.ts"() {
-    "use strict";
-    init_envelope();
-    init_redact();
-  }
-});
+// src/cli.ts
+import { cac } from "cac";
 
 // src/output/exit-codes.ts
+var EXIT_USAGE = 10;
+var EXIT_CONFIG = 11;
+var EXIT_CREDENTIAL = 12;
+var EXIT_STORAGE = 13;
+var EXIT_OUTPUT_DIR = 14;
+var EXIT_GIT = 15;
+var EXIT_ALIAS = 16;
+var EXIT_DEPLOY_NOT_FOUND = 17;
+var EXIT_CONFIRM = 18;
+var EXIT_PARTIAL = 19;
 function exitWithCode(code, message) {
   if (message !== void 0) {
     process.stderr.write(message + "\n");
   }
   process.exit(code);
 }
-var EXIT_USAGE, EXIT_OUTPUT_DIR, EXIT_GIT, EXIT_ALIAS, EXIT_DEPLOY_NOT_FOUND, EXIT_CONFIRM, EXIT_PARTIAL;
-var init_exit_codes = __esm({
-  "src/output/exit-codes.ts"() {
-    "use strict";
-    EXIT_USAGE = 10;
-    EXIT_OUTPUT_DIR = 14;
-    EXIT_GIT = 15;
-    EXIT_ALIAS = 16;
-    EXIT_DEPLOY_NOT_FOUND = 17;
-    EXIT_CONFIRM = 18;
-    EXIT_PARTIAL = 19;
+
+// src/errors.ts
+var CliError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = new.target.name;
   }
-});
+};
+var ConfigError = class extends CliError {
+  exitCode = EXIT_CONFIG;
+};
+var CredentialError = class extends CliError {
+  exitCode = EXIT_CREDENTIAL;
+};
+var StorageError = class extends CliError {
+  exitCode = EXIT_STORAGE;
+};
+var GitError = class extends CliError {
+  exitCode = EXIT_GIT;
+};
+
+// src/config/loader.ts
+import { readFileSync } from "fs";
+import { isAbsolute, relative, resolve, sep } from "path";
+import { parse as parseYaml } from "yaml";
 
 // src/config/schema.ts
 import { z } from "zod";
-var staticSchema, domainSchema, platformSchema;
-var init_schema = __esm({
-  "src/config/schema.ts"() {
-    "use strict";
-    staticSchema = z.object({
-      output_dir: z.string().min(1).default("dist"),
-      bucket: z.string().min(1).default("gxy-static-1"),
-      rclone_remote: z.string().min(1).default("gxy-static"),
-      region: z.string().min(1).default("auto")
-    }).default({});
-    domainSchema = z.object({
-      production: z.string().min(1),
-      preview: z.string().min(1)
-    });
-    platformSchema = z.object({
-      name: z.string().min(1).regex(/^[a-z0-9]([a-z0-9._-]*[a-z0-9])?$/i),
-      stack: z.literal("static"),
-      domain: domainSchema,
-      static: staticSchema
-    });
-  }
+var staticSchema = z.object({
+  output_dir: z.string().min(1).default("dist"),
+  bucket: z.string().min(1).default("gxy-static-1"),
+  rclone_remote: z.string().min(1).default("gxy-static"),
+  region: z.string().min(1).default("auto")
+}).prefault({});
+var domainSchema = z.object({
+  production: z.string().min(1),
+  preview: z.string().min(1)
+});
+var platformSchema = z.object({
+  name: z.string().min(1).regex(/^[a-z0-9]([a-z0-9._-]*[a-z0-9])?$/i),
+  stack: z.literal("static"),
+  domain: domainSchema,
+  static: staticSchema
 });
 
 // src/config/loader.ts
-import { readFileSync } from "fs";
-import { resolve } from "path";
-import { parse as parseYaml } from "yaml";
+function assertSafeOutputDir(outputDir, cwd) {
+  if (isAbsolute(outputDir)) {
+    throw new ConfigError(
+      `output_dir must be relative to the project root; absolute paths are rejected: ${outputDir}`
+    );
+  }
+  const resolved = resolve(cwd, outputDir);
+  const rel = relative(cwd, resolved);
+  if (rel === "..") {
+    throw new ConfigError(
+      `output_dir resolves outside the project root: ${outputDir}`
+    );
+  }
+  if (rel.startsWith(`..${sep}`)) {
+    throw new ConfigError(
+      `output_dir resolves outside the project root: ${outputDir}`
+    );
+  }
+}
 function readEnvOverrides() {
   const overrides = {};
   if (process.env.UNIVERSE_STATIC_OUTPUT_DIR) {
@@ -200,14 +118,26 @@ function loadConfig(options = {}) {
     raw = readFileSync(configPath, "utf-8");
   } catch (err) {
     if (err instanceof Error && err.code === "ENOENT") {
-      throw new Error(
+      throw new ConfigError(
         `platform.yaml not found at ${configPath}. See STAFF-GUIDE.md for the required format.`
       );
     }
     throw err;
   }
   const parsed = parseYaml(raw);
-  const yamlValidated = platformSchema.parse(parsed);
+  const parseResult = platformSchema.safeParse(parsed);
+  if (!parseResult.success) {
+    const issues = parseResult.error.issues.map((issue) => {
+      const path = issue.path.length > 0 ? issue.path.join(".") : "(root)";
+      return `  - ${path}: ${issue.message}`;
+    }).join("\n");
+    throw new ConfigError(
+      `platform.yaml is invalid:
+${issues}
+See STAFF-GUIDE.md for the required format.`
+    );
+  }
+  const yamlValidated = parseResult.data;
   const envOverrides = readEnvOverrides();
   const flagOverrides = readFlagOverrides(options.flags);
   const merged = {
@@ -218,17 +148,82 @@ function loadConfig(options = {}) {
       ...flagOverrides
     }
   };
+  assertSafeOutputDir(merged.static.output_dir, cwd);
   return merged;
 }
-var init_loader = __esm({
-  "src/config/loader.ts"() {
-    "use strict";
-    init_schema();
-  }
-});
 
 // src/credentials/resolver.ts
 import { execSync } from "child_process";
+
+// src/output/redact.ts
+var AWS_KEY_PREFIX_PATTERN = /(?:AKIA|ASIA|AROA|AIDA|ACCA|ANPA|ABIA|AGPA)[A-Z0-9]{12,}/g;
+var URL_CREDS_PATTERN = /https?:\/\/[^@\s]+@/g;
+var CREDENTIAL_CONTEXT_PATTERN = /(?:access_key_id|secret_access_key|accessKeyId|secretAccessKey|secret|password|token|key|credential|auth)\s*[=:]\s*([A-Za-z0-9/+=]{21,})/gi;
+var HEX_CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key)\s*[=:]\s*([a-f0-9]{32,})/gi;
+var JSON_CREDENTIAL_PATTERN = /"(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key|accessKeyId|secretAccessKey)"\s*:\s*"[^"]+"/gi;
+var BEARER_PATTERN = /\bBearer\s+[A-Za-z0-9._~+/=-]+/gi;
+function maskAwsKey(match) {
+  return match.slice(0, 4) + "****" + match.slice(-4);
+}
+function maskUrlCreds(match) {
+  const atIndex = match.lastIndexOf("@");
+  const protocolEnd = match.indexOf("://") + 3;
+  return match.slice(0, protocolEnd) + "****:****@" + match.slice(atIndex + 1);
+}
+function redact(value) {
+  let result = value;
+  result = result.replace(URL_CREDS_PATTERN, maskUrlCreds);
+  result = result.replace(AWS_KEY_PREFIX_PATTERN, maskAwsKey);
+  result = result.replace(BEARER_PATTERN, "Bearer ****");
+  result = result.replace(JSON_CREDENTIAL_PATTERN, (match) => {
+    const colonIndex = match.indexOf(":");
+    return match.slice(0, colonIndex + 1) + '"****"';
+  });
+  result = result.replace(
+    CREDENTIAL_CONTEXT_PATTERN,
+    (_match, _secret, _offset, _full) => {
+      const eqIndex = _match.indexOf("=");
+      const colonIndex = _match.indexOf(":");
+      const sepIndex = eqIndex >= 0 && colonIndex >= 0 ? Math.min(eqIndex, colonIndex) : eqIndex >= 0 ? eqIndex : colonIndex;
+      const prefix = _match.slice(0, sepIndex + 1);
+      return prefix + "****";
+    }
+  );
+  result = result.replace(HEX_CREDENTIAL_CONTEXT_PATTERN, (_match, _secret) => {
+    const eqIndex = _match.indexOf("=");
+    const colonIndex = _match.indexOf(":");
+    const sepIndex = eqIndex >= 0 && colonIndex >= 0 ? Math.min(eqIndex, colonIndex) : eqIndex >= 0 ? eqIndex : colonIndex;
+    const prefix = _match.slice(0, sepIndex + 1);
+    return prefix + "****";
+  });
+  return result;
+}
+
+// src/credentials/resolver.ts
+var LOCAL_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+function validateEndpoint(endpoint) {
+  let url;
+  try {
+    url = new URL(endpoint);
+  } catch {
+    throw new CredentialError(`S3_ENDPOINT is not a valid URL: ${endpoint}`);
+  }
+  if (url.username !== "" || url.password !== "") {
+    throw new CredentialError(
+      "S3_ENDPOINT must not contain credentials in the URL (user:pass@host). Use S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY instead."
+    );
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw new CredentialError(
+      `S3_ENDPOINT must use http or https, got: ${url.protocol}`
+    );
+  }
+  if (url.protocol === "http:" && !LOCAL_HOSTS.has(url.hostname)) {
+    throw new CredentialError(
+      `S3_ENDPOINT must use https for non-localhost hosts. Plaintext http is only allowed for localhost/127.0.0.1. Got: ${endpoint}`
+    );
+  }
+}
 function tryEnvCredentials() {
   const key = process.env.S3_ACCESS_KEY_ID;
   const secret = process.env.S3_SECRET_ACCESS_KEY;
@@ -237,6 +232,7 @@ function tryEnvCredentials() {
   const present = [key, secret, endpoint].filter(Boolean);
   if (present.length === 0) return "none";
   if (present.length < 3) return "partial";
+  validateEndpoint(endpoint);
   const creds = {
     accessKeyId: key,
     secretAccessKey: secret,
@@ -251,11 +247,11 @@ function fromRclone(remoteName) {
     output = execSync("rclone config dump", { stdio: "pipe" });
   } catch (err) {
     if (err instanceof Error && err.code === "ENOENT") {
-      throw new Error(
+      throw new CredentialError(
         "rclone not found \u2014 install rclone or provide S3 credentials via environment variables"
       );
     }
-    throw new Error(
+    throw new CredentialError(
       `Failed to run rclone config dump: ${redact(err instanceof Error ? err.message : "unknown error")}`
     );
   }
@@ -263,12 +259,14 @@ function fromRclone(remoteName) {
   try {
     parsed = JSON.parse(output.toString("utf-8"));
   } catch {
-    throw new Error(`Failed to parse rclone config for remote ${remoteName}`);
+    throw new CredentialError(
+      `Failed to parse rclone config for remote ${remoteName}`
+    );
   }
   output = null;
   const remote = parsed[remoteName];
   if (!remote) {
-    throw new Error(
+    throw new CredentialError(
       `Remote "${remoteName}" not found in rclone config. Available remotes: ${Object.keys(parsed).join(", ") || "(none)"}`
     );
   }
@@ -277,7 +275,7 @@ function fromRclone(remoteName) {
   if (!remote.secret_access_key) missing.push("secret_access_key");
   if (!remote.endpoint) missing.push("endpoint");
   if (missing.length > 0) {
-    throw new Error(
+    throw new CredentialError(
       `Rclone remote "${remoteName}" is missing required fields: ${missing.join(", ")}`
     );
   }
@@ -292,7 +290,7 @@ function fromRclone(remoteName) {
 function resolveCredentials(options) {
   const envResult = tryEnvCredentials();
   if (envResult === "partial") {
-    throw new Error(
+    throw new CredentialError(
       "Partial S3 credentials in environment. Set all three: S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY, S3_ENDPOINT \u2014 or remove all to use rclone fallback."
     );
   }
@@ -301,12 +299,6 @@ function resolveCredentials(options) {
   }
   return fromRclone(options.remoteName);
 }
-var init_resolver = __esm({
-  "src/credentials/resolver.ts"() {
-    "use strict";
-    init_redact();
-  }
-});
 
 // src/storage/client.ts
 import { S3Client } from "@aws-sdk/client-s3";
@@ -321,11 +313,6 @@ function createS3Client(credentials) {
     forcePathStyle: true
   });
 }
-var init_client = __esm({
-  "src/storage/client.ts"() {
-    "use strict";
-  }
-});
 
 // src/storage/operations.ts
 import {
@@ -336,6 +323,8 @@ import {
   DeleteObjectCommand,
   DeleteObjectsCommand
 } from "@aws-sdk/client-s3";
+var MAX_RETRIES = 3;
+var BASE_DELAY_MS = 500;
 function isTransientError(error) {
   if (!(error instanceof Error)) return false;
   const meta = error.$metadata;
@@ -421,14 +410,6 @@ async function listObjects(client, params) {
   } while (continuationToken);
   return allItems;
 }
-var MAX_RETRIES, BASE_DELAY_MS;
-var init_operations = __esm({
-  "src/storage/operations.ts"() {
-    "use strict";
-    MAX_RETRIES = 3;
-    BASE_DELAY_MS = 500;
-  }
-});
 
 // src/storage/aliases.ts
 async function readAlias(client, bucket, site, aliasName) {
@@ -446,18 +427,12 @@ async function writeAlias(client, bucket, site, aliasName, deployId) {
     contentType: "text/plain"
   });
 }
-var init_aliases = __esm({
-  "src/storage/aliases.ts"() {
-    "use strict";
-    init_operations();
-  }
-});
 
 // src/deploy/id.ts
 function generateDeployId(gitHash, force = false) {
   if (gitHash === void 0) {
     if (!force) {
-      throw new Error("git hash is required unless --force is set");
+      throw new GitError("git hash is required unless --force is set");
     }
     return formatId("nogit");
   }
@@ -473,11 +448,6 @@ function formatId(suffix) {
   const s = String(now.getUTCSeconds()).padStart(2, "0");
   return `${y}${mo}${d}-${h}${mi}${s}-${suffix}`;
 }
-var init_id = __esm({
-  "src/deploy/id.ts"() {
-    "use strict";
-  }
-});
 
 // src/deploy/git.ts
 import { execSync as execSync2 } from "child_process";
@@ -490,50 +460,77 @@ function getGitState() {
     return { hash: null, dirty: false, error: "not a git repository" };
   }
 }
-var init_git = __esm({
-  "src/deploy/git.ts"() {
-    "use strict";
+
+// src/deploy/preflight.ts
+import { existsSync, statSync as statSync2 } from "fs";
+
+// src/deploy/walk.ts
+import { readdirSync, realpathSync, statSync } from "fs";
+import { join, relative as relative2, sep as sep2 } from "path";
+function walkFiles(base) {
+  const baseReal = realpathSync(base);
+  const entries = readdirSync(base, { recursive: true, withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const full = join(entry.parentPath, entry.name);
+    const relPath = relative2(base, full);
+    let targetIsFile;
+    try {
+      targetIsFile = statSync(full).isFile();
+    } catch {
+      throw new StorageError(
+        `"${relPath}" could not be stat'd (dangling symlink?)`
+      );
+    }
+    if (!targetIsFile) continue;
+    let resolved;
+    try {
+      resolved = realpathSync(full);
+    } catch {
+      throw new StorageError(
+        `"${relPath}" could not be resolved (dangling symlink?)`
+      );
+    }
+    const rel = relative2(baseReal, resolved);
+    if (rel === ".." || rel.startsWith(`..${sep2}`)) {
+      throw new StorageError(
+        `"${relPath}" resolves outside the output directory (symlink escape). Resolved to: ${resolved}`
+      );
+    }
+    files.push({ relPath, absPath: full });
   }
-});
+  return files;
+}
 
 // src/deploy/preflight.ts
-import { existsSync, statSync, readdirSync } from "fs";
-import { join } from "path";
 function validateOutputDir(dir) {
   if (!existsSync(dir)) {
     return { valid: false, fileCount: 0, error: "directory not found" };
   }
-  if (!statSync(dir).isDirectory()) {
+  if (!statSync2(dir).isDirectory()) {
     return { valid: false, fileCount: 0, error: "not a directory" };
   }
-  const fileCount = countFiles(dir);
+  let fileCount;
+  try {
+    fileCount = walkFiles(dir).length;
+  } catch (err) {
+    if (err instanceof StorageError) {
+      return { valid: false, fileCount: 0, error: err.message };
+    }
+    throw err;
+  }
   if (fileCount === 0) {
     return { valid: false, fileCount: 0, error: "directory is empty" };
   }
   return { valid: true, fileCount };
 }
-function countFiles(dir) {
-  let count = 0;
-  for (const entry of readdirSync(dir, { withFileTypes: true })) {
-    if (entry.isFile()) {
-      count++;
-    } else if (entry.isDirectory()) {
-      count += countFiles(join(dir, entry.name));
-    }
-  }
-  return count;
-}
-var init_preflight = __esm({
-  "src/deploy/preflight.ts"() {
-    "use strict";
-  }
-});
 
 // src/deploy/upload.ts
-import { readdirSync as readdirSync2, readFileSync as readFileSync2 } from "fs";
-import { extname, basename, join as join2, relative } from "path";
+import { readFileSync as readFileSync2 } from "fs";
+import { extname, basename } from "path";
 import { lookup } from "mrmime";
 import pLimit from "p-limit";
+var FINGERPRINT_RE = /[.-][a-zA-Z0-9_-]{8,}\./;
 function getContentType(filename) {
   const mime = lookup(filename);
   if (mime === void 0) {
@@ -554,25 +551,17 @@ function getCacheControl(filename) {
 async function uploadDirectory(client, bucket, site, deployId, outputDir, options) {
   const concurrency = options?.concurrency ?? 10;
   const limit = pLimit(concurrency);
-  const entries = readdirSync2(outputDir, {
-    recursive: true,
-    withFileTypes: true
-  });
-  const files = entries.filter((entry) => entry.isFile() && !entry.isSymbolicLink()).map((entry) => {
-    const full = join2(entry.parentPath ?? entry.path, entry.name);
-    return relative(outputDir, full);
-  });
+  const files = walkFiles(outputDir);
   const errors = [];
   let totalSize = 0;
   let fileCount = 0;
   const tasks = files.map(
-    (filePath) => limit(async () => {
-      const fullPath = `${outputDir}/${filePath}`;
-      const key = `${site}/deploys/${deployId}/${filePath}`;
-      const contentType = getContentType(filePath);
-      const cacheControl = getCacheControl(filePath);
+    (file) => limit(async () => {
+      const key = `${site}/deploys/${deployId}/${file.relPath}`;
+      const contentType = getContentType(file.relPath);
+      const cacheControl = getCacheControl(file.relPath);
       try {
-        const body = readFileSync2(fullPath);
+        const body = readFileSync2(file.absPath);
         totalSize += body.byteLength;
         fileCount++;
         await putObject(client, {
@@ -584,21 +573,13 @@ async function uploadDirectory(client, bucket, site, deployId, outputDir, option
         });
       } catch (err) {
         const message = err instanceof Error ? err.message : "unknown upload error";
-        errors.push(`${filePath}: ${message}`);
+        errors.push(`${file.relPath}: ${message}`);
       }
     })
   );
   await Promise.all(tasks);
   return { fileCount, totalSize, errors };
 }
-var FINGERPRINT_RE;
-var init_upload = __esm({
-  "src/deploy/upload.ts"() {
-    "use strict";
-    init_operations();
-    FINGERPRINT_RE = /[.-][a-zA-Z0-9_-]{8,}\./;
-  }
-});
 
 // src/deploy/metadata.ts
 async function writeDeployMetadata(client, bucket, site, deployId, meta) {
@@ -611,21 +592,70 @@ async function writeDeployMetadata(client, bucket, site, deployId, meta) {
     contentType: "application/json"
   });
 }
-var init_metadata = __esm({
-  "src/deploy/metadata.ts"() {
-    "use strict";
-    init_operations();
+
+// src/output/format.ts
+import { log } from "@clack/prompts";
+
+// src/output/envelope.ts
+function buildEnvelope(command, success, data) {
+  return {
+    schemaVersion: "1",
+    command,
+    success,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    ...data
+  };
+}
+function buildErrorEnvelope(command, code, message, issues) {
+  const error = {
+    code,
+    message
+  };
+  if (issues !== void 0) {
+    error.issues = issues;
   }
-});
+  return {
+    schemaVersion: "1",
+    command,
+    success: false,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    error
+  };
+}
+
+// src/output/format.ts
+function outputSuccess(ctx, humanMessage, data) {
+  if (ctx.json) {
+    const envelope = buildEnvelope(ctx.command, true, data);
+    process.stdout.write(JSON.stringify(envelope) + "\n");
+  } else {
+    log.success(humanMessage);
+  }
+}
+function outputError(ctx, code, message, issues) {
+  const redactedMessage = redact(message);
+  const redactedIssues = issues?.map(redact);
+  if (ctx.json) {
+    const envelope = buildErrorEnvelope(
+      ctx.command,
+      code,
+      redactedMessage,
+      redactedIssues
+    );
+    process.stdout.write(JSON.stringify(envelope) + "\n");
+  } else {
+    log.error(redactedMessage);
+  }
+}
 
 // src/commands/deploy.ts
-var deploy_exports = {};
-__export(deploy_exports, {
-  deploy: () => deploy
-});
+var MAX_COLLISION_RETRIES = 3;
+var COLLISION_DELAY_MS = 1e3;
 async function resolveDeployId(client, bucket, site, gitHash, force) {
+  let lastDeployId = "";
   for (let attempt = 0; attempt < MAX_COLLISION_RETRIES; attempt++) {
     const deployId = generateDeployId(gitHash, force);
+    lastDeployId = deployId;
     const prefix = `${site}/deploys/${deployId}/`;
     const existing = await listObjects(client, { bucket, prefix });
     if (existing.length === 0) {
@@ -635,7 +665,9 @@ async function resolveDeployId(client, bucket, site, gitHash, force) {
       await new Promise((resolve2) => setTimeout(resolve2, COLLISION_DELAY_MS));
     }
   }
-  return generateDeployId(gitHash, force);
+  throw new StorageError(
+    `Deploy ID collision could not be resolved after ${MAX_COLLISION_RETRIES} attempts (last attempted: ${lastDeployId}). Commit a new change and retry, or wait for the timestamp to advance.`
+  );
 }
 async function deploy(options) {
   const config = loadConfig({
@@ -738,26 +770,6 @@ async function deploy(options) {
     previewDomain
   });
 }
-var MAX_COLLISION_RETRIES, COLLISION_DELAY_MS;
-var init_deploy = __esm({
-  "src/commands/deploy.ts"() {
-    "use strict";
-    init_loader();
-    init_resolver();
-    init_client();
-    init_aliases();
-    init_operations();
-    init_id();
-    init_git();
-    init_preflight();
-    init_upload();
-    init_metadata();
-    init_format();
-    init_exit_codes();
-    MAX_COLLISION_RETRIES = 3;
-    COLLISION_DELAY_MS = 1e3;
-  }
-});
 
 // src/storage/deploys.ts
 async function listDeploys(client, bucket, site) {
@@ -778,18 +790,8 @@ async function deployExists(client, bucket, site, deployId) {
   const items = await listObjects(client, { bucket, prefix });
   return items.length > 0;
 }
-var init_deploys = __esm({
-  "src/storage/deploys.ts"() {
-    "use strict";
-    init_operations();
-  }
-});
 
 // src/commands/promote.ts
-var promote_exports = {};
-__export(promote_exports, {
-  promote: () => promote
-});
 async function promote(options) {
   const config = loadConfig();
   const credentials = resolveCredentials({
@@ -847,24 +849,8 @@ async function promote(options) {
     productionDomain
   });
 }
-var init_promote = __esm({
-  "src/commands/promote.ts"() {
-    "use strict";
-    init_loader();
-    init_resolver();
-    init_client();
-    init_aliases();
-    init_deploys();
-    init_format();
-    init_exit_codes();
-  }
-});
 
 // src/commands/rollback.ts
-var rollback_exports = {};
-__export(rollback_exports, {
-  rollback: () => rollback
-});
 import { confirm } from "@clack/prompts";
 async function rollback(options) {
   const config = loadConfig();
@@ -928,29 +914,15 @@ async function rollback(options) {
     productionDomain
   });
 }
-var init_rollback = __esm({
-  "src/commands/rollback.ts"() {
-    "use strict";
-    init_loader();
-    init_resolver();
-    init_client();
-    init_aliases();
-    init_deploys();
-    init_format();
-    init_exit_codes();
-  }
-});
 
 // src/cli.ts
-init_format();
-init_exit_codes();
-import { cac } from "cac";
-var version = true ? "0.1.0" : "0.0.0";
+var version = true ? "0.3.0" : "0.0.0";
 function handleActionError(command, json, err) {
   const ctx = { json, command };
   const message = err instanceof Error ? err.message : "unknown error";
-  outputError(ctx, EXIT_USAGE, message);
-  exitWithCode(EXIT_USAGE, message);
+  const code = err instanceof CliError ? err.exitCode : EXIT_USAGE;
+  outputError(ctx, code, message);
+  exitWithCode(code, message);
 }
 function run(argv = process.argv) {
   const args = argv.slice(2);
@@ -959,8 +931,7 @@ function run(argv = process.argv) {
     staticCli.command("deploy", "Deploy static site to S3").option("--json", "Output as JSON").option("--force", "Force deploy without git hash").option("--output-dir <dir>", "Build output directory").action(
       async (flags) => {
         try {
-          const { deploy: deploy2 } = await Promise.resolve().then(() => (init_deploy(), deploy_exports));
-          await deploy2({
+          await deploy({
             json: flags.json ?? false,
             force: flags.force ?? false,
             outputDir: flags.outputDir
@@ -973,8 +944,7 @@ function run(argv = process.argv) {
     staticCli.command("promote [deploy-id]", "Promote a deploy to production").option("--json", "Output as JSON").action(
       async (deployId, flags) => {
         try {
-          const { promote: promote2 } = await Promise.resolve().then(() => (init_promote(), promote_exports));
-          await promote2({ json: flags.json ?? false, deployId });
+          await promote({ json: flags.json ?? false, deployId });
         } catch (err) {
           handleActionError("promote", flags.json ?? false, err);
         }
@@ -982,8 +952,7 @@ function run(argv = process.argv) {
     );
     staticCli.command("rollback", "Rollback production to previous deploy").option("--json", "Output as JSON").option("--confirm", "Confirm rollback").action(async (flags) => {
       try {
-        const { rollback: rollback2 } = await Promise.resolve().then(() => (init_rollback(), rollback_exports));
-        await rollback2({
+        await rollback({
           json: flags.json ?? false,
           confirm: flags.confirm ?? false
         });