@hogsend/cli 0.19.0 → 0.21.0

package/dist/bin.js

@@ -61,13 +61,13 @@ async function request(baseUrl, key, missingKeyMessage, method, path, opts) {
     const msg = cause instanceof Error ? cause.message : String(cause);
     throw makeHttpError(`cannot reach ${baseUrl} (${msg})`, 0, void 0);
   }
-  const text3 = await res.text();
+  const text4 = await res.text();
   let parsed;
-  if (text3.length > 0) {
+  if (text4.length > 0) {
     try {
-      parsed = JSON.parse(text3);
+      parsed = JSON.parse(text4);
     } catch {
-      parsed = text3;
+      parsed = text4;
     }
   }
   if (!res.ok) {
@@ -91,6 +91,10 @@ function createAdminClient(cfg) {
       body,
       auth: true
     }),
+    put: (path, body) => request(cfg.baseUrl, cfg.adminKey, missing, "PUT", path, {
+      body,
+      auth: true
+    }),
     del: (path, body) => request(cfg.baseUrl, cfg.adminKey, missing, "DELETE", path, {
       body,
       auth: true
@@ -145,7 +149,7 @@ function renderTable(rows, columns) {
   const widths = cols.map(
     (c) => Math.max(c.length, ...rows.map((r) => cell(r[c]).length))
   );
-  const pad = (text3, width) => text3 + " ".repeat(width - text3.length);
+  const pad = (text4, width) => text4 + " ".repeat(width - text4.length);
   const header = cols.map((c, i) => color.bold(pad(c, widths[i] ?? 0))).join("  ");
   const sep4 = cols.map((_, i) => "-".repeat(widths[i] ?? 0)).join("  ");
   const body = rows.map((r) => cols.map((c, i) => pad(cell(r[c]), widths[i] ?? 0)).join("  ")).join("\n");
@@ -459,16 +463,825 @@ async function run(ctx) {
       );
   }
 }
-var campaignsCommand = {
-  name: "campaigns",
-  summary: "Queue a broadcast to a list/bucket, or check its status",
-  usage,
-  run
+var campaignsCommand = {
+  name: "campaigns",
+  summary: "Queue a broadcast to a list/bucket, or check its status",
+  usage,
+  run
+};
+
+// src/commands/connect.ts
+import { parseArgs as parseArgs2 } from "util";
+import { confirm, select, text } from "@clack/prompts";
+
+// src/lib/browser.ts
+import { spawn } from "child_process";
+function openBrowser(url) {
+  const platform = process.platform;
+  const cmd = platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+  const args = platform === "win32" ? ["/c", "start", "", url] : [url];
+  try {
+    const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+    child.on("error", () => {
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/lib/loopback.ts
+import { createServer } from "http";
+
+// src/lib/oauth.ts
+import { createHash, randomBytes } from "crypto";
+var POSTHOG_CLIENT_ID = "https://hogsend.com/.well-known/hogsend-posthog-client.json";
+var POSTHOG_SCOPES = "person:read person:write project:read organization:read hog_function:read hog_function:write feature_flag:read cohort:read cohort:write query:read insight:read event_definition:read property_definition:read";
+var LOOPBACK_PORTS = [8423, 8424, 8425];
+var CALLBACK_PATH = "/callback";
+var CALLBACK_TIMEOUT_MS = 3e5;
+var REQUIRED_ACCESS_LEVEL = "team";
+var DISCOVERY_TIMEOUT_MS = 1e4;
+function computeChallenge(verifier) {
+  return createHash("sha256").update(verifier, "ascii").digest("base64url");
+}
+function generatePkce() {
+  const verifier = randomBytes(32).toString("base64url");
+  return { verifier, challenge: computeChallenge(verifier), method: "S256" };
+}
+function generateState() {
+  return randomBytes(16).toString("base64url");
+}
+async function discoverOAuthServer(opts) {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const url = `${opts.privateHost}/.well-known/oauth-authorization-server`;
+  let res;
+  try {
+    res = await fetchImpl(url, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS)
+    });
+  } catch (cause) {
+    const msg = cause instanceof Error ? cause.message : String(cause);
+    return { status: "error", message: `OAuth discovery failed: ${msg}` };
+  }
+  if (res.status === 404 || res.status === 410) {
+    return { status: "unsupported" };
+  }
+  if (!res.ok) {
+    return {
+      status: "error",
+      message: `OAuth discovery failed (HTTP ${res.status})`
+    };
+  }
+  let doc;
+  try {
+    doc = await res.json();
+  } catch {
+    return {
+      status: "error",
+      message: "malformed discovery document (not JSON)"
+    };
+  }
+  if (typeof doc !== "object" || doc === null || typeof doc.issuer !== "string" || typeof doc.authorization_endpoint !== "string" || typeof doc.token_endpoint !== "string") {
+    return {
+      status: "error",
+      message: "malformed discovery document (missing issuer / authorization_endpoint / token_endpoint)"
+    };
+  }
+  return { status: "ok", metadata: doc };
+}
+function buildAuthorizeUrl(opts) {
+  const url = new URL(opts.authorizationEndpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", opts.clientId);
+  url.searchParams.set("redirect_uri", opts.redirectUri);
+  url.searchParams.set("scope", opts.scope);
+  url.searchParams.set("state", opts.state);
+  url.searchParams.set("code_challenge", opts.pkce.challenge);
+  url.searchParams.set("code_challenge_method", opts.pkce.method);
+  if (opts.requiredAccessLevel !== void 0) {
+    url.searchParams.set("required_access_level", opts.requiredAccessLevel);
+  }
+  return url.toString();
+}
+async function exchangeCode(opts) {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const res = await fetchImpl(opts.tokenEndpoint, {
+    method: "POST",
+    headers: {
+      // URLSearchParams sets this automatically; explicit for clarity.
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code: opts.code,
+      redirect_uri: opts.redirectUri,
+      client_id: opts.clientId,
+      code_verifier: opts.codeVerifier
+    })
+  });
+  if (!res.ok) {
+    const text4 = await res.text().catch(() => "");
+    let detail = text4;
+    try {
+      const parsed = JSON.parse(text4);
+      if (typeof parsed === "object" && parsed !== null && typeof parsed.error === "string") {
+        detail = parsed.error;
+      }
+    } catch {
+    }
+    throw new Error(
+      `token exchange failed (${res.status})${detail ? `: ${detail}` : ""}`
+    );
+  }
+  const json2 = await res.json();
+  if (typeof json2.access_token !== "string" || json2.access_token === "") {
+    throw new Error("token response missing access_token");
+  }
+  if (typeof json2.refresh_token !== "string" || json2.refresh_token === "") {
+    throw new Error(
+      "token response missing refresh_token \u2014 cannot store a long-lived credential"
+    );
+  }
+  return json2;
+}
+
+// src/lib/loopback.ts
+var LoopbackError = class extends Error {
+  reason;
+  detail;
+  constructor(reason, message, detail) {
+    super(message);
+    this.name = "LoopbackError";
+    this.reason = reason;
+    this.detail = detail;
+  }
+};
+var page = (title, body) => `<!doctype html><html><head><meta charset="utf-8"><title>Hogsend</title><style>body{font-family:system-ui,sans-serif;max-width:32rem;margin:6rem auto;padding:0 1rem;color:#1a1a1a}</style></head><body><h1>${title}</h1><p>${body}</p></body></html>`;
+var SUCCESS_HTML = page(
+  "Connected",
+  "You can close this tab and return to your terminal."
+);
+var DENIED_HTML = page(
+  "Not connected",
+  "Authorization was denied. Close this tab and re-run the command if that was a mistake."
+);
+var MISMATCH_HTML = page(
+  "Not connected",
+  "State mismatch. Close this tab and re-run the command."
+);
+var NO_CODE_HTML = page(
+  "Not connected",
+  "The callback carried no authorization code. Close this tab and re-run the command."
+);
+function tryListen(port, handler) {
+  return new Promise((resolve3, reject) => {
+    const server = createServer(handler);
+    const onError = (err) => {
+      server.close();
+      if (err.code === "EADDRINUSE") resolve3(null);
+      else reject(err);
+    };
+    server.once("error", onError);
+    server.listen({ host: "127.0.0.1", port }, () => {
+      server.removeListener("error", onError);
+      resolve3(server);
+    });
+  });
+}
+async function startLoopbackServer(opts) {
+  const callbackPath = opts.callbackPath ?? CALLBACK_PATH;
+  let settled = false;
+  let settleResolve;
+  let settleReject;
+  const settlePromise = new Promise((resolve3, reject) => {
+    settleResolve = resolve3;
+    settleReject = reject;
+  });
+  settlePromise.catch(() => {
+  });
+  const handler = (req, res) => {
+    const url = new URL(req.url ?? "/", "http://127.0.0.1");
+    if (url.pathname !== callbackPath) {
+      res.writeHead(404, { "content-type": "text/plain; charset=utf-8" });
+      res.end("Not found");
+      return;
+    }
+    if (settled) {
+      res.writeHead(410, { "content-type": "text/plain; charset=utf-8" });
+      res.end("This callback was already handled \u2014 return to your terminal.");
+      return;
+    }
+    settled = true;
+    const respond = (status, html) => {
+      res.writeHead(status, { "content-type": "text/html; charset=utf-8" });
+      res.end(html);
+    };
+    const error = url.searchParams.get("error");
+    if (error !== null) {
+      respond(200, DENIED_HTML);
+      const detail = url.searchParams.get("error_description") ?? error;
+      settleReject(
+        error === "access_denied" ? new LoopbackError(
+          "consent_denied",
+          "authorization was denied in PostHog",
+          detail
+        ) : new LoopbackError(
+          "oauth_error",
+          `the OAuth callback returned an error: ${error}`,
+          detail
+        )
+      );
+      return;
+    }
+    const state = url.searchParams.get("state");
+    if (state === null || state !== opts.state) {
+      respond(400, MISMATCH_HTML);
+      settleReject(
+        new LoopbackError(
+          "state_mismatch",
+          "state mismatch on the OAuth callback \u2014 possible CSRF; retry the command"
+        )
+      );
+      return;
+    }
+    const code = url.searchParams.get("code");
+    if (code === null || code === "") {
+      respond(400, NO_CODE_HTML);
+      settleReject(
+        new LoopbackError(
+          "oauth_error",
+          "the OAuth callback carried no authorization code"
+        )
+      );
+      return;
+    }
+    respond(200, SUCCESS_HTML);
+    settleResolve({ code });
+  };
+  let server = null;
+  for (const port2 of opts.ports) {
+    server = await tryListen(port2, handler);
+    if (server) break;
+  }
+  if (!server) {
+    throw new LoopbackError(
+      "ports_busy",
+      `ports ${opts.ports.join(", ")} on 127.0.0.1 are all in use`
+    );
+  }
+  const address = server.address();
+  const port = address !== null && typeof address === "object" ? address.port : 0;
+  const bound = server;
+  return {
+    port,
+    redirectUri: `http://127.0.0.1:${port}${callbackPath}`,
+    waitForCallback(waitOpts) {
+      const timeoutMs = waitOpts?.timeoutMs ?? CALLBACK_TIMEOUT_MS;
+      let timer2;
+      const timeout = new Promise((_, reject) => {
+        timer2 = setTimeout(() => {
+          reject(
+            new LoopbackError(
+              "timeout",
+              "timed out waiting for the OAuth callback (5 minutes)"
+            )
+          );
+        }, timeoutMs);
+      });
+      return Promise.race([settlePromise, timeout]).finally(() => {
+        clearTimeout(timer2);
+      });
+    },
+    close() {
+      return new Promise((resolve3) => {
+        bound.closeAllConnections();
+        bound.close(() => resolve3());
+      });
+    }
+  };
+}
+
+// src/lib/connect-flow.ts
+var ConnectError = class extends Error {
+  verdict;
+  hint;
+  constructor(verdict, message, hint) {
+    super(message);
+    this.name = "ConnectError";
+    this.verdict = verdict;
+    this.hint = hint;
+  }
+};
+var HINT_NOT_CONFIGURED = "Pass --posthog-host https://eu.posthog.com (or https://us.posthog.com, or your self-hosted app URL) to pick the region to authorize against. Alternatively set POSTHOG_HOST on the instance, redeploy, then re-run.";
+var POSTHOG_EU_HOST = "https://eu.posthog.com";
+var POSTHOG_US_HOST = "https://us.posthog.com";
+var normalizeHost = (host) => host.replace(/\/+$/, "");
+var hintOauthUnsupported = (privateHost) => `${privateHost} doesn't advertise an OAuth server (discovery returned 404).
+Self-hosted PostHog builds may not ship OAuth. Use a personal API key instead:
+
+  1. In PostHog: Settings -> User -> Personal API keys -> create a key scoped
+     person:read, person:write, project:read, hog_function:write
+  2. Set POSTHOG_PERSONAL_API_KEY=<key> on your Hogsend instance (api + worker)
+  3. Redeploy \u2014 person reads and loop provisioning use the key automatically.`;
+var HINT_PORTS = "Ports 8423-8425 on 127.0.0.1 are all in use \u2014 free one and re-run. The OAuth callback must land on one of these fixed ports; they are registered in Hogsend's OAuth client document.";
+var SSH_NOTE = `The consent page must open in a browser on THIS machine \u2014 the OAuth callback
+returns to 127.0.0.1 here. On a remote/SSH session this cannot complete: run
+the command from your laptop instead and point --url at the instance (the CLI
+never needs to run on the server).`;
+function isLoopbackUrl(publicUrl) {
+  try {
+    const host = new URL(publicUrl).hostname.toLowerCase();
+    return host === "localhost" || host === "127.0.0.1" || host === "0.0.0.0" || host === "[::1]" || host === "::1" || host.endsWith(".localhost");
+  } catch {
+    return false;
+  }
+}
+var LOOPBACK_URL_NOTE = `Credential stored \u2014 but this instance's API_PUBLIC_URL is a loopback
+address, so PostHog Cloud cannot deliver webhooks to it. Provisioning was
+skipped (a destination pointing at localhost would be unreachable).
+
+Once deployed, wire the loop against the real instance:
+
+  hogsend connect posthog --provision-only --url https://your-instance`;
+var errMsg = (err) => err instanceof Error ? err.message : String(err);
+var httpErrorBody = (err) => {
+  if (!isHttpError(err)) return void 0;
+  const body = err.body;
+  if (body && typeof body === "object" && "error" in body && typeof body.error === "string") {
+    return body.error;
+  }
+  return void 0;
+};
+function fromLoopbackError(err) {
+  switch (err.reason) {
+    case "consent_denied":
+      return new ConnectError(
+        "consent_denied",
+        "authorization was denied in PostHog \u2014 re-run the command if that was a mistake"
+      );
+    case "state_mismatch":
+      return new ConnectError(
+        "state_mismatch",
+        "state mismatch on the OAuth callback \u2014 possible CSRF; retry the command"
+      );
+    case "timeout":
+      return new ConnectError(
+        "callback_timeout",
+        "timed out waiting for the OAuth callback (5 minutes) \u2014 re-run when you're ready to approve in the browser"
+      );
+    case "ports_busy":
+      return new ConnectError("port_unavailable", err.message, HINT_PORTS);
+    case "oauth_error":
+      return new ConnectError("exchange_failed", err.message);
+  }
+}
+async function runProvisionOnly(deps, info, base) {
+  if (isLoopbackUrl(info.apiPublicUrl)) {
+    deps.out.note(LOOPBACK_URL_NOTE, "Instance not publicly reachable");
+    throw new ConnectError(
+      "api_public_url_unreachable",
+      `API_PUBLIC_URL is ${info.apiPublicUrl} \u2014 PostHog cannot deliver webhooks to a loopback address`
+    );
+  }
+  let result;
+  try {
+    result = await deps.out.step(
+      `POST ${base}/v1/admin/analytics/provision-loop`,
+      () => deps.http.post(
+        "/v1/admin/analytics/provision-loop",
+        {}
+      )
+    );
+  } catch (err) {
+    if (isHttpError(err) && err.status === 409 && httpErrorBody(err) === "no_posthog_credential") {
+      throw new ConnectError(
+        "no_credential",
+        "no PostHog credential is stored on this instance",
+        "run `hogsend connect posthog` first"
+      );
+    }
+    throw new ConnectError("provision_failed", errMsg(err));
+  }
+  printProvisioned(deps.out, result);
+  return {
+    verdict: "connected",
+    providerId: "posthog",
+    instance: base,
+    posthog: null,
+    credential: { stored: false },
+    provision: {
+      attempted: true,
+      ok: true,
+      created: result.created === true,
+      hogFunctionId: result.hogFunctionId ?? "",
+      webhookUrl: result.webhookUrl ?? ""
+    }
+  };
+}
+function printProvisioned(out, result) {
+  out.note(
+    [
+      "PostHog -> Hogsend loop provisioned",
+      `  webhookUrl     ${result.webhookUrl ?? "(unknown)"}`,
+      `  hogFunctionId  ${result.hogFunctionId ?? "(unknown)"}`,
+      `  created        ${result.created === true ? "yes" : "no (existing function adopted)"}`
+    ].join("\n")
+  );
+}
+async function resolvePrivateHost(deps, info, opts) {
+  if (info.privateHost !== null) {
+    return info.privateHost;
+  }
+  if (opts.posthogHost) {
+    return normalizeHost(opts.posthogHost);
+  }
+  if (deps.interactive) {
+    if (deps.selectRegion) {
+      return normalizeHost(await deps.selectRegion());
+    }
+    const useUs = await deps.confirm(
+      `Use PostHog US Cloud (${POSTHOG_US_HOST})? (No selects PostHog EU Cloud, ${POSTHOG_EU_HOST})`
+    );
+    return useUs ? POSTHOG_US_HOST : POSTHOG_EU_HOST;
+  }
+  throw new ConnectError(
+    "not_configured",
+    "this instance has no PostHog configuration",
+    HINT_NOT_CONFIGURED
+  );
+}
+async function runConnectPosthog(deps, opts) {
+  const base = deps.http.cfg.baseUrl;
+  const info = await deps.out.step(
+    `GET ${base}/v1/admin/analytics/connect-info`,
+    () => deps.http.get("/v1/admin/analytics/connect-info")
+  );
+  if (opts.provisionOnly) {
+    return runProvisionOnly(deps, info, base);
+  }
+  const privateHost = await resolvePrivateHost(deps, info, opts);
+  if (info.privateHost !== null && info.hostExplicit === false) {
+    if (deps.interactive) {
+      const proceed = await deps.confirm(
+        `No POSTHOG_HOST set on the instance \u2014 assume PostHog US Cloud (${privateHost})?`
+      );
+      if (!proceed) {
+        throw new ConnectError(
+          "not_configured",
+          "set POSTHOG_HOST on the instance to pick the right region"
+        );
+      }
+    } else {
+      deps.out.log(
+        `warning: no POSTHOG_HOST set on the instance \u2014 assuming PostHog US Cloud (${privateHost}).`
+      );
+    }
+  }
+  if (info.personalKeyConfigured === true) {
+    deps.out.log(
+      "note: POSTHOG_PERSONAL_API_KEY is set on the instance; the OAuth credential will take precedence once stored."
+    );
+  }
+  const metadata = await deps.out.step(
+    `OAuth discovery at ${privateHost}`,
+    async () => {
+      const result = await deps.discover({ privateHost });
+      if (result.status === "unsupported") {
+        throw new ConnectError(
+          "oauth_unsupported",
+          `${privateHost} doesn't advertise an OAuth server (discovery returned 404)`,
+          hintOauthUnsupported(privateHost)
+        );
+      }
+      if (result.status === "error") {
+        throw new ConnectError("discovery_failed", result.message);
+      }
+      return result.metadata;
+    }
+  );
+  try {
+    if (new URL(metadata.issuer).origin !== new URL(privateHost).origin) {
+      deps.out.log(
+        `warning: discovery issuer ${metadata.issuer} differs from ${privateHost} \u2014 continuing.`
+      );
+    }
+  } catch {
+  }
+  const pkce = generatePkce();
+  const state = generateState();
+  let server;
+  try {
+    server = await deps.startLoopback({ ports: LOOPBACK_PORTS, state });
+  } catch (err) {
+    if (err instanceof LoopbackError) throw fromLoopbackError(err);
+    throw err;
+  }
+  let code;
+  try {
+    const authorizeUrl = buildAuthorizeUrl({
+      authorizationEndpoint: metadata.authorization_endpoint,
+      clientId: POSTHOG_CLIENT_ID,
+      redirectUri: server.redirectUri,
+      scope: POSTHOG_SCOPES,
+      state,
+      pkce,
+      requiredAccessLevel: REQUIRED_ACCESS_LEVEL
+    });
+    deps.out.note(
+      [
+        "About to authorize Hogsend against PostHog",
+        `  instance   ${base}`,
+        `  posthog    ${privateHost}`,
+        `  scopes     ${POSTHOG_SCOPES}`,
+        `  callback   ${server.redirectUri}`
+      ].join("\n")
+    );
+    const opened = opts.noBrowser ? false : deps.openBrowser(authorizeUrl);
+    deps.out.log(
+      opened ? "Opening your browser. If nothing happens, open this URL yourself:" : "Open this URL in a browser on THIS machine:"
+    );
+    deps.out.log(`  ${authorizeUrl}`);
+    if (!opened) {
+      deps.out.note(SSH_NOTE);
+    }
+    const callback = await deps.out.step(
+      "Waiting for PostHog authorization (Ctrl-C aborts)",
+      () => server.waitForCallback({ timeoutMs: opts.timeoutMs })
+    );
+    code = callback.code;
+  } catch (err) {
+    if (err instanceof LoopbackError) throw fromLoopbackError(err);
+    throw err;
+  } finally {
+    await server.close();
+  }
+  const tokenEndpoint = metadata.token_endpoint;
+  let tokens;
+  try {
+    tokens = await deps.out.step(
+      `Exchanging code at ${tokenEndpoint}`,
+      () => deps.exchangeCode({
+        tokenEndpoint,
+        clientId: POSTHOG_CLIENT_ID,
+        code,
+        codeVerifier: pkce.verifier,
+        redirectUri: server.redirectUri
+      })
+    );
+  } catch (err) {
+    throw new ConnectError("exchange_failed", errMsg(err));
+  }
+  const expiresAt = new Date(
+    deps.now().getTime() + tokens.expires_in * 1e3
+  ).toISOString();
+  const scopes = (tokens.scope ?? POSTHOG_SCOPES).split(" ");
+  const scopedTeams = tokens.scoped_teams ?? [];
+  const scopedOrganizations = tokens.scoped_organizations ?? [];
+  try {
+    await deps.out.step(
+      `PUT ${base}/v1/admin/provider-credentials/posthog`,
+      () => deps.http.put("/v1/admin/provider-credentials/posthog", {
+        kind: "oauth",
+        payload: {
+          accessToken: tokens.access_token,
+          refreshToken: tokens.refresh_token,
+          expiresAt,
+          tokenEndpoint,
+          clientId: POSTHOG_CLIENT_ID,
+          scopes,
+          scopedTeams,
+          scopedOrganizations
+        }
+      })
+    );
+  } catch (err) {
+    throw new ConnectError("store_failed", errMsg(err));
+  }
+  const stored = {
+    providerId: "posthog",
+    instance: base,
+    posthog: {
+      privateHost,
+      issuer: metadata.issuer,
+      scopes: scopes.join(" "),
+      scopedTeams,
+      scopedOrganizations
+    },
+    credential: { stored: true, expiresAt }
+  };
+  const requestedScopes = POSTHOG_SCOPES.split(" ");
+  const missingScopes = requestedScopes.filter((s) => !scopes.includes(s));
+  if (missingScopes.length > 0) {
+    deps.out.log(
+      `note: PostHog granted ${scopes.length}/${requestedScopes.length} requested scope(s); missing: ${missingScopes.join(", ")}. Re-run \`hogsend connect posthog\` to grant the full set.`
+    );
+  }
+  if (opts.noProvision) {
+    return {
+      verdict: "connected_no_provision",
+      ...stored,
+      provision: { attempted: false, skipped: "no_provision_flag" }
+    };
+  }
+  if (isLoopbackUrl(info.apiPublicUrl)) {
+    deps.out.note(LOOPBACK_URL_NOTE, "Instance not publicly reachable");
+    return {
+      verdict: "connected_no_provision",
+      ...stored,
+      provision: { attempted: false, skipped: "api_public_url_unreachable" }
+    };
+  }
+  try {
+    const result = await deps.out.step(
+      `POST ${base}/v1/admin/analytics/provision-loop`,
+      () => deps.http.post(
+        "/v1/admin/analytics/provision-loop",
+        {}
+      )
+    );
+    printProvisioned(deps.out, result);
+    return {
+      verdict: "connected",
+      ...stored,
+      provision: {
+        attempted: true,
+        ok: true,
+        created: result.created === true,
+        hogFunctionId: result.hogFunctionId ?? "",
+        webhookUrl: result.webhookUrl ?? ""
+      }
+    };
+  } catch (err) {
+    const message = errMsg(err);
+    deps.out.log(
+      `The credential is stored, but provisioning the event loop failed: ${message}. Re-run with: hogsend connect posthog --provision-only`
+    );
+    return {
+      verdict: "connected_no_provision",
+      ...stored,
+      provision: { attempted: true, ok: false, error: message }
+    };
+  }
+}
+
+// src/lib/prompt.ts
+import { cancel as cancel2, isCancel } from "@clack/prompts";
+function bail(value) {
+  if (isCancel(value)) {
+    cancel2("Cancelled.");
+    process.exit(0);
+  }
+  return value;
+}
+
+// src/commands/connect.ts
+var usage2 = `hogsend connect <provider> [--posthog-host <url>] [--provision-only] [--no-provision] [--no-browser] [--json]
+
+Connect this Hogsend instance to an analytics provider via OAuth. Providers:
+
+  posthog    Authorize Hogsend against your PostHog region (PKCE, loopback
+             callback on 127.0.0.1), store the refresh token on the instance,
+             then provision the PostHog -> Hogsend event loop (a PostHog
+             destination posting to /v1/webhooks/posthog).
+
+The browser consent must happen on THIS machine (the OAuth callback lands on
+127.0.0.1). The target instance can be anywhere \u2014 point --url at it and run
+this command from your laptop, not from an SSH session on the server.
+
+Options:
+  --posthog-host     PostHog app/private host to authorize against, e.g.
+                     https://eu.posthog.com or https://us.posthog.com (NOT the
+                     i. ingestion host). Required when the instance has no
+                     PostHog config and you're running non-interactively.
+  --provision-only   Skip OAuth; (re-)provision the event loop using the
+                     already-stored credential.
+  --no-provision     Stop after storing the credential.
+  --no-browser       Don't spawn a browser; just print the authorize URL.
+  --url, --admin-key, --json, -h, --help   Global flags as usual.
+
+Exit code: 0 when a credential is stored (even if provisioning was skipped),
+1 otherwise.`;
+async function run2(ctx) {
+  const { values: values2, positionals } = parseArgs2({
+    args: ctx.argv,
+    allowPositionals: true,
+    strict: false,
+    options: {
+      "posthog-host": { type: "string" },
+      "provision-only": { type: "boolean", default: false },
+      "no-provision": { type: "boolean", default: false },
+      "no-browser": { type: "boolean", default: false },
+      help: { type: "boolean", short: "h", default: false }
+    }
+  });
+  if (values2.help) {
+    ctx.out.log(usage2);
+    return;
+  }
+  const provider = positionals[0];
+  if (!provider) {
+    ctx.out.fail("missing provider \u2014 try: hogsend connect posthog");
+  }
+  if (provider !== "posthog") {
+    ctx.out.fail(`unknown provider "${provider}" \u2014 supported: posthog`);
+  }
+  if (values2["provision-only"] && values2["no-provision"]) {
+    ctx.out.fail("--provision-only and --no-provision are mutually exclusive");
+  }
+  try {
+    const target = new URL(ctx.cfg.baseUrl);
+    if (target.protocol === "http:" && target.hostname !== "localhost" && target.hostname !== "127.0.0.1") {
+      ctx.out.log(
+        color.yellow(
+          `warning: ${ctx.cfg.baseUrl} is plain http \u2014 OAuth tokens will be sent to it unencrypted; use https for remote instances.`
+        )
+      );
+    }
+  } catch {
+  }
+  ctx.out.intro(`${color.bgMagenta(color.black(" hogsend "))} connect`);
+  const deps = {
+    http: ctx.http,
+    out: ctx.out,
+    interactive: ctx.out.interactive,
+    discover: discoverOAuthServer,
+    startLoopback: startLoopbackServer,
+    exchangeCode,
+    openBrowser,
+    confirm: async (message) => bail(await confirm({ message })),
+    selectRegion: async () => {
+      const choice = bail(
+        await select({
+          message: "Which PostHog region should Hogsend authorize against?",
+          options: [
+            { value: "https://eu.posthog.com", label: "PostHog EU Cloud" },
+            { value: "https://us.posthog.com", label: "PostHog US Cloud" },
+            { value: "custom", label: "Custom / self-hosted" }
+          ]
+        })
+      );
+      if (choice !== "custom") return choice;
+      return bail(
+        await text({
+          message: "PostHog app/private host URL (e.g. https://posthog.example.com)",
+          placeholder: "https://posthog.example.com"
+        })
+      );
+    },
+    now: () => /* @__PURE__ */ new Date()
+  };
+  try {
+    const result = await runConnectPosthog(deps, {
+      provisionOnly: Boolean(values2["provision-only"]),
+      noProvision: Boolean(values2["no-provision"]),
+      noBrowser: Boolean(values2["no-browser"]),
+      posthogHost: typeof values2["posthog-host"] === "string" ? values2["posthog-host"] : void 0
+    });
+    if (ctx.json) {
+      ctx.out.json({ ok: true, ...result });
+      return;
+    }
+    ctx.out.outro(
+      color.green(
+        `connect: posthog ${result.verdict === "connected" ? "connected" : "connected (loop not provisioned)"}`
+      )
+    );
+  } catch (error) {
+    if (error instanceof ConnectError) {
+      if (ctx.json) {
+        ctx.out.json({
+          ok: false,
+          verdict: error.verdict,
+          error: error.message,
+          hint: error.hint
+        });
+        process.exit(1);
+      }
+      ctx.out.note(
+        error.hint ? `${error.message}
+
+${error.hint}` : error.message
+      );
+      ctx.out.outro(color.red(`connect: ${error.verdict}`));
+      process.exit(1);
+    }
+    throw error;
+  }
+}
+var connectCommand = {
+  name: "connect",
+  summary: "Connect an analytics provider via OAuth (posthog)",
+  usage: usage2,
+  run: run2
 };
 
 // src/commands/contacts.ts
-import { parseArgs as parseArgs2 } from "util";
-var usage2 = `hogsend contacts <subcommand> [options]
+import { parseArgs as parseArgs3 } from "util";
+var usage3 = `hogsend contacts <subcommand> [options]
 
 Inspect contacts via the admin API (/v1/admin/contacts) and upsert them via the
 data plane (PUT /v1/contacts).
@@ -573,7 +1386,7 @@ async function fetchOrFail(ctx, label, fn) {
   }
 }
 async function runList(ctx, argv) {
-  const { values: values2 } = parseArgs2({
+  const { values: values2 } = parseArgs3({
     args: argv,
     allowPositionals: true,
     options: {
@@ -584,7 +1397,7 @@ async function runList(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage2);
+    ctx.out.log(usage3);
     return;
   }
   const query = {
@@ -616,7 +1429,7 @@ async function runList(ctx, argv) {
   );
 }
 async function runGet(ctx, argv) {
-  const { values: values2, positionals } = parseArgs2({
+  const { values: values2, positionals } = parseArgs3({
     args: argv,
     allowPositionals: true,
     options: {
@@ -624,7 +1437,7 @@ async function runGet(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage2);
+    ctx.out.log(usage3);
     return;
   }
   const id = positionals[1];
@@ -671,7 +1484,7 @@ async function runGet(ctx, argv) {
   ctx.out.outro(`Contact ${color.cyan(contact.externalId)}`);
 }
 async function runTimeline(ctx, argv) {
-  const { values: values2, positionals } = parseArgs2({
+  const { values: values2, positionals } = parseArgs3({
     args: argv,
     allowPositionals: true,
     options: {
@@ -682,7 +1495,7 @@ async function runTimeline(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage2);
+    ctx.out.log(usage3);
     return;
   }
   const id = positionals[1];
@@ -736,7 +1549,7 @@ function summarizeTimelineEntry(entry) {
   return `${subject} [${String(d.status ?? "")}]`;
 }
 async function runUpsert(ctx, argv) {
-  const { values: values2 } = parseArgs2({
+  const { values: values2 } = parseArgs3({
     args: argv,
     allowPositionals: true,
     options: {
@@ -750,7 +1563,7 @@ async function runUpsert(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage2);
+    ctx.out.log(usage3);
     return;
   }
   const email = values2.email;
@@ -790,7 +1603,7 @@ async function runUpsert(ctx, argv) {
   const verb = res.created ? "created" : "updated";
   ctx.out.outro(`Contact ${color.cyan(res.id)} ${verb}.`);
 }
-async function run2(ctx) {
+async function run3(ctx) {
   const sub = ctx.argv[0];
   switch (sub) {
     case "list":
@@ -815,21 +1628,21 @@ async function run2(ctx) {
 var contactsCommand = {
   name: "contacts",
   summary: "List, inspect, trace, and upsert contacts",
-  usage: usage2,
-  run: run2
+  usage: usage3,
+  run: run3
 };
 
 // src/commands/dev.ts
 import { spawnSync as spawnSync2 } from "child_process";
 import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
 import { join as join3, resolve } from "path";
-import { parseArgs as parseArgs5 } from "util";
+import { parseArgs as parseArgs6 } from "util";
 
 // src/lib/proc.ts
-import { spawn } from "child_process";
+import { spawn as spawn2 } from "child_process";
 import { createInterface } from "readline";
 function spawnManaged(opts) {
-  const child = spawn(opts.cmd, opts.args, {
+  const child = spawn2(opts.cmd, opts.args, {
     cwd: opts.cwd,
     env: { ...process.env, FORCE_COLOR: "1", ...opts.env },
     stdio: ["ignore", "pipe", "pipe"],
@@ -930,7 +1743,7 @@ async function waitForHttp(url, timeoutMs) {
 
 // src/lib/setup-steps.ts
 import { spawnSync } from "child_process";
-import { randomBytes } from "crypto";
+import { randomBytes as randomBytes2 } from "crypto";
 import { copyFileSync, existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync } from "fs";
 import { connect } from "net";
 import { join as join2 } from "path";
@@ -938,10 +1751,10 @@ import { join as join2 } from "path";
 // src/lib/config.ts
 import { existsSync, readFileSync } from "fs";
 import { join } from "path";
-import { parseArgs as parseArgs3 } from "util";
+import { parseArgs as parseArgs4 } from "util";
 var DEFAULT_BASE_URL = "http://localhost:3002";
 function parseGlobalFlags(argv) {
-  const { values: values2, tokens } = parseArgs3({
+  const { values: values2, tokens } = parseArgs4({
     args: argv,
     allowPositionals: true,
     strict: false,
@@ -1022,7 +1835,7 @@ var SECRET_KEY = "BETTER_AUTH_SECRET";
 var PLACEHOLDER_PREFIX = "change-me";
 var PLACEHOLDER_PREFIXES = [PLACEHOLDER_PREFIX, "REPLACE_ME"];
 function generateSecret() {
-  return randomBytes(32).toString("hex");
+  return randomBytes2(32).toString("hex");
 }
 var COMPOSE_FILES = [
   "docker-compose.yml",
@@ -1215,8 +2028,8 @@ async function detectRunningInfra(cwd) {
 }
 
 // src/commands/events.ts
-import { parseArgs as parseArgs4 } from "util";
-var usage3 = `hogsend events <userId> [options]
+import { parseArgs as parseArgs5 } from "util";
+var usage4 = `hogsend events <userId> [options]
 hogsend events send <name> [options]
 
 Read a single user's event history (admin API), or send an event into the data
@@ -1262,14 +2075,14 @@ Examples:
   hogsend events user_123 --from 2026-01-01T00:00:00Z --json
   hogsend events send signup --user-id user_123 --prop plan=pro
   hogsend events send purchase --email a@b.com --props '{"amount":49}' --json`;
-async function run3(ctx) {
+async function run4(ctx) {
   if (ctx.argv[0] === "send") {
     return runSend2(ctx, ctx.argv.slice(1));
   }
   return runRead(ctx, ctx.argv);
 }
 async function runRead(ctx, argv) {
-  const { values: values2, positionals } = parseArgs4({
+  const { values: values2, positionals } = parseArgs5({
     args: argv,
     allowPositionals: true,
     options: {
@@ -1282,7 +2095,7 @@ async function runRead(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage3);
+    ctx.out.log(usage4);
     return;
   }
   const userId = positionals[0];
@@ -1338,7 +2151,7 @@ async function runRead(ctx, argv) {
   );
 }
 async function runSend2(ctx, argv) {
-  const { values: values2, positionals } = parseArgs4({
+  const { values: values2, positionals } = parseArgs5({
     args: argv,
     allowPositionals: true,
     options: {
@@ -1356,7 +2169,7 @@ async function runSend2(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage3);
+    ctx.out.log(usage4);
     return;
   }
   const name = positionals[0];
@@ -1494,12 +2307,12 @@ function summarizeProps(props) {
 var eventsCommand = {
   name: "events",
   summary: "Stream a user's event history, or send an event",
-  usage: usage3,
-  run: run3
+  usage: usage4,
+  run: run4
 };
 
 // src/commands/dev.ts
-var usage4 = `hogsend dev [options]
+var usage5 = `hogsend dev [options]
 hogsend dev --fire <event> [event-send options]
 
 Run the full local stack for a Hogsend app from one command:
@@ -1582,7 +2395,7 @@ function extractFire(argv) {
 }
 async function runFire(ctx, event, rest) {
   if (rest.includes("-h") || rest.includes("--help")) {
-    ctx.out.log(usage4);
+    ctx.out.log(usage5);
     return;
   }
   try {
@@ -1690,7 +2503,7 @@ async function prepareInfra(ctx, cwd, pkg) {
     ctx.out.log(color.dim("  no db:migrate script \u2014 skipping migrations"));
   }
 }
-async function run4(ctx) {
+async function run5(ctx) {
   const fire = extractFire(ctx.argv);
   if (fire && "error" in fire) {
     ctx.out.fail(fire.error);
@@ -1699,7 +2512,7 @@ async function run4(ctx) {
     await runFire(ctx, fire.event, fire.rest);
     return;
   }
-  const { values: values2 } = parseArgs5({
+  const { values: values2 } = parseArgs6({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -1710,7 +2523,7 @@ async function run4(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage4);
+    ctx.out.log(usage5);
     return;
   }
   const cwd = resolve(values2.cwd ?? process.cwd());
@@ -1817,12 +2630,12 @@ ${color.dim("Shutting down\u2026")}`);
 var devCommand = {
   name: "dev",
   summary: "Run the full local stack: infra, API + worker, health, URLs",
-  usage: usage4,
-  run: run4
+  usage: usage5,
+  run: run5
 };
 
 // src/commands/doctor.ts
-import { parseArgs as parseArgs6 } from "util";
+import { parseArgs as parseArgs7 } from "util";
 
 // src/lib/skills.ts
 import {
@@ -1973,7 +2786,7 @@ function analyticsNudge(ctx) {
     "PostHog person reads disabled"
   );
 }
-var usage5 = `hogsend doctor [--url <baseUrl>] [--admin-key <key>] [--json]
+var usage6 = `hogsend doctor [--url <baseUrl>] [--admin-key <key>] [--json]
 
 Probe a running Hogsend instance via GET /v1/health and report its health:
 component status (database, redis), two-track schema state (engine + client),
@@ -2015,8 +2828,8 @@ function trackLine(name, track) {
   const required = track.required ?? color.dim("none");
   return `${color.bold(name.padEnd(7))} applied ${applied} -> required ${required}  ${sync}`;
 }
-async function run5(ctx) {
-  const { values: values2 } = parseArgs6({
+async function run6(ctx) {
+  const { values: values2 } = parseArgs7({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -2026,7 +2839,7 @@ async function run5(ctx) {
     strict: false
   });
   if (values2.help) {
-    ctx.out.log(usage5);
+    ctx.out.log(usage6);
     return;
   }
   const { baseUrl } = ctx.http.cfg;
@@ -2117,13 +2930,13 @@ async function run5(ctx) {
 var doctorCommand = {
   name: "doctor",
   summary: "Probe a running instance's health (GET /v1/health)",
-  usage: usage5,
-  run: run5
+  usage: usage6,
+  run: run6
 };
 
 // src/commands/domain.ts
-import { parseArgs as parseArgs7 } from "util";
-import { confirm } from "@clack/prompts";
+import { parseArgs as parseArgs8 } from "util";
+import { confirm as confirm2 } from "@clack/prompts";
 
 // src/lib/dns.ts
 import { resolveNs as nodeResolveNs } from "dns/promises";
@@ -2417,18 +3230,8 @@ async function applyRecords(opts) {
   return applyVercel(opts, fetchImpl);
 }
 
-// src/lib/prompt.ts
-import { cancel as cancel2, isCancel } from "@clack/prompts";
-function bail(value) {
-  if (isCancel(value)) {
-    cancel2("Cancelled.");
-    process.exit(0);
-  }
-  return value;
-}
-
 // src/commands/domain.ts
-var usage6 = `hogsend domain <subcommand> [options]
+var usage7 = `hogsend domain <subcommand> [options]
 
 Manage the sending domain through the RUNNING instance's admin routes
 (/v1/admin/domain) \u2014 provider API keys never touch the CLI. Requires an admin
@@ -2536,7 +3339,7 @@ function renderStatus(ctx, status) {
   }
 }
 async function runAdd(ctx, argv) {
-  const { values: values2, positionals } = parseArgs7({
+  const { values: values2, positionals } = parseArgs8({
     args: argv,
     allowPositionals: true,
     options: {
@@ -2546,7 +3349,7 @@ async function runAdd(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage6);
+    ctx.out.log(usage7);
     return;
   }
   const domain = positionals[0];
@@ -2572,7 +3375,7 @@ async function runAdd(ctx, argv) {
   const autoAvailable = canAutoApply(host.id, process.env);
   if (autoAvailable && records.length > 0) {
     const doApply = values2.apply ? true : values2["no-apply"] ? false : ctx.out.interactive ? bail(
-      await confirm({
+      await confirm2({
         message: `Apply these records via the ${host.label} API?`,
         initialValue: true
       })
@@ -2621,7 +3424,7 @@ async function runAdd(ctx, argv) {
   );
 }
 async function runCheck(ctx, argv) {
-  const { values: values2, positionals } = parseArgs7({
+  const { values: values2, positionals } = parseArgs8({
     args: argv,
     allowPositionals: true,
     options: {
@@ -2631,7 +3434,7 @@ async function runCheck(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage6);
+    ctx.out.log(usage7);
     return;
   }
   const timeoutSecs = Number(values2.timeout);
@@ -2703,7 +3506,7 @@ async function runCheck(ctx, argv) {
   }
 }
 async function runStatus2(ctx, argv) {
-  const { values: values2 } = parseArgs7({
+  const { values: values2 } = parseArgs8({
     args: argv,
     allowPositionals: false,
     options: {
@@ -2712,7 +3515,7 @@ async function runStatus2(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage6);
+    ctx.out.log(usage7);
     return;
   }
   const status = await getStatus(ctx, { refresh: values2.refresh });
@@ -2732,11 +3535,11 @@ async function runStatus2(ctx, argv) {
   }
   ctx.out.outro("Done.");
 }
-async function run6(ctx) {
+async function run7(ctx) {
   const sub = ctx.argv[0];
   const rest = ctx.argv.slice(1);
   if (!sub || sub === "--help" || sub === "-h" || sub === "help") {
-    ctx.out.log(usage6);
+    ctx.out.log(usage7);
     return;
   }
   switch (sub) {
@@ -2755,15 +3558,15 @@ async function run6(ctx) {
 var domainCommand = {
   name: "domain",
   summary: "Set up + verify the sending domain (DNS records, auto-apply)",
-  usage: usage6,
-  run: run6
+  usage: usage7,
+  run: run7
 };
 
 // src/commands/eject.ts
 import { existsSync as existsSync6, realpathSync } from "fs";
 import { createRequire as createRequire2 } from "module";
 import { dirname, join as join6, sep as sep2 } from "path";
-import { parseArgs as parseArgs8 } from "util";
+import { parseArgs as parseArgs9 } from "util";
 
 // src/eject.ts
 import { existsSync as existsSync5 } from "fs";
@@ -2877,7 +3680,7 @@ async function countFiles(dir) {
 }
 
 // src/commands/eject.ts
-var usage7 = `hogsend eject <package> [--force] [--cwd <dir>]
+var usage8 = `hogsend eject <package> [--force] [--cwd <dir>]
 
 Copy a @hogsend/* package's source into vendor/<name> and rewrite the consumer
 dependency to file:./vendor/<name>. Every other dependency keeps upgrading.
@@ -2905,8 +3708,8 @@ function resolveSourceDir(pkg, consumerRoot) {
   }
   return null;
 }
-async function run7(ctx) {
-  const { values: values2, positionals } = parseArgs8({
+async function run8(ctx) {
+  const { values: values2, positionals } = parseArgs9({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -2916,7 +3719,7 @@ async function run7(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage7);
+    ctx.out.log(usage8);
     return;
   }
   const pkg = positionals[0];
@@ -2960,13 +3763,13 @@ async function run7(ctx) {
 var ejectCommand = {
   name: "eject",
   summary: "Vendor a @hogsend/* package into vendor/<name>",
-  usage: usage7,
-  run: run7
+  usage: usage8,
+  run: run8
 };
 
 // src/commands/emails.ts
-import { parseArgs as parseArgs9 } from "util";
-var usage8 = `hogsend emails <subcommand> [options]
+import { parseArgs as parseArgs10 } from "util";
+var usage9 = `hogsend emails <subcommand> [options]
 
 Send a transactional email through the data plane (POST /v1/emails). The send
 runs through the full preferences + tracking pipeline (link-click + open).
@@ -3044,7 +3847,7 @@ function statusColor2(status) {
   }
 }
 async function runSend3(ctx, argv) {
-  const { values: values2, positionals } = parseArgs9({
+  const { values: values2, positionals } = parseArgs10({
     args: argv,
     allowPositionals: true,
     options: {
@@ -3062,7 +3865,7 @@ async function runSend3(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage8);
+    ctx.out.log(usage9);
     return;
   }
   const template = positionals[0];
@@ -3118,7 +3921,7 @@ async function runSend3(ctx, argv) {
   );
   ctx.out.outro(`${template} \u2192 ${statusColor2(res.status)}.`);
 }
-async function run8(ctx) {
+async function run9(ctx) {
   const sub = ctx.argv[0];
   switch (sub) {
     case "send":
@@ -3135,12 +3938,12 @@ async function run8(ctx) {
 var emailsCommand = {
   name: "emails",
   summary: "Send a transactional email through the data plane",
-  usage: usage8,
-  run: run8
+  usage: usage9,
+  run: run9
 };
 
 // src/commands/hatchet.ts
-import { parseArgs as parseArgs10 } from "util";
+import { parseArgs as parseArgs11 } from "util";
 
 // src/lib/hatchet-token.ts
 var SLUG_RE = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
@@ -3311,7 +4114,7 @@ async function mintHatchetToken(opts) {
 }
 
 // src/commands/hatchet.ts
-var usage9 = `hogsend hatchet token [options]
+var usage10 = `hogsend hatchet token [options]
 
 Mint a Hatchet API token (HATCHET_CLIENT_TOKEN) headlessly against a
 hatchet-lite instance. Registers the account if the instance still allows
@@ -3349,7 +4152,7 @@ public URL can create an account. On a public deployment set
 SERVER_ALLOW_SIGNUP=false (plus a real ADMIN_EMAIL/ADMIN_PASSWORD, which
 hatchet-lite seeds at boot); this command then logs in with those credentials.`;
 function parseTokenFlags(argv) {
-  const { values: values2 } = parseArgs10({
+  const { values: values2 } = parseArgs11({
     args: argv,
     allowPositionals: true,
     strict: false,
@@ -3415,15 +4218,15 @@ async function runToken(ctx, argv) {
     throw err;
   }
 }
-async function run9(ctx) {
+async function run10(ctx) {
   const sub = ctx.argv[0];
   const rest = ctx.argv.slice(1);
   if (!sub || sub === "--help" || sub === "-h" || sub === "help") {
-    ctx.out.log(usage9);
+    ctx.out.log(usage10);
     return;
   }
   if (rest.includes("-h") || rest.includes("--help")) {
-    ctx.out.log(usage9);
+    ctx.out.log(usage10);
     return;
   }
   switch (sub) {
@@ -3436,13 +4239,13 @@ async function run9(ctx) {
 var hatchetCommand = {
   name: "hatchet",
   summary: "Hatchet helpers \u2014 mint a HATCHET_CLIENT_TOKEN headlessly",
-  usage: usage9,
-  run: run9
+  usage: usage10,
+  run: run10
 };
 
 // src/commands/journeys.ts
-import { parseArgs as parseArgs11 } from "util";
-var usage10 = `hogsend journeys <subcommand> [options]
+import { parseArgs as parseArgs12 } from "util";
+var usage11 = `hogsend journeys <subcommand> [options]
 
 Inspect and toggle journeys via the admin API (/v1/admin/journeys).
 
@@ -3471,7 +4274,7 @@ function statusColor3(enabled) {
   return enabled ? color.green("enabled") : color.yellow("disabled");
 }
 async function runList2(ctx) {
-  const { values: values2 } = parseArgs11({
+  const { values: values2 } = parseArgs12({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -3482,7 +4285,7 @@ async function runList2(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage10);
+    ctx.out.log(usage11);
     return;
   }
   if (values2.enabled !== void 0 && !["true", "false"].includes(values2.enabled)) {
@@ -3618,7 +4421,7 @@ async function runToggle(ctx, id, enabled) {
   );
   ctx.out.outro(`${j.id} is now ${statusColor3(j.enabled)}.`);
 }
-async function run10(ctx) {
+async function run11(ctx) {
   const sub = ctx.argv[0];
   const rest = ctx.argv.slice(1);
   const subCtx = { ...ctx, argv: rest };
@@ -3630,7 +4433,7 @@ async function run10(ctx) {
       case "get": {
         const id = rest.find((a) => !a.startsWith("-"));
         if (rest.includes("--help") || rest.includes("-h")) {
-          ctx.out.log(usage10);
+          ctx.out.log(usage11);
           return;
         }
         await runGet2(subCtx, id);
@@ -3638,7 +4441,7 @@ async function run10(ctx) {
       }
       case "enable": {
         if (rest.includes("--help") || rest.includes("-h")) {
-          ctx.out.log(usage10);
+          ctx.out.log(usage11);
           return;
         }
         await runToggle(
@@ -3650,7 +4453,7 @@ async function run10(ctx) {
       }
       case "disable": {
         if (rest.includes("--help") || rest.includes("-h")) {
-          ctx.out.log(usage10);
+          ctx.out.log(usage11);
           return;
         }
         await runToggle(
@@ -3684,14 +4487,14 @@ async function run10(ctx) {
 var journeysCommand = {
   name: "journeys",
   summary: "List, inspect, enable, and disable journeys",
-  usage: usage10,
-  run: run10
+  usage: usage11,
+  run: run11
 };
 
 // src/commands/patch.ts
 import { spawnSync as spawnSync3 } from "child_process";
-import { parseArgs as parseArgs12 } from "util";
-var usage11 = `hogsend patch <package> [--cwd <dir>]
+import { parseArgs as parseArgs13 } from "util";
+var usage12 = `hogsend patch <package> [--cwd <dir>]
 
 Thin wrapper over pnpm's native patch flow. Runs \`pnpm patch <package>\`, which
 extracts the package into a temp dir and prints the path to edit. After editing,
@@ -3702,8 +4505,8 @@ This does NOT replace scripts/patch-check.sh (the patch re-apply contract).
 Options:
   --cwd <dir>    Project root to run pnpm in (defaults to current directory).
   -h, --help     Show this help.`;
-async function run11(ctx) {
-  const { values: values2, positionals } = parseArgs12({
+async function run12(ctx) {
+  const { values: values2, positionals } = parseArgs13({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -3712,7 +4515,7 @@ async function run11(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage11);
+    ctx.out.log(usage12);
     return;
   }
   const pkg = positionals[0];
@@ -3752,16 +4555,16 @@ async function run11(ctx) {
 var patchCommand = {
   name: "patch",
   summary: "Patch a package via pnpm's native patch flow",
-  usage: usage11,
-  run: run11
+  usage: usage12,
+  run: run12
 };
 
 // src/commands/setup.ts
 import { existsSync as existsSync7 } from "fs";
 import { join as join7 } from "path";
-import { parseArgs as parseArgs13 } from "util";
-import { confirm as confirm2 } from "@clack/prompts";
-var usage12 = `hogsend setup [--cwd <dir>] [--yes] [--json]
+import { parseArgs as parseArgs14 } from "util";
+import { confirm as confirm3 } from "@clack/prompts";
+var usage13 = `hogsend setup [--cwd <dir>] [--yes] [--json]
 
 Interactive local onboarding for a scaffolded Hogsend app. Mirrors the
 create-hogsend "next steps":
@@ -3778,8 +4581,8 @@ Options:
   -h, --help     Show this help.
 
 Run ${color.cyan("hogsend doctor")} afterwards to verify the instance is healthy.`;
-async function run12(ctx) {
-  const { values: values2 } = parseArgs13({
+async function run13(ctx) {
+  const { values: values2 } = parseArgs14({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -3789,7 +4592,7 @@ async function run12(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage12);
+    ctx.out.log(usage13);
     return;
   }
   const cwd = values2.cwd ?? process.cwd();
@@ -3807,7 +4610,7 @@ async function run12(ctx) {
   }
   if (ctx.out.interactive && !skipConfirm) {
     const proceed = bail(
-      await confirm2({
+      await confirm3({
         message: `Set up local infra in ${color.cyan(cwd)}? (docker compose up, .env, db:migrate)`
       })
     );
@@ -3904,16 +4707,16 @@ async function run12(ctx) {
 var setupCommand = {
   name: "setup",
   summary: "Local onboarding: docker compose up, gen secret, db:migrate",
-  usage: usage12,
-  run: run12
+  usage: usage13,
+  run: run13
 };
 
 // src/commands/skills.ts
 import { existsSync as existsSync8 } from "fs";
 import { join as join8 } from "path";
-import { parseArgs as parseArgs14 } from "util";
+import { parseArgs as parseArgs15 } from "util";
 import { multiselect } from "@clack/prompts";
-var usage13 = `hogsend skills <subcommand> [options]
+var usage14 = `hogsend skills <subcommand> [options]
 
 Manage the Claude Code skills bundled with @hogsend/cli. Bundled skills teach
 agents how to drive the hogsend CLI; \`add\` copies them into your project's
@@ -3974,7 +4777,7 @@ function runList3(ctx) {
   );
 }
 async function runAdd2(ctx, argv) {
-  const { values: values2, positionals } = parseArgs14({
+  const { values: values2, positionals } = parseArgs15({
     args: argv,
     allowPositionals: true,
     options: {
@@ -3984,7 +4787,7 @@ async function runAdd2(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage13);
+    ctx.out.log(usage14);
     return;
   }
   const cwd = process.cwd();
@@ -4052,7 +4855,7 @@ async function runAdd2(ctx, argv) {
     `Installed ${installedCount} skill${installedCount === 1 ? "" : "s"}` + (skippedCount > 0 ? `, skipped ${skippedCount}.` : ".")
   );
 }
-async function run13(ctx) {
+async function run14(ctx) {
   const sub = ctx.argv[0];
   switch (sub) {
     case "list":
@@ -4064,7 +4867,7 @@ async function run13(ctx) {
     case void 0:
     case "-h":
     case "--help":
-      ctx.out.log(usage13);
+      ctx.out.log(usage14);
       return;
     default:
       ctx.out.fail(
@@ -4075,13 +4878,13 @@ async function run13(ctx) {
 var skillsCommand = {
   name: "skills",
   summary: "List + install bundled Claude Code skills into .claude/skills",
-  usage: usage13,
-  run: run13
+  usage: usage14,
+  run: run14
 };
 
 // src/commands/stats.ts
-import { parseArgs as parseArgs15 } from "util";
-var usage14 = `hogsend stats [--json]
+import { parseArgs as parseArgs16 } from "util";
+var usage15 = `hogsend stats [--json]
 
 Show system-wide overview metrics from a running Hogsend instance.
 Wraps GET /v1/admin/metrics/overview.
@@ -4103,8 +4906,8 @@ Options:
 function pct(rate) {
   return `${(rate * 100).toFixed(2)}%`;
 }
-async function run14(ctx) {
-  const { values: values2 } = parseArgs15({
+async function run15(ctx) {
+  const { values: values2 } = parseArgs16({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -4112,7 +4915,7 @@ async function run14(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage14);
+    ctx.out.log(usage15);
     return;
   }
   const metrics = await ctx.out.step(
@@ -4141,21 +4944,20 @@ async function run14(ctx) {
 var statsCommand = {
   name: "stats",
   summary: "Show system-wide overview metrics",
-  usage: usage14,
-  run: run14
+  usage: usage15,
+  run: run15
 };
 
 // src/commands/studio.ts
-import { spawn as spawn2 } from "child_process";
 import { createReadStream, existsSync as existsSync9, readFileSync as readFileSync5, statSync as statSync2 } from "fs";
-import { createServer } from "http";
+import { createServer as createServer2 } from "http";
 import { extname, join as join9, normalize, resolve as resolve2, sep as sep3 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { parseArgs as parseArgs17 } from "util";
+import { parseArgs as parseArgs18 } from "util";
 
 // src/commands/studio-admin.ts
-import { parseArgs as parseArgs16 } from "util";
-import { password as passwordPrompt, text as text2 } from "@clack/prompts";
+import { parseArgs as parseArgs17 } from "util";
+import { password as passwordPrompt, text as text3 } from "@clack/prompts";
 
 // ../../node_modules/.pnpm/postgres@3.4.9/node_modules/postgres/src/index.js
 import os from "os";
@@ -4461,7 +5263,7 @@ function values(first, rest, parameters, types2, options) {
   const columns = rest.length ? rest.flat() : Object.keys(multi ? first[0] : first);
   return valuesBuilder(multi ? first : [first], parameters, types2, columns, options);
 }
-function select(first, rest, parameters, types2, options) {
+function select2(first, rest, parameters, types2, options) {
   typeof first === "string" && (first = [first].concat(rest));
   if (Array.isArray(first))
     return escapeIdentifiers(first, options);
@@ -4478,10 +5280,10 @@ var builders = Object.entries({
     const x = values(...xs);
     return x === "()" ? "(null)" : x;
   },
-  select,
-  as: select,
-  returning: select,
-  "\\(": select,
+  select: select2,
+  as: select2,
+  returning: select2,
+  "\\(": select2,
   update(first, rest, parameters, types2, options) {
     return (rest.length ? rest.flat() : Object.keys(first)).map(
       (x) => escapeIdentifier(options.transform.column.to ? options.transform.column.to(x) : x) + "=" + stringifyValue("values", first[x], parameters, types2, options)
@@ -8829,7 +9631,7 @@ var PgText = class extends PgColumn {
     return "text";
   }
 };
-function text(a, b2 = {}) {
+function text2(a, b2 = {}) {
   const { name, config } = getColumnNameAndConfig(a, b2);
   return new PgTextBuilder(name, config);
 }
@@ -9151,7 +9953,7 @@ function getPgColumnBuilders() {
     serial,
     smallint,
     smallserial,
-    text,
+    text: text2,
     time,
     timestamp,
     uuid,
@@ -10160,14 +10962,14 @@ var PgDialect = class {
     const offsetSql = offset ? sql` offset ${offset}` : void 0;
     return sql`${leftChunk}${operatorChunk}${rightChunk}${orderBySql}${limitSql}${offsetSql}`;
   }
-  buildInsertQuery({ table, values: valuesOrSelect, onConflict, returning, withList, select: select2, overridingSystemValue_ }) {
+  buildInsertQuery({ table, values: valuesOrSelect, onConflict, returning, withList, select: select3, overridingSystemValue_ }) {
     const valuesSqlList = [];
     const columns = table[Table.Symbol.Columns];
     const colEntries = Object.entries(columns).filter(([_, col]) => !col.shouldDisableInsert());
     const insertOrder = colEntries.map(
       ([, column]) => sql.identifier(this.casing.getColumnCasing(column))
     );
-    if (select2) {
+    if (select3) {
       const select22 = valuesOrSelect;
       if (is(select22, SQL)) {
         valuesSqlList.push(select22);
@@ -11740,10 +12542,10 @@ var PgSelectBase = class extends PgSelectQueryBuilderBase {
 applyMixins(PgSelectBase, [QueryPromise]);
 function createSetOperator(type, isAll) {
   return (leftSelect, rightSelect, ...restSelects) => {
-    const setOperators = [rightSelect, ...restSelects].map((select2) => ({
+    const setOperators = [rightSelect, ...restSelects].map((select3) => ({
       type,
       isAll,
-      rightSelect: select2
+      rightSelect: select3
     }));
     for (const setOperator of setOperators) {
       if (!haveSameKeys(leftSelect.getSelectedFields(), setOperator.rightSelect.getSelectedFields())) {
@@ -11799,7 +12601,7 @@ var QueryBuilder = class {
   };
   with(...queries) {
     const self = this;
-    function select2(fields) {
+    function select3(fields) {
       return new PgSelectBuilder({
         fields: fields ?? void 0,
         session: void 0,
@@ -11823,7 +12625,7 @@ var QueryBuilder = class {
         distinct: { on }
       });
     }
-    return { select: select2, selectDistinct, selectDistinctOn };
+    return { select: select3, selectDistinct, selectDistinctOn };
   }
   select(fields) {
     return new PgSelectBuilder({
@@ -12012,21 +12814,21 @@ var PgInsertBuilder = class {
     ).setToken(this.authToken);
   }
   select(selectQuery) {
-    const select2 = typeof selectQuery === "function" ? selectQuery(new QueryBuilder()) : selectQuery;
-    if (!is(select2, SQL) && !haveSameKeys(this.table[Columns], select2._.selectedFields)) {
+    const select3 = typeof selectQuery === "function" ? selectQuery(new QueryBuilder()) : selectQuery;
+    if (!is(select3, SQL) && !haveSameKeys(this.table[Columns], select3._.selectedFields)) {
       throw new Error(
         "Insert select error: selected fields are not the same or are in a different order compared to the table definition"
       );
     }
-    return new PgInsertBase(this.table, select2, this.session, this.dialect, this.withList, true);
+    return new PgInsertBase(this.table, select3, this.session, this.dialect, this.withList, true);
   }
 };
 var PgInsertBase = class extends QueryPromise {
-  constructor(table, values2, session2, dialect, withList, select2, overridingSystemValue_) {
+  constructor(table, values2, session2, dialect, withList, select3, overridingSystemValue_) {
     super();
     this.session = session2;
     this.dialect = dialect;
-    this.config = { table, values: values2, withList, select: select2, overridingSystemValue_ };
+    this.config = { table, values: values2, withList, select: select3, overridingSystemValue_ };
   }
   static [entityKind] = "PgInsert";
   config;
@@ -12729,7 +13531,7 @@ var PgDatabase = class {
    */
   with(...queries) {
     const self = this;
-    function select2(fields) {
+    function select3(fields) {
       return new PgSelectBuilder({
         fields: fields ?? void 0,
         session: self.session,
@@ -12764,7 +13566,7 @@ var PgDatabase = class {
     function delete_(table) {
       return new PgDeleteBase(table, self.session, self.dialect, queries);
     }
-    return { select: select2, selectDistinct, selectDistinctOn, update, insert, delete: delete_ };
+    return { select: select3, selectDistinct, selectDistinctOn, update, insert, delete: delete_ };
   }
   select(fields) {
     return new PgSelectBuilder({
@@ -13342,6 +14144,7 @@ __export(schema_exports, {
   memberRelations: () => memberRelations,
   organization: () => organization,
   organizationRelations: () => organizationRelations,
+  providerCredentials: () => providerCredentials,
   session: () => session,
   sessionRelations: () => sessionRelations,
   trackedLinks: () => trackedLinks,
@@ -13427,7 +14230,7 @@ var alertRules = pgTable(
   "alert_rules",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    name: text("name").notNull(),
+    name: text2("name").notNull(),
     type: alertRuleTypeEnum("type").notNull(),
     threshold: jsonb("threshold").$type().notNull(),
     channel: alertChannelEnum("channel").notNull(),
@@ -13452,8 +14255,8 @@ var alertHistory = pgTable(
     id: uuid("id").defaultRandom().primaryKey(),
     alertRuleId: uuid("alert_rule_id").notNull().references(() => alertRules.id),
     payload: jsonb("payload").$type(),
-    deliveryStatus: text("delivery_status").notNull(),
-    error: text("error"),
+    deliveryStatus: text2("delivery_status").notNull(),
+    error: text2("error"),
     ...timestamps
   },
   (table) => [
@@ -13467,12 +14270,12 @@ var apiKeys = pgTable(
   "api_keys",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
-    name: text("name").notNull(),
-    keyPrefix: text("key_prefix").notNull(),
-    keyHash: text("key_hash").notNull().unique(),
+    organizationId: text2("organization_id"),
+    name: text2("name").notNull(),
+    keyPrefix: text2("key_prefix").notNull(),
+    keyHash: text2("key_hash").notNull().unique(),
     scopes: jsonb("scopes").$type().notNull().default(["read"]),
-    createdBy: text("created_by"),
+    createdBy: text2("created_by"),
     lastUsedAt: timestamp("last_used_at", { withTimezone: true }),
     revokedAt: timestamp("revoked_at", { withTimezone: true }),
     expiresAt: timestamp("expires_at", { withTimezone: true }),
@@ -13489,13 +14292,13 @@ var auditLogs = pgTable(
   "audit_logs",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    actor: text("actor").notNull(),
+    actor: text2("actor").notNull(),
     actorKeyId: uuid("actor_key_id"),
-    action: text("action").notNull(),
-    resource: text("resource").notNull(),
-    resourceId: text("resource_id"),
+    action: text2("action").notNull(),
+    resource: text2("resource").notNull(),
+    resourceId: text2("resource_id"),
     detail: jsonb("detail").$type(),
-    ipAddress: text("ip_address"),
+    ipAddress: text2("ip_address"),
     ...timestamps
   },
   (table) => [
@@ -13507,71 +14310,71 @@ var auditLogs = pgTable(
 
 // ../db/src/schema/auth.ts
 var user = pgTable("user", {
-  id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  email: text("email").notNull().unique(),
+  id: text2("id").primaryKey(),
+  name: text2("name").notNull(),
+  email: text2("email").notNull().unique(),
   emailVerified: boolean("email_verified").notNull().default(false),
-  image: text("image"),
+  image: text2("image"),
   ...timestamps
 });
 var session = pgTable("session", {
-  id: text("id").primaryKey(),
+  id: text2("id").primaryKey(),
   expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
-  token: text("token").notNull().unique(),
-  ipAddress: text("ip_address"),
-  userAgent: text("user_agent"),
-  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
-  activeOrganizationId: text("active_organization_id"),
+  token: text2("token").notNull().unique(),
+  ipAddress: text2("ip_address"),
+  userAgent: text2("user_agent"),
+  userId: text2("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  activeOrganizationId: text2("active_organization_id"),
   ...timestamps
 });
 var account = pgTable("account", {
-  id: text("id").primaryKey(),
-  accountId: text("account_id").notNull(),
-  providerId: text("provider_id").notNull(),
-  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
-  accessToken: text("access_token"),
-  refreshToken: text("refresh_token"),
-  idToken: text("id_token"),
+  id: text2("id").primaryKey(),
+  accountId: text2("account_id").notNull(),
+  providerId: text2("provider_id").notNull(),
+  userId: text2("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  accessToken: text2("access_token"),
+  refreshToken: text2("refresh_token"),
+  idToken: text2("id_token"),
   accessTokenExpiresAt: timestamp("access_token_expires_at", {
     withTimezone: true
   }),
   refreshTokenExpiresAt: timestamp("refresh_token_expires_at", {
     withTimezone: true
   }),
-  scope: text("scope"),
-  password: text("password"),
+  scope: text2("scope"),
+  password: text2("password"),
   ...timestamps
 });
 var verification = pgTable("verification", {
-  id: text("id").primaryKey(),
-  identifier: text("identifier").notNull(),
-  value: text("value").notNull(),
+  id: text2("id").primaryKey(),
+  identifier: text2("identifier").notNull(),
+  value: text2("value").notNull(),
   expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
   ...timestamps
 });
 var organization = pgTable("organization", {
-  id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  slug: text("slug").unique(),
-  logo: text("logo"),
-  metadata: text("metadata"),
+  id: text2("id").primaryKey(),
+  name: text2("name").notNull(),
+  slug: text2("slug").unique(),
+  logo: text2("logo"),
+  metadata: text2("metadata"),
   ...timestamps
 });
 var member = pgTable("member", {
-  id: text("id").primaryKey(),
-  organizationId: text("organization_id").notNull().references(() => organization.id, { onDelete: "cascade" }),
-  userId: text("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
-  role: text("role").notNull().default("member"),
+  id: text2("id").primaryKey(),
+  organizationId: text2("organization_id").notNull().references(() => organization.id, { onDelete: "cascade" }),
+  userId: text2("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  role: text2("role").notNull().default("member"),
   ...timestamps
 });
 var invitation = pgTable("invitation", {
-  id: text("id").primaryKey(),
-  organizationId: text("organization_id").notNull().references(() => organization.id, { onDelete: "cascade" }),
-  email: text("email").notNull(),
-  role: text("role"),
-  status: text("status").notNull().default("pending"),
+  id: text2("id").primaryKey(),
+  organizationId: text2("organization_id").notNull().references(() => organization.id, { onDelete: "cascade" }),
+  email: text2("email").notNull(),
+  role: text2("role"),
+  status: text2("status").notNull().default("pending"),
   expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
-  inviterId: text("inviter_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+  inviterId: text2("inviter_id").notNull().references(() => user.id, { onDelete: "cascade" }),
   ...timestamps
 });
 
@@ -13580,12 +14383,12 @@ var bucketConfigs = pgTable(
   "bucket_configs",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    bucketId: text("bucket_id").notNull(),
+    bucketId: text2("bucket_id").notNull(),
     enabled: boolean("enabled").notNull().default(true),
     // Stable hash of the normalized ConditionEval, written at boot. Diffed on the
     // next boot to detect a CRITERIA CHANGE and enqueue the re-evaluation job
     // (Section 6.6 B). Nullable until the first registration.
-    criteriaHash: text("criteria_hash"),
+    criteriaHash: text2("criteria_hash"),
     ...timestamps
   },
   (table) => [uniqueIndex("bucket_configs_bucket_id_idx").on(table.bucketId)]
@@ -13597,13 +14400,13 @@ var bucketMemberships = pgTable(
   {
     id: uuid("id").defaultRandom().primaryKey(),
     // multi-tenant insurance (nullable today, NOT in the unique key — see note)
-    organizationId: text("organization_id"),
+    organizationId: text2("organization_id"),
     // logical join to contacts.externalId — NO FK (matches userEvents /
     // journeyStates; membership rows can predate a contacts row).
-    userId: text("user_id").notNull(),
-    userEmail: text("user_email"),
+    userId: text2("user_id").notNull(),
+    userEmail: text2("user_email"),
     // denormalized so emitted events carry it
-    bucketId: text("bucket_id").notNull(),
+    bucketId: text2("bucket_id").notNull(),
     status: bucketMembershipStatusEnum("status").notNull().default("active"),
     enteredAt: timestamp("entered_at", { withTimezone: true }).defaultNow().notNull(),
     leftAt: timestamp("left_at", { withTimezone: true }),
@@ -13616,7 +14419,7 @@ var bucketMemberships = pgTable(
     maxDwellAt: timestamp("max_dwell_at", { withTimezone: true }),
     lastEvaluatedAt: timestamp("last_evaluated_at", { withTimezone: true }),
     entryCount: integer("entry_count").notNull().default(1),
-    source: text("source"),
+    source: text2("source"),
     // "event" | "reconcile" | "backfill" | "manual"
     context: jsonb("context").$type().default({}),
     // Per-membership dwell bookkeeping. JSON map keyed by dwellLabel → ISO of
@@ -13684,18 +14487,18 @@ var campaigns = pgTable(
   "campaigns",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
-    name: text("name").notNull(),
+    organizationId: text2("organization_id"),
+    name: text2("name").notNull(),
     // queued | sending | sent | failed
-    status: text("status").notNull().default("queued"),
+    status: text2("status").notNull().default("queued"),
     // "list" | "bucket"
-    audienceKind: text("audience_kind").notNull(),
+    audienceKind: text2("audience_kind").notNull(),
     // the list id (ListRegistry) or bucket id (BucketRegistry)
-    audienceId: text("audience_id").notNull(),
-    templateKey: text("template_key").notNull(),
+    audienceId: text2("audience_id").notNull(),
+    templateKey: text2("template_key").notNull(),
     props: jsonb("props").$type().default({}),
-    fromEmail: text("from_email"),
-    subject: text("subject"),
+    fromEmail: text2("from_email"),
+    subject: text2("subject"),
     /**
      * Optional client-supplied idempotency key (POST /v1/campaigns
      * `Idempotency-Key` header / body field). A retried create with the same key
@@ -13704,7 +14507,7 @@ var campaigns = pgTable(
      * idempotency key, double-sending the blast). Uniqueness is enforced by the
      * partial-unique index below (NULL keys are unconstrained).
      */
-    idempotencyKey: text("idempotency_key"),
+    idempotencyKey: text2("idempotency_key"),
     totalRecipients: integer("total_recipients").notNull().default(0),
     sentCount: integer("sent_count").notNull().default(0),
     skippedCount: integer("skipped_count").notNull().default(0),
@@ -13728,7 +14531,7 @@ var contacts = pgTable(
   "contacts",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
+    organizationId: text2("organization_id"),
     /**
      * Stable external/distinct id (= the `user_id` text key joined by every
      * contact-referencing table). NULLABLE since D1: contacts can be email-only
@@ -13737,21 +14540,21 @@ var contacts = pgTable(
      * — a soft-deleted loser row must be able to keep its stale external_id
      * until a merge re-points it.
      */
-    externalId: text("external_id"),
-    email: text("email"),
+    externalId: text2("external_id"),
+    email: text2("email"),
     /**
      * Stable anonymous/distinct id for the future anonymous→identified path.
      * NULLABLE. Like external_id, uniqueness is enforced by a partial-unique
      * index scoped to live, non-deleted rows.
      */
-    anonymousId: text("anonymous_id"),
+    anonymousId: text2("anonymous_id"),
     /**
      * Opportunistic IANA-timezone cache (e.g. "America/New_York"). Populated
      * best-effort when a tz is resolved from PostHog person props. PostHog and
      * `properties` jsonb remain authoritative sources — this column sits below
      * them in the resolution precedence, so nothing is blocked on it.
      */
-    timezone: text("timezone"),
+    timezone: text2("timezone"),
     properties: jsonb("properties").$type().default({}),
     firstSeenAt: timestamp("first_seen_at", { withTimezone: true }).defaultNow().notNull(),
     lastSeenAt: timestamp("last_seen_at", { withTimezone: true }).defaultNow().notNull(),
@@ -13782,15 +14585,15 @@ var contactAliases = pgTable(
     // The SURVIVOR a stale key resolves TO.
     contactId: uuid("contact_id").notNull().references(() => contacts.id, { onDelete: "cascade" }),
     // 'email' | 'external' | 'anonymous'
-    aliasKind: text("alias_kind").notNull(),
+    aliasKind: text2("alias_kind").notNull(),
     // The stale key value (the loser's old external_id / normalized email /
     // anonymous_id).
-    aliasValue: text("alias_value").notNull(),
+    aliasValue: text2("alias_value").notNull(),
     // Provenance: the loser contact id this alias came from (nullable — a
     // 'promote' alias may have no distinct loser row).
     fromContactId: uuid("from_contact_id"),
     // 'merge' | 'promote'
-    reason: text("reason").notNull(),
+    reason: text2("reason").notNull(),
     ...timestamps
   },
   (table) => [
@@ -13808,10 +14611,10 @@ var deadLetterQueue = pgTable(
   "dead_letter_queue",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    source: text("source").notNull(),
-    sourceId: text("source_id"),
+    source: text2("source").notNull(),
+    sourceId: text2("source_id"),
     payload: jsonb("payload").$type().notNull(),
-    error: text("error").notNull(),
+    error: text2("error").notNull(),
     retryCount: integer("retry_count").notNull().default(0),
     status: dlqStatusEnum("status").notNull().default("pending"),
     retriedAt: timestamp("retried_at", { withTimezone: true }),
@@ -13829,8 +14632,8 @@ var emailPreferences = pgTable(
   "email_preferences",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    userId: text("user_id").notNull(),
-    email: text("email").notNull(),
+    userId: text2("user_id").notNull(),
+    email: text2("email").notNull(),
     unsubscribedAll: boolean("unsubscribed_all").notNull().default(false),
     suppressed: boolean("suppressed").notNull().default(false),
     bounceCount: integer("bounce_count").notNull().default(0),
@@ -13852,15 +14655,15 @@ var journeyStates = pgTable(
   "journey_states",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
-    userId: text("user_id").notNull(),
-    userEmail: text("user_email").notNull(),
-    journeyId: text("journey_id").notNull(),
-    currentNodeId: text("current_node_id").notNull(),
+    organizationId: text2("organization_id"),
+    userId: text2("user_id").notNull(),
+    userEmail: text2("user_email").notNull(),
+    journeyId: text2("journey_id").notNull(),
+    currentNodeId: text2("current_node_id").notNull(),
     status: journeyStatusEnum("status").notNull().default("active"),
-    hatchetRunId: text("hatchet_run_id"),
+    hatchetRunId: text2("hatchet_run_id"),
     context: jsonb("context").$type().default({}),
-    errorMessage: text("error_message"),
+    errorMessage: text2("error_message"),
     entryCount: integer("entry_count").notNull().default(1),
     completedAt: timestamp("completed_at", { withTimezone: true }),
     exitedAt: timestamp("exited_at", { withTimezone: true }),
@@ -13898,19 +14701,19 @@ var emailSends = pgTable(
   "email_sends",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
+    organizationId: text2("organization_id"),
     journeyStateId: uuid("journey_state_id").references(() => journeyStates.id),
     // Denormalized recipient identity, set at send time. Lets reporting attribute
     // a send to a contact without joining journey_states, and captures journeyless
     // (raw/batch) sends that have no journey linkage. Both nullable.
-    userId: text("user_id"),
-    userEmail: text("user_email"),
-    templateKey: text("template_key"),
-    messageId: text("message_id"),
-    fromEmail: text("from_email").notNull(),
-    toEmail: text("to_email").notNull(),
-    subject: text("subject").notNull(),
-    category: text("category"),
+    userId: text2("user_id"),
+    userEmail: text2("user_email"),
+    templateKey: text2("template_key"),
+    messageId: text2("message_id"),
+    fromEmail: text2("from_email").notNull(),
+    toEmail: text2("to_email").notNull(),
+    subject: text2("subject").notNull(),
+    category: text2("category"),
     status: emailSendStatusEnum("status").notNull().default("queued"),
     sentAt: timestamp("sent_at", { withTimezone: true }),
     deliveredAt: timestamp("delivered_at", { withTimezone: true }),
@@ -13919,13 +14722,13 @@ var emailSends = pgTable(
     bouncedAt: timestamp("bounced_at", { withTimezone: true }),
     complainedAt: timestamp("complained_at", { withTimezone: true }),
     // Bounce classification from the Resend webhook (hard/soft/transient + reason).
-    bounceType: text("bounce_type"),
-    bounceReason: text("bounce_reason"),
+    bounceType: text2("bounce_type"),
+    bounceReason: text2("bounce_reason"),
     // Caller-supplied idempotency key (POST /v1/emails). A retry with the same
     // key short-circuits to the prior send instead of dispatching a duplicate —
     // mirrors the user_events idempotency pattern. Nullable: journey/system sends
     // don't set it.
-    idempotencyKey: text("idempotency_key"),
+    idempotencyKey: text2("idempotency_key"),
     // Free-form per-send annotations. Set ONLY by test-mode redirected sends
     // today — `{ testMode: true, originalTo: <real recipient> }` — so Studio can
     // flag a TEST row and show who the mail was REALLY for. Nullable: normal
@@ -13961,8 +14764,8 @@ var importJobs = pgTable(
   "import_jobs",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    fileName: text("file_name"),
-    format: text("format").notNull(),
+    fileName: text2("file_name"),
+    format: text2("format").notNull(),
     status: importJobStatusEnum("status").notNull().default("pending"),
     totalRows: integer("total_rows"),
     processedRows: integer("processed_rows").notNull().default(0),
@@ -13978,7 +14781,7 @@ var journeyConfigs = pgTable(
   "journey_configs",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    journeyId: text("journey_id").notNull(),
+    journeyId: text2("journey_id").notNull(),
     enabled: boolean("enabled").notNull().default(true),
     ...timestamps
   },
@@ -13993,9 +14796,9 @@ var journeyLogs = pgTable(
   {
     id: uuid("id").defaultRandom().primaryKey(),
     journeyStateId: uuid("journey_state_id").notNull().references(() => journeyStates.id, { onDelete: "cascade" }),
-    fromNodeId: text("from_node_id"),
-    toNodeId: text("to_node_id"),
-    action: text("action").notNull(),
+    fromNodeId: text2("from_node_id"),
+    toNodeId: text2("to_node_id"),
+    action: text2("action").notNull(),
     detail: jsonb("detail").$type(),
     ...timestamps
   },
@@ -14010,12 +14813,12 @@ var trackedLinks = pgTable(
   {
     id: uuid("id").defaultRandom().primaryKey(),
     emailSendId: uuid("email_send_id").notNull().references(() => emailSends.id, { onDelete: "cascade" }),
-    originalUrl: text("original_url").notNull(),
+    originalUrl: text2("original_url").notNull(),
     clickCount: integer("click_count").notNull().default(0),
     // Semantic link metadata, lifted from the template's data-hs-* attributes
     // at send time. NULL for plain tracked links. `event` is the consumer event
     // name emitted at click time; `eventProperties` its scalar payload.
-    event: text("event"),
+    event: text2("event"),
     eventProperties: jsonb("event_properties").$type(),
     // Set exactly once by the click route when the semantic event is emitted —
     // the per-link emit-once gate today, and the provisional-then-confirm
@@ -14034,8 +14837,8 @@ var linkClicks = pgTable(
   {
     id: uuid("id").defaultRandom().primaryKey(),
     trackedLinkId: uuid("tracked_link_id").notNull().references(() => trackedLinks.id, { onDelete: "cascade" }),
-    ipAddress: text("ip_address"),
-    userAgent: text("user_agent"),
+    ipAddress: text2("ip_address"),
+    userAgent: text2("user_agent"),
     clickedAt: timestamp("clicked_at", { withTimezone: true }).defaultNow().notNull()
   },
   (table) => [
@@ -14044,16 +14847,40 @@ var linkClicks = pgTable(
   ]
 );
 
+// ../db/src/schema/provider-credentials.ts
+var providerCredentials = pgTable(
+  "provider_credentials",
+  {
+    id: uuid("id").defaultRandom().primaryKey(),
+    // e.g. "posthog" — matches an AnalyticsProvider meta.id by convention,
+    // but deliberately NOT foreign-keyed: providers are code-defined.
+    providerId: text2("provider_id").notNull(),
+    // "oauth" today; "api_key" is the anticipated future kind.
+    kind: text2("kind").notNull().default("oauth"),
+    // Encrypted JSON: base64url(iv || ciphertext || gcmTag).
+    payload: text2("payload").notNull(),
+    ...timestamps
+  },
+  (table) => [
+    // unique-per-kind: one oauth credential per provider; a future api_key
+    // credential for the same provider coexists.
+    uniqueIndex("provider_credentials_provider_kind_idx").on(
+      table.providerId,
+      table.kind
+    )
+  ]
+);
+
 // ../db/src/schema/user-events.ts
 var userEvents = pgTable(
   "user_events",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
-    userId: text("user_id").notNull(),
-    event: text("event").notNull(),
+    organizationId: text2("organization_id"),
+    userId: text2("user_id").notNull(),
+    event: text2("event").notNull(),
     properties: jsonb("properties").$type(),
-    idempotencyKey: text("idempotency_key"),
+    idempotencyKey: text2("idempotency_key"),
     occurredAt: timestamp("occurred_at", { withTimezone: true }).defaultNow().notNull()
   },
   (table) => [
@@ -14074,15 +14901,15 @@ var webhookEndpoints = pgTable(
   "webhook_endpoints",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    organizationId: text("organization_id"),
-    url: text("url").notNull(),
-    description: text("description"),
+    organizationId: text2("organization_id"),
+    url: text2("url").notNull(),
+    description: text2("description"),
     // The delivery adapter selector. "webhook" (the default) is the signed
     // Standard-Webhooks POST that existing subscribers receive — byte-identical
     // to before this column existed. Any other value (e.g. "posthog") selects a
     // delivery-time TRANSFORM adapter that reuses the same durable delivery
     // machinery but rewrites url/headers/body for a vendor destination.
-    kind: text("kind").notNull().default("webhook"),
+    kind: text2("kind").notNull().default("webhook"),
     // Per-destination configuration for keyed adapters (e.g. PostHog's
     // `{ apiKey, host }`). Null for `kind="webhook"` (it reads `secret` instead).
     // Keyed destinations keep their credentials HERE, not in a fake `whsec_`.
@@ -14091,9 +14918,9 @@ var webhookEndpoints = pgTable(
     // Nullable: only `kind="webhook"` carries a signing secret; keyed
     // destinations authenticate via `config` and the webhook adapter is the only
     // reader of this column.
-    secret: text("secret"),
+    secret: text2("secret"),
     // e.g. "whsec_AbCd" — safe to show on list/get. Nullable alongside `secret`.
-    secretPrefix: text("secret_prefix"),
+    secretPrefix: text2("secret_prefix"),
     eventTypes: jsonb("event_types").$type().notNull().default([]),
     disabled: boolean("disabled").notNull().default(false),
     // written by the delivery task on a successful (2xx) delivery.
@@ -14114,13 +14941,13 @@ var webhookDeliveries = pgTable(
     id: uuid("id").defaultRandom().primaryKey(),
     endpointId: uuid("endpoint_id").notNull().references(() => webhookEndpoints.id, { onDelete: "cascade" }),
     // denormalized, nullable (MT deferred).
-    organizationId: text("organization_id"),
+    organizationId: text2("organization_id"),
     // == Webhook-Id header; ONE per logical event, shared across endpoints +
     // reused across retries.
-    webhookId: text("webhook_id").notNull(),
-    eventType: text("event_type").notNull(),
+    webhookId: text2("webhook_id").notNull(),
+    eventType: text2("event_type").notNull(),
     // producer-side dedup (idempotencyKey/stateId/emailSendId/...).
-    dedupeKey: text("dedupe_key"),
+    dedupeKey: text2("dedupe_key"),
     // the EXACT signed envelope { id, type, timestamp, data }.
     payload: jsonb("payload").$type().notNull(),
     status: webhookDeliveryStatusEnum("status").notNull().default("pending"),
@@ -14129,9 +14956,9 @@ var webhookDeliveries = pgTable(
     lastAttemptAt: timestamp("last_attempt_at", { withTimezone: true }),
     responseStatus: integer("response_status"),
     // truncated to ≤1KB in app.
-    responseBodySnippet: text("response_body_snippet"),
+    responseBodySnippet: text2("response_body_snippet"),
     deliveredAt: timestamp("delivered_at", { withTimezone: true }),
-    lastError: text("last_error"),
+    lastError: text2("last_error"),
     ...timestamps
   },
   (table) => [
@@ -14539,7 +15366,7 @@ Examples:
 Security: passwords are written ONLY via better-auth (scrypt) \u2014 never raw SQL,
 never plaintext at rest, never logged. Prefer the masked prompt over --password.`;
 function parseAdminFlags(argv) {
-  const { values: values2 } = parseArgs16({
+  const { values: values2 } = parseArgs17({
     args: argv,
     allowPositionals: true,
     strict: false,
@@ -14588,7 +15415,7 @@ async function resolveEmail(ctx, flags, defaultEmail) {
     ctx.out.fail("--email is required (no TTY to prompt).");
   }
   const value = bail(
-    await text2({
+    await text3({
       message: "Admin email",
       placeholder: defaultEmail ?? "admin@example.com",
       initialValue: defaultEmail,
@@ -14740,7 +15567,7 @@ async function runStudioAdmin(ctx, argv) {
 }
 
 // src/commands/studio.ts
-var usage15 = `hogsend studio [options]
+var usage16 = `hogsend studio [options]
 
 Subcommands:
   admin create | reset | list   Shell-gated Studio admin recovery (DB + secret).
@@ -14818,24 +15645,12 @@ function indexHtml(distPath, baseUrl) {
   }
   return `${inject}${raw}`;
 }
-function openBrowser(url) {
-  const platform = process.platform;
-  const cmd = platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
-  const args = platform === "win32" ? ["/c", "start", "", url] : [url];
-  try {
-    const child = spawn2(cmd, args, { stdio: "ignore", detached: true });
-    child.on("error", () => {
-    });
-    child.unref();
-  } catch {
-  }
-}
-async function run15(ctx) {
+async function run16(ctx) {
   if (ctx.argv[0] === "admin") {
     await runStudioAdmin(ctx, ctx.argv.slice(1));
     return;
   }
-  const { values: values2, positionals } = parseArgs17({
+  const { values: values2, positionals } = parseArgs18({
     args: ctx.argv,
     allowPositionals: true,
     strict: false,
@@ -14848,7 +15663,7 @@ async function run15(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage15);
+    ctx.out.log(usage16);
     return;
   }
   const port = Number(values2.port ?? "3333");
@@ -14866,7 +15681,7 @@ async function run15(ctx) {
   }
   const cleanBase = baseUrl ? baseUrl.replace(/\/+$/, "") : void 0;
   const index2 = indexHtml(distPath, cleanBase);
-  const server = createServer((req, res) => {
+  const server = createServer2((req, res) => {
     const urlPath = decodeURIComponent((req.url ?? "/").split("?")[0] ?? "/");
     const rel = urlPath.replace(/^\/studio/, "");
     if (rel === "" || rel === "/") {
@@ -14934,17 +15749,17 @@ async function run15(ctx) {
 var studioCommand = {
   name: "studio",
   summary: "Serve the bundled Hogsend Studio admin SPA locally",
-  usage: usage15,
-  run: run15
+  usage: usage16,
+  run: run16
 };
 
 // src/commands/upgrade.ts
 import { spawnSync as spawnSync4 } from "child_process";
 import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
 import { join as join10 } from "path";
-import { parseArgs as parseArgs18 } from "util";
-import { confirm as confirm3 } from "@clack/prompts";
-var usage16 = `hogsend upgrade [--cwd <dir>] [--pm <pnpm|npm|yarn|bun>] [options]
+import { parseArgs as parseArgs19 } from "util";
+import { confirm as confirm4 } from "@clack/prompts";
+var usage17 = `hogsend upgrade [--cwd <dir>] [--pm <pnpm|npm|yarn|bun>] [options]
 
 Upgrade a scaffolded Hogsend app in one step:
   1. bump every @hogsend/* dependency to latest (or --to <version>), then
@@ -14980,8 +15795,8 @@ function hogsendDeps(cwd) {
 function addArgs(pm, specs) {
   return [pm === "npm" ? "install" : "add", ...specs];
 }
-async function run16(ctx) {
-  const { values: values2 } = parseArgs18({
+async function run17(ctx) {
+  const { values: values2 } = parseArgs19({
     args: ctx.argv,
     allowPositionals: true,
     options: {
@@ -14995,7 +15810,7 @@ async function run16(ctx) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage16);
+    ctx.out.log(usage17);
     return;
   }
   if (values2["deps-only"] && values2["skills-only"]) {
@@ -15039,7 +15854,7 @@ async function run16(ctx) {
       doSkills ? "refresh .claude/skills" : null
     ].filter(Boolean).join(" + ");
     const proceed = bail(
-      await confirm3({ message: `Upgrade ${color.cyan(cwd)}: ${plan}?` })
+      await confirm4({ message: `Upgrade ${color.cyan(cwd)}: ${plan}?` })
     );
     if (!proceed) {
       ctx.out.outro(color.dim("Nothing changed."));
@@ -15120,12 +15935,12 @@ async function run16(ctx) {
 var upgradeCommand = {
   name: "upgrade",
   summary: "Bump @hogsend/* deps to latest + refresh vendored skills",
-  usage: usage16,
-  run: run16
+  usage: usage17,
+  run: run17
 };
 
 // src/commands/webhooks.ts
-import { parseArgs as parseArgs19 } from "util";
+import { parseArgs as parseArgs20 } from "util";
 var WEBHOOK_EVENT_TYPES = [
   "contact.created",
   "contact.updated",
@@ -15142,7 +15957,7 @@ var WEBHOOK_EVENT_TYPES = [
   "bucket.entered",
   "bucket.left"
 ];
-var usage17 = `hogsend webhooks <subcommand> [options]
+var usage18 = `hogsend webhooks <subcommand> [options]
 
 Manage outbound webhook endpoints \u2014 the Svix-style signed event stream Hogsend
 emits to your URLs. Wraps the admin routes (/v1/admin/webhooks), so this command
@@ -15232,7 +16047,7 @@ ${color.bold(secret)}`,
   );
 }
 async function runList5(ctx, argv) {
-  const { values: values2 } = parseArgs19({
+  const { values: values2 } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: {
@@ -15243,7 +16058,7 @@ async function runList5(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const query = {
@@ -15292,13 +16107,13 @@ function renderEndpoint(ctx, ep, title) {
   );
 }
 async function runGet3(ctx, argv) {
-  const { values: values2, positionals } = parseArgs19({
+  const { values: values2, positionals } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: { help: { type: "boolean", short: "h", default: false } }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const id = positionals[0];
@@ -15323,7 +16138,7 @@ async function runGet3(ctx, argv) {
   ctx.out.outro(`${res.url} \u2192 ${res.status}`);
 }
 async function runCreate2(ctx, argv) {
-  const { values: values2 } = parseArgs19({
+  const { values: values2 } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: {
@@ -15336,7 +16151,7 @@ async function runCreate2(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const url = values2.url;
@@ -15370,7 +16185,7 @@ async function runCreate2(ctx, argv) {
   ctx.out.outro(`${color.green("Created")} ${res.id} \u2192 ${res.url}`);
 }
 async function runUpdate(ctx, argv) {
-  const { values: values2, positionals } = parseArgs19({
+  const { values: values2, positionals } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: {
@@ -15384,7 +16199,7 @@ async function runUpdate(ctx, argv) {
     }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const id = positionals[0];
@@ -15425,13 +16240,13 @@ async function runUpdate(ctx, argv) {
   ctx.out.outro(`${color.green("Updated")} ${res.id} \u2192 ${res.status}`);
 }
 async function runDelete(ctx, argv) {
-  const { values: values2, positionals } = parseArgs19({
+  const { values: values2, positionals } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: { help: { type: "boolean", short: "h", default: false } }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const id = positionals[0];
@@ -15455,13 +16270,13 @@ async function runDelete(ctx, argv) {
   ctx.out.outro(`${color.green("Deleted")} ${id}`);
 }
 async function runRotate(ctx, argv) {
-  const { values: values2, positionals } = parseArgs19({
+  const { values: values2, positionals } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: { help: { type: "boolean", short: "h", default: false } }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const id = positionals[0];
@@ -15490,13 +16305,13 @@ async function runRotate(ctx, argv) {
   );
 }
 async function runTest(ctx, argv) {
-  const { values: values2, positionals } = parseArgs19({
+  const { values: values2, positionals } = parseArgs20({
     args: argv,
     allowPositionals: true,
     options: { help: { type: "boolean", short: "h", default: false } }
   });
   if (values2.help) {
-    ctx.out.log(usage17);
+    ctx.out.log(usage18);
     return;
   }
   const id = positionals[0];
@@ -15522,7 +16337,7 @@ async function runTest(ctx, argv) {
     `${color.green("Enqueued")} a ${color.cyan(res.eventType)} delivery to ${id}.`
   );
 }
-async function run17(ctx) {
+async function run18(ctx) {
   const sub = ctx.argv[0];
   switch (sub) {
     case "list":
@@ -15553,8 +16368,8 @@ async function run17(ctx) {
 var webhooksCommand = {
   name: "webhooks",
   summary: "Manage outbound webhook endpoints (create, rotate, test)",
-  usage: usage17,
-  run: run17
+  usage: usage18,
+  run: run18
 };
 
 // src/commands/index.ts
@@ -15568,6 +16383,7 @@ var commands = [
   campaignsCommand,
   webhooksCommand,
   domainCommand,
+  connectCommand,
   hatchetCommand,
   studioCommand,
   devCommand,