@hs-x/cli 0.1.0

package/dist/commands/deploy.js

@@ -0,0 +1,2764 @@
+import { spawn } from 'node:child_process';
+import { createHash, randomBytes } from 'node:crypto';
+import { cp, mkdir, mkdtemp, readFile, readdir, stat, writeFile } from 'node:fs/promises';
+import { createServer } from 'node:http';
+import { tmpdir } from 'node:os';
+import { basename, dirname, join, relative, resolve } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { cloudflareResourceName, generateHubSpotRuntimeProject, generateProjectArtifacts, planPortalSchemaManagement, renderAlchemyProgram, renderCloudflareWorkerEntrypoint, } from '@hs-x/codegen';
+import { loadCreateControlPlane } from '../control-plane-loader.js';
+import { HttpClientRequest, Schema, schemas } from '@hs-x/types';
+import { validateProject } from '@hs-x/validator';
+import { Effect } from 'effect';
+import { isLinked } from '../account-store.js';
+import { resolveCloudflareCredentials } from '../cloudflare-kv.js';
+import { DEFAULT_CONTROL_PLANE_URL, formatConfigUrl, loadCliConfig, resolveControlPlaneUrl, } from '../config.js';
+import { CLI_VERSION } from '../constants.js';
+import { controlPlaneAuthHeaders } from '../control-plane-fetch.js';
+import { executeCliHttp } from '../effect-http.js';
+import { createDeployHubSpotDeveloperClient } from '../hubspot-developer-client.js';
+import { hydrateAncestorEnv } from '../load-env.js';
+import { getMachineId } from '../machine-id.js';
+import { cachePath } from '../paths.js';
+import { isInteractive, promptConfirm, promptMultiSelect, promptSelect, promptText, } from '../prompt.js';
+import { createReporter } from '../reporter/index.js';
+import { ensureTenantStateStore, preflightTenantStateCredentials, } from '../tenant-state.js';
+import { deployPromoteCommand, requestControlPlaneDeployPromotion } from './deploy-promote.js';
+async function hostedHttp(input) {
+    const headers = { ...(input.headers ?? {}) };
+    let request = HttpClientRequest.make(input.method ?? 'GET')(input.url).pipe(HttpClientRequest.setHeaders(headers));
+    if (input.body !== undefined) {
+        headers['content-type'] = headers['content-type'] ?? 'application/json';
+        request = request.pipe(HttpClientRequest.setHeaders(headers), HttpClientRequest.bodyText(typeof input.body === 'string' ? input.body : JSON.stringify(input.body), headers['content-type']));
+    }
+    return executeCliHttp(request);
+}
+async function resolveAccountIdOrPrompt(input) {
+    const fromFlag = resolveFlag(input.argv, '--account-id') ?? process.env.HSX_ACCOUNT_ID;
+    if (fromFlag && fromFlag.length > 0)
+        return { accountId: fromFlag, fromPrompt: false };
+    const { loadStore } = await import('../account-store.js');
+    const store = await loadStore();
+    const ids = Object.keys(store.accounts);
+    if (ids.length === 0)
+        return { fromPrompt: false };
+    const defaultId = store.defaultAccountId;
+    // Non-interactive, --json, or --yes: accept the configured default rather than
+    // silently degrading to "no account picked" — that path led deploy to exit 0
+    // after building artifacts only, looking like success.
+    const yes = input.argv.includes('--yes') || input.argv.includes('-y');
+    if (input.json || !isInteractive() || yes) {
+        if (defaultId && ids.includes(defaultId)) {
+            return { accountId: defaultId, fromPrompt: false };
+        }
+        return { fromPrompt: false };
+    }
+    const picked = await promptSelect({
+        message: `Which HS-X account for ${input.purpose}?`,
+        ...(defaultId && ids.includes(defaultId) ? { default: defaultId } : {}),
+        options: ids.map((id) => {
+            const a = store.accounts[id];
+            return {
+                value: id,
+                label: id,
+                description: a
+                    ? `portal ${a.hubspotPortalId} — ${a.displayName}${id === defaultId ? ' (default)' : ''}`
+                    : '',
+            };
+        }),
+    });
+    return picked ? { accountId: picked, fromPrompt: true } : { fromPrompt: false };
+}
+function missingAccountIdError(input) {
+    const code = 'HSX_E_INPUT_MISSING_ACCOUNT_ID';
+    const message = 'Missing --account-id.';
+    const hint = isInteractive()
+        ? 'Run `hs-x accounts list` to see options, then pass --account-id or set HSX_ACCOUNT_ID.'
+        : 'Pass --account-id or set HSX_ACCOUNT_ID. (In a TTY you would be prompted.)';
+    if (input.json) {
+        write(`${JSON.stringify({
+            schema_version: 1,
+            command: input.command,
+            ok: false,
+            error: { code, message, hint },
+        }, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: input.command, argv: input.argv });
+        reporter.error(code, message, { hint, docs_url: `https://hs-x.dev/errors/${code}` });
+        reporter.done(undefined, 10);
+    }
+    return { exitCode: 10 };
+}
+async function promptMissingText(message, current, validate) {
+    if (current && current.length > 0)
+        return current;
+    const answer = await promptText({
+        message,
+        ...(validate ? { validate } : {}),
+    });
+    return answer === undefined ? undefined : answer;
+}
+/**
+ * Unlinked OAuth installs need the HubSpot app's client id + client secret so
+ * the deployed Worker's `/oauth-start` can complete the token exchange. Linked
+ * deploys read these from the control plane; unlinked supplies them via
+ * flag/env. When interactive, PROMPT for anything missing (only on the first
+ * worker, to avoid contending for stdin across the concurrent worker deploys)
+ * and persist answers to the environment so sibling workers reuse them — rather
+ * than the human having to know to pre-set the env vars, then silently shipping
+ * a Worker that 500s on /oauth-start (the run-006 papercut).
+ *
+ * We deliberately do NOT hard-fail on missing creds: the client secret is
+ * grabbed from the app's Auth page, which only exists once the first deploy has
+ * uploaded the app, so a bootstrap deploy legitimately has no secret yet. The
+ * post-deploy output points the user at that Auth URL to finish and re-deploy.
+ */
+async function resolveUnlinkedOAuthCredentials(input) {
+    // Only an interactive, unlinked OAuth, non-dry-run deploy prompts: linked
+    // reads the secret from the control plane, non-OAuth apps need none, a dry run
+    // never deploys, and non-interactive runs must supply creds via flag/env.
+    if (input.auth !== 'oauth' || input.linked || input.dryRun || !input.allowPrompt) {
+        return { clientId: input.hubSpotClientId, clientSecret: input.hubSpotClientSecret };
+    }
+    const clientId = await promptMissingText('HubSpot app client id (HSX_HUBSPOT_CLIENT_ID)', input.hubSpotClientId);
+    const clientSecret = await promptMissingText('HubSpot app client secret — copy it from the app’s Auth tab (it is not exposed via API)', input.hubSpotClientSecret);
+    if (clientId)
+        process.env.HSX_HUBSPOT_CLIENT_ID = clientId;
+    if (clientSecret)
+        process.env.HSX_HUBSPOT_CLIENT_SECRET = clientSecret;
+    return { clientId, clientSecret };
+}
+function missingProjectIdError(input) {
+    const code = 'HSX_E_INPUT_MISSING_PROJECT_ID';
+    const message = 'Missing --project-id.';
+    const hint = 'Pass --project-id, set HSX_PROJECT_ID, or add `name: "..."` to hsx.config.ts so we can derive it.';
+    if (input.json) {
+        write(`${JSON.stringify({
+            schema_version: 1,
+            command: input.command,
+            ok: false,
+            error: { code, message, hint },
+        }, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: input.command, argv: input.argv });
+        reporter.error(code, message, { hint, docs_url: `https://hs-x.dev/errors/${code}` });
+        reporter.done(undefined, 10);
+    }
+    return { exitCode: 10 };
+}
+function inputValidationError(input) {
+    if (input.json) {
+        write(`${JSON.stringify({
+            schema_version: 1,
+            command: input.command,
+            ok: false,
+            error: {
+                code: input.code,
+                message: input.message,
+                hint: input.hint,
+                detail: input.detail,
+            },
+        }, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: input.command, argv: input.argv });
+        reporter.error(input.code, input.message, {
+            hint: input.hint,
+            docs_url: `https://hs-x.dev/errors/${input.code}`,
+        });
+        reporter.done(undefined, 10);
+    }
+    return { exitCode: 10 };
+}
+async function readHsxConfigProjectId(root) {
+    try {
+        const contents = await readFile(join(root, 'hsx.config.ts'), 'utf8');
+        const appBody = callObjectBody(contents, 'defineApp') ?? contents;
+        const name = stringPropertyValue(appBody, 'name');
+        return name ? toProjectId(name) : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function readHsxConfigHeartbeat(root) {
+    try {
+        const contents = await readFile(join(root, 'hsx.config.ts'), 'utf8');
+        const appBody = callObjectBody(contents, 'defineApp') ?? contents;
+        return booleanPropertyValue(appBody, 'heartbeat');
+    }
+    catch {
+        return undefined;
+    }
+}
+function toProjectId(value) {
+    return value
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9_-]+/g, '-')
+        .replace(/^-+|-+$/g, '');
+}
+function cancelledResult(argv, command) {
+    const reporter = createReporter({ command, argv });
+    reporter.info('Cancelled.');
+    return { exitCode: 130 };
+}
+async function waitForHealthyControlPlaneDrift({ controlPlaneUrl, projectId, deployId, userId, timeoutMs, }) {
+    const startedAt = Date.now();
+    let lastState = 'unknown';
+    let lastReason;
+    do {
+        const response = await hostedHttp({
+            url: new URL(`/v1/projects/${encodeURIComponent(projectId)}/drift`, controlPlaneUrl),
+            headers: await controlPlaneAuthHeaders(userId),
+        });
+        const body = await response.json().catch(() => undefined);
+        if (response.ok) {
+            const drift = Schema.decodeUnknownSync(schemas.DriftRead)(body);
+            lastState = drift.state;
+            lastReason = drift.reason;
+            if (drift.deployId === deployId && drift.state === 'healthy') {
+                return drift;
+            }
+            if (drift.deployId === deployId &&
+                (drift.state === 'unknown_code' ||
+                    drift.state === 'resource_missing' ||
+                    drift.state === 'billing_untrusted')) {
+                throw new Error(`Deploy ${deployId} cannot be promoted; drift state is ${drift.state}${drift.reason ? `: ${drift.reason}` : ''}.`);
+            }
+        }
+        else if (response.status !== 404) {
+            throw new Error(isRecord(body) && typeof body.message === 'string'
+                ? body.message
+                : `Control-plane drift status failed with status ${response.status}`);
+        }
+        await sleep(1000);
+    } while (Date.now() - startedAt < timeoutMs);
+    throw new Error(`Timed out waiting for deploy ${deployId} to become healthy; latest drift state was ${lastState}${lastReason ? `: ${lastReason}` : ''}.`);
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null;
+}
+export async function deployCommand({ argv, root, json, }) {
+    if (argv[1] === 'promote') {
+        return deployPromoteCommand({ argv, json });
+    }
+    // bun only auto-loads .env/.env.local from the CWD; when deploying from a
+    // nested app dir, pull in a repo-root .env.local (CLOUDFLARE_ACCOUNT_ID, etc.)
+    // so the deploy doesn't fail for vars that are set at the root.
+    hydrateAncestorEnv(root);
+    const planOnly = argv.includes('--plan') || argv.includes('--dry-run');
+    const buildOnly = argv.includes('--build-only');
+    const hubspotOnly = argv.includes('--hubspot-only');
+    const explicitHubspotUpload = argv.includes('--hubspot-upload') || argv.includes('--local-hubspot-upload');
+    const localHubspotUpload = argv.includes('--local-hubspot-upload');
+    const hubspotUploadOnly = argv.includes('--hubspot-upload-only') || argv.includes('--skip-deploy');
+    const cloudflareDeploy = argv.includes('--cloudflare-deploy');
+    const cloudflareDryRun = argv.includes('--cloudflare-dry-run');
+    const explicitCloudflareDeployRequested = cloudflareDeploy || cloudflareDryRun;
+    const noManageSchema = argv.includes('--no-manage-schema');
+    const localControlPlane = argv.includes('--local-control-plane');
+    const recordLocal = argv.includes('--record-local');
+    const promoteWhenHealthy = argv.includes('--promote-when-healthy');
+    const applySchema = argv.includes('--apply-schema');
+    const heartbeatFlag = argv.includes('--heartbeat');
+    const noHeartbeat = argv.includes('--no-heartbeat');
+    const shouldRecordControlPlane = recordLocal || promoteWhenHealthy;
+    const explicitControlPlaneUrl = resolveFlag(argv, '--control-plane-url');
+    const controlPlaneUrl = explicitControlPlaneUrl ?? (planOnly ? undefined : process.env.HSX_CONTROL_PLANE_URL);
+    const linked = await isLinked();
+    const machineId = await getMachineId();
+    const userId = resolveFlag(argv, '--user-id') ?? process.env.HSX_USER_ID ?? 'local-cli-user';
+    const resolvedAcct = await resolveAccountIdOrPrompt({
+        argv,
+        json,
+        purpose: 'this deploy',
+    });
+    const accountId = resolvedAcct.accountId;
+    const explicitProjectId = resolveFlag(argv, '--project-id') ?? process.env.HSX_PROJECT_ID;
+    let projectId = explicitProjectId;
+    const validation = await validateProject({ root });
+    const workers = await discoverWorkerManifests(root, { noManageSchema });
+    const app = await readHsxAppConfig(root);
+    const configHeartbeat = await readHsxConfigHeartbeat(root);
+    if (!projectId) {
+        projectId = await readHsxConfigProjectId(root);
+    }
+    const needsRuntime = workers.some((worker) => worker.capabilities.some((capability) => capability.runtimeNeeds.some((need) => need !== 'hubspot-only')));
+    const cloudflareDeployRequested = !buildOnly &&
+        (explicitCloudflareDeployRequested || (!planOnly && needsRuntime && !explicitHubspotUpload));
+    const hubspotUploadRequested = !buildOnly && (explicitHubspotUpload || (!planOnly && !cloudflareDryRun && Boolean(projectId)));
+    const portalSchemaRead = await readPortalSchema(argv, workers);
+    const portalSchemaPlan = portalSchemaRead
+        ? planPortalSchemaManagement({ workers, observed: portalSchemaRead.observed })
+        : undefined;
+    const willChangeAnything = !planOnly &&
+        (applySchema ||
+            shouldRecordControlPlane ||
+            hubspotUploadRequested ||
+            cloudflareDeployRequested ||
+            Boolean(controlPlaneUrl));
+    const flagYes = argv.includes('--yes') || argv.includes('-y');
+    if (!projectId && (controlPlaneUrl || shouldRecordControlPlane || promoteWhenHealthy)) {
+        if (!projectId && !json && isInteractive()) {
+            const answer = await promptText({
+                message: 'HS-X project id',
+                default: basename(root),
+                validate: (value) => (value.length > 0 ? undefined : 'Project id is required.'),
+            });
+            if (answer === undefined)
+                return cancelledResult(argv, 'deploy');
+            projectId = answer;
+        }
+    }
+    if (!json && willChangeAnything && !flagYes && isInteractive()) {
+        const summary = buildDeployPlanSummary({
+            accountId,
+            projectId,
+            workers,
+            portalSchemaPlan,
+            applySchema,
+            hubspotUpload: hubspotUploadRequested,
+            cloudflareDeployRequested,
+            cloudflareDryRun,
+            controlPlaneUrl,
+            shouldRecordControlPlane,
+            promoteWhenHealthy,
+        });
+        const reporter = createReporter({ command: 'deploy', argv });
+        reporter.header(basename(root));
+        reporter.block(summary);
+        const confirm = await promptConfirm({
+            message: 'Apply this plan?',
+            default: false,
+        });
+        if (confirm === undefined || confirm === false) {
+            return cancelledResult(argv, 'deploy');
+        }
+    }
+    const portalSchemaApply = applySchema
+        ? await applyPortalSchemaPlan({
+            argv,
+            plan: portalSchemaPlan,
+            source: portalSchemaRead?.source,
+        })
+        : undefined;
+    const manifest = await generateProjectArtifacts({
+        root,
+        workers,
+        appObjects: app.appObjects,
+        appObjectAssociations: app.appObjectAssociations,
+        appEvents: app.appEvents,
+    });
+    const shouldCreateControlPlaneRequest = !hubspotOnly && Boolean(accountId);
+    let controlPlaneRequest;
+    let resolvedProjectId = projectId;
+    if (shouldCreateControlPlaneRequest && !(explicitHubspotUpload && accountId && !projectId)) {
+        if (!accountId) {
+            return missingAccountIdError({ argv, command: 'deploy', json });
+        }
+        // projectId is only required when actually building a control-plane request.
+        // Fall back to `name` from hsx.config.ts so a user with `account set` +
+        // --yes doesn't need to repeat --project-id.
+        if (!resolvedProjectId) {
+            resolvedProjectId = await readHsxConfigProjectId(root);
+        }
+        if (!resolvedProjectId) {
+            return missingProjectIdError({ argv, command: 'deploy', json });
+        }
+        try {
+            const app = await readHsxAppConfig(root);
+            controlPlaneRequest = Schema.decodeUnknownSync(schemas.DeployPlanRequest)({
+                accountId,
+                projectId: resolvedProjectId,
+                manifest,
+                ...(app.billing ? { billing: app.billing } : {}),
+            });
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            return inputValidationError({
+                argv,
+                command: 'deploy',
+                json,
+                code: 'HSX_E_INPUT_INVALID_DEPLOY_PLAN',
+                message: 'Deploy plan request failed validation.',
+                hint: 'Check --account-id and --project-id, and that `.hs-x/manifest.json` is well-formed.',
+                detail,
+            });
+        }
+    }
+    const controlPlanePlan = localControlPlane && controlPlaneRequest
+        ? await requestLocalControlPlaneDeployPlan(controlPlaneRequest)
+        : controlPlaneUrl && controlPlaneRequest
+            ? await requestHostedControlPlaneDeployPlan({
+                request: controlPlaneRequest,
+                controlPlaneUrl,
+                userId,
+            })
+            : !buildOnly && !hubspotOnly && projectId
+                ? createUnlinkedDeployPlan({
+                    projectId,
+                    machineId,
+                    manifest,
+                    workers,
+                })
+                : undefined;
+    const controlPlaneBackedPlan = Boolean(controlPlanePlan && controlPlaneRequest && (localControlPlane || controlPlaneUrl));
+    const unlinkedDeployPlan = Boolean(controlPlanePlan && !controlPlaneBackedPlan);
+    if (controlPlanePlan) {
+        await writeFile(join(root, '.hs-x', 'alchemy.run.ts'), renderAlchemyProgram({
+            hsXAccountId: controlPlanePlan.accountId,
+            projectId: controlPlanePlan.projectId,
+            deployId: controlPlanePlan.deployId,
+            workers,
+        }));
+    }
+    const cloudflareDeployResult = cloudflareDeployRequested && !planOnly && validation.ok && controlPlanePlan
+        ? await executeCloudflareDeploy({
+            argv,
+            root,
+            workers,
+            controlPlanePlan,
+            userId,
+            machineId,
+            heartbeatEnabled: noHeartbeat
+                ? false
+                : controlPlaneBackedPlan
+                    ? configHeartbeat !== false
+                    : heartbeatFlag || configHeartbeat === true,
+            ...(controlPlaneBackedPlan && controlPlaneUrl ? { controlPlaneUrl } : {}),
+            dryRun: cloudflareDryRun,
+        })
+        : undefined;
+    const localRecordResult = shouldRecordControlPlane && controlPlaneRequest && controlPlanePlan
+        ? localControlPlane
+            ? await requestLocalControlPlaneDeployRecordAndMaybePromote({
+                request: controlPlaneRequest,
+                plan: controlPlanePlan,
+                promoteWhenHealthy,
+            })
+            : controlPlaneUrl
+                ? await requestHostedControlPlaneDeployRecordAndMaybePromote({
+                    request: controlPlaneRequest,
+                    plan: controlPlanePlan,
+                    controlPlaneUrl,
+                    userId,
+                    promoteWhenHealthy,
+                    promotionTimeoutMs: Number(resolveFlag(argv, '--promotion-timeout-ms') ?? '60000'),
+                })
+                : undefined
+        : undefined;
+    const controlPlaneRecord = localRecordResult?.record;
+    const controlPlaneDrift = localRecordResult?.drift;
+    const controlPlanePromotion = localRecordResult?.promotion;
+    if (hubspotUploadRequested && validation.ok) {
+        await ensureHubSpotRuntimeProjectArtifacts({
+            argv,
+            root,
+            app,
+            workers,
+            cloudflareDeployResult,
+            needsRuntime,
+            ...(controlPlanePlan ? { controlPlanePlan } : {}),
+        });
+    }
+    const hubspotUploadResult = hubspotUploadRequested &&
+        !planOnly &&
+        validation.ok &&
+        !(hubspotOnly && needsRuntime) &&
+        (!needsRuntime ||
+            hubspotOnly ||
+            cloudflareDeployRequested ||
+            resolveFlag(argv, '--runtime-origin'))
+        ? await executeHubSpotOnlyUpload({
+            argv,
+            root,
+            local: localHubspotUpload,
+            uploadOnly: hubspotUploadOnly,
+        })
+        : undefined;
+    // Everything that gates a healthy deploy *except* the HubSpot upload, so we
+    // can tell a total failure apart from "the Cloudflare worker is live but the
+    // HubSpot upload failed". The CF deploy runs first and stands on its own, so
+    // a later upload failure must not erase that the worker is serving traffic.
+    const preHubSpotOk = validation.ok &&
+        !(hubspotOnly && needsRuntime) &&
+        !(portalSchemaPlan && portalSchemaPlan.errors.length > 0) &&
+        !((localControlPlane || Boolean(controlPlaneUrl && controlPlaneRequest)) &&
+            !controlPlanePlan) &&
+        !(!planOnly && cloudflareDeployRequested && !cloudflareDeployResult);
+    const hubspotUploadFailed = !planOnly && hubspotUploadRequested && !hubspotUploadResult;
+    const cloudflareDeployed = !planOnly && cloudflareDeployRequested && Boolean(cloudflareDeployResult);
+    // A live worker with only the HubSpot upload failing: not a clean success,
+    // but distinct from total failure so callers don't tear down a good worker.
+    const partial = preHubSpotOk && hubspotUploadFailed && cloudflareDeployed;
+    const plan = {
+        ok: preHubSpotOk && !hubspotUploadFailed,
+        partial,
+        command: 'deploy',
+        linkState: linked ? 'linked' : 'unlinked',
+        machineId,
+        mode: hubspotUploadResult
+            ? localHubspotUpload
+                ? 'local-hubspot-upload'
+                : 'hubspot-upload'
+            : cloudflareDeployResult
+                ? cloudflareDryRun
+                    ? 'cloudflare-dry-run'
+                    : 'cloudflare-deploy'
+                : buildOnly
+                    ? 'build-only'
+                    : localControlPlane
+                        ? 'local-control-plane-plan'
+                        : controlPlaneBackedPlan && controlPlaneUrl
+                            ? 'control-plane-plan'
+                            : planOnly
+                                ? 'plan'
+                                : 'local-artifacts',
+        root,
+        hubspotOnly,
+        needsRuntime,
+        manifest,
+        controlPlaneRequest,
+        controlPlanePlan,
+        unlinkedDeployPlan,
+        controlPlaneRecord,
+        controlPlaneDrift,
+        controlPlanePromotion,
+        cloudflareDeploy: cloudflareDeployResult,
+        hubspotUpload: hubspotUploadResult,
+        portalSchemaSource: portalSchemaRead?.source,
+        portalSchemaPlan,
+        portalSchemaApply,
+        diagnostics: validation.diagnostics,
+    };
+    if (json) {
+        write(`${JSON.stringify(plan, null, 2)}\n`);
+    }
+    else {
+        renderDeployHuman({
+            argv,
+            plan,
+            root,
+            planOnly,
+            workers,
+            portalSchemaPlan,
+            portalSchemaApply,
+            needsRuntime,
+            hubspotOnly,
+            hubspotUpload: hubspotUploadRequested,
+            cloudflareDeployRequested,
+            cloudflareDryRun,
+            validation,
+            controlPlaneRequest,
+            controlPlanePlan,
+            unlinkedDeployPlan,
+            controlPlaneRecord,
+            controlPlanePromotion,
+            cloudflareDeployResult,
+            hubspotUploadResult,
+            linked,
+            machineId,
+        });
+    }
+    // Record tenant state + emit the deploy event whenever the worker is actually
+    // live — including the partial case (HubSpot upload failed) — so a successful
+    // Cloudflare deploy is never silently dropped.
+    if ((plan.ok || plan.partial) && !linked && cloudflareDeployResult && !cloudflareDryRun) {
+        await recordTenantDeployState({
+            argv,
+            root,
+            machineId,
+            deploy: cloudflareDeployResult,
+            plan: controlPlanePlan,
+            environment: resolveFlag(argv, '--env') ?? resolveFlag(argv, '--environment') ?? 'production',
+        });
+        await emitAnonymousDeployEvent({
+            argv,
+            machineId,
+            projectId: controlPlanePlan?.projectId ?? projectId,
+            deployId: cloudflareDeployResult.deployId,
+            workerUrl: cloudflareDeployResult.workers.find((worker) => worker.url)?.url,
+            environment: resolveFlag(argv, '--env') ?? resolveFlag(argv, '--environment') ?? 'production',
+        });
+    }
+    // 0 = clean, 20 = partial (worker live, HubSpot upload failed — distinct so
+    // automation doesn't treat a serving worker as a total failure), 1 = failure.
+    return { exitCode: plan.ok ? 0 : plan.partial ? 20 : 1 };
+}
+function buildDeployPlanSummary(input) {
+    const lines = ['', 'Planned changes:'];
+    const capCount = input.workers.reduce((c, w) => c + w.capabilities.length, 0);
+    if (input.accountId)
+        lines.push(`  account:        ${input.accountId}`);
+    if (input.projectId)
+        lines.push(`  project:        ${input.projectId}`);
+    lines.push(`  workers:        ${input.workers.length} (${capCount} capabilities)`);
+    if (input.applySchema && input.portalSchemaPlan) {
+        const adds = input.portalSchemaPlan.actions.filter((item) => item.kind === 'will-create-object' || item.kind === 'will-create-property').length;
+        const updates = input.portalSchemaPlan.actions.filter((item) => item.kind === 'will-alter-property').length;
+        lines.push(`  portal schema:  apply (+${adds}, ~${updates})`);
+    }
+    else if (input.portalSchemaPlan && input.portalSchemaPlan.actions.length > 0) {
+        lines.push(`  portal schema:  ${input.portalSchemaPlan.actions.length} pending (preview only)`);
+    }
+    if (input.controlPlaneUrl) {
+        lines.push(`  control plane:  ${input.controlPlaneUrl}`);
+    }
+    if (input.shouldRecordControlPlane) {
+        lines.push(`  record:         yes${input.promoteWhenHealthy ? ' + promote-when-healthy' : ''}`);
+    }
+    if (input.cloudflareDeployRequested) {
+        lines.push(`  cloudflare:     ${input.cloudflareDryRun ? 'dry-run' : 'deploy'}`);
+    }
+    if (input.hubspotUpload)
+        lines.push('  hubspot upload: yes');
+    return lines.join('\n');
+}
+function createUnlinkedDeployPlan(input) {
+    const deployId = `deploy_${toProjectId(input.projectId)}_${Math.floor(Date.now() / 1000)}_${randomBytes(3).toString('hex').slice(0, 4)}`;
+    const ownerId = `local_${input.machineId.slice(2, 10)}`;
+    const manifestHash = `sha256:${createHash('sha256')
+        .update(JSON.stringify(input.manifest))
+        .digest('hex')
+        .slice(0, 16)}`;
+    return Schema.decodeUnknownSync(schemas.DeployPlanResponse)({
+        deployId,
+        accountId: ownerId,
+        projectId: input.projectId,
+        plannedAt: new Date().toISOString(),
+        manifestHash,
+        compatibility: 'first-deploy',
+        resources: {
+            hsXAccountId: ownerId,
+            workerNames: input.workers.map((worker) => cloudflareResourceName({
+                hsXAccountId: Schema.decodeSync(schemas.AccountId)(ownerId),
+                projectId: Schema.decodeSync(schemas.ProjectId)(input.projectId),
+                deployId: Schema.decodeSync(schemas.DeployId)(deployId),
+            }, `${input.projectId}-${worker.name}`)),
+        },
+        runtimeBindings: {
+            oauthCallbackPath: '/oauth-callback',
+            hubSpotOAuthClientIdBinding: 'HSX_HUBSPOT_CLIENT_ID',
+            hubSpotOAuthClientSecretBinding: 'HSX_HUBSPOT_CLIENT_SECRET',
+        },
+        leases: [],
+    });
+}
+async function emitAnonymousDeployEvent(input) {
+    const endpoint = new URL(`/v1/machines/${encodeURIComponent(input.machineId)}/events`, resolveControlPlaneUrl(input.argv));
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 350);
+    try {
+        await fetch(endpoint, {
+            method: 'POST',
+            signal: controller.signal,
+            headers: { 'content-type': 'application/json', accept: 'application/json' },
+            body: JSON.stringify({
+                schema_version: 1,
+                event: 'deploy.succeeded',
+                cli_version: CLI_VERSION,
+                ...(input.projectId ? { project_id: input.projectId } : {}),
+                deploy_id: input.deployId,
+                environment: input.environment,
+                ...(input.workerUrl ? { worker_url: input.workerUrl } : {}),
+                timestamp: new Date().toISOString(),
+            }),
+        });
+    }
+    catch {
+        // Anonymous events are best-effort and must never affect deploy success.
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+async function recordTenantDeployState(input) {
+    if (!input.plan)
+        return;
+    const { pointer, stateStore } = await ensureTenantStateStore({
+        argv: input.argv,
+        root: input.root,
+    });
+    const now = new Date().toISOString();
+    const existingOwnerMeta = await stateStore.getOwnerMeta();
+    await stateStore.putOwnerMeta(Schema.decodeUnknownSync(schemas.LocalOwnerMeta)({
+        ownerId: pointer.ownerId,
+        createdAt: existingOwnerMeta?.createdAt ?? now,
+        updatedAt: now,
+        machineId: existingOwnerMeta?.machineId ?? input.machineId,
+    }));
+    await stateStore.recordDeploy(Schema.decodeUnknownSync(schemas.LocalDeployEntry)({
+        ownerId: pointer.ownerId,
+        projectId: input.plan.projectId,
+        deployId: input.deploy.deployId,
+        environment: input.environment,
+        machineId: input.machineId,
+        manifestHash: input.plan.manifestHash,
+        workerNames: input.deploy.workers.map((worker) => worker.workerName),
+        workerUrls: input.deploy.workers.flatMap((worker) => (worker.url ? [worker.url] : [])),
+        status: 'deployed',
+        createdAt: now,
+        updatedAt: now,
+    }));
+    await stateStore.setActive(Schema.decodeUnknownSync(schemas.LocalActiveDeploy)({
+        ownerId: pointer.ownerId,
+        projectId: input.plan.projectId,
+        deployId: input.deploy.deployId,
+        environment: input.environment,
+        updatedAt: now,
+    }));
+}
+function renderDeployHuman(input) {
+    const reporter = createReporter({
+        command: 'deploy',
+        argv: input.argv,
+    });
+    const subject = basename(input.root);
+    reporter.header(subject);
+    const capCount = input.workers.reduce((c, w) => c + w.capabilities.length, 0);
+    reporter
+        .step('Validating project')
+        .ok(`${input.workers.length} workers, ${capCount} capabilities`);
+    const sources = input.workers.flatMap((worker) => worker.capabilities.flatMap((capability) => capability.kind === 'sync' && capability.source
+        ? [
+            `${capability.source.name} (${capability.source.kind}${capability.source.kind === 'push'
+                ? `, ${capability.source.webhookPath}`
+                : `, ${capability.schedule ?? 'manual'}`})`,
+        ]
+        : []));
+    if (sources.length > 0)
+        reporter.info(`Sources: ${sources.join(', ')}`);
+    const syncSchemaModes = input.workers.flatMap((worker) => worker.capabilities.flatMap((capability) => capability.kind === 'sync' ? [`${capability.id}: ${capability.manageSchema ?? false}`] : []));
+    if (syncSchemaModes.length > 0) {
+        reporter.info(`Portal schema management: ${syncSchemaModes.join(', ')}`);
+    }
+    if (input.portalSchemaPlan) {
+        reporter.info(renderPortalSchemaPlan(input.portalSchemaPlan).trimEnd());
+    }
+    if (input.portalSchemaApply) {
+        reporter.info(renderPortalSchemaApply(input.portalSchemaApply).trimEnd());
+    }
+    reporter.info(`Runtime: ${input.needsRuntime ? 'Cloudflare Worker required' : 'HubSpot-only compatible'}`);
+    if (input.hubspotOnly && input.needsRuntime) {
+        reporter.warn('HSX_W_DEPLOY_HUBSPOT_ONLY_INCOMPATIBLE', 'Cannot use --hubspot-only because at least one capability has a runtime handler.');
+    }
+    if (input.hubspotUpload && !input.hubspotOnly && !input.cloudflareDeployRequested) {
+        reporter.warn('HSX_W_DEPLOY_HUBSPOT_UPLOAD_WITHOUT_RUNTIME_DEPLOY', 'HubSpot upload requested without --cloudflare-deploy; runtime endpoints may still point at an older Worker.');
+    }
+    if (input.validation.diagnostics.length > 0) {
+        for (const d of input.validation.diagnostics)
+            reporter.info(formatDiagnostic(d));
+    }
+    if (input.controlPlaneRequest) {
+        const projectId = input.controlPlaneRequest.projectId;
+        reporter.info(`Control plane: ready to POST /v1/deploys/plan for ${projectId}`);
+    }
+    if (input.controlPlanePlan) {
+        reporter.info(input.unlinkedDeployPlan
+            ? `Unlinked deploy id: ${input.controlPlanePlan.deployId}`
+            : `Control plane deploy id: ${input.controlPlanePlan.deployId}`);
+        if (input.controlPlanePlan.sharedCloudflareQuota) {
+            reporter.info(`Shared Cloudflare quota: ${input.controlPlanePlan.sharedCloudflareQuota.visibleSiblingAccountIds.join(', ')}`);
+        }
+        reporter.info(`Leases: ${input.controlPlanePlan.leases.length}`);
+    }
+    if (input.controlPlaneRecord) {
+        reporter.info(`Local control plane record status: ${input.controlPlaneRecord.status}`);
+    }
+    if (input.controlPlanePromotion) {
+        reporter.info(`Promoted deploy: ${input.controlPlanePromotion.promoted.deployId}`);
+    }
+    if (input.cloudflareDeployResult) {
+        const deployed = input.cloudflareDeployResult.workers
+            .map((worker) => `${worker.workerName}${worker.dryRun ? ' (dry-run)' : ''}`)
+            .join(', ');
+        reporter.info(`Cloudflare deploy: ${deployed}`);
+    }
+    if (!input.linked && input.cloudflareDeployResult) {
+        reporter.info(`Machine dashboard: ${machineDashboardUrl(input.machineId)}`);
+    }
+    if (input.hubspotUploadResult) {
+        reporter.info(`HubSpot upload build id: ${input.hubspotUploadResult.buildId}`);
+        reporter.info(`HubSpot deploy id: ${input.hubspotUploadResult.deployId}`);
+        const authUrl = hubSpotAppAuthUrl(input.hubspotUploadResult);
+        if (!input.linked && authUrl) {
+            reporter.info(`App auth (grab client secret / configure install OAuth): ${authUrl}`);
+        }
+    }
+    reporter.info('Generated .hs-x/manifest.json and refs stubs.');
+    const firstWorkerUrl = input.cloudflareDeployResult?.workers.find((worker) => worker.url)?.url;
+    if (input.plan.partial) {
+        // The worker deployed; only the HubSpot upload failed. Say so loudly so the
+        // live worker isn't mistaken for a total failure despite the non-zero exit.
+        reporter.warn('HSX_W_DEPLOY_PARTIAL', `Cloudflare worker is live${firstWorkerUrl ? ` at ${firstWorkerUrl}` : ''}, but the HubSpot upload failed (see above). Exit code 20.`);
+    }
+    const doneMessage = input.planOnly
+        ? 'Planned'
+        : input.plan.partial
+            ? `Deployed to Cloudflare${firstWorkerUrl ? ` (${firstWorkerUrl})` : ''}; HubSpot upload failed`
+            : input.cloudflareDeployResult
+                ? input.linked
+                    ? `Deployed${firstWorkerUrl ? ` to ${firstWorkerUrl}` : ''}`
+                    : `Deployed (unlinked)${firstWorkerUrl ? ` to ${firstWorkerUrl}` : ''}; machine_id ${input.machineId}. Run \`hs-x link\` to claim this history.`
+                : input.hubspotUploadResult
+                    ? input.linked
+                        ? 'Deployed to HubSpot'
+                        : `Deployed (unlinked); machine_id ${input.machineId}. Run \`hs-x link\` to claim this history.`
+                    : 'Built artifacts';
+    reporter.done(doneMessage, input.plan.ok ? 0 : input.plan.partial ? 20 : 1);
+}
+function machineDashboardUrl(machineId) {
+    const base = process.env.HSX_DASHBOARD_URL ?? 'https://app.hs-x.dev';
+    return `${base.replace(/\/$/, '')}/m/${encodeURIComponent(machineId)}`;
+}
+/**
+ * The HubSpot developer-console URL for an uploaded app's auth tab, where a
+ * human grabs the client secret and configures install OAuth (HubSpot does not
+ * expose the secret via API). Requires the developer account id + the app uid;
+ * returns undefined when either is unknown (e.g. a control-plane lease deploy).
+ */
+function hubSpotAppAuthUrl(result) {
+    if (!result.developerAccountId || !result.appUid)
+        return undefined;
+    const base = process.env.HSX_HUBSPOT_APP_BASE_URL ?? 'https://app.hubspot.com';
+    return `${base.replace(/\/$/, '')}/developer-projects/${encodeURIComponent(result.developerAccountId)}/project/${encodeURIComponent(result.projectName)}/component/${encodeURIComponent(result.appUid)}/auth`;
+}
+function formatDiagnostic(d) {
+    if (d && typeof d === 'object') {
+        const obj = d;
+        return `${obj.code ?? 'diag'}: ${obj.message ?? JSON.stringify(d)}`;
+    }
+    return String(d);
+}
+async function readPortalSchema(argv, workers) {
+    const schemaPath = resolveFlag(argv, '--portal-schema-fixture');
+    const live = argv.includes('--portal-schema-live');
+    const local = argv.includes('--local-hubspot-schema');
+    if (schemaPath && (live || local)) {
+        throw new Error('Use only one of --portal-schema-fixture, --portal-schema-live, or --local-hubspot-schema.');
+    }
+    if (schemaPath) {
+        const value = JSON.parse(await readFile(resolve(schemaPath), 'utf8'));
+        if (!isRecord(value) || !Array.isArray(value.objects)) {
+            throw new Error('--portal-schema-fixture must point to JSON with an objects array.');
+        }
+        return { observed: value, source: 'fixture' };
+    }
+    if (!live && !local) {
+        return undefined;
+    }
+    return {
+        observed: await readLivePortalSchema(argv, workers, { local }),
+        source: local ? 'hubspot-local' : 'hubspot-live',
+    };
+}
+async function readLivePortalSchema(argv, workers, options) {
+    const client = await createDeployHubSpotDeveloperClient({
+        argv,
+        local: options.local,
+        allowedOperations: ['hubspot-schema-management'],
+    });
+    const targets = portalSchemaTargets(workers);
+    const schemas = await client.schemaManagement.listSchemas().catch(() => ({ results: [] }));
+    const schemaByName = new Map(schemas.results.flatMap((schema) => {
+        const name = hubSpotSchemaName(schema);
+        return name ? [[name, schema]] : [];
+    }));
+    const objects = [];
+    for (const objectType of targets) {
+        try {
+            const properties = await client.schemaManagement.listProperties({ objectType });
+            objects.push({
+                name: objectType,
+                properties: properties.results.map(toObservedPortalProperty),
+            });
+        }
+        catch {
+            const schema = schemaByName.get(objectType);
+            if (schema?.properties) {
+                objects.push({
+                    name: objectType,
+                    properties: schema.properties.map(toObservedPortalProperty),
+                });
+            }
+        }
+    }
+    return { objects };
+}
+function portalSchemaTargets(workers) {
+    const targets = new Set();
+    for (const worker of workers) {
+        for (const capability of worker.capabilities) {
+            if (capability.kind === 'sync' && capability.into && capability.schema) {
+                targets.add(capability.into);
+            }
+        }
+    }
+    return [...targets].sort();
+}
+function hubSpotSchemaName(schema) {
+    if (schema.name) {
+        return schema.name;
+    }
+    return schema.objectTypeId;
+}
+function toObservedPortalProperty(property) {
+    return {
+        name: property.name,
+        type: property.type,
+        ...(property.fieldType ? { fieldType: property.fieldType } : {}),
+    };
+}
+async function applyPortalSchemaPlan({ argv, plan, source, }) {
+    if (!plan) {
+        throw new Error('--apply-schema requires --portal-schema-live or --local-hubspot-schema.');
+    }
+    if (source === 'fixture') {
+        throw new Error('--apply-schema cannot apply a fixture schema plan. Use --portal-schema-live.');
+    }
+    if (plan.errors.length > 0) {
+        throw new Error('--apply-schema refused to run because the portal schema plan has errors.');
+    }
+    const local = source === 'hubspot-local';
+    const client = await createDeployHubSpotDeveloperClient({
+        argv,
+        local,
+        allowedOperations: ['hubspot-schema-management'],
+    });
+    const applied = [];
+    const skipped = [];
+    for (const action of plan.actions) {
+        if (action.kind === 'will-create-object') {
+            await client.schemaManagement.createSchema({
+                name: action.objectType,
+                labels: portalObjectLabels(action.objectType),
+            });
+            applied.push(`create-object:${action.objectType}`);
+            continue;
+        }
+        if (!action.propertyName || !action.declaredType) {
+            skipped.push(action.message);
+            continue;
+        }
+        if (action.kind === 'will-create-property') {
+            const fieldType = defaultHubSpotFieldType(action.declaredType);
+            await client.schemaManagement.createProperty({
+                objectType: action.objectType,
+                name: action.propertyName,
+                label: propertyLabel(action.propertyName),
+                type: action.declaredType,
+                ...(fieldType ? { fieldType } : {}),
+            });
+            applied.push(`create-property:${action.objectType}.${action.propertyName}`);
+            continue;
+        }
+        if (action.kind === 'will-alter-property') {
+            const fieldType = defaultHubSpotFieldType(action.declaredType);
+            await client.schemaManagement.updateProperty({
+                objectType: action.objectType,
+                propertyName: action.propertyName,
+                type: action.declaredType,
+                ...(fieldType ? { fieldType } : {}),
+            });
+            applied.push(`alter-property:${action.objectType}.${action.propertyName}`);
+        }
+    }
+    return {
+        source: local ? 'hubspot-local' : 'hubspot-live',
+        applied,
+        skipped,
+    };
+}
+function renderPortalSchemaPlan(plan) {
+    if (plan.items.length === 0) {
+        return 'Portal schema: no changes or warnings.\n';
+    }
+    const lines = ['Portal schema:'];
+    for (const item of plan.items) {
+        const prefix = item.kind === 'warning' ? 'WARN' : item.kind === 'error' ? 'ERROR' : 'PLAN';
+        lines.push(`${prefix}  ${item.message}`);
+    }
+    return `${lines.join('\n')}\n`;
+}
+function renderPortalSchemaApply(result) {
+    const lines = [`Portal schema apply (${result.source}):`];
+    for (const applied of result.applied) {
+        lines.push(`APPLIED  ${applied}`);
+    }
+    for (const skipped of result.skipped) {
+        lines.push(`SKIPPED  ${skipped}`);
+    }
+    if (result.applied.length === 0 && result.skipped.length === 0) {
+        lines.push('APPLIED  no changes');
+    }
+    return `${lines.join('\n')}\n`;
+}
+function propertyLabel(propertyName) {
+    return propertyName
+        .split(/[_-]+/)
+        .filter(Boolean)
+        .map((part) => `${part.slice(0, 1).toUpperCase()}${part.slice(1)}`)
+        .join(' ');
+}
+function portalObjectLabels(objectType) {
+    const singular = propertyLabel(objectType.replace(/s$/, '')) || objectType;
+    return { singular, plural: propertyLabel(objectType) || objectType };
+}
+function defaultHubSpotFieldType(type) {
+    switch (type) {
+        case 'number':
+        case 'currency':
+            return 'number';
+        case 'date':
+        case 'datetime':
+            return 'date';
+        case 'enumeration':
+            return 'select';
+        case 'bool':
+        case 'boolean':
+            return 'booleancheckbox';
+        default:
+            return 'text';
+    }
+}
+async function executeCloudflareDeploy({ argv, root, workers, controlPlanePlan, controlPlaneUrl, userId, machineId, heartbeatEnabled, dryRun, }) {
+    // Fail fast on missing Cloudflare credentials BEFORE deploying any Worker, so
+    // an unlinked deploy can't leave a Worker live and then error on the
+    // tenant-state write for a missing account id.
+    if (!controlPlaneUrl && !dryRun) {
+        await preflightTenantStateCredentials({ argv, root });
+    }
+    const sourcePaths = await discoverWorkerSourcePaths(root);
+    const concurrency = Math.max(1, Math.min(4, workers.length));
+    const results = await Effect.runPromise(Effect.forEach(workers.map((worker, index) => ({ worker, index })), ({ worker, index }) => Effect.promise(() => executeCloudflareWorkerDeploy({
+        argv,
+        root,
+        worker,
+        index,
+        sourcePaths,
+        controlPlanePlan,
+        userId,
+        machineId,
+        heartbeatEnabled,
+        dryRun,
+        ...(controlPlaneUrl ? { controlPlaneUrl } : {}),
+    })), { concurrency }));
+    return {
+        deployId: controlPlanePlan.deployId,
+        workers: results,
+    };
+}
+async function executeCloudflareWorkerDeploy({ argv, root, worker, index, sourcePaths, controlPlanePlan, controlPlaneUrl, userId, machineId, heartbeatEnabled, dryRun, }) {
+    const workerSourcePath = sourcePaths.get(worker.name);
+    if (!workerSourcePath) {
+        throw new Error(`Could not find source file for worker ${worker.name}.`);
+    }
+    const workerName = controlPlanePlan.resources.workerNames[index];
+    if (!workerName) {
+        throw new Error(`Control-plane deploy plan did not include a Cloudflare name for ${worker.name}.`);
+    }
+    const entrypointPath = join(root, '.hs-x', 'cloudflare', `${fileSlug(worker.name)}.entry.ts`);
+    await mkdir(dirname(entrypointPath), { recursive: true });
+    const appConfig = await readHsxAppConfig(root);
+    const environment = resolveFlag(argv, '--env') ?? resolveFlag(argv, '--environment') ?? 'production';
+    const deployCliConfig = loadCliConfig(argv);
+    const runtimeControlPlaneUrl = formatConfigUrl(deployCliConfig.runtimeControlPlaneUrl ?? new URL(DEFAULT_CONTROL_PLANE_URL));
+    await writeFile(entrypointPath, renderCloudflareWorkerEntrypoint({
+        workerImportPath: relativeImportPath(dirname(entrypointPath), workerSourcePath),
+        ...(controlPlaneUrl && appConfig.billing
+            ? {
+                billing: {
+                    controlPlaneUrl: runtimeControlPlaneUrl,
+                    accountId: controlPlanePlan.accountId,
+                    projectId: controlPlanePlan.projectId,
+                    environment,
+                },
+            }
+            : {}),
+        ...(heartbeatEnabled
+            ? {
+                heartbeat: controlPlaneUrl
+                    ? {
+                        mode: 'linked',
+                        controlPlaneUrl: runtimeControlPlaneUrl,
+                        accountId: controlPlanePlan.accountId,
+                        hsXAccountId: controlPlanePlan.accountId,
+                        projectId: controlPlanePlan.projectId,
+                        deployId: controlPlanePlan.deployId,
+                        environment,
+                        manifestHash: controlPlanePlan.manifestHash,
+                    }
+                    : {
+                        mode: 'anonymous',
+                        controlPlaneUrl: formatConfigUrl(loadCliConfig(argv).runtimeControlPlaneUrl ??
+                            new URL(DEFAULT_CONTROL_PLANE_URL)),
+                        machineId,
+                        projectId: controlPlanePlan.projectId,
+                        deployId: controlPlanePlan.deployId,
+                        environment,
+                        manifestHash: controlPlanePlan.manifestHash,
+                    },
+            }
+            : {}),
+    }));
+    const compatibilityDate = resolveFlag(argv, '--compatibility-date') ?? new Date().toISOString().slice(0, 10);
+    const hubspotAppId = readOptionalHubSpotAppId(resolveFlag(argv, '--hubspot-app-id') ?? process.env.HSX_HUBSPOT_APP_ID);
+    const installRuntimeBinding = hubspotAppId
+        ? controlPlaneUrl
+            ? await ensureDeployInstallRuntimeBinding({
+                argv,
+                root,
+                controlPlaneUrl,
+                userId,
+                accountId: controlPlanePlan.accountId,
+                projectId: controlPlanePlan.projectId,
+                environment,
+                hubSpotAppId: hubspotAppId,
+                dryRun,
+            })
+            : await ensureTenantDeployInstallRuntimeBinding({
+                argv,
+                root,
+                ownerId: controlPlanePlan.accountId,
+                projectId: controlPlanePlan.projectId,
+                environment,
+                hubSpotAppId: hubspotAppId,
+                dryRun,
+            })
+        : undefined;
+    // ADR-015/ADR-014 tenant data plane — linked deploys only (codegen emits the
+    // options solely for heartbeat.mode==='linked'). Provisions the project D1 +
+    // flags KV + grant secret, persisting the scope + secret to local state so the
+    // leaveable `hs-x flags` CLI can sign without the control plane.
+    const tenantDataPlane = installRuntimeBinding && controlPlaneUrl && hubspotAppId && !dryRun
+        ? await ensureTenantDataPlane({
+            argv,
+            root,
+            accountId: controlPlanePlan.accountId,
+            projectId: controlPlanePlan.projectId,
+            environment,
+            hubSpotAppId: hubspotAppId,
+            install: installRuntimeBinding,
+            controlPlaneUrl,
+            userId,
+        })
+        : undefined;
+    const hubSpotOAuthSecret = hubspotAppId && controlPlaneUrl
+        ? await readDeployHubSpotOAuthSecret({
+            controlPlaneUrl,
+            userId,
+            accountId: controlPlanePlan.accountId,
+            projectId: controlPlanePlan.projectId,
+            environment,
+            hubSpotAppId: hubspotAppId,
+        })
+        : undefined;
+    const hubSpotClientId = hubSpotOAuthSecret?.clientId ??
+        resolveFlag(argv, '--hubspot-client-id') ??
+        process.env.HSX_HUBSPOT_CLIENT_ID;
+    // The client secret comes from the control plane when linked; unlinked it can
+    // be supplied directly so the deployed Worker can complete the install OAuth
+    // token exchange (otherwise /oauth-start 500s with "missing HSX_HUBSPOT_CLIENT_ID").
+    const hubSpotClientSecret = hubSpotOAuthSecret?.clientSecret ??
+        resolveFlag(argv, '--hubspot-client-secret') ??
+        process.env.HSX_HUBSPOT_CLIENT_SECRET;
+    // Interactively fill the unlinked OAuth client id/secret the deployed Worker
+    // needs for /oauth-start, instead of silently shipping a Worker that 500s.
+    const { clientId: resolvedHubSpotClientId, clientSecret: resolvedHubSpotClientSecret } = await resolveUnlinkedOAuthCredentials({
+        auth: appConfig.auth,
+        linked: Boolean(controlPlaneUrl),
+        dryRun,
+        allowPrompt: index === 0,
+        hubSpotClientId,
+        hubSpotClientSecret,
+    });
+    const hubSpotScopesForRuntime = await readHsxAppScopesForDeploy(root);
+    const billingRuntimeToken = controlPlaneUrl && appConfig.billing && !dryRun
+        ? await requestDeployBillingRuntimeToken({
+            controlPlaneUrl,
+            userId,
+            accountId: controlPlanePlan.accountId,
+            projectId: controlPlanePlan.projectId,
+            environment,
+        })
+        : undefined;
+    const configPath = join(root, '.hs-x', 'cloudflare', `${fileSlug(worker.name)}.wrangler.toml`);
+    await writeFile(configPath, renderWranglerConfig({
+        workerName,
+        entrypointPath: relativeImportPath(dirname(configPath), entrypointPath),
+        compatibilityDate,
+        ...(installRuntimeBinding
+            ? { installKvNamespaceId: installRuntimeBinding.installKvNamespaceId }
+            : {}),
+        ...(tenantDataPlane
+            ? {
+                flagsKvNamespaceId: tenantDataPlane.flagsKvNamespaceId,
+                tenantD1DatabaseId: tenantDataPlane.tenantD1DatabaseId,
+                tenantD1DatabaseName: tenantDataPlane.tenantD1DatabaseName,
+                tenantMigrationsDir: relative(dirname(configPath), join(root, 'node_modules', '@hs-x', 'runtime', 'migrations')),
+            }
+            : {}),
+    }));
+    const command = [
+        'bun',
+        'x',
+        'wrangler',
+        'deploy',
+        '--config',
+        relative(root, configPath),
+        ...(controlPlaneUrl ? ['--var', `HSX_CONTROL_PLANE_URL:${runtimeControlPlaneUrl}`] : []),
+        ...(hubspotAppId ? ['--var', `HSX_APP_ID:${hubspotAppId}`] : []),
+        ...(resolvedHubSpotClientId
+            ? ['--var', `HSX_HUBSPOT_CLIENT_ID:${resolvedHubSpotClientId}`]
+            : []),
+        ...(hubSpotScopesForRuntime.length > 0
+            ? ['--var', `HSX_HUBSPOT_SCOPES:${hubSpotScopesForRuntime.join(' ')}`]
+            : []),
+        ...(dryRun ? ['--dry-run'] : []),
+    ];
+    const deployEnv = cloudflareDeployEnv(argv);
+    const output = await runCloudflareCommand(command, {
+        cwd: root,
+        env: deployEnv,
+    });
+    if (installRuntimeBinding?.tokenKeySecretValue && !dryRun) {
+        await runCloudflareCommand([
+            'bun',
+            'x',
+            'wrangler',
+            'secret',
+            'put',
+            installRuntimeBinding.tokenKeySecretName,
+            '--name',
+            workerName,
+        ], {
+            cwd: root,
+            env: deployEnv,
+            stdin: installRuntimeBinding.tokenKeySecretValue,
+        });
+    }
+    if (resolvedHubSpotClientSecret && !dryRun) {
+        await runCloudflareCommand([
+            'bun',
+            'x',
+            'wrangler',
+            'secret',
+            'put',
+            controlPlanePlan.runtimeBindings.hubSpotOAuthClientSecretBinding,
+            '--name',
+            workerName,
+        ], {
+            cwd: root,
+            env: deployEnv,
+            stdin: resolvedHubSpotClientSecret,
+        });
+    }
+    if (billingRuntimeToken && !dryRun) {
+        await runCloudflareCommand(['bun', 'x', 'wrangler', 'secret', 'put', billingRuntimeToken.binding, '--name', workerName], {
+            cwd: root,
+            env: deployEnv,
+            stdin: billingRuntimeToken.runtimeToken,
+        });
+    }
+    // ADR-015 grant-verifier secret — only set when freshly generated (a re-deploy
+    // reuses the value already on the Worker + in local state).
+    if (tenantDataPlane?.syncGrantSecretValue && !dryRun) {
+        await runCloudflareCommand([
+            'bun',
+            'x',
+            'wrangler',
+            'secret',
+            'put',
+            tenantDataPlane.syncGrantSecretName,
+            '--name',
+            workerName,
+        ], {
+            cwd: root,
+            env: deployEnv,
+            stdin: tenantDataPlane.syncGrantSecretValue,
+        });
+    }
+    // ADR-015 §5: register the deployed Worker URL control-plane-side so the
+    // CP-mediated flag-authoring conduit (dashboard/agent → CP → tenant) can reach
+    // it. The URL is only known after the deploy (the install-runtime PUT in
+    // ensureDeployInstallRuntimeBinding runs pre-deploy), so this is a best-effort
+    // post-deploy re-registration — a failure never breaks the deploy.
+    const resolvedRuntimeUrl = resolveFlag(argv, '--runtime-origin') ??
+        extractWorkerUrl(output.stdout) ??
+        extractWorkerUrl(output.stderr);
+    if (controlPlaneUrl && installRuntimeBinding && hubspotAppId && resolvedRuntimeUrl && !dryRun) {
+        try {
+            await putDeployInstallRuntimeBinding({
+                controlPlaneUrl,
+                userId,
+                accountId: controlPlanePlan.accountId,
+                projectId: controlPlanePlan.projectId,
+                environment,
+                hubSpotAppId: hubspotAppId,
+                installKvNamespaceId: installRuntimeBinding.installKvNamespaceId,
+                installKvNamespaceName: installRuntimeBinding.installKvNamespaceName,
+                tokenKeySecretName: installRuntimeBinding.tokenKeySecretName,
+                runtimeBaseUrl: resolvedRuntimeUrl,
+                ...(tenantDataPlane ? { syncGrantSecretName: tenantDataPlane.syncGrantSecretName } : {}),
+            });
+        }
+        catch (error) {
+            process.stderr.write(`warning: could not register the tenant Worker URL with the control plane: ${error instanceof Error ? error.message : String(error)}\n`);
+        }
+    }
+    return {
+        workerName,
+        workerSourcePath: relative(root, workerSourcePath),
+        entrypointPath: relative(root, entrypointPath),
+        configPath: relative(root, configPath),
+        url: extractWorkerUrl(output.stdout) ?? extractWorkerUrl(output.stderr),
+        command,
+        dryRun,
+        stdout: output.stdout,
+        stderr: output.stderr,
+    };
+}
+async function discoverWorkerSourcePaths(root) {
+    const files = await collectFiles(join(root, 'src'));
+    const sources = new Map();
+    for (const file of files) {
+        const source = await readFile(file, 'utf8');
+        const workerName = /defineWorker\s*\(\s*["'`]([^"'`]+)["'`]/.exec(source)?.[1];
+        if (workerName) {
+            sources.set(workerName, file);
+        }
+    }
+    return sources;
+}
+function relativeImportPath(fromDir, toFile) {
+    const path = relative(fromDir, toFile).replaceAll('\\', '/');
+    return path.startsWith('.') ? path : `./${path}`;
+}
+function fileSlug(value) {
+    return value.replace(/[^a-zA-Z0-9._-]+/g, '-').replace(/^-+|-+$/g, '') || 'worker';
+}
+function cloudflareDeployEnv(argv) {
+    const { apiToken, accountId } = resolveCloudflareCredentials(argv);
+    return {
+        ...(apiToken ? { CLOUDFLARE_API_TOKEN: apiToken } : {}),
+        ...(accountId ? { CLOUDFLARE_ACCOUNT_ID: accountId } : {}),
+    };
+}
+async function ensureTenantDeployInstallRuntimeBinding(input) {
+    const { pointer, stateStore } = await ensureTenantStateStore({
+        argv: input.argv,
+        root: input.root,
+    });
+    const existing = await stateStore.getBinding({
+        projectId: input.projectId,
+        environment: input.environment,
+        hubSpotAppId: input.hubSpotAppId,
+    });
+    if (existing) {
+        return {
+            installKvNamespaceId: existing.installKvNamespaceId,
+            installKvNamespaceName: existing.installKvNamespaceName,
+            tokenKeySecretName: existing.tokenKeySecretName,
+        };
+    }
+    if (input.dryRun)
+        return undefined;
+    const installKvNamespaceName = installKvNamespaceNameFor({
+        accountId: input.ownerId,
+        projectId: input.projectId,
+        environment: input.environment,
+        hubSpotAppId: input.hubSpotAppId,
+    });
+    const namespaceOutput = await runCloudflareCommand([
+        'bun',
+        'x',
+        'wrangler',
+        'kv',
+        'namespace',
+        'create',
+        installKvNamespaceName,
+        '--binding',
+        'INSTALL_KV',
+    ], {
+        cwd: input.root,
+        env: cloudflareDeployEnv(input.argv),
+    });
+    const installKvNamespaceId = extractKvNamespaceId(`${namespaceOutput.stdout}\n${namespaceOutput.stderr}`);
+    if (!installKvNamespaceId) {
+        throw new Error('Could not read Cloudflare KV namespace id from wrangler output.');
+    }
+    const tokenKeySecretName = 'HSX_TOKEN_KEY';
+    await stateStore.putBinding(Schema.decodeUnknownSync(schemas.LocalAppRuntimeBinding)({
+        ownerId: pointer.ownerId,
+        projectId: input.projectId,
+        hubSpotAppId: input.hubSpotAppId,
+        environment: input.environment,
+        installKvNamespaceId,
+        installKvNamespaceName,
+        tokenKeySecretName,
+        updatedAt: new Date().toISOString(),
+    }));
+    return {
+        installKvNamespaceId,
+        installKvNamespaceName,
+        tokenKeySecretName,
+        tokenKeySecretValue: randomBytes(32).toString('base64url'),
+    };
+}
+async function ensureDeployInstallRuntimeBinding(input) {
+    const existing = await readDeployInstallRuntimeBinding(input);
+    if (existing) {
+        return {
+            installKvNamespaceId: existing.installKvNamespaceId,
+            installKvNamespaceName: existing.installKvNamespaceName,
+            tokenKeySecretName: existing.tokenKeySecretName,
+        };
+    }
+    if (input.dryRun) {
+        return undefined;
+    }
+    const installKvNamespaceName = installKvNamespaceNameFor({
+        accountId: input.accountId,
+        projectId: input.projectId,
+        environment: input.environment,
+        hubSpotAppId: input.hubSpotAppId,
+    });
+    const namespaceOutput = await runCloudflareCommand([
+        'bun',
+        'x',
+        'wrangler',
+        'kv',
+        'namespace',
+        'create',
+        installKvNamespaceName,
+        '--binding',
+        'INSTALL_KV',
+    ], {
+        cwd: input.root,
+        env: cloudflareDeployEnv(input.argv),
+    });
+    const installKvNamespaceId = extractKvNamespaceId(`${namespaceOutput.stdout}\n${namespaceOutput.stderr}`);
+    if (!installKvNamespaceId) {
+        throw new Error('Could not read Cloudflare KV namespace id from wrangler output.');
+    }
+    const tokenKeySecretName = 'HSX_TOKEN_KEY';
+    await putDeployInstallRuntimeBinding({
+        ...input,
+        installKvNamespaceId,
+        installKvNamespaceName,
+        tokenKeySecretName,
+    });
+    return {
+        installKvNamespaceId,
+        installKvNamespaceName,
+        tokenKeySecretName,
+        tokenKeySecretValue: randomBytes(32).toString('base64url'),
+    };
+}
+async function readDeployInstallRuntimeBinding(input) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(input.accountId)}/projects/${encodeURIComponent(input.projectId)}/hubspot-apps/${encodeURIComponent(input.hubSpotAppId)}/install-runtime?environment=${encodeURIComponent(input.environment)}`, input.controlPlaneUrl),
+        headers: await controlPlaneAuthHeaders(input.userId),
+    });
+    if (response.status === 404) {
+        return undefined;
+    }
+    const body = await response.json();
+    if (!response.ok) {
+        const message = isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control plane returned ${response.status}.`;
+        throw new Error(`Could not read scoped install runtime binding: ${message}`);
+    }
+    return Schema.decodeUnknownSync(schemas.HubSpotAppInstallRuntimeMetadata)(body);
+}
+async function putDeployInstallRuntimeBinding(input) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(input.accountId)}/projects/${encodeURIComponent(input.projectId)}/hubspot-apps/${encodeURIComponent(input.hubSpotAppId)}/install-runtime`, input.controlPlaneUrl),
+        method: 'PUT',
+        headers: await controlPlaneAuthHeaders(input.userId),
+        body: {
+            environment: input.environment,
+            installKvNamespaceId: input.installKvNamespaceId,
+            installKvNamespaceName: input.installKvNamespaceName,
+            tokenKeySecretName: input.tokenKeySecretName,
+            ...(input.runtimeBaseUrl ? { runtimeBaseUrl: input.runtimeBaseUrl } : {}),
+            ...(input.syncGrantSecretName ? { syncGrantSecretName: input.syncGrantSecretName } : {}),
+        },
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        const message = isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control plane returned ${response.status}.`;
+        throw new Error(`Could not store scoped install runtime binding: ${message}`);
+    }
+}
+async function requestDeployBillingRuntimeToken(input) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(input.accountId)}/projects/${encodeURIComponent(input.projectId)}/billing/runtime-token`, input.controlPlaneUrl),
+        method: 'POST',
+        headers: await controlPlaneAuthHeaders(input.userId),
+        body: {
+            environment: input.environment,
+        },
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        const message = isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control plane returned ${response.status}.`;
+        throw new Error(`Could not mint billing runtime token: ${message}`);
+    }
+    if (!isRecord(body) ||
+        typeof body.runtimeToken !== 'string' ||
+        body.binding !== 'HSX_RUNTIME_TOKEN') {
+        throw new Error('Control plane returned a malformed billing runtime token response.');
+    }
+    return {
+        runtimeToken: body.runtimeToken,
+        binding: body.binding,
+    };
+}
+function installKvNamespaceNameFor(input) {
+    return truncateCloudflareResourceName(`hsx-${cloudflareNameSlug(input.accountId)}-${cloudflareNameSlug(input.projectId)}-${cloudflareNameSlug(input.environment)}-${cloudflareNameSlug(String(input.hubSpotAppId))}-install`);
+}
+function cloudflareNameSlug(value) {
+    return (value
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, '-')
+        .replace(/^-+|-+$/g, '') || 'x');
+}
+function truncateCloudflareResourceName(value) {
+    return value.length <= 63 ? value : value.slice(0, 63).replace(/-+$/g, '');
+}
+function extractKvNamespaceId(output) {
+    return (/"id"\s*:\s*"([^"]+)"/.exec(output)?.[1] ??
+        /id\s*=\s*"([^"]+)"/.exec(output)?.[1] ??
+        /id[:\s]+([a-f0-9]{16,})/i.exec(output)?.[1]);
+}
+// ADR-015/ADR-014 tenant data plane: one project-scoped D1 (flag config +
+// installer PII + platform events) and one flags-snapshot KV per install.
+function tenantD1DatabaseNameFor(input) {
+    return truncateCloudflareResourceName(`hsx-${cloudflareNameSlug(input.accountId)}-${cloudflareNameSlug(input.projectId)}-${cloudflareNameSlug(input.environment)}-${cloudflareNameSlug(String(input.hubSpotAppId))}-tenant`);
+}
+function flagsKvNamespaceNameFor(input) {
+    return truncateCloudflareResourceName(`hsx-${cloudflareNameSlug(input.accountId)}-${cloudflareNameSlug(input.projectId)}-${cloudflareNameSlug(input.environment)}-${cloudflareNameSlug(String(input.hubSpotAppId))}-flags`);
+}
+function extractD1DatabaseId(output) {
+    return (/"database_id"\s*:\s*"([^"]+)"/.exec(output)?.[1] ??
+        /database_id\s*=\s*"([^"]+)"/.exec(output)?.[1] ??
+        /database_id[:\s]+([a-f0-9-]{16,})/i.exec(output)?.[1]);
+}
+/**
+ * ADR-015/ADR-014 §9 + §5: provision the project-scoped tenant D1 + the
+ * flags-snapshot KV for a LINKED deploy, generate the per-install
+ * HSX_SYNC_GRANT_KEY, and persist everything (including the InstallationKey
+ * scope accountId + the secret VALUE) to local state so the leaveable
+ * `hs-x flags` CLI can sign flags:write grants without the control plane.
+ *
+ * Idempotent: re-uses already-provisioned ids + an already-generated secret from
+ * local state (so a re-deploy keeps the same secret the Worker already holds).
+ * Returns `syncGrantSecretValue` only when freshly generated — the caller does
+ * a `wrangler secret put` only then. Tenant-data-plane activation is
+ * linked-only (codegen emits the options solely for heartbeat.mode==='linked'),
+ * so this is never called for unlinked direct-to-HubSpot deploys.
+ */
+async function ensureTenantDataPlane(input) {
+    const { pointer, stateStore } = await ensureTenantStateStore({
+        argv: input.argv,
+        root: input.root,
+    });
+    const existing = await stateStore.getBinding({
+        projectId: input.projectId,
+        environment: input.environment,
+        hubSpotAppId: input.hubSpotAppId,
+    });
+    const env = cloudflareDeployEnv(input.argv);
+    const tenantD1DatabaseName = existing?.tenantD1DatabaseName ?? tenantD1DatabaseNameFor(input);
+    let tenantD1DatabaseId = existing?.tenantD1DatabaseId;
+    if (!tenantD1DatabaseId) {
+        const output = await runCloudflareCommand(['bun', 'x', 'wrangler', 'd1', 'create', tenantD1DatabaseName], { cwd: input.root, env });
+        tenantD1DatabaseId = extractD1DatabaseId(`${output.stdout}\n${output.stderr}`);
+        if (!tenantD1DatabaseId) {
+            throw new Error('Could not read tenant D1 database id from wrangler output.');
+        }
+    }
+    const flagsKvNamespaceName = existing?.flagsKvNamespaceName ?? flagsKvNamespaceNameFor(input);
+    let flagsKvNamespaceId = existing?.flagsKvNamespaceId;
+    if (!flagsKvNamespaceId) {
+        const output = await runCloudflareCommand(['bun', 'x', 'wrangler', 'kv', 'namespace', 'create', flagsKvNamespaceName, '--binding', 'FLAGS_KV'], { cwd: input.root, env });
+        flagsKvNamespaceId = extractKvNamespaceId(`${output.stdout}\n${output.stderr}`);
+        if (!flagsKvNamespaceId) {
+            throw new Error('Could not read flags KV namespace id from wrangler output.');
+        }
+    }
+    const syncGrantSecretName = 'HSX_SYNC_GRANT_KEY';
+    const reusedSecret = existing?.syncGrantSecretValue;
+    const syncGrantSecretValue = reusedSecret ?? randomBytes(32).toString('base64url');
+    await stateStore.putBinding(Schema.decodeUnknownSync(schemas.LocalAppRuntimeBinding)({
+        ownerId: pointer.ownerId,
+        tenantScopeAccountId: input.accountId,
+        projectId: input.projectId,
+        hubSpotAppId: input.hubSpotAppId,
+        environment: input.environment,
+        installKvNamespaceId: input.install.installKvNamespaceId,
+        installKvNamespaceName: input.install.installKvNamespaceName,
+        tokenKeySecretName: input.install.tokenKeySecretName,
+        tenantD1DatabaseId,
+        tenantD1DatabaseName,
+        flagsKvNamespaceId,
+        flagsKvNamespaceName,
+        syncGrantSecretName,
+        syncGrantSecretValue,
+        updatedAt: new Date().toISOString(),
+    }));
+    // ADR-015 §5 "Both": register the secret control-plane-side for the (gated)
+    // dashboard/agent/sync consumers. Best-effort — the leaveable CLI-direct path
+    // reads the value from local state and needs no control plane.
+    if (input.controlPlaneUrl && input.userId) {
+        try {
+            await registerDeploySyncGrantSecret({
+                controlPlaneUrl: input.controlPlaneUrl,
+                userId: input.userId,
+                accountId: input.accountId,
+                projectId: input.projectId,
+                environment: input.environment,
+                hubSpotAppId: input.hubSpotAppId,
+                syncGrantSecret: syncGrantSecretValue,
+            });
+        }
+        catch (error) {
+            process.stderr.write(`warning: could not register the sync grant secret with the control plane: ${error instanceof Error ? error.message : String(error)}\n`);
+        }
+    }
+    return {
+        tenantD1DatabaseId,
+        tenantD1DatabaseName,
+        flagsKvNamespaceId,
+        flagsKvNamespaceName,
+        syncGrantSecretName,
+        ...(reusedSecret ? {} : { syncGrantSecretValue }),
+    };
+}
+async function registerDeploySyncGrantSecret(input) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(input.accountId)}/projects/${encodeURIComponent(input.projectId)}/hubspot-apps/${encodeURIComponent(input.hubSpotAppId)}/sync-grant-secret`, input.controlPlaneUrl),
+        method: 'PUT',
+        headers: await controlPlaneAuthHeaders(input.userId),
+        body: {
+            environment: input.environment,
+            syncGrantSecret: input.syncGrantSecret,
+        },
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        const message = isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control plane returned ${response.status}.`;
+        throw new Error(`Could not register the sync grant secret: ${message}`);
+    }
+}
+export function renderWranglerConfig(input) {
+    const lines = [
+        '# Generated by hs-x. Do not edit by hand.',
+        `name = "${tomlString(input.workerName)}"`,
+        `main = "${tomlString(input.entrypointPath)}"`,
+        `compatibility_date = "${tomlString(input.compatibilityDate)}"`,
+    ];
+    if (input.installKvNamespaceId) {
+        lines.push('', '[[kv_namespaces]]', 'binding = "INSTALL_KV"', `id = "${tomlString(input.installKvNamespaceId)}"`);
+    }
+    // ADR-015 flag-snapshot KV (the eval-path hot replica).
+    if (input.flagsKvNamespaceId) {
+        lines.push('', '[[kv_namespaces]]', 'binding = "FLAGS_KV"', `id = "${tomlString(input.flagsKvNamespaceId)}"`);
+    }
+    // ADR-015/ADR-014 project-scoped tenant D1 (flag config + installer PII +
+    // platform events). migrations_dir lets wrangler auto-apply the tenant
+    // migrations on deploy.
+    if (input.tenantD1DatabaseId) {
+        lines.push('', '[[d1_databases]]', 'binding = "TENANT_DB"');
+        if (input.tenantD1DatabaseName) {
+            lines.push(`database_name = "${tomlString(input.tenantD1DatabaseName)}"`);
+        }
+        lines.push(`database_id = "${tomlString(input.tenantD1DatabaseId)}"`);
+        if (input.tenantMigrationsDir) {
+            lines.push(`migrations_dir = "${tomlString(input.tenantMigrationsDir)}"`);
+        }
+    }
+    return `${lines.join('\n')}\n`;
+}
+function tomlString(value) {
+    return value.replaceAll('\\', '\\\\').replaceAll('"', '\\"');
+}
+async function readDeployHubSpotOAuthSecret(input) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(input.accountId)}/projects/${encodeURIComponent(input.projectId)}/hubspot-apps/${encodeURIComponent(input.hubSpotAppId)}/oauth-secret?environment=${encodeURIComponent(input.environment)}`, input.controlPlaneUrl),
+        headers: await controlPlaneAuthHeaders(input.userId),
+    });
+    if (response.status === 404) {
+        return undefined;
+    }
+    const body = await response.json();
+    if (!response.ok) {
+        const message = isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control plane returned ${response.status}.`;
+        throw new Error(`Could not read scoped HubSpot OAuth secret: ${message}`);
+    }
+    return Schema.decodeUnknownSync(schemas.HubSpotAppOAuthSecretDeployValue)(body);
+}
+function extractWorkerUrl(output) {
+    return /https:\/\/[a-zA-Z0-9.-]+\.workers\.dev\b/.exec(output)?.[0];
+}
+async function ensureHubSpotRuntimeProjectArtifacts({ argv, root, app, workers, cloudflareDeployResult, needsRuntime, controlPlanePlan, }) {
+    if (!needsRuntime) {
+        return;
+    }
+    const runtimeBaseUrl = resolveFlag(argv, '--runtime-origin') ??
+        cloudflareDeployResult?.workers.find((worker) => worker.url)?.url;
+    if (!runtimeBaseUrl) {
+        throw new Error('Runtime HubSpot metadata requires a Worker URL. Pass --runtime-origin or run a non-dry-run Cloudflare deploy that reports a workers.dev URL.');
+    }
+    const oauthCallbackPath = controlPlanePlan?.runtimeBindings?.oauthCallbackPath ?? '/oauth-callback';
+    const redirectUrls = app.auth === 'oauth' && oauthCallbackPath
+        ? [`${runtimeBaseUrl.replace(/\/$/, '')}${oauthCallbackPath}`]
+        : [];
+    const generated = generateHubSpotRuntimeProject({
+        ...app,
+        workers,
+        runtimeBaseUrl,
+        redirectUrls,
+    });
+    for (const [file, contents] of Object.entries(generated.files)) {
+        const path = join(root, file);
+        await mkdir(dirname(path), { recursive: true });
+        await writeFile(path, contents);
+    }
+}
+async function readHsxAppScopesForDeploy(root) {
+    try {
+        const app = await readHsxAppConfig(root);
+        return app.scopes;
+    }
+    catch {
+        return [];
+    }
+}
+async function readHsxAppConfig(root) {
+    const raw = await readFile(join(root, 'hsx.config.ts'), 'utf8');
+    const loaded = parseHsxAppConfigLiteral(raw) ?? (await loadHsxAppConfigModule(root).catch(() => undefined));
+    return {
+        appName: loaded?.name ?? /name\s*:\s*["'`]([^"'`]+)["'`]/.exec(raw)?.[1] ?? basename(root),
+        distribution: loaded?.distribution ?? /distribution\s*:\s*["'`]([^"'`]+)["'`]/.exec(raw)?.[1] ?? 'private',
+        auth: loaded?.auth ?? /auth\s*:\s*["'`]([^"'`]+)["'`]/.exec(raw)?.[1] ?? 'oauth',
+        platformVersion: loaded?.platformVersion ??
+            /platformVersion\s*:\s*["'`]([^"'`]+)["'`]/.exec(raw)?.[1] ??
+            '2026.03',
+        scopes: loaded?.scopes ?? readStringArrayProperty(raw, 'scopes'),
+        appObjects: discoverAppObjectDeclarations(raw),
+        appObjectAssociations: discoverAppObjectAssociationDeclarations(raw),
+        appEvents: discoverAppEventDeclarations(raw),
+        ...(loaded?.billing ? { billing: loaded.billing } : {}),
+    };
+}
+function parseHsxAppConfigLiteral(source) {
+    const start = source.indexOf('defineApp(');
+    if (start < 0)
+        return undefined;
+    const objectStart = source.indexOf('{', start);
+    if (objectStart < 0)
+        return undefined;
+    let depth = 0;
+    let quote;
+    let escaped = false;
+    for (let i = objectStart; i < source.length; i += 1) {
+        const char = source[i];
+        if (!char)
+            continue;
+        if (quote) {
+            if (escaped) {
+                escaped = false;
+            }
+            else if (char === '\\') {
+                escaped = true;
+            }
+            else if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === '"' || char === "'" || char === '`') {
+            quote = char;
+            continue;
+        }
+        if (char === '{')
+            depth += 1;
+        if (char === '}') {
+            depth -= 1;
+            if (depth === 0) {
+                try {
+                    return Function(`"use strict"; return (${source.slice(objectStart, i + 1)});`)();
+                }
+                catch {
+                    return undefined;
+                }
+            }
+        }
+    }
+    return undefined;
+}
+async function loadHsxAppConfigModule(root) {
+    const url = pathToFileURL(join(root, 'hsx.config.ts'));
+    url.searchParams.set('hsxConfigLoad', String(Date.now()));
+    const mod = (await import(url.href));
+    const app = mod.default;
+    return app && typeof app === 'object'
+        ? app
+        : undefined;
+}
+function readStringArrayProperty(source, propertyName) {
+    const body = new RegExp(`${propertyName}\\s*:\\s*\\[([\\s\\S]*?)\\]`).exec(source)?.[1];
+    if (!body) {
+        return [];
+    }
+    return [...body.matchAll(/["'`]([^"'`]+)["'`]/g)].map((match) => match[1] ?? '');
+}
+function callObjectBody(source, functionName) {
+    const match = new RegExp(`\\b${functionName}\\s*\\(`).exec(source);
+    if (!match)
+        return undefined;
+    const start = source.indexOf('{', match.index + match[0].length);
+    if (start === -1)
+        return undefined;
+    const end = findMatching(source, start, '{', '}');
+    return end === -1 ? undefined : source.slice(start + 1, end);
+}
+function discoverAppObjectDeclarations(source) {
+    return declarationBodies(source, 'appObject').map(({ id, body }) => {
+        const properties = discoverDeclarationProperties(body);
+        const firstPropertyName = Object.keys(properties)[0] ?? 'name';
+        return {
+            kind: 'app-object',
+            id,
+            uid: stringPropertyValue(body, 'uid') ?? defaultUid(id),
+            name: stringPropertyValue(body, 'name') ?? defaultUid(id),
+            label: stringPropertyValue(body, 'label') ?? id,
+            singularForm: stringPropertyValue(body, 'singularForm') ?? stringPropertyValue(body, 'label') ?? id,
+            pluralForm: stringPropertyValue(body, 'pluralForm') ?? `${stringPropertyValue(body, 'label') ?? id}s`,
+            ...(stringPropertyValue(body, 'description')
+                ? { description: stringPropertyValue(body, 'description') }
+                : {}),
+            ...(stringPropertyValue(body, 'appPrefix')
+                ? { appPrefix: stringPropertyValue(body, 'appPrefix') }
+                : {}),
+            primaryDisplayLabelPropertyName: stringPropertyValue(body, 'primaryDisplayLabelPropertyName') ?? firstPropertyName,
+            ...(readStringArrayProperty(body, 'secondaryDisplayLabelPropertyNames').length
+                ? {
+                    secondaryDisplayLabelPropertyNames: readStringArrayProperty(body, 'secondaryDisplayLabelPropertyNames'),
+                }
+                : {}),
+            ...(readStringArrayProperty(body, 'requiredProperties').length
+                ? { requiredProperties: readStringArrayProperty(body, 'requiredProperties') }
+                : {}),
+            ...(readStringArrayProperty(body, 'searchableProperties').length
+                ? { searchableProperties: readStringArrayProperty(body, 'searchableProperties') }
+                : {}),
+            ...(readStringArrayProperty(body, 'defaultCreateFormFields').length
+                ? { defaultCreateFormFields: readStringArrayProperty(body, 'defaultCreateFormFields') }
+                : {}),
+            properties,
+        };
+    });
+}
+function discoverAppObjectAssociationDeclarations(source) {
+    return declarationBodies(source, 'appObjectAssociation').map(({ id, body }) => ({
+        kind: 'app-object-association',
+        id,
+        uid: stringPropertyValue(body, 'uid') ?? defaultUid(id),
+        fromObjectType: stringPropertyValue(body, 'fromObjectType') ?? 'CONTACT',
+        toObjectType: stringPropertyValue(body, 'toObjectType') ?? 'CONTACT',
+        ...(stringPropertyValue(body, 'name') ? { name: stringPropertyValue(body, 'name') } : {}),
+        ...(stringPropertyValue(body, 'label') ? { label: stringPropertyValue(body, 'label') } : {}),
+        ...(stringPropertyValue(body, 'inverseLabel')
+            ? { inverseLabel: stringPropertyValue(body, 'inverseLabel') }
+            : {}),
+    }));
+}
+function discoverAppEventDeclarations(source) {
+    return declarationBodies(source, 'appEvent').map(({ id, body }) => ({
+        kind: 'app-event',
+        id,
+        uid: stringPropertyValue(body, 'uid') ?? defaultUid(id),
+        name: stringPropertyValue(body, 'name') ?? defaultUid(id),
+        label: stringPropertyValue(body, 'label') ?? id,
+        ...(stringPropertyValue(body, 'description')
+            ? { description: stringPropertyValue(body, 'description') }
+            : {}),
+        objectType: stringPropertyValue(body, 'objectType') ?? 'CONTACT',
+        ...(booleanPropertyValue(body, 'supportsCustomObject') === undefined
+            ? {}
+            : { supportsCustomObject: booleanPropertyValue(body, 'supportsCustomObject') }),
+        ...(stringPropertyValue(body, 'headerTemplate')
+            ? { headerTemplate: stringPropertyValue(body, 'headerTemplate') }
+            : {}),
+        ...(stringPropertyValue(body, 'detailTemplate')
+            ? { detailTemplate: stringPropertyValue(body, 'detailTemplate') }
+            : {}),
+        properties: discoverDeclarationProperties(body),
+    }));
+}
+function declarationBodies(source, functionName) {
+    const declarations = [];
+    const pattern = new RegExp(`\\b${functionName}\\s*\\(\\s*["'\`]([^"'\`]+)["'\`]`, 'g');
+    for (const match of source.matchAll(pattern)) {
+        const start = source.indexOf('{', (match.index ?? 0) + match[0].length);
+        if (start === -1)
+            continue;
+        const end = findMatching(source, start, '{', '}');
+        if (end === -1)
+            continue;
+        declarations.push({ id: match[1] ?? 'unknown', body: source.slice(start + 1, end) });
+    }
+    return declarations;
+}
+function discoverDeclarationProperties(body) {
+    const propertiesBody = objectPropertyBody(body, 'properties');
+    if (!propertiesBody) {
+        return {};
+    }
+    const properties = {};
+    for (const { name, body: propertyBody } of topLevelObjectEntries(propertiesBody)) {
+        const options = readStringArrayProperty(propertyBody, 'options').map((value) => ({
+            value,
+            label: value,
+        }));
+        properties[name] = {
+            type: stringPropertyValue(propertyBody, 'type') ?? 'string',
+            label: stringPropertyValue(propertyBody, 'label') ?? name,
+            ...(options.length ? { options } : {}),
+        };
+    }
+    return properties;
+}
+function topLevelObjectEntries(source) {
+    const entries = [];
+    let index = 0;
+    let depth = 0;
+    while (index < source.length) {
+        const char = source[index];
+        if (char === '{' || char === '[' || char === '(') {
+            depth += 1;
+            index += 1;
+            continue;
+        }
+        if (char === '}' || char === ']' || char === ')') {
+            depth = Math.max(0, depth - 1);
+            index += 1;
+            continue;
+        }
+        if (depth === 0) {
+            const match = /^[\s,]*([A-Za-z_][A-Za-z0-9_]*)\s*:/.exec(source.slice(index));
+            if (match) {
+                const name = match[1] ?? 'unknown';
+                const valueStart = index + match[0].length;
+                const braceStart = source.indexOf('{', valueStart);
+                if (braceStart !== -1 && source.slice(valueStart, braceStart).trim() === '') {
+                    const braceEnd = findMatching(source, braceStart, '{', '}');
+                    if (braceEnd !== -1) {
+                        entries.push({ name, body: source.slice(braceStart + 1, braceEnd) });
+                        index = braceEnd + 1;
+                        continue;
+                    }
+                }
+            }
+        }
+        index += 1;
+    }
+    return entries;
+}
+function objectPropertyBody(source, propertyName) {
+    const match = new RegExp(`\\b${propertyName}\\s*:`).exec(source);
+    if (!match)
+        return undefined;
+    const start = source.indexOf('{', match.index + match[0].length);
+    if (start === -1)
+        return undefined;
+    const end = findMatching(source, start, '{', '}');
+    return end === -1 ? undefined : source.slice(start + 1, end);
+}
+function findMatching(source, start, open, close) {
+    let depth = 0;
+    for (let index = start; index < source.length; index += 1) {
+        const char = source[index];
+        if (char === open)
+            depth += 1;
+        if (char === close) {
+            depth -= 1;
+            if (depth === 0)
+                return index;
+        }
+    }
+    return -1;
+}
+function stringPropertyValue(source, propertyName) {
+    return new RegExp(`\\b${propertyName}\\s*:\\s*["'\`]([^"'\`]+)["'\`]`).exec(source)?.[1];
+}
+function booleanPropertyValue(source, propertyName) {
+    const value = new RegExp(`\\b${propertyName}\\s*:\\s*(true|false)\\b`).exec(source)?.[1];
+    return value === undefined ? undefined : value === 'true';
+}
+function defaultUid(id) {
+    return id
+        .trim()
+        .replace(/([a-z0-9])([A-Z])/g, '$1_$2')
+        .replace(/[^A-Za-z0-9]+/g, '_')
+        .replace(/^_+|_+$/g, '')
+        .toUpperCase();
+}
+function runCloudflareCommand(command, options) {
+    return Effect.runPromise(Effect.promise(() => new Promise((resolvePromise, rejectPromise) => {
+        const child = spawn(command[0] ?? 'bun', command.slice(1), {
+            cwd: options.cwd,
+            env: { ...process.env, ...options.env },
+            stdio: [options.stdin === undefined ? 'ignore' : 'pipe', 'pipe', 'pipe'],
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout?.setEncoding('utf8');
+        child.stderr?.setEncoding('utf8');
+        child.stdout?.on('data', (chunk) => {
+            stdout += chunk;
+        });
+        child.stderr?.on('data', (chunk) => {
+            stderr += chunk;
+        });
+        if (options.stdin !== undefined) {
+            child.stdin?.end(`${options.stdin}\n`);
+        }
+        child.on('error', rejectPromise);
+        child.on('exit', (code) => {
+            if (code === 0) {
+                resolvePromise({ stdout, stderr });
+            }
+            else {
+                rejectPromise(new Error(`Cloudflare deploy failed with exit code ${code ?? 'unknown'}.\n${stderr || stdout}`));
+            }
+        });
+    })).pipe(Effect.withSpan('cli.deploy.cloudflare_command', {
+        attributes: {
+            executable: command[0] ?? 'bun',
+            args_count: Math.max(0, command.length - 1),
+        },
+    })));
+}
+async function executeHubSpotOnlyUpload({ argv, root, local, uploadOnly, }) {
+    const hsprojectConfig = await readHubSpotProjectConfig(root);
+    const configuredProjectName = typeof hsprojectConfig.name === 'string' && hsprojectConfig.name.length > 0
+        ? hsprojectConfig.name
+        : undefined;
+    // The HubSpot project name must match the name baked into the generated
+    // bundle (hsproject.json + app-hsmeta uid), not the on-disk directory name.
+    // Using basename(root) breaks when the project lives in a generic dir (e.g.
+    // `app/`): the upload targets a project named "app" while the bundle declares
+    // the real project id, and HubSpot rejects the mismatch with an opaque 400.
+    const projectName = resolveFlag(argv, '--hubspot-project-name') ?? configuredProjectName ?? basename(root);
+    const intermediateRepresentation = await readHubSpotProjectIntermediateRepresentation(root);
+    const appUid = readAppUidFromIntermediateRepresentation(intermediateRepresentation);
+    // For the post-deploy app Auth URL (unlinked installs). Resolved from
+    // flag/env here so the URL is correct on the unlinked path; on a
+    // control-plane lease path it stays undefined and the URL is skipped.
+    const developerAccountId = resolveFlag(argv, '--developer-account-id') ?? process.env.HSX_HUBSPOT_DEVELOPER_ACCOUNT_ID;
+    const archivePath = await writeLocalHubSpotProjectArchive(root, projectName, {
+        sourceOnly: intermediateRepresentation !== undefined,
+    });
+    const client = await createDeployHubSpotDeveloperClient({
+        argv,
+        local,
+        allowedOperations: ['hubspot-project-upload'],
+        cwd: root,
+    });
+    await client.projects.ensureProject({ projectName });
+    const upload = await client.projects.upload({
+        projectName,
+        archivePath,
+        message: resolveFlag(argv, '--message') ?? 'HS-X HubSpot-only deploy',
+        platformVersion: resolveFlag(argv, '--platform-version') ?? '2026.03',
+        intermediateRepresentation,
+    });
+    const buildStatus = await waitForHubSpotBuildStatus({
+        client,
+        projectName,
+        buildId: upload.buildId,
+        timeoutMs: Number(resolveFlag(argv, '--hubspot-build-timeout-ms') ?? '60000'),
+        intervalMs: 1000,
+    });
+    const autoDeployEnabled = readBooleanProperty(buildStatus, 'isAutoDeployEnabled');
+    if (uploadOnly || readStatus(buildStatus) !== 'SUCCESS' || autoDeployEnabled) {
+        const appId = readStatus(buildStatus) === 'SUCCESS'
+            ? await optionalHubSpotAppId(client, projectName, appUid)
+            : 0;
+        return {
+            projectName,
+            archivePath,
+            appId,
+            appUid,
+            developerAccountId,
+            buildId: upload.buildId,
+            deployId: undefined,
+            buildStatus,
+            deployStatus: undefined,
+            deploySkipped: Boolean(uploadOnly || autoDeployEnabled),
+            local,
+        };
+    }
+    const deploy = await client.projects.deployBuild({
+        projectName,
+        buildId: upload.buildId,
+        force: argv.includes('--force'),
+    });
+    const deployId = readNumericProperty(deploy, 'deployId');
+    const deployStatus = deployId === undefined
+        ? deploy
+        : await client.projects.getDeployStatus({
+            projectName,
+            deployId,
+        });
+    const appId = await optionalHubSpotAppId(client, projectName, appUid);
+    return {
+        projectName,
+        archivePath,
+        appId,
+        appUid,
+        developerAccountId,
+        buildId: upload.buildId,
+        deployId,
+        buildStatus,
+        deployStatus,
+        deploySkipped: false,
+        local,
+    };
+}
+async function optionalHubSpotAppId(client, projectName, appUid) {
+    try {
+        return await client.projects.resolveAppId(appUid === undefined ? { projectName } : { projectName, appUid });
+    }
+    catch {
+        return 0;
+    }
+}
+async function waitForHubSpotBuildStatus({ client, projectName, buildId, timeoutMs, intervalMs, }) {
+    const startedAt = Date.now();
+    let latest;
+    do {
+        latest = await client.projects.getBuildStatus({ projectName, buildId });
+        const status = readStatus(latest);
+        if (status === 'SUCCESS' || status === 'FAILURE') {
+            return latest;
+        }
+        await sleep(intervalMs);
+    } while (Date.now() - startedAt < timeoutMs);
+    return latest;
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function writeLocalHubSpotProjectArchive(root, projectName, options = { sourceOnly: false }) {
+    const outDir = await mkdtemp(join(tmpdir(), 'hs-x-hubspot-project-'));
+    const archivePath = join(outDir, `${projectName.replace(/[^a-zA-Z0-9._-]+/g, '-')}-hubspot-project.zip`);
+    const stageDir = join(outDir, 'project');
+    await cp(root, stageDir, {
+        recursive: true,
+        filter(source) {
+            return (!source.includes(`${join(root, 'node_modules')}/`) &&
+                !source.includes(`${join(root, '.hs-x')}/`));
+        },
+    });
+    await patchHubSpotProjectName(stageDir, projectName);
+    await runZip(options.sourceOnly ? await hubSpotProjectSourceRoot(stageDir) : stageDir, archivePath);
+    return archivePath;
+}
+async function hubSpotProjectSourceRoot(root) {
+    const hsproject = await readHubSpotProjectConfig(root);
+    const srcDir = typeof hsproject.srcDir === 'string' ? hsproject.srcDir : 'src';
+    return join(root, srcDir);
+}
+async function patchHubSpotProjectName(root, projectName) {
+    const path = join(root, 'hsproject.json');
+    const raw = await readFile(path, 'utf8').catch(() => undefined);
+    if (!raw) {
+        return;
+    }
+    const parsed = JSON.parse(raw);
+    if (!isRecord(parsed)) {
+        return;
+    }
+    await writeFile(path, `${JSON.stringify({ ...parsed, name: projectName }, null, 2)}\n`);
+}
+async function readHubSpotProjectIntermediateRepresentation(root) {
+    const hsproject = await readHubSpotProjectConfig(root);
+    const srcDir = typeof hsproject.srcDir === 'string' ? hsproject.srcDir : 'src';
+    const sourceRoot = join(root, srcDir);
+    const metaFiles = await collectHubSpotMetaFiles(sourceRoot);
+    const nodes = {};
+    let appUid;
+    for (const file of metaFiles) {
+        const raw = await readFile(file, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!isRecord(parsed) || typeof parsed.uid !== 'string' || typeof parsed.type !== 'string') {
+            continue;
+        }
+        if (parsed.type === 'app') {
+            appUid = parsed.uid;
+        }
+    }
+    for (const file of metaFiles) {
+        const raw = await readFile(file, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!isRecord(parsed) ||
+            typeof parsed.uid !== 'string' ||
+            typeof parsed.type !== 'string' ||
+            !isRecord(parsed.config)) {
+            continue;
+        }
+        // Map the user-facing hsmeta `type` to HubSpot's internal component type
+        // exactly as @hubspot/project-parsing-lib's mapToInternalType does:
+        // `app` -> APPLICATION, otherwise upper-snake-case (card -> CARD,
+        // workflow-action -> WORKFLOW_ACTION). The previous app/card-only switch
+        // silently dropped workflow actions, so the IR sent to upload/new-api had
+        // no child components and HubSpot rejected the build with NO_COMPONENTS.
+        const componentType = parsed.type === 'app' ? 'APPLICATION' : parsed.type.toUpperCase().replace(/-/g, '_');
+        nodes[parsed.uid] = {
+            uid: parsed.uid,
+            config: parsed.config,
+            componentType,
+            componentDeps: componentType !== 'APPLICATION' && appUid ? { app: appUid, allAppObjects: [] } : {},
+            metaFilePath: file.slice(sourceRoot.length + 1),
+            files: {},
+        };
+    }
+    if (Object.keys(nodes).length === 0) {
+        return undefined;
+    }
+    return {
+        intermediateNodesIndexedByUid: nodes,
+        profileData: { vars: { profileVariables: {} } },
+    };
+}
+function readAppUidFromIntermediateRepresentation(value) {
+    if (!isRecord(value) || !isRecord(value.intermediateNodesIndexedByUid)) {
+        return undefined;
+    }
+    for (const node of Object.values(value.intermediateNodesIndexedByUid)) {
+        if (!isRecord(node) || node.componentType !== 'APPLICATION' || typeof node.uid !== 'string') {
+            continue;
+        }
+        return node.uid;
+    }
+    return undefined;
+}
+async function readHubSpotProjectConfig(root) {
+    const raw = await readFile(join(root, 'hsproject.json'), 'utf8').catch(() => '{}');
+    const parsed = JSON.parse(raw);
+    return isRecord(parsed) ? parsed : {};
+}
+async function collectHubSpotMetaFiles(root) {
+    const files = [];
+    async function walk(dir) {
+        let entries;
+        try {
+            entries = await readdir(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const path = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                await walk(path);
+            }
+            else if (entry.isFile() && entry.name.endsWith('-hsmeta.json')) {
+                files.push(path);
+            }
+        }
+    }
+    await walk(root);
+    return files.sort();
+}
+function runZip(root, archivePath) {
+    return new Promise((resolve, reject) => {
+        const child = spawn('zip', ['-qr', archivePath, '.', '-x', 'node_modules/*', '.hs-x/*'], {
+            cwd: root,
+            stdio: ['ignore', 'ignore', 'pipe'],
+        });
+        let stderr = '';
+        child.stderr?.setEncoding('utf8');
+        child.stderr?.on('data', (chunk) => {
+            stderr += chunk;
+        });
+        child.on('error', reject);
+        child.on('close', (code) => {
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                reject(new Error(`Unable to create HubSpot project zip archive: ${stderr.trim()}`));
+            }
+        });
+    });
+}
+function readNumericProperty(value, key) {
+    return isRecord(value) && typeof value[key] === 'number' ? value[key] : undefined;
+}
+function readBooleanProperty(value, key) {
+    return isRecord(value) && typeof value[key] === 'boolean' ? value[key] : undefined;
+}
+function readStatus(value) {
+    return isRecord(value) && typeof value.status === 'string' ? value.status : undefined;
+}
+function hasFlag(argv, flag) {
+    return argv.includes(flag);
+}
+function readPositiveInteger(value, label) {
+    const parsed = Number.parseInt(value, 10);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+        throw new Error(`${label} must be a positive integer.`);
+    }
+    return parsed;
+}
+function readOptionalHubSpotAppId(value) {
+    if (!value)
+        return undefined;
+    const parsed = readPositiveInteger(value, '--hubspot-app-id');
+    return Schema.decodeSync(schemas.HubSpotAppId)(parsed);
+}
+function deployBundleKey(input) {
+    return Schema.decodeSync(schemas.BundleKey)(`r2://bundles/${input.projectId}/${input.deployId}.tar.gz`);
+}
+async function requestLocalControlPlaneDeployPlan(request) {
+    const controlPlane = (await loadCreateControlPlane())({
+        now: () => new Date('2026-05-18T14:00:00.000Z'),
+    });
+    const headers = {
+        'content-type': 'application/json',
+        ...(await controlPlaneAuthHeaders('local-cli-user')),
+    };
+    await seedLocalControlPlaneCredentials(controlPlane, request.accountId, headers);
+    const response = await controlPlane.fetch(new Request('https://api.hs-x.dev/v1/deploys/plan', {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(request),
+    }));
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Local control-plane deploy plan failed with status ${response.status}`);
+    }
+    return Schema.decodeUnknownSync(schemas.DeployPlanResponse)(body);
+}
+async function requestHostedControlPlaneDeployPlan({ request, controlPlaneUrl, userId, }) {
+    const response = await hostedHttp({
+        url: new URL('/v1/deploys/plan', controlPlaneUrl),
+        method: 'POST',
+        headers: await controlPlaneAuthHeaders(userId),
+        body: request,
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control-plane deploy plan failed with status ${response.status}`);
+    }
+    return Schema.decodeUnknownSync(schemas.DeployPlanResponse)(body);
+}
+async function requestLocalControlPlaneDeployRecordAndMaybePromote({ request, plan, promoteWhenHealthy, }) {
+    const controlPlane = (await loadCreateControlPlane())({
+        now: () => new Date('2026-05-18T14:00:00.000Z'),
+    });
+    const headers = {
+        'content-type': 'application/json',
+        ...(await controlPlaneAuthHeaders('local-cli-user')),
+    };
+    await seedLocalControlPlaneCredentials(controlPlane, request.accountId, headers);
+    await controlPlane.fetch(new Request('https://api.hs-x.dev/v1/deploys/plan', {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(request),
+    }));
+    const response = await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/deploys/${plan.deployId}/record`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+            accountId: request.accountId,
+            projectId: request.projectId,
+            manifestHash: plan.manifestHash,
+            signedManifest: request.manifest,
+            signature: `sig_${plan.deployId}`,
+            bundleKey: deployBundleKey({ projectId: request.projectId, deployId: plan.deployId }),
+        }),
+    }));
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Local control-plane deploy record failed with status ${response.status}`);
+    }
+    const record = Schema.decodeUnknownSync(schemas.DeployRecord)(body);
+    if (!promoteWhenHealthy) {
+        return { record };
+    }
+    const driftResponse = await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/projects/${request.projectId}/attestation`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+            manifestHash: plan.manifestHash,
+            bindingFingerprint: `bindings:${plan.deployId}`,
+            sdkVersion: CLI_VERSION,
+            taggedResourceCount: Math.max(1, plan.resources.workerNames.length),
+            hsXAccountId: request.accountId,
+            projectId: request.projectId,
+            environment: 'dev',
+            deployId: plan.deployId,
+            timestamp: '2026-05-18T14:00:00.000Z',
+        }),
+    }));
+    const driftBody = await driftResponse.json();
+    if (!driftResponse.ok) {
+        throw new Error(isRecord(driftBody) && typeof driftBody.message === 'string'
+            ? driftBody.message
+            : `Local control-plane attestation failed with status ${driftResponse.status}`);
+    }
+    const drift = Schema.decodeUnknownSync(schemas.DriftRead)(driftBody);
+    if (drift.state !== 'healthy' || drift.deployId !== plan.deployId) {
+        throw new Error(`Deploy ${plan.deployId} is not healthy enough to promote; drift state is ${drift.state}.`);
+    }
+    const promotionResponse = await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/deploys/${plan.deployId}/promote`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({ accountId: request.accountId, projectId: request.projectId }),
+    }));
+    const promotionBody = await promotionResponse.json();
+    if (!promotionResponse.ok) {
+        throw new Error(isRecord(promotionBody) && typeof promotionBody.message === 'string'
+            ? promotionBody.message
+            : `Local control-plane promotion failed with status ${promotionResponse.status}`);
+    }
+    return {
+        record,
+        drift,
+        promotion: Schema.decodeUnknownSync(schemas.DeployPromotionResult)(promotionBody),
+    };
+}
+async function requestHostedControlPlaneDeployRecordAndMaybePromote({ request, plan, controlPlaneUrl, userId, promoteWhenHealthy, promotionTimeoutMs, }) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/deploys/${encodeURIComponent(plan.deployId)}/record`, controlPlaneUrl),
+        method: 'POST',
+        headers: await controlPlaneAuthHeaders(userId),
+        body: {
+            accountId: request.accountId,
+            projectId: request.projectId,
+            manifestHash: plan.manifestHash,
+            signedManifest: request.manifest,
+            signature: `sig_${plan.deployId}`,
+            bundleKey: deployBundleKey({ projectId: request.projectId, deployId: plan.deployId }),
+        },
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control-plane deploy record failed with status ${response.status}`);
+    }
+    const record = Schema.decodeUnknownSync(schemas.DeployRecord)(body);
+    if (!promoteWhenHealthy) {
+        return { record };
+    }
+    const drift = await waitForHealthyControlPlaneDrift({
+        controlPlaneUrl,
+        projectId: request.projectId,
+        deployId: plan.deployId,
+        userId,
+        timeoutMs: promotionTimeoutMs,
+    });
+    const promotion = await requestControlPlaneDeployPromotion({
+        controlPlaneUrl,
+        deployId: plan.deployId,
+        accountId: request.accountId,
+        projectId: request.projectId,
+        userId,
+    });
+    return { record, drift, promotion };
+}
+async function seedLocalControlPlaneCredentials(controlPlane, accountId, headers) {
+    await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/accounts/${accountId}/hubspot/connect`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+            developerAccountId: `dev-${accountId}`,
+            displayName: 'Local HubSpot Dev Account',
+            authMethod: 'pak',
+            personalAccessKey: 'pat-local-control-plane-redacted',
+        }),
+    }));
+    await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/accounts/${accountId}/cloudflare/connect`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+            cloudflareAccountId: `cf-${accountId}`,
+            displayName: 'Local Cloudflare Account',
+            authMethod: 'api-token',
+            apiToken: 'cf-local-control-plane-redacted',
+        }),
+    }));
+}
+async function discoverWorkerManifests(root, options = {}) {
+    const files = await collectFiles(join(root, 'src'));
+    const workers = [];
+    for (const file of files) {
+        const source = await readFile(file, 'utf8');
+        const workerName = /defineWorker\s*\(\s*["'`]([^"'`]+)["'`]/.exec(source)?.[1];
+        if (!workerName) {
+            continue;
+        }
+        const toolCapabilities = [
+            ...source.matchAll(/(?:worker\.)?(?:tool|action)\s*\(\s*["'`]([^"'`]+)["'`]\s*,\s*\{([\s\S]*?)(?:async\s+)?handler\s*(?:[:(])/g),
+        ].map((match) => ({
+            kind: 'tool',
+            id: match[1] ?? 'unknown',
+            label: /label\s*:\s*["'`]([^"'`]+)["'`]/.exec(match[2] ?? '')?.[1] ?? match[1] ?? 'unknown',
+            objectType: /objectType\s*:\s*["'`]([^"'`]+)["'`]/.exec(match[2] ?? '')?.[1] ?? 'unknown',
+            ...objectFieldsProperty(match[2] ?? '', 'input'),
+            ...objectFieldsProperty(match[2] ?? '', 'output'),
+            runtimeNeeds: ['worker'],
+        }));
+        const cardBackendCapabilities = [
+            ...source.matchAll(/(?:worker\.)?cardBackend\s*\(\s*["'`]([^"'`]+)["'`]\s*,\s*\{([\s\S]*?)(?:async\s+)?handler\s*(?:[:(])/g),
+        ].map((match) => ({
+            kind: 'card-backend',
+            id: match[1] ?? 'unknown',
+            label: /label\s*:\s*["'`]([^"'`]+)["'`]/.exec(match[2] ?? '')?.[1] ?? match[1] ?? 'unknown',
+            runtimeNeeds: ['worker'],
+        }));
+        const sourceDefinitions = discoverSourceDefinitions(source);
+        const syncCapabilities = [
+            ...source.matchAll(/worker\.sync\s*\(\s*([^,]+)\s*,\s*\{([\s\S]*?)\}\s*\)/g),
+        ].map((match) => {
+            const sourceOrId = (match[1] ?? '').trim();
+            const definition = match[2] ?? '';
+            const id = /^["'`]([^"'`]+)["'`]$/.exec(sourceOrId)?.[1];
+            const sourceDefinition = sourceDefinitions.get(sourceOrId);
+            const sourceManifest = sourceDefinition?.kind === 'push'
+                ? {
+                    kind: 'push',
+                    name: sourceDefinition.name,
+                    webhookPath: `/webhooks/${sourceDefinition.name}`,
+                    ...(sourceDefinition.auth ? { auth: { type: sourceDefinition.auth } } : {}),
+                }
+                : sourceDefinition?.kind === 'pull'
+                    ? {
+                        kind: 'pull',
+                        name: sourceDefinition.name,
+                        ...(sourceDefinition.auth ? { auth: { type: sourceDefinition.auth } } : {}),
+                    }
+                    : undefined;
+            return {
+                kind: 'sync',
+                id: id ?? sourceManifest?.name ?? 'unknown',
+                ...(/label\s*:\s*["'`]([^"'`]+)["'`]/.exec(definition)?.[1]
+                    ? { label: /label\s*:\s*["'`]([^"'`]+)["'`]/.exec(definition)?.[1] }
+                    : {}),
+                schedule: /schedule\s*:\s*["'`]([^"'`]+)["'`]/.exec(definition)?.[1] ?? 'manual',
+                ...stringProperty(definition, 'into'),
+                ...schemaProperty(definition),
+                manageSchema: options.noManageSchema ? false : discoverManageSchemaMode(definition),
+                ...(sourceManifest ? { source: sourceManifest } : {}),
+                runtimeNeeds: sourceManifest?.kind === 'push'
+                    ? ['worker', 'durable-object', 'queue']
+                    : ['worker', 'durable-object'],
+            };
+        });
+        workers.push({
+            name: workerName,
+            capabilities: [...toolCapabilities, ...cardBackendCapabilities, ...syncCapabilities],
+        });
+    }
+    return workers;
+}
+function stringProperty(source, propertyName) {
+    const match = new RegExp(`${propertyName}\\s*:\\s*["'\`]([^"'\`]+)["'\`]`).exec(source)?.[1];
+    return match ? { [propertyName]: match } : {};
+}
+function schemaProperty(source) {
+    const body = /schema\s*:\s*\{([\s\S]*?)\}\s*(?:,|$)/.exec(source)?.[1];
+    if (!body) {
+        return {};
+    }
+    const schema = {};
+    for (const match of body.matchAll(/([A-Za-z_$][\w$]*)\s*:\s*["'`]([^"'`]+)["'`]/g)) {
+        if (match[1] && match[2]) {
+            schema[match[1]] = match[2];
+        }
+    }
+    return Object.keys(schema).length > 0 ? { schema } : {};
+}
+function objectFieldsProperty(source, propertyName) {
+    const body = objectLiteralBody(source, propertyName);
+    if (!body) {
+        return {};
+    }
+    const fields = {};
+    for (const match of body.matchAll(/([A-Za-z_$][\w$]*)\s*:\s*\{([\s\S]*?)\}\s*,?/g)) {
+        const fieldName = match[1];
+        const definition = match[2] ?? '';
+        if (!fieldName) {
+            continue;
+        }
+        fields[fieldName] = {
+            ...stringProperty(definition, 'type'),
+            ...stringProperty(definition, 'label'),
+            ...literalProperty(definition, 'default'),
+        };
+    }
+    return Object.keys(fields).length > 0 ? { [propertyName]: fields } : {};
+}
+function objectLiteralBody(source, propertyName) {
+    const start = new RegExp(`${propertyName}\\s*:\\s*\\{`).exec(source);
+    if (!start) {
+        return undefined;
+    }
+    let depth = 0;
+    const bodyStart = start.index + start[0].length;
+    for (let index = bodyStart; index < source.length; index += 1) {
+        const char = source[index];
+        if (char === '{')
+            depth += 1;
+        if (char === '}') {
+            if (depth === 0) {
+                return source.slice(bodyStart, index);
+            }
+            depth -= 1;
+        }
+    }
+    return undefined;
+}
+function literalProperty(source, propertyName) {
+    const match = new RegExp(`${propertyName}\\s*:\\s*([^,}\\n]+)`).exec(source)?.[1]?.trim();
+    if (!match) {
+        return {};
+    }
+    if (/^["'`]/.test(match)) {
+        return stringProperty(source, propertyName);
+    }
+    const numeric = Number(match);
+    if (Number.isFinite(numeric)) {
+        return { [propertyName]: numeric };
+    }
+    if (match === 'true')
+        return { [propertyName]: true };
+    if (match === 'false')
+        return { [propertyName]: false };
+    return {};
+}
+function discoverManageSchemaMode(definition) {
+    const literal = /manageSchema\s*:\s*["'`](properties|full)["'`]/.exec(definition)?.[1];
+    if (literal === 'properties' || literal === 'full') {
+        return literal;
+    }
+    return false;
+}
+function discoverSourceDefinitions(source) {
+    const definitions = new Map();
+    for (const match of source.matchAll(/(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*defineSource(\.push)?\s*\(\s*\{([\s\S]*?)\}\s*\)/g)) {
+        const variableName = match[1];
+        const body = match[3] ?? '';
+        if (!variableName) {
+            continue;
+        }
+        const name = /name\s*:\s*["'`]([^"'`]+)["'`]/.exec(body)?.[1] ?? variableName;
+        const auth = /auth\s*:\s*\{\s*type\s*:\s*["'`](bearer|oauth2|basic|hmac)["'`]/.exec(body)?.[1];
+        definitions.set(variableName, {
+            kind: match[2] ? 'push' : 'pull',
+            name,
+            ...(auth ? { auth } : {}),
+        });
+    }
+    return definitions;
+}
+async function collectFiles(root) {
+    const files = [];
+    async function walk(dir) {
+        let entries;
+        try {
+            entries = await readdir(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const path = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                await walk(path);
+            }
+            else if (entry.isFile() && /\.(?:ts|tsx|js|jsx)$/.test(entry.name)) {
+                files.push(path);
+            }
+        }
+    }
+    try {
+        if ((await stat(root)).isDirectory()) {
+            await walk(root);
+        }
+    }
+    catch {
+        return [];
+    }
+    return files.sort();
+}
+// as "flag not provided" so env-var fallbacks still apply.
+function isFlagValue(value) {
+    return value !== undefined && value.length > 0 && !value.startsWith('-');
+}
+function resolveFlag(argv, flag) {
+    const index = argv.indexOf(flag);
+    if (index !== -1) {
+        const next = argv[index + 1];
+        if (isFlagValue(next))
+            return next;
+    }
+    const prefix = `${flag}=`;
+    const found = argv.find((arg) => arg.startsWith(prefix));
+    if (!found)
+        return undefined;
+    const value = found.slice(prefix.length);
+    return value.length > 0 ? value : undefined;
+}
+function resolveFlags(argv, flag) {
+    const values = [];
+    const prefix = `${flag}=`;
+    for (let index = 0; index < argv.length; index += 1) {
+        const arg = argv[index];
+        if (arg === flag) {
+            const next = argv[index + 1];
+            if (isFlagValue(next)) {
+                values.push(next);
+                index += 1;
+            }
+            continue;
+        }
+        if (arg?.startsWith(prefix)) {
+            const value = arg.slice(prefix.length);
+            if (value.length > 0)
+                values.push(value);
+        }
+    }
+    return values;
+}
+function write(message) {
+    process.stdout.write(message);
+}
+//# sourceMappingURL=deploy.js.map