@insforge/cli 0.1.61 → 0.1.63

package/dist/index.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { readFileSync as readFileSync7 } from "fs";
-import { join as join13, dirname } from "path";
+import { readFileSync as readFileSync8 } from "fs";
+import { join as join14, dirname as dirname2 } from "path";
 import { fileURLToPath } from "url";
 import { Command } from "commander";
-import * as clack11 from "@clack/prompts";
+import * as clack15 from "@clack/prompts";
 
 // src/lib/prompts.ts
 import * as readline from "readline";
@@ -220,6 +220,12 @@ function getLocalConfigDir() {
 function getLocalConfigFile() {
   return join(getLocalConfigDir(), "project.json");
 }
+function getParentBackupFile() {
+  return join(getLocalConfigDir(), "project.parent.json");
+}
+function getProjectConfigFile() {
+  return getLocalConfigFile();
+}
 function getProjectConfig() {
   const file = getLocalConfigFile();
   if (!existsSync(file)) {
@@ -644,7 +650,8 @@ async function refreshAccessToken(apiUrl) {
 }
 
 // src/lib/api/platform.ts
-async function platformFetch(path5, options = {}, apiUrl) {
+async function platformFetch(path6, options = {}, apiUrl) {
+  const { passThroughStatuses, ...fetchOptions } = options;
   const baseUrl = getPlatformApiUrl(apiUrl);
   const token = getAccessToken();
   if (!token) {
@@ -653,19 +660,19 @@ async function platformFetch(path5, options = {}, apiUrl) {
   const headers = {
     "Content-Type": "application/json",
     Authorization: `Bearer ${token}`,
-    ...options.headers ?? {}
+    ...fetchOptions.headers ?? {}
   };
-  const fullUrl = `${baseUrl}${path5}`;
+  const fullUrl = `${baseUrl}${path6}`;
   if (process.env.INSFORGE_DEBUG) {
-    console.error(`[DEBUG] ${options.method ?? "GET"} ${fullUrl}`);
+    console.error(`[DEBUG] ${fetchOptions.method ?? "GET"} ${fullUrl}`);
     console.error(`[DEBUG] Headers: ${JSON.stringify(headers, null, 2)}`);
-    if (options.body) {
-      console.error(`[DEBUG] Body: ${typeof options.body === "string" ? options.body : JSON.stringify(options.body)}`);
+    if (fetchOptions.body) {
+      console.error(`[DEBUG] Body: ${typeof fetchOptions.body === "string" ? fetchOptions.body : JSON.stringify(fetchOptions.body)}`);
     }
   }
   let res;
   try {
-    res = await fetch(fullUrl, { ...options, headers });
+    res = await fetch(fullUrl, { ...fetchOptions, headers });
   } catch (err) {
     throw new CLIError(formatFetchError(err, fullUrl));
   }
@@ -674,16 +681,22 @@ async function platformFetch(path5, options = {}, apiUrl) {
     headers.Authorization = `Bearer ${newToken}`;
     let retryRes;
     try {
-      retryRes = await fetch(fullUrl, { ...options, headers });
+      retryRes = await fetch(fullUrl, { ...fetchOptions, headers });
     } catch (err) {
       throw new CLIError(formatFetchError(err, fullUrl));
     }
+    if (passThroughStatuses?.includes(retryRes.status)) {
+      return retryRes;
+    }
     if (!retryRes.ok) {
       const err = await retryRes.json().catch(() => ({}));
       throw new CLIError(err.error ?? `Request failed: ${retryRes.status}`, retryRes.status === 403 ? 5 : 1);
     }
     return retryRes;
   }
+  if (passThroughStatuses?.includes(res.status)) {
+    return res;
+  }
   if (!res.ok) {
     const err = await res.json().catch(() => ({}));
     const msg = err.message ? `${err.error ?? res.status}: ${err.message}` : err.error ?? `Request failed: ${res.status}`;
@@ -811,6 +824,55 @@ async function createProject(orgId, name, region, apiUrl) {
   const data = await res.json();
   return data.project ?? data;
 }
+async function createBranchApi(parentProjectId, body, apiUrl) {
+  const res = await platformFetch(`/projects/v1/${parentProjectId}/branches`, {
+    method: "POST",
+    body: JSON.stringify(body)
+  }, apiUrl);
+  const data = await res.json();
+  return data.branch;
+}
+async function listBranchesApi(parentProjectId, apiUrl) {
+  const res = await platformFetch(`/projects/v1/${parentProjectId}/branches`, {}, apiUrl);
+  const data = await res.json();
+  return data.data ?? [];
+}
+async function getBranchApi(branchId, apiUrl) {
+  const res = await platformFetch(`/projects/v1/branches/${branchId}`, {}, apiUrl);
+  const data = await res.json();
+  return data.branch;
+}
+async function deleteBranchApi(branchId, apiUrl) {
+  await platformFetch(`/projects/v1/branches/${branchId}`, { method: "DELETE" }, apiUrl);
+}
+async function resetBranchApi(branchId, apiUrl) {
+  const res = await platformFetch(
+    `/projects/v1/branches/${branchId}/reset`,
+    { method: "POST" },
+    apiUrl
+  );
+  const data = await res.json();
+  return data.branch;
+}
+async function mergeBranchDryRunApi(branchId, apiUrl) {
+  const res = await platformFetch(
+    `/projects/v1/branches/${branchId}/merge?dryRun=true`,
+    { method: "POST" },
+    apiUrl
+  );
+  return await res.json();
+}
+async function mergeBranchExecuteApi(branchId, apiUrl) {
+  const res = await platformFetch(
+    `/projects/v1/branches/${branchId}/merge`,
+    { method: "POST", passThroughStatuses: [409] },
+    apiUrl
+  );
+  if (res.status === 409) {
+    return { ok: false, conflict: await res.json() };
+  }
+  return { ok: true, result: await res.json() };
+}
 
 // src/commands/login.ts
 function registerLoginCommand(program2) {
@@ -1098,143 +1160,6 @@ function registerProjectsCommands(projectsCmd2) {
   });
 }
 
-// src/commands/projects/link.ts
-import { exec as exec3 } from "child_process";
-import { promisify as promisify3 } from "util";
-import * as fs4 from "fs/promises";
-import * as path4 from "path";
-import * as clack8 from "@clack/prompts";
-import pc2 from "picocolors";
-
-// src/lib/skills.ts
-import { exec } from "child_process";
-import { existsSync as existsSync2, readFileSync as readFileSync2, appendFileSync } from "fs";
-import { join as join2 } from "path";
-import { promisify } from "util";
-import * as clack5 from "@clack/prompts";
-var execAsync = promisify(exec);
-var SKILL_INSTALL_TIMEOUT_MS = 6e4;
-function describeExecError(err) {
-  const e = err;
-  if (e.killed && (e.signal === "SIGTERM" || e.signal === "SIGKILL")) {
-    return `timed out after ${SKILL_INSTALL_TIMEOUT_MS / 1e3}s \u2014 the npm registry may be slow or blocked by your network`;
-  }
-  if (e.code === "ENOENT") {
-    return "`npx` is not on your PATH \u2014 install Node.js 18+ and reopen your shell";
-  }
-  const stderr = (typeof e.stderr === "string" ? e.stderr : e.stderr?.toString()) ?? "";
-  if (/ENOTFOUND|EAI_AGAIN|getaddrinfo/i.test(stderr)) return "cannot reach the npm registry (DNS lookup failed) \u2014 check your internet connection";
-  if (/ECONNREFUSED/i.test(stderr)) return "connection to the npm registry was refused \u2014 a proxy or firewall is likely blocking it";
-  if (/ETIMEDOUT|ESOCKETTIMEDOUT|network timeout/i.test(stderr)) return "the npm registry timed out \u2014 check your VPN, proxy, or corporate network";
-  if (/CERT_HAS_EXPIRED|UNABLE_TO_VERIFY_LEAF_SIGNATURE|SELF_SIGNED_CERT/i.test(stderr)) return "TLS error reaching the npm registry \u2014 a corporate proxy may be intercepting HTTPS";
-  if (/\bE404\b|404 Not Found/i.test(stderr)) return "npm returned 404 \u2014 the `skills` package or a dependency could not be found (check your npm registry config)";
-  if (/EACCES|permission denied/i.test(stderr)) return "permission denied writing files \u2014 run from a directory you own, without sudo";
-  if (/ENOSPC|no space left/i.test(stderr)) return "no disk space left to install the package";
-  if (/\b401\b|EAUTH|authentication/i.test(stderr)) return "npm authentication failed \u2014 check ~/.npmrc";
-  if (typeof e.code === "number") return `npx exited with code ${e.code}`;
-  if (typeof e.code === "string") return e.code;
-  return e.message ?? "unknown error";
-}
-var GITIGNORE_ENTRIES = [
-  ".insforge",
-  ".agent",
-  ".agents",
-  ".augment",
-  ".claude",
-  ".cline",
-  ".github/copilot*",
-  ".kilocode",
-  ".qoder",
-  ".qwen",
-  ".roo",
-  ".trae",
-  ".windsurf"
-];
-function updateGitignore() {
-  const gitignorePath = join2(process.cwd(), ".gitignore");
-  const existing = existsSync2(gitignorePath) ? readFileSync2(gitignorePath, "utf-8") : "";
-  const lines = new Set(existing.split("\n").map((l) => l.trim()));
-  const missing = GITIGNORE_ENTRIES.filter((entry) => !lines.has(entry));
-  if (!missing.length) return;
-  const block = `
-# InsForge & AI agent skills
-${missing.join("\n")}
-`;
-  appendFileSync(gitignorePath, block);
-}
-async function installSkills(json) {
-  try {
-    if (!json) clack5.log.info("Installing InsForge agent skills (global)...");
-    await execAsync("npx skills add insforge/agent-skills -g -y -a antigravity -a augment -a claude-code -a cline -a codex -a cursor -a gemini-cli -a github-copilot -a kilo -a qoder -a qwen-code -a roo -a trae -a windsurf", {
-      cwd: process.cwd(),
-      timeout: SKILL_INSTALL_TIMEOUT_MS
-    });
-    if (!json) clack5.log.success("InsForge agent skills installed.");
-  } catch (err) {
-    if (!json) {
-      clack5.log.warn(`Could not install agent skills: ${describeExecError(err)}`);
-      clack5.log.info("Run `npx skills add insforge/agent-skills` once resolved to see the full output.");
-    }
-  }
-  try {
-    if (!json) clack5.log.info("Installing find-skills (global)...");
-    await execAsync("npx skills add https://github.com/vercel-labs/skills --skill find-skills -g -y", {
-      cwd: process.cwd(),
-      timeout: SKILL_INSTALL_TIMEOUT_MS
-    });
-    if (!json) clack5.log.success("find-skills installed.");
-  } catch (err) {
-    if (!json) {
-      clack5.log.warn(`Could not install find-skills: ${describeExecError(err)}`);
-      clack5.log.info("Run `npx skills add https://github.com/vercel-labs/skills --skill find-skills` once resolved.");
-    }
-  }
-  try {
-    updateGitignore();
-  } catch {
-  }
-}
-async function reportCliUsage(toolName, success, maxRetries = 1, explicitConfig) {
-  let config = explicitConfig;
-  if (!config) {
-    try {
-      config = getProjectConfig();
-    } catch {
-      return;
-    }
-  }
-  if (!config) return;
-  const payload = JSON.stringify({
-    tool_name: toolName,
-    success,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString()
-  });
-  for (let attempt = 0; attempt < maxRetries; attempt++) {
-    try {
-      const controller = new AbortController();
-      const timer = setTimeout(() => controller.abort(), 3e3);
-      try {
-        const res = await fetch(`${config.oss_host}/api/usage/mcp`, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "x-api-key": config.api_key
-          },
-          body: payload,
-          signal: controller.signal
-        });
-        if (res.status < 500) return;
-      } finally {
-        clearTimeout(timer);
-      }
-    } catch {
-    }
-    if (attempt < maxRetries - 1) {
-      await new Promise((r) => setTimeout(r, 5e3));
-    }
-  }
-}
-
 // src/lib/analytics.ts
 import { PostHog } from "posthog-node";
 var POSTHOG_API_KEY = "phc_ueV1ii62wdBTkH7E70ugyeqHIHu8dFDdjs0qq3TZhJz";
@@ -1269,6 +1194,17 @@ function trackDiagnose(subcommand, config) {
     oss_mode: config.project_id === FAKE_PROJECT_ID
   });
 }
+function trackPayments(subcommand, config, properties) {
+  captureEvent(config.project_id, "cli_payments_invoked", {
+    subcommand,
+    project_id: config.project_id,
+    project_name: config.project_name,
+    org_id: config.org_id,
+    region: config.region,
+    oss_mode: config.project_id === FAKE_PROJECT_ID,
+    ...properties
+  });
+}
 async function shutdownAnalytics() {
   try {
     if (client) await client.shutdown();
@@ -1276,172 +1212,982 @@ async function shutdownAnalytics() {
   }
 }
 
-// src/commands/create.ts
-import { exec as exec2 } from "child_process";
-import { tmpdir } from "os";
-import { promisify as promisify2 } from "util";
-import * as fs3 from "fs/promises";
-import * as path3 from "path";
-import * as clack7 from "@clack/prompts";
-
-// src/lib/api/oss.ts
-function requireProjectConfig() {
-  const config = getProjectConfig();
-  if (!config) {
-    throw new ProjectNotLinkedError();
+// src/commands/branch/switch.ts
+import { copyFileSync, existsSync as existsSync2, unlinkSync as unlinkSync2 } from "fs";
+async function runBranchSwitch(input) {
+  await requireAuth(input.apiUrl);
+  const current = getProjectConfig();
+  if (!current) {
+    throw new CLIError("No project linked. Run `insforge link` first.");
+  }
+  if (input.toParent && input.name) {
+    throw new CLIError("Pass either a branch name or --parent, not both.");
+  }
+  const projectFile = getProjectConfigFile();
+  const parentBackup = getParentBackupFile();
+  if (input.toParent) {
+    if (!existsSync2(parentBackup)) {
+      throw new CLIError(
+        "No parent backup found. Re-link the directory with `insforge link --project-id <parent>`."
+      );
+    }
+    copyFileSync(parentBackup, projectFile);
+    unlinkSync2(parentBackup);
+    captureEvent(current.project_id, "cli_branch_switch", { direction: "to_parent" });
+    if (!input.silent) {
+      if (input.json) {
+        outputJson({ switched: "parent" });
+      } else {
+        outputSuccess("Switched back to parent.");
+      }
+    }
+    return;
   }
-  return config;
-}
-async function runRawSql(sql, unrestricted = false) {
-  const endpoint = unrestricted ? "/api/database/advance/rawsql/unrestricted" : "/api/database/advance/rawsql";
-  const res = await ossFetch(endpoint, {
-    method: "POST",
-    body: JSON.stringify({ query: sql })
+  if (!input.name) {
+    throw new CLIError("Branch name required (or pass --parent).");
+  }
+  const parentId = current.branched_from?.project_id ?? current.project_id;
+  const branches = await listBranchesApi(parentId, input.apiUrl);
+  const target = branches.find((b) => b.name === input.name);
+  if (!target) {
+    throw new CLIError(`Branch '${input.name}' not found.`);
+  }
+  if (target.branch_state !== "ready") {
+    throw new CLIError(
+      `Branch '${input.name}' is in state '${target.branch_state}', cannot switch.`
+    );
+  }
+  if (!existsSync2(parentBackup)) {
+    copyFileSync(projectFile, parentBackup);
+  }
+  const apiKey = await getProjectApiKey(target.id, input.apiUrl);
+  const ossHost = `${target.appkey}.${target.region}.insforge.app`;
+  const branched_from = current.branched_from ?? {
+    project_id: current.project_id,
+    project_name: current.project_name
+  };
+  saveProjectConfig({
+    project_id: target.id,
+    project_name: target.name,
+    org_id: target.organization_id,
+    appkey: target.appkey,
+    region: target.region,
+    api_key: apiKey,
+    oss_host: ossHost,
+    branched_from
   });
-  const raw = await res.json();
-  const rows = raw.rows ?? raw.data ?? [];
-  return { rows, raw };
+  captureEvent(parentId, "cli_branch_switch", { direction: "to_branch" });
+  if (!input.silent) {
+    if (input.json) {
+      outputJson({ switched: "branch", branch_id: target.id });
+    } else {
+      outputSuccess(`Switched to branch '${target.name}'.`);
+    }
+  }
 }
-async function getAnonKey() {
-  const res = await ossFetch("/api/auth/tokens/anon", { method: "POST" });
-  const data = await res.json();
-  return data.accessToken;
+function registerBranchSwitchCommand(branch) {
+  branch.command("switch [name]").description("Switch this directory's context to a branch (or back with --parent)").option("--parent", "Switch back to the parent project").action(async (name, opts, cmd) => {
+    const { json, apiUrl } = getRootOpts(cmd);
+    try {
+      await runBranchSwitch({ name, toParent: opts.parent, apiUrl, json });
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
+    }
+  });
 }
-async function ossFetch(path5, options = {}) {
-  const config = requireProjectConfig();
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${config.api_key}`,
-    ...options.headers ?? {}
-  };
-  const res = await fetch(`${config.oss_host}${path5}`, { ...options, headers });
-  if (!res.ok) {
-    const err = await res.json().catch(() => ({}));
-    let message = err.message ?? err.error ?? `OSS request failed: ${res.status}`;
-    if (err.nextActions) {
-      message += `
-${err.nextActions}`;
+
+// src/commands/branch/create.ts
+var POLL_INTERVAL_MS = 3e3;
+var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+function registerBranchCreateCommand(branch) {
+  branch.command("create <name>").description("Create a branch from the currently linked project").option("--mode <mode>", "full | schema-only", "full").option("--no-switch", "Do not auto-switch context after creation").action(async (name, opts, cmd) => {
+    const { json, apiUrl } = getRootOpts(cmd);
+    try {
+      await requireAuth(apiUrl);
+      const project = getProjectConfig();
+      if (!project) {
+        throw new CLIError("No project linked. Run `insforge link` first.");
+      }
+      if (project.branched_from) {
+        throw new CLIError(
+          "This directory is currently switched to a branch. Run `insforge branch switch --parent` first, then create a new branch from the parent."
+        );
+      }
+      if (opts.mode !== "full" && opts.mode !== "schema-only") {
+        throw new CLIError(`Invalid --mode: ${opts.mode} (must be "full" or "schema-only")`);
+      }
+      const mode = opts.mode;
+      const created = await createBranchApi(project.project_id, { mode, name }, apiUrl);
+      captureEvent(project.project_id, "cli_branch_create", {
+        mode,
+        parent_project_id: project.project_id
+      });
+      if (!json) {
+        outputSuccess(`Branch '${name}' created (appkey: ${created.appkey}). Provisioning\u2026`);
+      }
+      const ready = await pollUntilReady(created.id, apiUrl, !json);
+      if (opts.switch && ready.branch_state === "ready") {
+        await runBranchSwitch({ name, apiUrl, json, silent: json });
+      }
+      if (json) {
+        outputJson({ branch: ready });
+      } else if (ready.branch_state === "ready") {
+        outputSuccess(`Branch '${name}' is ready.`);
+        if (opts.switch) {
+          outputInfo(
+            "\u26A0 Re-source your dev server env (.env) to pick up the new INSFORGE_URL / ANON_KEY."
+          );
+        }
+      } else {
+        outputInfo(
+          `Branch '${name}' is still in '${ready.branch_state}' state. Run \`insforge branch list\` to check.`
+        );
+      }
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
     }
-    const isRouteLevel404 = !err.error || err.error === "NOT_FOUND";
-    if (res.status === 404 && isRouteLevel404 && path5.startsWith("/api/compute")) {
-      message = "Compute services are not available on this backend.\nSelf-hosted: upgrade your InsForge instance. Cloud: contact your InsForge admin to enable compute.";
+  });
+}
+async function pollUntilReady(branchId, apiUrl, showProgress) {
+  const start = Date.now();
+  let lastState = "";
+  while (Date.now() - start < POLL_TIMEOUT_MS) {
+    const branch2 = await getBranchApi(branchId, apiUrl);
+    if (branch2.branch_state === "ready") return branch2;
+    if (branch2.branch_state === "deleted" || branch2.branch_state === "conflicted") {
+      throw new CLIError(`Branch creation failed (state: ${branch2.branch_state})`);
     }
-    if (res.status === 404 && isRouteLevel404 && path5 === "/api/database/migrations") {
-      message = "Database migrations are not available on this backend.\nSelf-hosted: upgrade your InsForge instance. Cloud: contact your InsForge admin about database migration support.";
+    if (showProgress && branch2.branch_state !== lastState) {
+      outputInfo(`  state: ${branch2.branch_state}\u2026`);
+      lastState = branch2.branch_state;
     }
-    throw new CLIError(message);
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
   }
-  return res;
+  const branch = await getBranchApi(branchId, apiUrl);
+  if (branch.branch_state === "deleted" || branch.branch_state === "conflicted") {
+    throw new CLIError(`Branch creation failed (state: ${branch.branch_state})`);
+  }
+  return branch;
 }
 
-// src/lib/env.ts
-import * as fs from "fs/promises";
-import * as path from "path";
-async function readEnvFile(cwd) {
-  const candidates = [".env.local", ".env.production", ".env"];
-  for (const name of candidates) {
-    const filePath = path.join(cwd, name);
-    const exists = await fs.stat(filePath).catch(() => null);
-    if (!exists) continue;
-    const content = await fs.readFile(filePath, "utf-8");
-    const vars = [];
-    for (const line of content.split("\n")) {
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith("#")) continue;
-      const eqIndex = trimmed.indexOf("=");
-      if (eqIndex === -1) continue;
-      const key = trimmed.slice(0, eqIndex).trim();
-      let value = trimmed.slice(eqIndex + 1).trim();
-      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-        value = value.slice(1, -1);
+// src/commands/branch/list.ts
+function registerBranchListCommand(branch) {
+  branch.command("list").description("List branches of the currently linked project").action(async (_opts, cmd) => {
+    const { json, apiUrl } = getRootOpts(cmd);
+    try {
+      await requireAuth(apiUrl);
+      const project = getProjectConfig();
+      if (!project) {
+        throw new CLIError("No project linked. Run `insforge link` first.");
       }
-      if (key) vars.push({ key, value });
+      const parentId = project.branched_from?.project_id ?? project.project_id;
+      const branches = await listBranchesApi(parentId, apiUrl);
+      captureEvent(parentId, "cli_branch_list", { count: branches.length });
+      if (json) {
+        outputJson({ data: branches });
+        return;
+      }
+      if (branches.length === 0) {
+        outputInfo("No branches.");
+        return;
+      }
+      const currentBranchId = project.branched_from ? project.project_id : null;
+      const rows = branches.map((b) => [
+        b.id === currentBranchId ? "*" : " ",
+        b.name,
+        b.branch_state,
+        b.branch_metadata?.mode ?? "?",
+        new Date(b.branch_created_at).toLocaleString()
+      ]);
+      outputTable(["", "Name", "State", "Mode", "Created"], rows);
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
     }
-    return vars;
-  }
-  return [];
+  });
 }
 
-// src/commands/deployments/deploy.ts
-import * as path2 from "path";
-import * as fs2 from "fs/promises";
-import { createReadStream } from "fs";
-import { createHash as createHash2 } from "crypto";
+// src/commands/branch/merge.ts
+import { writeFileSync as writeFileSync2 } from "fs";
+import * as clack5 from "@clack/prompts";
+function registerBranchMergeCommand(branch) {
+  branch.command("merge <name>").description("Merge a branch back to its parent project").option("--dry-run", "Compute the diff and print rendered SQL; do not apply").option("-y, --yes", "Skip confirmation prompt").option("--save-sql <path>", "Write rendered SQL preview to a file").action(async (name, opts, cmd) => {
+    const { json, apiUrl } = getRootOpts(cmd);
+    try {
+      await requireAuth(apiUrl);
+      const project = getProjectConfig();
+      if (!project) throw new CLIError("No project linked. Run `insforge link` first.");
+      const parentId = project.branched_from?.project_id ?? project.project_id;
+      const branches = await listBranchesApi(parentId, apiUrl);
+      const target = branches.find((b) => b.name === name);
+      if (!target) throw new CLIError(`Branch '${name}' not found.`);
+      const diff = await mergeBranchDryRunApi(target.id, apiUrl);
+      if (opts.saveSql) {
+        writeFileSync2(opts.saveSql, diff.rendered_sql);
+        if (!json) outputInfo(`SQL preview saved to ${opts.saveSql}`);
+      }
+      if (!json) {
+        console.log(diff.rendered_sql);
+        console.log();
+        outputInfo(
+          `${diff.summary.added} added, ${diff.summary.modified} modified, ${diff.summary.conflicts} conflict(s).`
+        );
+      }
+      if (diff.summary.conflicts > 0) {
+        captureEvent(parentId, "cli_branch_merge_conflict", {
+          conflicts: diff.summary.conflicts
+        });
+        if (json) {
+          outputJson({
+            diff,
+            applied: false,
+            dryRun: !!opts.dryRun,
+            error: "merge_conflict"
+          });
+        } else {
+          outputInfo("");
+          outputInfo("Merge blocked: resolve conflicts before retrying.");
+          for (const c of diff.conflicts) {
+            outputInfo(`  - ${c.schema}.${c.object} [${c.type}] \u2014 ${c.hint}`);
+          }
+        }
+        process.exit(2);
+      }
+      if (opts.dryRun) {
+        captureEvent(parentId, "cli_branch_merge", {
+          dry_run: true,
+          conflicts: 0,
+          applied: false
+        });
+        if (json) {
+          outputJson({ diff, applied: false, dryRun: true });
+        }
+        return;
+      }
+      if (!opts.yes && !json) {
+        const parentLabel = project.branched_from?.project_name ?? project.project_name;
+        const confirmed = await clack5.confirm({
+          message: `Apply this merge to parent project '${parentLabel}'?`
+        });
+        if (clack5.isCancel(confirmed) || !confirmed) {
+          outputInfo("Merge cancelled.");
+          return;
+        }
+      }
+      const result = await mergeBranchExecuteApi(target.id, apiUrl);
+      if (!result.ok) {
+        captureEvent(parentId, "cli_branch_merge_conflict", {
+          conflicts: result.conflict.diff.summary.conflicts
+        });
+        if (json) {
+          outputJson({
+            diff: result.conflict.diff,
+            applied: false,
+            dryRun: false,
+            error: "merge_conflict"
+          });
+        } else {
+          outputInfo("Merge blocked by a conflict that appeared between dry-run and apply:");
+          for (const c of result.conflict.diff.conflicts) {
+            outputInfo(`  - ${c.schema}.${c.object} [${c.type}] \u2014 ${c.hint}`);
+          }
+        }
+        process.exit(2);
+      }
+      captureEvent(parentId, "cli_branch_merge", {
+        dry_run: false,
+        conflicts: 0,
+        applied: true
+      });
+      if (json) {
+        outputJson({ ...result.result, diff, applied: true, dryRun: false });
+      } else {
+        outputSuccess(`Merged. Branch '${name}' is now in 'merged' state.`);
+        outputInfo("\u26A0 Reminder: redeploy edge functions, website, and compute as needed.");
+      }
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
+    }
+  });
+}
+
+// src/commands/branch/reset.ts
 import * as clack6 from "@clack/prompts";
-import archiver from "archiver";
-var POLL_INTERVAL_MS = 5e3;
-var POLL_TIMEOUT_MS = 3e5;
-var DIRECT_UPLOAD_CONCURRENCY = 8;
-var EXCLUDE_PATTERNS = [
-  "node_modules",
-  ".git",
-  ".next",
-  ".env",
-  ".env.local",
-  "dist",
-  "build",
-  ".DS_Store",
+var POLL_INTERVAL_MS2 = 3e3;
+var POLL_TIMEOUT_MS2 = 5 * 60 * 1e3;
+function registerBranchResetCommand(branch) {
+  branch.command("reset <name>").description("Reset a branch's database back to T0 (the parent snapshot at branch creation)").option("-y, --yes", "Skip confirmation").action(async (name, opts, cmd) => {
+    const { json, apiUrl } = getRootOpts(cmd);
+    try {
+      await requireAuth(apiUrl);
+      const project = getProjectConfig();
+      if (!project) throw new CLIError("No project linked. Run `insforge link` first.");
+      const parentId = project.branched_from?.project_id ?? project.project_id;
+      const branches = await listBranchesApi(parentId, apiUrl);
+      const target = branches.find((b) => b.name === name);
+      if (!target) throw new CLIError(`Branch '${name}' not found.`);
+      if (target.branch_state !== "ready" && target.branch_state !== "merged") {
+        throw new CLIError(
+          `Branch '${name}' is in '${target.branch_state}' state; reset requires 'ready' or 'merged'.`
+        );
+      }
+      const entryState = target.branch_state;
+      if (!opts.yes && !json) {
+        const confirmed = await clack6.confirm({
+          message: `Reset branch '${name}' back to T0? This wipes all schema/data/policy/function/migration changes made on the branch since creation.` + (entryState === "merged" ? " (Branch is currently merged \u2014 reset will reopen it for further work.)" : "")
+        });
+        if (clack6.isCancel(confirmed) || !confirmed) {
+          outputInfo("Cancelled.");
+          return;
+        }
+      }
+      const initial = await resetBranchApi(target.id, apiUrl);
+      captureEvent(parentId, "cli_branch_reset", {
+        entry_state: entryState,
+        mode: target.branch_metadata?.mode
+      });
+      if (!json) {
+        outputSuccess(`Reset enqueued for branch '${name}'. Restoring T0\u2026`);
+      }
+      const final = await pollUntilReady2(target.id, apiUrl, !json, initial.branch_state);
+      if (json) {
+        outputJson({ branch: final });
+      } else if (final.branch_state === "ready") {
+        outputSuccess(`Branch '${name}' is back to T0 and ready.`);
+        outputInfo("\u26A0 Reminder: edge functions, website, and compute aren\u2019t touched by reset; redeploy if needed.");
+      } else {
+        outputInfo(
+          `Branch '${name}' is still in '${final.branch_state}' state. Run \`insforge branch list\` to check.`
+        );
+      }
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
+    }
+  });
+}
+async function pollUntilReady2(branchId, apiUrl, showProgress, startingState) {
+  const start = Date.now();
+  let lastState = startingState;
+  if (showProgress) outputInfo(`  state: ${startingState}\u2026`);
+  while (Date.now() - start < POLL_TIMEOUT_MS2) {
+    const branch2 = await getBranchApi(branchId, apiUrl);
+    if (branch2.branch_state === "ready") return branch2;
+    if (branch2.branch_state === "merged") return branch2;
+    if (branch2.branch_state === "deleted" || branch2.branch_state === "conflicted") {
+      throw new CLIError(`Branch reset failed (state: ${branch2.branch_state})`);
+    }
+    if (showProgress && branch2.branch_state !== lastState) {
+      outputInfo(`  state: ${branch2.branch_state}\u2026`);
+      lastState = branch2.branch_state;
+    }
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS2));
+  }
+  const branch = await getBranchApi(branchId, apiUrl);
+  if (branch.branch_state === "deleted" || branch.branch_state === "conflicted") {
+    throw new CLIError(`Branch reset failed (state: ${branch.branch_state})`);
+  }
+  return branch;
+}
+
+// src/commands/branch/delete.ts
+import * as clack7 from "@clack/prompts";
+function registerBranchDeleteCommand(branch) {
+  branch.command("delete <name>").description("Delete a branch").option("-y, --yes", "Skip confirmation").action(async (name, opts, cmd) => {
+    const { json, apiUrl } = getRootOpts(cmd);
+    try {
+      await requireAuth(apiUrl);
+      const project = getProjectConfig();
+      if (!project) throw new CLIError("No project linked. Run `insforge link` first.");
+      const parentId = project.branched_from?.project_id ?? project.project_id;
+      const branches = await listBranchesApi(parentId, apiUrl);
+      const target = branches.find((b) => b.name === name);
+      if (!target) throw new CLIError(`Branch '${name}' not found.`);
+      if (!opts.yes && !json) {
+        const confirmed = await clack7.confirm({
+          message: `Delete branch '${name}'? This terminates its EC2 instance.`
+        });
+        if (clack7.isCancel(confirmed) || !confirmed) {
+          outputInfo("Cancelled.");
+          return;
+        }
+      }
+      await deleteBranchApi(target.id, apiUrl);
+      captureEvent(parentId, "cli_branch_delete", {});
+      const currentlyOnDeleted = project.project_id === target.id;
+      if (currentlyOnDeleted) {
+        try {
+          await runBranchSwitch({ toParent: true, apiUrl, json, silent: json });
+        } catch (err) {
+          outputInfo(
+            `Switched-to-parent failed (${err.message}). Run \`insforge branch switch --parent\` manually.`
+          );
+        }
+      }
+      if (json) {
+        outputJson({ deleted: true, branch_id: target.id, switched_back: currentlyOnDeleted });
+      } else {
+        outputSuccess(`Branch '${name}' deletion enqueued.`);
+        if (currentlyOnDeleted) outputInfo("Switched back to parent.");
+      }
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
+    }
+  });
+}
+
+// src/commands/branch/index.ts
+function registerBranchCommands(program2) {
+  const branch = program2.command("branch").description("Manage backend branches");
+  registerBranchCreateCommand(branch);
+  registerBranchListCommand(branch);
+  registerBranchSwitchCommand(branch);
+  registerBranchMergeCommand(branch);
+  registerBranchResetCommand(branch);
+  registerBranchDeleteCommand(branch);
+}
+
+// src/commands/projects/link.ts
+import { exec as exec3 } from "child_process";
+import { promisify as promisify4 } from "util";
+import * as fs5 from "fs/promises";
+import * as path5 from "path";
+import * as clack12 from "@clack/prompts";
+import pc2 from "picocolors";
+
+// src/lib/skills.ts
+import { exec } from "child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync2, appendFileSync } from "fs";
+import { join as join2 } from "path";
+import { promisify } from "util";
+import * as clack8 from "@clack/prompts";
+var execAsync = promisify(exec);
+var SKILL_INSTALL_TIMEOUT_MS = 6e4;
+function describeExecError(err) {
+  const e = err;
+  if (e.killed && (e.signal === "SIGTERM" || e.signal === "SIGKILL")) {
+    return `timed out after ${SKILL_INSTALL_TIMEOUT_MS / 1e3}s \u2014 the npm registry may be slow or blocked by your network`;
+  }
+  if (e.code === "ENOENT") {
+    return "`npx` is not on your PATH \u2014 install Node.js 18+ and reopen your shell";
+  }
+  const stderr = (typeof e.stderr === "string" ? e.stderr : e.stderr?.toString()) ?? "";
+  if (/ENOTFOUND|EAI_AGAIN|getaddrinfo/i.test(stderr)) return "cannot reach the npm registry (DNS lookup failed) \u2014 check your internet connection";
+  if (/ECONNREFUSED/i.test(stderr)) return "connection to the npm registry was refused \u2014 a proxy or firewall is likely blocking it";
+  if (/ETIMEDOUT|ESOCKETTIMEDOUT|network timeout/i.test(stderr)) return "the npm registry timed out \u2014 check your VPN, proxy, or corporate network";
+  if (/CERT_HAS_EXPIRED|UNABLE_TO_VERIFY_LEAF_SIGNATURE|SELF_SIGNED_CERT/i.test(stderr)) return "TLS error reaching the npm registry \u2014 a corporate proxy may be intercepting HTTPS";
+  if (/\bE404\b|404 Not Found/i.test(stderr)) return "npm returned 404 \u2014 the `skills` package or a dependency could not be found (check your npm registry config)";
+  if (/EACCES|permission denied/i.test(stderr)) return "permission denied writing files \u2014 run from a directory you own, without sudo";
+  if (/ENOSPC|no space left/i.test(stderr)) return "no disk space left to install the package";
+  if (/\b401\b|EAUTH|authentication/i.test(stderr)) return "npm authentication failed \u2014 check ~/.npmrc";
+  if (typeof e.code === "number") return `npx exited with code ${e.code}`;
+  if (typeof e.code === "string") return e.code;
+  return e.message ?? "unknown error";
+}
+var GITIGNORE_ENTRIES = [
   ".insforge",
-  // IDE and AI agent configs
-  ".claude",
+  ".agent",
   ".agents",
   ".augment",
+  ".claude",
+  ".cline",
+  ".github/copilot*",
   ".kilocode",
-  ".kiro",
   ".qoder",
   ".qwen",
   ".roo",
   ".trae",
-  ".windsurf",
-  ".vercel",
-  ".turbo",
-  ".cache",
-  "skills",
-  "coverage"
+  ".windsurf"
 ];
-var DirectDeploymentUnsupportedError = class extends Error {
-  constructor() {
-    super("Direct deployment endpoints are not available on this backend");
-    this.name = "DirectDeploymentUnsupportedError";
+function updateGitignore() {
+  const gitignorePath = join2(process.cwd(), ".gitignore");
+  const existing = existsSync3(gitignorePath) ? readFileSync2(gitignorePath, "utf-8") : "";
+  const lines = new Set(existing.split("\n").map((l) => l.trim()));
+  const missing = GITIGNORE_ENTRIES.filter((entry) => !lines.has(entry));
+  if (!missing.length) return;
+  const block = `
+# InsForge & AI agent skills
+${missing.join("\n")}
+`;
+  appendFileSync(gitignorePath, block);
+}
+async function installSkills(json) {
+  try {
+    if (!json) clack8.log.info("Installing InsForge agent skills (global)...");
+    await execAsync("npx skills add insforge/agent-skills -g -y -a antigravity -a augment -a claude-code -a cline -a codex -a cursor -a gemini-cli -a github-copilot -a kilo -a qoder -a qwen-code -a roo -a trae -a windsurf", {
+      cwd: process.cwd(),
+      timeout: SKILL_INSTALL_TIMEOUT_MS
+    });
+    if (!json) clack8.log.success("InsForge agent skills installed.");
+  } catch (err) {
+    if (!json) {
+      clack8.log.warn(`Could not install agent skills: ${describeExecError(err)}`);
+      clack8.log.info("Run `npx skills add insforge/agent-skills` once resolved to see the full output.");
+    }
   }
-};
-function shouldExclude(name) {
-  const normalized = name.replace(/\\/g, "/");
-  for (const pattern of EXCLUDE_PATTERNS) {
-    if (normalized === pattern || normalized.startsWith(pattern + "/") || normalized.endsWith("/" + pattern) || normalized.includes("/" + pattern + "/")) {
-      return true;
+  try {
+    if (!json) clack8.log.info("Installing find-skills (global)...");
+    await execAsync("npx skills add https://github.com/vercel-labs/skills --skill find-skills -g -y", {
+      cwd: process.cwd(),
+      timeout: SKILL_INSTALL_TIMEOUT_MS
+    });
+    if (!json) clack8.log.success("find-skills installed.");
+  } catch (err) {
+    if (!json) {
+      clack8.log.warn(`Could not install find-skills: ${describeExecError(err)}`);
+      clack8.log.info("Run `npx skills add https://github.com/vercel-labs/skills --skill find-skills` once resolved.");
     }
   }
-  if (normalized.endsWith(".log")) return true;
-  return false;
-}
-function isInsforgeCloudOssHost(ossHost) {
   try {
-    return new URL(ossHost).hostname.endsWith(".insforge.app");
+    updateGitignore();
   } catch {
-    return false;
-  }
-}
-function normalizeRelativePath(sourceDir, absolutePath) {
-  return path2.relative(sourceDir, absolutePath).split(path2.sep).join("/").replace(/\\/g, "/");
-}
-async function hashFile(filePath) {
-  const hash = createHash2("sha1");
-  let size = 0;
-  for await (const chunk of createReadStream(filePath)) {
-    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
-    size += buffer.length;
-    hash.update(buffer);
   }
-  return { sha: hash.digest("hex"), size };
+}
+async function reportCliUsage(toolName, success, maxRetries = 1, explicitConfig) {
+  let config = explicitConfig;
+  if (!config) {
+    try {
+      config = getProjectConfig();
+    } catch {
+      return;
+    }
+  }
+  if (!config) return;
+  const payload = JSON.stringify({
+    tool_name: toolName,
+    success,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), 3e3);
+      try {
+        const res = await fetch(`${config.oss_host}/api/usage/mcp`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "x-api-key": config.api_key
+          },
+          body: payload,
+          signal: controller.signal
+        });
+        if (res.status < 500) return;
+      } finally {
+        clearTimeout(timer);
+      }
+    } catch {
+    }
+    if (attempt < maxRetries - 1) {
+      await new Promise((r) => setTimeout(r, 5e3));
+    }
+  }
+}
+
+// src/auth-providers/apply.ts
+import { promises as fs } from "fs";
+import * as path from "path";
+import { tmpdir } from "os";
+import { execFile } from "child_process";
+import { promisify as promisify2 } from "util";
+import { randomBytes as randomBytes2 } from "crypto";
+import * as clack9 from "@clack/prompts";
+
+// src/lib/api/oss.ts
+function requireProjectConfig() {
+  const config = getProjectConfig();
+  if (!config) {
+    throw new ProjectNotLinkedError();
+  }
+  return config;
+}
+async function runRawSql(sql, unrestricted = false) {
+  const endpoint = unrestricted ? "/api/database/advance/rawsql/unrestricted" : "/api/database/advance/rawsql";
+  const res = await ossFetch(endpoint, {
+    method: "POST",
+    body: JSON.stringify({ query: sql })
+  });
+  const raw = await res.json();
+  const rows = raw.rows ?? raw.data ?? [];
+  return { rows, raw };
+}
+async function getAnonKey() {
+  const res = await ossFetch("/api/auth/tokens/anon", { method: "POST" });
+  const data = await res.json();
+  return data.accessToken;
+}
+async function getJwtSecret() {
+  try {
+    const res = await ossFetch("/api/secrets/JWT_SECRET");
+    const data = await res.json();
+    return typeof data.value === "string" && data.value.length > 0 ? data.value : null;
+  } catch {
+    return null;
+  }
+}
+async function ossFetch(path6, options = {}) {
+  const config = requireProjectConfig();
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${config.api_key}`,
+    ...options.headers ?? {}
+  };
+  const res = await fetch(`${config.oss_host}${path6}`, { ...options, headers });
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    let message = err.message ?? err.error ?? `OSS request failed: ${res.status}`;
+    if (err.nextActions) {
+      message += `
+${err.nextActions}`;
+    }
+    const isRouteLevel404 = !err.error || err.error === "NOT_FOUND";
+    if (res.status === 404 && isRouteLevel404 && path6.startsWith("/api/compute")) {
+      message = "Compute services are not available on this backend.\nSelf-hosted: upgrade your InsForge instance. Cloud: contact your InsForge admin to enable compute.";
+    }
+    if (res.status === 404 && isRouteLevel404 && path6.startsWith("/api/payments")) {
+      message = "Payments are not available on this backend.\nSelf-hosted: upgrade your InsForge instance. Cloud/private preview: contact your InsForge admin to enable payments.";
+    }
+    if (res.status === 404 && isRouteLevel404 && path6 === "/api/database/migrations") {
+      message = "Database migrations are not available on this backend.\nSelf-hosted: upgrade your InsForge instance. Cloud: contact your InsForge admin about database migration support.";
+    }
+    throw new CLIError(message);
+  }
+  return res;
+}
+
+// src/auth-providers/apply.ts
+var execFileAsync = promisify2(execFile);
+var VALID_AUTH_PROVIDERS = ["better-auth"];
+function pathExists(p) {
+  return fs.stat(p).then(() => true, () => false);
+}
+function deepMergeKeepBase(base, patch) {
+  const out = { ...base };
+  for (const [k, v] of Object.entries(patch)) {
+    if (v && typeof v === "object" && !Array.isArray(v) && out[k] && typeof out[k] === "object" && !Array.isArray(out[k])) {
+      out[k] = deepMergeKeepBase(out[k], v);
+    } else if (out[k] === void 0) {
+      out[k] = v;
+    }
+  }
+  return out;
+}
+function extractEnvKeys(content) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const line of content.split("\n")) {
+    const trimmed = line.replace(/^\s*export\s+/, "").trimStart();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const m = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=/);
+    if (m) keys.add(m[1]);
+  }
+  return keys;
+}
+function filterCollidingEnvLines(append, existingKeys) {
+  const dropped = [];
+  const out = [];
+  for (const line of append.split("\n")) {
+    const m = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=/);
+    if (m && existingKeys.has(m[1])) {
+      dropped.push(m[1]);
+      continue;
+    }
+    out.push(line);
+  }
+  return { filtered: out.join("\n"), dropped };
+}
+async function walkFiles(dir, base = dir) {
+  const out = [];
+  for (const entry of await fs.readdir(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) out.push(...await walkFiles(full, base));
+    else out.push(path.relative(base, full));
+  }
+  return out;
+}
+var PROVIDER_META_FILES = /* @__PURE__ */ new Set(["manifest.json", "README.md"]);
+var SAFE_REPO_PATTERN = /^(https?:\/\/|git@)[A-Za-z0-9._:/@~+-]+(\.git)?$/;
+var SAFE_BRANCH_PATTERN = /^[A-Za-z0-9._/-]+$/;
+async function fetchProviderTree(provider) {
+  const tempDir = path.join(tmpdir(), `insforge-auth-${provider}-${Date.now()}`);
+  await fs.mkdir(tempDir, { recursive: true });
+  const cleanup = () => fs.rm(tempDir, { recursive: true, force: true }).catch(() => void 0);
+  try {
+    const repo = process.env.INSFORGE_TEMPLATES_REPO ?? "https://github.com/InsForge/insforge-templates.git";
+    if (!SAFE_REPO_PATTERN.test(repo)) {
+      throw new Error(`INSFORGE_TEMPLATES_REPO has unsupported characters: ${repo}`);
+    }
+    const branch = process.env.INSFORGE_TEMPLATES_BRANCH;
+    if (branch !== void 0 && !SAFE_BRANCH_PATTERN.test(branch)) {
+      throw new Error(`INSFORGE_TEMPLATES_BRANCH has unsupported characters: ${branch}`);
+    }
+    const args = ["clone", "--depth", "1"];
+    if (branch) args.push("-b", branch);
+    args.push("--", repo, ".");
+    await execFileAsync("git", args, {
+      cwd: tempDir,
+      maxBuffer: 10 * 1024 * 1024,
+      timeout: 6e4
+    });
+    const providerDir = path.join(tempDir, "auth-providers", provider);
+    if (!await pathExists(providerDir)) {
+      await cleanup();
+      throw new Error(
+        `Auth provider "${provider}" not found in templates repo. Looked for auth-providers/${provider}/ in ${repo}${branch ? ` (branch: ${branch})` : ""}.`
+      );
+    }
+    return { dir: providerDir, cleanup };
+  } catch (err) {
+    await cleanup();
+    throw err;
+  }
+}
+async function loadManifest(providerDir) {
+  const manifestPath = path.join(providerDir, "manifest.json");
+  if (!await pathExists(manifestPath)) {
+    throw new Error(`Missing manifest.json in ${providerDir}`);
+  }
+  const parsed = JSON.parse(await fs.readFile(manifestPath, "utf-8"));
+  const missing = [];
+  if (typeof parsed.name !== "string") missing.push("name");
+  if (!Array.isArray(parsed.files)) missing.push("files (array)");
+  if (!parsed.packageJsonPatch || typeof parsed.packageJsonPatch !== "object") missing.push("packageJsonPatch (object)");
+  if (typeof parsed.envExampleAppend !== "string") missing.push("envExampleAppend (string)");
+  if (typeof parsed.nextSteps !== "string") missing.push("nextSteps (string)");
+  if (missing.length > 0) {
+    throw new Error(`Malformed manifest.json in ${providerDir} \u2014 missing or wrong-typed fields: ${missing.join(", ")}`);
+  }
+  return parsed;
+}
+async function applyAuthProvider(provider, cwd, projectConfig, json) {
+  if (!VALID_AUTH_PROVIDERS.includes(provider)) {
+    throw new Error(`Unknown auth provider: ${provider}`);
+  }
+  const fetchSpinner = !json ? clack9.spinner() : null;
+  fetchSpinner?.start(`Fetching ${provider} scaffold from templates repo...`);
+  const { dir: providerDir, cleanup } = await fetchProviderTree(provider);
+  fetchSpinner?.stop(`${provider} scaffold ready`);
+  try {
+    const manifest = await loadManifest(providerDir);
+    const result = {
+      written: [],
+      skipped: [],
+      overwritten: [],
+      packageJsonPatched: false,
+      envExampleAppended: false,
+      envLocalWritten: false,
+      envKeysSkipped: [],
+      nextSteps: manifest.nextSteps
+    };
+    const allFiles = (await walkFiles(providerDir)).filter((rel) => !PROVIDER_META_FILES.has(rel));
+    for (const rel of allFiles) {
+      const src = path.join(providerDir, rel);
+      const dest = path.join(cwd, rel);
+      const existed = await pathExists(dest);
+      await fs.mkdir(path.dirname(dest), { recursive: true });
+      await fs.copyFile(src, dest);
+      if (existed) result.overwritten.push(rel);
+      else result.written.push(rel);
+    }
+    const pkgPath = path.join(cwd, "package.json");
+    if (await pathExists(pkgPath)) {
+      const existing = JSON.parse(await fs.readFile(pkgPath, "utf-8"));
+      const merged = deepMergeKeepBase(existing, manifest.packageJsonPatch);
+      await fs.writeFile(pkgPath, JSON.stringify(merged, null, 2) + "\n");
+      result.packageJsonPatched = true;
+    } else {
+      const fresh = {
+        name: path.basename(cwd),
+        version: "0.0.1",
+        private: true,
+        ...manifest.packageJsonPatch
+      };
+      await fs.writeFile(pkgPath, JSON.stringify(fresh, null, 2) + "\n");
+      result.packageJsonPatched = true;
+    }
+    const envExamplePath = path.join(cwd, ".env.example");
+    if (await pathExists(envExamplePath)) {
+      const existing = await fs.readFile(envExamplePath, "utf-8");
+      if (!existing.includes("# \u2500\u2500\u2500 Better Auth + InsForge bridge")) {
+        const existingKeys = extractEnvKeys(existing);
+        const { filtered, dropped } = filterCollidingEnvLines(manifest.envExampleAppend, existingKeys);
+        result.envKeysSkipped = dropped;
+        await fs.writeFile(envExamplePath, existing.replace(/\n*$/, "\n\n") + filtered + "\n");
+        result.envExampleAppended = true;
+      }
+    } else {
+      await fs.writeFile(envExamplePath, manifest.envExampleAppend + "\n");
+      result.envExampleAppended = true;
+    }
+    const envLocalPath = path.join(cwd, ".env.local");
+    const envLocalExists = await pathExists(envLocalPath);
+    const existingLocal = envLocalExists ? await fs.readFile(envLocalPath, "utf-8") : "";
+    const existingLocalKeys = envLocalExists ? extractEnvKeys(existingLocal) : /* @__PURE__ */ new Set();
+    const anonKey = await getAnonKey();
+    const jwtSecret = await getJwtSecret();
+    const filled = manifest.envExampleAppend.replace(
+      /^([A-Z][A-Z0-9_]*=)(.*)$/gm,
+      (_, prefix, value) => {
+        const key = prefix.slice(0, -1);
+        if (/INSFORGE.*(URL|BASE_URL)$/.test(key)) return `${prefix}${projectConfig.oss_host}`;
+        if (/INSFORGE.*ANON_KEY$/.test(key)) return `${prefix}${anonKey}`;
+        if (key === "NEXT_PUBLIC_APP_URL") return `${prefix}https://${projectConfig.appkey}.insforge.site`;
+        if (/JWT_SECRET$/.test(key)) return `${prefix}${jwtSecret ?? value}`;
+        if (key === "BETTER_AUTH_SECRET") return `${prefix}${randomBytes2(32).toString("hex")}`;
+        return `${prefix}${value}`;
+      }
+    );
+    if (!envLocalExists) {
+      await fs.writeFile(envLocalPath, filled + "\n");
+      result.envLocalWritten = true;
+    } else {
+      const { filtered, dropped } = filterCollidingEnvLines(filled, existingLocalKeys);
+      const hasNewKey = filtered.split("\n").some((l) => /^[A-Z][A-Z0-9_]*=/.test(l));
+      if (hasNewKey) {
+        await fs.writeFile(envLocalPath, existingLocal.replace(/\n*$/, "\n\n") + filtered + "\n");
+        result.envLocalWritten = true;
+      }
+      result.envKeysSkipped = Array.from(/* @__PURE__ */ new Set([...result.envKeysSkipped, ...dropped]));
+    }
+    if (!jwtSecret && !json) {
+      clack9.log.warn("Could not auto-fill JWT_SECRET \u2014 run `npx @insforge/cli secrets get JWT_SECRET` and paste it into .env.local.");
+    }
+    if (result.envKeysSkipped.length > 0 && !json) {
+      clack9.log.warn(
+        `Kept your existing values for: ${result.envKeysSkipped.join(", ")}. If any of these need the auth-provider's defaults, see .env.example for reference.`
+      );
+    }
+    return result;
+  } finally {
+    await cleanup();
+  }
+}
+
+// src/commands/create.ts
+import { exec as exec2, execFile as execFile2 } from "child_process";
+import { tmpdir as tmpdir2 } from "os";
+import { promisify as promisify3 } from "util";
+import * as fs4 from "fs/promises";
+import * as path4 from "path";
+import * as clack11 from "@clack/prompts";
+
+// src/lib/env.ts
+import * as fs2 from "fs/promises";
+import * as path2 from "path";
+async function readEnvFile(cwd) {
+  const candidates = [".env.local", ".env.production", ".env"];
+  for (const name of candidates) {
+    const filePath = path2.join(cwd, name);
+    const exists = await fs2.stat(filePath).catch(() => null);
+    if (!exists) continue;
+    const content = await fs2.readFile(filePath, "utf-8");
+    const vars = [];
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eqIndex = trimmed.indexOf("=");
+      if (eqIndex === -1) continue;
+      const key = trimmed.slice(0, eqIndex).trim();
+      let value = trimmed.slice(eqIndex + 1).trim();
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      }
+      if (key) vars.push({ key, value });
+    }
+    return vars;
+  }
+  return [];
+}
+
+// src/commands/deployments/deploy.ts
+import * as path3 from "path";
+import * as fs3 from "fs/promises";
+import { createReadStream } from "fs";
+import { createHash as createHash2 } from "crypto";
+import * as clack10 from "@clack/prompts";
+import archiver from "archiver";
+var POLL_INTERVAL_MS3 = 5e3;
+var POLL_TIMEOUT_MS3 = 3e5;
+var DIRECT_UPLOAD_CONCURRENCY = 8;
+var EXCLUDE_PATTERNS = [
+  "node_modules",
+  ".git",
+  ".next",
+  ".env",
+  ".env.local",
+  "dist",
+  "build",
+  ".DS_Store",
+  ".insforge",
+  // IDE and AI agent configs
+  ".claude",
+  ".agents",
+  ".augment",
+  ".kilocode",
+  ".kiro",
+  ".qoder",
+  ".qwen",
+  ".roo",
+  ".trae",
+  ".windsurf",
+  ".vercel",
+  ".turbo",
+  ".cache",
+  "skills",
+  "coverage"
+];
+var DirectDeploymentUnsupportedError = class extends Error {
+  constructor() {
+    super("Direct deployment endpoints are not available on this backend");
+    this.name = "DirectDeploymentUnsupportedError";
+  }
+};
+function shouldExclude(name) {
+  const normalized = name.replace(/\\/g, "/");
+  for (const pattern of EXCLUDE_PATTERNS) {
+    if (normalized === pattern || normalized.startsWith(pattern + "/") || normalized.endsWith("/" + pattern) || normalized.includes("/" + pattern + "/")) {
+      return true;
+    }
+  }
+  if (normalized.endsWith(".log")) return true;
+  return false;
+}
+function isInsforgeCloudOssHost(ossHost) {
+  try {
+    return new URL(ossHost).hostname.endsWith(".insforge.app");
+  } catch {
+    return false;
+  }
+}
+function normalizeRelativePath(sourceDir, absolutePath) {
+  return path3.relative(sourceDir, absolutePath).split(path3.sep).join("/").replace(/\\/g, "/");
+}
+async function hashFile(filePath) {
+  const hash = createHash2("sha1");
+  let size = 0;
+  for await (const chunk of createReadStream(filePath)) {
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    size += buffer.length;
+    hash.update(buffer);
+  }
+  return { sha: hash.digest("hex"), size };
 }
 async function collectDeploymentFiles(sourceDir) {
   const files = [];
   async function walk(currentDir) {
-    const entries = await fs2.readdir(currentDir, { withFileTypes: true });
+    const entries = await fs3.readdir(currentDir, { withFileTypes: true });
     entries.sort((a, b) => a.name.localeCompare(b.name));
     for (const entry of entries) {
-      const absolutePath = path2.join(currentDir, entry.name);
+      const absolutePath = path3.join(currentDir, entry.name);
       const normalizedPath = normalizeRelativePath(sourceDir, absolutePath);
       if (!normalizedPath || shouldExclude(normalizedPath)) {
         continue;
@@ -1547,12 +2293,12 @@ async function startDirectDeployment(deploymentId, startBody) {
   });
   await response.json();
 }
-async function pollDeployment(deploymentId, spinner7, syncBeforeRead) {
-  spinner7?.message("Building and deploying...");
+async function pollDeployment(deploymentId, spinner8, syncBeforeRead) {
+  spinner8?.message("Building and deploying...");
   const startTime = Date.now();
   let deployment = null;
-  while (Date.now() - startTime < POLL_TIMEOUT_MS) {
-    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL_MS));
+  while (Date.now() - startTime < POLL_TIMEOUT_MS3) {
+    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL_MS3));
     try {
       if (syncBeforeRead) {
         await ossFetch(`/api/deployments/${deploymentId}/sync`, { method: "POST" });
@@ -1564,13 +2310,13 @@ async function pollDeployment(deploymentId, spinner7, syncBeforeRead) {
         break;
       }
       if (status === "ERROR" || status === "CANCELED") {
-        spinner7?.stop("Deployment failed");
+        spinner8?.stop("Deployment failed");
         throw new CLIError(
           getDeploymentError(deployment.metadata) ?? `Deployment failed with status: ${deployment.status}`
         );
       }
       const elapsed = Math.round((Date.now() - startTime) / 1e3);
-      spinner7?.message(`Building and deploying... (${elapsed}s, status: ${deployment.status})`);
+      spinner8?.message(`Building and deploying... (${elapsed}s, status: ${deployment.status})`);
     } catch (err) {
       if (err instanceof CLIError) throw err;
     }
@@ -1580,20 +2326,20 @@ async function pollDeployment(deploymentId, spinner7, syncBeforeRead) {
   return { deploymentId, deployment, isReady, liveUrl };
 }
 async function deployProjectDirect(opts, config) {
-  const { sourceDir, startBody = {}, spinner: spinner7 } = opts;
-  spinner7?.start("Scanning source files...");
+  const { sourceDir, startBody = {}, spinner: spinner8 } = opts;
+  spinner8?.start("Scanning source files...");
   const localFiles = await collectDeploymentFiles(sourceDir);
   if (localFiles.length === 0) {
     throw new CLIError("No deployable files found in the source directory.");
   }
-  spinner7?.message("Creating deployment...");
+  spinner8?.message("Creating deployment...");
   const createResult = await createDirectDeploymentSession(
     config,
     localFiles.map(({ path: relativePath, sha, size }) => ({ path: relativePath, sha, size }))
   );
   const localFileByPath = new Map(localFiles.map((file) => [file.path, file]));
   const pendingFiles = createResult.files.filter((file) => !file.uploadedAt);
-  spinner7?.message(`Uploading ${pendingFiles.length} file${pendingFiles.length === 1 ? "" : "s"}...`);
+  spinner8?.message(`Uploading ${pendingFiles.length} file${pendingFiles.length === 1 ? "" : "s"}...`);
   await runWithConcurrency(pendingFiles, DIRECT_UPLOAD_CONCURRENCY, async (manifestFile) => {
     const localFile = localFileByPath.get(manifestFile.path);
     if (!localFile) {
@@ -1604,18 +2350,18 @@ async function deployProjectDirect(opts, config) {
     }
     await uploadDirectDeploymentFile(createResult.id, manifestFile, localFile);
   });
-  spinner7?.message("Starting deployment...");
+  spinner8?.message("Starting deployment...");
   await startDirectDeployment(createResult.id, startBody);
-  return await pollDeployment(createResult.id, spinner7, !isInsforgeCloudOssHost(config.oss_host));
+  return await pollDeployment(createResult.id, spinner8, !isInsforgeCloudOssHost(config.oss_host));
 }
 async function deployProjectLegacy(opts) {
-  const { sourceDir, startBody = {}, spinner: spinner7 } = opts;
-  spinner7?.message("Creating deployment...");
+  const { sourceDir, startBody = {}, spinner: spinner8 } = opts;
+  spinner8?.message("Creating deployment...");
   const createRes = await ossFetch("/api/deployments", { method: "POST" });
   const { id: deploymentId, uploadUrl, uploadFields } = await createRes.json();
-  spinner7?.message("Compressing source files...");
+  spinner8?.message("Compressing source files...");
   const zipBuffer = await createZipBuffer(sourceDir);
-  spinner7?.message("Uploading...");
+  spinner8?.message("Uploading...");
   const formData = new FormData();
   for (const [key, value] of Object.entries(uploadFields)) {
     formData.append(key, value);
@@ -1626,13 +2372,13 @@ async function deployProjectLegacy(opts) {
     const uploadErr = await uploadRes.text();
     throw new CLIError(`Failed to upload: ${uploadErr}`);
   }
-  spinner7?.message("Starting deployment...");
+  spinner8?.message("Starting deployment...");
   const startRes = await ossFetch(`/api/deployments/${deploymentId}/start`, {
     method: "POST",
     body: JSON.stringify(startBody)
   });
   await startRes.json();
-  return await pollDeployment(deploymentId, spinner7, false);
+  return await pollDeployment(deploymentId, spinner8, false);
 }
 async function deployProject(opts) {
   const config = getProjectConfig();
@@ -1656,18 +2402,18 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
       await requireAuth();
       const config = getProjectConfig();
       if (!config) throw new ProjectNotLinkedError();
-      const sourceDir = path2.resolve(directory ?? ".");
-      const stats = await fs2.stat(sourceDir).catch(() => null);
+      const sourceDir = path3.resolve(directory ?? ".");
+      const stats = await fs3.stat(sourceDir).catch(() => null);
       if (!stats?.isDirectory()) {
         throw new CLIError(`"${sourceDir}" is not a valid directory.`);
       }
-      const dirName = path2.basename(sourceDir);
+      const dirName = path3.basename(sourceDir);
       if (EXCLUDE_PATTERNS.includes(dirName)) {
         throw new CLIError(
           `"${dirName}" is an excluded directory and cannot be used as a deploy source. Please specify your project root or output directory instead.`
         );
       }
-      const spinner7 = !json ? clack6.spinner() : null;
+      const spinner8 = !json ? clack10.spinner() : null;
       const startBody = {};
       if (opts.env) {
         try {
@@ -1693,19 +2439,19 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
           throw new CLIError("Invalid --meta JSON.");
         }
       }
-      const result = await deployProject({ sourceDir, startBody, spinner: spinner7 });
+      const result = await deployProject({ sourceDir, startBody, spinner: spinner8 });
       if (result.isReady) {
-        spinner7?.stop("Deployment complete");
+        spinner8?.stop("Deployment complete");
         if (json) {
           outputJson(result.deployment);
         } else {
           if (result.liveUrl) {
-            clack6.log.success(`Live at: ${result.liveUrl}`);
+            clack10.log.success(`Live at: ${result.liveUrl}`);
           }
-          clack6.log.info(`Deployment ID: ${result.deploymentId}`);
+          clack10.log.info(`Deployment ID: ${result.deploymentId}`);
         }
       } else {
-        spinner7?.stop("Deployment is still building");
+        spinner8?.stop("Deployment is still building");
         if (json) {
           outputJson({
             id: result.deploymentId,
@@ -1713,9 +2459,9 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
             timedOut: true
           });
         } else {
-          clack6.log.info(`Deployment ID: ${result.deploymentId}`);
-          clack6.log.warn("Deployment did not finish within 5 minutes.");
-          clack6.log.info(`Check status with: npx @insforge/cli deployments status ${result.deploymentId}`);
+          clack10.log.info(`Deployment ID: ${result.deploymentId}`);
+          clack10.log.warn("Deployment did not finish within 5 minutes.");
+          clack10.log.info(`Check status with: npx @insforge/cli deployments status ${result.deploymentId}`);
         }
       }
       await reportCliUsage("cli.deployments.deploy", true);
@@ -1727,7 +2473,10 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
 }
 
 // src/commands/create.ts
-var execAsync2 = promisify2(exec2);
+var execAsync2 = promisify3(exec2);
+var execFileAsync2 = promisify3(execFile2);
+var SAFE_REPO_PATTERN2 = /^(https?:\/\/|git@)[A-Za-z0-9._:/@~+-]+(\.git)?$/;
+var SAFE_BRANCH_PATTERN2 = /^[A-Za-z0-9._/-]+$/;
 function buildOssHost(appkey, region) {
   return `https://${appkey}.${region}.insforge.app`;
 }
@@ -1821,31 +2570,31 @@ async function animateBanner() {
   process.stderr.write("\n");
 }
 function getDefaultProjectName() {
-  const dirName = path3.basename(process.cwd());
+  const dirName = path4.basename(process.cwd());
   const sanitized = dirName.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
   return sanitized.length >= 2 ? sanitized : "";
 }
 async function copyDir(src, dest) {
-  const entries = await fs3.readdir(src, { withFileTypes: true });
+  const entries = await fs4.readdir(src, { withFileTypes: true });
   for (const entry of entries) {
-    const srcPath = path3.join(src, entry.name);
-    const destPath = path3.join(dest, entry.name);
+    const srcPath = path4.join(src, entry.name);
+    const destPath = path4.join(dest, entry.name);
     if (entry.isDirectory()) {
-      await fs3.mkdir(destPath, { recursive: true });
+      await fs4.mkdir(destPath, { recursive: true });
       await copyDir(srcPath, destPath);
     } else {
-      await fs3.copyFile(srcPath, destPath);
+      await fs4.copyFile(srcPath, destPath);
     }
   }
 }
 function registerCreateCommand(program2) {
-  program2.command("create").description("Create a new InsForge project").option("--name <name>", "Project name").option("--org-id <id>", "Organization ID").option("--region <region>", "Deployment region (us-east, us-west, eu-central, ap-southeast)").option("--template <template>", "Template to use: react, nextjs, chatbot, crm, e-commerce, todo, or empty").action(async (opts, cmd) => {
+  program2.command("create").description("Create a new InsForge project").option("--name <name>", "Project name").option("--org-id <id>", "Organization ID").option("--region <region>", "Deployment region (us-east, us-west, eu-central, ap-southeast)").option("--template <template>", "Template to use: react, nextjs, chatbot, crm, e-commerce, todo, or empty").option("--auth <provider>", "Wire a third-party auth provider into the chosen template (currently: better-auth)").action(async (opts, cmd) => {
     const { json, apiUrl } = getRootOpts(cmd);
     try {
       await requireAuth(apiUrl, false);
       if (!json) {
         await animateBanner();
-        clack7.intro("Let's build something great");
+        clack11.intro("Let's build something great");
       }
       let orgId = opts.orgId;
       if (!orgId) {
@@ -1855,7 +2604,7 @@ function registerCreateCommand(program2) {
         }
         if (orgs.length === 1) {
           orgId = orgs[0].id;
-          if (!json) clack7.log.info(`Using organization: ${orgs[0].name}`);
+          if (!json) clack11.log.info(`Using organization: ${orgs[0].name}`);
         } else {
           if (json) {
             throw new CLIError("Multiple organizations found. Specify --org-id.");
@@ -1886,12 +2635,15 @@ function registerCreateCommand(program2) {
         if (isCancel2(name)) process.exit(0);
         projectName = name;
       }
-      projectName = path3.basename(projectName).replace(/[^a-zA-Z0-9._-]/g, "-").replace(/\.+/g, ".");
+      projectName = path4.basename(projectName).replace(/[^a-zA-Z0-9._-]/g, "-").replace(/\.+/g, ".");
       if (projectName.length < 2 || projectName === "." || projectName === "..") {
         throw new CLIError("Project name must be at least 2 safe characters (letters, numbers, hyphens).");
       }
       const validTemplates = ["react", "nextjs", "chatbot", "crm", "e-commerce", "todo", "empty"];
       let template = opts.template;
+      if (opts.auth && !VALID_AUTH_PROVIDERS.includes(opts.auth)) {
+        throw new CLIError(`Invalid --auth "${opts.auth}". Valid: ${VALID_AUTH_PROVIDERS.join(", ")}`);
+      }
       if (template && !validTemplates.includes(template)) {
         throw new CLIError(`Invalid template "${template}". Valid options: ${validTemplates.join(", ")}`);
       }
@@ -1945,27 +2697,27 @@ function registerCreateCommand(program2) {
             initialValue: projectName,
             validate: (v) => {
               if (v.length < 1) return "Directory name is required";
-              const normalized = path3.basename(v).replace(/[^a-zA-Z0-9._-]/g, "-");
+              const normalized = path4.basename(v).replace(/[^a-zA-Z0-9._-]/g, "-");
               if (!normalized || normalized === "." || normalized === "..") return "Invalid directory name";
               return void 0;
             }
           });
           if (isCancel2(inputDir)) process.exit(0);
-          dirName = path3.basename(inputDir).replace(/[^a-zA-Z0-9._-]/g, "-");
+          dirName = path4.basename(inputDir).replace(/[^a-zA-Z0-9._-]/g, "-");
         }
         if (!dirName || dirName === "." || dirName === "..") {
           throw new CLIError("Invalid directory name.");
         }
-        projectDir = path3.resolve(originalCwd, dirName);
-        const dirExists = await fs3.stat(projectDir).catch(() => null);
+        projectDir = path4.resolve(originalCwd, dirName);
+        const dirExists = await fs4.stat(projectDir).catch(() => null);
         if (dirExists) {
           throw new CLIError(`Directory "${dirName}" already exists.`);
         }
-        await fs3.mkdir(projectDir);
+        await fs4.mkdir(projectDir);
         process.chdir(projectDir);
       }
       let projectLinked = false;
-      const s = !json ? clack7.spinner() : null;
+      const s = !json ? clack11.spinner() : null;
       try {
         s?.start("Creating project...");
         const project = await createProject(orgId, projectName, opts.region, apiUrl);
@@ -1993,37 +2745,49 @@ function registerCreateCommand(program2) {
           try {
             const anonKey = await getAnonKey();
             if (!anonKey) {
-              if (!json) clack7.log.warn("Could not retrieve anon key. You can add it to .env.local manually.");
+              if (!json) clack11.log.warn("Could not retrieve anon key. You can add it to .env.local manually.");
             } else {
-              const envPath = path3.join(process.cwd(), ".env.local");
+              const envPath = path4.join(process.cwd(), ".env.local");
               const envContent = [
                 "# InsForge",
                 `NEXT_PUBLIC_INSFORGE_URL=${projectConfig.oss_host}`,
                 `NEXT_PUBLIC_INSFORGE_ANON_KEY=${anonKey}`,
                 ""
               ].join("\n");
-              await fs3.writeFile(envPath, envContent, { flag: "wx" });
+              await fs4.writeFile(envPath, envContent, { flag: "wx" });
               if (!json) {
-                clack7.log.success("Created .env.local with your InsForge credentials");
+                clack11.log.success("Created .env.local with your InsForge credentials");
               }
             }
           } catch (err) {
             const error = err;
             if (!json) {
               if (error.code === "EEXIST") {
-                clack7.log.warn(".env.local already exists; skipping InsForge key seeding.");
+                clack11.log.warn(".env.local already exists; skipping InsForge key seeding.");
               } else {
-                clack7.log.warn(`Failed to create .env.local: ${error.message}`);
+                clack11.log.warn(`Failed to create .env.local: ${error.message}`);
               }
             }
           }
         }
+        if (opts.auth) {
+          try {
+            const result = await applyAuthProvider(opts.auth, process.cwd(), projectConfig, json);
+            if (!json) {
+              clack11.log.success(`Wired in ${opts.auth}: ${result.written.length} new, ${result.overwritten.length} replaced`);
+            }
+          } catch (err) {
+            const msg = `Failed to apply --auth ${opts.auth}: ${err.message}`;
+            if (json) console.error(JSON.stringify({ warning: msg }));
+            else clack11.log.warn(msg);
+          }
+        }
         await installSkills(json);
         trackCommand("create", orgId);
         await reportCliUsage("cli.create", true, 6);
-        const templateDownloaded = hasTemplate ? await fs3.stat(path3.join(process.cwd(), "package.json")).catch(() => null) : null;
+        const templateDownloaded = hasTemplate ? await fs4.stat(path4.join(process.cwd(), "package.json")).catch(() => null) : null;
         if (templateDownloaded) {
-          const installSpinner = !json ? clack7.spinner() : null;
+          const installSpinner = !json ? clack11.spinner() : null;
           installSpinner?.start("Installing dependencies...");
           try {
             await execAsync2("npm install", { cwd: process.cwd(), maxBuffer: 10 * 1024 * 1024 });
@@ -2031,8 +2795,8 @@ function registerCreateCommand(program2) {
           } catch (err) {
             installSpinner?.stop("Failed to install dependencies");
             if (!json) {
-              clack7.log.warn(`npm install failed: ${err.message}`);
-              clack7.log.info("Run `npm install` manually to install dependencies.");
+              clack11.log.warn(`npm install failed: ${err.message}`);
+              clack11.log.info("Run `npm install` manually to install dependencies.");
             }
           }
         }
@@ -2048,7 +2812,7 @@ function registerCreateCommand(program2) {
               if (envVars.length > 0) {
                 startBody.envVars = envVars;
               }
-              const deploySpinner = clack7.spinner();
+              const deploySpinner = clack11.spinner();
               const result = await deployProject({
                 sourceDir: process.cwd(),
                 startBody,
@@ -2059,12 +2823,12 @@ function registerCreateCommand(program2) {
                 liveUrl = result.liveUrl;
               } else {
                 deploySpinner.stop("Deployment is still building");
-                clack7.log.info(`Deployment ID: ${result.deploymentId}`);
-                clack7.log.warn("Deployment did not finish within 2 minutes.");
-                clack7.log.info(`Check status with: npx @insforge/cli deployments status ${result.deploymentId}`);
+                clack11.log.info(`Deployment ID: ${result.deploymentId}`);
+                clack11.log.warn("Deployment did not finish within 2 minutes.");
+                clack11.log.info(`Check status with: npx @insforge/cli deployments status ${result.deploymentId}`);
               }
             } catch (err) {
-              clack7.log.warn(`Deploy failed: ${err.message}`);
+              clack11.log.warn(`Deploy failed: ${err.message}`);
             }
           }
         }
@@ -2081,38 +2845,38 @@ function registerCreateCommand(program2) {
             }
           });
         } else {
-          clack7.log.step(`Dashboard: ${dashboardUrl}`);
+          clack11.log.step(`Dashboard: ${dashboardUrl}`);
           if (liveUrl) {
-            clack7.log.success(`Live site: ${liveUrl}`);
+            clack11.log.success(`Live site: ${liveUrl}`);
           }
           if (templateDownloaded) {
             const steps = [
               `cd ${dirName}`,
               "npm run dev"
             ];
-            clack7.note(steps.join("\n"), "Next steps");
-            clack7.note("Open your coding agent (Claude Code, Codex, Cursor, etc.) to add new features.", "Keep building");
+            clack11.note(steps.join("\n"), "Next steps");
+            clack11.note("Open your coding agent (Claude Code, Codex, Cursor, etc.) to add new features.", "Keep building");
           } else if (hasTemplate && !templateDownloaded) {
-            clack7.log.warn("Template download failed. You can retry or set up manually.");
+            clack11.log.warn("Template download failed. You can retry or set up manually.");
           } else {
             const prompts = [
               "Build a todo app with Google OAuth sign-in",
               "Build an Instagram clone where users can upload photos, like, and comment",
               "Build an AI chatbot with conversation history"
             ];
-            clack7.note(
+            clack11.note(
               `Open your coding agent (Claude Code, Codex, Cursor, etc.) and try:
 
 ${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
               "Start building"
             );
           }
-          clack7.outro("Done!");
+          clack11.outro("Done!");
         }
       } catch (err) {
         if (!projectLinked && hasTemplate && projectDir !== originalCwd) {
           process.chdir(originalCwd);
-          await fs3.rm(projectDir, { recursive: true, force: true }).catch(() => {
+          await fs4.rm(projectDir, { recursive: true, force: true }).catch(() => {
           });
         }
         throw err;
@@ -2126,18 +2890,18 @@ ${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
   });
 }
 async function downloadTemplate(framework, projectConfig, projectName, json, _apiUrl) {
-  const s = !json ? clack7.spinner() : null;
+  const s = !json ? clack11.spinner() : null;
   s?.start("Downloading template...");
   try {
     const anonKey = await getAnonKey();
     if (!anonKey) {
       throw new Error("Failed to retrieve anon key from backend");
     }
-    const tempDir = tmpdir();
+    const tempDir = tmpdir2();
     const targetDir = projectName;
-    const templatePath = path3.join(tempDir, targetDir);
+    const templatePath = path4.join(tempDir, targetDir);
     try {
-      await fs3.rm(templatePath, { recursive: true, force: true });
+      await fs4.rm(templatePath, { recursive: true, force: true });
     } catch {
     }
     const frame = framework === "nextjs" ? "nextjs" : "react";
@@ -2151,41 +2915,53 @@ async function downloadTemplate(framework, projectConfig, projectName, json, _ap
     s?.message("Copying template files...");
     const cwd = process.cwd();
     await copyDir(templatePath, cwd);
-    await fs3.rm(templatePath, { recursive: true, force: true }).catch(() => {
+    await fs4.rm(templatePath, { recursive: true, force: true }).catch(() => {
     });
     s?.stop("Template files downloaded");
   } catch (err) {
     s?.stop("Template download failed");
     if (!json) {
-      clack7.log.warn(`Failed to download template: ${err.message}`);
-      clack7.log.info("You can manually set up the template later.");
+      clack11.log.warn(`Failed to download template: ${err.message}`);
+      clack11.log.info("You can manually set up the template later.");
     }
   }
 }
 async function downloadGitHubTemplate(templateName, projectConfig, json) {
-  const s = !json ? clack7.spinner() : null;
+  const s = !json ? clack11.spinner() : null;
   s?.start(`Downloading ${templateName} template...`);
-  const tempDir = path3.join(tmpdir(), `insforge-template-${Date.now()}`);
+  const tempDir = path4.join(tmpdir2(), `insforge-template-${Date.now()}`);
   try {
-    await fs3.mkdir(tempDir, { recursive: true });
-    await execAsync2(
-      "git clone --depth 1 https://github.com/InsForge/insforge-templates.git .",
-      { cwd: tempDir, maxBuffer: 10 * 1024 * 1024, timeout: 6e4 }
-    );
-    const templateDir = path3.join(tempDir, templateName);
-    const stat5 = await fs3.stat(templateDir).catch(() => null);
+    await fs4.mkdir(tempDir, { recursive: true });
+    const templatesRepo = process.env.INSFORGE_TEMPLATES_REPO ?? "https://github.com/InsForge/insforge-templates.git";
+    if (!SAFE_REPO_PATTERN2.test(templatesRepo)) {
+      throw new Error(`INSFORGE_TEMPLATES_REPO has unsupported characters: ${templatesRepo}`);
+    }
+    const templatesBranch = process.env.INSFORGE_TEMPLATES_BRANCH;
+    if (templatesBranch !== void 0 && !SAFE_BRANCH_PATTERN2.test(templatesBranch)) {
+      throw new Error(`INSFORGE_TEMPLATES_BRANCH has unsupported characters: ${templatesBranch}`);
+    }
+    const cloneArgs = ["clone", "--depth", "1"];
+    if (templatesBranch) cloneArgs.push("-b", templatesBranch);
+    cloneArgs.push("--", templatesRepo, ".");
+    await execFileAsync2("git", cloneArgs, {
+      cwd: tempDir,
+      maxBuffer: 10 * 1024 * 1024,
+      timeout: 6e4
+    });
+    const templateDir = path4.join(tempDir, templateName);
+    const stat5 = await fs4.stat(templateDir).catch(() => null);
     if (!stat5?.isDirectory()) {
       throw new Error(`Template "${templateName}" not found in repository`);
     }
     s?.message("Copying template files...");
     const cwd = process.cwd();
     await copyDir(templateDir, cwd);
-    const envExamplePath = path3.join(cwd, ".env.example");
-    const envExampleExists = await fs3.stat(envExamplePath).catch(() => null);
+    const envExamplePath = path4.join(cwd, ".env.example");
+    const envExampleExists = await fs4.stat(envExamplePath).catch(() => null);
     if (envExampleExists) {
       const anonKey = await getAnonKey();
-      const envExample = await fs3.readFile(envExamplePath, "utf-8");
-      const envContent = envExample.replace(
+      const envExample = await fs4.readFile(envExamplePath, "utf-8");
+      const envFinal = envExample.replace(
         /^([A-Z][A-Z0-9_]*=)(.*)$/gm,
         (_, prefix, _value) => {
           const key = prefix.slice(0, -1);
@@ -2195,32 +2971,32 @@ async function downloadGitHubTemplate(templateName, projectConfig, json) {
           return `${prefix}${_value}`;
         }
       );
-      const envLocalPath = path3.join(cwd, ".env.local");
+      const envLocalPath = path4.join(cwd, ".env.local");
       try {
-        await fs3.writeFile(envLocalPath, envContent, { flag: "wx" });
+        await fs4.writeFile(envLocalPath, envFinal, { flag: "wx" });
       } catch (e) {
         if (e.code === "EEXIST") {
-          if (!json) clack7.log.warn(".env.local already exists; skipping env seeding.");
+          if (!json) clack11.log.warn(".env.local already exists; skipping env seeding.");
         } else {
           throw e;
         }
       }
     }
     s?.stop(`${templateName} template downloaded`);
-    const migrationPath = path3.join(cwd, "migrations", "db_init.sql");
-    const migrationExists = await fs3.stat(migrationPath).catch(() => null);
+    const migrationPath = path4.join(cwd, "migrations", "db_init.sql");
+    const migrationExists = await fs4.stat(migrationPath).catch(() => null);
     if (migrationExists) {
-      const dbSpinner = !json ? clack7.spinner() : null;
+      const dbSpinner = !json ? clack11.spinner() : null;
       dbSpinner?.start("Running database migrations...");
       try {
-        const sql = await fs3.readFile(migrationPath, "utf-8");
+        const sql = await fs4.readFile(migrationPath, "utf-8");
         await runRawSql(sql, true);
         dbSpinner?.stop("Database migrations applied");
       } catch (err) {
         dbSpinner?.stop("Database migration failed");
         if (!json) {
-          clack7.log.warn(`Migration failed: ${err.message}`);
-          clack7.log.info('You can run the migration manually: npx @insforge/cli db query --unrestricted "$(cat migrations/db_init.sql)"');
+          clack11.log.warn(`Migration failed: ${err.message}`);
+          clack11.log.info('You can run the migration manually: npx @insforge/cli db query --unrestricted "$(cat migrations/db_init.sql)"');
         } else {
           throw err;
         }
@@ -2228,25 +3004,31 @@ async function downloadGitHubTemplate(templateName, projectConfig, json) {
     }
   } catch (err) {
     s?.stop(`${templateName} template download failed`);
-    if (!json) {
-      clack7.log.warn(`Failed to download ${templateName} template: ${err.message}`);
-      clack7.log.info("You can manually clone from: https://github.com/InsForge/insforge-templates");
+    const msg = `Failed to download ${templateName} template: ${err.message}`;
+    if (json) {
+      console.error(JSON.stringify({ warning: msg }));
+    } else {
+      clack11.log.warn(msg);
+      clack11.log.info("You can manually clone from: https://github.com/InsForge/insforge-templates");
     }
   } finally {
-    await fs3.rm(tempDir, { recursive: true, force: true }).catch(() => {
+    await fs4.rm(tempDir, { recursive: true, force: true }).catch(() => {
     });
   }
 }
 
 // src/commands/projects/link.ts
-var execAsync3 = promisify3(exec3);
+var execAsync3 = promisify4(exec3);
 function buildOssHost2(appkey, region) {
   return `https://${appkey}.${region}.insforge.app`;
 }
 function registerProjectLinkCommand(program2) {
-  program2.command("link").description("Link current directory to an InsForge project").option("--project-id <id>", "Project ID to link").option("--org-id <id>", "Organization ID").option("--template <template>", "Download a template after linking: react, nextjs, chatbot, crm, e-commerce, todo").option("--api-base-url <url>", "API Base URL for direct linking (OSS/Self-hosted)").option("--api-key <key>", "API Key for direct linking (OSS/Self-hosted)").action(async (opts, cmd) => {
+  program2.command("link").description("Link current directory to an InsForge project").option("--project-id <id>", "Project ID to link").option("--org-id <id>", "Organization ID").option("--template <template>", "Download a template after linking: react, nextjs, chatbot, crm, e-commerce, todo").option("--auth <provider>", "Wire a third-party auth provider into the chosen template (currently: better-auth)").option("--api-base-url <url>", "API Base URL for direct linking (OSS/Self-hosted)").option("--api-key <key>", "API Key for direct linking (OSS/Self-hosted)").action(async (opts, cmd) => {
     const { json, apiUrl } = getRootOpts(cmd);
     const validTemplates = ["react", "nextjs", "chatbot", "crm", "e-commerce", "todo"];
+    if (opts.auth && !VALID_AUTH_PROVIDERS.includes(opts.auth)) {
+      throw new CLIError(`Invalid --auth "${opts.auth}". Valid: ${VALID_AUTH_PROVIDERS.join(", ")}`);
+    }
     try {
       if (opts.template && !validTemplates.includes(opts.template)) {
         throw new CLIError(`Invalid template "${opts.template}". Valid options: ${validTemplates.join(", ")}`);
@@ -2281,23 +3063,23 @@ function registerProjectLinkCommand(program2) {
                 initialValue: defaultDir,
                 validate: (v) => {
                   if (v.length < 1) return "Directory name is required";
-                  const normalized = path4.basename(v).replace(/[^a-zA-Z0-9._-]/g, "-");
+                  const normalized = path5.basename(v).replace(/[^a-zA-Z0-9._-]/g, "-");
                   if (!normalized || normalized === "." || normalized === "..") return "Invalid directory name";
                   return void 0;
                 }
               });
               if (isCancel2(inputDir)) process.exit(0);
-              dirName = path4.basename(inputDir).replace(/[^a-zA-Z0-9._-]/g, "-");
+              dirName = path5.basename(inputDir).replace(/[^a-zA-Z0-9._-]/g, "-");
             }
             if (!dirName || dirName === "." || dirName === "..") {
               throw new CLIError("Invalid directory name.");
             }
-            const templateDir = path4.resolve(process.cwd(), dirName);
-            const dirExists = await fs4.stat(templateDir).catch(() => null);
+            const templateDir = path5.resolve(process.cwd(), dirName);
+            const dirExists = await fs5.stat(templateDir).catch(() => null);
             if (dirExists) {
               throw new CLIError(`Directory "${dirName}" already exists.`);
             }
-            await fs4.mkdir(templateDir);
+            await fs5.mkdir(templateDir);
             process.chdir(templateDir);
             saveProjectConfig(projectConfig2);
             if (json) {
@@ -2312,17 +3094,27 @@ function registerProjectLinkCommand(program2) {
             }
             captureEvent(FAKE_ORG_ID, "template_selected", { template: template2, source: "link_direct" });
             await downloadGitHubTemplate(template2, projectConfig2, json);
-            const templateDownloaded = await fs4.stat(path4.join(process.cwd(), "package.json")).catch(() => null);
-            if (templateDownloaded && !json) {
-              const installSpinner = clack8.spinner();
+            const templateDownloaded = await fs5.stat(path5.join(process.cwd(), "package.json")).catch(() => null);
+            if (opts.auth) {
+              try {
+                const result = await applyAuthProvider(opts.auth, process.cwd(), projectConfig2, json);
+                if (!json) clack12.log.success(`Wired in ${opts.auth}: ${result.written.length} new, ${result.overwritten.length} replaced`);
+              } catch (err) {
+                const msg = `Failed to apply --auth ${opts.auth}: ${err.message}`;
+                if (json) console.error(JSON.stringify({ warning: msg }));
+                else clack12.log.warn(msg);
+              }
+            }
+            if (templateDownloaded && !json) {
+              const installSpinner = clack12.spinner();
               installSpinner.start("Installing dependencies...");
               try {
                 await execAsync3("npm install", { cwd: process.cwd(), maxBuffer: 10 * 1024 * 1024 });
                 installSpinner.stop("Dependencies installed");
               } catch (err) {
                 installSpinner.stop("Failed to install dependencies");
-                clack8.log.warn(`npm install failed: ${err.message}`);
-                clack8.log.info("Run `npm install` manually to install dependencies.");
+                clack12.log.warn(`npm install failed: ${err.message}`);
+                clack12.log.info("Run `npm install` manually to install dependencies.");
               }
             }
             await installSkills(json);
@@ -2342,9 +3134,9 @@ function registerProjectLinkCommand(program2) {
                   `${pc2.bold("1.")} ${runCommand}`,
                   `${pc2.bold("2.")} Open ${pc2.cyan("Claude Code")} or ${pc2.cyan("Cursor")} and prompt your agent to add more features`
                 ];
-                clack8.note(steps.join("\n"), "What's next");
+                clack12.note(steps.join("\n"), "What's next");
               } else {
-                clack8.log.warn("Template download failed. You can retry or set up manually.");
+                clack12.log.warn("Template download failed. You can retry or set up manually.");
               }
             }
             return;
@@ -2355,6 +3147,31 @@ function registerProjectLinkCommand(program2) {
           } else {
             outputSuccess(`Linked to direct project at ${projectConfig2.oss_host}`);
           }
+          if (opts.auth) {
+            try {
+              const result = await applyAuthProvider(opts.auth, process.cwd(), projectConfig2, json);
+              if (!json) {
+                clack12.log.success(`Wired in ${opts.auth}: ${result.written.length} new, ${result.overwritten.length} replaced`);
+              }
+              if (result.packageJsonPatched && !json) {
+                const installSpinner = clack12.spinner();
+                installSpinner.start("Installing new dependencies...");
+                try {
+                  await execAsync3("npm install", { cwd: process.cwd(), maxBuffer: 10 * 1024 * 1024 });
+                  installSpinner.stop("Dependencies installed");
+                } catch (err) {
+                  installSpinner.stop("Failed to install dependencies");
+                  clack12.log.warn(`npm install failed: ${err.message}`);
+                  clack12.log.info("Run `npm install` manually to install dependencies.");
+                }
+              }
+              if (!json) clack12.note(result.nextSteps, "What's next");
+            } catch (err) {
+              const msg = `Failed to apply --auth ${opts.auth}: ${err.message}`;
+              if (json) console.error(JSON.stringify({ warning: msg }));
+              else clack12.log.warn(msg);
+            }
+          }
           trackCommand("link", "oss-org", { direct: true });
           await installSkills(json);
           await reportCliUsage("cli.link_direct", true, 6, projectConfig2);
@@ -2382,7 +3199,7 @@ function registerProjectLinkCommand(program2) {
         }
         if (orgs.length === 1) {
           orgId = orgs[0].id;
-          if (!json) clack8.log.info(`Using organization: ${orgs[0].name}`);
+          if (!json) clack12.log.info(`Using organization: ${orgs[0].name}`);
         } else {
           if (json) {
             throw new CLIError("Multiple organizations found. Specify --org-id.");
@@ -2468,68 +3285,91 @@ function registerProjectLinkCommand(program2) {
             initialValue: project.name,
             validate: (v) => {
               if (v.length < 1) return "Directory name is required";
-              const normalized = path4.basename(v).replace(/[^a-zA-Z0-9._-]/g, "-");
+              const normalized = path5.basename(v).replace(/[^a-zA-Z0-9._-]/g, "-");
               if (!normalized || normalized === "." || normalized === "..") return "Invalid directory name";
               return void 0;
             }
           });
           if (isCancel2(inputDir)) process.exit(0);
-          dirName = path4.basename(inputDir).replace(/[^a-zA-Z0-9._-]/g, "-");
+          dirName = path5.basename(inputDir).replace(/[^a-zA-Z0-9._-]/g, "-");
         }
         if (!dirName || dirName === "." || dirName === "..") {
           throw new CLIError("Invalid directory name.");
         }
-        const templateDir = path4.resolve(process.cwd(), dirName);
-        const dirExists = await fs4.stat(templateDir).catch(() => null);
+        const templateDir = path5.resolve(process.cwd(), dirName);
+        const dirExists = await fs5.stat(templateDir).catch(() => null);
         if (dirExists) {
           throw new CLIError(`Directory "${dirName}" already exists.`);
         }
-        await fs4.mkdir(templateDir);
+        await fs5.mkdir(templateDir);
         process.chdir(templateDir);
         saveProjectConfig(projectConfig);
         captureEvent(orgId ?? project.organization_id, "template_selected", { template, source: "link" });
         await downloadGitHubTemplate(template, projectConfig, json);
-        const templateDownloaded = await fs4.stat(path4.join(process.cwd(), "package.json")).catch(() => null);
+        const templateDownloaded = await fs5.stat(path5.join(process.cwd(), "package.json")).catch(() => null);
+        if (opts.auth) {
+          try {
+            const result = await applyAuthProvider(opts.auth, process.cwd(), projectConfig, json);
+            if (!json) clack12.log.success(`Wired in ${opts.auth}: ${result.written.length} new, ${result.overwritten.length} replaced`);
+          } catch (err) {
+            const msg = `Failed to apply --auth ${opts.auth}: ${err.message}`;
+            if (json) console.error(JSON.stringify({ warning: msg }));
+            else clack12.log.warn(msg);
+          }
+        }
         if (templateDownloaded && !json) {
-          const installSpinner = clack8.spinner();
+          const installSpinner = clack12.spinner();
           installSpinner.start("Installing dependencies...");
           try {
             await execAsync3("npm install", { cwd: process.cwd(), maxBuffer: 10 * 1024 * 1024 });
             installSpinner.stop("Dependencies installed");
           } catch (err) {
             installSpinner.stop("Failed to install dependencies");
-            clack8.log.warn(`npm install failed: ${err.message}`);
-            clack8.log.info("Run `npm install` manually to install dependencies.");
+            clack12.log.warn(`npm install failed: ${err.message}`);
+            clack12.log.info("Run `npm install` manually to install dependencies.");
           }
         }
         await installSkills(json);
         await reportCliUsage("cli.link", true, 6, projectConfig);
         if (!json) {
           const dashboardUrl = `${getFrontendUrl()}/dashboard/project/${project.id}`;
-          clack8.log.step(`Dashboard: ${pc2.underline(dashboardUrl)}`);
+          clack12.log.step(`Dashboard: ${pc2.underline(dashboardUrl)}`);
           if (templateDownloaded) {
             const runCommand = `${pc2.cyan("cd")} ${pc2.green(dirName)} ${pc2.dim("&&")} ${pc2.cyan("npm run dev")}`;
             const steps = [
               `${pc2.bold("1.")} ${runCommand}`,
               `${pc2.bold("2.")} Open ${pc2.cyan("Claude Code")} or ${pc2.cyan("Cursor")} and prompt your agent to add more features`
             ];
-            clack8.note(steps.join("\n"), "What's next");
+            clack12.note(steps.join("\n"), "What's next");
           } else {
-            clack8.log.warn("Template download failed. You can retry or set up manually.");
+            clack12.log.warn("Template download failed. You can retry or set up manually.");
           }
         }
       } else {
+        if (opts.auth) {
+          try {
+            const result = await applyAuthProvider(opts.auth, process.cwd(), projectConfig, json);
+            if (!json) {
+              clack12.log.success(`Wired in ${opts.auth}: ${result.written.length} new, ${result.overwritten.length} replaced`);
+              clack12.note(result.nextSteps, "What's next");
+            }
+          } catch (err) {
+            const msg = `Failed to apply --auth ${opts.auth}: ${err.message}`;
+            if (json) console.error(JSON.stringify({ warning: msg }));
+            else clack12.log.warn(msg);
+          }
+        }
         await installSkills(json);
         await reportCliUsage("cli.link", true, 6, projectConfig);
         if (!json) {
           const dashboardUrl = `${getFrontendUrl()}/dashboard/project/${project.id}`;
-          clack8.log.step(`Dashboard: ${dashboardUrl}`);
+          clack12.log.step(`Dashboard: ${dashboardUrl}`);
           const prompts = [
             "Build a todo app with Google OAuth sign-in",
             "Build an Instagram clone where users can upload photos, like, and comment",
             "Build an AI chatbot with conversation history and deploy it to a live URL"
           ];
-          clack8.note(
+          clack12.note(
             `Open your coding agent (Claude Code, Codex, Cursor, etc.) and try:
 
 ${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
@@ -2769,7 +3609,7 @@ function registerDbRpcCommand(dbCmd2) {
 }
 
 // src/commands/db/export.ts
-import { writeFileSync as writeFileSync2 } from "fs";
+import { writeFileSync as writeFileSync3 } from "fs";
 function registerDbExportCommand(dbCmd2) {
   dbCmd2.command("export").description("Export database schema and/or data").option("--format <format>", "Export format: sql or json", "sql").option("--tables <tables>", "Comma-separated list of tables to export (default: all)").option("--no-data", "Exclude table data (schema only)").option("--include-functions", "Include database functions").option("--include-sequences", "Include sequences").option("--include-views", "Include views").option("--row-limit <n>", "Maximum rows per table").option("-o, --output <file>", "Output file path (default: stdout)").action(async (opts, cmd) => {
     const { json } = getRootOpts(cmd);
@@ -2809,7 +3649,7 @@ function registerDbExportCommand(dbCmd2) {
         return;
       }
       if (opts.output) {
-        writeFileSync2(opts.output, content);
+        writeFileSync3(opts.output, content);
         const tableCount = meta?.tables?.length;
         const suffix = tableCount ? ` (${tableCount} tables, format: ${meta?.format ?? opts.format})` : "";
         outputSuccess(`Exported to ${opts.output}${suffix}`);
@@ -2824,7 +3664,7 @@ function registerDbExportCommand(dbCmd2) {
 
 // src/commands/db/import.ts
 import { readFileSync as readFileSync3 } from "fs";
-import { basename as basename4 } from "path";
+import { basename as basename5 } from "path";
 function registerDbImportCommand(dbCmd2) {
   dbCmd2.command("import <file>").description("Import database from a local SQL file").option("--truncate", "Truncate existing tables before import").action(async (file, opts, cmd) => {
     const { json } = getRootOpts(cmd);
@@ -2833,7 +3673,7 @@ function registerDbImportCommand(dbCmd2) {
       const config = getProjectConfig();
       if (!config) throw new ProjectNotLinkedError();
       const fileContent = readFileSync3(file);
-      const fileName = basename4(file);
+      const fileName = basename5(file);
       const formData = new FormData();
       formData.append("file", new Blob([fileContent]), fileName);
       if (opts.truncate) {
@@ -2863,12 +3703,12 @@ function registerDbImportCommand(dbCmd2) {
 }
 
 // src/commands/db/migrations.ts
-import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { join as join9 } from "path";
 
 // src/lib/migrations.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync2, readdirSync } from "fs";
-import { join as join7 } from "path";
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readdirSync } from "fs";
+import { join as join8 } from "path";
 var MIGRATION_VERSION_REGEX = /^\d{1,64}$/u;
 var MIGRATION_FILENAME_REGEX = /^(\d{1,64})_([a-z0-9-]+)\.sql$/u;
 function assertValidMigrationVersion(version) {
@@ -2932,18 +3772,18 @@ function incrementMigrationVersion(version) {
   return formatMigrationVersion(new Date(nextTimestamp));
 }
 function getMigrationsDir(cwd = process.cwd()) {
-  return join7(cwd, "migrations");
+  return join8(cwd, "migrations");
 }
 function ensureMigrationsDir(cwd = process.cwd()) {
   const migrationsDir = getMigrationsDir(cwd);
-  if (!existsSync3(migrationsDir)) {
+  if (!existsSync4(migrationsDir)) {
     mkdirSync2(migrationsDir, { recursive: true });
   }
   return migrationsDir;
 }
 function listLocalMigrationFilenames(cwd = process.cwd()) {
   const migrationsDir = getMigrationsDir(cwd);
-  if (!existsSync3(migrationsDir)) {
+  if (!existsSync4(migrationsDir)) {
     return [];
   }
   return readdirSync(migrationsDir).sort((left, right) => left.localeCompare(right));
@@ -3131,12 +3971,12 @@ function registerDbMigrationsCommand(dbCmd2) {
           migration.version,
           migration.name
         );
-        const filePath = join8(migrationsDir, filename);
-        if (existingLocalVersions.has(migration.version) || existsSync4(filePath)) {
+        const filePath = join9(migrationsDir, filename);
+        if (existingLocalVersions.has(migration.version) || existsSync5(filePath)) {
           skippedFiles.push(filename);
           continue;
         }
-        writeFileSync3(filePath, formatMigrationSql(migration.statements));
+        writeFileSync4(filePath, formatMigrationSql(migration.statements));
         createdFiles.push(filename);
         existingLocalVersions.add(migration.version);
       }
@@ -3174,9 +4014,9 @@ function registerDbMigrationsCommand(dbCmd2) {
       );
       const filename = buildMigrationFilename(nextVersion, migrationName);
       const migrationsDir = ensureMigrationsDir();
-      const filePath = join8(migrationsDir, filename);
+      const filePath = join9(migrationsDir, filename);
       try {
-        writeFileSync3(filePath, "", { flag: "wx" });
+        writeFileSync4(filePath, "", { flag: "wx" });
       } catch (error) {
         if (error.code === "EEXIST") {
           throw new CLIError(`Migration file already exists: ${filename}`);
@@ -3232,8 +4072,8 @@ function registerDbMigrationsCommand(dbCmd2) {
             `Migration ${targetMigration.filename} is not the next pending local migration. Apply ${earlierPendingMigration.filename} first, or fix/delete it locally if it is invalid or no longer needed.`
           );
         }
-        const filePath = join8(getMigrationsDir(), targetMigration.filename);
-        if (!existsSync4(filePath)) {
+        const filePath = join9(getMigrationsDir(), targetMigration.filename);
+        if (!existsSync5(filePath)) {
           throw new CLIError(`Local migration file not found: ${targetMigration.filename}`);
         }
         const sql = readFileSync4(filePath, "utf-8");
@@ -3298,8 +4138,8 @@ function registerDbMigrationsCommand(dbCmd2) {
           }
         }
         for (const migration of migrationsToApply) {
-          const filePath = join8(getMigrationsDir(), migration.filename);
-          if (!existsSync4(filePath)) {
+          const filePath = join9(getMigrationsDir(), migration.filename);
+          if (!existsSync5(filePath)) {
             throw new CLIError(`Local migration file not found: ${migration.filename}`);
           }
           const sql = readFileSync4(filePath, "utf-8");
@@ -3338,8 +4178,8 @@ function registerRecordsCommands(recordsCmd2) {
       if (opts.limit) params.set("limit", String(opts.limit));
       if (opts.offset) params.set("offset", String(opts.offset));
       const query = params.toString();
-      const path5 = `/api/database/records/${encodeURIComponent(table)}${query ? `?${query}` : ""}`;
-      const res = await ossFetch(path5);
+      const path6 = `/api/database/records/${encodeURIComponent(table)}${query ? `?${query}` : ""}`;
+      const res = await ossFetch(path6);
       const data = await res.json();
       const records = data.data ?? [];
       if (json) {
@@ -3508,18 +4348,18 @@ function registerFunctionsCommands(functionsCmd2) {
 }
 
 // src/commands/functions/deploy.ts
-import { readFileSync as readFileSync5, existsSync as existsSync5 } from "fs";
-import { join as join9 } from "path";
+import { readFileSync as readFileSync5, existsSync as existsSync6 } from "fs";
+import { join as join10 } from "path";
 function registerFunctionsDeployCommand(functionsCmd2) {
   functionsCmd2.command("deploy <slug>").description("Deploy an edge function (create or update)").option("--file <path>", "Path to the function source file").option("--name <name>", "Function display name").option("--description <desc>", "Function description").action(async (slug, opts, cmd) => {
     const { json } = getRootOpts(cmd);
     try {
       await requireAuth();
-      const filePath = opts.file ?? join9(process.cwd(), "insforge", "functions", slug, "index.ts");
-      if (!existsSync5(filePath)) {
+      const filePath = opts.file ?? join10(process.cwd(), "insforge", "functions", slug, "index.ts");
+      if (!existsSync6(filePath)) {
         throw new CLIError(
           `Source file not found: ${filePath}
-Specify --file <path> or create ${join9("insforge", "functions", slug, "index.ts")}`
+Specify --file <path> or create ${join10("insforge", "functions", slug, "index.ts")}`
         );
       }
       const code = readFileSync5(filePath, "utf-8");
@@ -3643,7 +4483,7 @@ function registerFunctionsCodeCommand(functionsCmd2) {
 }
 
 // src/commands/functions/delete.ts
-import * as clack9 from "@clack/prompts";
+import * as clack13 from "@clack/prompts";
 function registerFunctionsDeleteCommand(functionsCmd2) {
   functionsCmd2.command("delete <slug>").description("Delete an edge function").action(async (slug, _opts, cmd) => {
     const { json, yes } = getRootOpts(cmd);
@@ -3654,7 +4494,7 @@ function registerFunctionsDeleteCommand(functionsCmd2) {
           message: `Delete function "${slug}"? This cannot be undone.`
         });
         if (isCancel2(confirmed) || !confirmed) {
-          clack9.log.info("Cancelled.");
+          clack13.log.info("Cancelled.");
           return;
         }
       }
@@ -3709,8 +4549,8 @@ function registerStorageBucketsCommand(storageCmd2) {
 }
 
 // src/commands/storage/upload.ts
-import { readFileSync as readFileSync6, existsSync as existsSync6 } from "fs";
-import { basename as basename5 } from "path";
+import { readFileSync as readFileSync6, existsSync as existsSync7 } from "fs";
+import { basename as basename6 } from "path";
 function registerStorageUploadCommand(storageCmd2) {
   storageCmd2.command("upload <file>").description("Upload a file to a storage bucket").requiredOption("--bucket <name>", "Target bucket name").option("--key <objectKey>", "Object key (defaults to filename)").action(async (file, opts, cmd) => {
     const { json } = getRootOpts(cmd);
@@ -3718,11 +4558,11 @@ function registerStorageUploadCommand(storageCmd2) {
       await requireAuth();
       const config = getProjectConfig();
       if (!config) throw new ProjectNotLinkedError();
-      if (!existsSync6(file)) {
+      if (!existsSync7(file)) {
         throw new CLIError(`File not found: ${file}`);
       }
       const fileContent = readFileSync6(file);
-      const objectKey = opts.key ?? basename5(file);
+      const objectKey = opts.key ?? basename6(file);
       const bucketName = opts.bucket;
       const formData = new FormData();
       const blob = new Blob([fileContent]);
@@ -3743,7 +4583,7 @@ function registerStorageUploadCommand(storageCmd2) {
       if (json) {
         outputJson(data);
       } else {
-        outputSuccess(`Uploaded "${basename5(file)}" to bucket "${bucketName}".`);
+        outputSuccess(`Uploaded "${basename6(file)}" to bucket "${bucketName}".`);
       }
     } catch (err) {
       handleError(err, json);
@@ -3752,8 +4592,8 @@ function registerStorageUploadCommand(storageCmd2) {
 }
 
 // src/commands/storage/download.ts
-import { writeFileSync as writeFileSync4 } from "fs";
-import { join as join10, basename as basename6 } from "path";
+import { writeFileSync as writeFileSync5 } from "fs";
+import { join as join11, basename as basename7 } from "path";
 function registerStorageDownloadCommand(storageCmd2) {
   storageCmd2.command("download <objectKey>").description("Download a file from a storage bucket").requiredOption("--bucket <name>", "Source bucket name").option("--output <path>", "Output file path (defaults to current directory)").action(async (objectKey, opts, cmd) => {
     const { json } = getRootOpts(cmd);
@@ -3773,8 +4613,8 @@ function registerStorageDownloadCommand(storageCmd2) {
         throw new CLIError(err.error ?? `Download failed: ${res.status}`);
       }
       const buffer = Buffer.from(await res.arrayBuffer());
-      const outputPath = opts.output ?? join10(process.cwd(), basename6(objectKey));
-      writeFileSync4(outputPath, buffer);
+      const outputPath = opts.output ?? join11(process.cwd(), basename7(objectKey));
+      writeFileSync5(outputPath, buffer);
       if (json) {
         outputJson({ success: true, path: outputPath, size: buffer.length });
       } else {
@@ -3818,10 +4658,10 @@ function registerStorageDeleteBucketCommand(storageCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm3 = await confirm2({
+        const confirm6 = await confirm2({
           message: `Delete bucket "${name}" and all its objects? This cannot be undone.`
         });
-        if (isCancel2(confirm3) || !confirm3) {
+        if (isCancel2(confirm6) || !confirm6) {
           process.exit(0);
         }
       }
@@ -4231,8 +5071,8 @@ async function listDocs(json) {
     );
   }
 }
-async function fetchDoc(path5, label, json) {
-  const res = await ossFetch(path5);
+async function fetchDoc(path6, label, json) {
+  const res = await ossFetch(path6);
   const data = await res.json();
   const doc = data.data ?? data;
   if (json) {
@@ -4372,10 +5212,10 @@ function registerSecretsDeleteCommand(secretsCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm3 = await confirm2({
+        const confirm6 = await confirm2({
           message: `Delete secret "${key}"? This cannot be undone.`
         });
-        if (isCancel2(confirm3) || !confirm3) {
+        if (isCancel2(confirm6) || !confirm6) {
           process.exit(0);
         }
       }
@@ -4563,10 +5403,10 @@ function registerSchedulesDeleteCommand(schedulesCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm3 = await confirm2({
+        const confirm6 = await confirm2({
           message: `Delete schedule "${id}"? This cannot be undone.`
         });
-        if (isCancel2(confirm3) || !confirm3) {
+        if (isCancel2(confirm6) || !confirm6) {
           process.exit(0);
         }
       }
@@ -4690,8 +5530,44 @@ function registerComputeGetCommand(computeCmd2) {
 }
 
 // src/commands/compute/update.ts
+var ENV_KEY_REGEX = /^[A-Z_][A-Z0-9_]*$/;
+function collect(value, previous) {
+  return previous.concat([value]);
+}
+function parseKeyValue(raw) {
+  const eq = raw.indexOf("=");
+  if (eq <= 0) {
+    throw new CLIError(
+      `Invalid --env-set "${raw}": expected KEY=VALUE (key first, then '=', then value)`
+    );
+  }
+  const key = raw.slice(0, eq);
+  const value = raw.slice(eq + 1);
+  if (!ENV_KEY_REGEX.test(key)) {
+    throw new CLIError(`Invalid env var key "${key}": must match [A-Z_][A-Z0-9_]*`);
+  }
+  return [key, value];
+}
+function assertValidKey(key) {
+  if (!ENV_KEY_REGEX.test(key)) {
+    throw new CLIError(`Invalid env var key "${key}": must match [A-Z_][A-Z0-9_]*`);
+  }
+}
 function registerComputeUpdateCommand(computeCmd2) {
-  computeCmd2.command("update <id>").description("Update a compute service").option("--image <image>", "Docker image URL").option("--port <port>", "Container port").option("--cpu <tier>", "CPU tier").option("--memory <mb>", "Memory in MB").option("--region <region>", "Fly.io region").option("--env <json>", "Environment variables as JSON object").action(async (id, opts, cmd) => {
+  computeCmd2.command("update <id>").description("Update a compute service").option("--image <image>", "Docker image URL").option("--port <port>", "Container port").option("--cpu <tier>", "CPU tier").option("--memory <mb>", "Memory in MB").option("--region <region>", "Fly.io region").option(
+    "--env <json>",
+    "Replace ALL env vars with this JSON object. To rotate one secret without restating the others, use --env-set instead."
+  ).option(
+    "--env-set <KEY=VALUE>",
+    "Set or update one env var (repeatable). Merges with existing \u2014 does not clear other vars.",
+    collect,
+    []
+  ).option(
+    "--env-unset <KEY>",
+    "Remove one env var (repeatable). Merges with existing \u2014 leaves other vars in place.",
+    collect,
+    []
+  ).action(async (id, opts, cmd) => {
     const { json } = getRootOpts(cmd);
     try {
       await requireAuth();
@@ -4711,6 +5587,14 @@ function registerComputeUpdateCommand(computeCmd2) {
         body.memory = Number(opts.memory);
       }
       if (opts.region) body.region = opts.region;
+      const envSetArgs = opts.envSet;
+      const envUnsetArgs = opts.envUnset;
+      const hasPatch = envSetArgs.length > 0 || envUnsetArgs.length > 0;
+      if (opts.env && hasPatch) {
+        throw new CLIError(
+          "--env (wholesale replace) and --env-set/--env-unset (partial merge) are mutually exclusive \u2014 pick one."
+        );
+      }
       if (opts.env) {
         try {
           body.envVars = JSON.parse(opts.env);
@@ -4718,8 +5602,22 @@ function registerComputeUpdateCommand(computeCmd2) {
           throw new CLIError("Invalid JSON for --env");
         }
       }
+      if (hasPatch) {
+        const setMap = {};
+        for (const arg of envSetArgs) {
+          const [k, v] = parseKeyValue(arg);
+          setMap[k] = v;
+        }
+        for (const k of envUnsetArgs) assertValidKey(k);
+        body.envVarsPatch = {
+          ...envSetArgs.length > 0 && { set: setMap },
+          ...envUnsetArgs.length > 0 && { unset: envUnsetArgs }
+        };
+      }
       if (Object.keys(body).length === 0) {
-        throw new CLIError("No update fields provided. Use --image, --port, --cpu, --memory, --region, or --env.");
+        throw new CLIError(
+          "No update fields provided. Use --image, --port, --cpu, --memory, --region, --env, --env-set, or --env-unset."
+        );
       }
       const res = await ossFetch(`/api/compute/services/${encodeURIComponent(id)}`, {
         method: "PATCH",
@@ -4811,46 +5709,86 @@ function registerComputeStopCommand(computeCmd2) {
   });
 }
 
-// src/commands/compute/logs.ts
-function registerComputeLogsCommand(computeCmd2) {
-  computeCmd2.command("logs <id>").description("Get compute service logs (machine events)").option("--limit <n>", "Max number of log entries", "50").action(async (id, opts, cmd) => {
+// src/commands/compute/events.ts
+function registerComputeEventsCommand(computeCmd2) {
+  computeCmd2.command("events <id>").description("Get compute service machine events (start/stop/exit/restart)").option("--limit <n>", "Max number of event entries", "50").action(async (id, opts, cmd) => {
     const { json } = getRootOpts(cmd);
     try {
       await requireAuth();
       const limit = Math.max(1, Math.min(Number(opts.limit) || 50, 1e3));
       const res = await ossFetch(
-        `/api/compute/services/${encodeURIComponent(id)}/logs?limit=${limit}`
+        `/api/compute/services/${encodeURIComponent(id)}/events?limit=${limit}`
       );
-      const logs = await res.json();
+      const events = await res.json();
       if (json) {
-        outputJson(logs);
+        outputJson(events);
       } else {
-        if (!Array.isArray(logs) || logs.length === 0) {
-          console.log("No logs found.");
-          await reportCliUsage("cli.compute.logs", true);
+        if (!Array.isArray(events) || events.length === 0) {
+          console.log("No events found.");
+          await reportCliUsage("cli.compute.events", true);
           return;
         }
-        for (const entry of logs) {
+        for (const entry of events) {
           const ts = new Date(entry.timestamp).toISOString();
           console.log(`${ts}  ${entry.message}`);
         }
       }
-      await reportCliUsage("cli.compute.logs", true);
+      await reportCliUsage("cli.compute.events", true);
     } catch (err) {
-      await reportCliUsage("cli.compute.logs", false);
+      await reportCliUsage("cli.compute.events", false);
       handleError(err, json);
     }
   });
 }
 
 // src/commands/compute/deploy.ts
-import { existsSync as existsSync8 } from "fs";
-import { join as join12, resolve as resolve4 } from "path";
+import { existsSync as existsSync9 } from "fs";
+import { join as join13, resolve as resolve4 } from "path";
+
+// src/lib/env-file.ts
+import { readFileSync as readFileSync7 } from "fs";
+var ENV_KEY_REGEX2 = /^[A-Z_][A-Z0-9_]*$/;
+function parseEnvFile(path6) {
+  let raw;
+  try {
+    raw = readFileSync7(path6, "utf-8");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new CLIError(`Could not read --env-file at ${path6}: ${msg}`);
+  }
+  const result = {};
+  const lines = raw.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (line === "" || line.startsWith("#")) continue;
+    const eq = line.indexOf("=");
+    if (eq <= 0) {
+      throw new CLIError(
+        `${path6}:${i + 1}: expected KEY=VALUE, got "${line}"`
+      );
+    }
+    const key = line.slice(0, eq).trim();
+    if (!ENV_KEY_REGEX2.test(key)) {
+      throw new CLIError(
+        `${path6}:${i + 1}: invalid env var key "${key}" (must match [A-Z_][A-Z0-9_]*)`
+      );
+    }
+    let value = line.slice(eq + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') && value.length >= 2 || value.startsWith("'") && value.endsWith("'") && value.length >= 2) {
+      value = value.slice(1, -1);
+    } else {
+      const hash = value.indexOf(" #");
+      if (hash >= 0) value = value.slice(0, hash).trimEnd();
+    }
+    result[key] = value;
+  }
+  return result;
+}
 
 // src/lib/flyctl.ts
 import { spawn, spawnSync } from "child_process";
-import { existsSync as existsSync7, writeFileSync as writeFileSync5, unlinkSync as unlinkSync2 } from "fs";
-import { join as join11 } from "path";
+import { existsSync as existsSync8, writeFileSync as writeFileSync6, unlinkSync as unlinkSync3 } from "fs";
+import { join as join12 } from "path";
 function ensureFlyctlAvailable() {
   const r = spawnSync("flyctl", ["version"], {
     encoding: "utf8",
@@ -4863,8 +5801,8 @@ function ensureFlyctlAvailable() {
   }
 }
 function ensureFlyTomlStub(opts) {
-  const path5 = join11(opts.dir, "fly.toml");
-  if (existsSync7(path5)) {
+  const path6 = join12(opts.dir, "fly.toml");
+  if (existsSync8(path6)) {
     return () => {
     };
   }
@@ -4881,10 +5819,10 @@ primary_region = "${opts.region}"
   auto_start_machines = true
   min_machines_running = 0
 `;
-  writeFileSync5(path5, stub, "utf8");
+  writeFileSync6(path6, stub, "utf8");
   return () => {
     try {
-      unlinkSync2(path5);
+      unlinkSync3(path6);
     } catch {
     }
   };
@@ -4959,7 +5897,10 @@ function registerComputeDeployCommand(computeCmd2) {
     "--cpu <tier>",
     "CPU tier in <kind>-<N>x format (e.g. shared-1x, performance-2x)",
     "shared-1x"
-  ).option("--memory <mb>", "Memory in MB", "512").option("--region <region>", "Fly.io region", "iad").option("--env <json>", "Env vars as JSON object").action(async (dir, opts, cmd) => {
+  ).option("--memory <mb>", "Memory in MB", "512").option("--region <region>", "Fly.io region", "iad").option("--env <json>", "Env vars as JSON object").option(
+    "--env-file <path>",
+    "Path to a .env file (KEY=VALUE per line, #-comments + blank lines ok). Mutually exclusive with --env."
+  ).action(async (dir, opts, cmd) => {
     const { json } = getRootOpts(cmd);
     try {
       await requireAuth();
@@ -4979,6 +5920,11 @@ function registerComputeDeployCommand(computeCmd2) {
       if (!Number.isInteger(memory) || memory <= 0) {
         throw new CLIError(`Invalid --memory: ${opts.memory}`);
       }
+      if (opts.env && opts.envFile) {
+        throw new CLIError(
+          "--env and --env-file are mutually exclusive \u2014 pick one source for the env vars."
+        );
+      }
       let envVars;
       if (opts.env) {
         let parsed;
@@ -4998,6 +5944,8 @@ function registerComputeDeployCommand(computeCmd2) {
           }
         }
         envVars = parsed;
+      } else if (opts.envFile) {
+        envVars = parseEnvFile(resolve4(opts.envFile));
       }
       const baseBody = {
         name: opts.name,
@@ -5040,8 +5988,8 @@ function registerComputeDeployCommand(computeCmd2) {
         return;
       }
       const absDir = resolve4(dir);
-      const dockerfilePath = join12(absDir, "Dockerfile");
-      if (!existsSync8(dockerfilePath)) {
+      const dockerfilePath = join13(absDir, "Dockerfile");
+      if (!existsSync9(dockerfilePath)) {
         throw new CLIError(
           `No Dockerfile at ${dockerfilePath}.
   Either:
@@ -5275,7 +6223,7 @@ function formatSize2(gb) {
 
 // src/commands/diagnose/index.ts
 import * as os from "os";
-import * as clack10 from "@clack/prompts";
+import * as clack14 from "@clack/prompts";
 
 // src/commands/diagnose/metrics.ts
 var METRIC_LABELS = {
@@ -5816,10 +6764,10 @@ function registerDiagnoseCommands(diagnoseCmd2) {
         if (question.length === 0 || question.length > 2e3) {
           throw new CLIError("Question must be between 1 and 2000 characters.");
         }
-        const s = !json ? clack10.spinner() : null;
+        const s = !json ? clack14.spinner() : null;
         s?.start("Collecting diagnostic data...");
         const data2 = await collectDiagnosticData(projectId, ossMode, apiUrl);
-        const cliVersion = "0.1.61";
+        const cliVersion = "0.1.63";
         s?.stop("Data collected");
         if (!json) {
           console.log(`
@@ -5952,9 +6900,9 @@ function registerDiagnoseCommands(diagnoseCmd2) {
                 void 0,
                 apiUrl
               );
-              clack10.log.success("Thanks for your feedback!");
+              clack14.log.success("Thanks for your feedback!");
             } catch {
-              clack10.log.warn("Failed to submit rating.");
+              clack14.log.warn("Failed to submit rating.");
             }
           }
         }
@@ -6046,9 +6994,1145 @@ function formatBytesCompact(bytes) {
   return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
 }
 
+// src/lib/api/payments.ts
+function withQuery(path6, params) {
+  const query = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value !== void 0) query.set(key, String(value));
+  }
+  const suffix = query.toString();
+  return suffix ? `${path6}?${suffix}` : path6;
+}
+async function readJson(res) {
+  return await res.json();
+}
+function withEnvironmentPath(environment, suffix) {
+  return `/api/payments/${encodeURIComponent(environment)}${suffix}`;
+}
+async function getPaymentsStatus() {
+  return readJson(await ossFetch("/api/payments/status"));
+}
+async function getPaymentsConfig() {
+  return readJson(await ossFetch("/api/payments/config"));
+}
+async function setStripeSecretKey(environment, secretKey) {
+  return readJson(
+    await ossFetch(withEnvironmentPath(environment, "/config"), {
+      method: "PUT",
+      body: JSON.stringify({ secretKey })
+    })
+  );
+}
+async function removeStripeSecretKey(environment) {
+  return readJson(
+    await ossFetch(withEnvironmentPath(environment, "/config"), {
+      method: "DELETE"
+    })
+  );
+}
+async function syncPayments(environment = "all") {
+  return readJson(
+    await ossFetch(
+      environment === "all" ? "/api/payments/sync" : withEnvironmentPath(environment, "/sync"),
+      { method: "POST" }
+    )
+  );
+}
+async function configurePaymentWebhook(environment) {
+  return readJson(
+    await ossFetch(withEnvironmentPath(environment, "/webhook"), {
+      method: "POST"
+    })
+  );
+}
+async function listPaymentCatalog(environment) {
+  return readJson(await ossFetch(withEnvironmentPath(environment, "/catalog")));
+}
+async function listPaymentProducts(environment) {
+  return readJson(
+    await ossFetch(withEnvironmentPath(environment, "/catalog/products"))
+  );
+}
+async function getPaymentProduct(environment, productId) {
+  return readJson(
+    await ossFetch(
+      withEnvironmentPath(
+        environment,
+        `/catalog/products/${encodeURIComponent(productId)}`
+      )
+    )
+  );
+}
+async function createPaymentProduct(environment, request) {
+  return readJson(
+    await ossFetch(withEnvironmentPath(environment, "/catalog/products"), {
+      method: "POST",
+      body: JSON.stringify(request)
+    })
+  );
+}
+async function updatePaymentProduct(environment, productId, request) {
+  return readJson(
+    await ossFetch(
+      withEnvironmentPath(
+        environment,
+        `/catalog/products/${encodeURIComponent(productId)}`
+      ),
+      {
+        method: "PATCH",
+        body: JSON.stringify(request)
+      }
+    )
+  );
+}
+async function deletePaymentProduct(environment, productId) {
+  return readJson(
+    await ossFetch(
+      withEnvironmentPath(
+        environment,
+        `/catalog/products/${encodeURIComponent(productId)}`
+      ),
+      { method: "DELETE" }
+    )
+  );
+}
+async function listPaymentPrices(environment, stripeProductId) {
+  return readJson(
+    await ossFetch(
+      withQuery(withEnvironmentPath(environment, "/catalog/prices"), {
+        stripeProductId
+      })
+    )
+  );
+}
+async function getPaymentPrice(environment, priceId) {
+  return readJson(
+    await ossFetch(
+      withEnvironmentPath(
+        environment,
+        `/catalog/prices/${encodeURIComponent(priceId)}`
+      )
+    )
+  );
+}
+async function createPaymentPrice(environment, request) {
+  return readJson(
+    await ossFetch(withEnvironmentPath(environment, "/catalog/prices"), {
+      method: "POST",
+      body: JSON.stringify(request)
+    })
+  );
+}
+async function updatePaymentPrice(environment, priceId, request) {
+  return readJson(
+    await ossFetch(
+      withEnvironmentPath(
+        environment,
+        `/catalog/prices/${encodeURIComponent(priceId)}`
+      ),
+      {
+        method: "PATCH",
+        body: JSON.stringify(request)
+      }
+    )
+  );
+}
+async function archivePaymentPrice(environment, priceId) {
+  return readJson(
+    await ossFetch(
+      withEnvironmentPath(
+        environment,
+        `/catalog/prices/${encodeURIComponent(priceId)}`
+      ),
+      { method: "DELETE" }
+    )
+  );
+}
+async function listSubscriptions(environment, request) {
+  return readJson(
+    await ossFetch(
+      withQuery(withEnvironmentPath(environment, "/subscriptions"), request)
+    )
+  );
+}
+async function listPaymentCustomers(environment, request = {}) {
+  return readJson(
+    await ossFetch(
+      withQuery(withEnvironmentPath(environment, "/customers"), request)
+    )
+  );
+}
+async function listPaymentHistory(environment, request) {
+  return readJson(
+    await ossFetch(
+      withQuery(withEnvironmentPath(environment, "/payment-history"), request)
+    )
+  );
+}
+
+// src/commands/payments/utils.ts
+function parseEnvironment(value) {
+  if (value === "test" || value === "live") return value;
+  throw new CLIError('Environment must be "test" or "live".');
+}
+function parseEnvironmentOrAll(value) {
+  if (value === "all") return value;
+  return parseEnvironment(value);
+}
+function parseBooleanOption(value, flagName) {
+  if (value === void 0) return void 0;
+  const normalized = value.toLowerCase();
+  if (normalized === "true") return true;
+  if (normalized === "false") return false;
+  throw new CLIError(`${flagName} must be "true" or "false".`);
+}
+function parseIntegerOption(value, flagName, options = {}) {
+  if (value === void 0) return void 0;
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isInteger(parsed) || String(parsed) !== value.trim()) {
+    throw new CLIError(`${flagName} must be an integer.`);
+  }
+  if (options.min !== void 0 && parsed < options.min) {
+    throw new CLIError(`${flagName} must be at least ${options.min}.`);
+  }
+  if (options.max !== void 0 && parsed > options.max) {
+    throw new CLIError(`${flagName} must be at most ${options.max}.`);
+  }
+  return parsed;
+}
+function parseMetadataOption(value) {
+  if (value === void 0) return void 0;
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    throw new CLIError("Invalid JSON for --metadata.");
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new CLIError("--metadata must be a JSON object.");
+  }
+  const metadata = {};
+  for (const [key, raw] of Object.entries(parsed)) {
+    if (typeof raw !== "string") {
+      throw new CLIError(`Metadata value for "${key}" must be a string.`);
+    }
+    metadata[key] = raw;
+  }
+  return metadata;
+}
+function formatDate(value) {
+  if (!value) return "-";
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? value : date.toLocaleString();
+}
+function formatAmount(amount, currency) {
+  if (amount === null || amount === void 0) return "-";
+  const code = currency?.toUpperCase();
+  let fractionDigits = 2;
+  if (code) {
+    try {
+      fractionDigits = new Intl.NumberFormat(void 0, {
+        style: "currency",
+        currency: code
+      }).resolvedOptions().maximumFractionDigits;
+    } catch {
+      fractionDigits = 2;
+    }
+  }
+  const divisor = 10 ** fractionDigits;
+  return `${(amount / divisor).toFixed(fractionDigits)} ${code ?? ""}`.trim();
+}
+function formatRecurring(interval, intervalCount) {
+  if (!interval) return "one-time";
+  return `${intervalCount && intervalCount > 1 ? `${intervalCount} ` : ""}${interval}`;
+}
+async function trackPaymentUsage(subcommand, success, properties = {}) {
+  try {
+    try {
+      const config = getProjectConfig();
+      if (config) {
+        trackPayments(subcommand, config, {
+          success,
+          ...properties
+        });
+      }
+    } catch {
+    }
+  } finally {
+    await shutdownAnalytics();
+  }
+}
+
+// src/commands/payments/catalog.ts
+function registerPaymentsCatalogCommand(paymentsCmd2) {
+  paymentsCmd2.command("catalog").description("List mirrored Stripe products and prices for one environment").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const data = await listPaymentCatalog(environment);
+      if (json) {
+        outputJson(data);
+      } else {
+        if (data.products.length === 0 && data.prices.length === 0) {
+          console.log("No Stripe catalog records found.");
+          await trackPaymentUsage("catalog", true, { environment });
+          return;
+        }
+        if (data.products.length > 0) {
+          console.log("Products");
+          outputTable(
+            ["Env", "Product ID", "Name", "Active", "Default Price"],
+            data.products.map((product) => [
+              product.environment,
+              product.stripeProductId,
+              product.name,
+              product.active ? "Yes" : "No",
+              product.defaultPriceId ?? "-"
+            ])
+          );
+        }
+        if (data.prices.length > 0) {
+          console.log("Prices");
+          outputTable(
+            [
+              "Env",
+              "Price ID",
+              "Product ID",
+              "Amount",
+              "Type",
+              "Active",
+              "Recurring"
+            ],
+            data.prices.map((price) => [
+              price.environment,
+              price.stripePriceId,
+              price.stripeProductId ?? "-",
+              formatAmount(price.unitAmount, price.currency),
+              price.type,
+              price.active ? "Yes" : "No",
+              formatRecurring(
+                price.recurringInterval,
+                price.recurringIntervalCount
+              )
+            ])
+          );
+        }
+      }
+      await trackPaymentUsage("catalog", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("catalog", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/config.ts
+function outputConfigTable(data) {
+  if (data.keys.length === 0) {
+    console.log("No Stripe keys configured.");
+    return;
+  }
+  outputTable(
+    ["Env", "Configured", "Key"],
+    data.keys.map((key) => [
+      key.environment,
+      key.hasKey ? "Yes" : "No",
+      key.maskedKey ?? "-"
+    ])
+  );
+}
+function registerPaymentsConfigCommand(paymentsCmd2) {
+  const configCmd = paymentsCmd2.command("config").description("Manage Stripe API keys for payments").action(async (_opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const data = await getPaymentsConfig();
+      if (json) {
+        outputJson(data);
+      } else {
+        outputConfigTable(data);
+      }
+      await trackPaymentUsage("config", true);
+    } catch (err) {
+      await trackPaymentUsage("config", false);
+      handleError(err, json);
+    }
+  });
+  configCmd.command("set <environment> [secretKey]").description("Configure a Stripe secret key for test or live payments").action(async (environmentValue, secretKeyValue, _opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(environmentValue);
+      await requireAuth();
+      let secretKey = secretKeyValue;
+      if (!secretKey) {
+        if (json) {
+          throw new CLIError("Provide secretKey when using --json.");
+        }
+        const input = await password2({
+          message: `Stripe ${environment} secret key`
+        });
+        if (isCancel2(input)) process.exit(0);
+        secretKey = input;
+      }
+      const data = await setStripeSecretKey(environment, secretKey);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(`Stripe ${environment} key configured.`);
+      }
+      await trackPaymentUsage("config.set", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("config.set", false, { environment: environmentValue });
+      handleError(err, json);
+    }
+  });
+  configCmd.command("remove <environment>").alias("delete").description("Remove a configured Stripe secret key").action(async (environmentValue, _opts, cmd) => {
+    const { json, yes } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(environmentValue);
+      await requireAuth();
+      if (json && !yes) {
+        throw new CLIError("Use --yes with --json to remove a Stripe key non-interactively.");
+      }
+      if (!yes) {
+        const confirm6 = await confirm2({
+          message: `Remove Stripe ${environment} key? Payment sync and mutations for this environment will stop.`
+        });
+        if (isCancel2(confirm6) || !confirm6) process.exit(0);
+      }
+      const data = await removeStripeSecretKey(environment);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(`Stripe ${environment} key removed.`);
+      }
+      await trackPaymentUsage("config.remove", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("config.remove", false, { environment: environmentValue });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/customers.ts
+function formatPaymentMethod(customer) {
+  if (customer.paymentMethodBrand && customer.paymentMethodLast4) {
+    return `${customer.paymentMethodBrand} **** ${customer.paymentMethodLast4}`;
+  }
+  if (customer.paymentMethodBrand) {
+    return customer.paymentMethodBrand;
+  }
+  if (customer.paymentMethodLast4) {
+    return `**** ${customer.paymentMethodLast4}`;
+  }
+  return "-";
+}
+function registerPaymentsCustomersCommand(paymentsCmd2) {
+  paymentsCmd2.command("customers").description("List mirrored Stripe customers").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).option("--limit <limit>", "Maximum rows to return (1-100)", "50").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      const limit = parseIntegerOption(opts.limit, "--limit", { min: 1, max: 100 }) ?? 50;
+      await requireAuth();
+      const data = await listPaymentCustomers(environment, { limit });
+      if (json) {
+        outputJson(data);
+      } else if (data.customers.length === 0) {
+        console.log("No Stripe customers found.");
+      } else {
+        outputTable(
+          [
+            "Customer ID",
+            "Email",
+            "Name",
+            "Payments",
+            "Total Spend",
+            "Last Payment",
+            "Method",
+            "Country"
+          ],
+          data.customers.map((customer) => [
+            customer.stripeCustomerId,
+            customer.email ?? "-",
+            customer.name ?? "-",
+            String(customer.paymentsCount),
+            formatAmount(customer.totalSpend, customer.totalSpendCurrency),
+            formatDate(customer.lastPaymentAt),
+            formatPaymentMethod(customer),
+            customer.countryCode?.toUpperCase() ?? "-"
+          ])
+        );
+      }
+      await trackPaymentUsage("customers", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("customers", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/history.ts
+function registerPaymentsHistoryCommand(paymentsCmd2) {
+  paymentsCmd2.command("history").description("List mirrored Stripe payment history").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).option("--subject-type <type>", "Filter by billing subject type").option("--subject-id <id>", "Filter by billing subject id").option("--limit <limit>", "Maximum rows to return (1-100)", "50").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      const limit = parseIntegerOption(opts.limit, "--limit", { min: 1, max: 100 }) ?? 50;
+      await requireAuth();
+      const data = await listPaymentHistory(environment, {
+        limit,
+        ...opts.subjectType !== void 0 ? { subjectType: opts.subjectType } : {},
+        ...opts.subjectId !== void 0 ? { subjectId: opts.subjectId } : {}
+      });
+      if (json) {
+        outputJson(data);
+      } else if (data.paymentHistory.length === 0) {
+        console.log("No Stripe payment history found.");
+      } else {
+        outputTable(
+          [
+            "Type",
+            "Status",
+            "Subject",
+            "Amount",
+            "Customer",
+            "Stripe Object",
+            "When"
+          ],
+          data.paymentHistory.map((entry) => [
+            entry.type,
+            entry.status,
+            entry.subjectType && entry.subjectId ? `${entry.subjectType}:${entry.subjectId}` : "-",
+            formatAmount(entry.amount, entry.currency),
+            entry.stripeCustomerId ?? "-",
+            entry.stripeCheckoutSessionId ?? entry.stripeInvoiceId ?? entry.stripePaymentIntentId ?? entry.stripeRefundId ?? "-",
+            formatDate(
+              entry.paidAt ?? entry.failedAt ?? entry.refundedAt ?? entry.stripeCreatedAt
+            )
+          ])
+        );
+      }
+      await trackPaymentUsage("history", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("history", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/prices.ts
+function nullableString(value) {
+  if (value === void 0) return void 0;
+  return value === "null" ? null : value;
+}
+function parseRecurringInterval(value) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (value === "day" || value === "week" || value === "month" || value === "year") {
+    return value;
+  }
+  throw new CLIError("--interval must be one of: day, week, month, year.");
+}
+function parseTaxBehavior(value) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (value === "exclusive" || value === "inclusive" || value === "unspecified") {
+    return value;
+  }
+  throw new CLIError(
+    "--tax-behavior must be one of: exclusive, inclusive, unspecified."
+  );
+}
+function outputPricesTable(prices) {
+  if (prices.length === 0) {
+    console.log("No Stripe prices found.");
+    return;
+  }
+  outputTable(
+    [
+      "Env",
+      "Price ID",
+      "Product ID",
+      "Amount",
+      "Type",
+      "Active",
+      "Recurring",
+      "Synced At"
+    ],
+    prices.map((price) => [
+      price.environment,
+      price.stripePriceId,
+      price.stripeProductId ?? "-",
+      formatAmount(price.unitAmount, price.currency),
+      price.type,
+      price.active ? "Yes" : "No",
+      formatRecurring(price.recurringInterval, price.recurringIntervalCount),
+      formatDate(price.syncedAt)
+    ])
+  );
+}
+function registerPaymentsPricesCommand(paymentsCmd2) {
+  const pricesCmd = paymentsCmd2.command("prices").description("Manage Stripe prices");
+  pricesCmd.command("list").description("List mirrored Stripe prices").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).option("--product <productId>", "Filter by Stripe product id").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const data = await listPaymentPrices(environment, opts.product);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputPricesTable(data.prices);
+      }
+      await trackPaymentUsage("prices.list", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("prices.list", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  pricesCmd.command("get <priceId>").description("Show one Stripe price").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).action(async (priceId, opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const data = await getPaymentPrice(environment, priceId);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputPricesTable([data.price]);
+      }
+      await trackPaymentUsage("prices.get", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("prices.get", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  pricesCmd.command("create").description("Create a Stripe one-time or recurring price").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).requiredOption("--product <productId>", "Stripe product id").requiredOption(
+    "--currency <currency>",
+    "Three-letter currency code, e.g. usd"
+  ).requiredOption(
+    "--unit-amount <amount>",
+    "Unit amount in the smallest currency unit, e.g. cents"
+  ).option(
+    "--interval <interval>",
+    "Recurring interval: day, week, month, or year"
+  ).option("--interval-count <count>", "Recurring interval count").option("--lookup-key <key>", 'Stripe lookup key, or "null"').option("--active <bool>", "Set active status (true/false)").option("--tax-behavior <behavior>", "exclusive, inclusive, or unspecified").option("--metadata <json>", "Metadata JSON object with string values").option("--idempotency-key <key>", "Caller-stable idempotency key").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const interval = parseRecurringInterval(opts.interval);
+      const intervalCount = parseIntegerOption(
+        opts.intervalCount,
+        "--interval-count",
+        { min: 1 }
+      );
+      if (!interval && intervalCount !== void 0) {
+        throw new CLIError("Provide --interval when using --interval-count.");
+      }
+      const request = {
+        stripeProductId: opts.product,
+        currency: opts.currency,
+        unitAmount: parseIntegerOption(opts.unitAmount, "--unit-amount", { min: 0 }) ?? 0
+      };
+      const lookupKey = nullableString(opts.lookupKey);
+      const active = parseBooleanOption(opts.active, "--active");
+      const taxBehavior = parseTaxBehavior(opts.taxBehavior);
+      const metadata = parseMetadataOption(opts.metadata);
+      if (lookupKey !== void 0) request.lookupKey = lookupKey;
+      if (active !== void 0) request.active = active;
+      if (taxBehavior !== void 0) request.taxBehavior = taxBehavior;
+      if (metadata !== void 0) request.metadata = metadata;
+      if (opts.idempotencyKey !== void 0) {
+        request.idempotencyKey = opts.idempotencyKey;
+      }
+      if (interval) {
+        request.recurring = {
+          interval,
+          ...intervalCount !== void 0 ? { intervalCount } : {}
+        };
+      }
+      const data = await createPaymentPrice(environment, request);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(`Stripe price created: ${data.price.stripePriceId}`);
+      }
+      await trackPaymentUsage("prices.create", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("prices.create", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  pricesCmd.command("update <priceId>").description("Update a Stripe price").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).option("--active <bool>", "Set active status (true/false)").option("--lookup-key <key>", 'Stripe lookup key, or "null"').option("--tax-behavior <behavior>", "exclusive, inclusive, or unspecified").option("--metadata <json>", "Metadata JSON object with string values").action(async (priceId, opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const request = {};
+      const active = parseBooleanOption(opts.active, "--active");
+      const lookupKey = nullableString(opts.lookupKey);
+      const taxBehavior = parseTaxBehavior(opts.taxBehavior);
+      const metadata = parseMetadataOption(opts.metadata);
+      if (active !== void 0) request.active = active;
+      if (lookupKey !== void 0) request.lookupKey = lookupKey;
+      if (taxBehavior !== void 0) request.taxBehavior = taxBehavior;
+      if (metadata !== void 0) request.metadata = metadata;
+      if (Object.keys(request).length === 0) {
+        throw new CLIError(
+          "Provide at least one option to update (--active, --lookup-key, --tax-behavior, --metadata)."
+        );
+      }
+      const data = await updatePaymentPrice(environment, priceId, request);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(`Stripe price updated: ${data.price.stripePriceId}`);
+      }
+      await trackPaymentUsage("prices.update", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("prices.update", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  pricesCmd.command("archive <priceId>").alias("delete").description("Archive a Stripe price").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).action(async (priceId, opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const data = await archivePaymentPrice(environment, priceId);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(`Stripe price archived: ${data.price.stripePriceId}`);
+      }
+      await trackPaymentUsage("prices.archive", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("prices.archive", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/products.ts
+function nullableString2(value) {
+  if (value === void 0) return void 0;
+  return value === "null" ? null : value;
+}
+function outputProductsTable(products) {
+  if (products.length === 0) {
+    console.log("No Stripe products found.");
+    return;
+  }
+  outputTable(
+    ["Env", "Product ID", "Name", "Active", "Default Price", "Synced At"],
+    products.map((product) => [
+      product.environment,
+      product.stripeProductId,
+      product.name,
+      product.active ? "Yes" : "No",
+      product.defaultPriceId ?? "-",
+      formatDate(product.syncedAt)
+    ])
+  );
+}
+function registerPaymentsProductsCommand(paymentsCmd2) {
+  const productsCmd = paymentsCmd2.command("products").description("Manage Stripe products");
+  productsCmd.command("list").description("List mirrored Stripe products").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const data = await listPaymentProducts(environment);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputProductsTable(data.products);
+      }
+      await trackPaymentUsage("products.list", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("products.list", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  productsCmd.command("get <productId>").description("Show one Stripe product and its prices").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).action(async (productId, opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const data = await getPaymentProduct(environment, productId);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputProductsTable([data.product]);
+        if (data.prices.length > 0) {
+          console.log("Prices");
+          outputTable(
+            ["Price ID", "Amount", "Type", "Active", "Lookup Key"],
+            data.prices.map((price) => [
+              price.stripePriceId,
+              formatAmount(price.unitAmount, price.currency),
+              price.type,
+              price.active ? "Yes" : "No",
+              price.lookupKey ?? "-"
+            ])
+          );
+        }
+      }
+      await trackPaymentUsage("products.get", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("products.get", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  productsCmd.command("create").description("Create a Stripe product").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).requiredOption("--name <name>", "Product name").option("--description <description>", 'Product description, or "null"').option("--active <bool>", "Set active status (true/false)").option("--metadata <json>", "Metadata JSON object with string values").option("--idempotency-key <key>", "Caller-stable idempotency key").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const request = { name: opts.name };
+      const description = nullableString2(opts.description);
+      const active = parseBooleanOption(opts.active, "--active");
+      const metadata = parseMetadataOption(opts.metadata);
+      if (description !== void 0) request.description = description;
+      if (active !== void 0) request.active = active;
+      if (metadata !== void 0) request.metadata = metadata;
+      if (opts.idempotencyKey !== void 0) {
+        request.idempotencyKey = opts.idempotencyKey;
+      }
+      const data = await createPaymentProduct(environment, request);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(
+          `Stripe product created: ${data.product.stripeProductId}`
+        );
+      }
+      await trackPaymentUsage("products.create", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("products.create", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  productsCmd.command("update <productId>").description("Update a Stripe product").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).option("--name <name>", "Product name").option("--description <description>", 'Product description, or "null"').option("--active <bool>", "Set active status (true/false)").option("--metadata <json>", "Metadata JSON object with string values").action(async (productId, opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      const request = {};
+      const description = nullableString2(opts.description);
+      const active = parseBooleanOption(opts.active, "--active");
+      const metadata = parseMetadataOption(opts.metadata);
+      if (opts.name !== void 0) request.name = opts.name;
+      if (description !== void 0) request.description = description;
+      if (active !== void 0) request.active = active;
+      if (metadata !== void 0) request.metadata = metadata;
+      if (Object.keys(request).length === 0) {
+        throw new CLIError(
+          "Provide at least one option to update (--name, --description, --active, --metadata)."
+        );
+      }
+      const data = await updatePaymentProduct(
+        environment,
+        productId,
+        request
+      );
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(
+          `Stripe product updated: ${data.product.stripeProductId}`
+        );
+      }
+      await trackPaymentUsage("products.update", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("products.update", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+  productsCmd.command("delete <productId>").description("Delete a Stripe product that has no prices").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).action(async (productId, opts, cmd) => {
+    const { json, yes } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      await requireAuth();
+      if (json && !yes) {
+        throw new CLIError(
+          "Use --yes with --json to delete a Stripe product non-interactively."
+        );
+      }
+      if (!yes) {
+        const confirm6 = await confirm2({
+          message: `Delete Stripe ${environment} product "${productId}"?`
+        });
+        if (isCancel2(confirm6) || !confirm6) process.exit(0);
+      }
+      const data = await deletePaymentProduct(environment, productId);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputSuccess(`Stripe product deleted: ${data.stripeProductId}`);
+      }
+      await trackPaymentUsage("products.delete", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("products.delete", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/status.ts
+function registerPaymentsStatusCommand(paymentsCmd2) {
+  paymentsCmd2.command("status").description("Show Stripe payment connection, sync, and webhook status").action(async (_opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const data = await getPaymentsStatus();
+      if (json) {
+        outputJson(data);
+      } else if (data.connections.length === 0) {
+        console.log("No Stripe payment environments found.");
+      } else {
+        outputTable(
+          ["Env", "Status", "Key", "Account", "Webhook", "Last Sync", "Synced At"],
+          data.connections.map((connection) => [
+            connection.environment,
+            connection.status,
+            connection.maskedKey ?? "-",
+            connection.stripeAccountId ?? "-",
+            connection.webhookEndpointId ? "Configured" : "-",
+            connection.lastSyncStatus ?? "-",
+            formatDate(connection.lastSyncedAt)
+          ])
+        );
+      }
+      await trackPaymentUsage("status", true);
+    } catch (err) {
+      await trackPaymentUsage("status", false);
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/subscriptions.ts
+function registerPaymentsSubscriptionsCommand(paymentsCmd2) {
+  paymentsCmd2.command("subscriptions").description("List mirrored Stripe subscriptions").requiredOption(
+    "--environment <environment>",
+    "Stripe environment: test or live"
+  ).option("--subject-type <type>", "Filter by billing subject type").option("--subject-id <id>", "Filter by billing subject id").option("--limit <limit>", "Maximum rows to return (1-100)", "50").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(opts.environment);
+      const limit = parseIntegerOption(opts.limit, "--limit", { min: 1, max: 100 }) ?? 50;
+      await requireAuth();
+      const data = await listSubscriptions(environment, {
+        limit,
+        ...opts.subjectType !== void 0 ? { subjectType: opts.subjectType } : {},
+        ...opts.subjectId !== void 0 ? { subjectId: opts.subjectId } : {}
+      });
+      if (json) {
+        outputJson(data);
+      } else if (data.subscriptions.length === 0) {
+        console.log("No Stripe subscriptions found.");
+      } else {
+        outputTable(
+          [
+            "Subscription ID",
+            "Customer",
+            "Subject",
+            "Status",
+            "Items",
+            "Period End"
+          ],
+          data.subscriptions.map((subscription) => [
+            subscription.stripeSubscriptionId,
+            subscription.stripeCustomerId,
+            subscription.subjectType && subscription.subjectId ? `${subscription.subjectType}:${subscription.subjectId}` : "-",
+            subscription.status,
+            String(subscription.items?.length ?? 0),
+            formatDate(subscription.currentPeriodEnd)
+          ])
+        );
+      }
+      await trackPaymentUsage("subscriptions", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("subscriptions", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/sync.ts
+function registerPaymentsSyncCommand(paymentsCmd2) {
+  paymentsCmd2.command("sync").description(
+    "Sync configured Stripe products, prices, customers, and subscriptions"
+  ).option(
+    "--environment <environment>",
+    "Stripe environment: test, live, or all",
+    "all"
+  ).action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironmentOrAll(opts.environment);
+      await requireAuth();
+      const data = await syncPayments(environment);
+      if (json) {
+        outputJson(data);
+      } else if (data.results.length === 0) {
+        console.log("No configured Stripe environments to sync.");
+      } else {
+        outputTable(
+          [
+            "Env",
+            "Status",
+            "Products",
+            "Prices",
+            "Customers",
+            "Subscriptions",
+            "Unmapped",
+            "Synced At"
+          ],
+          data.results.map((result) => [
+            result.environment,
+            result.connection.lastSyncStatus ?? result.connection.status,
+            String(result.connection.lastSyncCounts.products ?? 0),
+            String(result.connection.lastSyncCounts.prices ?? 0),
+            String(result.connection.lastSyncCounts.customers ?? 0),
+            String(result.subscriptions?.synced ?? 0),
+            String(result.subscriptions?.unmapped ?? 0),
+            formatDate(result.connection.lastSyncedAt)
+          ])
+        );
+        outputSuccess("Stripe payments synced.");
+      }
+      await trackPaymentUsage("sync", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("sync", false, {
+        environment: opts.environment
+      });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/webhooks.ts
+function registerPaymentsWebhooksCommand(paymentsCmd2) {
+  const webhooksCmd = paymentsCmd2.command("webhooks").description("Manage InsForge-managed Stripe webhooks");
+  webhooksCmd.command("configure <environment>").description("Create or recreate the managed Stripe webhook endpoint").action(async (environmentValue, _opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const environment = parseEnvironment(environmentValue);
+      await requireAuth();
+      const data = await configurePaymentWebhook(environment);
+      if (json) {
+        outputJson(data);
+      } else {
+        outputTable(
+          ["Env", "Webhook ID", "URL", "Configured At"],
+          [[
+            data.connection.environment,
+            data.connection.webhookEndpointId ?? "-",
+            data.connection.webhookEndpointUrl ?? "-",
+            formatDate(data.connection.webhookConfiguredAt)
+          ]]
+        );
+        outputSuccess(`Stripe ${environment} webhook configured.`);
+      }
+      await trackPaymentUsage("webhooks.configure", true, { environment });
+    } catch (err) {
+      await trackPaymentUsage("webhooks.configure", false, { environment: environmentValue });
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/payments/index.ts
+function registerPaymentsCommands(paymentsCmd2) {
+  paymentsCmd2.description("Manage Stripe payments");
+  registerPaymentsStatusCommand(paymentsCmd2);
+  registerPaymentsConfigCommand(paymentsCmd2);
+  registerPaymentsSyncCommand(paymentsCmd2);
+  registerPaymentsWebhooksCommand(paymentsCmd2);
+  registerPaymentsCatalogCommand(paymentsCmd2);
+  registerPaymentsCustomersCommand(paymentsCmd2);
+  registerPaymentsProductsCommand(paymentsCmd2);
+  registerPaymentsPricesCommand(paymentsCmd2);
+  registerPaymentsSubscriptionsCommand(paymentsCmd2);
+  registerPaymentsHistoryCommand(paymentsCmd2);
+}
+
 // src/index.ts
-var __dirname = dirname(fileURLToPath(import.meta.url));
-var pkg = JSON.parse(readFileSync7(join13(__dirname, "../package.json"), "utf-8"));
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var pkg = JSON.parse(readFileSync8(join14(__dirname, "../package.json"), "utf-8"));
 var INSFORGE_LOGO = `
 \u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D
@@ -6072,6 +8156,7 @@ var orgsCmd = program.command("orgs", { hidden: true }).description("Manage orga
 registerOrgsCommands(orgsCmd);
 var projectsCmd = program.command("projects", { hidden: true }).description("Manage projects");
 registerProjectsCommands(projectsCmd);
+registerBranchCommands(program);
 var dbCmd = program.command("db").description("Database operations");
 registerDbCommands(dbCmd);
 registerDbTablesCommand(dbCmd);
@@ -6117,6 +8202,8 @@ registerLogsCommand(program);
 registerMetadataCommand(program);
 var diagnoseCmd = program.command("diagnose");
 registerDiagnoseCommands(diagnoseCmd);
+var paymentsCmd = program.command("payments").description("Manage Stripe payments");
+registerPaymentsCommands(paymentsCmd);
 var computeCmd = program.command("compute").description("Manage compute services (Docker containers on Fly.io)");
 registerComputeListCommand(computeCmd);
 registerComputeGetCommand(computeCmd);
@@ -6125,7 +8212,7 @@ registerComputeUpdateCommand(computeCmd);
 registerComputeDeleteCommand(computeCmd);
 registerComputeStartCommand(computeCmd);
 registerComputeStopCommand(computeCmd);
-registerComputeLogsCommand(computeCmd);
+registerComputeEventsCommand(computeCmd);
 var schedulesCmd = program.command("schedules").description("Manage scheduled tasks (cron jobs)");
 registerSchedulesListCommand(schedulesCmd);
 registerSchedulesGetCommand(schedulesCmd);
@@ -6150,7 +8237,7 @@ async function showInteractiveMenu() {
   } catch {
   }
   console.log(INSFORGE_LOGO);
-  clack11.intro(`InsForge CLI v${pkg.version}`);
+  clack15.intro(`InsForge CLI v${pkg.version}`);
   const options = [];
   if (!isLoggedIn) {
     options.push({ value: "login", label: "Log in to InsForge" });
@@ -6171,7 +8258,7 @@ async function showInteractiveMenu() {
     options
   });
   if (isCancel2(action)) {
-    clack11.cancel("Bye!");
+    clack15.cancel("Bye!");
     process.exit(0);
   }
   switch (action) {