npm - @insforge/cli - Versions diffs - 0.1.74 → 0.1.78 - Mend

@insforge/cli 0.1.74 → 0.1.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 // src/index.ts
-import { readFileSync as readFileSync11 } from "fs";
-import { join as join17, dirname as dirname3 } from "path";
+import { readFileSync as readFileSync14 } from "fs";
+import { join as join18, dirname as dirname3 } from "path";
 import { fileURLToPath } from "url";
 import { Command } from "commander";
-import * as clack17 from "@clack/prompts";
+import * as clack18 from "@clack/prompts";
 // src/lib/prompts.ts
 import * as readline from "readline";
@@ -41,8 +41,8 @@ var LineReader = class {
     this.output.write(prompt);
     if (this.queue.length > 0) return this.queue.shift();
     if (this.closed) return null;
-    return new Promise((resolve5) => {
-      this.waiter = resolve5;
+    return new Promise((resolve9) => {
+      this.waiter = resolve9;
     });
   }
   close() {
@@ -424,8 +424,8 @@ function startCallbackServer() {
   return new Promise((resolveServer) => {
     let resolveResult;
     let rejectResult;
-    const resultPromise = new Promise((resolve5, reject) => {
-      resolveResult = resolve5;
+    const resultPromise = new Promise((resolve9, reject) => {
+      resolveResult = resolve9;
       rejectResult = reject;
     });
     const server = createServer((req, res) => {
@@ -1158,7 +1158,7 @@ function registerProjectsCommands(projectsCmd2) {
         }
         outputTable(
           ["ID", "Name", "Region", "Status", "AppKey"],
-          projects.map((p) => [p.id, p.name, p.region, p.status, p.appkey])
+          projects.map((p3) => [p3.id, p3.name, p3.region, p3.status, p3.appkey])
         );
       }
     } catch (err) {
@@ -1172,7 +1172,7 @@ import * as clack5 from "@clack/prompts";
 // src/lib/analytics.ts
 import { PostHog } from "posthog-node";
-var POSTHOG_API_KEY = "phc_ueV1ii62wdBTkH7E70ugyeqHIHu8dFDdjs0qq3TZhJz";
+var POSTHOG_API_KEY = "";
 var POSTHOG_HOST = process.env.POSTHOG_HOST || "https://us.i.posthog.com";
 var client = null;
 function getClient() {
@@ -1329,36 +1329,36 @@ function registerBranchCreateCommand(branch) {
         throw new CLIError(`Invalid --mode: ${opts.mode} (must be "full" or "schema-only")`);
       }
       const mode = opts.mode;
-      const spinner10 = !json ? clack5.spinner() : null;
+      const spinner11 = !json ? clack5.spinner() : null;
       let ready;
       let provisioned = false;
       try {
-        spinner10?.start(`Creating branch '${name}'...`);
+        spinner11?.start(`Creating branch '${name}'...`);
         const created = await createBranchApi(project.project_id, { mode, name }, apiUrl);
         captureEvent(project.project_id, "cli_branch_create", {
           mode,
           parent_project_id: project.project_id
         });
-        spinner10?.message(`Branch '${name}' created (appkey: ${created.appkey}). Provisioning...`);
-        ready = await pollUntilReady(created.id, apiUrl, spinner10);
+        spinner11?.message(`Branch '${name}' created (appkey: ${created.appkey}). Provisioning...`);
+        ready = await pollUntilReady(created.id, apiUrl, spinner11);
         provisioned = ready.branch_state === "ready";
         if (provisioned && opts.switch) {
-          spinner10?.message("Branch ready. Switching context...");
+          spinner11?.message("Branch ready. Switching context...");
           await runBranchSwitch({ name, apiUrl, json, silent: true });
-          spinner10?.stop(`Branch '${name}' is ready and active`);
+          spinner11?.stop(`Branch '${name}' is ready and active`);
         } else if (provisioned) {
-          spinner10?.stop(`Branch '${name}' is ready`);
+          spinner11?.stop(`Branch '${name}' is ready`);
         } else {
-          spinner10?.stop(`Branch '${name}' is in '${ready.branch_state}' state`);
+          spinner11?.stop(`Branch '${name}' is in '${ready.branch_state}' state`);
         }
       } catch (err) {
         if (provisioned) {
-          spinner10?.stop(
+          spinner11?.stop(
             `Branch '${name}' is ready, but switching context failed \u2014 run \`insforge branch switch ${name}\` to retry`,
             1
           );
         } else {
-          spinner10?.stop(`Branch '${name}' creation failed`, 1);
+          spinner11?.stop(`Branch '${name}' creation failed`, 1);
         }
         throw err;
       }
@@ -1382,7 +1382,7 @@ function registerBranchCreateCommand(branch) {
     }
   });
 }
-async function pollUntilReady(branchId, apiUrl, spinner10) {
+async function pollUntilReady(branchId, apiUrl, spinner11) {
   const start = Date.now();
   let lastState = "";
   while (Date.now() - start < POLL_TIMEOUT_MS) {
@@ -1391,8 +1391,8 @@ async function pollUntilReady(branchId, apiUrl, spinner10) {
     if (branch2.branch_state === "deleted" || branch2.branch_state === "conflicted") {
       throw new CLIError(`Branch creation failed (state: ${branch2.branch_state})`);
     }
-    if (spinner10 && branch2.branch_state !== lastState) {
-      spinner10.message(`Provisioning branch (state: ${branch2.branch_state})...`);
+    if (spinner11 && branch2.branch_state !== lastState) {
+      spinner11.message(`Provisioning branch (state: ${branch2.branch_state})...`);
       lastState = branch2.branch_state;
     }
     await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
@@ -1888,18 +1888,34 @@ async function getJwtSecret() {
 function spliceDatabasePassword(maskedUrl, password3) {
   return maskedUrl.replace(/^(postgresql:\/\/[^:]+:)[^@]+(@)/, `$1${password3}$2`);
 }
+function isMaskedDatabasePassword(value) {
+  return /^\*+$/.test(value);
+}
+async function fetchDatabasePasswordOnce() {
+  try {
+    const res = await ossFetch("/api/metadata/database-password");
+    const body = await res.json();
+    const pw = body.databasePassword;
+    if (typeof pw !== "string" || !pw || isMaskedDatabasePassword(pw)) return null;
+    return pw;
+  } catch {
+    return null;
+  }
+}
 async function getDatabaseConnectionString() {
   try {
-    const [urlRes, pwRes] = await Promise.all([
-      ossFetch("/api/metadata/database-connection-string"),
-      ossFetch("/api/metadata/database-password")
-    ]);
+    const urlRes = await ossFetch("/api/metadata/database-connection-string");
     const urlBody = await urlRes.json();
-    const pwBody = await pwRes.json();
     const masked = urlBody.connectionURL;
-    const password3 = pwBody.databasePassword;
     if (typeof masked !== "string" || !masked) return null;
-    if (typeof password3 !== "string" || !password3) return null;
+    let password3 = await fetchDatabasePasswordOnce();
+    const POLL_ATTEMPTS = 9;
+    const POLL_DELAY_MS = 2e3;
+    for (let attempt = 0; password3 === null && attempt < POLL_ATTEMPTS; attempt++) {
+      await new Promise((r) => setTimeout(r, POLL_DELAY_MS));
+      password3 = await fetchDatabasePasswordOnce();
+    }
+    if (password3 === null) return null;
     return spliceDatabasePassword(masked, password3);
   } catch {
     return null;
@@ -1930,6 +1946,9 @@ ${err.nextActions}`;
     if (res.status === 404 && isRouteLevel404 && path6 === "/api/database/migrations") {
       message = "Database migrations are not available on this backend.\nSelf-hosted: upgrade your InsForge instance. Cloud: contact your InsForge admin about database migration support.";
     }
+    if (res.status === 404 && isRouteLevel404 && path6.startsWith("/api/ai")) {
+      message = "AI Model Gateway setup is not available on this backend.\nUpgrade your InsForge project to a version with Model Gateway support, or keep using the legacy @insforge/sdk AI modules for projects that still rely on the older AI API surface.";
+    }
     throw new CLIError(message);
   }
   return res;
@@ -1938,8 +1957,8 @@ ${err.nextActions}`;
 // src/auth-providers/apply.ts
 var execFileAsync = promisify2(execFile);
 var VALID_AUTH_PROVIDERS = ["better-auth"];
-function pathExists(p) {
-  return fs.stat(p).then(() => true, () => false);
+function pathExists(p3) {
+  return fs.stat(p3).then(() => true, () => false);
 }
 function deepMergeKeepBase(base, patch) {
   const out = { ...base };
@@ -2330,11 +2349,11 @@ async function collectDeploymentFiles(sourceDir) {
   return files;
 }
 async function createZipBuffer(sourceDir) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve9, reject) => {
     const archive = archiver("zip", { zlib: { level: 9 } });
     const chunks = [];
     archive.on("data", (chunk) => chunks.push(chunk));
-    archive.on("end", () => resolve5(Buffer.concat(chunks)));
+    archive.on("end", () => resolve9(Buffer.concat(chunks)));
     archive.on("error", (err) => reject(err));
     archive.directory(sourceDir, false, (entry) => {
       if (shouldExclude(entry.name)) return false;
@@ -2411,12 +2430,12 @@ async function startDirectDeployment(deploymentId, startBody) {
   });
   await response.json();
 }
-async function pollDeployment(deploymentId, spinner10, syncBeforeRead) {
-  spinner10?.message("Building and deploying...");
+async function pollDeployment(deploymentId, spinner11, syncBeforeRead) {
+  spinner11?.message("Building and deploying...");
   const startTime = Date.now();
   let deployment = null;
   while (Date.now() - startTime < POLL_TIMEOUT_MS3) {
-    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL_MS3));
+    await new Promise((resolve9) => setTimeout(resolve9, POLL_INTERVAL_MS3));
     try {
       if (syncBeforeRead) {
         await ossFetch(`/api/deployments/${deploymentId}/sync`, { method: "POST" });
@@ -2428,13 +2447,13 @@ async function pollDeployment(deploymentId, spinner10, syncBeforeRead) {
         break;
       }
       if (status === "ERROR" || status === "CANCELED") {
-        spinner10?.stop("Deployment failed");
+        spinner11?.stop("Deployment failed");
         throw new CLIError(
           getDeploymentError(deployment.metadata) ?? `Deployment failed with status: ${deployment.status}`
         );
       }
       const elapsed = Math.round((Date.now() - startTime) / 1e3);
-      spinner10?.message(`Building and deploying... (${elapsed}s, status: ${deployment.status})`);
+      spinner11?.message(`Building and deploying... (${elapsed}s, status: ${deployment.status})`);
     } catch (err) {
       if (err instanceof CLIError) throw err;
     }
@@ -2444,20 +2463,20 @@ async function pollDeployment(deploymentId, spinner10, syncBeforeRead) {
   return { deploymentId, deployment, isReady, liveUrl };
 }
 async function deployProjectDirect(opts, config) {
-  const { sourceDir, startBody = {}, spinner: spinner10 } = opts;
-  spinner10?.start("Scanning source files...");
+  const { sourceDir, startBody = {}, spinner: spinner11 } = opts;
+  spinner11?.start("Scanning source files...");
   const localFiles = await collectDeploymentFiles(sourceDir);
   if (localFiles.length === 0) {
     throw new CLIError("No deployable files found in the source directory.");
   }
-  spinner10?.message("Creating deployment...");
+  spinner11?.message("Creating deployment...");
   const createResult = await createDirectDeploymentSession(
     config,
     localFiles.map(({ path: relativePath, sha, size }) => ({ path: relativePath, sha, size }))
   );
   const localFileByPath = new Map(localFiles.map((file) => [file.path, file]));
   const pendingFiles = createResult.files.filter((file) => !file.uploadedAt);
-  spinner10?.message(`Uploading ${pendingFiles.length} file${pendingFiles.length === 1 ? "" : "s"}...`);
+  spinner11?.message(`Uploading ${pendingFiles.length} file${pendingFiles.length === 1 ? "" : "s"}...`);
   await runWithConcurrency(pendingFiles, DIRECT_UPLOAD_CONCURRENCY, async (manifestFile) => {
     const localFile = localFileByPath.get(manifestFile.path);
     if (!localFile) {
@@ -2468,18 +2487,18 @@ async function deployProjectDirect(opts, config) {
     }
     await uploadDirectDeploymentFile(createResult.id, manifestFile, localFile);
   });
-  spinner10?.message("Starting deployment...");
+  spinner11?.message("Starting deployment...");
   await startDirectDeployment(createResult.id, startBody);
-  return await pollDeployment(createResult.id, spinner10, !isInsforgeCloudOssHost(config.oss_host));
+  return await pollDeployment(createResult.id, spinner11, !isInsforgeCloudOssHost(config.oss_host));
 }
 async function deployProjectLegacy(opts) {
-  const { sourceDir, startBody = {}, spinner: spinner10 } = opts;
-  spinner10?.message("Creating deployment...");
+  const { sourceDir, startBody = {}, spinner: spinner11 } = opts;
+  spinner11?.message("Creating deployment...");
   const createRes = await ossFetch("/api/deployments", { method: "POST" });
   const { id: deploymentId, uploadUrl, uploadFields } = await createRes.json();
-  spinner10?.message("Compressing source files...");
+  spinner11?.message("Compressing source files...");
   const zipBuffer = await createZipBuffer(sourceDir);
-  spinner10?.message("Uploading...");
+  spinner11?.message("Uploading...");
   const formData = new FormData();
   for (const [key, value] of Object.entries(uploadFields)) {
     formData.append(key, value);
@@ -2490,13 +2509,13 @@ async function deployProjectLegacy(opts) {
     const uploadErr = await uploadRes.text();
     throw new CLIError(`Failed to upload: ${uploadErr}`);
   }
-  spinner10?.message("Starting deployment...");
+  spinner11?.message("Starting deployment...");
   const startRes = await ossFetch(`/api/deployments/${deploymentId}/start`, {
     method: "POST",
     body: JSON.stringify(startBody)
   });
   await startRes.json();
-  return await pollDeployment(deploymentId, spinner10, false);
+  return await pollDeployment(deploymentId, spinner11, false);
 }
 async function deployProject(opts) {
   const config = getProjectConfig();
@@ -2531,7 +2550,7 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
           `"${dirName}" is an excluded directory and cannot be used as a deploy source. Please specify your project root or output directory instead.`
         );
       }
-      const spinner10 = !json ? clack11.spinner() : null;
+      const spinner11 = !json ? clack11.spinner() : null;
       const startBody = {};
       if (opts.env) {
         try {
@@ -2557,9 +2576,9 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
           throw new CLIError("Invalid --meta JSON.");
         }
       }
-      const result = await deployProject({ sourceDir, startBody, spinner: spinner10 });
+      const result = await deployProject({ sourceDir, startBody, spinner: spinner11 });
       if (result.isReady) {
-        spinner10?.stop("Deployment complete");
+        spinner11?.stop("Deployment complete");
         if (json) {
           outputJson(result.deployment);
         } else {
@@ -2569,7 +2588,7 @@ function registerDeploymentsDeployCommand(deploymentsCmd2) {
           clack11.log.info(`Deployment ID: ${result.deploymentId}`);
         }
       } else {
-        spinner10?.stop("Deployment is still building");
+        spinner11?.stop("Deployment is still building");
         if (json) {
           outputJson({
             id: result.deploymentId,
@@ -2982,7 +3001,7 @@ function registerCreateCommand(program2) {
             clack12.note(
               `Open your coding agent (Claude Code, Codex, Cursor, etc.) and try:
-${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
+${prompts.map((p3) => `\u2022 "${p3}"`).join("\n")}`,
               "Start building"
             );
           }
@@ -3135,13 +3154,13 @@ async function downloadGitHubTemplate(templateName, projectConfig, json) {
 // src/commands/projects/link.ts
 var execAsync3 = promisify4(exec3);
 async function runNpmInstall(startMessage = "Installing dependencies...") {
-  const spinner10 = clack13.spinner();
-  spinner10.start(startMessage);
+  const spinner11 = clack13.spinner();
+  spinner11.start(startMessage);
   try {
     await execAsync3("npm install", { cwd: process.cwd(), maxBuffer: 10 * 1024 * 1024 });
-    spinner10.stop("Dependencies installed");
+    spinner11.stop("Dependencies installed");
   } catch (err) {
-    spinner10.stop("Failed to install dependencies");
+    spinner11.stop("Failed to install dependencies");
     clack13.log.warn(`npm install failed: ${err.message}`);
     clack13.log.info("Run `npm install` manually to install dependencies.");
   }
@@ -3155,13 +3174,13 @@ async function runNpmSetupIfPresent() {
   } catch {
   }
   if (!hasSetup) return;
-  const spinner10 = clack13.spinner();
-  spinner10.start("Running setup (schema + migrations)...");
+  const spinner11 = clack13.spinner();
+  spinner11.start("Running setup (schema + migrations)...");
   try {
     await execAsync3("npm run setup", { cwd: process.cwd(), maxBuffer: 20 * 1024 * 1024 });
-    spinner10.stop("Setup complete");
+    spinner11.stop("Setup complete");
   } catch (err) {
-    spinner10.stop("Setup failed");
+    spinner11.stop("Setup failed");
     clack13.log.warn(`npm run setup failed: ${err.message.split("\n")[0]}`);
     clack13.log.info("Inspect the error, fix DATABASE_URL or network access, then run `npm run setup` manually.");
   }
@@ -3187,7 +3206,7 @@ function registerProjectLinkCommand(program2) {
             outputJson({ success: true, skills_only: true });
           } else {
             clack13.note(
-              `Open your coding agent (Claude Code, Codex, Cursor, etc.) and ask it to build something. It will walk you through provisioning an InsForge project when needed.`,
+              `Open your coding agent (Claude Code, Codex, Cursor, etc.) and ask it to build something. It will walk you through provisioning an InsForge project when needed. If you're not signed in yet, your browser will open for sign-in at that point.`,
               "What's next"
             );
           }
@@ -3379,9 +3398,9 @@ function registerProjectLinkCommand(program2) {
         }
         const selected = await select2({
           message: "Select a project to link:",
-          options: projects.map((p) => ({
-            value: p.id,
-            label: `${p.name} (${p.region}, ${p.status})`
+          options: projects.map((p3) => ({
+            value: p3.id,
+            label: `${p3.name} (${p3.region}, ${p3.status})`
           }))
         });
         if (isCancel2(selected)) process.exit(0);
@@ -3520,7 +3539,7 @@ function registerProjectLinkCommand(program2) {
           clack13.note(
             `Open your coding agent (Claude Code, Codex, Cursor, etc.) and try:
-${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
+${prompts.map((p3) => `\u2022 "${p3}"`).join("\n")}`,
             "Start building"
           );
         }
@@ -3677,13 +3696,13 @@ function registerDbPoliciesCommand(dbCmd2) {
         }
         outputTable(
           ["Table", "Policy Name", "Command", "Roles", "Qual", "With Check"],
-          policies.map((p) => [
-            String(p.tableName ?? "-"),
-            String(p.policyName ?? "-"),
-            String(p.cmd ?? "-"),
-            Array.isArray(p.roles) ? p.roles.join(", ") : String(p.roles ?? "-"),
-            String(p.qual ?? "-"),
-            String(p.withCheck ?? "-")
+          policies.map((p3) => [
+            String(p3.tableName ?? "-"),
+            String(p3.policyName ?? "-"),
+            String(p3.cmd ?? "-"),
+            Array.isArray(p3.roles) ? p3.roles.join(", ") : String(p3.roles ?? "-"),
+            String(p3.qual ?? "-"),
+            String(p3.withCheck ?? "-")
           ])
         );
       }
@@ -4829,10 +4848,10 @@ function registerStorageDeleteBucketCommand(storageCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete bucket "${name}" and all its objects? This cannot be undone.`
         });
-        if (isCancel2(confirm6) || !confirm6) {
+        if (isCancel2(confirm8) || !confirm8) {
           process.exit(0);
         }
       }
@@ -4979,12 +4998,12 @@ function registerListCommand(program2) {
             id: org.id,
             name: org.name,
             type: org.type ?? null,
-            projects: projects.map((p) => ({
-              id: p.id,
-              name: p.name,
-              region: p.region,
-              status: p.status,
-              appkey: p.appkey
+            projects: projects.map((p3) => ({
+              id: p3.id,
+              name: p3.name,
+              region: p3.region,
+              status: p3.status,
+              appkey: p3.appkey
             }))
           }))
         );
@@ -4996,13 +5015,13 @@ function registerListCommand(program2) {
           rows.push([org.name, "-", "-", "-", "-"]);
         } else {
           for (let i = 0; i < projects.length; i++) {
-            const p = projects[i];
+            const p3 = projects[i];
             rows.push([
               i === 0 ? org.name : "",
-              p.name,
-              p.region,
-              p.status,
-              p.appkey
+              p3.name,
+              p3.region,
+              p3.status,
+              p3.appkey
             ]);
           }
         }
@@ -5383,10 +5402,10 @@ function registerSecretsDeleteCommand(secretsCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete secret "${key}"? This cannot be undone.`
         });
-        if (isCancel2(confirm6) || !confirm6) {
+        if (isCancel2(confirm8) || !confirm8) {
           process.exit(0);
         }
       }
@@ -5574,10 +5593,10 @@ function registerSchedulesDeleteCommand(schedulesCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete schedule "${id}"? This cannot be undone.`
         });
-        if (isCancel2(confirm6) || !confirm6) {
+        if (isCancel2(confirm8) || !confirm8) {
           process.exit(0);
         }
       }
@@ -5799,6 +5818,8 @@ function registerComputeUpdateCommand(computeCmd2) {
         outputJson(service);
       } else {
         outputSuccess(`Service "${service.name}" updated [${service.status}]`);
+        if (service.endpointUrl) console.log(`  Endpoint: ${service.endpointUrl}`);
+        if (service.port !== void 0) console.log(`  Port: ${service.port} (container must listen on this port)`);
       }
       await reportCliUsage("cli.compute.update", true);
     } catch (err) {
@@ -5999,7 +6020,7 @@ primary_region = "${opts.region}"
   };
 }
 function flyctlBuildAndPush(opts) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve9, reject) => {
     const cleanupStub = ensureFlyTomlStub({
       dir: opts.dir,
       appId: opts.appId,
@@ -6055,7 +6076,7 @@ function flyctlBuildAndPush(opts) {
           )
         );
       }
-      resolve5({ imageRef: `registry.fly.io/${opts.appId}@${m[1]}` });
+      resolve9({ imageRef: `registry.fly.io/${opts.appId}@${m[1]}` });
     });
   });
 }
@@ -6154,6 +6175,7 @@ function registerComputeDeployCommand(computeCmd2) {
           const verb = existing2 ? "updated" : "deployed";
           outputSuccess(`Service "${service2.name}" ${verb} [${service2.status}]`);
           if (service2.endpointUrl) console.log(`  Endpoint: ${service2.endpointUrl}`);
+          if (service2.port !== void 0) console.log(`  Port: ${service2.port} (container must listen on this port)`);
         }
         await reportCliUsage("cli.compute.deploy", true);
         return;
@@ -6249,6 +6271,7 @@ function registerComputeDeployCommand(computeCmd2) {
         const verb = existing ? "updated" : "deployed";
         outputSuccess(`Service "${service.name}" ${verb} [${service.status}]`);
         if (service.endpointUrl) console.log(`  Endpoint: ${service.endpointUrl}`);
+        if (service.port !== void 0) console.log(`  Port: ${service.port} (container must listen on this port)`);
         console.log(`  Image: ${imageRef} (built remotely; no local image to clean up)`);
       }
       await reportCliUsage("cli.compute.deploy", true);
@@ -6938,7 +6961,7 @@ function registerDiagnoseCommands(diagnoseCmd2) {
         const s = !json ? clack15.spinner() : null;
         s?.start("Collecting diagnostic data...");
         const data2 = await collectDiagnosticData(projectId, ossMode, apiUrl);
-        const cliVersion = "0.1.74";
+        const cliVersion = "0.1.78";
         s?.stop("Data collected");
         if (!json) {
           console.log(`
@@ -7572,10 +7595,10 @@ function registerPaymentsConfigCommand(paymentsCmd2) {
         throw new CLIError("Use --yes with --json to remove a Stripe key non-interactively.");
       }
       if (!yes) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Remove Stripe ${environment} key? Payment sync and mutations for this environment will stop.`
         });
-        if (isCancel2(confirm6) || !confirm6) process.exit(0);
+        if (isCancel2(confirm8) || !confirm8) process.exit(0);
       }
       const data = await removeStripeSecretKey(environment);
       if (json) {
@@ -8098,10 +8121,10 @@ function registerPaymentsProductsCommand(paymentsCmd2) {
         );
       }
       if (!yes) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete Stripe ${environment} product "${productId}"?`
         });
-        if (isCancel2(confirm6) || !confirm6) process.exit(0);
+        if (isCancel2(confirm8) || !confirm8) process.exit(0);
       }
       const data = await deletePaymentProduct(environment, productId);
       if (json) {
@@ -8452,14 +8475,14 @@ async function startPosthogCliFlow(projectId, jwt, apiUrl) {
   throw new CLIError("PostHog cli-start returned an unexpected response shape.");
 }
 function sleep(ms, signal) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve9, reject) => {
     if (signal?.aborted) {
       reject(new CLIError("Connection wait cancelled."));
       return;
     }
     const timer = setTimeout(() => {
       signal?.removeEventListener("abort", onAbort);
-      resolve5();
+      resolve9();
     }, ms);
     const onAbort = () => {
       clearTimeout(timer);
@@ -8762,8 +8785,8 @@ async function runConnectFlow(projectId, token, authorizeUrl, opts) {
     } catch {
     }
   }
-  const spinner10 = !opts.json && isInteractive ? clack16.spinner() : null;
-  spinner10?.start("Waiting for connection... (timeout: 15 minutes)");
+  const spinner11 = !opts.json && isInteractive ? clack16.spinner() : null;
+  spinner11?.start("Waiting for connection... (timeout: 15 minutes)");
   try {
     const conn = await pollPosthogConnection(
       projectId,
@@ -8773,20 +8796,20 @@ async function runConnectFlow(projectId, token, authorizeUrl, opts) {
         timeoutMs: POLL_TIMEOUT_MS4,
         maxTransientRetries: MAX_TRANSIENT_RETRIES,
         onTick: (elapsed) => {
-          if (spinner10) {
+          if (spinner11) {
             const secs = Math.floor(elapsed / 1e3);
             const mins = Math.floor(secs / 60);
             const remaining = `${mins}m ${secs % 60}s elapsed`;
-            spinner10.message(`Waiting for connection... (${remaining})`);
+            spinner11.message(`Waiting for connection... (${remaining})`);
           }
         }
       },
       opts.apiUrl
     );
-    spinner10?.stop("Connection received from PostHog.");
+    spinner11?.stop("Connection received from PostHog.");
     return conn;
   } catch (err) {
-    spinner10?.stop("Connection wait failed.");
+    spinner11?.stop("Connection wait failed.");
     throw err;
   }
 }
@@ -8804,14 +8827,14 @@ function resolveFramework(opts) {
 }
 async function installSdk(pm, cwd, opts) {
   const cmd = installCommand(pm, "posthog-js");
-  const spinner10 = !opts.json && isInteractive ? clack16.spinner() : null;
-  spinner10?.start(`Installing posthog-js (${cmd})...`);
+  const spinner11 = !opts.json && isInteractive ? clack16.spinner() : null;
+  spinner11?.start(`Installing posthog-js (${cmd})...`);
   try {
     await runInstall(pm, "posthog-js", cwd);
-    spinner10?.stop("Installed posthog-js.");
+    spinner11?.stop("Installed posthog-js.");
     return true;
   } catch (err) {
-    spinner10?.stop("Install failed.");
+    spinner11?.stop("Install failed.");
     if (!opts.json) {
       clack16.log.warn(
         `Could not run \`${cmd}\` automatically: ${err.message}
@@ -9027,13 +9050,907 @@ function frameworkLabel(framework) {
       return "Astro";
   }
 }
-function relative3(p) {
-  return p.replace(process.cwd() + "/", "");
+function relative3(p3) {
+  return p3.replace(process.cwd() + "/", "");
+}
+// src/commands/config/export.ts
+import { writeFileSync as writeFileSync9, existsSync as existsSync14 } from "fs";
+import { resolve as resolve5 } from "path";
+import * as p from "@clack/prompts";
+import pc4 from "picocolors";
+// src/lib/config-toml.ts
+import * as smolToml from "smol-toml";
+// src/lib/config-secrets.ts
+var ENV_REF_PATTERN = /^env\(([A-Z_][A-Z0-9_]*)\)$/;
+function parseEnvRef(value) {
+  const match = value.match(ENV_REF_PATTERN);
+  return match ? match[1] : null;
+}
+function validateSensitiveString(path6, value, suggestedSecretName) {
+  if (typeof value !== "string") {
+    throw new ConfigValidationError(path6, "must be a string");
+  }
+  if (parseEnvRef(value) !== null) {
+    return value;
+  }
+  throw new ConfigValidationError(
+    path6,
+    `sensitive field must be an env() reference; got literal value.
+  fix:
+    1. insforge secrets add ${suggestedSecretName} "<value>"
+    2. update insforge.toml:
+         ${path6.split(".").pop()} = "env(${suggestedSecretName})"
+    3. insforge config apply`
+  );
+}
+async function resolveEnvRef(envRef, fieldPath) {
+  const secretName = parseEnvRef(envRef);
+  if (!secretName) {
+    throw new ConfigValidationError(
+      fieldPath,
+      `expected env() reference, got "${envRef}"`
+    );
+  }
+  let res;
+  try {
+    res = await ossFetch(`/api/secrets/${encodeURIComponent(secretName)}`);
+  } catch (err) {
+    const message = err.message ?? "";
+    if (/not found/i.test(message)) {
+      throw new CLIError(
+        `${fieldPath} references env(${secretName}) but no such secret exists.
+  fix: insforge secrets add ${secretName} "<value>"`,
+        1,
+        "SECRET_NOT_FOUND"
+      );
+    }
+    throw new CLIError(
+      `failed to resolve env(${secretName}) for ${fieldPath}: ${message}`,
+      1,
+      "SECRET_LOOKUP_FAILED"
+    );
+  }
+  if (!res.ok) {
+    throw new CLIError(
+      `failed to resolve env(${secretName}) for ${fieldPath}: HTTP ${res.status}`,
+      1,
+      "SECRET_LOOKUP_FAILED"
+    );
+  }
+  const body = await res.json();
+  if (typeof body.value !== "string" || body.value.length === 0) {
+    throw new CLIError(
+      `env(${secretName}) resolved to an empty value (secret may be inactive).
+  fix: insforge secrets update ${secretName} --active true`,
+      1,
+      "SECRET_EMPTY"
+    );
+  }
+  return body.value;
+}
+// src/lib/config-schema.ts
+var ConfigValidationError = class extends Error {
+  constructor(path6, message) {
+    super(`config.${path6}: ${message}`);
+    this.path = path6;
+    this.name = "ConfigValidationError";
+  }
+};
+function validateConfig(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("", "must be an object");
+  }
+  const obj = input;
+  const out = {};
+  if ("project_id" in obj) {
+    if (typeof obj.project_id !== "string") {
+      throw new ConfigValidationError("project_id", "must be a string");
+    }
+    out.project_id = obj.project_id;
+  }
+  if ("auth" in obj) out.auth = validateAuth(obj.auth);
+  if ("deployments" in obj) out.deployments = validateDeployments(obj.deployments);
+  return out;
+}
+function validateDeployments(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("deployments", "must be an object");
+  }
+  const obj = input;
+  const out = {};
+  if ("subdomain" in obj) {
+    const v = obj.subdomain;
+    if (v !== null && typeof v !== "string") {
+      throw new ConfigValidationError(
+        "deployments.subdomain",
+        "must be a string or null"
+      );
+    }
+    out.subdomain = v;
+  }
+  return out;
+}
+function validateAuth(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("auth", "must be an object");
+  }
+  const obj = input;
+  const out = {};
+  if ("allowed_redirect_urls" in obj) {
+    const v = obj.allowed_redirect_urls;
+    if (!Array.isArray(v) || !v.every((u) => typeof u === "string")) {
+      throw new ConfigValidationError(
+        "auth.allowed_redirect_urls",
+        "must be an array of strings"
+      );
+    }
+    out.allowed_redirect_urls = v;
+  }
+  if ("smtp" in obj) out.smtp = validateSmtp(obj.smtp);
+  return out;
+}
+function validateSmtp(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("auth.smtp", "must be a table");
+  }
+  const obj = input;
+  const out = {};
+  if ("enabled" in obj) {
+    if (typeof obj.enabled !== "boolean") {
+      throw new ConfigValidationError("auth.smtp.enabled", "must be a boolean");
+    }
+    out.enabled = obj.enabled;
+  }
+  if ("host" in obj) {
+    if (typeof obj.host !== "string") {
+      throw new ConfigValidationError("auth.smtp.host", "must be a string");
+    }
+    out.host = obj.host;
+  }
+  if ("port" in obj) {
+    if (typeof obj.port !== "number" || !Number.isInteger(obj.port) || obj.port < 1 || obj.port > 65535) {
+      throw new ConfigValidationError(
+        "auth.smtp.port",
+        "must be an integer between 1 and 65535"
+      );
+    }
+    out.port = obj.port;
+  }
+  if ("username" in obj) {
+    if (typeof obj.username !== "string") {
+      throw new ConfigValidationError("auth.smtp.username", "must be a string");
+    }
+    out.username = obj.username;
+  }
+  if ("password" in obj) {
+    out.password = validateSensitiveString(
+      "auth.smtp.password",
+      obj.password,
+      "SMTP_PASSWORD"
+    );
+  }
+  if ("sender_email" in obj) {
+    if (typeof obj.sender_email !== "string") {
+      throw new ConfigValidationError("auth.smtp.sender_email", "must be a string");
+    }
+    out.sender_email = obj.sender_email;
+  }
+  if ("sender_name" in obj) {
+    if (typeof obj.sender_name !== "string") {
+      throw new ConfigValidationError("auth.smtp.sender_name", "must be a string");
+    }
+    out.sender_name = obj.sender_name;
+  }
+  if ("min_interval_seconds" in obj) {
+    if (typeof obj.min_interval_seconds !== "number" || !Number.isInteger(obj.min_interval_seconds) || obj.min_interval_seconds < 0) {
+      throw new ConfigValidationError(
+        "auth.smtp.min_interval_seconds",
+        "must be a non-negative integer"
+      );
+    }
+    out.min_interval_seconds = obj.min_interval_seconds;
+  }
+  return out;
+}
+// src/lib/config-toml.ts
+function parseConfigToml(input) {
+  let parsed;
+  try {
+    parsed = smolToml.parse(input);
+  } catch (err) {
+    throw new Error(`TOML parse error: ${err.message}`, { cause: err });
+  }
+  return validateConfig(parsed);
+}
+function stringifyConfigToml(config) {
+  const lines = [];
+  if (config.project_id !== void 0) {
+    lines.push(`project_id = ${JSON.stringify(config.project_id)}`);
+    lines.push("");
+  }
+  if (config.auth) {
+    lines.push("[auth]");
+    if (config.auth.allowed_redirect_urls !== void 0) {
+      const urls = config.auth.allowed_redirect_urls.map((u) => JSON.stringify(u)).join(", ");
+      lines.push(`allowed_redirect_urls = [${urls}]`);
+    }
+    lines.push("");
+    if (config.auth.smtp !== void 0) {
+      lines.push("[auth.smtp]");
+      renderSmtpFields(config.auth.smtp, lines);
+      lines.push("");
+    }
+  }
+  if (config.deployments) {
+    if (typeof config.deployments.subdomain === "string" && config.deployments.subdomain !== "") {
+      lines.push("[deployments]");
+      lines.push(`subdomain = ${JSON.stringify(config.deployments.subdomain)}`);
+      lines.push("");
+    }
+  }
+  return lines.join("\n").replace(/\n+$/, "\n");
+}
+function renderSmtpFields(smtp, lines) {
+  if (smtp.enabled !== void 0) lines.push(`enabled = ${smtp.enabled}`);
+  if (smtp.host !== void 0) lines.push(`host = ${JSON.stringify(smtp.host)}`);
+  if (smtp.port !== void 0) lines.push(`port = ${smtp.port}`);
+  if (smtp.username !== void 0) lines.push(`username = ${JSON.stringify(smtp.username)}`);
+  if (smtp.password !== void 0) {
+    const secretName = parseEnvRef(smtp.password) ?? "SMTP_PASSWORD";
+    lines.push(
+      `# password is managed via secrets \u2014 run \`insforge secrets add ${secretName} "<value>"\``
+    );
+    lines.push(`password = ${JSON.stringify(smtp.password)}`);
+  }
+  if (smtp.sender_email !== void 0) {
+    lines.push(`sender_email = ${JSON.stringify(smtp.sender_email)}`);
+  }
+  if (smtp.sender_name !== void 0) {
+    lines.push(`sender_name = ${JSON.stringify(smtp.sender_name)}`);
+  }
+  if (smtp.min_interval_seconds !== void 0) {
+    lines.push(`min_interval_seconds = ${smtp.min_interval_seconds}`);
+  }
+}
+// src/commands/config/export.ts
+function registerConfigExportCommand(cfg) {
+  cfg.command("export").description("Pull live project config and write insforge.toml").option("--out <path>", "output path", "insforge.toml").option("--force", "overwrite without confirmation").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const target = resolve5(process.cwd(), opts.out);
+      if (existsSync14(target) && !opts.force) {
+        if (json) {
+          throw new CLIError(
+            `${opts.out} exists. Re-run with --force to overwrite.`,
+            1,
+            "OUTPUT_EXISTS"
+          );
+        }
+        const ok = await p.confirm({
+          message: `${opts.out} exists. Overwrite?`,
+          initialValue: false
+        });
+        if (!ok || p.isCancel(ok)) {
+          console.log("Aborted.");
+          return;
+        }
+      }
+      const res = await ossFetch("/api/metadata");
+      const raw = await res.json();
+      const config = {};
+      const skipped = [];
+      const authSlice = raw?.auth;
+      if (authSlice && typeof authSlice === "object" && "allowedRedirectUrls" in authSlice) {
+        config.auth = config.auth ?? {};
+        config.auth.allowed_redirect_urls = authSlice.allowedRedirectUrls ?? [];
+      } else {
+        skipped.push("auth.allowed_redirect_urls");
+      }
+      if (authSlice && typeof authSlice === "object" && "smtpConfig" in authSlice && authSlice.smtpConfig) {
+        const s = authSlice.smtpConfig;
+        config.auth = config.auth ?? {};
+        config.auth.smtp = {
+          enabled: s.enabled ?? false,
+          host: s.host ?? "",
+          port: s.port ?? 587,
+          username: s.username ?? "",
+          // When backend has a password set, emit a deterministic env()
+          // placeholder so the user knows which secret to define. We do
+          // NOT round-trip the value (it never leaves the backend).
+          // Re-applying this TOML force-resends from the secrets store
+          // — see config-diff.ts for the force-resend rationale.
+          ...s.hasPassword ? { password: "env(SMTP_PASSWORD)" } : {},
+          sender_email: s.senderEmail ?? "",
+          sender_name: s.senderName ?? "",
+          min_interval_seconds: s.minIntervalSeconds ?? 60
+        };
+      } else {
+        skipped.push("auth.smtp");
+      }
+      const deploymentsSlice = raw?.deployments;
+      if (deploymentsSlice && typeof deploymentsSlice === "object") {
+        if (typeof deploymentsSlice.customSlug === "string" && deploymentsSlice.customSlug) {
+          config.deployments = { subdomain: deploymentsSlice.customSlug };
+        }
+      } else {
+        skipped.push("deployments.subdomain");
+      }
+      const toml = stringifyConfigToml(config);
+      writeFileSync9(target, toml, "utf8");
+      if (json) {
+        console.log(JSON.stringify({ written: target, config, skipped }, null, 2));
+      } else {
+        console.log(`${pc4.green("\u2713")} Wrote ${target}`);
+        if (skipped.length) {
+          console.warn(
+            pc4.yellow(
+              `\u26A0 Skipped ${skipped.length} section(s) not supported by this backend:`
+            ) + "\n" + skipped.map((k) => `  - ${k}`).join("\n")
+          );
+        }
+      }
+      await reportCliUsage("cli.config.export", true);
+    } catch (err) {
+      await reportCliUsage("cli.config.export", false);
+      handleError(err, json);
+    }
+  });
+}
+// src/commands/config/plan.ts
+import { readFileSync as readFileSync11 } from "fs";
+import { resolve as resolve6 } from "path";
+import pc5 from "picocolors";
+// src/lib/config-diff.ts
+function diffConfig({ live, file }) {
+  const changes = [];
+  const fileAuth = file.auth;
+  const liveAuth = live.auth ?? {};
+  if (fileAuth && "allowed_redirect_urls" in fileAuth) {
+    const fromV = normalizeUrlList(liveAuth.allowed_redirect_urls);
+    const toV = normalizeUrlList(fileAuth.allowed_redirect_urls);
+    if (!arrayEquals(fromV, toV)) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "allowed_redirect_urls",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth?.smtp !== void 0) {
+    const smtpChange = diffSmtp(liveAuth.smtp, fileAuth.smtp);
+    if (smtpChange) changes.push(smtpChange);
+  }
+  const fileDeployments = file.deployments;
+  const liveDeployments = live.deployments ?? {};
+  if (fileDeployments && "subdomain" in fileDeployments) {
+    const fromV = liveDeployments.subdomain ?? null;
+    const rawTo = fileDeployments.subdomain;
+    const toV = rawTo === null || rawTo === "" ? null : rawTo;
+    if (fromV !== toV) {
+      changes.push({
+        section: "deployments",
+        op: "modify",
+        key: "subdomain",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  return { changes, summary: summarize(changes) };
+}
+function diffSmtp(live, fileSmtp) {
+  const livedView = renderLiveSmtp(live);
+  const tomlView = renderFileSmtp(fileSmtp);
+  const envRef = fileSmtp.password ? parseEnvRef(fileSmtp.password) : null;
+  const nonPasswordFieldsChanged = livedView.enabled !== tomlView.enabled || livedView.host !== tomlView.host || livedView.port !== tomlView.port || livedView.username !== tomlView.username || livedView.sender_email !== tomlView.sender_email || livedView.sender_name !== tomlView.sender_name || livedView.min_interval_seconds !== tomlView.min_interval_seconds;
+  if (!nonPasswordFieldsChanged && envRef === null) {
+    return null;
+  }
+  return {
+    section: "auth.smtp",
+    op: "modify",
+    key: "config",
+    from: livedView,
+    to: tomlView,
+    passwordEnvRef: envRef ?? void 0
+  };
+}
+function renderLiveSmtp(live) {
+  const empty = EMPTY_SMTP_VIEW;
+  if (!live) return empty;
+  return {
+    enabled: live.enabled,
+    host: live.host,
+    port: live.port,
+    username: live.username,
+    password: live.hasPassword ? "(set)" : "(unset)",
+    sender_email: live.sender_email,
+    sender_name: live.sender_name,
+    min_interval_seconds: live.min_interval_seconds
+  };
+}
+function renderFileSmtp(file) {
+  return {
+    enabled: file.enabled ?? false,
+    host: file.host ?? "",
+    port: file.port ?? 587,
+    username: file.username ?? "",
+    password: renderFilePassword(file.password),
+    sender_email: file.sender_email ?? "",
+    sender_name: file.sender_name ?? "",
+    min_interval_seconds: file.min_interval_seconds ?? 60
+  };
+}
+function renderFilePassword(value) {
+  if (value === void 0) return "(unchanged)";
+  const ref = parseEnvRef(value);
+  return ref ? `env(${ref})` : "(invalid)";
+}
+var EMPTY_SMTP_VIEW = {
+  enabled: false,
+  host: "",
+  port: 587,
+  username: "",
+  password: "(unset)",
+  sender_email: "",
+  sender_name: "",
+  min_interval_seconds: 60
+};
+function summarize(changes) {
+  const s = { add: 0, modify: 0, remove: 0, kept: 0 };
+  for (const c of changes) {
+    if (c.op === "modify") s.modify++;
+  }
+  return s;
+}
+function normalizeUrlList(input) {
+  return Array.from(new Set(input ?? [])).sort();
+}
+function arrayEquals(a, b) {
+  if (a.length !== b.length) return false;
+  return a.every((v, i) => v === b[i]);
+}
+// src/lib/config-format.ts
+function formatPlan(result) {
+  if (result.changes.length === 0) {
+    return "No changes. Live state matches insforge.toml.";
+  }
+  const bySection = /* @__PURE__ */ new Map();
+  for (const c of result.changes) {
+    const arr = bySection.get(c.section) ?? [];
+    arr.push(c);
+    bySection.set(c.section, arr);
+  }
+  const lines = [];
+  for (const [section, changes] of bySection) {
+    lines.push(`  ${section}:`);
+    for (const c of changes) {
+      lines.push(`    ${formatChange(c)}`);
+    }
+    lines.push("");
+  }
+  const s = result.summary;
+  lines.push(
+    `${s.add} add, ${s.modify} modify, ${s.remove} remove, ${s.kept} untracked kept.`
+  );
+  return lines.join("\n");
+}
+function formatChange(c) {
+  if (c.section === "auth.smtp") {
+    const lines = [`~ smtp config:`];
+    const from = c.from;
+    const to = c.to;
+    for (const key of [
+      "enabled",
+      "host",
+      "port",
+      "username",
+      "password",
+      "sender_email",
+      "sender_name",
+      "min_interval_seconds"
+    ]) {
+      if (from[key] !== to[key]) {
+        lines.push(`    ${key}: ${JSON.stringify(from[key])} \u2192 ${JSON.stringify(to[key])}`);
+      }
+    }
+    if (c.passwordEnvRef) {
+      lines.push(`    (password force-resent from env(${c.passwordEnvRef}))`);
+    }
+    return lines.join("\n    ");
+  }
+  if (c.section === "deployments" && c.key === "subdomain") {
+    const fromLabel = c.from === null ? "(unset)" : JSON.stringify(c.from);
+    const toLabel = c.to === null ? "(unset)" : JSON.stringify(c.to);
+    return `~ ${c.key}: ${fromLabel} \u2192 ${toLabel}`;
+  }
+  return `~ ${c.key}: ${JSON.stringify(c.from)} \u2192 ${JSON.stringify(c.to)}`;
+}
+// src/lib/config-capabilities.ts
+function metadataSupports(raw, change) {
+  if (change.section === "auth" && change.key === "allowed_redirect_urls") {
+    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "allowedRedirectUrls" in raw.auth;
+  }
+  if (change.section === "auth.smtp") {
+    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "smtpConfig" in raw.auth;
+  }
+  if (change.section === "deployments" && change.key === "subdomain") {
+    return raw?.deployments !== void 0 && raw.deployments !== null && typeof raw.deployments === "object";
+  }
+  const _exhaustive = change;
+  void _exhaustive;
+  return false;
+}
+function changePath(change) {
+  if (change.section === "auth.smtp") return "auth.smtp";
+  return `${change.section}.${change.key}`;
+}
+// src/commands/config/plan.ts
+function registerConfigPlanCommand(cfg) {
+  cfg.command("plan").description("Show diff between insforge.toml and live project state").option("--file <path>", "path to insforge.toml", "insforge.toml").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const tomlPath = resolve6(process.cwd(), opts.file);
+      const tomlSource = readFileSync11(tomlPath, "utf8");
+      const file = parseConfigToml(tomlSource);
+      const res = await ossFetch("/api/metadata");
+      const raw = await res.json();
+      const live = {
+        auth: { allowed_redirect_urls: raw.auth?.allowedRedirectUrls ?? [] }
+      };
+      const result = diffConfig({ live, file });
+      const skipped = result.changes.filter((c) => !metadataSupports(raw, c)).map((c) => changePath(c));
+      if (json) {
+        console.log(JSON.stringify({ ...result, skipped }, null, 2));
+      } else {
+        console.log(`Plan for insforge.toml (file: ${opts.file}):
+`);
+        console.log(formatPlan(result));
+        if (skipped.length) {
+          console.warn(
+            "\n" + pc5.yellow(`\u26A0 Apply will skip ${skipped.length} section(s) \u2014 backend doesn't support them yet:`) + "\n" + skipped.map((k) => `  - ${k}`).join("\n")
+          );
+        }
+      }
+      await reportCliUsage("cli.config.plan", true);
+    } catch (err) {
+      await reportCliUsage("cli.config.plan", false);
+      handleError(err, json);
+    }
+  });
+}
+// src/commands/config/apply.ts
+import { readFileSync as readFileSync12 } from "fs";
+import { resolve as resolve7 } from "path";
+import * as p2 from "@clack/prompts";
+import pc6 from "picocolors";
+function registerConfigApplyCommand(cfg) {
+  cfg.command("apply").description("Apply insforge.toml to the live project").option("--file <path>", "path to insforge.toml", "insforge.toml").option("--dry-run", "show plan, do not apply").option("--auto-approve", "skip confirmation prompt").action(async (opts, cmd) => {
+    const { json, yes } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const tomlPath = resolve7(process.cwd(), opts.file);
+      const tomlSource = readFileSync12(tomlPath, "utf8");
+      const file = parseConfigToml(tomlSource);
+      const res = await ossFetch("/api/metadata");
+      const raw = await res.json();
+      const live = liveFromMetadata(raw);
+      const result = diffConfig({ live, file });
+      const approved = opts.autoApprove || yes;
+      if (!json) {
+        console.log(formatPlan(result));
+      }
+      if (result.changes.length === 0 || opts.dryRun) {
+        if (json) {
+          console.log(
+            JSON.stringify({ plan: result, applied: false, dryRun: !!opts.dryRun }, null, 2)
+          );
+        }
+        await reportCliUsage("cli.config.apply", true);
+        return;
+      }
+      if (!approved) {
+        if (json) {
+          throw new CLIError(
+            "Refusing to apply in --json mode without --auto-approve or --yes.",
+            1,
+            "CONFIRMATION_REQUIRED"
+          );
+        }
+        const ok = await p2.confirm({
+          message: "Apply these changes?",
+          initialValue: false
+        });
+        if (!ok || p2.isCancel(ok)) {
+          console.log("Aborted.");
+          await reportCliUsage("cli.config.apply", true);
+          return;
+        }
+      }
+      const applied = [];
+      const skipped = [];
+      for (const change of result.changes) {
+        const path6 = changePath(change);
+        if (!metadataSupports(raw, change)) {
+          skipped.push({
+            key: path6,
+            reason: `your backend doesn't expose ${path6} \u2014 upgrade the project to apply this section`
+          });
+          continue;
+        }
+        await applyChange(change);
+        applied.push(change);
+      }
+      if (json) {
+        console.log(
+          JSON.stringify({ plan: result, applied, skipped }, null, 2)
+        );
+      } else {
+        if (skipped.length) {
+          console.warn(
+            pc6.yellow(`\u26A0 Skipped ${skipped.length} section(s):`) + "\n" + skipped.map((s) => `  - ${s.key}: ${s.reason}`).join("\n")
+          );
+        }
+        if (applied.length) {
+          console.log(
+            `${pc6.green("\u2713")} Applied ${applied.length} of ${result.changes.length} change(s).`
+          );
+        } else {
+          console.log("Nothing applied.");
+        }
+      }
+      await reportCliUsage("cli.config.apply", true);
+    } catch (err) {
+      await reportCliUsage("cli.config.apply", false);
+      handleError(err, json);
+    }
+  });
+}
+function liveFromMetadata(raw) {
+  const live = { auth: {} };
+  if (raw.auth?.allowedRedirectUrls !== void 0) {
+    live.auth.allowed_redirect_urls = raw.auth.allowedRedirectUrls;
+  }
+  if (raw.auth?.smtpConfig) {
+    const s = raw.auth.smtpConfig;
+    live.auth.smtp = {
+      enabled: s.enabled ?? false,
+      host: s.host ?? "",
+      port: s.port ?? 587,
+      username: s.username ?? "",
+      hasPassword: s.hasPassword ?? false,
+      sender_email: s.senderEmail ?? "",
+      sender_name: s.senderName ?? "",
+      min_interval_seconds: s.minIntervalSeconds ?? 60
+    };
+  }
+  if (raw.deployments) {
+    live.deployments = { subdomain: raw.deployments.customSlug ?? null };
+  }
+  return live;
+}
+async function applyChange(change) {
+  if (change.section === "auth" && change.key === "allowed_redirect_urls") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ allowedRedirectUrls: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth.smtp") {
+    const to = change.to;
+    const body = {
+      enabled: to.enabled,
+      host: to.host,
+      port: to.port,
+      username: to.username,
+      senderEmail: to.sender_email,
+      senderName: to.sender_name,
+      minIntervalSeconds: to.min_interval_seconds
+    };
+    if (change.passwordEnvRef) {
+      const value = await resolveEnvRef(
+        `env(${change.passwordEnvRef})`,
+        "auth.smtp.password"
+      );
+      body.password = value;
+    }
+    await ossFetch("/api/auth/smtp-config", {
+      method: "PUT",
+      body: JSON.stringify(body)
+    });
+    return;
+  }
+  if (change.section === "deployments" && change.key === "subdomain") {
+    await ossFetch("/api/deployments/slug", {
+      method: "PUT",
+      body: JSON.stringify({ slug: change.to })
+    });
+    return;
+  }
+  const _exhaustive = change;
+  throw new Error(`Unsupported change: ${JSON.stringify(_exhaustive)}`);
+}
+// src/commands/config/index.ts
+function registerConfigCommand(program2) {
+  const cfg = program2.command("config").description("Manage insforge.toml (declarative project configuration)");
+  registerConfigExportCommand(cfg);
+  registerConfigPlanCommand(cfg);
+  registerConfigApplyCommand(cfg);
+}
+// src/commands/ai/setup.ts
+import { appendFileSync as appendFileSync2, existsSync as existsSync15, readFileSync as readFileSync13 } from "fs";
+import { isAbsolute, join as join17, relative as relative4, resolve as resolve8 } from "path";
+import * as clack17 from "@clack/prompts";
+import pc7 from "picocolors";
+// src/lib/api/ai.ts
+async function getOpenRouterApiKey() {
+  const res = await ossFetch("/api/ai/openrouter/api-key");
+  const data = await res.json();
+  const apiKey = typeof data.apiKey === "string" ? data.apiKey.trim() : "";
+  const maskedKey = typeof data.maskedKey === "string" ? data.maskedKey.trim() : void 0;
+  if (apiKey.length === 0) {
+    throw new CLIError(
+      "AI gateway returned no OpenRouter API key. Open the InsForge dashboard AI page and verify Model Gateway is configured."
+    );
+  }
+  return {
+    apiKey,
+    maskedKey
+  };
+}
+// src/commands/ai/setup.ts
+var DEFAULT_ENV_FILE = ".env.local";
+var OPENROUTER_ENV_KEY = "OPENROUTER_API_KEY";
+function registerAiSetupCommand(aiCmd2) {
+  aiCmd2.command("setup").description("Write the linked project OpenRouter key to a local env file").option("--env-file <path>", `Env file to update (default: ${DEFAULT_ENV_FILE})`).action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      const result = await runAiSetup({
+        envFile: opts.envFile,
+        json
+      });
+      if (json) {
+        outputJson({ success: true, ...result });
+      }
+    } catch (err) {
+      handleError(err, json);
+    } finally {
+      await shutdownAnalytics();
+    }
+  });
+}
+async function runAiSetup(opts) {
+  const project = getProjectConfig();
+  if (!project) {
+    throw new ProjectNotLinkedError();
+  }
+  if (!opts.json) {
+    clack17.intro("AI setup");
+    outputSuccess(`Linked to InsForge project: ${project.project_name} (${project.project_id})`);
+  }
+  const spinner11 = !opts.json && isInteractive ? clack17.spinner() : null;
+  spinner11?.start("Fetching OpenRouter key...");
+  let key;
+  try {
+    key = await getOpenRouterApiKey();
+    spinner11?.stop("Fetched OpenRouter key.");
+  } catch (err) {
+    spinner11?.stop("Could not fetch OpenRouter key.");
+    throw err;
+  }
+  const envFile = opts.envFile ?? DEFAULT_ENV_FILE;
+  const envPath = resolve8(process.cwd(), envFile);
+  const envLabel = displayPath(envPath);
+  const update = upsertEnvFile(envPath, { [OPENROUTER_ENV_KEY]: key.apiKey });
+  const gitignoreUpdated = ensureLocalEnvIgnored(process.cwd(), envFile);
+  captureEvent(project.project_id, "cli_ai_setup", {
+    project_id: project.project_id,
+    project_name: project.project_name,
+    org_id: project.org_id,
+    region: project.region,
+    env_file: envLabel,
+    added: update.added.includes(OPENROUTER_ENV_KEY),
+    skipped: update.skipped.includes(OPENROUTER_ENV_KEY),
+    mismatched: update.mismatched.some((m) => m.key === OPENROUTER_ENV_KEY)
+  });
+  if (!opts.json) {
+    if (update.added.length > 0) {
+      outputSuccess(`Wrote ${envLabel}: ${update.added.join(", ")}`);
+    }
+    if (update.skipped.length > 0) {
+      outputInfo(pc7.dim(`${envLabel}: ${update.skipped.join(", ")} already set (matching) - left as-is.`));
+    }
+    for (const m of update.mismatched) {
+      clack17.log.warn(
+        `${envLabel} already has ${m.key}; left existing value untouched. Remove it or pass --env-file to write elsewhere.`
+      );
+    }
+    if (gitignoreUpdated) {
+      outputInfo(pc7.dim("Added .env*.local to .gitignore."));
+    }
+    if (!isLocalEnvFile(envFile)) {
+      clack17.log.warn(
+        `${envLabel} may be committed unless it is listed in .gitignore. Keep ${OPENROUTER_ENV_KEY} server-only.`
+      );
+    }
+    outputInfo("");
+    outputInfo("Use this key only from server-side code as process.env.OPENROUTER_API_KEY.");
+    outputInfo("For deployment, add OPENROUTER_API_KEY to your hosting provider environment.");
+    outputInfo(`Do not rename it to ${pc7.bold("NEXT_PUBLIC_")}, ${pc7.bold("VITE_")}, or ${pc7.bold("PUBLIC_")}.`);
+    clack17.outro("Done.");
+  }
+  return {
+    envFile: envLabel,
+    added: update.added,
+    skipped: update.skipped,
+    mismatched: update.mismatched.map((m) => m.key),
+    gitignoreUpdated,
+    maskedKey: key.maskedKey
+  };
+}
+function displayPath(path6) {
+  const rel = relative4(process.cwd(), path6);
+  if (!rel || rel.startsWith("..") || isAbsolute(rel)) {
+    return path6;
+  }
+  return rel;
+}
+function isLocalEnvFile(envFile) {
+  const normalized = envFile.replace(/\\/g, "/");
+  const basename8 = normalized.split("/").pop() ?? normalized;
+  return basename8 === ".env.local" || /^\.env\..+\.local$/.test(basename8);
+}
+function ensureLocalEnvIgnored(cwd, envFile) {
+  if (!isLocalEnvFile(envFile)) return false;
+  const envPath = resolve8(cwd, envFile);
+  const relEnvPath = relative4(cwd, envPath);
+  if (!relEnvPath || relEnvPath.startsWith("..") || isAbsolute(relEnvPath)) {
+    return false;
+  }
+  const gitignorePath = join17(cwd, ".gitignore");
+  const existing = existsSync15(gitignorePath) ? readFileSync13(gitignorePath, "utf-8") : "";
+  const lines = new Set(existing.split(/\r?\n/).map((line) => line.trim()));
+  const envBasename = envFile.replace(/\\/g, "/").split("/").pop() ?? envFile;
+  if (lines.has(".env*") || lines.has(".env.*") || lines.has(".env*.local") || lines.has(".env.local") && envBasename === ".env.local") {
+    return false;
+  }
+  const prefix = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
+  const spacer = existing.length > 0 ? "\n" : "";
+  appendFileSync2(gitignorePath, `${prefix}${spacer}# Local environment secrets
+.env*.local
+`);
+  return true;
+}
+// src/commands/ai/index.ts
+function registerAiCommands(aiCmd2) {
+  registerAiSetupCommand(aiCmd2);
 }
 // src/index.ts
 var __dirname = dirname3(fileURLToPath(import.meta.url));
-var pkg = JSON.parse(readFileSync11(join17(__dirname, "../package.json"), "utf-8"));
+var pkg = JSON.parse(readFileSync14(join18(__dirname, "../package.json"), "utf-8"));
 var INSFORGE_LOGO = `
 \u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D
@@ -9117,6 +10034,8 @@ registerComputeStopCommand(computeCmd);
 registerComputeEventsCommand(computeCmd);
 var posthogCmd = program.command("posthog").description("Manage PostHog product analytics integration");
 registerPosthogSetupCommand(posthogCmd);
+var aiCmd = program.command("ai").description("Manage AI model gateway setup");
+registerAiCommands(aiCmd);
 var schedulesCmd = program.command("schedules").description("Manage scheduled tasks (cron jobs)");
 registerSchedulesListCommand(schedulesCmd);
 registerSchedulesGetCommand(schedulesCmd);
@@ -9124,6 +10043,7 @@ registerSchedulesCreateCommand(schedulesCmd);
 registerSchedulesUpdateCommand(schedulesCmd);
 registerSchedulesDeleteCommand(schedulesCmd);
 registerSchedulesLogsCommand(schedulesCmd);
+registerConfigCommand(program);
 if (process.argv.length <= 2 && process.stdout.isTTY) {
   await showInteractiveMenu();
 } else {
@@ -9141,7 +10061,7 @@ async function showInteractiveMenu() {
   } catch {
   }
   console.log(INSFORGE_LOGO);
-  clack17.intro(`InsForge CLI v${pkg.version}`);
+  clack18.intro(`InsForge CLI v${pkg.version}`);
   const options = [];
   if (!isLoggedIn) {
     options.push({ value: "login", label: "Log in to InsForge" });
@@ -9162,7 +10082,7 @@ async function showInteractiveMenu() {
     options
   });
   if (isCancel2(action)) {
-    clack17.cancel("Bye!");
+    clack18.cancel("Bye!");
     process.exit(0);
   }
   switch (action) {