@khanglvm/llm-router 1.0.5

package/src/cli/router-module.js

@@ -0,0 +1,3987 @@
+import { promises as fsPromises } from "node:fs";
+import { spawn, spawnSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import path from "node:path";
+import { SnapTui, runPasswordPrompt } from "@levu/snap/dist/index.js";
+import {
+  applyConfigChanges,
+  buildProviderFromConfigInput,
+  buildWorkerConfigPayload,
+  parseModelListInput
+} from "../node/config-workflows.js";
+import {
+  configFileExists,
+  getDefaultConfigPath,
+  readConfigFile,
+  removeProvider,
+  writeConfigFile
+} from "../node/config-store.js";
+import { probeProvider, probeProviderEndpointMatrix } from "../node/provider-probe.js";
+import { runStartCommand } from "../node/start-command.js";
+import { installStartup, restartStartup, startupStatus, stopStartup, uninstallStartup } from "../node/startup-manager.js";
+import {
+  buildStartArgsFromState,
+  clearRuntimeState,
+  getActiveRuntimeState,
+  spawnDetachedStart,
+  stopProcessByPid
+} from "../node/instance-state.js";
+import {
+  configHasProvider,
+  DEFAULT_PROVIDER_USER_AGENT,
+  maskSecret,
+  PROVIDER_ID_PATTERN,
+  sanitizeConfigForDisplay
+} from "../runtime/config.js";
+
+const EXIT_SUCCESS = 0;
+const EXIT_FAILURE = 1;
+const EXIT_VALIDATION = 2;
+const NPM_PACKAGE_NAME = "@khanglvm/llm-router";
+const STRONG_MASTER_KEY_MIN_LENGTH = 24;
+const DEFAULT_GENERATED_MASTER_KEY_LENGTH = 48;
+const MAX_GENERATED_MASTER_KEY_LENGTH = 256;
+const WEAK_MASTER_KEY_PATTERN = /(password|changeme|default|secret|token|admin|qwerty|letmein|123456)/i;
+export const CLOUDFLARE_FREE_SECRET_SIZE_LIMIT_BYTES = 5 * 1024;
+const CLOUDFLARE_FREE_TIER_PATTERN = /\bfree\b/i;
+const CLOUDFLARE_PAID_TIER_PATTERN = /\b(pro|business|enterprise|paid|unbound)\b/i;
+const CLOUDFLARE_API_TOKEN_ENV_NAME = "CLOUDFLARE_API_TOKEN";
+const CLOUDFLARE_API_TOKEN_ALT_ENV_NAME = "CF_API_TOKEN";
+const CLOUDFLARE_ACCOUNT_ID_ENV_NAME = "CLOUDFLARE_ACCOUNT_ID";
+const CLOUDFLARE_API_TOKEN_PRESET_NAME = "Edit Cloudflare Workers";
+const CLOUDFLARE_API_TOKEN_DASHBOARD_URL = "https://dash.cloudflare.com/profile/api-tokens";
+const CLOUDFLARE_API_TOKEN_GUIDE_URL = "https://developers.cloudflare.com/fundamentals/api/get-started/create-token/";
+const CLOUDFLARE_API_BASE_URL = "https://api.cloudflare.com/client/v4";
+const CLOUDFLARE_VERIFY_TOKEN_URL = `${CLOUDFLARE_API_BASE_URL}/user/tokens/verify`;
+const CLOUDFLARE_MEMBERSHIPS_URL = `${CLOUDFLARE_API_BASE_URL}/memberships`;
+const CLOUDFLARE_ZONES_URL = `${CLOUDFLARE_API_BASE_URL}/zones`;
+const CLOUDFLARE_API_PREFLIGHT_TIMEOUT_MS = 10_000;
+
+function canPrompt() {
+  return Boolean(process.stdout.isTTY && process.stdin.isTTY);
+}
+
+function readArg(args, names, fallback = undefined) {
+  for (const name of names) {
+    if (args[name] !== undefined && args[name] !== "") return args[name];
+  }
+  return fallback;
+}
+
+function toBoolean(value, fallback = false) {
+  if (value === undefined || value === null || value === "") return fallback;
+  if (typeof value === "boolean") return value;
+  const normalized = String(value).trim().toLowerCase();
+  if (["1", "true", "yes", "y"].includes(normalized)) return true;
+  if (["0", "false", "no", "n"].includes(normalized)) return false;
+  return fallback;
+}
+
+function toNumber(value, fallback) {
+  if (value === undefined || value === null || value === "") return fallback;
+  const parsed = Number(value);
+  return Number.isFinite(parsed) ? parsed : fallback;
+}
+
+function clampMasterKeyLength(value) {
+  const parsed = Math.floor(toNumber(value, DEFAULT_GENERATED_MASTER_KEY_LENGTH));
+  if (!Number.isFinite(parsed)) return DEFAULT_GENERATED_MASTER_KEY_LENGTH;
+  return Math.min(MAX_GENERATED_MASTER_KEY_LENGTH, Math.max(parsed, STRONG_MASTER_KEY_MIN_LENGTH));
+}
+
+function normalizeMasterKeyPrefix(value) {
+  const normalized = String(value ?? "gw_")
+    .replace(/[\r\n\t]/g, "")
+    .trim();
+  if (!normalized) return "gw_";
+  return normalized.slice(0, 32);
+}
+
+function analyzeMasterKeyStrength(rawKey) {
+  const key = String(rawKey || "");
+  const reasons = [];
+  if (key.length < STRONG_MASTER_KEY_MIN_LENGTH) {
+    reasons.push(`length must be >= ${STRONG_MASTER_KEY_MIN_LENGTH}`);
+  }
+
+  const hasLower = /[a-z]/.test(key);
+  const hasUpper = /[A-Z]/.test(key);
+  const hasDigit = /[0-9]/.test(key);
+  const hasSymbol = /[^A-Za-z0-9]/.test(key);
+  const classes = [hasLower, hasUpper, hasDigit, hasSymbol].filter(Boolean).length;
+  if (classes < 3) {
+    reasons.push("use at least 3 character classes (lower/upper/digits/symbols)");
+  }
+
+  if (WEAK_MASTER_KEY_PATTERN.test(key)) {
+    reasons.push("contains common weak pattern");
+  }
+  if (/(.)\1{5,}/.test(key)) {
+    reasons.push("contains long repeated characters");
+  }
+
+  return {
+    strong: reasons.length === 0,
+    reasons
+  };
+}
+
+function generateStrongMasterKey({ length, prefix } = {}) {
+  const targetLength = clampMasterKeyLength(length);
+  const safePrefix = normalizeMasterKeyPrefix(prefix);
+  const randomLength = Math.max(
+    STRONG_MASTER_KEY_MIN_LENGTH,
+    targetLength - safePrefix.length
+  );
+
+  let fallbackKey = "";
+  for (let attempt = 0; attempt < 12; attempt += 1) {
+    const token = randomBytes(Math.ceil(randomLength * 0.8) + 16)
+      .toString("base64url")
+      .slice(0, randomLength);
+    const key = `${safePrefix}${token}`;
+    fallbackKey = key;
+    if (analyzeMasterKeyStrength(key).strong) {
+      return key;
+    }
+  }
+
+  return fallbackKey;
+}
+
+async function ensureStrongWorkerMasterKey(context, masterKey, { allowWeakMasterKey = false } = {}) {
+  const report = analyzeMasterKeyStrength(masterKey);
+  if (report.strong || allowWeakMasterKey) {
+    return { ok: true, allowWeakMasterKey };
+  }
+
+  const reasons = report.reasons.join("; ");
+  if (canPrompt()) {
+    const proceed = await context.prompts.confirm({
+      message: `Worker master key looks weak (${reasons}). Continue anyway?`,
+      initialValue: false
+    });
+    if (proceed) {
+      return { ok: true, allowWeakMasterKey: true };
+    }
+  }
+
+  return {
+    ok: false,
+    errorMessage: `Weak worker master key rejected (${reasons}). Use a stronger random key or pass --allow-weak-master-key=true to override.`
+  };
+}
+
+function parseJsonObjectArg(value, fieldName) {
+  if (value === undefined || value === null || value === "") return {};
+  if (typeof value === "object" && !Array.isArray(value)) return value;
+  try {
+    const parsed = JSON.parse(String(value));
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error("must be a JSON object");
+    }
+    return parsed;
+  } catch (error) {
+    throw new Error(`${fieldName} must be a JSON object string. ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+function hasHeaderName(headers, name) {
+  const lower = String(name).toLowerCase();
+  return Object.keys(headers || {}).some((key) => key.toLowerCase() === lower);
+}
+
+function applyDefaultHeaders(headers, { force = true } = {}) {
+  const source = headers && typeof headers === "object" && !Array.isArray(headers) ? headers : {};
+  const next = { ...source };
+  if (force && !hasHeaderName(next, "user-agent")) {
+    next["User-Agent"] = DEFAULT_PROVIDER_USER_AGENT;
+  }
+  return next;
+}
+
+async function promptSecretInput(context, {
+  message,
+  required = true,
+  validate
+} = {}) {
+  if (context?.prompts && typeof context.prompts.password === "function") {
+    return context.prompts.password({
+      message,
+      required,
+      validate,
+      mask: "*"
+    });
+  }
+
+  if (canPrompt()) {
+    return runPasswordPrompt({
+      message,
+      required,
+      validate,
+      mask: "*"
+    });
+  }
+
+  return context.prompts.text({
+    message,
+    required,
+    validate
+  });
+}
+
+function providerEndpointsFromConfig(provider) {
+  const values = [
+    provider?.baseUrlByFormat?.openai,
+    provider?.baseUrlByFormat?.claude,
+    provider?.baseUrl
+  ];
+  return parseModelListInput(values.filter(Boolean).join(","));
+}
+
+function normalizeNameForCompare(value) {
+  return String(value || "").trim().toLowerCase();
+}
+
+function findProviderByFriendlyName(providers, name, { excludeId = "" } = {}) {
+  const needle = normalizeNameForCompare(name);
+  if (!needle) return null;
+  const excluded = String(excludeId || "").trim();
+  return (providers || []).find((provider) => {
+    if (!provider || typeof provider !== "object") return false;
+    const sameName = normalizeNameForCompare(provider.name) === needle;
+    if (!sameName) return false;
+    if (!excluded) return true;
+    return String(provider.id || "").trim() !== excluded;
+  }) || null;
+}
+
+function printProviderInputGuidance(context) {
+  if (!canPrompt()) return;
+  const info = typeof context?.terminal?.info === "function" ? context.terminal.info.bind(context.terminal) : null;
+  const line = typeof context?.terminal?.line === "function" ? context.terminal.line.bind(context.terminal) : null;
+  const warn = typeof context?.terminal?.warn === "function" ? context.terminal.warn.bind(context.terminal) : null;
+  if (!line) return;
+
+  info?.("Provider config tips:");
+  line("  - Provider Friendly Name is shown in the management screen and must be unique.");
+  line("  - Provider ID is auto-generated by slugifying the friendly name; you can edit it.");
+  line("  - Examples:");
+  line("    Friendly Name: OpenRouter Primary, RamClouds Production");
+  line("    Provider ID: openrouterPrimary, ramcloudsProd");
+  line("    API Key: sk-or-v1-xxxxxxxx, sk-ant-api03-xxxxxxxx, sk-xxxxxxxx");
+}
+
+function trimOuterPunctuation(value) {
+  return String(value || "")
+    .trim()
+    .replace(/^[\s"'`([{<]+/, "")
+    .replace(/[\s"'`)\]}>.,;:]+$/, "")
+    .trim();
+}
+
+function dedupeList(values) {
+  return [...new Set((values || []).filter(Boolean).map((value) => String(value).trim()).filter(Boolean))];
+}
+
+function tokenizeLooseListInput(raw) {
+  if (Array.isArray(raw)) return dedupeList(raw.flatMap((item) => tokenizeLooseListInput(item)));
+  const text = String(raw || "").replace(/[;,]+/g, "\n");
+  const tokens = text
+    .split(/\r?\n/g)
+    .flatMap((line) => String(line || "").trim().split(/\s+/g));
+  return dedupeList(tokens);
+}
+
+function normalizeEndpointToken(token) {
+  let value = trimOuterPunctuation(token);
+  if (!value) return "";
+
+  value = value
+    .replace(/^(?:openaiBaseUrl|claudeBaseUrl|anthropicBaseUrl|baseUrl)\s*=\s*/i, "")
+    .replace(/^url\s*=\s*/i, "");
+
+  const urlMatch = value.match(/https?:\/\/[^\s,;'"`<>()\]]+/i);
+  if (urlMatch) value = urlMatch[0];
+
+  // Common typo: missing colon after scheme.
+  if (/^http\/\/+/i.test(value) || /^https\/\/+/i.test(value)) {
+    value = value.replace(/^http\/\/+/i, "http://").replace(/^https\/\/+/i, "https://");
+  }
+  if (/^ttps?:\/\//i.test(value)) {
+    value = `h${value}`;
+  }
+  if (/^https?:\/\/$/i.test(value)) return "";
+
+  // Accept domain-like values pasted without scheme.
+  if (!/^https?:\/\//i.test(value) && /^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:\/[^\s]*)?$/i.test(value)) {
+    value = `https://${value}`;
+  }
+
+  value = value.replace(/[)\]}>.,;:]+$/g, "");
+  return /^https?:\/\/.+/i.test(value) ? value : "";
+}
+
+function parseEndpointListInput(raw) {
+  const text = Array.isArray(raw) ? raw.join("\n") : String(raw || "");
+  const extracted = [];
+
+  const urlRegex = /https?:\/\/[^\s,;'"`<>()\]]+/gi;
+  for (const match of text.matchAll(urlRegex)) {
+    extracted.push(match[0]);
+  }
+
+  const typoUrlRegex = /\bhttps?:\/\/?[^\s,;'"`<>()\]]+/gi;
+  for (const match of text.matchAll(typoUrlRegex)) {
+    extracted.push(match[0]);
+  }
+
+  const domainRegex = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:\/[^\s,;'"`<>()\]]*)?/gi;
+  for (const match of text.matchAll(domainRegex)) {
+    extracted.push(match[0]);
+  }
+
+  const fallbackTokens = tokenizeLooseListInput(text);
+  const normalized = dedupeList([...(extracted.length > 0 ? extracted : []), ...fallbackTokens]
+    .map(normalizeEndpointToken)
+    .filter(Boolean));
+
+  return normalized;
+}
+
+const MODEL_INPUT_NOISE_TOKENS = new Set([
+  "discover",
+  "progress",
+  "endpoint",
+  "testing",
+  "formats",
+  "format",
+  "working",
+  "supported",
+  "auto-discovery",
+  "auto",
+  "discovery",
+  "completed",
+  "started",
+  "done",
+  "openai",
+  "claude",
+  "anthropic",
+  "skip",
+  "ok",
+  "tentative",
+  "network-error",
+  "format-mismatch",
+  "model-unsupported",
+  "auth-error",
+  "unconfirmed",
+  "error",
+  "errors",
+  "warning",
+  "warnings",
+  "failed",
+  "failure",
+  "invalid",
+  "request",
+  "response",
+  "http",
+  "https",
+  "status",
+  "probe",
+  "provider",
+  "models",
+  "model",
+  "on",
+  "at"
+]);
+
+function normalizeModelToken(token) {
+  let value = trimOuterPunctuation(token);
+  if (!value) return "";
+
+  value = value
+    .replace(/^(?:models?|modelSupport|modelPreferredFormat)\s*=\s*/i, "")
+    .replace(/\[(?:openai|claude)\]?$/i, "")
+    .replace(/[)\]}>.,;:]+$/g, "")
+    .trim();
+
+  if (!value) return "";
+  if (value.includes("://")) return "";
+  if (value.includes("@")) return "";
+  if (/^\d+(?:\/\d+)?$/.test(value)) return "";
+  if (/^https?$/i.test(value)) return "";
+  if (/^(?:openai|claude|anthropic)$/i.test(value)) return "";
+  if (MODEL_INPUT_NOISE_TOKENS.has(value.toLowerCase())) return "";
+
+  // Ignore obvious prose fragments. Keep model-like IDs with delimiters.
+  if (!/[._:/-]/.test(value) && !/\d/.test(value)) return "";
+  if (!/^[A-Za-z0-9][A-Za-z0-9._:/-]*$/.test(value)) return "";
+
+  return value;
+}
+
+function parseProviderModelListInput(raw) {
+  const text = Array.isArray(raw) ? raw.join("\n") : String(raw || "");
+  const extracted = [];
+
+  // "Progress ... - <model> on <format> @ <endpoint>"
+  const progressRegex = /-\s+([A-Za-z0-9][A-Za-z0-9._:/-]*)\s+on\s+(?:openai|claude)\s+@/gi;
+  for (const match of text.matchAll(progressRegex)) {
+    extracted.push(match[1]);
+  }
+
+  // "models=foo[openai], bar[claude]"
+  const modelsLineRegex = /\bmodels?\s*=\s*([^\n\r]+)/gi;
+  for (const match of text.matchAll(modelsLineRegex)) {
+    extracted.push(...tokenizeLooseListInput(match[1]));
+  }
+
+  const fallbackTokens = tokenizeLooseListInput(text);
+  return dedupeList([...(extracted.length > 0 ? extracted : []), ...fallbackTokens]
+    .map(normalizeModelToken)
+    .filter(Boolean));
+}
+
+function normalizeQualifiedModelToken(token) {
+  const value = trimOuterPunctuation(token)
+    .replace(/[)\]}>.,;:]+$/g, "")
+    .trim();
+  if (!value) return "";
+  if (value.includes("://") || value.includes("@")) return "";
+  if (!/^[A-Za-z0-9][A-Za-z0-9._-]*\/[A-Za-z0-9][A-Za-z0-9._:/-]*$/.test(value)) return "";
+  return value;
+}
+
+function parseQualifiedModelListInput(raw) {
+  const text = Array.isArray(raw) ? raw.join("\n") : String(raw || "");
+  const tokens = tokenizeLooseListInput(text);
+  return dedupeList(tokens
+    .map(normalizeQualifiedModelToken)
+    .filter(Boolean));
+}
+
+function maybeReportInputCleanup(context, label, rawValue, cleanedValues) {
+  if (!canPrompt()) return;
+  const info = typeof context?.terminal?.info === "function" ? context.terminal.info.bind(context.terminal) : null;
+  const warn = typeof context?.terminal?.warn === "function" ? context.terminal.warn.bind(context.terminal) : null;
+  if (!info && !warn) return;
+
+  const raw = String(rawValue || "").trim();
+  if (!raw) return;
+
+  const normalizedRaw = raw.toLowerCase();
+  const looksMessy =
+    /[;\n\r\t]/.test(raw) ||
+    /\[discover\]|auto-discovery|error|warning|failed|models?=/i.test(raw) ||
+    /\s{2,}/.test(raw);
+
+  if (!looksMessy) return;
+
+  if ((cleanedValues || []).length > 0) {
+    info?.(`Cleaned ${label} input: parsed ${(cleanedValues || []).length} item(s) from free-form text.`);
+  } else {
+    warn?.(`Could not parse any ${label} from the provided text. Use comma/semicolon/space/newline-separated values.`);
+  }
+}
+
+function truncateLogText(value, max = 160) {
+  const text = String(value || "").trim();
+  if (!text) return "";
+  if (text.length <= max) return text;
+  return `${text.slice(0, max - 3)}...`;
+}
+
+function describeModelCheckStatus(event) {
+  const statusCode = Number(event.status || 0);
+  const statusSuffix = statusCode > 0 ? ` (http ${statusCode})` : "";
+  const rawMessage = event.error || event.message || "";
+  const detail = truncateLogText(rawMessage === "ok" ? "" : rawMessage);
+  const outcome = String(event.outcome || "");
+
+  if (event.confirmed) {
+    return {
+      shortLabel: "ok",
+      fullLabel: `ok${statusSuffix}`,
+      detail,
+      isOk: true
+    };
+  }
+
+  if (outcome === "runtime-error") {
+    return {
+      shortLabel: "tentative",
+      fullLabel: `tentative${statusSuffix}`,
+      detail,
+      isOk: false
+    };
+  }
+  if (outcome === "model-unsupported") {
+    return {
+      shortLabel: "model-unsupported",
+      fullLabel: `model-unsupported${statusSuffix}`,
+      detail,
+      isOk: false
+    };
+  }
+  if (outcome === "format-mismatch") {
+    return {
+      shortLabel: "format-mismatch",
+      fullLabel: `format-mismatch${statusSuffix}`,
+      detail,
+      isOk: false
+    };
+  }
+  if (outcome === "network-error") {
+    return {
+      shortLabel: "network-error",
+      fullLabel: `network-error${statusSuffix}`,
+      detail,
+      isOk: false
+    };
+  }
+  if (outcome === "auth-error") {
+    return {
+      shortLabel: "auth-error",
+      fullLabel: `auth-error${statusSuffix}`,
+      detail,
+      isOk: false
+    };
+  }
+  if (outcome === "unconfirmed") {
+    return {
+      shortLabel: "unconfirmed",
+      fullLabel: `unconfirmed${statusSuffix}`,
+      detail,
+      isOk: false
+    };
+  }
+
+  return {
+    shortLabel: event.supported ? "tentative" : "skip",
+    fullLabel: `${event.supported ? "tentative" : "skip"}${statusSuffix}`,
+    detail,
+    isOk: false
+  };
+}
+
+function probeProgressReporter(context) {
+  const line = typeof context?.terminal?.line === "function" ? context.terminal.line.bind(context.terminal) : null;
+  if (!line) return () => {};
+
+  const info = typeof context?.terminal?.info === "function" ? context.terminal.info.bind(context.terminal) : line;
+  const success = typeof context?.terminal?.success === "function" ? context.terminal.success.bind(context.terminal) : line;
+  const warn = typeof context?.terminal?.warn === "function" ? context.terminal.warn.bind(context.terminal) : line;
+  const interactiveTerminal = canPrompt();
+  const progress = interactiveTerminal && typeof SnapTui?.createProgress === "function" ? SnapTui.createProgress() : null;
+  const endpointSpinner = interactiveTerminal && typeof SnapTui?.createSpinner === "function" ? SnapTui.createSpinner() : null;
+  const PROGRESS_UI_MIN_UPDATE_MS = 120;
+  const SPINNER_UI_MIN_UPDATE_MS = 120;
+
+  let lastProgressPrinted = -1;
+  let totalChecks = 0;
+  let matrixStarted = false;
+  let endpointSpinnerRunning = false;
+  let lastProgressUiUpdateAt = 0;
+  let lastProgressUiMessage = "";
+  let lastSpinnerUiUpdateAt = 0;
+  let lastSpinnerUiMessage = "";
+
+  const clearSpinnerForLog = () => {
+    if (!endpointSpinner || !endpointSpinnerRunning) return;
+    if (typeof endpointSpinner.clear === "function") {
+      endpointSpinner.clear();
+    }
+  };
+
+  const maybeLine = (message, { forceInteractive = false } = {}) => {
+    if (!interactiveTerminal || forceInteractive) {
+      clearSpinnerForLog();
+      line(message);
+    }
+  };
+
+  const setSpinnerMessage = (message, { force = false } = {}) => {
+    if (!endpointSpinner || !endpointSpinnerRunning) return;
+    const next = String(message || "").trim();
+    if (!next) return;
+    const now = Date.now();
+    if (!force) {
+      if (next === lastSpinnerUiMessage) return;
+      if (now - lastSpinnerUiUpdateAt < SPINNER_UI_MIN_UPDATE_MS) return;
+    }
+    endpointSpinner.message(next);
+    lastSpinnerUiMessage = next;
+    lastSpinnerUiUpdateAt = now;
+  };
+
+  const setProgressMessage = (message, { force = false } = {}) => {
+    if (!progress) return;
+    const next = String(message || "").trim();
+    if (!next) return;
+    const now = Date.now();
+    if (!force) {
+      if (next === lastProgressUiMessage) return;
+      if (now - lastProgressUiUpdateAt < PROGRESS_UI_MIN_UPDATE_MS) return;
+    }
+    progress.message(next);
+    lastProgressUiMessage = next;
+    lastProgressUiUpdateAt = now;
+  };
+
+  return (event) => {
+    if (!event || typeof event !== "object") return;
+    const phase = String(event.phase || "");
+
+    if (phase === "matrix-start") {
+      const endpointCount = Number(event.endpointCount || 0);
+      const modelCount = Number(event.modelCount || 0);
+      totalChecks = endpointCount * modelCount * 2;
+      matrixStarted = true;
+
+      info(`Auto-discovery started: ${endpointCount} endpoint(s) x ${modelCount} model(s).`);
+      progress?.start(`Auto-discovery progress: 0/${totalChecks || 0}`);
+      lastProgressUiMessage = `Auto-discovery progress: 0/${totalChecks || 0}`;
+      lastProgressUiUpdateAt = Date.now();
+      return;
+    }
+    if (phase === "endpoint-start") {
+      if (endpointSpinner && endpointSpinnerRunning) {
+        endpointSpinner.stop();
+      }
+      endpointSpinner?.start(`Endpoint ${event.endpointIndex || "?"}/${event.endpointCount || "?"}: ${event.endpoint}`);
+      endpointSpinnerRunning = Boolean(endpointSpinner);
+      lastSpinnerUiMessage = `Endpoint ${event.endpointIndex || "?"}/${event.endpointCount || "?"}: ${event.endpoint}`;
+      lastSpinnerUiUpdateAt = Date.now();
+      maybeLine(`[discover] Endpoint ${event.endpointIndex || "?"}/${event.endpointCount || "?"}: ${event.endpoint}`);
+      return;
+    }
+    if (phase === "endpoint-formats") {
+      const formats = Array.isArray(event.formatsToTest) && event.formatsToTest.length > 0
+        ? event.formatsToTest.join(", ")
+        : "(none)";
+      maybeLine(`[discover] Testing formats for ${event.endpoint}: ${formats}`);
+      return;
+    }
+    if (phase === "format-start") {
+      maybeLine(`[discover] ${event.endpoint} -> ${event.format} (${event.modelCount || 0} model checks)`);
+      return;
+    }
+    if (phase === "model-check") {
+      const completed = Number(event.completedChecks || 0);
+      const total = Number(event.totalChecks || 0);
+      if (completed <= 0 || total <= 0) return;
+      const status = describeModelCheckStatus(event);
+      const shouldPrintLine = interactiveTerminal
+        ? (!status.isOk || completed === total)
+        : (!status.isOk || completed === total || completed - lastProgressPrinted >= 3);
+
+      if (matrixStarted) {
+        setProgressMessage(
+          `Auto-discovery progress: ${completed}/${total} (${event.model} on ${event.format} @ ${event.endpoint}: ${status.shortLabel})`,
+          { force: !status.isOk || completed === total }
+        );
+      }
+
+      if (shouldPrintLine) {
+        lastProgressPrinted = completed;
+        const detailSuffix = status.detail ? ` - ${status.detail}` : "";
+        maybeLine(
+          `[discover] Progress ${completed}/${total} - ${event.model} on ${event.format} @ ${event.endpoint}: ${status.fullLabel}${detailSuffix}`,
+          { forceInteractive: !status.isOk || completed === total }
+        );
+      }
+      return;
+    }
+    if (phase === "endpoint-done") {
+      const formats = Array.isArray(event.workingFormats) && event.workingFormats.length > 0
+        ? event.workingFormats.join(", ")
+        : "(none)";
+      if (endpointSpinner && endpointSpinnerRunning) {
+        endpointSpinner.stop();
+        endpointSpinnerRunning = false;
+      }
+      if (formats === "(none)") {
+        warn(`[discover] Endpoint done: ${event.endpoint} working formats=${formats}`);
+      } else {
+        success(`[discover] Endpoint done: ${event.endpoint} working formats=${formats}`);
+      }
+      return;
+    }
+      if (phase === "matrix-done") {
+      const openaiBase = event.baseUrlByFormat?.openai || "(none)";
+      const claudeBase = event.baseUrlByFormat?.claude || "(none)";
+      const formats = Array.isArray(event.workingFormats) && event.workingFormats.length > 0
+        ? event.workingFormats.join(", ")
+        : "(none)";
+      const finalMessage = `Auto-discovery completed: working formats=${formats}, models=${event.supportedModelCount || 0}, openaiBase=${openaiBase}, claudeBase=${claudeBase}`;
+      if (endpointSpinner && endpointSpinnerRunning) {
+        endpointSpinner.stop();
+        endpointSpinnerRunning = false;
+      }
+      if (matrixStarted) {
+        progress?.stop(`Auto-discovery progress: ${event.supportedModelCount || 0} model(s) confirmed`);
+        lastProgressUiMessage = "";
+      }
+      if (formats === "(none)") {
+        warn(finalMessage);
+      } else {
+        success(finalMessage);
+      }
+      matrixStarted = false;
+      totalChecks = 0;
+      lastSpinnerUiMessage = "";
+    }
+  };
+}
+
+async function promptProviderFormat(context, {
+  message = "Primary provider format",
+  initialFormat = ""
+} = {}) {
+  const preferred = initialFormat === "claude" ? "claude" : (initialFormat === "openai" ? "openai" : "");
+  const options = preferred === "claude"
+    ? [
+        { value: "claude", label: "Anthropic-compatible" },
+        { value: "openai", label: "OpenAI-compatible" }
+      ]
+    : [
+        { value: "openai", label: "OpenAI-compatible" },
+        { value: "claude", label: "Anthropic-compatible" }
+      ];
+
+  return context.prompts.select({ message, options });
+}
+
+function slugifyId(value, fallback = "provider") {
+  const slug = String(value || fallback)
+    .trim()
+    .replace(/[^a-zA-Z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "");
+  if (!slug) return fallback;
+  return /^[A-Z]/.test(slug)
+    ? slug.charAt(0).toLowerCase() + slug.slice(1)
+    : slug;
+}
+
+function summarizeConfig(config, configPath, { includeSecrets = false } = {}) {
+  const target = includeSecrets ? config : sanitizeConfigForDisplay(config);
+  const lines = [];
+  lines.push(`Config: ${configPath}`);
+  lines.push(`Default model: ${target.defaultModel || "(not set)"}`);
+  lines.push(`Master key: ${target.masterKey || "(not set)"}`);
+
+  if (!target.providers || target.providers.length === 0) {
+    lines.push("Providers: (none)");
+    return lines.join("\n");
+  }
+
+  lines.push("Providers:");
+  for (const provider of target.providers) {
+    lines.push(`- ${provider.id} (${provider.name})`);
+    lines.push(`  baseUrl=${provider.baseUrl}`);
+    if (provider.baseUrlByFormat?.openai) {
+      lines.push(`  openaiBaseUrl=${provider.baseUrlByFormat.openai}`);
+    }
+    if (provider.baseUrlByFormat?.claude) {
+      lines.push(`  claudeBaseUrl=${provider.baseUrlByFormat.claude}`);
+    }
+    lines.push(`  formats=${(provider.formats || []).join(", ") || provider.format || "unknown"}`);
+    lines.push(`  apiKey=${provider.apiKey || "(from env/hidden)"}`);
+    lines.push(`  models=${(provider.models || []).map((model) => {
+      const fallbacks = (model.fallbackModels || []).join("|");
+      return fallbacks ? `${model.id}{fallback:${fallbacks}}` : model.id;
+    }).join(", ") || "(none)"}`);
+  }
+
+  return lines.join("\n");
+}
+
+function runCommand(command, args, { cwd, input, envOverrides } = {}) {
+  const safeEnvOverrides = envOverrides && typeof envOverrides === "object"
+    ? envOverrides
+    : {};
+  const result = spawnSync(command, args, {
+    cwd,
+    encoding: "utf8",
+    input,
+    env: {
+      ...process.env,
+      ...safeEnvOverrides,
+      FORCE_COLOR: "0"
+    }
+  });
+
+  return {
+    ok: result.status === 0,
+    status: result.status ?? 1,
+    stdout: result.stdout || "",
+    stderr: result.stderr || "",
+    error: result.error
+  };
+}
+
+function runCommandAsync(command, args, { cwd, input, envOverrides } = {}) {
+  const safeEnvOverrides = envOverrides && typeof envOverrides === "object"
+    ? envOverrides
+    : {};
+
+  return new Promise((resolve) => {
+    const child = spawn(command, args, {
+      cwd,
+      env: {
+        ...process.env,
+        ...safeEnvOverrides,
+        FORCE_COLOR: "0"
+      },
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+
+    let stdout = "";
+    let stderr = "";
+    let spawnError = null;
+
+    if (child.stdout) {
+      child.stdout.on("data", (chunk) => {
+        stdout += String(chunk);
+      });
+    }
+
+    if (child.stderr) {
+      child.stderr.on("data", (chunk) => {
+        stderr += String(chunk);
+      });
+    }
+
+    child.on("error", (error) => {
+      spawnError = error;
+    });
+
+    child.on("close", (code) => {
+      resolve({
+        ok: code === 0,
+        status: Number.isInteger(code) ? code : 1,
+        stdout,
+        stderr,
+        error: spawnError
+      });
+    });
+
+    if (input !== undefined && input !== null) {
+      child.stdin.write(String(input));
+    }
+    child.stdin.end();
+  });
+}
+
+function runWrangler(args, { cwd, input, envOverrides } = {}) {
+  const direct = runCommand("wrangler", args, { cwd, input, envOverrides });
+  if (!direct.error) return direct;
+
+  const npxCmd = process.platform === "win32" ? "npx.cmd" : "npx";
+  return runCommand(npxCmd, ["wrangler", ...args], { cwd, input, envOverrides });
+}
+
+async function runWranglerAsync(args, { cwd, input, envOverrides } = {}) {
+  const direct = await runCommandAsync("wrangler", args, { cwd, input, envOverrides });
+  if (!direct.error) return direct;
+
+  const npxCmd = process.platform === "win32" ? "npx.cmd" : "npx";
+  return runCommandAsync(npxCmd, ["wrangler", ...args], { cwd, input, envOverrides });
+}
+
+export function resolveCloudflareApiTokenFromEnv(env = process.env) {
+  const primary = String(env?.[CLOUDFLARE_API_TOKEN_ENV_NAME] || "").trim();
+  if (primary) {
+    return {
+      token: primary,
+      source: CLOUDFLARE_API_TOKEN_ENV_NAME
+    };
+  }
+
+  const fallback = String(env?.[CLOUDFLARE_API_TOKEN_ALT_ENV_NAME] || "").trim();
+  if (fallback) {
+    return {
+      token: fallback,
+      source: CLOUDFLARE_API_TOKEN_ALT_ENV_NAME
+    };
+  }
+
+  return {
+    token: "",
+    source: "none"
+  };
+}
+
+export function buildCloudflareApiTokenSetupGuide() {
+  return [
+    `Cloudflare deploy requires ${CLOUDFLARE_API_TOKEN_ENV_NAME}.`,
+    `Create a User Profile API token in dashboard: ${CLOUDFLARE_API_TOKEN_DASHBOARD_URL}`,
+    "Do not use Account API Tokens for this deploy flow.",
+    `Token docs: ${CLOUDFLARE_API_TOKEN_GUIDE_URL}`,
+    `Recommended preset: ${CLOUDFLARE_API_TOKEN_PRESET_NAME}.`,
+    `Then set ${CLOUDFLARE_API_TOKEN_ENV_NAME} in your shell/CI environment.`
+  ].join("\n");
+}
+
+export function validateCloudflareApiTokenInput(value) {
+  const candidate = String(value || "").trim();
+  if (!candidate) return `${CLOUDFLARE_API_TOKEN_ENV_NAME} is required for deploy.`;
+  return undefined;
+}
+
+function buildCloudflareApiTokenTroubleshooting(preflightMessage = "") {
+  return [
+    preflightMessage,
+    "Required token capabilities for wrangler deploy:",
+    "- User details: Read",
+    "- User memberships: Read",
+    `- Account preset/template: ${CLOUDFLARE_API_TOKEN_PRESET_NAME}`,
+    `Verify token manually: curl \"${CLOUDFLARE_VERIFY_TOKEN_URL}\" -H \"Authorization: Bearer $${CLOUDFLARE_API_TOKEN_ENV_NAME}\"`,
+    buildCloudflareApiTokenSetupGuide()
+  ].filter(Boolean).join("\n");
+}
+
+function normalizeCloudflareMembershipAccount(entry) {
+  if (!entry || typeof entry !== "object") return null;
+  const accountObj = entry.account && typeof entry.account === "object" ? entry.account : {};
+  const accountId = String(
+    accountObj.id
+    || entry.account_id
+    || entry.accountId
+    || entry.id
+    || ""
+  ).trim();
+  if (!accountId) return null;
+
+  const accountName = String(
+    accountObj.name
+    || entry.account_name
+    || entry.accountName
+    || entry.name
+    || `Account ${accountId.slice(0, 8)}`
+  ).trim();
+
+  return {
+    accountId,
+    accountName: accountName || `Account ${accountId.slice(0, 8)}`
+  };
+}
+
+export function extractCloudflareMembershipAccounts(payload) {
+  const list = Array.isArray(payload?.result) ? payload.result : [];
+  const map = new Map();
+  for (const entry of list) {
+    const normalized = normalizeCloudflareMembershipAccount(entry);
+    if (!normalized) continue;
+    if (!map.has(normalized.accountId)) {
+      map.set(normalized.accountId, normalized);
+    }
+  }
+  return Array.from(map.values());
+}
+
+function cloudflareErrorFromPayload(payload, fallback) {
+  const base = String(fallback || "Unknown Cloudflare API error");
+  if (!payload || typeof payload !== "object") return base;
+
+  const errors = Array.isArray(payload.errors) ? payload.errors : [];
+  const first = errors.find((entry) => entry && typeof entry === "object");
+  if (!first) return base;
+
+  const code = Number.isFinite(first.code) ? `code ${first.code}` : "";
+  const message = String(first.message || first.error || "").trim();
+  if (code && message) return `${message} (${code})`;
+  if (message) return message;
+  if (code) return code;
+  return base;
+}
+
+export function evaluateCloudflareTokenVerifyResult(payload) {
+  const status = String(payload?.result?.status || "").toLowerCase();
+  const active = payload?.success === true && status === "active";
+  if (active) {
+    return { ok: true, message: "Token is active." };
+  }
+  return {
+    ok: false,
+    message: cloudflareErrorFromPayload(
+      payload,
+      "Token verification failed. Ensure token is valid and active."
+    )
+  };
+}
+
+export function evaluateCloudflareMembershipsResult(payload) {
+  if (payload?.success !== true || !Array.isArray(payload?.result)) {
+    return {
+      ok: false,
+      message: cloudflareErrorFromPayload(
+        payload,
+        "Could not list Cloudflare memberships for this token."
+      )
+    };
+  }
+
+  if (payload.result.length === 0) {
+    return {
+      ok: false,
+      message: "Token can authenticate but has no accessible memberships."
+    };
+  }
+
+  const accounts = extractCloudflareMembershipAccounts(payload);
+  return {
+    ok: true,
+    message: `Token has access to ${payload.result.length} membership(s).`,
+    count: payload.result.length,
+    accounts
+  };
+}
+
+async function cloudflareApiGetJson(url, token) {
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`
+      },
+      signal: typeof AbortSignal !== "undefined" && typeof AbortSignal.timeout === "function"
+        ? AbortSignal.timeout(CLOUDFLARE_API_PREFLIGHT_TIMEOUT_MS)
+        : undefined
+    });
+    const rawText = await response.text();
+    const payload = parseJsonSafely(rawText) || {};
+    return {
+      ok: response.ok,
+      status: response.status,
+      payload
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      status: 0,
+      payload: null,
+      error: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+
+async function preflightCloudflareApiToken(token) {
+  const verified = await cloudflareApiGetJson(CLOUDFLARE_VERIFY_TOKEN_URL, token);
+  if (verified.status === 0) {
+    return {
+      ok: false,
+      stage: "verify",
+      message: `Cloudflare token preflight failed while verifying token: ${verified.error || "network error"}`
+    };
+  }
+
+  const verifyEval = evaluateCloudflareTokenVerifyResult(verified.payload);
+  if (!verified.ok || !verifyEval.ok) {
+    return {
+      ok: false,
+      stage: "verify",
+      message: `Cloudflare token verification failed: ${verifyEval.message}`
+    };
+  }
+
+  const memberships = await cloudflareApiGetJson(CLOUDFLARE_MEMBERSHIPS_URL, token);
+  if (memberships.status === 0) {
+    return {
+      ok: false,
+      stage: "memberships",
+      message: `Cloudflare token preflight failed while checking memberships: ${memberships.error || "network error"}`
+    };
+  }
+
+  const membershipEval = evaluateCloudflareMembershipsResult(memberships.payload);
+  if (!memberships.ok || !membershipEval.ok) {
+    return {
+      ok: false,
+      stage: "memberships",
+      message: `Cloudflare memberships check failed: ${membershipEval.message}`
+    };
+  }
+
+  return {
+    ok: true,
+    stage: "ready",
+    message: membershipEval.message,
+    memberships: membershipEval.accounts || []
+  };
+}
+
+function buildWranglerCloudflareEnv({
+  apiToken,
+  accountId
+} = {}) {
+  const env = {};
+  const token = String(apiToken || "").trim();
+  if (token) env[CLOUDFLARE_API_TOKEN_ENV_NAME] = token;
+  const account = String(accountId || "").trim();
+  if (account) env[CLOUDFLARE_ACCOUNT_ID_ENV_NAME] = account;
+  return Object.keys(env).length > 0 ? env : undefined;
+}
+
+function formatCloudflareAccountOptions(accounts = []) {
+  return (accounts || []).map((entry) => `\`${entry.accountName}\`: \`${entry.accountId}\``);
+}
+
+export function hasNoDeployTargets(outputText = "") {
+  return /no deploy targets/i.test(String(outputText || ""));
+}
+
+function parseOptionalBoolean(value) {
+  if (value === undefined || value === null || value === "") return undefined;
+  return toBoolean(value, false);
+}
+
+function parseTomlStringField(text, key) {
+  const pattern = new RegExp(`^\\s*${key}\\s*=\\s*["']([^"']+)["']\\s*$`, "m");
+  const match = String(text || "").match(pattern);
+  return match?.[1] ? String(match[1]).trim() : "";
+}
+
+function topLevelTomlLineInfo(text = "") {
+  const lines = String(text || "").split(/\r?\n/g);
+  const info = [];
+  let currentSection = "";
+
+  for (let index = 0; index < lines.length; index += 1) {
+    const line = lines[index];
+    const trimmed = line.trim();
+    if (/^\s*\[.*\]\s*$/.test(line)) {
+      currentSection = trimmed;
+    }
+    info.push({
+      index,
+      line,
+      trimmed,
+      section: currentSection
+    });
+  }
+
+  return info;
+}
+
+export function hasWranglerDeployTargetConfigured(tomlText = "") {
+  const info = topLevelTomlLineInfo(tomlText);
+
+  const hasTopLevelWorkersDev = info.some((entry) =>
+    entry.section === "" && /^\s*workers_dev\s*=\s*true\s*$/i.test(entry.line)
+  );
+  if (hasTopLevelWorkersDev) return true;
+
+  const hasTopLevelRoute = info.some((entry) =>
+    entry.section === "" && /^\s*route\s*=\s*["'][^"']+["']\s*$/i.test(entry.line)
+  );
+  if (hasTopLevelRoute) return true;
+
+  const hasTopLevelRoutes = info.some((entry) =>
+    entry.section === "" && /^\s*routes\s*=\s*\[/i.test(entry.line)
+  );
+  if (hasTopLevelRoutes) return true;
+
+  return false;
+}
+
+function stripNonTopLevelRouteDeclarations(text = "") {
+  const lines = String(text || "").split(/\r?\n/g);
+  const output = [];
+  let currentSection = "";
+  let skippingRoutesArray = false;
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+
+    if (/^\s*\[.*\]\s*$/.test(line)) {
+      currentSection = trimmed;
+      skippingRoutesArray = false;
+      output.push(line);
+      continue;
+    }
+
+    if (currentSection && /^\s*route\s*=/.test(line)) {
+      continue;
+    }
+
+    if (currentSection && /^\s*routes\s*=\s*\[/.test(line)) {
+      skippingRoutesArray = true;
+      if (line.includes("]")) {
+        skippingRoutesArray = false;
+      }
+      continue;
+    }
+
+    if (skippingRoutesArray) {
+      if (trimmed.includes("]")) {
+        skippingRoutesArray = false;
+      }
+      continue;
+    }
+
+    output.push(line);
+  }
+
+  return output.join("\n");
+}
+
+function insertTopLevelBlockBeforeFirstSection(text = "", block = "") {
+  const source = String(text || "");
+  const blockText = String(block || "").trim();
+  if (!blockText) return source;
+
+  const lines = source.split(/\r?\n/g);
+  const firstSectionIndex = lines.findIndex((line) => /^\s*\[.*\]\s*$/.test(line));
+  if (firstSectionIndex < 0) {
+    const prefix = source.trimEnd();
+    return `${prefix}${prefix ? "\n" : ""}${blockText}\n`;
+  }
+
+  const before = lines.slice(0, firstSectionIndex).join("\n").trimEnd();
+  const after = lines.slice(firstSectionIndex).join("\n").trimStart();
+  return `${before}${before ? "\n" : ""}${blockText}\n\n${after}\n`;
+}
+
+function upsertTomlBooleanField(text, key, value) {
+  const normalized = String(text || "");
+  const replacement = `${key} = ${value ? "true" : "false"}`;
+  if (new RegExp(`^\\s*${key}\\s*=`, "m").test(normalized)) {
+    return normalized.replace(new RegExp(`^\\s*${key}\\s*=.*$`, "m"), replacement);
+  }
+  return `${normalized.trimEnd()}\n${replacement}\n`;
+}
+
+function stripTopLevelRouteDeclarations(text = "") {
+  const lines = String(text || "").split(/\r?\n/g);
+  const output = [];
+  let currentSection = "";
+  let skippingRoutesArray = false;
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+
+    if (/^\s*\[.*\]\s*$/.test(line)) {
+      currentSection = trimmed;
+      skippingRoutesArray = false;
+      output.push(line);
+      continue;
+    }
+
+    if (!currentSection && /^\s*route\s*=/.test(line)) {
+      continue;
+    }
+
+    if (!currentSection && /^\s*routes\s*=\s*\[/.test(line)) {
+      skippingRoutesArray = true;
+      if (line.includes("]")) {
+        skippingRoutesArray = false;
+      }
+      continue;
+    }
+
+    if (skippingRoutesArray) {
+      if (trimmed.includes("]")) {
+        skippingRoutesArray = false;
+      }
+      continue;
+    }
+
+    output.push(line);
+  }
+
+  return output.join("\n");
+}
+
+export function normalizeWranglerRoutePattern(value) {
+  const raw = String(value || "").trim();
+  if (!raw) return "";
+
+  let candidate = raw;
+  if (/^https?:\/\//i.test(candidate)) {
+    try {
+      const parsed = new URL(candidate);
+      candidate = `${parsed.hostname}${parsed.pathname || "/"}`;
+    } catch {
+      return "";
+    }
+  }
+
+  if (candidate.startsWith("/")) return "";
+  if (!candidate.includes("*")) {
+    if (candidate.endsWith("/")) candidate = `${candidate}*`;
+    else if (!candidate.includes("/")) candidate = `${candidate}/*`;
+  }
+
+  return candidate;
+}
+
+export function buildDefaultWranglerTomlForDeploy({
+  name = "llm-router-route",
+  main = "src/index.js",
+  compatibilityDate = "2024-01-01",
+  useWorkersDev = false,
+  routePattern = "",
+  zoneName = ""
+} = {}) {
+  const lines = [
+    `name = "${String(name || "llm-router-route")}"`,
+    `main = "${String(main || "src/index.js")}"`,
+    `compatibility_date = "${String(compatibilityDate || "2024-01-01")}"`,
+    `workers_dev = ${useWorkersDev ? "true" : "false"}`
+  ];
+
+  const normalizedPattern = normalizeWranglerRoutePattern(routePattern);
+  const normalizedZone = String(zoneName || "").trim();
+  if (!useWorkersDev && normalizedPattern && normalizedZone) {
+    lines.push("routes = [");
+    lines.push(`  { pattern = "${normalizedPattern}", zone_name = "${normalizedZone}" }`);
+    lines.push("]");
+  }
+
+  lines.push("preview_urls = false");
+  lines.push("");
+  lines.push("[vars]");
+  lines.push('ENVIRONMENT = "production"');
+  lines.push("");
+  return `${lines.join("\n")}`;
+}
+
+export function applyWranglerDeployTargetToToml(existingToml, {
+  useWorkersDev = false,
+  routePattern = "",
+  zoneName = "",
+  replaceExistingTarget = false
+} = {}) {
+  let next = String(existingToml || "");
+  next = stripNonTopLevelRouteDeclarations(next);
+  if (replaceExistingTarget) {
+    next = stripTopLevelRouteDeclarations(next);
+  }
+  next = upsertTomlBooleanField(next, "workers_dev", useWorkersDev);
+
+  if (!useWorkersDev) {
+    const normalizedPattern = normalizeWranglerRoutePattern(routePattern);
+    const normalizedZone = String(zoneName || "").trim();
+    if (normalizedPattern && normalizedZone && (replaceExistingTarget || !hasWranglerDeployTargetConfigured(next))) {
+      const routeBlock = `routes = [\n  { pattern = "${normalizedPattern}", zone_name = "${normalizedZone}" }\n]`;
+      next = insertTopLevelBlockBeforeFirstSection(next, routeBlock);
+    }
+  }
+
+  if (!/^\s*preview_urls\s*=/mi.test(next)) {
+    next = `${next.trimEnd()}\npreview_urls = false\n`;
+  }
+
+  return `${next.trimEnd()}\n`;
+}
+
+async function createTemporaryWranglerConfigFile(projectDir, tomlText) {
+  await fsPromises.mkdir(projectDir, { recursive: true });
+  const suffix = `${Date.now()}-${randomBytes(4).toString("hex")}`;
+  const wranglerConfigPath = path.join(projectDir, `.llm-router.deploy.${suffix}.wrangler.toml`);
+  await fsPromises.writeFile(wranglerConfigPath, String(tomlText || ""), "utf8");
+
+  let cleaned = false;
+  return {
+    wranglerConfigPath,
+    async cleanup() {
+      if (cleaned) return;
+      cleaned = true;
+      try {
+        await fsPromises.unlink(wranglerConfigPath);
+      } catch (error) {
+        if (!error || error.code !== "ENOENT") {
+          throw error;
+        }
+      }
+    }
+  };
+}
+
+async function prepareWranglerDeployConfig(context, {
+  projectDir,
+  args = {},
+  cloudflareApiToken = "",
+  cloudflareAccountId = "",
+  wait = async (_label, fn) => fn()
+} = {}) {
+  const wranglerPath = path.join(projectDir, "wrangler.toml");
+  const line = typeof context?.terminal?.line === "function"
+    ? context.terminal.line.bind(context.terminal)
+    : console.log;
+
+  let exists = false;
+  let currentToml = "";
+  try {
+    currentToml = await fsPromises.readFile(wranglerPath, "utf8");
+    exists = true;
+  } catch {
+    exists = false;
+    currentToml = "";
+  }
+
+  const workersDevArg = parseOptionalBoolean(readArg(args, ["workers-dev", "workersDev"], undefined));
+  const zoneNameArg = String(readArg(args, ["zone-name", "zoneName"], "") || "").trim();
+  const routePatternArgRaw = String(readArg(args, ["route-pattern", "routePattern"], "") || "").trim();
+  const domainArgRaw = String(readArg(args, ["domain"], "") || "").trim();
+  const routePatternArg = normalizeWranglerRoutePattern(routePatternArgRaw || domainArgRaw);
+  const hasExistingTarget = exists && hasWranglerDeployTargetConfigured(currentToml);
+  const hasExplicitTargetArgs = workersDevArg !== undefined || Boolean(routePatternArg) || Boolean(zoneNameArg);
+
+  if (workersDevArg === undefined && ((routePatternArg && !zoneNameArg) || (!routePatternArg && zoneNameArg))) {
+    return {
+      ok: false,
+      errorMessage: "Custom route deploy target requires both --route-pattern (or --domain) and --zone-name."
+    };
+  }
+
+  if (hasExistingTarget && !hasExplicitTargetArgs) {
+    const tempConfig = await createTemporaryWranglerConfigFile(projectDir, currentToml);
+    return {
+      ok: true,
+      wranglerPath,
+      wranglerConfigPath: tempConfig.wranglerConfigPath,
+      cleanup: tempConfig.cleanup,
+      changed: false,
+      message: ""
+    };
+  }
+
+  let useWorkersDev = workersDevArg === true;
+  let routePattern = routePatternArg;
+  let zoneName = zoneNameArg;
+
+  if (workersDevArg === false && (!routePattern || !zoneName)) {
+    return {
+      ok: false,
+      errorMessage: "workers-dev=false requires both --route-pattern and --zone-name."
+    };
+  }
+
+  if (workersDevArg !== true && (!routePattern || !zoneName)) {
+    if (!canPrompt()) {
+      return {
+        ok: false,
+        errorMessage: [
+          "Wrangler deploy target is not configured.",
+          "Provide one of:",
+          "- --workers-dev=true (quick public workers.dev URL), or",
+          "- --route-pattern=router.example.com/* --zone-name=example.com (custom domain route)."
+        ].join("\n")
+      };
+    }
+
+    const targetMode = await context.prompts.select({
+      message: "No deploy target found. Choose deploy target mode",
+      options: [
+        { value: "workers-dev", label: "Use workers.dev URL (quick start)" },
+        { value: "custom-route", label: "Use custom domain route (production)" }
+      ]
+    });
+
+    if (targetMode === "workers-dev") {
+      useWorkersDev = true;
+      routePattern = "";
+      zoneName = "";
+    } else {
+      const promptedHost = await context.prompts.text({
+        message: "Custom domain host (example: llm.example.com)",
+        required: true,
+        validate: (value) => {
+          const normalized = extractHostnameFromRoutePattern(value);
+          if (!normalized || !normalized.includes(".")) return "Enter a valid domain hostname.";
+          return undefined;
+        }
+      });
+
+      const normalizedHost = extractHostnameFromRoutePattern(promptedHost);
+      const suggestedRoutePattern = normalizeWranglerRoutePattern(`${normalizedHost}/*`);
+      const zones = cloudflareApiToken
+        ? await wait("Loading Cloudflare zones...", () => cloudflareListZones(cloudflareApiToken, cloudflareAccountId), { doneMessage: "Cloudflare zones loaded." })
+        : [];      const suggestedZoneFromApi = suggestZoneNameForHostname(normalizedHost, zones);
+      const suggestedZone = suggestedZoneFromApi || inferZoneNameFromHostname(normalizedHost);
+
+      const promptedRoute = await context.prompts.text({
+        message: "Route pattern (example: llm.example.com/*)",
+        required: true,
+        initialValue: suggestedRoutePattern,
+        validate: (value) => {
+          const normalized = normalizeWranglerRoutePattern(value);
+          if (!normalized) return "Enter a valid route pattern.";
+          return undefined;
+        }
+      });
+      const promptedZone = await context.prompts.text({
+        message: "Zone name (example: example.com)",
+        required: true,
+        initialValue: suggestedZone,
+        validate: (value) => String(value || "").trim() ? undefined : "Zone name is required."
+      });
+      useWorkersDev = false;
+      routePattern = normalizeWranglerRoutePattern(promptedRoute);
+      zoneName = String(promptedZone || "").trim();
+
+      const routeHost = extractHostnameFromRoutePattern(routePattern);
+      if (routeHost && zoneName && !isHostnameUnderZone(routeHost, zoneName)) {
+        const proceedMismatch = await context.prompts.confirm({
+          message: `Route host ${routeHost} does not appear under zone ${zoneName}. Continue anyway?`,
+          initialValue: false
+        });
+        if (!proceedMismatch) {
+          return {
+            ok: false,
+            errorMessage: "Cancelled due to route host and zone mismatch."
+          };
+        }
+      }
+    }
+  }
+
+  const nextToml = exists
+    ? applyWranglerDeployTargetToToml(currentToml, {
+      useWorkersDev,
+      routePattern,
+      zoneName,
+      replaceExistingTarget: hasExplicitTargetArgs
+    })
+    : buildDefaultWranglerTomlForDeploy({
+      name: parseTomlStringField(currentToml, "name") || "llm-router-route",
+      main: parseTomlStringField(currentToml, "main") || "src/index.js",
+      compatibilityDate: parseTomlStringField(currentToml, "compatibility_date") || "2024-01-01",
+      useWorkersDev,
+      routePattern,
+      zoneName
+    });
+
+  const tempConfig = await createTemporaryWranglerConfigFile(projectDir, nextToml);
+
+  if (useWorkersDev) {
+    line("Prepared temporary deploy target: workers_dev=true");
+  } else {
+    line(`Prepared temporary deploy target: route=${routePattern} zone=${zoneName}`);
+    line(buildCloudflareDnsManualGuide({
+      hostname: extractHostnameFromRoutePattern(routePattern),
+      zoneName,
+      routePattern
+    }));
+  }
+
+  return {
+    ok: true,
+    wranglerPath,
+    wranglerConfigPath: tempConfig.wranglerConfigPath,
+    cleanup: tempConfig.cleanup,
+    changed: true,
+    routePattern,
+    zoneName,
+    useWorkersDev,
+    message: useWorkersDev
+      ? "Using workers.dev deploy target (temporary config)."
+      : `Using custom route deploy target (${routePattern}) with temporary config.`
+  };
+}
+
+
+function normalizeHostname(value) {
+  return String(value || "")
+    .trim()
+    .toLowerCase()
+    .replace(/^https?:\/\//, "")
+    .replace(/\/.*$/, "")
+    .replace(/:\d+$/, "")
+    .replace(/\.$/, "");
+}
+
+export function extractHostnameFromRoutePattern(value) {
+  const route = String(value || "").trim();
+  if (!route) return "";
+
+  if (/^https?:\/\//i.test(route)) {
+    try {
+      return normalizeHostname(new URL(route).hostname);
+    } catch {
+      return "";
+    }
+  }
+
+  const left = route.split("/")[0] || "";
+  return normalizeHostname(left.replace(/\*+$/g, ""));
+}
+
+export function inferZoneNameFromHostname(hostname) {
+  const host = normalizeHostname(hostname);
+  if (!host || !host.includes(".")) return "";
+  const labels = host.split(".").filter(Boolean);
+  if (labels.length <= 2) return host;
+  return labels.slice(-2).join(".");
+}
+
+export function isHostnameUnderZone(hostname, zoneName) {
+  const host = normalizeHostname(hostname);
+  const zone = normalizeHostname(zoneName);
+  if (!host || !zone) return false;
+  return host === zone || host.endsWith(`.${zone}`);
+}
+
+export function suggestZoneNameForHostname(hostname, zones = []) {
+  const host = normalizeHostname(hostname);
+  if (!host) return "";
+
+  let best = "";
+  for (const zone of zones || []) {
+    const candidate = normalizeHostname(zone?.name || zone);
+    if (!candidate) continue;
+    if (host === candidate || host.endsWith(`.${candidate}`)) {
+      if (!best || candidate.length > best.length) {
+        best = candidate;
+      }
+    }
+  }
+  return best;
+}
+
+export function buildCloudflareDnsManualGuide({
+  hostname = "",
+  zoneName = "",
+  routePattern = ""
+} = {}) {
+  const host = normalizeHostname(hostname || extractHostnameFromRoutePattern(routePattern));
+  const zone = normalizeHostname(zoneName || inferZoneNameFromHostname(host));
+  const subdomain = host && zone && host.endsWith(`.${zone}`)
+    ? host.slice(0, -(`.${zone}`).length)
+    : "";
+  const label = subdomain || "<subdomain>";
+
+  return [
+    "Custom domain checklist:",
+    `- Route target: ${routePattern || `${host || "<host>"}/*`} (zone: ${zone || "<zone>"})`,
+    `- DNS: create/update CNAME \`${label}\` -> \`@\` in zone \`${zone || "<zone>"}\``,
+    "- Proxy status must be ON (orange cloud / proxied)",
+    host ? `- Verify DNS: dig +short ${host} @1.1.1.1` : "- Verify DNS: dig +short <host> @1.1.1.1",
+    host ? `- Verify HTTP: curl -I https://${host}/anthropic` : "- Verify HTTP: curl -I https://<host>/anthropic",
+    "- Claude base URL must NOT include :8787 for Cloudflare Worker deployments"
+  ].join("\n");
+}
+
+async function cloudflareListZones(token, accountId = "") {
+  const params = new URLSearchParams({ per_page: "50" });
+  if (accountId) params.set("account.id", accountId);
+  const result = await cloudflareApiGetJson(`${CLOUDFLARE_ZONES_URL}?${params.toString()}`, token);
+  if (!result.ok || !Array.isArray(result.payload?.result)) return [];
+  return result.payload.result
+    .map((zone) => ({ id: String(zone?.id || "").trim(), name: normalizeHostname(zone?.name || "") }))
+    .filter((zone) => zone.id && zone.name);
+}
+function parseJsonSafely(value) {
+  const text = String(value || "").trim();
+  if (!text) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+
+function collectCloudflareTierSignals(value, out = [], depth = 0, parentKey = "") {
+  if (depth > 6 || value === null || value === undefined) return out;
+
+  if (typeof value === "string") {
+    if (/(plan|tier|subscription|type|account|membership|name)/i.test(parentKey)) {
+      const normalized = value.trim().toLowerCase();
+      if (normalized) out.push(normalized);
+    }
+    return out;
+  }
+
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      collectCloudflareTierSignals(item, out, depth + 1, parentKey);
+    }
+    return out;
+  }
+
+  if (typeof value === "object") {
+    for (const [key, child] of Object.entries(value)) {
+      collectCloudflareTierSignals(child, out, depth + 1, key);
+    }
+  }
+
+  return out;
+}
+
+export function inferCloudflareTierFromWhoami(payload) {
+  if (!payload || typeof payload !== "object") {
+    return {
+      tier: "unknown",
+      reason: "invalid-payload",
+      signals: []
+    };
+  }
+
+  if (payload.loggedIn === false) {
+    return {
+      tier: "unknown",
+      reason: "not-logged-in",
+      signals: []
+    };
+  }
+
+  const signals = [...new Set(collectCloudflareTierSignals(payload))]
+    .slice(0, 12);
+  const freeSignals = signals.filter((entry) => CLOUDFLARE_FREE_TIER_PATTERN.test(entry));
+  const paidSignals = signals.filter((entry) => CLOUDFLARE_PAID_TIER_PATTERN.test(entry));
+
+  if (freeSignals.length > 0 && paidSignals.length > 0) {
+    return {
+      tier: "unknown",
+      reason: "ambiguous-tier",
+      signals
+    };
+  }
+
+  if (freeSignals.length > 0) {
+    return {
+      tier: "free",
+      reason: "detected-free",
+      signals
+    };
+  }
+
+  if (paidSignals.length > 0) {
+    return {
+      tier: "paid",
+      reason: "detected-paid",
+      signals
+    };
+  }
+
+  return {
+    tier: "unknown",
+    reason: "tier-not-found",
+    signals
+  };
+}
+
+function detectCloudflareTierViaWrangler(projectDir, cfEnv = "", apiToken = "", accountId = "") {
+  const args = ["whoami", "--json"];
+  if (cfEnv) args.push("--env", cfEnv);
+
+  const result = runWranglerWithNpx(args, {
+    cwd: projectDir,
+    envOverrides: buildWranglerCloudflareEnv({
+      apiToken,
+      accountId
+    })
+  });
+  const parsed = parseJsonSafely(result.stdout) || parseJsonSafely(result.stderr);
+  if (!parsed) {
+    const errorText = `${result.stderr || ""}\n${result.stdout || ""}`.toLowerCase();
+    const reason = errorText.includes("unknown argument: json")
+      ? "whoami-json-not-supported"
+      : (result.ok ? "whoami-unparseable" : "whoami-failed");
+    return {
+      tier: "unknown",
+      reason,
+      signals: [],
+      source: "npx wrangler whoami --json"
+    };
+  }
+
+  return {
+    ...inferCloudflareTierFromWhoami(parsed),
+    source: "npx wrangler whoami --json"
+  };
+}
+
+export function shouldConfirmLargeWorkerConfigDeploy({ payloadBytes, tier }) {
+  if (!Number.isFinite(payloadBytes)) return false;
+  if (payloadBytes <= CLOUDFLARE_FREE_SECRET_SIZE_LIMIT_BYTES) return false;
+  return String(tier || "unknown") !== "paid";
+}
+
+function formatCloudflareTierLabel(tierReport) {
+  if (tierReport?.tier === "free") return "free";
+  if (tierReport?.tier === "paid") return "paid";
+  return "unknown";
+}
+
+function buildLargeWorkerConfigWarningLines({ payloadBytes, tierReport }) {
+  const lines = [
+    `LLM_ROUTER_CONFIG_JSON payload is ${payloadBytes} bytes, above Cloudflare Free tier limit (${CLOUDFLARE_FREE_SECRET_SIZE_LIMIT_BYTES} bytes).`
+  ];
+
+  if (tierReport?.tier === "free") {
+    lines.push("Detected Cloudflare tier: free.");
+  } else if (tierReport?.tier === "paid") {
+    lines.push("Detected Cloudflare tier: paid (no free-tier block expected).");
+  } else {
+    lines.push("Could not reliably determine Cloudflare tier.");
+    lines.push(`Tier check reason: ${tierReport?.reason || "unknown"}.`);
+  }
+
+  return lines;
+}
+
+function runNpmInstallLatest(packageName) {
+  const npmCmd = process.platform === "win32" ? "npm.cmd" : "npm";
+  return runCommand(npmCmd, ["install", "-g", `${packageName}@latest`]);
+}
+
+async function stopRunningInstance() {
+  const active = await getActiveRuntimeState();
+  if (active?.managedByStartup) {
+    const stopped = await stopStartup();
+    await clearRuntimeState();
+    return {
+      ok: true,
+      mode: "startup",
+      detail: stopped
+    };
+  }
+
+  if (active) {
+    const stopped = await stopProcessByPid(active.pid);
+    if (!stopped.ok) {
+      return {
+        ok: false,
+        mode: "manual",
+        reason: stopped.reason || `Failed stopping pid ${active.pid}.`
+      };
+    }
+    await clearRuntimeState({ pid: active.pid });
+    return {
+      ok: true,
+      mode: "manual",
+      detail: {
+        pid: active.pid,
+        signal: stopped.signal || "SIGTERM"
+      }
+    };
+  }
+
+  const startup = await startupStatus();
+  if (startup.running) {
+    const stopped = await stopStartup();
+    await clearRuntimeState();
+    return {
+      ok: true,
+      mode: "startup",
+      detail: stopped
+    };
+  }
+
+  return {
+    ok: true,
+    mode: "none",
+    detail: null
+  };
+}
+
+async function reloadRunningInstance({
+  terminalLine = () => {},
+  terminalError = () => {},
+  runDetachedForManual = false
+} = {}) {
+  const active = await getActiveRuntimeState();
+  if (active?.managedByStartup) {
+    const restarted = await restartStartup();
+    await clearRuntimeState();
+    return {
+      ok: true,
+      mode: "startup",
+      detail: restarted
+    };
+  }
+
+  if (active) {
+    const stopped = await stopProcessByPid(active.pid);
+    if (!stopped.ok) {
+      return {
+        ok: false,
+        mode: "manual",
+        reason: stopped.reason || `Failed stopping pid ${active.pid}.`
+      };
+    }
+    await clearRuntimeState({ pid: active.pid });
+    const startArgs = buildStartArgsFromState(active);
+
+    if (runDetachedForManual) {
+      const pid = spawnDetachedStart({
+        cliPath: active.cliPath || process.argv[1],
+        ...startArgs
+      });
+      return {
+        ok: true,
+        mode: "manual-detached",
+        detail: {
+          pid,
+          ...startArgs
+        }
+      };
+    }
+
+    const restarted = await runStartCommand({
+      ...startArgs,
+      cliPathForWatch: process.argv[1],
+      onLine: terminalLine,
+      onError: terminalError
+    });
+
+    return {
+      ok: restarted.ok,
+      mode: "manual-inline",
+      detail: restarted
+    };
+  }
+
+  const startup = await startupStatus();
+  if (startup.running) {
+    const restarted = await restartStartup();
+    await clearRuntimeState();
+    return {
+      ok: true,
+      mode: "startup",
+      detail: restarted
+    };
+  }
+
+  return {
+    ok: false,
+    mode: "none",
+    reason: "No running llm-router instance detected."
+  };
+}
+
+function removeModelFromConfig(config, providerId, modelId) {
+  const next = structuredClone(config);
+  const provider = next.providers.find((p) => p.id === providerId);
+  if (!provider) return { config: next, changed: false, reason: `Provider '${providerId}' not found.` };
+
+  const before = provider.models.length;
+  provider.models = provider.models.filter((m) => m.id !== modelId && !(m.aliases || []).includes(modelId));
+  const changed = provider.models.length !== before;
+
+  if (!changed) {
+    return { config: next, changed: false, reason: `Model '${modelId}' not found under '${providerId}'.` };
+  }
+
+  if (next.defaultModel && next.defaultModel.startsWith(`${providerId}/`)) {
+    const exact = next.defaultModel.slice(providerId.length + 1);
+    if (exact === modelId) {
+      next.defaultModel = provider.models[0] ? `${providerId}/${provider.models[0].id}` : undefined;
+    }
+  }
+
+  return { config: next, changed: true };
+}
+
+function resolveProviderAndModel(config, providerId, modelId) {
+  const provider = (config.providers || []).find((item) => item.id === providerId);
+  if (!provider) {
+    return { provider: null, model: null, reason: `Provider '${providerId}' not found.` };
+  }
+
+  const model = (provider.models || []).find((item) => item.id === modelId || (item.aliases || []).includes(modelId));
+  if (!model) {
+    return { provider, model: null, reason: `Model '${modelId}' not found under '${providerId}'.` };
+  }
+
+  return { provider, model, reason: "" };
+}
+
+function listFallbackModelOptions(config, providerId, modelId) {
+  const self = `${providerId}/${modelId}`;
+  const options = [];
+
+  for (const provider of (config.providers || [])) {
+    for (const model of (provider.models || [])) {
+      const qualified = `${provider.id}/${model.id}`;
+      if (qualified === self) continue;
+      options.push({
+        value: qualified,
+        label: qualified
+      });
+    }
+  }
+
+  return options;
+}
+
+function setModelFallbacksInConfig(config, providerId, modelId, fallbackModels) {
+  const next = structuredClone(config);
+  const resolved = resolveProviderAndModel(next, providerId, modelId);
+  if (!resolved.provider || !resolved.model) {
+    return { config: next, changed: false, reason: resolved.reason || "Provider/model not found." };
+  }
+
+  const canonicalModelId = resolved.model.id;
+  const options = listFallbackModelOptions(next, providerId, canonicalModelId);
+  const availableSet = new Set(options.map((option) => option.value));
+  const nextFallbacks = dedupeList((fallbackModels || []).map((entry) => String(entry || "").trim()).filter(Boolean));
+  const invalidEntries = nextFallbacks.filter((entry) => !availableSet.has(entry));
+  if (invalidEntries.length > 0) {
+    return {
+      config: next,
+      changed: false,
+      reason: `Invalid fallback model(s): ${invalidEntries.join(", ")}.`,
+      invalidEntries
+    };
+  }
+
+  const currentFallbacks = dedupeList(resolved.model.fallbackModels || []);
+  const changed = currentFallbacks.join("\n") !== nextFallbacks.join("\n");
+  resolved.model.fallbackModels = nextFallbacks;
+
+  return {
+    config: next,
+    changed,
+    reason: "",
+    modelId: canonicalModelId,
+    fallbackModels: nextFallbacks
+  };
+}
+
+function setMasterKeyInConfig(config, masterKey) {
+  return {
+    ...config,
+    masterKey
+  };
+}
+
+async function resolveUpsertInput(context, existingConfig) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const providers = existingConfig.providers || [];
+
+  const argProviderId = String(readArg(args, ["provider-id", "providerId"], "") || "");
+  let selectedExisting = null;
+
+  if (canPrompt() && !argProviderId && providers.length > 0) {
+    const choice = await context.prompts.select({
+      message: "Provider config action",
+      options: [
+        { value: "__new__", label: "Add new provider" },
+        ...providers.map((provider) => ({
+          value: provider.id,
+          label: `Edit ${provider.id}`,
+          hint: `${provider.baseUrl}`
+        }))
+      ]
+    });
+    if (choice !== "__new__") {
+      selectedExisting = providers.find((p) => p.id === choice) || null;
+    }
+  } else if (argProviderId) {
+    selectedExisting = providers.find((p) => p.id === argProviderId) || null;
+  }
+
+  const baseProviderId = argProviderId || selectedExisting?.id || "";
+  const baseName = String(readArg(args, ["name"], selectedExisting?.name || "") || "");
+  const baseUrl = String(readArg(args, ["base-url", "baseUrl"], selectedExisting?.baseUrl || "") || "");
+  const baseEndpoints = parseEndpointListInput(readArg(
+    args,
+    ["endpoints"],
+    providerEndpointsFromConfig(selectedExisting).join(",")
+  ));
+  const baseOpenAIBaseUrl = String(readArg(
+    args,
+    ["openai-base-url", "openaiBaseUrl"],
+    selectedExisting?.baseUrlByFormat?.openai || ""
+  ) || "");
+  const baseClaudeBaseUrl = String(readArg(
+    args,
+    ["claude-base-url", "claudeBaseUrl", "anthropic-base-url", "anthropicBaseUrl"],
+    selectedExisting?.baseUrlByFormat?.claude || ""
+  ) || "");
+  const baseApiKey = String(readArg(args, ["api-key", "apiKey"], "") || "");
+  const baseModels = String(readArg(args, ["models"], (selectedExisting?.models || []).map((m) => m.id).join(",")) || "");
+  const baseFormat = String(readArg(args, ["format"], selectedExisting?.format || "") || "");
+  const baseFormats = parseModelListInput(readArg(args, ["formats"], (selectedExisting?.formats || []).join(",")));
+  const hasHeadersArg = args.headers !== undefined;
+  const baseHeaders = readArg(args, ["headers"], selectedExisting?.headers ? JSON.stringify(selectedExisting.headers) : "");
+  const shouldProbe = !toBoolean(readArg(args, ["skip-probe", "skipProbe"], false), false);
+  const setMasterKeyFlag = toBoolean(readArg(args, ["set-master-key", "setMasterKey"], false), false);
+  const providedMasterKey = String(readArg(args, ["master-key", "masterKey"], "") || "");
+  const parsedHeaders = applyDefaultHeaders(
+    parseJsonObjectArg(baseHeaders, "--headers"),
+    { force: !hasHeadersArg }
+  );
+
+  if (!canPrompt()) {
+    return {
+      configPath,
+      providerId: baseProviderId || slugifyId(baseName || "provider"),
+      name: baseName,
+      baseUrl,
+      endpoints: baseEndpoints,
+      openaiBaseUrl: baseOpenAIBaseUrl,
+      claudeBaseUrl: baseClaudeBaseUrl,
+      apiKey: baseApiKey || selectedExisting?.apiKey || "",
+      models: parseProviderModelListInput(baseModels),
+      format: baseFormat,
+      formats: baseFormats,
+      headers: parsedHeaders,
+      shouldProbe,
+      setMasterKey: setMasterKeyFlag || Boolean(providedMasterKey),
+      masterKey: providedMasterKey
+    };
+  }
+
+  printProviderInputGuidance(context);
+
+  const name = baseName || await context.prompts.text({
+    message: "Provider Friendly Name (unique, shown in management screen)",
+    required: true,
+    placeholder: "OpenRouter Primary",
+    validate: (value) => {
+      const candidate = String(value || "").trim();
+      if (!candidate) return "Provider Friendly Name is required.";
+      const duplicate = findProviderByFriendlyName(providers, candidate, { excludeId: selectedExisting?.id || baseProviderId });
+      if (duplicate) return `Provider Friendly Name '${candidate}' already exists (provider-id: ${duplicate.id}). Use a unique name.`;
+      return undefined;
+    }
+  });
+
+  const providerId = baseProviderId || await context.prompts.text({
+    message: "Provider ID (auto-slug from Friendly Name; editable)",
+    required: true,
+    initialValue: slugifyId(name),
+    placeholder: "openrouterPrimary",
+    validate: (value) => {
+      const candidate = String(value || "").trim();
+      if (!candidate) return "Provider ID is required.";
+      if (!PROVIDER_ID_PATTERN.test(candidate)) {
+        return "Use slug/camelCase with letters, numbers, underscore, dot, or hyphen (e.g. openrouterPrimary).";
+      }
+      return undefined;
+    }
+  });
+
+  const askReplaceKey = selectedExisting?.apiKey ? await context.prompts.confirm({
+    message: "Replace saved API key?",
+    initialValue: false
+  }) : true;
+
+  const apiKey = (baseApiKey || (!askReplaceKey ? selectedExisting?.apiKey : "")) || await promptSecretInput(context, {
+    message: "Provider API key",
+    required: true,
+    validate: (value) => {
+      const candidate = String(value || "").trim();
+      if (!candidate) return "Provider API key is required.";
+      return undefined;
+    }
+  });
+
+  const endpointsInput = await context.prompts.text({
+    message: "Provider endpoints (comma / ; / space / newline separated; multiline paste supported)",
+    required: true,
+    initialValue: baseEndpoints.join(","),
+    paste: true,
+    multiline: true
+  });
+  const endpoints = parseEndpointListInput(endpointsInput);
+  maybeReportInputCleanup(context, "endpoint", endpointsInput, endpoints);
+
+  const modelsInput = await context.prompts.text({
+    message: "Provider models (comma / ; / space / newline separated; multiline paste supported)",
+    required: true,
+    initialValue: baseModels,
+    paste: true,
+    multiline: true
+  });
+  const models = parseProviderModelListInput(modelsInput);
+  maybeReportInputCleanup(context, "model", modelsInput, models);
+
+  const headersInput = await context.prompts.text({
+    message: "Custom headers JSON (optional; default User-Agent included)",
+    initialValue: JSON.stringify(applyDefaultHeaders(
+      parseJsonObjectArg(baseHeaders, "Custom headers"),
+      { force: true }
+    ))
+  });
+  const interactiveHeaders = parseJsonObjectArg(headersInput, "Custom headers");
+
+  const probe = await context.prompts.confirm({
+    message: "Auto-detect endpoint formats and model support via live probe?",
+    initialValue: shouldProbe
+  });
+
+  let manualFormat = baseFormat;
+  if (!probe) {
+    manualFormat = await promptProviderFormat(context, {
+      message: "Primary provider format",
+      initialFormat: manualFormat
+    });
+  }
+
+  const setMasterKey = setMasterKeyFlag || await context.prompts.confirm({
+    message: "Set/update worker master key?",
+    initialValue: false
+  });
+  let masterKey = providedMasterKey;
+  if (setMasterKey && !masterKey) {
+    masterKey = await context.prompts.text({
+      message: "Worker master key",
+      required: true
+    });
+  }
+
+  return {
+    configPath,
+    providerId,
+    name,
+    baseUrl,
+    endpoints,
+    openaiBaseUrl: baseOpenAIBaseUrl,
+    claudeBaseUrl: baseClaudeBaseUrl,
+    apiKey,
+    models,
+    format: probe ? "" : manualFormat,
+    formats: baseFormats,
+    headers: interactiveHeaders,
+    shouldProbe: probe,
+    setMasterKey,
+    masterKey
+  };
+}
+
+async function doUpsertProvider(context) {
+  const configPath = readArg(context.args, ["config", "configPath"], getDefaultConfigPath());
+  const existingConfig = await readConfigFile(configPath);
+  const input = await resolveUpsertInput(context, existingConfig);
+
+  const endpointCandidates = parseEndpointListInput([
+    ...(input.endpoints || []),
+    input.openaiBaseUrl,
+    input.claudeBaseUrl,
+    input.baseUrl
+  ].filter(Boolean).join(","));
+  const hasAnyEndpoint = endpointCandidates.length > 0;
+  if (!input.name || !hasAnyEndpoint || !input.apiKey) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "Missing provider inputs: provider-id, name, api-key, and at least one endpoint."
+    };
+  }
+
+  if (!PROVIDER_ID_PATTERN.test(input.providerId)) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: `Invalid provider id '${input.providerId}'. Use slug/camelCase (e.g. openrouter or myProvider).`
+    };
+  }
+
+  const duplicateFriendlyName = findProviderByFriendlyName(existingConfig.providers || [], input.name, {
+    excludeId: input.providerId
+  });
+  if (duplicateFriendlyName) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: `Provider Friendly Name '${input.name}' already exists (provider-id: ${duplicateFriendlyName.id}). Choose a unique name.`
+    };
+  }
+
+  let probe = null;
+  let selectedFormat = String(input.format || "").trim();
+  let effectiveBaseUrl = String(input.baseUrl || "").trim();
+  let effectiveOpenAIBaseUrl = String(input.openaiBaseUrl || "").trim();
+  let effectiveClaudeBaseUrl = String(input.claudeBaseUrl || "").trim();
+  let effectiveModels = [...(input.models || [])];
+
+  if (input.shouldProbe && endpointCandidates.length > 0 && effectiveModels.length === 0) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "Model list is required for endpoint-model probe. Provide --models=modelA,modelB."
+    };
+  }
+
+  if (input.shouldProbe) {
+    const startedAt = Date.now();
+    const reportProgress = probeProgressReporter(context);
+    const canRunMatrixProbe = endpointCandidates.length > 0 && effectiveModels.length > 0;
+    if (canRunMatrixProbe) {
+      probe = await probeProviderEndpointMatrix({
+        endpoints: endpointCandidates,
+        models: effectiveModels,
+        apiKey: input.apiKey,
+        headers: input.headers,
+        onProgress: reportProgress
+      });
+      effectiveOpenAIBaseUrl = probe.baseUrlByFormat?.openai || effectiveOpenAIBaseUrl;
+      effectiveClaudeBaseUrl = probe.baseUrlByFormat?.claude || effectiveClaudeBaseUrl;
+      effectiveBaseUrl =
+        (probe.preferredFormat && probe.baseUrlByFormat?.[probe.preferredFormat]) ||
+        effectiveOpenAIBaseUrl ||
+        effectiveClaudeBaseUrl ||
+        endpointCandidates[0] ||
+        effectiveBaseUrl;
+      if ((probe.models || []).length > 0) {
+        effectiveModels = effectiveModels.length > 0
+          ? effectiveModels.filter((model) => (probe.models || []).includes(model))
+          : [...probe.models];
+      }
+    } else {
+      const probeBaseUrlByFormat = {};
+      if (effectiveOpenAIBaseUrl) probeBaseUrlByFormat.openai = effectiveOpenAIBaseUrl;
+      if (effectiveClaudeBaseUrl) probeBaseUrlByFormat.claude = effectiveClaudeBaseUrl;
+
+      probe = await probeProvider({
+        baseUrl: effectiveBaseUrl || endpointCandidates[0],
+        baseUrlByFormat: Object.keys(probeBaseUrlByFormat).length > 0 ? probeBaseUrlByFormat : undefined,
+        apiKey: input.apiKey,
+        headers: input.headers,
+        onProgress: reportProgress
+      });
+    }
+    const line = typeof context?.terminal?.line === "function" ? context.terminal.line.bind(context.terminal) : null;
+    if (line) {
+      const tookMs = Date.now() - startedAt;
+      line(`Auto-discovery finished in ${(tookMs / 1000).toFixed(1)}s.`);
+    }
+
+    if (!probe.ok) {
+      if (canPrompt()) {
+        const continueWithoutProbe = await context.prompts.confirm({
+          message: "Probe failed to confirm working endpoint/model support. Save provider anyway?",
+          initialValue: false
+        });
+        if (!continueWithoutProbe) {
+          return {
+            ok: false,
+            mode: context.mode,
+            exitCode: EXIT_FAILURE,
+            errorMessage: "Config cancelled because provider probe failed."
+          };
+        }
+
+        selectedFormat = await promptProviderFormat(context, {
+          message: "Probe could not confirm a working format. Choose primary provider format",
+          initialFormat: selectedFormat
+        });
+      } else {
+        return {
+          ok: false,
+          mode: context.mode,
+          exitCode: EXIT_FAILURE,
+          errorMessage: "Provider probe failed. Provide valid endpoints/models or use --skip-probe=true to force save."
+        };
+      }
+    } else {
+      selectedFormat = probe.preferredFormat || selectedFormat;
+    }
+  }
+
+  if (!input.shouldProbe) {
+    if (!effectiveBaseUrl && endpointCandidates.length > 0) {
+      effectiveBaseUrl = endpointCandidates[0];
+    }
+    if (!effectiveOpenAIBaseUrl && !effectiveClaudeBaseUrl && endpointCandidates.length === 1 && selectedFormat) {
+      if (selectedFormat === "openai") effectiveOpenAIBaseUrl = endpointCandidates[0];
+      if (selectedFormat === "claude") effectiveClaudeBaseUrl = endpointCandidates[0];
+    }
+    if (!effectiveOpenAIBaseUrl && !effectiveClaudeBaseUrl && endpointCandidates.length > 1) {
+      return {
+        ok: false,
+        mode: context.mode,
+        exitCode: EXIT_VALIDATION,
+        errorMessage: "Multiple endpoints require probe mode (recommended) or explicit --openai-base-url/--claude-base-url."
+      };
+    }
+  }
+
+  const effectiveFormat = selectedFormat || (input.shouldProbe ? "" : "openai");
+
+  const provider = buildProviderFromConfigInput({
+    providerId: input.providerId,
+    name: input.name,
+    baseUrl: effectiveBaseUrl,
+    openaiBaseUrl: effectiveOpenAIBaseUrl,
+    claudeBaseUrl: effectiveClaudeBaseUrl,
+    apiKey: input.apiKey,
+    models: effectiveModels,
+    format: effectiveFormat,
+    formats: input.formats,
+    headers: input.headers,
+    probe
+  });
+
+  if (!provider.models || provider.models.length === 0) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "Provider must have at least one model. Add --models or enable probe discovery."
+    };
+  }
+
+  const nextConfig = applyConfigChanges(existingConfig, {
+    provider,
+    masterKey: input.setMasterKey ? input.masterKey : existingConfig.masterKey,
+    setDefaultModel: true
+  });
+
+  await writeConfigFile(nextConfig, input.configPath);
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `Saved provider '${provider.id}' to ${input.configPath}`,
+      probe
+        ? `probe preferred=${probe.preferredFormat || "(none)"} working=${(probe.workingFormats || []).join(",") || "(none)"}`
+        : "probe=skipped",
+      provider.baseUrlByFormat?.openai ? `openaiBaseUrl=${provider.baseUrlByFormat.openai}` : "",
+      provider.baseUrlByFormat?.claude ? `claudeBaseUrl=${provider.baseUrlByFormat.claude}` : "",
+      `formats=${(provider.formats || []).join(", ") || provider.format || "unknown"}`,
+      `models=${provider.models.map((m) => `${m.id}${m.formats?.length ? `[${m.formats.join("|")}]` : ""}`).join(", ")}`,
+      `masterKey=${nextConfig.masterKey ? maskSecret(nextConfig.masterKey) : "(not set)"}`
+    ].join("\n")
+  };
+}
+
+async function doListConfig(context) {
+  const configPath = readArg(context.args, ["config", "configPath"], getDefaultConfigPath());
+  const config = await readConfigFile(configPath);
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: summarizeConfig(config, configPath)
+  };
+}
+
+async function doRemoveProvider(context) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const config = await readConfigFile(configPath);
+  let providerId = String(readArg(args, ["provider-id", "providerId"], "") || "");
+
+  if (canPrompt() && !providerId) {
+    if (!config.providers.length) {
+      return { ok: true, mode: context.mode, exitCode: EXIT_SUCCESS, data: "No providers to remove." };
+    }
+    providerId = await context.prompts.select({
+      message: "Remove provider",
+      options: config.providers.map((provider) => ({
+        value: provider.id,
+        label: provider.id,
+        hint: `${provider.models.length} model(s)`
+      }))
+    });
+  }
+
+  if (!providerId) {
+    return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: "provider-id is required." };
+  }
+
+  const exists = config.providers.some((p) => p.id === providerId);
+  if (!exists) {
+    return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: `Provider '${providerId}' not found.` };
+  }
+
+  if (canPrompt()) {
+    const confirm = await context.prompts.confirm({ message: `Delete provider '${providerId}'?`, initialValue: false });
+    if (!confirm) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_FAILURE, errorMessage: "Cancelled." };
+    }
+  }
+
+  let nextConfig = removeProvider(config, providerId);
+  if (nextConfig.defaultModel?.startsWith(`${providerId}/`)) {
+    const fallbackProvider = nextConfig.providers[0];
+    nextConfig = {
+      ...nextConfig,
+      defaultModel: fallbackProvider?.models?.[0] ? `${fallbackProvider.id}/${fallbackProvider.models[0].id}` : undefined
+    };
+  }
+
+  await writeConfigFile(nextConfig, configPath);
+  return { ok: true, mode: context.mode, exitCode: EXIT_SUCCESS, data: `Removed provider '${providerId}'.` };
+}
+
+async function doRemoveModel(context) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const config = await readConfigFile(configPath);
+  let providerId = String(readArg(args, ["provider-id", "providerId"], "") || "");
+  let modelId = String(readArg(args, ["model"], "") || "");
+
+  if (canPrompt()) {
+    if (!providerId) {
+      if (!config.providers.length) {
+        return { ok: true, mode: context.mode, exitCode: EXIT_SUCCESS, data: "No providers configured." };
+      }
+      providerId = await context.prompts.select({
+        message: "Select provider",
+        options: config.providers.map((provider) => ({
+          value: provider.id,
+          label: provider.id,
+          hint: `${provider.models.length} model(s)`
+        }))
+      });
+    }
+    const provider = config.providers.find((p) => p.id === providerId);
+    if (!provider) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: `Provider '${providerId}' not found.` };
+    }
+    if (!modelId) {
+      if (!provider.models.length) {
+        return { ok: true, mode: context.mode, exitCode: EXIT_SUCCESS, data: `Provider '${providerId}' has no models.` };
+      }
+      modelId = await context.prompts.select({
+        message: `Remove model from ${providerId}`,
+        options: provider.models.map((model) => ({
+          value: model.id,
+          label: model.id
+        }))
+      });
+    }
+  }
+
+  if (!providerId || !modelId) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "provider-id and model are required."
+    };
+  }
+
+  const removal = removeModelFromConfig(config, providerId, modelId);
+  if (!removal.changed) {
+    return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: removal.reason };
+  }
+  await writeConfigFile(removal.config, configPath);
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: `Removed model '${modelId}' from '${providerId}'.`
+  };
+}
+
+async function doSetModelFallbacks(context) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const config = await readConfigFile(configPath);
+  let providerId = String(readArg(args, ["provider-id", "providerId"], "") || "");
+  let modelId = String(readArg(args, ["model"], "") || "");
+  const hasFallbackModelsArg =
+    Object.prototype.hasOwnProperty.call(args, "fallback-models") ||
+    Object.prototype.hasOwnProperty.call(args, "fallbackModels") ||
+    Object.prototype.hasOwnProperty.call(args, "fallbacks");
+  const fallbackModelsRaw = hasFallbackModelsArg
+    ? (args["fallback-models"] ?? args.fallbackModels ?? args.fallbacks ?? "")
+    : "";
+  const clearFallbacks = toBoolean(readArg(args, ["clear-fallbacks", "clearFallbacks"], false), false);
+  let selectedFallbacks = clearFallbacks ? [] : parseQualifiedModelListInput(fallbackModelsRaw);
+
+  if (canPrompt()) {
+    if (!providerId) {
+      if (!config.providers.length) {
+        return { ok: true, mode: context.mode, exitCode: EXIT_SUCCESS, data: "No providers configured." };
+      }
+      providerId = await context.prompts.select({
+        message: "Select provider for silent-fallback",
+        options: config.providers.map((provider) => ({
+          value: provider.id,
+          label: provider.id,
+          hint: `${provider.models.length} model(s)`
+        }))
+      });
+    }
+
+    const resolved = resolveProviderAndModel(config, providerId, modelId);
+    const provider = resolved.provider;
+    if (!provider) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: resolved.reason };
+    }
+
+    if (!modelId) {
+      if (!provider.models.length) {
+        return { ok: true, mode: context.mode, exitCode: EXIT_SUCCESS, data: `Provider '${providerId}' has no models.` };
+      }
+      modelId = await context.prompts.select({
+        message: `Select source model from ${providerId}`,
+        options: provider.models.map((model) => ({
+          value: model.id,
+          label: model.id
+        }))
+      });
+    } else if (!resolved.model) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: resolved.reason };
+    }
+
+    const resolvedModel = resolveProviderAndModel(config, providerId, modelId);
+    if (!resolvedModel.model) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: resolvedModel.reason };
+    }
+
+    const sourceModelId = resolvedModel.model.id;
+    const fallbackOptions = listFallbackModelOptions(config, providerId, sourceModelId);
+    const fallbackOptionSet = new Set(fallbackOptions.map((option) => option.value));
+    const currentFallbacks = dedupeList(resolvedModel.model.fallbackModels || [])
+      .filter((entry) => fallbackOptionSet.has(entry));
+    const initialValues = selectedFallbacks.length > 0
+      ? selectedFallbacks.filter((entry) => fallbackOptionSet.has(entry))
+      : currentFallbacks;
+
+    if (fallbackOptions.length === 0) {
+      selectedFallbacks = [];
+      const line = typeof context?.terminal?.line === "function" ? context.terminal.line.bind(context.terminal) : null;
+      line?.("No other models available. Silent-fallback list will be cleared.");
+    } else {
+      selectedFallbacks = await context.prompts.multiselect({
+        message: `Silent-fallback models for ${providerId}/${sourceModelId}`,
+        options: fallbackOptions,
+        initialValues,
+        required: false
+      });
+    }
+
+    modelId = sourceModelId;
+  }
+
+  if (!providerId || !modelId) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "provider-id and model are required."
+    };
+  }
+
+  if (!canPrompt() && !hasFallbackModelsArg && !clearFallbacks) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "fallback-models is required (or use --clear-fallbacks=true)."
+    };
+  }
+
+  const updated = setModelFallbacksInConfig(config, providerId, modelId, selectedFallbacks);
+  if (!updated.changed && updated.reason) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: updated.reason
+    };
+  }
+
+  await writeConfigFile(updated.config, configPath);
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `Updated silent-fallback models for '${providerId}/${updated.modelId || modelId}'.`,
+      `fallbacks=${(updated.fallbackModels || []).join(", ") || "(none)"}`
+    ].join("\n")
+  };
+}
+
+async function doSetMasterKey(context) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const config = await readConfigFile(configPath);
+  let masterKey = String(readArg(args, ["master-key", "masterKey"], "") || "");
+  const generateMasterKey = toBoolean(readArg(args, ["generate-master-key", "generateMasterKey"], false), false);
+  const generatedLength = readArg(args, ["master-key-length", "masterKeyLength"], DEFAULT_GENERATED_MASTER_KEY_LENGTH);
+  const generatedPrefix = readArg(args, ["master-key-prefix", "masterKeyPrefix"], "gw_");
+  let keyGenerated = false;
+
+  if (!masterKey && generateMasterKey) {
+    masterKey = generateStrongMasterKey({ length: generatedLength, prefix: generatedPrefix });
+    keyGenerated = true;
+  }
+
+  if (canPrompt() && !masterKey) {
+    const autoGenerate = await context.prompts.confirm({
+      message: "Generate a strong master key automatically?",
+      initialValue: true
+    });
+    if (autoGenerate) {
+      masterKey = generateStrongMasterKey({
+        length: generatedLength,
+        prefix: generatedPrefix
+      });
+      keyGenerated = true;
+    } else {
+      masterKey = await context.prompts.text({
+        message: "Worker master key",
+        required: true
+      });
+    }
+  }
+
+  if (!masterKey) {
+    return { ok: false, mode: context.mode, exitCode: EXIT_VALIDATION, errorMessage: "master-key is required." };
+  }
+
+  const next = setMasterKeyInConfig(config, masterKey);
+  await writeConfigFile(next, configPath);
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `Updated master key in ${configPath} (${maskSecret(masterKey)}).`,
+      keyGenerated ? `Generated key (copy now): ${masterKey}` : ""
+    ].filter(Boolean).join("\n")
+  };
+}
+
+async function doStartupInstall(context) {
+  const configPath = readArg(context.args, ["config", "configPath"], getDefaultConfigPath());
+  const host = String(readArg(context.args, ["host"], "127.0.0.1"));
+  const port = toNumber(readArg(context.args, ["port"]), 8787);
+  const watchConfig = toBoolean(readArg(context.args, ["watch-config", "watchConfig"], true), true);
+  const watchBinary = toBoolean(readArg(context.args, ["watch-binary", "watchBinary"], true), true);
+  const requireAuth = toBoolean(readArg(context.args, ["require-auth", "requireAuth"], false), false);
+
+  if (!(await configFileExists(configPath))) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: `Config not found at ${configPath}. Run 'llm-router config' first.`
+    };
+  }
+
+  const config = await readConfigFile(configPath);
+  if (!configHasProvider(config)) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: `No providers configured in ${configPath}. Run 'llm-router config'.`
+    };
+  }
+  if (requireAuth && !config.masterKey) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: `Local auth requires masterKey in ${configPath}. Run 'llm-router config --operation=set-master-key' first.`
+    };
+  }
+
+  if (canPrompt()) {
+    const confirm = await context.prompts.confirm({
+      message: `Install llm-router startup service on ${process.platform}?`,
+      initialValue: true
+    });
+    if (!confirm) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_FAILURE, errorMessage: "Cancelled." };
+    }
+  }
+
+  const result = await installStartup({ configPath, host, port, watchConfig, watchBinary, requireAuth });
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `Installed OS startup (${result.manager})`,
+      `service=${result.serviceId}`,
+      `file=${result.filePath}`,
+      `start target=http://${host}:${port}`,
+      `binary watch=${watchBinary ? "enabled" : "disabled"}`,
+      `local auth=${requireAuth ? "required (masterKey)" : "disabled"}`
+    ].join("\n")
+  };
+}
+
+async function doStartupUninstall(context) {
+  if (canPrompt()) {
+    const confirm = await context.prompts.confirm({
+      message: "Uninstall llm-router OS startup service?",
+      initialValue: false
+    });
+    if (!confirm) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_FAILURE, errorMessage: "Cancelled." };
+    }
+  }
+
+  const result = await uninstallStartup();
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `Uninstalled OS startup (${result.manager})`,
+      `service=${result.serviceId}`,
+      `file=${result.filePath}`
+    ].join("\n")
+  };
+}
+
+async function doStartupStatus(context) {
+  const status = await startupStatus();
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `manager=${status.manager}`,
+      `service=${status.serviceId}`,
+      `installed=${status.installed}`,
+      `running=${status.running}`,
+      status.filePath ? `file=${status.filePath}` : "",
+      status.detail ? `detail=${String(status.detail).trim()}` : ""
+    ].filter(Boolean).join("\n")
+  };
+}
+
+async function resolveConfigOperation(context) {
+  const opArg = String(readArg(context.args, ["operation", "op"], "") || "").trim();
+  if (opArg) return opArg;
+
+  if (canPrompt()) {
+    return context.prompts.select({
+      message: "Config operation",
+      options: [
+        { value: "upsert-provider", label: "Add/Edit provider" },
+        { value: "remove-provider", label: "Remove provider" },
+        { value: "remove-model", label: "Remove model from provider" },
+        { value: "set-model-fallbacks", label: "Set model silent-fallbacks" },
+        { value: "set-master-key", label: "Set worker master key" },
+        { value: "list", label: "Show config summary" },
+        { value: "startup-install", label: "Install OS startup" },
+        { value: "startup-status", label: "Show OS startup status" },
+        { value: "startup-uninstall", label: "Uninstall OS startup" }
+      ]
+    });
+  }
+
+  return "list";
+}
+
+async function runConfigAction(context) {
+  const op = await resolveConfigOperation(context);
+
+  switch (op) {
+    case "upsert-provider":
+    case "add-provider":
+    case "edit-provider":
+      return doUpsertProvider(context);
+    case "remove-provider":
+      return doRemoveProvider(context);
+    case "remove-model":
+      return doRemoveModel(context);
+    case "set-model-fallbacks":
+    case "set-model-fallback":
+      return doSetModelFallbacks(context);
+    case "set-master-key":
+      return doSetMasterKey(context);
+    case "list":
+      return doListConfig(context);
+    case "startup-install":
+      return doStartupInstall(context);
+    case "startup-uninstall":
+      return doStartupUninstall(context);
+    case "startup-status":
+      return doStartupStatus(context);
+    default:
+      return {
+        ok: false,
+        mode: context.mode,
+        exitCode: EXIT_VALIDATION,
+        errorMessage: `Unknown config operation '${op}'.`
+      };
+  }
+}
+
+async function runStartAction(context) {
+  const args = context.args || {};
+  const result = await runStartCommand({
+    configPath: readArg(args, ["config", "configPath"], getDefaultConfigPath()),
+    host: String(readArg(args, ["host"], "127.0.0.1")),
+    port: toNumber(readArg(args, ["port"]), 8787),
+    watchConfig: toBoolean(readArg(args, ["watch-config", "watchConfig"], true), true),
+    watchBinary: toBoolean(readArg(args, ["watch-binary", "watchBinary"], true), true),
+    requireAuth: toBoolean(readArg(args, ["require-auth", "requireAuth"], false), false),
+    cliPathForWatch: process.argv[1],
+    onLine: (line) => context.terminal.line(line),
+    onError: (line) => context.terminal.error(line)
+  });
+
+  return {
+    ok: result.ok,
+    mode: context.mode,
+    exitCode: result.exitCode,
+    data: result.data,
+    errorMessage: result.errorMessage
+  };
+}
+
+async function runStopAction(context) {
+  let stopped;
+  try {
+    stopped = await stopRunningInstance();
+  } catch (error) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: `Failed to stop llm-router: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+  if (!stopped.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: stopped.reason || "Failed to stop llm-router."
+    };
+  }
+
+  if (stopped.mode === "startup") {
+    return {
+      ok: true,
+      mode: context.mode,
+      exitCode: EXIT_SUCCESS,
+      data: [
+        "Stopped startup-managed llm-router instance.",
+        `manager=${stopped.detail?.manager || "unknown"}`,
+        `service=${stopped.detail?.serviceId || "unknown"}`
+      ].join("\n")
+    };
+  }
+
+  if (stopped.mode === "manual") {
+    return {
+      ok: true,
+      mode: context.mode,
+      exitCode: EXIT_SUCCESS,
+      data: `Stopped llm-router process pid=${stopped.detail?.pid || "unknown"} (${stopped.detail?.signal || "SIGTERM"}).`
+    };
+  }
+
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: "No running llm-router instance found."
+  };
+}
+
+async function runReloadAction(context) {
+  let result;
+  try {
+    result = await reloadRunningInstance({
+      terminalLine: (line) => context.terminal.line(line),
+      terminalError: (line) => context.terminal.error(line),
+      runDetachedForManual: false
+    });
+  } catch (error) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: `Failed to reload llm-router: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+
+  if (!result.ok && result.mode !== "manual-inline") {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: result.reason || "Failed to reload llm-router."
+    };
+  }
+
+  if (result.mode === "startup") {
+    return {
+      ok: true,
+      mode: context.mode,
+      exitCode: EXIT_SUCCESS,
+      data: [
+        "Restarted startup-managed llm-router instance.",
+        `manager=${result.detail?.manager || "unknown"}`,
+        `service=${result.detail?.serviceId || "unknown"}`
+      ].join("\n")
+    };
+  }
+
+  if (result.mode === "manual-inline") {
+    return {
+      ok: result.detail?.ok === true,
+      mode: context.mode,
+      exitCode: result.detail?.exitCode ?? (result.detail?.ok ? EXIT_SUCCESS : EXIT_FAILURE),
+      data: result.detail?.data,
+      errorMessage: result.detail?.errorMessage || (result.detail?.ok ? undefined : "Failed to restart llm-router.")
+    };
+  }
+
+  return {
+    ok: false,
+    mode: context.mode,
+    exitCode: EXIT_FAILURE,
+    errorMessage: result.reason || "No running llm-router instance detected."
+  };
+}
+
+async function runUpdateAction(context) {
+  const line = typeof context?.terminal?.line === "function" ? context.terminal.line.bind(context.terminal) : console.log;
+  line(`Updating ${NPM_PACKAGE_NAME} to latest with npm...`);
+
+  const updateResult = runNpmInstallLatest(NPM_PACKAGE_NAME);
+  if (!updateResult.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: [
+        `Failed to update ${NPM_PACKAGE_NAME}.`,
+        updateResult.error ? String(updateResult.error) : "",
+        updateResult.stderr || updateResult.stdout
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  let reloadResult;
+  try {
+    reloadResult = await reloadRunningInstance({
+      runDetachedForManual: true
+    });
+  } catch (error) {
+    reloadResult = {
+      ok: false,
+      mode: "error",
+      reason: error instanceof Error ? error.message : String(error)
+    };
+  }
+
+  const details = [`Updated ${NPM_PACKAGE_NAME} successfully.`];
+  if (reloadResult.ok && reloadResult.mode === "startup") {
+    details.push("Detected startup-managed running instance and restarted it.");
+  } else if (reloadResult.ok && reloadResult.mode === "manual-detached") {
+    details.push(`Detected running terminal instance and restarted it in background (pid ${reloadResult.detail?.pid || "unknown"}).`);
+  } else if (reloadResult.mode === "none") {
+    details.push("No running instance detected; update applied for next start.");
+  } else if (!reloadResult.ok) {
+    details.push(`Update succeeded but auto-reload failed: ${reloadResult.reason || "unknown error"}`);
+  }
+
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: details.join("\n")
+  };
+}
+
+async function runDeployAction(context) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const projectDir = path.resolve(readArg(args, ["project-dir", "projectDir"], process.cwd()));
+  const dryRun = toBoolean(readArg(args, ["dry-run", "dryRun"], false), false);
+  const exportOnly = toBoolean(readArg(args, ["export-only", "exportOnly"], false), false);
+  const generateMasterKey = toBoolean(readArg(args, ["generate-master-key", "generateMasterKey"], false), false);
+  const generatedLength = readArg(args, ["master-key-length", "masterKeyLength"], DEFAULT_GENERATED_MASTER_KEY_LENGTH);
+  const generatedPrefix = readArg(args, ["master-key-prefix", "masterKeyPrefix"], "gw_");
+  let allowWeakMasterKey = toBoolean(readArg(args, ["allow-weak-master-key", "allowWeakMasterKey"], false), false);
+  const allowLargeConfig = toBoolean(readArg(args, ["allow-large-config", "allowLargeConfig"], false), false);
+  const outPath = String(readArg(args, ["out", "output"], "") || "");
+  const cfEnv = String(readArg(args, ["env"], "") || "");
+  const argAccountId = String(readArg(args, ["account-id", "accountId"], "") || "").trim();
+  let masterKey = String(readArg(args, ["master-key", "masterKey"], "") || "");
+  let generatedDeployMasterKey = false;
+  let wranglerTargetMessage = "";
+  const requiresCloudflareToken = !dryRun && !exportOnly;
+  const envToken = resolveCloudflareApiTokenFromEnv(process.env);
+  let cloudflareApiToken = envToken.token;
+  let cloudflareApiTokenSource = envToken.source;
+  const envAccountId = String(process.env?.[CLOUDFLARE_ACCOUNT_ID_ENV_NAME] || "").trim();
+  let cloudflareAccountId = argAccountId || envAccountId;
+  const line = typeof context?.terminal?.line === "function"
+    ? context.terminal.line.bind(context.terminal)
+    : console.log;
+  let wranglerConfigPath = "";
+  let cleanupWranglerConfig = null;
+  let deployRoutePattern = "";
+  let deployZoneName = "";
+  let deployUsesWorkersDev = false;
+  const longTaskSpinner = canPrompt() && typeof SnapTui?.createSpinner === "function"
+    ? SnapTui.createSpinner()
+    : null;
+  const withLongTaskSpinner = async (label, fn, { doneMessage = "" } = {}) => {
+    if (!longTaskSpinner) {
+      line(label);
+      const result = await fn();
+      if (doneMessage) line(doneMessage);
+      return result;
+    }
+
+    longTaskSpinner.start(label);
+    try {
+      const result = await fn();
+      longTaskSpinner.stop(doneMessage || `${label} done`);
+      return result;
+    } catch (error) {
+      longTaskSpinner.error("Operation failed");
+      throw error;
+    }
+  };
+
+  try {
+    if (requiresCloudflareToken && !cloudflareApiToken) {
+      const tokenGuide = buildCloudflareApiTokenSetupGuide();
+      if (canPrompt()) {
+        line(tokenGuide);
+        cloudflareApiToken = await promptSecretInput(context, {
+          message: `Cloudflare API token (${CLOUDFLARE_API_TOKEN_ENV_NAME})`,
+          required: true,
+          validate: validateCloudflareApiTokenInput
+        });
+        cloudflareApiTokenSource = "prompt";
+      } else {
+        return {
+          ok: false,
+          mode: context.mode,
+          exitCode: EXIT_VALIDATION,
+          errorMessage: [
+            tokenGuide,
+            `Set ${CLOUDFLARE_API_TOKEN_ENV_NAME} and re-run deploy.`
+          ].join("\n")
+        };
+      }
+    }
+
+  if (requiresCloudflareToken) {
+    let preflight = await withLongTaskSpinner("Verifying Cloudflare API token...", () => preflightCloudflareApiToken(cloudflareApiToken), {
+      doneMessage: "Cloudflare API token verified."
+    });
+    let attempts = 1;
+    while (!preflight.ok && canPrompt() && cloudflareApiTokenSource === "prompt" && attempts < 3) {
+      const retry = await context.prompts.confirm({
+        message: `${preflight.message} Enter a different Cloudflare API token?`,
+        initialValue: true
+      });
+      if (!retry) break;
+
+      cloudflareApiToken = await promptSecretInput(context, {
+        message: `Cloudflare API token (${CLOUDFLARE_API_TOKEN_ENV_NAME})`,
+        required: true,
+        validate: validateCloudflareApiTokenInput
+      });
+      cloudflareApiTokenSource = "prompt";
+      attempts += 1;
+      preflight = await withLongTaskSpinner("Re-validating Cloudflare API token...", () => preflightCloudflareApiToken(cloudflareApiToken), {
+        doneMessage: "Cloudflare API token re-validated."
+      });
+    }
+
+    if (!preflight.ok) {
+      return {
+        ok: false,
+        mode: context.mode,
+        exitCode: EXIT_VALIDATION,
+        errorMessage: buildCloudflareApiTokenTroubleshooting(preflight.message)
+      };
+    }
+
+    const availableAccounts = Array.isArray(preflight.memberships) ? preflight.memberships : [];
+    if (cloudflareAccountId) {
+      const matched = availableAccounts.find((entry) => entry.accountId === cloudflareAccountId);
+      if (!matched && availableAccounts.length > 0) {
+        return {
+          ok: false,
+          mode: context.mode,
+          exitCode: EXIT_VALIDATION,
+          errorMessage: [
+            `Configured ${CLOUDFLARE_ACCOUNT_ID_ENV_NAME} (${cloudflareAccountId}) is not available for this token.`,
+            "Available accounts:",
+            ...formatCloudflareAccountOptions(availableAccounts)
+          ].join("\n")
+        };
+      }
+    } else if (availableAccounts.length === 1) {
+      cloudflareAccountId = availableAccounts[0].accountId;
+      line(`Using Cloudflare account ${availableAccounts[0].accountName} (${cloudflareAccountId}) from token memberships.`);
+    } else if (availableAccounts.length > 1) {
+      if (canPrompt()) {
+        const selectedAccount = await context.prompts.select({
+          message: "Multiple Cloudflare accounts found. Select account for deploy",
+          options: availableAccounts.map((entry) => ({
+            value: entry.accountId,
+            label: `${entry.accountName} (${entry.accountId})`
+          }))
+        });
+        cloudflareAccountId = String(selectedAccount || "").trim();
+      } else {
+        return {
+          ok: false,
+          mode: context.mode,
+          exitCode: EXIT_VALIDATION,
+          errorMessage: [
+            "More than one Cloudflare account is available for this token.",
+            `Set --account-id=<id> or ${CLOUDFLARE_ACCOUNT_ID_ENV_NAME}=<id>.`,
+            "Available accounts:",
+            ...formatCloudflareAccountOptions(availableAccounts)
+          ].join("\n")
+        };
+      }
+    }
+
+    line(`Cloudflare token preflight passed (${cloudflareApiTokenSource === "prompt" ? "from prompt" : `from ${cloudflareApiTokenSource}`}).`);
+
+    const targetResolution = await prepareWranglerDeployConfig(context, {
+      projectDir,
+      args,
+      cloudflareApiToken,
+      cloudflareAccountId,
+      wait: withLongTaskSpinner
+    });
+    if (!targetResolution.ok) {
+      return {
+        ok: false,
+        mode: context.mode,
+        exitCode: EXIT_VALIDATION,
+        errorMessage: targetResolution.errorMessage || "Failed to configure wrangler deploy target."
+      };
+    }
+    wranglerConfigPath = String(targetResolution.wranglerConfigPath || "").trim();
+    cleanupWranglerConfig = typeof targetResolution.cleanup === "function"
+      ? targetResolution.cleanup
+      : null;
+    wranglerTargetMessage = targetResolution.message || "";
+    deployRoutePattern = String(targetResolution.routePattern || "").trim();
+    deployZoneName = String(targetResolution.zoneName || "").trim();
+    deployUsesWorkersDev = targetResolution.useWorkersDev === true;
+  }
+
+  const wranglerEnvOverrides = buildWranglerCloudflareEnv({
+    apiToken: cloudflareApiToken,
+    accountId: cloudflareAccountId
+  });
+  const wranglerConfigArgs = wranglerConfigPath ? ["--config", wranglerConfigPath] : [];
+
+  if (canPrompt() && !masterKey) {
+    const ask = await context.prompts.confirm({
+      message: "Set/override worker master key for this deploy?",
+      initialValue: false
+    });
+    if (ask) {
+      masterKey = await context.prompts.text({ message: "Worker master key", required: true });
+    }
+  }
+
+  const config = await readConfigFile(configPath);
+  if (!masterKey && !config.masterKey && generateMasterKey) {
+    masterKey = generateStrongMasterKey({
+      length: generatedLength,
+      prefix: generatedPrefix
+    });
+    generatedDeployMasterKey = true;
+  }
+
+  const effectiveMasterKey = String(masterKey || config.masterKey || "");
+  const keyCheck = await ensureStrongWorkerMasterKey(context, effectiveMasterKey, { allowWeakMasterKey });
+  if (!keyCheck.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: keyCheck.errorMessage
+    };
+  }
+  allowWeakMasterKey = keyCheck.allowWeakMasterKey === true;
+
+  const payload = buildWorkerConfigPayload(config, { masterKey: effectiveMasterKey });
+  const payloadJson = JSON.stringify(payload);
+  const payloadBytes = Buffer.byteLength(payloadJson, "utf8");
+  const tierReport = payloadBytes > CLOUDFLARE_FREE_SECRET_SIZE_LIMIT_BYTES
+    ? detectCloudflareTierViaWrangler(projectDir, cfEnv, cloudflareApiToken, cloudflareAccountId)
+    : { tier: "unknown", reason: "size-within-free-limit", signals: [] };
+  const mustConfirmLargeConfig = shouldConfirmLargeWorkerConfigDeploy({
+    payloadBytes,
+    tier: tierReport.tier
+  });
+  const largeConfigWarningLines = mustConfirmLargeConfig
+    ? buildLargeWorkerConfigWarningLines({
+      payloadBytes,
+      tierReport
+    })
+    : [];
+
+  if (outPath || exportOnly) {
+    const finalOut = outPath || path.resolve(process.cwd(), ".llm-router.worker.json");
+    const resolvedOut = path.resolve(finalOut);
+    await fsPromises.mkdir(path.dirname(resolvedOut), { recursive: true });
+    await fsPromises.writeFile(resolvedOut, `${JSON.stringify(payload, null, 2)}\n`, "utf8");
+
+    if (exportOnly) {
+      return {
+        ok: true,
+        mode: context.mode,
+        exitCode: EXIT_SUCCESS,
+        data: [
+          ...largeConfigWarningLines,
+          mustConfirmLargeConfig
+            ? "Manual deploy may fail on Cloudflare Free tier unless you reduce config size."
+            : "",
+          `Exported worker config to ${resolvedOut}`,
+          `wrangler secret put LLM_ROUTER_CONFIG_JSON${cfEnv ? ` --env ${cfEnv}` : ""} < ${resolvedOut}`
+        ].filter(Boolean).join("\n")
+      };
+    }
+  }
+
+  if (dryRun) {
+    return {
+      ok: true,
+      mode: context.mode,
+      exitCode: EXIT_SUCCESS,
+      data: [
+        "Dry run (no deployment executed).",
+        allowWeakMasterKey ? "WARNING: weak master key override enabled." : "",
+        ...largeConfigWarningLines,
+        mustConfirmLargeConfig
+          ? "Interactive deploy requires explicit confirmation (default: No)."
+          : "",
+        mustConfirmLargeConfig
+          ? "Use --allow-large-config=true to bypass this check in non-interactive mode."
+          : "",
+        generatedDeployMasterKey ? "Generated a deploy-time master key (not written to local config)." : "",
+        `projectDir=${projectDir}`,
+        cloudflareApiTokenSource !== "none"
+          ? `cloudflareApiToken=${cloudflareApiTokenSource === "prompt" ? "provided-via-prompt" : `from-${cloudflareApiTokenSource}`}`
+          : "",
+        cloudflareAccountId ? `cloudflareAccountId=${cloudflareAccountId}` : "",
+        `cloudflareTier=${formatCloudflareTierLabel(tierReport)} (${tierReport.reason || "unknown"})`,
+        `wrangler${wranglerConfigPath ? ` --config ${wranglerConfigPath}` : ""} secret put LLM_ROUTER_CONFIG_JSON${cfEnv ? ` --env ${cfEnv}` : ""}`,
+        `wrangler${wranglerConfigPath ? ` --config ${wranglerConfigPath}` : ""} deploy${cfEnv ? ` --env ${cfEnv}` : ""}`,
+        `Payload bytes=${payloadBytes}`
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  if (mustConfirmLargeConfig && !allowLargeConfig) {
+    if (canPrompt()) {
+      const proceed = await context.prompts.confirm({
+        message: `${largeConfigWarningLines.join(" ")} Continue deploy anyway?`,
+        initialValue: false
+      });
+      if (!proceed) {
+        return {
+          ok: false,
+          mode: context.mode,
+          exitCode: EXIT_FAILURE,
+          errorMessage: "Deployment cancelled because oversized worker config was not confirmed."
+        };
+      }
+    } else {
+      return {
+        ok: false,
+        mode: context.mode,
+        exitCode: EXIT_VALIDATION,
+        errorMessage: [
+          ...largeConfigWarningLines,
+          "Non-interactive mode requires --allow-large-config=true to continue deployment."
+        ].filter(Boolean).join("\n")
+      };
+    }
+  }
+
+  if (canPrompt()) {
+    const confirm = await context.prompts.confirm({
+      message: `Deploy current config to Cloudflare Worker from ${projectDir}?`,
+      initialValue: true
+    });
+    if (!confirm) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_FAILURE, errorMessage: "Deployment cancelled." };
+    }
+  }
+
+  const deploySpinner = canPrompt() && typeof SnapTui?.createSpinner === "function"
+    ? SnapTui.createSpinner()
+    : null;
+  const withDeploySpinner = async (label, fn, { doneMessage = "" } = {}) => {
+    if (!deploySpinner) {
+      line(label);
+      const result = await fn();
+      if (doneMessage) line(doneMessage);
+      return result;
+    }
+    deploySpinner.start(label);
+    try {
+      const result = await fn();
+      deploySpinner.stop(doneMessage || `${label} done`);
+      return result;
+    } catch (error) {
+      deploySpinner.error("Deploy step failed");
+      throw error;
+    }
+  };
+
+  const envArgs = cfEnv ? ["--env", cfEnv] : [];
+  const secretResult = await withDeploySpinner("Uploading worker config secret via Wrangler...", () => runWranglerAsync([...wranglerConfigArgs, "secret", "put", "LLM_ROUTER_CONFIG_JSON", ...envArgs], {
+    cwd: projectDir,
+    input: payloadJson,
+    envOverrides: wranglerEnvOverrides
+  }), { doneMessage: "Worker config secret uploaded." });
+  if (!secretResult.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: [
+        "Failed to upload LLM_ROUTER_CONFIG_JSON secret.",
+        secretResult.error ? String(secretResult.error) : "",
+        secretResult.stderr || secretResult.stdout
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  const deployResult = await withDeploySpinner("Deploying Cloudflare Worker via Wrangler...", () => runWranglerAsync([...wranglerConfigArgs, "deploy", ...envArgs], {
+    cwd: projectDir,
+    envOverrides: wranglerEnvOverrides
+  }), { doneMessage: "Cloudflare Worker deploy finished." });
+  if (!deployResult.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: [
+        "Secret uploaded but worker deploy failed.",
+        deployResult.error ? String(deployResult.error) : "",
+        deployResult.stderr || deployResult.stdout
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  const deploySummary = [deployResult.stdout, deployResult.stderr].filter(Boolean).join("\n");
+  if (hasNoDeployTargets(deploySummary)) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: [
+        "Worker upload succeeded, but no deploy target is configured.",
+        "Set one deploy target and re-run:",
+        "- `--workers-dev=true`, or",
+        "- `--route-pattern=router.example.com/* --zone-name=example.com` (or `--domain=router.example.com`).",
+        deploySummary.trim()
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  const deployHost = extractHostnameFromRoutePattern(deployRoutePattern);
+  const postDeployGuide = !deployUsesWorkersDev && deployHost
+    ? [
+      "",
+      "Post-deploy checks:",
+      `- dig +short ${deployHost} @1.1.1.1`,
+      `- curl -I https://${deployHost}/anthropic`,
+      `- Claude Code base URL: https://${deployHost}/anthropic (no :8787)`
+    ].join("\n")
+    : "";
+
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      "Cloudflare deployment completed.",
+      generatedDeployMasterKey ? "Generated a deploy-time master key. Persist it with `llm-router config --operation=set-master-key --master-key=...` if needed." : "",
+      wranglerTargetMessage,
+      deployZoneName ? `Deploy zone: ${deployZoneName}` : "",
+      secretResult.stdout.trim(),
+      deployResult.stdout.trim(),
+      postDeployGuide
+    ].filter(Boolean).join("\n")
+  };
+  } finally {
+    if (typeof cleanupWranglerConfig === "function") {
+      try {
+        await cleanupWranglerConfig();
+      } catch {
+        // best-effort cleanup for temporary wrangler config file
+      }
+    }
+  }
+}
+
+function parseWranglerSecretListOutput(text) {
+  const trimmed = String(text || "").trim();
+  if (!trimmed) return [];
+
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (Array.isArray(parsed)) {
+      return parsed
+        .map((item) => {
+          if (typeof item === "string") return item;
+          if (item && typeof item === "object") {
+            return item.name || item.key || item.secret_name || null;
+          }
+          return null;
+        })
+        .filter(Boolean);
+    }
+  } catch {
+    // fall through to text parser
+  }
+
+  const names = new Set();
+  for (const line of trimmed.split(/\r?\n/g)) {
+    if (line.includes("LLM_ROUTER_")) {
+      for (const match of line.matchAll(/\b[A-Z][A-Z0-9_]{2,}\b/g)) {
+        names.add(match[0]);
+      }
+    }
+  }
+  return [...names];
+}
+
+async function runWorkerKeyAction(context) {
+  const args = context.args || {};
+  const configPath = readArg(args, ["config", "configPath"], getDefaultConfigPath());
+  const projectDir = path.resolve(readArg(args, ["project-dir", "projectDir"], process.cwd()));
+  const cfEnv = String(readArg(args, ["env"], "") || "");
+  const dryRun = toBoolean(readArg(args, ["dry-run", "dryRun"], false), false);
+  const useConfigKey = toBoolean(readArg(args, ["use-config-key", "useConfigKey"], true), true);
+  const generateMasterKey = toBoolean(readArg(args, ["generate-master-key", "generateMasterKey"], false), false);
+  const generatedLength = readArg(args, ["master-key-length", "masterKeyLength"], DEFAULT_GENERATED_MASTER_KEY_LENGTH);
+  const generatedPrefix = readArg(args, ["master-key-prefix", "masterKeyPrefix"], "gw_");
+  let allowWeakMasterKey = toBoolean(readArg(args, ["allow-weak-master-key", "allowWeakMasterKey"], false), false);
+  let masterKey = String(readArg(args, ["master-key", "masterKey"], "") || "");
+  let keyGenerated = false;
+
+  if (!masterKey && useConfigKey) {
+    try {
+      const config = await readConfigFile(configPath);
+      masterKey = String(config.masterKey || "");
+    } catch {
+      // allow prompting/manual input fallback
+    }
+  }
+
+  if (!masterKey && generateMasterKey) {
+    masterKey = generateStrongMasterKey({
+      length: generatedLength,
+      prefix: generatedPrefix
+    });
+    keyGenerated = true;
+  }
+
+  if (canPrompt() && !masterKey) {
+    const autoGenerate = await context.prompts.confirm({
+      message: "Generate a strong worker master key automatically?",
+      initialValue: true
+    });
+    if (autoGenerate) {
+      masterKey = generateStrongMasterKey({
+        length: generatedLength,
+        prefix: generatedPrefix
+      });
+      keyGenerated = true;
+    } else {
+      masterKey = await context.prompts.text({
+        message: "New worker master key (LLM_ROUTER_MASTER_KEY)",
+        required: true
+      });
+    }
+  }
+
+  if (!masterKey) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: "master-key is required (or set one in local config and use --use-config-key=true)."
+    };
+  }
+
+  const keyCheck = await ensureStrongWorkerMasterKey(context, masterKey, { allowWeakMasterKey });
+  if (!keyCheck.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_VALIDATION,
+      errorMessage: keyCheck.errorMessage
+    };
+  }
+  allowWeakMasterKey = keyCheck.allowWeakMasterKey === true;
+
+  const envArgs = cfEnv ? ["--env", cfEnv] : [];
+  let exists = null;
+  const listResult = runWrangler(["secret", "list", ...envArgs], { cwd: projectDir });
+  if (listResult.ok) {
+    const secretNames = parseWranglerSecretListOutput(`${listResult.stdout}\n${listResult.stderr}`);
+    exists = secretNames.includes("LLM_ROUTER_MASTER_KEY");
+  }
+
+  if (dryRun) {
+    return {
+      ok: true,
+      mode: context.mode,
+      exitCode: EXIT_SUCCESS,
+      data: [
+        "Dry run (no secret update executed).",
+        allowWeakMasterKey ? "WARNING: weak master key override enabled." : "",
+        keyGenerated ? "Generated key for this operation." : "",
+        `projectDir=${projectDir}`,
+        cfEnv ? `env=${cfEnv}` : "",
+        `target=LLM_ROUTER_MASTER_KEY (${exists === null ? "existence unknown" : (exists ? "exists" : "missing")})`,
+        `wrangler secret put LLM_ROUTER_MASTER_KEY${cfEnv ? ` --env ${cfEnv}` : ""}`,
+        `masterKey=${maskSecret(masterKey)}`
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  if (canPrompt()) {
+    const confirm = await context.prompts.confirm({
+      message: `${exists === true ? "Update" : "Set"} LLM_ROUTER_MASTER_KEY on Cloudflare Worker${cfEnv ? ` (${cfEnv})` : ""}?`,
+      initialValue: true
+    });
+    if (!confirm) {
+      return { ok: false, mode: context.mode, exitCode: EXIT_FAILURE, errorMessage: "Operation cancelled." };
+    }
+  }
+
+  const putResult = runWrangler(["secret", "put", "LLM_ROUTER_MASTER_KEY", ...envArgs], {
+    cwd: projectDir,
+    input: masterKey
+  });
+  if (!putResult.ok) {
+    return {
+      ok: false,
+      mode: context.mode,
+      exitCode: EXIT_FAILURE,
+      errorMessage: [
+        "Failed to create/update LLM_ROUTER_MASTER_KEY secret.",
+        putResult.error ? String(putResult.error) : "",
+        putResult.stderr || putResult.stdout
+      ].filter(Boolean).join("\n")
+    };
+  }
+
+  return {
+    ok: true,
+    mode: context.mode,
+    exitCode: EXIT_SUCCESS,
+    data: [
+      `${exists === true ? "Updated" : "Set"} LLM_ROUTER_MASTER_KEY on Cloudflare Worker.`,
+      cfEnv ? `env=${cfEnv}` : "",
+      `projectDir=${projectDir}`,
+      `masterKey=${maskSecret(masterKey)}`,
+      keyGenerated ? `Generated key (copy now): ${masterKey}` : "",
+      putResult.stdout.trim()
+    ].filter(Boolean).join("\n")
+  };
+}
+
+const routerModule = {
+  moduleId: "router",
+  description: "LLM Router local start, config manager, and Cloudflare deploy.",
+  actions: [
+    {
+      actionId: "start",
+      description: "Start local llm-router route.",
+      tui: { steps: ["start-server"] },
+      commandline: { requiredArgs: [], optionalArgs: ["host", "port", "config", "watch-config", "watch-binary", "require-auth"] },
+      help: {
+        summary: "Start local llm-router on localhost. Hot-reloads config in memory and auto-relaunches after llm-router upgrades.",
+        args: [
+          { name: "host", required: false, description: "Listen host.", example: "--host=127.0.0.1" },
+          { name: "port", required: false, description: "Listen port.", example: "--port=8787" },
+          { name: "config", required: false, description: "Path to config file.", example: "--config=~/.llm-router.json" },
+          { name: "watch-config", required: false, description: "Hot-reload config in memory without process restart.", example: "--watch-config=true" },
+          { name: "watch-binary", required: false, description: "Watch for llm-router upgrades and relaunch the latest version.", example: "--watch-binary=true" },
+          { name: "require-auth", required: false, description: "Require local API auth using config.masterKey.", example: "--require-auth=true" }
+        ],
+        examples: ["llm-router start", "llm-router start --port=8787", "llm-router start --require-auth=true"],
+        useCases: [
+          {
+            name: "run local route",
+            description: "Serve Anthropic and OpenAI route endpoints locally.",
+            command: "llm-router start"
+          }
+        ],
+        keybindings: ["Ctrl+C stop"]
+      },
+      run: runStartAction
+    },
+    {
+      actionId: "stop",
+      description: "Stop a running llm-router instance (manual or OS startup-managed).",
+      tui: { steps: ["stop-instance"] },
+      commandline: { requiredArgs: [], optionalArgs: [] },
+      help: {
+        summary: "Stop a running llm-router instance.",
+        args: [],
+        examples: ["llm-router stop"],
+        useCases: [
+          {
+            name: "stop instance",
+            description: "Stops startup-managed service or running terminal process.",
+            command: "llm-router stop"
+          }
+        ],
+        keybindings: []
+      },
+      run: runStopAction
+    },
+    {
+      actionId: "reload",
+      description: "Force restart running llm-router instance.",
+      tui: { steps: ["reload-instance"] },
+      commandline: { requiredArgs: [], optionalArgs: [] },
+      help: {
+        summary: "Restart running llm-router: restart startup service or restart terminal instance in current terminal.",
+        args: [],
+        examples: ["llm-router reload"],
+        useCases: [
+          {
+            name: "force restart",
+            description: "Restarts currently running llm-router instance.",
+            command: "llm-router reload"
+          }
+        ],
+        keybindings: []
+      },
+      run: runReloadAction
+    },
+    {
+      actionId: "update",
+      description: "Update llm-router global package to latest and reload running instance.",
+      tui: { steps: ["npm-install", "reload-running"] },
+      commandline: { requiredArgs: [], optionalArgs: [] },
+      help: {
+        summary: "Run npm global install for latest llm-router and reload any running instance.",
+        args: [],
+        examples: ["llm-router update"],
+        useCases: [
+          {
+            name: "upgrade cli",
+            description: "Installs latest global package and reloads startup/manual running instance.",
+            command: "llm-router update"
+          }
+        ],
+        keybindings: []
+      },
+      run: runUpdateAction
+    },
+    {
+      actionId: "config",
+      description: "Config manager for providers/models/master-key/startup service.",
+      tui: { steps: ["select-operation", "execute"] },
+      commandline: {
+        requiredArgs: [],
+        optionalArgs: [
+          "operation",
+          "op",
+          "config",
+          "provider-id",
+          "name",
+          "endpoints",
+          "base-url",
+          "openai-base-url",
+          "claude-base-url",
+          "anthropic-base-url",
+          "api-key",
+          "models",
+          "format",
+          "formats",
+          "headers",
+          "skip-probe",
+          "set-master-key",
+          "master-key",
+          "generate-master-key",
+          "master-key-length",
+          "master-key-prefix",
+          "model",
+          "fallback-models",
+          "fallbacks",
+          "clear-fallbacks",
+          "host",
+          "port",
+          "watch-config",
+          "watch-binary",
+          "require-auth"
+        ]
+      },
+      help: {
+        summary: "Manage providers/models, master key, and OS startup. TUI by default; commandline via --operation.",
+        args: [
+          { name: "operation", required: false, description: "Config operation (optional; prompts if omitted).", example: "--operation=upsert-provider" },
+          { name: "provider-id", required: false, description: "Provider id (slug/camelCase).", example: "--provider-id=openrouter" },
+          { name: "name", required: false, description: "Provider Friendly Name (must be unique; shown in management screen).", example: "--name=OpenRouter Primary" },
+          { name: "endpoints", required: false, description: "Provider endpoint candidates for auto-probe (comma/semicolon/space/newline separated; TUI supports multiline paste).", example: "--endpoints=https://ramclouds.me,https://ramclouds.me/v1" },
+          { name: "base-url", required: false, description: "Provider base URL.", example: "--base-url=https://openrouter.ai/api/v1" },
+          { name: "openai-base-url", required: false, description: "OpenAI endpoint base URL (format-specific override).", example: "--openai-base-url=https://ramclouds.me/v1" },
+          { name: "claude-base-url", required: false, description: "Anthropic endpoint base URL (format-specific override).", example: "--claude-base-url=https://ramclouds.me" },
+          { name: "api-key", required: false, description: "Provider API key.", example: "--api-key=sk-or-v1-..." },
+          { name: "models", required: false, description: "Model list (comma/semicolon/space/newline separated; strips common log/error noise; TUI supports multiline paste).", example: "--models=gpt-4o,claude-3-5-sonnet-latest" },
+          { name: "model", required: false, description: "Single model id (used by remove-model).", example: "--model=gpt-4o" },
+          { name: "fallback-models", required: false, description: "Qualified fallback models for set-model-fallbacks (comma/semicolon/space separated).", example: "--fallback-models=openrouter/gpt-4o,anthropic/claude-3-7-sonnet" },
+          { name: "clear-fallbacks", required: false, description: "Clear all fallback models for set-model-fallbacks.", example: "--clear-fallbacks=true" },
+          { name: "format", required: false, description: "Manual format if probe is skipped.", example: "--format=openai" },
+          { name: "headers", required: false, description: "Custom provider headers as JSON object (default User-Agent applied when omitted).", example: "--headers={\"User-Agent\":\"Mozilla/5.0\"}" },
+          { name: "skip-probe", required: false, description: "Skip live endpoint/model probe.", example: "--skip-probe=true" },
+          { name: "master-key", required: false, description: "Worker auth token.", example: "--master-key=my-token" },
+          { name: "generate-master-key", required: false, description: "Generate a strong master key automatically (set-master-key flow).", example: "--generate-master-key=true" },
+          { name: "master-key-length", required: false, description: "Generated master key length (min 24).", example: "--master-key-length=48" },
+          { name: "master-key-prefix", required: false, description: "Generated master key prefix.", example: "--master-key-prefix=gw_" },
+          { name: "watch-binary", required: false, description: "For startup-install: detect llm-router upgrades and auto-relaunch under OS startup.", example: "--watch-binary=true" },
+          { name: "require-auth", required: false, description: "Require masterKey auth for local start/startup-install.", example: "--require-auth=true" },
+          { name: "config", required: false, description: "Path to config file.", example: "--config=~/.llm-router.json" }
+        ],
+        examples: [
+          "llm-router config",
+          "llm-router config --operation=upsert-provider --provider-id=ramclouds --name=RamClouds --api-key=sk-... --endpoints=https://ramclouds.me,https://ramclouds.me/v1 --models=claude-opus-4-6-thinking,gpt-5.3-codex",
+          "llm-router config --operation=set-model-fallbacks --provider-id=openrouter --model=gpt-4o --fallback-models=anthropic/claude-3-7-sonnet,openrouter/gpt-4.1-mini",
+          "llm-router config --operation=remove-model --provider-id=openrouter --model=gpt-4o",
+          "llm-router config --operation=startup-install"
+        ],
+        useCases: [
+          {
+            name: "interactive config",
+            description: "Add/edit/remove providers and manage startup.",
+            command: "llm-router config"
+          }
+        ],
+        keybindings: ["Enter confirm", "Esc cancel"]
+      },
+      run: runConfigAction
+    },
+    {
+      actionId: "deploy",
+      description: "Guide/deploy current config to Cloudflare Worker.",
+      tui: { steps: ["validate", "confirm", "deploy"] },
+      commandline: {
+        requiredArgs: [],
+        optionalArgs: [
+          "mode",
+          "config",
+          "project-dir",
+          "master-key",
+          "account-id",
+          "workers-dev",
+          "route-pattern",
+          "zone-name",
+          "domain",
+          "generate-master-key",
+          "master-key-length",
+          "master-key-prefix",
+          "allow-weak-master-key",
+          "allow-large-config",
+          "env",
+          "dry-run",
+          "export-only",
+          "out"
+        ]
+      },
+      help: {
+        summary: "Export worker config and/or deploy to Cloudflare Worker with Wrangler.",
+        args: [
+          { name: "mode", required: false, description: "Optional compatibility flag (ignored).", example: "--mode=run" },
+          { name: "config", required: false, description: "Path to config file.", example: "--config=~/.llm-router.json" },
+          { name: "project-dir", required: false, description: "Worker project directory (uses wrangler.toml as optional base).", example: "--project-dir=./route" },
+          { name: "master-key", required: false, description: "Override master key for deployment payload.", example: "--master-key=prod-token" },
+          { name: "account-id", required: false, description: "Cloudflare account id override (useful for multi-account tokens).", example: "--account-id=03819f97b5cb3101faecbbcb6019c4cc" },
+          { name: "workers-dev", required: false, description: "Use workers.dev deploy target in temporary runtime config.", example: "--workers-dev=true" },
+          { name: "route-pattern", required: false, description: "Route pattern for custom domain target (temporary runtime config).", example: "--route-pattern=router.example.com/*" },
+          { name: "zone-name", required: false, description: "Cloudflare zone name for route target (temporary runtime config).", example: "--zone-name=example.com" },
+          { name: "domain", required: false, description: "Convenience alias for route host (auto-converted to <domain>/*).", example: "--domain=router.example.com" },
+          { name: "generate-master-key", required: false, description: "Generate a strong master key when config has no master key.", example: "--generate-master-key=true" },
+          { name: "master-key-length", required: false, description: "Generated master key length (min 24).", example: "--master-key-length=48" },
+          { name: "master-key-prefix", required: false, description: "Generated master key prefix.", example: "--master-key-prefix=gw_" },
+          { name: "allow-weak-master-key", required: false, description: "Allow weak master key (not recommended).", example: "--allow-weak-master-key=true" },
+          { name: "allow-large-config", required: false, description: "Bypass oversized Free-tier secret confirmation (useful in CI).", example: "--allow-large-config=true" },
+          { name: "env", required: false, description: "Wrangler environment.", example: "--env=production" },
+          { name: "dry-run", required: false, description: "Print commands only.", example: "--dry-run=true" },
+          { name: "export-only", required: false, description: "Only export config JSON, no deploy.", example: "--export-only=true" },
+          { name: "out", required: false, description: "Write exported JSON to file.", example: "--out=.llm-router.worker.json" }
+        ],
+        examples: [
+          "llm-router deploy",
+          "llm-router deploy --dry-run=true",
+          "llm-router deploy --account-id=03819f97b5cb3101faecbbcb6019c4cc",
+          "llm-router deploy --workers-dev=true",
+          "llm-router deploy --route-pattern=router.example.com/* --zone-name=example.com",
+          "llm-router deploy --generate-master-key=true",
+          "llm-router deploy --export-only=true --out=.llm-router.worker.json",
+          "llm-router deploy --allow-large-config=true",
+          "llm-router deploy --env=production"
+        ],
+        useCases: [
+          {
+            name: "cloudflare deploy",
+            description: "Push LLM_ROUTER_CONFIG_JSON secret and deploy worker.",
+            command: "llm-router deploy"
+          }
+        ],
+        keybindings: ["Enter confirm", "Esc cancel"]
+      },
+      run: runDeployAction
+    },
+    {
+      actionId: "worker-key",
+      description: "Quickly create/update the LLM_ROUTER_MASTER_KEY Worker secret.",
+      tui: { steps: ["key-input", "confirm", "secret-put"] },
+      commandline: {
+        requiredArgs: [],
+        optionalArgs: [
+          "config",
+          "project-dir",
+          "master-key",
+          "generate-master-key",
+          "master-key-length",
+          "master-key-prefix",
+          "allow-weak-master-key",
+          "use-config-key",
+          "env",
+          "dry-run"
+        ]
+      },
+      help: {
+        summary: "Fast master-key rotation/update on Cloudflare Worker using LLM_ROUTER_MASTER_KEY secret (runtime override).",
+        args: [
+          { name: "master-key", required: false, description: "New worker master key. If omitted, reads local config when allowed.", example: "--master-key=prod-token-v2" },
+          { name: "generate-master-key", required: false, description: "Generate a strong worker master key automatically.", example: "--generate-master-key=true" },
+          { name: "master-key-length", required: false, description: "Generated master key length (min 24).", example: "--master-key-length=48" },
+          { name: "master-key-prefix", required: false, description: "Generated master key prefix.", example: "--master-key-prefix=gw_" },
+          { name: "allow-weak-master-key", required: false, description: "Allow weak master key (not recommended).", example: "--allow-weak-master-key=true" },
+          { name: "use-config-key", required: false, description: "Read key from local config if --master-key is omitted.", example: "--use-config-key=true" },
+          { name: "config", required: false, description: "Path to local config file.", example: "--config=~/.llm-router.json" },
+          { name: "project-dir", required: false, description: "Directory containing wrangler.toml.", example: "--project-dir=./route" },
+          { name: "env", required: false, description: "Wrangler environment.", example: "--env=production" },
+          { name: "dry-run", required: false, description: "Print commands only.", example: "--dry-run=true" }
+        ],
+        examples: [
+          "llm-router worker-key --master-key=prod-token-v2",
+          "llm-router worker-key --generate-master-key=true",
+          "llm-router worker-key --env=production --master-key=rotated-key",
+          "llm-router worker-key --use-config-key=true"
+        ],
+        useCases: [
+          {
+            name: "rotate leaked key",
+            description: "Set LLM_ROUTER_MASTER_KEY quickly without rebuilding the full worker config secret.",
+            command: "llm-router worker-key --master-key=new-secret"
+          }
+        ],
+        keybindings: ["Enter confirm", "Esc cancel"]
+      },
+      run: runWorkerKeyAction
+    }
+  ]
+};
+
+export default routerModule;