@layers/amba 0.1.1

package/dist/index.js

@@ -0,0 +1,3716 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import pc from "picocolors";
+import { access, mkdir, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
+import { basename, dirname, join, relative, resolve } from "node:path";
+import { createInterface } from "node:readline";
+import { createServer } from "node:http";
+import { homedir } from "node:os";
+import open from "open";
+import { createWriteStream } from "node:fs";
+import { build } from "esbuild";
+import { createHash } from "node:crypto";
+//#region src/_internal/shared.ts
+const DEFAULT_API_URL = "https://api.amba.dev";
+const CONSOLE_URL = "https://app.amba.dev";
+const RESERVED_COLLECTION_PREFIXES = [
+	"_amba_",
+	"pg_",
+	"coll_amba_",
+	"events_",
+	"media_",
+	"streak_",
+	"xp_",
+	"achievement_",
+	"challenge_",
+	"currency_",
+	"feed_",
+	"friend_",
+	"group_",
+	"inventory_",
+	"leaderboard_",
+	"league_",
+	"messaging_",
+	"moderation_",
+	"onboarding_",
+	"referral_",
+	"review_",
+	"role_",
+	"session_",
+	"store_"
+];
+const RESERVED_COLLECTION_EXACT_NAMES = [
+	"app_users",
+	"magic_link_tokens",
+	"remote_config",
+	"remote_configs",
+	"engagement_events",
+	"schema_migrations",
+	"segment_memberships",
+	"segments",
+	"config_versions",
+	"push_tokens",
+	"push_campaigns",
+	"push_deliveries",
+	"user_streaks",
+	"streak_definitions",
+	"streak_events",
+	"user_entitlements",
+	"app_user_sessions",
+	"content_items",
+	"content_libraries",
+	"content_schedules"
+];
+const VALID_COLLECTION_NAME_RE = /^[a-z][a-z0-9_]*$/;
+const MAX_COLLECTION_NAME_LENGTH = 50;
+/** Return why a collection name is reserved/invalid, or `null` if acceptable. */
+function getReservationReason(name) {
+	if (typeof name !== "string" || name.length === 0) return "Collection name must be a non-empty string";
+	if (name.length > MAX_COLLECTION_NAME_LENGTH) return `Collection name must be at most ${MAX_COLLECTION_NAME_LENGTH} characters`;
+	for (const prefix of RESERVED_COLLECTION_PREFIXES) if (name.startsWith(prefix)) return `Collection name starts with reserved prefix "${prefix}"`;
+	for (const exact of RESERVED_COLLECTION_EXACT_NAMES) if (name === exact) return `Collection name "${exact}" is reserved by an existing platform tenant table`;
+	if (!VALID_COLLECTION_NAME_RE.test(name)) return "Collection name must match /^[a-z][a-z0-9_]*$/ (lowercase ASCII, digits, underscore; must start with a letter)";
+	return null;
+}
+const RESERVED_BINDING_PREFIXES = ["AMBA_", "EDGE_"];
+const RESERVED_BINDING_EXACT_NAMES = [
+	"STORAGE",
+	"HYPERDRIVE",
+	"EDGE_DB_PROXY"
+];
+const VALID_BINDING_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+const MAX_BINDING_NAME_LENGTH = 64;
+/** Return why a binding name is reserved/invalid, or `null` if acceptable. */
+function getBindingReservationReason(name) {
+	if (typeof name !== "string" || name.length === 0) return "Binding name must be a non-empty string";
+	if (name.length > MAX_BINDING_NAME_LENGTH) return `Binding name must be at most ${MAX_BINDING_NAME_LENGTH} characters`;
+	for (const prefix of RESERVED_BINDING_PREFIXES) if (name.startsWith(prefix)) return `Binding name starts with reserved prefix "${prefix}" (platform namespace)`;
+	for (const exact of RESERVED_BINDING_EXACT_NAMES) if (name === exact) return `Binding name "${exact}" is reserved by a platform binding`;
+	if (!VALID_BINDING_NAME_RE.test(name)) return "Binding name must match /^[A-Z][A-Z0-9_]*$/ (uppercase ASCII, digits, underscore; must start with a letter)";
+	return null;
+}
+const RATE_LIMIT_MAX_CAP = 1e5;
+const RATE_LIMIT_MIN_WINDOW_MS = 1e3;
+const DURATION_RE = /^(\d+)(s|m|h)$/;
+const VALID_KEY_KINDS = new Set(["user_id", "ip"]);
+/** Convert `60s` / `5m` / `1h` → ms. `null` if unparseable. */
+function parseDurationToMs(window) {
+	const match = DURATION_RE.exec(window);
+	if (!match) return null;
+	const n = Number.parseInt(match[1], 10);
+	if (!Number.isFinite(n) || n <= 0) return null;
+	switch (match[2]) {
+		case "s": return n * 1e3;
+		case "m": return n * 60 * 1e3;
+		case "h": return n * 60 * 60 * 1e3;
+	}
+	return null;
+}
+/** Validate shape + values. Returns the typed config OR `{ error }`. */
+function validateRateLimitConfig(input) {
+	if (input === null || input === void 0) return { error: "rate_limit config is null or undefined" };
+	if (typeof input !== "object" || Array.isArray(input)) return { error: "rate_limit must be a JSON object" };
+	const obj = input;
+	if (typeof obj["window"] !== "string") return { error: "rate_limit.window must be a duration string (e.g. \"60s\", \"5m\", \"1h\")" };
+	const ms = parseDurationToMs(obj["window"]);
+	if (ms === null) return { error: `rate_limit.window "${obj["window"]}" is not a valid duration (expected /^\\d+(s|m|h)$/)` };
+	if (ms < 1e3) return { error: `rate_limit.window must be at least ${RATE_LIMIT_MIN_WINDOW_MS}ms` };
+	if (ms > 36e5) return { error: `rate_limit.window must be at most 1h` };
+	if (typeof obj["max"] !== "number" || !Number.isInteger(obj["max"]) || obj["max"] <= 0) return { error: "rate_limit.max must be a positive integer" };
+	if (obj["max"] > 1e5) return { error: `rate_limit.max must be at most ${RATE_LIMIT_MAX_CAP}` };
+	if (typeof obj["key"] !== "string" || !VALID_KEY_KINDS.has(obj["key"])) return { error: `rate_limit.key must be one of ${[...VALID_KEY_KINDS].join(" | ")}` };
+	return {
+		window: obj["window"],
+		max: obj["max"],
+		key: obj["key"]
+	};
+}
+//#endregion
+//#region src/auth.ts
+const AMBA_DIR = join(homedir(), ".amba");
+const CREDENTIALS_PATH = join(AMBA_DIR, "credentials.json");
+/**
+* Shape check for a PAT. The platform mints PATs as `amb_dpat_` plus 32
+* characters from the base64url alphabet (`[A-Za-z0-9_-]`) per
+* RFC 4648 §5.
+*/
+function isPatShape(token) {
+	return /^amb_dpat_[A-Za-z0-9_-]{32}$/.test(token);
+}
+/**
+* Start a temporary local HTTP server, open the browser for OAuth,
+* and wait for the redirect callback carrying the token.
+*/
+async function browserAuthFlow() {
+	return new Promise((resolve, reject) => {
+		const server = createServer((req, res) => {
+			const url = new URL(req.url ?? "/", `http://localhost`);
+			if (url.pathname !== "/callback") {
+				res.writeHead(404);
+				res.end("Not found");
+				return;
+			}
+			const accessToken = url.searchParams.get("access_token");
+			const refreshToken = url.searchParams.get("refresh_token");
+			const expiresAt = url.searchParams.get("expires_at");
+			if (!accessToken || !refreshToken || !expiresAt) {
+				res.writeHead(400, { "Content-Type": "text/html" });
+				res.end("<html><body><h2>Authentication failed</h2><p>Missing token parameters. Please try again.</p></body></html>");
+				server.close();
+				reject(/* @__PURE__ */ new Error("Missing token parameters in callback"));
+				return;
+			}
+			res.writeHead(200, { "Content-Type": "text/html" });
+			res.end("<html><body style=\"font-family:system-ui;text-align:center;padding:3rem\"><h2>Authenticated!</h2><p>You can close this window and return to the terminal.</p></body></html>");
+			const creds = {
+				access_token: accessToken,
+				refresh_token: refreshToken,
+				expires_at: expiresAt
+			};
+			server.close();
+			resolve(creds);
+		});
+		server.listen(0, "127.0.0.1", () => {
+			const addr = server.address();
+			if (!addr || typeof addr === "string") {
+				server.close();
+				reject(/* @__PURE__ */ new Error("Failed to start local auth server"));
+				return;
+			}
+			const authUrl = `${CONSOLE_URL}/cli-login?port=${addr.port}`;
+			console.log(pc.dim(`  Opening browser to authenticate...`));
+			console.log(pc.dim(`  ${authUrl}`));
+			console.log();
+			open(authUrl).catch(() => {
+				console.log(pc.yellow(`  Could not open browser automatically.`));
+				console.log(pc.yellow(`  Please open this URL manually:`));
+				console.log(`  ${pc.underline(authUrl)}`);
+			});
+			setTimeout(() => {
+				server.close();
+				reject(/* @__PURE__ */ new Error("Authentication timed out. Please try again."));
+			}, 12e4);
+		});
+	});
+}
+/**
+* Store credentials to ~/.amba/credentials.json
+*/
+async function storeCredentials(creds) {
+	await mkdir(AMBA_DIR, { recursive: true });
+	await writeFile(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), "utf-8");
+}
+/**
+* Load stored credentials. Throws if not found.
+*/
+async function loadCredentials() {
+	try {
+		const raw = await readFile(CREDENTIALS_PATH, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed !== "object" || parsed === null || !("access_token" in parsed) || !("refresh_token" in parsed) || !("expires_at" in parsed)) throw new Error("Invalid credentials format");
+		const creds = parsed;
+		if (!creds.access_token || typeof creds.access_token !== "string") throw new Error("Missing or invalid access_token in credentials");
+		return creds;
+	} catch (err) {
+		if (err instanceof Error && "code" in err && err.code === "ENOENT") throw new Error(`Credentials not found. Run ${pc.bold("amba login")} to authenticate first, or pass ${pc.bold("--token <pat>")} / set ${pc.bold("AMBA_PAT")} for headless invocations.`);
+		throw err;
+	}
+}
+/**
+* Check if the access token is expired (with 60s buffer).
+*/
+function isTokenExpired(creds) {
+	if (!creds.expires_at) return false;
+	const expiresAt = new Date(creds.expires_at).getTime();
+	return Date.now() > expiresAt - 6e4;
+}
+/**
+* Remove stored credentials.
+*/
+async function clearCredentials() {
+	try {
+		await rm(CREDENTIALS_PATH, { force: true });
+	} catch {}
+}
+/**
+* Process-scoped override for the bearer token used on admin API
+* calls. Set by the commander.js `preAction` hook in `index.ts`
+* before any subcommand runs — non-empty here means "skip stored
+* creds, use this PAT/JWT verbatim." Cleared on test teardown via
+* `__resetTokenOverride` to keep test cases isolated.
+*/
+let bearerOverride = null;
+/**
+* Set the process-scoped bearer override. Called by the global
+* `preAction` hook with the resolved value (flag → env → null).
+* `null` clears any prior override.
+*/
+function setBearerOverride(token) {
+	bearerOverride = token === null || token.length === 0 ? null : token;
+}
+/**
+* Resolve the bearer token to send on the next admin API call.
+*
+* Returns the override (PAT or JWT supplied via flag/env) when set,
+* otherwise loads + expiry-checks the stored access token. Throws
+* with an actionable error message in either failure path.
+*/
+async function resolveBearerToken() {
+	if (bearerOverride !== null) {
+		if (isPatShape(bearerOverride)) return bearerOverride;
+		return bearerOverride;
+	}
+	const creds = await loadCredentials();
+	if (isTokenExpired(creds)) throw new Error(`Session expired. Run ${pc.bold("amba login")} to re-authenticate, or pass ${pc.bold("--token <pat>")} / set ${pc.bold("AMBA_PAT")} for headless invocations.`);
+	return creds.access_token;
+}
+function resolveTokenSource(input) {
+	const flag = input.flagToken?.trim();
+	if (flag) return flag;
+	const env = input.envToken?.trim();
+	if (env) return env;
+	return null;
+}
+//#endregion
+//#region src/api-client.ts
+/**
+* Override the API base via the `AMBA_API_URL` environment variable.
+*/
+function getApiRoot() {
+	const override = process.env["AMBA_API_URL"];
+	return override && override.length > 0 ? override : DEFAULT_API_URL;
+}
+function getAdminBaseUrl() {
+	return `${getApiRoot()}/v1/admin`;
+}
+var ApiClientError = class extends Error {
+	statusCode;
+	errorCode;
+	constructor(message, statusCode, errorCode) {
+		super(message);
+		this.statusCode = statusCode;
+		this.errorCode = errorCode;
+		this.name = "ApiClientError";
+	}
+};
+/**
+* Make an authenticated request to the Amba admin API.
+*
+* The bearer token comes from `resolveBearerToken()` which honors the
+* `--token <pat>` / `AMBA_PAT` headless-auth path before falling back
+* to stored credentials at `~/.amba/credentials.json`. See
+* `auth.ts:resolveBearerToken` for the full precedence rules.
+*
+* `body` is JSON-serialized when an object/array. Pass a `FormData`
+* instance to send a multipart upload (e.g. `functions deploy` ships
+* the bundled script + metadata blob as multipart) — fetch handles
+* the boundary string + Content-Type itself in that case, so we
+* deliberately do NOT set our default `application/json` header.
+*/
+async function request(method, path, body) {
+	const token = await resolveBearerToken();
+	const url = `${getAdminBaseUrl()}${path}`;
+	const isMultipart = typeof FormData !== "undefined" && body instanceof FormData;
+	const headers = {
+		Authorization: `Bearer ${token}`,
+		"User-Agent": "amba-cli/0.1.1"
+	};
+	if (!isMultipart) headers["Content-Type"] = "application/json";
+	let wireBody;
+	if (body === void 0) wireBody = void 0;
+	else if (isMultipart) wireBody = body;
+	else wireBody = JSON.stringify(body);
+	const res = await fetch(url, {
+		method,
+		headers,
+		body: wireBody
+	});
+	if (!res.ok) {
+		let errorMessage = `API request failed: ${res.status} ${res.statusText}`;
+		let errorCode;
+		try {
+			const errorBody = await res.json();
+			if (errorBody.error?.message) {
+				errorMessage = errorBody.error.message;
+				errorCode = errorBody.error.code;
+			}
+		} catch {}
+		throw new ApiClientError(errorMessage, res.status, errorCode);
+	}
+	return await res.json();
+}
+/**
+* Generic typed GET against the admin API. Wraps `request` so callers
+* outside this module (e.g. the codegen-engine adapter in
+* `commands/types.ts`) don't need to reach into the private helper.
+*
+* Path is relative to `/admin` — leading slash required (`/projects/X`).
+*/
+async function adminGet(path) {
+	return request("GET", path);
+}
+async function listProjects() {
+	return request("GET", "/projects");
+}
+async function createProject(input) {
+	return request("POST", "/projects", input);
+}
+async function getProject(projectId) {
+	return request("GET", `/projects/${projectId}`);
+}
+async function deleteProject(projectId) {
+	return request("DELETE", `/projects/${projectId}`);
+}
+async function reprovisionProject(projectId) {
+	return request("POST", `/projects/${projectId}/reprovision`);
+}
+async function getProvisioningStatus(projectId) {
+	return request("GET", `/projects/${projectId}/provisioning-status`);
+}
+async function createApiKey(projectId, keyType, environment) {
+	return request("POST", `/projects/${projectId}/api-keys`, {
+		key_type: keyType,
+		environment
+	});
+}
+async function sendTestPush(projectId, input) {
+	return request("POST", `/projects/${projectId}/push/test`, input);
+}
+async function listConfig(projectId) {
+	return request("GET", `/projects/${projectId}/config`);
+}
+async function setConfig(projectId, input) {
+	return request("PUT", `/projects/${projectId}/config/${input.key}`, input);
+}
+async function listIntegrations(projectId) {
+	return request("GET", `/projects/${projectId}/integrations`);
+}
+async function listUsers(projectId, query = {}) {
+	const params = new URLSearchParams();
+	if (query.limit !== void 0) params.set("limit", String(query.limit));
+	const qs = params.toString();
+	return request("GET", `/projects/${projectId}/users${qs ? `?${qs}` : ""}`);
+}
+/**
+* Fetch a page of project-wide engagement events. Most-recent-first; when
+* `next_cursor` is non-null the caller should pass it back as `cursor` to
+* continue paging.
+*/
+async function listProjectEvents(projectId, query = {}) {
+	const params = new URLSearchParams();
+	if (query.since) params.set("since", query.since);
+	if (query.until) params.set("until", query.until);
+	if (query.eventName) params.set("event_name", query.eventName);
+	if (query.userId) params.set("user_id", query.userId);
+	if (query.limit !== void 0) params.set("limit", String(query.limit));
+	if (query.cursor) params.set("cursor", query.cursor);
+	const qs = params.toString();
+	return request("GET", `/projects/${projectId}/events${qs ? `?${qs}` : ""}`);
+}
+/**
+* Aggregate event counts in a time range. `groupBy` of `event_name` returns
+* the per-event-name bucket list ordered by count desc.
+*/
+async function getEventsCount(projectId, query) {
+	const params = new URLSearchParams();
+	params.set("since", query.since);
+	if (query.until) params.set("until", query.until);
+	if (query.eventName) params.set("event_name", query.eventName);
+	if (query.groupBy) params.set("group_by", query.groupBy);
+	return request("GET", `/projects/${projectId}/events/count?${params.toString()}`);
+}
+/**
+* Stream `/users/export` as line-delimited text. Yields chunks as the
+* server emits them. The endpoint always emits CSV (or NDJSON) so we don't
+* try to parse — callers either tee to disk or split lines themselves.
+*/
+async function streamUsersExport(projectId, query = {}) {
+	const token = await resolveBearerToken();
+	const params = new URLSearchParams();
+	if (query.format) params.set("format", query.format);
+	if (query.since) params.set("since", query.since);
+	const qs = params.toString();
+	const url = `${getAdminBaseUrl()}/projects/${projectId}/users/export${qs ? `?${qs}` : ""}`;
+	const res = await fetch(url, {
+		method: "GET",
+		headers: {
+			Authorization: `Bearer ${token}`,
+			"User-Agent": "amba-cli/0.1.1"
+		}
+	});
+	if (!res.ok) {
+		let errorMessage = `API request failed: ${res.status} ${res.statusText}`;
+		let errorCode;
+		try {
+			const errorBody = await res.json();
+			if (errorBody.error?.message) {
+				errorMessage = errorBody.error.message;
+				errorCode = errorBody.error.code;
+			}
+		} catch {}
+		throw new ApiClientError(errorMessage, res.status, errorCode);
+	}
+	return res;
+}
+async function listSegments(projectId) {
+	return request("GET", `/projects/${projectId}/segments`);
+}
+async function createSegment(projectId, input) {
+	return request("POST", `/projects/${projectId}/segments`, input);
+}
+async function createAchievement(projectId, input) {
+	return request("POST", `/projects/${projectId}/achievements`, input);
+}
+async function createContentLibrary(projectId, input) {
+	return request("POST", `/projects/${projectId}/content/libraries`, input);
+}
+async function addContentItems(projectId, libraryId, input) {
+	return request("POST", `/projects/${projectId}/content/libraries/${libraryId}/bulk`, input);
+}
+async function createXpRule(projectId, input) {
+	return request("POST", `/projects/${projectId}/xp`, input);
+}
+async function deployFunctionViaApi(projectId, input) {
+	const fd = new FormData();
+	fd.set("script", new Blob([input.bundleCode], { type: "application/javascript+module" }), `${input.name}.js`);
+	const metadata = {
+		name: input.name,
+		...input.rate_limit !== void 0 ? { rate_limit: input.rate_limit } : {}
+	};
+	fd.set("metadata", new Blob([JSON.stringify(metadata)], { type: "application/json" }), "metadata.json");
+	return request("POST", `/projects/${projectId}/functions/deploy`, fd);
+}
+async function listFunctionDeployments(projectId, options = {}) {
+	return request("GET", `/projects/${projectId}/functions/deployments${options.activeOnly ? "?active=1" : ""}`);
+}
+async function scheduleFunction(projectId, input) {
+	return request("POST", `/projects/${projectId}/functions/schedules`, input);
+}
+async function getFunctionLogs(projectId, functionName, options = {}) {
+	const params = new URLSearchParams();
+	if (options.since) params.set("since", options.since);
+	if (options.until) params.set("until", options.until);
+	if (options.limit !== void 0) params.set("limit", String(options.limit));
+	const qs = params.toString();
+	return request("GET", `/projects/${projectId}/functions/${functionName}/logs${qs ? `?${qs}` : ""}`);
+}
+async function upsertQueueBinding(projectId, input) {
+	return request("PUT", `/projects/${projectId}/queue/bindings`, input);
+}
+async function listQueueBindings(projectId) {
+	return request("GET", `/projects/${projectId}/queue/bindings`);
+}
+async function deleteQueueBinding(projectId, queueName) {
+	return request("DELETE", `/projects/${projectId}/queue/bindings/${queueName}?confirm=${encodeURIComponent(queueName)}`);
+}
+async function setSecretViaApi(projectId, input) {
+	return request("POST", `/projects/${projectId}/secrets`, input);
+}
+async function listSecretsViaApi(projectId) {
+	return request("GET", `/projects/${projectId}/secrets`);
+}
+async function deleteSecretViaApi(projectId, name, options) {
+	const qs = new URLSearchParams({ function: options.function });
+	return request("DELETE", `/projects/${projectId}/secrets/${encodeURIComponent(name)}?${qs.toString()}`);
+}
+async function createCollection(projectId, input) {
+	return request("POST", `/projects/${projectId}/collections`, input);
+}
+async function listCollections$1(projectId, options = {}) {
+	const params = new URLSearchParams();
+	if (options.limit !== void 0) params.set("limit", String(options.limit));
+	if (options.offset !== void 0) params.set("offset", String(options.offset));
+	const qs = params.toString();
+	return request("GET", `/projects/${projectId}/collections${qs ? `?${qs}` : ""}`);
+}
+async function alterCollection(projectId, name, patch, options = {}) {
+	return request("PATCH", `/projects/${projectId}/collections/${name}${options.confirm ? `?confirm=${encodeURIComponent(options.confirm)}` : ""}`, patch);
+}
+/**
+* Drop a collection. Requires `confirm` matching the collection name —
+* data's safety guard against typos. CLI surfaces this as `--confirm <name>`.
+*/
+async function dropCollection(projectId, name, confirm) {
+	return request("DELETE", `/projects/${projectId}/collections/${name}?confirm=${encodeURIComponent(confirm)}`);
+}
+async function registerAiProvider(projectId, input) {
+	return request("POST", `/projects/${projectId}/ai/providers`, input);
+}
+async function listAiProviders(projectId) {
+	return request("GET", `/projects/${projectId}/ai/providers`);
+}
+async function deleteAiProvider(projectId, name) {
+	return request("DELETE", `/projects/${projectId}/ai/providers/${encodeURIComponent(name)}`);
+}
+async function createSite(projectId, input) {
+	return request("POST", `/projects/${projectId}/sites`, input);
+}
+async function listSites(projectId) {
+	return request("GET", `/projects/${projectId}/sites`);
+}
+async function describeSite(projectId, name) {
+	return request("GET", `/projects/${projectId}/sites/${encodeURIComponent(name)}`);
+}
+async function deploySiteViaApi(projectId, siteName, body) {
+	return request("POST", `/projects/${projectId}/sites/${encodeURIComponent(siteName)}/deployments`, body);
+}
+async function updateSite(projectId, name, patch) {
+	return request("PATCH", `/projects/${projectId}/sites/${encodeURIComponent(name)}`, patch);
+}
+/**
+* Add a custom domain to a site. The server-side proxy registers the
+* custom hostname, persists the resulting `cf_hostname_id`, and returns
+* the CNAME target the customer should point their DNS at.
+*/
+async function addSiteDomainViaApi(projectId, siteName, hostname) {
+	return request("POST", `/projects/${projectId}/sites/${encodeURIComponent(siteName)}/domains`, { hostname });
+}
+/**
+* Remove a custom domain from a site. Idempotent — re-running on an
+* already-removed hostname returns 200 with `deleted: true`. Backend
+* 404s are treated as success at the proxy layer.
+*/
+async function removeSiteDomainViaApi(projectId, siteName, hostname) {
+	return request("DELETE", `/projects/${projectId}/sites/${encodeURIComponent(siteName)}/domains/${encodeURIComponent(hostname)}`);
+}
+/**
+* Roll a live CF Pages deployment back to a prior `deployment_id`. CF's
+* rollback creates a NEW deployment that serves the prior bundle (git-
+* revert semantics, not git-reset), so the response shape mirrors
+* `DeploySiteResult` and the new `deployment_id` is what's now live.
+*/
+async function rollbackSiteViaApi(projectId, siteName, deploymentId) {
+	return request("POST", `/projects/${projectId}/sites/${encodeURIComponent(siteName)}/rollback`, { deployment_id: deploymentId });
+}
+/**
+* Delete a site entirely. Cascade: removes attached custom hostnames,
+* tears down the CDN project, and soft-deletes the site row. Partial
+* failures surface as `503 CASCADE_PARTIAL_FAILURE` with the `cascade`
+* field telling the CLI which steps completed.
+*/
+async function deleteSiteViaApi(projectId, siteName, options) {
+	return request("DELETE", `/projects/${projectId}/sites/${encodeURIComponent(siteName)}?confirm=${encodeURIComponent(options.confirm)}`);
+}
+/**
+* Delete a function entirely. Cascade: removes the deployed script
+* (backend 404 treated as success), then marks every historical
+* deployment row as `status='disabled'` to keep history intact for
+* audit. Customer Workers stop responding immediately on cascade
+* step 1.
+*/
+async function deleteFunctionViaApi(projectId, functionName, options) {
+	return request("DELETE", `/projects/${projectId}/functions/${encodeURIComponent(functionName)}?confirm=${encodeURIComponent(options.confirm)}`);
+}
+async function listSiteDomains(projectId, siteName) {
+	return request("GET", `/projects/${projectId}/sites/${encodeURIComponent(siteName)}/domains`);
+}
+async function validateApiKey(apiKey) {
+	const res = await fetch(`${getApiRoot()}/v1/auth/validate`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			"User-Agent": "amba-cli/0.1.1"
+		},
+		body: JSON.stringify({ api_key: apiKey })
+	});
+	if (!res.ok) return {
+		valid: false,
+		error: `HTTP ${res.status}`
+	};
+	const { valid: _valid, ...rest } = (await res.json()).data;
+	return {
+		valid: true,
+		...rest
+	};
+}
+//#endregion
+//#region src/context-files.ts
+/**
+* Generate AMBA.md project context file for AI agents.
+*/
+function generateAmbaMarkdown(opts) {
+	const sdkPackage = opts.framework === "expo" ? "@layers/amba-expo" : "@layers/amba-client";
+	const providerExample = opts.framework === "expo" ? `
+### Client Setup
+
+\`\`\`tsx
+// app/_layout.tsx
+import { useEffect } from 'react';
+import { Slot } from 'expo-router';
+import { Amba } from '@layers/amba-expo';
+
+export default function RootLayout() {
+  useEffect(() => {
+    Amba.init({
+      projectId: process.env.EXPO_PUBLIC_AMBA_PROJECT_ID!,
+      apiKey: process.env.EXPO_PUBLIC_AMBA_API_KEY!,
+    });
+  }, []);
+
+  return <Slot />;
+}
+\`\`\`
+
+### Using the Client
+
+\`\`\`tsx
+import { Amba } from '@layers/amba-expo';
+
+export default function MyComponent() {
+  const onPress = async () => {
+    // Track an event
+    await Amba.track('lesson_completed', { lesson_id: '123' });
+
+    // Sign in with Apple (requires expo-apple-authentication)
+    await Amba.signInWithApple();
+
+    // Read remote config
+    const showBanner = Amba.configModule.get('show_promo_banner');
+
+    // Read current streaks
+    const streaks = await Amba.streaks.getAll();
+  };
+
+  // ...
+}
+\`\`\`` : `
+### Client Setup
+
+\`\`\`typescript
+import { Amba } from '@layers/amba-client';
+
+Amba.configure({
+  projectId: process.env.AMBA_PROJECT_ID!,
+  apiKey: process.env.AMBA_API_KEY!,
+});
+
+await Amba.client.init();
+
+// Track an event
+await Amba.client.track('page_viewed', { page: '/pricing' });
+
+// Get remote config
+const config = Amba.client.config.get('feature_flags');
+
+// Auth
+await Amba.client.auth.signUpWithEmail('user@example.com', 'hunter2');
+\`\`\``;
+	return `# Amba Project Context
+
+> This file provides context about the Amba integration for AI coding agents.
+
+## Project Info
+
+| Key | Value |
+|-----|-------|
+| Project ID | \`${opts.projectId}\` |
+| Project Name | ${opts.projectName} |
+| Framework | ${opts.framework} |
+| SDK | \`${sdkPackage}\` |
+
+## Environment Variables
+
+These are configured in \`.env.local\`:
+
+- \`AMBA_PROJECT_ID\` — Your project identifier
+- \`AMBA_API_KEY\` — Client API key (safe for client-side use)
+- \`AMBA_API_URL\` — API endpoint (defaults to https://api.amba.dev)
+
+## SDK Usage
+${providerExample}
+
+## Available Features
+
+- **Push Notifications** — Send targeted push notifications to user segments
+- **Remote Config** — Key-value configuration that updates without app releases
+- **Segments** — Group users by behavior, properties, or entitlements
+- **Streaks** — Track user engagement streaks (daily, weekly)
+- **Content Libraries** — Scheduled content delivery (daily tips, weekly challenges)
+- **Entitlements** — Subscription status via RevenueCat integration
+- **Analytics** — DAU, MAU, retention, and custom event tracking
+
+## API Reference
+
+- Admin API: \`https://api.amba.dev/v1/admin\`
+- Client API: \`https://api.amba.dev/v1/client\`
+- Docs: \`https://docs.amba.dev\`
+
+## CLI Commands
+
+\`\`\`bash
+amba status          # Check project health
+amba push test       # Send a test push notification
+amba config list     # List remote config values
+amba config set <key> <value>  # Set a config value
+\`\`\`
+`;
+}
+/**
+* Generate .cursor/rules/amba.mdc Cursor rules file.
+*/
+function generateCursorRules(opts) {
+	const sdk = opts.framework === "expo" ? "@layers/amba-expo" : "@layers/amba-client";
+	return `---
+description: Rules for working with the Amba SDK in this project
+globs: ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.jsx"]
+---
+
+# Amba SDK Rules
+
+## Project Setup
+- Project ID: \`${opts.projectId}\`
+- SDK: \`${sdk}\`
+- API URL: \`https://api.amba.dev\`
+
+## Environment Variables
+- Always read Amba config from environment variables, never hardcode
+- Use \`process.env.AMBA_PROJECT_ID\` and \`process.env.AMBA_API_KEY\`
+- The .env.local file contains the project credentials
+
+## SDK Patterns
+${opts.framework === "expo" ? `- Import the \`Amba\` singleton from \`@layers/amba-expo\`
+- Call \`Amba.init({ projectId, apiKey })\` once in the root layout (inside a \`useEffect\`)
+- The Expo wrapper auto-wires AsyncStorage, push tokens, and Apple/Google sign-in
+- Use \`Amba.signInWithApple()\` / \`Amba.signInWithGoogle()\` for social auth one-liners
+- Call \`Amba.track()\` for engagement events, don't build custom analytics` : `- Initialize the Amba client once and export it as a singleton
+- Use \`Amba.client.track()\` for all engagement events
+- Use \`Amba.client.config.get()\` for remote configuration
+- Use \`Amba.client.auth\` for sign-up / sign-in flows`}
+
+## Push Notifications
+- Register push tokens via the SDK \`registerPushToken()\` method
+- Handle notification payloads using the SDK's notification listener
+- Don't implement custom push token management
+
+## Remote Config
+- Use remote config for feature flags and dynamic values
+- Always provide sensible defaults when reading config values
+- Config values are cached — don't fetch on every render
+
+## Streaks
+- Streaks are server-managed; the SDK provides read-only access
+- Use \`track()\` to record qualifying events — the server evaluates streaks
+- Show streak state from \`streak.current()\`, don't calculate manually
+
+## Best Practices
+- Don't store Amba API keys in source code or commit them to git
+- Use \`.env.local\` for local development credentials
+- The client API key (prefixed \`amb_dev_ck_\` or \`amb_live_ck_\`) is safe for client-side use
+- Server keys (prefixed \`amb_dev_sk_\` or \`amb_live_sk_\`) must stay server-side only
+`;
+}
+/**
+* Write both context files to the project directory.
+*/
+async function generateContextFiles(opts) {
+	const files = [];
+	await writeFile(join(opts.cwd, "AMBA.md"), generateAmbaMarkdown(opts), "utf-8");
+	files.push("AMBA.md");
+	const cursorDir = join(opts.cwd, ".cursor", "rules");
+	await mkdir(cursorDir, { recursive: true });
+	await writeFile(join(cursorDir, "amba.mdc"), generateCursorRules(opts), "utf-8");
+	files.push(".cursor/rules/amba.mdc");
+	return files;
+}
+//#endregion
+//#region src/commands/init.ts
+function prompt(question) {
+	const rl = createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	return new Promise((resolve) => {
+		rl.question(question, (answer) => {
+			rl.close();
+			resolve(answer.trim());
+		});
+	});
+}
+async function fileExists(path) {
+	try {
+		await access(path);
+		return true;
+	} catch {
+		return false;
+	}
+}
+async function detectFramework(cwd) {
+	try {
+		const raw = await readFile(join(cwd, "package.json"), "utf-8");
+		const pkg = JSON.parse(raw);
+		const deps = {
+			...typeof pkg.dependencies === "object" && pkg.dependencies !== null ? pkg.dependencies : {},
+			...typeof pkg.devDependencies === "object" && pkg.devDependencies !== null ? pkg.devDependencies : {}
+		};
+		if ("expo" in deps) return "expo";
+		if ("react-native" in deps) return "react-native";
+		if ("react" in deps || "next" in deps || "vue" in deps || "svelte" in deps) return "web";
+		return "unknown";
+	} catch {
+		return "unknown";
+	}
+}
+function getSdkPackage(framework) {
+	switch (framework) {
+		case "expo": return "@layers/amba-expo";
+		case "react-native": return "@layers/amba-client";
+		case "web": return "@layers/amba-client";
+		case "unknown": return "@layers/amba-client";
+	}
+}
+async function writeExampleScaffold(cwd, framework, projectName) {
+	const written = [];
+	const appTsxPath = join(cwd, "amba-example.tsx");
+	if (!await fileExists(appTsxPath)) {
+		await writeFile(appTsxPath, framework === "expo" ? `/**
+ * Amba example — ${projectName}
+ *
+ * Drop this into your Expo app (e.g. app/_layout.tsx) to initialize Amba
+ * once at startup. Requires: process.env.EXPO_PUBLIC_AMBA_PROJECT_ID
+ *                           process.env.EXPO_PUBLIC_AMBA_API_KEY
+ */
+import { useEffect } from 'react';
+import { Amba } from '@layers/amba-expo';
+
+export function AmbaExample(): null {
+  useEffect(() => {
+    void Amba.init({
+      projectId: process.env.EXPO_PUBLIC_AMBA_PROJECT_ID!,
+      apiKey: process.env.EXPO_PUBLIC_AMBA_API_KEY!,
+    });
+  }, []);
+  return null;
+}
+` : `/**
+ * Amba example — ${projectName}
+ *
+ * Call Amba.init() once at application startup (after env is loaded).
+ * Requires AMBA_PROJECT_ID + AMBA_API_KEY in your environment.
+ */
+import { Amba } from '@layers/amba-client';
+
+export async function initAmba(): Promise<void> {
+  await Amba.init({
+    projectId: process.env.AMBA_PROJECT_ID!,
+    apiKey: process.env.AMBA_API_KEY!,
+  });
+}
+`, "utf-8");
+		written.push("amba-example.tsx");
+	}
+	const readmeSnippetPath = join(cwd, "AMBA_QUICKSTART.md");
+	if (!await fileExists(readmeSnippetPath)) {
+		await writeFile(readmeSnippetPath, `# Amba quickstart — ${projectName}
+
+1. Install the SDK (see \`AMBA.md\` for the exact command for your package manager).
+2. Copy \`amba-example.tsx\` into your app and call it once at startup.
+3. Verify the integration:
+
+   \`\`\`bash
+   amba status --detailed
+   amba push test
+   \`\`\`
+
+4. Seed sample data (optional):
+
+   \`\`\`bash
+   amba seed --preset=starter
+   \`\`\`
+
+Docs: https://docs.amba.dev
+`, "utf-8");
+		written.push("AMBA_QUICKSTART.md");
+	}
+	return written;
+}
+async function initCommand(options = {}) {
+	const cwd = process.cwd();
+	const environment = options.env ?? "development";
+	console.log();
+	console.log(pc.bold("  amba init"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.bold("  Step 1/7 ") + pc.dim("Authenticate"));
+	console.log();
+	const headlessActive = resolveTokenSource({
+		flagToken: void 0,
+		envToken: process.env["AMBA_PAT"]
+	}) !== null || process.argv.includes("--token") && process.argv.length > 2;
+	let needsAuth = true;
+	if (headlessActive) {
+		console.log(pc.green("  ✓") + " Headless auth — using PAT from --token / AMBA_PAT");
+		console.log(pc.dim("    (browser flow skipped; no credentials written to disk)"));
+		console.log();
+		needsAuth = false;
+	} else try {
+		if (!isTokenExpired(await loadCredentials())) {
+			console.log(pc.green("  ✓") + " Already authenticated");
+			console.log();
+			needsAuth = false;
+		}
+	} catch {}
+	if (needsAuth) {
+		const creds = await browserAuthFlow();
+		console.log(pc.bold("  Step 2/7 ") + pc.dim("Store credentials"));
+		await storeCredentials(creds);
+		console.log(pc.green("  ✓") + " Credentials saved to ~/.amba/credentials.json");
+		console.log();
+	} else {
+		console.log(pc.bold("  Step 2/7 ") + pc.dim("Store credentials"));
+		if (headlessActive) console.log(pc.green("  ✓") + " (skipped — PAT supplied)");
+		else console.log(pc.green("  ✓") + " Using existing credentials");
+		console.log();
+	}
+	console.log(pc.bold("  Step 3/7 ") + pc.dim("Select project"));
+	console.log();
+	let projectId;
+	let projectName;
+	try {
+		const projects = (await listProjects()).data;
+		if (projects.length > 0) {
+			console.log("  Existing projects:");
+			projects.forEach((p, i) => {
+				console.log(pc.dim(`    ${i + 1}.`) + ` ${p.name} ` + pc.dim(`(${p.id})`));
+			});
+			console.log(pc.dim(`    ${projects.length + 1}.`) + " Create new project");
+			console.log();
+			const choice = await prompt(`  Select project (1-${projects.length + 1}): `);
+			const choiceNum = parseInt(choice, 10);
+			if (choiceNum > 0 && choiceNum <= projects.length) {
+				const selected = projects[choiceNum - 1];
+				if (!selected) throw new Error("Invalid selection");
+				projectId = selected.id;
+				projectName = selected.name;
+				console.log(pc.green("  ✓") + ` Selected: ${projectName}`);
+			} else {
+				const name = await prompt("  Project name: ");
+				if (!name) {
+					console.log(pc.red("  ✗") + " Project name is required");
+					process.exit(1);
+				}
+				projectId = (await createProject({
+					name,
+					environment
+				})).data.id;
+				projectName = name;
+				console.log(pc.green("  ✓") + ` Created: ${projectName} ${pc.dim(`(${environment})`)}`);
+			}
+		} else {
+			const name = await prompt("  Project name: ");
+			if (!name) {
+				console.log(pc.red("  ✗") + " Project name is required");
+				process.exit(1);
+			}
+			projectId = (await createProject({ name })).data.id;
+			projectName = name;
+			console.log(pc.green("  ✓") + ` Created: ${projectName}`);
+		}
+	} catch (err) {
+		if (err instanceof Error && err.message.includes("authenticate")) throw err;
+		const name = await prompt("  Project name: ");
+		if (!name) {
+			console.log(pc.red("  ✗") + " Project name is required");
+			process.exit(1);
+		}
+		projectId = (await createProject({ name })).data.id;
+		projectName = name;
+		console.log(pc.green("  ✓") + ` Created: ${projectName}`);
+	}
+	console.log();
+	console.log(pc.bold("  Step 4/7 ") + pc.dim("Generate API keys"));
+	const keyRes = await createApiKey(projectId, "client", "development");
+	const apiKey = keyRes.data.key;
+	console.log(pc.green("  ✓") + " Development client key created");
+	console.log(pc.dim(`    ${keyRes.data.key_prefix}...`));
+	console.log();
+	console.log(pc.bold("  Step 5/7 ") + pc.dim("Write environment file"));
+	const envPath = join(cwd, ".env.local");
+	const envLines = [
+		"# Amba SDK Configuration",
+		`AMBA_PROJECT_ID=${projectId}`,
+		`AMBA_API_KEY=${apiKey}`,
+		`AMBA_API_URL=https://api.amba.dev`,
+		""
+	];
+	if (await fileExists(envPath)) {
+		const existing = await readFile(envPath, "utf-8");
+		if (existing.includes("AMBA_PROJECT_ID")) {
+			console.log(pc.yellow("  !") + " .env.local already contains Amba config — updating");
+			let updated = existing;
+			updated = updated.replace(/AMBA_PROJECT_ID=.*/, `AMBA_PROJECT_ID=${projectId}`);
+			updated = updated.replace(/AMBA_API_KEY=.*/, `AMBA_API_KEY=${apiKey}`);
+			updated = updated.replace(/AMBA_API_URL=.*/, `AMBA_API_URL=https://api.amba.dev`);
+			await writeFile(envPath, updated, "utf-8");
+		} else await writeFile(envPath, existing + (existing.endsWith("\n") ? "\n" : "\n\n") + envLines.join("\n"), "utf-8");
+	} else await writeFile(envPath, envLines.join("\n"), "utf-8");
+	console.log(pc.green("  ✓") + " .env.local written");
+	console.log();
+	console.log(pc.bold("  Step 6/7 ") + pc.dim("Detect framework"));
+	const framework = await detectFramework(cwd);
+	const sdkPkg = getSdkPackage(framework);
+	if (framework !== "unknown") console.log(pc.green("  ✓") + ` Detected: ${pc.bold(framework)}`);
+	else console.log(pc.yellow("  !") + " Could not detect framework");
+	let installCmd = `npm install ${sdkPkg}`;
+	if (await fileExists(join(cwd, "bun.lockb"))) installCmd = `bun add ${sdkPkg}`;
+	else if (await fileExists(join(cwd, "pnpm-lock.yaml"))) installCmd = `pnpm add ${sdkPkg}`;
+	else if (await fileExists(join(cwd, "yarn.lock"))) installCmd = `yarn add ${sdkPkg}`;
+	console.log(pc.dim(`    Install SDK: ${installCmd}`));
+	console.log();
+	console.log(pc.bold("  Step 7/7 ") + pc.dim("Generate context files"));
+	const generatedFiles = await generateContextFiles({
+		projectId,
+		projectName,
+		apiKey,
+		framework,
+		cwd
+	});
+	for (const file of generatedFiles) console.log(pc.green("  ✓") + ` ${file}`);
+	if (options.withExample) {
+		const exampleFiles = await writeExampleScaffold(cwd, framework, projectName);
+		if (exampleFiles.length > 0) for (const file of exampleFiles) console.log(pc.green("  ✓") + ` ${file} ` + pc.dim("(example)"));
+		else console.log(pc.dim("  -") + " example files already present — skipping");
+	}
+	console.log();
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.bold(pc.green("  ✓ Project initialized!")));
+	console.log();
+	console.log("  Quick start:");
+	console.log();
+	console.log(pc.dim("    1.") + ` Install the SDK`);
+	console.log(`       ${pc.cyan(installCmd)}`);
+	console.log();
+	console.log(pc.dim("    2.") + ` Add the provider to your app`);
+	if (framework === "expo") console.log(pc.dim(`       See AMBA.md for Amba.init() setup`));
+	else if (framework === "react-native") console.log(pc.dim(`       See AMBA.md for client initialization`));
+	else console.log(pc.dim(`       See AMBA.md for client initialization`));
+	console.log();
+	console.log(pc.dim("    3.") + ` Test the integration`);
+	console.log(`       ${pc.cyan("amba status")}`);
+	console.log();
+	console.log(pc.dim("    4.") + ` Send a test notification`);
+	console.log(`       ${pc.cyan("amba push test")}`);
+	console.log();
+	console.log(`  Docs: ${pc.underline("https://docs.amba.dev")}`);
+	console.log();
+}
+//#endregion
+//#region src/commands/login.ts
+async function loginCommand() {
+	console.log();
+	console.log(pc.bold("  amba login"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	try {
+		await storeCredentials(await browserAuthFlow());
+		console.log(pc.green("  ✓") + " Authenticated successfully");
+		console.log(pc.dim("    Credentials saved to ~/.amba/credentials.json"));
+		console.log();
+	} catch (err) {
+		const message = err instanceof Error ? err.message : "Unknown error";
+		console.log(pc.red("  ✗") + ` Authentication failed: ${message}`);
+		console.log();
+		process.exit(1);
+	}
+}
+//#endregion
+//#region src/commands/status.ts
+async function readEnvFile(cwd) {
+	const config = {
+		projectId: void 0,
+		apiKey: void 0,
+		apiUrl: void 0
+	};
+	for (const filename of [".env.local", ".env"]) try {
+		const raw = await readFile(join(cwd, filename), "utf-8");
+		for (const line of raw.split("\n")) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
+			const eqIndex = trimmed.indexOf("=");
+			const key = trimmed.slice(0, eqIndex).trim();
+			const value = trimmed.slice(eqIndex + 1).trim();
+			if (key === "AMBA_PROJECT_ID") config.projectId = value;
+			if (key === "AMBA_API_KEY") config.apiKey = value;
+			if (key === "AMBA_API_URL") config.apiUrl = value;
+		}
+		break;
+	} catch {
+		continue;
+	}
+	return config;
+}
+async function statusCommand(opts = {}) {
+	const cwd = process.cwd();
+	console.log();
+	console.log(pc.bold("  amba status"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.bold("  Authentication"));
+	try {
+		if (isTokenExpired(await loadCredentials())) console.log(pc.yellow("  ! Session expired") + pc.dim(" — run `amba login`"));
+		else console.log(pc.green("  ✓ Logged in"));
+	} catch {
+		console.log(pc.red("  ✗ Not authenticated") + pc.dim(" — run `amba login`"));
+	}
+	console.log();
+	console.log(pc.bold("  Local Configuration"));
+	const env = await readEnvFile(cwd);
+	if (!env.projectId && !env.apiKey) {
+		console.log(pc.red("  ✗ No Amba config found") + pc.dim(" — run `amba init`"));
+		console.log();
+		return;
+	}
+	if (env.projectId) console.log(pc.green("  ✓") + ` Project ID: ${pc.dim(env.projectId)}`);
+	else console.log(pc.red("  ✗") + " AMBA_PROJECT_ID not set");
+	if (env.apiKey) {
+		const prefix = env.apiKey.length > 16 ? env.apiKey.slice(0, 16) + "..." : env.apiKey;
+		console.log(pc.green("  ✓") + ` API Key:    ${pc.dim(prefix)}`);
+	} else console.log(pc.red("  ✗") + " AMBA_API_KEY not set");
+	if (env.apiUrl) console.log(pc.green("  ✓") + ` API URL:    ${pc.dim(env.apiUrl)}`);
+	console.log();
+	if (env.apiKey) {
+		console.log(pc.bold("  API Key Validation"));
+		try {
+			const result = await validateApiKey(env.apiKey);
+			if (result.valid) {
+				console.log(pc.green("  ✓") + " API key is valid");
+				console.log(pc.dim(`    Environment: ${result.environment}`));
+			} else console.log(pc.red("  ✗") + ` API key is invalid: ${result.error}`);
+		} catch (err) {
+			if (err instanceof ApiClientError) console.log(pc.red("  ✗") + ` Validation failed: ${err.message}`);
+			else console.log(pc.yellow("  !") + " Could not reach API to validate key");
+		}
+		console.log();
+	}
+	if (env.projectId) {
+		console.log(pc.bold("  Project Details"));
+		try {
+			const p = (await getProject(env.projectId)).data;
+			console.log(`    Name:        ${p.name}`);
+			console.log(`    Platform:    ${p.platform}`);
+			console.log(`    Environment: ${p.environment}`);
+			if (p.bundle_id) console.log(`    Bundle ID:   ${p.bundle_id}`);
+			console.log(`    Created:     ${pc.dim(p.created_at)}`);
+		} catch (err) {
+			if (err instanceof ApiClientError && err.statusCode === 404) console.log(pc.red("  ✗") + " Project not found");
+			else if (err instanceof Error && err.message.includes("authenticate")) console.log(pc.yellow("  !") + " Login required to fetch project details");
+			else console.log(pc.yellow("  !") + " Could not fetch project details");
+		}
+		console.log();
+	}
+	console.log(pc.bold("  Context Files"));
+	for (const file of ["AMBA.md", ".cursor/rules/amba.mdc"]) try {
+		await readFile(join(cwd, file), "utf-8");
+		console.log(pc.green("  ✓") + ` ${file}`);
+	} catch {
+		console.log(pc.dim("  -") + ` ${file} ` + pc.dim("(not generated — run `amba init`)"));
+	}
+	console.log();
+	if (opts.detailed && env.projectId) {
+		const projectId = env.projectId;
+		console.log(pc.bold("  Integrations"));
+		try {
+			const integrations = (await listIntegrations(projectId)).data;
+			const expected = [
+				"apns",
+				"fcm",
+				"revenuecat",
+				"superwall"
+			];
+			const byProvider = /* @__PURE__ */ new Map();
+			for (const integ of integrations) byProvider.set(String(integ.provider).toLowerCase(), integ);
+			for (const provider of expected) {
+				const integ = byProvider.get(provider);
+				if (!integ) {
+					console.log(pc.dim("  -") + ` ${provider.toUpperCase()} ` + pc.dim("(not configured)"));
+					continue;
+				}
+				const enabled = integ.enabled !== false && integ.status !== "disabled";
+				const icon = enabled ? pc.green("  ✓") : pc.yellow("  !");
+				const label = provider.toUpperCase();
+				const statusLabel = integ.status ?? (enabled ? "active" : "inactive");
+				console.log(`${icon} ${label} ` + pc.dim(`(${statusLabel})`));
+			}
+		} catch (err) {
+			if (err instanceof ApiClientError) console.log(pc.yellow("  !") + ` Could not load integrations: ${err.message}`);
+			else console.log(pc.yellow("  !") + " Could not load integrations");
+		}
+		console.log();
+		console.log(pc.bold("  Metrics (last 24h)"));
+		try {
+			const users = await listUsers(projectId, { limit: 1 });
+			const userCount = typeof users.total === "number" ? users.total : users.data.length;
+			console.log(pc.dim("    Users:    ") + String(userCount));
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : "unknown error";
+			console.log(pc.yellow("    Users:    ") + pc.dim(`(unavailable — ${msg})`));
+		}
+		try {
+			const segs = await listSegments(projectId);
+			const activeCount = segs.data.filter((s) => s.is_active !== false).length;
+			console.log(pc.dim("    Segments: ") + `${activeCount} active / ${segs.data.length} total`);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : "unknown error";
+			console.log(pc.yellow("    Segments: ") + pc.dim(`(unavailable — ${msg})`));
+		}
+		const since24h = (/* @__PURE__ */ new Date(Date.now() - 1440 * 60 * 1e3)).toISOString();
+		let eventTotal = null;
+		try {
+			eventTotal = (await getEventsCount(projectId, { since: since24h })).data.total;
+			console.log(pc.dim("    Events:   ") + String(eventTotal));
+		} catch (err) {
+			if (err instanceof ApiClientError && err.statusCode === 404) console.log(pc.dim("    Events:   ") + pc.dim("(unavailable — endpoint not deployed)"));
+			else {
+				const msg = err instanceof Error ? err.message : "unknown error";
+				console.log(pc.yellow("    Events:   ") + pc.dim(`(unavailable — ${msg})`));
+			}
+		}
+		if (eventTotal !== null && eventTotal > 0) try {
+			const top = ((await getEventsCount(projectId, {
+				since: since24h,
+				groupBy: "event_name"
+			})).data.buckets ?? []).slice(0, 5);
+			if (top.length > 0) {
+				console.log(pc.dim("    Top events (24h):"));
+				const widest = top.reduce((m, b) => Math.max(m, b.key.length), 0);
+				for (const b of top) console.log(pc.dim("      ") + b.key.padEnd(widest) + "  " + pc.dim(String(b.count)));
+			}
+		} catch (err) {
+			if (err instanceof ApiClientError && err.statusCode === 404) {} else {
+				const msg = err instanceof Error ? err.message : "unknown error";
+				console.log(pc.yellow("    Top events: ") + pc.dim(`(unavailable — ${msg})`));
+			}
+		}
+		console.log();
+	} else if (opts.detailed && !env.projectId) {
+		console.log(pc.yellow("  !") + " --detailed requires AMBA_PROJECT_ID in .env.local");
+		console.log();
+	}
+}
+//#endregion
+//#region src/commands/push.ts
+async function getProjectId$1(cwd) {
+	for (const filename of [".env.local", ".env"]) try {
+		const raw = await readFile(join(cwd, filename), "utf-8");
+		for (const line of raw.split("\n")) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("AMBA_PROJECT_ID=")) return trimmed.slice(16).trim();
+		}
+	} catch {
+		continue;
+	}
+	return null;
+}
+async function pushTestCommand() {
+	const cwd = process.cwd();
+	console.log();
+	console.log(pc.bold("  amba push test"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	const projectId = await getProjectId$1(cwd);
+	if (!projectId) {
+		console.log(pc.red("  ✗") + " AMBA_PROJECT_ID not found in .env.local");
+		console.log(pc.dim("    Run `amba init` to set up your project"));
+		console.log();
+		process.exit(1);
+	}
+	console.log(pc.dim("  Sending test push notification..."));
+	console.log();
+	try {
+		const result = await sendTestPush(projectId, {
+			title: "Amba Test",
+			body: "If you see this, push notifications are working!",
+			data: { source: "cli-test" }
+		});
+		console.log(pc.green("  ✓") + ` ${result.data.message}`);
+		console.log(pc.dim(`    Sent to ${result.data.sent} device(s)`));
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError) if (err.statusCode === 404) {
+			console.log(pc.red("  ✗") + " Project not found");
+			console.log(pc.dim("    Check your AMBA_PROJECT_ID in .env.local"));
+		} else if (err.statusCode === 422) {
+			console.log(pc.yellow("  !") + " No push tokens registered yet");
+			console.log(pc.dim("    Install the SDK in your app and register a push token first"));
+		} else console.log(pc.red("  ✗") + ` Failed: ${err.message}`);
+		else if (err instanceof Error) console.log(pc.red("  ✗") + ` ${err.message}`);
+		console.log();
+		process.exit(1);
+	}
+}
+//#endregion
+//#region src/commands/config.ts
+async function getProjectId(cwd) {
+	for (const filename of [".env.local", ".env"]) try {
+		const raw = await readFile(join(cwd, filename), "utf-8");
+		for (const line of raw.split("\n")) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("AMBA_PROJECT_ID=")) return trimmed.slice(16).trim();
+		}
+	} catch {
+		continue;
+	}
+	return null;
+}
+function requireProjectId$1(projectId) {
+	if (!projectId) {
+		console.log(pc.red("  ✗") + " AMBA_PROJECT_ID not found in .env.local");
+		console.log(pc.dim("    Run `amba init` to set up your project"));
+		console.log();
+		process.exit(1);
+	}
+}
+function formatValue(value) {
+	if (typeof value === "string") return value;
+	if (typeof value === "number" || typeof value === "boolean") return String(value);
+	return JSON.stringify(value);
+}
+function inferValueType(raw) {
+	if (raw === "true") return {
+		value: true,
+		value_type: "boolean"
+	};
+	if (raw === "false") return {
+		value: false,
+		value_type: "boolean"
+	};
+	const num = Number(raw);
+	if (!isNaN(num) && raw.trim() !== "") return {
+		value: num,
+		value_type: "number"
+	};
+	if (raw.startsWith("{") && raw.endsWith("}") || raw.startsWith("[") && raw.endsWith("]")) try {
+		return {
+			value: JSON.parse(raw),
+			value_type: "json"
+		};
+	} catch {}
+	return {
+		value: raw,
+		value_type: "string"
+	};
+}
+async function configListCommand() {
+	const cwd = process.cwd();
+	console.log();
+	console.log(pc.bold("  amba config list"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	const projectId = await getProjectId(cwd);
+	requireProjectId$1(projectId);
+	try {
+		const configs = (await listConfig(projectId)).data;
+		if (configs.length === 0) {
+			console.log(pc.dim("  No config values set"));
+			console.log(pc.dim("  Use `amba config set <key> <value>` to add one"));
+			console.log();
+			return;
+		}
+		const keyWidth = Math.max(5, ...configs.map((c) => c.key.length));
+		const typeWidth = Math.max(4, ...configs.map((c) => c.value_type.length));
+		console.log(pc.dim("  ") + pc.bold("Key".padEnd(keyWidth + 2)) + pc.bold("Type".padEnd(typeWidth + 2)) + pc.bold("Value"));
+		console.log(pc.dim("  " + "─".repeat(keyWidth + typeWidth + 30)));
+		for (const config of configs) {
+			const valueStr = formatValue(config.value);
+			const truncated = valueStr.length > 50 ? valueStr.slice(0, 47) + "..." : valueStr;
+			console.log("  " + config.key.padEnd(keyWidth + 2) + pc.dim(config.value_type.padEnd(typeWidth + 2)) + truncated);
+		}
+		console.log();
+		console.log(pc.dim(`  ${configs.length} config value${configs.length === 1 ? "" : "s"}`));
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError) console.log(pc.red("  ✗") + ` Failed: ${err.message}`);
+		else if (err instanceof Error) console.log(pc.red("  ✗") + ` ${err.message}`);
+		console.log();
+		process.exit(1);
+	}
+}
+async function configSetCommand(key, rawValue) {
+	const cwd = process.cwd();
+	console.log();
+	console.log(pc.bold("  amba config set"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	const projectId = await getProjectId(cwd);
+	requireProjectId$1(projectId);
+	const { value, value_type } = inferValueType(rawValue);
+	try {
+		const result = await setConfig(projectId, {
+			key,
+			value,
+			value_type
+		});
+		console.log(pc.green("  ✓") + ` Set ${pc.bold(key)} = ${formatValue(result.data.value)}`);
+		console.log(pc.dim(`    Type: ${result.data.value_type}`));
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError) console.log(pc.red("  ✗") + ` Failed: ${err.message}`);
+		else if (err instanceof Error) console.log(pc.red("  ✗") + ` ${err.message}`);
+		console.log();
+		process.exit(1);
+	}
+}
+//#endregion
+//#region src/commands/projects.ts
+function confirm(question) {
+	const rl = createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	return new Promise((resolve) => {
+		rl.question(question, (answer) => {
+			rl.close();
+			resolve(/^y(es)?$/i.test(answer.trim()));
+		});
+	});
+}
+function handleError(err) {
+	if (err instanceof ApiClientError) if (err.statusCode === 401 || err.statusCode === 403) console.log(pc.red("  ✗") + " Not authenticated — run `amba login` first.");
+	else console.log(pc.red("  ✗") + ` ${err.message}`);
+	else if (err instanceof Error) console.log(pc.red("  ✗") + ` ${err.message}`);
+	else console.log(pc.red("  ✗") + " Unknown error");
+	console.log();
+	process.exit(1);
+}
+function shortDate(iso) {
+	if (!iso) return "—";
+	const d = new Date(iso);
+	if (Number.isNaN(d.getTime())) return iso;
+	return d.toISOString().slice(0, 10);
+}
+async function projectsListCommand() {
+	console.log();
+	console.log(pc.bold("  amba projects list"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	try {
+		const projects = (await listProjects()).data;
+		if (projects.length === 0) {
+			console.log(pc.dim("  No projects."));
+			console.log(pc.dim("  Create one with ") + pc.cyan("amba projects create --name <name>"));
+			console.log();
+			return;
+		}
+		const rows = projects.map((p) => [
+			p.id,
+			p.name,
+			p.environment ?? "—",
+			p.status ?? "active",
+			shortDate(p.created_at)
+		]);
+		const headers = [
+			"Id",
+			"Name",
+			"Env",
+			"Status",
+			"Created"
+		];
+		const widths = headers.map((h, i) => Math.max(h.length, ...rows.map((r) => String(r[i] ?? "").length)));
+		const pad = (cells) => cells.map((cell, i) => String(cell).padEnd((widths[i] ?? 0) + 2)).join("");
+		console.log("  " + pc.bold(pad(headers)));
+		console.log("  " + pc.dim("─".repeat(widths.reduce((a, b) => a + b + 2, 0))));
+		for (const row of rows) console.log("  " + pad(row));
+		console.log();
+		console.log(pc.dim(`  ${projects.length} project${projects.length === 1 ? "" : "s"}`));
+		console.log();
+	} catch (err) {
+		handleError(err);
+	}
+}
+async function projectsCreateCommand(input) {
+	console.log();
+	console.log(pc.bold("  amba projects create"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	if (!input.name) {
+		console.log(pc.red("  ✗") + " --name is required");
+		console.log();
+		process.exit(1);
+	}
+	let environment;
+	if (input.env) if (input.env === "development" || input.env === "dev") environment = "development";
+	else if (input.env === "production" || input.env === "prod") environment = "production";
+	else {
+		console.log(pc.red("  ✗") + ` --env must be 'development' or 'production' (got '${input.env}').`);
+		console.log();
+		process.exit(1);
+	}
+	try {
+		console.log(pc.dim("  Provisioning project..."));
+		const res = await createProject({
+			name: input.name,
+			bundle_id: input.bundleId,
+			platform: input.platform,
+			environment
+		});
+		const id = res.data.id;
+		console.log(pc.green("  ✓") + ` Created: ${pc.bold(res.data.name)} ${pc.dim(`(${id})`)}`);
+		console.log();
+		console.log(pc.dim("  Checking provisioning status..."));
+		try {
+			const s = (await getProvisioningStatus(id)).data;
+			console.log(pc.dim(`    Status: ${s.status}`));
+			if (s.errorMessage) console.log(pc.yellow("    !") + ` ${s.errorMessage}`);
+		} catch {
+			console.log(pc.dim("    (Provisioning runs asynchronously.)"));
+		}
+		if (environment) console.log(pc.dim(`    Environment: ${environment}`));
+		console.log();
+		console.log(pc.dim("  Next: ") + pc.cyan(`amba projects show ${id}`));
+		console.log();
+	} catch (err) {
+		handleError(err);
+	}
+}
+async function projectsShowCommand(projectId) {
+	console.log();
+	console.log(pc.bold(`  amba projects show ${projectId}`));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	try {
+		const res = await getProject(projectId);
+		console.log(JSON.stringify(res.data, null, 2));
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError && err.statusCode === 404) {
+			console.log(pc.red("  ✗") + ` Project not found: ${projectId}`);
+			console.log();
+			process.exit(1);
+		}
+		handleError(err);
+	}
+}
+async function projectsDeleteCommand(projectId, opts = {}) {
+	console.log();
+	console.log(pc.bold(`  amba projects delete ${projectId}`));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	if (!opts.yes) {
+		if (!await confirm(pc.yellow(`  Delete project ${projectId}? This is irreversible. (y/N) `))) {
+			console.log(pc.dim("  Aborted."));
+			console.log();
+			return;
+		}
+	}
+	try {
+		await deleteProject(projectId);
+		console.log(pc.green("  ✓") + ` Deleted ${projectId}`);
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError && err.statusCode === 404) {
+			console.log(pc.red("  ✗") + ` Project not found: ${projectId}`);
+			console.log();
+			process.exit(1);
+		}
+		handleError(err);
+	}
+}
+//#endregion
+//#region src/env.ts
+/**
+* Read `AMBA_PROJECT_ID` from `.env.local` / `.env` in the given directory.
+* Returns null if not found.
+*/
+async function getProjectIdFromEnv(cwd) {
+	for (const filename of [".env.local", ".env"]) try {
+		const raw = await readFile(join(cwd, filename), "utf-8");
+		for (const line of raw.split("\n")) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("AMBA_PROJECT_ID=")) return trimmed.slice(16).trim();
+		}
+	} catch {
+		continue;
+	}
+	return null;
+}
+/**
+* Resolve a project id in priority order:
+*   1. Explicit arg (e.g. `--project <id>`)
+*   2. `.env.local` / `.env` in cwd
+*
+* Prints a helpful error message and exits 1 if no id is found.
+*/
+async function requireProjectId(cwd, explicit) {
+	if (explicit) return explicit;
+	const fromEnv = await getProjectIdFromEnv(cwd);
+	if (fromEnv) return fromEnv;
+	console.log();
+	console.log(pc.red("  ✗") + " No project id");
+	console.log(pc.dim("    Pass ") + pc.cyan("--project <id>") + pc.dim(" or run ") + pc.cyan("amba init") + pc.dim(" in this directory."));
+	console.log();
+	process.exit(1);
+}
+//#endregion
+//#region src/commands/logs.ts
+const DEFAULT_TAIL_LIMIT = 100;
+const DEFAULT_POLL_INTERVAL_MS = 2e3;
+function compactProperties(props) {
+	if (!props || typeof props !== "object") return "";
+	if (Object.keys(props).length === 0) return "";
+	return JSON.stringify(props);
+}
+function formatEvent(ev) {
+	const ts = ev.occurred_at;
+	const user = ev.app_user_id;
+	const props = compactProperties(ev.properties);
+	const tail = props ? ` ${pc.dim(props)}` : "";
+	return `${pc.dim(ts)} ${pc.cyan(ev.event_name)} ${pc.dim(`user=${user}`)}${tail}`;
+}
+function emitEvent(ev, json) {
+	if (json) process.stdout.write(JSON.stringify(ev) + "\n");
+	else console.log(formatEvent(ev));
+}
+function delay(ms, signal) {
+	return new Promise((resolve) => {
+		if (signal?.aborted) {
+			resolve();
+			return;
+		}
+		const timer = setTimeout(resolve, ms);
+		if (signal) {
+			const onAbort = () => {
+				clearTimeout(timer);
+				signal.removeEventListener("abort", onAbort);
+				resolve();
+			};
+			signal.addEventListener("abort", onAbort);
+		}
+	});
+}
+async function logsTailCommand(opts = {}) {
+	const projectId = await requireProjectId(process.cwd(), opts.project);
+	const json = opts.json ?? false;
+	const limit = opts.limit ?? DEFAULT_TAIL_LIMIT;
+	const since = opts.since ?? (/* @__PURE__ */ new Date(Date.now() - 1440 * 60 * 1e3)).toISOString();
+	if (!json) {
+		console.log();
+		console.log(pc.bold("  amba logs tail"));
+		console.log(pc.dim("  ─────────────────────────────────"));
+		console.log();
+		console.log(pc.dim(`  Project: ${projectId}`));
+		console.log(pc.dim(`  Since:   ${since}`));
+		if (opts.eventName) console.log(pc.dim(`  Event:   ${opts.eventName}`));
+		if (opts.userId) console.log(pc.dim(`  User:    ${opts.userId}`));
+		console.log();
+	}
+	let page;
+	try {
+		page = await listProjectEvents(projectId, {
+			since,
+			eventName: opts.eventName,
+			userId: opts.userId,
+			limit
+		});
+	} catch (err) {
+		if (err instanceof ApiClientError) console.error(pc.red("  ✗") + ` ${err.message}`);
+		else if (err instanceof Error) console.error(pc.red("  ✗") + ` ${err.message}`);
+		else console.error(pc.red("  ✗") + " Failed to fetch events");
+		process.exit(1);
+	}
+	const initial = [...page.data].reverse();
+	if (initial.length === 0 && !json) console.log(pc.dim("  (no events in window)"));
+	else for (const ev of initial) emitEvent(ev, json);
+	if (!opts.follow) {
+		if (!json) console.log();
+		return;
+	}
+	let lastTs = initial.length > 0 ? initial[initial.length - 1].occurred_at : since;
+	const seenIds = new Set(initial.map((e) => e.id));
+	const pollMs = opts.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+	const maxIters = opts.maxFollowIterations ?? Infinity;
+	const ac = new AbortController();
+	let sigintHandler = null;
+	if (!opts.signal) {
+		sigintHandler = () => {
+			ac.abort();
+		};
+		process.once("SIGINT", sigintHandler);
+	}
+	const followSignal = opts.signal ?? ac.signal;
+	let iters = 0;
+	while (!followSignal.aborted && iters < maxIters) {
+		await delay(pollMs, followSignal);
+		if (followSignal.aborted) break;
+		iters++;
+		let newPage;
+		try {
+			newPage = await listProjectEvents(projectId, {
+				since: lastTs,
+				eventName: opts.eventName,
+				userId: opts.userId,
+				limit
+			});
+		} catch (err) {
+			if (err instanceof ApiClientError) console.error(pc.yellow("  !") + ` poll error: ${err.message}`);
+			else if (err instanceof Error) console.error(pc.yellow("  !") + ` poll error: ${err.message}`);
+			continue;
+		}
+		const fresh = [...newPage.data].reverse().filter((e) => !seenIds.has(e.id));
+		for (const ev of fresh) {
+			seenIds.add(ev.id);
+			emitEvent(ev, json);
+			lastTs = ev.occurred_at;
+		}
+	}
+	if (sigintHandler) process.removeListener("SIGINT", sigintHandler);
+	if (!json) {
+		console.log();
+		console.log(pc.dim("  (follow stopped)"));
+		console.log();
+	}
+}
+//#endregion
+//#region src/commands/seed.ts
+async function safeCreate(label, fn, result) {
+	try {
+		await fn();
+		result.created.push(label);
+		console.log(pc.green("  ✓") + ` ${label}`);
+	} catch (err) {
+		if (err instanceof ApiClientError && (err.statusCode === 409 || err.statusCode === 422)) {
+			result.skipped.push(label);
+			console.log(pc.dim("  -") + ` ${label} ` + pc.dim("(already exists)"));
+			return;
+		}
+		const message = err instanceof Error ? err.message : "unknown error";
+		result.failed.push({
+			label,
+			error: message
+		});
+		console.log(pc.red("  ✗") + ` ${label} — ${message}`);
+	}
+}
+async function seedStarter(projectId, result) {
+	await safeCreate("segment: active_users", () => createSegment(projectId, {
+		name: "Active Users",
+		description: "Users with at least one session in the last 7 days",
+		is_active: true,
+		rules: { all: [{
+			property: "last_seen_at",
+			op: "gte",
+			value: "7d_ago"
+		}] }
+	}), result);
+	await safeCreate("content library: daily_quotes", () => createContentLibrary(projectId, {
+		slug: "daily_quotes",
+		name: "Daily Quotes",
+		description: "Sample starter quotes"
+	}), result);
+	await safeCreate("xp rule: session_start +10", () => createXpRule(projectId, {
+		event_name: "session_start",
+		amount: 10,
+		description: "Award 10 XP for starting a session"
+	}), result);
+}
+async function seedGamification(projectId, result) {
+	await safeCreate("achievement: first_session", () => createAchievement(projectId, {
+		code: "first_session",
+		name: "First Session",
+		description: "Complete your first session",
+		criteria: {
+			event_name: "session_start",
+			count: 1
+		},
+		reward: { xp: 50 }
+	}), result);
+	await safeCreate("achievement: streak_7", () => createAchievement(projectId, {
+		code: "streak_7",
+		name: "Week Warrior",
+		description: "Maintain a 7-day streak",
+		criteria: {
+			streak: "daily",
+			days: 7
+		},
+		reward: { xp: 250 }
+	}), result);
+	await safeCreate("xp rule: session_complete +20", () => createXpRule(projectId, {
+		event_name: "session_complete",
+		amount: 20,
+		description: "Award 20 XP for completing a session"
+	}), result);
+	await safeCreate("xp rule: share_action +15", () => createXpRule(projectId, {
+		event_name: "share_action",
+		amount: 15,
+		description: "Award 15 XP for sharing"
+	}), result);
+}
+async function seedContent(projectId, result) {
+	let libraryId = null;
+	await safeCreate("content library: affirmations", async () => {
+		libraryId = (await createContentLibrary(projectId, {
+			slug: "affirmations",
+			name: "Affirmations",
+			description: "Sample daily affirmations"
+		})).data.id;
+	}, result);
+	if (libraryId) await safeCreate("content items x3", () => addContentItems(projectId, libraryId, { items: [
+		{
+			key: "aff_1",
+			content: { text: "You are capable of amazing things." }
+		},
+		{
+			key: "aff_2",
+			content: { text: "Every step forward counts." }
+		},
+		{
+			key: "aff_3",
+			content: { text: "Today is a fresh start." }
+		}
+	] }), result);
+}
+async function seedCommand(opts = {}) {
+	const projectId = await requireProjectId(process.cwd(), opts.project);
+	const preset = opts.preset ?? "starter";
+	console.log();
+	console.log(pc.bold(`  amba seed --preset=${preset}`));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.dim(`  Project: ${projectId}`));
+	console.log();
+	const result = {
+		created: [],
+		skipped: [],
+		failed: []
+	};
+	switch (preset) {
+		case "starter":
+			await seedStarter(projectId, result);
+			break;
+		case "gamification":
+			await seedGamification(projectId, result);
+			break;
+		case "content":
+			await seedContent(projectId, result);
+			break;
+		default:
+			console.log(pc.red("  ✗") + ` Unknown preset: ${preset}`);
+			console.log(pc.dim("    Valid: starter, gamification, content"));
+			console.log();
+			process.exit(1);
+	}
+	console.log();
+	console.log(pc.dim(`  ${result.created.length} created · ${result.skipped.length} skipped · ${result.failed.length} failed`));
+	console.log();
+	if (result.failed.length > 0) process.exit(1);
+}
+//#endregion
+//#region src/commands/db.ts
+async function dbMigrateCommand(opts = {}) {
+	const projectId = await requireProjectId(process.cwd(), opts.project);
+	console.log();
+	console.log(pc.bold("  amba db migrate"));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.dim(`  Project: ${projectId}`));
+	console.log();
+	console.log(pc.dim("  Running tenant migrations..."));
+	console.log();
+	try {
+		const workflowId = (await reprovisionProject(projectId)).data.workflowId;
+		console.log(pc.green("  ✓") + " Reprovision workflow started");
+		if (workflowId) console.log(pc.dim(`    workflowId: ${workflowId}`));
+		console.log();
+		try {
+			const status = await getProvisioningStatus(projectId);
+			console.log(pc.dim(`  Status: ${status.data.status}`));
+			if (status.data.errorMessage) console.log(pc.yellow("  !") + ` ${status.data.errorMessage}`);
+		} catch {}
+		console.log();
+		console.log(pc.dim("  Check again with: ") + pc.cyan(`amba projects show ${projectId}`));
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError) if (err.statusCode === 404) console.log(pc.red("  ✗") + ` Project not found: ${projectId}`);
+		else if (err.statusCode === 409) {
+			console.log(pc.yellow("  !") + " Reprovision already in progress (or project is archived). " + pc.dim("Nothing to do."));
+			console.log();
+			return;
+		} else console.log(pc.red("  ✗") + ` ${err.message}`);
+		else if (err instanceof Error) console.log(pc.red("  ✗") + ` ${err.message}`);
+		console.log();
+		process.exit(1);
+	}
+}
+//#endregion
+//#region src/commands/analytics.ts
+const PAGE_SIZE = 1e3;
+const PROGRESS_EVERY = 500;
+function csvEscape(value) {
+	if (value === null || value === void 0) return "";
+	let s;
+	if (typeof value === "string") s = value;
+	else if (typeof value === "number" || typeof value === "boolean") s = String(value);
+	else s = JSON.stringify(value);
+	if (s.includes("\"") || s.includes(",") || s.includes("\n") || s.includes("\r")) return `"${s.replace(/"/g, "\"\"")}"`;
+	return s;
+}
+function csvRow(values) {
+	return values.map(csvEscape).join(",") + "\n";
+}
+function makeSink(out) {
+	if (!out) return {
+		resolvedPath: null,
+		sink: {
+			write(chunk) {
+				process.stdout.write(chunk);
+			},
+			async close() {}
+		}
+	};
+	const resolvedPath = resolve(process.cwd(), out);
+	const stream = createWriteStream(resolvedPath, { encoding: "utf-8" });
+	return {
+		sink: {
+			write(chunk) {
+				stream.write(chunk);
+			},
+			close() {
+				return new Promise((res, rej) => {
+					stream.end((err) => err ? rej(err) : res());
+				});
+			}
+		},
+		resolvedPath
+	};
+}
+function progress(rowsEmitted, force = false) {
+	if (!force && rowsEmitted % PROGRESS_EVERY !== 0) return;
+	if (!process.stderr.isTTY && !force) return;
+	process.stderr.write(pc.dim(`  … ${rowsEmitted} rows emitted\r`));
+}
+async function exportUsers(projectId, opts) {
+	const fmt = opts.format ?? "csv";
+	const { sink, resolvedPath } = makeSink(opts.out);
+	let res;
+	try {
+		res = await streamUsersExport(projectId, {
+			format: fmt,
+			since: opts.since
+		});
+	} catch (err) {
+		await sink.close();
+		throw err;
+	}
+	const body = res.body;
+	if (!body) {
+		await sink.close();
+		throw new Error("Server returned an empty users export stream");
+	}
+	let bytes = 0;
+	let lines = 0;
+	let pending = "";
+	const reader = body.getReader();
+	const decoder = new TextDecoder("utf-8");
+	while (true) {
+		const { value, done } = await reader.read();
+		if (done) break;
+		const chunk = decoder.decode(value, { stream: true });
+		bytes += chunk.length;
+		pending += chunk;
+		let idx;
+		while ((idx = pending.indexOf("\n")) >= 0) {
+			lines++;
+			pending = pending.slice(idx + 1);
+			if (lines % PROGRESS_EVERY === 0) progress(lines);
+		}
+		sink.write(chunk);
+	}
+	if (pending.length > 0) sink.write(pending);
+	await sink.close();
+	if (process.stderr.isTTY) process.stderr.write("\n");
+	if (resolvedPath) {
+		console.log(pc.green("  ✓") + ` Wrote ${resolvedPath}`);
+		console.log(pc.dim(`    ${lines} line${lines === 1 ? "" : "s"} (${bytes} bytes)`));
+	}
+}
+function eventToCsv(ev) {
+	return csvRow([
+		ev.id,
+		ev.app_user_id,
+		ev.event_name,
+		ev.occurred_at,
+		JSON.stringify(ev.properties ?? {})
+	]);
+}
+async function exportEvents(projectId, opts) {
+	const fmt = opts.format ?? "csv";
+	const { sink, resolvedPath } = makeSink(opts.out);
+	const since = opts.since ?? (/* @__PURE__ */ new Date(Date.now() - 1440 * 60 * 1e3)).toISOString();
+	const until = opts.until ?? (/* @__PURE__ */ new Date()).toISOString();
+	if (fmt === "csv") sink.write(csvRow([
+		"id",
+		"app_user_id",
+		"event_name",
+		"occurred_at",
+		"properties"
+	]));
+	let cursor = null;
+	let rows = 0;
+	let pages = 0;
+	const maxPages = opts.maxPages ?? Infinity;
+	try {
+		do {
+			pages++;
+			const page = await listProjectEvents(projectId, {
+				since,
+				until,
+				limit: opts.limit ?? PAGE_SIZE,
+				cursor: cursor ?? void 0
+			});
+			for (const ev of page.data) {
+				if (fmt === "ndjson") sink.write(JSON.stringify(ev) + "\n");
+				else sink.write(eventToCsv(ev));
+				rows++;
+				if (rows % PROGRESS_EVERY === 0) progress(rows);
+			}
+			cursor = page.next_cursor;
+			if (pages >= maxPages) break;
+		} while (cursor);
+	} finally {
+		await sink.close();
+	}
+	if (process.stderr.isTTY) process.stderr.write("\n");
+	if (resolvedPath) {
+		console.log(pc.green("  ✓") + ` Wrote ${resolvedPath}`);
+		console.log(pc.dim(`    ${rows} event${rows === 1 ? "" : "s"} across ${pages} page(s)`));
+	} else if (rows > 0) process.stderr.write(pc.dim(`  ${rows} event${rows === 1 ? "" : "s"} emitted\n`));
+}
+async function analyticsExportCommand(opts) {
+	const projectId = await requireProjectId(process.cwd(), opts.project);
+	if (opts.type !== "users" && opts.type !== "events") {
+		console.log();
+		console.log(pc.red("  ✗") + ` Unknown --type: ${String(opts.type)}`);
+		console.log(pc.dim("    Valid: users, events"));
+		console.log();
+		process.exit(1);
+	}
+	if (opts.format && opts.format !== "csv" && opts.format !== "ndjson") {
+		console.log();
+		console.log(pc.red("  ✗") + ` Unknown --format: ${String(opts.format)}`);
+		console.log(pc.dim("    Valid: csv, ndjson"));
+		console.log();
+		process.exit(1);
+	}
+	process.stderr.write("\n");
+	process.stderr.write(pc.bold(`  amba analytics export --type=${opts.type}`) + "\n");
+	process.stderr.write(pc.dim("  ─────────────────────────────────") + "\n");
+	process.stderr.write(pc.dim(`  Project: ${projectId}`) + "\n");
+	process.stderr.write("\n");
+	try {
+		if (opts.type === "users") await exportUsers(projectId, opts);
+		else await exportEvents(projectId, opts);
+		console.log();
+	} catch (err) {
+		if (err instanceof ApiClientError) console.log(pc.red("  ✗") + ` ${err.message}`);
+		else if (err instanceof Error) console.log(pc.red("  ✗") + ` ${err.message}`);
+		console.log();
+		process.exit(1);
+	}
+}
+//#endregion
+//#region src/commands/schema.ts
+const SCHEMAS = {
+	achievements: {
+		name: "achievements",
+		description: "Achievement definitions — unlocked when criteria are met.",
+		fields: {
+			id: "string (uuid)",
+			code: "string — unique key per project",
+			name: "string",
+			description: "string | null",
+			criteria: "AchievementCriteria — event_name/count/props or custom",
+			reward: "{ xp?: number; currency?: Record<string, number>; items?: string[] } | null",
+			is_active: "boolean",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	streaks: {
+		name: "streaks",
+		description: "Streak definitions (daily, weekly, custom cadences).",
+		fields: {
+			id: "string (uuid)",
+			code: "string",
+			name: "string",
+			description: "string | null",
+			cadence: "'daily' | 'weekly'",
+			grace_period_days: "number",
+			is_active: "boolean",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	xp: {
+		name: "xp",
+		description: "XP rules — award XP on matching events.",
+		fields: {
+			id: "string (uuid)",
+			event_name: "string",
+			amount: "number",
+			description: "string | null",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	leaderboards: {
+		name: "leaderboards",
+		description: "Leaderboard definitions and entries.",
+		fields: {
+			id: "string (uuid)",
+			code: "string",
+			name: "string",
+			metric: "'xp' | 'streak' | 'custom'",
+			period: "'all_time' | 'daily' | 'weekly' | 'monthly'",
+			is_active: "boolean",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	challenges: {
+		name: "challenges",
+		description: "Time-boxed user goals.",
+		fields: {
+			id: "string (uuid)",
+			code: "string",
+			name: "string",
+			goal_type: "'event_count' | 'xp_earned' | 'streak_maintained'",
+			goal_value: "number",
+			starts_at: "string (ISO 8601)",
+			ends_at: "string (ISO 8601)",
+			reward: "{ xp?: number; items?: string[] } | null",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	content: {
+		name: "content",
+		description: "Content libraries, items, and schedules.",
+		fields: {
+			library_id: "string (uuid)",
+			slug: "string — unique per project",
+			name: "string",
+			description: "string | null",
+			item: "{ key: string; content: unknown; locale?: string }",
+			schedule: "{ library_id: string; cron: string; channel: string; target?: SegmentTarget }",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	segments: {
+		name: "segments",
+		description: "User segments — predicate-based cohorts.",
+		fields: {
+			id: "string (uuid)",
+			name: "string",
+			description: "string | null",
+			rules: "SegmentRule tree (all/any + property/cohort/date operators)",
+			is_active: "boolean",
+			created_at: "string (ISO 8601)"
+		}
+	},
+	push: {
+		name: "push",
+		description: "Push campaigns and deliveries.",
+		fields: {
+			campaign_id: "string (uuid)",
+			name: "string",
+			title: "string",
+			body: "string",
+			schedule_cron: "string | null",
+			segment_id: "string | null — null = all users",
+			data: "Record<string, unknown> | null",
+			created_at: "string (ISO 8601)"
+		}
+	}
+};
+function renderJson(domains) {
+	return JSON.stringify(domains, null, 2) + "\n";
+}
+function renderTypescript(domains) {
+	const lines = [
+		"// Auto-generated by `amba schema export --format=typescript`.",
+		"// For the canonical types, import from the @layers/amba-client SDK.",
+		""
+	];
+	for (const d of domains) {
+		lines.push(`// ${d.description}`);
+		lines.push(`export interface ${pascal(d.name)} {`);
+		for (const [field, type] of Object.entries(d.fields)) {
+			lines.push(`  /** ${type} */`);
+			lines.push(`  ${field}: unknown;`);
+		}
+		lines.push("}");
+		lines.push("");
+	}
+	return lines.join("\n");
+}
+function pascal(s) {
+	return s.charAt(0).toUpperCase() + s.slice(1);
+}
+async function schemaExportCommand(opts) {
+	const domain = opts.domain;
+	const format = opts.format ?? "json";
+	const available = Object.keys(SCHEMAS);
+	if (domain !== "all" && !available.includes(domain)) {
+		console.log();
+		console.log(pc.red("  ✗") + ` Unknown domain: ${domain}`);
+		console.log(pc.dim(`    Valid: all, ${available.join(", ")}`));
+		console.log();
+		process.exit(1);
+	}
+	if (format !== "json" && format !== "typescript") {
+		console.log();
+		console.log(pc.red("  ✗") + ` Unknown --format: ${String(format)}`);
+		console.log(pc.dim("    Valid: json, typescript"));
+		console.log();
+		process.exit(1);
+	}
+	const selected = domain === "all" ? Object.values(SCHEMAS) : [SCHEMAS[domain]];
+	const output = format === "json" ? renderJson(selected) : renderTypescript(selected);
+	process.stdout.write(output);
+}
+//#endregion
+//#region src/bundle.ts
+/**
+* Customer-function bundling for `amba functions deploy`.
+*
+* Uses esbuild (the Workers ecosystem bundler-of-record). The shared
+* runtime stdlib is marked `external` so customer bundles don't
+* re-include megabytes of `@anthropic-ai/sdk`, `postgres`, `zod`, etc.;
+* these resolve at dispatch time via platform-level bindings.
+*
+* Two checks gate the bundle before upload:
+*   1. Pre-upload size check against `BUNDLE_MAX_SIZE_BYTES` (8 MB
+*      default — the platform's 10 MB compressed cap minus 2 MB
+*      headroom) with a clear error pointing at the externalization
+*      config.
+*   2. Bundle-shape report — the CLI prints what's externalized vs
+*      bundled at deploy time so size issues are debuggable.
+*/
+/**
+* Modules customer code MUST externalize. The runtime exposes these as
+* platform-level bindings; bundling them per-script wastes hundreds of
+* KB to MBs and quickly hits the script-size cap.
+*/
+const RUNTIME_STDLIB_EXTERNALS = [
+	"@layers/amba-functions",
+	"@layers/amba-api-middleware",
+	"@anthropic-ai/sdk",
+	"postgres",
+	"zod"
+];
+var BundleSizeError = class extends Error {
+	sizeBytes;
+	maxBytes;
+	constructor(sizeBytes, maxBytes) {
+		super(`Function bundle is ${formatBytes$1(sizeBytes)} which exceeds the ${formatBytes$1(maxBytes)} cap. Externalize heavy dependencies via the runtime stdlib (see RUNTIME_STDLIB_EXTERNALS) or split your function into smaller pieces.`);
+		this.sizeBytes = sizeBytes;
+		this.maxBytes = maxBytes;
+		this.name = "BundleSizeError";
+	}
+};
+/**
+* Bundle a customer function file for upload to a Workers dispatch
+* namespace. Returns the bundled code + metadata; throws
+* `BundleSizeError` when the compressed size exceeds the cap so the CLI
+* can surface a clear error.
+*/
+async function bundleFunction(options) {
+	if (!(await stat(options.entryPoint).catch(() => null))?.isFile()) throw new Error(`Entry point not found or not a file: ${options.entryPoint}`);
+	const externals = [...RUNTIME_STDLIB_EXTERNALS, ...options.extraExternals ?? []];
+	const output = (await build({
+		entryPoints: [options.entryPoint],
+		bundle: true,
+		format: "esm",
+		platform: "browser",
+		target: "es2022",
+		external: externals,
+		minify: true,
+		sourcemap: options.sourcemap ?? "inline",
+		write: false,
+		conditions: [
+			"workerd",
+			"worker",
+			"browser",
+			"import"
+		],
+		metafile: true
+	})).outputFiles?.[0];
+	if (!output) throw new Error("esbuild produced no output");
+	const code = new TextDecoder().decode(output.contents);
+	const uncompressedSize = output.contents.byteLength;
+	const compressedSize = await gzipSizeOf(output.contents);
+	const max = options.maxSizeBytes ?? 8388608;
+	if (compressedSize > max) throw new BundleSizeError(compressedSize, max);
+	return {
+		code,
+		sha256: await hashSha256Hex(output.contents),
+		compressedSize,
+		uncompressedSize,
+		externals
+	};
+}
+/**
+* Print the bundle's externalization report to stdout. Intended to be
+* called from `amba functions deploy` after bundling so customers can
+* see what got externalized vs included at a glance.
+*/
+function printBundleReport(bundle) {
+	console.log();
+	console.log(pc.dim("  Bundle:"));
+	console.log(pc.dim("    size: ") + `${formatBytes$1(bundle.compressedSize)} compressed ` + pc.dim(`(${formatBytes$1(bundle.uncompressedSize)} raw)`));
+	console.log(pc.dim("    sha:  ") + bundle.sha256.slice(0, 16) + pc.dim("…"));
+	console.log(pc.dim("    externalized:"));
+	for (const e of bundle.externals) console.log(pc.dim("      • ") + e);
+	console.log();
+}
+async function gzipSizeOf(bytes) {
+	const { gzipSync } = await import("node:zlib");
+	return gzipSync(bytes, { level: 9 }).byteLength;
+}
+async function hashSha256Hex(bytes) {
+	const { createHash } = await import("node:crypto");
+	return createHash("sha256").update(bytes).digest("hex");
+}
+function formatBytes$1(n) {
+	if (n < 1024) return `${n}B`;
+	if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)}KB`;
+	return `${(n / 1024 / 1024).toFixed(2)}MB`;
+}
+//#endregion
+//#region src/project-config.ts
+/**
+* Local project config loader.
+*
+* `amba init` writes `.env.local` with `AMBA_PROJECT_ID` + `AMBA_API_KEY`.
+* Subsequent commands resolve the active project by reading `.env.local`
+* (or the OS env if exported); fail with a clear "run amba init first"
+* error if neither is set.
+*
+* Kept tiny on purpose — the CLI's full config story (per-environment
+* dev/prod selection) is a v2 follow-up; v1 just needs project id.
+*/
+const ENV_LOCAL_FILES = [".env.local", ".env"];
+async function loadProjectConfig(cwd = process.cwd()) {
+	let projectId = process.env["AMBA_PROJECT_ID"];
+	let apiUrl = process.env["AMBA_API_URL"];
+	if (!projectId || !apiUrl) for (const filename of ENV_LOCAL_FILES) {
+		const content = await readFile(join(cwd, filename), "utf-8").catch(() => null);
+		if (!content) continue;
+		const parsed = parseEnv(content);
+		if (!projectId) projectId = parsed["AMBA_PROJECT_ID"];
+		if (!apiUrl) apiUrl = parsed["AMBA_API_URL"];
+		if (projectId && apiUrl) break;
+	}
+	if (!projectId) throw new Error(`AMBA_PROJECT_ID not found. Run ${pc.cyan("amba init")} or set it in .env.local.`);
+	return {
+		projectId,
+		apiUrl: apiUrl ?? "https://api.amba.dev"
+	};
+}
+function parseEnv(content) {
+	const out = {};
+	for (const rawLine of content.split("\n")) {
+		const line = rawLine.trim();
+		if (!line || line.startsWith("#")) continue;
+		const eq = line.indexOf("=");
+		if (eq === -1) continue;
+		const key = line.slice(0, eq).trim();
+		let value = line.slice(eq + 1).trim();
+		if (value.startsWith("\"") && value.endsWith("\"") || value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+		out[key] = value;
+	}
+	return out;
+}
+//#endregion
+//#region src/commands/functions.ts
+/**
+* `amba functions ...` commands.
+*
+* `deploy` bundles the entry file with esbuild (externalizing the runtime
+* stdlib + size-checking before upload), then POSTs the bundle to the
+* platform API. The server resolves bindings, uploads the script, and
+* records the deployment in a single round-trip. The other subcommands
+* are thin shells over the admin API helpers in `api-client.ts`.
+*/
+async function functionsDeployCommand(entryPoint, options = {}) {
+	const projectId = (await loadProjectConfig()).projectId;
+	const functionName = options.name ?? basename(entryPoint).replace(/\.[^.]+$/, "");
+	validateFunctionName(functionName);
+	const rateLimit = parseRateLimitFlags(options);
+	console.log();
+	console.log(pc.bold(`  amba functions deploy ${pc.cyan(functionName)}`));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.dim("  Bundling…"));
+	const bundle = await bundleFunction({ entryPoint });
+	printBundleReport(bundle);
+	if (options.dryRun) {
+		console.log(pc.yellow("  ! Dry run — skipping API upload."));
+		return;
+	}
+	console.log(pc.dim("  Uploading…"));
+	const result = await deployFunctionViaApi(projectId, {
+		name: functionName,
+		bundleCode: bundle.code,
+		rate_limit: rateLimit
+	});
+	console.log(pc.green("  ✓") + ` Deployed ${pc.cyan(functionName)} ${pc.dim(`v${result.data.version} (${result.data.cf_script_name})`)}`);
+	console.log(pc.green("  ✓") + ` URL: ${pc.underline(result.fn_url)}`);
+	if (rateLimit) console.log(pc.dim(`  Rate limit: ${rateLimit.max} per ${rateLimit.window} (key=${rateLimit.key}) — enforced pre-dispatch`));
+	console.log();
+}
+async function functionsListCommand() {
+	const res = await listFunctionDeployments((await loadProjectConfig()).projectId, { activeOnly: true });
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim("  No functions deployed."));
+		console.log();
+		return;
+	}
+	for (const d of res.data) console.log(`  ${pc.bold(d.name)} ${pc.dim("v" + d.version)}  ` + pc.dim(`sha=${d.bundle_sha.slice(0, 12)}…  ${d.created_at}`));
+	console.log();
+}
+async function functionsDeleteCommand(name, options = {}) {
+	validateFunctionName(name);
+	if (!options.confirm || options.confirm !== name) throw new Error(`Delete is destructive. Pass --confirm ${name} to proceed. Customer Workers calling this function will start 404'ing immediately.`);
+	const cascade = (await deleteFunctionViaApi((await loadProjectConfig()).projectId, name, { confirm: name })).data.cascade;
+	console.log(pc.green("  ✓") + ` Deleted ${pc.bold(name)}.`);
+	console.log(pc.dim(`    Cascade: cf_dispatch_script_deleted=${cascade.cf_dispatch_script_deleted ?? false}, function_deployments_marked_disabled=${cascade.function_deployments_marked_disabled ?? 0}`));
+}
+async function functionsScheduleCommand(name, cron, options = {}) {
+	const projectConfig = await loadProjectConfig();
+	validateFunctionName(name);
+	const timezone = options.tz ?? "UTC";
+	const res = await scheduleFunction(projectConfig.projectId, {
+		name,
+		cron,
+		timezone
+	});
+	console.log();
+	console.log(pc.green("  ✓") + ` Scheduled ${pc.bold(name)} — ${pc.cyan(cron)} ${pc.dim(`(${timezone})`)}`);
+	console.log(pc.dim(`    schedule_id: ${res.data.schedule_id}`));
+	console.log();
+}
+/**
+* `amba functions dev` — not configured in this release. Use
+* `amba functions deploy <file>` to deploy via the platform API.
+*/
+async function functionsDevCommand(_entryPoint) {
+	console.error(pc.red("  Error: `amba functions dev` is not available in this release."));
+	console.error(pc.dim("    Use `amba functions deploy <file>` to deploy via the platform API."));
+	process.exit(1);
+}
+/**
+* `amba functions consume <queue> <function>` — bind a function as the
+* consumer for a queue. Customers send to a queue with `ctx.queue.send`;
+* the genericQueueJobWorkflow looks up the binding and invokes the
+* bound function with the payload.
+*
+* Single binding per (project, queue). Re-running with a different
+* function-name overwrites — same upsert semantics as `amba secrets set`.
+*/
+async function functionsConsumeCommand(queueName, functionName, options = {}) {
+	validateFunctionName(functionName);
+	validateFunctionName(queueName);
+	const res = await upsertQueueBinding((await loadProjectConfig()).projectId, {
+		queue_name: queueName,
+		function_name: functionName,
+		status: options.paused ? "paused" : "active"
+	});
+	console.log();
+	console.log(pc.green("  ✓") + ` Queue ${pc.cyan(queueName)} → function ${pc.cyan(functionName)} ${pc.dim(`(${res.data.status})`)}`);
+	console.log();
+}
+/**
+* `amba functions consumers list` / `amba functions consumers unbind`
+* sub-tree. Mirrors the `amba secrets list` shape so the CLI surface
+* stays consistent.
+*/
+async function functionsConsumersListCommand() {
+	const res = await listQueueBindings((await loadProjectConfig()).projectId);
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim("  No queue bindings configured."));
+		console.log();
+		return;
+	}
+	for (const b of res.data) {
+		const status = b.status === "active" ? pc.green("active") : pc.yellow("paused");
+		console.log(`  ${pc.bold(b.queue_name)} → ${pc.cyan(b.function_name)}  ${status}`);
+	}
+	console.log();
+}
+async function functionsConsumersUnbindCommand(queueName) {
+	validateFunctionName(queueName);
+	await deleteQueueBinding((await loadProjectConfig()).projectId, queueName);
+	console.log(pc.green("  ✓") + ` Unbound queue ${pc.cyan(queueName)}.`);
+}
+function validateFunctionName(name) {
+	if (!/^[a-z][a-z0-9_-]*$/.test(name)) throw new Error(`Invalid function name '${name}'. Must match /^[a-z][a-z0-9_-]*$/ (lowercase ASCII, digits, underscore or hyphen; must start with a letter).`);
+	if (name.length > 58) throw new Error("Function name must be 58 characters or fewer.");
+}
+/**
+* Resolve the optional rate-limit config from CLI flags. Returns the
+* validated config if all three sub-flags are set, `null` if all three
+* are absent, or throws if a partial set was supplied.
+*
+* The "all-or-nothing" rule is intentional — defaulting any sub-flag
+* is too easy to mis-set. A customer who types `--rate-limit-max 20`
+* expecting "use a default 60s window with ip key" would silently get
+* NO rate limit instead, which is the wrong default for a security-
+* adjacent flag. Forcing all three to be explicit means the failure
+* mode is "fail loud at deploy" not "silently no rate limit."
+*/
+function parseRateLimitFlags(options) {
+	const window = options.rateLimitWindow;
+	const max = options.rateLimitMax;
+	const key = options.rateLimitKey;
+	if (window === void 0 && max === void 0 && key === void 0) return null;
+	const missing = [];
+	if (window === void 0) missing.push("--rate-limit-window");
+	if (max === void 0) missing.push("--rate-limit-max");
+	if (key === void 0) missing.push("--rate-limit-key");
+	if (missing.length > 0) throw new Error(`Rate-limit flags must be supplied together. Missing: ${missing.join(", ")}. Either provide all three or omit all three (no rate limit).`);
+	const validated = validateRateLimitConfig({
+		window,
+		max,
+		key
+	});
+	if ("error" in validated) throw new Error(`Rate-limit config invalid: ${validated.error}`);
+	return validated;
+}
+//#endregion
+//#region src/commands/functions-logs.ts
+/**
+* `amba functions logs <name>` — read recent log events.
+*
+* Two modes:
+*   - One-shot (default): fetch events in `[since, until)` and exit.
+*   - `--tail`: print the last hour's events, then poll every 3s for
+*     new events past the highest seen `EventTimestampMs`. Ctrl+C to stop.
+*
+* Output formatting:
+*   - `--json`: NDJSON to stdout (one event per line) so `| jq` works.
+*   - default: human-readable lines:
+*       2026-05-08T12:34:56.789Z scan-letter-v3 [info] "scanning"
+*       2026-05-08T12:34:57.012Z scan-letter-v3 [exception] TypeError: …
+*
+* Server-side scoping is enforced — the API filters by ScriptName
+* prefix so a developer can never read another tenant's logs.
+*/
+const TAIL_POLL_MS = 3e3;
+async function functionsLogsCommand(functionName, options = {}) {
+	const projectConfig = await loadProjectConfig();
+	if (options.tail) {
+		await runTail(projectConfig.projectId, functionName, options);
+		return;
+	}
+	const res = await getFunctionLogs(projectConfig.projectId, functionName, {
+		since: options.since,
+		until: options.until,
+		limit: options.limit
+	});
+	printEvents(res.data.events, options.json);
+	if (res.data.truncated) if (options.json) process.stderr.write(`{"truncated":true}\n`);
+	else console.error(pc.yellow(`  ! Result truncated at limit; narrow --since / --until or raise --limit.`));
+}
+async function runTail(projectId, functionName, options) {
+	let sinceMs = options.since ? Date.parse(options.since) : Date.now() - 3600 * 1e3;
+	if (Number.isNaN(sinceMs)) throw new Error("--since must be a valid ISO 8601 timestamp");
+	if (!options.json) console.error(pc.dim(`  Tailing ${functionName} — Ctrl+C to stop. Initial backfill from ${new Date(sinceMs).toISOString()}.`));
+	let highWaterMs = sinceMs;
+	for (;;) {
+		let result;
+		try {
+			result = await getFunctionLogs(projectId, functionName, {
+				since: new Date(highWaterMs).toISOString(),
+				limit: options.limit ?? 200
+			});
+		} catch (err) {
+			console.error(pc.yellow(`  ! tail fetch failed: `) + (err instanceof Error ? err.message : String(err)));
+			await sleep$1(TAIL_POLL_MS);
+			continue;
+		}
+		if (result.data.events.length > 0) {
+			printEvents(result.data.events, options.json);
+			highWaterMs = result.data.events.reduce((m, e) => Math.max(m, e.EventTimestampMs ?? 0), highWaterMs) + 1;
+		}
+		await sleep$1(TAIL_POLL_MS);
+	}
+}
+function printEvents(events, asJson) {
+	const ordered = [...events].sort((a, b) => (a.EventTimestampMs ?? 0) - (b.EventTimestampMs ?? 0));
+	if (asJson) {
+		for (const e of ordered) process.stdout.write(JSON.stringify(e) + "\n");
+		return;
+	}
+	for (const e of ordered) {
+		const ts = e.EventTimestampMs ? new Date(e.EventTimestampMs).toISOString() : "????-??-??T??:??:??Z";
+		const script = e.ScriptName ?? "<unknown-script>";
+		if (e.Logs && e.Logs.length > 0) for (const logLine of e.Logs) {
+			const level = renderLevel(logLine.Level);
+			const msg = renderMessage(logLine.Message);
+			console.log(`${pc.dim(ts)} ${pc.cyan(script)} ${level} ${msg}`);
+		}
+		if (e.Exceptions && e.Exceptions.length > 0) for (const ex of e.Exceptions) console.log(`${pc.dim(ts)} ${pc.cyan(script)} ${pc.red("[exception]")} ${ex.Name ?? "Error"}: ${ex.Message ?? ""}`);
+		if ((!e.Logs || e.Logs.length === 0) && (!e.Exceptions || e.Exceptions.length === 0) && e.Outcome && e.Outcome !== "ok") console.log(`${pc.dim(ts)} ${pc.cyan(script)} ${pc.yellow("[outcome]")} ${e.Outcome}`);
+	}
+}
+function renderLevel(level) {
+	switch (level) {
+		case "error": return pc.red("[error]");
+		case "warn": return pc.yellow("[warn]");
+		case "log":
+		case "info": return pc.green("[info]");
+		case "debug": return pc.dim("[debug]");
+		default: return pc.dim(`[${level ?? "info"}]`);
+	}
+}
+function renderMessage(parts) {
+	if (!parts || parts.length === 0) return "";
+	return parts.map((p) => {
+		if (typeof p === "string") return p;
+		try {
+			return JSON.stringify(p);
+		} catch {
+			return String(p);
+		}
+	}).join(" ");
+}
+function sleep$1(ms) {
+	return new Promise((r) => setTimeout(r, ms));
+}
+//#endregion
+//#region src/commands/ai.ts
+/**
+* `amba ai providers ...` — register / list / remove AI provider API keys.
+*
+* Wire path: CLI → platform admin API. Plaintext is stored canonically
+* server-side; the CLI never echoes plaintext back. The API returns a
+* `api_key_preview` (first-6 + last-4) for confirmation.
+*/
+const VALID_PROVIDERS = new Set(["anthropic", "openai"]);
+function assertValidProvider(name) {
+	if (!VALID_PROVIDERS.has(name)) throw new Error(`Unknown AI provider '${name}'. Supported: ${[...VALID_PROVIDERS].join(", ")}.`);
+}
+async function aiProvidersAddCommand(provider, options) {
+	assertValidProvider(provider);
+	const apiKey = await resolveSecretValue(options);
+	if (apiKey.length < 10) throw new Error("AI provider api_key must be at least 10 characters.");
+	const projectConfig = await loadProjectConfig();
+	console.log();
+	console.log(pc.bold(`  amba ai providers add ${pc.cyan(provider)}`));
+	console.log();
+	const res = await registerAiProvider(projectConfig.projectId, {
+		name: provider,
+		api_key: apiKey
+	});
+	console.log(pc.green("  ✓") + ` Registered ${provider}`);
+	if (res.data.api_key_preview) console.log(pc.dim(`    key preview: ${res.data.api_key_preview}`));
+	console.log(pc.dim(`    secret_name: ${res.data.api_key_secret_name ?? "(unset)"}`));
+	console.log();
+}
+async function aiProvidersListCommand() {
+	const res = await listAiProviders((await loadProjectConfig()).projectId);
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim("  No AI providers registered."));
+		console.log(pc.dim("  Add one with: amba ai providers add anthropic --key sk-ant-...  (or --from-stdin)"));
+		console.log();
+		return;
+	}
+	for (const p of res.data) console.log(`  ${pc.bold(p.name)}  ` + pc.dim(`secret=${p.api_key_secret_name ?? "(unset)"}`) + (p.updated_at ? pc.dim(`  updated=${p.updated_at}`) : ""));
+	console.log();
+}
+async function aiProvidersDeleteCommand(provider) {
+	assertValidProvider(provider);
+	if ((await deleteAiProvider((await loadProjectConfig()).projectId, provider)).data.deleted) console.log(pc.green("  ✓") + ` Removed ${provider}`);
+}
+/**
+* Read a secret value from CLI options. Shared by `amba ai providers
+* add` and `amba secrets set` — either `--key`/`<value>` arg OR
+* `--from-stdin` for shell-history-safe input.
+*
+* Resolution order:
+*   1. `--from-stdin` → consume stdin to EOF, return trimmed value.
+*      Errors if stdin is a TTY (would hang waiting for input the
+*      caller can't see they need to type).
+*   2. `--key` (or its inline equivalent) → return as-is.
+*   3. Neither → throw with the actionable error message.
+*/
+async function resolveSecretValue(opts) {
+	if (opts.fromStdin) {
+		if (process.stdin.isTTY) throw new Error("--from-stdin was set but stdin is a TTY. Pipe the value in, e.g. `echo $KEY | amba ai providers add anthropic --from-stdin` or `amba ai providers add anthropic --from-stdin < ~/.anthropic-key`.");
+		const chunks = [];
+		for await (const chunk of process.stdin) chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+		const value = Buffer.concat(chunks).toString("utf8").trim();
+		if (value.length === 0) throw new Error("--from-stdin: no input received on stdin.");
+		return value;
+	}
+	if (opts.key !== void 0 && opts.key.length > 0) return opts.key;
+	throw new Error("Missing API key. Provide --key <value> OR --from-stdin (and pipe the value in).");
+}
+//#endregion
+//#region src/commands/secrets.ts
+/**
+* `amba secrets ...` — write per-function secrets through the platform
+* API. The CLI sends `{name, value, function}` to the admin endpoint;
+* the server stores the value, validates reserved binding names, and
+* propagates it to the deployed Worker's binding. Sync is eventual —
+* `amba secrets list` shows progress.
+*/
+async function secretsSetCommand(name, value, options) {
+	validateSecretName(name);
+	const resolvedValue = await resolveSecretValue({
+		key: value,
+		fromStdin: options.fromStdin
+	});
+	const projectConfig = await loadProjectConfig();
+	if (options.env === "prod") console.log(pc.dim("  Note: --env is informational; prod and dev share one secret namespace per project."));
+	console.log();
+	console.log(pc.bold(`  amba secrets set ${pc.cyan(name)}`));
+	console.log(pc.dim(`  function=${options.function}  env=${options.env ?? "dev"}`));
+	console.log();
+	const res = await setSecretViaApi(projectConfig.projectId, {
+		name,
+		value: resolvedValue,
+		function: options.function
+	});
+	console.log(pc.green("  ✓") + ` Secret ${pc.cyan(name)} stored ${pc.dim(`v${res.data.version}`)}`);
+	console.log(pc.green("  ✓") + ` Workers Secret sync ${pc.dim(`(status=${res.data.sync_status})`)} queued`);
+	console.log();
+	console.log(pc.dim("  Workers Secret will be live within ~30s. Run `amba secrets list` to check sync status."));
+	console.log();
+}
+async function secretsListCommand() {
+	const res = await listSecretsViaApi((await loadProjectConfig()).projectId);
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim("  No secrets configured."));
+		console.log();
+		return;
+	}
+	for (const row of res.data) {
+		const status = renderStatus(row.sync_status);
+		console.log(`  ${pc.bold(row.name)} ` + pc.dim(`(${row.function})`) + ` v${row.version}  ${status}` + (row.last_error ? pc.dim(`  — ${row.last_error}`) : ""));
+	}
+	console.log();
+}
+async function secretsUnsetCommand(name, options) {
+	validateSecretName(name);
+	await deleteSecretViaApi((await loadProjectConfig()).projectId, name, { function: options.function });
+	console.log(pc.green("  ✓") + ` Removed from GCP Secret Manager.`);
+	console.log(pc.dim("  Workers Secret on the dispatched script remains until the next deploy — redeploy to clear."));
+}
+function validateSecretName(name) {
+	const reason = getBindingReservationReason(name);
+	if (reason !== null) throw new Error(`Secret name '${name}' rejected: ${reason}`);
+}
+function renderStatus(status) {
+	switch (status) {
+		case "synced": return pc.green("synced");
+		case "syncing": return pc.cyan("syncing");
+		case "sync_failed_retrying": return pc.yellow("retrying");
+		default: return pc.dim(status);
+	}
+}
+//#endregion
+//#region src/commands/collections.ts
+/**
+* `amba collections ...` — thin shells over the admin collection routes.
+*
+* Wire shapes:
+*
+*   POST   /admin/projects/:p/collections             — create (full schema)
+*   GET    /admin/projects/:p/collections             — list
+*   PATCH  /admin/projects/:p/collections/:name       — single-op alter
+*   DELETE /admin/projects/:p/collections/:name       — drop (requires ?confirm)
+*
+* The CLI's job is to:
+*   1. Validate names / types client-side so an obviously-bad invocation
+*      doesn't round-trip.
+*   2. Translate the user-friendly CLI flag shape (`--field name:type`,
+*      `--add-field`, `--drop-field`) into the wire shape (single op per
+*      PATCH).
+*   3. Block until the server reports success.
+*   4. Surface server errors with a sensible CLI message.
+*
+* Multi-op alters are issued sequentially so the operator audit trail
+* stays one-to-one with developer actions.
+*/
+/**
+* Closed-set type catalog. Matches data's `ColumnType` exactly — keeps
+* the CLI fail-fast path aligned with the DDL emit's accepted shapes.
+*
+* The CLI accepts customer-friendly synonyms (e.g. `int` → `integer`)
+* via `normalizeColumnType` so the `--field` flag stays ergonomic
+* without the API needing to relax its closed catalog.
+*/
+const ALLOWED_TYPES = new Set([
+	"uuid",
+	"text",
+	"integer",
+	"bigint",
+	"numeric",
+	"boolean",
+	"timestamptz",
+	"date",
+	"jsonb",
+	"vector"
+]);
+const TYPE_SYNONYMS = {
+	int: "integer",
+	int4: "integer",
+	int8: "bigint",
+	bool: "boolean",
+	json: "jsonb",
+	string: "text"
+};
+async function collectionsCreateCommand(name, options) {
+	const reason = getReservationReason(name);
+	if (reason) throw new Error(`Cannot create collection '${name}': ${reason}`);
+	const columns = options.field.map(parseColumnSpec);
+	const indexes = options.index.map(parseIndexSpec);
+	const projectConfig = await loadProjectConfig();
+	console.log();
+	console.log(pc.bold(`  amba collections create ${pc.cyan(name)}`));
+	for (const c of columns) console.log(pc.dim("    ") + c.name + pc.dim(": ") + c.type + (c.nullable ? pc.dim(" NULL") : pc.dim(" NOT NULL")));
+	console.log();
+	const res = await createCollection(projectConfig.projectId, {
+		name,
+		columns,
+		indexes
+	});
+	console.log(pc.green("  ✓") + ` Created — version ${res.data.version}`);
+	console.log(pc.dim(`    workflow_id: ${res.data.workflow_id}`));
+	console.log();
+}
+async function collectionsAlterCommand(name, options) {
+	if (options.addField.length === 0 && options.dropField.length === 0 && options.addIndex.length === 0) throw new Error("amba collections alter: at least one of --add-field, --add-index, or --drop-field is required.");
+	const confirmed = new Set(options.confirm ?? []);
+	for (const col of options.dropField) if (!confirmed.has(col)) throw new Error(`Refusing to drop column '${col}' without --confirm ${col} (DROP COLUMN is destructive).`);
+	const projectConfig = await loadProjectConfig();
+	for (const fieldSpec of options.addField) {
+		const column = parseColumnSpec(fieldSpec);
+		const res = await alterCollection(projectConfig.projectId, name, { add_column: column });
+		console.log(pc.green("  ✓") + ` add column ${pc.cyan(column.name)} (${column.type}) — version ${res.data.version}`);
+	}
+	for (const indexSpec of options.addIndex) {
+		const index = parseIndexSpec(indexSpec);
+		const res = await alterCollection(projectConfig.projectId, name, { add_index: index });
+		console.log(pc.green("  ✓") + ` add index on (${index.columns.join(", ")}) — version ${res.data.version}`);
+	}
+	for (const col of options.dropField) {
+		const res = await alterCollection(projectConfig.projectId, name, { drop_column: col }, { confirm: col });
+		console.log(pc.green("  ✓") + ` drop column ${pc.cyan(col)} — version ${res.data.version}`);
+	}
+}
+async function collectionsListCommand() {
+	const res = await listCollections$1((await loadProjectConfig()).projectId, { limit: 200 });
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim("  No collections defined."));
+		console.log();
+		return;
+	}
+	for (const c of res.data) console.log(`  ${pc.bold(c.name)}  ` + pc.dim(c.created_at));
+	console.log();
+}
+async function collectionsDropCommand(name, options = {}) {
+	if (options.confirm !== name) throw new Error(`Refusing to drop ${name}: pass --confirm ${name} to confirm (DROP TABLE is destructive).`);
+	await dropCollection((await loadProjectConfig()).projectId, name, name);
+	console.log(pc.green("  ✓") + ` Dropped ${name}.`);
+}
+function normalizeColumnType(raw) {
+	const baseRaw = (raw.split("(")[0] ?? raw).trim().toLowerCase();
+	const base = TYPE_SYNONYMS[baseRaw] ?? baseRaw;
+	if (!ALLOWED_TYPES.has(base)) throw new Error(`Unknown type '${raw}'. Allowed: ${[...ALLOWED_TYPES].join(", ")}.`);
+	return base;
+}
+/**
+* Parse a `--field` spec into a `CollectionColumn`.
+*
+* Accepted grammars:
+*
+*   1. **Plain column:** `name:type[:nullable]`
+*      Examples: `letter_id:uuid`, `parsed:jsonb:nullable`.
+*
+*   2. **Foreign key:** `name:type:fk(<table>[.<column>][:onDelete])`
+*      Examples:
+*        `plan_id:uuid:fk(plans)` — references `plans(id)`, default no-action
+*        `plan_id:uuid:fk(plans.id)` — explicit column
+*        `plan_id:uuid:fk(plans.id:cascade)` — ON DELETE CASCADE
+*        `parent_id:uuid:fk(comments:set_null)` — ON DELETE SET NULL
+*
+*      Note: a `user_id` FK to `app_users(id)` is auto-emitted on every
+*      collection server-side. Customers don't need to declare it.
+*
+*   3. **Vector:** `name:vector:<dim>` or `name:vector(<dim>)`
+*      Examples:
+*        `embedding:vector:1536` — OpenAI text-embedding-3-small
+*        `embedding:vector(384)` — sentence-transformers / all-MiniLM
+*      Dimension is validated client-side as 1..4096. For an HNSW /
+*      IVFFlat index on the column, supply `--index 'embedding'`
+*      separately.
+*
+*   4. **Vector + nullable:** `name:vector:<dim>:nullable`
+*      Vector columns can be nullable for "embedding generated lazily".
+*
+* Multi-arg combinations (e.g. fk + nullable on the same column) parse
+* left-to-right: the third segment is the FK / vector / nullable
+* marker; if it's an FK or vector, the optional fourth segment is
+* `nullable`. Plain columns put `nullable` in slot 3.
+*/
+function parseColumnSpec(spec) {
+	const parts = spec.replace(/^([a-z_][a-z0-9_]*):vector\((\d+)\)/i, "$1:vector:$2").replace(/fk\(([^)]+)\)/i, (_match, inner) => {
+		return `fk(${inner.replace(/:/g, "|")})`;
+	}).split(":");
+	if (parts.length < 2 || parts.length > 4) throw new Error(`Invalid field spec '${spec}'. Grammar:\n  name:type[:nullable]                          (plain)\n  name:type:fk(table[.col][:onDelete])[:nullable] (foreign key)\n  name:vector:<dim>[:nullable]                  (vector / pgvector)\nExamples: user_id:uuid, parsed:jsonb:nullable, plan_id:uuid:fk(plans),\n          embedding:vector:1536, comment_id:uuid:fk(comments.id:set_null).`);
+	const colName = parts[0];
+	const type = parts[1];
+	const slot3 = parts[2];
+	const slot4 = parts[3];
+	if (!/^[a-z_][a-z0-9_]*$/.test(colName)) throw new Error(`Invalid column name '${colName}'.`);
+	const normalizedType = normalizeColumnType(type);
+	const out = {
+		name: colName,
+		type: normalizedType
+	};
+	if (slot3 === void 0) {
+		if (normalizedType === "vector") throw new Error(`Vector column '${colName}' requires a dimension. Use ${colName}:vector:<dim> (e.g. ${colName}:vector:1536) or the paren form ${colName}:vector(<dim>).`);
+		return out;
+	}
+	if (normalizedType === "vector") {
+		const dim = Number.parseInt(slot3, 10);
+		if (!Number.isFinite(dim) || dim <= 0) throw new Error(`Invalid vector dimension '${slot3}' on column '${colName}'. Expected a positive integer (e.g. embedding:vector:1536).`);
+		if (dim > 4096) throw new Error(`Vector dimension ${dim} on column '${colName}' exceeds amba's cap of 4096.`);
+		out.dimension = dim;
+		if (slot4 !== void 0) {
+			if (slot4 !== "nullable") throw new Error(`Invalid trailing token '${slot4}' on vector column '${colName}'. Only 'nullable' is allowed after the dimension.`);
+			out.nullable = true;
+		}
+		return out;
+	}
+	if (slot3 === "nullable") {
+		out.nullable = true;
+		if (slot4 !== void 0) throw new Error(`Invalid trailing token '${slot4}' on column '${colName}'. 'nullable' must be the last segment for plain fields.`);
+		return out;
+	}
+	if (slot3.startsWith("fk(") && slot3.endsWith(")")) {
+		out.references = parseFkSpec(slot3.slice(3, -1).replace(/\|/g, ":"));
+		if (slot4 !== void 0) {
+			if (slot4 !== "nullable") throw new Error(`Invalid trailing token '${slot4}' on column '${colName}'. Only 'nullable' is allowed after fk(...).`);
+			out.nullable = true;
+		}
+		return out;
+	}
+	throw new Error(`Invalid third segment '${slot3}' on column '${colName}'. Expected 'nullable', fk(...), or — for vector columns — a positive integer dimension.`);
+}
+/**
+* Parse the `fk(...)` body into the API's `references` shape.
+* Supported inner grammars:
+*   - `<table>` → `{ table }` (FK to `<table>(id)`, no ON DELETE clause)
+*   - `<table>.<column>` → `{ table, column }`
+*   - `<table>:<onDelete>` → `{ table, onDelete }`
+*   - `<table>.<column>:<onDelete>` → `{ table, column, onDelete }`
+*
+* `onDelete` accepts case-insensitive `cascade | restrict | set_null | no_action`
+* (and the `set null` / `no action` SQL spellings) — translated to the
+* canonical uppercased form the API expects.
+*/
+function parseFkSpec(inner) {
+	const [tablePart, onDelete] = inner.includes(":") ? inner.split(":") : [inner, void 0];
+	const trimmedTable = tablePart.trim();
+	if (trimmedTable.length === 0) throw new Error(`Invalid fk(...) — table name is required.`);
+	const dotIdx = trimmedTable.indexOf(".");
+	let table;
+	let column;
+	if (dotIdx === -1) table = trimmedTable;
+	else {
+		table = trimmedTable.slice(0, dotIdx);
+		column = trimmedTable.slice(dotIdx + 1);
+	}
+	if (!/^[a-z_][a-z0-9_]*$/.test(table)) throw new Error(`Invalid fk table name '${table}'.`);
+	if (column !== void 0 && !/^[a-z_][a-z0-9_]*$/.test(column)) throw new Error(`Invalid fk column name '${column}'.`);
+	const out = { table };
+	if (column !== void 0) out.column = column;
+	if (onDelete !== void 0) out.onDelete = normalizeOnDelete(onDelete);
+	return out;
+}
+function normalizeOnDelete(raw) {
+	switch (raw.trim().toLowerCase().replace(/_/g, " ")) {
+		case "cascade": return "CASCADE";
+		case "restrict": return "RESTRICT";
+		case "set null": return "SET NULL";
+		case "no action": return "NO ACTION";
+		default: throw new Error(`Invalid onDelete '${raw}' in fk(...). Supported: cascade | restrict | set_null | no_action.`);
+	}
+}
+/**
+* Parse an index spec into the wire shape data's API expects.
+*
+* Input syntax (CLI-friendly): `"col1 [asc|desc], col2 [asc|desc]"`.
+* Wire shape (per data's contract): `{ columns: ['col1 desc', 'col2 asc'] }` —
+* direction is embedded in each column string and parsed by the DDL emit.
+*
+* Bare column names (no direction) are passed through verbatim; the
+* default sort direction is the DDL emit's responsibility.
+*/
+function parseIndexSpec(spec) {
+	const cols = [];
+	for (const part of spec.split(",")) {
+		const trimmed = part.trim();
+		if (!trimmed) throw new Error(`Invalid index spec '${spec}'.`);
+		const m = /^([a-zA-Z_][a-zA-Z0-9_]*)(?:\s+(asc|desc))?$/i.exec(trimmed);
+		if (!m) throw new Error(`Invalid index column '${trimmed}'. Expected '<col>' or '<col> asc|desc'.`);
+		const colName = m[1];
+		const direction = m[2]?.toLowerCase();
+		cols.push(direction ? `${colName} ${direction}` : colName);
+	}
+	return { columns: cols };
+}
+//#endregion
+//#region src/_internal/codegen.ts
+/** Read every collection schema and emit a single `.amba/types.d.ts` body. */
+async function generateCollectionTypes(input) {
+	const sorted = [...await listCollections(input.http, input.projectId)].sort();
+	const collections = [];
+	for (const name of sorted) collections.push(await describeCollection(input.http, input.projectId, name));
+	return {
+		declarationsTs: emitDeclarations(collections, input.bannerTimestamp),
+		collectionNames: sorted
+	};
+}
+async function listCollections(http, projectId) {
+	const { data } = await http.get(`/admin/projects/${encodeURIComponent(projectId)}/collections?limit=200`);
+	return data.data.map((c) => c.name).filter((n) => typeof n === "string");
+}
+async function describeCollection(http, projectId, name) {
+	const { data } = await http.get(`/admin/projects/${encodeURIComponent(projectId)}/collections/${encodeURIComponent(name)}`);
+	return {
+		name: data.data.name,
+		columns: data.data.columns
+	};
+}
+/**
+* Postgres `data_type` → TypeScript surface form. Names match the spelling
+* `information_schema.columns` returns.
+*/
+const PG_TYPE_TO_TS = {
+	uuid: "string",
+	text: "string",
+	"character varying": "string",
+	integer: "number",
+	bigint: "number",
+	smallint: "number",
+	numeric: "number",
+	"double precision": "number",
+	real: "number",
+	boolean: "boolean",
+	"timestamp with time zone": "string",
+	"timestamp without time zone": "string",
+	date: "string",
+	jsonb: "unknown",
+	json: "unknown"
+};
+function tsTypeForColumn(col) {
+	const base = PG_TYPE_TO_TS[col.data_type] ?? "unknown";
+	if (col.column_name === "deleted_at") return "string | null";
+	if (col.is_nullable === "YES") return `${base} | null`;
+	return base;
+}
+const HEADER_BANNER = `// .amba/types.d.ts
+// AUTO-GENERATED by \`amba types generate\` — do not edit by hand.
+//
+// This file is regenerated whenever you run the CLI. It declares one
+// interface per customer collection and module-augments @layers/amba-client +
+// @layers/amba-functions so \`Amba.collections.<name>\`, \`client.collections.<name>\`,
+// and \`ctx.collections.<name>\` (Worker side) are all statically typed.
+//
+// Commit OR gitignore at your discretion. The shape mirrors your current
+// schema — regenerate after every collection migration.`;
+function emitDeclarations(collections, bannerTimestamp) {
+	const banner = bannerTimestamp ? `${HEADER_BANNER}\n// Generated: ${bannerTimestamp}` : HEADER_BANNER;
+	const interfaces = collections.map((c) => emitInterface(c)).join("\n\n");
+	const augmentClient = collections.length ? `
+declare module '@layers/amba-client' {
+  interface CollectionsRoot {
+${collections.map((c) => `    readonly ${tsLiteralKey(c.name)}: import('@layers/amba-client').ClientCollection<Amba.collections.${tsTypeName(c.name)}>;`).join("\n")}
+  }
+}
+` : "";
+	const augmentFunctions = collections.length ? `
+declare module '@layers/amba-functions' {
+  interface CollectionsRoot {
+${collections.map((c) => `    readonly ${tsLiteralKey(c.name)}: import('@layers/amba-functions').Collection<Amba.collections.${tsTypeName(c.name)}>;`).join("\n")}
+  }
+}
+` : "";
+	return `${banner}\n\nexport {};\n\ndeclare global {\n  namespace Amba {\n    namespace collections {\n${interfaces ? indent(interfaces, 6) : "      // (no collections defined yet)"}\n    }\n  }\n}\n${augmentClient}${augmentFunctions}`;
+}
+function emitInterface(c) {
+	const fields = c.columns.map((col) => {
+		const ts = tsTypeForColumn(col);
+		const optional = col.is_nullable === "YES" ? "?" : "";
+		return `${tsLiteralKey(col.column_name)}${optional}: ${ts};`;
+	});
+	return `interface ${tsTypeName(c.name)} {\n${fields.map((f) => `  ${f}`).join("\n")}\n}`;
+}
+function indent(s, n) {
+	const pad = " ".repeat(n);
+	return s.split("\n").map((line) => line.length === 0 ? "" : pad + line).join("\n");
+}
+function tsLiteralKey(name) {
+	if (/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(name)) return name;
+	return JSON.stringify(name);
+}
+function tsTypeName(collectionName) {
+	if (!/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(collectionName)) return JSON.stringify(collectionName);
+	return collectionName;
+}
+//#endregion
+//#region src/commands/types.ts
+/**
+* `amba types generate [--watch]` — emits `.amba/types.d.ts`.
+*
+* One-shot is the default (CI-friendly). `--watch` is opt-in; the
+* engine emits deterministic output (no embedded timestamps unless we
+* pass `bannerTimestamp`), so the CLI compares strings to decide
+* whether to touch the file.
+*/
+async function typesGenerateCommand(options = {}) {
+	const outPath = options.out ?? join(process.cwd(), ".amba", "types.d.ts");
+	if (options.watch) {
+		console.log(pc.dim(`  Watching for collection schema changes — Ctrl+C to stop.`));
+		let last = "";
+		for (;;) {
+			try {
+				const next = await emit(outPath);
+				if (next !== last) {
+					console.log(pc.dim(`  ${(/* @__PURE__ */ new Date()).toISOString()}`) + pc.green(" regenerated"));
+					last = next;
+				}
+			} catch (err) {
+				console.error(pc.red("  Error: ") + (err instanceof Error ? err.message : String(err)));
+			}
+			await new Promise((r) => setTimeout(r, 5e3));
+		}
+	} else {
+		await emit(outPath);
+		console.log(pc.green("  ✓") + ` Wrote ${outPath}`);
+	}
+}
+async function emit(outPath) {
+	const projectConfig = await loadProjectConfig();
+	const result = await generateCollectionTypes({
+		http: makeCodegenHttpClient(),
+		projectId: projectConfig.projectId
+	});
+	await mkdir(dirname(outPath), { recursive: true });
+	await writeFile(outPath, result.declarationsTs, "utf-8");
+	return result.declarationsTs;
+}
+/**
+* Adapt the CLI's authenticated admin-API helper to the engine's
+* minimal `CodegenHttpClient` shape. The engine emits paths starting
+* with `/admin/projects/...`; our `adminGet` already prefixes
+* `/admin`, so we strip the engine's `/admin` prefix before passing
+* through.
+*/
+function makeCodegenHttpClient() {
+	return { async get(path) {
+		return adminGet(path.startsWith("/admin") ? path.slice(6) : path);
+	} };
+}
+//#endregion
+//#region src/commands/sites.ts
+/**
+* `amba sites ...` commands.
+*
+* Static-site hosting. The CLI orchestrates two halves on every deploy:
+*
+*   1. Register the site row in the control plane via the admin API so
+*      domains can attach with a stable `cert_status` for polling.
+*   2. Upload the pre-built static directory through the platform API,
+*      which proxies to the underlying CDN.
+*
+* This command does NOT build static files — accept a pre-built
+* directory (mirrors `wrangler pages deploy ./out` semantics). Dynamic
+* logic belongs in `amba functions deploy`, not in a site directory.
+*/
+const SITE_NAME_RE = /^[a-z][a-z0-9_-]{0,49}$/;
+const HOSTNAME_RE = /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
+function validateSiteName(name) {
+	if (!SITE_NAME_RE.test(name)) throw new Error(`Invalid site name '${name}'. Must match /^[a-z][a-z0-9_-]{0,49}$/ (lowercase ASCII, digits, underscore or hyphen; ≤50 chars).`);
+}
+function validateHostname(host) {
+	if (!HOSTNAME_RE.test(host)) throw new Error(`Invalid hostname '${host}'. Must be a DNS-shaped name (e.g. site.example.com).`);
+}
+/**
+* Per-deploy size cap. CF Pages enforces 25 MiB per file + 25k files; we
+* pre-flight at 100 MiB total so the developer sees an actionable error
+* before we spend their time on a multi-second upload. Above this, point
+* them at a Pages-only deployment outside amba.
+*/
+const MAX_DEPLOYMENT_BYTES = 100 * 1024 * 1024;
+const MAX_DEPLOYMENT_FILES = 2e4;
+const MAX_FILE_BYTES = 25 * 1024 * 1024;
+async function sitesDeployCommand(inputDir, options = {}) {
+	const projectId = (await loadProjectConfig()).projectId;
+	const siteName = options.name ?? basename(inputDir).replace(/[^a-z0-9_-]/gi, "-").toLowerCase();
+	validateSiteName(siteName);
+	console.log();
+	console.log(pc.bold(`  amba sites deploy ${pc.cyan(siteName)}`));
+	console.log(pc.dim("  ─────────────────────────────────"));
+	console.log();
+	console.log(pc.dim(`  Scanning ${inputDir}…`));
+	const dirStat = await stat(inputDir).catch(() => null);
+	if (!dirStat || !dirStat.isDirectory()) throw new Error(`'${inputDir}' is not a directory. Pass a built static site folder.`);
+	const files = await collectFiles(inputDir);
+	if (files.length === 0) throw new Error(`No files found under ${inputDir}.`);
+	if (files.length > MAX_DEPLOYMENT_FILES) throw new Error(`Too many files (${files.length} > ${MAX_DEPLOYMENT_FILES}). Pages-for-Platforms enforces a 20k-file cap.`);
+	const totalBytes = files.reduce((sum, f) => sum + f.size, 0);
+	if (totalBytes > MAX_DEPLOYMENT_BYTES) throw new Error(`Deployment too large (${formatBytes(totalBytes)} > ${formatBytes(MAX_DEPLOYMENT_BYTES)}). Trim assets or split into multiple sites.`);
+	console.log(pc.dim(`    ${files.length} files, ${formatBytes(totalBytes)}`));
+	if (options.dryRun) {
+		console.log(pc.yellow("  ! Dry run — skipping CF Pages upload + control-plane write."));
+		console.log();
+		return;
+	}
+	let cfPagesProjectName;
+	try {
+		cfPagesProjectName = (await createSite(projectId, { name: siteName })).data.cf_pages_project_name;
+		console.log(pc.green("  ✓") + ` Registered site (cf_pages_project=${cfPagesProjectName})`);
+	} catch (err) {
+		cfPagesProjectName = (await describeSite(projectId, siteName)).data.cf_pages_project_name;
+		console.log(pc.dim(`  Site already registered (cf_pages_project=${cfPagesProjectName})`));
+	}
+	console.log(pc.dim("  Uploading…"));
+	const dep = (await deploySiteViaApi(projectId, siteName, await buildPagesDeploymentForm(files))).data;
+	console.log(pc.green("  ✓") + ` Deployed ${dep.deployment_id.slice(0, 12)} ${pc.dim(`(branch=${dep.branch}, status=${dep.status})`)}`);
+	console.log(pc.green("  ✓") + ` URL: ${pc.underline(dep.url)}`);
+	if (dep.preview_url && dep.preview_url !== dep.url) console.log(pc.dim(`    preview (CF): ${dep.preview_url}`));
+	const domains = await listSiteDomains(projectId, siteName);
+	if (domains.data.length > 0) {
+		console.log();
+		console.log(pc.dim("  Domains:"));
+		for (const d of domains.data) console.log(`    ${pc.bold(d.hostname)}  ${formatCertStatus(d.cert_status)}`);
+	}
+	console.log();
+}
+async function sitesListCommand() {
+	const res = await listSites((await loadProjectConfig()).projectId);
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim("  No sites deployed."));
+		console.log();
+		return;
+	}
+	for (const s of res.data) {
+		const status = s.status === "active" ? pc.green("active") : pc.yellow(s.status);
+		console.log(`  ${pc.bold(s.name)}  ${status}  ${pc.dim(`pages=${s.cf_pages_project_name}  ${s.created_at}`)}`);
+	}
+	console.log();
+}
+/**
+* `amba sites logs <name>` — not yet available via the public API. Use
+* the developer console for deployment history, or `amba sites describe`
+* for the current cert / domain state.
+*/
+async function sitesLogsCommand(name) {
+	validateSiteName(name);
+	console.log();
+	console.log(pc.yellow("  ! `amba sites logs` is not available in this release."));
+	console.log();
+	console.log(pc.dim("  Alternatives:"));
+	console.log(pc.dim("    amba sites describe <name>   (current state + domains/certs)"));
+	console.log(pc.dim("    https://app.amba.dev          (full deployment history UI)"));
+	console.log();
+}
+async function sitesRollbackCommand(name, options = {}) {
+	validateSiteName(name);
+	if (!options.to) throw new Error("sites rollback requires --to <deployment_id>. Find the target deployment in `amba sites describe` or the developer console.");
+	const dep = (await rollbackSiteViaApi((await loadProjectConfig()).projectId, name, options.to)).data;
+	console.log(pc.green("  ✓") + ` Rolled back to ${options.to.slice(0, 12)}; new deployment ${pc.cyan(dep.deployment_id.slice(0, 12))} ${pc.dim(`(status=${dep.status})`)} is now live.`);
+	console.log(pc.green("  ✓") + ` URL: ${pc.underline(dep.url)}`);
+}
+async function sitesDomainAddCommand(hostname, options) {
+	validateSiteName(options.site);
+	validateHostname(hostname);
+	const projectId = (await loadProjectConfig()).projectId;
+	console.log();
+	console.log(pc.bold(`  amba sites domain add ${pc.cyan(hostname)}`));
+	console.log(pc.dim(`  → site ${pc.cyan(options.site)}`));
+	console.log();
+	const res = await addSiteDomainViaApi(projectId, options.site, hostname);
+	console.log(pc.green("  ✓") + ` Custom Hostname registered (cf_id=${res.data.cf_hostname_id})`);
+	console.log();
+	console.log(pc.dim("  Point your DNS at:"));
+	console.log(`    ${pc.bold("CNAME")} ${hostname}  →  ${pc.cyan(res.data.dns_target)}`);
+	console.log();
+	if (options.noWait) {
+		console.log(pc.yellow("  ! --no-wait — skipping cert poll. Run `amba sites describe` later."));
+		return;
+	}
+	const timeout = (options.timeout ?? 600) * 1e3;
+	const start = Date.now();
+	let lastStatus = "";
+	while (Date.now() - start < timeout) {
+		const row = (await listSiteDomains(projectId, options.site)).data.find((d) => d.hostname === hostname);
+		if (!row) throw new Error(`Domain ${hostname} disappeared from listing — check API state.`);
+		if (row.cert_status !== lastStatus) {
+			console.log(pc.dim(`  cert_status: ${formatCertStatus(row.cert_status)}`));
+			lastStatus = row.cert_status;
+		}
+		if (row.cert_status === "active") {
+			console.log(pc.green("  ✓") + ` ${hostname} live with valid cert.`);
+			return;
+		}
+		if (row.cert_status === "error") throw new Error(`Cert provisioning failed for ${hostname}. Check that the CNAME points at ${res.data.dns_target}.`);
+		await sleep(5e3);
+	}
+	console.log(pc.yellow(`  ! Timed out after ${options.timeout ?? 600}s waiting for cert. Re-run \`amba sites describe ${options.site}\` to check status.`));
+}
+async function sitesDomainListCommand(siteName) {
+	validateSiteName(siteName);
+	const res = await listSiteDomains((await loadProjectConfig()).projectId, siteName);
+	console.log();
+	if (res.data.length === 0) {
+		console.log(pc.dim(`  No domains attached to ${siteName}.`));
+		console.log();
+		return;
+	}
+	for (const d of res.data) console.log(`  ${pc.bold(d.hostname)}  ${formatCertStatus(d.cert_status)}`);
+	console.log();
+}
+async function sitesDomainRemoveCommand(hostname, options) {
+	validateSiteName(options.site);
+	validateHostname(hostname);
+	const projectConfig = await loadProjectConfig();
+	options.zoneId;
+	await removeSiteDomainViaApi(projectConfig.projectId, options.site, hostname);
+	console.log(pc.green("  ✓") + ` Detached ${hostname} from ${options.site}.`);
+}
+async function sitesDisableCommand(name) {
+	validateSiteName(name);
+	await updateSite((await loadProjectConfig()).projectId, name, { status: "disabled" });
+	console.log(pc.green("  ✓") + ` Disabled ${name}.`);
+}
+async function sitesEnableCommand(name) {
+	validateSiteName(name);
+	await updateSite((await loadProjectConfig()).projectId, name, { status: "active" });
+	console.log(pc.green("  ✓") + ` Re-enabled ${name}.`);
+}
+async function sitesArchiveCommand(name, options = {}) {
+	validateSiteName(name);
+	if (!options.confirm || options.confirm !== name) throw new Error(`Archive is destructive. Pass --confirm ${name} to proceed. The site project will be removed and traffic will 404.`);
+	const cascade = (await deleteSiteViaApi((await loadProjectConfig()).projectId, name, { confirm: name })).data.cascade;
+	console.log(pc.green("  ✓") + ` Archived ${name}.`);
+	console.log(pc.dim(`    Cascade: domains_removed=${cascade.domains_removed ?? 0}, cf_pages_project_deleted=${cascade.cf_pages_project_deleted ?? false}`));
+}
+/**
+* Sites are static-only. Dynamic logic belongs in `amba functions deploy`;
+* Pages-Functions inputs are rejected before upload so customer code
+* cannot bypass the platform's auth/edge router by smuggling itself
+* into the static-site deployment surface.
+*/
+const BLOCKED_FILE_NAMES = new Set([
+	"_worker.js",
+	"_worker.ts",
+	"_worker.mjs",
+	"_routes.json",
+	"_middleware.js",
+	"_middleware.ts"
+]);
+const BLOCKED_DIR_NAMES = new Set(["functions"]);
+/**
+* Recursively walk `dir` and return every file, skipping common build
+* detritus (`.DS_Store`, `.git`). Dynamic-handler inputs (`_worker.*`,
+* `functions/`, `_routes.json`, `_middleware.*`) are rejected.
+*/
+async function collectFiles(dir) {
+	const out = [];
+	async function walk(current, depth) {
+		const entries = await readdir(current, { withFileTypes: true });
+		for (const e of entries) {
+			const p = join(current, e.name);
+			if (e.name === ".DS_Store" || e.name === ".git") continue;
+			if (e.isDirectory() && BLOCKED_DIR_NAMES.has(e.name) && depth === 0) throw new SitesStaticOnlyError(`Found '${e.name}/' directory at the deploy root. Dynamic handlers are not allowed in static sites.\n  → Move dynamic logic to its own function: \`amba functions deploy <entry>\`\n  → Then call it from your static site via fetch().`);
+			if (e.isFile() && BLOCKED_FILE_NAMES.has(e.name)) throw new SitesStaticOnlyError(`Found '${e.name}' in the deploy directory. Dynamic handlers are not allowed in static sites.\n  → Move dynamic logic to: \`amba functions deploy <entry>\`\n  → Then call it from your static site via fetch().`);
+			if (e.isDirectory()) await walk(p, depth + 1);
+			else if (e.isFile()) {
+				const st = await stat(p);
+				if (st.size > MAX_FILE_BYTES) throw new Error(`File ${p} is ${formatBytes(st.size)} (> ${formatBytes(MAX_FILE_BYTES)} per-file cap).`);
+				out.push({
+					relPath: relative(dir, p).split(/[\\/]/).join("/"),
+					absPath: p,
+					size: st.size
+				});
+			}
+		}
+	}
+	await walk(dir, 0);
+	return out;
+}
+/**
+* Distinct error class so tests can assert on the specific Decision
+* Log #10 rejection rather than string-matching the message. CLI's
+* `runAction` wrapper renders Errors uniformly so users still see the
+* full message.
+*/
+var SitesStaticOnlyError = class extends Error {
+	code = "SITES_STATIC_ONLY";
+};
+/**
+* Build the multipart payload the deployment proxy expects: one form
+* part per file plus a required `manifest` field mapping
+* `/relative/path` → `sha256-hex`. Leading slash on the manifest key is
+* required.
+*/
+async function buildPagesDeploymentForm(files) {
+	const fd = new FormData();
+	const manifest = {};
+	for (const f of files) {
+		const buf = await readFile(f.absPath);
+		fd.append(f.relPath, new Blob([new Uint8Array(buf)]), f.relPath);
+		const manifestKey = "/" + f.relPath.split(/[/\\]/).join("/");
+		manifest[manifestKey] = createHash("sha256").update(buf).digest("hex");
+	}
+	fd.append("manifest", JSON.stringify(manifest));
+	return fd;
+}
+function formatBytes(n) {
+	if (n < 1024) return `${n} B`;
+	if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KiB`;
+	return `${(n / (1024 * 1024)).toFixed(1)} MiB`;
+}
+function formatCertStatus(s) {
+	if (s === "active") return pc.green(s);
+	if (s === "error") return pc.red(s);
+	return pc.yellow(s);
+}
+function sleep(ms) {
+	return new Promise((r) => setTimeout(r, ms));
+}
+//#endregion
+//#region src/index.ts
+const program = new Command();
+program.name("amba").description("amba — agent-native backend-as-a-service for mobile apps.").version("0.1.0");
+program.option("--token <pat>", "Use a Personal Access Token for headless / CI / agent use (overrides ~/.amba/credentials.json + AMBA_PAT env)");
+program.hook("preAction", (thisCommand) => {
+	setBearerOverride(resolveTokenSource({
+		flagToken: thisCommand.optsWithGlobals().token,
+		envToken: process.env["AMBA_PAT"]
+	}));
+});
+function runAction(fn) {
+	return fn().catch((err) => {
+		const message = err instanceof Error ? err.message : "Unknown error";
+		console.error(pc.red(`\n  Error: ${message}\n`));
+		process.exit(1);
+	});
+}
+program.command("init").description("Initialize Amba in the current project (mints a personal dev project by default)").option("--with-example", "Scaffold a sample app.tsx + README snippet into the current directory").option("--env <env>", "'development' (default) or 'production'").action(async (opts) => {
+	let env;
+	if (opts.env === "development" || opts.env === "dev") env = "development";
+	else if (opts.env === "production" || opts.env === "prod") env = "production";
+	else if (opts.env !== void 0) {
+		console.error(`Error: --env must be 'development' or 'production' (got '${opts.env}').`);
+		process.exit(1);
+	}
+	await runAction(() => initCommand({
+		withExample: opts.withExample,
+		env
+	}));
+});
+program.command("login").description("Authenticate with Amba").action(async () => {
+	await runAction(loginCommand);
+});
+program.command("logout").description("Clear stored credentials").action(async () => {
+	await runAction(async () => {
+		await clearCredentials();
+		console.log();
+		console.log(pc.green("  ✓") + " Logged out — credentials removed");
+		console.log();
+	});
+});
+program.command("status").description("Show project health and integration status").option("--detailed", "Include integrations, user count, and segment summary").action(async (opts) => {
+	await runAction(() => statusCommand({ detailed: opts.detailed }));
+});
+program.command("push").description("Push notification commands").command("test").description("Send a test push notification to all registered devices").action(async () => {
+	await runAction(pushTestCommand);
+});
+const config = program.command("config").description("Remote config commands");
+config.command("list").description("List all remote config values").action(async () => {
+	await runAction(configListCommand);
+});
+config.command("set <key> <value>").description("Set a remote config value").action(async (key, value) => {
+	await runAction(() => configSetCommand(key, value));
+});
+const projects = program.command("projects").description("Project management commands");
+projects.command("list").description("List all projects in the authenticated developer account").action(async () => {
+	await runAction(projectsListCommand);
+});
+projects.command("create").description("Create a new project").requiredOption("--name <name>", "Project name").option("--env <env>", "Environment hint (informational; projects start in development)").option("--bundle-id <id>", "Bundle identifier (iOS/Android)").option("--platform <platform>", "Platform: 'ios' | 'android' | 'all'").action(async (opts) => {
+	await runAction(() => projectsCreateCommand({
+		name: opts.name,
+		env: opts.env,
+		bundleId: opts.bundleId,
+		platform: opts.platform
+	}));
+});
+projects.command("show <projectId>").description("Show full project details as JSON").action(async (projectId) => {
+	await runAction(() => projectsShowCommand(projectId));
+});
+projects.command("delete <projectId>").description("Delete a project (irreversible)").option("-y, --yes", "Skip confirmation prompt").action(async (projectId, opts) => {
+	await runAction(() => projectsDeleteCommand(projectId, { yes: opts.yes }));
+});
+program.command("logs").description("Log streaming commands").command("tail").description("Tail the engagement event log for a project").option("--project <id>", "Project id (overrides .env.local)").option("--follow", "Keep the stream open and poll for new events every 2s").option("--json", "Emit raw NDJSON for piping (no decoration)").option("--since <iso>", "Only show events on or after this ISO 8601 timestamp").option("--event-name <name>", "Filter to a single event_name").option("--user-id <id>", "Filter to a single app_user_id").option("--limit <n>", "Max events per page (default 100, max 1000)", (v) => parseInt(v, 10)).action(async (opts) => {
+	await runAction(() => logsTailCommand({
+		project: opts.project,
+		follow: opts.follow,
+		json: opts.json,
+		since: opts.since,
+		eventName: opts.eventName,
+		userId: opts.userId,
+		limit: opts.limit
+	}));
+});
+program.command("seed").description("Populate test data for the current project").option("--project <id>", "Project id (overrides .env.local)").option("--preset <preset>", "Preset: 'starter' | 'gamification' | 'content'", "starter").action(async (opts) => {
+	await runAction(() => seedCommand({
+		project: opts.project,
+		preset: opts.preset ?? "starter"
+	}));
+});
+program.command("db").description("Database operations").command("migrate").description("Run tenant migrations").option("--project <id>", "Project id (overrides .env.local)").action(async (opts) => {
+	await runAction(() => dbMigrateCommand({ project: opts.project }));
+});
+program.command("analytics").description("Analytics export commands").command("export").description("Export users or events to CSV or NDJSON").requiredOption("--type <type>", "'users' | 'events'").option("--project <id>", "Project id (overrides .env.local)").option("--since <date>", "Only include rows since this ISO 8601 timestamp").option("--until <date>", "Only include rows up to this ISO 8601 timestamp").option("--out <file>", "Write output to file instead of stdout").option("--format <fmt>", "'csv' (default) | 'ndjson'").option("--limit <n>", "Per-page row limit when paginating events", (v) => parseInt(v, 10)).action(async (opts) => {
+	await runAction(() => analyticsExportCommand({
+		type: opts.type,
+		project: opts.project,
+		since: opts.since,
+		until: opts.until,
+		out: opts.out,
+		format: opts.format,
+		limit: opts.limit
+	}));
+});
+program.command("schema").description("Schema export commands").command("export").description("Dump schema definitions for domains").requiredOption("--domain <domain>", "Domain: 'all' | 'achievements' | 'streaks' | 'xp' | 'leaderboards' | 'challenges' | 'content' | 'segments' | 'push'").option("--format <format>", "'json' | 'typescript'", "json").action(async (opts) => {
+	await runAction(() => schemaExportCommand({
+		domain: opts.domain,
+		format: opts.format ?? "json"
+	}));
+});
+const functions = program.command("functions").description("Customer Worker functions (Cloudflare Workers for Platforms)");
+functions.command("deploy <file>").description("Bundle a function file and deploy to the dispatch namespace").option("--name <name>", "Function name (default: filename without extension)").option("--dry-run", "Bundle and report size without uploading").option("--rate-limit-window <duration>", "Rate-limit window: 60s | 5m | 1h").option("--rate-limit-max <int>", "Rate-limit max requests per window", (v) => Number.parseInt(v, 10)).option("--rate-limit-key <kind>", "Rate-limit bucket key: user_id | ip").action(async (file, opts) => {
+	await runAction(() => functionsDeployCommand(file, opts));
+});
+functions.command("list").description("List active functions for the current project").action(async () => {
+	await runAction(functionsListCommand);
+});
+functions.command("delete <name>").description("Disable + remove a function from the dispatch namespace").action(async (name) => {
+	await runAction(() => functionsDeleteCommand(name));
+});
+functions.command("schedule <name> <cron>").description("Register a cron schedule that invokes a deployed function").option("--tz <iana>", "IANA timezone for the schedule (default: UTC)").action(async (name, cron, opts) => {
+	await runAction(() => functionsScheduleCommand(name, cron, opts));
+});
+functions.command("dev <file>").description("Run wrangler dev --remote against your dev project").action(async (file) => {
+	await runAction(() => functionsDevCommand(file));
+});
+functions.command("logs <name>").description("Stream log events for a deployed function").option("--since <iso>", "Start of the time range (default: 1 hour ago)").option("--until <iso>", "End of the time range (default: now). Ignored on --tail.").option("--limit <n>", "Max events per fetch (default 100, max 1000)", (v) => parseInt(v, 10)).option("--tail", "Follow new events; polls every 3s. Ctrl+C to stop.").option("--follow", "Alias for --tail (kept for backwards compatibility with v1 log commands).").option("--json", "NDJSON output to stdout (one event per line)").action(async (name, opts) => {
+	await runAction(() => functionsLogsCommand(name, {
+		since: opts.since,
+		until: opts.until,
+		limit: opts.limit,
+		tail: opts.tail || opts.follow,
+		json: opts.json
+	}));
+});
+functions.command("consume <queue-name> <function-name>").description("Bind a function as the consumer for a queue").option("--paused", "Create the binding paused (the workflow DLQs payloads until resumed)").action(async (queueName, functionName, opts) => {
+	await runAction(() => functionsConsumeCommand(queueName, functionName, opts));
+});
+const consumers = functions.command("consumers").description("Manage queue → function bindings");
+consumers.command("list").description("List queue bindings for the current project").action(async () => {
+	await runAction(functionsConsumersListCommand);
+});
+consumers.command("unbind <queue-name>").description("Remove the binding for a queue (DROP)").action(async (queueName) => {
+	await runAction(() => functionsConsumersUnbindCommand(queueName));
+});
+const secrets = program.command("secrets").description("Function secrets (GCP canonical, Workers-Secret synced)");
+secrets.command("set <name> [value]").description("Write a secret to GCP Secret Manager and queue Workers Secret sync. Use --from-stdin to keep the value out of shell history.").requiredOption("--function <name>", "Function name the secret binds to. Secrets are scoped per dispatched script — there is no project-wide secret in v1; every secret belongs to exactly one function. Use the same name as the entry passed to 'amba functions deploy'.").option("--env <env>", "'dev' | 'prod' — INFORMATIONAL ONLY. Both share one secret namespace per project. Use distinct secret names (e.g. STRIPE_KEY_DEV / STRIPE_KEY_PROD) or two amba projects for real env isolation.").option("--from-stdin", "Read the secret value from stdin instead of the positional arg. Mutually exclusive with <value>. Pipe in: `echo $KEY | amba secrets set NAME --function fn --from-stdin`.").action(async (name, value, opts) => {
+	await runAction(() => secretsSetCommand(name, value, {
+		function: opts.function,
+		env: opts.env ?? "dev",
+		fromStdin: opts.fromStdin
+	}));
+});
+secrets.command("list").description("List secret sync status for the current project").action(async () => {
+	await runAction(secretsListCommand);
+});
+secrets.command("unset <name>").description("Remove a secret from GCP Secret Manager (Workers Secret cleared on next deploy)").requiredOption("--function <name>", "Function name the secret binds to").action(async (name, opts) => {
+	await runAction(() => secretsUnsetCommand(name, opts));
+});
+const collections = program.command("collections").description("Customer collections (schema-first Postgres in tenant Neon)");
+collections.command("create <name>").description("Create a collection with the given fields").option("--field <spec>", "Field spec: name:type[:nullable] (e.g. user_id:uuid, parsed:jsonb:nullable). Repeatable.", (val, prev) => [...prev ?? [], val], []).option("--index <spec>", "Index spec: \"col1 [asc|desc], col2 [asc|desc]\". Repeatable.", (val, prev) => [...prev ?? [], val], []).action(async (name, opts) => {
+	await runAction(() => collectionsCreateCommand(name, opts));
+});
+collections.command("alter <name>").description("Add columns / indexes or drop columns on an existing collection").option("--add-field <spec>", "Column to add (name:type[:nullable]). Repeatable.", (val, prev) => [...prev ?? [], val], []).option("--add-index <spec>", "Index to add (\"col [asc|desc], …\"). Repeatable.", (val, prev) => [...prev ?? [], val], []).option("--drop-field <name>", "Column to drop (DESTRUCTIVE — requires --confirm <name>). Repeatable.", (val, prev) => [...prev ?? [], val], []).option("--confirm <name>", "Confirm a destructive --drop-field <name>. Repeatable.", (val, prev) => [...prev ?? [], val], []).action(async (name, opts) => {
+	await runAction(() => collectionsAlterCommand(name, opts));
+});
+collections.command("list").description("List collections for the current project").action(async () => {
+	await runAction(collectionsListCommand);
+});
+collections.command("drop <name>").description("Drop a collection (DESTRUCTIVE — requires --confirm <name>)").option("--confirm <name>", "Pass the collection name to confirm the drop").action(async (name, opts) => {
+	await runAction(() => collectionsDropCommand(name, opts));
+});
+program.command("types").description("TypeScript codegen for collections").command("generate").description("Emit .amba/types.d.ts from the current collection schemas").option("--out <path>", "Output path (default: .amba/types.d.ts)").option("--watch", "Re-emit every 5s on schema changes").action(async (opts) => {
+	await runAction(() => typesGenerateCommand(opts));
+});
+const sites = program.command("sites").description("Static site hosting");
+sites.command("deploy <dir>").description("Upload a built static-site directory to Pages-for-Platforms").option("--name <name>", "Site name (default: basename of dir, slug-cleaned)").option("--dry-run", "Scan + size-check without uploading").action(async (dir, opts) => {
+	await runAction(() => sitesDeployCommand(dir, opts));
+});
+sites.command("list").description("List sites for the current project").action(async () => {
+	await runAction(sitesListCommand);
+});
+sites.command("logs <name>").description("List recent CF Pages deployments for a site").action(async (name) => {
+	await runAction(() => sitesLogsCommand(name));
+});
+sites.command("rollback <name>").description("Roll back a site to a previous deployment (default: previous successful)").option("--to <deployment_id>", "Specific deployment id to roll back to").action(async (name, opts) => {
+	await runAction(() => sitesRollbackCommand(name, opts));
+});
+sites.command("disable <name>").description("Disable a site (control-plane only — CF Pages project remains)").action(async (name) => {
+	await runAction(() => sitesDisableCommand(name));
+});
+sites.command("enable <name>").description("Re-enable a previously disabled site").action(async (name) => {
+	await runAction(() => sitesEnableCommand(name));
+});
+sites.command("archive <name>").description("Archive a site (DESTRUCTIVE — deletes CF Pages project + custom hostnames)").option("--confirm <name>", "Pass the site name to confirm").action(async (name, opts) => {
+	await runAction(() => sitesArchiveCommand(name, opts));
+});
+const sitesDomain = sites.command("domain").description("Manage custom hostnames per site");
+sitesDomain.command("add <hostname>").description("Attach a custom hostname (CF for SaaS — DV cert, polls until active)").requiredOption("--site <name>", "Site name to attach the hostname to").option("--zone-id <id>", "CF zone id (default: env CLOUDFLARE_AMBA_HOST_ZONE_ID)").option("--no-wait", "Skip the cert-status poll loop; return as soon as the row is recorded").option("--timeout <seconds>", "Cert poll timeout (default 600)", (v) => parseInt(v, 10)).action(async (hostname, opts) => {
+	await runAction(() => sitesDomainAddCommand(hostname, {
+		site: opts.site,
+		zoneId: opts.zoneId,
+		noWait: opts.noWait,
+		timeout: opts.timeout
+	}));
+});
+sitesDomain.command("list <site>").description("List custom hostnames attached to a site").action(async (site) => {
+	await runAction(() => sitesDomainListCommand(site));
+});
+sitesDomain.command("remove <hostname>").description("Detach a custom hostname (best-effort CF detach + control-plane row delete)").requiredOption("--site <name>", "Site name the hostname is attached to").option("--zone-id <id>", "CF zone id (default: env CLOUDFLARE_AMBA_HOST_ZONE_ID)").action(async (hostname, opts) => {
+	await runAction(() => sitesDomainRemoveCommand(hostname, {
+		site: opts.site,
+		zoneId: opts.zoneId
+	}));
+});
+const aiProviders = program.command("ai").description("AI gateway — manage provider keys + prompts").command("providers").description("Per-project provider key registration (Anthropic, OpenAI)");
+aiProviders.command("add <provider>").description("Register an AI provider key. Plaintext stored securely server-side; a preview (first-6+last-4) is printed back. Use --from-stdin to keep the key out of shell history.").option("--key <value>", "Provider API key plaintext (alternative: --from-stdin)").option("--from-stdin", "Read the key from stdin instead of --key").action(async (provider, opts) => {
+	await runAction(() => aiProvidersAddCommand(provider, opts));
+});
+aiProviders.command("list").description("List registered AI providers for the current project").action(async () => {
+	await runAction(aiProvidersListCommand);
+});
+aiProviders.command("delete <provider>").description("Remove a provider registration (refuses if active prompts reference it)").action(async (provider) => {
+	await runAction(() => aiProvidersDeleteCommand(provider));
+});
+program.parse();
+//#endregion
+export {};