@m-kopa/launchpad-cli 0.23.0 → 0.24.0

package/dist/cli.js

@@ -19,7 +19,7 @@ var __toESM = (mod, isNodeMode, target) => {
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // src/version.ts
-var CLI_VERSION = "0.23.0";
+var CLI_VERSION = "0.24.0";
 
 // src/config.ts
 import * as os from "node:os";
@@ -1219,12 +1219,12 @@ function describe9(e) {
 }
 
 // src/commands/deploy.ts
-import { existsSync as existsSync3 } from "node:fs";
+import { existsSync as existsSync4 } from "node:fs";
 import * as path6 from "node:path";
 
 // src/bundle/orchestrate.ts
-import { readFileSync as readFileSync3 } from "node:fs";
-import { join as join5 } from "node:path";
+import { readFileSync as readFileSync4 } from "node:fs";
+import { join as join6 } from "node:path";
 
 // src/deploy/tar-pack.ts
 import * as fs4 from "node:fs/promises";
@@ -1777,741 +1777,656 @@ async function buildWorkerArtifact(cwd, manifestYaml, walkFiles) {
   };
 }
 
-// src/bundle/orchestrate.ts
-async function bundleAndDeploy(args) {
-  const { cfg, cwd, slug } = args;
-  const manifestPath = join5(cwd, "launchpad.yaml");
-  let manifestYaml;
-  try {
-    manifestYaml = readFileSync3(manifestPath, "utf8");
-  } catch (e) {
-    return {
-      kind: "no-manifest",
-      message: `no launchpad.yaml at ${manifestPath} — run \`launchpad init\` from inside your app directory first. ` + `(${e.message})`
-    };
+// src/bundle/boundary.ts
+import { existsSync as existsSync2, lstatSync as lstatSync2, readFileSync as readFileSync3 } from "node:fs";
+import { join as join5 } from "node:path";
+import { parse as parseYaml2 } from "yaml";
+
+// ../launchpad-engine/dist/schema.js
+import { z } from "zod";
+var APP_TYPES2 = ["static", "react", "react+api", "container"];
+var AUTH_MODES = ["access", "gateway"];
+var RUNTIMES = ["cloudflare-containers", "aca"];
+var SECRET_SOURCES = ["env-file", "platform-managed"];
+var TARGET_KINDS = ["pages", "worker"];
+var PRIMARY_TARGET = "primary";
+var SLUG_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
+var ENV_NAME_REGEX = /^[A-Z][A-Z0-9_]*$/;
+var SESSION_DURATION_REGEX = /^[0-9]+(s|m|h)$/;
+var MetadataSchema = z.object({
+  name: z.string().min(2).max(63).regex(SLUG_REGEX, "must be lowercase letters, digits, and hyphens; start/end alphanumeric"),
+  team: z.string().min(1),
+  owner: z.string().email(),
+  description: z.string().max(280).optional()
+}).strict();
+var DeploymentSchema = z.object({
+  type: z.enum(APP_TYPES2),
+  runtime: z.enum(RUNTIMES).optional()
+}).strict();
+var AccessSchema = z.object({
+  allowed_entra_group: z.string().min(1).optional(),
+  allowed_entra_groups: z.array(z.string().min(1)).min(1).refine((arr) => new Set(arr).size === arr.length, { message: "allowed_entra_groups must not contain duplicates" }).optional(),
+  session_duration: z.string().regex(SESSION_DURATION_REGEX, "must match Go duration format, e.g. 24h / 30m / 60s").optional()
+}).strict().superRefine((access2, ctx) => {
+  const hasSingular = access2.allowed_entra_group !== undefined;
+  const hasPlural = access2.allowed_entra_groups !== undefined;
+  if (!hasSingular && !hasPlural) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "either `allowed_entra_group` (singular, legacy) or `allowed_entra_groups` (plural, preferred) must be set",
+      path: ["allowed_entra_groups"]
+    });
   }
-  let walk;
-  try {
-    walk = walkCwd(cwd);
-  } catch (e) {
-    if (e instanceof WalkError) {
-      return { kind: "walk-error", message: e.message };
-    }
-    return {
-      kind: "walk-error",
-      message: `unexpected walk failure: ${e.message}`
-    };
+  if (hasSingular && hasPlural) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "`allowed_entra_group` (singular) and `allowed_entra_groups` (plural) are mutually exclusive; use the plural form",
+      path: ["allowed_entra_groups"]
+    });
   }
-  let packResult;
-  try {
-    packResult = await packTarGz(cwd, walk.files);
-  } catch (e) {
-    if (e instanceof TarPackError) {
-      return { kind: "pack-error", message: e.message };
-    }
-    return {
-      kind: "pack-error",
-      message: `unexpected pack failure: ${e.message}`
-    };
+});
+function allowedEntraGroups(access2) {
+  if (access2.allowed_entra_groups !== undefined) {
+    return access2.allowed_entra_groups;
   }
-  const workerBuild = await buildWorkerArtifact(cwd, manifestYaml, walk.files);
-  if (workerBuild.kind === "error") {
-    return { kind: "worker-build-error", message: workerBuild.message };
+  return [access2.allowed_entra_group];
+}
+var ContainerSchema = z.object({
+  name: z.string().min(2).max(32).regex(SLUG_REGEX, "container name must be lowercase letters, digits, and hyphens"),
+  image: z.string().min(1),
+  port: z.number().int().min(1).max(65535),
+  ingress: z.boolean().optional(),
+  healthcheck: z.string().default("/health"),
+  env: z.array(z.string().regex(ENV_NAME_REGEX, "env entries must be UPPER_SNAKE_CASE")).optional(),
+  max_instances: z.number().int().min(1).max(100).optional()
+}).strict();
+var TargetSchema = z.object({
+  kind: z.enum(TARGET_KINDS),
+  script: z.string().min(2).max(63).regex(SLUG_REGEX, "target script must be lowercase letters, digits, and hyphens").optional(),
+  schedule: z.array(z.string().min(1).max(120)).min(1).max(20).optional(),
+  d1_binding: z.string().min(1).max(64).regex(ENV_NAME_REGEX, "d1_binding must be an UPPER_SNAKE_CASE binding name").optional()
+}).strict();
+var SecretBindingSchema = z.object({
+  name: z.string().min(1).max(64).regex(ENV_NAME_REGEX, "secret binding name must be UPPER_SNAKE_CASE"),
+  source: z.enum(SECRET_SOURCES),
+  description: z.string().max(200).optional(),
+  targets: z.union([z.literal("all"), z.array(z.string().min(1)).min(1)]).optional()
+}).strict();
+var SecretsSchema = z.object({
+  bindings: z.array(SecretBindingSchema).optional()
+}).strict();
+var BuildSchema = z.object({
+  command: z.string().min(1),
+  destination_dir: z.string().min(1),
+  root_dir: z.string()
+}).strict();
+var AppBoundarySchema = z.object({
+  root: z.string().min(1).optional(),
+  include: z.array(z.string().min(1)).min(1).optional(),
+  exclude: z.array(z.string().min(1)).optional()
+}).strict();
+var ProductionEnvSchema = z.record(z.string().regex(ENV_NAME_REGEX, "production_env keys must be UPPER_SNAKE_CASE"), z.string());
+var ManifestSchema = z.object({
+  apiVersion: z.literal("launchpad.m-kopa.us/v1alpha1"),
+  kind: z.literal("App"),
+  metadata: MetadataSchema,
+  deployment: DeploymentSchema,
+  access: AccessSchema,
+  auth: z.enum(AUTH_MODES).optional(),
+  hostnames: z.array(z.string().min(1)).optional(),
+  containers: z.array(ContainerSchema).min(1).optional(),
+  secrets: SecretsSchema.optional(),
+  targets: z.array(TargetSchema).optional(),
+  build: BuildSchema.optional(),
+  production_env: ProductionEnvSchema.optional(),
+  app: AppBoundarySchema.optional()
+}).strict().superRefine((m, ctx) => {
+  const isContainer = m.deployment.type === "container";
+  if (isContainer && m.auth === "gateway") {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["auth"],
+      message: "auth: gateway is only supported for pages-app shapes (static/react/react+api); container apps stay on Cloudflare Access (ADR 0016)."
+    });
   }
-  const workerArtifact = workerBuild.kind === "ok" ? workerBuild.artifact : undefined;
-  const uploadResult = await uploadBundle(cfg, slug, manifestYaml, packResult.bytes, workerArtifact);
-  if (uploadResult.kind !== "ok") {
-    return {
-      kind: "upload-error",
-      status: uploadResult.status,
-      body: uploadResult.response
-    };
+  if (isContainer && m.containers === undefined) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["containers"],
+      message: "containers[] is required when deployment.type is 'container'"
+    });
   }
-  return {
-    kind: "ok",
-    result: uploadResult.response,
-    walk,
-    fileCount: packResult.fileCount,
-    compressedBytes: packResult.bytes.byteLength,
-    workerScript: workerArtifact?.script ?? null
-  };
-}
-
-// src/commands/deploy.ts
-import { parse as parseYaml3 } from "yaml";
-import { readFileSync as readFileSync5 } from "node:fs";
-
-// src/deploy/git-files.ts
-import { spawn as spawn3 } from "node:child_process";
-
-class GitFilesError extends Error {
-  code = "git_files_error";
-}
-var PROTECTED_PATHS = new Set([
-  ".github/workflows/launchpad-review.yml",
-  ".github/workflows/ci.yml",
-  "wrangler.toml",
-  ".github/scripts/_gha-cmd.mjs",
-  ".github/scripts/parse-eslint.mjs",
-  ".github/scripts/parse-tsc.mjs",
-  ".github/scripts/parse-vitest.mjs",
-  ".github/scripts/parse-gitleaks.mjs",
-  ".github/scripts/parse-bun-audit.mjs"
-]);
-async function listDeployFiles(opts) {
-  const sp = opts.spawner ?? spawn3;
-  const stdout = await runGit2(sp, opts.cwd, [
-    "ls-files",
-    "-c",
-    "-o",
-    "--exclude-standard",
-    "-z"
-  ]);
-  const paths = stdout.split("\x00").filter((p) => p.length > 0 && !PROTECTED_PATHS.has(p));
-  return [...paths].sort();
-}
-function runGit2(sp, cwd, args) {
-  return new Promise((resolve5, reject) => {
-    const spawnOpts = { cwd, stdio: ["ignore", "pipe", "pipe"] };
-    const child = sp("git", [...args], spawnOpts);
-    let stdout = "";
-    let stderr = "";
-    child.stdout?.on("data", (chunk) => {
-      stdout += chunk.toString();
+  if (!isContainer && m.containers !== undefined) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["containers"],
+      message: `containers[] is only allowed when deployment.type is 'container' (current type: '${m.deployment.type}')`
     });
-    child.stderr?.on("data", (chunk) => {
-      stderr += chunk.toString();
+  }
+  if (!isContainer && m.deployment.runtime !== undefined) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["deployment", "runtime"],
+      message: "deployment.runtime is only meaningful when deployment.type is 'container'"
     });
-    child.once("error", (err) => {
-      reject(new GitFilesError(`could not run \`git ${args.join(" ")}\`: ${err.message} (is git installed?)`));
+  }
+  if (isContainer && m.build !== undefined) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["build"],
+      message: "build is only allowed for pages-app deployments (static/react/react+api). Container builds live in the Dockerfile."
     });
-    child.once("close", (code) => {
-      if (code === 0) {
-        resolve5(stdout);
-        return;
-      }
-      reject(new GitFilesError(`\`git ${args.join(" ")}\` exited ${code}: ${stderr.trim()}`));
+  }
+  if (isContainer && m.production_env !== undefined) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["production_env"],
+      message: "production_env is only allowed for pages-app deployments. Container env vars use containers[].env (names only) + the bot's secrets pipeline for values."
     });
-  });
-}
-
-// src/commands/deploy-flags.ts
-var SLUG_RE3 = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
-var GROUP_KEY_RE2 = /^[A-Za-z_][A-Za-z0-9_]*$/;
-var GROUP_UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-function parseDeployFlags(args) {
-  let mode = "content";
-  let slug = null;
-  let displayName = null;
-  let description = null;
-  let appType = null;
-  const allowedGroups = [];
-  let message = null;
-  let timeoutSeconds = null;
-  let manifestFile = null;
-  let dryRunJson = false;
-  let platformRepo = null;
-  let rePin = false;
-  let yes = false;
-  let resumePrNumber = null;
-  let timeoutMinutes = null;
-  let modeFlagsSeen = 0;
-  let i = 0;
-  while (i < args.length) {
-    const a = args[i] ?? "";
-    if (a === "--new") {
-      mode = "new";
-      modeFlagsSeen += 1;
-      i += 1;
-      continue;
-    }
-    if (a === "--dry-run") {
-      mode = "dry-run";
-      modeFlagsSeen += 1;
-      i += 1;
-      continue;
-    }
-    if (a === "--apply") {
-      mode = "apply";
-      modeFlagsSeen += 1;
-      i += 1;
-      continue;
+  }
+  if (isContainer && m.containers !== undefined && m.containers.length > 1) {
+    const ingressContainers = m.containers.filter((c) => c.ingress === true);
+    if (ingressContainers.length !== 1) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["containers"],
+        message: `multi-container apps must mark exactly one container ingress: true (found ${ingressContainers.length})`
+      });
     }
-    if (a === "--platform-repo") {
-      const v = args[i + 1];
-      if (v === undefined || v.trim().length === 0) {
-        return `missing value for ${a}`;
+  }
+  if (isContainer && m.containers !== undefined) {
+    const declaredBindings = new Set((m.secrets?.bindings ?? []).map((b) => b.name));
+    for (let i = 0;i < m.containers.length; i++) {
+      const c = m.containers[i];
+      for (const envName of c.env ?? []) {
+        if (!declaredBindings.has(envName)) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            path: ["containers", i, "env"],
+            message: `env reference '${envName}' has no matching entry in secrets.bindings[]`
+          });
+        }
       }
-      platformRepo = v.trim();
-      i += 2;
-      continue;
     }
-    if (a === "--re-pin") {
-      rePin = true;
-      i += 1;
-      continue;
+  }
+  if (isContainer && m.containers !== undefined) {
+    const seen = new Set;
+    for (let i = 0;i < m.containers.length; i++) {
+      const name = m.containers[i]?.name;
+      if (name === undefined)
+        continue;
+      if (seen.has(name)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["containers", i, "name"],
+          message: `duplicate container name '${name}' — names become DO class identifiers and must be unique`
+        });
+      }
+      seen.add(name);
     }
-    if (a === "--yes" || a === "-y") {
-      yes = true;
-      i += 1;
-      continue;
+  }
+  const bindings = m.secrets?.bindings ?? [];
+  if (bindings.length > 0) {
+    const seen = new Set;
+    for (let i = 0;i < bindings.length; i++) {
+      const name = bindings[i]?.name;
+      if (name === undefined)
+        continue;
+      if (seen.has(name)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["secrets", "bindings", i, "name"],
+          message: `duplicate secret binding name '${name}' — names become env-var keys and must be unique`
+        });
+      }
+      seen.add(name);
     }
-    if (a === "--resume") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      mode = "resume";
-      slug = v;
-      modeFlagsSeen += 1;
-      i += 2;
-      continue;
+  }
+  const targets = m.targets ?? [];
+  for (let i = 0;i < targets.length; i++) {
+    const t = targets[i];
+    if (t.kind === "worker" && t.script === undefined) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targets", i, "script"],
+        message: "a worker target must declare a script (the sibling Workers script name)"
+      });
     }
-    if (a === "--abandon") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      mode = "abandon";
-      slug = v;
-      modeFlagsSeen += 1;
-      i += 2;
-      continue;
+    if (t.kind === "pages" && t.script !== undefined) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targets", i, "script"],
+        message: "a pages target must not declare a script — the primary Pages project is the app slug"
+      });
     }
-    if (a === "--file") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      manifestFile = v;
-      i += 2;
-      continue;
+    if (t.kind === "pages" && t.schedule !== undefined) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targets", i, "schedule"],
+        message: "schedule is only valid on a worker target (the cron deploy contract — ADR 0022)"
+      });
     }
-    if (a === "--json") {
-      dryRunJson = true;
-      i += 1;
+  }
+  const seenScripts = new Set;
+  let pagesTargets = 0;
+  for (let i = 0;i < targets.length; i++) {
+    const t = targets[i];
+    if (t.kind === "pages") {
+      pagesTargets++;
+      if (pagesTargets > 1) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["targets", i, "kind"],
+          message: "at most one pages target may be declared (the primary Pages project is singular)"
+        });
+      }
       continue;
     }
-    if (a === "--slug") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      slug = v;
-      i += 2;
+    if (t.script === undefined)
       continue;
-    }
-    if (a === "--display-name" || a === "--name") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      displayName = v;
-      i += 2;
+    if (t.script === PRIMARY_TARGET || t.script === "pages") {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targets", i, "script"],
+        message: `worker target script '${t.script}' is a reserved selector token — use a different script name`
+      });
       continue;
     }
-    if (a === "--description") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      description = v;
-      i += 2;
-      continue;
+    if (seenScripts.has(t.script)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targets", i, "script"],
+        message: `duplicate worker target script '${t.script}' — target scripts must be unique`
+      });
     }
-    if (a === "--app-type" || a === "--type") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      if (!APP_TYPES.includes(v)) {
-        return `invalid --app-type "${v}" — must be one of ${APP_TYPES.join(", ")}`;
-      }
-      appType = v;
-      i += 2;
+    seenScripts.add(t.script);
+  }
+  const validRefs = new Set([PRIMARY_TARGET, ...seenScripts]);
+  if (pagesTargets > 0)
+    validRefs.add("pages");
+  for (let bi = 0;bi < bindings.length; bi++) {
+    const b = bindings[bi];
+    const sel = b?.targets;
+    if (sel === undefined || sel === "all")
       continue;
-    }
-    if (a === "--allowed-group" || a === "--group") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      if (!GROUP_KEY_RE2.test(v) && !GROUP_UUID_RE2.test(v)) {
-        return `invalid --allowed-group "${v}" — expected a group key (HCL identifier, e.g. G_Product_Security) or an Entra Object-ID UUID`;
+    for (const ref of sel) {
+      if (!validRefs.has(ref)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["secrets", "bindings", bi, "targets"],
+          message: `secret binding '${b?.name}' references unknown target '${ref}' — declare it in targets[] or use "primary"`
+        });
       }
-      allowedGroups.push(v);
-      i += 2;
-      continue;
     }
-    if (a === "--message" || a === "-m") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      message = v;
-      i += 2;
-      continue;
+  }
+});
+function parseManifest(input) {
+  const result = ManifestSchema.safeParse(input);
+  if (result.success) {
+    return { kind: "ok", manifest: result.data };
+  }
+  return {
+    kind: "schema-error",
+    issues: result.error.issues.map((issue) => ({
+      path: issue.path.map(String).join(".") || "(root)",
+      message: issue.message
+    }))
+  };
+}
+// ../launchpad-engine/dist/app-boundary.js
+var INCLUDE_EVERYTHING = ["**"];
+var COMMON_INCLUDE = [
+  "launchpad.yaml",
+  ".gitignore",
+  ".launchpadignore",
+  "package.json",
+  "package-lock.json",
+  "bun.lock",
+  "bun.lockb",
+  "yarn.lock",
+  "pnpm-lock.yaml",
+  "tsconfig.json",
+  "tsconfig.*.json",
+  "README.md",
+  "LICENSE",
+  "index.html",
+  "vite.config.*",
+  "src/**",
+  "public/**",
+  "worker/**"
+];
+function defaultIncludeForAppType(appType) {
+  switch (appType) {
+    case "static":
+      return [...COMMON_INCLUDE, "static/**", "assets/**", "css/**", "js/**", "images/**", "*.html", "*.css", "*.js"];
+    case "react":
+      return COMMON_INCLUDE;
+    case "react+api":
+      return [...COMMON_INCLUDE, "functions/**"];
+    case "container":
+      return [...COMMON_INCLUDE, "container/**", "Dockerfile", "Dockerfile.*", "wrangler.toml"];
+    default:
+      return INCLUDE_EVERYTHING;
+  }
+}
+function resolveAppBoundary(input) {
+  if (input.app === undefined) {
+    return { root: ".", include: INCLUDE_EVERYTHING, exclude: [], source: "inferred" };
+  }
+  return {
+    root: normaliseRoot(input.app.root ?? "."),
+    include: input.app.include ?? defaultIncludeForAppType(input.appType),
+    exclude: input.app.exclude ?? [],
+    source: "declared"
+  };
+}
+function normaliseRoot(root) {
+  let r = root.replace(/\\/g, "/").trim();
+  if (r.startsWith("./"))
+    r = r.slice(2);
+  while (r.endsWith("/"))
+    r = r.slice(0, -1);
+  return r === "" ? "." : r;
+}
+var APP_TYPE_SET = new Set(["static", "react", "react+api", "container"]);
+function extractBoundaryInput(parsedManifest) {
+  const m = asRecord(parsedManifest);
+  if (m === undefined) {
+    return { kind: "ok", appType: undefined, app: undefined, build: undefined };
+  }
+  const spec = asRecord(m["spec"]);
+  const v2 = spec !== undefined;
+  const rawType = v2 ? spec["appType"] : asRecord(m["deployment"])?.["type"];
+  const appType = typeof rawType === "string" && APP_TYPE_SET.has(rawType) ? rawType : undefined;
+  const rawApp = v2 ? spec["app"] : m["app"];
+  let app;
+  if (rawApp !== undefined) {
+    const parsed = AppBoundarySchema.safeParse(rawApp);
+    if (!parsed.success) {
+      return {
+        kind: "schema-error",
+        issues: parsed.error.issues.map((i) => ({
+          path: `${v2 ? "spec." : ""}app${i.path.length > 0 ? "." + i.path.map(String).join(".") : ""}`,
+          message: i.message
+        }))
+      };
     }
-    if (a === "--timeout-seconds") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      const n = Number(v);
-      if (!Number.isFinite(n) || n <= 0 || Math.floor(n) !== n) {
-        return `invalid --timeout-seconds "${v}" — expected positive integer`;
-      }
-      timeoutSeconds = n;
-      i += 2;
-      continue;
-    }
-    if (a === "--timeout-minutes") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      const n = Number(v);
-      if (!Number.isFinite(n) || n <= 0 || Math.floor(n) !== n) {
-        return `invalid --timeout-minutes "${v}" — expected positive integer`;
-      }
-      timeoutMinutes = n;
-      i += 2;
+    app = parsed.data;
+  }
+  const rawBuild = asRecord(v2 ? spec["build"] : m["build"]);
+  const build = rawBuild !== undefined && typeof rawBuild["command"] === "string" && typeof rawBuild["root_dir"] === "string" ? { command: rawBuild["command"], root_dir: rawBuild["root_dir"] } : undefined;
+  return { kind: "ok", appType, app, build };
+}
+function asRecord(v) {
+  return v !== null && typeof v === "object" && !Array.isArray(v) ? v : undefined;
+}
+function parseLaunchpadIgnore(content) {
+  const out = [];
+  for (const raw of content.split(/\r?\n/)) {
+    const line = raw.trim();
+    if (line === "" || line.startsWith("#") || line.startsWith("!"))
       continue;
-    }
-    if (a === "--resume-pr") {
-      const v = args[i + 1];
-      if (v === undefined)
-        return `missing value for ${a}`;
-      const n = Number(v);
-      if (!Number.isFinite(n) || n <= 0 || Math.floor(n) !== n) {
-        return `invalid --resume-pr "${v}" — expected positive integer PR number`;
+    out.push(line);
+  }
+  return out;
+}
+function globToRegExp2(glob) {
+  let re = "";
+  let i = 0;
+  while (i < glob.length) {
+    const ch = glob[i];
+    if (ch === "*") {
+      if (glob[i + 1] === "*") {
+        if (glob[i + 2] === "/") {
+          re += "(?:.*/)?";
+          i += 3;
+        } else {
+          re += ".*";
+          i += 2;
+        }
+      } else {
+        re += "[^/]*";
+        i += 1;
       }
-      resumePrNumber = n;
-      i += 2;
-      continue;
+    } else if (ch === "?") {
+      re += "[^/]";
+      i += 1;
+    } else if (ch === "/" || /[A-Za-z0-9_-]/.test(ch)) {
+      re += ch;
+      i += 1;
+    } else {
+      re += `\\${ch}`;
+      i += 1;
     }
-    return `unknown argument "${a}"`;
-  }
-  if (modeFlagsSeen > 1) {
-    return "--new, --resume, --abandon, --dry-run, and --apply are mutually exclusive";
-  }
-  if (mode === "dry-run") {
-    if (slug !== null)
-      return "--dry-run does not accept --slug (slug is read from launchpad.yaml)";
-    if (displayName !== null)
-      return "--dry-run does not accept --display-name";
-    if (description !== null)
-      return "--dry-run does not accept --description";
-    if (appType !== null)
-      return "--dry-run does not accept --app-type";
-    if (allowedGroups.length > 0)
-      return "--dry-run does not accept --allowed-group (read from launchpad.yaml)";
-    if (message !== null)
-      return "--dry-run does not accept --message";
-    if (timeoutSeconds !== null)
-      return "--dry-run does not accept --timeout-seconds";
-    if (platformRepo !== null)
-      return "--dry-run does not accept --platform-repo (apply-only)";
-    if (rePin)
-      return "--dry-run does not accept --re-pin (apply-only)";
-    if (yes)
-      return "--dry-run does not accept --yes (apply-only)";
-    return {
-      mode: { kind: "dry-run", file: manifestFile, json: dryRunJson },
-      message: null,
-      timeoutSeconds: null
-    };
   }
-  if (mode === "apply") {
-    if (slug !== null)
-      return "--apply does not accept --slug (slug is read from launchpad.yaml)";
-    if (displayName !== null)
-      return "--apply does not accept --display-name";
-    if (description !== null)
-      return "--apply does not accept --description";
-    if (appType !== null)
-      return "--apply does not accept --app-type";
-    if (allowedGroups.length > 0)
-      return "--apply does not accept --allowed-group (read from launchpad.yaml)";
-    if (message !== null)
-      return "--apply does not accept --message";
-    if (timeoutSeconds !== null)
-      return "--apply does not accept --timeout-seconds (use --timeout-minutes instead — apply polling is multi-minute)";
-    if (dryRunJson)
-      return "--apply does not accept --json";
-    return {
-      mode: {
-        kind: "apply",
-        file: manifestFile,
-        platformRepo,
-        rePin,
-        yes,
-        resumePrNumber,
-        timeoutMinutes
-      },
-      message: null,
-      timeoutSeconds: null
-    };
+  return new RegExp(`^${re}$`);
+}
+var GLOB_CHARS = /[*?]/;
+function matchContractPattern(pattern, relPath) {
+  const p = pattern.replace(/\/+$/, "");
+  if (!GLOB_CHARS.test(p)) {
+    return relPath === p || relPath.startsWith(`${p}/`);
   }
-  if (resumePrNumber !== null) {
-    return "--resume-pr is only valid with --apply";
+  return globToRegExp2(p).test(relPath);
+}
+function matchIgnorePattern(pattern, relPath) {
+  let p = pattern;
+  const dirOnly = p.endsWith("/");
+  if (dirOnly)
+    p = p.replace(/\/+$/, "");
+  const anchored = p.startsWith("/");
+  if (anchored)
+    p = p.slice(1);
+  if (!anchored && !p.includes("/")) {
+    const re2 = globToRegExp2(p);
+    const segments = relPath.split("/");
+    const candidates = dirOnly ? segments.slice(0, -1) : segments;
+    return candidates.some((seg) => re2.test(seg));
   }
-  if (timeoutMinutes !== null) {
-    return "--timeout-minutes is only valid with --apply";
+  if (!GLOB_CHARS.test(p)) {
+    return !dirOnly && relPath === p || relPath.startsWith(`${p}/`);
   }
-  if (manifestFile !== null) {
-    return "--file is only valid with --dry-run or --apply";
+  const re = globToRegExp2(p);
+  if (dirOnly)
+    return re.test(relPath.split("/").slice(0, -1).join("/"));
+  return re.test(relPath) || re.test(relPath.split("/").slice(0, -1).join("/"));
+}
+var PLATFORM_SEEDED_GITHUB_PATHS = new Set([
+  ".github/workflows/launchpad-review.yml",
+  ".github/workflows/ci.yml",
+  ".github/scripts/_gha-cmd.mjs",
+  ".github/scripts/parse-eslint.mjs",
+  ".github/scripts/parse-tsc.mjs",
+  ".github/scripts/parse-vitest.mjs",
+  ".github/scripts/parse-gitleaks.mjs",
+  ".github/scripts/parse-bun-audit.mjs"
+]);
+function checkDenyList(path6) {
+  const segments = path6.split("/");
+  const basename = segments[segments.length - 1];
+  const isExample = basename.endsWith(".example");
+  if (basename.startsWith(".env") && !isExample) {
+    return { path: path6, rule: "env-file", message: `'${path6}' is an environment file (.env*) — never shippable` };
   }
-  if (dryRunJson) {
-    return "--json is only valid with --dry-run";
+  if (basename === ".npmrc") {
+    return { path: path6, rule: "npmrc", message: `'${path6}' (.npmrc) may carry registry auth — never shippable` };
   }
-  if (platformRepo !== null) {
-    return "--platform-repo is only valid with --apply";
+  if (basename.startsWith(".dev.vars") && !isExample) {
+    return { path: path6, rule: "dev-vars", message: `'${path6}' is a wrangler dev-vars file — never shippable` };
   }
-  if (rePin) {
-    return "--re-pin is only valid with --apply";
+  if (segments.includes(".claude")) {
+    return { path: path6, rule: "claude-dir", message: `'${path6}' is under a .claude/ directory (AI-workspace state) — never shippable` };
   }
-  if (yes) {
-    return "--yes is only valid with --apply";
+  if (segments.includes(".git")) {
+    return { path: path6, rule: "git-dir", message: `'${path6}' is under .git/ — never shippable` };
   }
-  if (mode === "content") {
-    if (slug !== null && !SLUG_RE3.test(slug)) {
-      return `invalid slug "${slug}" — expected ${SLUG_RE3.source}`;
-    }
+  if (segments[0] === ".github") {
+    if (PLATFORM_SEEDED_GITHUB_PATHS.has(path6))
+      return "seeded";
     return {
-      mode: { kind: "content", slug },
-      message,
-      timeoutSeconds
+      path: path6,
+      rule: "github-dir",
+      message: `'${path6}' — repo-root .github/ is platform-owned (workflows execute under the M-KOPA Actions identity); developer-supplied .github/** is not shippable`
     };
   }
-  if (mode === "resume" || mode === "abandon") {
-    if (slug === null || !SLUG_RE3.test(slug)) {
-      return `--${mode} requires a valid slug (kebab-case)`;
+  return null;
+}
+function checkSecretShape(path6, readFileContent) {
+  const segments = path6.split("/");
+  const basename = segments[segments.length - 1];
+  const deny = (what) => ({
+    path: path6,
+    rule: "secret-shape",
+    message: `'${path6}' looks like ${what} — never shippable; if this is a false positive, rename the file`
+  });
+  if (basename.endsWith(".pem"))
+    return deny("PEM key material (*.pem)");
+  if (basename.endsWith(".key"))
+    return deny("private key material (*.key)");
+  if (basename.startsWith("id_rsa"))
+    return deny("an SSH key (id_rsa*)");
+  if (basename.endsWith(".p12") || basename.endsWith(".pfx")) {
+    return deny("a PKCS#12 key store (*.p12 / *.pfx)");
+  }
+  if (basename === "credentials.json")
+    return deny("a credentials file (credentials.json)");
+  if (segments.includes(".aws"))
+    return deny("AWS credentials (.aws/**)");
+  if (basename.endsWith(".json") && readFileContent !== undefined) {
+    const content = readFileContent(path6);
+    if (content !== undefined && /"private_key"\s*:/.test(content)) {
+      return deny('service-account-shaped JSON (carries a "private_key" field)');
     }
-    if (displayName !== null || appType !== null || allowedGroups.length > 0) {
-      return `--${mode} does not accept create-only flags (--display-name / --app-type / --allowed-group)`;
+  }
+  return null;
+}
+var ALWAYS_SHIP = "launchpad.yaml";
+function applyAppBoundary(contract, files, options = {}) {
+  const ignorePatterns = options.launchpadIgnore ?? [];
+  const included = [];
+  const excluded = [];
+  const denied = [];
+  const rootPrefix = contract.root === "." ? "" : `${contract.root}/`;
+  for (const path6 of [...files].sort()) {
+    if (path6 !== ALWAYS_SHIP) {
+      if (rootPrefix !== "" && !path6.startsWith(rootPrefix)) {
+        excluded.push({ path: path6, reason: "outside-root" });
+        continue;
+      }
+      const rel = rootPrefix === "" ? path6 : path6.slice(rootPrefix.length);
+      if (!contract.include.some((p) => matchContractPattern(p, rel))) {
+        excluded.push({ path: path6, reason: "not-included" });
+        continue;
+      }
+      if (contract.exclude.some((p) => matchContractPattern(p, rel))) {
+        excluded.push({ path: path6, reason: "exclude" });
+        continue;
+      }
+      if (ignorePatterns.some((p) => matchIgnorePattern(p, path6))) {
+        excluded.push({ path: path6, reason: "launchpadignore" });
+        continue;
+      }
     }
-    if (message !== null) {
-      return `--${mode} does not accept --message`;
+    const denial = checkDenyList(path6);
+    if (denial === "seeded") {
+      excluded.push({ path: path6, reason: "platform-seeded" });
+      continue;
     }
-    return {
-      mode: { kind: mode, slug },
-      message: null,
-      timeoutSeconds
-    };
-  }
-  if (slug === null)
-    return "--new requires --slug";
-  if (!SLUG_RE3.test(slug))
-    return `invalid slug "${slug}" — expected ${SLUG_RE3.source}`;
-  if (slug.length < 3 || slug.length > 58) {
-    return `slug length out of bounds (3–58 chars): "${slug}"`;
-  }
-  if (displayName === null || displayName.length === 0) {
-    return "--new requires --display-name";
-  }
-  if (appType === null) {
-    return `--new requires --app-type (one of ${APP_TYPES.join(", ")})`;
-  }
-  if (allowedGroups.length === 0) {
-    return "--new requires at least one --allowed-group";
+    if (denial !== null) {
+      denied.push(denial);
+      continue;
+    }
+    const secret = checkSecretShape(path6, options.readFileContent);
+    if (secret !== null) {
+      denied.push(secret);
+      continue;
+    }
+    included.push(path6);
   }
-  return {
-    mode: {
-      kind: "new",
-      slug,
-      displayName,
-      description,
-      appType,
-      allowedGroups
-    },
-    message,
-    timeoutSeconds
-  };
+  return { files: included, excluded, denied };
 }
-
-// src/deploy/apply.ts
-import { existsSync as existsSync2, rmSync } from "node:fs";
-import { resolve as resolvePath, join as join6 } from "node:path";
-import { execFileSync } from "node:child_process";
-
-// src/manifest/load.ts
-import { readFileSync as readFileSync4 } from "node:fs";
-import { parse as parseYaml2, YAMLParseError } from "yaml";
-
-// ../launchpad-engine/dist/schema.js
-import { z } from "zod";
-var APP_TYPES2 = ["static", "react", "react+api", "container"];
-var AUTH_MODES = ["access", "gateway"];
-var RUNTIMES = ["cloudflare-containers", "aca"];
-var SECRET_SOURCES = ["env-file", "platform-managed"];
-var TARGET_KINDS = ["pages", "worker"];
-var PRIMARY_TARGET = "primary";
-var SLUG_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
-var ENV_NAME_REGEX = /^[A-Z][A-Z0-9_]*$/;
-var SESSION_DURATION_REGEX = /^[0-9]+(s|m|h)$/;
-var MetadataSchema = z.object({
-  name: z.string().min(2).max(63).regex(SLUG_REGEX, "must be lowercase letters, digits, and hyphens; start/end alphanumeric"),
-  team: z.string().min(1),
-  owner: z.string().email(),
-  description: z.string().max(280).optional()
-}).strict();
-var DeploymentSchema = z.object({
-  type: z.enum(APP_TYPES2),
-  runtime: z.enum(RUNTIMES).optional()
-}).strict();
-var AccessSchema = z.object({
-  allowed_entra_group: z.string().min(1).optional(),
-  allowed_entra_groups: z.array(z.string().min(1)).min(1).refine((arr) => new Set(arr).size === arr.length, { message: "allowed_entra_groups must not contain duplicates" }).optional(),
-  session_duration: z.string().regex(SESSION_DURATION_REGEX, "must match Go duration format, e.g. 24h / 30m / 60s").optional()
-}).strict().superRefine((access2, ctx) => {
-  const hasSingular = access2.allowed_entra_group !== undefined;
-  const hasPlural = access2.allowed_entra_groups !== undefined;
-  if (!hasSingular && !hasPlural) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      message: "either `allowed_entra_group` (singular, legacy) or `allowed_entra_groups` (plural, preferred) must be set",
-      path: ["allowed_entra_groups"]
-    });
-  }
-  if (hasSingular && hasPlural) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      message: "`allowed_entra_group` (singular) and `allowed_entra_groups` (plural) are mutually exclusive; use the plural form",
-      path: ["allowed_entra_groups"]
+var PLAIN_PATH = /^(\.\/)?[A-Za-z0-9_@][A-Za-z0-9_@.\/-]*$/;
+var OPAQUE_SEGMENT = /[$`(){}<]/;
+function verifyBuildInputs(build, files) {
+  if (build === undefined)
+    return [];
+  const issues = [];
+  const fileSet = new Set(files);
+  const dirSet = new Set;
+  for (const f of files) {
+    const parts = f.split("/");
+    for (let i = 1;i < parts.length; i++) {
+      dirSet.add(parts.slice(0, i).join("/"));
+    }
+  }
+  const exists = (p) => fileSet.has(p) || dirSet.has(p);
+  const rootDir = normaliseRoot(build.root_dir === "" ? "." : build.root_dir);
+  if (rootDir !== "." && !dirSet.has(rootDir)) {
+    issues.push({
+      input: rootDir,
+      message: `build.root_dir '${rootDir}' does not exist in the bundle — the build would run in a missing directory`
     });
+    return issues;
   }
-});
-function allowedEntraGroups(access2) {
-  if (access2.allowed_entra_groups !== undefined) {
-    return access2.allowed_entra_groups;
-  }
-  return [access2.allowed_entra_group];
-}
-var ContainerSchema = z.object({
-  name: z.string().min(2).max(32).regex(SLUG_REGEX, "container name must be lowercase letters, digits, and hyphens"),
-  image: z.string().min(1),
-  port: z.number().int().min(1).max(65535),
-  ingress: z.boolean().optional(),
-  healthcheck: z.string().default("/health"),
-  env: z.array(z.string().regex(ENV_NAME_REGEX, "env entries must be UPPER_SNAKE_CASE")).optional(),
-  max_instances: z.number().int().min(1).max(100).optional()
-}).strict();
-var TargetSchema = z.object({
-  kind: z.enum(TARGET_KINDS),
-  script: z.string().min(2).max(63).regex(SLUG_REGEX, "target script must be lowercase letters, digits, and hyphens").optional(),
-  schedule: z.array(z.string().min(1).max(120)).min(1).max(20).optional(),
-  d1_binding: z.string().min(1).max(64).regex(ENV_NAME_REGEX, "d1_binding must be an UPPER_SNAKE_CASE binding name").optional()
-}).strict();
-var SecretBindingSchema = z.object({
-  name: z.string().min(1).max(64).regex(ENV_NAME_REGEX, "secret binding name must be UPPER_SNAKE_CASE"),
-  source: z.enum(SECRET_SOURCES),
-  description: z.string().max(200).optional(),
-  targets: z.union([z.literal("all"), z.array(z.string().min(1)).min(1)]).optional()
-}).strict();
-var SecretsSchema = z.object({
-  bindings: z.array(SecretBindingSchema).optional()
-}).strict();
-var BuildSchema = z.object({
-  command: z.string().min(1),
-  destination_dir: z.string().min(1),
-  root_dir: z.string()
-}).strict();
-var ProductionEnvSchema = z.record(z.string().regex(ENV_NAME_REGEX, "production_env keys must be UPPER_SNAKE_CASE"), z.string());
-var ManifestSchema = z.object({
-  apiVersion: z.literal("launchpad.m-kopa.us/v1alpha1"),
-  kind: z.literal("App"),
-  metadata: MetadataSchema,
-  deployment: DeploymentSchema,
-  access: AccessSchema,
-  auth: z.enum(AUTH_MODES).optional(),
-  hostnames: z.array(z.string().min(1)).optional(),
-  containers: z.array(ContainerSchema).min(1).optional(),
-  secrets: SecretsSchema.optional(),
-  targets: z.array(TargetSchema).optional(),
-  build: BuildSchema.optional(),
-  production_env: ProductionEnvSchema.optional()
-}).strict().superRefine((m, ctx) => {
-  const isContainer = m.deployment.type === "container";
-  if (isContainer && m.auth === "gateway") {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["auth"],
-      message: "auth: gateway is only supported for pages-app shapes (static/react/react+api); container apps stay on Cloudflare Access (ADR 0016)."
-    });
-  }
-  if (isContainer && m.containers === undefined) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["containers"],
-      message: "containers[] is required when deployment.type is 'container'"
-    });
-  }
-  if (!isContainer && m.containers !== undefined) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["containers"],
-      message: `containers[] is only allowed when deployment.type is 'container' (current type: '${m.deployment.type}')`
-    });
-  }
-  if (!isContainer && m.deployment.runtime !== undefined) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["deployment", "runtime"],
-      message: "deployment.runtime is only meaningful when deployment.type is 'container'"
-    });
-  }
-  if (isContainer && m.build !== undefined) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["build"],
-      message: "build is only allowed for pages-app deployments (static/react/react+api). Container builds live in the Dockerfile."
-    });
-  }
-  if (isContainer && m.production_env !== undefined) {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["production_env"],
-      message: "production_env is only allowed for pages-app deployments. Container env vars use containers[].env (names only) + the bot's secrets pipeline for values."
-    });
-  }
-  if (isContainer && m.containers !== undefined && m.containers.length > 1) {
-    const ingressContainers = m.containers.filter((c) => c.ingress === true);
-    if (ingressContainers.length !== 1) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["containers"],
-        message: `multi-container apps must mark exactly one container ingress: true (found ${ingressContainers.length})`
-      });
-    }
-  }
-  if (isContainer && m.containers !== undefined) {
-    const declaredBindings = new Set((m.secrets?.bindings ?? []).map((b) => b.name));
-    for (let i = 0;i < m.containers.length; i++) {
-      const c = m.containers[i];
-      for (const envName of c.env ?? []) {
-        if (!declaredBindings.has(envName)) {
-          ctx.addIssue({
-            code: z.ZodIssueCode.custom,
-            path: ["containers", i, "env"],
-            message: `env reference '${envName}' has no matching entry in secrets.bindings[]`
-          });
-        }
-      }
-    }
-  }
-  if (isContainer && m.containers !== undefined) {
-    const seen = new Set;
-    for (let i = 0;i < m.containers.length; i++) {
-      const name = m.containers[i]?.name;
-      if (name === undefined)
-        continue;
-      if (seen.has(name)) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          path: ["containers", i, "name"],
-          message: `duplicate container name '${name}' — names become DO class identifiers and must be unique`
-        });
-      }
-      seen.add(name);
-    }
-  }
-  const bindings = m.secrets?.bindings ?? [];
-  if (bindings.length > 0) {
-    const seen = new Set;
-    for (let i = 0;i < bindings.length; i++) {
-      const name = bindings[i]?.name;
-      if (name === undefined)
+  let cwd = rootDir === "." ? "" : rootDir;
+  const resolve5 = (p) => {
+    const cleaned = p.startsWith("./") ? p.slice(2) : p;
+    const trimmed = cleaned.replace(/\/+$/, "");
+    return cwd === "" ? trimmed : `${cwd}/${trimmed}`;
+  };
+  const segments = build.command.split(/&&|\|\||[;|\n]/);
+  for (const segment of segments) {
+    if (cwd === null)
+      break;
+    const s = segment.trim();
+    if (s === "" || OPAQUE_SEGMENT.test(s))
+      continue;
+    const tokens = s.split(/\s+/);
+    const cmd = tokens[0];
+    if (cmd === "cd") {
+      const target = tokens[1];
+      if (target === undefined || !PLAIN_PATH.test(target)) {
+        cwd = null;
         continue;
-      if (seen.has(name)) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          path: ["secrets", "bindings", i, "name"],
-          message: `duplicate secret binding name '${name}' — names become env-var keys and must be unique`
-        });
       }
-      seen.add(name);
-    }
-  }
-  const targets = m.targets ?? [];
-  for (let i = 0;i < targets.length; i++) {
-    const t = targets[i];
-    if (t.kind === "worker" && t.script === undefined) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["targets", i, "script"],
-        message: "a worker target must declare a script (the sibling Workers script name)"
-      });
-    }
-    if (t.kind === "pages" && t.script !== undefined) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["targets", i, "script"],
-        message: "a pages target must not declare a script — the primary Pages project is the app slug"
-      });
-    }
-    if (t.kind === "pages" && t.schedule !== undefined) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["targets", i, "schedule"],
-        message: "schedule is only valid on a worker target (the cron deploy contract — ADR 0022)"
-      });
-    }
-  }
-  const seenScripts = new Set;
-  let pagesTargets = 0;
-  for (let i = 0;i < targets.length; i++) {
-    const t = targets[i];
-    if (t.kind === "pages") {
-      pagesTargets++;
-      if (pagesTargets > 1) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          path: ["targets", i, "kind"],
-          message: "at most one pages target may be declared (the primary Pages project is singular)"
+      const resolved = resolve5(target);
+      if (!dirSet.has(resolved)) {
+        issues.push({
+          input: target,
+          message: `build command segment '${s}' changes into '${resolved}', which does not exist in the bundle`
         });
+        cwd = null;
+        continue;
       }
+      cwd = resolved;
       continue;
     }
-    if (t.script === undefined)
-      continue;
-    if (t.script === PRIMARY_TARGET || t.script === "pages") {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["targets", i, "script"],
-        message: `worker target script '${t.script}' is a reserved selector token — use a different script name`
-      });
-      continue;
-    }
-    if (seenScripts.has(t.script)) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["targets", i, "script"],
-        message: `duplicate worker target script '${t.script}' — target scripts must be unique`
-      });
-    }
-    seenScripts.add(t.script);
-  }
-  const validRefs = new Set([PRIMARY_TARGET, ...seenScripts]);
-  if (pagesTargets > 0)
-    validRefs.add("pages");
-  for (let bi = 0;bi < bindings.length; bi++) {
-    const b = bindings[bi];
-    const sel = b?.targets;
-    if (sel === undefined || sel === "all")
-      continue;
-    for (const ref of sel) {
-      if (!validRefs.has(ref)) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          path: ["secrets", "bindings", bi, "targets"],
-          message: `secret binding '${b?.name}' references unknown target '${ref}' — declare it in targets[] or use "primary"`
-        });
+    if (cmd === "cp" || cmd === "cat") {
+      const rawArgs = [];
+      for (const t of tokens.slice(1)) {
+        if (t === ">" || t.startsWith(">"))
+          break;
+        if (t.startsWith("-"))
+          continue;
+        rawArgs.push(t);
+      }
+      const sources = cmd === "cp" ? rawArgs.slice(0, -1) : rawArgs;
+      if (cmd === "cp" && rawArgs.length < 2)
+        continue;
+      for (const src of sources) {
+        if (!PLAIN_PATH.test(src))
+          continue;
+        const resolved = resolve5(src);
+        if (!exists(resolved)) {
+          issues.push({
+            input: src,
+            message: `build command references '${src}' (resolved: '${resolved}'), which does not exist in the bundle — did the content move? (cf. sp-reloc1)`
+          });
+        }
       }
     }
   }
-});
-function parseManifest(input) {
-  const result = ManifestSchema.safeParse(input);
-  if (result.success) {
-    return { kind: "ok", manifest: result.data };
-  }
-  return {
-    kind: "schema-error",
-    issues: result.error.issues.map((issue) => ({
-      path: issue.path.map(String).join(".") || "(root)",
-      message: issue.message
-    }))
-  };
+  return issues;
 }
 // ../launchpad-engine/dist/status-author.js
 var STATUS_STATUS_KEYS = new Set([
@@ -2557,6 +2472,7 @@ var SpecSchema = z2.object({
   }).strict(),
   auth: z2.enum(AUTH_MODES).optional(),
   build: BuildSchema.optional(),
+  app: AppBoundarySchema.optional(),
   env_vars: z2.record(z2.string().regex(ENV_NAME_REGEX, "env_vars keys must be UPPER_SNAKE_CASE"), EnvVarSchema).optional(),
   containers: z2.array(ContainerSchema).min(1).optional(),
   secrets: SecretsSchema.optional(),
@@ -3151,101 +3067,635 @@ var FleetManifestSchema = z3.object({
       });
     }
   }
-});
-// ../launchpad-engine/dist/fleet-secret-sets.js
-import { z as z4 } from "zod";
-var SET_NAME_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
-var Slug = z4.string().regex(SLUG_REGEX, "member must be a lowercase-kebab app slug");
-var SecretName = z4.string().regex(ENV_NAME_REGEX, "secret name must be UPPER_SNAKE_CASE");
-var SecretSetExcludeSchema = z4.object({
-  member: Slug,
-  secret: SecretName
-}).strict();
-var SecretSetSchema = z4.object({
-  name: z4.string().min(1).max(64).regex(SET_NAME_REGEX, "set name must be lowercase-kebab"),
-  secrets: z4.array(SecretName).min(1),
-  members: z4.array(Slug).min(1),
-  exclude: z4.array(SecretSetExcludeSchema).optional()
-}).strict();
-var FleetSecretSetsSchema = z4.object({
-  schemaVersion: z4.literal(1),
-  secretSets: z4.array(SecretSetSchema).min(1)
-}).strict().superRefine((m, ctx) => {
-  const seenSets = new Set;
-  for (let i = 0;i < m.secretSets.length; i++) {
-    const set = m.secretSets[i];
-    if (seenSets.has(set.name)) {
-      ctx.addIssue({
-        code: "custom",
-        message: `duplicate secretSet name "${set.name}" — each set name appears once`,
-        path: ["secretSets", i, "name"]
-      });
+});
+// ../launchpad-engine/dist/fleet-secret-sets.js
+import { z as z4 } from "zod";
+var SET_NAME_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
+var Slug = z4.string().regex(SLUG_REGEX, "member must be a lowercase-kebab app slug");
+var SecretName = z4.string().regex(ENV_NAME_REGEX, "secret name must be UPPER_SNAKE_CASE");
+var SecretSetExcludeSchema = z4.object({
+  member: Slug,
+  secret: SecretName
+}).strict();
+var SecretSetSchema = z4.object({
+  name: z4.string().min(1).max(64).regex(SET_NAME_REGEX, "set name must be lowercase-kebab"),
+  secrets: z4.array(SecretName).min(1),
+  members: z4.array(Slug).min(1),
+  exclude: z4.array(SecretSetExcludeSchema).optional()
+}).strict();
+var FleetSecretSetsSchema = z4.object({
+  schemaVersion: z4.literal(1),
+  secretSets: z4.array(SecretSetSchema).min(1)
+}).strict().superRefine((m, ctx) => {
+  const seenSets = new Set;
+  for (let i = 0;i < m.secretSets.length; i++) {
+    const set = m.secretSets[i];
+    if (seenSets.has(set.name)) {
+      ctx.addIssue({
+        code: "custom",
+        message: `duplicate secretSet name "${set.name}" — each set name appears once`,
+        path: ["secretSets", i, "name"]
+      });
+    }
+    seenSets.add(set.name);
+    const seenMembers = new Set;
+    for (const member of set.members) {
+      if (seenMembers.has(member)) {
+        ctx.addIssue({
+          code: "custom",
+          message: `duplicate member "${member}" in set "${set.name}"`,
+          path: ["secretSets", i, "members"]
+        });
+      }
+      seenMembers.add(member);
+    }
+    const seenSecrets = new Set;
+    for (const secret of set.secrets) {
+      if (seenSecrets.has(secret)) {
+        ctx.addIssue({
+          code: "custom",
+          message: `duplicate secret "${secret}" in set "${set.name}"`,
+          path: ["secretSets", i, "secrets"]
+        });
+      }
+      seenSecrets.add(secret);
+    }
+    for (let j = 0;j < (set.exclude ?? []).length; j++) {
+      const ex = set.exclude[j];
+      if (!seenMembers.has(ex.member)) {
+        ctx.addIssue({
+          code: "custom",
+          message: `exclude references member "${ex.member}" which is not in set "${set.name}".members`,
+          path: ["secretSets", i, "exclude", j, "member"]
+        });
+      }
+      if (!seenSecrets.has(ex.secret)) {
+        ctx.addIssue({
+          code: "custom",
+          message: `exclude references secret "${ex.secret}" which is not in set "${set.name}".secrets`,
+          path: ["secretSets", i, "exclude", j, "secret"]
+        });
+      }
+    }
+  }
+});
+function parseFleetSecretSets(input) {
+  const res = FleetSecretSetsSchema.safeParse(input);
+  if (res.success)
+    return { ok: true, manifest: res.data };
+  return {
+    ok: false,
+    issues: res.error.issues.map((i) => ({
+      path: i.path.join("."),
+      message: i.message
+    }))
+  };
+}
+function membersForSecret(set, secret) {
+  const excluded = new Set((set.exclude ?? []).filter((e) => e.secret === secret).map((e) => e.member));
+  return set.members.filter((m) => !excluded.has(m));
+}
+// ../launchpad-engine/dist/redact-status.js
+var UNSAFE_KEY = new Set(["__proto__", "prototype", "constructor"]);
+// src/bundle/boundary.ts
+var MAX_CONTENT_PROBE_BYTES = 1024 * 1024;
+function applyBoundaryToFiles(args) {
+  const { cwd, manifestYaml, files } = args;
+  let parsed;
+  if (manifestYaml !== null) {
+    try {
+      parsed = parseYaml2(manifestYaml);
+    } catch {
+      parsed = undefined;
+    }
+  }
+  const input = extractBoundaryInput(parsed);
+  if (input.kind === "schema-error") {
+    const detail = input.issues.map((i) => `${i.path}: ${i.message}`).join("; ");
+    return { kind: "error", message: `launchpad.yaml app: block is invalid — ${detail}` };
+  }
+  const contract = resolveAppBoundary({ appType: input.appType, app: input.app });
+  let launchpadIgnore = [];
+  const ignorePath = join5(cwd, ".launchpadignore");
+  if (existsSync2(ignorePath)) {
+    try {
+      launchpadIgnore = parseLaunchpadIgnore(readFileSync3(ignorePath, "utf8"));
+    } catch {}
+  }
+  const result = applyAppBoundary(contract, files, {
+    launchpadIgnore,
+    readFileContent: (path6) => {
+      try {
+        const abs = join5(cwd, path6);
+        const stat = lstatSync2(abs);
+        if (!stat.isFile() || stat.size > MAX_CONTENT_PROBE_BYTES)
+          return;
+        return readFileSync3(abs, "utf8");
+      } catch {
+        return;
+      }
+    }
+  });
+  const warnings = [];
+  if (result.denied.length > 0) {
+    if (contract.source === "declared") {
+      const lines = result.denied.map((d) => `  - ${d.message}`).join(`
+`);
+      return {
+        kind: "error",
+        message: `bundle blocked — ${result.denied.length} file(s) matched by app.include can never ship:
+${lines}
+` + `  Remove the file(s) or narrow app.include / add app.exclude in launchpad.yaml.`
+      };
+    }
+    for (const d of result.denied) {
+      warnings.push(`stripped ${d.path} — ${d.message}`);
+    }
+  }
+  if (result.files.length === 0) {
+    return {
+      kind: "error",
+      message: "the app boundary excluded every file — nothing to deploy. " + "Check app.root / app.include in launchpad.yaml."
+    };
+  }
+  const buildIssues = verifyBuildInputs(input.build, result.files);
+  if (buildIssues.length > 0) {
+    const lines = buildIssues.map((i) => `  - ${i.message}`).join(`
+`);
+    return {
+      kind: "error",
+      message: `build-inputs check failed — the build command references missing inputs:
+${lines}`
+    };
+  }
+  return {
+    kind: "ok",
+    files: result.files,
+    warnings,
+    inferred: contract.source === "inferred"
+  };
+}
+
+// src/bundle/orchestrate.ts
+async function bundleAndDeploy(args) {
+  const { cfg, cwd, slug } = args;
+  const manifestPath = join6(cwd, "launchpad.yaml");
+  let manifestYaml;
+  try {
+    manifestYaml = readFileSync4(manifestPath, "utf8");
+  } catch (e) {
+    return {
+      kind: "no-manifest",
+      message: `no launchpad.yaml at ${manifestPath} — run \`launchpad init\` from inside your app directory first. ` + `(${e.message})`
+    };
+  }
+  let walk;
+  try {
+    walk = walkCwd(cwd);
+  } catch (e) {
+    if (e instanceof WalkError) {
+      return { kind: "walk-error", message: e.message };
+    }
+    return {
+      kind: "walk-error",
+      message: `unexpected walk failure: ${e.message}`
+    };
+  }
+  const boundary = applyBoundaryToFiles({ cwd, manifestYaml, files: walk.files });
+  if (boundary.kind === "error") {
+    return { kind: "boundary-error", message: boundary.message };
+  }
+  const bundleFiles = boundary.files;
+  let packResult;
+  try {
+    packResult = await packTarGz(cwd, bundleFiles);
+  } catch (e) {
+    if (e instanceof TarPackError) {
+      return { kind: "pack-error", message: e.message };
+    }
+    return {
+      kind: "pack-error",
+      message: `unexpected pack failure: ${e.message}`
+    };
+  }
+  const workerBuild = await buildWorkerArtifact(cwd, manifestYaml, bundleFiles);
+  if (workerBuild.kind === "error") {
+    return { kind: "worker-build-error", message: workerBuild.message };
+  }
+  const workerArtifact = workerBuild.kind === "ok" ? workerBuild.artifact : undefined;
+  const uploadResult = await uploadBundle(cfg, slug, manifestYaml, packResult.bytes, workerArtifact);
+  if (uploadResult.kind !== "ok") {
+    return {
+      kind: "upload-error",
+      status: uploadResult.status,
+      body: uploadResult.response
+    };
+  }
+  return {
+    kind: "ok",
+    result: uploadResult.response,
+    walk,
+    fileCount: packResult.fileCount,
+    compressedBytes: packResult.bytes.byteLength,
+    workerScript: workerArtifact?.script ?? null,
+    boundaryWarnings: boundary.warnings
+  };
+}
+
+// src/commands/deploy.ts
+import { parse as parseYaml4 } from "yaml";
+import { readFileSync as readFileSync6 } from "node:fs";
+
+// src/deploy/git-files.ts
+import { spawn as spawn3 } from "node:child_process";
+
+class GitFilesError extends Error {
+  code = "git_files_error";
+}
+var PROTECTED_PATHS = new Set([
+  ".github/workflows/launchpad-review.yml",
+  ".github/workflows/ci.yml",
+  "wrangler.toml",
+  ".github/scripts/_gha-cmd.mjs",
+  ".github/scripts/parse-eslint.mjs",
+  ".github/scripts/parse-tsc.mjs",
+  ".github/scripts/parse-vitest.mjs",
+  ".github/scripts/parse-gitleaks.mjs",
+  ".github/scripts/parse-bun-audit.mjs"
+]);
+async function listDeployFiles(opts) {
+  const sp = opts.spawner ?? spawn3;
+  const stdout = await runGit2(sp, opts.cwd, [
+    "ls-files",
+    "-c",
+    "-o",
+    "--exclude-standard",
+    "-z"
+  ]);
+  const paths = stdout.split("\x00").filter((p) => p.length > 0 && !PROTECTED_PATHS.has(p));
+  return [...paths].sort();
+}
+function runGit2(sp, cwd, args) {
+  return new Promise((resolve5, reject) => {
+    const spawnOpts = { cwd, stdio: ["ignore", "pipe", "pipe"] };
+    const child = sp("git", [...args], spawnOpts);
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.once("error", (err) => {
+      reject(new GitFilesError(`could not run \`git ${args.join(" ")}\`: ${err.message} (is git installed?)`));
+    });
+    child.once("close", (code) => {
+      if (code === 0) {
+        resolve5(stdout);
+        return;
+      }
+      reject(new GitFilesError(`\`git ${args.join(" ")}\` exited ${code}: ${stderr.trim()}`));
+    });
+  });
+}
+
+// src/commands/deploy-flags.ts
+var SLUG_RE3 = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
+var GROUP_KEY_RE2 = /^[A-Za-z_][A-Za-z0-9_]*$/;
+var GROUP_UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function parseDeployFlags(args) {
+  let mode = "content";
+  let slug = null;
+  let displayName = null;
+  let description = null;
+  let appType = null;
+  const allowedGroups = [];
+  let message = null;
+  let timeoutSeconds = null;
+  let manifestFile = null;
+  let dryRunJson = false;
+  let platformRepo = null;
+  let rePin = false;
+  let yes = false;
+  let resumePrNumber = null;
+  let timeoutMinutes = null;
+  let modeFlagsSeen = 0;
+  let i = 0;
+  while (i < args.length) {
+    const a = args[i] ?? "";
+    if (a === "--new") {
+      mode = "new";
+      modeFlagsSeen += 1;
+      i += 1;
+      continue;
+    }
+    if (a === "--dry-run") {
+      mode = "dry-run";
+      modeFlagsSeen += 1;
+      i += 1;
+      continue;
+    }
+    if (a === "--apply") {
+      mode = "apply";
+      modeFlagsSeen += 1;
+      i += 1;
+      continue;
+    }
+    if (a === "--platform-repo") {
+      const v = args[i + 1];
+      if (v === undefined || v.trim().length === 0) {
+        return `missing value for ${a}`;
+      }
+      platformRepo = v.trim();
+      i += 2;
+      continue;
+    }
+    if (a === "--re-pin") {
+      rePin = true;
+      i += 1;
+      continue;
+    }
+    if (a === "--yes" || a === "-y") {
+      yes = true;
+      i += 1;
+      continue;
+    }
+    if (a === "--resume") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      mode = "resume";
+      slug = v;
+      modeFlagsSeen += 1;
+      i += 2;
+      continue;
+    }
+    if (a === "--abandon") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      mode = "abandon";
+      slug = v;
+      modeFlagsSeen += 1;
+      i += 2;
+      continue;
+    }
+    if (a === "--file") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      manifestFile = v;
+      i += 2;
+      continue;
+    }
+    if (a === "--json") {
+      dryRunJson = true;
+      i += 1;
+      continue;
+    }
+    if (a === "--slug") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      slug = v;
+      i += 2;
+      continue;
+    }
+    if (a === "--display-name" || a === "--name") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      displayName = v;
+      i += 2;
+      continue;
+    }
+    if (a === "--description") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      description = v;
+      i += 2;
+      continue;
+    }
+    if (a === "--app-type" || a === "--type") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      if (!APP_TYPES.includes(v)) {
+        return `invalid --app-type "${v}" — must be one of ${APP_TYPES.join(", ")}`;
+      }
+      appType = v;
+      i += 2;
+      continue;
+    }
+    if (a === "--allowed-group" || a === "--group") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      if (!GROUP_KEY_RE2.test(v) && !GROUP_UUID_RE2.test(v)) {
+        return `invalid --allowed-group "${v}" — expected a group key (HCL identifier, e.g. G_Product_Security) or an Entra Object-ID UUID`;
+      }
+      allowedGroups.push(v);
+      i += 2;
+      continue;
+    }
+    if (a === "--message" || a === "-m") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      message = v;
+      i += 2;
+      continue;
+    }
+    if (a === "--timeout-seconds") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      const n = Number(v);
+      if (!Number.isFinite(n) || n <= 0 || Math.floor(n) !== n) {
+        return `invalid --timeout-seconds "${v}" — expected positive integer`;
+      }
+      timeoutSeconds = n;
+      i += 2;
+      continue;
+    }
+    if (a === "--timeout-minutes") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      const n = Number(v);
+      if (!Number.isFinite(n) || n <= 0 || Math.floor(n) !== n) {
+        return `invalid --timeout-minutes "${v}" — expected positive integer`;
+      }
+      timeoutMinutes = n;
+      i += 2;
+      continue;
+    }
+    if (a === "--resume-pr") {
+      const v = args[i + 1];
+      if (v === undefined)
+        return `missing value for ${a}`;
+      const n = Number(v);
+      if (!Number.isFinite(n) || n <= 0 || Math.floor(n) !== n) {
+        return `invalid --resume-pr "${v}" — expected positive integer PR number`;
+      }
+      resumePrNumber = n;
+      i += 2;
+      continue;
+    }
+    return `unknown argument "${a}"`;
+  }
+  if (modeFlagsSeen > 1) {
+    return "--new, --resume, --abandon, --dry-run, and --apply are mutually exclusive";
+  }
+  if (mode === "dry-run") {
+    if (slug !== null)
+      return "--dry-run does not accept --slug (slug is read from launchpad.yaml)";
+    if (displayName !== null)
+      return "--dry-run does not accept --display-name";
+    if (description !== null)
+      return "--dry-run does not accept --description";
+    if (appType !== null)
+      return "--dry-run does not accept --app-type";
+    if (allowedGroups.length > 0)
+      return "--dry-run does not accept --allowed-group (read from launchpad.yaml)";
+    if (message !== null)
+      return "--dry-run does not accept --message";
+    if (timeoutSeconds !== null)
+      return "--dry-run does not accept --timeout-seconds";
+    if (platformRepo !== null)
+      return "--dry-run does not accept --platform-repo (apply-only)";
+    if (rePin)
+      return "--dry-run does not accept --re-pin (apply-only)";
+    if (yes)
+      return "--dry-run does not accept --yes (apply-only)";
+    return {
+      mode: { kind: "dry-run", file: manifestFile, json: dryRunJson },
+      message: null,
+      timeoutSeconds: null
+    };
+  }
+  if (mode === "apply") {
+    if (slug !== null)
+      return "--apply does not accept --slug (slug is read from launchpad.yaml)";
+    if (displayName !== null)
+      return "--apply does not accept --display-name";
+    if (description !== null)
+      return "--apply does not accept --description";
+    if (appType !== null)
+      return "--apply does not accept --app-type";
+    if (allowedGroups.length > 0)
+      return "--apply does not accept --allowed-group (read from launchpad.yaml)";
+    if (message !== null)
+      return "--apply does not accept --message";
+    if (timeoutSeconds !== null)
+      return "--apply does not accept --timeout-seconds (use --timeout-minutes instead — apply polling is multi-minute)";
+    if (dryRunJson)
+      return "--apply does not accept --json";
+    return {
+      mode: {
+        kind: "apply",
+        file: manifestFile,
+        platformRepo,
+        rePin,
+        yes,
+        resumePrNumber,
+        timeoutMinutes
+      },
+      message: null,
+      timeoutSeconds: null
+    };
+  }
+  if (resumePrNumber !== null) {
+    return "--resume-pr is only valid with --apply";
+  }
+  if (timeoutMinutes !== null) {
+    return "--timeout-minutes is only valid with --apply";
+  }
+  if (manifestFile !== null) {
+    return "--file is only valid with --dry-run or --apply";
+  }
+  if (dryRunJson) {
+    return "--json is only valid with --dry-run";
+  }
+  if (platformRepo !== null) {
+    return "--platform-repo is only valid with --apply";
+  }
+  if (rePin) {
+    return "--re-pin is only valid with --apply";
+  }
+  if (yes) {
+    return "--yes is only valid with --apply";
+  }
+  if (mode === "content") {
+    if (slug !== null && !SLUG_RE3.test(slug)) {
+      return `invalid slug "${slug}" — expected ${SLUG_RE3.source}`;
     }
-    seenSets.add(set.name);
-    const seenMembers = new Set;
-    for (const member of set.members) {
-      if (seenMembers.has(member)) {
-        ctx.addIssue({
-          code: "custom",
-          message: `duplicate member "${member}" in set "${set.name}"`,
-          path: ["secretSets", i, "members"]
-        });
-      }
-      seenMembers.add(member);
+    return {
+      mode: { kind: "content", slug },
+      message,
+      timeoutSeconds
+    };
+  }
+  if (mode === "resume" || mode === "abandon") {
+    if (slug === null || !SLUG_RE3.test(slug)) {
+      return `--${mode} requires a valid slug (kebab-case)`;
     }
-    const seenSecrets = new Set;
-    for (const secret of set.secrets) {
-      if (seenSecrets.has(secret)) {
-        ctx.addIssue({
-          code: "custom",
-          message: `duplicate secret "${secret}" in set "${set.name}"`,
-          path: ["secretSets", i, "secrets"]
-        });
-      }
-      seenSecrets.add(secret);
+    if (displayName !== null || appType !== null || allowedGroups.length > 0) {
+      return `--${mode} does not accept create-only flags (--display-name / --app-type / --allowed-group)`;
     }
-    for (let j = 0;j < (set.exclude ?? []).length; j++) {
-      const ex = set.exclude[j];
-      if (!seenMembers.has(ex.member)) {
-        ctx.addIssue({
-          code: "custom",
-          message: `exclude references member "${ex.member}" which is not in set "${set.name}".members`,
-          path: ["secretSets", i, "exclude", j, "member"]
-        });
-      }
-      if (!seenSecrets.has(ex.secret)) {
-        ctx.addIssue({
-          code: "custom",
-          message: `exclude references secret "${ex.secret}" which is not in set "${set.name}".secrets`,
-          path: ["secretSets", i, "exclude", j, "secret"]
-        });
-      }
+    if (message !== null) {
+      return `--${mode} does not accept --message`;
     }
+    return {
+      mode: { kind: mode, slug },
+      message: null,
+      timeoutSeconds
+    };
+  }
+  if (slug === null)
+    return "--new requires --slug";
+  if (!SLUG_RE3.test(slug))
+    return `invalid slug "${slug}" — expected ${SLUG_RE3.source}`;
+  if (slug.length < 3 || slug.length > 58) {
+    return `slug length out of bounds (3–58 chars): "${slug}"`;
+  }
+  if (displayName === null || displayName.length === 0) {
+    return "--new requires --display-name";
+  }
+  if (appType === null) {
+    return `--new requires --app-type (one of ${APP_TYPES.join(", ")})`;
+  }
+  if (allowedGroups.length === 0) {
+    return "--new requires at least one --allowed-group";
   }
-});
-function parseFleetSecretSets(input) {
-  const res = FleetSecretSetsSchema.safeParse(input);
-  if (res.success)
-    return { ok: true, manifest: res.data };
   return {
-    ok: false,
-    issues: res.error.issues.map((i) => ({
-      path: i.path.join("."),
-      message: i.message
-    }))
+    mode: {
+      kind: "new",
+      slug,
+      displayName,
+      description,
+      appType,
+      allowedGroups
+    },
+    message,
+    timeoutSeconds
   };
 }
-function membersForSecret(set, secret) {
-  const excluded = new Set((set.exclude ?? []).filter((e) => e.secret === secret).map((e) => e.member));
-  return set.members.filter((m) => !excluded.has(m));
-}
-// ../launchpad-engine/dist/redact-status.js
-var UNSAFE_KEY = new Set(["__proto__", "prototype", "constructor"]);
+
+// src/deploy/apply.ts
+import { existsSync as existsSync3, rmSync } from "node:fs";
+import { resolve as resolvePath, join as join7 } from "node:path";
+import { execFileSync } from "node:child_process";
+
 // src/manifest/load.ts
+import { readFileSync as readFileSync5 } from "node:fs";
+import { parse as parseYaml3, YAMLParseError } from "yaml";
 function loadManifest(path6) {
   let raw;
   try {
-    raw = readFileSync4(path6, "utf8");
+    raw = readFileSync5(path6, "utf8");
   } catch (err) {
     const e = err;
     if (e.code === "ENOENT") {
@@ -3258,7 +3708,7 @@ function loadManifest(path6) {
 function parseManifest2(yamlText, path6) {
   let parsed;
   try {
-    parsed = parseYaml2(yamlText);
+    parsed = parseYaml3(yamlText);
   } catch (err) {
     const message = err instanceof YAMLParseError ? err.message : err.message ?? String(err);
     return { kind: "yaml-parse-error", path: path6, message };
@@ -3481,8 +3931,8 @@ function defaultGitHeadSha(cwd) {
   return out.trim();
 }
 function deletePinIfPresent(cfg, slug, io) {
-  const pinPath = join6(cfg.stateDir, slug, "group.json");
-  if (!existsSync2(pinPath))
+  const pinPath = join7(cfg.stateDir, slug, "group.json");
+  if (!existsSync3(pinPath))
     return;
   try {
     rmSync(pinPath, { force: true });
@@ -3974,7 +4424,7 @@ async function runDeploy(args, io) {
   }
   const cwd = process.cwd();
   const manifestPath = path6.join(cwd, "launchpad.yaml");
-  if (existsSync3(manifestPath)) {
+  if (existsSync4(manifestPath)) {
     return runModelADeploy({ cwd, manifestPath, argv: args, io });
   }
   const parsed = parseArgs2(args);
@@ -4001,12 +4451,34 @@ async function runDeploy(args, io) {
   try {
     const cfg = loadConfig();
     io.out(`Packaging working tree for ${slug} …`);
-    const files = await listDeployFiles({ cwd: process.cwd() });
-    if (files.length === 0) {
+    const rawFiles = await listDeployFiles({ cwd: process.cwd() });
+    if (rawFiles.length === 0) {
       io.err("launchpad deploy: no files to deploy (git ls-files returned empty).");
       io.err("       did you run this from inside the cloned working tree?");
       return 1;
     }
+    let contentManifestYaml = null;
+    const contentManifestPath = path6.join(process.cwd(), "launchpad.yaml");
+    if (existsSync4(contentManifestPath)) {
+      try {
+        contentManifestYaml = readFileSync6(contentManifestPath, "utf8");
+      } catch {
+        contentManifestYaml = null;
+      }
+    }
+    const boundary = applyBoundaryToFiles({
+      cwd: process.cwd(),
+      manifestYaml: contentManifestYaml,
+      files: rawFiles
+    });
+    if (boundary.kind === "error") {
+      io.err(`launchpad deploy: ${boundary.message}`);
+      return 1;
+    }
+    for (const w of boundary.warnings) {
+      io.err(`warning: ${w}`);
+    }
+    const files = boundary.files;
     const packed = await packTarGz(process.cwd(), files);
     io.out(`Packed ${packed.fileCount} files (${formatBytes2(packed.uncompressedBytes)}` + ` uncompressed, ${formatBytes2(packed.bytes.length)} gzipped)`);
     io.out(`Uploading to ${cfg.botUrl}/apps/${slug}/deploy-pr …`);
@@ -4026,6 +4498,9 @@ async function runDeploy(args, io) {
     io.out(`PR opened: ${response.reviewUrl}`);
     io.out(`Branch:    ${response.branch}`);
     io.out(`Number:    #${response.prNumber}`);
+    io.out("");
+    io.out(`Review from the CLI:  launchpad review ${response.prNumber} --slug ${slug}`);
+    io.out(`Merge when approved:  launchpad merge ${response.prNumber} --slug ${slug}`);
     if (response.bootstrapWorkflow === true) {
       io.out("");
       io.out("(first deploy: included canonical launchpad-review.yml workflow file)");
@@ -4137,7 +4612,7 @@ async function runModelADeploy(args) {
   const { cwd, manifestPath, io } = args;
   let slug;
   try {
-    const metaSlug = resolveManifestSlug(parseYaml3(readFileSync5(manifestPath, "utf8")));
+    const metaSlug = resolveManifestSlug(parseYaml4(readFileSync6(manifestPath, "utf8")));
     if (metaSlug === null) {
       io.err(`launchpad deploy: launchpad.yaml is missing metadata.slug (v2) / metadata.name (v1). ` + `Run \`launchpad init\` again to regenerate the manifest.`);
       return 64;
@@ -4178,6 +4653,9 @@ async function runModelADeploy(args) {
     case "walk-error":
       io.err(`launchpad deploy: walk failed — ${result.message}`);
       return 1;
+    case "boundary-error":
+      io.err(`launchpad deploy: ${result.message}`);
+      return 1;
     case "pack-error":
       io.err(`launchpad deploy: pack failed — ${result.message}`);
       return 1;
@@ -4213,6 +4691,9 @@ async function runModelADeploy(args) {
       return 1;
     }
     case "ok": {
+      for (const w of result.boundaryWarnings) {
+        io.err(`warning: ${w}`);
+      }
       if (result.result.status === "provisioning_started") {
         const submissionId = typeof result.result.submissionId === "string" ? result.result.submissionId : "(missing)";
         const appType = typeof result.result.appType === "string" ? result.result.appType : "(missing)";
@@ -4245,9 +4726,8 @@ async function runModelADeploy(args) {
         io.out(`  ${result.result.message}`);
       }
       io.out("");
-      io.out("Next steps:");
-      io.out(`  launchpad status ${slug}    # poll for the live URL`);
-      io.out(`  launchpad apps             # see lifecycle`);
+      io.out("Committed; build pending — Cloudflare Pages is building this deploy now.");
+      io.out(`Run \`launchpad status ${slug}\` to confirm the build outcome (success / failure + log excerpt).`);
       return 0;
     }
   }
@@ -4450,7 +4930,7 @@ function describe13(e) {
 }
 
 // src/commands/generate.ts
-import { mkdirSync, readFileSync as readFileSync6, writeFileSync } from "node:fs";
+import { mkdirSync, readFileSync as readFileSync7, writeFileSync } from "node:fs";
 import { dirname as dirname4, resolve as resolve6, relative as relative3 } from "node:path";
 var generateCommand = {
   name: "generate",
@@ -4538,7 +5018,7 @@ function applyOne(artefact, path8, out, force) {
 }
 function readIfExists(path8) {
   try {
-    return { kind: "ok", content: readFileSync6(path8, "utf8") };
+    return { kind: "ok", content: readFileSync7(path8, "utf8") };
   } catch (err) {
     const e = err;
     if (e.code === "ENOENT")
@@ -4749,13 +5229,13 @@ function parseFlags(args) {
 }
 
 // src/groups/client.ts
-import { mkdirSync as mkdirSync2, readFileSync as readFileSync7, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname5, join as join8 } from "node:path";
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync8, writeFileSync as writeFileSync2 } from "node:fs";
+import { dirname as dirname5, join as join9 } from "node:path";
 var CACHE_TTL_MS = 60 * 60 * 1000;
 var CACHE_FILENAME = "groups.json";
 async function fetchGroups(cfg, opts = {}) {
   const now = opts.now ?? Date.now;
-  const cachePath = join8(cfg.cacheDir, CACHE_FILENAME);
+  const cachePath = join9(cfg.cacheDir, CACHE_FILENAME);
   if (opts.forceRefresh !== true) {
     const cached = readCache(cachePath);
     if (cached !== null) {
@@ -4793,7 +5273,7 @@ async function fetchGroups(cfg, opts = {}) {
 function readCache(path8) {
   let raw;
   try {
-    raw = readFileSync7(path8, "utf8");
+    raw = readFileSync8(path8, "utf8");
   } catch {
     return null;
   }
@@ -5294,17 +5774,17 @@ function describe17(e) {
 
 // src/commands/init.ts
 import { createInterface } from "node:readline/promises";
-import { existsSync as existsSync5, readFileSync as readFileSync9, writeFileSync as writeFileSync3 } from "node:fs";
+import { existsSync as existsSync6, readFileSync as readFileSync10, writeFileSync as writeFileSync3 } from "node:fs";
 import { resolve as resolve7 } from "node:path";
 import { stringify as yamlStringify } from "yaml";
 
 // src/detect/index.ts
-import { existsSync as existsSync4, readFileSync as readFileSync8, statSync } from "node:fs";
-import { join as join9 } from "node:path";
+import { existsSync as existsSync5, readFileSync as readFileSync9, statSync } from "node:fs";
+import { join as join10 } from "node:path";
 function detectAppShape(cwd) {
-  const hasPackageJson = existsSync4(join9(cwd, "package.json"));
-  const hasAnyLockfile = LOCKFILES.some(({ file }) => existsSync4(join9(cwd, file)));
-  const hasViteConfig = VITE_CONFIG_NAMES.some((n) => existsSync4(join9(cwd, n)));
+  const hasPackageJson = existsSync5(join10(cwd, "package.json"));
+  const hasAnyLockfile = LOCKFILES.some(({ file }) => existsSync5(join10(cwd, file)));
+  const hasViteConfig = VITE_CONFIG_NAMES.some((n) => existsSync5(join10(cwd, n)));
   if (!hasPackageJson && !hasAnyLockfile && !hasViteConfig) {
     return {
       kind: "not-applicable",
@@ -5350,7 +5830,7 @@ var LOCKFILES = [
   { file: "yarn.lock", pm: "yarn" }
 ];
 function detectPackageManager(cwd) {
-  const present = LOCKFILES.filter(({ file }) => existsSync4(join9(cwd, file)));
+  const present = LOCKFILES.filter(({ file }) => existsSync5(join10(cwd, file)));
   if (present.length === 0) {
     return {
       kind: "ambiguous",
@@ -5372,8 +5852,8 @@ function detectPackageManager(cwd) {
 }
 function detectVitePresence(cwd) {
   for (const name of VITE_CONFIG_NAMES) {
-    const p = join9(cwd, name);
-    if (existsSync4(p)) {
+    const p = join10(cwd, name);
+    if (existsSync5(p)) {
       return { kind: "ok", value: { path: p } };
     }
   }
@@ -5383,9 +5863,9 @@ function detectVitePresence(cwd) {
   };
 }
 function detectAppType(cwd) {
-  const fnDir = join9(cwd, "functions");
+  const fnDir = join10(cwd, "functions");
   let hasFunctionsDir = false;
-  if (existsSync4(fnDir)) {
+  if (existsSync5(fnDir)) {
     try {
       hasFunctionsDir = statSync(fnDir).isDirectory();
     } catch {
@@ -5395,8 +5875,8 @@ function detectAppType(cwd) {
   return { kind: "ok", value: hasFunctionsDir ? "react+api" : "react" };
 }
 function detectBuildCommand(cwd, pm) {
-  const pkgJsonPath = join9(cwd, "package.json");
-  if (!existsSync4(pkgJsonPath)) {
+  const pkgJsonPath = join10(cwd, "package.json");
+  if (!existsSync5(pkgJsonPath)) {
     return {
       kind: "ambiguous",
       reason: "no package.json at repo root. Run your package manager's `init` first."
@@ -5404,7 +5884,7 @@ function detectBuildCommand(cwd, pm) {
   }
   let pkgJson;
   try {
-    pkgJson = JSON.parse(readFileSync8(pkgJsonPath, "utf8"));
+    pkgJson = JSON.parse(readFileSync9(pkgJsonPath, "utf8"));
   } catch (e) {
     return {
       kind: "ambiguous",
@@ -5439,7 +5919,7 @@ var OUT_DIR_REGEX = /\bbuild\s*:\s*\{[^{}]*?\boutDir\s*:\s*['"]([^'"]+)['"]/s;
 function detectDestinationDir(cwd, vite) {
   let text;
   try {
-    text = readFileSync8(vite.path, "utf8");
+    text = readFileSync9(vite.path, "utf8");
   } catch (e) {
     return {
       kind: "ambiguous",
@@ -5469,7 +5949,7 @@ async function runInit(args, io, prompt) {
   }
   const { inputs, options } = parsed;
   const outPath = resolve7(process.cwd(), options.out);
-  if (existsSync5(outPath) && !options.force) {
+  if (existsSync6(outPath) && !options.force) {
     io.err(`launchpad init: ${outPath} already exists`);
     io.err("Pass --force to overwrite.");
     return 64;
@@ -5876,6 +6356,10 @@ function buildManifest(inputs, detected) {
       }
     ];
   }
+  manifest.app = {
+    root: ".",
+    include: [...defaultIncludeForAppType(inputs.type)]
+  };
   return manifest;
 }
 function renderYaml(manifest) {
@@ -5883,8 +6367,8 @@ function renderYaml(manifest) {
 }
 function ensureGitignoreEntries(path8, entries) {
   let current = "";
-  if (existsSync5(path8)) {
-    current = readFileSync9(path8, "utf8");
+  if (existsSync6(path8)) {
+    current = readFileSync10(path8, "utf8");
   }
   const lines = current.split(/\r?\n/);
   const present = new Set(lines.map((l) => l.trim()));
@@ -6016,7 +6500,7 @@ async function runLogs(args, io) {
     if (r.deployments.length === 0) {
       io.out("");
       io.out("(note: this command shows deploy history, not runtime logs —");
-      io.out("       see the portal app detail page for the link to Cf dashboard logs)");
+      io.out(`       run \`launchpad status ${slug}\` for the latest build outcome)`);
     }
     return 0;
   } catch (e) {
@@ -6184,6 +6668,8 @@ async function runMerge(args, io) {
       if (body.selfMerge) {
         io.out("Note:   self-merge (last commit author == caller)");
       }
+      io.out("");
+      io.out(`Merged; build pending — run \`launchpad status ${slug}\` to confirm the build outcome.`);
       return 0;
     }
     let env = null;
@@ -6296,7 +6782,7 @@ function renderBotError(status, env, io, prNumber = null) {
       io.err(`launchpad merge: GitHub upstream error (${detail ?? code}).`);
       return;
     case "merge_unprocessable":
-      io.err(`launchpad merge: GitHub refused the merge (422): ${detail ?? "see GitHub PR page for details"}`);
+      io.err(`launchpad merge: GitHub refused the merge (422): ${detail ?? (prNumber !== null ? `run \`launchpad review ${prNumber}\` for details` : "run `launchpad review <prNumber>` for details")}`);
       return;
     default:
       io.err(`launchpad merge: bot returned ${status} ${code}${detail !== undefined ? `: ${detail}` : ""}`);
@@ -6783,6 +7269,26 @@ async function fetchManifestStatus(cfg, slug, fetcher = fetch) {
   return apiJson(cfg, { path: path10 }, fetcher);
 }
 
+// src/deploy/deployment-status.ts
+async function fetchDeploymentStatus(cfg, slug, fetcher = fetch) {
+  let raw;
+  try {
+    raw = await apiJson(cfg, { path: `/apps/${encodeURIComponent(slug)}/deployment-status` }, fetcher);
+  } catch (e) {
+    if (e instanceof NotFoundError)
+      return null;
+    throw e;
+  }
+  if (typeof raw.supported !== "boolean")
+    return null;
+  return {
+    slug: typeof raw.slug === "string" ? raw.slug : slug,
+    supported: raw.supported,
+    liveDeployment: raw.liveDeployment ?? null,
+    lastSuccessfulDeployment: raw.lastSuccessfulDeployment ?? null
+  };
+}
+
 // src/commands/pull.ts
 var pullCommand = {
   name: "pull",
@@ -6828,6 +7334,12 @@ async function runPull(args, io) {
       includeManifest: true
     });
     if (state.manifestYaml === null || state.manifestYaml === undefined) {
+      const live = await fetchLiveDeploymentBestEffort(cfg, parsed.slug);
+      if (live?.liveDeployment != null && (live.liveDeployment.buildStatus === "success" || live.lastSuccessfulDeployment != null)) {
+        io.err(`launchpad pull: no platform-tracked manifest for "${parsed.slug}", ` + `but the app HAS live content (last deployment ${live.liveDeployment.createdOn} ` + `via ${live.liveDeployment.trigger === "git-push" ? "git push" : live.liveDeployment.trigger}, ` + `build ${live.liveDeployment.buildStatus}).`);
+        io.err(`  This app deploys outside \`launchpad deploy\`, so there is no manifest to pull. ` + `Run \`launchpad status ${parsed.slug}\` for the live deployment detail.`);
+        return 1;
+      }
       io.err(`launchpad pull: no deployed manifest for "${parsed.slug}" yet — ` + `run \`launchpad deploy\` first, or check \`launchpad status\` for the apply state.`);
       return 1;
     }
@@ -6864,6 +7376,13 @@ async function runPull(args, io) {
     return 1;
   }
 }
+async function fetchLiveDeploymentBestEffort(cfg, slug) {
+  try {
+    return await fetchDeploymentStatus(cfg, slug);
+  } catch {
+    return null;
+  }
+}
 function parseArgs8(args, cwd = process.cwd()) {
   let slug = null;
   let out = null;
@@ -6938,7 +7457,7 @@ function describe23(e) {
 }
 
 // src/commands/status.ts
-import { readFileSync as readFileSync10 } from "node:fs";
+import { readFileSync as readFileSync11 } from "node:fs";
 var statusCommand = {
   name: "status",
   summary: "show drift between local launchpad.yaml and deployed state",
@@ -6995,7 +7514,7 @@ async function runStatus(args, io) {
   }
   let localYaml;
   try {
-    localYaml = readFileSync10(parsed.file, "utf8");
+    localYaml = readFileSync11(parsed.file, "utf8");
   } catch (e) {
     io.err(`launchpad status: cannot read local manifest at ${parsed.file}: ${describe24(e)}`);
     if (lifecycle !== null && lifecycle.state === "live") {
@@ -7005,8 +7524,8 @@ async function runStatus(args, io) {
   }
   let localObj;
   try {
-    const { parse: parseYaml4 } = await import("yaml");
-    localObj = parseYaml4(localYaml);
+    const { parse: parseYaml5 } = await import("yaml");
+    localObj = parseYaml5(localYaml);
   } catch (e) {
     io.err(`launchpad status: ${parsed.file} is not valid YAML: ${describe24(e)}`);
     return 2;
@@ -7027,25 +7546,39 @@ async function runStatus(args, io) {
   } catch (e) {
     return mapBotError(e, parsed.slug, io);
   }
+  let deployment = null;
+  let deploymentKnown = false;
+  try {
+    deployment = await fetchDeploymentStatus(cfg, parsed.slug);
+    deploymentKnown = deployment !== null;
+  } catch (e) {
+    if (e instanceof UnauthenticatedError || e instanceof ForbiddenError) {
+      return mapBotError(e, parsed.slug, io);
+    }
+    io.err(`launchpad status: live deployment state unavailable (${describe24(e)}) — ` + `the report below is from the platform manifest view only.`);
+  }
   if (state.manifestYaml === null || state.manifestYaml === undefined) {
+    const live = deployment?.liveDeployment ?? null;
+    const contentIsLive = live !== null && (live.buildStatus === "success" || deployment?.lastSuccessfulDeployment != null);
     const liveButEmpty = lifecycle !== null && lifecycle.state === "live";
     const out = {
-      state: liveButEmpty ? "live_no_content" : "no_deployed_manifest",
+      state: contentIsLive ? "live_content_untracked" : liveButEmpty ? "live_no_content" : "no_deployed_manifest",
       slug: parsed.slug,
       deployedSha: state.lastAppliedManifestSha,
       headSha: state.appRepoHeadSha,
       hasOpenPr: state.openPr !== null,
       openPrNumber: state.openPr?.number ?? null,
       driftFields: [],
-      driftDetails: []
+      driftDetails: [],
+      ...deploymentKnown ? { deployment } : {}
     };
     emit3(out, parsed.json, io);
     return 0;
   }
   let deployedObj;
   try {
-    const { parse: parseYaml4 } = await import("yaml");
-    deployedObj = parseYaml4(state.manifestYaml);
+    const { parse: parseYaml5 } = await import("yaml");
+    deployedObj = parseYaml5(state.manifestYaml);
   } catch (e) {
     io.err(`launchpad status: deployed manifest at ${state.lastAppliedManifestSha} is not valid YAML: ${describe24(e)}`);
     return 2;
@@ -7068,7 +7601,8 @@ async function runStatus(args, io) {
     hasOpenPr: state.openPr !== null,
     openPrNumber: state.openPr?.number ?? null,
     driftFields: drift.map((d) => d.path),
-    driftDetails: drift
+    driftDetails: drift,
+    ...deploymentKnown ? { deployment } : {}
   };
   emit3(result, parsed.json, io);
   if (result.state === "drift" && parsed.strict) {
@@ -7154,14 +7688,22 @@ function emit3(out, asJson, io) {
     case "live_no_content":
       io.out(`${out.slug}: live — no content deployed yet. Run \`launchpad deploy\`.`);
       surfaceHeadVsDeployed(out, io);
+      surfaceDeployment(out, io);
       return;
     case "no_deployed_manifest":
       io.out(`${out.slug}: no deployed manifest yet — run \`launchpad deploy\`.`);
       surfaceHeadVsDeployed(out, io);
+      surfaceDeployment(out, io);
+      return;
+    case "live_content_untracked":
+      io.out(`${out.slug}: live — content deployed via ` + `${triggerLabel(out.deployment?.liveDeployment?.trigger)} (no platform-tracked manifest; this app deploys outside \`launchpad deploy\`).`);
+      surfaceHeadVsDeployed(out, io);
+      surfaceDeployment(out, io);
       return;
     case "in_sync":
       io.out(`${out.slug}: live, in sync` + (out.deployedSha ? ` (content @ ${out.deployedSha.slice(0, 7)})` : ""));
       surfaceHeadVsDeployed(out, io);
+      surfaceDeployment(out, io);
       return;
     case "drift":
       io.out(`${out.slug}: live, drift: ${out.driftFields.join(", ")}`);
@@ -7171,7 +7713,54 @@ function emit3(out, asJson, io) {
         io.out(`    deployed: ${formatValue(d.deployed)}`);
       }
       surfaceHeadVsDeployed(out, io);
+      surfaceDeployment(out, io);
+      return;
+  }
+}
+function triggerLabel(trigger) {
+  if (trigger === "git-push")
+    return "git push";
+  if (trigger === "bot")
+    return "launchpad deploy (bot)";
+  return "an unknown mechanism";
+}
+function surfaceDeployment(out, io) {
+  const dep = out.deployment;
+  if (dep === undefined || dep === null || !dep.supported)
+    return;
+  const live = dep.liveDeployment;
+  if (live === null) {
+    io.out("  last deployment: none — Cloudflare Pages has no production deployment yet.");
+    return;
+  }
+  const commit = live.commit !== undefined ? `, commit ${live.commit.hash.slice(0, 7)}` : "";
+  const via = triggerLabel(live.trigger);
+  switch (live.buildStatus) {
+    case "success":
+      io.out(`  last deployment: build success (${via}${commit}) at ${live.createdOn}`);
       return;
+    case "in_progress":
+      io.out(`  last deployment: build IN PROGRESS (${via}${commit}, started ${live.createdOn})`);
+      io.out("    re-run `launchpad status` shortly to confirm the build outcome.");
+      return;
+    case "failure": {
+      const stage = live.failedStage !== undefined ? ` at stage "${live.failedStage}"` : "";
+      io.out(`  last deployment: build FAILED${stage} (${via}${commit}) at ${live.createdOn}`);
+      if (live.logExcerpt !== undefined && live.logExcerpt.length > 0) {
+        io.out("    build log (excerpt):");
+        for (const line of live.logExcerpt.split(`
+`)) {
+          io.out(`      ${line}`);
+        }
+      }
+      if (dep.lastSuccessfulDeployment !== null) {
+        io.out(`    serving: previous successful deployment from ${dep.lastSuccessfulDeployment.createdOn}`);
+      } else {
+        io.out("    serving: nothing — no successful deployment exists yet.");
+      }
+      io.out("    next: fix the build locally (check build.command / build.root_dir in launchpad.yaml), then run `launchpad deploy`.");
+      return;
+    }
   }
 }
 function surfaceHeadVsDeployed(out, io) {
@@ -7451,7 +8040,7 @@ function describe25(e) {
 }
 
 // src/deploy/rollback.ts
-import { existsSync as existsSync6, readFileSync as readFileSync11, writeFileSync as writeFileSync5 } from "node:fs";
+import { existsSync as existsSync7, readFileSync as readFileSync12, writeFileSync as writeFileSync5 } from "node:fs";
 import { resolve as resolvePath2 } from "node:path";
 import { createInterface as createInterface3 } from "node:readline/promises";
 
@@ -7575,11 +8164,11 @@ async function runRollback(opts, io, deps = {}) {
   }, io, applyDeps);
 }
 function readCurrentManifest(path11) {
-  if (!existsSync6(path11))
+  if (!existsSync7(path11))
     return null;
   let raw;
   try {
-    raw = readFileSync11(path11, "utf8");
+    raw = readFileSync12(path11, "utf8");
   } catch {
     return null;
   }
@@ -7735,7 +8324,7 @@ function parseArgs11(args) {
 }
 
 // src/secrets/push.ts
-import { existsSync as existsSync7, readFileSync as readFileSync12 } from "node:fs";
+import { existsSync as existsSync8, readFileSync as readFileSync13 } from "node:fs";
 import { resolve as resolvePath3 } from "node:path";
 
 // src/secrets/env-parse.ts
@@ -7790,14 +8379,14 @@ async function runSecretsPush(opts, io, deps = {}) {
     return 0;
   }
   const envPath = resolvePath3(process.cwd(), opts.env ?? ".env");
-  if (!existsSync7(envPath)) {
+  if (!existsSync8(envPath)) {
     io.err(`launchpad secrets push: ${envPath}`);
     io.err("  .env file not found. Run `launchpad secrets template` to scaffold one.");
     return 2;
   }
   let envText;
   try {
-    envText = readFileSync12(envPath, "utf8");
+    envText = readFileSync13(envPath, "utf8");
   } catch (e) {
     io.err(`launchpad secrets push: failed to read ${envPath}: ${describe27(e)}`);
     return 2;
@@ -8069,9 +8658,9 @@ function renderManifestError5(result, io) {
 }
 
 // src/secrets/set.ts
-import { existsSync as existsSync8, readFileSync as readFileSync13 } from "node:fs";
+import { existsSync as existsSync9, readFileSync as readFileSync14 } from "node:fs";
 import { resolve as resolvePath5 } from "node:path";
-import { parse as parseYaml4 } from "yaml";
+import { parse as parseYaml5 } from "yaml";
 var CELL_LABEL2 = {
   present: "PRESENT",
   missing: "MISSING",
@@ -8079,14 +8668,14 @@ var CELL_LABEL2 = {
 };
 function loadSet(fleetFile, setName, io) {
   const path11 = resolvePath5(process.cwd(), fleetFile ?? "fleet-secret-sets.yaml");
-  if (!existsSync8(path11)) {
+  if (!existsSync9(path11)) {
     io.err(`✗ ${path11}`);
     io.err("  fleet-secret-sets.yaml not found. Run from the platform repo root or pass --fleet-file.");
     return 2;
   }
   let obj;
   try {
-    obj = parseYaml4(readFileSync13(path11, "utf8"));
+    obj = parseYaml5(readFileSync14(path11, "utf8"));
   } catch (e) {
     io.err(`✗ ${path11}`);
     io.err(`  YAML parse error: ${e instanceof Error ? e.message : String(e)}`);
@@ -8171,14 +8760,14 @@ async function runSecretsPushSet(opts, io, deps = {}) {
   if (typeof set === "number")
     return set;
   const envPath = resolvePath5(process.cwd(), opts.env ?? ".env");
-  if (!existsSync8(envPath)) {
+  if (!existsSync9(envPath)) {
     io.err(`launchpad secrets push --set: ${envPath} not found.`);
     io.err(`  Create a .env carrying the set's secrets: ${set.secrets.join(", ")}`);
     return 2;
   }
   let envText;
   try {
-    envText = readFileSync13(envPath, "utf8");
+    envText = readFileSync14(envPath, "utf8");
   } catch (e) {
     io.err(`launchpad secrets push --set: failed to read ${envPath}: ${e instanceof Error ? e.message : String(e)}`);
     return 2;
@@ -8322,7 +8911,7 @@ function setPushExit(e) {
 }
 
 // src/commands/secrets-template.ts
-import { existsSync as existsSync9, writeFileSync as writeFileSync6 } from "node:fs";
+import { existsSync as existsSync10, writeFileSync as writeFileSync6 } from "node:fs";
 import { resolve as resolve9 } from "node:path";
 async function runSecretsTemplate(args, io) {
   const flags = parseFlags4(args);
@@ -8346,7 +8935,7 @@ async function runSecretsTemplate(args, io) {
     return 0;
   }
   const outPath = resolve9(process.cwd(), flags.out);
-  if (existsSync9(outPath) && !flags.force) {
+  if (existsSync10(outPath) && !flags.force) {
     io.err(`launchpad secrets template: ${outPath} already exists`);
     io.err("Pass --force to overwrite, or --stdout to print without writing.");
     return 64;
@@ -8634,8 +9223,8 @@ function printHelp2(io) {
 
 // src/commands/skills.ts
 import { fileURLToPath } from "node:url";
-import { dirname as dirname6, join as join10, resolve as resolve10 } from "node:path";
-import { promises as fs5, existsSync as existsSync10 } from "node:fs";
+import { dirname as dirname6, join as join11, resolve as resolve10 } from "node:path";
+import { promises as fs5, existsSync as existsSync11 } from "node:fs";
 import { homedir as homedir2 } from "node:os";
 var BUNDLE_PREFIX = "launchpad-";
 var BUNDLED_SKILLS = [
@@ -8696,7 +9285,7 @@ function printHelp3(io) {
 }
 function resolveInstallEnv() {
   const bundleDir = process.env.LAUNCHPAD_SKILLS_BUNDLE_DIR ?? defaultBundleDir();
-  const userSkillsDir = process.env.LAUNCHPAD_SKILLS_TARGET_DIR ?? join10(homedir2(), ".claude", "skills");
+  const userSkillsDir = process.env.LAUNCHPAD_SKILLS_TARGET_DIR ?? join11(homedir2(), ".claude", "skills");
   return { bundleDir, userSkillsDir };
 }
 function defaultBundleDir() {
@@ -8706,7 +9295,7 @@ function defaultBundleDir() {
     resolve10(here, "..", "..", "skills")
   ];
   for (const c of candidates) {
-    if (existsSync10(join10(c, "launchpad-onboard", "SKILL.md"))) {
+    if (existsSync11(join11(c, "launchpad-onboard", "SKILL.md"))) {
       return c;
     }
   }
@@ -8727,12 +9316,12 @@ async function doInstall(io) {
   }
   let installed = 0;
   for (const skill of BUNDLED_SKILLS) {
-    const src = join10(env.bundleDir, skill);
+    const src = join11(env.bundleDir, skill);
     if (!await isDir(src)) {
       io.err(`launchpad skills install: bundled skill "${skill}" missing from ${env.bundleDir} — package is incomplete.`);
       return 1;
     }
-    const dest = join10(env.userSkillsDir, skill);
+    const dest = join11(env.userSkillsDir, skill);
     await fs5.rm(dest, { recursive: true, force: true });
     await fs5.cp(src, dest, { recursive: true });
     installed++;
@@ -8757,7 +9346,7 @@ async function doUninstall(io) {
       continue;
     if (!isBundleManaged(entry.name))
       continue;
-    const target = join10(env.userSkillsDir, entry.name);
+    const target = join11(env.userSkillsDir, entry.name);
     await fs5.rm(target, { recursive: true, force: true });
     removed++;
     io.out(`✗ removed ${target}`);
@@ -8780,7 +9369,7 @@ async function doList(io) {
   }
   const width = managedDirs.reduce((n, s) => Math.max(n, s.length), 0);
   for (const name of managedDirs) {
-    const skillFile = join10(env.userSkillsDir, name, "SKILL.md");
+    const skillFile = join11(env.userSkillsDir, name, "SKILL.md");
     const version = await readVersion(skillFile);
     io.out(`  ${name.padEnd(width + 2)}${version ?? "(no version)"}`);
   }
@@ -8815,9 +9404,9 @@ function describe28(e) {
 import { execFile, spawn as spawn5 } from "node:child_process";
 import { promisify } from "node:util";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
-import { dirname as dirname7, resolve as resolve11, relative as relative4, isAbsolute as isAbsolute2, join as join11 } from "node:path";
+import { dirname as dirname7, resolve as resolve11, relative as relative4, isAbsolute as isAbsolute2, join as join12 } from "node:path";
 import { homedir as homedir3, tmpdir } from "node:os";
-import { readFileSync as readFileSync14, mkdtempSync, writeFileSync as writeFileSync7, rmSync as rmSync2 } from "node:fs";
+import { readFileSync as readFileSync15, mkdtempSync, writeFileSync as writeFileSync7, rmSync as rmSync2 } from "node:fs";
 
 // src/commands/channel-auth.ts
 import { createServer as createServer2 } from "node:http";
@@ -8938,7 +9527,7 @@ var PKG = "@m-kopa/launchpad-cli";
 var REGISTRY = "https://registry.npmjs.org";
 var CHANNEL_VERSION_URL = "https://get.launchpad.m-kopa.us/version.json";
 var CHANNEL_INSTALL_URL = "https://get.launchpad.m-kopa.us";
-var CHANNEL_MARKER = join11(homedir3(), ".launchpad", "channel");
+var CHANNEL_MARKER = join12(homedir3(), ".launchpad", "channel");
 var EXIT_UPDATE_AVAILABLE = 10;
 var UPGRADE_ARGS = {
   npm: ["install", "-g", `${PKG}@latest`],
@@ -9021,8 +9610,8 @@ async function openSystemBrowser(url) {
   await execFileAsync(opener, [url]);
 }
 async function runInstallerScript(script) {
-  const dir = mkdtempSync(join11(tmpdir(), "launchpad-update-"));
-  const file = join11(dir, "install.sh");
+  const dir = mkdtempSync(join12(tmpdir(), "launchpad-update-"));
+  const file = join12(dir, "install.sh");
   try {
     writeFileSync7(file, script, { mode: 448 });
     return await new Promise((resolvePromise) => {
@@ -9046,7 +9635,7 @@ function resolveLatestVersion() {
 }
 function detectInstallChannel() {
   try {
-    return readFileSync14(CHANNEL_MARKER, "utf8").trim() === "platform" ? "platform" : "github";
+    return readFileSync15(CHANNEL_MARKER, "utf8").trim() === "platform" ? "platform" : "github";
   } catch {
     return "github";
   }
@@ -9253,7 +9842,8 @@ function printHelp4(io) {
 }
 
 // src/commands/validate.ts
-import { resolve as resolve12 } from "node:path";
+import { readFileSync as readFileSync16 } from "node:fs";
+import { dirname as dirname8, resolve as resolve12 } from "node:path";
 var validateCommand = {
   name: "validate",
   summary: "validate launchpad.yaml against the v1alpha1 schema",
@@ -9272,9 +9862,31 @@ async function runValidate(args, io) {
   if (result.kind !== "ok") {
     return json ? renderJsonError(result, io) : renderHumanError(result, io);
   }
+  const boundary = checkBoundary(path11, result.manifest.app !== undefined);
   const groupCheck = strictGroups ? await checkGroups(allowedEntraGroups(result.manifest.access)) : { kind: "skipped" };
-  return json ? renderJsonOk(result, groupCheck, io) : renderHumanOk(result, groupCheck, io);
+  return json ? renderJsonOk(result, groupCheck, boundary, io) : renderHumanOk(result, groupCheck, boundary, io);
+}
+function checkBoundary(manifestPath, declared) {
+  const dir = dirname8(manifestPath);
+  let files;
+  try {
+    files = walkCwd(dir).files;
+  } catch {
+    return { declared, errors: [], warnings: [] };
+  }
+  let manifestYaml;
+  try {
+    manifestYaml = readFileSync16(manifestPath, "utf8");
+  } catch {
+    manifestYaml = null;
+  }
+  const r = applyBoundaryToFiles({ cwd: dir, manifestYaml, files });
+  if (r.kind === "error") {
+    return { declared, errors: [r.message], warnings: [] };
+  }
+  return { declared, errors: [], warnings: r.warnings };
 }
+var DECLARE_APP_HINT = "no app: boundary declared — deploys bundle the whole working tree minus the platform deny-list. " + "Declare app: (root / include / exclude) in launchpad.yaml — see schema/README.md.";
 async function checkGroup(allowedGroup, cfg) {
   try {
     const r = await fetchGroups(cfg);
@@ -9321,10 +9933,22 @@ async function checkGroups(groups) {
   const ok = perGroup.every((r) => r.kind === "ok");
   return ok ? { kind: "all-ok", perGroup } : { kind: "some-failed", perGroup };
 }
-function renderHumanOk(result, group, io) {
+function renderHumanOk(result, group, boundary, io) {
   io.out(`✓ ${result.manifest.metadata.name} — manifest is valid`);
   io.out(`  apiVersion: launchpad.m-kopa.us/v1alpha1`);
   io.out(`  type:       ${result.manifest.deployment.type}`);
+  if (boundary.errors.length > 0) {
+    for (const e of boundary.errors) {
+      io.err(`✗ app boundary: ${e}`);
+    }
+    return 1;
+  }
+  for (const w of boundary.warnings) {
+    io.out(`⚠ app boundary: ${w}`);
+  }
+  if (!boundary.declared) {
+    io.out(`⚠ ${DECLARE_APP_HINT}`);
+  }
   switch (group.kind) {
     case "skipped":
       return 0;
@@ -9388,11 +10012,20 @@ function renderHumanError(result, io) {
       return 1;
   }
 }
-function renderJsonOk(result, group, io) {
+function renderJsonOk(result, group, boundary, io) {
   const base = {
     name: result.manifest.metadata.name,
-    deploymentType: result.manifest.deployment.type
+    deploymentType: result.manifest.deployment.type,
+    appBoundary: {
+      declared: boundary.declared,
+      errors: boundary.errors,
+      warnings: boundary.warnings
+    }
   };
+  if (boundary.errors.length > 0) {
+    io.out(JSON.stringify({ ok: false, ...base }));
+    return 1;
+  }
   switch (group.kind) {
     case "skipped":
       io.out(JSON.stringify({ ok: true, ...base }));
@@ -9557,15 +10190,15 @@ function describe30(e) {
 // src/update-notifier.ts
 import { spawn as spawn6 } from "node:child_process";
 import { homedir as homedir4 } from "node:os";
-import { join as join12 } from "node:path";
-import { mkdirSync as mkdirSync3, readFileSync as readFileSync15, writeFileSync as writeFileSync8 } from "node:fs";
+import { join as join13 } from "node:path";
+import { mkdirSync as mkdirSync3, readFileSync as readFileSync17, writeFileSync as writeFileSync8 } from "node:fs";
 var INTERNAL_REFRESH_VERB = "__refresh-update-cache";
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000;
 var OPT_OUT_ENV = "LAUNCHPAD_NO_UPDATE_NOTIFIER";
-var CACHE_FILE = join12(homedir4(), ".launchpad", "update-check.json");
+var CACHE_FILE = join13(homedir4(), ".launchpad", "update-check.json");
 function readCache2() {
   try {
-    const raw = JSON.parse(readFileSync15(CACHE_FILE, "utf8"));
+    const raw = JSON.parse(readFileSync17(CACHE_FILE, "utf8"));
     if (typeof raw === "object" && raw !== null && typeof raw.checkedAt === "number") {
       const latest = raw.latest;
       return {
@@ -9578,7 +10211,7 @@ function readCache2() {
 }
 function writeCache2(state) {
   try {
-    mkdirSync3(join12(homedir4(), ".launchpad"), { recursive: true });
+    mkdirSync3(join13(homedir4(), ".launchpad"), { recursive: true });
     writeFileSync8(CACHE_FILE, `${JSON.stringify(state)}
 `, { mode: 384 });
   } catch {}