@ramonclaudio/vexpo 0.1.0 → 0.1.1

package/dist/cli.js

@@ -1,28 +1,39 @@
 #!/usr/bin/env node
-import { ascStatus, ascConnect } from './chunk-A43VGOE3.js';
+import { ensureLine, readOne, readAll, removeLines, ENV_FILE } from './chunk-3TT4CDAJ.js';
+import { ascStatus } from './chunk-VOL7YISA.js';
 import { dlx, detectPackageManager, installCmdFor } from './chunk-PYXH4J77.js';
-import { spawn, streamText, run } from './chunk-QFP5R25M.js';
-import { unansweredOlderThan, reviews } from './chunk-5JSZTHAP.js';
+import { run, spawn } from './chunk-QFP5R25M.js';
 import { Command } from 'commander';
-import { readFile, unlink, stat, mkdir, access, writeFile, rename } from 'fs/promises';
+import { readFile, access, writeFile, unlink, stat, mkdir, rename } from 'fs/promises';
 import { createInterface } from 'readline/promises';
-import { existsSync } from 'fs';
 import { homedir } from 'os';
+import { join } from 'path';
+import { existsSync, readFileSync } from 'fs';
 import { createSign } from 'crypto';
 
 // package.json
 var package_default = {
-  version: "0.1.0"};
+  version: "0.1.1"};
 function deploymentName(value) {
   if (!value) return void 0;
   const m = /^(?:dev|prod|preview):(.+)$/.exec(value);
   return m ? m[1] : value;
 }
 function targetArgs(target) {
-  if (target?.prod) return ["--prod"];
+  if (target?.prod) {
+    return target.envFile ? ["--env-file", target.envFile] : ["--prod"];
+  }
   const explicit = target?.deployment ?? deploymentName(process.env.CONVEX_DEPLOYMENT);
   return explicit ? ["--deployment", explicit] : [];
 }
+function unquoteEnvValue(value) {
+  const q = value[0];
+  if ((q === '"' || q === "'") && value.length >= 2 && value[value.length - 1] === q) {
+    const inner = value.slice(1, -1);
+    return q === '"' ? inner.replace(/\\n/g, "\n") : inner;
+  }
+  return value;
+}
 async function envMap(target) {
   const argv = [dlx(), "convex", "env", "list", ...targetArgs(target)];
   const { code, stdout } = await run(argv);
@@ -32,7 +43,7 @@ async function envMap(target) {
     const trimmed = raw.trim();
     if (!trimmed) continue;
     const eq = trimmed.indexOf("=");
-    if (eq > 0) out.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
+    if (eq > 0) out.set(trimmed.slice(0, eq), unquoteEnvValue(trimmed.slice(eq + 1)));
   }
   return out;
 }
@@ -75,6 +86,9 @@ async function isLoggedIn() {
     return false;
   }
 }
+function deploymentSlug(value) {
+  return deploymentName(value);
+}
 async function checkCli() {
   const { code, stdout } = await run([dlx(), "eas", "--version"]);
   if (code !== 0) return { ok: false };
@@ -87,19 +101,26 @@ async function whoami() {
   const text = stdout.trim();
   return text ? text.split("\n")[0].trim() : null;
 }
-async function projectIdFromAppJson() {
+async function resolveProjectId() {
   try {
-    try {
-      await access("app.json");
-    } catch {
-      return null;
-    }
+    await access("app.json");
     const json = JSON.parse(await readFile("app.json", "utf8"));
     const value = json.expo?.extra?.eas?.projectId;
-    return value && value.length > 0 ? value : null;
+    if (value && value.length > 0) return value;
+  } catch {
+  }
+  const fromProcess = process.env.EAS_PROJECT_ID;
+  if (fromProcess && fromProcess.length > 0) return fromProcess;
+  try {
+    const { readOne: readOne2 } = await import('./env-local-TW3T2PZ6.js');
+    const fromFile = await readOne2("EAS_PROJECT_ID");
+    if (fromFile && fromFile.length > 0) {
+      process.env.EAS_PROJECT_ID = fromFile;
+      return fromFile;
+    }
   } catch {
-    return null;
   }
+  return null;
 }
 async function envList(environment = "production") {
   const { code, stdout } = await run([
@@ -155,7 +176,7 @@ async function envUpdate(name, value, visibility, environments = ["production",
     visibility
   ];
   if (opts?.type) argv.push("--type", opts.type);
-  for (const env2 of environments) argv.push("--environment", env2);
+  for (const env2 of environments) argv.push("--variable-environment", env2);
   argv.push("--non-interactive");
   const { code, stderr } = await run(argv);
   if (code !== 0) {
@@ -164,18 +185,18 @@ async function envUpdate(name, value, visibility, environments = ["production",
   }
 }
 async function envPush(opts) {
-  const argv = [dlx(), "eas", "env:push"];
-  for (const env2 of opts.environments) argv.push("--environment", env2);
-  argv.push("--path", opts.path);
-  if (opts.force) argv.push("--force");
-  const { code, stderr } = await run(argv);
-  if (code !== 0) {
-    const tail = stderr.trim().split("\n").pop()?.trim() ?? `exit ${code}`;
-    throw new Error(`eas env:push failed: ${tail}`);
+  for (const env2 of opts.environments) {
+    const argv = [dlx(), "eas", "env:push", "--environment", env2, "--path", opts.path];
+    if (opts.force) argv.push("--force");
+    const { code, stderr } = await run(argv);
+    if (code !== 0) {
+      const tail = stderr.trim().split("\n").pop()?.trim() ?? `exit ${code}`;
+      throw new Error(`eas env:push (${env2}) failed: ${tail}`);
+    }
   }
 }
 async function init() {
-  const existing = await projectIdFromAppJson();
+  const existing = await resolveProjectId();
   const argv = existing ? [dlx(), "eas", "init", "--non-interactive", "--force", "--id", existing] : [dlx(), "eas", "init", "--non-interactive", "--force"];
   const proc = spawn(argv, {
     stdin: "inherit",
@@ -183,7 +204,7 @@ async function init() {
     stderr: "inherit"
   });
   if (await proc.exited !== 0) return { ok: false };
-  const id = await projectIdFromAppJson();
+  const id = await resolveProjectId();
   return { ok: !!id, projectId: id ?? void 0 };
 }
 async function diagnostics() {
@@ -323,13 +344,20 @@ async function call(method, path, key, body) {
   throw new Error(`Resend ${method} ${path} \u2192 429 after retries`);
 }
 async function probeAccess(key) {
-  const res = await fetch(`${BASE}/api-keys`, {
-    headers: { Authorization: `Bearer ${key}` }
-  });
-  if (res.ok) return "full";
-  const text = await res.text();
-  if (text.includes("restricted_api_key")) return "sending";
-  return "invalid";
+  const ctl = new AbortController();
+  const timer = setTimeout(() => ctl.abort(), REQUEST_TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE}/api-keys`, {
+      headers: { Authorization: `Bearer ${key}` },
+      signal: ctl.signal
+    });
+    if (res.ok) return "full";
+    const text = await res.text();
+    if (text.includes("restricted_api_key")) return "sending";
+    return "invalid";
+  } finally {
+    clearTimeout(timer);
+  }
 }
 async function listDomains(key) {
   return (await call("GET", "/domains", key)).data;
@@ -385,7 +413,7 @@ async function provisionWebhook(fullKey, endpoint, events = RESEND_TRANSACTIONAL
     await deleteWebhook(fullKey, stale.id);
   }
   const created = await createWebhook(fullKey, { endpoint, events: [...events] });
-  return created.signing_secret;
+  return { id: created.id, secret: created.signing_secret };
 }
 var RESET = "\x1B[0m";
 var BOLD = "\x1B[1m";
@@ -567,10 +595,11 @@ function isStepFresh(state, name, ttlHours) {
 function checkConcurrentRun(state) {
   const updated = new Date(state.updatedAt).getTime();
   const ageMs = Date.now() - updated;
-  if (ageMs < PID_WARN_WINDOW_MS && state.lastPid !== 0 && state.lastPid !== process.pid) {
-    return { stale: false, otherPid: state.lastPid };
+  const hasOtherPid = typeof state.lastPid === "number" && Number.isFinite(state.lastPid) && state.lastPid !== 0 && state.lastPid !== process.pid;
+  if (ageMs < PID_WARN_WINDOW_MS && hasOtherPid) {
+    return { active: true, otherPid: state.lastPid };
   }
-  return { stale: true };
+  return { active: false };
 }
 function fingerprint(value) {
   let h = 0;
@@ -620,13 +649,13 @@ async function statusResend() {
       detail: "no env var"
     };
   }
-  const access14 = await probeAccess(k);
-  if (access14 === "full") return { name: "Resend", what: "full-access API key", status: "ok" };
+  const access17 = await probeAccess(k);
+  if (access17 === "full") return { name: "Resend", what: "full-access API key", status: "ok" };
   return {
     name: "Resend",
     what: "full-access API key in RESEND_FULL_ACCESS_KEY env",
     status: "missing",
-    detail: access14 === "sending" ? "key has only sending access" : "key invalid"
+    detail: access17 === "sending" ? "key has only sending access" : "key invalid"
   };
 }
 var ROW_APPLE = {
@@ -681,7 +710,7 @@ async function walkDomain() {
     lines: [
       `${BOLD}what:${RESET}   a domain you control DNS for`,
       `${BOLD}where:${RESET}  any registrar (Cloudflare, GoDaddy, Route 53, Namecheap, Vercel, \u2026)`,
-      `${BOLD}notes:${RESET}  after \`bunx vexpo resend\`, you'll add SPF/DKIM/DMARC records at your registrar`,
+      `${BOLD}notes:${RESET}  after \`npx vexpo resend\`, you'll add SPF/DKIM/DMARC records at your registrar`,
       "        Resend's dashboard shows them and verifies. vexpo doesn't automate this.",
       "vexpo doesn't register domains for you."
     ],
@@ -706,23 +735,26 @@ async function walkConvex() {
     lines: [
       `${BOLD}what:${RESET}   logged-in Convex CLI session`,
       `${BOLD}where:${RESET}  free tier at dashboard.convex.dev (instant signup)`,
-      `${BOLD}how:${RESET}    \`bunx convex login\` (browser-based OAuth)`
+      `${BOLD}how:${RESET}    \`npx convex login\` (browser-based OAuth)`
     ],
     urls: [{ label: "dashboard", url: "https://dashboard.convex.dev" }]
   });
   if (!process.stdin.isTTY) {
-    bad("non-TTY: run `bunx convex login` then re-run");
+    bad("non-TTY: run `npx convex login` then re-run");
     return;
   }
   if (await askYesNo(`Run \`${dlx()} convex login\` now?`, false)) {
     const proc = spawn([dlx(), "convex", "login"], {
       stdio: ["inherit", "inherit", "inherit"]
     });
-    if (await proc.exited !== 0) fail("convex login did not complete");
+    if (await proc.exited !== 0) {
+      yep("convex login did not complete; run `npx convex login` later");
+      return;
+    }
     if ((await statusConvex()).status === "ok") ok("Convex authenticated");
-    else fail("still not signed in");
+    else yep("still not signed in; run `npx convex login` later");
   } else {
-    nop("`bunx convex login` will prompt automatically when `bunx vexpo convex` runs");
+    nop("`npx convex login` will prompt automatically when `npx vexpo convex` runs");
   }
 }
 async function walkExpo() {
@@ -736,7 +768,7 @@ async function walkExpo() {
     lines: [
       `${BOLD}what:${RESET}   logged-in EAS CLI session`,
       `${BOLD}where:${RESET}  free tier at expo.dev/signup (instant signup)`,
-      `${BOLD}how:${RESET}    \`bunx eas login\` (browser-based OAuth)`
+      `${BOLD}how:${RESET}    \`npx eas login\` (browser-based OAuth)`
     ],
     urls: [
       { label: "signup", url: "https://expo.dev/signup" },
@@ -744,17 +776,20 @@ async function walkExpo() {
     ]
   });
   if (!process.stdin.isTTY) {
-    bad("non-TTY: run `bunx eas login` then re-run");
+    bad("non-TTY: run `npx eas login` then re-run");
     return;
   }
   if (await askYesNo(`Run \`${dlx()} eas login\` now?`, false)) {
     const proc = spawn([dlx(), "eas", "login"], { stdio: ["inherit", "inherit", "inherit"] });
-    if (await proc.exited !== 0) fail("eas login did not complete");
+    if (await proc.exited !== 0) {
+      yep("eas login did not complete; run `npx eas login` later");
+      return;
+    }
     const after = await statusExpo();
     if (after.status === "ok") ok(`signed in as ${after.detail}`);
-    else fail("still not signed in");
+    else yep("still not signed in; run `npx eas login` later");
   } else {
-    nop("`bunx eas login` will prompt automatically when the EAS phase of `bunx vexpo full` runs");
+    nop("`npx eas login` will prompt automatically when the EAS phase of `npx vexpo full` runs");
   }
 }
 async function walkResend() {
@@ -770,14 +805,14 @@ async function walkResend() {
       `${BOLD}where:${RESET}  free tier at resend.com (instant signup)`,
       `${BOLD}how:${RESET}    Create API Key \u2192 Permission: ${BOLD}Full Access${RESET} \u2192 copy \u2192 export`,
       `${BOLD}notes:${RESET}  used once to provision a scoped sending key, then discarded.`,
-      "        `bunx vexpo resend` will prompt for it interactively if env isn't set."
+      "        `npx vexpo resend` will prompt for it interactively if env isn't set."
     ],
     urls: [
       { label: "signup", url: "https://resend.com/signup" },
       { label: "API keys", url: "https://resend.com/api-keys" }
     ]
   });
-  nop("`bunx vexpo resend` handles the key prompt. Nothing to do here");
+  nop("`npx vexpo resend` handles the key prompt. Nothing to do here");
 }
 async function runAccounts(options2) {
   try {
@@ -823,7 +858,7 @@ async function runAccounts(options2) {
       `                           where: ${DIM}https://developer.apple.com/account/resources/authkeys/list${RESET}`
     );
     note(
-      `${BOLD}DNS records${RESET}                added at your registrar after \`bunx vexpo resend\``
+      `${BOLD}DNS records${RESET}                added at your registrar after \`npx vexpo resend\``
     );
     note(`                           Resend dashboard shows them + verifies them`);
     await recordStep("accounts", {
@@ -841,184 +876,658 @@ async function runAccounts(options2) {
     return 1;
   }
 }
-function expandTilde(p) {
-  if (p === "~") return homedir();
-  if (p.startsWith("~/")) return `${homedir()}${p.slice(1)}`;
-  return p;
+async function readJsonOrNull(path) {
+  try {
+    return JSON.parse(await readFile(path, "utf8"));
+  } catch {
+    return null;
+  }
 }
-
-// src/commands/apple/credentials.ts
-async function loadAscFromState() {
-  const state = await load();
-  const rec = state.steps["asc-key"];
-  if (!rec?.outputs) return null;
-  const out = rec.outputs;
-  const issuerId = out.issuerId;
-  const keyId = out.keyId;
-  const rawPath = out.p8Path;
-  if (!issuerId || !keyId || !rawPath) return null;
-  const p8Path = expandTilde(rawPath);
-  if (!existsSync(p8Path)) return null;
-  return { issuerId, keyId, p8Path };
+async function readTextOrNull(path) {
+  try {
+    await access(path);
+    return await readFile(path, "utf8");
+  } catch {
+    return null;
+  }
 }
-async function runAppleCredentials(options2) {
-  section("EAS iOS credentials");
-  const profile = options2.profile ?? "production";
-  const asc = await loadAscFromState();
-  if (!asc) {
-    yep("no cached ASC creds. Run `vexpo apple asc-key` first to validate one.");
-    return 1;
+async function pkgName() {
+  const pkg = await readJsonOrNull("package.json");
+  return typeof pkg?.name === "string" && pkg.name ? pkg.name : "app";
+}
+async function appName() {
+  const text = await readTextOrNull("app.config.ts");
+  if (text) {
+    const ternary = /name:\s*IS_DEV\s*\?\s*"[^"]+"\s*:\s*"([^"]+)"/.exec(text)?.[1];
+    if (ternary) return ternary;
+    const quoted = /\bname:\s*["']([^"']+)["']/.exec(text)?.[1];
+    if (quoted) return quoted;
   }
-  ok(`cached ASC API key found in state.json`);
-  note(`  issuerId: ${BOLD}${asc.issuerId}${RESET}`);
-  note(`  keyId:    ${BOLD}${asc.keyId}${RESET}`);
-  note(`  .p8:      ${BOLD}${asc.p8Path}${RESET}`);
-  line();
-  note("eas-cli's credentials wizard is interactive (no non-interactive path).");
-  note("It walks through:");
-  note(`  1. ${BOLD}App Store Connect: Manage your API Key${RESET}, Set up a new key`);
-  note("     paste the 3 values above when prompted");
-  note(`  2. ${BOLD}Build Credentials${RESET}, generate dist cert + provisioning profile`);
-  note(`  3. ${BOLD}Push Notifications${RESET}, generate APNs key`);
-  note("");
-  note("After this, every `eas build` + `eas submit` works without Apple Developer");
-  note("login prompts. Existing creds are detected and reused.");
-  line();
-  if (process.stdin.isTTY) {
-    if (!await askYesNo(`Run \`eas credentials -p ios -e ${profile}\` now?`, true)) {
-      nop("skipped (run `bunx eas credentials -p ios` later)");
-      return 0;
+  const name = await pkgName();
+  const clean = name.replace(/^@[^/]+\//, "");
+  const parts = clean.split(/[-_]/).filter(Boolean);
+  if (parts.length === 0) return "App";
+  return parts.map((w) => (w[0] ?? "").toUpperCase() + w.slice(1)).join(" ");
+}
+async function scheme() {
+  const text = await readTextOrNull("app.config.ts");
+  if (!text) return "app";
+  return /scheme:\s*["']([^"']+)["']/.exec(text)?.[1] ?? "app";
+}
+async function bundleIdFallback() {
+  const text = await readTextOrNull("app.config.ts");
+  if (!text) return null;
+  return /EXPO_PUBLIC_APP_BUNDLE_ID\s*\?\?\s*"([^"]+)"/.exec(text)?.[1] ?? null;
+}
+async function appleTeamIdFallback() {
+  const text = await readTextOrNull("app.config.ts");
+  if (!text) return null;
+  const value = /EXPO_PUBLIC_APPLE_TEAM_ID\s*\?\?\s*"([^"]+)"/.exec(text)?.[1] ?? null;
+  if (!value || value === "ABCDE12345") return null;
+  return value;
+}
+
+// src/commands/better-auth.ts
+function base64Secret() {
+  const buf = new Uint8Array(32);
+  crypto.getRandomValues(buf);
+  return btoa(String.fromCharCode(...buf));
+}
+async function runBetterAuth(options2) {
+  section("Better Auth env");
+  try {
+    const env2 = await envMap();
+    const siteUrl = options2.siteUrl ?? `${await scheme()}://`;
+    if (env2.has("SITE_URL") && env2.get("SITE_URL") === siteUrl) {
+      nop(`SITE_URL already set to ${siteUrl}`);
+    } else {
+      await envSet("SITE_URL", siteUrl);
+      ok(`set SITE_URL=${siteUrl}`);
     }
-  } else {
-    nop("non-TTY: skipping interactive wizard");
+    if (env2.has("BETTER_AUTH_SECRET") && !options2.rotateSecret) {
+      nop("BETTER_AUTH_SECRET already set (use --rotate-secret to regenerate)");
+    } else {
+      await envSet("BETTER_AUTH_SECRET", base64Secret());
+      ok(
+        options2.rotateSecret === true ? "rotated BETTER_AUTH_SECRET (sessions invalidated)" : "generated BETTER_AUTH_SECRET"
+      );
+    }
+    const desiredAppName = options2.appName ?? await appName();
+    if (env2.has("APP_NAME") && env2.get("APP_NAME") === desiredAppName) {
+      nop(`APP_NAME already set to ${desiredAppName}`);
+    } else {
+      await envSet("APP_NAME", desiredAppName);
+      ok(`set APP_NAME=${desiredAppName}`);
+    }
+    await recordStep("better-auth", {
+      siteUrl,
+      appName: desiredAppName,
+      rotated: options2.rotateSecret === true
+    });
     return 0;
+  } catch (err) {
+    bad(err instanceof Error ? err.message : String(err));
+    return 1;
   }
-  const env2 = {
-    ...process.env,
-    EXPO_ASC_API_KEY_PATH: asc.p8Path,
-    EXPO_ASC_KEY_ID: asc.keyId,
-    EXPO_ASC_ISSUER_ID: asc.issuerId
-  };
-  const proc = spawn([dlx(), "eas", "credentials:configure-build", "-p", "ios", "-e", profile], {
-    stdin: "inherit",
-    stdout: "inherit",
-    stderr: "inherit",
-    env: env2
-  });
-  const code = await proc.exited;
-  if (code !== 0) {
-    bad(`eas credentials exited with code ${code}`);
-    return code;
-  }
-  await recordStep("apple-credentials", {
-    profile,
-    configuredAt: (/* @__PURE__ */ new Date()).toISOString(),
-    ascIssuerId: asc.issuerId,
-    ascKeyId: asc.keyId
-  });
-  line();
-  ok("EAS credentials configured");
-  yep(`next: ${BOLD}bun run eas:dev:device${RESET} to build the dev client on a registered device`);
-  return 0;
 }
-async function readPrivateKey(source) {
-  if ("contents" in source) return source.contents;
-  const path = expandTilde(source.path);
+var BASE2 = `${process.env.CONVEX_PROVISION_HOST || "https://api.convex.dev"}/v1`;
+async function accessToken() {
   try {
-    await access(path);
+    const raw = await readFile(join(homedir(), ".convex", "config.json"), "utf8");
+    const token = JSON.parse(raw).accessToken;
+    return token && token.length > 0 ? token : null;
   } catch {
-    throw new Error(`p8 file not found at ${path}`);
+    return null;
   }
-  return readFile(path, "utf8");
 }
-async function signClientSecret(opts) {
-  const days = opts.expirationDays;
-  const now = Math.floor(Date.now() / 1e3);
-  const header = { alg: "ES256", kid: opts.keyId };
-  const payload = {
-    iss: opts.teamId,
-    iat: now,
-    exp: now + days * 86400,
-    aud: "https://appleid.apple.com",
-    sub: opts.servicesId
-  };
-  const privateKey = await readPrivateKey(opts.privateKey);
-  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
-  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
-  const signingInput = `${headerB64}.${payloadB64}`;
-  const signer = createSign("SHA256");
-  signer.update(signingInput);
-  signer.end();
-  const signature = signer.sign({ key: privateKey, dsaEncoding: "ieee-p1363" }).toString("base64url");
-  return `${signingInput}.${signature}`;
+async function checkToken() {
+  const token = await accessToken();
+  if (!token) return "no-token";
+  const ctl = new AbortController();
+  const timer = setTimeout(() => ctl.abort(), 8e3);
+  try {
+    const res = await fetch(`${BASE2}/list_personal_access_tokens`, {
+      headers: { Authorization: `Bearer ${token}`, "Convex-Client": "vexpo-cli" },
+      signal: ctl.signal
+    });
+    return res.status === 401 || res.status === 403 ? "unauthorized" : "valid";
+  } catch {
+    return "valid";
+  } finally {
+    clearTimeout(timer);
+  }
 }
-var ENV_FILE = ".env.local";
-async function fileExists2(p) {
+async function get(token, path) {
+  const ctl = new AbortController();
+  const timer = setTimeout(() => ctl.abort(), 1e4);
   try {
-    await access(p);
-    return true;
+    const res = await fetch(`${BASE2}${path}`, {
+      headers: { Authorization: `Bearer ${token}`, "Convex-Client": "vexpo-cli" },
+      signal: ctl.signal
+    });
+    if (!res.ok) return null;
+    return await res.json();
   } catch {
-    return false;
+    return null;
+  } finally {
+    clearTimeout(timer);
   }
 }
-async function readAll() {
-  const out = /* @__PURE__ */ new Map();
-  if (!await fileExists2(ENV_FILE)) return out;
-  const text = (await readFile(ENV_FILE, "utf8")).replace(/^/, "").replace(/\r\n/g, "\n");
-  const lines = text.split("\n");
-  for (let i = 0; i < lines.length; i++) {
-    const raw = lines[i];
-    const trimmed = raw.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    const eq = trimmed.indexOf("=");
-    if (eq <= 0) continue;
-    const key = trimmed.slice(0, eq).trim();
-    let value = trimmed.slice(eq + 1);
-    const startQuote = value.match(/^\s*(['"])/);
-    if (startQuote) {
-      const quote = startQuote[1];
-      let rest = value.replace(/^\s*['"]/, "");
-      let endIdx = rest.indexOf(quote);
-      while (endIdx === -1 && i + 1 < lines.length) {
-        i += 1;
-        rest += `
-${lines[i]}`;
-        endIdx = rest.indexOf(quote);
-      }
-      value = endIdx === -1 ? rest : rest.slice(0, endIdx);
-      out.set(key, value);
-      continue;
+async function post(token, path, body) {
+  const ctl = new AbortController();
+  const timer = setTimeout(() => ctl.abort(), 15e3);
+  try {
+    const res = await fetch(`${BASE2}${path}`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Convex-Client": "vexpo-cli",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body),
+      signal: ctl.signal
+    });
+    const text = await res.text();
+    if (!res.ok) {
+      throw new Error(`Convex Platform POST ${path} \u2192 ${res.status}: ${text.slice(0, 200)}`);
     }
-    value = value.trim();
-    const hashAt = value.search(/\s#/);
-    if (hashAt >= 0) value = value.slice(0, hashAt).trim();
-    out.set(key, value);
+    return text ? JSON.parse(text) : void 0;
+  } finally {
+    clearTimeout(timer);
   }
-  return out;
 }
-async function readOne(key) {
-  return (await readAll()).get(key);
+async function requireToken() {
+  const token = await accessToken();
+  if (!token) throw new Error("not logged in to Convex (no ~/.convex/config.json accessToken)");
+  return token;
 }
-async function ensureLine(key, value) {
-  const current = await fileExists2(ENV_FILE) ? await readFile(ENV_FILE, "utf8") : "";
-  if (new RegExp(`^${key}=`, "m").test(current)) return;
-  const needsNewline = current !== "" && !current.endsWith("\n");
-  await writeFile(ENV_FILE, `${current}${needsNewline ? "\n" : ""}${key}=${value}
-`);
+async function mintDeployKey(deploymentName2, opts) {
+  const token = await requireToken();
+  const body = { name: opts?.name ?? "vexpo" };
+  if (opts?.expiresAtMs) {
+    if (opts.expiresAtMs < Date.now() + 30 * 6e4) {
+      throw new Error("deploy key expiresAtMs must be at least 30 minutes in the future");
+    }
+    body.expiresAt = opts.expiresAtMs;
+  }
+  const res = await post(
+    token,
+    `/deployments/${deploymentName2}/create_deploy_key`,
+    body
+  );
+  if (!res?.deployKey) throw new Error("create_deploy_key returned no deployKey");
+  return res.deployKey;
+}
+async function resolveProdDeployment(anyDeploymentName) {
+  const deployments = await listProjectDeployments(anyDeploymentName);
+  if (!deployments) return null;
+  const prods = deploymentsOfType(deployments, "prod");
+  return (prods.find((d) => d.isDefault) ?? prods[0])?.name ?? null;
+}
+async function mintProdDeployKey(anyDeploymentName, name = "vexpo") {
+  const deployment = await resolveProdDeployment(anyDeploymentName);
+  if (!deployment) return null;
+  return { key: await mintDeployKey(deployment, { name }), deployment };
+}
+async function listProjectDeployments(deploymentName2) {
+  const token = await accessToken();
+  if (!token) return null;
+  const dep = await get(token, `/deployments/${deploymentName2}`);
+  if (!dep?.projectId) return null;
+  const list = await get(
+    token,
+    `/projects/${dep.projectId}/list_deployments`
+  );
+  return Array.isArray(list) ? list : null;
+}
+function deploymentsOfType(deployments, type) {
+  return deployments.filter((d) => d.deploymentType === type);
 }
-async function removeLines(keys) {
-  if (!await fileExists2(ENV_FILE)) return;
-  const text = await readFile(ENV_FILE, "utf8");
-  const drop = new Set(keys);
-  const next = text.split("\n").filter((l) => {
-    const eq = l.indexOf("=");
-    if (eq <= 0) return true;
-    return !drop.has(l.slice(0, eq).trim());
-  }).join("\n").replace(/\n{3,}/g, "\n\n");
-  await writeFile(ENV_FILE, next);
+function describeDeployment(d) {
+  return d.reference ? `${d.name} (${d.reference})` : d.name;
+}
+
+// src/commands/convex.ts
+var BUNDLE_ID_RE = /^[A-Za-z0-9.-]+$/;
+var TEAM_ID_RE = /^[A-Z0-9]{10}$/;
+function planConvexDev(options2, needsProvisioning, projectName) {
+  const devArgs = ["convex", "dev", "--once", "--tail-logs", "disable"];
+  if (needsProvisioning) {
+    devArgs.push("--configure", "new", "--project", projectName);
+    devArgs.push("--dev-deployment", options2.local ? "local" : "cloud");
+  }
+  return { selectLocalFirst: !!options2.local && !needsProvisioning, devArgs };
+}
+async function runConvex(options2) {
+  section("Convex deployment");
+  try {
+    const tokenStatus = await checkToken();
+    if (tokenStatus !== "valid") {
+      yep(
+        tokenStatus === "no-token" ? "not signed in to Convex" : "Convex token expired or revoked"
+      );
+      await helpAndWait({
+        body: "Sign in (or refresh) with `npx convex login` in another terminal:",
+        urls: [
+          { label: "Convex sign-up", url: "https://convex.dev" },
+          { label: "Convex dashboard", url: "https://dashboard.convex.dev" }
+        ],
+        allowSkip: true,
+        skipLabel: "skip"
+      });
+    }
+    const localEnv = await readAll();
+    const existing = localEnv.get("CONVEX_DEPLOYMENT");
+    if (options2.fresh) {
+      await removeLines([
+        "CONVEX_DEPLOYMENT",
+        "EXPO_PUBLIC_CONVEX_URL",
+        "EXPO_PUBLIC_CONVEX_SITE_URL"
+      ]);
+    }
+    const needsProvisioning = options2.fresh === true || !existing;
+    const projectName = options2.name ?? await pkgName();
+    const plan = planConvexDev(options2, needsProvisioning, projectName);
+    if (plan.selectLocalFirst) {
+      const sel = spawn([dlx(), "convex", "deployment", "select", "local"], {
+        stdin: "inherit",
+        stdout: "inherit",
+        stderr: "inherit"
+      });
+      if (await sel.exited !== 0) {
+        bad("convex deployment select local failed");
+        return 1;
+      }
+    }
+    const cmd = [dlx(), ...plan.devArgs];
+    if (needsProvisioning) {
+      ok(`provisioning Convex project '${projectName}'`);
+    } else {
+      ok(`connecting to existing deployment ${existing}`);
+    }
+    const proc = spawn(cmd, { stdin: "inherit", stdout: "inherit", stderr: "inherit" });
+    if (await proc.exited !== 0) {
+      bad("convex dev exited with a non-zero code");
+      return 1;
+    }
+    const refreshed = await readAll();
+    const deployment = refreshed.get("CONVEX_DEPLOYMENT");
+    if (!deployment) {
+      bad("CONVEX_DEPLOYMENT missing after convex dev ran");
+      return 1;
+    }
+    const slug2 = deployment.split("#")[0].trim().split(":")[1];
+    if (!slug2) {
+      bad(`invalid CONVEX_DEPLOYMENT: ${deployment}`);
+      return 1;
+    }
+    process.env.CONVEX_DEPLOYMENT = deployment;
+    if (refreshed.has("EXPO_PUBLIC_CONVEX_URL")) {
+      nop("EXPO_PUBLIC_CONVEX_URL already set");
+    } else {
+      await ensureLine("EXPO_PUBLIC_CONVEX_URL", `https://${slug2}.convex.cloud`);
+      ok("wrote EXPO_PUBLIC_CONVEX_URL");
+    }
+    if (refreshed.has("EXPO_PUBLIC_CONVEX_SITE_URL")) {
+      nop("EXPO_PUBLIC_CONVEX_SITE_URL already set");
+    } else {
+      await ensureLine("EXPO_PUBLIC_CONVEX_SITE_URL", `https://${slug2}.convex.site`);
+      ok("wrote EXPO_PUBLIC_CONVEX_SITE_URL");
+    }
+    if (refreshed.has("EXPO_PUBLIC_SITE_URL")) {
+      nop("EXPO_PUBLIC_SITE_URL already set");
+    } else {
+      const s = `${await scheme()}://`;
+      await ensureLine("EXPO_PUBLIC_SITE_URL", s);
+      ok(`wrote EXPO_PUBLIC_SITE_URL=${s}`);
+    }
+    await ensureIdentity(refreshed);
+    await recordStep("convex", {
+      deployment,
+      slug: slug2,
+      ...options2.local ? { local: true } : {}
+    });
+    line();
+    ok(`Convex deployment ready: ${BOLD}${slug2}${RESET}`);
+    note(`dashboard: https://dashboard.convex.dev/d/${slug2}`);
+    return 0;
+  } catch (err) {
+    bad(err instanceof Error ? err.message : String(err));
+    return 1;
+  }
+}
+async function ensureIdentity(localEnv) {
+  const haveBundle = localEnv.has("EXPO_PUBLIC_APP_BUNDLE_ID");
+  const haveTeam = localEnv.has("EXPO_PUBLIC_APPLE_TEAM_ID");
+  let bundleId = localEnv.get("EXPO_PUBLIC_APP_BUNDLE_ID");
+  let teamId = localEnv.get("EXPO_PUBLIC_APPLE_TEAM_ID");
+  if (!haveBundle) {
+    if (!process.stdin.isTTY) {
+      yep("EXPO_PUBLIC_APP_BUNDLE_ID not set (non-TTY); skipping prompt");
+      yep("set it in .env.local before running `vexpo apple` or building");
+    } else {
+      const fromConfig = await bundleIdFallback();
+      const isTemplate = !fromConfig || fromConfig.startsWith("com.example.");
+      const suggested = isTemplate ? `com.example.${await pkgName()}` : fromConfig;
+      const cachedHint = isTemplate ? "" : ` ${DIM}(from app.config.ts)${RESET}`;
+      const raw = (await ask(
+        `  iOS bundle id ${DIM}(reverse-DNS, e.g. com.you.app)${RESET}${cachedHint}
+  ${DIM}> ${suggested} ${RESET}`
+      )).trim();
+      bundleId = raw || suggested;
+      if (!BUNDLE_ID_RE.test(bundleId)) {
+        throw new Error(`invalid bundle id '${bundleId}' (allowed: A-Z a-z 0-9 . -)`);
+      }
+      await ensureLine("EXPO_PUBLIC_APP_BUNDLE_ID", bundleId);
+      ok(`wrote EXPO_PUBLIC_APP_BUNDLE_ID=${bundleId}`);
+    }
+  } else {
+    nop(`EXPO_PUBLIC_APP_BUNDLE_ID already set (${bundleId})`);
+  }
+  if (!haveTeam) {
+    if (!process.stdin.isTTY) {
+      yep("EXPO_PUBLIC_APPLE_TEAM_ID not set (non-TTY); skipping prompt");
+    } else {
+      const fromConfig = await appleTeamIdFallback();
+      const cachedHint = fromConfig ? ` ${DIM}[${fromConfig} from app.config.ts]${RESET}` : "";
+      const raw = (await ask(
+        `  Apple Team id ${DIM}(10-char alphanumeric, find at developer.apple.com/account)${RESET}${cachedHint}
+  ${DIM}> ${RESET}`
+      )).trim().toUpperCase();
+      const value = raw || (fromConfig ?? "");
+      if (!TEAM_ID_RE.test(value)) {
+        throw new Error(`invalid Apple Team id '${value}' (must be 10 uppercase alphanumeric)`);
+      }
+      teamId = value;
+      await ensureLine("EXPO_PUBLIC_APPLE_TEAM_ID", teamId);
+      ok(`wrote EXPO_PUBLIC_APPLE_TEAM_ID=${teamId}`);
+    }
+  } else {
+    nop(`EXPO_PUBLIC_APPLE_TEAM_ID already set (${teamId})`);
+  }
+  if (bundleId) {
+    await envSet("APP_BUNDLE_ID", bundleId);
+    ok(`Convex env: APP_BUNDLE_ID=${bundleId}`);
+  }
+  if (teamId) {
+    await envSet("APPLE_TEAM_ID", teamId);
+    ok(`Convex env: APPLE_TEAM_ID=${teamId}`);
+  }
+}
+
+// src/commands/adopt.ts
+function buildFinishRunbook(s) {
+  const steps = [];
+  if (!s.hasResend) {
+    steps.push({ cmd: "vexpo resend", desc: "provision the dev sending key + webhook" });
+  }
+  if (!s.hasApple) {
+    steps.push({ cmd: "vexpo apple jwt", desc: "sign Apple Sign In (or --copy-from <old>)" });
+    steps.push({ cmd: "vexpo asc:connect", desc: "link EAS to App Store Connect for submit" });
+  }
+  if (!s.hasProd) {
+    steps.push({ cmd: "npx convex deploy", desc: "provision + push to the prod deployment" });
+  }
+  steps.push({
+    cmd: `vexpo convex:migrate --from ${s.devSlug} --prod`,
+    desc: "mirror server-side env onto prod"
+  });
+  steps.push({ cmd: "vexpo env convex-key", desc: "sync the deploy key + selector to EAS" });
+  if (!s.hasEasProdUrl) {
+    steps.push({ cmd: "vexpo full", desc: "push prod/preview EAS env (or `vexpo eas`)" });
+  }
+  steps.push({ cmd: "vexpo doctor --channel prod", desc: "verify the whole chain" });
+  return steps;
+}
+async function runAdopt(options2) {
+  section("Adopt");
+  const deploymentRef = await readOne("CONVEX_DEPLOYMENT");
+  if (!deploymentRef) {
+    bad("no CONVEX_DEPLOYMENT in .env.local. nothing to adopt");
+    note("run `eas integrations:convex:connect` first, or `vexpo full` to provision from scratch");
+    return 1;
+  }
+  const devSlug = deploymentSlug(deploymentRef);
+  if (!devSlug) {
+    bad(`could not parse a deployment slug from CONVEX_DEPLOYMENT=${deploymentRef}`);
+    return 1;
+  }
+  ok(`adopting Convex deployment: ${BOLD}${devSlug}${RESET}`);
+  const deployments = await listProjectDeployments(devSlug);
+  let prodSlug;
+  if (deployments) {
+    line();
+    note("project deployments:");
+    for (const d of deployments) {
+      const mine = d.name === devSlug ? `  ${DIM}\u2190 .env.local${RESET}` : "";
+      note(`  ${describeDeployment(d)} ${DIM}[${d.deploymentType}]${RESET}${mine}`);
+    }
+    const devs = deploymentsOfType(deployments, "dev");
+    if (devs.length > 1) {
+      yep(
+        `${devs.length} dev deployments; pick one canonical and delete the rest in the dashboard`
+      );
+    }
+    prodSlug = deploymentsOfType(deployments, "prod")[0]?.name;
+  } else {
+    nop("deployment enumeration unavailable (offline or not logged in); continuing");
+  }
+  if (!options2.skipDevSteps) {
+    line();
+    const code = await runConvex({});
+    if (code !== 0) return code;
+    const devEnv2 = await envMap();
+    if (!devEnv2.has("BETTER_AUTH_SECRET")) {
+      const baCode = await runBetterAuth({});
+      if (baCode !== 0) return baCode;
+    } else {
+      nop("BETTER_AUTH_SECRET already set on the dev deployment");
+    }
+  }
+  const devEnv = await envMap();
+  const projectId = await resolveProjectId();
+  const easProd = projectId ? await envList("production").catch(() => null) : null;
+  const steps = buildFinishRunbook({
+    devSlug,
+    hasResend: devEnv.has("RESEND_API_KEY"),
+    hasApple: devEnv.has("APPLE_CLIENT_SECRET"),
+    hasProd: !!prodSlug,
+    hasEasProdUrl: !!easProd?.has("EXPO_PUBLIC_CONVEX_URL")
+  });
+  line();
+  section("Finish");
+  note("adopted the dev deployment. remaining, in order:");
+  const width = Math.max(...steps.map((s) => s.cmd.length));
+  for (const s of steps) note(`  ${BOLD}${s.cmd.padEnd(width)}${RESET}  ${DIM}${s.desc}${RESET}`);
+  line();
+  nop("prod + Apple + Resend legs need credentials/prompts, so they're listed, not auto-run");
+  return 0;
+}
+function expandTilde(p) {
+  if (p === "~") return homedir();
+  if (p.startsWith("~/")) return `${homedir()}${p.slice(1)}`;
+  return p;
+}
+
+// src/commands/apple/credentials.ts
+async function resolveBundleId(profile) {
+  const fromConfig = await bundleIdFallback();
+  if (fromConfig && !fromConfig.startsWith("com.example.")) {
+    return { source: "app.config.ts", value: fromConfig, templatePlaceholder: false };
+  }
+  try {
+    const env2 = await envList(profile);
+    const fromEnv = env2.get("EXPO_PUBLIC_APP_BUNDLE_ID");
+    if (fromEnv && !fromEnv.startsWith("com.example.")) {
+      return { source: "EAS env", value: fromEnv, templatePlaceholder: false };
+    }
+  } catch {
+  }
+  return {
+    source: fromConfig ? "app.config.ts" : null,
+    value: fromConfig,
+    templatePlaceholder: true
+  };
+}
+async function loadAscFromState() {
+  const state = await load();
+  const rec = state.steps["asc-key"];
+  if (!rec?.outputs) return null;
+  const out = rec.outputs;
+  const issuerId = out.issuerId;
+  const keyId = out.keyId;
+  const rawPath = out.p8Path;
+  if (!issuerId || !keyId || !rawPath) return null;
+  const p8Path = expandTilde(rawPath);
+  if (!existsSync(p8Path)) return null;
+  return { issuerId, keyId, p8Path };
+}
+async function runAppleCredentials(options2) {
+  section("EAS iOS credentials");
+  const profile = options2.profile ?? "production";
+  const asc = await loadAscFromState();
+  if (!asc) {
+    yep("no cached ASC creds. Run `vexpo apple asc-key` first to validate one.");
+    return 1;
+  }
+  ok(`cached ASC API key found in state.json`);
+  note(`  issuerId: ${BOLD}${asc.issuerId}${RESET}`);
+  note(`  keyId:    ${BOLD}${asc.keyId}${RESET}`);
+  note(`  .p8:      ${BOLD}${asc.p8Path}${RESET}`);
+  const bundle = await resolveBundleId(profile);
+  if (bundle.templatePlaceholder) {
+    line();
+    bad("template bundle id detected, refusing to register placeholder credentials");
+    note(
+      bundle.value ? `  app.config.ts still defaults to ${BOLD}${bundle.value}${RESET}` : `  could not resolve a bundle id from app.config.ts`
+    );
+    note(`  EAS env (${profile}) does not set EXPO_PUBLIC_APP_BUNDLE_ID either`);
+    line();
+    note("fix by running the rebrand wizard, which bakes your bundle id into app.config.ts:");
+    note(`  ${BOLD}npx vexpo rebrand${RESET}`);
+    note("alternatively, push your local env to EAS before running this step:");
+    note(`  ${BOLD}npx eas env:push --environment ${profile}${RESET}`);
+    return 1;
+  }
+  ok(`bundle id: ${BOLD}${bundle.value}${RESET} (from ${bundle.source})`);
+  line();
+  note("eas-cli's credentials wizard is interactive (no non-interactive path).");
+  note("It walks through:");
+  note(`  1. ${BOLD}App Store Connect: Manage your API Key${RESET}, Set up a new key`);
+  note("     paste the 3 values above when prompted");
+  note(`  2. ${BOLD}Build Credentials${RESET}, generate dist cert + provisioning profile`);
+  note(`  3. ${BOLD}Push Notifications${RESET}, generate APNs key`);
+  note("");
+  note("After this, every `eas build` + `eas submit` works without Apple Developer");
+  note("login prompts. Existing creds are detected and reused.");
+  line();
+  if (process.stdin.isTTY) {
+    if (!await askYesNo(`Run \`eas credentials -p ios -e ${profile}\` now?`, true)) {
+      nop("skipped (run `npx eas credentials -p ios` later)");
+      return 0;
+    }
+  } else {
+    nop("non-TTY: skipping interactive wizard");
+    return 0;
+  }
+  const env2 = {
+    ...process.env,
+    EXPO_ASC_API_KEY_PATH: asc.p8Path,
+    EXPO_ASC_KEY_ID: asc.keyId,
+    EXPO_ASC_ISSUER_ID: asc.issuerId
+  };
+  const proc = spawn([dlx(), "eas", "credentials:configure-build", "-p", "ios", "-e", profile], {
+    stdin: "inherit",
+    stdout: "inherit",
+    stderr: "inherit",
+    env: env2
+  });
+  const code = await proc.exited;
+  if (code !== 0) {
+    bad(`eas credentials exited with code ${code}`);
+    return code;
+  }
+  await recordStep("apple-credentials", {
+    profile,
+    configuredAt: (/* @__PURE__ */ new Date()).toISOString(),
+    ascIssuerId: asc.issuerId,
+    ascKeyId: asc.keyId
+  });
+  line();
+  ok("EAS credentials configured");
+  yep(`next: ${BOLD}npm run eas:dev:device${RESET} to build the dev client on a registered device`);
+  return 0;
+}
+async function readPrivateKey(source) {
+  if ("contents" in source) return source.contents;
+  const path = expandTilde(source.path);
+  try {
+    await access(path);
+  } catch {
+    throw new Error(`p8 file not found at ${path}`);
+  }
+  return readFile(path, "utf8");
+}
+async function signClientSecret(opts) {
+  const days = opts.expirationDays;
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "ES256", kid: opts.keyId };
+  const payload = {
+    iss: opts.teamId,
+    iat: now,
+    exp: now + days * 86400,
+    aud: "https://appleid.apple.com",
+    sub: opts.servicesId
+  };
+  const privateKey = await readPrivateKey(opts.privateKey);
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signer = createSign("SHA256");
+  signer.update(signingInput);
+  signer.end();
+  const signature = signer.sign({ key: privateKey, dsaEncoding: "ieee-p1363" }).toString("base64url");
+  return `${signingInput}.${signature}`;
 }
 
 // src/commands/apple/jwt.ts
+var APPLE_ENV_KEYS = [
+  "APPLE_CLIENT_ID",
+  "APPLE_TEAM_ID",
+  "APPLE_KEY_ID",
+  "APPLE_CLIENT_SECRET"
+];
+async function copyAppleEnv(from) {
+  section("Apple Sign In");
+  const slug2 = deploymentSlug(from) ?? from;
+  const src = await envMap({ deployment: slug2 });
+  const present = APPLE_ENV_KEYS.filter((k) => src.has(k) && src.get(k));
+  if (present.length === 0) {
+    bad(`no APPLE_* vars on deployment ${slug2} (unreachable or not provisioned)`);
+    note("pass a deployment slug your account can reach, e.g. `--copy-from old-deployment-123`");
+    return 1;
+  }
+  const dst = await envMap();
+  let copied = 0;
+  for (const key of present) {
+    const value = src.get(key);
+    if (dst.get(key) === value) {
+      nop(`${key} already matches`);
+      continue;
+    }
+    await envSet(key, value);
+    ok(`copied ${key} from ${slug2}`);
+    copied += 1;
+  }
+  line();
+  ok(`Apple env copied from ${slug2} (${copied} changed)`);
+  if (!present.includes("APPLE_CLIENT_SECRET")) {
+    yep("source had no APPLE_CLIENT_SECRET; re-sign with `vexpo apple jwt`");
+  } else {
+    note("the copied client_secret keeps the source's expiry; re-sign before it lapses");
+  }
+  return 0;
+}
 async function promptOrEnv(envName, prompt) {
   const fromEnv = process.env[envName];
   if (fromEnv) return fromEnv;
@@ -1027,6 +1536,14 @@ async function promptOrEnv(envName, prompt) {
   return v || void 0;
 }
 async function runAppleJwt(options2) {
+  if (options2.copyFrom) {
+    try {
+      return await copyAppleEnv(options2.copyFrom);
+    } catch (err) {
+      bad(err instanceof Error ? err.message : String(err));
+      return 1;
+    }
+  }
   section("Apple Sign In");
   try {
     const env2 = await envMap();
@@ -1119,7 +1636,7 @@ async function runAppleJwt(options2) {
     });
     if (process.stdin.isTTY && !rotateOnly) {
       line();
-      if (await askYesNo("Schedule a calendar reminder ~150 days from now?", false)) {
+      if (await askYesNo("Show the renewal date and rotate command?", false)) {
         const when = new Date(Date.now() + 150 * 864e5);
         note(`renew on or before ${when.toDateString()} by running:`);
         note(`  ${BOLD}vexpo apple jwt --rotate${RESET}`);
@@ -1278,11 +1795,6 @@ function makeAscClient(creds) {
     return out;
   }
   return {
-    /**
-     * Low-level primitives. Exposed so resource-specific modules
-     * (asc-testflight.ts, asc-reviews.ts, asc-versions.ts, asc-sandbox.ts)
-     * can extend the client without re-implementing auth + retry.
-     */
     request,
     paginatedList,
     bundleIds: {
@@ -1421,8 +1933,8 @@ function makeAscClient(creds) {
 }
 async function validate(creds) {
   try {
-    const client2 = makeAscClient(creds);
-    const apps = await client2.apps.list();
+    const client = makeAscClient(creds);
+    const apps = await client.apps.list();
     return { ok: true, appCount: apps.length };
   } catch (err) {
     if (err instanceof AscApiError) {
@@ -1435,7 +1947,7 @@ async function validate(creds) {
 var SIGN_IN_WITH_APPLE_CAPABILITY = "APPLE_ID_AUTH";
 
 // src/commands/apple/asc-key.ts
-async function fileExists3(p) {
+async function fileExists2(p) {
   try {
     await access(expandTilde(p));
     return true;
@@ -1479,7 +1991,7 @@ async function promptCredsInteractive() {
     return null;
   }
   const p8Path = expandTilde(rawP8);
-  if (!await fileExists3(p8Path)) {
+  if (!await fileExists2(p8Path)) {
     bad(`.p8 not found at ${p8Path}`);
     return null;
   }
@@ -1490,20 +2002,12 @@ async function readEnvCreds() {
   const keyId = process.env.APPLE_ASC_KEY_ID;
   const p8Path = process.env.APPLE_ASC_P8_PATH;
   if (!issuerId || !keyId || !p8Path) return null;
-  if (!await fileExists3(p8Path)) {
+  if (!await fileExists2(p8Path)) {
     bad(`APPLE_ASC_P8_PATH=${p8Path} not found`);
     return null;
   }
   return { issuerId, keyId, privateKey: { path: p8Path } };
 }
-async function easAscStatus() {
-  try {
-    const status = await ascStatus();
-    return status.connected ? "connected" : "disconnected";
-  } catch {
-    return "unknown";
-  }
-}
 async function readStateCreds() {
   const state = await load();
   const rec = state.steps["asc-key"];
@@ -1513,7 +2017,7 @@ async function readStateCreds() {
   const keyId = out.keyId;
   const p8Path = out.p8Path;
   if (!issuerId || !keyId || !p8Path) return null;
-  if (!await fileExists3(p8Path)) return null;
+  if (!await fileExists2(p8Path)) return null;
   return { issuerId, keyId, privateKey: { path: p8Path } };
 }
 async function runAscKey(options2) {
@@ -1525,25 +2029,12 @@ async function runAscKey(options2) {
         bad("no cached ASC key in state.json; run without --revalidate first");
         return 1;
       }
-      const easSays = await easAscStatus();
-      if (easSays === "connected") {
-        ok("cached key valid (verified via `eas integrations:asc:status`)");
-        await recordStep("asc-key", {
-          issuerId: cached2.issuerId,
-          keyId: cached2.keyId,
-          p8Path: "path" in cached2.privateKey ? cached2.privateKey.path : void 0
-        });
-        return 0;
-      }
       const result = await validate(cached2);
       if (!result.ok) {
         bad(`cached key invalid: ${result.reason}`);
         return 1;
       }
       ok(`cached key still valid (${result.appCount} app${result.appCount === 1 ? "" : "s"})`);
-      if (easSays === "disconnected") {
-        note("EAS reports no ASC link; run `vexpo asc connect` to wire it up");
-      }
       await recordStep("asc-key", {
         issuerId: cached2.issuerId,
         keyId: cached2.keyId,
@@ -1592,7 +2083,7 @@ async function runAscKey(options2) {
     note(
       `${BOLD}This step is purely validation${RESET} ${DIM}- EAS still needs the same key uploaded:${RESET}`
     );
-    note(`  ${BOLD}bunx eas credentials -p ios${RESET}`);
+    note(`  ${BOLD}npx eas credentials -p ios${RESET}`);
     note(`  \u2192 Build Credentials \u2192 'Use existing App Store Connect API Key'`);
     note(`  \u2192 'Set up a new key' if no existing match, paste:`);
     note(`     issuer=${creds.issuerId}, keyId=${creds.keyId}`);
@@ -1611,7 +2102,7 @@ async function runEasRotationSecrets(options2) {
     existing = await envList("production");
   } catch (err) {
     bad(`could not list EAS production env: ${err instanceof Error ? err.message : err}`);
-    note("run `bunx eas login` and `bunx eas init` first");
+    note("run `npx eas login` and `npx eas init` first");
     return 1;
   }
   const teamId = await readOne("APPLE_TEAM_ID");
@@ -1635,15 +2126,14 @@ async function runEasRotationSecrets(options2) {
     note("re-run with APPLE_P8_PATH=/path/to/AuthKey.p8");
     return 1;
   }
-  let pem;
   try {
-    pem = await readFile(p8Path, "utf8");
+    await access(p8Path);
   } catch {
     bad(`.p8 file not found at ${p8Path}`);
     return 1;
   }
   const apple2 = [
-    { name: "APPLE_P8_PRIVATE_KEY", value: pem, type: "file" },
+    { name: "APPLE_P8_PRIVATE_KEY", value: p8Path, type: "file" },
     { name: "APPLE_TEAM_ID", value: teamId },
     { name: "APPLE_KEY_ID", value: keyId },
     { name: "APPLE_SERVICES_ID", value: servicesId }
@@ -1675,98 +2165,59 @@ async function runEasRotationSecrets(options2) {
   }
   if (!existing.has("CONVEX_DEPLOY_KEY") || options2.force) {
     line();
-    note("CONVEX_DEPLOY_KEY isn't set on EAS production. Generate one:");
-    await helpAndWait({
-      body: "Open the Convex dashboard for your project:",
-      urls: [
-        {
-          label: "Convex dashboard (Settings \u2192 Deploy keys)",
-          url: "https://dashboard.convex.dev"
-        }
-      ],
-      allowSkip: true,
-      skipLabel: "skip"
-    });
-    if (process.stdin.isTTY) {
-      const key = (await ask(`  Paste Convex prod deploy key ${DIM}(or Enter to skip)${RESET} > `)).trim();
-      if (key) {
-        try {
-          if (existing.has("CONVEX_DEPLOY_KEY")) {
-            await envUpdate("CONVEX_DEPLOY_KEY", key, "secret", ENVS);
-            updated += 1;
-          } else {
-            await envCreate("CONVEX_DEPLOY_KEY", key, "secret", ENVS);
-            applied += 1;
-          }
-          ok("CONVEX_DEPLOY_KEY set");
-        } catch (err) {
-          bad(`CONVEX_DEPLOY_KEY: ${err instanceof Error ? err.message : err}`);
-          return 1;
-        }
+    const setKey = async (key) => {
+      if (existing.has("CONVEX_DEPLOY_KEY")) {
+        await envUpdate("CONVEX_DEPLOY_KEY", key, "secret", ENVS);
+        updated += 1;
       } else {
-        yep("skipped CONVEX_DEPLOY_KEY (set later with `eas env:create`)");
-        skipped2 += 1;
+        await envCreate("CONVEX_DEPLOY_KEY", key, "secret", ENVS);
+        applied += 1;
       }
-    } else {
-      yep("skipped CONVEX_DEPLOY_KEY (non-interactive)");
-      skipped2 += 1;
+    };
+    let minted = false;
+    try {
+      const result = await mintProdDeployKey(
+        deploymentSlug(await readOne("CONVEX_DEPLOYMENT")) ?? "",
+        "eas-rotation"
+      );
+      if (result) {
+        await setKey(result.key);
+        ok(`minted + set CONVEX_DEPLOY_KEY for prod ${BOLD}${result.deployment}${RESET}`);
+        minted = true;
+      } else {
+        yep("couldn't resolve the prod deployment (offline or not logged in)");
+      }
+    } catch (err) {
+      yep(`couldn't mint a deploy key: ${err instanceof Error ? err.message : err}`);
     }
-  } else {
-    nop("CONVEX_DEPLOY_KEY already set");
-    skipped2 += 1;
-  }
-  line();
-  ok(`${applied} created, ${updated} updated, ${skipped2} skipped (of ${apple2.length + 1} secrets)`);
-  yep(`${BOLD}rotation cron${RESET} reads these on the next fire (every 3 months on the 1st)`);
-  return 0;
-}
-async function readJsonOrNull(path) {
-  try {
-    return JSON.parse(await readFile(path, "utf8"));
-  } catch {
-    return null;
-  }
-}
-async function readTextOrNull(path) {
-  try {
-    await access(path);
-    return await readFile(path, "utf8");
-  } catch {
-    return null;
-  }
-}
-async function pkgName() {
-  const pkg = await readJsonOrNull("package.json");
-  return typeof pkg?.name === "string" && pkg.name ? pkg.name : "app";
-}
-async function appName() {
-  const text = await readTextOrNull("app.config.ts");
-  if (text) {
-    const match = /\bname:\s*["']([^"']+)["']/.exec(text);
-    if (match) return match[1];
+    if (!minted) {
+      if (process.stdin.isTTY) {
+        const key = (await ask(`  Paste a Convex prod deploy key ${DIM}(or Enter to skip)${RESET} > `)).trim();
+        if (key) {
+          try {
+            await setKey(key);
+            ok("CONVEX_DEPLOY_KEY set");
+          } catch (err) {
+            bad(`CONVEX_DEPLOY_KEY: ${err instanceof Error ? err.message : err}`);
+            return 1;
+          }
+        } else {
+          yep("skipped CONVEX_DEPLOY_KEY (set later with `eas env:create`)");
+          skipped2 += 1;
+        }
+      } else {
+        yep("skipped CONVEX_DEPLOY_KEY (non-interactive, mint unavailable)");
+        skipped2 += 1;
+      }
+    }
+  } else {
+    nop("CONVEX_DEPLOY_KEY already set");
+    skipped2 += 1;
   }
-  const name = await pkgName();
-  const clean = name.replace(/^@[^/]+\//, "");
-  const parts = clean.split(/[-_]/).filter(Boolean);
-  if (parts.length === 0) return "App";
-  return parts.map((w) => (w[0] ?? "").toUpperCase() + w.slice(1)).join(" ");
-}
-async function scheme() {
-  const text = await readTextOrNull("app.config.ts");
-  if (!text) return "app";
-  return /scheme:\s*["']([^"']+)["']/.exec(text)?.[1] ?? "app";
-}
-async function bundleIdFallback() {
-  const text = await readTextOrNull("app.config.ts");
-  if (!text) return null;
-  return /EXPO_PUBLIC_APP_BUNDLE_ID\s*\?\?\s*"([^"]+)"/.exec(text)?.[1] ?? null;
-}
-async function appleTeamIdFallback() {
-  const text = await readTextOrNull("app.config.ts");
-  if (!text) return null;
-  const value = /EXPO_PUBLIC_APPLE_TEAM_ID\s*\?\?\s*"([^"]+)"/.exec(text)?.[1] ?? null;
-  if (!value || value === "ABCDE12345") return null;
-  return value;
+  line();
+  ok(`${applied} created, ${updated} updated, ${skipped2} skipped (of ${apple2.length + 1} secrets)`);
+  yep(`${BOLD}rotation cron${RESET} reads these on the next fire (every 3 months on the 1st)`);
+  return 0;
 }
 
 // src/commands/apple/services-id.ts
@@ -1787,23 +2238,23 @@ async function loadAscCreds() {
   if (!sIssuer || !sKey || !sPath) return null;
   return { issuerId: sIssuer, keyId: sKey, privateKey: { path: sPath } };
 }
-async function findOrCreateBundleId(client2, args) {
-  const all = await client2.bundleIds.list({ identifier: args.identifier });
+async function findOrCreateBundleId(client, args) {
+  const all = await client.bundleIds.list({ identifier: args.identifier });
   const existing = all.find((b) => {
     if (b.attributes.identifier !== args.identifier) return false;
     if (args.platform === "SERVICES") return b.attributes.platform === "SERVICES";
     return b.attributes.platform !== "SERVICES";
   });
   if (existing) return existing;
-  return client2.bundleIds.create({
+  return client.bundleIds.create({
     identifier: args.identifier,
     name: args.name,
     platform: args.platform
   });
 }
-async function findServicesIdOrPromptManual(client2, identifier) {
+async function findServicesIdOrPromptManual(client, identifier) {
   const lookup = async () => {
-    const matches = await client2.bundleIds.list({ identifier });
+    const matches = await client.bundleIds.list({ identifier });
     return matches.find((b) => b.attributes.identifier === identifier) ?? null;
   };
   const found = await lookup();
@@ -1862,26 +2313,26 @@ async function runServicesId(options2) {
     ok(
       `ASC API authenticated (${validation.appCount} app${validation.appCount === 1 ? "" : "s"} on team)`
     );
-    const client2 = makeAscClient(creds);
+    const client = makeAscClient(creds);
     const servicesId = options2.servicesId ?? process.env.APPLE_SERVICES_ID ?? `${bundleId}.signin`;
     const name = await appName();
-    const appBundle = await findOrCreateBundleId(client2, {
+    const appBundle = await findOrCreateBundleId(client, {
       identifier: bundleId,
       name,
       platform: "IOS"
     });
     ok(`app bundle id resource: ${appBundle.id} (${appBundle.attributes.identifier})`);
-    const sid = await findServicesIdOrPromptManual(client2, servicesId);
+    const sid = await findServicesIdOrPromptManual(client, servicesId);
     if (!sid) return 1;
     ok(`services id resource: ${sid.id} (${servicesId})`);
-    const caps = await client2.bundleIdCapabilities.list(appBundle.id);
+    const caps = await client.bundleIdCapabilities.list(appBundle.id);
     const siwaCap = caps.find((c) => c.attributes.capabilityType === SIGN_IN_WITH_APPLE_CAPABILITY);
     let siwaCapId;
     if (siwaCap) {
       siwaCapId = siwaCap.id;
       nop("Sign In with Apple capability already enabled on app bundle id");
     } else {
-      const created = await client2.bundleIdCapabilities.create({
+      const created = await client.bundleIdCapabilities.create({
         bundleIdResourceId: appBundle.id,
         capabilityType: SIGN_IN_WITH_APPLE_CAPABILITY
       });
@@ -1905,6 +2356,144 @@ async function runServicesId(options2) {
     return 1;
   }
 }
+
+// src/lib/eas-submit.ts
+function isObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function submitProfilesMissingAscAppId(easJson) {
+  let cfg;
+  try {
+    cfg = JSON.parse(easJson);
+  } catch {
+    return [];
+  }
+  return Object.entries(cfg.submit ?? {}).filter(([, p]) => isObject(p?.ios) && !p.ios.ascAppId).map(([name]) => name);
+}
+function needsAscAppId(easJson, ascAppId) {
+  let cfg;
+  try {
+    cfg = JSON.parse(easJson);
+  } catch {
+    return false;
+  }
+  return Object.values(cfg.submit ?? {}).some(
+    (p) => isObject(p?.ios) && p.ios.ascAppId !== ascAppId
+  );
+}
+function withAscAppId(easJson, ascAppId) {
+  if (!needsAscAppId(easJson, ascAppId)) return easJson;
+  const cfg = JSON.parse(easJson);
+  for (const profile of Object.values(cfg.submit ?? {})) {
+    if (isObject(profile?.ios)) profile.ios.ascAppId = ascAppId;
+  }
+  return JSON.stringify(cfg, null, 2) + "\n";
+}
+
+// src/commands/asc.ts
+async function loadAscFromState2() {
+  const state = await load();
+  const rec = state.steps["asc-key"];
+  if (!rec?.outputs) return null;
+  const out = rec.outputs;
+  const issuerId = out.issuerId;
+  const keyId = out.keyId;
+  const rawPath = out.p8Path;
+  if (!issuerId || !keyId || !rawPath) return null;
+  const p8Path = expandTilde(rawPath);
+  if (!existsSync(p8Path)) return null;
+  return { issuerId, keyId, p8Path };
+}
+async function runAscConnect(opts = {}) {
+  section("ASC connect");
+  if (!opts.force) {
+    try {
+      const status = await ascStatus();
+      if (status.status === "connected" && status.appStoreConnectApp) {
+        const label = status.appStoreConnectApp.bundleIdentifier ?? status.appStoreConnectApp.ascAppIdentifier;
+        nop(`already connected (${label})`);
+        await recordStep("apple-asc-link", {
+          ascAppId: status.appStoreConnectApp.ascAppIdentifier,
+          ascAppEasId: status.appStoreConnectApp.id,
+          bundleId: status.appStoreConnectApp.bundleIdentifier,
+          connectedAt: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        return 0;
+      }
+    } catch {
+    }
+  }
+  const asc = await loadAscFromState2();
+  if (!asc) {
+    bad("no cached ASC creds. Run `vexpo apple asc-key` first to validate one.");
+    return 1;
+  }
+  ok("cached ASC API key found in state.json");
+  note(`  issuerId: ${BOLD}${asc.issuerId}${RESET}`);
+  note(`  keyId:    ${BOLD}${asc.keyId}${RESET}`);
+  note(`  .p8:      ${BOLD}${asc.p8Path}${RESET}`);
+  const bundleId = await readOne("EXPO_PUBLIC_APP_BUNDLE_ID");
+  if (!bundleId) {
+    bad("no EXPO_PUBLIC_APP_BUNDLE_ID in .env.local. Run `vexpo convex` first.");
+    return 1;
+  }
+  ok(`bundle id: ${BOLD}${bundleId}${RESET}`);
+  if (!process.stdin.isTTY) {
+    bad("ASC connect needs a TTY: eas integrations:asc:connect can't run headless");
+    note("run `vexpo asc:connect` in an interactive terminal to finish the EAS\u2194ASC link");
+    return 1;
+  }
+  const env2 = {
+    ...process.env,
+    EXPO_ASC_API_KEY_PATH: asc.p8Path,
+    EXPO_ASC_KEY_ID: asc.keyId,
+    EXPO_ASC_ISSUER_ID: asc.issuerId
+  };
+  line();
+  note("spawning `eas integrations:asc:connect`. Most likely flow:");
+  note("  1. Press Y to generate a new ASC API key (default)");
+  note("  2. Press Enter to accept ADMIN role (default)");
+  note("EXPO_ASC_API_KEY_* env vars are set so eas-cli uses our cached key");
+  note("for the Apple auth step, no Apple ID + password prompt.");
+  const proc = spawn([dlx(), "eas", "integrations:asc:connect", "--bundle-id", bundleId], {
+    stdin: "inherit",
+    stdout: "inherit",
+    stderr: "inherit",
+    env: env2
+  });
+  const code = await proc.exited;
+  if (code !== 0) {
+    bad(`eas integrations:asc:connect exited with code ${code}`);
+    return code;
+  }
+  ok("EAS project linked to ASC app");
+  await recordStep("apple-asc-link", {
+    bundleId,
+    ascIssuerId: asc.issuerId,
+    ascKeyId: asc.keyId,
+    connectedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  if (existsSync("eas.json")) {
+    try {
+      const ascAppId = (await ascStatus()).appStoreConnectApp?.ascAppIdentifier;
+      if (ascAppId) {
+        const before = await readFile("eas.json", "utf8");
+        const after = withAscAppId(before, ascAppId);
+        if (after !== before) {
+          await writeFile("eas.json", after);
+          ok(`wrote ascAppId ${BOLD}${ascAppId}${RESET} to eas.json submit profiles`);
+          note("commit this in your fork: non-interactive `eas submit` (CI) needs it");
+        } else {
+          nop("eas.json submit profiles already carry ascAppId");
+        }
+      }
+    } catch (err) {
+      yep(`couldn't write ascAppId to eas.json: ${err instanceof Error ? err.message : err}`);
+      note("non-interactive submit will need `ascAppId` set manually in eas.json");
+    }
+  }
+  return 0;
+}
 async function loadAscCreds2() {
   const state = await load();
   const rec = state.steps["asc-key"];
@@ -1923,459 +2512,330 @@ async function ascBootstrap() {
   if (!creds) {
     throw new Error("no cached ASC creds. run `vexpo apple asc-key` first");
   }
-  const client2 = makeAscClient(creds);
+  const client = makeAscClient(creds);
   const bundleId = await readOne("EXPO_PUBLIC_APP_BUNDLE_ID") ?? await readOne("APP_BUNDLE_ID") ?? void 0;
   let ascAppId;
   if (bundleId) {
     try {
-      const apps = await client2.paginatedList("/v1/apps", { "filter[bundleId]": bundleId }, 5);
+      const apps = await client.paginatedList("/v1/apps", { "filter[bundleId]": bundleId }, 5);
       ascAppId = apps[0]?.id;
     } catch {
     }
   }
-  return { client: client2, bundleId, ascAppId, creds };
-}
-
-// src/lib/asc-versions.ts
-function versions(client2) {
-  return {
-    /* app store versions ------------------------------------------------ */
-    appStoreVersions: {
-      list(filter) {
-        const query = {};
-        if (filter?.platform) query["filter[platform]"] = filter.platform;
-        if (filter?.versionString) query["filter[versionString]"] = filter.versionString;
-        if (filter?.state) query["filter[appStoreState]"] = filter.state;
-        const path = filter?.appId ? `/v1/apps/${filter.appId}/appStoreVersions` : "/v1/appStoreVersions";
-        return client2.paginatedList(path, query, filter?.limit ?? 25);
-      },
-      async get(id) {
-        const res = await client2.request(
-          "GET",
-          `/v1/appStoreVersions/${id}`
-        );
-        return res.data;
-      },
-      async getBuild(versionId) {
-        try {
-          return await client2.request(
-            "GET",
-            `/v1/appStoreVersions/${versionId}/relationships/build`
-          );
-        } catch {
-          return null;
-        }
-      }
-    },
-    /* review submissions ------------------------------------------------ */
-    reviewSubmissions: {
-      list(filter) {
-        const query = {};
-        if (filter?.appId) query["filter[app]"] = filter.appId;
-        if (filter?.platform) query["filter[platform]"] = filter.platform;
-        if (filter?.state) query["filter[state]"] = filter.state;
-        return client2.paginatedList("/v1/reviewSubmissions", query);
-      },
-      async get(id) {
-        const res = await client2.request(
-          "GET",
-          `/v1/reviewSubmissions/${id}`
-        );
-        return res.data;
-      }
-    },
-    /* phased release ---------------------------------------------------- */
-    phasedReleases: {
-      async getForVersion(versionId) {
-        try {
-          const res = await client2.request(
-            "GET",
-            `/v1/appStoreVersions/${versionId}/appStoreVersionPhasedRelease`
-          );
-          return res.data;
-        } catch {
-          return null;
-        }
-      },
-      async pause(id) {
-        const body = {
-          data: {
-            type: "appStoreVersionPhasedReleases",
-            id,
-            attributes: { phasedReleaseState: "PAUSED" }
-          }
-        };
-        const res = await client2.request(
-          "PATCH",
-          `/v1/appStoreVersionPhasedReleases/${id}`,
-          body
-        );
-        return res.data;
-      },
-      async resume(id) {
-        const body = {
-          data: {
-            type: "appStoreVersionPhasedReleases",
-            id,
-            attributes: { phasedReleaseState: "ACTIVE" }
-          }
-        };
-        const res = await client2.request(
-          "PATCH",
-          `/v1/appStoreVersionPhasedReleases/${id}`,
-          body
-        );
-        return res.data;
-      },
-      async complete(id) {
-        const body = {
-          data: {
-            type: "appStoreVersionPhasedReleases",
-            id,
-            attributes: { phasedReleaseState: "COMPLETE" }
-          }
-        };
-        const res = await client2.request(
-          "PATCH",
-          `/v1/appStoreVersionPhasedReleases/${id}`,
-          body
-        );
-        return res.data;
-      }
-    }
-  };
+  return { client, bundleId, ascAppId, creds };
 }
 
-// src/commands/asc-version.ts
-async function bootstrap() {
-  const { client: client2, ascAppId, bundleId } = await ascBootstrap();
-  if (!ascAppId) {
-    throw new Error(
-      `no ASC app for bundle id ${bundleId ?? "(unset)"}; run \`vexpo apple credentials\` first`
-    );
-  }
-  return { v: versions(client2), ascAppId };
-}
-async function runVersionList(opts) {
-  try {
-    const { v, ascAppId } = await bootstrap();
-    const list = await v.appStoreVersions.list({
-      appId: ascAppId,
-      platform: opts.platform,
-      state: opts.state,
-      limit: opts.limit
-    });
-    if (opts.json) {
-      process.stdout.write(JSON.stringify(list, null, 2) + "\n");
-      return 0;
-    }
-    section("App Store versions");
-    if (list.length === 0) {
-      nop("none");
-      return 0;
-    }
-    for (const ver of list) {
-      line(
-        `  ${BOLD}${ver.attributes.versionString ?? "?"}${RESET}  ${ver.attributes.platform ?? "?"}  ${DIM}${ver.attributes.appStoreState ?? "?"}${RESET}`
-      );
-    }
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runVersionView(versionId, opts) {
-  try {
-    const { v } = await bootstrap();
-    const ver = await v.appStoreVersions.get(versionId);
-    const phased = await v.phasedReleases.getForVersion(versionId).catch(() => null);
-    if (opts.json) {
-      process.stdout.write(JSON.stringify({ version: ver, phasedRelease: phased }, null, 2) + "\n");
-      return 0;
-    }
-    section(`Version ${ver.attributes.versionString ?? versionId}`);
-    line(`  state:    ${ver.attributes.appStoreState ?? "?"}`);
-    line(`  platform: ${ver.attributes.platform ?? "?"}`);
-    if (ver.attributes.releaseType) line(`  release:  ${ver.attributes.releaseType}`);
-    if (ver.attributes.earliestReleaseDate)
-      line(`  earliest: ${ver.attributes.earliestReleaseDate}`);
-    if (phased) {
-      line(`  phased:   ${phased.attributes.phasedReleaseState ?? "?"}`);
-      if (phased.attributes.startDate) line(`            started ${phased.attributes.startDate}`);
-    }
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runSubmissionsList(opts) {
-  try {
-    const { v, ascAppId } = await bootstrap();
-    const submissions = await v.reviewSubmissions.list({
-      appId: ascAppId,
-      platform: opts.platform,
-      state: opts.state
+// src/lib/asc-accessibility.ts
+var ACCESSIBILITY_FEATURES = [
+  "VOICE_OVER",
+  "VOICE_CONTROL",
+  "LARGER_TEXT",
+  "DARK_INTERFACE",
+  "SUFFICIENT_CONTRAST",
+  "DIFFERENTIATION_WITHOUT_COLOR_ALONE",
+  "REDUCED_MOTION",
+  "CAPTIONS",
+  "AUDIO_DESCRIPTIONS"
+];
+var ACCESSIBILITY_LEVELS = [
+  "FULLY_SUPPORTS",
+  "PARTIAL",
+  "DOES_NOT_SUPPORT",
+  "NOT_APPLICABLE"
+];
+var ACCESSIBILITY_DEVICE_FAMILIES = [
+  "IPHONE",
+  "IPAD",
+  "MAC",
+  "APPLE_TV",
+  "APPLE_WATCH",
+  "VISION"
+];
+function lintAccessibilityConfig(config) {
+  const issues = [];
+  if (!isRecord(config)) {
+    issues.push({ severity: "error", message: "config must be a JSON object" });
+    return issues;
+  }
+  if (!Array.isArray(config.entries)) {
+    issues.push({ severity: "error", message: "`entries` must be an array" });
+    return issues;
+  }
+  if (config.entries.length === 0) {
+    issues.push({
+      severity: "warning",
+      message: "`entries` is empty; declare at least one device family."
     });
-    if (opts.json) {
-      process.stdout.write(JSON.stringify(submissions, null, 2) + "\n");
-      return 0;
-    }
-    section("Review submissions");
-    if (submissions.length === 0) {
-      nop("none");
-      return 0;
-    }
-    for (const s of submissions) {
-      line(
-        `  ${BOLD}${s.id.slice(0, 8)}${RESET}  ${s.attributes.state ?? "?"}  ${DIM}${s.attributes.submittedDate ?? ""}${RESET}`
-      );
-    }
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runPhasedRelease(opts) {
-  try {
-    const { v } = await bootstrap();
-    const phased = await v.phasedReleases.getForVersion(opts.versionId);
-    if (!phased) {
-      bad(`no phased release for version ${opts.versionId}`);
-      return 1;
-    }
-    const next = opts.action === "pause" ? await v.phasedReleases.pause(phased.id) : opts.action === "resume" ? await v.phasedReleases.resume(phased.id) : await v.phasedReleases.complete(phased.id);
-    section(`Phased release ${opts.action}d`);
-    ok(next.attributes.phasedReleaseState ?? "ok");
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
   }
-}
-
-// src/commands/reviews.ts
-async function bootstrap2() {
-  const { client: client2, ascAppId, bundleId } = await ascBootstrap();
-  if (!ascAppId) {
-    throw new Error(
-      `no ASC app for bundle id ${bundleId ?? "(unset)"}; run \`vexpo apple credentials\` first`
-    );
-  }
-  return { r: reviews(client2), ascAppId };
-}
-function stars(n) {
-  if (!n) return "";
-  const filled = "\u2605".repeat(n);
-  const empty2 = "\u2606".repeat(5 - n);
-  return `${filled}${empty2}`;
-}
-async function runReviewsList(opts) {
-  try {
-    const { r, ascAppId } = await bootstrap2();
-    const list = await r.customerReviews.list({
-      appId: ascAppId,
-      territory: opts.territory,
-      rating: opts.rating,
-      limit: opts.limit
-    });
-    if (opts.json) {
-      process.stdout.write(JSON.stringify(list, null, 2) + "\n");
-      return 0;
+  const seen = /* @__PURE__ */ new Set();
+  config.entries.forEach((raw, index) => {
+    if (!isRecord(raw)) {
+      issues.push({ severity: "error", message: `entry[${index}] must be an object` });
+      return;
+    }
+    const family = raw.deviceFamily;
+    if (typeof family !== "string" || !ACCESSIBILITY_DEVICE_FAMILIES.includes(family)) {
+      issues.push({
+        severity: "error",
+        message: `entry[${index}].deviceFamily '${String(family)}' is not a valid AccessibilityDeviceFamily. Allowed: ${ACCESSIBILITY_DEVICE_FAMILIES.join(", ")}`
+      });
+    } else if (seen.has(family)) {
+      issues.push({
+        severity: "warning",
+        message: `entry[${index}].deviceFamily '${family}' is duplicated; only the last entry counts.`
+      });
+    } else {
+      seen.add(family);
     }
-    section("Customer reviews");
-    if (list.length === 0) {
-      nop("none");
-      return 0;
+    if (!isRecord(raw.features)) {
+      issues.push({ severity: "error", message: `entry[${index}].features must be an object` });
+      return;
     }
-    for (const rev of list) {
-      const responded = rev.relationships?.response?.data ? "\u2713" : " ";
-      const created = rev.attributes.createdDate?.slice(0, 10) ?? "";
-      line(
-        `  ${responded} ${stars(rev.attributes.rating)}  ${DIM}${created} ${rev.attributes.territory ?? ""}${RESET}  ${BOLD}${rev.attributes.title ?? ""}${RESET}`
-      );
-      if (rev.attributes.body) {
-        const truncated = rev.attributes.body.split("\n")[0];
-        line(
-          `        ${DIM}${truncated.slice(0, 100)}${truncated.length > 100 ? "\u2026" : ""}${RESET}`
-        );
+    for (const [feature, level] of Object.entries(raw.features)) {
+      if (!ACCESSIBILITY_FEATURES.includes(feature)) {
+        issues.push({
+          severity: "error",
+          message: `entry[${index}].features['${feature}'] is not a valid AccessibilityFeature. Allowed: ${ACCESSIBILITY_FEATURES.join(", ")}`
+        });
+      }
+      if (typeof level !== "string" || !ACCESSIBILITY_LEVELS.includes(level)) {
+        issues.push({
+          severity: "error",
+          message: `entry[${index}].features['${feature}'] level '${String(level)}' is not a valid AccessibilityLevel. Allowed: ${ACCESSIBILITY_LEVELS.join(", ")}`
+        });
       }
-      line(`        ${DIM}id ${rev.id}${RESET}`);
     }
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
+  });
+  return issues;
+}
+async function fetchAccessibilityDeclarations(client, appId) {
+  return client.request("GET", `/v1/apps/${appId}/accessibilityDeclarations`);
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
 }
-async function runReviewsUnanswered(opts) {
+
+// src/commands/asc-accessibility.ts
+async function runAccessibilityShow(opts) {
   try {
-    const { r, ascAppId } = await bootstrap2();
-    const all = await r.customerReviews.list({ appId: ascAppId, limit: opts.limit ?? 200 });
-    const unresponded = unansweredOlderThan(all, opts.days ?? 0);
-    if (opts.json) {
-      process.stdout.write(JSON.stringify(unresponded, null, 2) + "\n");
-      return 0;
+    const { client, ascAppId, bundleId } = await ascBootstrap();
+    if (!ascAppId) {
+      bad(`no ASC app for bundle id ${bundleId ?? "(unset)"}`);
+      return 1;
     }
-    section(
-      `Unanswered reviews${opts.days ? ` (older than ${opts.days} day${opts.days === 1 ? "" : "s"})` : ""}`
-    );
-    if (unresponded.length === 0) {
-      ok("all caught up");
+    const decls = await fetchAccessibilityDeclarations(client, ascAppId);
+    if (opts.json) {
+      process.stdout.write(JSON.stringify(decls, null, 2) + "\n");
       return 0;
     }
-    for (const rev of unresponded) {
-      const created = rev.attributes.createdDate?.slice(0, 10) ?? "";
-      line(
-        `  ${stars(rev.attributes.rating)}  ${DIM}${created} ${rev.attributes.territory ?? ""}${RESET}  ${BOLD}${rev.attributes.title ?? ""}${RESET}`
-      );
-      line(`        ${DIM}respond: vexpo reviews respond ${rev.id} "..."${RESET}`);
-    }
+    section("Accessibility declarations");
+    line(JSON.stringify(decls, null, 2));
     return 0;
   } catch (err) {
     bad(err instanceof Error ? err.message : String(err));
     return 1;
   }
 }
-async function runReviewsRespond(opts) {
+async function runAccessibilityLint(filePath) {
+  let parsed;
   try {
-    const { r } = await bootstrap2();
-    const response = await r.customerReviewResponses.create({
-      reviewId: opts.reviewId,
-      responseBody: opts.body
-    });
-    section(`Responded to ${opts.reviewId}`);
-    ok(`response ${response.id}  ${DIM}${response.attributes.state ?? ""}${RESET}`);
-    return 0;
+    parsed = JSON.parse(readFileSync(filePath, "utf8"));
   } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
+    bad(`failed to read ${filePath}: ${err instanceof Error ? err.message : String(err)}`);
     return 1;
   }
-}
-async function runReviewsDeleteResponse(responseId) {
-  try {
-    const { r } = await bootstrap2();
-    await r.customerReviewResponses.delete(responseId);
-    section(`Deleted response ${responseId}`);
-    ok("done");
+  const issues = lintAccessibilityConfig(parsed);
+  const errors = issues.filter((i) => i.severity === "error");
+  const warnings = issues.filter((i) => i.severity === "warning");
+  section(`Accessibility lint: ${filePath}`);
+  for (const i of issues) {
+    const tag = i.severity === "error" ? `${RED}error${RESET}` : `${YELLOW}warn${RESET}`;
+    line(`  ${tag}  ${i.message}`);
+  }
+  if (errors.length === 0 && warnings.length === 0) {
+    ok("clean");
     return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
   }
+  line(`${BOLD}${errors.length}${RESET} error(s), ${BOLD}${warnings.length}${RESET} warning(s)`);
+  return errors.length > 0 ? 1 : 0;
 }
 
-// src/lib/asc-sandbox.ts
-function sandbox(client2) {
-  return {
-    sandboxTesters: {
-      list() {
-        return client2.paginatedList("/v1/sandboxTesters");
-      },
-      async get(id) {
-        const res = await client2.request(
-          "GET",
-          `/v1/sandboxTesters/${id}`
-        );
-        return res.data;
-      },
-      async create(args) {
-        const body = {
-          data: {
-            type: "sandboxTesters",
-            attributes: {
-              firstName: args.firstName,
-              lastName: args.lastName,
-              email: args.email,
-              password: args.password,
-              territory: args.territory
-            }
-          }
-        };
-        const res = await client2.request(
-          "POST",
-          "/v1/sandboxTesters",
-          body
-        );
-        return res.data;
-      },
-      async delete(id) {
-        await client2.request("DELETE", `/v1/sandboxTesters/${id}`);
-      }
+// src/lib/asc-privacy.ts
+var PRIVACY_DATA_TYPES = [
+  "CONTACT_INFO",
+  "HEALTH_FITNESS",
+  "FINANCIAL_INFO",
+  "LOCATION",
+  "SENSITIVE_INFO",
+  "CONTACTS",
+  "USER_CONTENT",
+  "BROWSING_HISTORY",
+  "SEARCH_HISTORY",
+  "IDENTIFIERS",
+  "PURCHASES",
+  "USAGE_DATA",
+  "DIAGNOSTICS",
+  "OTHER_DATA"
+];
+var PRIVACY_PURPOSES = [
+  "THIRD_PARTY_ADVERTISING",
+  "DEVELOPER_ADVERTISING",
+  "ANALYTICS",
+  "PRODUCT_PERSONALIZATION",
+  "APP_FUNCTIONALITY",
+  "OTHER"
+];
+function lintPrivacyConfig(config) {
+  const issues = [];
+  if (!isRecord2(config)) {
+    issues.push({ severity: "error", message: "config must be a JSON object" });
+    return issues;
+  }
+  if (typeof config.collectsData !== "boolean") {
+    issues.push({ severity: "error", message: "`collectsData` must be a boolean" });
+  }
+  if (!Array.isArray(config.entries)) {
+    issues.push({ severity: "error", message: "`entries` must be an array" });
+    return issues;
+  }
+  if (config.collectsData === false && config.entries.length > 0) {
+    issues.push({
+      severity: "warning",
+      message: "`collectsData` is false but `entries` is non-empty; entries will be ignored."
+    });
+  }
+  if (config.collectsData === true && config.entries.length === 0) {
+    issues.push({
+      severity: "error",
+      message: "`collectsData` is true but `entries` is empty; declare at least one data type."
+    });
+  }
+  const seenCategories = /* @__PURE__ */ new Set();
+  config.entries.forEach((raw, index) => {
+    if (!isRecord2(raw)) {
+      issues.push({ severity: "error", message: `entry[${index}] must be an object` });
+      return;
+    }
+    const category = raw.category;
+    if (typeof category !== "string" || !PRIVACY_DATA_TYPES.includes(category)) {
+      issues.push({
+        severity: "error",
+        message: `entry[${index}].category '${String(category)}' is not a valid PrivacyDataType. Allowed: ${PRIVACY_DATA_TYPES.join(", ")}`
+      });
+    } else if (seenCategories.has(category)) {
+      issues.push({
+        severity: "warning",
+        message: `entry[${index}].category '${category}' is duplicated; only the last entry counts.`
+      });
+    } else {
+      seenCategories.add(category);
     }
-  };
-}
-
-// src/commands/sandbox.ts
-async function client() {
-  const { client: ascClient } = await ascBootstrap();
-  return sandbox(ascClient);
-}
-async function runSandboxList(opts = {}) {
-  try {
-    const s = await client();
-    const list = await s.sandboxTesters.list();
-    if (opts.json) {
-      process.stdout.write(JSON.stringify(list, null, 2) + "\n");
-      return 0;
+    if (typeof raw.collected !== "boolean") {
+      issues.push({ severity: "error", message: `entry[${index}].collected must be a boolean` });
     }
-    section("Sandbox testers");
-    if (list.length === 0) {
-      nop("none");
-      return 0;
+    if (typeof raw.usedForTracking !== "boolean") {
+      issues.push({
+        severity: "error",
+        message: `entry[${index}].usedForTracking must be a boolean`
+      });
     }
-    for (const t of list) {
-      const name = `${t.attributes.firstName ?? ""} ${t.attributes.lastName ?? ""}`.trim();
-      line(
-        `  ${BOLD}${t.attributes.email ?? "(no email)"}${RESET}  ${DIM}${t.attributes.territory ?? ""}  ${name}${RESET}`
-      );
+    if (typeof raw.linkedToUser !== "boolean") {
+      issues.push({
+        severity: "error",
+        message: `entry[${index}].linkedToUser must be a boolean`
+      });
     }
+    if (!Array.isArray(raw.purposes)) {
+      issues.push({ severity: "error", message: `entry[${index}].purposes must be an array` });
+    } else {
+      raw.purposes.forEach((purpose, j) => {
+        if (typeof purpose !== "string" || !PRIVACY_PURPOSES.includes(purpose)) {
+          issues.push({
+            severity: "error",
+            message: `entry[${index}].purposes[${j}] '${String(purpose)}' is not a valid PrivacyPurpose. Allowed: ${PRIVACY_PURPOSES.join(", ")}`
+          });
+        }
+      });
+    }
+  });
+  return issues;
+}
+function isRecord2(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/commands/asc-privacy.ts
+var ASC_PRIVACY_URL = "https://appstoreconnect.apple.com";
+async function runPrivacyShow(file, opts = {}) {
+  if (!existsSync(file)) {
+    section("Privacy details");
+    note(`no local ${file}. Apple's API can't read the live label; set it in App Store Connect:`);
+    note(`  ${ASC_PRIVACY_URL} -> your app -> App Privacy`);
     return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
   }
-}
-async function runSandboxCreate(opts) {
+  let parsed;
   try {
-    const s = await client();
-    const created = await s.sandboxTesters.create(opts);
-    section(`Sandbox tester ${opts.email}`);
-    ok(`id ${created.id}`);
-    return 0;
+    parsed = JSON.parse(readFileSync(file, "utf8"));
   } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
+    bad(`failed to read ${file}: ${err instanceof Error ? err.message : String(err)}`);
     return 1;
   }
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(parsed, null, 2) + "\n");
+    return 0;
+  }
+  section(`Privacy details (declared in ${file})`);
+  const config = parsed;
+  if (!config.collectsData) {
+    line(`  ${BOLD}Data Not Collected${RESET}`);
+    return 0;
+  }
+  for (const e of config.entries ?? []) {
+    const flags = [
+      e.usedForTracking ? "tracking" : "",
+      e.linkedToUser ? "linked" : "",
+      Array.isArray(e.purposes) ? e.purposes.join(",") : ""
+    ].filter(Boolean).join(" \xB7 ");
+    line(`  ${BOLD}${String(e.category)}${RESET}  ${DIM}${flags}${RESET}`);
+  }
+  return 0;
 }
-async function runSandboxDelete(id) {
+async function runPrivacyLint(filePath) {
+  let parsed;
   try {
-    const s = await client();
-    await s.sandboxTesters.delete(id);
-    section(`Deleted sandbox tester ${id}`);
-    ok("done");
-    return 0;
+    parsed = JSON.parse(readFileSync(filePath, "utf8"));
   } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
+    bad(`failed to read ${filePath}: ${err instanceof Error ? err.message : String(err)}`);
     return 1;
   }
+  const issues = lintPrivacyConfig(parsed);
+  const errors = issues.filter((i) => i.severity === "error");
+  const warnings = issues.filter((i) => i.severity === "warning");
+  section(`Privacy lint: ${filePath}`);
+  for (const i of issues) {
+    const tag = i.severity === "error" ? `${RED}error${RESET}` : `${YELLOW}warn${RESET}`;
+    line(`  ${tag}  ${i.message}`);
+  }
+  if (errors.length === 0 && warnings.length === 0) {
+    ok("clean");
+    return 0;
+  }
+  line(`${BOLD}${errors.length}${RESET} error(s), ${BOLD}${warnings.length}${RESET} warning(s)`);
+  return errors.length > 0 ? 1 : 0;
 }
 
 // src/lib/asc-testflight.ts
-function testflight(client2) {
+function testflight(client) {
   return {
-    /* beta groups -------------------------------------------------------- */
     betaGroups: {
       list(filter) {
         const query = {};
         if (filter?.appId) query["filter[app]"] = filter.appId;
         if (filter?.name) query["filter[name]"] = filter.name;
-        return client2.paginatedList("/v1/betaGroups", query);
+        return client.paginatedList("/v1/betaGroups", query);
       },
       async get(id) {
-        const res = await client2.request("GET", `/v1/betaGroups/${id}`);
+        const res = await client.request("GET", `/v1/betaGroups/${id}`);
         return res.data;
       },
       async create(args) {
@@ -2384,8 +2844,6 @@ function testflight(client2) {
             type: "betaGroups",
             attributes: {
               name: args.name,
-              ...args.publicLinkEnabled !== void 0 ? { publicLinkEnabled: args.publicLinkEnabled } : {},
-              ...args.publicLinkLimit !== void 0 ? { publicLinkLimit: args.publicLinkLimit, publicLinkLimitEnabled: true } : {},
               ...args.feedbackEnabled !== void 0 ? { feedbackEnabled: args.feedbackEnabled } : {}
             },
             relationships: {
@@ -2393,39 +2851,30 @@ function testflight(client2) {
             }
           }
         };
-        const res = await client2.request("POST", "/v1/betaGroups", body);
+        const res = await client.request("POST", "/v1/betaGroups", body);
         return res.data;
       },
       async delete(id) {
-        await client2.request("DELETE", `/v1/betaGroups/${id}`);
+        await client.request("DELETE", `/v1/betaGroups/${id}`);
       },
       async listTesters(groupId) {
-        return client2.paginatedList(`/v1/betaGroups/${groupId}/betaTesters`);
+        return client.paginatedList(`/v1/betaGroups/${groupId}/betaTesters`);
       },
       async addTesters(groupId, testerIds) {
         const body = { data: testerIds.map((id) => ({ type: "betaTesters", id })) };
-        await client2.request(
+        await client.request(
           "POST",
           `/v1/betaGroups/${groupId}/relationships/betaTesters`,
           body
         );
-      },
-      async removeTesters(groupId, testerIds) {
-        const body = { data: testerIds.map((id) => ({ type: "betaTesters", id })) };
-        await client2.request(
-          "DELETE",
-          `/v1/betaGroups/${groupId}/relationships/betaTesters`,
-          body
-        );
       }
     },
-    /* beta testers ------------------------------------------------------- */
     betaTesters: {
       list(filter) {
         const query = {};
         if (filter?.email) query["filter[email]"] = filter.email;
         if (filter?.appId) query["filter[apps]"] = filter.appId;
-        return client2.paginatedList("/v1/betaTesters", query);
+        return client.paginatedList("/v1/betaTesters", query);
       },
       async create(args) {
         const body = {
@@ -2450,14 +2899,10 @@ function testflight(client2) {
             }
           }
         };
-        const res = await client2.request("POST", "/v1/betaTesters", body);
+        const res = await client.request("POST", "/v1/betaTesters", body);
         return res.data;
-      },
-      async delete(id) {
-        await client2.request("DELETE", `/v1/betaTesters/${id}`);
       }
     },
-    /* invitations -------------------------------------------------------- */
     betaTesterInvitations: {
       async create(args) {
         const body = {
@@ -2469,7 +2914,7 @@ function testflight(client2) {
             }
           }
         };
-        const res = await client2.request(
+        const res = await client.request(
           "POST",
           "/v1/betaTesterInvitations",
           body
@@ -2477,15 +2922,9 @@ function testflight(client2) {
         return res.data;
       }
     },
-    /* beta build localizations ------------------------------------------ */
     betaBuildLocalizations: {
-      list(buildId) {
-        return client2.paginatedList(
-          `/v1/builds/${buildId}/betaBuildLocalizations`
-        );
-      },
       async upsert(args) {
-        const existing = await client2.paginatedList(
+        const existing = await client.paginatedList(
           `/v1/builds/${args.buildId}/betaBuildLocalizations`,
           { "filter[locale]": args.locale }
         );
@@ -2497,7 +2936,7 @@ function testflight(client2) {
               attributes: { whatsNew: args.whatsNew }
             }
           };
-          const res2 = await client2.request(
+          const res2 = await client.request(
             "PATCH",
             `/v1/betaBuildLocalizations/${existing[0].id}`,
             body2
@@ -2513,44 +2952,30 @@ function testflight(client2) {
             }
           }
         };
-        const res = await client2.request(
+        const res = await client.request(
           "POST",
           "/v1/betaBuildLocalizations",
           body
         );
         return res.data;
       }
-    },
-    /* builds (read-only) ------------------------------------------------- */
-    builds: {
-      list(filter) {
-        const query = {};
-        if (filter?.appId) query["filter[app]"] = filter.appId;
-        if (filter?.version) query["filter[version]"] = filter.version;
-        if (filter?.processingState) query["filter[processingState]"] = filter.processingState;
-        return client2.paginatedList("/v1/builds", query, filter?.limit ?? 50);
-      },
-      async get(id) {
-        const res = await client2.request("GET", `/v1/builds/${id}`);
-        return res.data;
-      }
     }
   };
 }
 
 // src/commands/testflight.ts
-async function bootstrap3() {
-  const { client: client2, ascAppId, bundleId } = await ascBootstrap();
+async function bootstrap() {
+  const { client, ascAppId, bundleId } = await ascBootstrap();
   if (!ascAppId) {
     throw new Error(
       `no ASC app found for bundle id ${bundleId ?? "(unset)"}; run \`vexpo apple credentials\` first`
     );
   }
-  return { tf: testflight(client2), ascAppId };
+  return { tf: testflight(client), ascAppId };
 }
 async function runTestflightGroupsList(opts = {}) {
   try {
-    const { tf, ascAppId } = await bootstrap3();
+    const { tf, ascAppId } = await bootstrap();
     const groups = await tf.betaGroups.list({ appId: ascAppId });
     if (opts.json) {
       process.stdout.write(JSON.stringify(groups, null, 2) + "\n");
@@ -2574,17 +2999,14 @@ async function runTestflightGroupsList(opts = {}) {
 }
 async function runTestflightGroupsCreate(opts) {
   try {
-    const { tf, ascAppId } = await bootstrap3();
+    const { tf, ascAppId } = await bootstrap();
     const created = await tf.betaGroups.create({
       name: opts.name,
       appId: ascAppId,
-      publicLinkEnabled: opts.publicLink,
-      publicLinkLimit: opts.publicLimit,
       feedbackEnabled: opts.feedback
     });
     section(`Beta group ${created.attributes.name}`);
     ok(`id ${created.id}`);
-    if (created.attributes.publicLink) line(`  public link: ${created.attributes.publicLink}`);
     return 0;
   } catch (err) {
     bad(err instanceof Error ? err.message : String(err));
@@ -2593,7 +3015,7 @@ async function runTestflightGroupsCreate(opts) {
 }
 async function runTestflightGroupsView(groupId, opts) {
   try {
-    const { tf } = await bootstrap3();
+    const { tf } = await bootstrap();
     const [group, testers] = await Promise.all([
       tf.betaGroups.get(groupId),
       tf.betaGroups.listTesters(groupId).catch(() => [])
@@ -2618,298 +3040,89 @@ async function runTestflightGroupsView(groupId, opts) {
     return 1;
   }
 }
-async function runTestflightGroupsDelete(groupId) {
-  try {
-    const { tf } = await bootstrap3();
-    await tf.betaGroups.delete(groupId);
-    section(`Group ${groupId} deleted`);
-    ok("done");
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runTestflightTestersList(opts) {
-  try {
-    const { tf, ascAppId } = await bootstrap3();
-    const testers = await tf.betaTesters.list({ appId: ascAppId, email: opts.email });
-    if (opts.json) {
-      process.stdout.write(JSON.stringify(testers, null, 2) + "\n");
-      return 0;
-    }
-    section("Beta testers");
-    if (testers.length === 0) {
-      nop("none");
-      return 0;
-    }
-    for (const t of testers) {
-      const name = `${t.attributes.firstName ?? ""} ${t.attributes.lastName ?? ""}`.trim();
-      line(
-        `  ${BOLD}${t.attributes.email ?? "(no email)"}${RESET}  ${name ? DIM + name + RESET + "  " : ""}${DIM}${t.attributes.state ?? ""}${RESET}`
-      );
-    }
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runTestflightInvite(opts) {
-  try {
-    const { tf, ascAppId } = await bootstrap3();
-    const existing = await tf.betaTesters.list({ email: opts.email, appId: ascAppId });
-    let testerId = existing[0]?.id;
-    if (!testerId) {
-      const created = await tf.betaTesters.create({
-        email: opts.email,
-        firstName: opts.firstName,
-        lastName: opts.lastName,
-        appIds: [ascAppId],
-        groupIds: opts.groupId ? [opts.groupId] : []
-      });
-      testerId = created.id;
-      ok(`tester ${opts.email} added`);
-    } else {
-      ok(`tester ${opts.email} already exists (${testerId})`);
-      if (opts.groupId) await tf.betaGroups.addTesters(opts.groupId, [testerId]);
-    }
-    const inv = await tf.betaTesterInvitations.create({ appId: ascAppId, testerId });
-    section(`Invited ${opts.email}`);
-    ok(`invitation ${inv.id}`);
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runTestflightRemove(email) {
-  try {
-    const { tf, ascAppId } = await bootstrap3();
-    const matches = await tf.betaTesters.list({ email, appId: ascAppId });
-    if (matches.length === 0) {
-      bad(`no tester with email ${email}`);
-      return 1;
-    }
-    for (const t of matches) await tf.betaTesters.delete(t.id);
-    section(`Removed ${matches.length} tester${matches.length === 1 ? "" : "s"}`);
-    ok("done");
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-async function runTestflightWhatsNew(opts) {
-  try {
-    const { tf } = await bootstrap3();
-    const loc = await tf.betaBuildLocalizations.upsert({
-      buildId: opts.buildId,
-      locale: opts.locale,
-      whatsNew: opts.text
-    });
-    section(`What's new for build ${opts.buildId}`);
-    ok(`upserted (${loc.attributes.locale})`);
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-
-// src/commands/better-auth.ts
-function base64Secret() {
-  const buf = new Uint8Array(32);
-  crypto.getRandomValues(buf);
-  return btoa(String.fromCharCode(...buf));
-}
-async function runBetterAuth(options2) {
-  section("Better Auth env");
-  try {
-    const env2 = await envMap();
-    const siteUrl = options2.siteUrl ?? `${await scheme()}://`;
-    if (env2.has("SITE_URL") && env2.get("SITE_URL") === siteUrl) {
-      nop(`SITE_URL already set to ${siteUrl}`);
-    } else {
-      await envSet("SITE_URL", siteUrl);
-      ok(`set SITE_URL=${siteUrl}`);
-    }
-    if (env2.has("BETTER_AUTH_SECRET") && !options2.rotateSecret) {
-      nop("BETTER_AUTH_SECRET already set (use --rotate-secret to regenerate)");
-    } else {
-      await envSet("BETTER_AUTH_SECRET", base64Secret());
-      ok(
-        options2.rotateSecret === true ? "rotated BETTER_AUTH_SECRET (sessions invalidated)" : "generated BETTER_AUTH_SECRET"
-      );
-    }
-    const desiredAppName = options2.appName ?? await appName();
-    if (env2.has("APP_NAME") && env2.get("APP_NAME") === desiredAppName) {
-      nop(`APP_NAME already set to ${desiredAppName}`);
-    } else {
-      await envSet("APP_NAME", desiredAppName);
-      ok(`set APP_NAME=${desiredAppName}`);
-    }
-    await recordStep("better-auth", {
-      siteUrl,
-      appName: desiredAppName,
-      rotated: options2.rotateSecret === true
-    });
-    return 0;
-  } catch (err) {
-    bad(err instanceof Error ? err.message : String(err));
-    return 1;
-  }
-}
-
-// src/commands/convex.ts
-var BUNDLE_ID_RE = /^[A-Za-z0-9.-]+$/;
-var TEAM_ID_RE = /^[A-Z0-9]{10}$/;
-async function runConvex(options2) {
-  section("Convex deployment");
+async function runTestflightGroupsDelete(groupId) {
   try {
-    if (!await isLoggedIn()) {
-      yep("not signed in to Convex");
-      await helpAndWait({
-        body: "Sign up free and run `bunx convex login` in another terminal:",
-        urls: [
-          { label: "Convex sign-up", url: "https://convex.dev" },
-          { label: "Convex dashboard", url: "https://dashboard.convex.dev" }
-        ],
-        allowSkip: true,
-        skipLabel: "skip"
-      });
-    }
-    const localEnv = await readAll();
-    const existing = localEnv.get("CONVEX_DEPLOYMENT");
-    if (options2.fresh) {
-      await removeLines([
-        "CONVEX_DEPLOYMENT",
-        "EXPO_PUBLIC_CONVEX_URL",
-        "EXPO_PUBLIC_CONVEX_SITE_URL"
-      ]);
-    }
-    const needsProvisioning = options2.fresh === true || !existing;
-    const projectName = options2.name ?? await pkgName();
-    const cmd = [dlx(), "convex", "dev", "--once", "--tail-logs", "disable"];
-    if (options2.local) cmd.push("--local");
-    if (needsProvisioning) cmd.push("--configure", "new", "--project", projectName);
-    if (needsProvisioning) {
-      ok(`provisioning Convex project '${projectName}'`);
-    } else {
-      ok(`connecting to existing deployment ${existing}`);
-    }
-    const proc = spawn(cmd, { stdin: "inherit", stdout: "inherit", stderr: "inherit" });
-    if (await proc.exited !== 0) {
-      bad("convex dev exited with a non-zero code");
-      return 1;
-    }
-    const refreshed = await readAll();
-    const deployment = refreshed.get("CONVEX_DEPLOYMENT");
-    if (!deployment) {
-      bad("CONVEX_DEPLOYMENT missing after convex dev ran");
-      return 1;
-    }
-    const slug2 = deployment.split("#")[0].trim().split(":")[1];
-    if (!slug2) {
-      bad(`invalid CONVEX_DEPLOYMENT: ${deployment}`);
-      return 1;
-    }
-    process.env.CONVEX_DEPLOYMENT = deployment;
-    if (refreshed.has("EXPO_PUBLIC_CONVEX_URL")) {
-      nop("EXPO_PUBLIC_CONVEX_URL already set");
-    } else {
-      await ensureLine("EXPO_PUBLIC_CONVEX_URL", `https://${slug2}.convex.cloud`);
-      ok("wrote EXPO_PUBLIC_CONVEX_URL");
+    const { tf } = await bootstrap();
+    await tf.betaGroups.delete(groupId);
+    section(`Group ${groupId} deleted`);
+    ok("done");
+    return 0;
+  } catch (err) {
+    bad(err instanceof Error ? err.message : String(err));
+    return 1;
+  }
+}
+async function runTestflightTestersList(opts) {
+  try {
+    const { tf, ascAppId } = await bootstrap();
+    const testers = await tf.betaTesters.list({ appId: ascAppId, email: opts.email });
+    if (opts.json) {
+      process.stdout.write(JSON.stringify(testers, null, 2) + "\n");
+      return 0;
     }
-    if (refreshed.has("EXPO_PUBLIC_CONVEX_SITE_URL")) {
-      nop("EXPO_PUBLIC_CONVEX_SITE_URL already set");
-    } else {
-      await ensureLine("EXPO_PUBLIC_CONVEX_SITE_URL", `https://${slug2}.convex.site`);
-      ok("wrote EXPO_PUBLIC_CONVEX_SITE_URL");
+    section("Beta testers");
+    if (testers.length === 0) {
+      nop("none");
+      return 0;
     }
-    if (refreshed.has("EXPO_PUBLIC_SITE_URL")) {
-      nop("EXPO_PUBLIC_SITE_URL already set");
-    } else {
-      const s = `${await scheme()}://`;
-      await ensureLine("EXPO_PUBLIC_SITE_URL", s);
-      ok(`wrote EXPO_PUBLIC_SITE_URL=${s}`);
+    for (const t of testers) {
+      const name = `${t.attributes.firstName ?? ""} ${t.attributes.lastName ?? ""}`.trim();
+      line(
+        `  ${BOLD}${t.attributes.email ?? "(no email)"}${RESET}  ${name ? DIM + name + RESET + "  " : ""}${DIM}${t.attributes.state ?? ""}${RESET}`
+      );
     }
-    await ensureIdentity(refreshed);
-    await recordStep("convex", {
-      deployment,
-      slug: slug2,
-      ...options2.local ? { local: true } : {}
-    });
-    line();
-    ok(`Convex deployment ready: ${BOLD}${slug2}${RESET}`);
-    note(`dashboard: https://dashboard.convex.dev/d/${slug2}`);
     return 0;
   } catch (err) {
     bad(err instanceof Error ? err.message : String(err));
     return 1;
   }
 }
-async function ensureIdentity(localEnv) {
-  const haveBundle = localEnv.has("EXPO_PUBLIC_APP_BUNDLE_ID");
-  const haveTeam = localEnv.has("EXPO_PUBLIC_APPLE_TEAM_ID");
-  let bundleId = localEnv.get("EXPO_PUBLIC_APP_BUNDLE_ID");
-  let teamId = localEnv.get("EXPO_PUBLIC_APPLE_TEAM_ID");
-  if (!haveBundle) {
-    if (!process.stdin.isTTY) {
-      yep("EXPO_PUBLIC_APP_BUNDLE_ID not set (non-TTY); skipping prompt");
-      yep("set it in .env.local before running `vexpo apple` or building");
-    } else {
-      const fromConfig = await bundleIdFallback();
-      const isTemplate = !fromConfig || fromConfig.startsWith("com.example.");
-      const suggested = isTemplate ? `com.example.${await pkgName()}` : fromConfig;
-      const cachedHint = isTemplate ? "" : ` ${DIM}(from app.config.ts)${RESET}`;
-      const raw = (await ask(
-        `  iOS bundle id ${DIM}(reverse-DNS, e.g. com.you.app)${RESET}${cachedHint}
-  ${DIM}> ${suggested} ${RESET}`
-      )).trim();
-      bundleId = raw || suggested;
-      if (!BUNDLE_ID_RE.test(bundleId)) {
-        throw new Error(`invalid bundle id '${bundleId}' (allowed: A-Z a-z 0-9 . -)`);
-      }
-      await ensureLine("EXPO_PUBLIC_APP_BUNDLE_ID", bundleId);
-      ok(`wrote EXPO_PUBLIC_APP_BUNDLE_ID=${bundleId}`);
-    }
-  } else {
-    nop(`EXPO_PUBLIC_APP_BUNDLE_ID already set (${bundleId})`);
-  }
-  if (!haveTeam) {
-    if (!process.stdin.isTTY) {
-      yep("EXPO_PUBLIC_APPLE_TEAM_ID not set (non-TTY); skipping prompt");
+async function runTestflightInvite(opts) {
+  try {
+    const { tf, ascAppId } = await bootstrap();
+    const existing = await tf.betaTesters.list({ email: opts.email, appId: ascAppId });
+    let testerId = existing[0]?.id;
+    if (!testerId) {
+      const created = await tf.betaTesters.create({
+        email: opts.email,
+        firstName: opts.firstName,
+        lastName: opts.lastName,
+        appIds: [ascAppId],
+        groupIds: opts.groupId ? [opts.groupId] : []
+      });
+      testerId = created.id;
+      ok(`tester ${opts.email} added`);
     } else {
-      const fromConfig = await appleTeamIdFallback();
-      const cachedHint = fromConfig ? ` ${DIM}[${fromConfig} from app.config.ts]${RESET}` : "";
-      const raw = (await ask(
-        `  Apple Team id ${DIM}(10-char alphanumeric, find at developer.apple.com/account)${RESET}${cachedHint}
-  ${DIM}> ${RESET}`
-      )).trim().toUpperCase();
-      const value = raw || (fromConfig ?? "");
-      if (!TEAM_ID_RE.test(value)) {
-        throw new Error(`invalid Apple Team id '${value}' (must be 10 uppercase alphanumeric)`);
-      }
-      teamId = value;
-      await ensureLine("EXPO_PUBLIC_APPLE_TEAM_ID", teamId);
-      ok(`wrote EXPO_PUBLIC_APPLE_TEAM_ID=${teamId}`);
+      ok(`tester ${opts.email} already exists (${testerId})`);
+      if (opts.groupId) await tf.betaGroups.addTesters(opts.groupId, [testerId]);
     }
-  } else {
-    nop(`EXPO_PUBLIC_APPLE_TEAM_ID already set (${teamId})`);
-  }
-  if (bundleId) {
-    await envSet("APP_BUNDLE_ID", bundleId);
-    ok(`Convex env: APP_BUNDLE_ID=${bundleId}`);
+    const inv = await tf.betaTesterInvitations.create({ appId: ascAppId, testerId });
+    section(`Invited ${opts.email}`);
+    ok(`invitation ${inv.id}`);
+    return 0;
+  } catch (err) {
+    bad(err instanceof Error ? err.message : String(err));
+    return 1;
   }
-  if (teamId) {
-    await envSet("APPLE_TEAM_ID", teamId);
-    ok(`Convex env: APPLE_TEAM_ID=${teamId}`);
+}
+async function runTestflightWhatsNew(opts) {
+  try {
+    const { tf } = await bootstrap();
+    const loc = await tf.betaBuildLocalizations.upsert({
+      buildId: opts.buildId,
+      locale: opts.locale,
+      whatsNew: opts.text
+    });
+    section(`What's new for build ${opts.buildId}`);
+    ok(`upserted (${loc.attributes.locale})`);
+    return 0;
+  } catch (err) {
+    bad(err instanceof Error ? err.message : String(err));
+    return 1;
   }
 }
 var easEnvFor = (channel) => channel === "prod" ? ["production", "preview"] : ["development"];
 var ROUTING = {
-  // EAS-only (build-time public)
   EXPO_PUBLIC_CONVEX_URL: {
     routes: (c) => [{ type: "eas", key: "EXPO_PUBLIC_CONVEX_URL", environments: easEnvFor(c) }]
   },
@@ -2930,7 +3143,6 @@ var ROUTING = {
   EXPO_PUBLIC_EXPO_OWNER: {
     routes: (c) => [{ type: "eas", key: "EXPO_PUBLIC_EXPO_OWNER", environments: easEnvFor(c) }]
   },
-  // Convex-bound server-side
   SITE_URL: { routes: (c) => [{ type: "convex", key: "SITE_URL", channel: c }] },
   BETTER_AUTH_SECRET: {
     routes: (c) => [{ type: "convex", key: "BETTER_AUTH_SECRET", channel: c }]
@@ -2967,7 +3179,7 @@ var MANUAL_EAS_SECRETS = {
   APPLE_P8_PRIVATE_KEY: "eas env:create --name APPLE_P8_PRIVATE_KEY --value-file <path>.p8 --environment production --visibility secret",
   CONVEX_DEPLOY_KEY: "eas env:create --name CONVEX_DEPLOY_KEY --value <prod-deploy-key> --environment production --visibility secret"
 };
-async function fileExists4(p) {
+async function fileExists3(p) {
   try {
     await access(p);
     return true;
@@ -2977,7 +3189,7 @@ async function fileExists4(p) {
 }
 async function readEnvFile(path) {
   const out = /* @__PURE__ */ new Map();
-  if (!await fileExists4(path)) return out;
+  if (!await fileExists3(path)) return out;
   const text = await readFile(path, "utf8");
   let buffer = "";
   let pendingKey = null;
@@ -3026,13 +3238,13 @@ async function readSources(paths) {
   const local = paths?.local ?? ".env.local";
   const prodCandidates = paths?.prod ? [paths.prod] : [".env.prod", ".env.production"];
   const sources = [];
-  if (await fileExists4(local)) {
+  if (await fileExists3(local)) {
     sources.push({ path: local, channel: "dev", entries: await readEnvFile(local) });
   } else if (paths?.local) {
     throw new Error(`--local-file path does not exist: ${paths.local}`);
   }
   for (const p of prodCandidates) {
-    if (await fileExists4(p)) {
+    if (await fileExists3(p)) {
       sources.push({ path: p, channel: "prod", entries: await readEnvFile(p) });
       break;
     }
@@ -3082,7 +3294,90 @@ function missingKeys(sources) {
   return { dev: [...dev].toSorted(), prod: [...prod].toSorted() };
 }
 
-// src/lib/verify.ts
+// src/commands/convex-migrate.ts
+function selectMigratableEnv(src, dst) {
+  const out = [];
+  for (const [key, value] of src) {
+    if (key.startsWith("CONVEX_")) continue;
+    if (dst.get(key) === value) continue;
+    out.push([key, value]);
+  }
+  return out;
+}
+async function fileExists4(p) {
+  try {
+    await access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runConvexMigrate(options2) {
+  const channel = options2.prod ? "prod" : "dev";
+  section(`Convex migrate (${channel})`);
+  if (!options2.from) {
+    bad("--from <deployment> is required (the source deployment slug)");
+    return 1;
+  }
+  const fromSlug = deploymentSlug(options2.from) ?? options2.from;
+  let target;
+  if (options2.prod) {
+    const prodFile = await fileExists4(".env.prod") ? ".env.prod" : ".env.production";
+    const prodEnv = await readEnvFile(prodFile);
+    const deployKey = prodEnv.get("CONVEX_DEPLOY_KEY") ?? "";
+    const selector = prodEnv.get("CONVEX_DEPLOYMENT") ?? "";
+    if (!deployKey.startsWith("prod:") && !selector.startsWith("prod:")) {
+      bad(`${prodFile} has no prod-scoped CONVEX_DEPLOY_KEY or CONVEX_DEPLOYMENT`);
+      note("the copy would land on the DEV deployment (the dev key shadows --prod)");
+      return 1;
+    }
+    target = { prod: true, envFile: prodFile };
+  }
+  const src = await envMap({ deployment: fromSlug });
+  if (src.size === 0) {
+    bad(`no env on source deployment ${fromSlug} (unreachable or empty)`);
+    note("pass a deployment slug your account can reach, e.g. `--from old-deployment-123`");
+    return 1;
+  }
+  const dst = await envMap(target);
+  const toMove = selectMigratableEnv(src, dst);
+  if (toMove.length === 0) {
+    ok(`target already matches ${fromSlug} (nothing to copy)`);
+    return 0;
+  }
+  line();
+  note(
+    `${BOLD}${toMove.length}${RESET} server-side var${toMove.length === 1 ? "" : "s"} to copy from ${fromSlug}:`
+  );
+  for (const [key] of toMove) note(`  ${key}`);
+  if (options2.dryRun) {
+    line();
+    note("--dry-run; exiting without changes");
+    return 0;
+  }
+  let failed = 0;
+  for (const [key, value] of toMove) {
+    try {
+      await envSet(key, value, target);
+      ok(`copied ${key}`);
+    } catch (err) {
+      bad(`${key} failed: ${err instanceof Error ? err.message : err}`);
+      failed += 1;
+    }
+  }
+  line();
+  if (failed > 0) {
+    bad(`${failed} write${failed === 1 ? "" : "s"} failed`);
+    return 1;
+  }
+  ok(
+    `migrated ${toMove.length} var${toMove.length === 1 ? "" : "s"} onto the ${channel} deployment`
+  );
+  note(`next: ${BOLD}vexpo env convex-key${RESET} (EAS deploy key + selector)`);
+  note(`      ${BOLD}vexpo resend --repoint${options2.prod ? " --prod" : ""}${RESET} (webhook)`);
+  note(`then: ${BOLD}vexpo doctor --channel ${channel}${RESET}`);
+  return 0;
+}
 var ok2 = (category, name, message, details) => ({
   category,
   name,
@@ -3150,6 +3445,16 @@ async function verifyConvex(ctx) {
   const checks = [];
   const env2 = ctx.channel === "prod" ? ctx.convexProdEnv : ctx.convexEnv;
   const local = ctx.channel === "prod" ? ctx.envProd : ctx.envLocal;
+  if (local.get("CONVEX_DEPLOYMENT")) {
+    const status = await checkToken();
+    if (status === "unauthorized") {
+      checks.push(
+        fail2("convex", "login", "Convex token expired or revoked", "run `npx convex login`")
+      );
+    } else if (status === "valid") {
+      checks.push(ok2("convex", "login", "token valid"));
+    }
+  }
   const cloudUrl = local.get("EXPO_PUBLIC_CONVEX_URL");
   const siteUrl = local.get("EXPO_PUBLIC_CONVEX_SITE_URL");
   if (cloudUrl) {
@@ -3201,6 +3506,25 @@ async function verifyConvex(ctx) {
   } else {
     checks.push(fail2("convex", "better-auth-secret", `not set on Convex (${ctx.channel})`));
   }
+  const deploymentName2 = deploymentSlug(local.get("CONVEX_DEPLOYMENT"));
+  if (deploymentName2) {
+    const deployments = await listProjectDeployments(deploymentName2);
+    if (deployments) {
+      const devs = deploymentsOfType(deployments, "dev");
+      if (devs.length > 1) {
+        checks.push(
+          warn(
+            "convex",
+            "deployments",
+            `${devs.length} dev deployments in this project`,
+            `${devs.map(describeDeployment).join(", ")} \u2014 pick one canonical, delete the others`
+          )
+        );
+      } else {
+        checks.push(ok2("convex", "deployments", `${deployments.length} total, 1 dev`));
+      }
+    }
+  }
   return checks;
 }
 async function verifyResend(ctx) {
@@ -3213,21 +3537,21 @@ async function verifyResend(ctx) {
   if (!apiKey) {
     const requireEmailVerification = env2.get("REQUIRE_EMAIL_VERIFICATION");
     if (!requireEmailVerification || requireEmailVerification === "false") {
-      checks.push(skip("resend", "api-key-set", "lite mode (run `bunx vexpo full` to provision)"));
+      checks.push(skip("resend", "api-key-set", "lite mode (run `npx vexpo full` to provision)"));
       return checks;
     }
     checks.push(fail2("resend", "api-key-set", `RESEND_API_KEY not set on Convex (${ctx.channel})`));
     return checks;
   }
-  const access14 = await probeAccess(apiKey);
-  if (access14 === "invalid") {
+  const access17 = await probeAccess(apiKey);
+  if (access17 === "invalid") {
     checks.push(fail2("resend", "api-key-valid", "RESEND_API_KEY rejected by Resend"));
     return checks;
   }
-  checks.push(ok2("resend", "api-key-valid", `key authenticated (access=${access14})`));
+  checks.push(ok2("resend", "api-key-valid", `key authenticated (access=${access17})`));
   let domains = [];
   let webhooks = [];
-  if (access14 === "full") {
+  if (access17 === "full") {
     try {
       domains = await listDomains(apiKey);
     } catch (e) {
@@ -3295,15 +3619,29 @@ async function verifyResend(ctx) {
     const expectedEndpoint = `${expectedSiteUrl.replace(/\/$/, "")}/resend-webhook`;
     const match = webhooks.find((w) => w.endpoint === expectedEndpoint);
     if (!match) {
-      const others = webhooks.map((w) => w.endpoint).join(", ");
-      checks.push(
-        warn(
-          "resend",
-          "webhook-endpoint",
-          `no webhook pointing at ${expectedEndpoint}`,
-          others ? `existing: ${others}` : void 0
-        )
+      const others = webhooks.map((w) => w.endpoint);
+      const staleConvex = others.filter(
+        (e) => e.includes(".convex.site") && e.endsWith("/resend-webhook")
       );
+      if (staleConvex.length > 0) {
+        checks.push(
+          warn(
+            "resend",
+            "webhook-endpoint",
+            `no webhook for this deployment; ${staleConvex.length} point at other convex.site deployments (stale after a deployment migration)`,
+            `run \`vexpo resend --repoint${ctx.channel === "prod" ? " --prod" : ""}\` to move it to ${expectedEndpoint} and realign RESEND_WEBHOOK_SECRET. stale: ${staleConvex.join(", ")}`
+          )
+        );
+      } else {
+        checks.push(
+          warn(
+            "resend",
+            "webhook-endpoint",
+            `no webhook pointing at ${expectedEndpoint}`,
+            others.length ? `existing: ${others.join(", ")}` : void 0
+          )
+        );
+      }
     } else if (match.status !== "enabled" && match.status !== "active") {
       checks.push(warn("resend", "webhook-endpoint", `webhook ${match.id} status=${match.status}`));
     } else {
@@ -3321,7 +3659,7 @@ async function verifyResend(ctx) {
             "resend",
             "webhook-events",
             `webhook missing ${missing.join(", ")}`,
-            "re-run `bunx vexpo resend` to refresh subscription"
+            "re-run `npx vexpo resend` to refresh subscription"
           )
         );
     }
@@ -3398,10 +3736,10 @@ async function verifyApple(ctx) {
     const v = await validate(ctx.ascCreds);
     if (v.ok) {
       checks.push(ok2("apple", "asc-key-valid", `${v.appCount} app${v.appCount === 1 ? "" : "s"}`));
-      const client2 = makeAscClient(ctx.ascCreds);
+      const client = makeAscClient(ctx.ascCreds);
       if (servicesId) {
         try {
-          const matches = await client2.bundleIds.list({ identifier: servicesId });
+          const matches = await client.bundleIds.list({ identifier: servicesId });
           if (matches.length > 0)
             checks.push(ok2("apple", "services-id-exists", `${servicesId} found in ASC`));
           else
@@ -3410,7 +3748,7 @@ async function verifyApple(ctx) {
                 "apple",
                 "services-id-exists",
                 `${servicesId} not found in App Store Connect`,
-                "run `bunx vexpo apple services-id` to provision it"
+                "run `npx vexpo apple services-id` to provision it"
               )
             );
         } catch (e) {
@@ -3423,44 +3761,12 @@ async function verifyApple(ctx) {
           );
         }
       }
-      const bundleId = ctx.envLocal.get("EXPO_PUBLIC_APP_BUNDLE_ID") ?? ctx.appConfig.bundleIdFallback ?? void 0;
-      if (bundleId) {
-        try {
-          const apps = await client2.paginatedList(
-            "/v1/apps",
-            { "filter[bundleId]": bundleId },
-            5
-          );
-          const ascAppId = apps[0]?.id;
-          if (ascAppId) {
-            const { reviews: reviewsApi, unansweredOlderThan: unansweredOlderThan2 } = await import('./asc-reviews-OPKN34SB.js');
-            const all = await reviewsApi(client2).customerReviews.list({
-              appId: ascAppId,
-              limit: 100
-            });
-            const stale = unansweredOlderThan2(all, 7);
-            if (stale.length === 0)
-              checks.push(ok2("apple", "reviews-answered", "no stale reviews"));
-            else
-              checks.push(
-                warn(
-                  "apple",
-                  "reviews-answered",
-                  `${stale.length} review${stale.length === 1 ? "" : "s"} unanswered for >7 days`,
-                  "run `vexpo reviews unanswered --days 7` to triage"
-                )
-              );
-          }
-        } catch {
-          checks.push(skip("apple", "reviews-answered", "could not query customer reviews"));
-        }
-      }
     } else {
       checks.push(fail2("apple", "asc-key-valid", v.reason));
     }
   } else {
     checks.push(
-      skip("apple", "asc-key-valid", "no cached ASC creds (run `bunx vexpo apple asc-key`)")
+      skip("apple", "asc-key-valid", "no cached ASC creds (run `npx vexpo apple asc-key`)")
     );
   }
   return checks;
@@ -3469,100 +3775,84 @@ async function verifyEas(ctx) {
   const checks = [];
   let projectId = null;
   try {
-    projectId = await projectIdFromAppJson();
+    projectId = await resolveProjectId();
   } catch {
-    checks.push(skip("eas", "project-id", "couldn't read app.json"));
-    return checks;
   }
   if (!projectId) {
     const env2 = ctx.channel === "prod" ? ctx.convexProdEnv : ctx.convexEnv;
-    const requireEmailVerification = env2.get("REQUIRE_EMAIL_VERIFICATION");
-    if (!requireEmailVerification || requireEmailVerification === "false") {
-      checks.push(skip("eas", "project-id", "lite mode (run `bunx vexpo full` to init EAS)"));
+    const rev = env2.get("REQUIRE_EMAIL_VERIFICATION");
+    if (!rev || rev === "false") {
+      checks.push(skip("eas", "project-id", "lite mode (run `npx vexpo full` to init EAS)"));
       return checks;
     }
-    checks.push(fail2("eas", "project-id", "no projectId in app.json"));
-    return checks;
   }
-  checks.push(ok2("eas", "project-id", projectId));
-  let who = null;
-  try {
-    who = await whoami();
-  } catch {
-    checks.push(skip("eas", "signed-in", "eas CLI not available"));
-    return checks;
+  const envNames = ["production", "preview", "development"];
+  const envMaps = /* @__PURE__ */ new Map();
+  for (const e of envNames) {
+    try {
+      envMaps.set(e, await envList(e));
+    } catch {
+      envMaps.set(e, null);
+    }
   }
-  if (!who) {
-    checks.push(warn("eas", "signed-in", "not signed in (run `bunx eas login`)"));
+  const provisioned = [...envMaps.values()].some((m) => m !== null && m.size > 0);
+  if (projectId) {
+    checks.push(ok2("eas", "project-id", projectId));
+  } else if (provisioned) {
+    checks.push(
+      warn(
+        "eas",
+        "project-id",
+        "EAS env is provisioned but projectId is unresolved",
+        "set EAS_PROJECT_ID in .env.local (app.json is intentionally stubbed)"
+      )
+    );
+  } else {
+    checks.push(
+      fail2("eas", "project-id", "no projectId in app.json, EAS_PROJECT_ID env, or .env.local")
+    );
     return checks;
   }
-  checks.push(ok2("eas", "signed-in", who));
-  try {
-    const info = await projectInfo();
-    if (info) {
-      if (info.id === projectId) {
-        checks.push(ok2("eas", "project-info", info.fullName));
-      } else {
+  if (projectId) {
+    try {
+      const who = await whoami();
+      checks.push(
+        who ? ok2("eas", "signed-in", who) : warn("eas", "signed-in", "not signed in (run `npx eas login`)")
+      );
+    } catch {
+      checks.push(skip("eas", "signed-in", "eas CLI not available"));
+    }
+    try {
+      const info = await projectInfo();
+      if (info && info.id === projectId) checks.push(ok2("eas", "project-info", info.fullName));
+      else if (info)
         checks.push(
           fail2(
             "eas",
             "project-info",
-            `app.json projectId (${projectId}) doesn't match resolved project (${info.id})`,
+            `local projectId (${projectId}) doesn't match resolved project (${info.id})`,
             "run `vexpo eas` to re-link"
           )
         );
-      }
-    } else {
-      checks.push(
-        warn(
-          "eas",
-          "project-info",
-          "eas project:info failed (project may have been deleted or transferred)"
-        )
-      );
-    }
-  } catch {
-    checks.push(skip("eas", "project-info", "eas-cli not available"));
-  }
-  try {
-    const diag = await diagnostics();
-    if (diag.ok) {
-      checks.push(ok2("eas", "diagnostics", "eas-cli health ok"));
-    } else {
-      checks.push(warn("eas", "diagnostics", diag.error));
+      else
+        checks.push(
+          warn("eas", "project-info", "eas project:info failed (project deleted or transferred?)")
+        );
+    } catch {
+      checks.push(skip("eas", "project-info", "eas-cli not available"));
     }
-  } catch {
-    checks.push(skip("eas", "diagnostics", "eas-cli not available"));
-  }
-  try {
-    const { ascStatus: ascStatus2 } = await import('./eas-integrations-TIYBWWKC.js');
-    const asc = await ascStatus2();
-    if (asc.connected) {
-      const label = asc.ascApp?.bundleId ?? asc.ascApp?.id ?? "ok";
-      checks.push(ok2("eas", "asc-integration", String(label)));
-    } else {
+    try {
+      const diag = await diagnostics();
       checks.push(
-        warn(
-          "eas",
-          "asc-integration",
-          "no ASC integration on EAS",
-          "run `vexpo asc connect` to link"
-        )
+        diag.ok ? ok2("eas", "diagnostics", "eas-cli health ok") : warn("eas", "diagnostics", diag.error)
       );
+    } catch {
+      checks.push(skip("eas", "diagnostics", "eas-cli not available"));
     }
-  } catch {
-    checks.push(skip("eas", "asc-integration", "eas integrations:asc:status unavailable"));
   }
-  const envs = [
-    "production",
-    "preview",
-    "development"
-  ];
-  for (const env2 of envs) {
-    let list;
-    try {
-      list = await envList(env2);
-    } catch {
+  for (const env2 of envNames) {
+    const list = envMaps.get(env2) ?? null;
+    if (!list) {
       checks.push(skip("eas", `env-${env2}`, "eas env:list unavailable"));
       continue;
     }
@@ -3575,9 +3865,29 @@ async function verifyEas(ctx) {
           "eas",
           `env-${env2}`,
           `missing ${missing.join(", ")}`,
-          "run `bunx vexpo full` to init EAS + mirror env"
+          "run `npx vexpo full` to init EAS + mirror env"
         )
       );
+    const expected = (env2 === "development" ? ctx.envLocal : ctx.envProd).get(
+      "EXPO_PUBLIC_CONVEX_URL"
+    );
+    const actual = list.get("EXPO_PUBLIC_CONVEX_URL");
+    if (expected && actual) {
+      const expSlug = deploymentSlugFromHost(hostnameOf(expected) ?? "");
+      const actSlug = deploymentSlugFromHost(hostnameOf(actual) ?? "");
+      if (expSlug && actSlug && expSlug !== actSlug) {
+        checks.push(
+          fail2(
+            "eas",
+            `convex-url-${env2}`,
+            `EAS points at ${actSlug}, local at ${expSlug}`,
+            "run `vexpo env push` + `vexpo env convex-key` to repoint EAS at the active deployment"
+          )
+        );
+      } else if (expSlug && actSlug) {
+        checks.push(ok2("eas", `convex-url-${env2}`, `points at ${actSlug}`));
+      }
+    }
     if (env2 === "production") {
       const rotationSecrets = [
         "CONVEX_DEPLOY_KEY",
@@ -3600,6 +3910,38 @@ async function verifyEas(ctx) {
         );
     }
   }
+  try {
+    const status = await ascStatus();
+    if (status.status === "connected") {
+      checks.push(
+        ok2("eas", "asc-integration", status.appStoreConnectApp?.bundleIdentifier ?? "connected")
+      );
+      const missing = existsSync("eas.json") ? submitProfilesMissingAscAppId(readFileSync("eas.json", "utf8")) : [];
+      if (missing.length > 0) {
+        checks.push(
+          warn(
+            "eas",
+            "asc-submit-id",
+            `submit profile${missing.length === 1 ? "" : "s"} ${missing.join(", ")} missing ascAppId`,
+            "run `vexpo asc` to write it; non-interactive `eas submit` (CI) fails without it"
+          )
+        );
+      } else if (existsSync("eas.json")) {
+        checks.push(ok2("eas", "asc-submit-id", "submit profiles carry ascAppId"));
+      }
+    } else {
+      checks.push(
+        warn(
+          "eas",
+          "asc-integration",
+          `not connected (${status.status})`,
+          "run `vexpo asc:connect` so `eas submit` resolves the app from the bundle id"
+        )
+      );
+    }
+  } catch {
+    checks.push(skip("eas", "asc-integration", "eas integrations:asc:status unavailable"));
+  }
   return checks;
 }
 function verifyCoherence(ctx) {
@@ -3715,12 +4057,15 @@ function verifyFiles(ctx) {
   return checks;
 }
 async function readContext(channel) {
+  const prodEnvFile = existsSync(".env.prod") ? ".env.prod" : existsSync(".env.production") ? ".env.production" : void 0;
   const [envLocal, envProd, convexEnv, convexProdEnv, appConfigFacts, ascCreds] = await Promise.all(
     [
       readEnvFile(".env.local"),
       readEnvFile(".env.prod").then(async (m) => m.size > 0 ? m : readEnvFile(".env.production")),
       envMap().catch(() => /* @__PURE__ */ new Map()),
-      envMap({ prod: true }).catch(() => /* @__PURE__ */ new Map()),
+      prodEnvFile ? envMap({ prod: true, envFile: prodEnvFile }).catch(
+        () => /* @__PURE__ */ new Map()
+      ) : Promise.resolve(/* @__PURE__ */ new Map()),
       readAppConfigFacts(),
       loadAscCreds3()
     ]
@@ -3884,6 +4229,113 @@ async function runDoctor(options2) {
     return 2;
   }
 }
+async function fileExists5(p) {
+  try {
+    await access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function upsert(name, value, visibility, env2) {
+  const existing = await envList(env2);
+  if (existing.has(name)) await envUpdate(name, value, visibility, [env2]);
+  else await envCreate(name, value, visibility, [env2]);
+}
+async function runConvexKey(options2) {
+  section("EAS Convex key");
+  const projectId = await resolveProjectId();
+  if (!projectId) {
+    bad("no EAS projectId. run `eas init` (or `vexpo full`) first");
+    return 1;
+  }
+  ok(`EAS project: ${BOLD}${projectId}${RESET}`);
+  const localFile = options2.localFile ?? ".env.local";
+  const prodFile = options2.prodFile ?? (await fileExists5(".env.prod") ? ".env.prod" : ".env.production");
+  const local = await readEnvFile(localFile);
+  const prod = await readEnvFile(prodFile);
+  const devKey = options2.devKey ?? local.get("CONVEX_DEPLOY_KEY");
+  let prodKey = options2.prodKey ?? prod.get("CONVEX_DEPLOY_KEY");
+  const devSel = local.get("CONVEX_DEPLOYMENT");
+  const prodSel = prod.get("CONVEX_DEPLOYMENT");
+  if (options2.mint && !prodKey) {
+    const easProd = await envList("production").catch(() => /* @__PURE__ */ new Map());
+    if (easProd.has("CONVEX_DEPLOY_KEY")) {
+      note("prod CONVEX_DEPLOY_KEY already on EAS; skipping mint");
+    } else {
+      const slug2 = deploymentSlug(prodSel ?? devSel);
+      const minted = slug2 ? await mintProdDeployKey(slug2, "convex-key").catch(() => null) : null;
+      if (minted) {
+        prodKey = minted.key;
+        ok(`minted prod deploy key for ${BOLD}${minted.deployment}${RESET}`);
+      } else {
+        yep("--mint: couldn't resolve the prod deployment to mint a key");
+      }
+    }
+  }
+  if (devKey && !devKey.startsWith("dev:"))
+    yep("dev deploy key is not dev-scoped (expected dev:\u2026)");
+  if (prodKey && !prodKey.startsWith("prod:"))
+    yep("prod deploy key is not prod-scoped (expected prod:\u2026)");
+  const writes = [];
+  if (devKey)
+    writes.push({
+      name: "CONVEX_DEPLOY_KEY",
+      value: devKey,
+      visibility: "secret",
+      envs: ["development"],
+      label: "dev deploy key"
+    });
+  if (prodKey)
+    writes.push({
+      name: "CONVEX_DEPLOY_KEY",
+      value: prodKey,
+      visibility: "secret",
+      envs: ["production"],
+      label: "prod deploy key"
+    });
+  if (devSel)
+    writes.push({
+      name: "CONVEX_DEPLOYMENT",
+      value: devSel,
+      visibility: "plaintext",
+      envs: ["development"],
+      label: "dev selector"
+    });
+  if (prodSel)
+    writes.push({
+      name: "CONVEX_DEPLOYMENT",
+      value: prodSel,
+      visibility: "plaintext",
+      envs: ["production", "preview"],
+      label: "prod selector"
+    });
+  if (writes.length === 0) {
+    yep("no CONVEX_DEPLOY_KEY / CONVEX_DEPLOYMENT found in env files or flags");
+    note("pass --dev-key / --prod-key, or set them in .env.local / .env.prod");
+    return 1;
+  }
+  let failed = 0;
+  for (const w of writes) {
+    for (const env2 of w.envs) {
+      try {
+        await upsert(w.name, w.value, w.visibility, env2);
+        ok(`${env2}: ${w.name} ${DIM}(${w.label})${RESET}`);
+      } catch (err) {
+        bad(`${env2}: ${w.name} failed: ${err instanceof Error ? err.message : err}`);
+        failed += 1;
+      }
+    }
+  }
+  line();
+  if (failed > 0) {
+    bad(`${failed} write${failed === 1 ? "" : "s"} failed`);
+    return 1;
+  }
+  ok("EAS Convex key + selector synced");
+  note("`vexpo doctor` to confirm EAS now points at the active deployment");
+  return 0;
+}
 
 // src/commands/env/push.ts
 function shortValue(v) {
@@ -3894,12 +4346,12 @@ function describeDest(d) {
   if (d.type === "convex") return `convex env (${d.channel}) \u2192 ${d.key}`;
   return `eas env (${d.environments.join(",")}) \u2192 ${d.key}`;
 }
-async function readRemoteState() {
-  const projectId = await projectIdFromAppJson();
+async function readRemoteState(prodEnvFile) {
+  const projectId = await resolveProjectId();
   const hasEasProject = !!projectId;
   const [convexDev, convexProd, easDev, easPreview, easProd] = await Promise.all([
     envMap().catch(() => /* @__PURE__ */ new Map()),
-    envMap({ prod: true }).catch(() => /* @__PURE__ */ new Map()),
+    envMap({ prod: true, envFile: prodEnvFile }).catch(() => /* @__PURE__ */ new Map()),
     hasEasProject ? envList("development").catch(() => /* @__PURE__ */ new Map()) : Promise.resolve(/* @__PURE__ */ new Map()),
     hasEasProject ? envList("preview").catch(() => /* @__PURE__ */ new Map()) : Promise.resolve(/* @__PURE__ */ new Map()),
     hasEasProject ? envList("production").catch(() => /* @__PURE__ */ new Map()) : Promise.resolve(/* @__PURE__ */ new Map())
@@ -3997,15 +4449,22 @@ async function applyPlan(plan, opts = {}) {
   }
   let applied = 0;
   let failed = 0;
-  const { writeFile: writeFile4, unlink: unlink2 } = await import('fs/promises');
+  const { writeFile: writeFile4, unlink: unlink2, mkdtemp, rmdir } = await import('fs/promises');
+  const { tmpdir } = await import('os');
+  const { join: join2 } = await import('path');
   for (const [channel, entries] of convexBatches) {
     if (entries.length === 0) continue;
-    const tmp = `.tmp-convex-${channel}-${process.pid}.env`;
+    const dir = await mkdtemp(join2(tmpdir(), "vexpo-env-"));
+    const tmp = join2(dir, "convex.env");
     try {
-      await writeFile4(tmp, entries.map(([k, v]) => `${k}=${v}`).join("\n") + "\n");
-      await envSetFromFile(tmp, channel === "prod" ? { prod: true } : void 0, {
-        force: opts.force ?? false
+      await writeFile4(tmp, entries.map(([k, v]) => `${k}=${v}`).join("\n") + "\n", {
+        mode: 384
       });
+      await envSetFromFile(
+        tmp,
+        channel === "prod" ? { prod: true, envFile: plan.sourceFile } : void 0,
+        { force: opts.force ?? false }
+      );
       ok(`convex(${channel}) bulk-set ${entries.length} var${entries.length === 1 ? "" : "s"}`);
       for (const [k] of entries) note(`  ${k}`);
       applied += entries.length;
@@ -4015,13 +4474,18 @@ async function applyPlan(plan, opts = {}) {
     } finally {
       await unlink2(tmp).catch(() => {
       });
+      await rmdir(dir).catch(() => {
+      });
     }
   }
   for (const { envs, entries } of easBatches.values()) {
     if (entries.length === 0) continue;
-    const tmp = `.tmp-eas-${envs.join("-")}-${process.pid}.env`;
+    const dir = await mkdtemp(join2(tmpdir(), "vexpo-env-"));
+    const tmp = join2(dir, "eas.env");
     try {
-      await writeFile4(tmp, entries.map(([k, v]) => `${k}=${v}`).join("\n") + "\n");
+      await writeFile4(tmp, entries.map(([k, v]) => `${k}=${v}`).join("\n") + "\n", {
+        mode: 384
+      });
       await envPush({ path: tmp, environments: envs, force: true });
       ok(`eas(${envs.join(",")}) pushed ${entries.length} var${entries.length === 1 ? "" : "s"}`);
       for (const [k] of entries) note(`  ${k}`);
@@ -4032,12 +4496,19 @@ async function applyPlan(plan, opts = {}) {
     } finally {
       await unlink2(tmp).catch(() => {
       });
+      await rmdir(dir).catch(() => {
+      });
     }
   }
   return { applied, failed };
 }
 async function runEnvPush(options2) {
   section("Env push");
+  if (await checkToken() === "unauthorized") {
+    bad("Convex login expired or revoked");
+    note("run `npx convex login` to refresh, then re-run");
+    return 1;
+  }
   const sources = await readSources({ local: options2.localFile, prod: options2.prodFile });
   if (sources.length === 0) {
     yep("no source files found");
@@ -4069,18 +4540,23 @@ async function runEnvPush(options2) {
       );
     }
   }
-  const remote = await readRemoteState();
+  const prodEnvFile = sources.find((s) => s.channel === "prod")?.path;
+  const remote = await readRemoteState(prodEnvFile);
   if (!remote.hasEasProject) yep("no EAS projectId in app.json. EAS env routes will be blocked");
-  const prodSource = sources.find((s) => s.channel === "prod");
-  const manualHits = prodSource ? Object.keys(MANUAL_EAS_SECRETS).filter((k) => prodSource.entries.has(k)) : [];
+  const manualHits = [];
+  for (const s of sources) {
+    for (const k of Object.keys(MANUAL_EAS_SECRETS)) {
+      if (s.entries.has(k)) manualHits.push({ key: k, file: s.path });
+    }
+  }
   if (manualHits.length > 0) {
     line();
     yep(
       `${manualHits.length} secret-visibility key${manualHits.length === 1 ? "" : "s"} detected. set manually:`
     );
-    for (const k of manualHits) {
-      note(`  ${BOLD}${k}${RESET}`);
-      note(`    ${DIM}${MANUAL_EAS_SECRETS[k]}${RESET}`);
+    for (const { key, file } of manualHits) {
+      note(`  ${BOLD}${key}${RESET} ${DIM}(${file})${RESET}`);
+      note(`    ${DIM}${MANUAL_EAS_SECRETS[key]}${RESET}`);
     }
     note(`${DIM}lite skips these to avoid pushing secrets at default visibility${RESET}`);
   }
@@ -4122,6 +4598,21 @@ async function runEnvPush(options2) {
     await recordStep("accounts", { mode: "lite", verifiedAt: (/* @__PURE__ */ new Date()).toISOString() });
     return 0;
   }
+  const prodConvexWrites = entries.some(
+    (e) => e.channel === "prod" && e.destinations.some((d) => d.type === "convex")
+  );
+  if (prodConvexWrites) {
+    const pf = sources.find((s) => s.channel === "prod");
+    const deployKey = pf?.entries.get("CONVEX_DEPLOY_KEY") ?? "";
+    const selector = pf?.entries.get("CONVEX_DEPLOYMENT") ?? "";
+    if (!deployKey.startsWith("prod:") && !selector.startsWith("prod:")) {
+      line();
+      bad(`${pf?.path ?? "prod source"} has no prod-scoped CONVEX_DEPLOY_KEY or CONVEX_DEPLOYMENT`);
+      note("prod env would silently write to the DEV deployment (the dev key shadows --prod)");
+      note("add a `prod:` CONVEX_DEPLOY_KEY (or CONVEX_DEPLOYMENT) to the prod file and re-run");
+      return 1;
+    }
+  }
   line();
   if (totalConflicts > 0) {
     note(
@@ -4190,7 +4681,7 @@ async function runEnvPush(options2) {
 }
 function printVerifyResults(checks) {
   const w = Math.max(...checks.map((c) => c.name.length));
-  const order = ["files", "convex", "resend", "apple", "eas", "github", "coherence"];
+  const order = ["files", "convex", "resend", "apple", "eas", "coherence"];
   const grouped = /* @__PURE__ */ new Map();
   for (const c of checks) {
     if (!grouped.has(c.category)) grouped.set(c.category, []);
@@ -4458,6 +4949,10 @@ async function runRebrand(options2) {
     await rewriteAppJson();
     await rewritePackageJson(inputs);
     await rewriteStoreConfig(inputs);
+    if (inputs.expoOwner) {
+      await ensureLine("EXPO_PUBLIC_EXPO_OWNER", inputs.expoOwner);
+      ok(`wrote EXPO_PUBLIC_EXPO_OWNER=${inputs.expoOwner} to .env.local`);
+    }
     await recordStep("rebrand", {
       appName: inputs.appName,
       packageName: inputs.packageName,
@@ -4508,7 +5003,27 @@ function formatElapsed(ms) {
 }
 
 // src/commands/resend.ts
+async function fileExists6(p) {
+  try {
+    await access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function resolveFullKey() {
+  const fromEnv = process.env.RESEND_FULL_ACCESS_KEY;
+  if (fromEnv) return fromEnv;
+  if (!process.stdin.isTTY) return null;
+  line();
+  note("Need a Resend full-access API key. Create one at:");
+  note(`  ${BOLD}https://resend.com/api-keys${RESET} \u2192 Create API Key \u2192 Permission: Full Access`);
+  note("Used once, never persisted.");
+  const pasted = await ask(`  RESEND_FULL_ACCESS_KEY > `);
+  return pasted || null;
+}
 async function runResend(options2) {
+  if (options2.repoint) return runResendRepoint(options2);
   section("Resend provisioning");
   const siteUrl = await readOne("EXPO_PUBLIC_CONVEX_SITE_URL");
   if (!siteUrl) {
@@ -4535,9 +5050,9 @@ async function runResend(options2) {
       return 1;
     }
   }
-  const access14 = await probeAccess(fullKey);
-  if (access14 !== "full") {
-    bad(`provided key has '${access14}' access; need 'full'`);
+  const keyAccess = await probeAccess(fullKey);
+  if (keyAccess !== "full") {
+    bad(`provided key has '${keyAccess}' access; need 'full'`);
     return 1;
   }
   ok("full-access key verified");
@@ -4619,7 +5134,7 @@ async function runResend(options2) {
   const token = await provisionSendingKey(fullKey, name, domain.id);
   ok(`scoped sending key '${name}' provisioned`);
   const endpoint = `${siteUrl.replace(/\/$/, "")}/resend-webhook`;
-  const secret = await provisionWebhook(fullKey, endpoint);
+  const { id: webhookId, secret } = await provisionWebhook(fullKey, endpoint);
   ok(`webhook \u2192 ${endpoint}`);
   const fromAddr = options2.from ?? `${name}@${domain.name}`;
   await envSet("RESEND_API_KEY", token);
@@ -4637,7 +5152,8 @@ async function runResend(options2) {
     domainName: domain.name,
     keyName: name,
     fromAddress: fromAddr,
-    webhookEndpoint: endpoint
+    webhookEndpoint: endpoint,
+    webhookId
   });
   line();
   ok("Resend provisioning complete");
@@ -4648,6 +5164,64 @@ async function runResend(options2) {
   );
   return 0;
 }
+async function runResendRepoint(options2) {
+  const channel = options2.prod ? "prod" : "dev";
+  section(`Resend repoint (${channel})`);
+  let siteUrl;
+  let convexTarget;
+  if (options2.prod) {
+    const prodFile = await fileExists6(".env.prod") ? ".env.prod" : ".env.production";
+    siteUrl = (await readEnvFile(prodFile)).get("EXPO_PUBLIC_CONVEX_SITE_URL");
+    convexTarget = { prod: true, envFile: prodFile };
+  } else {
+    siteUrl = await readOne("EXPO_PUBLIC_CONVEX_SITE_URL") ?? void 0;
+  }
+  if (!siteUrl) {
+    bad(`EXPO_PUBLIC_CONVEX_SITE_URL missing from ${options2.prod ? ".env.prod" : ".env.local"}`);
+    note("run `vexpo convex` (and a prod deploy) so the site URL is populated, then re-run");
+    return 1;
+  }
+  const endpoint = `${siteUrl.replace(/\/$/, "")}/resend-webhook`;
+  ok(`target endpoint: ${endpoint}`);
+  const fullKey = await resolveFullKey();
+  if (!fullKey) {
+    bad("no RESEND_FULL_ACCESS_KEY env var and no TTY for paste");
+    return 1;
+  }
+  if (await probeAccess(fullKey) !== "full") {
+    bad("provided key does not have full access");
+    return 1;
+  }
+  const hooks = await listWebhooks(fullKey);
+  const atNew = hooks.find((w) => w.endpoint === endpoint);
+  const stale = hooks.filter(
+    (w) => w.endpoint !== endpoint && w.endpoint.endsWith("/resend-webhook")
+  );
+  let webhookId;
+  if (atNew && !options2.force) {
+    ok(`webhook already points at ${endpoint}`);
+    note("its secret can't be read back; pass --force to recreate + realign RESEND_WEBHOOK_SECRET");
+    webhookId = atNew.id;
+  } else {
+    const { id, secret } = await provisionWebhook(fullKey, endpoint);
+    webhookId = id;
+    ok(`webhook \u2192 ${endpoint}`);
+    await envSet("RESEND_WEBHOOK_SECRET", secret, convexTarget);
+    ok(`RESEND_WEBHOOK_SECRET aligned on the ${channel} deployment`);
+  }
+  let retired = 0;
+  for (const w of stale) {
+    await deleteWebhook(fullKey, w.id);
+    note(`retired stale webhook \u2192 ${w.endpoint}`);
+    retired += 1;
+  }
+  const prev = (await load()).steps.resend?.outputs ?? {};
+  await recordStep("resend", { ...prev, webhookEndpoint: endpoint, webhookId });
+  line();
+  ok(`repoint complete${retired ? ` (${retired} stale retired)` : ""}`);
+  nop("sending key and REQUIRE_EMAIL_VERIFICATION left unchanged");
+  return 0;
+}
 async function runReviewAccount(options2) {
   section("App Review demo account");
   try {
@@ -4668,27 +5242,17 @@ async function runReviewAccount(options2) {
       name,
       ...options2.username ? { username: options2.username } : {}
     });
-    const tryRun = async (extraArgs) => {
-      const proc = spawn(
-        [dlx(), "convex", "run", ...extraArgs, "admin:createReviewAccount", payload],
-        { stdin: "ignore", stdout: "pipe", stderr: "pipe" }
-      );
-      const code = await proc.exited;
-      return {
-        ok: code === 0,
-        out: await streamText(proc.stdout),
-        err: await streamText(proc.stderr)
-      };
-    };
-    let result = await tryRun(["--component-function"]);
-    if (!result.ok) result = await tryRun([]);
-    if (!result.ok) {
+    const { code, stdout, stderr } = await run(
+      [dlx(), "convex", "run", "admin:createReviewAccount", payload],
+      { stdin: "ignore" }
+    );
+    if (code !== 0) {
       bad("convex run failed");
-      const stderr = result.err.trim();
-      if (stderr) note(stderr);
+      const trimmed = stderr.trim();
+      if (trimmed) note(trimmed);
       return 1;
     }
-    process.stderr.write(result.out);
+    process.stderr.write(stdout);
     line();
     ok("review account ready, Apple's reviewer can now sign in");
     note(`email:    ${email}`);
@@ -4700,61 +5264,7 @@ async function runReviewAccount(options2) {
     return 1;
   }
 }
-
-// src/commands/asc.ts
-async function runAscConnect(opts) {
-  section("ASC connect");
-  if (!opts.force) {
-    try {
-      const status = await ascStatus();
-      if (status.connected) {
-        const label = status.ascApp?.bundleId ?? status.ascApp?.id ?? "ok";
-        nop(`already connected (${label})`);
-        await recordStep("apple-asc-link", {
-          ascAppId: status.ascApp?.id,
-          bundleId: status.ascApp?.bundleId,
-          connectedAt: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        return 0;
-      }
-    } catch {
-    }
-  }
-  const apiKeyId = opts.apiKeyId ?? await ascKeyIdFromState();
-  const bundleId = opts.bundleId ?? await readOne("EXPO_PUBLIC_APP_BUNDLE_ID");
-  if (!apiKeyId) {
-    yep("no --api-key-id and no cached ASC key id in state.json");
-    note("run `vexpo apple asc-key` first, or pass --api-key-id");
-  }
-  if (!bundleId) {
-    yep("no --bundle-id and no EXPO_PUBLIC_APP_BUNDLE_ID in .env.local");
-    note("run `vexpo convex` first, or pass --bundle-id");
-  }
-  const exit = await ascConnect({
-    apiKeyId,
-    ascAppId: opts.ascAppId,
-    bundleId
-  });
-  if (exit !== 0) {
-    bad(`eas integrations:asc:connect exited with ${exit}`);
-    return exit;
-  }
-  ok("EAS project linked to ASC app");
-  await recordStep("apple-asc-link", {
-    ascApiKeyId: apiKeyId,
-    bundleId,
-    connectedAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-  return 0;
-}
-async function ascKeyIdFromState() {
-  const state = await load();
-  const rec = state.steps["asc-key"];
-  if (!rec?.outputs) return void 0;
-  const keyId = rec.outputs.keyId;
-  return typeof keyId === "string" ? keyId : void 0;
-}
-async function fileExists5(p) {
+async function fileExists7(p) {
   try {
     await access(p);
     return true;
@@ -4762,19 +5272,42 @@ async function fileExists5(p) {
     return false;
   }
 }
+async function pushEasRoutedKeys(file, environments) {
+  const entries = await readEnvFile(file);
+  const easKeys = [];
+  for (const [key, value] of entries) {
+    if (ROUTING[key]?.routes("dev").some((d) => d.type === "eas")) easKeys.push([key, value]);
+  }
+  if (easKeys.length === 0) return [];
+  const { writeFile: writeFile4, unlink: unlink2, mkdtemp, rmdir } = await import('fs/promises');
+  const { tmpdir } = await import('os');
+  const { join: join2 } = await import('path');
+  const dir = await mkdtemp(join2(tmpdir(), "vexpo-env-"));
+  const tmp = join2(dir, "eas.env");
+  try {
+    await writeFile4(tmp, easKeys.map(([k, v]) => `${k}=${v}`).join("\n") + "\n", { mode: 384 });
+    await envPush({ path: tmp, environments, force: true });
+    return easKeys.map(([k]) => k);
+  } finally {
+    await unlink2(tmp).catch(() => {
+    });
+    await rmdir(dir).catch(() => {
+    });
+  }
+}
 async function runEas(options2) {
   section("EAS");
   try {
     const cli = await checkCli();
     if (!cli.ok) {
-      bad("eas CLI not available. install with `bun add -g eas-cli`");
+      bad("eas CLI not available. install with `npm install -g eas-cli`");
       return 1;
     }
     ok(`eas-cli ${cli.version}`);
     const who = await whoami();
     if (!who) {
       if (!process.stdin.isTTY) {
-        bad("non-TTY: run `bunx eas login` then re-run");
+        bad("non-TTY: run `npx eas login` then re-run");
         return 1;
       }
       yep("not signed in to Expo");
@@ -4792,7 +5325,7 @@ async function runEas(options2) {
     } else {
       ok(`signed in as ${BOLD}${who}${RESET}`);
     }
-    let projectId = await projectIdFromAppJson();
+    let projectId = await resolveProjectId();
     if (!options2.skipInit) {
       if (projectId) {
         ok(`EAS project linked: ${projectId}`);
@@ -4815,10 +5348,16 @@ async function runEas(options2) {
       else nop(`branches already exist (${branches.join(", ")})`);
     }
     if (!options2.skipEnv) {
-      if (await fileExists5(".env.local")) {
+      if (await fileExists7(".env.local")) {
         try {
-          await envPush({ path: ".env.local", environments: ["development"], force: true });
-          ok(`pushed .env.local \u2192 EAS env (development)`);
+          const pushed = await pushEasRoutedKeys(".env.local", ["development"]);
+          if (pushed.length > 0) {
+            ok(
+              `pushed ${pushed.length} EXPO_PUBLIC_* var${pushed.length === 1 ? "" : "s"} \u2192 EAS env (development)`
+            );
+          } else {
+            nop(".env.local has no EAS-routed keys yet (run `vexpo convex` first)");
+          }
         } catch (err) {
           bad(err instanceof Error ? err.message : String(err));
         }
@@ -4826,15 +5365,17 @@ async function runEas(options2) {
         nop(".env.local missing. skipping development env push (run `vexpo convex` first)");
       }
       if (options2.withProd) {
-        const prodFile = await fileExists5(".env.prod") ? ".env.prod" : await fileExists5(".env.production") ? ".env.production" : null;
+        const prodFile = await fileExists7(".env.prod") ? ".env.prod" : await fileExists7(".env.production") ? ".env.production" : null;
         if (prodFile) {
           try {
-            await envPush({
-              path: prodFile,
-              environments: ["production", "preview"],
-              force: true
-            });
-            ok(`pushed ${prodFile} \u2192 EAS env (production, preview)`);
+            const pushed = await pushEasRoutedKeys(prodFile, ["production", "preview"]);
+            if (pushed.length > 0) {
+              ok(
+                `pushed ${pushed.length} EXPO_PUBLIC_* var${pushed.length === 1 ? "" : "s"} \u2192 EAS env (production, preview)`
+              );
+            } else {
+              nop(`${prodFile} has no EAS-routed keys`);
+            }
           } catch (err) {
             bad(err instanceof Error ? err.message : String(err));
           }
@@ -4842,6 +5383,9 @@ async function runEas(options2) {
           nop("--with-prod set but no .env.prod or .env.production found");
         }
       }
+      note(
+        `server-side secrets route to Convex, not EAS. run ${BOLD}vexpo env push${RESET} to sync those`
+      );
     }
     if (projectId) {
       await recordStep("eas", {
@@ -4853,16 +5397,14 @@ async function runEas(options2) {
     line();
     note(`${BOLD}Next, eas-cli (we don't replace these)${RESET}`);
     note(
-      `  ${BOLD}bunx eas credentials -p ios${RESET}     dist cert + profile + push key + ASC API key`
+      `  ${BOLD}npx eas credentials -p ios${RESET}     dist cert + profile + push key + ASC API key`
     );
-    note(`  ${BOLD}bunx eas build -p ios --profile production${RESET}`);
+    note(`  ${BOLD}npx eas build -p ios --profile production${RESET}`);
     note(
-      `  ${BOLD}bunx eas submit -p ios --profile production${RESET}  (auto-creates App Store record)`
-    );
-    note(`  ${BOLD}bunx eas metadata:push${RESET}          push store.config.json`);
-    note(
-      `  ${BOLD}bunx eas workflow:run .eas/workflows/<file>${RESET}  trigger a workflow locally`
+      `  ${BOLD}npx eas submit -p ios --profile production${RESET}  (auto-creates App Store record)`
     );
+    note(`  ${BOLD}npx eas metadata:push${RESET}          push store.config.json`);
+    note(`  ${BOLD}npx eas workflow:run .eas/workflows/<file>${RESET}  trigger a workflow locally`);
     line();
     note(`${BOLD}Stack-specific (ours, not eas-cli's)${RESET}`);
     note(`  ${BOLD}vexpo apple asc-key${RESET}        validate ASC API key against /v1/apps`);
@@ -4880,10 +5422,6 @@ function computeScope(o) {
   const lite = o.lite === true;
   const isNew = o.isNew === true;
   return {
-    // Accounts walkthrough is educational only. Default mode skips it because
-    // users with existing accounts don't need it. `--new` opts in. In lite
-    // mode + --new, the walkthrough is limited to the Convex signup (runAccounts
-    // gets `lite: true` and short-circuits past Apple/Domain/Expo/Resend).
     accounts: isNew,
     rebrand: !lite && !o.skipRebrand,
     resend: !lite,
@@ -4901,7 +5439,7 @@ async function isXcodeInstalled() {
   });
   return await proc.exited === 0;
 }
-async function fileExists6(p) {
+async function fileExists8(p) {
   try {
     await access(p);
     return true;
@@ -4928,7 +5466,7 @@ async function trashPaths(paths) {
 }
 async function wipeMetroCaches(tmpdir) {
   const { readdir } = await import('fs/promises');
-  const { join } = await import('path');
+  const { join: join2 } = await import('path');
   let entries = [];
   try {
     entries = await readdir(tmpdir);
@@ -4936,11 +5474,11 @@ async function wipeMetroCaches(tmpdir) {
     return;
   }
   const matchers = [/^metro-/, /^haste-map-/, /^react-/, /^node-compile-cache$/];
-  const targets = entries.filter((e) => matchers.some((m) => m.test(e))).map((e) => join(tmpdir, e));
+  const targets = entries.filter((e) => matchers.some((m) => m.test(e))).map((e) => join2(tmpdir, e));
   await trashPaths(targets);
 }
 async function nodeModulesPresent() {
-  return await fileExists6("node_modules/.package-lock.json") || await fileExists6("node_modules/.bin/expo") || await fileExists6("node_modules/expo/package.json");
+  return await fileExists8("node_modules/.package-lock.json") || await fileExists8("node_modules/.bin/expo") || await fileExists8("node_modules/expo/package.json");
 }
 var STEP_TTL_HOURS = {
   accounts: 24,
@@ -4954,8 +5492,8 @@ var STEP_TTL_HOURS = {
   // EAS credentials don't drift; once configured, they stay until you rotate.
   "apple-credentials": Infinity,
   // ASC project link via `eas integrations:asc:connect`. Live-checked through
-  // `eas integrations:asc:status` so the cache TTL is short. drift would
-  // mean someone disconnected via the EAS dashboard.
+  // `eas integrations:asc:status` so cache TTL is short. Drift would mean
+  // someone disconnected via the EAS dashboard.
   "apple-asc-link": 24,
   // No cache for the rotation secrets phase. EAS env state is the source of
   // truth, and the secrets list query takes ~1s.
@@ -4976,6 +5514,9 @@ async function shouldRun(step, liveCheck) {
     return { step, label: step, status: "cached" };
   }
   const live = await liveCheck();
+  if (live && !options.dryRun && !options.plan && !options.noState) {
+    await recordStep(step, { source: "live-check" });
+  }
   return { step, label: step, status: live ? "live" : "missing" };
 }
 async function liveCheckBetterAuth(env2) {
@@ -4995,7 +5536,7 @@ async function liveCheckApple(env2) {
   );
 }
 async function liveCheckEas() {
-  const projectId = await projectIdFromAppJson();
+  const projectId = await resolveProjectId();
   if (!projectId) return false;
   const eas = await envList("production").catch(() => /* @__PURE__ */ new Map());
   return ["EXPO_PUBLIC_CONVEX_URL", "EXPO_PUBLIC_CONVEX_SITE_URL", "EXPO_PUBLIC_SITE_URL"].every(
@@ -5004,15 +5545,15 @@ async function liveCheckEas() {
 }
 async function liveCheckAscLink() {
   try {
-    const { ascStatus: ascStatus2 } = await import('./eas-integrations-TIYBWWKC.js');
+    const { ascStatus: ascStatus2 } = await import('./eas-integrations-2QVR45NE.js');
     const status = await ascStatus2();
-    return Boolean(status.connected);
+    return status.status === "connected";
   } catch {
     return false;
   }
 }
 async function liveCheckRotationSecrets() {
-  const projectId = await projectIdFromAppJson();
+  const projectId = await resolveProjectId();
   if (!projectId) return false;
   const eas = await envList("production").catch(() => /* @__PURE__ */ new Map());
   return [
@@ -5044,11 +5585,11 @@ async function stepPrerequisites() {
   else yep("Xcode not detected (install from Mac App Store)");
   const [easV, convexV] = await Promise.all([version2(), version()]);
   if (easV) ok(`eas-cli ${easV}`);
-  else nop("eas-cli not on PATH (bunx will fetch on demand)");
+  else nop("eas-cli not on PATH (npx will fetch on demand)");
   if (convexV) ok(`convex ${convexV}`);
-  else nop("convex CLI not on PATH (bunx will fetch on demand)");
+  else nop("convex CLI not on PATH (npx will fetch on demand)");
   if (await isLoggedIn()) ok("Convex auth detected");
-  else yep("not signed in to Convex (`bunx vexpo accounts` will prompt)");
+  else yep("not signed in to Convex (`npx vexpo accounts` will prompt)");
 }
 async function stepProbe() {
   section("Probe");
@@ -5087,7 +5628,7 @@ async function stepProbe() {
     line(`  ${BOLD}${label.padEnd(w)}${RESET}  ${mark(row.status)}`);
   }
   line(
-    `  ${BOLD}${"Review account".padEnd(w)}${RESET}  ${DIM}unknown (run \`bunx vexpo review-account\` to seed)${RESET}`
+    `  ${BOLD}${"Review account".padEnd(w)}${RESET}  ${DIM}unknown (run \`npx vexpo review-account\` to seed)${RESET}`
   );
   const needs = /* @__PURE__ */ new Map();
   for (const [k, row] of rows) needs.set(k, row.status === "missing");
@@ -5195,7 +5736,7 @@ async function describePhase(step, probe) {
         details: [
           "validates an ASC API key against ASC's GET /v1/apps before EAS uses it",
           "we do NOT upload to EAS. that's `eas credentials`. We only validate + cache",
-          "cache (issuer, keyId, p8 path) in state.json so `bunx vexpo apple services-id` can reuse",
+          "cache (issuer, keyId, p8 path) in state.json so `npx vexpo apple services-id` can reuse",
           "fast-fail: catches a bad key in <1s instead of waiting for an EAS build to fail"
         ]
       };
@@ -5239,23 +5780,24 @@ async function describePhase(step, probe) {
       return {
         step,
         label: "setup:asc:connect",
-        action: cached && !options.force ? "skip (already connected)" : "run (non-interactive)",
+        action: cached && !options.force ? "skip (already connected)" : "run (eas-cli interactive)",
         details: [
-          "wraps `eas integrations:asc:connect` to link the EAS project to its ASC app",
-          "fills --api-key-id from cached asc-key state, --bundle-id from .env.local",
-          "after this, `eas submit` skips ASC app discovery (faster + non-interactive)"
+          "spawns `eas integrations:asc:connect --bundle-id <bundle>`",
+          "pre-sets EXPO_ASC_API_KEY_* env vars from cached asc-key state",
+          "wizard prompts once when no key is uploaded yet (Create new / Use existing)",
+          "after this, `eas submit` skips ASC app discovery"
         ]
       };
     case "apple-eas-rotation-secrets":
       return {
         step,
         label: "setup:apple:eas-rotation-secrets",
-        action: cached && !options.force ? "skip (all 5 set)" : "run (interactive for CONVEX_DEPLOY_KEY)",
+        action: cached && !options.force ? "skip (all 5 set)" : "run (mints CONVEX_DEPLOY_KEY)",
         details: [
           "push the 5 EAS production secrets the JWT rotation cron needs",
-          "APPLE_P8_PRIVATE_KEY (PEM contents from cached path)",
+          "APPLE_P8_PRIVATE_KEY (.p8 path; EAS reads + base64-encodes it)",
           "APPLE_TEAM_ID, APPLE_KEY_ID, APPLE_SERVICES_ID (from .env.local)",
-          "CONVEX_DEPLOY_KEY (prompted, generate at dashboard.convex.dev)"
+          "CONVEX_DEPLOY_KEY (minted via the Convex Platform API; paste fallback if offline)"
         ]
       };
   }
@@ -5282,7 +5824,7 @@ async function printDryRunPlan(probe) {
   section("Dry run plan");
   if (options.fresh)
     note(
-      `${YELLOW}--fresh${RESET}: would wipe .setup-state.json + node_modules + ios/ + bun.lock + build artifacts before reprovisioning`
+      `${YELLOW}--fresh${RESET}: would wipe .setup-state.json + node_modules + ios/ + package-lock.json + build artifacts before reprovisioning`
     );
   if (options.force) note(`${YELLOW}--force${RESET}: would re-run every step regardless of cache`);
   if (probe.install) note(`would run install (no node_modules)`);
@@ -5305,7 +5847,7 @@ async function printDryRunPlan(probe) {
   );
   line();
   note(`drop ${DIM}--dry-run${RESET} to actually do it`);
-  note(`single-phase: ${DIM}bunx vexpo <phase>${RESET} (e.g. ${DIM}bunx vexpo resend${RESET})`);
+  note(`single-phase: ${DIM}npx vexpo <phase>${RESET} (e.g. ${DIM}npx vexpo resend${RESET})`);
 }
 var JOURNEY = {
   async: [
@@ -5348,8 +5890,8 @@ var JOURNEY = {
     },
     {
       label: "Convex production deploy key",
-      cost: "30 sec",
-      description: "For the JWT rotation cron and the deploy_convex step in deploy-production.yml. Generate once, paste into the CLI when prompted.",
+      cost: "auto",
+      description: "For the JWT rotation cron and the deploy_convex step in deploy-production.yml. Minted automatically via the Convex Platform API; paste only as an offline fallback.",
       url: "https://dashboard.convex.dev"
     },
     {
@@ -5397,7 +5939,7 @@ var JOURNEY = {
     {
       label: "EAS rotation secrets",
       cost: "auto",
-      description: "Pushes the 5 EAS production secrets the JWT rotation cron needs (4 from .env.local + state, plus CONVEX_DEPLOY_KEY which you paste)."
+      description: "Pushes the 5 EAS production secrets the JWT rotation cron needs (4 from .env.local + state, plus CONVEX_DEPLOY_KEY minted via the Platform API)."
     }
   ]
 };
@@ -5405,7 +5947,7 @@ function printJourneyPlan(lite) {
   if (lite) {
     section("Setup journey (lite)");
     line(
-      `  ${DIM}Lite mode provisions only what the iOS Simulator needs. No Apple Developer account, no domain, no Resend, no EAS account. ~60 seconds from start to \`bun run ios\`.${RESET}`
+      `  ${DIM}Lite mode provisions only what the iOS Simulator needs. No Apple Developer account, no domain, no Resend, no EAS account. ~60 seconds from start to \`npm run ios\`.${RESET}`
     );
     line();
     line(`  ${BOLD}${GREEN}Auto${RESET} ${DIM}(CLI does it, no input needed)${RESET}`);
@@ -5464,7 +6006,19 @@ var LITE_AUTO_LABELS = /* @__PURE__ */ new Set([
 ]);
 function isComplete(result) {
   if (result.install) return false;
-  for (const required of ["convex", "better-auth", "resend", "apple-sign-in", "eas"]) {
+  for (const required of [
+    "rebrand",
+    "convex",
+    "better-auth",
+    "resend",
+    "asc-key",
+    "apple-credentials",
+    "apple-asc-link",
+    "apple-services-id",
+    "apple-sign-in",
+    "apple-eas-rotation-secrets",
+    "eas"
+  ]) {
     if (result.needs.get(required)) return false;
   }
   return true;
@@ -5474,6 +6028,7 @@ async function stepCleanup(fresh) {
   const tmpdir = process.env.TMPDIR ?? "/tmp";
   const targets = [
     "node_modules",
+    "package-lock.json",
     "bun.lock",
     "ios",
     ".expo",
@@ -5502,6 +6057,7 @@ async function stepInstallOnly() {
 }
 var completed = [];
 var skipped = [];
+var failedStep = null;
 var STEP_RUNNERS = {
   "vexpo accounts": () => runAccounts({ lite: options.lite }),
   "vexpo rebrand": () => runRebrand({}),
@@ -5514,14 +6070,19 @@ var STEP_RUNNERS = {
   "vexpo apple jwt": () => runAppleJwt({}),
   "vexpo apple eas-rotation-secrets": () => runEasRotationSecrets({}),
   "vexpo asc connect": () => runAscConnect({}),
-  "vexpo eas": () => runEas({}),
+  "vexpo eas": async () => runEas({ withProd: await fileExists8(".env.prod") || await fileExists8(".env.production") }),
   "vexpo review-account": () => runReviewAccount({})
 };
 async function runStep(name, state) {
   const runner = STEP_RUNNERS[name];
   if (!runner) throw new Error(`unknown setup step: ${name}`);
-  const code = await runner();
-  if (code !== 0) throw new Error(`${name} exited with code ${code}`);
+  try {
+    const code = await runner();
+    if (code !== 0) throw new Error(`${name} exited with code ${code}`);
+  } catch (err) {
+    if (state) failedStep = state;
+    throw err;
+  }
   if (state) completed.push(state);
 }
 async function maybeRunStep(name, prompt, state) {
@@ -5543,7 +6104,7 @@ function printShipNextSteps() {
   line(`  Run this when you're ready:`);
   line();
   line(
-    `  ${BOLD}bunx eas build -p ios --profile production --auto-submit-with-profile testflight${RESET}`
+    `  ${BOLD}npx eas build -p ios --profile production --auto-submit-with-profile testflight${RESET}`
   );
   line();
   line(
@@ -5563,7 +6124,7 @@ async function printSummary(useLocal, elapsedMs) {
   section("Summary");
   const [localEnv, convexEnv] = await Promise.all([readAll(), envMap()]);
   const easEnv = await envList("production").catch(() => /* @__PURE__ */ new Map());
-  const projectId = await projectIdFromAppJson();
+  const projectId = await resolveProjectId();
   const state = await load();
   const localKeys = [
     "CONVEX_DEPLOYMENT",
@@ -5601,9 +6162,13 @@ async function printSummary(useLocal, elapsedMs) {
     "convex",
     "better-auth",
     "resend",
+    "review-account",
     "asc-key",
+    "apple-credentials",
+    "apple-asc-link",
     "apple-services-id",
     "apple-sign-in",
+    "apple-eas-rotation-secrets",
     "eas"
   ];
   const width = Math.max(
@@ -5639,16 +6204,18 @@ async function printSummary(useLocal, elapsedMs) {
   ${GREEN}ok${RESET}   setup complete in ${(elapsedMs / 1e3).toFixed(2)}s`);
   line(
     `
-  next: ${BOLD}${useLocal ? "bunx convex dev --local" : "bun run convex:dev"}${RESET} ${DIM}then${RESET} ${BOLD}bun run ios${RESET}
+  next: ${BOLD}${useLocal ? "npx convex dev" : "npm run convex:dev"}${RESET} ${DIM}then${RESET} ${BOLD}npm run ios${RESET}
 `
   );
 }
 async function runSetup(opts) {
   options = opts;
+  failedStep = null;
+  completed.length = 0;
+  skipped.length = 0;
   const startedAtPerf = performance.now();
   const startedAtIso = (/* @__PURE__ */ new Date()).toISOString();
   let failureMessage = null;
-  let failureStep = null;
   try {
     if (options.fresh) {
       await clearAll();
@@ -5656,7 +6223,7 @@ async function runSetup(opts) {
     if (!options.dryRun && !options.plan && !options.noState) {
       const existing = await load();
       const concurrent = checkConcurrentRun(existing);
-      if (concurrent.stale) {
+      if (concurrent.active && concurrent.otherPid !== void 0) {
         yep(
           `another vexpo run (pid ${concurrent.otherPid}) touched .setup-state.json recently; if you're not running in another terminal, ignore this`
         );
@@ -5844,7 +6411,7 @@ async function runSetup(opts) {
           cwd: process.cwd(),
           completed,
           skipped,
-          ...failureMessage ? { failed: { step: failureStep ?? "convex", message: failureMessage } } : {}
+          ...failureMessage ? { failed: { step: failedStep ?? "convex", message: failureMessage } } : {}
         });
       } catch {
       }
@@ -5913,13 +6480,29 @@ program.command("doctor").description(
 ).option("--channel <channel>", "dev | prod", "dev").option("--json", "machine-readable output", false).option("--strict", "exit non-zero on any warn", false).action((options2) => {
   exitWith(runDoctor(options2));
 });
+program.command("adopt").description(
+  "Finish a project created by `eas integrations:convex:connect`: adopt the existing dev deployment (never a fresh one), backfill site URLs + Better Auth, report the deployment topology (flagging a duplicate dev deployment), and print the exact commands left to finish."
+).option("--skip-dev-steps", "report topology + runbook only, don't run convex/better-auth", false).action((options2) => exitWith(runAdopt(options2)));
 program.command("convex").description("Provision or connect a Convex deployment.").option("--fresh", "provision a NEW deployment", false).option("--local", "self-hosted / local backend", false).option("--name <name>", "override Convex project name").action(
   (options2) => exitWith(runConvex(options2))
 );
+program.command("convex:migrate").description(
+  "Copy server-side Convex env (BETTER_AUTH_SECRET, RESEND_*, APPLE_*, APP_*, ...) from another deployment onto the current one. The piece a deployment migration can't get off disk; CONVEX_* are left untouched."
+).requiredOption("--from <deployment>", "source deployment slug to copy env from").option("--prod", "target the prod deployment (reads prod creds from .env.prod)").option("--dry-run", "show what would be copied, exit without changes", false).action(
+  (options2) => exitWith(runConvexMigrate(options2))
+);
 program.command("better-auth").description("Set SITE_URL, BETTER_AUTH_SECRET, APP_NAME on Convex.").option("--rotate-secret", "regenerate BETTER_AUTH_SECRET", false).option("--site-url <url>", "override SITE_URL").option("--app-name <name>", "override APP_NAME").action(
   (options2) => exitWith(runBetterAuth(options2))
 );
-program.command("resend").description("Provision Resend sending key + webhook, write to Convex env.").option("--name <name>", "override sending key name").option("--from <address>", "override EMAIL_FROM").action((options2) => exitWith(runResend(options2)));
+program.command("resend").description("Provision Resend sending key + webhook, write to Convex env.").option("--name <name>", "override sending key name").option("--from <address>", "override EMAIL_FROM").option(
+  "--repoint",
+  "move the webhook to the current convex.site + realign the secret, without rotating the sending key or changing auth policy"
+).option("--prod", "with --repoint, target the prod deployment + .env.prod site URL").option(
+  "--force",
+  "with --repoint, recreate the webhook even if it already points at the endpoint"
+).action(
+  (options2) => exitWith(runResend(options2))
+);
 var apple = program.command("apple").description("Apple-side provisioning.");
 apple.command("asc-key").description("Validate an App Store Connect API key against `/v1/apps`. No eas-cli equivalent.").option("--revalidate", "re-check the cached key still works", false).action((options2) => exitWith(runAscKey(options2)));
 apple.command("services-id").description(
@@ -5927,7 +6510,10 @@ apple.command("services-id").description(
 ).option("--services-id <id>", "override Services ID").action((options2) => exitWith(runServicesId(options2)));
 apple.command("jwt").description(
   "Sign the Sign In with Apple ES256 client_secret JWT (180-day expiry, Apple's max). Quarterly auto-rotation runs as an EAS Workflow cron. No eas-cli equivalent."
-).option("--rotate", "re-sign the JWT only", false).action((options2) => exitWith(runAppleJwt(options2)));
+).option("--rotate", "re-sign the JWT only", false).option(
+  "--copy-from <deployment>",
+  "copy APPLE_* env from another deployment (slug) instead of signing; no .p8 needed"
+).action((options2) => exitWith(runAppleJwt(options2)));
 apple.command("credentials").description(
   "Provision iOS build credentials by wrapping `eas credentials:configure-build` with the cached ASC API key passed via env vars (skips the Apple Developer login prompt in the wizard). EAS generates the dist cert + provisioning profile + push key."
 ).option("-e, --profile <name>", "build profile", "production").action((options2) => exitWith(runAppleCredentials(options2)));
@@ -5951,37 +6537,35 @@ env.command("push").description(
     );
   }
 );
-var ascVersion = program.command("asc:version").description("App Store version inspection.");
-ascVersion.command("list").description("List App Store versions.").option("-p, --platform <p>", "IOS | MAC_OS | TV_OS | VISION_OS").option("--state <state>", "filter by state (e.g. IN_REVIEW, READY_FOR_SALE)").option("--limit <n>", "max items", (v) => parseInt(v, 10), 25).option("--json", "JSON output", false).action((options2) => exitWith(runVersionList(options2)));
-ascVersion.command("view <versionId>").description("View a single App Store version + phased-release state.").option("--json", "JSON output", false).action(
-  (versionId, options2) => exitWith(runVersionView(versionId, options2))
-);
-ascVersion.command("phased <versionId> <action>").description("Pause | resume | complete the phased release for a version.").action((versionId, action) => {
-  if (!["pause", "resume", "complete"].includes(action)) {
-    process.stderr.write(`unknown action '${action}' (pause|resume|complete)
-`);
-    process.exit(2);
-  }
-  exitWith(
-    runPhasedRelease({
-      versionId,
-      action
+env.command("convex-key").description(
+  "Sync the Convex deploy key + deployment selector to EAS env (dev \u2192 development, prod \u2192 production/preview). Fixes a stale EAS deploy key after a deployment migration; env push skips these on purpose."
+).option("--dev-key <key>", "dev deploy key (default: CONVEX_DEPLOY_KEY in .env.local)").option("--prod-key <key>", "prod deploy key (default: CONVEX_DEPLOY_KEY in .env.prod)").option("--mint", "mint the prod deploy key via the Platform API if EAS lacks one", false).option("--local-file <path>", "override .env.local path").option("--prod-file <path>", "override .env.prod path").action(
+  (options2) => exitWith(
+    runConvexKey({
+      devKey: options2.devKey,
+      prodKey: options2.prodKey,
+      mint: options2.mint,
+      localFile: options2.localFile,
+      prodFile: options2.prodFile
     })
-  );
-});
-program.command("asc:submissions").description("List App Store review submissions for the current app.").option("-p, --platform <p>", "IOS | MAC_OS | TV_OS | VISION_OS").option("--state <state>", "filter by state").option("--json", "JSON output", false).action((options2) => exitWith(runSubmissionsList(options2)));
+  )
+);
+program.command("asc:connect").description(
+  "Link the EAS project to its App Store Connect app (wraps `eas integrations:asc:connect` with the cached ASC key). Lets `eas submit` resolve the app from the bundle id, so eas.json needs no committed ascAppId. Needs an interactive terminal."
+).option("--force", "re-run even if already connected", false).action((options2) => exitWith(runAscConnect(options2)));
+var ascPrivacy = program.command("asc:privacy").description("Privacy nutrition labels (local).");
+ascPrivacy.command("show [file]").description("Show the declared privacy.config.json (Apple has no live read API; set it in ASC).").option("--json", "JSON output", false).action(
+  (file, options2) => exitWith(runPrivacyShow(file ?? "app-store/privacy.config.json", options2))
+);
+ascPrivacy.command("lint <file>").description("Validate a local privacy.config.json against Apple's enums.").action((file) => exitWith(runPrivacyLint(file)));
+var ascA11y = program.command("asc:accessibility").description("Accessibility nutrition labels (iOS 26+).");
+ascA11y.command("show").description("Fetch the app's current accessibility declarations.").option("--json", "JSON output", false).action((options2) => exitWith(runAccessibilityShow(options2)));
+ascA11y.command("lint <file>").description("Validate a local accessibility.config.json against Apple's enums.").action((file) => exitWith(runAccessibilityLint(file)));
 var testflight2 = program.command("testflight").description("TestFlight beta groups + testers via ASC API.");
 var tfGroups = testflight2.command("groups").description("Beta groups.");
 tfGroups.command("list").description("List beta groups for the current app.").option("--json", "JSON output", false).action((options2) => exitWith(runTestflightGroupsList(options2)));
-tfGroups.command("create <name>").description("Create a beta group.").option("--public-link", "enable public link", false).option("--public-limit <n>", "public link tester limit", (v) => parseInt(v, 10)).option("--feedback", "enable in-app feedback", false).action(
-  (name, options2) => exitWith(
-    runTestflightGroupsCreate({
-      name,
-      publicLink: options2.publicLink,
-      publicLimit: options2.publicLimit,
-      feedback: options2.feedback
-    })
-  )
+tfGroups.command("create <name>").description("Create a beta group.").option("--feedback", "enable in-app feedback", false).action(
+  (name, options2) => exitWith(runTestflightGroupsCreate({ name, feedback: options2.feedback }))
 );
 tfGroups.command("view <id>").description("View a beta group + its testers.").option("--json", "JSON output", false).action(
   (id, options2) => exitWith(runTestflightGroupsView(id, options2))
@@ -5999,19 +6583,7 @@ testflight2.command("invite <email>").description("Add a tester + send a TestFli
     })
   )
 );
-testflight2.command("remove <email>").description("Remove a beta tester.").action((email) => exitWith(runTestflightRemove(email)));
 testflight2.command("whats-new <buildId> <text>").description(`Set the "What's new" release notes for a TestFlight build.`).option("--locale <locale>", "ISO locale", "en-US").action(
   (buildId, text, options2) => exitWith(runTestflightWhatsNew({ buildId, locale: options2.locale ?? "en-US", text }))
 );
-var reviewsCmd = program.command("reviews").description("Customer reviews + responses via ASC API.");
-reviewsCmd.command("list").description("List customer reviews.").option("--territory <code>", "filter by territory (e.g. US)").option("--rating <n>", "filter by rating (1-5)", (v) => parseInt(v, 10)).option("--limit <n>", "max items", (v) => parseInt(v, 10), 50).option("--json", "JSON output", false).action((options2) => exitWith(runReviewsList(options2)));
-reviewsCmd.command("unanswered").description("List reviews without a response.").option("--days <n>", "older than N days", (v) => parseInt(v, 10)).option("--limit <n>", "max items to scan", (v) => parseInt(v, 10), 200).option("--json", "JSON output", false).action((options2) => exitWith(runReviewsUnanswered(options2)));
-reviewsCmd.command("respond <reviewId> <body>").description("Post a response to a customer review.").action((reviewId, body) => exitWith(runReviewsRespond({ reviewId, body })));
-reviewsCmd.command("delete-response <responseId>").description("Delete a review response.").action((responseId) => exitWith(runReviewsDeleteResponse(responseId)));
-var sandboxCmd = program.command("sandbox").description("Sandbox testers for IAP testing via ASC API.");
-sandboxCmd.command("list").description("List sandbox testers.").option("--json", "JSON output", false).action((options2) => exitWith(runSandboxList(options2)));
-sandboxCmd.command("create").description("Create a sandbox tester.").requiredOption("--email <email>").requiredOption("--password <password>", "8+ chars; this is the App Store sandbox password").requiredOption("--first-name <name>").requiredOption("--last-name <name>").requiredOption("--territory <code>", "ISO territory code (e.g. USA)").action(
-  (options2) => exitWith(runSandboxCreate(options2))
-);
-sandboxCmd.command("delete <id>").description("Delete a sandbox tester.").action((id) => exitWith(runSandboxDelete(id)));
 program.parse();