@revos/cli 0.2.1 → 0.2.2

package/dist/core-CMrP5BQS.mjs

@@ -0,0 +1,2378 @@
+import { t as __exportAll } from "./chunk-CfYAbeIz.mjs";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { createServer } from "node:http";
+import * as crypto from "crypto";
+import { Client, client } from "@revos/api-client";
+import { parseAllDocuments, parseDocument, stringify } from "yaml";
+import { fromError } from "zod-validation-error";
+import { z } from "zod";
+import microdiff from "microdiff";
+import chalk from "chalk";
+import graphlib from "@dagrejs/graphlib";
+import { execFileSync } from "child_process";
+import search from "@inquirer/search";
+//#region src/core/errors.ts
+var ApiError = class extends Error {
+	name = "ApiError";
+	constructor(message, status, statusText, url, body) {
+		super(message);
+		this.status = status;
+		this.statusText = statusText;
+		this.url = url;
+		this.body = body;
+	}
+};
+//#endregion
+//#region src/core/auth/credentials-store.ts
+const REVOS_DIR = path.join(os.homedir(), ".revos");
+const CREDENTIALS_FILE = path.join(REVOS_DIR, "credentials.json");
+const isPosix = process.platform !== "win32";
+function getCredentialsPath() {
+	return CREDENTIALS_FILE;
+}
+function loadCredentials() {
+	try {
+		if (!fs.existsSync(CREDENTIALS_FILE)) return null;
+		const content = fs.readFileSync(CREDENTIALS_FILE, "utf-8");
+		return JSON.parse(content);
+	} catch {
+		return null;
+	}
+}
+function saveCredentials(credentials) {
+	if (!fs.existsSync(REVOS_DIR)) fs.mkdirSync(REVOS_DIR, isPosix ? { mode: 448 } : void 0);
+	fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), isPosix ? {
+		mode: 384,
+		encoding: "utf-8"
+	} : { encoding: "utf-8" });
+}
+function deleteCredentials() {
+	try {
+		if (fs.existsSync(CREDENTIALS_FILE)) {
+			fs.unlinkSync(CREDENTIALS_FILE);
+			return true;
+		}
+		return false;
+	} catch {
+		return false;
+	}
+}
+function isTokenExpired(credentials) {
+	if (!credentials.expiresAt) return false;
+	return credentials.expiresAt < Date.now() + 300 * 1e3;
+}
+//#endregion
+//#region src/core/auth/oauth-server.ts
+const CALLBACK_TIMEOUT_MS = 120 * 1e3;
+const OAUTH_CALLBACK_PORTS = [
+	54321,
+	54322,
+	54323
+];
+async function startOAuthServer() {
+	for (const port of OAUTH_CALLBACK_PORTS) try {
+		return await tryStartServer(port);
+	} catch (err) {
+		if (err.code !== "EADDRINUSE") throw err;
+	}
+	throw new Error(`Could not start OAuth callback server. Ports ${OAUTH_CALLBACK_PORTS.join(", ")} are all in use.`);
+}
+function tryStartServer(port) {
+	return new Promise((resolve, reject) => {
+		let callbackResolve;
+		let callbackReject;
+		let timeoutId;
+		const callbackPromise = new Promise((res, rej) => {
+			callbackResolve = res;
+			callbackReject = rej;
+		});
+		const server = createServer((req, res) => {
+			const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+			if (url.pathname !== "/callback" || req.method !== "GET") {
+				res.writeHead(404);
+				res.end();
+				return;
+			}
+			const code = url.searchParams.get("code") ?? void 0;
+			const state = url.searchParams.get("state") ?? void 0;
+			const error = url.searchParams.get("error") ?? void 0;
+			const errorDescription = url.searchParams.get("error_description") ?? void 0;
+			if (error) {
+				res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+				res.end(getErrorHtml(errorDescription || error));
+				callbackReject(new Error(errorDescription || error));
+				return;
+			}
+			if (!code || !state) {
+				res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+				res.end(getErrorHtml("Missing code or state parameter"));
+				callbackReject(/* @__PURE__ */ new Error("Missing code or state parameter"));
+				return;
+			}
+			res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+			res.end(getSuccessHtml());
+			callbackResolve({
+				code,
+				state
+			});
+		});
+		server.listen(port, () => {
+			const shutdown = () => {
+				clearTimeout(timeoutId);
+				server.close();
+			};
+			const waitForCallback = async () => {
+				timeoutId = setTimeout(() => {
+					callbackReject(/* @__PURE__ */ new Error("Authentication timed out. Please try again."));
+					shutdown();
+				}, CALLBACK_TIMEOUT_MS);
+				try {
+					const result = await callbackPromise;
+					shutdown();
+					return result;
+				} catch (error) {
+					shutdown();
+					throw error;
+				}
+			};
+			resolve({
+				port,
+				waitForCallback,
+				shutdown
+			});
+		});
+		server.on("error", (err) => {
+			reject(err);
+		});
+	});
+}
+function getSuccessHtml() {
+	return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <link rel="icon" href="https://www.revos.ai/favicons/favicon.ico">
+  <title>RevOS CLI - Authentication Successful</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+    }
+    .container {
+      text-align: center;
+      background: white;
+      padding: 3rem;
+      border-radius: 12px;
+      box-shadow: 0 4px 24px rgba(0,0,0,0.15);
+    }
+    .checkmark {
+      font-size: 4rem;
+      margin-bottom: 1rem;
+    }
+    h1 { color: #333; margin-bottom: 0.5rem; }
+    p { color: #666; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="checkmark">✓</div>
+    <h1>Authentication Successful</h1>
+    <p>You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>
+`;
+}
+function getErrorHtml(message) {
+	return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <link rel="icon" href="https://www.revos.ai/favicons/favicon.ico">
+  <title>RevOS CLI - Authentication Failed</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
+    }
+    .container {
+      text-align: center;
+      background: white;
+      padding: 3rem;
+      border-radius: 12px;
+      box-shadow: 0 4px 24px rgba(0,0,0,0.15);
+    }
+    .error-icon {
+      font-size: 4rem;
+      margin-bottom: 1rem;
+    }
+    h1 { color: #333; margin-bottom: 0.5rem; }
+    p { color: #666; }
+    .error-message { color: #e53e3e; margin-top: 1rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="error-icon">✗</div>
+    <h1>Authentication Failed</h1>
+    <p class="error-message">${escapeHtml(message)}</p>
+    <p>Please close this window and try again.</p>
+  </div>
+</body>
+</html>
+`;
+}
+function escapeHtml(text) {
+	return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+//#endregion
+//#region src/core/auth/clerk-oauth.ts
+const AUTH_ENVS = {
+	production: {
+		apiUrl: "https://api.revos.ai",
+		authUrl: "https://clerk.revos.ai",
+		authClientId: "Hkj5lEtyyF5DUQX6"
+	},
+	development: {
+		apiUrl: "https://api.revos.dev",
+		authUrl: "https://strong-minnow-46.clerk.accounts.dev",
+		authClientId: "o3eTaWPmeJAMfRPw"
+	}
+};
+let configOverride = {};
+function setAuthConfig(config) {
+	configOverride = config;
+}
+function getActiveAuthConfig() {
+	return {
+		authUrl: getAuthUrl(),
+		authClientId: getAuthClientId()
+	};
+}
+function getAuthUrl() {
+	return configOverride.authUrl || process.env.REVOS_AUTH_URL || AUTH_ENVS.production.authUrl;
+}
+function getAuthClientId() {
+	return configOverride.authClientId || process.env.REVOS_AUTH_CLIENT_ID || AUTH_ENVS.production.authClientId;
+}
+function setAuthEnv(env) {
+	const config = AUTH_ENVS[env];
+	setAuthConfig({
+		authUrl: config.authUrl,
+		authClientId: config.authClientId
+	});
+}
+function generatePKCEChallenge() {
+	const codeVerifier = crypto.randomBytes(32).toString("base64url");
+	return {
+		codeVerifier,
+		codeChallenge: crypto.createHash("sha256").update(codeVerifier).digest("base64url"),
+		state: crypto.randomBytes(16).toString("base64url")
+	};
+}
+function buildAuthorizationUrl(redirectUri, pkce) {
+	const authUrl = getAuthUrl();
+	const clientId = getAuthClientId();
+	return `${authUrl}/oauth/authorize?${new URLSearchParams({
+		client_id: clientId,
+		redirect_uri: redirectUri,
+		response_type: "code",
+		scope: "profile email offline_access",
+		code_challenge: pkce.codeChallenge,
+		code_challenge_method: "S256",
+		state: pkce.state
+	}).toString()}`;
+}
+async function exchangeCodeForTokens(code, redirectUri, codeVerifier) {
+	const authUrl = getAuthUrl();
+	const clientId = getAuthClientId();
+	const params = new URLSearchParams({
+		grant_type: "authorization_code",
+		code,
+		redirect_uri: redirectUri,
+		code_verifier: codeVerifier,
+		client_id: clientId
+	});
+	const response = await fetch(`${authUrl}/oauth/token`, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: params.toString()
+	});
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Token exchange failed: ${error}`);
+	}
+	return response.json();
+}
+async function getUserInfo(accessToken) {
+	const authUrl = getAuthUrl();
+	const response = await fetch(`${authUrl}/oauth/userinfo`, { headers: { Authorization: `Bearer ${accessToken}` } });
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Failed to get user info: ${error}`);
+	}
+	return response.json();
+}
+function tokenResponseToCredentials(tokenResponse, userInfo) {
+	const expiresAt = tokenResponse.expires_in ? Date.now() + tokenResponse.expires_in * 1e3 : void 0;
+	return {
+		accessToken: tokenResponse.access_token,
+		refreshToken: tokenResponse.refresh_token,
+		expiresAt,
+		userId: userInfo.sub,
+		email: userInfo.email
+	};
+}
+async function refreshAccessToken(refreshToken) {
+	const authUrl = getAuthUrl();
+	const clientId = getAuthClientId();
+	const params = new URLSearchParams({
+		grant_type: "refresh_token",
+		refresh_token: refreshToken,
+		client_id: clientId
+	});
+	const response = await fetch(`${authUrl}/oauth/token`, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: params.toString()
+	});
+	if (!response.ok) {
+		const error = await response.text();
+		throw new Error(`Token refresh failed: ${error}`);
+	}
+	return response.json();
+}
+//#endregion
+//#region src/core/config.ts
+const DEFAULT_API_URL = "https://api.revos.ai";
+async function getStoredAccessToken() {
+	const credentials = loadCredentials();
+	if (!credentials) return null;
+	if (!isTokenExpired(credentials)) return credentials.accessToken;
+	if (!credentials.refreshToken) return null;
+	try {
+		const tokenResponse = await refreshAccessToken(credentials.refreshToken);
+		const newCredentials = tokenResponseToCredentials(tokenResponse, await getUserInfo(tokenResponse.access_token));
+		newCredentials.organizationId = credentials.organizationId;
+		saveCredentials(newCredentials);
+		return newCredentials.accessToken;
+	} catch {
+		return null;
+	}
+}
+function getStoredOrganizationId() {
+	return loadCredentials()?.organizationId ?? void 0;
+}
+async function getConfig() {
+	const token = process.env.REVOS_TOKEN || await getStoredAccessToken();
+	if (!token) throw new Error("Not authenticated. Run 'revos auth login' or set REVOS_TOKEN environment variable.");
+	return {
+		apiUrl: process.env.REVOS_API_URL || "https://api.revos.ai",
+		token,
+		organizationId: process.env.REVOS_ORG_ID || getStoredOrganizationId()
+	};
+}
+//#endregion
+//#region src/core/utils.ts
+function formatError(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+function sanitizeFileName(name) {
+	return name.replace(/[/\\:*?"<>|]/g, "_");
+}
+//#endregion
+//#region src/core/url.ts
+const DEFAULT_APP_URL = "https://app.revos.dev";
+/**
+* Derive the RevOS app (frontend) URL from the API URL.
+* `https://api.revos.ai` → `https://app.revos.ai`
+* `https://api.revos.dev` → `https://app.revos.dev`
+*/
+function resolveAppUrl(apiUrl) {
+	try {
+		const parsed = new URL(apiUrl);
+		const host = parsed.hostname;
+		if (host.startsWith("api.")) {
+			parsed.hostname = host.replace(/^api\./, "app.");
+			parsed.pathname = "/";
+			return parsed.origin;
+		}
+	} catch {}
+	return DEFAULT_APP_URL;
+}
+//#endregion
+//#region src/core/api/create-client.ts
+function createApiClient(config) {
+	const headers = {};
+	if (config.organizationId) headers["X-Revos-Org"] = config.organizationId;
+	client.setConfig({
+		baseUrl: config.apiUrl,
+		auth: config.token,
+		headers
+	});
+	return new Client({ client });
+}
+/**
+* Wraps an SDK call so a 404 returns `null` instead of throwing.
+*/
+async function getOrNull(fn) {
+	try {
+		return await fn();
+	} catch (err) {
+		if (err instanceof ApiError && err.status === 404) return null;
+		throw err;
+	}
+}
+/**
+* Walk a keyset-paginated list endpoint until exhausted. The cursor is
+* opaque and sequential by definition — pages must be fetched in order.
+*/
+async function walkAllPages(fetch) {
+	const out = [];
+	let pageToken;
+	do {
+		const res = await fetch(pageToken);
+		out.push(...unwrap(res));
+		pageToken = res.data?.metadata.nextPageToken ?? void 0;
+	} while (pageToken);
+	return out;
+}
+function unwrap(result) {
+	if (result.error) {
+		const body = result.error;
+		const status = result.response?.status ?? 0;
+		const statusText = result.response?.statusText ?? "";
+		const url = result.request?.url ?? "";
+		let message;
+		if (typeof body === "object" && body !== null && "message" in body) {
+			const msg = body.message;
+			message = typeof msg === "string" ? msg : JSON.stringify(msg);
+		} else if (typeof body === "string") message = body;
+		else message = JSON.stringify(body);
+		throw new ApiError(message, status, statusText, url, body);
+	}
+	return result.data.data;
+}
+//#endregion
+//#region src/core/iac/types.ts
+const API_VERSION = "revos/v1";
+var IacAggregateError = class extends Error {
+	constructor(errors) {
+		super(formatErrors(errors));
+		this.errors = errors;
+		this.name = "IacAggregateError";
+	}
+};
+function formatErrors(errors) {
+	if (errors.length === 0) return "no errors";
+	return errors.map((e) => {
+		const loc = e.source ? `${e.source.file}${e.source.line ? `:${e.source.line}` : ""}${e.source.column ? `:${e.source.column}` : ""}` : "";
+		const head = loc ? `${loc} — ` : "";
+		const tail = e.hint ? `\n  hint: ${e.hint}` : "";
+		return `${head}${e.message}${tail}`;
+	}).join("\n");
+}
+//#endregion
+//#region src/core/iac/project.ts
+const PROJECT_FILE = "revos.yaml";
+const PROJECT_KIND = "Project";
+var ProjectNotFoundError = class extends Error {
+	constructor(cwd) {
+		super(`Not in a revos project (no ${PROJECT_FILE} found in ${cwd} or any parent). Run \`revos init\` to create one.`);
+		this.name = "ProjectNotFoundError";
+	}
+};
+function discoverProject(opts = {}) {
+	const explicit = opts.projectPath ?? process.env.REVOS_PROJECT;
+	if (explicit) {
+		const resolved = path.resolve(explicit);
+		return readProjectFile(fs.statSync(resolved).isDirectory() ? path.join(resolved, PROJECT_FILE) : resolved);
+	}
+	const startDir = path.resolve(opts.cwd ?? process.cwd());
+	let current = startDir;
+	while (true) {
+		const candidate = path.join(current, PROJECT_FILE);
+		if (fs.existsSync(candidate)) {
+			const project = tryReadProjectFile(candidate);
+			if (project) return project;
+		}
+		const parent = path.dirname(current);
+		if (parent === current) break;
+		current = parent;
+	}
+	throw new ProjectNotFoundError(startDir);
+}
+function tryReadProjectFile(filePath) {
+	const doc = parseDocument(fs.readFileSync(filePath, "utf-8"));
+	if (doc.errors.length > 0) throw new Error(`${filePath}: invalid YAML — ${doc.errors[0].message}`);
+	const json = doc.toJS();
+	if (json.apiVersion !== "revos/v1" || json.kind !== "Project") return null;
+	if (!json.metadata?.orgId) throw new Error(`${filePath}: metadata.orgId is required`);
+	return {
+		path: filePath,
+		metadata: {
+			name: json.metadata.name,
+			orgId: json.metadata.orgId
+		}
+	};
+}
+function readProjectFile(filePath) {
+	const project = tryReadProjectFile(filePath);
+	if (!project) throw new Error(`${filePath}: not a revos Project file (expected apiVersion=${API_VERSION} kind=${PROJECT_KIND})`);
+	return project;
+}
+function projectRoot(project) {
+	return path.dirname(project.path);
+}
+function writeProjectFile(projectDir, metadata) {
+	const lines = [
+		"apiVersion: revos/v1",
+		"kind: Project",
+		"metadata:"
+	];
+	if (metadata.name) lines.push(`  name: ${metadata.name}`);
+	lines.push(`  orgId: ${metadata.orgId}`, "");
+	const filePath = path.join(projectDir, PROJECT_FILE);
+	fs.writeFileSync(filePath, lines.join("\n"), "utf-8");
+	return filePath;
+}
+//#endregion
+//#region src/core/iac/parser/load.ts
+const HARDCODED_IGNORES = new Set([
+	".git",
+	"node_modules",
+	"dist",
+	".revos",
+	".turbo",
+	".next"
+]);
+function scanYamlFiles(opts) {
+	const ignored = new Set([...HARDCODED_IGNORES, ...opts.ignored ?? []]);
+	const start = path.resolve(opts.startPath ?? opts.root);
+	const out = [];
+	walk$1(start, opts.root, ignored, out);
+	return out.sort((a, b) => a.path.localeCompare(b.path));
+}
+function walk$1(dir, root, ignored, out) {
+	let entries;
+	try {
+		entries = fs.readdirSync(dir, { withFileTypes: true });
+	} catch {
+		return;
+	}
+	for (const entry of entries) {
+		if (ignored.has(entry.name)) continue;
+		const fullPath = path.join(dir, entry.name);
+		if (entry.isDirectory()) walk$1(fullPath, root, ignored, out);
+		else if (entry.isFile() && isYamlFile(entry.name)) {
+			if (path.relative(root, fullPath) === "revos.yaml" || entry.name === "revos.yaml") continue;
+			const content = fs.readFileSync(fullPath, "utf-8");
+			out.push({
+				path: fullPath,
+				content
+			});
+		}
+	}
+}
+function isYamlFile(name) {
+	return name.endsWith(".yaml") || name.endsWith(".yml");
+}
+//#endregion
+//#region src/core/iac/parser/documents.ts
+function parseFiles(files) {
+	return files.map(parseFile);
+}
+function parseFile(file) {
+	const errors = [];
+	let docs;
+	try {
+		docs = parseAllDocuments(file.content, { keepSourceTokens: true });
+	} catch (err) {
+		errors.push({
+			code: "yaml.parse",
+			message: err instanceof Error ? err.message : String(err),
+			source: { file: file.path }
+		});
+		return {
+			file: file.path,
+			documents: [],
+			errors
+		};
+	}
+	const documents = [];
+	docs.forEach((document, index) => {
+		if (document.errors.length > 0) {
+			for (const e of document.errors) errors.push({
+				code: "yaml.parse",
+				message: e.message,
+				source: locationFromOffset(file.content, e.pos?.[0], file.path)
+			});
+			return;
+		}
+		const source = documentLocation(file, document);
+		documents.push({
+			file: file.path,
+			index,
+			document,
+			source
+		});
+	});
+	return {
+		file: file.path,
+		documents,
+		errors
+	};
+}
+function isResourceDocument(doc) {
+	if (doc.contents == null) return false;
+	const json = doc.toJS();
+	if (typeof json !== "object" || json === null) return false;
+	return json.apiVersion === API_VERSION;
+}
+function readResourceShape(doc) {
+	const json = doc.toJS();
+	if (typeof json !== "object" || json === null) return {};
+	return json;
+}
+function documentLocation(file, document) {
+	const contents = document.contents;
+	if (contents?.range) return locationFromOffset(file.content, contents.range[0], file.path);
+	return {
+		file: file.path,
+		line: 1,
+		column: 1
+	};
+}
+function locationFromOffset(content, offset, file) {
+	if (offset == null || offset < 0) return { file };
+	let line = 1;
+	let column = 1;
+	for (let i = 0; i < offset && i < content.length; i++) if (content[i] === "\n") {
+		line++;
+		column = 1;
+	} else column++;
+	return {
+		file,
+		line,
+		column
+	};
+}
+function asResourceDoc(parsed) {
+	const shape = readResourceShape(parsed.document);
+	if (shape.apiVersion !== "revos/v1") return null;
+	if (!shape.kind) return null;
+	if (!shape.metadata?.name) return null;
+	const spec = shape.spec ?? {};
+	return {
+		kind: shape.kind,
+		metadata: {
+			name: shape.metadata.name,
+			id: shape.metadata.id
+		},
+		spec,
+		rawSpec: shape.spec ?? {},
+		source: parsed.source,
+		docIndex: parsed.index,
+		document: parsed.document
+	};
+}
+//#endregion
+//#region src/core/iac/parser/index.ts
+function buildIndex(resources) {
+	const byAddress = /* @__PURE__ */ new Map();
+	const errors = [];
+	const seenAt = /* @__PURE__ */ new Map();
+	for (const r of resources) {
+		const addr = address(r.kind, r.metadata.name);
+		const prior = seenAt.get(addr);
+		if (prior) {
+			errors.push({
+				code: "duplicate",
+				message: `Duplicate resource ${addr} (also defined at ${formatLoc(prior)})`,
+				source: r.source,
+				hint: "Each (kind, metadata.name) pair must be unique within a project."
+			});
+			continue;
+		}
+		if (!isValidName(r.metadata.name)) {
+			errors.push({
+				code: "invalid-name",
+				message: `metadata.name "${r.metadata.name}" is invalid; must match ^[a-z][a-z0-9-]*$`,
+				source: r.source
+			});
+			continue;
+		}
+		if (r.metadata.id !== void 0 && !isLikelyId(r.metadata.id)) {
+			errors.push({
+				code: "tampered",
+				message: `${addr}: metadata.id appears tampered or corrupted`,
+				source: r.source,
+				hint: `Run \`revos pull ${addr}\` to recover.`
+			});
+			continue;
+		}
+		seenAt.set(addr, r.source);
+		byAddress.set(addr, r);
+	}
+	return {
+		byAddress,
+		all: [...byAddress.values()],
+		errors
+	};
+}
+function address(kind, name) {
+	return `${kind}/${name}`;
+}
+const NAME_RE = /^[a-z][a-z0-9-]*$/;
+function isValidName(name) {
+	return NAME_RE.test(name);
+}
+function isLikelyId(id) {
+	return typeof id === "string" && id.trim().length > 0 && !id.includes("\n");
+}
+function formatLoc(loc) {
+	if (loc.line) return `${loc.file}:${loc.line}`;
+	return loc.file;
+}
+//#endregion
+//#region src/core/iac/validate/validate.ts
+function validateResource(resource, schema) {
+	const result = schema.safeParse(resource.spec);
+	if (!result.success) return {
+		resource,
+		errors: zodErrorsToIac(result.error, resource.source, resource.kind, resource.metadata.name)
+	};
+	return {
+		resource: {
+			...resource,
+			spec: result.data
+		},
+		errors: []
+	};
+}
+function validateAll(resources, registry) {
+	const errors = [];
+	const validated = [];
+	for (const r of resources) {
+		const provider = registry.get(r.kind);
+		if (!provider) {
+			errors.push({
+				code: "unknown-kind",
+				message: `Unknown kind "${r.kind}"`,
+				source: r.source,
+				hint: `Known kinds: ${[...registry.kinds()].join(", ") || "(none)"}`
+			});
+			continue;
+		}
+		const result = validateResource(r, provider.schema);
+		errors.push(...result.errors);
+		if (result.errors.length === 0) validated.push(result.resource);
+	}
+	return {
+		resources: validated,
+		errors
+	};
+}
+function zodErrorsToIac(err, source, kind, name) {
+	return [{
+		code: "schema",
+		message: `${kind}/${name}: ${fromError(err, { prefix: null }).toString()}`,
+		source
+	}];
+}
+//#endregion
+//#region src/core/iac/providers/registry.ts
+var ProviderRegistry = class {
+	providers = /* @__PURE__ */ new Map();
+	register(provider) {
+		if (this.providers.has(provider.kind)) throw new Error(`Provider for kind "${provider.kind}" already registered`);
+		this.providers.set(provider.kind, provider);
+	}
+	get(kind) {
+		return this.providers.get(kind);
+	}
+	has(kind) {
+		return this.providers.has(kind);
+	}
+	kinds() {
+		return this.providers.keys();
+	}
+};
+//#endregion
+//#region src/core/iac/util/slug.ts
+/**
+* Convert a free-form display name into a valid `metadata.name` slug.
+*
+* Rules: lowercase, ASCII alnum + `-`, must start with a letter. Empty
+* or letter-less inputs fall back to `unnamed`.
+*/
+function slugify(input) {
+	const base = input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").replace(/--+/g, "-");
+	if (base.length === 0) return "unnamed";
+	if (!/^[a-z]/.test(base)) return `r-${base}`;
+	return base;
+}
+//#endregion
+//#region src/core/iac/providers/connection.provider.ts
+const scheduleSchema = z.object({
+	units: z.number().int().positive(),
+	timeUnit: z.enum([
+		"minutes",
+		"hours",
+		"days",
+		"weeks",
+		"months"
+	])
+});
+const syncModeSchema = z.enum([
+	"full_refresh_overwrite",
+	"full_refresh_append",
+	"incremental_append",
+	"incremental_deduped_history",
+	"full_refresh_overwrite_deduped"
+]);
+const hashingMapperSchema = z.object({
+	type: z.literal("hashing"),
+	id: z.string().uuid().optional(),
+	mapperConfiguration: z.object({
+		targetField: z.string().min(1),
+		method: z.enum([
+			"MD2",
+			"MD5",
+			"SHA-1",
+			"SHA-224",
+			"SHA-256",
+			"SHA-384",
+			"SHA-512"
+		]),
+		fieldNameSuffix: z.string()
+	})
+});
+const fieldRenamingMapperSchema = z.object({
+	type: z.literal("field-renaming"),
+	id: z.string().uuid().optional(),
+	mapperConfiguration: z.object({
+		originalFieldName: z.string().min(1),
+		newFieldName: z.string().min(1)
+	})
+});
+const fieldFilteringMapperSchema = z.object({
+	type: z.literal("field-filtering"),
+	id: z.string().uuid().optional(),
+	mapperConfiguration: z.object({ targetField: z.string().min(1) })
+});
+const rowFilteringEqualSchema = z.object({
+	type: z.literal("EQUAL"),
+	fieldName: z.string().min(1),
+	comparisonValue: z.string()
+});
+const rowFilteringOperationSchema = z.lazy(() => z.discriminatedUnion("type", [rowFilteringEqualSchema, z.object({
+	type: z.literal("NOT"),
+	conditions: z.array(rowFilteringOperationSchema).min(1)
+})]));
+const rowFilteringMapperSchema = z.object({
+	type: z.literal("row-filtering"),
+	id: z.string().uuid().optional(),
+	mapperConfiguration: z.object({ conditions: rowFilteringOperationSchema })
+});
+const encryptionMapperSchema = z.object({
+	type: z.literal("encryption"),
+	id: z.string().uuid().optional(),
+	mapperConfiguration: z.discriminatedUnion("algorithm", [z.object({
+		algorithm: z.literal("RSA"),
+		targetField: z.string().min(1),
+		fieldNameSuffix: z.string(),
+		publicKey: z.string().min(1)
+	}), z.object({
+		algorithm: z.literal("AES"),
+		targetField: z.string().min(1),
+		fieldNameSuffix: z.string(),
+		key: z.string().min(1),
+		mode: z.enum([
+			"CBC",
+			"CFB",
+			"OFB",
+			"CTR",
+			"GCM",
+			"ECB"
+		]),
+		padding: z.enum(["NoPadding", "PKCS5Padding"])
+	})])
+});
+const streamMapperSchema = z.discriminatedUnion("type", [
+	hashingMapperSchema,
+	fieldRenamingMapperSchema,
+	fieldFilteringMapperSchema,
+	rowFilteringMapperSchema,
+	encryptionMapperSchema
+]);
+const SYNC_MODES_REQUIRING_CURSOR = new Set(["incremental_append", "incremental_deduped_history"]);
+const SYNC_MODES_REQUIRING_PRIMARY_KEY = new Set(["incremental_deduped_history", "full_refresh_overwrite_deduped"]);
+const streamConfigSchema = z.object({
+	name: z.string().min(1),
+	namespace: z.string().optional(),
+	syncMode: syncModeSchema.optional(),
+	cursorField: z.array(z.string()).optional(),
+	primaryKey: z.array(z.array(z.string())).optional(),
+	selectedFields: z.array(z.object({ fieldPath: z.array(z.string()) })).optional(),
+	mappers: z.array(streamMapperSchema).optional()
+}).superRefine((stream, ctx) => {
+	if (!stream.syncMode) return;
+	if (SYNC_MODES_REQUIRING_CURSOR.has(stream.syncMode) && !stream.cursorField?.length) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["cursorField"],
+		message: `cursorField is required when syncMode is ${stream.syncMode}`
+	});
+	if (SYNC_MODES_REQUIRING_PRIMARY_KEY.has(stream.syncMode) && !stream.primaryKey?.length) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		path: ["primaryKey"],
+		message: `primaryKey is required when syncMode is ${stream.syncMode}`
+	});
+});
+const prefixSchema = z.string().max(63, "spec.prefix must be 63 characters or fewer").regex(/^[a-z0-9_]*$/, "spec.prefix must contain only lowercase letters, digits, and underscores");
+const connectionSpecSchema = z.object({
+	name: z.string().min(1, "spec.name is required"),
+	source: z.object({ id: z.string().min(1, "spec.source.id is required") }),
+	schedule: scheduleSchema.default({
+		units: 24,
+		timeUnit: "hours"
+	}),
+	streams: z.array(streamConfigSchema).default([]),
+	status: z.enum([
+		"active",
+		"inactive",
+		"deprecated"
+	]).default("active"),
+	prefix: prefixSchema.optional()
+});
+function createConnectionProvider(client) {
+	return {
+		kind: "Connection",
+		schema: connectionSpecSchema,
+		sensitivePaths: [],
+		localOnlyPaths: [],
+		dependsOn: [],
+		extractRefs() {
+			return [];
+		},
+		normalize(spec) {
+			return remoteToSpec$1(spec);
+		},
+		computedPaths: ["prefix"],
+		inflateRemote(remote) {
+			return remoteToSpec$1(remote);
+		},
+		async listRemote() {
+			return (await client.list()).map((r) => ({
+				id: r.id,
+				remote: r
+			}));
+		},
+		deriveName(remote) {
+			const r = remote ?? {};
+			return slugify(typeof r.name === "string" ? r.name : "");
+		},
+		async create(_ctx, spec) {
+			const remote = await client.create(specToCreateBody$1(spec));
+			return {
+				id: remote.id,
+				spec: remoteToSpec$1(remote)
+			};
+		},
+		async read(_ctx, id) {
+			const remote = await client.get(id);
+			if (!remote) return null;
+			return {
+				id: remote.id,
+				spec: remoteToSpec$1(remote)
+			};
+		},
+		async update(_ctx, id, spec) {
+			const remote = await client.update(id, specToUpdateBody$1(spec));
+			return {
+				id: remote.id,
+				spec: remoteToSpec$1(remote)
+			};
+		},
+		async delete(_ctx, id) {
+			await client.delete(id);
+		}
+	};
+}
+function specToCreateBody$1(spec) {
+	return {
+		name: spec.name,
+		sourceId: spec.source.id,
+		schedule: spec.schedule,
+		streams: spec.streams.length > 0 ? spec.streams : void 0,
+		status: spec.status === "deprecated" ? "inactive" : spec.status,
+		...spec.prefix !== void 0 && { prefix: spec.prefix }
+	};
+}
+function specToUpdateBody$1(spec) {
+	return {
+		name: spec.name,
+		schedule: spec.schedule,
+		streams: spec.streams,
+		status: spec.status,
+		...spec.prefix !== void 0 && { prefix: spec.prefix }
+	};
+}
+/**
+* Map a server connection back to the IaC spec shape. Strips empty arrays
+* inside per-stream config that the server emits as defaults so they don't
+* cause phantom drift between fresh-pull and apply round-trips.
+*/
+function remoteToSpec$1(remote) {
+	if (typeof remote !== "object" || remote === null) return {
+		name: "",
+		source: { id: "" },
+		schedule: {
+			units: 24,
+			timeUnit: "hours"
+		},
+		streams: [],
+		status: "active"
+	};
+	const r = remote;
+	const schedule = typeof r.schedule === "object" && r.schedule ? r.schedule : {
+		units: 24,
+		timeUnit: "hours"
+	};
+	const rawStreams = Array.isArray(r.streams) ? r.streams : [];
+	return {
+		name: typeof r.name === "string" ? r.name : "",
+		source: { id: typeof r.sourceId === "string" ? r.sourceId : "" },
+		schedule,
+		streams: rawStreams.map(normalizeStream),
+		status: r.status === "active" || r.status === "inactive" || r.status === "deprecated" ? r.status : "active",
+		...typeof r.prefix === "string" && { prefix: r.prefix }
+	};
+}
+/**
+* Drop empty arrays the server emits as defaults — `cursorField: []`,
+* `primaryKey: []`, `selectedFields: []`, `mappers: []`. Keeping them would
+* either bloat the YAML on a discovery pull, or cause spurious diff churn
+* when the user edits a stream and re-applies.
+*/
+function normalizeStream(s) {
+	const out = { name: s.name };
+	if (s.namespace) out.namespace = s.namespace;
+	if (s.syncMode) out.syncMode = s.syncMode;
+	if (s.cursorField && s.cursorField.length > 0) out.cursorField = s.cursorField;
+	if (s.primaryKey && s.primaryKey.length > 0) out.primaryKey = s.primaryKey;
+	if (s.selectedFields && s.selectedFields.length > 0) out.selectedFields = s.selectedFields;
+	if (s.mappers && s.mappers.length > 0) out.mappers = s.mappers;
+	return out;
+}
+//#endregion
+//#region src/core/iac/providers/cube.provider.ts
+const cubeSpecSchema = z.object({
+	name: z.string().min(1, "spec.name is required"),
+	definition: z.record(z.string(), z.unknown())
+});
+function createCubeProvider(client) {
+	return {
+		kind: "Cube",
+		schema: cubeSpecSchema,
+		sensitivePaths: [],
+		localOnlyPaths: [],
+		dependsOn: [],
+		extractRefs() {
+			return [];
+		},
+		normalize(remote) {
+			return remoteToSpec(remote);
+		},
+		inflateRemote(remote) {
+			return remoteToSpec(remote);
+		},
+		async listRemote() {
+			return (await client.list()).map((r) => ({
+				id: r.id,
+				remote: r
+			}));
+		},
+		deriveName(remote) {
+			const r = remote ?? {};
+			return slugify(typeof r.name === "string" ? r.name : "");
+		},
+		async create(_ctx, spec) {
+			const remote = await client.create(specToCreateBody(spec));
+			return {
+				id: remote.id,
+				spec: remoteToSpec(remote)
+			};
+		},
+		async read(_ctx, id) {
+			const remote = await client.get(id);
+			if (!remote) return null;
+			return {
+				id: remote.id,
+				spec: remoteToSpec(remote)
+			};
+		},
+		async update(_ctx, id, spec) {
+			const remote = await client.update(id, specToUpdateBody(spec));
+			return {
+				id: remote.id,
+				spec: remoteToSpec(remote)
+			};
+		},
+		async delete(_ctx, id) {
+			await client.delete(id);
+		}
+	};
+}
+function specToCreateBody(spec) {
+	return {
+		name: spec.name,
+		definition: ensureDefinitionName(spec.definition, spec.name)
+	};
+}
+function specToUpdateBody(spec) {
+	return {
+		name: spec.name,
+		definition: ensureDefinitionName(spec.definition, spec.name)
+	};
+}
+/**
+* Cube.dev requires `definition.name` to match the cube name (it's the
+* identifier referenced by `${CUBE}` and joins). Mirror it from spec.name
+* so the YAML doesn't have to carry the same name twice.
+*/
+function ensureDefinitionName(definition, name) {
+	return {
+		...definition,
+		name
+	};
+}
+function remoteToSpec(remote) {
+	if (typeof remote !== "object" || remote === null) return {
+		name: "",
+		definition: {}
+	};
+	const r = remote;
+	const { name: _ignoredDefName, ...definitionWithoutName } = typeof r.definition === "object" && r.definition !== null ? r.definition : {};
+	return {
+		name: typeof r.name === "string" ? r.name : "",
+		definition: definitionWithoutName
+	};
+}
+//#endregion
+//#region src/core/iac/api/connections-client.ts
+/**
+* Adapter over the typed `@revos/api-client` SDK. The SDK client is already
+* configured with the project's org via `createApiClient({ organizationId })`,
+* so per-call methods don't take the org id.
+*/
+function createSdkConnectionsClient(apiClient) {
+	return {
+		list: () => walkAllPages((pageToken) => apiClient.connections.list({
+			pageSize: 100,
+			pageToken
+		})),
+		get: (connectionId) => getOrNull(() => apiClient.connections.get({ id: connectionId }).then(unwrap)),
+		create: (body) => apiClient.connections.create({ body }).then(unwrap),
+		update: (connectionId, body) => apiClient.connections.update({
+			id: connectionId,
+			body
+		}).then(unwrap),
+		delete: async (connectionId) => {
+			await apiClient.connections.delete({ id: connectionId });
+		}
+	};
+}
+//#endregion
+//#region src/core/iac/api/cubes-client.ts
+/**
+* Adapter over the typed `@revos/api-client` SDK. The SDK client is already
+* configured with the project's org via `createApiClient({ organizationId })`,
+* so per-call methods don't take the org id.
+*/
+function createSdkCubesClient(apiClient) {
+	return {
+		list: () => apiClient.cubes.list().then(unwrap),
+		get: (cubeId) => getOrNull(() => apiClient.cubes.get({ id: cubeId }).then(unwrap)),
+		create: (body) => apiClient.cubes.create({ body }).then(unwrap),
+		update: (cubeId, body) => apiClient.cubes.update({
+			id: cubeId,
+			body
+		}).then(unwrap),
+		delete: async (cubeId) => {
+			await apiClient.cubes.delete({ id: cubeId });
+		}
+	};
+}
+//#endregion
+//#region src/core/iac/providers/build-registry.ts
+/** Build a `ProviderRegistry` populated with every IaC kind. */
+function buildIacRegistry(apiClient) {
+	const registry = new ProviderRegistry();
+	registry.register(createConnectionProvider(createSdkConnectionsClient(apiClient)));
+	registry.register(createCubeProvider(createSdkCubesClient(apiClient)));
+	return registry;
+}
+//#endregion
+//#region src/core/iac/ast/rewrite.ts
+/**
+* Apply edits to one or more documents in a YAML file in-place.
+*
+* Uses the `yaml` library's CST-aware Document AST so existing siblings,
+* comments, key order, and `---` separators are preserved byte-for-byte
+* outside the regions actually being modified.
+*
+* Returns the new file contents (and writes them to disk).
+*/
+function rewriteYamlFile(filePath, edits) {
+	const next = applyDocumentEdits(fs.readFileSync(filePath, "utf-8"), edits);
+	fs.writeFileSync(filePath, next, "utf-8");
+	return next;
+}
+/** Pure variant for tests / dry-run flows. */
+function applyDocumentEdits(src, edits) {
+	const docs = parseAllDocuments(src, { keepSourceTokens: true });
+	for (const edit of edits) {
+		const doc = docs[edit.docIndex];
+		if (!doc) throw new Error(`Cannot edit document #${edit.docIndex}: only ${docs.length} document(s) in source`);
+		edit.mutate(doc);
+	}
+	return docs.map((d) => d.toString()).join("");
+}
+function setMetadataId(filePath, docIndex, id) {
+	return rewriteYamlFile(filePath, [{
+		docIndex,
+		mutate: (doc) => doc.setIn(["metadata", "id"], id)
+	}]);
+}
+//#endregion
+//#region src/core/iac/env/interpolate.ts
+const FULL_MATCH = /^\$\{env\.([A-Z_][A-Z0-9_]*)\}$/;
+const PARTIAL_MATCH = /\$\{env\.([A-Z_][A-Z0-9_]*)\}/g;
+/**
+* Substitute `${env.VAR}` placeholders in spec values.
+*
+* Whole-string match (`"${env.HOST}"`) substitutes with the env var raw value
+* (preserving its type would require typed envs; we always return string).
+* Partial-string match (`"https://${env.HOST}"`) substitutes inline.
+*
+* Caller passes the resource source for error reporting.
+*/
+function interpolateSpec(spec, source, env = process.env) {
+	const errors = [];
+	return {
+		value: walk(spec, source, env, errors),
+		errors
+	};
+}
+function walk(v, source, env, errors) {
+	if (typeof v === "string") return interpolateString(v, source, env, errors);
+	if (Array.isArray(v)) return v.map((x) => walk(x, source, env, errors));
+	if (v !== null && typeof v === "object") {
+		const out = {};
+		for (const [k, val] of Object.entries(v)) out[k] = walk(val, source, env, errors);
+		return out;
+	}
+	return v;
+}
+function interpolateString(s, source, env, errors) {
+	const full = FULL_MATCH.exec(s);
+	if (full) {
+		const name = full[1];
+		const v = env[name];
+		if (v === void 0) {
+			errors.push({
+				code: "env.missing",
+				message: `Environment variable ${name} is not set (referenced as \${env.${name}})`,
+				source
+			});
+			return "";
+		}
+		return v;
+	}
+	return s.replace(PARTIAL_MATCH, (_, name) => {
+		const v = env[name];
+		if (v === void 0) {
+			errors.push({
+				code: "env.missing",
+				message: `Environment variable ${name} is not set (referenced as \${env.${name}})`,
+				source
+			});
+			return "";
+		}
+		return v;
+	});
+}
+//#endregion
+//#region src/core/iac/loader.ts
+/**
+* Two-pass loader:
+* 1. Parse every yaml file, expand `${env.VAR}` in spec values, build the
+*    `(kind, metadata.name)` index, detect duplicates and tampered metadata.
+* 2. Validate each resource's spec against its provider's schema.
+*
+* Returns the index and any accumulated errors. Caller decides whether to
+* proceed (e.g. `apply` aborts on any error; `status` may render partial state).
+*/
+function loadResources(opts) {
+	const parsedFiles = parseFiles(scanYamlFiles({
+		root: projectRoot(opts.project),
+		startPath: opts.startPath
+	}));
+	const errors = [];
+	const docs = [];
+	for (const pf of parsedFiles) {
+		errors.push(...pf.errors);
+		for (const pd of pf.documents) {
+			const doc = asResourceDoc(pd);
+			if (!doc) continue;
+			const interp = interpolateSpec(doc.spec, doc.source, opts.env);
+			errors.push(...interp.errors);
+			docs.push({
+				...doc,
+				spec: interp.value
+			});
+		}
+	}
+	const indexed = buildIndex(docs);
+	errors.push(...indexed.errors);
+	if (opts.validateSpecs === false) return {
+		index: indexed,
+		errors
+	};
+	const validated = validateAll(indexed.all, opts.registry);
+	errors.push(...validated.errors);
+	return {
+		index: buildIndex(validated.resources),
+		errors
+	};
+}
+//#endregion
+//#region src/core/iac/diff/diff.ts
+const REDACTED = "(sensitive value)";
+/**
+* Compare two normalized specs and return a list of changes. Sensitive paths
+* (declared by the provider) are not compared on raw values; instead the
+* before/after are replaced with a placeholder so callers never get a chance
+* to print a secret. The presence/absence of a value at a sensitive path is
+* still reported as a change so users see *something* moved.
+*/
+function diffSpecs(before, after, sensitivePaths = []) {
+	return microdiff(before ?? {}, after ?? {}).map((d) => toChange(d, sensitivePaths));
+}
+function toChange(d, sensitivePaths) {
+	const dotted = d.path.join(".");
+	const isSensitive = sensitivePaths.some((p) => dotted === p || dotted.startsWith(`${p}.`));
+	switch (d.type) {
+		case "CREATE": return {
+			kind: "add",
+			path: d.path,
+			after: isSensitive ? REDACTED : d.value,
+			sensitive: isSensitive
+		};
+		case "REMOVE": return {
+			kind: "remove",
+			path: d.path,
+			before: isSensitive ? REDACTED : d.oldValue,
+			sensitive: isSensitive
+		};
+		case "CHANGE": return {
+			kind: "change",
+			path: d.path,
+			before: isSensitive ? REDACTED : d.oldValue,
+			after: isSensitive ? REDACTED : d.value,
+			sensitive: isSensitive
+		};
+	}
+}
+/**
+* Render a single diff entry as a human-readable line. Used by both
+* `revos apply --dry-run` and `revos diff`.
+*/
+function formatDiffLine(c) {
+	const path = c.path.map(String).join(".");
+	switch (c.kind) {
+		case "add": return chalk.green(`  + ${path}: ${formatValue(c.after)}`);
+		case "remove": return chalk.red(`  - ${path}: ${formatValue(c.before)}`);
+		case "change": return chalk.yellow(`  ~ ${path}: ${formatValue(c.before)} → ${formatValue(c.after)}`);
+	}
+}
+function formatValue(v) {
+	if (v === REDACTED) return chalk.dim(REDACTED);
+	if (typeof v === "string") return JSON.stringify(v);
+	if (v === null || v === void 0) return String(v);
+	if (typeof v === "object") return JSON.stringify(v);
+	return String(v);
+}
+//#endregion
+//#region src/core/iac/refs/graph.ts
+const { Graph, alg } = graphlib;
+/**
+* Build the dependency DAG from a flat list of resources.
+*
+* Edges point from dependency → dependent: if Connection/c references
+* Source/s, we add an edge `Source/s → Connection/c`. That means once
+* `Source/s` is applied, `Connection/c` becomes eligible.
+*
+* Errors:
+* - A resource references a (kind, name) that does not exist locally.
+*   Reported with `file:line:col` of the referencing resource.
+* - The dependency graph contains a cycle. Reported with the addresses
+*   involved.
+*/
+function buildDependencyGraph(resources, registry) {
+	const errors = [];
+	const byAddress = /* @__PURE__ */ new Map();
+	for (const r of resources) byAddress.set(address(r.kind, r.metadata.name), r);
+	const g = new Graph({ directed: true });
+	for (const r of resources) g.setNode(address(r.kind, r.metadata.name));
+	for (const r of resources) {
+		const provider = registry.get(r.kind);
+		if (!provider) continue;
+		const refs = provider.extractRefs(r.spec);
+		for (const ref of refs) {
+			const dep = address(ref.kind, ref.name);
+			if (!byAddress.has(dep)) {
+				errors.push({
+					code: "ref",
+					message: `${address(r.kind, r.metadata.name)} references ${dep} but no local resource with that name exists`,
+					source: r.source,
+					hint: `Either define ${dep} in this project or remove the reference.`
+				});
+				continue;
+			}
+			g.setEdge(dep, address(r.kind, r.metadata.name));
+		}
+	}
+	if (errors.length > 0) return {
+		levels: [],
+		errors
+	};
+	const cycles = alg.findCycles(g);
+	if (cycles.length > 0) {
+		for (const cycle of cycles) errors.push({
+			code: "cycle",
+			message: `dependency cycle: ${cycle.join(" → ")} → ${cycle[0]}`,
+			hint: "Break the cycle by removing one of the references."
+		});
+		return {
+			levels: [],
+			errors
+		};
+	}
+	return {
+		levels: kahnLevels(g, byAddress),
+		errors: []
+	};
+}
+/**
+* Kahn's algorithm, leveled. Repeatedly extract every node whose remaining
+* predecessors are zero — those form the next level. Within a level, order
+* is alphabetical for deterministic output.
+*/
+function kahnLevels(g, byAddress) {
+	const inDegree = /* @__PURE__ */ new Map();
+	for (const node of g.nodes()) inDegree.set(node, (g.predecessors(node) ?? []).length);
+	const levels = [];
+	while (inDegree.size > 0) {
+		const ready = [...inDegree.entries()].filter(([, d]) => d === 0).map(([n]) => n).sort();
+		if (ready.length === 0) throw new Error("internal: kahnLevels could not make progress but no cycle was reported");
+		const level = [];
+		for (const n of ready) {
+			const r = byAddress.get(n);
+			if (r) level.push(r);
+			inDegree.delete(n);
+			for (const succ of g.successors(n) ?? []) inDegree.set(succ, (inDegree.get(succ) ?? 0) - 1);
+		}
+		levels.push(level);
+	}
+	return levels;
+}
+//#endregion
+//#region src/core/iac/apply/apply.ts
+const DEFAULT_PARALLELISM = 4;
+/**
+* Reconcile local YAML resources against the API.
+*
+* - No `metadata.id` → POST create, then AST-rewrite the file in place to
+*   record the returned id.
+* - Has `metadata.id` → GET remote, normalize, diff against local. Equal →
+*   `unchanged`. Different → PATCH update, report `update` with the drift
+*   list. In `dryRun` mode the GET still happens (so drift can be reported)
+*   but the PATCH/POST and the YAML rewrite are skipped — this is what
+*   powers `revos diff`.
+*
+* Resources are applied in dependency order: providers declare which other
+* resources they reference via `extractRefs(spec)`, and we apply level by
+* level. Within a level, resources are applied concurrently up to
+* `parallelism`.
+*
+* Stop-on-first-error: any failure halts further mutations. Anything done
+* before the failure has already been persisted (each resource is committed
+* as soon as its remote write returns), so re-running picks up where it
+* left off.
+*/
+async function apply(opts) {
+	const load = loadResources({
+		project: opts.project,
+		registry: opts.registry,
+		startPath: opts.startPath,
+		env: opts.env
+	});
+	if (load.errors.length > 0) return {
+		applied: [],
+		errors: load.errors
+	};
+	const dag = buildDependencyGraph(load.index.all, opts.registry);
+	if (dag.errors.length > 0) return {
+		applied: [],
+		errors: dag.errors
+	};
+	const result = {
+		applied: [],
+		errors: []
+	};
+	const dryRun = opts.dryRun ?? false;
+	const parallelism = Math.max(1, opts.parallelism ?? DEFAULT_PARALLELISM);
+	const resolver = makeResolver(load.index.all);
+	const idResolver = makeIdResolver(load.index.all);
+	for (const level of dag.levels) {
+		if (result.errors.length > 0) break;
+		const summaries = await runLevel(level, opts.registry, opts.project.metadata.orgId, resolver, idResolver, dryRun, parallelism, result);
+		result.applied.push(...summaries);
+	}
+	return result;
+}
+/**
+* Apply every resource in the level concurrently, capped at `parallelism`.
+* The first failure inside the level halts further work in this level
+* (other in-flight tasks finish, but no new tasks start), and the outer
+* loop will not advance to the next level. Resources whose work completed
+* before the failure are still persisted on disk and reported in the
+* result.
+*/
+async function runLevel(level, registry, orgId, resolver, idResolver, dryRun, parallelism, result) {
+	const summaries = [];
+	let cursor = 0;
+	let aborted = false;
+	async function worker() {
+		while (!aborted) {
+			const i = cursor++;
+			if (i >= level.length) return;
+			const resource = level[i];
+			const provider = registry.get(resource.kind);
+			if (!provider) continue;
+			const ctx = {
+				orgId,
+				resolveRef: resolver,
+				resolveById: idResolver
+			};
+			try {
+				const summary = await applyOne(provider, ctx, resource, dryRun);
+				summaries.push(summary);
+			} catch (err) {
+				aborted = true;
+				result.errors.push({
+					code: "apply",
+					message: err instanceof Error ? `${address(resource.kind, resource.metadata.name)}: ${err.message}` : String(err),
+					source: resource.source
+				});
+			}
+		}
+	}
+	const workers = Array.from({ length: Math.min(parallelism, level.length) }, () => worker());
+	await Promise.all(workers);
+	return summaries;
+}
+async function applyOne(provider, ctx, resource, dryRun) {
+	const base = {
+		address: address(resource.kind, resource.metadata.name),
+		kind: resource.kind,
+		name: resource.metadata.name,
+		file: resource.source.file
+	};
+	if (!resource.metadata.id) {
+		const createDiff = diffSpecs({}, resource.spec, provider.sensitivePaths);
+		if (dryRun) return {
+			...base,
+			action: "create",
+			diff: createDiff
+		};
+		const created = await provider.create(ctx, resource.spec);
+		rewriteYamlFile(resource.source.file, [{
+			docIndex: resource.docIndex,
+			mutate: (doc) => {
+				doc.setIn(["metadata", "id"], created.id);
+				for (const path of provider.computedPaths ?? []) {
+					const segs = path.split(".");
+					if (hasIn$1(resource.rawSpec, segs)) continue;
+					const value = getIn$1(created.spec, segs);
+					if (value === void 0) continue;
+					doc.setIn(["spec", ...segs], value);
+				}
+			}
+		}]);
+		return {
+			...base,
+			id: created.id,
+			action: "create",
+			diff: createDiff
+		};
+	}
+	const id = resource.metadata.id;
+	const remote = await provider.read(ctx, id);
+	if (!remote) throw new Error(`remote resource ${id} not found — local file references an id that no longer exists. Either remove metadata.id to recreate, or pull a fresh state.`);
+	const localNorm = provider.normalize(resource.spec);
+	const drift = diffSpecs(provider.normalize(remote.spec), localNorm, provider.sensitivePaths);
+	if (drift.length === 0) return {
+		...base,
+		id,
+		action: "unchanged"
+	};
+	if (dryRun) return {
+		...base,
+		id,
+		action: "update",
+		diff: drift
+	};
+	await provider.update(ctx, id, resource.spec);
+	return {
+		...base,
+		id,
+		action: "update",
+		diff: drift
+	};
+}
+/**
+* Resolve `(kind, name)` against the local index to the resource's current
+* `metadata.id`. The DAG guarantees dependencies are applied first, but if
+* we get here for a resource whose dependency was never applied (e.g. a
+* skipped kind without a registered provider), `metadata.id` will be
+* undefined and the provider's create/update body construction will fail
+* with a clear error.
+*/
+function makeResolver(resources) {
+	const byAddress = /* @__PURE__ */ new Map();
+	for (const r of resources) byAddress.set(address(r.kind, r.metadata.name), r);
+	return (ref) => byAddress.get(address(ref.kind, ref.name))?.metadata.id;
+}
+function hasIn$1(obj, path) {
+	let cur = obj;
+	for (const seg of path) {
+		if (typeof cur !== "object" || cur === null || !(seg in cur)) return false;
+		cur = cur[seg];
+	}
+	return true;
+}
+function getIn$1(obj, path) {
+	let cur = obj;
+	for (const seg of path) {
+		if (typeof cur !== "object" || cur === null) return void 0;
+		cur = cur[seg];
+	}
+	return cur;
+}
+function makeIdResolver(resources) {
+	const byKindId = /* @__PURE__ */ new Map();
+	for (const r of resources) if (r.metadata.id) byKindId.set(`${r.kind}/${r.metadata.id}`, r.metadata.name);
+	return (kind, id) => byKindId.get(`${kind}/${id}`);
+}
+//#endregion
+//#region src/core/iac/util/yaml.ts
+/**
+* Indent a YAML string by `baseIndent` levels (2-space indent per level).
+*/
+function stringifySpec(spec, baseIndent) {
+	const indent = "  ".repeat(baseIndent);
+	return stringify(spec ?? {}, { indent: 2 }).trimEnd().split("\n").map((line) => line.length === 0 ? line : indent + line).join("\n");
+}
+//#endregion
+//#region src/core/iac/pull/pull.ts
+/**
+* Reconcile local YAML with the API in the OPPOSITE direction of `apply`.
+*
+* For each registered kind (in topological order over `Provider.dependsOn`):
+*  1. List every remote resource of that kind.
+*  2. Match each remote against the local index by `metadata.id`. If the
+*     local exists, reconcile it (rewrite spec when drifted, leave alone
+*     when unchanged). If no local has that id, *discover* the remote: pick
+*     a default `metadata.name` and write a new YAML file under
+*     `<kind-lowercase>s/<name>.yaml`.
+*  3. Local resources whose `metadata.id` was not in the remote list get
+*     `skipped-not-found`. Local resources without `metadata.id` are
+*     unmapped — they get `skipped-no-id`.
+*
+* Refuses to overwrite files with uncommitted changes unless `--force`. New
+* files (discoveries) are written even when --force is unset, since they
+* can't conflict with anything on disk.
+*/
+async function pull(opts) {
+	const load = loadResources({
+		project: opts.project,
+		registry: opts.registry,
+		startPath: opts.startPath,
+		env: opts.env,
+		validateSpecs: false
+	});
+	if (load.errors.length > 0) return {
+		pulled: [],
+		errors: load.errors
+	};
+	const isDirty = opts.isDirty ?? defaultIsDirty;
+	const dryRun = opts.dryRun ?? false;
+	const localById = /* @__PURE__ */ new Map();
+	const localByAddress = /* @__PURE__ */ new Map();
+	for (const r of load.index.all) {
+		if (r.metadata.id) localById.set(`${r.kind}/${r.metadata.id}`, r);
+		localByAddress.set(address(r.kind, r.metadata.name), r);
+	}
+	const byId = /* @__PURE__ */ new Map();
+	for (const r of load.index.all) if (r.metadata.id) byId.set(`${r.kind}/${r.metadata.id}`, r.metadata.name);
+	const idResolver = (kind, id) => byId.get(`${kind}/${id}`);
+	const ctx = {
+		orgId: opts.project.metadata.orgId,
+		resolveRef: () => void 0,
+		resolveById: idResolver
+	};
+	const result = {
+		pulled: [],
+		errors: []
+	};
+	const matchedLocal = /* @__PURE__ */ new Set();
+	const editsByFile = /* @__PURE__ */ new Map();
+	const providers = orderedProviders(opts.registry);
+	const listed = await Promise.all(providers.map(async (provider) => {
+		try {
+			return {
+				provider,
+				remotes: await provider.listRemote(ctx),
+				error: null
+			};
+		} catch (err) {
+			return {
+				provider,
+				remotes: [],
+				error: {
+					code: "pull",
+					message: `${provider.kind}: ${err instanceof Error ? err.message : String(err)}`
+				}
+			};
+		}
+	}));
+	for (const { provider, remotes, error } of listed) {
+		if (error) {
+			result.errors.push(error);
+			return result;
+		}
+		for (const r of remotes) {
+			const local = localById.get(`${provider.kind}/${r.id}`);
+			if (local) {
+				matchedLocal.add(local);
+				const summary = await reconcileExisting({
+					provider,
+					local,
+					remote: r,
+					ctx,
+					isDirty,
+					force: opts.force ?? false,
+					editsByFile
+				});
+				result.pulled.push(summary);
+			} else {
+				const summary = discoverNew({
+					provider,
+					remote: r,
+					ctx,
+					project: opts.project,
+					localByAddress,
+					dryRun
+				});
+				if (summary.action === "discovered") {
+					byId.set(`${provider.kind}/${r.id}`, summary.name);
+					localByAddress.set(summary.address, {
+						kind: provider.kind,
+						metadata: {
+							name: summary.name,
+							id: r.id
+						},
+						spec: {},
+						rawSpec: {},
+						source: { file: summary.file },
+						docIndex: 0,
+						document: void 0
+					});
+				}
+				result.pulled.push(summary);
+			}
+		}
+	}
+	if (!dryRun) {
+		for (const [file, edits] of editsByFile) if (edits.length > 0) rewriteYamlFile(file, edits);
+	}
+	for (const r of load.index.all) {
+		if (matchedLocal.has(r)) continue;
+		const base = {
+			address: address(r.kind, r.metadata.name),
+			kind: r.kind,
+			name: r.metadata.name,
+			file: r.source.file
+		};
+		if (!r.metadata.id) result.pulled.push({
+			...base,
+			action: "skipped-no-id"
+		});
+		else result.pulled.push({
+			...base,
+			id: r.metadata.id,
+			action: "skipped-not-found"
+		});
+	}
+	return result;
+}
+async function reconcileExisting(args) {
+	const { provider, local, remote, ctx, isDirty, force, editsByFile } = args;
+	const file = local.source.file;
+	const base = {
+		address: address(provider.kind, local.metadata.name),
+		kind: provider.kind,
+		name: local.metadata.name,
+		id: remote.id,
+		file
+	};
+	if (!force && isDirty(file)) return {
+		...base,
+		action: "skipped-dirty"
+	};
+	const remoteSpec = provider.inflateRemote(remote.remote, ctx);
+	const writeSpec = mergeForPull(local.rawSpec, remoteSpec, provider);
+	if (deepEqual(local.rawSpec, writeSpec)) return {
+		...base,
+		action: "unchanged"
+	};
+	const edits = editsByFile.get(file) ?? [];
+	edits.push({
+		docIndex: local.docIndex,
+		mutate: (doc) => doc.setIn(["spec"], writeSpec)
+	});
+	editsByFile.set(file, edits);
+	return {
+		...base,
+		action: "pulled"
+	};
+}
+function discoverNew(args) {
+	const { provider, remote, ctx, project, localByAddress, dryRun } = args;
+	const root = projectRoot(project);
+	const folder = `${provider.kind.toLowerCase()}s`;
+	const name = dedupeName(provider.deriveName(remote.remote), provider.kind, localByAddress);
+	const addr = address(provider.kind, name);
+	const file = path.join(root, folder, `${name}.yaml`);
+	const spec = stripSensitivePaths(provider.inflateRemote(remote.remote, ctx), provider.sensitivePaths);
+	const yaml = renderResourceYaml({
+		kind: provider.kind,
+		name,
+		id: remote.id,
+		spec
+	});
+	if (!dryRun) {
+		fs.mkdirSync(path.dirname(file), { recursive: true });
+		fs.writeFileSync(file, yaml, { flag: "wx" });
+	}
+	return {
+		address: addr,
+		kind: provider.kind,
+		name,
+		id: remote.id,
+		file,
+		action: "discovered"
+	};
+}
+/**
+* Topologically order providers so a kind that depends on another kind is
+* processed after it.
+*/
+function orderedProviders(registry) {
+	const all = [];
+	for (const k of registry.kinds()) {
+		const p = registry.get(k);
+		if (p) all.push(p);
+	}
+	const ordered = [];
+	const placed = /* @__PURE__ */ new Set();
+	while (ordered.length < all.length) {
+		const before = ordered.length;
+		for (const p of all) {
+			if (placed.has(p.kind)) continue;
+			if (p.dependsOn.filter((d) => all.some((q) => q.kind === d)).every((d) => placed.has(d))) {
+				ordered.push(p);
+				placed.add(p.kind);
+			}
+		}
+		if (ordered.length === before) {
+			for (const p of all) if (!placed.has(p.kind)) ordered.push(p);
+			break;
+		}
+	}
+	return ordered;
+}
+function dedupeName(base, kind, taken) {
+	if (!taken.has(address(kind, base))) return base;
+	let i = 2;
+	while (taken.has(address(kind, `${base}-${i}`))) i++;
+	return `${base}-${i}`;
+}
+function renderResourceYaml(args) {
+	const lines = [
+		"apiVersion: revos/v1",
+		`kind: ${args.kind}`,
+		"metadata:",
+		`  name: ${args.name}`,
+		`  id: ${args.id}`,
+		"spec:"
+	];
+	const specYaml = stringifySpec(args.spec, 1);
+	return lines.join("\n") + "\n" + specYaml + "\n";
+}
+function defaultIsDirty(filePath) {
+	try {
+		const dir = path.dirname(filePath);
+		return execFileSync("git", [
+			"status",
+			"--porcelain",
+			"--",
+			filePath
+		], {
+			cwd: dir,
+			encoding: "utf-8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).trim().length > 0;
+	} catch {
+		return false;
+	}
+}
+function deepEqual(a, b) {
+	if (a === b) return true;
+	if (typeof a !== typeof b) return false;
+	if (a === null || b === null) return a === b;
+	if (Array.isArray(a)) {
+		if (!Array.isArray(b) || a.length !== b.length) return false;
+		return a.every((v, i) => deepEqual(v, b[i]));
+	}
+	if (typeof a === "object" && typeof b === "object") {
+		const ao = a;
+		const bo = b;
+		const keys = Object.keys(ao);
+		if (keys.length !== Object.keys(bo).length) return false;
+		return keys.every((k) => k in bo && deepEqual(ao[k], bo[k]));
+	}
+	return false;
+}
+function stripSensitivePaths(spec, sensitivePaths) {
+	const cloned = JSON.parse(JSON.stringify(spec ?? null));
+	for (const dotted of sensitivePaths) deleteIn(cloned, dotted.split("."));
+	return cloned;
+}
+/**
+* Build the spec we will write back to disk. Start from the inflated
+* remote, then merge in local values for the provider's `localOnlyPaths`
+* (refs the server doesn't echo back) and `sensitivePaths` (server-redacted
+* fields where the local file is the source of truth). For both lists,
+* absence in local also wins — i.e. we delete the path from the merged
+* spec rather than keep the server's redacted placeholder.
+*/
+function mergeForPull(localSpec, remoteSpec, provider) {
+	const merged = JSON.parse(JSON.stringify(remoteSpec ?? null));
+	const paths = [...provider.localOnlyPaths, ...provider.sensitivePaths];
+	for (const dotted of paths) {
+		const segs = dotted.split(".");
+		if (hasIn(localSpec, segs)) setIn(merged, segs, getIn(localSpec, segs));
+		else deleteIn(merged, segs);
+	}
+	return merged;
+}
+function hasIn(obj, path) {
+	let cur = obj;
+	for (const seg of path) {
+		if (typeof cur !== "object" || cur === null || !(seg in cur)) return false;
+		cur = cur[seg];
+	}
+	return true;
+}
+function getIn(obj, path) {
+	let cur = obj;
+	for (const seg of path) {
+		if (typeof cur !== "object" || cur === null) return void 0;
+		cur = cur[seg];
+	}
+	return cur;
+}
+function setIn(obj, path, value) {
+	let cur = obj;
+	for (let i = 0; i < path.length - 1; i++) {
+		const seg = path[i];
+		const next = cur[seg];
+		if (typeof next !== "object" || next === null) cur[seg] = {};
+		cur = cur[seg];
+	}
+	cur[path[path.length - 1]] = value;
+}
+function deleteIn(obj, path) {
+	let cur = obj;
+	for (let i = 0; i < path.length - 1; i++) {
+		const seg = path[i];
+		const next = cur[seg];
+		if (typeof next !== "object" || next === null) return;
+		cur = next;
+	}
+	delete cur[path[path.length - 1]];
+}
+//#endregion
+//#region src/core/iac/status.ts
+/**
+* Phase 1: state is local-only. Resources without `metadata.id` are `pending`;
+* resources whose metadata failed validation are `tampered` and surface from
+* the loader's error list. Phase 3+ will add `ok` and `drifted` once the apply
+* + diff paths exist.
+*/
+function resourceState(r) {
+	if (!r.metadata.id) return "pending";
+	return "ok";
+}
+function describeResources(load) {
+	const out = [];
+	const tamperedAddrs = new Set(load.errors.filter((e) => e.code === "tampered" && e.source).map((e) => e.message.split(":")[0]));
+	for (const r of load.index.all) {
+		const addr = address(r.kind, r.metadata.name);
+		out.push({
+			address: addr,
+			kind: r.kind,
+			name: r.metadata.name,
+			id: r.metadata.id,
+			state: tamperedAddrs.has(addr) ? "tampered" : resourceState(r),
+			source: {
+				file: r.source.file,
+				line: r.source.line
+			}
+		});
+	}
+	return out.sort((a, b) => a.address.localeCompare(b.address));
+}
+//#endregion
+//#region src/core/iac/index.ts
+var iac_exports = /* @__PURE__ */ __exportAll({
+	API_VERSION: () => API_VERSION,
+	IacAggregateError: () => IacAggregateError,
+	PROJECT_FILE: () => PROJECT_FILE,
+	PROJECT_KIND: () => PROJECT_KIND,
+	ProjectNotFoundError: () => ProjectNotFoundError,
+	ProviderRegistry: () => ProviderRegistry,
+	address: () => address,
+	apply: () => apply,
+	applyDocumentEdits: () => applyDocumentEdits,
+	asResourceDoc: () => asResourceDoc,
+	buildDependencyGraph: () => buildDependencyGraph,
+	buildIacRegistry: () => buildIacRegistry,
+	buildIndex: () => buildIndex,
+	connectionSpecSchema: () => connectionSpecSchema,
+	createConnectionProvider: () => createConnectionProvider,
+	createCubeProvider: () => createCubeProvider,
+	createSdkConnectionsClient: () => createSdkConnectionsClient,
+	createSdkCubesClient: () => createSdkCubesClient,
+	cubeSpecSchema: () => cubeSpecSchema,
+	describeResources: () => describeResources,
+	diffSpecs: () => diffSpecs,
+	discoverProject: () => discoverProject,
+	formatDiffLine: () => formatDiffLine,
+	interpolateSpec: () => interpolateSpec,
+	isResourceDocument: () => isResourceDocument,
+	isValidName: () => isValidName,
+	loadResources: () => loadResources,
+	locationFromOffset: () => locationFromOffset,
+	parseFile: () => parseFile,
+	parseFiles: () => parseFiles,
+	projectRoot: () => projectRoot,
+	pull: () => pull,
+	readResourceShape: () => readResourceShape,
+	resourceState: () => resourceState,
+	rewriteYamlFile: () => rewriteYamlFile,
+	scanYamlFiles: () => scanYamlFiles,
+	setMetadataId: () => setMetadataId,
+	validateAll: () => validateAll,
+	validateResource: () => validateResource,
+	writeProjectFile: () => writeProjectFile
+});
+//#endregion
+//#region src/core/services/org-selector.ts
+async function selectOrganization(organizations) {
+	const answer = await search({
+		message: "Select an organization",
+		source: (input) => {
+			const term = (input ?? "").toLowerCase();
+			return organizations.filter((org) => org.name.toLowerCase().includes(term)).map((org) => ({
+				name: org.name,
+				value: org.id
+			}));
+		}
+	});
+	const selected = organizations.find((o) => o.id === answer);
+	if (!selected) throw new Error("Organization not found");
+	return selected;
+}
+//#endregion
+//#region src/core/services/init.service.ts
+var InitService = class InitService {
+	static PROJECT_DIRS = [
+		".devcontainer",
+		".claude/skills/explore-lakehouse",
+		".claude/skills/create-connections",
+		".claude/skills/create-connections/references",
+		".claude/skills/create-cubes",
+		".claude/skills/create-cubes/references",
+		".claude/skills/create-dbt-transformations",
+		".claude/skills/create-dbt-transformations/references",
+		".claude/skills/load-sample-data",
+		".claude/skills/visualize-semantic-model",
+		".claude/skills/visualize-semantic-model/scripts",
+		"dbt/models/bronze",
+		"dbt/models/silver",
+		"dbt/models/gold",
+		"cubes"
+	];
+	static PROJECT_FILES = [
+		"revos.yaml",
+		".devcontainer/devcontainer.json",
+		".devcontainer/Dockerfile",
+		".devcontainer/setup.sh",
+		".gitignore",
+		"README.md",
+		"dbt/profiles.yml",
+		"dbt/dbt_project.yml",
+		"CLAUDE.md",
+		"AGENTS.md",
+		".claude/settings.json",
+		".claude/skills/explore-lakehouse/SKILL.md",
+		".claude/skills/create-connections/SKILL.md",
+		".claude/skills/create-connections/references/mappers.md",
+		".claude/skills/create-cubes/SKILL.md",
+		".claude/skills/create-cubes/references/cube-examples.md",
+		".claude/skills/create-cubes/references/key-patterns.md",
+		".claude/skills/create-cubes/references/validation-queries.md",
+		".claude/skills/create-cubes/references/hubspot-entities.md",
+		".claude/skills/create-cubes/references/jira-entities.md",
+		".claude/skills/create-cubes/references/stripe-entities.md",
+		".claude/skills/create-cubes/references/netsuite-entities.md",
+		".claude/skills/create-cubes/references/bq-pk-fk-conventions.md",
+		".claude/skills/create-dbt-transformations/SKILL.md",
+		".claude/skills/create-dbt-transformations/references/sql-templates.md",
+		".claude/skills/create-dbt-transformations/references/schema-conventions.md",
+		".claude/skills/create-dbt-transformations/references/edge-cases.md",
+		".claude/skills/load-sample-data/SKILL.md",
+		".claude/skills/visualize-semantic-model/SKILL.md",
+		".claude/skills/visualize-semantic-model/scripts/render_graph.py",
+		"dbt/models/bronze/.gitkeep",
+		"dbt/models/silver/.gitkeep",
+		"dbt/models/gold/.gitkeep",
+		"cubes/.gitkeep"
+	];
+	constructor(templatesDir) {
+		this.templatesDir = templatesDir;
+	}
+	async run(options) {
+		const { projectDir, apiUrl, token, organizationId } = options;
+		const org = options.organization ?? await this.resolveOrganization(apiUrl, token, organizationId);
+		const projectName = org.name;
+		const projectSlug = projectName.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+		const gcpProjectId = await this.downloadGcpKey(apiUrl, token, org, projectSlug);
+		const resolvedOrg = {
+			...org,
+			bqProjectId: org.bqProjectId || gcpProjectId,
+			bqLocation: org.bqLocation || "europe-west3"
+		};
+		return {
+			projectDir,
+			organization: resolvedOrg,
+			createdFiles: this.scaffold(projectDir, projectName, projectSlug, resolvedOrg, options.allowExistingDir),
+			pulledIac: options.pullIac === false ? {
+				pulled: [],
+				errors: []
+			} : await this.pullIacResources({
+				projectDir,
+				apiUrl,
+				token,
+				orgId: org.id
+			})
+		};
+	}
+	/**
+	* Discover all IaC resources (Connections, Cubes) currently in the org
+	* and write them as YAML under `<projectDir>/<kind>s/`. Best-effort: any
+	* error is captured in the returned result rather than aborting init,
+	* since the project scaffolding has already succeeded.
+	*/
+	async pullIacResources(args) {
+		const project = discoverProject({ cwd: args.projectDir });
+		const registry = buildIacRegistry(createApiClient({
+			apiUrl: args.apiUrl,
+			token: args.token,
+			organizationId: args.orgId
+		}));
+		try {
+			return await pull({
+				project,
+				registry
+			});
+		} catch (err) {
+			return {
+				pulled: [],
+				errors: [{
+					code: "init.pull",
+					message: formatError(err)
+				}]
+			};
+		}
+	}
+	async resolveOrganization(apiUrl, token, organizationId) {
+		const api = createApiClient({
+			apiUrl,
+			token
+		});
+		if (organizationId) {
+			const full = unwrap(await api.organizations.get({ id: organizationId }));
+			if (!full.bqDataset) throw new Error("Organization is missing BigQuery dataset configuration. Contact support.");
+			return full;
+		}
+		const orgs = unwrap(await api.organizations.list()) ?? [];
+		if (orgs.length === 0) throw new Error("No organizations found for this account.");
+		const selected = orgs.length === 1 ? orgs[0] : await selectOrganization(orgs);
+		const full = unwrap(await api.organizations.get({ id: selected.id }));
+		if (!full.bqDataset) throw new Error("Organization is missing BigQuery dataset configuration. Contact support.");
+		return full;
+	}
+	async downloadGcpKey(apiUrl, token, org, projectSlug) {
+		const api = createApiClient({
+			apiUrl,
+			token,
+			organizationId: org.id
+		});
+		const keyId = unwrap(await api.gserviceAccounts.create({ body: { name: projectSlug } }))?.gServiceAccountKeys?.[0]?.id;
+		if (!keyId) throw new Error("Service account has no keys");
+		const keyJson = unwrap(await api.gserviceAccountKeys.reveal({ id: keyId }))?.key;
+		if (!keyJson) throw new Error("Service account key is empty");
+		const gcpKeyPath = path.join(os.homedir(), ".revos", `${projectSlug}-gsa-creds.json`);
+		fs.mkdirSync(path.dirname(gcpKeyPath), { recursive: true });
+		fs.writeFileSync(gcpKeyPath, keyJson, process.platform !== "win32" ? {
+			encoding: "utf-8",
+			mode: 384
+		} : { encoding: "utf-8" });
+		return JSON.parse(keyJson).project_id ?? "";
+	}
+	dryRun(projectDir) {
+		return {
+			projectDir,
+			dirs: InitService.PROJECT_DIRS,
+			files: InitService.PROJECT_FILES
+		};
+	}
+	scaffold(projectDir, projectName, projectSlug, org, allowExistingDir) {
+		if (fs.existsSync(projectDir) && !allowExistingDir) throw new Error(`Directory "${projectName}" already exists. Remove it or choose a different name.`);
+		const created = [];
+		const dirs = InitService.PROJECT_DIRS;
+		for (const dir of dirs) fs.mkdirSync(path.join(projectDir, dir), { recursive: true });
+		const dbtName = projectName.replace(/[^a-zA-Z0-9_]/g, "_");
+		const files = {
+			"revos.yaml": this.renderProjectMarker(projectSlug, org.id),
+			".devcontainer/devcontainer.json": this.renderTemplate(".devcontainer/devcontainer.json", {
+				projectName,
+				projectSlug,
+				bqProjectId: org.bqProjectId || "",
+				bqDataset: org.bqDataset,
+				organizationId: org.id
+			}),
+			".devcontainer/Dockerfile": this.renderTemplate(".devcontainer/Dockerfile", {}),
+			".devcontainer/setup.sh": this.renderTemplate(".devcontainer/setup.sh", {}),
+			".gitignore": this.renderTemplate("gitignore", {}),
+			"README.md": this.renderTemplate("README.md", {
+				projectName,
+				orgName: org.name
+			}),
+			"dbt/profiles.yml": this.renderTemplate("dbt/profiles.yml", { bqLocation: org.bqLocation ?? "europe-west3" }),
+			"dbt/dbt_project.yml": this.renderTemplate("dbt/dbt_project.yml", { dbtName }),
+			"CLAUDE.md": this.renderTemplate("CLAUDE.md", {}),
+			"AGENTS.md": this.renderTemplate("AGENTS.md", {
+				projectName,
+				orgName: org.name
+			}),
+			".claude/settings.json": this.renderTemplate(".claude/settings.json", {}),
+			".claude/skills/explore-lakehouse/SKILL.md": this.renderTemplate("skills/explore-lakehouse/SKILL.md", {
+				bqProjectId: org.bqProjectId || "",
+				bqDataset: org.bqDataset
+			}),
+			".claude/skills/create-connections/SKILL.md": this.renderTemplate("skills/create-connections/SKILL.md", {}),
+			".claude/skills/create-connections/references/mappers.md": this.renderTemplate("skills/create-connections/references/mappers.md", {}),
+			".claude/skills/create-cubes/SKILL.md": this.renderTemplate("skills/create-cubes/SKILL.md", {}),
+			".claude/skills/create-cubes/references/cube-examples.md": this.renderTemplate("skills/create-cubes/references/cube-examples.md", {}),
+			".claude/skills/create-cubes/references/key-patterns.md": this.renderTemplate("skills/create-cubes/references/key-patterns.md", {}),
+			".claude/skills/create-cubes/references/validation-queries.md": this.renderTemplate("skills/create-cubes/references/validation-queries.md", {}),
+			".claude/skills/create-cubes/references/hubspot-entities.md": this.renderTemplate("skills/create-cubes/references/hubspot-entities.md", {}),
+			".claude/skills/create-cubes/references/jira-entities.md": this.renderTemplate("skills/create-cubes/references/jira-entities.md", {}),
+			".claude/skills/create-cubes/references/stripe-entities.md": this.renderTemplate("skills/create-cubes/references/stripe-entities.md", {}),
+			".claude/skills/create-cubes/references/netsuite-entities.md": this.renderTemplate("skills/create-cubes/references/netsuite-entities.md", {}),
+			".claude/skills/create-cubes/references/bq-pk-fk-conventions.md": this.renderTemplate("skills/create-cubes/references/bq-pk-fk-conventions.md", {}),
+			".claude/skills/create-dbt-transformations/SKILL.md": this.renderTemplate("skills/create-dbt-transformations/SKILL.md", {}),
+			".claude/skills/create-dbt-transformations/references/sql-templates.md": this.renderTemplate("skills/create-dbt-transformations/references/sql-templates.md", {}),
+			".claude/skills/create-dbt-transformations/references/schema-conventions.md": this.renderTemplate("skills/create-dbt-transformations/references/schema-conventions.md", {}),
+			".claude/skills/create-dbt-transformations/references/edge-cases.md": this.renderTemplate("skills/create-dbt-transformations/references/edge-cases.md", {}),
+			".claude/skills/load-sample-data/SKILL.md": this.renderTemplate("skills/load-sample-data/SKILL.md", {}),
+			".claude/skills/visualize-semantic-model/SKILL.md": this.renderTemplate("skills/visualize-semantic-model/SKILL.md", {}),
+			".claude/skills/visualize-semantic-model/scripts/render_graph.py": this.renderTemplate("skills/visualize-semantic-model/scripts/render_graph.py", {}),
+			"dbt/models/bronze/.gitkeep": "",
+			"dbt/models/silver/.gitkeep": "",
+			"dbt/models/gold/.gitkeep": "",
+			"cubes/.gitkeep": ""
+		};
+		for (const [rel, content] of Object.entries(files)) {
+			const full = path.join(projectDir, rel);
+			fs.writeFileSync(full, content, "utf-8");
+			if (rel.endsWith(".sh") && process.platform !== "win32") fs.chmodSync(full, 493);
+			created.push(rel);
+		}
+		return created;
+	}
+	renderProjectMarker(name, orgId) {
+		return [
+			"apiVersion: revos/v1",
+			"kind: Project",
+			"metadata:",
+			`  name: ${name}`,
+			`  orgId: ${orgId}`,
+			""
+		].join("\n");
+	}
+	renderTemplate(relativePath, vars) {
+		const filePath = path.join(this.templatesDir, relativePath);
+		if (!fs.existsSync(filePath)) throw new Error(`Template "${relativePath}" not found — try reinstalling the revos CLI`);
+		let content = fs.readFileSync(filePath, "utf-8");
+		for (const [key, value] of Object.entries(vars)) content = content.replaceAll(`<%=${key}%>`, value);
+		return content;
+	}
+};
+//#endregion
+export { deleteCredentials as A, getActiveAuthConfig as C, setAuthEnv as D, setAuthConfig as E, ApiError as F, isTokenExpired as M, loadCredentials as N, tokenResponseToCredentials as O, saveCredentials as P, generatePKCEChallenge as S, refreshAccessToken as T, DEFAULT_API_URL as _, pull as a, buildAuthorizationUrl as b, loadResources as c, projectRoot as d, createApiClient as f, sanitizeFileName as g, formatError as h, describeResources as i, getCredentialsPath as j, startOAuthServer as k, buildIacRegistry as l, resolveAppUrl as m, selectOrganization as n, apply as o, unwrap as p, iac_exports as r, formatDiffLine as s, InitService as t, discoverProject as u, getConfig as v, getUserInfo as w, exchangeCodeForTokens as x, AUTH_ENVS as y };