@robinmordasiewicz/f5xc-xcsh 6.29.0 → 6.31.0

package/dist/index.js

@@ -44108,9 +44108,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["admin_console_and_ui", {
     name: "admin_console_and_ui",
     displayName: "Admin Console And Ui",
-    description: "Provides management capabilities for static components used in the F5 XC admin console and user interface. Enables operations to deploy, retrieve, update, and list static UI assets within namespace boundaries. Supports configuration of console interface elements, component metadata management, and asset lifecycle operations. Use this domain to manage custom UI components, static resources, and interface configurations that extend or customize the admin console experience.",
-    descriptionShort: "Static UI component and console asset management",
-    descriptionMedium: "Manage static components for the admin console interface. Deploy, retrieve, and list UI assets and configuration elements within namespaces.",
+    description: "Set up static resource definitions that control administrative dashboard appearance. Register named entries using object references, status tracking fields, and view settings. Fetch individual records through dedicated get operations or enumerate available entries with pagination and sorting. Handle request validation through typed error responses and support multiple output codes for success states. Define custom initialization blocks and namespace-scoped boundaries for organization.",
+    descriptionShort: "Manage static UI assets for admin console",
+    descriptionMedium: "Deploy and list dashboard widgets within namespaces. Create named visual resources with initialization parameters and structured configuration data.",
     aliases: ["console-ui", "ui-assets", "static-components"],
     complexity: "simple",
     isPreview: false,
@@ -44122,9 +44122,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["api", {
     name: "api",
     displayName: "Api",
-    description: "Comprehensive API lifecycle management including automatic discovery and cataloging of APIs across your infrastructure, security testing to identify vulnerabilities and validate behavior, credential management for secure API access, and policy-driven API grouping. Define testing policies to continuously validate API security posture, organize APIs into logical groups for governance, and integrate with WAF and network security controls. Supports marking endpoints as non-API traffic and...",
-    descriptionShort: "API discovery, security testing, and credential management",
-    descriptionMedium: "Discover and catalog APIs, test security behavior, manage credentials, and define API groups with testing policies for comprehensive API lifecycle...",
+    description: "Catalog services automatically to maintain an inventory of operations and their characteristics. Organize related resources by function or ownership through logical groupings. Establish verification procedures that confirm authentication requirements and expected response structures. Link definitions with load balancers for traffic routing decisions. Flag non-standard paths for exclusion from automated scanning. Monitor resource status and metadata throughout deployment zones.",
+    descriptionShort: "Discover, catalog, and test service interfaces",
+    descriptionMedium: "Define interface groups and discovery policies. Set up verification rules to check security posture and expected patterns across environments.",
     aliases: ["apisec", "api-discovery"],
     complexity: "advanced",
     isPreview: false,
@@ -44200,9 +44200,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["bigip", {
     name: "bigip",
     displayName: "Bigip",
-    description: "Configure and manage BigIP F5 appliance integration with Distributed Cloud infrastructure. Create and deploy iRule scripts for advanced traffic manipulation, manage data groups for dynamic configuration, configure Access Policy Manager (APM) settings for authentication and access control, and define BigIP virtual servers. Provides metrics collection for APM performance monitoring and enables seamless hybrid deployments combining traditional BigIP infrastructure with cloud-native services...",
-    descriptionShort: "BigIP appliance management, iRules, and data groups",
-    descriptionMedium: "Manage BigIP F5 appliances including iRule script configuration, data groups, APM policies, and virtual server integration with Distributed Cloud.",
+    description: "Define custom rule-based policies governing routing decisions and request handling. Build organized collections for network ranges, string patterns, and key-value entries. Map cloud services to physical appliances through connector setups. Link identity workflows using access modules. Track performance metrics and coordinate synchronization between components.",
+    descriptionShort: "Manage iRules, data groups, and virtual servers",
+    descriptionMedium: "Configure traffic logic scripts and structured list entries. Establish appliance bindings and access module integrations.",
     aliases: ["f5-bigip", "irule", "ltm"],
     complexity: "moderate",
     isPreview: false,
@@ -44214,9 +44214,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["billing_and_usage", {
     name: "billing_and_usage",
     displayName: "Billing And Usage",
-    description: "Comprehensive billing and usage management for F5 XC tenants. Handle subscription plan transitions between tiers, configure primary and secondary payment methods, and download invoice PDFs. Monitor resource quota limits and current usage across namespaces. Supports custom invoice listing, quota configuration per namespace, and contact management for billing communications. Essential for financial operations, capacity planning, and subscription lifecycle management.",
-    descriptionShort: "Subscription billing, payment methods, and usage tracking",
-    descriptionMedium: "Manage subscription plans, payment methods, invoices, and resource quotas. Track usage limits and billing transitions across namespaces.",
+    description: "Set up payment methods with primary and secondary designations for redundancy. Initiate plan transitions between subscription tiers with state tracking. Download invoice PDFs and query custom invoice lists by date range or status. Define quota limits per namespace and monitor current usage against allocated capacity. Swap payment method roles without service interruption.",
+    descriptionShort: "Manage subscription plans and payment methods",
+    descriptionMedium: "Configure billing transitions and payment processing. Track invoices and monitor resource quota consumption across namespaces.",
     aliases: ["billing-usage", "quotas", "usage-tracking"],
     complexity: "moderate",
     isPreview: false,
@@ -44228,9 +44228,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["blindfold", {
     name: "blindfold",
     displayName: "Blindfold",
-    description: "Configure and manage cryptographic secret protection with policy-based access controls. Create secret policies and policy rules that govern how sensitive data is encrypted, shared, and accessed across namespaces. Retrieve public keys for encryption operations, process policy information for secret sharing workflows, and decrypt secrets with proper authorization. Monitor secret access through comprehensive audit logs with aggregation and scrolling capabilities. Enforce data protection...",
-    descriptionShort: "Secret encryption and policy-based data protection",
-    descriptionMedium: "Manage encryption keys, secret policies, and sensitive data protection. Configure policy rules for secure secret sharing with audit logging.",
+    description: "Define policy rules with label matching and combining algorithms. Set up transformers and matchers to control data safeguarding. Track access patterns through timestamped records with scroll queries and date groupings. Retrieve public keys for cryptographic operations and process policy information for decryption workflows.",
+    descriptionShort: "Manage secret encryption and policy rules",
+    descriptionMedium: "Configure protection policies and access controls for sensitive data. Monitor usage through detailed logs and date-based rollups.",
     aliases: ["bf", "encrypt", "secrets"],
     complexity: "moderate",
     isPreview: false,
@@ -44242,9 +44242,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["bot_and_threat_defense", {
     name: "bot_and_threat_defense",
     displayName: "Bot And Threat Defense",
-    description: "Manage comprehensive bot and threat defense capabilities including Shape bot defense instance configuration, threat protection manager (TPM) categories for threat classification, and API key provisioning for automated defense systems. Create and manage TPM categories to organize threats by type, configure bot defense instances per namespace, and handle TPM manager lifecycle operations. Supports preauthorization and provisioning workflows for integrating threat intelligence services with...",
-    descriptionShort: "Bot detection, threat categorization, and defense management",
-    descriptionMedium: "Configure bot defense instances, manage threat categories, and provision TPM API keys for automated threat detection and mitigation.",
+    description: "Deploy Shape bot defense instances with namespace-scoped configuration for automated threat detection. Create TPM categories to classify and organize threat types across your security infrastructure. Generate and manage provisioning keys for programmatic access to defense systems. Set up threat managers to coordinate detection rules, integrate with WAF policies, and enable real-time protection against malicious traffic patterns.",
+    descriptionShort: "Configure bot protection and threat categories",
+    descriptionMedium: "Manage bot defense instances and threat classification per namespace. Provision automated defense keys for security integration.",
     aliases: ["threat-defense", "tpm", "shape-bot"],
     complexity: "moderate",
     isPreview: false,
@@ -44256,9 +44256,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["cdn", {
     name: "cdn",
     displayName: "Cdn",
-    description: "Create cache rules using path matchers, cookie matching, header conditions, and query parameter filters. Configure TTL settings and cache eligibility options for fine-grained control over cached content. Deploy load balancers with access logging, metrics collection, and cache purge capabilities. Manage subscription services and monitor service operation status for active deployments.",
-    descriptionShort: "Configure content delivery and caching rules",
-    descriptionMedium: "Set up cache rules with path matching and TTL controls. Define load balancers for optimized content distribution across edge locations.",
+    description: "Create cache rules with cookie, header, and query parameter matching to control content eligibility. Configure load balancers with origin pool routing, access logging, and metrics collection. Manage cache purge operations for immediate content invalidation. Monitor service operation status and aggregate access logs for performance analysis. Define path matchers and expressions for granular cache behavior control across namespaces.",
+    descriptionShort: "Configure caching rules and load balancers",
+    descriptionMedium: "Define cache TTL policies and path matching rules. Set up load balancers with origin pools and purge controls for content delivery.",
     aliases: ["cache", "content"],
     complexity: "advanced",
     isPreview: false,
@@ -44270,9 +44270,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["ce_management", {
     name: "ce_management",
     displayName: "Ce Management",
-    description: "Configure and manage Customer Edge (CE) site infrastructure across distributed deployments. Define network interfaces with DHCP, IPv6, and dedicated management settings. Organize sites into fleets for coordinated management. Handle site registration workflows including token-based registration, image downloads, and suggested configuration values. Monitor and execute site upgrades with pre-upgrade checks and status tracking. Supports both dedicated and Ethernet interface types with...",
-    descriptionShort: "Customer Edge site lifecycle and network configuration",
-    descriptionMedium: "Manage Customer Edge sites including network interfaces, fleet configurations, site upgrades, and registration workflows for distributed deployments.",
+    description: "Define network connectivity parameters including address allocation ranges, dual-stack protocol support, and isolated administrative ports for out-of-band access. Group physical locations under common policy templates for streamlined oversight. Onboard new deployments through secure credential workflows with expiration policies. Execute controlled software transitions featuring pre-flight validation, rollback capabilities, and progress tracking to maintain service continuity.",
+    descriptionShort: "Manage Customer Edge sites and network interfaces",
+    descriptionMedium: "Configure DHCP pools, IPv6 addressing, and dedicated management ports. Handle site tokens with lifecycle controls and software version transitions.",
     aliases: ["ce-mgmt", "edge-management", "ce-lifecycle"],
     complexity: "advanced",
     isPreview: false,
@@ -44284,9 +44284,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["certificates", {
     name: "certificates",
     displayName: "Certificates",
-    description: "Comprehensive certificate lifecycle management for securing application communications. Configure SSL/TLS certificates and certificate chains for endpoints, manage trusted Certificate Authority (CA) lists for client verification, and maintain Certificate Revocation Lists (CRLs) to invalidate compromised certificates. Supports certificate manifests for organized deployment across namespaces, enabling mTLS authentication, HTTPS termination, and secure service-to-service communication patterns.",
-    descriptionShort: "SSL/TLS certificate and trusted CA management",
-    descriptionMedium: "Manage SSL/TLS certificates, certificate chains, trusted CA lists, and certificate revocation lists for secure communications.",
+    description: "Create PKI artifacts organizing cryptographic identity materials by namespace for multi-tenant isolation. Deploy keypair bundles with issuer hierarchies for TLS termination. Establish verification anchor collections governing which external parties can authenticate. Maintain deny-lists blocking compromised identities from initiating sessions. Organize resources within independent security boundaries supporting granular access control.",
+    descriptionShort: "Manage SSL/TLS certificate chains and trusted CAs",
+    descriptionMedium: "Configure certificate manifests linking keys to credential bundles. Define trust anchors for validating client authenticity during mutual TLS.",
     aliases: ["cert", "certs", "ssl", "tls"],
     complexity: "moderate",
     isPreview: false,
@@ -44298,9 +44298,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["cloud_infrastructure", {
     name: "cloud_infrastructure",
     displayName: "Cloud Infrastructure",
-    description: "Establish and manage connectivity to major cloud providers including AWS, Azure, and GCP. Configure cloud credentials and authentication for secure provider access. Create and manage VPC attachments, transit gateways, and route tables for cross-cloud networking. Support elastic provisioning with automatic resource discovery and reapplication workflows. Monitor cloud connection metrics and segment performance. Integrate with Customer Edge sites for hybrid cloud deployments across multiple...",
-    descriptionShort: "Multi-cloud provider connectivity and credential management",
-    descriptionMedium: "Connect to AWS, Azure, and GCP cloud providers. Manage cloud credentials, VPC attachments, transit gateways, and cross-cloud networking with...",
+    description: "Establish connections to AWS, Azure, and GCP environments with secure authentication and network discovery. Define gateway links, edge site peering, and elastic provisioning workflows. Monitor segment performance and connection health across geographic regions. Create automated VPC attachment policies with intelligent path selection between customer locations and cloud workloads.",
+    descriptionShort: "Connect and manage multi-cloud providers",
+    descriptionMedium: "Configure cloud provider credentials and VPC attachments. Manage AWS transit gateways, Azure route tables, and cross-cloud connectivity.",
     aliases: ["cloud", "infra", "provider"],
     complexity: "moderate",
     isPreview: false,
@@ -44312,9 +44312,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["container_services", {
     name: "container_services",
     displayName: "Container Services",
-    description: "Container Services (XCCS) enables deployment and management of containerized applications across distributed edge sites without requiring full Kubernetes complexity. Create virtual Kubernetes clusters for isolated multi-tenant environments, define workload flavors for resource allocation, and deploy container workloads with simplified orchestration. Monitor workload usage and PVC metrics, manage namespace isolation, and integrate with site infrastructure for edge-native container...",
-    descriptionShort: "Edge container workloads and virtual Kubernetes management",
-    descriptionMedium: "Deploy and manage containerized workloads at the edge with simplified orchestration. Configure virtual Kubernetes clusters, workload flavors, and...",
+    description: "Create definitions for applications running on distributed infrastructure. Establish standardized templates controlling resource consumption and disk limits. Set up partitioned execution contexts supporting namespace separation and multi-tenant isolation. Track persistent volume claims and usage metrics. Connect with mesh networking for traffic routing.",
+    descriptionShort: "Deploy containerized workloads across sites",
+    descriptionMedium: "Run services with simplified orchestration. Define blueprints governing processor and storage allocation.",
     aliases: ["vk8s", "containers", "workloads"],
     complexity: "moderate",
     isPreview: false,
@@ -44326,9 +44326,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["data_and_privacy_security", {
     name: "data_and_privacy_security",
     displayName: "Data And Privacy Security",
-    description: "Manage comprehensive data privacy and security controls including sensitive data detection policies, custom data type definitions, and log management analytics (LMA) region configurations. Define patterns for identifying PII, financial data, and other sensitive information with configurable actions for masking, alerting, or blocking. Configure LMA regions with Elasticsearch, Kafka, or ClickHouse backends for centralized security logging and compliance auditing. Integrate geo-configurations...",
-    descriptionShort: "Sensitive data detection, classification, and privacy...",
-    descriptionMedium: "Configure data types, sensitive data policies, and LMA regions for detecting, classifying, and protecting personally identifiable information and...",
+    description: "Set up sensitive data policies that identify and protect personally identifiable information across traffic flows. Create custom data type definitions matching organizational privacy standards and industry regulations. Configure LMA region parameters including Clickhouse, Elastic, and Kafka integrations. Deploy geo-configurations enforcing data residency rules and regional compliance mandates. Monitor detection status through condition tracking and secret management with blindfold encryption.",
+    descriptionShort: "Configure sensitive data detection and privacy policies",
+    descriptionMedium: "Define custom data types for PII classification. Manage LMA regions and geo-configurations to meet regulatory compliance requirements.",
     aliases: ["data-privacy", "pii", "sensitive-data", "lma"],
     complexity: "simple",
     isPreview: false,
@@ -44354,9 +44354,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["ddos", {
     name: "ddos",
     displayName: "Ddos",
-    description: "Comprehensive DDoS protection and infrastructure security management. Configure deny list rules to block malicious traffic sources, create firewall rule groups for granular traffic filtering, and manage protection tunnels for secure infrastructure connectivity. The infraprotect APIs enable proactive threat mitigation through customizable security policies, real-time tunnel status monitoring, and namespace-scoped rule management. Integrates with network security and virtual load balancing for...",
-    descriptionShort: "DDoS protection and infrastructure security policies",
-    descriptionMedium: "Configure DDoS protection policies, deny lists, and firewall rules. Monitor infrastructure threats and manage protection tunnels for network security.",
+    description: "Deploy definitions that block IP addresses and network segments from accessing protected resources. Organize by threat type or source classification. Manage secure channels routing suspicious packets for analysis before reaching origin servers. Update status for real-time visibility into active defenses. Add items during attacks and monitor health metrics.",
+    descriptionShort: "Configure blocking policies and tunnel protection",
+    descriptionMedium: "Set up firewall configurations with deny list rules. Filter malicious traffic through inspection points.",
     aliases: ["dos", "ddos-protect"],
     complexity: "advanced",
     isPreview: false,
@@ -44368,9 +44368,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["dns", {
     name: "dns",
     displayName: "Dns",
-    description: "Create and manage authoritative zones with support for standard record types including A, AAAA, CNAME, CAA, CERT, and AFSDB. Import existing configurations through BIND file uploads or zone transfers. Define health check policies that monitor backend availability and automatically adjust record responses. Export zone files for backup or migration. Access request logs and performance metrics to analyze query patterns and troubleshoot resolution issues across namespaces.",
-    descriptionShort: "Manage zones, records, and resolution policies",
-    descriptionMedium: "Configure zone imports from BIND files or AXFR transfers. Set up health checks for load-balanced records and monitor query metrics.",
+    description: "Set up primary and secondary zones with support for A, AAAA, CNAME, CAA, CERT, and AFSDB record types. Define health checks to monitor target availability and enable automatic failover between record destinations. Clone existing domains, import zone configurations from external servers, or export zone files for backup. Track query metrics and request logs to analyze resolution patterns across namespaces.",
+    descriptionShort: "Manage zones, records, and load balancing",
+    descriptionMedium: "Configure authoritative name services with record sets and health checks. Import zones from BIND files or transfer via AXFR protocol.",
     aliases: ["dns-zone", "zones"],
     complexity: "advanced",
     isPreview: false,
@@ -44432,9 +44432,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["generative_ai", {
     name: "generative_ai",
     displayName: "Generative Ai",
-    description: "Generative AI services providing intelligent automation and analysis capabilities. Configure AI assistant policies and submit queries with feedback tracking for continuous improvement. Enable flow anomaly detection powered by machine learning. Manage AI data collection through the BFDP subsystem including feature enablement, token management, and subscription controls. Supports IP allocation for GIA services. Integrates dashboard visualization with customizable displays, filters, and link...",
-    descriptionShort: "AI-powered features, assistants, and data collection",
-    descriptionMedium: "Access generative AI capabilities including AI assistant queries, flow anomaly detection, and AI data collection with feedback mechanisms.",
+    description: "Set up query evaluation and response handling for intelligent assistant workflows. Manage rating collection with positive and negative outcome tracking. Subscribe to data streams for traffic pattern detection and behavioral analysis. Allocate and deallocate IP resources for ML infrastructure. Control feature enablement and token management for telemetry collection paths.",
+    descriptionShort: "Access AI assistant queries and feedback",
+    descriptionMedium: "Configure machine learning interactions and collect response ratings. Enable flow pattern monitoring through data subscription channels.",
     aliases: ["ai", "genai", "assistant"],
     complexity: "simple",
     isPreview: true,
@@ -44446,9 +44446,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["managed_kubernetes", {
     name: "managed_kubernetes",
     displayName: "Managed Kubernetes",
-    description: "Configure and manage Managed Kubernetes (XCKS) security and access controls. Define cluster roles with fine-grained permissions for API resources and non-resource URLs. Create role bindings to associate users and groups with cluster-wide permissions. Enforce pod security standards through admission controllers with configurable enforcement levels. Manage private container registries for secure image distribution. Integrates with external Kubernetes clusters including EKS, AKS, and GKE for...",
-    descriptionShort: "Kubernetes RBAC, pod security, and container registries",
-    descriptionMedium: "Manage Kubernetes cluster roles, RBAC bindings, pod security admission policies, and container registries for enterprise deployments.",
+    description: "Create granular access controls for namespace resources and non-resource URLs. Map permissions to users, groups, or service accounts through binding configurations. Deploy security admission enforcement using baseline, restricted, or privileged profiles. Register private image sources with credential management for secure pulls. Integrate with external managed solutions including EKS, AKS, and GKE infrastructure.",
+    descriptionShort: "Configure Kubernetes RBAC and pod security policies",
+    descriptionMedium: "Define permission boundaries for workload access. Set up private image repositories with authentication for enterprise deployments.",
     aliases: ["mk8s", "appstack", "k8s-mgmt"],
     complexity: "moderate",
     isPreview: false,
@@ -44460,9 +44460,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["marketplace", {
     name: "marketplace",
     displayName: "Marketplace",
-    description: "Access and manage the marketplace ecosystem including third-party integrations, add-on services, and external connectors. Configure connection types for direct, GRE tunnel, and IPSec connectivity with customizable IKE parameters and DPD keepalive settings. Manage navigation tiles for custom UI extensions, activate and monitor add-on service status across namespaces, and integrate with external platforms like Terraform. Supports TPM policy management and configuration management instances for...",
-    descriptionShort: "Third-party integrations, add-ons, and extensions",
-    descriptionMedium: "Manage marketplace extensions, external connectors, and third-party add-on services. Configure Terraform integrations and TPM policies.",
+    description: "Set up secure tunnel connections using IKEv1/IKEv2 parameters, GRE encapsulation with source and destination addressing, or dedicated link types. Manage DPD keep-alive timers and tunnel termination points for reliable connectivity. Activate purchasable services with namespace-scoped status tracking. Create custom portal widgets for interface integration and configure Cloud Manager instances for Terraform and infrastructure automation workflows.",
+    descriptionShort: "Manage third-party integrations and add-ons",
+    descriptionMedium: "Configure connector tunnels with IPSec, GRE, or direct links. Deploy purchasable services and portal customizations across namespaces.",
     aliases: ["market", "addons", "extensions"],
     complexity: "moderate",
     isPreview: false,
@@ -44474,9 +44474,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["network", {
     name: "network",
     displayName: "Network",
-    description: "Comprehensive network infrastructure management including BGP routing with ASN configuration and peering policies, IPsec tunnel establishment with full IKE phase 1 and phase 2 parameter control, and network connector configuration for hybrid cloud connectivity. Supports SRv6 segment routing, subnet management, DC cluster groups for data center integration, static and dynamic route definitions, and IP prefix set policies. Enables secure site-to-site VPN connections, multi-cloud network...",
-    descriptionShort: "BGP routing, IPsec tunnels, and network connectivity",
-    descriptionMedium: "Configure BGP routing policies, IPsec tunnels with IKE phases, network connectors, SRv6, and IP prefix sets for secure site-to-site connectivity.",
+    description: "Deploy secure site connectivity using IPsec tunnels with customizable IKE phase settings, encryption algorithms, and DH groups. Configure BGP routing with peer state monitoring, ASN management, and traffic policies. Set up SRv6 segments, IP prefix sets, and subnet definitions. Manage DC cluster groups for data center integration and define routes for traffic steering across distributed infrastructure.",
+    descriptionShort: "Configure BGP routing, tunnels, and connectivity",
+    descriptionMedium: "Manage IPsec tunnels and IKE configurations. Define BGP peers, ASN assignments, and routing policies for site-to-site connections.",
     aliases: ["net", "routing", "bgp"],
     complexity: "advanced",
     isPreview: false,
@@ -44488,9 +44488,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["network_security", {
     name: "network_security",
     displayName: "Network Security",
-    description: "Network security controls for protecting traffic at the network layer. Configure network firewalls with stateful inspection and ACL rules. Define NAT policies for address translation, port forwarding, and dynamic pool management. Create network policy sets for segmentation and micro-segmentation between workloads. Implement policy-based routing to direct traffic based on source, destination, or application criteria. Manage segment connections for multi-site network isolation. Configure...",
-    descriptionShort: "Network firewall, NAT, ACL, and policy-based routing",
-    descriptionMedium: "Configure network firewalls, NAT policies, ACLs, and policy-based routing. Manage network segmentation, port forwarding, and forward proxy policies.",
+    description: "Manage firewall configurations with match criteria and action rules. Create NAT policies using dynamic pools and port configurations for address translation. Define segment connections to isolate traffic between network zones. Configure policy-based routing to direct packets based on source, destination, or protocol attributes. Set up forward proxy policies and access control lists to govern outbound connections.",
+    descriptionShort: "Configure firewalls, NAT, and routing policies",
+    descriptionMedium: "Define network firewall rules and NAT policies. Set up policy-based routing with segment connections for traffic control.",
     aliases: ["netsec", "nfw"],
     complexity: "advanced",
     isPreview: false,
@@ -44502,9 +44502,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["nginx_one", {
     name: "nginx_one",
     displayName: "Nginx One",
-    description: "Integrate and manage NGINX One platform capabilities including subscription lifecycle management, NGINX Plus instance provisioning, and server configuration. Configure dataplane servers, manage nginx instances with WAF and API discovery specifications, and enable service discovery integrations. Supports NGINX Configuration Sync Gateway (CSG) configurations for centralized management workflows. Typical operations include subscribing to NGINX One services, retrieving server status and...",
-    descriptionShort: "NGINX One platform integration and instance management",
-    descriptionMedium: "Manage NGINX One platform subscriptions, configure NGINX Plus instances and servers, and integrate service discovery with centralized...",
+    description: "Set up load balancing configurations with backend server definitions and routing logic. Create monitoring schedules for availability tracking across distributed nodes. Build request handling pipelines with rate controls and authentication layers. Track instance performance metrics and traffic patterns. Coordinate failover mechanisms using weighted distribution and priority-based selection.",
+    descriptionShort: "Configure NGINX proxy instances and deployments",
+    descriptionMedium: "Manage upstream server pools and health monitors. Define SSL termination rules and connection parameters for gateway endpoints.",
     aliases: ["nginx", "nms", "nginx-plus"],
     complexity: "simple",
     isPreview: false,
@@ -44516,9 +44516,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["object_storage", {
     name: "object_storage",
     displayName: "Object Storage",
-    description: "Manage versioned object storage for mobile application components and platform integrations. Upload and retrieve mobile app shield configurations, SDK integrations, and custom artifacts organized by namespace and object type. Support for multiple versions of each object enables rollback and version-specific deployments. Presigned URLs provide secure, time-limited access for direct object downloads. Object types include mobile-app-shield for application protection, mobile-integrator for...",
-    descriptionShort: "Object storage for mobile SDK artifacts and integrations",
-    descriptionMedium: "Store and retrieve versioned objects including mobile app shields, SDK integrations, and custom artifacts with presigned URL access.",
+    description: "Deploy binary artifacts and configuration bundles with automatic version tracking and lifecycle policies. Organize content by category including protection signatures, SDK packages, and third-party connector files. Enable time-limited download links for secure distribution without credential exposure. Track revision history for audit trails and support rollback to previous artifact versions when needed.",
+    descriptionShort: "Manage stored objects and bucket versioning",
+    descriptionMedium: "Create versioned content within tenant buckets. Generate secure access URLs for SDK distributions and application protection resources.",
     aliases: ["storage", "s3", "buckets"],
     complexity: "simple",
     isPreview: false,
@@ -44530,9 +44530,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["observability", {
     name: "observability",
     displayName: "Observability",
-    description: "Comprehensive synthetic monitoring and observability capabilities for proactive infrastructure health assessment. Configure DNS monitors to validate resolution across AWS regions, set up HTTP monitors for endpoint availability testing, and track SSL/TLS certificate expiration status. Access real-time health summaries at global and namespace levels, review historical monitoring data, and generate detailed reports for DNS and HTTP monitors. Integrate with dashboards to visualize monitoring...",
-    descriptionShort: "Synthetic monitoring, health checks, and observability...",
-    descriptionMedium: "Configure synthetic monitoring with DNS and HTTP health checks. Track certificate status, monitor global health summaries, and analyze monitoring...",
+    description: "Deploy synthetic monitors to validate DNS resolution and HTTP service health from multiple geographic locations. Define monitoring schedules, response time thresholds, and alerting conditions for proactive issue detection. Access health summaries, historical trends, and detailed reports for certificate status and service availability. Integrate monitoring data with dashboards to visualize health patterns and identify performance degradation before user impact.",
+    descriptionShort: "Configure synthetic monitors and health checks",
+    descriptionMedium: "Set up DNS and HTTP monitoring with alerting thresholds. Track certificate expiration and service availability across regions.",
     aliases: ["obs", "monitoring", "synth"],
     complexity: "advanced",
     isPreview: false,
@@ -44544,9 +44544,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["rate_limiting", {
     name: "rate_limiting",
     displayName: "Rate Limiting",
-    description: "Manage rate limiting policies to protect applications from traffic surges and abuse. Configure rate limiters with customizable thresholds, time periods, and enforcement actions including blocking or throttling. Implement policers using leaky bucket algorithms for smooth traffic shaping. Define protocol-specific policers for granular control over different traffic types. Integrate with virtual hosts and load balancers to enforce rate limits at the edge, preventing resource exhaustion and...",
-    descriptionShort: "Traffic rate limiting, policers, and throttling controls",
-    descriptionMedium: "Configure rate limiters and policers to control traffic flow. Define request thresholds, leaky bucket algorithms, and enforcement actions for API...",
+    description: "Create rate limiter policies with configurable time periods using seconds, minutes, or hours granularity. Deploy policers and protocol policers to enforce bandwidth constraints across namespaces. Define limit values, burst allowances, and blocking behaviors when thresholds trigger. Integrate with load balancers and security policies for layered traffic management and abuse prevention.",
+    descriptionShort: "Configure traffic throttling and policer rules",
+    descriptionMedium: "Define request limits and burst thresholds for traffic control. Set up leaky bucket algorithms and block actions for exceeded quotas.",
     aliases: ["ratelimit", "throttle", "policer"],
     complexity: "simple",
     isPreview: false,
@@ -44558,9 +44558,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["secops_and_incident_response", {
     name: "secops_and_incident_response",
     displayName: "Secops And Incident Response",
-    description: "Security operations and incident response capabilities for detecting and mitigating malicious user activity. Create mitigation policies that define automated responses based on user threat levels, including blocking, challenging, or rate limiting suspicious users. Configure rules that match specific malicious user types and threat severity levels to appropriate mitigation actions. Supports namespace-scoped configurations for managing security policies across different application...",
-    descriptionShort: "Malicious user detection and automated threat mitigation",
-    descriptionMedium: "Configure automated responses to malicious user behavior. Define mitigation rules based on threat levels and apply actions like blocking or rate...",
+    description: "Manage incident response workflows that detect and mitigate malicious users automatically. Create rules matching threat levels to actions like blocking, rate limiting, or alerting. Set up mitigation policies per namespace to isolate security responses. Define thresholds for user behavior analysis and configure graduated responses based on severity. Integrate with bot defense and WAF systems for coordinated protection across application layers.",
+    descriptionShort: "Configure automated threat mitigation rules",
+    descriptionMedium: "Define malicious user detection policies and response actions. Apply blocking or rate limiting based on threat levels.",
     aliases: ["secops", "incident-response", "mitigation"],
     complexity: "simple",
     isPreview: false,
@@ -44572,9 +44572,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["service_mesh", {
     name: "service_mesh",
     displayName: "Service Mesh",
-    description: "Manage service mesh infrastructure including endpoint discovery and intelligent routing between distributed services. Define application types with learned API schemas, security risk classifications, and authentication configurations. Configure NFV (Network Function Virtualization) services with lifecycle management including force-delete operations. Leverage machine learning capabilities for automatic API endpoint detection, schema learning, and traffic pattern analysis. Integrate with...",
-    descriptionShort: "Service mesh connectivity, discovery, and NFV management",
-    descriptionMedium: "Configure service mesh networking with endpoint discovery, application type definitions, API endpoint learning, and NFV service lifecycle management.",
+    description: "Create classifications to organize services and support automatic identification of interconnected components. Set up analysis pipelines to understand patterns and build intelligent routing rules. Define network function virtualization for regional architectures. Configure authentication settings including location, state, and type recognition.",
+    descriptionShort: "Configure application types and discovery",
+    descriptionMedium: "Manage NFV integrations and workload categories. Enable traffic learning across distributed deployments.",
     aliases: ["mesh", "svc-mesh"],
     complexity: "advanced",
     isPreview: false,
@@ -44586,9 +44586,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["shape", {
     name: "shape",
     displayName: "Shape",
-    description: "Shape Security integration for advanced bot defense and threat prevention capabilities. Configure bot infrastructure deployments with policy management, deployment history tracking, and status monitoring. Manage mobile SDK attributes for application shielding and integrator configurations. Subscribe to bot defense add-ons and client-side defense services. Includes SafeAP policy configuration, threat recognition rules, and automated bot mitigation across namespaces with comprehensive...",
-    descriptionShort: "Bot defense and threat prevention with Shape Security",
-    descriptionMedium: "Configure Shape Security policies for bot defense, threat recognition, and mobile SDK protection. Manage bot infrastructure deployments and SafeAP...",
+    description: "Set up bot defense infrastructure across namespaces with deployment tracking and status monitoring. Integrate mobile SDK attributes for app shielding and device recognition. Subscribe to threat intelligence services for real-time protection updates. Define cluster states and location-based policies for distributed bot mitigation. Track deployment history and manage policy configurations through centralized infrastructure objects.",
+    descriptionShort: "Configure bot defense and threat prevention",
+    descriptionMedium: "Deploy bot infrastructure with mobile SDK integration. Manage subscription services and policy enforcement for automated threat protection.",
     aliases: ["shape-sec", "safeap"],
     complexity: "advanced",
     isPreview: false,
@@ -44600,9 +44600,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["sites", {
     name: "sites",
     displayName: "Sites",
-    description: "Comprehensive site infrastructure management for deploying F5 XC across multiple cloud providers and edge locations. Configure AWS Transit Gateway sites with VPN tunnels, VPC IP prefixes, and security settings. Manage virtual sites for logical grouping and policy application. Deploy Secure Mesh sites for networking-focused edge deployments, integrate external Kubernetes clusters as Customer Edge nodes, and configure cloud-specific resources including AWS VPC, Azure VNet, and GCP VPC sites....",
-    descriptionShort: "Multi-cloud site deployment and edge infrastructure",
-    descriptionMedium: "Deploy and manage F5 XC sites across AWS, Azure, and GCP. Configure AWS TGW sites, virtual sites, managed Kubernetes, and Customer Edge integrations.",
+    description: "Create virtual and physical edge deployments spanning multiple providers. Establish AWS Transit Gateway connections and secure tunnel configurations for hybrid connectivity. Integrate external container orchestration systems as customer edge nodes with managed control planes. Define virtual groupings using label selectors to apply consistent policies across distributed infrastructure. Enable secure mesh communication between edge nodes and cloud workloads with automated certificate management.",
+    descriptionShort: "Deploy and manage edge infrastructure",
+    descriptionMedium: "Configure cloud provider resources on AWS, Azure, and GCP. Set up VPC peering, transit gateways, and VPN tunnels for hybrid environments.",
     aliases: ["site", "deployment"],
     complexity: "advanced",
     isPreview: false,
@@ -44666,9 +44666,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["statistics", {
     name: "statistics",
     displayName: "Statistics",
-    description: "Comprehensive operational analytics and monitoring capabilities for distributed cloud infrastructure. Configure alert policies with custom matchers and grouping rules to detect anomalies across namespaces. Manage alert receivers with confirmation, testing, and verification workflows for reliable notification delivery. Access flow statistics, view historical alerts, generate reports and graphs for capacity planning, track service topology and discovery patterns, and monitor real-time status...",
-    descriptionShort: "Flow statistics, alerts, logs, and operational analytics",
-    descriptionMedium: "Access flow statistics and analytics, configure alert policies and receivers, view logs, generate reports and graphs, and monitor site status.",
+    description: "Set up alert policies with custom matchers, label filters, and group-by rules for targeted notifications. Define routing channels via email, webhook, or integration receivers with confirmation and verification workflows. Access flow analytics, historical alert data, and namespace-scoped metrics. Build capacity planning graphs and operational summaries. Observe deployment health and service discovery mapping across distributed environments.",
+    descriptionShort: "Monitor alerts, logs, and flow analytics",
+    descriptionMedium: "Configure alerting policies and notification receivers. Track service topology, build dashboards, and view site health summaries.",
     aliases: ["stats", "metrics", "logs"],
     complexity: "advanced",
     isPreview: false,
@@ -44680,9 +44680,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["support", {
     name: "support",
     displayName: "Support",
-    description: "Manage the complete customer support ticket lifecycle including creation, commenting, priority adjustment, escalation, and closure. Submit specialized requests such as tax exemption verification. Access site-level diagnostic capabilities including TCP dump capture, listing, and management for network troubleshooting. Integrates with operational workflows to enable support teams to gather diagnostic data directly from distributed sites while maintaining ticket-based tracking of all customer...",
-    descriptionShort: "Customer support ticket lifecycle and site diagnostics",
-    descriptionMedium: "Create, track, and manage support tickets with escalation workflows. Includes site diagnostic tools for packet capture and troubleshooting.",
+    description: "Open new cases and assign severity ratings based on business impact. Append notes throughout resolution workflows. Mark items as closed or reinstate them if symptoms recur. Execute diagnostic packet captures on deployed sites for network troubleshooting. Handle tax exemption verification through certificate submission.",
+    descriptionShort: "Create and track customer tickets",
+    descriptionMedium: "Submit requests with file uploads and priority levels. Add comments and escalate critical incidents to engineering teams.",
     aliases: ["tickets", "help-desk"],
     complexity: "moderate",
     isPreview: false,
@@ -44708,9 +44708,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["tenant_and_identity", {
     name: "tenant_and_identity",
     displayName: "Tenant And Identity",
-    description: "Comprehensive user and tenant identity management for F5 Distributed Cloud. Configure user settings including profile images, notification preferences (admin and combined), and view preferences. Manage user sessions with listing and control capabilities. Handle OTP (one-time password) administration including admin resets. Support identity management (IDM) enable/disable operations. Process initial access requests for new users. Manage customer support ticket attachments and interactions for...",
-    descriptionShort: "User settings, notifications, sessions, and identity...",
-    descriptionMedium: "Manage user profiles, notification preferences, session controls, OTP settings, and customer support interactions. Configure identity management...",
+    description: "Set up granular alert routing for administrative and combined channels with personalized delivery options. Control active login sessions and enforce one-time password resets for security compliance. Define display layouts and avatar images for customized user experiences. Process onboarding access submissions and toggle account management features. Coordinate support ticket attachments and client relationship interactions across managed tenant hierarchies.",
+    descriptionShort: "Manage user profiles and session controls",
+    descriptionMedium: "Configure OTP resets and admin alert channels. Handle view settings and profile customization for platform participants.",
     aliases: ["tenant-identity", "idm", "user-settings"],
     complexity: "advanced",
     isPreview: false,
@@ -44736,9 +44736,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["users", {
     name: "users",
     displayName: "Users",
-    description: "Comprehensive user and identity management for the F5 XC platform. Create and manage registration tokens for site and node onboarding, including cloud-init configuration retrieval. Define known label keys and values to establish consistent resource tagging taxonomies across namespaces. Configure implicit labels for automatic resource classification. Supports full lifecycle management of user-related configuration objects with metadata tracking, state management, and condition monitoring for...",
-    descriptionShort: "User accounts, tokens, and label management",
-    descriptionMedium: "Manage user accounts, registration tokens, and label systems. Configure known and implicit labels for resource organization and user identification.",
+    description: "Deploy namespace-scoped access credentials with lifecycle state tracking for secure machine enrollment. Build hierarchical tagging frameworks that enable systematic organization of infrastructure elements. Retrieve automated provisioning payloads for streamlined node initialization. Enable system-level automatic tagging that applies predefined metadata to newly created objects without operator action.",
+    descriptionShort: "Manage account tokens and label settings",
+    descriptionMedium: "Configure credential issuance and cloud-init provisioning. Establish key-value taxonomies for consistent resource categorization across deployments.",
     aliases: ["user", "accounts", "iam"],
     complexity: "simple",
     isPreview: false,
@@ -44750,9 +44750,9 @@ var generatedDomains = /* @__PURE__ */ new Map([
   ["virtual", {
     name: "virtual",
     displayName: "Virtual",
-    description: "Set up load balancing for HTTP, TCP, and UDP protocols with origin pool configuration and weighted routing. Create service policies to control access patterns and enforce rate limits on incoming requests. Deploy geo-location routing for region-aware traffic steering. Configure health checks to monitor backend availability and trigger automatic failover. Manage proxy forwarding rules and threat protection including malware scanning and campaign blocking.",
-    descriptionShort: "Configure HTTP and TCP load balancers",
-    descriptionMedium: "Manage origin pools and routing rules. Define rate limiting, service policies, and health checks for traffic distribution.",
+    description: "Deploy load balancers across protocols with origin pool management and service discovery. Set up geo-location routing to direct traffic based on client location. Define rate limiter policies to control request volume and protect services from abuse. Configure health checks for origin monitoring and automatic failover. Manage service policies for access control and traffic filtering. Enable malware protection and threat campaign blocking for security enforcement.",
+    descriptionShort: "Configure load balancers and origin pools",
+    descriptionMedium: "Create HTTP, TCP, and UDP load balancers with origin pools. Define routing rules, health checks, and rate limiting policies.",
     aliases: ["lb", "loadbalancer", "vhost"],
     complexity: "advanced",
     isPreview: false,
@@ -45309,8 +45309,8 @@ function getLogoModeFromEnv(envPrefix) {
 var CLI_NAME = "xcsh";
 var CLI_FULL_NAME = "F5 Distributed Cloud Shell";
 function getVersion() {
-  if ("6.29.0") {
-    return "6.29.0";
+  if ("6.31.0") {
+    return "6.31.0";
   }
   if (process.env.XCSH_VERSION) {
     return process.env.XCSH_VERSION;
@@ -45579,6 +45579,15 @@ var ProfileManager = class {
       return null;
     }
   }
+  /**
+   * Clear the active profile (used for force delete)
+   */
+  async clearActive() {
+    try {
+      await fs2.unlink(this.config.activeProfileFile);
+    } catch {
+    }
+  }
   /**
    * Set the active profile
    */
@@ -45694,16 +45703,54 @@ var APIError = class extends Error {
 };
 
 // src/api/client.ts
+var DEFAULT_RETRY_CONFIG = {
+  maxRetries: 3,
+  initialDelayMs: 1e3,
+  maxDelayMs: 1e4,
+  backoffMultiplier: 2,
+  jitter: true
+};
+var RETRYABLE_STATUS_CODES = /* @__PURE__ */ new Set([
+  408,
+  // Request Timeout
+  429,
+  // Too Many Requests
+  500,
+  // Internal Server Error
+  502,
+  // Bad Gateway
+  503,
+  // Service Unavailable
+  504
+  // Gateway Timeout
+]);
+function calculateBackoffDelay(attempt, config) {
+  const exponentialDelay = config.initialDelayMs * Math.pow(config.backoffMultiplier, attempt);
+  const cappedDelay = Math.min(exponentialDelay, config.maxDelayMs);
+  if (config.jitter) {
+    const jitterFactor = 1 + Math.random() * 0.25;
+    return Math.floor(cappedDelay * jitterFactor);
+  }
+  return cappedDelay;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 var APIClient = class {
   serverUrl;
   apiToken;
   timeout;
   debug;
+  retryConfig;
   constructor(config) {
     this.serverUrl = config.serverUrl.replace(/\/+$/, "");
     this.apiToken = config.apiToken ?? "";
     this.timeout = config.timeout ?? 3e4;
     this.debug = config.debug ?? false;
+    this.retryConfig = {
+      ...DEFAULT_RETRY_CONFIG,
+      ...config.retry
+    };
   }
   /**
    * Check if client has authentication configured
@@ -45734,25 +45781,21 @@ var APIClient = class {
     return url;
   }
   /**
-   * Execute an HTTP request
+   * Check if an error is retryable
    */
-  async request(options) {
-    const url = this.buildUrl(options.path, options.query);
-    const headers = {
-      "Content-Type": "application/json",
-      Accept: "application/json",
-      ...options.headers
-    };
-    if (this.apiToken) {
-      headers["Authorization"] = `APIToken ${this.apiToken}`;
+  isRetryableError(error) {
+    if (error instanceof APIError) {
+      return RETRYABLE_STATUS_CODES.has(error.statusCode);
     }
-    const body = options.body ? JSON.stringify(options.body) : null;
-    if (this.debug) {
-      console.error(`DEBUG: ${options.method} ${url}`);
-      if (body) {
-        console.error(`DEBUG: Request body: ${body}`);
-      }
+    if (error instanceof Error) {
+      return error.name === "AbortError" || error.message.includes("fetch failed") || error.message.includes("network") || error.message.includes("ECONNREFUSED") || error.message.includes("ENOTFOUND") || error.message.includes("ETIMEDOUT");
     }
+    return false;
+  }
+  /**
+   * Execute a single HTTP request attempt
+   */
+  async executeRequest(options, url, headers, body) {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.timeout);
     try {
@@ -45801,7 +45844,7 @@ var APIClient = class {
       if (error instanceof Error && error.name === "AbortError") {
         throw new APIError(
           `Request timed out after ${this.timeout}ms`,
-          0,
+          408,
           void 0,
           `${options.method} ${options.path}`
         );
@@ -45817,6 +45860,58 @@ var APIClient = class {
       throw error;
     }
   }
+  /**
+   * Execute an HTTP request with retry logic
+   */
+  async request(options) {
+    const url = this.buildUrl(options.path, options.query);
+    const headers = {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      ...options.headers
+    };
+    if (this.apiToken) {
+      headers["Authorization"] = `APIToken ${this.apiToken}`;
+    }
+    const body = options.body ? JSON.stringify(options.body) : null;
+    if (this.debug) {
+      console.error(`DEBUG: ${options.method} ${url}`);
+      if (body) {
+        console.error(`DEBUG: Request body: ${body}`);
+      }
+    }
+    let lastError;
+    for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
+      try {
+        return await this.executeRequest(
+          options,
+          url,
+          headers,
+          body
+        );
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        const isRetryable = this.isRetryableError(error);
+        const hasRetriesLeft = attempt < this.retryConfig.maxRetries;
+        if (isRetryable && hasRetriesLeft) {
+          const delay = calculateBackoffDelay(
+            attempt,
+            this.retryConfig
+          );
+          if (this.debug) {
+            const statusInfo = error instanceof APIError ? ` (${error.statusCode})` : "";
+            console.error(
+              `DEBUG: Request failed${statusInfo}, retrying in ${delay}ms (attempt ${attempt + 1}/${this.retryConfig.maxRetries})`
+            );
+          }
+          await sleep(delay);
+          continue;
+        }
+        throw error;
+      }
+    }
+    throw lastError ?? new Error("Request failed after all retries");
+  }
   /**
    * GET request
    */
@@ -45880,621 +45975,8 @@ var APIClient = class {
   }
 };
 
-// src/subscription/types.ts
-var Tier = {
-  NoTier: "NO_TIER",
-  Basic: "BASIC",
-  // Discontinued - maps to Standard
-  Standard: "STANDARD",
-  // Active tier
-  Advanced: "ADVANCED",
-  // Active tier
-  Premium: "PREMIUM"
-  // Discontinued - maps to Advanced
-};
-var AddonState = {
-  None: "AS_NONE",
-  Pending: "AS_PENDING",
-  Subscribed: "AS_SUBSCRIBED",
-  Error: "AS_ERROR"
-};
-var AccessStatus = {
-  Allowed: "AS_AC_ALLOWED",
-  Denied: "AS_AC_PBAC_DENY",
-  UpgradeRequired: "AS_AC_PBAC_DENY_UPGRADE_PLAN",
-  ContactSales: "AS_AC_PBAC_DENY_CONTACT_SALES",
-  InternalService: "AS_AC_PBAC_DENY_INTERNAL_SVC",
-  Unknown: "AS_AC_UNKNOWN",
-  EOL: "AS_AC_EOL"
-};
-var ActivationType = {
-  Self: "self",
-  PartiallyManaged: "partially_managed",
-  Managed: "managed"
-};
-var SubscriptionState = {
-  Pending: "SUBSCRIPTION_PENDING",
-  Enabled: "SUBSCRIPTION_ENABLED",
-  DisablePending: "SUBSCRIPTION_DISABLE_PENDING",
-  Disabled: "SUBSCRIPTION_DISABLED"
-};
-var ValidationStatus = {
-  Pass: "PASS",
-  Fail: "FAIL",
-  Warning: "WARNING"
-};
-var QuotaStatus = {
-  OK: "OK",
-  Warning: "WARNING",
-  Exceeded: "EXCEEDED"
-};
-function isAddonActive(addon) {
-  return addon.state === AddonState.Subscribed;
-}
-function isAddonAvailable(addon) {
-  return addon.accessStatus === AccessStatus.Allowed && addon.state !== AddonState.Subscribed;
-}
-function isAddonDenied(addon) {
-  return addon.accessStatus === AccessStatus.Denied || addon.accessStatus === AccessStatus.UpgradeRequired || addon.accessStatus === AccessStatus.ContactSales || addon.accessStatus === AccessStatus.InternalService;
-}
-function isQuotaExceeded(quota) {
-  return quota.usage >= quota.limit;
-}
-function isQuotaAtRisk(quota) {
-  return quota.percentage >= 80 && quota.percentage < 100;
-}
-function getQuotaRemainingCapacity(quota) {
-  const remaining = quota.limit - quota.usage;
-  return remaining < 0 ? 0 : remaining;
-}
-function getTierDescription(tier) {
-  switch (tier) {
-    case Tier.NoTier:
-      return "No Tier";
-    case Tier.Basic:
-      return "Standard";
-    // Basic discontinued, maps to Standard
-    case Tier.Standard:
-      return "Standard";
-    case Tier.Advanced:
-      return "Advanced";
-    case Tier.Premium:
-      return "Advanced";
-    // Premium discontinued, maps to Advanced
-    default:
-      return "Unknown";
-  }
-}
-function getStateDescription(state) {
-  switch (state) {
-    case AddonState.None:
-      return "Not Subscribed";
-    case AddonState.Pending:
-      return "Pending";
-    case AddonState.Subscribed:
-      return "Subscribed";
-    case AddonState.Error:
-      return "Error";
-    default:
-      return "Unknown";
-  }
-}
-function getAccessStatusDescription(status) {
-  switch (status) {
-    case AccessStatus.Allowed:
-      return "Allowed";
-    case AccessStatus.Denied:
-      return "Denied";
-    case AccessStatus.UpgradeRequired:
-      return "Upgrade Required";
-    case AccessStatus.ContactSales:
-      return "Contact Sales";
-    case AccessStatus.InternalService:
-      return "Internal Service";
-    case AccessStatus.Unknown:
-      return "Unknown";
-    case AccessStatus.EOL:
-      return "End of Life";
-    default:
-      return "Unknown";
-  }
-}
-function getQuotaStatusFromPercentage(percentage) {
-  if (percentage >= 100) {
-    return QuotaStatus.Exceeded;
-  }
-  if (percentage >= 80) {
-    return QuotaStatus.Warning;
-  }
-  return QuotaStatus.OK;
-}
-
-// src/subscription/client.ts
-var SubscriptionClient = class {
-  apiClient;
-  constructor(apiClient) {
-    this.apiClient = apiClient;
-  }
-  /**
-   * Format display name from service name
-   * e.g., "client-side-defense" -> "Client Side Defense"
-   */
-  formatDisplayName(name) {
-    return name.split("-").map(
-      (word) => word.length > 0 ? word.charAt(0).toUpperCase() + word.slice(1).toLowerCase() : ""
-    ).join(" ");
-  }
-  /**
-   * Normalize tier value
-   */
-  normalizeTier(tier) {
-    const normalized = tier.toUpperCase().trim();
-    switch (normalized) {
-      case "NO_TIER":
-      case "NOTIER":
-      case "":
-        return "NO_TIER";
-      case "BASIC":
-        return "BASIC";
-      case "STANDARD":
-        return "STANDARD";
-      case "ADVANCED":
-        return "ADVANCED";
-      case "PREMIUM":
-        return "PREMIUM";
-      default:
-        return tier;
-    }
-  }
-  /**
-   * Normalize state value
-   */
-  normalizeState(state) {
-    const normalized = state.toUpperCase().trim();
-    switch (normalized) {
-      case "AS_NONE":
-      case "NONE":
-      case "":
-        return AddonState.None;
-      case "AS_PENDING":
-      case "PENDING":
-        return AddonState.Pending;
-      case "AS_SUBSCRIBED":
-      case "SUBSCRIBED":
-        return AddonState.Subscribed;
-      case "AS_ERROR":
-      case "ERROR":
-        return AddonState.Error;
-      default:
-        return state;
-    }
-  }
-  /**
-   * Normalize access status value
-   */
-  normalizeAccessStatus(status) {
-    const normalized = status.toUpperCase().trim();
-    switch (normalized) {
-      case "AS_AC_ALLOWED":
-      case "ALLOWED":
-      case "":
-        return AccessStatus.Allowed;
-      case "AS_AC_PBAC_DENY":
-      case "DENIED":
-      case "DENY":
-        return AccessStatus.Denied;
-      case "AS_AC_PBAC_DENY_UPGRADE_PLAN":
-      case "UPGRADE_REQUIRED":
-      case "UPGRADE_PLAN":
-        return AccessStatus.UpgradeRequired;
-      case "AS_AC_PBAC_DENY_CONTACT_SALES":
-      case "CONTACT_SALES":
-        return AccessStatus.ContactSales;
-      case "AS_AC_PBAC_DENY_INTERNAL_SVC":
-      case "INTERNAL_SERVICE":
-        return AccessStatus.InternalService;
-      default:
-        return status;
-    }
-  }
-  /**
-   * Determine tier from tenant type
-   */
-  determineTierFromTenantType(tenantType) {
-    switch (tenantType.toUpperCase()) {
-      case "ENTERPRISE":
-        return "Advanced";
-      case "FREEMIUM":
-        return "Standard";
-      default:
-        return "Standard";
-    }
-  }
-  /**
-   * Get subscription plans
-   */
-  async getPlans(namespace = "system") {
-    try {
-      const path = `/api/web/namespaces/${namespace}/plans`;
-      const response = await this.apiClient.get(path);
-      const plans = [];
-      for (const item of response.data?.items ?? []) {
-        if (!item?.metadata?.name) continue;
-        const plan = {
-          name: item.metadata.name,
-          displayName: item.spec?.display_name ?? item.metadata.name,
-          includedServices: item.spec?.included_services?.map(
-            (s) => s.name ?? ""
-          ) ?? [],
-          allowedServices: item.spec?.allowed_services?.map((s) => s.name ?? "") ?? []
-        };
-        if (item.spec?.description) {
-          plan.description = item.spec.description;
-        }
-        plans.push(plan);
-      }
-      return plans;
-    } catch {
-      return [];
-    }
-  }
-  /**
-   * Get addon service activation status
-   */
-  async getAddonServiceActivationStatus(addonName) {
-    try {
-      const path = `/api/web/namespaces/system/addon_services/${addonName}/activation-status`;
-      const response = await this.apiClient.get(path);
-      return {
-        name: addonName,
-        displayName: this.formatDisplayName(addonName),
-        tier: this.normalizeTier(response.data.tier ?? ""),
-        state: this.normalizeState(response.data.state ?? ""),
-        accessStatus: this.normalizeAccessStatus(
-          response.data.access_status ?? ""
-        )
-      };
-    } catch {
-      return null;
-    }
-  }
-  /**
-   * Get addon services
-   */
-  async getAddonServices(namespace = "system") {
-    const path = `/api/web/namespaces/${namespace}/addon_services`;
-    const response = await this.apiClient.get(path);
-    const addons = [];
-    for (const item of response.data.items ?? []) {
-      let addon = {
-        name: item.name,
-        displayName: this.formatDisplayName(item.name),
-        tier: "",
-        state: AddonState.None,
-        accessStatus: AccessStatus.Allowed
-      };
-      if (item.description) {
-        addon.description = item.description;
-      }
-      if (item.namespace) {
-        addon.namespace = item.namespace;
-      }
-      if (item.disabled) {
-        addon.state = AddonState.None;
-        addon.accessStatus = AccessStatus.Denied;
-      }
-      const activationStatus = await this.getAddonServiceActivationStatus(
-        item.name
-      );
-      if (activationStatus) {
-        addon = {
-          ...addon,
-          state: activationStatus.state,
-          accessStatus: activationStatus.accessStatus,
-          tier: activationStatus.tier
-        };
-      }
-      addons.push(addon);
-    }
-    return addons;
-  }
-  /**
-   * Get quota usage information (tenant-level)
-   */
-  async getQuotaInfo() {
-    const path = "/api/web/namespaces/system/quota/usage";
-    const response = await this.apiClient.get(path);
-    const objects = [];
-    const quotaMap = response.data.objects ?? response.data.quota_usage ?? {};
-    for (const [name, entry] of Object.entries(quotaMap)) {
-      const limit = entry.limit?.maximum ?? 0;
-      const usage = entry.usage?.current ?? 0;
-      if (limit < 0 || usage < 0) {
-        continue;
-      }
-      const percentage = limit > 0 ? usage / limit * 100 : 0;
-      const quotaItem = {
-        name,
-        displayName: entry.display_name ?? name,
-        objectType: name,
-        limit,
-        usage,
-        percentage,
-        status: getQuotaStatusFromPercentage(percentage)
-      };
-      if (entry.description) {
-        quotaItem.description = entry.description;
-      }
-      objects.push(quotaItem);
-    }
-    return {
-      namespace: "tenant",
-      // Quotas are tenant-level
-      objects
-    };
-  }
-  /**
-   * Get current usage plan
-   */
-  async getCurrentUsagePlan() {
-    const path = "/api/web/namespaces/system/usage_plans/current";
-    const response = await this.apiClient.get(path);
-    for (const plan of response.data.plans ?? []) {
-      if (plan.current) {
-        return plan;
-      }
-    }
-    if (response.data.plans && response.data.plans.length > 0) {
-      return response.data.plans[0] ?? null;
-    }
-    return null;
-  }
-  /**
-   * Get subscription tier from current plan
-   */
-  async getTierFromCurrentPlan() {
-    const plan = await this.getCurrentUsagePlan();
-    if (!plan) {
-      return "Standard";
-    }
-    return this.determineTierFromTenantType(plan.tenant_type);
-  }
-  /**
-   * Get complete subscription information
-   */
-  async getSubscriptionInfo() {
-    const plans = await this.getPlans("system");
-    const addons = await this.getAddonServices("system");
-    const quotaInfo = await this.getQuotaInfo();
-    let tier;
-    try {
-      tier = await this.getTierFromCurrentPlan();
-    } catch {
-      tier = this.determineTierFromPlansAndAddons(plans, addons);
-    }
-    const activeAddons = addons.filter(isAddonActive);
-    const availableAddons = addons.filter(isAddonAvailable);
-    let atRisk = 0;
-    let exceeded = 0;
-    for (const q of quotaInfo.objects) {
-      if (isQuotaExceeded(q)) {
-        exceeded++;
-      } else if (isQuotaAtRisk(q)) {
-        atRisk++;
-      }
-    }
-    const quotaSummary = {
-      totalLimits: quotaInfo.objects.length,
-      limitsAtRisk: atRisk,
-      limitsExceeded: exceeded,
-      objects: quotaInfo.objects
-    };
-    const info = {
-      tier,
-      activeAddons,
-      availableAddons,
-      quotaSummary,
-      plan: plans[0] ?? {
-        name: "unknown",
-        displayName: "Unknown"
-      }
-    };
-    return info;
-  }
-  /**
-   * Determine tier from plans and addons (legacy fallback)
-   */
-  determineTierFromPlansAndAddons(plans, addons) {
-    for (const plan of plans) {
-      const nameLower = plan.name.toLowerCase();
-      const displayLower = plan.displayName.toLowerCase();
-      if (nameLower.includes("advanced") || displayLower.includes("advanced")) {
-        return "Advanced";
-      }
-      if (nameLower.includes("enterprise") || displayLower.includes("enterprise")) {
-        return "Advanced";
-      }
-    }
-    for (const addon of addons) {
-      if (isAddonActive(addon) && (addon.tier === "ADVANCED" || addon.tier === "PREMIUM")) {
-        return "Advanced";
-      }
-    }
-    return "Standard";
-  }
-  /**
-   * Validate resource deployment
-   */
-  async validateResource(req) {
-    const result = {
-      valid: true,
-      checks: [],
-      warnings: [],
-      errors: []
-    };
-    if (req.resourceType && req.count && req.count > 0) {
-      const quotaInfo = await this.getQuotaInfo();
-      let found = false;
-      for (const q of quotaInfo.objects) {
-        if (q.objectType?.toLowerCase() === req.resourceType.toLowerCase() || q.name.toLowerCase() === req.resourceType.toLowerCase()) {
-          found = true;
-          const remaining = getQuotaRemainingCapacity(q);
-          const check = {
-            type: "quota",
-            resource: req.resourceType,
-            current: q.usage,
-            requested: req.count,
-            limit: q.limit,
-            result: ValidationStatus.Pass
-          };
-          if (req.count > remaining) {
-            check.result = ValidationStatus.Fail;
-            check.message = `Quota exceeded: ${req.resourceType} would have ${Math.floor(q.usage + req.count)}/${q.limit} (requesting ${req.count}, only ${Math.floor(remaining)} available)`;
-            result.valid = false;
-            result.errors?.push(check.message);
-          } else if ((q.usage + req.count) / q.limit >= 0.8) {
-            check.result = ValidationStatus.Warning;
-            check.message = `Quota warning: ${req.resourceType} will be at ${Math.round((q.usage + req.count) / q.limit * 100)}% after deployment`;
-            result.warnings?.push(check.message);
-          } else {
-            check.message = `Quota OK: ${req.resourceType} has sufficient capacity (${Math.floor(remaining)} available)`;
-          }
-          result.checks.push(check);
-          break;
-        }
-      }
-      if (!found) {
-        result.checks.push({
-          type: "quota",
-          resource: req.resourceType,
-          requested: req.count,
-          result: ValidationStatus.Warning,
-          message: `No quota limit found for resource type: ${req.resourceType}`
-        });
-      }
-    }
-    if (req.feature) {
-      const addons = await this.getAddonServices("system");
-      let found = false;
-      for (const addon of addons) {
-        if (addon.name.toLowerCase() === req.feature.toLowerCase()) {
-          found = true;
-          const check = {
-            type: "feature",
-            feature: req.feature,
-            currentTier: addon.tier,
-            status: getStateDescription(addon.state),
-            result: ValidationStatus.Pass
-          };
-          if (isAddonActive(addon)) {
-            check.message = `Feature '${req.feature}' is active (tier: ${addon.tier})`;
-          } else if (addon.accessStatus === AccessStatus.UpgradeRequired) {
-            check.result = ValidationStatus.Fail;
-            check.message = `Feature '${req.feature}' requires a plan upgrade`;
-            result.valid = false;
-            result.errors?.push(check.message);
-          } else if (addon.accessStatus === AccessStatus.ContactSales) {
-            check.result = ValidationStatus.Fail;
-            check.message = `Feature '${req.feature}' requires contacting F5 sales`;
-            result.valid = false;
-            result.errors?.push(check.message);
-          } else if (isAddonAvailable(addon)) {
-            check.result = ValidationStatus.Warning;
-            check.message = `Feature '${req.feature}' is available but not subscribed`;
-            result.warnings?.push(check.message);
-          } else {
-            check.result = ValidationStatus.Fail;
-            check.message = `Feature '${req.feature}' is not available (access: ${getAccessStatusDescription(addon.accessStatus)})`;
-            result.valid = false;
-            result.errors?.push(check.message);
-          }
-          result.checks.push(check);
-          break;
-        }
-      }
-      if (!found) {
-        result.checks.push({
-          type: "feature",
-          feature: req.feature,
-          result: ValidationStatus.Warning,
-          message: `Feature '${req.feature}' not found in addon services`
-        });
-      }
-    }
-    return result;
-  }
-  /**
-   * Filter addons by criteria
-   */
-  filterAddons(addons, filter) {
-    if (!filter) {
-      return addons;
-    }
-    switch (filter.toLowerCase()) {
-      case "active":
-        return addons.filter(isAddonActive);
-      case "available":
-        return addons.filter(isAddonAvailable);
-      case "denied":
-        return addons.filter(
-          (a) => a.accessStatus === AccessStatus.Denied || a.accessStatus === AccessStatus.UpgradeRequired || a.accessStatus === AccessStatus.ContactSales || a.accessStatus === AccessStatus.InternalService
-        );
-      default:
-        return addons;
-    }
-  }
-  /**
-   * Get pending activation requests
-   */
-  async getPendingActivations(namespace = "system") {
-    const addons = await this.getAddonServices(namespace);
-    const result = {
-      pendingActivations: [],
-      activeAddons: [],
-      totalPending: 0
-    };
-    for (const addon of addons) {
-      if (addon.state === AddonState.Pending) {
-        const pending = {
-          addonService: addon.name,
-          subscriptionState: SubscriptionState.Pending,
-          message: this.getActivationMessage(
-            addon.activationType ?? ""
-          )
-        };
-        if (addon.namespace) {
-          pending.namespace = addon.namespace;
-        }
-        if (addon.activationType) {
-          pending.activationType = addon.activationType;
-        }
-        result.pendingActivations.push(pending);
-      }
-      if (isAddonActive(addon)) {
-        result.activeAddons.push(addon.name);
-      }
-    }
-    result.totalPending = result.pendingActivations.length;
-    return result;
-  }
-  /**
-   * Get activation message based on type
-   */
-  getActivationMessage(activationType) {
-    switch (activationType) {
-      case ActivationType.Self:
-        return "Self-activation in progress";
-      case ActivationType.PartiallyManaged:
-        return "Awaiting partial backend processing";
-      case ActivationType.Managed:
-        return "Awaiting SRE approval";
-      default:
-        return "Activation pending";
-    }
-  }
-};
-
 // src/repl/session.ts
+var NAMESPACE_CACHE_TTL = 5 * 60 * 1e3;
 var REPLSession = class {
   _history = null;
   _namespace;
@@ -46511,7 +45993,8 @@ var REPLSession = class {
   _profileManager;
   _activeProfile = null;
   _activeProfileName = null;
-  _tier = "";
+  _namespaceCache = [];
+  _namespaceCacheTime = 0;
   constructor(config = {}) {
     this._namespace = config.namespace ?? this.getDefaultNamespace();
     this._contextPath = new ContextPath();
@@ -46548,18 +46031,6 @@ var REPLSession = class {
     await this.loadActiveProfile();
     if (this._apiClient?.isAuthenticated()) {
       await this.fetchUserInfo();
-      await this.fetchTier();
-    }
-  }
-  /**
-   * Fetch subscription tier from the API
-   */
-  async fetchTier() {
-    if (!this._apiClient) return;
-    try {
-      const subscriptionClient = new SubscriptionClient(this._apiClient);
-      this._tier = await subscriptionClient.getTierFromCurrentPlan();
-    } catch {
     }
   }
   /**
@@ -46577,6 +46048,7 @@ var REPLSession = class {
   }
   /**
    * Load the active profile from profile manager
+   * Note: Environment variables take priority over profile settings
    */
   async loadActiveProfile() {
     try {
@@ -46586,14 +46058,17 @@ var REPLSession = class {
         if (profile) {
           this._activeProfileName = activeName;
           this._activeProfile = profile;
-          if (profile.apiUrl) {
+          const envUrl = process.env[`${ENV_PREFIX}_API_URL`];
+          const envToken = process.env[`${ENV_PREFIX}_API_TOKEN`];
+          const envNamespace = process.env[`${ENV_PREFIX}_NAMESPACE`];
+          if (!envUrl && profile.apiUrl) {
             this._serverUrl = profile.apiUrl;
             this._tenant = this.extractTenant(profile.apiUrl);
           }
-          if (profile.apiToken) {
+          if (!envToken && profile.apiToken) {
             this._apiToken = profile.apiToken;
           }
-          if (profile.defaultNamespace) {
+          if (!envNamespace && profile.defaultNamespace) {
             this._namespace = profile.defaultNamespace;
           }
           if (this._serverUrl) {
@@ -46678,12 +46153,6 @@ var REPLSession = class {
   setUsername(username) {
     this._username = username;
   }
-  /**
-   * Get the subscription tier (Standard/Advanced)
-   */
-  getTier() {
-    return this._tier;
-  }
   /**
    * Get the context validator
    */
@@ -46768,6 +46237,7 @@ var REPLSession = class {
     if (!result.success) {
       return false;
     }
+    this.clearNamespaceCache();
     this._activeProfileName = profileName;
     this._activeProfile = profile;
     if (profile.apiUrl) {
@@ -46798,6 +46268,30 @@ var REPLSession = class {
     this._activeProfileName = null;
     this._activeProfile = null;
   }
+  /**
+   * Get cached namespaces (returns empty array if cache is stale/empty)
+   */
+  getNamespaceCache() {
+    const now = Date.now();
+    if (this._namespaceCache.length > 0 && now - this._namespaceCacheTime < NAMESPACE_CACHE_TTL) {
+      return this._namespaceCache;
+    }
+    return [];
+  }
+  /**
+   * Set namespace cache
+   */
+  setNamespaceCache(namespaces) {
+    this._namespaceCache = namespaces;
+    this._namespaceCacheTime = Date.now();
+  }
+  /**
+   * Clear namespace cache (called when switching profiles)
+   */
+  clearNamespaceCache() {
+    this._namespaceCache = [];
+    this._namespaceCacheTime = 0;
+  }
   /**
    * Add a command to history
    */
@@ -47705,10 +47199,11 @@ var createCommand2 = {
     if (!apiToken) {
       return errorResult("Missing required --token option");
     }
+    const sanitizedToken = apiToken.replace(/^["']|["']$/g, "");
     const profile = {
       name,
       apiUrl,
-      apiToken
+      apiToken: sanitizedToken
     };
     if (defaultNamespace) {
       profile.defaultNamespace = defaultNamespace;
@@ -47734,22 +47229,16 @@ var useCommand = {
   usage: "<name>",
   aliases: ["switch", "activate"],
   async execute(args, session) {
-    const manager = getProfileManager();
     const name = args[0];
     if (!name) {
       return errorResult("Usage: login profile use <name>");
     }
     try {
-      const result = await manager.setActive(name);
-      if (!result.success) {
-        return errorResult(result.message);
-      }
-      const profile = await manager.get(name);
-      if (profile) {
-        if (profile.defaultNamespace) {
-          session.setNamespace(profile.defaultNamespace);
-        }
+      const success = await session.switchProfile(name);
+      if (!success) {
+        return errorResult(`Profile '${name}' not found.`);
       }
+      const profile = session.getActiveProfile();
       return successResult(
         [
           `Switched to profile '${name}'.`,
@@ -47807,6 +47296,7 @@ var deleteCommand = {
             ].join("\n")
           );
         }
+        await manager.clearActive();
       }
       const result = await manager.delete(name);
       if (!result.success) {
@@ -47939,12 +47429,19 @@ var setCommand = {
     return successResult(lines, true);
   },
   async completion(partial, _args, session) {
+    const cached = session.getNamespaceCache();
+    if (cached.length > 0) {
+      return cached.filter(
+        (ns) => ns.toLowerCase().startsWith(partial.toLowerCase())
+      );
+    }
     const client = session.getAPIClient();
     if (client?.isAuthenticated()) {
       try {
         const response = await client.get("/api/web/namespaces");
         if (response.ok && response.data?.items) {
-          const namespaces = response.data.items.map((item) => item.name).filter((name) => !!name);
+          const namespaces = response.data.items.map((item) => item.name).filter((name) => !!name).sort();
+          session.setNamespaceCache(namespaces);
           return namespaces.filter(
             (ns) => ns.toLowerCase().startsWith(partial.toLowerCase())
           );
@@ -47982,6 +47479,7 @@ var listCommand2 = {
         return errorResult("Failed to fetch namespaces from API.");
       }
       const namespaces = response.data.items.map((item) => item.name).filter((name) => !!name).sort();
+      session.setNamespaceCache(namespaces);
       const lines = ["Available namespaces:", ""];
       for (const ns of namespaces) {
         if (ns === currentNamespace) {
@@ -48035,11 +47533,6 @@ var EnvVarRegistry = [
     description: "Output format (json, yaml, table)",
     relatedFlag: "-o"
   },
-  {
-    name: `${ENV_PREFIX}_SUBSCRIPTION_TIER`,
-    description: "Subscription tier for feature validation",
-    relatedFlag: ""
-  },
   {
     name: `${ENV_PREFIX}_LOGO`,
     description: "Logo display mode (auto, image, ascii, both, none)",
@@ -48488,25 +47981,8 @@ var bannerCommand = {
   }
 };
 
-// src/domains/login/whoami/types.ts
-function toDisplayTier(tier) {
-  const normalized = tier.toUpperCase();
-  switch (normalized) {
-    case "STANDARD":
-    case "BASIC":
-      return "Standard";
-    case "ADVANCED":
-    case "PREMIUM":
-    // Legacy mapping
-    case "ENTERPRISE":
-      return "Advanced";
-    default:
-      return void 0;
-  }
-}
-
 // src/domains/login/whoami/service.ts
-async function getWhoamiInfo(session, options = {}) {
+async function getWhoamiInfo(session, _options = {}) {
   const info = {
     serverUrl: session.getServerUrl(),
     namespace: session.getNamespace(),
@@ -48527,32 +48003,6 @@ async function getWhoamiInfo(session, options = {}) {
       info.username = username;
     }
   }
-  const apiClient = session.getAPIClient();
-  if (apiClient) {
-    const subscriptionClient = new SubscriptionClient(apiClient);
-    try {
-      const tierValue = await subscriptionClient.getTierFromCurrentPlan();
-      const displayTier = toDisplayTier(tierValue);
-      if (displayTier) {
-        info.tier = displayTier;
-      }
-    } catch {
-    }
-    if (options.includeQuotas || options.verbose) {
-      try {
-        const subscriptionInfo = await subscriptionClient.getSubscriptionInfo();
-        info.quotas = subscriptionInfo.quotaSummary;
-      } catch {
-      }
-    }
-    if (options.includeAddons || options.verbose) {
-      try {
-        const addons = await subscriptionClient.getAddonServices();
-        info.addons = addons.filter(isAddonActive);
-      } catch {
-      }
-    }
-  }
   return info;
 }
 
@@ -48564,41 +48014,19 @@ function formatWhoami(info, options = {}) {
   if (options.json) {
     return formatWhoamiJson(info);
   }
-  return formatWhoamiBox(info, options);
+  return formatWhoamiBox(info);
 }
 function formatWhoamiJson(info) {
   const output = {};
   if (info.tenant) output.tenant = info.tenant;
   if (info.username) output.username = info.username;
   if (info.email) output.email = info.email;
-  if (info.tier) output.tier = info.tier;
   output.namespace = info.namespace;
   output.serverUrl = info.serverUrl;
   output.isAuthenticated = info.isAuthenticated;
-  if (info.quotas) {
-    output.quotas = {
-      totalLimits: info.quotas.totalLimits,
-      limitsAtRisk: info.quotas.limitsAtRisk,
-      limitsExceeded: info.quotas.limitsExceeded,
-      objects: info.quotas.objects?.map((q) => ({
-        name: q.name,
-        displayName: q.displayName,
-        usage: q.usage,
-        limit: q.limit,
-        percentage: Math.round(q.percentage)
-      }))
-    };
-  }
-  if (info.addons && info.addons.length > 0) {
-    output.addons = info.addons.map((a) => ({
-      name: a.name,
-      displayName: a.displayName,
-      state: a.state
-    }));
-  }
   return [JSON.stringify(output, null, 2)];
 }
-function formatWhoamiBox(info, options) {
+function formatWhoamiBox(info) {
   const lines = [];
   const red = colors.red;
   const reset = colors.reset;
@@ -48608,9 +48036,7 @@ function formatWhoamiBox(info, options) {
     bottomLeft: "\u2570",
     bottomRight: "\u256F",
     horizontal: "\u2500",
-    vertical: "\u2502",
-    leftT: "\u251C",
-    rightT: "\u2524"
+    vertical: "\u2502"
   };
   const contentLines = [];
   if (info.tenant) {
@@ -48621,46 +48047,19 @@ function formatWhoamiBox(info, options) {
   } else if (info.username) {
     contentLines.push({ label: "User", value: info.username });
   }
-  if (info.tier) {
-    contentLines.push({ label: "Tier", value: info.tier });
-  }
   contentLines.push({ label: "Namespace", value: info.namespace });
   contentLines.push({ label: "Server", value: info.serverUrl });
   contentLines.push({
     label: "Auth",
     value: info.isAuthenticated ? "\u2713 Authenticated" : "Not authenticated"
   });
-  const quotaLines = [];
-  if (info.quotas && info.quotas.objects && (options.includeQuotas || options.verbose)) {
-    for (const quota of info.quotas.objects.slice(0, 10)) {
-      const pct = Math.round(quota.percentage);
-      quotaLines.push(
-        `${quota.displayName}:  ${quota.usage}/${quota.limit} (${pct}%)`
-      );
-    }
-    if (info.quotas.objects.length > 10) {
-      const remaining = info.quotas.objects.length - 10;
-      quotaLines.push(`... and ${remaining} more`);
-    }
-  }
-  const addonLines = [];
-  if (info.addons && info.addons.length > 0 && (options.includeAddons || options.verbose)) {
-    for (const addon of info.addons) {
-      addonLines.push(`\u2713 ${addon.displayName}`);
-    }
-  }
   const maxLabelWidth = Math.max(...contentLines.map((c) => c.label.length));
   const formattedContent = contentLines.map((c) => {
     const paddedLabel = c.label.padEnd(maxLabelWidth);
     return `${paddedLabel}:  ${c.value}`;
   });
-  const headerTitles = ["Connection Info", "Quota Usage", "Active Addons"];
-  const allTextLines = [
-    ...formattedContent,
-    ...quotaLines,
-    ...addonLines,
-    ...headerTitles
-  ];
+  const headerTitle = "Connection Info";
+  const allTextLines = [...formattedContent, headerTitle];
   const maxContentWidth = Math.max(...allTextLines.map((l) => l.length));
   const innerWidth = maxContentWidth + 2;
   const title = " Connection Info ";
@@ -48676,36 +48075,6 @@ function formatWhoamiBox(info, options) {
       `${red}${BOX.vertical}${reset} ${text}${" ".repeat(Math.max(0, padding - 1))}${red}${BOX.vertical}${reset}`
     );
   }
-  if (quotaLines.length > 0) {
-    const quotaTitle = " Quota Usage ";
-    const quotaRemaining = innerWidth - quotaTitle.length;
-    const quotaLeft = 1;
-    const quotaRight = Math.max(0, quotaRemaining - quotaLeft);
-    lines.push(
-      `${red}${BOX.leftT}${BOX.horizontal.repeat(quotaLeft)}${reset}${quotaTitle}${red}${BOX.horizontal.repeat(quotaRight)}${BOX.rightT}${reset}`
-    );
-    for (const text of quotaLines) {
-      const padding = innerWidth - text.length;
-      lines.push(
-        `${red}${BOX.vertical}${reset} ${text}${" ".repeat(Math.max(0, padding - 1))}${red}${BOX.vertical}${reset}`
-      );
-    }
-  }
-  if (addonLines.length > 0) {
-    const addonTitle = " Active Addons ";
-    const addonRemaining = innerWidth - addonTitle.length;
-    const addonLeft = 1;
-    const addonRight = Math.max(0, addonRemaining - addonLeft);
-    lines.push(
-      `${red}${BOX.leftT}${BOX.horizontal.repeat(addonLeft)}${reset}${addonTitle}${red}${BOX.horizontal.repeat(addonRight)}${BOX.rightT}${reset}`
-    );
-    for (const text of addonLines) {
-      const padding = innerWidth - text.length;
-      lines.push(
-        `${red}${BOX.vertical}${reset} ${text}${" ".repeat(Math.max(0, padding - 1))}${red}${BOX.vertical}${reset}`
-      );
-    }
-  }
   lines.push(
     `${red}${BOX.bottomLeft}${BOX.horizontal.repeat(innerWidth)}${BOX.bottomRight}${reset}`
   );
@@ -49443,727 +48812,297 @@ var cloudstatusDomain = {
 };
 var cloudstatusAliases = ["cs", "status"];
 
-// src/extensions/types.ts
-var RESERVED_API_ACTIONS = /* @__PURE__ */ new Set([
-  "list",
-  "get",
-  "create",
-  "delete",
-  "replace",
-  "apply",
-  "status",
-  "patch",
-  "add-labels",
-  "remove-labels"
-]);
-function isReservedAction(name) {
-  return RESERVED_API_ACTIONS.has(name.toLowerCase());
-}
-function validateExtension(extension) {
-  const conflicts = [];
-  for (const [name] of extension.commands) {
-    if (isReservedAction(name)) {
-      conflicts.push(name);
+// src/completion/registry.ts
+var CompletionRegistry = class {
+  tree = /* @__PURE__ */ new Map();
+  aliases = /* @__PURE__ */ new Map();
+  /**
+   * Register a domain with its completion subtree
+   * Later registrations for same name take precedence (custom > api)
+   */
+  registerDomain(node) {
+    this.tree.set(node.name, node);
+    if (node.aliases) {
+      for (const alias of node.aliases) {
+        this.aliases.set(alias, node.name);
+      }
     }
   }
-  if (conflicts.length > 0) {
-    throw new Error(
-      `Extension "${extension.targetDomain}" has commands that conflict with API actions: ${conflicts.join(", ")}. Use unique names or submit a feature request to upstream.`
-    );
-  }
-}
-
-// src/extensions/registry.ts
-var ExtensionRegistry = class {
-  extensions = /* @__PURE__ */ new Map();
-  mergedCache = /* @__PURE__ */ new Map();
   /**
-   * Register a domain extension
-   *
-   * @param extension - Extension definition to register
-   * @throws Error if extension has command name conflicts with API actions
+   * Add or merge children into an existing domain
+   * Used for extensions that augment API domains
    */
-  register(extension) {
-    validateExtension(extension);
-    this.extensions.set(extension.targetDomain, extension);
-    this.mergedCache.delete(extension.targetDomain);
+  mergeChildren(domainName, children) {
+    const existing = this.tree.get(domainName);
+    if (!existing) {
+      return;
+    }
+    if (!existing.children) {
+      existing.children = /* @__PURE__ */ new Map();
+    }
+    for (const [name, node] of children) {
+      existing.children.set(name, node);
+    }
   }
   /**
-   * Get extension for a domain
-   *
-   * @param domain - Canonical domain name
-   * @returns Extension if registered, undefined otherwise
+   * Get the complete completion tree
    */
-  getExtension(domain) {
-    return this.extensions.get(domain);
+  getTree() {
+    return this.tree;
   }
   /**
-   * Check if a domain has an extension
+   * Get all registered domains as array (sorted by name)
    */
-  hasExtension(domain) {
-    return this.extensions.has(domain);
+  getDomains() {
+    return Array.from(this.tree.values()).sort(
+      (a, b) => a.name.localeCompare(b.name)
+    );
   }
   /**
-   * Get merged domain view combining API domain + extension
-   *
-   * Resolution priority:
-   * 1. Check if canonical domain exists in generated domains
-   * 2. Check if extension exists for this domain
-   * 3. Merge if both exist, or return standalone if only one
-   *
-   * @param domain - Canonical domain name or alias
-   * @returns Merged domain view or undefined if neither exists
+   * Resolve alias to canonical name
    */
-  getMergedDomain(domain) {
-    const canonical = aliasRegistry.get(domain) ?? domain;
-    const cached = this.mergedCache.get(canonical);
-    if (cached) {
-      return cached;
-    }
-    const domainInfo = domainRegistry.get(canonical);
-    const extension = this.extensions.get(canonical);
-    if (!domainInfo && !extension) {
-      return void 0;
-    }
-    const merged = this.buildMergedDomain(canonical, domainInfo, extension);
-    this.mergedCache.set(canonical, merged);
-    return merged;
+  resolveAlias(nameOrAlias) {
+    return this.aliases.get(nameOrAlias) ?? nameOrAlias;
   }
   /**
-   * Build a merged domain from API domain info and/or extension
+   * Get a domain by name or alias
    */
-  buildMergedDomain(name, domainInfo, extension) {
-    const hasGeneratedDomain = !!domainInfo;
-    const hasExtension = !!extension;
-    let source;
-    if (hasGeneratedDomain && hasExtension) {
-      source = "merged";
-    } else if (hasGeneratedDomain) {
-      source = "generated";
-    } else {
-      source = "extension";
-    }
-    const displayName = domainInfo?.displayName ?? this.toDisplayName(extension?.targetDomain ?? name);
-    const description = domainInfo?.description ?? extension?.description ?? `Commands for ${displayName}`;
-    const merged = {
-      name,
-      displayName,
-      description,
-      source,
-      hasGeneratedDomain,
-      hasExtension,
-      extensionCommands: extension?.commands ?? /* @__PURE__ */ new Map(),
-      extensionSubcommands: extension?.subcommands ?? /* @__PURE__ */ new Map()
-    };
-    if (domainInfo) {
-      merged.metadata = domainInfo;
-    }
-    return merged;
+  get(nameOrAlias) {
+    const canonical = this.resolveAlias(nameOrAlias);
+    return this.tree.get(canonical);
   }
   /**
-   * Convert snake_case domain name to display name
+   * Check if a domain exists (by name or alias)
    */
-  toDisplayName(name) {
-    return name.split("_").map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+  has(nameOrAlias) {
+    const canonical = this.resolveAlias(nameOrAlias);
+    return this.tree.has(canonical);
   }
   /**
-   * Get all domains with extensions (for iteration)
+   * Get all aliases
    */
-  getExtendedDomains() {
-    return Array.from(this.extensions.keys());
+  getAliases() {
+    return new Map(this.aliases);
   }
   /**
-   * Get all merged domains (generated + extended)
-   *
-   * Returns domains that either:
-   * - Have generated API commands (from upstream)
-   * - Have extension commands (xcsh-specific)
-   * - Have both (merged)
+   * Get domain suggestions for completion
    */
-  getAllMergedDomains() {
-    const domains = /* @__PURE__ */ new Set();
-    for (const name of domainRegistry.keys()) {
-      domains.add(name);
+  getDomainSuggestions(prefix = "") {
+    const suggestions = [];
+    const lowerPrefix = prefix.toLowerCase();
+    for (const node of this.tree.values()) {
+      if (node.hidden) continue;
+      if (!prefix || node.name.toLowerCase().startsWith(lowerPrefix)) {
+        suggestions.push({
+          text: node.name,
+          description: node.description,
+          category: "domain"
+        });
+      }
+      if (node.aliases) {
+        for (const alias of node.aliases) {
+          if (!prefix || alias.toLowerCase().startsWith(lowerPrefix)) {
+            suggestions.push({
+              text: alias,
+              description: `Alias for ${node.name}`,
+              category: "domain"
+            });
+          }
+        }
+      }
     }
-    for (const name of this.extensions.keys()) {
-      domains.add(name);
+    return suggestions.sort((a, b) => a.text.localeCompare(b.text));
+  }
+  /**
+   * Get child suggestions for a domain
+   */
+  getChildSuggestions(domainName, prefix = "") {
+    const node = this.get(domainName);
+    if (!node?.children) {
+      return [];
     }
-    const merged = [];
-    for (const name of domains) {
-      const domain = this.getMergedDomain(name);
-      if (domain) {
-        merged.push(domain);
+    const suggestions = [];
+    const lowerPrefix = prefix.toLowerCase();
+    for (const child of node.children.values()) {
+      if (child.hidden) continue;
+      if (!prefix || child.name.toLowerCase().startsWith(lowerPrefix)) {
+        suggestions.push({
+          text: child.name,
+          description: child.description,
+          category: child.children ? "subcommand" : "action"
+        });
       }
     }
-    return merged.sort((a, b) => a.name.localeCompare(b.name));
+    return suggestions.sort((a, b) => a.text.localeCompare(b.text));
   }
   /**
-   * Get extension command by name
-   *
-   * @param domain - Canonical domain name
-   * @param command - Command name
-   * @returns Command definition if found
+   * Get nested child suggestions (e.g., login profile <TAB>)
    */
-  getExtensionCommand(domain, command) {
-    const extension = this.getExtension(domain);
-    if (!extension) {
-      return void 0;
+  getNestedChildSuggestions(domainName, path, prefix = "") {
+    let node = this.get(domainName);
+    if (!node) {
+      return [];
     }
-    const cmd = extension.commands.get(command);
-    if (cmd) {
-      return cmd;
+    for (const segment of path) {
+      if (!node.children) {
+        return [];
+      }
+      const child = node.children.get(segment);
+      if (!child) {
+        return [];
+      }
+      node = child;
     }
-    for (const [, cmdDef] of extension.commands) {
-      if (cmdDef.aliases?.includes(command)) {
-        return cmdDef;
+    if (!node.children) {
+      return [];
+    }
+    const suggestions = [];
+    const lowerPrefix = prefix.toLowerCase();
+    for (const child of node.children.values()) {
+      if (child.hidden) continue;
+      if (!prefix || child.name.toLowerCase().startsWith(lowerPrefix)) {
+        suggestions.push({
+          text: child.name,
+          description: child.description,
+          category: "command"
+        });
       }
     }
-    return void 0;
+    return suggestions.sort((a, b) => a.text.localeCompare(b.text));
   }
   /**
-   * Get extension subcommand group
-   *
-   * @param domain - Canonical domain name
-   * @param subcommand - Subcommand group name
-   * @returns Subcommand group if found
+   * Clear the registry (useful for testing)
    */
-  getExtensionSubcommand(domain, subcommand) {
-    const extension = this.getExtension(domain);
-    return extension?.subcommands?.get(subcommand);
+  clear() {
+    this.tree.clear();
+    this.aliases.clear();
   }
-  /**
-   * Check if a command exists in extension
-   */
-  hasExtensionCommand(domain, command) {
-    return this.getExtensionCommand(domain, command) !== void 0;
+};
+var completionRegistry = new CompletionRegistry();
+
+// src/completion/adapters.ts
+var actionDescriptions = {
+  list: "List resources",
+  get: "Get a specific resource",
+  create: "Create a new resource",
+  delete: "Delete a resource",
+  replace: "Replace a resource",
+  apply: "Apply configuration from file",
+  status: "Get resource status",
+  patch: "Patch a resource",
+  "add-labels": "Add labels to a resource",
+  "remove-labels": "Remove labels from a resource"
+};
+function fromCommand(cmd) {
+  const node = {
+    name: cmd.name,
+    description: cmd.descriptionShort,
+    source: "custom"
+  };
+  if (cmd.aliases && cmd.aliases.length > 0) {
+    node.aliases = cmd.aliases;
   }
-  /**
-   * Get all extension command names for a domain
-   * Used for tab completion
-   */
-  getExtensionCommandNames(domain) {
-    const extension = this.getExtension(domain);
-    if (!extension) {
-      return [];
-    }
-    const names = [];
-    for (const [name, cmd] of extension.commands) {
-      names.push(name);
-      if (cmd.aliases) {
-        names.push(...cmd.aliases);
-      }
-    }
-    return names;
-  }
-  /**
-   * Clear the merged domain cache
-   * Call this if generated domains change
-   */
-  clearCache() {
-    this.mergedCache.clear();
-  }
-  /**
-   * Get registry statistics
-   */
-  getStats() {
-    let standaloneCount = 0;
-    let mergedCount = 0;
-    for (const [domain] of this.extensions) {
-      if (domainRegistry.has(domain)) {
-        mergedCount++;
-      } else {
-        standaloneCount++;
-      }
-    }
-    return {
-      extensionCount: this.extensions.size,
-      standaloneCount,
-      mergedCount
-    };
-  }
-};
-var extensionRegistry = new ExtensionRegistry();
-
-// src/extensions/subscription/index.ts
-var clientCache = /* @__PURE__ */ new Map();
-function getClient2(apiClient) {
-  const key = apiClient.getServerUrl();
-  let client = clientCache.get(key);
-  if (!client) {
-    client = new SubscriptionClient(apiClient);
-    clientCache.set(key, client);
-  }
-  return client;
+  return node;
 }
-var overviewCommand = {
-  name: "overview",
-  description: "Display a comprehensive overview of your tenant subscription including current tier level, activated addon services, and quota usage summary. Provides at-a-glance subscription health assessment.",
-  descriptionShort: "Display subscription tier and summary",
-  descriptionMedium: "Show subscription tier, active addons, and quota usage summary for tenant health assessment.",
-  usage: "[--json]",
-  aliases: ["show", "info"],
-  async execute(args, session) {
-    const jsonOutput = args.includes("--json");
-    const format = session.getOutputFormat();
-    const apiClient = session.getAPIClient();
-    if (!apiClient) {
-      return errorResult("Not authenticated. Use 'login' command first.");
-    }
-    try {
-      const client = getClient2(apiClient);
-      const info = await client.getSubscriptionInfo();
-      if (jsonOutput || format === "json") {
-        return successResult([JSON.stringify(info, null, 2)]);
-      }
-      const lines = [];
-      lines.push("=== Subscription Overview ===");
-      lines.push("");
-      lines.push(`Tier: ${info.tier}`);
-      if (info.plan) {
-        lines.push(`Plan: ${info.plan.displayName}`);
-        if (info.plan.description) {
-          lines.push(`Description: ${info.plan.description}`);
-        }
-      }
-      lines.push("");
-      lines.push("--- Active Addons ---");
-      if (info.activeAddons.length === 0) {
-        lines.push("  No active addons");
-      } else {
-        for (const addon of info.activeAddons) {
-          lines.push(
-            `  - ${addon.displayName} (${getTierDescription(addon.tier)})`
-          );
-        }
-      }
-      lines.push("");
-      lines.push("--- Quota Summary ---");
-      lines.push(`  Total Limits: ${info.quotaSummary.totalLimits}`);
-      lines.push(`  At Risk (>80%): ${info.quotaSummary.limitsAtRisk}`);
-      lines.push(`  Exceeded: ${info.quotaSummary.limitsExceeded}`);
-      if (info.quotaSummary.limitsExceeded > 0) {
-        lines.push("");
-        lines.push("  Warning: Some quotas are exceeded!");
-      }
-      return successResult(lines);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      return errorResult(`Failed to get subscription info: ${message}`);
-    }
+function fromSubcommandGroup(group) {
+  const children = /* @__PURE__ */ new Map();
+  for (const [name, cmd] of group.commands) {
+    children.set(name, fromCommand(cmd));
   }
-};
-var addonsCommand = {
-  name: "addons",
-  description: "List all addon services with their activation state and access status. Filter by active, available, or denied status. Shows tier requirements and enables identification of upgradable features.",
-  descriptionShort: "List addon services and status",
-  descriptionMedium: "Display addon services with activation state. Filter by active, available, or denied status.",
-  usage: "[--filter active|available|denied] [--all] [--json]",
-  aliases: ["services"],
-  async execute(args, session) {
-    const jsonOutput = args.includes("--json");
-    const showAll = args.includes("--all");
-    const format = session.getOutputFormat();
-    let filter = "";
-    const filterIdx = args.indexOf("--filter");
-    if (filterIdx !== -1) {
-      const filterArg = args[filterIdx + 1];
-      if (filterArg) {
-        filter = filterArg;
-      }
-    }
-    const apiClient = session.getAPIClient();
-    if (!apiClient) {
-      return errorResult("Not authenticated. Use 'login' command first.");
-    }
-    try {
-      const client = getClient2(apiClient);
-      let addons = await client.getAddonServices("system");
-      if (filter) {
-        addons = client.filterAddons(addons, filter);
-      } else if (!showAll) {
-        addons = addons.filter(
-          (a) => isAddonActive(a) || isAddonAvailable(a)
-        );
-      }
-      if (jsonOutput || format === "json") {
-        return successResult([JSON.stringify(addons, null, 2)]);
-      }
-      if (addons.length === 0) {
-        return successResult([
-          `No addon services found${filter ? ` (filter: ${filter})` : ""}`
-        ]);
-      }
-      const lines = [];
-      lines.push("=== Addon Services ===");
-      lines.push("");
-      const active = addons.filter(isAddonActive);
-      const available = addons.filter(isAddonAvailable);
-      const denied = addons.filter(isAddonDenied);
-      const other = addons.filter(
-        (a) => !isAddonActive(a) && !isAddonAvailable(a) && !isAddonDenied(a)
-      );
-      if (active.length > 0) {
-        lines.push("--- Active ---");
-        for (const addon of active) {
-          lines.push(`  [OK] ${addon.displayName}`);
-          lines.push(
-            `       Tier: ${getTierDescription(addon.tier)}`
-          );
-        }
-        lines.push("");
-      }
-      if (available.length > 0) {
-        lines.push("--- Available ---");
-        for (const addon of available) {
-          lines.push(`  [ ] ${addon.displayName}`);
-          lines.push(
-            `       Status: ${getStateDescription(addon.state)}`
-          );
-        }
-        lines.push("");
-      }
-      if (denied.length > 0 && (showAll || filter === "denied")) {
-        lines.push("--- Access Denied ---");
-        for (const addon of denied) {
-          lines.push(`  [X] ${addon.displayName}`);
-          lines.push(
-            `       Reason: ${getAccessStatusDescription(addon.accessStatus)}`
-          );
-        }
-        lines.push("");
-      }
-      if (other.length > 0 && showAll) {
-        lines.push("--- Other ---");
-        for (const addon of other) {
-          lines.push(`  [-] ${addon.displayName}`);
-          lines.push(
-            `       State: ${getStateDescription(addon.state)}`
-          );
-          lines.push(
-            `       Access: ${getAccessStatusDescription(addon.accessStatus)}`
-          );
-        }
-      }
-      return successResult(lines);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      return errorResult(`Failed to get addon services: ${message}`);
-    }
+  const node = {
+    name: group.name,
+    description: group.descriptionShort,
+    source: "custom"
+  };
+  if (children.size > 0) {
+    node.children = children;
   }
-};
-var quotaCommand = {
-  name: "quota",
-  description: "Display tenant-level quota limits and current usage for all resource types. Identify resources approaching limits with warning thresholds. Use --warnings to filter for at-risk quotas only.",
-  descriptionShort: "Display quota limits and usage",
-  descriptionMedium: "Show tenant-level quota limits with usage percentages. Filter for at-risk resources.",
-  usage: "[--warnings] [--json]",
-  aliases: ["quotas", "limits"],
-  async execute(args, session) {
-    const jsonOutput = args.includes("--json");
-    const showWarnings = args.includes("--warnings");
-    const format = session.getOutputFormat();
-    const apiClient = session.getAPIClient();
-    if (!apiClient) {
-      return errorResult("Not authenticated. Use 'login' command first.");
-    }
-    try {
-      const client = getClient2(apiClient);
-      const quotaInfo = await client.getQuotaInfo();
-      let objects = quotaInfo.objects;
-      if (showWarnings) {
-        objects = objects.filter(
-          (q) => q.status === QuotaStatus.Warning || q.status === QuotaStatus.Exceeded
-        );
-      }
-      if (jsonOutput || format === "json") {
-        return successResult([
-          JSON.stringify({ ...quotaInfo, objects }, null, 2)
-        ]);
-      }
-      if (objects.length === 0) {
-        return successResult([
-          showWarnings ? "No quota warnings or exceeded limits" : "No quota information available"
-        ]);
-      }
-      const lines = [];
-      lines.push("=== Quota Usage (Tenant-Level) ===");
-      lines.push("");
-      const exceeded = objects.filter(
-        (q) => q.status === QuotaStatus.Exceeded
-      );
-      const warning = objects.filter(
-        (q) => q.status === QuotaStatus.Warning
-      );
-      const ok = objects.filter((q) => q.status === QuotaStatus.OK);
-      if (exceeded.length > 0) {
-        lines.push("--- Exceeded ---");
-        for (const q of exceeded) {
-          lines.push(`  [!!] ${q.displayName}`);
-          lines.push(
-            `       Usage: ${q.usage} / ${q.limit} (${Math.round(q.percentage)}%)`
-          );
-        }
-        lines.push("");
-      }
-      if (warning.length > 0) {
-        lines.push("--- Warning (>80%) ---");
-        for (const q of warning) {
-          lines.push(`  [!] ${q.displayName}`);
-          lines.push(
-            `      Usage: ${q.usage} / ${q.limit} (${Math.round(q.percentage)}%)`
-          );
-        }
-        lines.push("");
-      }
-      if (ok.length > 0 && !showWarnings) {
-        lines.push("--- OK ---");
-        for (const q of ok) {
-          lines.push(
-            `  [OK] ${q.displayName}: ${q.usage} / ${q.limit} (${Math.round(q.percentage)}%)`
-          );
-        }
-      }
-      return successResult(lines);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      return errorResult(`Failed to get quota info: ${message}`);
-    }
+  return node;
+}
+function fromCustomDomain(domain) {
+  const children = /* @__PURE__ */ new Map();
+  for (const [name, cmd] of domain.commands) {
+    children.set(name, fromCommand(cmd));
   }
-};
-var validateCommand = {
-  name: "validate",
-  description: "Run pre-deployment validation checks against quota limits and feature availability. Verify resource creation will succeed before deployment. Check if specific features are enabled for your subscription tier.",
-  descriptionShort: "Validate quotas and feature access",
-  descriptionMedium: "Pre-deployment validation for quota capacity and feature availability checks.",
-  usage: "[--resource-type <type> --count <n>] [--feature <name>] [--json]",
-  async execute(args, session) {
-    const jsonOutput = args.includes("--json");
-    const format = session.getOutputFormat();
-    let resourceType;
-    const resourceIdx = args.indexOf("--resource-type");
-    if (resourceIdx !== -1 && args[resourceIdx + 1]) {
-      resourceType = args[resourceIdx + 1];
-    }
-    let count;
-    const countIdx = args.indexOf("--count");
-    if (countIdx !== -1) {
-      const countArg = args[countIdx + 1];
-      if (countArg) {
-        count = parseInt(countArg, 10);
-      }
-    }
-    let feature;
-    const featureIdx = args.indexOf("--feature");
-    if (featureIdx !== -1 && args[featureIdx + 1]) {
-      feature = args[featureIdx + 1];
-    }
-    if (!resourceType && !feature) {
-      return errorResult(
-        "Please specify --resource-type and --count, or --feature to validate"
-      );
-    }
-    const apiClient = session.getAPIClient();
-    if (!apiClient) {
-      return errorResult("Not authenticated. Use 'login' command first.");
-    }
-    try {
-      const client = getClient2(apiClient);
-      const result = await client.validateResource({
-        resourceType: resourceType ?? "",
-        count: count ?? 0,
-        feature: feature ?? ""
-      });
-      if (jsonOutput || format === "json") {
-        return successResult([JSON.stringify(result, null, 2)]);
-      }
-      const lines = [];
-      lines.push("=== Validation Result ===");
-      lines.push("");
-      lines.push(`Status: ${result.valid ? "[PASS]" : "[FAIL]"}`);
-      lines.push("");
-      if (result.checks.length > 0) {
-        lines.push("--- Checks ---");
-        for (const check of result.checks) {
-          const icon = check.result === "PASS" ? "[OK]" : check.result === "WARNING" ? "[!]" : "[X]";
-          lines.push(
-            `  ${icon} [${check.type}] ${check.message ?? ""}`
-          );
-        }
-      }
-      if (result.errors && result.errors.length > 0) {
-        lines.push("");
-        lines.push("--- Errors ---");
-        for (const error of result.errors) {
-          lines.push(`  [X] ${error}`);
-        }
-      }
-      if (result.warnings && result.warnings.length > 0) {
-        lines.push("");
-        lines.push("--- Warnings ---");
-        for (const warning of result.warnings) {
-          lines.push(`  [!] ${warning}`);
-        }
-      }
-      const commandResult = {
-        output: lines,
-        shouldExit: false,
-        shouldClear: false,
-        contextChanged: false
-      };
-      if (!result.valid) {
-        commandResult.error = "Validation failed";
-      }
-      return commandResult;
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      return errorResult(`Validation failed: ${message}`);
-    }
+  for (const [name, group] of domain.subcommands) {
+    children.set(name, fromSubcommandGroup(group));
   }
-};
-var activationStatusCommand = {
-  name: "activation-status",
-  description: "Monitor the status of pending addon service activation requests. Track which addons are awaiting approval or provisioning. View currently active addons alongside pending requests.",
-  descriptionShort: "Check pending addon activations",
-  descriptionMedium: "Monitor pending addon activation requests and track provisioning status.",
-  usage: "[--json]",
-  async execute(args, session) {
-    const jsonOutput = args.includes("--json");
-    const format = session.getOutputFormat();
-    const apiClient = session.getAPIClient();
-    if (!apiClient) {
-      return errorResult("Not authenticated. Use 'login' command first.");
-    }
-    try {
-      const client = getClient2(apiClient);
-      const result = await client.getPendingActivations("system");
-      if (jsonOutput || format === "json") {
-        return successResult([JSON.stringify(result, null, 2)]);
-      }
-      const lines = [];
-      lines.push("=== Activation Status ===");
-      lines.push("");
-      if (result.pendingActivations.length === 0) {
-        lines.push("No pending activation requests.");
-      } else {
-        lines.push(`Pending Activations: ${result.totalPending}`);
-        lines.push("");
-        for (const pending of result.pendingActivations) {
-          lines.push(`  [...] ${pending.addonService}`);
-          if (pending.message) {
-            lines.push(`        Status: ${pending.message}`);
-          }
-        }
-      }
-      lines.push("");
-      lines.push(`Active Addons: ${result.activeAddons.length}`);
-      if (result.activeAddons.length > 0) {
-        for (const addon of result.activeAddons) {
-          lines.push(`  [OK] ${addon}`);
-        }
-      }
-      return successResult(lines);
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      return errorResult(`Failed to get activation status: ${message}`);
-    }
+  const node = {
+    name: domain.name,
+    description: domain.descriptionShort,
+    source: "custom"
+  };
+  if (children.size > 0) {
+    node.children = children;
   }
-};
-var subscriptionExtension = {
-  targetDomain: "subscription",
-  description: "xcsh-specific subscription management commands (overview, quota analysis, validation)",
-  standalone: true,
-  // Works even before upstream adds subscription domain
-  commands: /* @__PURE__ */ new Map([
-    ["overview", overviewCommand],
-    ["addons", addonsCommand],
-    ["quota", quotaCommand],
-    ["validate", validateCommand],
-    ["activation-status", activationStatusCommand]
-  ]),
-  subcommands: /* @__PURE__ */ new Map()
-};
-
-// src/extensions/index.ts
-function initializeExtensions() {
-  extensionRegistry.register(subscriptionExtension);
+  return node;
 }
-initializeExtensions();
-
-// src/domains/completion/generators.ts
-function getAllDomains() {
-  const domains = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const domain of customDomains.all()) {
-    domains.push({
-      name: domain.name,
-      description: domain.descriptionShort,
-      aliases: []
+function fromApiDomain(info) {
+  const children = /* @__PURE__ */ new Map();
+  for (const action of validActions) {
+    children.set(action, {
+      name: action,
+      description: actionDescriptions[action] ?? action,
+      source: "api"
     });
-    seen.add(domain.name);
-  }
-  for (const extDomain of extensionRegistry.getExtendedDomains()) {
-    if (seen.has(extDomain)) continue;
-    if (domainRegistry.has(extDomain)) continue;
-    const merged = extensionRegistry.getMergedDomain(extDomain);
-    if (merged && merged.source === "extension") {
-      domains.push({
-        name: extDomain,
-        description: merged.description,
-        aliases: []
-      });
-      seen.add(extDomain);
-    }
   }
-  for (const [name, info] of domainRegistry) {
-    if (seen.has(name)) continue;
-    domains.push({
-      name,
-      description: info.descriptionShort,
-      aliases: info.aliases
-    });
-    seen.add(name);
+  const node = {
+    name: info.name,
+    description: info.descriptionShort,
+    children,
+    source: "api"
+  };
+  if (info.aliases.length > 0) {
+    node.aliases = info.aliases;
   }
-  return domains.sort((a, b) => a.name.localeCompare(b.name));
+  return node;
 }
-function getCustomDomainCommands(domainName) {
-  const domain = customDomains.get(domainName);
-  if (!domain) {
-    return { commands: [], subcommands: /* @__PURE__ */ new Map() };
-  }
-  const commands = Array.from(domain.commands.keys());
-  const subcommands = /* @__PURE__ */ new Map();
-  for (const [groupName, group] of domain.subcommands) {
-    subcommands.set(groupName, Array.from(group.commands.keys()));
-  }
-  return { commands, subcommands };
+function getActionDescriptions() {
+  return { ...actionDescriptions };
+}
+
+// src/completion/generators/common.ts
+function escapeForZsh(str) {
+  return str.replace(/'/g, "'\\''").replace(/:/g, "\\:");
+}
+function escapeForFish(str) {
+  return str.replace(/'/g, "\\'");
 }
+
+// src/domains/completion/generators.ts
 function generateBashCompletion() {
-  const domains = getAllDomains();
+  const domains = completionRegistry.getDomains();
   const domainNames = domains.map((d) => d.name).join(" ");
-  const allAliases = domains.flatMap((d) => d.aliases).join(" ");
-  const actions = Array.from(validActions).join(" ");
+  const allAliases = [];
+  for (const domain of domains) {
+    if (domain.aliases) {
+      allAliases.push(...domain.aliases);
+    }
+  }
+  const actionDescriptions2 = getActionDescriptions();
+  const actions = Object.keys(actionDescriptions2).join(" ");
   const customDomainCompletions = [];
-  for (const domain of customDomains.all()) {
-    const { commands, subcommands } = getCustomDomainCommands(domain.name);
-    if (commands.length > 0 || subcommands.size > 0) {
-      const allCommands = [
-        ...commands,
-        ...Array.from(subcommands.keys())
-      ];
+  for (const domain of domains) {
+    if (domain.source !== "custom" || !domain.children) continue;
+    const childNames = Array.from(domain.children.keys());
+    if (childNames.length > 0) {
       customDomainCompletions.push(
         `        ${domain.name})`,
-        `          COMPREPLY=($(compgen -W "${allCommands.join(" ")}" -- "\${cur}"))`,
+        `          COMPREPLY=($(compgen -W "${childNames.join(" ")}" -- "\${cur}"))`,
         `          return 0`,
         `          ;;`
       );
     }
-    for (const [groupName, groupCommands] of subcommands) {
-      customDomainCompletions.push(
-        `        ${domain.name}/${groupName})`,
-        `          COMPREPLY=($(compgen -W "${groupCommands.join(" ")}" -- "\${cur}"))`,
-        `          return 0`,
-        `          ;;`
-      );
+    for (const [childName, child] of domain.children) {
+      if (child.children && child.children.size > 0) {
+        const nestedNames = Array.from(child.children.keys());
+        customDomainCompletions.push(
+          `        ${domain.name}/${childName})`,
+          `          COMPREPLY=($(compgen -W "${nestedNames.join(" ")}" -- "\${cur}"))`,
+          `          return 0`,
+          `          ;;`
+        );
+      }
     }
   }
   return `# bash completion for xcsh
@@ -50174,7 +49113,7 @@ _xcsh_completions() {
   local cur prev words cword
   _init_completion || return
 
-  local commands="${domainNames} ${allAliases} help quit exit clear history"
+  local commands="${domainNames} ${allAliases.join(" ")} help quit exit clear history"
   local actions="${actions}"
   local builtins="help quit exit clear history context ctx"
   local global_flags="--help -h --version -v --interactive -i --no-color --output -o --namespace -ns"
@@ -50220,36 +49159,29 @@ complete -F _xcsh_completions xcsh
 `;
 }
 function generateZshCompletion() {
-  const domains = getAllDomains();
+  const domains = completionRegistry.getDomains();
   const domainDescriptions = domains.map((d) => {
-    const escaped = d.description.replace(/'/g, "'\\''").replace(/:/g, "\\:");
+    const escaped = escapeForZsh(d.description);
     return `'${d.name}:${escaped}'`;
   }).join("\n            ");
-  const aliasDescriptions = domains.flatMap((d) => d.aliases.map((a) => `'${a}:Alias for ${d.name}'`)).join("\n            ");
-  const actionDescriptions = [
-    "'list:List resources'",
-    "'get:Get a specific resource'",
-    "'create:Create a new resource'",
-    "'delete:Delete a resource'",
-    "'replace:Replace a resource'",
-    "'apply:Apply configuration from file'",
-    "'status:Get resource status'",
-    "'patch:Patch a resource'",
-    "'add-labels:Add labels to a resource'",
-    "'remove-labels:Remove labels from a resource'"
-  ].join("\n            ");
+  const aliasDescriptions = domains.filter((d) => d.aliases && d.aliases.length > 0).flatMap((d) => d.aliases.map((a) => `'${a}:Alias for ${d.name}'`)).join("\n            ");
+  const actionDescriptions2 = getActionDescriptions();
+  const actionDescArray = Object.entries(actionDescriptions2).map(([action, desc]) => {
+    const escaped = escapeForZsh(desc);
+    return `'${action}:${escaped}'`;
+  }).join("\n            ");
   const customDomainCompletions = [];
-  for (const domain of customDomains.all()) {
-    const { commands, subcommands } = getCustomDomainCommands(domain.name);
-    if (commands.length > 0 || subcommands.size > 0) {
-      const cmdDescriptions = commands.map((c) => `'${c}:Command'`);
-      const subDescriptions = Array.from(subcommands.keys()).map(
-        (s) => `'${s}:Subcommand group'`
-      );
-      const allDescriptions = [...cmdDescriptions, ...subDescriptions].filter((d) => d.length > 0).join(" ");
+  for (const domain of domains) {
+    if (domain.source !== "custom" || !domain.children) continue;
+    const childDescriptions = [];
+    for (const child of domain.children.values()) {
+      const escaped = escapeForZsh(child.description);
+      childDescriptions.push(`'${child.name}:${escaped}'`);
+    }
+    if (childDescriptions.length > 0) {
       customDomainCompletions.push(
         `        (${domain.name})`,
-        `            _values 'command' ${allDescriptions}`,
+        `            _values 'command' ${childDescriptions.join(" ")}`,
         `            ;;`
       );
     }
@@ -50305,7 +49237,7 @@ ${customDomainCompletions.join("\n")}
                 (*)
                     local -a actions
                     actions=(
-            ${actionDescriptions}
+            ${actionDescArray}
                     )
                     _describe -t actions 'action' actions
                     ;;
@@ -50336,163 +49268,417 @@ _xcsh "$@"
 `;
 }
 function generateFishCompletion() {
-  const domains = getAllDomains();
-  const actions = Array.from(validActions);
+  const domains = completionRegistry.getDomains();
+  const actionDescriptions2 = getActionDescriptions();
   const domainCompletions = domains.map((d) => {
-    const escaped = d.description.replace(/'/g, "\\'");
+    const escaped = escapeForFish(d.description);
     return `complete -c xcsh -n "__fish_use_subcommand" -a "${d.name}" -d '${escaped}'`;
   }).join("\n");
-  const aliasCompletions = domains.flatMap(
+  const aliasCompletions = domains.filter((d) => d.aliases && d.aliases.length > 0).flatMap(
     (d) => d.aliases.map(
       (a) => `complete -c xcsh -n "__fish_use_subcommand" -a "${a}" -d 'Alias for ${d.name}'`
     )
   ).join("\n");
-  const actionCompletions = domains.map(
-    (d) => actions.map(
-      (a) => `complete -c xcsh -n "__fish_seen_subcommand_from ${d.name}" -a "${a}" -d '${a.charAt(0).toUpperCase() + a.slice(1)} resources'`
-    ).join("\n")
-  ).join("\n");
   const customDomainCompletions = [];
-  for (const domain of customDomains.all()) {
-    const { commands, subcommands } = getCustomDomainCommands(domain.name);
-    for (const cmd of commands) {
+  for (const domain of domains) {
+    if (domain.source !== "custom" || !domain.children) continue;
+    for (const child of domain.children.values()) {
+      const escaped = escapeForFish(child.description);
       customDomainCompletions.push(
-        `complete -c xcsh -n "__fish_seen_subcommand_from ${domain.name}" -a "${cmd}" -d 'Command'`
+        `complete -c xcsh -n "__fish_seen_subcommand_from ${domain.name}" -a "${child.name}" -d '${escaped}'`
       );
+      if (child.children) {
+        for (const nested of child.children.values()) {
+          const nestedEscaped = escapeForFish(nested.description);
+          customDomainCompletions.push(
+            `complete -c xcsh -n "__fish_seen_subcommand_from ${domain.name}; and __fish_seen_subcommand_from ${child.name}" -a "${nested.name}" -d '${nestedEscaped}'`
+          );
+        }
+      }
     }
-    for (const [groupName, groupCommands] of subcommands) {
-      customDomainCompletions.push(
-        `complete -c xcsh -n "__fish_seen_subcommand_from ${domain.name}" -a "${groupName}" -d 'Subcommand group'`
-      );
-      for (const cmd of groupCommands) {
-        customDomainCompletions.push(
-          `complete -c xcsh -n "__fish_seen_subcommand_from ${domain.name}; and __fish_seen_subcommand_from ${groupName}" -a "${cmd}" -d 'Command'`
-        );
+  }
+  const apiDomains = domains.filter((d) => d.source === "api");
+  const actionCompletions = apiDomains.map(
+    (d) => Object.entries(actionDescriptions2).map(
+      ([action, desc]) => `complete -c xcsh -n "__fish_seen_subcommand_from ${d.name}" -a "${action}" -d '${escapeForFish(desc)}'`
+    ).join("\n")
+  ).join("\n");
+  return `# fish completion for xcsh
+# Generated by xcsh completion fish
+
+# Disable file completions for xcsh
+complete -c xcsh -f
+
+# Global options
+complete -c xcsh -s h -l help -d 'Show help information'
+complete -c xcsh -s v -l version -d 'Show version number'
+complete -c xcsh -s i -l interactive -d 'Force interactive mode'
+complete -c xcsh -l no-color -d 'Disable color output'
+complete -c xcsh -s o -l output -d 'Output format' -xa 'json yaml table'
+complete -c xcsh -l namespace -s ns -d 'Namespace' -xa 'default system shared'
+
+# Builtin commands
+complete -c xcsh -n "__fish_use_subcommand" -a "help" -d 'Show help information'
+complete -c xcsh -n "__fish_use_subcommand" -a "quit" -d 'Exit the shell'
+complete -c xcsh -n "__fish_use_subcommand" -a "exit" -d 'Exit the shell'
+complete -c xcsh -n "__fish_use_subcommand" -a "clear" -d 'Clear the screen'
+complete -c xcsh -n "__fish_use_subcommand" -a "history" -d 'Show command history'
+complete -c xcsh -n "__fish_use_subcommand" -a "context" -d 'Show current navigation context'
+complete -c xcsh -n "__fish_use_subcommand" -a "ctx" -d 'Show current navigation context'
+
+# Domain completions
+${domainCompletions}
+
+# Alias completions
+${aliasCompletions}
+
+# Custom domain subcommands
+${customDomainCompletions.join("\n")}
+
+# Action completions for API domains
+${actionCompletions}
+
+# Action-specific flags
+complete -c xcsh -l name -s n -d 'Resource name'
+complete -c xcsh -l limit -d 'Maximum results'
+complete -c xcsh -l label -d 'Filter by label'
+complete -c xcsh -s f -l file -d 'Configuration file' -r
+complete -c xcsh -l force -d 'Force deletion'
+complete -c xcsh -l cascade -d 'Cascade delete'
+`;
+}
+
+// src/domains/completion/index.ts
+var bashCommand = {
+  name: "bash",
+  description: "Generate a bash shell completion script for xcsh. Output the script to stdout for manual installation or pipe to a file. Enables tab-completion for commands, domains, actions, and option flags.",
+  descriptionShort: "Generate bash completion script",
+  descriptionMedium: "Output bash completion script for tab-completion of commands, domains, and flags.",
+  async execute() {
+    try {
+      const script = generateBashCompletion();
+      return successResult([script]);
+    } catch (error) {
+      return errorResult(
+        `Failed to generate bash completion: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+};
+var zshCommand = {
+  name: "zsh",
+  description: "Generate a zsh shell completion script for xcsh. Output the script to stdout for manual installation or add to your fpath. Provides rich tab-completion with descriptions for commands, domains, and options.",
+  descriptionShort: "Generate zsh completion script",
+  descriptionMedium: "Output zsh completion script with rich descriptions for commands and options.",
+  async execute() {
+    try {
+      const script = generateZshCompletion();
+      return successResult([script]);
+    } catch (error) {
+      return errorResult(
+        `Failed to generate zsh completion: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+};
+var fishCommand = {
+  name: "fish",
+  description: "Generate a fish shell completion script for xcsh. Output the script to stdout for manual installation or save to your fish completions directory. Enables intelligent tab-completion with inline descriptions.",
+  descriptionShort: "Generate fish completion script",
+  descriptionMedium: "Output fish completion script with inline descriptions for commands and options.",
+  async execute() {
+    try {
+      const script = generateFishCompletion();
+      return successResult([script]);
+    } catch (error) {
+      return errorResult(
+        `Failed to generate fish completion: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+};
+var completionDomain = {
+  name: "completion",
+  description: "Generate shell completion scripts for bash, zsh, and fish shells. Enables tab-completion for xcsh commands, domains, actions, and flags in your preferred shell environment.",
+  descriptionShort: "Shell completion script generation",
+  descriptionMedium: "Generate tab-completion scripts for bash, zsh, and fish shells to enhance the xcsh command-line experience.",
+  commands: /* @__PURE__ */ new Map([
+    ["bash", bashCommand],
+    ["zsh", zshCommand],
+    ["fish", fishCommand]
+  ]),
+  subcommands: /* @__PURE__ */ new Map()
+};
+
+// src/domains/index.ts
+customDomains.register(loginDomain);
+customDomains.register(cloudstatusDomain);
+customDomains.register(completionDomain);
+for (const domain of customDomains.all()) {
+  completionRegistry.registerDomain(fromCustomDomain(domain));
+}
+for (const [, info] of domainRegistry) {
+  if (!completionRegistry.has(info.name)) {
+    completionRegistry.registerDomain(fromApiDomain(info));
+  }
+}
+var domainAliases = /* @__PURE__ */ new Map();
+for (const alias of cloudstatusAliases) {
+  domainAliases.set(alias, "cloudstatus");
+}
+function resolveDomainAlias(name) {
+  return domainAliases.get(name) ?? name;
+}
+function isCustomDomain(name) {
+  const canonical = resolveDomainAlias(name);
+  return customDomains.has(canonical);
+}
+
+// src/extensions/types.ts
+var RESERVED_API_ACTIONS = /* @__PURE__ */ new Set([
+  "list",
+  "get",
+  "create",
+  "delete",
+  "replace",
+  "apply",
+  "status",
+  "patch",
+  "add-labels",
+  "remove-labels"
+]);
+function isReservedAction(name) {
+  return RESERVED_API_ACTIONS.has(name.toLowerCase());
+}
+function validateExtension(extension) {
+  const conflicts = [];
+  for (const [name] of extension.commands) {
+    if (isReservedAction(name)) {
+      conflicts.push(name);
+    }
+  }
+  if (conflicts.length > 0) {
+    throw new Error(
+      `Extension "${extension.targetDomain}" has commands that conflict with API actions: ${conflicts.join(", ")}. Use unique names or submit a feature request to upstream.`
+    );
+  }
+}
+
+// src/extensions/registry.ts
+var ExtensionRegistry = class {
+  extensions = /* @__PURE__ */ new Map();
+  mergedCache = /* @__PURE__ */ new Map();
+  /**
+   * Register a domain extension
+   *
+   * @param extension - Extension definition to register
+   * @throws Error if extension has command name conflicts with API actions
+   */
+  register(extension) {
+    validateExtension(extension);
+    this.extensions.set(extension.targetDomain, extension);
+    this.mergedCache.delete(extension.targetDomain);
+  }
+  /**
+   * Get extension for a domain
+   *
+   * @param domain - Canonical domain name
+   * @returns Extension if registered, undefined otherwise
+   */
+  getExtension(domain) {
+    return this.extensions.get(domain);
+  }
+  /**
+   * Check if a domain has an extension
+   */
+  hasExtension(domain) {
+    return this.extensions.has(domain);
+  }
+  /**
+   * Get merged domain view combining API domain + extension
+   *
+   * Resolution priority:
+   * 1. Check if canonical domain exists in generated domains
+   * 2. Check if extension exists for this domain
+   * 3. Merge if both exist, or return standalone if only one
+   *
+   * @param domain - Canonical domain name or alias
+   * @returns Merged domain view or undefined if neither exists
+   */
+  getMergedDomain(domain) {
+    const canonical = aliasRegistry.get(domain) ?? domain;
+    const cached = this.mergedCache.get(canonical);
+    if (cached) {
+      return cached;
+    }
+    const domainInfo = domainRegistry.get(canonical);
+    const extension = this.extensions.get(canonical);
+    if (!domainInfo && !extension) {
+      return void 0;
+    }
+    const merged = this.buildMergedDomain(canonical, domainInfo, extension);
+    this.mergedCache.set(canonical, merged);
+    return merged;
+  }
+  /**
+   * Build a merged domain from API domain info and/or extension
+   */
+  buildMergedDomain(name, domainInfo, extension) {
+    const hasGeneratedDomain = !!domainInfo;
+    const hasExtension = !!extension;
+    let source;
+    if (hasGeneratedDomain && hasExtension) {
+      source = "merged";
+    } else if (hasGeneratedDomain) {
+      source = "generated";
+    } else {
+      source = "extension";
+    }
+    const displayName = domainInfo?.displayName ?? this.toDisplayName(extension?.targetDomain ?? name);
+    const description = domainInfo?.description ?? extension?.description ?? `Commands for ${displayName}`;
+    const merged = {
+      name,
+      displayName,
+      description,
+      source,
+      hasGeneratedDomain,
+      hasExtension,
+      extensionCommands: extension?.commands ?? /* @__PURE__ */ new Map(),
+      extensionSubcommands: extension?.subcommands ?? /* @__PURE__ */ new Map()
+    };
+    if (domainInfo) {
+      merged.metadata = domainInfo;
+    }
+    return merged;
+  }
+  /**
+   * Convert snake_case domain name to display name
+   */
+  toDisplayName(name) {
+    return name.split("_").map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+  }
+  /**
+   * Get all domains with extensions (for iteration)
+   */
+  getExtendedDomains() {
+    return Array.from(this.extensions.keys());
+  }
+  /**
+   * Get all merged domains (generated + extended)
+   *
+   * Returns domains that either:
+   * - Have generated API commands (from upstream)
+   * - Have extension commands (xcsh-specific)
+   * - Have both (merged)
+   */
+  getAllMergedDomains() {
+    const domains = /* @__PURE__ */ new Set();
+    for (const name of domainRegistry.keys()) {
+      domains.add(name);
+    }
+    for (const name of this.extensions.keys()) {
+      domains.add(name);
+    }
+    const merged = [];
+    for (const name of domains) {
+      const domain = this.getMergedDomain(name);
+      if (domain) {
+        merged.push(domain);
+      }
+    }
+    return merged.sort((a, b) => a.name.localeCompare(b.name));
+  }
+  /**
+   * Get extension command by name
+   *
+   * @param domain - Canonical domain name
+   * @param command - Command name
+   * @returns Command definition if found
+   */
+  getExtensionCommand(domain, command) {
+    const extension = this.getExtension(domain);
+    if (!extension) {
+      return void 0;
+    }
+    const cmd = extension.commands.get(command);
+    if (cmd) {
+      return cmd;
+    }
+    for (const [, cmdDef] of extension.commands) {
+      if (cmdDef.aliases?.includes(command)) {
+        return cmdDef;
       }
     }
+    return void 0;
   }
-  return `# fish completion for xcsh
-# Generated by xcsh completion fish
-
-# Disable file completions for xcsh
-complete -c xcsh -f
-
-# Global options
-complete -c xcsh -s h -l help -d 'Show help information'
-complete -c xcsh -s v -l version -d 'Show version number'
-complete -c xcsh -s i -l interactive -d 'Force interactive mode'
-complete -c xcsh -l no-color -d 'Disable color output'
-complete -c xcsh -s o -l output -d 'Output format' -xa 'json yaml table'
-complete -c xcsh -l namespace -s ns -d 'Namespace' -xa 'default system shared'
-
-# Builtin commands
-complete -c xcsh -n "__fish_use_subcommand" -a "help" -d 'Show help information'
-complete -c xcsh -n "__fish_use_subcommand" -a "quit" -d 'Exit the shell'
-complete -c xcsh -n "__fish_use_subcommand" -a "exit" -d 'Exit the shell'
-complete -c xcsh -n "__fish_use_subcommand" -a "clear" -d 'Clear the screen'
-complete -c xcsh -n "__fish_use_subcommand" -a "history" -d 'Show command history'
-complete -c xcsh -n "__fish_use_subcommand" -a "context" -d 'Show current navigation context'
-complete -c xcsh -n "__fish_use_subcommand" -a "ctx" -d 'Show current navigation context'
-
-# Domain completions
-${domainCompletions}
-
-# Alias completions
-${aliasCompletions}
-
-# Custom domain subcommands
-${customDomainCompletions.join("\n")}
-
-# Action completions for API domains
-${actionCompletions}
-
-# Action-specific flags
-complete -c xcsh -l name -s n -d 'Resource name'
-complete -c xcsh -l limit -d 'Maximum results'
-complete -c xcsh -l label -d 'Filter by label'
-complete -c xcsh -s f -l file -d 'Configuration file' -r
-complete -c xcsh -l force -d 'Force deletion'
-complete -c xcsh -l cascade -d 'Cascade delete'
-`;
-}
-
-// src/domains/completion/index.ts
-var bashCommand = {
-  name: "bash",
-  description: "Generate a bash shell completion script for xcsh. Output the script to stdout for manual installation or pipe to a file. Enables tab-completion for commands, domains, actions, and option flags.",
-  descriptionShort: "Generate bash completion script",
-  descriptionMedium: "Output bash completion script for tab-completion of commands, domains, and flags.",
-  async execute() {
-    try {
-      const script = generateBashCompletion();
-      return successResult([script]);
-    } catch (error) {
-      return errorResult(
-        `Failed to generate bash completion: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
-    }
+  /**
+   * Get extension subcommand group
+   *
+   * @param domain - Canonical domain name
+   * @param subcommand - Subcommand group name
+   * @returns Subcommand group if found
+   */
+  getExtensionSubcommand(domain, subcommand) {
+    const extension = this.getExtension(domain);
+    return extension?.subcommands?.get(subcommand);
   }
-};
-var zshCommand = {
-  name: "zsh",
-  description: "Generate a zsh shell completion script for xcsh. Output the script to stdout for manual installation or add to your fpath. Provides rich tab-completion with descriptions for commands, domains, and options.",
-  descriptionShort: "Generate zsh completion script",
-  descriptionMedium: "Output zsh completion script with rich descriptions for commands and options.",
-  async execute() {
-    try {
-      const script = generateZshCompletion();
-      return successResult([script]);
-    } catch (error) {
-      return errorResult(
-        `Failed to generate zsh completion: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
+  /**
+   * Check if a command exists in extension
+   */
+  hasExtensionCommand(domain, command) {
+    return this.getExtensionCommand(domain, command) !== void 0;
+  }
+  /**
+   * Get all extension command names for a domain
+   * Used for tab completion
+   */
+  getExtensionCommandNames(domain) {
+    const extension = this.getExtension(domain);
+    if (!extension) {
+      return [];
+    }
+    const names = [];
+    for (const [name, cmd] of extension.commands) {
+      names.push(name);
+      if (cmd.aliases) {
+        names.push(...cmd.aliases);
+      }
     }
+    return names;
   }
-};
-var fishCommand = {
-  name: "fish",
-  description: "Generate a fish shell completion script for xcsh. Output the script to stdout for manual installation or save to your fish completions directory. Enables intelligent tab-completion with inline descriptions.",
-  descriptionShort: "Generate fish completion script",
-  descriptionMedium: "Output fish completion script with inline descriptions for commands and options.",
-  async execute() {
-    try {
-      const script = generateFishCompletion();
-      return successResult([script]);
-    } catch (error) {
-      return errorResult(
-        `Failed to generate fish completion: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
+  /**
+   * Clear the merged domain cache
+   * Call this if generated domains change
+   */
+  clearCache() {
+    this.mergedCache.clear();
+  }
+  /**
+   * Get registry statistics
+   */
+  getStats() {
+    let standaloneCount = 0;
+    let mergedCount = 0;
+    for (const [domain] of this.extensions) {
+      if (domainRegistry.has(domain)) {
+        mergedCount++;
+      } else {
+        standaloneCount++;
+      }
     }
+    return {
+      extensionCount: this.extensions.size,
+      standaloneCount,
+      mergedCount
+    };
   }
 };
-var completionDomain = {
-  name: "completion",
-  description: "Generate shell completion scripts for bash, zsh, and fish shells. Enables tab-completion for xcsh commands, domains, actions, and flags in your preferred shell environment.",
-  descriptionShort: "Shell completion script generation",
-  descriptionMedium: "Generate tab-completion scripts for bash, zsh, and fish shells to enhance the xcsh command-line experience.",
-  commands: /* @__PURE__ */ new Map([
-    ["bash", bashCommand],
-    ["zsh", zshCommand],
-    ["fish", fishCommand]
-  ]),
-  subcommands: /* @__PURE__ */ new Map()
-};
+var extensionRegistry = new ExtensionRegistry();
 
-// src/domains/index.ts
-customDomains.register(loginDomain);
-customDomains.register(cloudstatusDomain);
-customDomains.register(completionDomain);
-var domainAliases = /* @__PURE__ */ new Map();
-for (const alias of cloudstatusAliases) {
-  domainAliases.set(alias, "cloudstatus");
-}
-function resolveDomainAlias(name) {
-  return domainAliases.get(name) ?? name;
-}
-function isCustomDomain(name) {
-  const canonical = resolveDomainAlias(name);
-  return customDomains.has(canonical);
+// src/extensions/index.ts
+function initializeExtensions() {
 }
+initializeExtensions();
 
 // src/repl/completion/cache.ts
 var DEFAULT_TTL_MS = 5 * 60 * 1e3;
@@ -50712,7 +49898,25 @@ var Completer = class {
     }
     let suggestions;
     if (parsed.isEscapedToRoot) {
-      suggestions = this.getRootContextSuggestions();
+      const firstArg2 = parsed.args[0];
+      if (parsed.args.length > 0 && firstArg2) {
+        const targetDomain = firstArg2.toLowerCase();
+        if (completionRegistry.has(targetDomain)) {
+          const domainNode = completionRegistry.get(targetDomain);
+          if (domainNode?.source === "api") {
+            suggestions = this.getActionSuggestions();
+          } else {
+            suggestions = completionRegistry.getChildSuggestions(
+              targetDomain,
+              parsed.currentWord
+            );
+          }
+        } else {
+          suggestions = this.getRootContextSuggestions();
+        }
+      } else {
+        suggestions = this.getRootContextSuggestions();
+      }
     } else {
       suggestions = await this.getContextualSuggestions();
     }
@@ -50723,53 +49927,36 @@ var Completer = class {
   }
   /**
    * Get completions for custom domain commands
+   * Uses unified completion registry for structure navigation,
+   * falls back to domain handlers for argument completions
    */
   async getCustomDomainCompletions(domainName, args, currentWord) {
-    const domain = customDomains.get(domainName);
-    if (!domain) {
+    const domainNode = completionRegistry.get(domainName);
+    if (!domainNode) {
       return [];
     }
-    const suggestions = [];
     if (args.length === 0 || args.length === 1 && currentWord === args[0]) {
-      for (const [name, group] of domain.subcommands) {
-        if (!currentWord || name.toLowerCase().startsWith(currentWord.toLowerCase())) {
-          suggestions.push({
-            text: name,
-            description: group.description,
-            category: "subcommand"
-          });
-        }
-      }
-      for (const [name, cmd] of domain.commands) {
-        if (!currentWord || name.toLowerCase().startsWith(currentWord.toLowerCase())) {
-          suggestions.push({
-            text: name,
-            description: cmd.description,
-            category: "command"
-          });
-        }
-      }
-      return suggestions;
+      return completionRegistry.getChildSuggestions(
+        domainName,
+        currentWord
+      );
     }
     const subgroupName = args[0]?.toLowerCase() ?? "";
-    const subgroup = domain.subcommands.get(subgroupName);
-    if (subgroup) {
+    const subgroupNode = domainNode.children?.get(subgroupName);
+    if (subgroupNode?.children) {
       if (args.length === 1 || args.length === 2 && currentWord === args[1]) {
-        const cmdPrefix = args.length === 2 ? currentWord : "";
-        for (const [name, cmd] of subgroup.commands) {
-          if (!cmdPrefix || name.toLowerCase().startsWith(cmdPrefix.toLowerCase())) {
-            suggestions.push({
-              text: name,
-              description: cmd.description,
-              category: "command"
-            });
-          }
-        }
-        return suggestions;
+        const prefix = args.length === 2 ? currentWord : "";
+        return completionRegistry.getNestedChildSuggestions(
+          domainName,
+          [subgroupName],
+          prefix
+        );
       }
       if (args.length >= 2 && this.session) {
         const cmdName = args[1]?.toLowerCase() ?? "";
-        const cmd = subgroup.commands.get(cmdName);
+        const domain2 = customDomains.get(domainName);
+        const subgroup = domain2?.subcommands.get(subgroupName);
+        const cmd = subgroup?.commands.get(cmdName);
         if (cmd?.completion) {
           try {
             const completions = await cmd.completion(
@@ -50788,8 +49975,9 @@ var Completer = class {
       }
     }
     const directCmdName = args[0]?.toLowerCase() ?? "";
-    const directCmd = domain.commands.get(directCmdName);
-    if (directCmd?.completion) {
+    const domain = customDomains.get(domainName);
+    const directCmd = domain?.commands.get(directCmdName);
+    if (directCmd?.completion && this.session) {
       try {
         const completions = await directCmd.completion(
           currentWord,
@@ -50804,7 +49992,7 @@ var Completer = class {
       } catch {
       }
     }
-    return suggestions;
+    return [];
   }
   /**
    * Get suggestions based on current navigation context
@@ -50980,95 +50168,23 @@ var Completer = class {
     return suggestions;
   }
   /**
-   * Get domain suggestions from registry
+   * Get domain suggestions from unified registry
    */
   getDomainSuggestions() {
-    const suggestions = [];
-    const addedDomains = /* @__PURE__ */ new Set();
-    for (const domain of customDomains.all()) {
-      suggestions.push({
-        text: domain.name,
-        description: domain.description,
-        category: "domain"
-      });
-      addedDomains.add(domain.name);
-    }
-    for (const extDomain of extensionRegistry.getExtendedDomains()) {
-      if (addedDomains.has(extDomain)) continue;
-      if (domainRegistry.has(extDomain)) continue;
-      const merged = extensionRegistry.getMergedDomain(extDomain);
-      if (merged && merged.source === "extension") {
-        suggestions.push({
-          text: extDomain,
-          description: merged.description,
-          category: "domain"
-        });
-        addedDomains.add(extDomain);
-      }
-    }
-    for (const [domain, meta] of domainRegistry) {
-      if (addedDomains.has(domain)) continue;
-      suggestions.push({
-        text: domain,
-        description: meta.descriptionShort,
-        category: "domain"
-      });
-      addedDomains.add(domain);
-    }
-    return suggestions;
+    return completionRegistry.getDomainSuggestions();
   }
   /**
-   * Get action suggestions
+   * Get action suggestions from unified registry
    */
   getActionSuggestions() {
-    return [
-      { text: "list", description: "List resources", category: "action" },
-      {
-        text: "get",
-        description: "Get a specific resource",
-        category: "action"
-      },
-      {
-        text: "create",
-        description: "Create a new resource",
-        category: "action"
-      },
-      {
-        text: "delete",
-        description: "Delete a resource",
-        category: "action"
-      },
-      {
-        text: "replace",
-        description: "Replace a resource",
-        category: "action"
-      },
-      {
-        text: "apply",
-        description: "Apply configuration from file",
+    const actionDescriptions2 = getActionDescriptions();
+    return Object.entries(actionDescriptions2).map(
+      ([action, description]) => ({
+        text: action,
+        description,
         category: "action"
-      },
-      {
-        text: "status",
-        description: "Get resource status",
-        category: "action"
-      },
-      {
-        text: "patch",
-        description: "Patch a resource",
-        category: "action"
-      },
-      {
-        text: "add-labels",
-        description: "Add labels to a resource",
-        category: "action"
-      },
-      {
-        text: "remove-labels",
-        description: "Remove labels from a resource",
-        category: "action"
-      }
-    ];
+      })
+    );
   }
   /**
    * Get flag suggestions for current action
@@ -51682,7 +50798,7 @@ function formatDomainHelp(domain) {
   output.push(`  ${CLI_NAME} ${domain.name} <action> [options]`);
   output.push("");
   output.push("ACTIONS");
-  const actionDescriptions = {
+  const actionDescriptions2 = {
     list: "List resources",
     get: "Get a specific resource by name",
     create: "Create a new resource",
@@ -51695,7 +50811,7 @@ function formatDomainHelp(domain) {
     "remove-labels": "Remove labels from a resource"
   };
   for (const action of validActions) {
-    const desc = actionDescriptions[action] ?? action;
+    const desc = actionDescriptions2[action] ?? action;
     output.push(`  ${action.padEnd(16)} ${desc}`);
   }
   output.push("");
@@ -51731,7 +50847,7 @@ function formatDomainHelp(domain) {
 function formatActionHelp(domainName, action) {
   const domain = getDomainInfo(domainName);
   const displayDomain = domain?.displayName ?? domainName;
-  const actionDescriptions = {
+  const actionDescriptions2 = {
     list: {
       desc: "List all resources in the namespace",
       usage: `${CLI_NAME} ${domainName} list [--limit N] [--label key=value]`
@@ -51773,7 +50889,7 @@ function formatActionHelp(domainName, action) {
       usage: `${CLI_NAME} ${domainName} remove-labels <name> key`
     }
   };
-  const actionInfo = actionDescriptions[action] ?? {
+  const actionInfo = actionDescriptions2[action] ?? {
     desc: `Execute ${action} operation`,
     usage: `${CLI_NAME} ${domainName} ${action} [options]`
   };