@runa-ai/runa-cli 0.5.72 → 0.7.0

package/dist/env-SS66PZ4B.js

@@ -0,0 +1,2623 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { tryResolveDatabaseUrl } from './chunk-KWX3JHCY.js';
+import { registerCleanup } from './chunk-TYIAD6SB.js';
+import { isNonInteractiveEnabled } from './chunk-6Y3LAUGL.js';
+import './chunk-NPSRD26F.js';
+import { loadEnvFiles } from './chunk-644FVGIQ.js';
+import { getVercelRootDirectory } from './chunk-MXRWBNIY.js';
+import { syncRunaConfigWithVercel } from './chunk-6AALH2ED.js';
+import './chunk-DRSUEMAK.js';
+import './chunk-II7VYQEM.js';
+import { init_local_supabase, getLocalSupabaseEnvValues, getLocalValueDescriptions } from './chunk-VM3IWOT5.js';
+import { emitJsonSuccess } from './chunk-KE6QJBZG.js';
+import './chunk-WJXC4MVY.js';
+import './chunk-HKUWEGUX.js';
+import './chunk-JMJP4A47.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { Command } from 'commander';
+import { existsSync, rmSync, readFileSync, mkdtempSync, writeFileSync, chmodSync, realpathSync, unlinkSync } from 'fs';
+import path, { resolve, join, basename, dirname } from 'path';
+import { CLIError, createCLILogger, syncEnvironment, EnvSyncOutputSchema } from '@runa-ai/runa';
+import { execa } from 'execa';
+import { z } from 'zod';
+import { fileURLToPath } from 'url';
+import { parse } from 'dotenv';
+import { stdout, stdin } from 'process';
+import * as readline from 'readline/promises';
+import { randomBytes } from 'crypto';
+import { spawn } from 'child_process';
+import { tmpdir } from 'os';
+
+createRequire(import.meta.url);
+
+// src/commands/env/index.ts
+init_esm_shims();
+
+// src/commands/env/commands/env-check.ts
+init_esm_shims();
+var EnvCheckOutputSchema = z.object({
+  local: z.object({
+    ready: z.boolean(),
+    checks: z.array(
+      z.object({
+        name: z.string(),
+        status: z.enum(["ok", "warning", "error", "info"]),
+        message: z.string(),
+        hint: z.string().optional()
+      })
+    )
+  }),
+  production: z.object({
+    checks: z.array(
+      z.object({
+        name: z.string(),
+        status: z.enum(["ok", "warning", "error", "info"]),
+        message: z.string(),
+        hint: z.string().optional()
+      })
+    )
+  })
+});
+function checkEnvDevelopment(workDir) {
+  const filePath = resolve(workDir, ".env.development");
+  if (!existsSync(filePath)) {
+    return {
+      name: ".env.development",
+      status: "warning",
+      message: "Not found",
+      hint: "Run: runa env pull (or cp .env.example .env.development)"
+    };
+  }
+  const content = readFileSync(filePath, "utf-8");
+  const isEncrypted = content.includes("encrypted:");
+  return {
+    name: ".env.development",
+    status: "ok",
+    message: isEncrypted ? "Found (encrypted)" : "Found (plaintext)",
+    hint: isEncrypted ? void 0 : "Consider: runa env encrypt"
+  };
+}
+function checkEnvKeys(workDir) {
+  const filePath = resolve(workDir, ".env.keys");
+  if (!existsSync(filePath)) {
+    const devEnv = resolve(workDir, ".env.development");
+    if (existsSync(devEnv)) {
+      const content = readFileSync(devEnv, "utf-8");
+      if (content.includes("encrypted:")) {
+        return {
+          name: ".env.keys",
+          status: "error",
+          message: "Missing (required for encrypted .env files)",
+          hint: "Run: runa env pull (extracts keys from Vercel)"
+        };
+      }
+    }
+    return {
+      name: ".env.keys",
+      status: "info",
+      message: "Not found (optional if .env files are plaintext)"
+    };
+  }
+  return {
+    name: ".env.keys",
+    status: "ok",
+    message: "Found"
+  };
+}
+async function checkSupabaseLocal() {
+  try {
+    await execa("supabase", ["--version"], { stdio: "pipe" });
+    const result = await execa("supabase", ["status"], {
+      stdio: "pipe",
+      reject: false
+    });
+    if (result.exitCode === 0) {
+      const output3 = result.stdout;
+      const dbMatch = output3.match(/DB URL:\s+postgresql:\/\/.*:(\d+)/);
+      const port = dbMatch ? dbMatch[1] : "54322";
+      return {
+        name: "Supabase local",
+        status: "ok",
+        message: `Running (port ${port})`
+      };
+    }
+    return {
+      name: "Supabase local",
+      status: "warning",
+      message: "Not running",
+      hint: "Run: pnpm db:start"
+    };
+  } catch {
+    return {
+      name: "Supabase local",
+      status: "info",
+      message: "CLI not found",
+      hint: "Install: npm i -g supabase"
+    };
+  }
+}
+function checkVercelLinked(workDir) {
+  const projectJson = resolve(workDir, ".vercel", "project.json");
+  if (!existsSync(projectJson)) {
+    return {
+      name: "Vercel project",
+      status: "info",
+      message: "Not linked",
+      hint: "Run: vercel link"
+    };
+  }
+  try {
+    const content = JSON.parse(readFileSync(projectJson, "utf-8"));
+    const projectId = content.projectId || "unknown";
+    return {
+      name: "Vercel project",
+      status: "ok",
+      message: `Linked (${projectId.substring(0, 12)}...)`
+    };
+  } catch {
+    return {
+      name: "Vercel project",
+      status: "warning",
+      message: "Invalid project.json",
+      hint: "Run: vercel link"
+    };
+  }
+}
+async function checkGitHubRepo() {
+  try {
+    const result = await execa("gh", ["repo", "view", "--json", "nameWithOwner"], {
+      stdio: "pipe",
+      reject: false
+    });
+    if (result.exitCode === 0) {
+      const data = JSON.parse(result.stdout);
+      return {
+        name: "GitHub repo",
+        status: "ok",
+        message: data.nameWithOwner,
+        hint: "Verify secrets: gh secret list"
+      };
+    }
+    return {
+      name: "GitHub repo",
+      status: "info",
+      message: "Not a GitHub repo or gh not authenticated",
+      hint: "Run: gh auth login"
+    };
+  } catch {
+    return {
+      name: "GitHub repo",
+      status: "info",
+      message: "gh CLI not found",
+      hint: "Install: brew install gh"
+    };
+  }
+}
+var STATUS_ICONS = {
+  ok: "\u2705",
+  error: "\u274C",
+  warning: "\u26A0\uFE0F",
+  info: "\u2139\uFE0F"
+};
+function logCheckResult(logger, check, verbose) {
+  const icon = STATUS_ICONS[check.status];
+  logger.info(`${icon} ${check.name.padEnd(20)} ${check.message}`);
+  if (verbose && check.hint) {
+    logger.info(`   \u2514\u2500 ${check.hint}`);
+  }
+}
+function logCheckSection(logger, title, checks, verbose) {
+  logger.info(`\u2501\u2501\u2501 ${title} \u2501\u2501\u2501`);
+  for (const check of checks) {
+    logCheckResult(logger, check, verbose);
+  }
+}
+function logRemoteVerificationHints(logger) {
+  logger.info("");
+  logger.info("\u2501\u2501\u2501 Remote Verification (run manually) \u2501\u2501\u2501");
+  logger.info("\u2139\uFE0F  GitHub Secrets:    gh secret list");
+  logger.info("\u2139\uFE0F  Vercel env vars:   vercel env ls");
+}
+function logRequiredSecrets(logger) {
+  logger.info("");
+  logger.info("\u{1F4CB} Required GitHub Secrets for production:");
+  logger.info("   \u2022 GH_DATABASE_URL_ADMIN (Direct, port 5432)");
+  logger.info("   \u2022 GH_DATABASE_URL (Pooler, port 6543)");
+  logger.info("");
+  logger.info("\u{1F4CB} Required Vercel env vars:");
+  logger.info("   \u2022 NEXT_PUBLIC_SUPABASE_URL");
+  logger.info("   \u2022 NEXT_PUBLIC_SUPABASE_ANON_KEY");
+  logger.info("   \u2022 SUPABASE_SERVICE_ROLE_KEY");
+  logger.info("   \u2022 SUPABASE_PROJECT_REF");
+  logger.info("   \u2022 DATABASE_URL (Pooler, port 6543)");
+}
+async function runEnvCheckAction(options) {
+  const logger = createCLILogger("env:check");
+  const workDir = options.cwd || process.cwd();
+  const verbose = options.verbose ?? false;
+  logger.section("Environment Check");
+  const localChecks = [
+    checkEnvDevelopment(workDir),
+    checkEnvKeys(workDir),
+    await checkSupabaseLocal()
+  ];
+  logCheckSection(logger, "Local Development", localChecks, verbose);
+  const localReady = localChecks.every((c) => c.status !== "error");
+  let productionChecks = [];
+  if (!options.local) {
+    productionChecks = [checkVercelLinked(workDir), await checkGitHubRepo()];
+    logger.info("");
+    logCheckSection(logger, "Production Setup", productionChecks, verbose);
+    logRemoteVerificationHints(logger);
+  }
+  logger.info("");
+  if (localReady) {
+    logger.success("\u{1F4A1} Local development environment is ready!");
+  } else {
+    logger.warn("\u26A0\uFE0F  Some issues found. See hints above.");
+  }
+  if (!options.local) {
+    logRequiredSecrets(logger);
+  }
+  emitJsonSuccess(checkCommand, EnvCheckOutputSchema, {
+    local: { ready: localReady, checks: localChecks },
+    production: { checks: productionChecks }
+  });
+  if (!localReady) {
+    process.exitCode = 1;
+  }
+}
+var checkCommand = new Command("check").description("Check environment configuration status").option("--local", "Check local development environment only").option("-v, --verbose", "Show hints for each check").option("--cwd <path>", "Working directory (default: current directory)").action(async (options) => {
+  await runEnvCheckAction(options);
+});
+
+// src/commands/env/commands/env-encrypt.ts
+init_esm_shims();
+
+// src/utils/dotenvx.ts
+init_esm_shims();
+async function getDotenvxCliPath() {
+  const pkgJsonUrl = import.meta.resolve("@dotenvx/dotenvx/package.json");
+  const pkgDir = dirname(fileURLToPath(pkgJsonUrl));
+  return join(pkgDir, "src", "cli", "dotenvx.js");
+}
+async function execDotenvx(args, options) {
+  const dotenvxPath = await getDotenvxCliPath();
+  return execa("node", [dotenvxPath, ...args], options);
+}
+async function isDotenvxAvailable() {
+  try {
+    await execDotenvx(["--version"], { stdio: "pipe" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/commands/env/commands/env-encrypt.ts
+var EnvEncryptOutputSchema = z.object({
+  results: z.array(
+    z.object({
+      environment: z.enum(["development", "preview", "production"]),
+      file: z.string(),
+      success: z.boolean(),
+      alreadyEncrypted: z.boolean().optional(),
+      error: z.string().optional()
+    })
+  ),
+  keysFile: z.string().optional(),
+  totalEncrypted: z.number(),
+  totalFailed: z.number()
+});
+var VERCEL_ENVIRONMENTS = ["development", "preview", "production"];
+function isAlreadyEncrypted(filePath) {
+  if (!existsSync(filePath)) return false;
+  const content = readFileSync(filePath, "utf-8");
+  const hasPublicKeyDeclaration = /^DOTENV_PUBLIC_KEY_\w+\s*=\s*["']?[A-Za-z0-9+/=]+/m.test(
+    content
+  );
+  if (!hasPublicKeyDeclaration) return false;
+  const hasEncryptedValue = /^[A-Z_][A-Z0-9_]*\s*=\s*["']?encrypted:/m.test(content);
+  return hasEncryptedValue;
+}
+async function encryptFile(workDir, environment, logger, options) {
+  const fileName = `.env.${environment}`;
+  const filePath = resolve(workDir, fileName);
+  if (!existsSync(filePath)) {
+    logger.warn(`  \u23ED\uFE0F  ${fileName} (not found)`);
+    return {
+      environment,
+      file: fileName,
+      success: false,
+      error: "File not found"
+    };
+  }
+  if (isAlreadyEncrypted(filePath)) {
+    logger.info(`  \u23ED\uFE0F  ${fileName} (already encrypted)`);
+    return {
+      environment,
+      file: fileName,
+      success: true,
+      alreadyEncrypted: true
+    };
+  }
+  logger.info(`  \u{1F510} Encrypting ${fileName}...`);
+  try {
+    const args = ["encrypt", "-f", filePath];
+    if (options.stdout) {
+      args.push("--stdout");
+    }
+    const result = await execDotenvx(args, {
+      cwd: workDir,
+      stdio: "pipe"
+    });
+    if (options.stdout && typeof result.stdout === "string") {
+      logger.info(result.stdout);
+    }
+    logger.success(`  \u2713 ${fileName}`);
+    return {
+      environment,
+      file: fileName,
+      success: true
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    logger.error(`  \u2717 ${fileName}: ${message}`);
+    return {
+      environment,
+      file: fileName,
+      success: false,
+      error: message
+    };
+  }
+}
+async function runEnvEncryptAction(options) {
+  const logger = createCLILogger("env:encrypt");
+  const workDir = options.cwd ?? process.cwd();
+  logger.section("dotenvx Encryption (Vercel-aligned)");
+  logger.info(`Working directory: ${workDir}`);
+  if (!await isDotenvxAvailable()) {
+    throw new CLIError("dotenvx CLI not available", "ENV_ENCRYPT_DOTENVX_NOT_FOUND", [
+      "This is unexpected - dotenvx should be bundled with runa CLI.",
+      "Try reinstalling: pnpm install"
+    ]);
+  }
+  const environments = options.environment ? [options.environment] : VERCEL_ENVIRONMENTS;
+  logger.info(`Environments: ${environments.join(", ")}`);
+  logger.info("");
+  const results = [];
+  for (const env of environments) {
+    const result = await encryptFile(workDir, env, logger, { stdout: options.stdout });
+    results.push(result);
+  }
+  const totalEncrypted = results.filter((r) => r.success && !r.alreadyEncrypted).length;
+  const totalFailed = results.filter((r) => !r.success).length;
+  const keysFile = resolve(workDir, ".env.keys");
+  logger.info("");
+  if (totalFailed > 0 && totalFailed === results.length) {
+    logger.error("\u274C No files encrypted");
+  } else if (totalFailed > 0) {
+    logger.warn(`\u26A0\uFE0F  Encrypted ${totalEncrypted}/${results.length} files`);
+  } else {
+    logger.success(`\u2705 Encrypted ${totalEncrypted} file(s)`);
+  }
+  if (existsSync(keysFile) && !options.stdout) {
+    logger.info("");
+    logger.info("Keys saved to .env.keys (gitignore).");
+    logger.info("");
+    logger.info("Vercel & GitHub Secrets:");
+    logger.info("  DOTENV_PRIVATE_KEY_DEVELOPMENT");
+    logger.info("  DOTENV_PRIVATE_KEY_PREVIEW");
+    logger.info("  DOTENV_PRIVATE_KEY_PRODUCTION");
+  }
+  emitJsonSuccess(encryptCommand, EnvEncryptOutputSchema, {
+    results,
+    keysFile: existsSync(keysFile) ? keysFile : void 0,
+    totalEncrypted,
+    totalFailed
+  });
+  if (totalFailed > 0 && totalFailed === results.length) {
+    process.exitCode = 1;
+  }
+}
+var encryptCommand = new Command("encrypt").description("Encrypt .env.{environment} files using dotenvx").option("-e, --environment <env>", "Specific environment (development, preview, production)").option("--stdout", "Output encrypted content to stdout").option("--cwd <path>", "Working directory (default: current directory)").action(async (options) => {
+  try {
+    await runEnvEncryptAction(options);
+  } catch (error) {
+    if (error instanceof CLIError) throw error;
+    throw new CLIError(
+      error instanceof Error ? error.message : "Encryption failed",
+      "ENV_ENCRYPT_FAILED",
+      [
+        "Check dotenvx is installed: dotenvx --version",
+        "Ensure .env.{environment} files exist",
+        "Try: runa env pull --all first"
+      ],
+      error instanceof Error ? error : void 0
+    );
+  }
+});
+
+// src/commands/env/commands/env-pull.ts
+init_esm_shims();
+
+// src/commands/env/commands/env-pull/service.ts
+init_esm_shims();
+
+// src/commands/env/commands/env-pull/auth.ts
+init_esm_shims();
+function resolveVercelAuth(workDir, options, logger) {
+  if (options.token && options.project) {
+    logger.info("Auth: Using --token and --project flags");
+    return {
+      method: "env",
+      token: options.token,
+      projectId: options.project,
+      orgId: options.org
+    };
+  }
+  const envToken = process.env.VERCEL_TOKEN;
+  const envProjectId = process.env.VERCEL_PROJECT_ID;
+  const envOrgId = process.env.VERCEL_ORG_ID;
+  if (envToken && envProjectId) {
+    logger.info("Auth: Using VERCEL_TOKEN and VERCEL_PROJECT_ID environment variables");
+    return {
+      method: "env",
+      token: envToken,
+      projectId: envProjectId,
+      orgId: envOrgId
+    };
+  }
+  const projectJson = resolve(workDir, ".vercel", "project.json");
+  if (existsSync(projectJson)) {
+    try {
+      const config = JSON.parse(readFileSync(projectJson, "utf-8"));
+      if (config.projectId) {
+        logger.info("Auth: Using .vercel/project.json (vercel link)");
+        return {
+          method: "file",
+          projectId: config.projectId,
+          orgId: config.orgId
+        };
+      }
+    } catch {
+    }
+  }
+  throw new CLIError("Vercel authentication not configured", "ENV_PULL_NOT_AUTHENTICATED", [
+    "Option A (AI-friendly): Set environment variables:",
+    "  export VERCEL_TOKEN=<your_token>",
+    "  export VERCEL_PROJECT_ID=<project_id>",
+    "",
+    "Option B (CLI flags): runa env pull --token xxx --project prj_xxx",
+    "",
+    "Option C (Interactive): vercel link"
+  ]);
+}
+function buildVercelCmdEnv(auth) {
+  const cmdEnv = { ...process.env };
+  if (auth.method === "env") {
+    if (auth.token) cmdEnv.VERCEL_TOKEN = auth.token;
+    if (auth.projectId) cmdEnv.VERCEL_PROJECT_ID = auth.projectId;
+    if (auth.orgId) cmdEnv.VERCEL_ORG_ID = auth.orgId;
+  }
+  return cmdEnv;
+}
+async function ensureVercelCli() {
+  try {
+    await execa("vercel", ["--version"], { stdio: "pipe" });
+  } catch {
+    throw new CLIError("Vercel CLI not found", "ENV_PULL_VERCEL_NOT_FOUND", [
+      "Install Vercel CLI: npm i -g vercel",
+      "Or: pnpm add -g vercel"
+    ]);
+  }
+}
+async function ensureDotenvxCli() {
+  if (!await isDotenvxAvailable()) {
+    throw new CLIError(
+      "dotenvx CLI not available (required for --encrypt)",
+      "ENV_PULL_DOTENVX_NOT_FOUND",
+      [
+        "This is unexpected - dotenvx should be bundled with runa CLI.",
+        "Try reinstalling: pnpm install"
+      ]
+    );
+  }
+}
+
+// src/commands/env/commands/env-pull/dotenv-files.ts
+init_esm_shims();
+init_local_supabase();
+
+// src/commands/env/commands/env-pull/security.ts
+init_esm_shims();
+var ERROR_MESSAGES = {
+  INVALID_PATH: "Invalid working directory path",
+  PATH_TRAVERSAL: "Working directory path validation failed"
+};
+function sanitizeErrorMessage(message) {
+  if (!message || typeof message !== "string") {
+    return "Unknown error";
+  }
+  let sanitized = message;
+  sanitized = sanitized.replace(
+    /\b(vercel_|vc_|VERCEL_TOKEN[=:]\s*)[a-zA-Z0-9_-]{20,}/gi,
+    "$1[REDACTED]"
+  );
+  sanitized = sanitized.replace(/\b(Bearer\s+)[a-zA-Z0-9._-]{20,}/gi, "$1[REDACTED]");
+  sanitized = sanitized.replace(
+    /\b(token[=:]\s*["']?)[a-zA-Z0-9._-]{20,}(["']?)/gi,
+    "$1[REDACTED]$2"
+  );
+  sanitized = sanitized.replace(
+    /\b(api[_-]?key[=:]\s*["']?)[a-zA-Z0-9._-]{20,}(["']?)/gi,
+    "$1[REDACTED]$2"
+  );
+  sanitized = sanitized.replace(
+    /\b(Authorization[=:]\s*["']?)[a-zA-Z0-9\s._-]{20,}(["']?)/gi,
+    "$1[REDACTED]$2"
+  );
+  sanitized = sanitized.replace(/:\/\/[^@\s]+@/g, "://[CREDENTIALS]@");
+  return sanitized;
+}
+function containsPathTraversal(inputPath) {
+  const normalized = path.normalize(inputPath);
+  return normalized.includes("..") || inputPath.includes("\0");
+}
+function isPathWithinBase(filePath, baseDir) {
+  try {
+    const resolvedFile = existsSync(filePath) ? realpathSync(filePath) : path.resolve(filePath);
+    const resolvedBase = existsSync(baseDir) ? realpathSync(baseDir) : path.resolve(baseDir);
+    const normalizedFile = path.normalize(resolvedFile);
+    const normalizedBase = path.normalize(resolvedBase);
+    return normalizedFile === normalizedBase || normalizedFile.startsWith(normalizedBase + path.sep);
+  } catch {
+    return false;
+  }
+}
+function validateCustomWorkingDir(cwdPath, projectRoot) {
+  if (containsPathTraversal(cwdPath)) {
+    throw new CLIError(ERROR_MESSAGES.PATH_TRAVERSAL, "ENV_PULL_PATH_TRAVERSAL");
+  }
+  const absolutePath = path.isAbsolute(cwdPath) ? cwdPath : path.resolve(projectRoot, cwdPath);
+  if (!isPathWithinBase(absolutePath, projectRoot)) {
+    throw new CLIError(ERROR_MESSAGES.PATH_TRAVERSAL, "ENV_PULL_PATH_TRAVERSAL");
+  }
+  if (!existsSync(absolutePath)) {
+    throw new CLIError(ERROR_MESSAGES.INVALID_PATH, "ENV_PULL_CWD_NOT_FOUND");
+  }
+  return absolutePath;
+}
+function resolveWorkingDir(options, logger) {
+  const projectRoot = process.cwd();
+  if (options.app) {
+    logger.warn(
+      `--app is deprecated. Environment files are managed at the monorepo root only.
+Turbo auto-propagates root .env.* files to all workspaces.
+Writing to project root instead of apps/${options.app}/.`
+    );
+  }
+  if (options.cwd) {
+    return validateCustomWorkingDir(options.cwd, projectRoot);
+  }
+  return projectRoot;
+}
+
+// src/commands/env/commands/env-pull/dotenv-files.ts
+var LOCAL_BOOTSTRAP_REQUIRED_KEYS = [
+  "LOCAL_SUPABASE_HOST",
+  "LOCAL_SUPABASE_API_PORT",
+  "LOCAL_SUPABASE_DB_PORT"
+];
+function getMissingLocalBootstrapKeys(parsed) {
+  return LOCAL_BOOTSTRAP_REQUIRED_KEYS.filter((key) => !(key in parsed));
+}
+function getLocalBootstrapStatusFromParsed(parsed) {
+  const missing = getMissingLocalBootstrapKeys(parsed);
+  return {
+    status: missing.length === 0 ? "ok" : "partial",
+    missing
+  };
+}
+function missingLocalBootstrapReport() {
+  return {
+    status: "missing",
+    missing: [...LOCAL_BOOTSTRAP_REQUIRED_KEYS]
+  };
+}
+function formatEnvValue(value) {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (value === "") {
+    return "";
+  }
+  const needsQuotes = value.includes("\n") || value.includes('"') || value.includes("'") || value.includes(" ") || value.includes("#") || value.includes("$") || value.startsWith(" ") || value.endsWith(" ");
+  if (!needsQuotes) {
+    return value;
+  }
+  return `"${value.replace(/"/g, '\\"')}"`;
+}
+function getOutputPath(workDir, environment) {
+  return resolve(workDir, `.env.${environment}`);
+}
+function extractAndSavePrivateKeys(workDir, envFiles, logger) {
+  const privateKeys = {};
+  for (const filePath of envFiles) {
+    if (!existsSync(filePath)) continue;
+    const content = readFileSync(filePath, "utf-8");
+    const parsed = parse(content);
+    for (const [key, value] of Object.entries(parsed)) {
+      if (key.startsWith("DOTENV_PRIVATE_KEY_") && value) {
+        privateKeys[key] = value;
+      }
+    }
+  }
+  if (Object.keys(privateKeys).length === 0) {
+    logger.warn("  \u26A0\uFE0F  No DOTENV_PRIVATE_KEY_* found in pulled files");
+    logger.warn("     Keys may need to be registered in Vercel first");
+    return false;
+  }
+  const keysContent = [
+    "#/-------------------[DOTENV_PRIVATE_KEYS]--------------------/",
+    "#/            private decryption keys. DO NOT commit to        /",
+    "#/               source control (gitignore)                   /",
+    "#/----------------------------------------------------------/",
+    "",
+    ...Object.entries(privateKeys).map(([key, value]) => `${key}=${formatEnvValue(value)}`),
+    ""
+  ].join("\n");
+  const keysFile = resolve(workDir, ".env.keys");
+  writeFileSync(keysFile, keysContent, "utf-8");
+  chmodSync(keysFile, 384);
+  logger.success(`  \u{1F511} Extracted ${Object.keys(privateKeys).length} keys \u2192 .env.keys`);
+  return true;
+}
+function removePrivateKeysFromEnvFile(filePath) {
+  if (!existsSync(filePath)) return;
+  const content = readFileSync(filePath, "utf-8");
+  const parsed = parse(content);
+  const filtered = Object.entries(parsed).filter(([key]) => !key.startsWith("DOTENV_PRIVATE_KEY_"));
+  const newContent = filtered.map(([key, value]) => `${key}=${formatEnvValue(value)}`).join("\n");
+  writeFileSync(filePath, `${newContent}
+`, "utf-8");
+}
+function loadParsedEnvFileForLocalBootstrap(filePath, logger) {
+  if (!existsSync(filePath)) {
+    logger.warn("  \u26A0\uFE0F  .env.development not found (was pull successful?)");
+    return null;
+  }
+  const content = readFileSync(filePath, "utf-8");
+  if (!content.trim()) {
+    logger.warn("  \u26A0\uFE0F  .env.development is empty (no env vars in Vercel?)");
+    return null;
+  }
+  const parsed = parse(content);
+  if (Object.keys(parsed).length === 0) {
+    logger.warn("  \u26A0\uFE0F  No valid env vars found in .env.development (check syntax)");
+    return null;
+  }
+  return parsed;
+}
+function hasSupabaseRelatedKeys(parsed) {
+  return Object.keys(parsed).some(
+    (key) => key.includes("SUPABASE") || key.includes("DATABASE_URL")
+  );
+}
+function applyLocalSupabaseReplacements(parsed, localEnvValues) {
+  const replacementKeys = Object.keys(localEnvValues);
+  const hasSupabaseContext = hasSupabaseRelatedKeys(parsed) || replacementKeys.some((key) => key in parsed);
+  const replacedKeys = [];
+  for (const key of replacementKeys) {
+    if (key in parsed || hasSupabaseContext) {
+      parsed[key] = localEnvValues[key];
+      replacedKeys.push(key);
+    }
+  }
+  return replacedKeys;
+}
+function logNoReplacementOutcome(logger, parsed) {
+  if (hasSupabaseRelatedKeys(parsed)) {
+    logger.warn("  \u26A0\uFE0F  Found Supabase keys but none matched local replacement patterns");
+    return;
+  }
+  logger.info("  No Supabase variables found (may be expected for new projects)");
+}
+function renderEnvFileContent(parsed) {
+  return Object.entries(parsed).map(([key, value]) => `${key}=${formatEnvValue(value)}`).join("\n");
+}
+function logLocalReplacementSummary(logger, replacedKeys, localDescriptions, ensureRequired, dryRun) {
+  const prefix = dryRun ? "Would replace" : "Replaced";
+  const method = dryRun ? logger.info.bind(logger) : logger.success.bind(logger);
+  method(`  \u{1F3E0} ${prefix} ${replacedKeys.length} variables with local values:`);
+  for (const key of replacedKeys) {
+    const description = localDescriptions[key] || "localhost";
+    logger.info(`     ${key} \u2192 ${description}`);
+  }
+  logger.info(
+    `  ${ensureRequired ? "\u2705" : "\u26A0\uFE0F"}  Local bootstrap keys ready: ${ensureRequired ? "yes" : "partial"}`
+  );
+  if (dryRun) {
+    logger.info("  (dry-run: no files modified)");
+  }
+}
+function replaceWithLocalValues(filePath, workDir, logger, dryRun = false) {
+  const parsed = loadParsedEnvFileForLocalBootstrap(filePath, logger);
+  if (!parsed) {
+    return missingLocalBootstrapReport();
+  }
+  const localEnvValues = getLocalSupabaseEnvValues(workDir);
+  const localDescriptions = getLocalValueDescriptions(workDir);
+  const replacedKeys = applyLocalSupabaseReplacements(parsed, localEnvValues);
+  if (replacedKeys.length === 0) {
+    logNoReplacementOutcome(logger, parsed);
+    return getLocalBootstrapStatusFromParsed(parsed);
+  }
+  const bootstrapStatus = getLocalBootstrapStatusFromParsed(parsed);
+  if (bootstrapStatus.missing.length > 0) {
+    logger.warn(
+      `  \u26A0\uFE0F  Some local bootstrap keys were not updated: ${bootstrapStatus.missing.join(", ")}`
+    );
+  }
+  const ensureRequired = bootstrapStatus.status === "ok";
+  const newContent = renderEnvFileContent(parsed);
+  if (dryRun) {
+    logLocalReplacementSummary(logger, replacedKeys, localDescriptions, ensureRequired, true);
+    return bootstrapStatus;
+  }
+  writeFileSync(filePath, `${newContent}
+`, "utf-8");
+  logLocalReplacementSummary(logger, replacedKeys, localDescriptions, ensureRequired, false);
+  return bootstrapStatus;
+}
+async function encryptFile2(workDir, filePath, logger) {
+  if (!existsSync(filePath)) {
+    return false;
+  }
+  try {
+    const keysFile = resolve(workDir, ".env.keys");
+    const args = ["encrypt", "-f", filePath];
+    if (existsSync(keysFile)) {
+      args.push("-fk", keysFile);
+    }
+    await execDotenvx(args, {
+      cwd: workDir,
+      stdio: "pipe"
+    });
+    logger.success(`  \u{1F510} Encrypted \u2192 ${basename(filePath)}`);
+    return true;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    logger.warn(`  \u26A0\uFE0F  Encryption failed: ${sanitizeErrorMessage(message)}`);
+    return false;
+  }
+}
+
+// src/commands/env/commands/env-pull/service.ts
+function mapVercelError(message, environment, outputPath, logger) {
+  const safeMessage = sanitizeErrorMessage(message);
+  if (message.includes("not linked")) {
+    logger.error(`  \u2717 ${environment}: Project not linked to Vercel`);
+    return {
+      environment,
+      outputPath,
+      success: false,
+      error: "Project not linked. Set VERCEL_TOKEN + VERCEL_PROJECT_ID or run: vercel link"
+    };
+  }
+  if (message.includes("No Project")) {
+    logger.error(`  \u2717 ${environment}: No Vercel project found`);
+    return {
+      environment,
+      outputPath,
+      success: false,
+      error: "No Vercel project. Set VERCEL_PROJECT_ID or run: vercel link"
+    };
+  }
+  if (message.includes("Invalid token") || message.includes("Unauthorized")) {
+    logger.error(`  \u2717 ${environment}: Invalid Vercel token`);
+    return {
+      environment,
+      outputPath,
+      success: false,
+      error: "Invalid VERCEL_TOKEN. Check your token is valid."
+    };
+  }
+  logger.error(`  \u2717 ${environment}: ${safeMessage}`);
+  return { environment, outputPath, success: false, error: safeMessage };
+}
+async function pullEnvironment(workDir, environment, auth, logger) {
+  const outputPath = getOutputPath(workDir, environment);
+  logger.info(`Pulling ${environment} environment...`);
+  logger.info(`  Output: ${outputPath}`);
+  try {
+    const args = ["env", "pull", outputPath, "--environment", environment, "--yes"];
+    const cmdEnv = buildVercelCmdEnv(auth);
+    await execa("vercel", args, { cwd: workDir, stdio: "pipe", env: cmdEnv });
+    logger.success(`  \u2713 ${environment} \u2192 ${basename(outputPath)}`);
+    return { environment, outputPath, success: true, encrypted: false };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return mapVercelError(message, environment, outputPath, logger);
+  }
+}
+async function pullAllEnvironments(workDir, environments, auth, logger) {
+  const results = [];
+  for (const environment of environments) {
+    results.push(await pullEnvironment(workDir, environment, auth, logger));
+  }
+  return results;
+}
+async function encryptPulledFiles(workDir, results, logger) {
+  const successfulPulls = results.filter((result) => result.success);
+  const envFiles = successfulPulls.map((result) => result.outputPath);
+  if (envFiles.length === 0) return;
+  logger.info("");
+  logger.info("Extracting encryption keys from Vercel...");
+  const keysExtracted = extractAndSavePrivateKeys(workDir, envFiles, logger);
+  if (!keysExtracted) return;
+  for (const filePath of envFiles) {
+    removePrivateKeysFromEnvFile(filePath);
+  }
+  logger.info("");
+  logger.info("Encrypting with Vercel-stored keys...");
+  for (const result of successfulPulls) {
+    result.encrypted = await encryptFile2(workDir, result.outputPath, logger);
+  }
+}
+async function syncVercelRootDirectory(workDir, logger) {
+  logger.info("");
+  logger.info("Checking Vercel Root Directory...");
+  const rootDirectory = await getVercelRootDirectory();
+  if (!rootDirectory) {
+    logger.info("  No Root Directory configured in Vercel project");
+    return {
+      detected: false,
+      rootDirectory: null,
+      configUpdated: false,
+      reason: "No Root Directory configured"
+    };
+  }
+  logger.info(`  Detected: ${rootDirectory}`);
+  const syncResult = syncRunaConfigWithVercel(workDir, rootDirectory);
+  if (!syncResult) {
+    return {
+      detected: true,
+      rootDirectory,
+      configUpdated: false,
+      reason: "Sync not needed"
+    };
+  }
+  if (syncResult.updated) {
+    logger.success(`  \u2705 Updated runa.config.ts: ${syncResult.field} = '${rootDirectory}'`);
+    return {
+      detected: true,
+      rootDirectory,
+      configUpdated: true,
+      reason: syncResult.reason
+    };
+  }
+  logger.info(`  runa.config.ts: ${syncResult.reason}`);
+  return {
+    detected: true,
+    rootDirectory,
+    configUpdated: false,
+    reason: syncResult.reason
+  };
+}
+function printPullSummary(logger, results, encrypt) {
+  const totalPulled = results.filter((result) => result.success).length;
+  const totalFailed = results.filter((result) => !result.success).length;
+  const totalEncrypted = results.filter((result) => result.encrypted).length;
+  logger.info("");
+  if (totalFailed > 0) {
+    logger.warn(`\u26A0\uFE0F  Pulled ${totalPulled}/${results.length} environments`);
+    for (const result of results.filter((item) => !item.success)) {
+      logger.warn(`   ${result.environment}: ${result.error}`);
+    }
+  } else {
+    logger.success(`\u2705 Pulled ${totalPulled} environment(s)`);
+    if (totalEncrypted > 0) {
+      logger.success(`\u{1F510} Encrypted ${totalEncrypted} file(s)`);
+    }
+  }
+  logger.info("");
+  if (encrypt) {
+    logger.info("Files encrypted for LOCAL SECURITY (not for git).");
+    logger.info("Keys saved to .env.keys (gitignore).");
+    logger.info("Decrypt: dotenvx run -- pnpm dev");
+  } else {
+    logger.warn("\u26A0\uFE0F  Files NOT encrypted. Use without --no-encrypt for security.");
+  }
+  return { totalPulled, totalFailed, totalEncrypted };
+}
+function validateEnvPullOptions(options) {
+  if (options.localhost && options.productionAll) {
+    throw new CLIError(
+      "--localhost and --production-all are mutually exclusive. Choose one.",
+      "INVALID_OPTIONS"
+    );
+  }
+}
+function resolveTargetEnvironments(options) {
+  return options.environment ? [options.environment] : ["development", "preview", "production"];
+}
+function logEnvPullMode(logger, workDir, options) {
+  const localhostMode = !options.productionAll;
+  logger.section("Vercel Environment Pull");
+  logger.info(`Working directory: ${workDir}`);
+  if (options.check) {
+    logger.info("Mode: DRY-RUN (preview only, no files will be written)");
+  }
+  logger.info(
+    `Development env: ${localhostMode ? "localhost (supabase start)" : "production URLs"}`
+  );
+  logger.info("");
+}
+function logTargetEnvironments(logger, environments, options) {
+  logger.info(`Environments: ${environments.join(", ")}`);
+  if (options.encrypt) {
+    logger.info("Encryption: enabled");
+  }
+  if (options.check) {
+    logger.info("Mode: dry-run (pull only, skip localhost replacement and encryption writes)");
+  }
+  logger.info("");
+}
+function shouldApplyLocalBootstrap(options) {
+  return !options.productionAll && (!options.environment || options.environment === "development");
+}
+function evaluateLocalBootstrap(options, results, workDir, logger) {
+  if (!shouldApplyLocalBootstrap(options)) {
+    return void 0;
+  }
+  const devResult = results.find(
+    (result) => result.environment === "development" && result.success
+  );
+  if (!devResult) {
+    logger.warn("  LOCAL_BOOTSTRAP: skipped (development env pull failed or missing)");
+    return missingLocalBootstrapReport();
+  }
+  logger.info("");
+  logger.info("Applying local Supabase values to .env.development...");
+  return replaceWithLocalValues(devResult.outputPath, workDir, logger, options.check);
+}
+async function runEncryptionStep(options, workDir, results, logger) {
+  if (!options.encrypt) {
+    return;
+  }
+  if (options.check) {
+    logger.info("");
+    logger.info("Encryption: skipped (dry-run mode)");
+    return;
+  }
+  await encryptPulledFiles(workDir, results, logger);
+}
+async function syncVercelConfigAfterPull(workDir, totalPulled, checkMode, logger) {
+  if (totalPulled === 0) {
+    return void 0;
+  }
+  if (checkMode) {
+    logger.info("Config sync: skipped (dry-run mode)");
+    return void 0;
+  }
+  return syncVercelRootDirectory(workDir, logger);
+}
+async function runEnvPullAction(options) {
+  const logger = createCLILogger("env:pull");
+  const workDir = resolveWorkingDir(options, logger);
+  validateEnvPullOptions(options);
+  logEnvPullMode(logger, workDir, options);
+  await ensureVercelCli();
+  if (options.encrypt) {
+    await ensureDotenvxCli();
+  }
+  const auth = resolveVercelAuth(workDir, options, logger);
+  const environments = resolveTargetEnvironments(options);
+  logTargetEnvironments(logger, environments, options);
+  const results = await pullAllEnvironments(workDir, environments, auth, logger);
+  const localBootstrap = evaluateLocalBootstrap(options, results, workDir, logger);
+  await runEncryptionStep(options, workDir, results, logger);
+  const totalPulled = results.filter((result) => result.success).length;
+  const vercelSyncResult = await syncVercelConfigAfterPull(
+    workDir,
+    totalPulled,
+    options.check === true,
+    logger
+  );
+  const { totalFailed, totalEncrypted } = printPullSummary(logger, results, options.encrypt);
+  return {
+    results,
+    totalPulled,
+    totalFailed,
+    totalEncrypted,
+    localBootstrap,
+    vercelSync: vercelSyncResult
+  };
+}
+
+// src/commands/env/commands/env-pull/shared.ts
+init_esm_shims();
+var EnvPullOutputSchema = z.object({
+  results: z.array(
+    z.object({
+      environment: z.enum(["development", "preview", "production"]),
+      outputPath: z.string(),
+      success: z.boolean(),
+      encrypted: z.boolean().optional(),
+      error: z.string().optional()
+    })
+  ),
+  totalPulled: z.number(),
+  totalFailed: z.number(),
+  totalEncrypted: z.number().optional(),
+  localBootstrap: z.object({
+    status: z.enum(["ok", "partial", "missing"]),
+    missing: z.array(z.string())
+  }).optional(),
+  vercelSync: z.object({
+    detected: z.boolean(),
+    rootDirectory: z.string().nullable(),
+    configUpdated: z.boolean(),
+    reason: z.string().optional()
+  }).optional()
+});
+
+// src/commands/env/commands/env-pull.ts
+var pullCommand = new Command("pull").description("Pull all environments from Vercel and encrypt (Vercel = SSOT)").option(
+  "-e, --environment <env>",
+  "Pull single environment only (development, preview, production)"
+).option("--app <name>", "App name for monorepo (e.g., dashboard)").option("--cwd <path>", "Working directory (default: current directory)").option("--no-encrypt", "Skip encryption (not recommended)").option(
+  "--production-all",
+  "Use production URLs for all environments (skip localhost replacement for development)"
+).option("--localhost", "Use localhost for development (default behavior, for explicit intent)").option("--check", "Dry-run mode: show what would be changed without writing files").option("--token <token>", "Vercel token (AI-friendly, alternative to vercel link)").option("--project <id>", "Vercel project ID (required with --token)").option("--org <id>", "Vercel org/team ID (optional with --token)").action(async (options) => {
+  try {
+    const result = await runEnvPullAction(options);
+    emitJsonSuccess(pullCommand, EnvPullOutputSchema, {
+      results: result.results,
+      totalPulled: result.totalPulled,
+      totalFailed: result.totalFailed,
+      totalEncrypted: options.encrypt ? result.totalEncrypted : void 0,
+      localBootstrap: result.localBootstrap,
+      vercelSync: result.vercelSync
+    });
+    if (result.totalFailed > 0) {
+      process.exitCode = 1;
+    }
+  } catch (error) {
+    if (error instanceof CLIError) throw error;
+    const rawMessage = error instanceof Error ? error.message : "Environment pull failed";
+    throw new CLIError(sanitizeErrorMessage(rawMessage), "ENV_PULL_FAILED", [
+      "Check Vercel CLI is installed: vercel --version",
+      "Ensure project is linked: vercel link",
+      "Check network connectivity"
+    ]);
+  }
+});
+
+// src/commands/env/commands/env-setup.ts
+init_esm_shims();
+
+// src/commands/env/commands/setup/action.ts
+init_esm_shims();
+
+// src/commands/env/commands/setup/auth.ts
+init_esm_shims();
+async function checkSupabaseCliAuth() {
+  try {
+    const result = await execa("supabase", ["projects", "list"], {
+      reject: false,
+      timeout: 1e4
+    });
+    if (result.exitCode !== 0) {
+      const stderr = result.stderr || "";
+      if (stderr.includes("not logged in") || stderr.includes("login")) {
+        return { authenticated: false, error: "Not logged in" };
+      }
+      if (stderr.includes("token") || stderr.includes("expired")) {
+        return { authenticated: false, error: "Token invalid or expired" };
+      }
+      return { authenticated: false, error: stderr || "Authentication failed" };
+    }
+    const linkPath = join(process.cwd(), "supabase", ".temp", "project-ref");
+    let linkedProject;
+    if (existsSync(linkPath)) {
+      linkedProject = readFileSync(linkPath, "utf-8").trim();
+    }
+    return { authenticated: true, linkedProject };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    if (message.includes("ENOENT")) {
+      return { authenticated: false, error: "Supabase CLI not installed" };
+    }
+    return { authenticated: false, error: "Failed to verify authentication" };
+  }
+}
+async function checkAuth(logger) {
+  logger.info("Checking authentication status...");
+  const status = {
+    vercel: { authenticated: false },
+    github: { authenticated: false },
+    supabase: { authenticated: false }
+  };
+  try {
+    const result = await execa("vercel", ["whoami"], { reject: false });
+    if (result.exitCode === 0) {
+      status.vercel = { authenticated: true, user: result.stdout.trim() };
+      logger.success(`  \u2713 Vercel: ${status.vercel.user}`);
+    } else {
+      status.vercel = { authenticated: false, error: "Not logged in" };
+      logger.warn("  \u2717 Vercel: Not logged in");
+    }
+  } catch {
+    status.vercel = { authenticated: false, error: "CLI not found" };
+    logger.warn("  \u2717 Vercel: CLI not found");
+  }
+  try {
+    const result = await execa("gh", ["auth", "status"], { reject: false });
+    if (result.exitCode === 0) {
+      const output3 = result.stderr || result.stdout;
+      const userMatch = output3.match(/Logged in to .+ as (\S+)/);
+      status.github = { authenticated: true, user: userMatch?.[1] };
+      logger.success(`  \u2713 GitHub: ${status.github.user || "authenticated"}`);
+    } else {
+      status.github = { authenticated: false, error: "Not logged in" };
+      logger.warn("  \u2717 GitHub: Not logged in");
+    }
+  } catch {
+    status.github = { authenticated: false, error: "CLI not found" };
+    logger.warn("  \u2717 GitHub: CLI not found");
+  }
+  const supabaseAuth = await checkSupabaseCliAuth();
+  if (supabaseAuth.authenticated) {
+    status.supabase = { authenticated: true };
+    if (supabaseAuth.linkedProject) {
+      logger.success(`  \u2713 Supabase: Logged in, linked to ${supabaseAuth.linkedProject}`);
+    } else {
+      logger.success("  \u2713 Supabase: Logged in");
+    }
+  } else {
+    status.supabase = { authenticated: false, error: supabaseAuth.error };
+    logger.warn(`  \u2717 Supabase: ${supabaseAuth.error}`);
+  }
+  return status;
+}
+
+// src/commands/env/commands/setup/file-export.ts
+init_esm_shims();
+var ENV_SETUP_TMP_FILE = ".env.setup-tmp";
+var cleanupRegistered = false;
+var SECURE_FILE_MODE = 384;
+function writeEnvSetupFile(envVars, drizzleAppPassword, drizzleServicePassword, logger) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const vercelVars = envVars.filter((e) => e.target.includes("vercel"));
+  const githubVars = envVars.filter((e) => e.target.includes("github"));
+  let content = `# runa env setup --export
+# Generated at: ${timestamp}
+# Review and manually register these values
+#
+# IMPORTANT: This file contains sensitive credentials!
+# - Do NOT commit this file to git (it's gitignored)
+# - Delete this file after registering the values
+#
+# Next Steps:
+# 1. Review the values below
+# 2. Register to Vercel: echo "<VALUE>" | vercel env add <KEY>
+# 3. Register to GitHub: gh secret set <KEY>
+# 4. Run RBAC setup: DRIZZLE_APP_PASSWORD="..." DRIZZLE_SERVICE_PASSWORD="..." pnpm db:setup-roles
+# 5. Delete this file: rm ${ENV_SETUP_TMP_FILE}
+
+`;
+  content += `# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+# Vercel Environment Variables
+# Register: echo "<VALUE>" | vercel env add <KEY>
+# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+`;
+  for (const env of vercelVars) {
+    content += `
+# ${env.description}
+`;
+    content += `${env.key}=${env.value}
+`;
+  }
+  content += `
+# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+# GitHub Secrets
+# Register: gh secret set <KEY>
+# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+`;
+  for (const env of githubVars) {
+    content += `
+# ${env.description}
+`;
+    content += `${env.key}=${env.value}
+`;
+  }
+  content += `
+# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+# RBAC Setup (Run after registering the above)
+# \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+
+# Copy this command to set up database roles:
+# DRIZZLE_APP_PASSWORD="${drizzleAppPassword}" \\
+# DRIZZLE_SERVICE_PASSWORD="${drizzleServicePassword}" \\
+# pnpm db:setup-roles
+`;
+  const filePath = join(process.cwd(), ENV_SETUP_TMP_FILE);
+  writeFileSync(filePath, content, { encoding: "utf-8", mode: SECURE_FILE_MODE });
+  try {
+    chmodSync(filePath, SECURE_FILE_MODE);
+  } catch {
+  }
+  if (!cleanupRegistered) {
+    registerCleanup(cleanupEnvSetupFileInternal);
+    cleanupRegistered = true;
+  }
+  logger.success(`\u2713 Written to ${ENV_SETUP_TMP_FILE} (permissions: owner-only)`);
+}
+function cleanupEnvSetupFileInternal() {
+  try {
+    const filePath = join(process.cwd(), ENV_SETUP_TMP_FILE);
+    if (existsSync(filePath)) {
+      unlinkSync(filePath);
+    }
+  } catch {
+  }
+}
+
+// src/commands/env/commands/setup/helpers.ts
+init_esm_shims();
+
+// src/commands/env/commands/setup/github-api.ts
+init_esm_shims();
+async function checkGitHubSecret(name, repoFullName) {
+  try {
+    const result = await execa("gh", ["secret", "list", "--json", "name", "--repo", repoFullName], {
+      reject: false
+    });
+    if (result.exitCode !== 0) return false;
+    const secrets = JSON.parse(result.stdout);
+    return secrets.some((s) => s.name === name);
+  } catch {
+    return false;
+  }
+}
+async function setGitHubSecret(name, value, overwrite, repoFullName, logger) {
+  const exists = await checkGitHubSecret(name, repoFullName);
+  if (exists && !overwrite) {
+    return {
+      key: name,
+      target: "github",
+      success: true,
+      action: "skipped"
+    };
+  }
+  try {
+    await execa("gh", ["secret", "set", name, "--body", value, "--repo", repoFullName]);
+    logger.success(`  \u2713 GitHub: ${name} ${exists ? "updated" : "created"}`);
+    return {
+      key: name,
+      target: "github",
+      success: true,
+      action: exists ? "updated" : "created"
+    };
+  } catch (error) {
+    return {
+      key: name,
+      target: "github",
+      success: false,
+      action: "skipped",
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
+
+// src/commands/env/commands/setup/parsers.ts
+init_esm_shims();
+function generateDrizzleAppPassword() {
+  return randomBytes(32).toString("base64url");
+}
+function generateDrizzleServicePassword() {
+  return randomBytes(32).toString("base64url");
+}
+function generateDotenvxPrivateKey() {
+  return randomBytes(32).toString("hex");
+}
+function parseVercelUrl(url) {
+  const cleanUrl = url.trim().replace(/^https?:\/\//, "").replace(/\/$/, "");
+  const match = cleanUrl.match(/^vercel\.com\/([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_-]+)/);
+  if (!match) return null;
+  return { team: match[1], project: match[2] };
+}
+function isValidGitHubOwner(name) {
+  if (!name || name.length > 39) return false;
+  if (!/^[a-zA-Z0-9-]+$/.test(name)) return false;
+  if (name.startsWith("-") || name.endsWith("-")) return false;
+  return true;
+}
+function isValidGitHubRepo(name) {
+  if (!name || name.length > 100) return false;
+  if (!/^[a-zA-Z0-9._-]+$/.test(name)) return false;
+  if (name.startsWith(".") && name !== ".github") return false;
+  if (/\.\./.test(name)) return false;
+  return true;
+}
+function parseGitHubUrl(url) {
+  const cleanUrl = url.trim().replace(/^https?:\/\//, "").replace(/\.git$/, "").replace(/\/$/, "");
+  const githubMatch = cleanUrl.match(/^github\.com\/([^/]+)\/([^/]+)/);
+  if (githubMatch) {
+    const owner = githubMatch[1];
+    const repo = githubMatch[2];
+    if (owner && repo && isValidGitHubOwner(owner) && isValidGitHubRepo(repo)) {
+      return { owner, repo };
+    }
+  }
+  const sshMatch = url.trim().match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/);
+  if (sshMatch) {
+    const owner = sshMatch[1];
+    const repo = sshMatch[2];
+    if (owner && repo && isValidGitHubOwner(owner) && isValidGitHubRepo(repo)) {
+      return { owner, repo };
+    }
+  }
+  const parts = cleanUrl.split("/");
+  if (parts.length === 2) {
+    const owner = parts[0];
+    const repo = parts[1];
+    if (owner && repo && isValidGitHubOwner(owner) && isValidGitHubRepo(repo)) {
+      return { owner, repo };
+    }
+  }
+  return null;
+}
+function parseSupabaseUrl(url) {
+  const cleanUrl = url.trim().replace(/^https?:\/\//, "");
+  const dashboardMatch = cleanUrl.match(/supabase\.com\/dashboard\/project\/([a-z0-9]+)/);
+  if (dashboardMatch) {
+    const projectRef = dashboardMatch[1];
+    if (projectRef.length >= 8 && projectRef.length <= 30) {
+      return projectRef;
+    }
+  }
+  const appMatch = cleanUrl.match(/app\.supabase\.com\/project\/([a-z0-9]+)/);
+  if (appMatch) {
+    const projectRef = appMatch[1];
+    if (projectRef.length >= 8 && projectRef.length <= 30) {
+      return projectRef;
+    }
+  }
+  return null;
+}
+function encodePasswordForUrl(password) {
+  return encodeURIComponent(password);
+}
+
+// src/commands/env/commands/setup/prompts.ts
+init_esm_shims();
+var CHAR_ENTER_CR = 13;
+var CHAR_ENTER_LF = 10;
+var CHAR_CTRL_C = 3;
+var CHAR_BACKSPACE_DEL = 127;
+var CHAR_BACKSPACE = 8;
+var CHAR_PRINTABLE_MIN = 32;
+function getCharAction(charCode) {
+  if (charCode === CHAR_ENTER_CR || charCode === CHAR_ENTER_LF) return "enter";
+  if (charCode === CHAR_CTRL_C) return "exit";
+  if (charCode === CHAR_BACKSPACE_DEL || charCode === CHAR_BACKSPACE) return "backspace";
+  if (charCode >= CHAR_PRINTABLE_MIN) return "char";
+  return "ignore";
+}
+function handlePasswordChar(char, password) {
+  const charCode = char.charCodeAt(0);
+  const action = getCharAction(charCode);
+  switch (action) {
+    case "enter":
+    case "exit":
+      return { action, password };
+    case "backspace":
+      if (password.length > 0) {
+        process.stdout.write("\b \b");
+        return { action, password: password.slice(0, -1) };
+      }
+      return { action: "ignore", password };
+    case "char":
+      process.stdout.write("*");
+      return { action, password: password + char };
+    default:
+      return { action: "ignore", password };
+  }
+}
+async function promptForUrl(rl, prompt, existingValue) {
+  const answer = await rl.question(`${prompt}: `);
+  return answer.trim();
+}
+async function promptForPassword(prompt) {
+  if (!process.stdin.isTTY) {
+    const rl = readline.createInterface({ input: stdin, output: stdout });
+    process.stdout.write(`${prompt}: `);
+    const answer = await rl.question("");
+    rl.close();
+    return answer.trim();
+  }
+  return new Promise((resolve5) => {
+    process.stdout.write(`${prompt}: `);
+    let password = "";
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+    const cleanup = () => {
+      process.stdin.setRawMode(false);
+      process.stdin.pause();
+      process.stdin.removeListener("data", onData);
+    };
+    const onData = (data) => {
+      for (const char of data) {
+        const result = handlePasswordChar(char, password);
+        password = result.password;
+        if (result.action === "enter") {
+          cleanup();
+          process.stdout.write("\n");
+          resolve5(password);
+          return;
+        }
+        if (result.action === "exit") {
+          cleanup();
+          process.stdout.write("\n");
+          process.exit(1);
+        }
+      }
+    };
+    process.stdin.on("data", onData);
+  });
+}
+async function promptForConfirmation(rl, message, autoApprove) {
+  const answer = await rl.question(`${message} (y/N): `);
+  return answer.toLowerCase() === "y" || answer.toLowerCase() === "yes";
+}
+async function collectServiceRoleKey(rl, options, isSecretKeyMasked, projectRef, logger) {
+  if (options.serviceRoleKey) {
+    return options.serviceRoleKey;
+  }
+  if (rl) {
+    logger.info("");
+    logger.warn("\u26A0\uFE0F  The sb_secret_ key is masked in API response.");
+    logger.info("Enter your secret key (Supabase Dashboard \u2192 Settings \u2192 API keys \u2192 secret keys):");
+    logger.info("");
+    logger.info(`  https://supabase.com/dashboard/project/${projectRef}/settings/api-keys`);
+    logger.info("");
+    logger.info("  (Leave empty to use legacy JWT format instead)");
+    rl.close();
+    const key = await promptForPassword("> Secret Key");
+    return key || void 0;
+  }
+  return void 0;
+}
+async function promptForProjectLink(rl, needsVercel, needsSupabase) {
+  const services = [needsVercel ? "Vercel" : null, needsSupabase ? "Supabase" : null].filter(Boolean).join(" and ");
+  console.log("");
+  console.log(`Link ${services} to current directory?`);
+  console.log("This enables other commands to work without re-entering URLs.");
+  return promptForConfirmation(rl, `Link ${services}?`);
+}
+async function collectPostgresPassword(rl, options, projectRef, logger) {
+  if (options.postgresPassword) {
+    return options.postgresPassword;
+  }
+  if (rl) {
+    logger.info("");
+    logger.info("Enter your postgres password (Supabase Dashboard \u2192 Settings \u2192 Database):");
+    logger.info("");
+    logger.info(`  https://supabase.com/dashboard/project/${projectRef}/settings/database`);
+    logger.info("");
+    logger.info(
+      '  Note: If you forgot your password, click "Reset database password" on the page above.'
+    );
+    logger.info("        Only reset if necessary - existing connections will be invalidated.");
+    rl.close();
+    const password = await promptForPassword("> Postgres Password");
+    if (!password) {
+      throw new CLIError("Postgres password required", "PASSWORD_REQUIRED", [
+        `Get it from: https://supabase.com/dashboard/project/${projectRef}/settings/database`
+      ]);
+    }
+    return password;
+  }
+  throw new CLIError("Postgres password required", "PASSWORD_REQUIRED", [
+    "In non-interactive mode, provide password via flag:",
+    "  runa env setup --postgres-password <password>"
+  ]);
+}
+
+// src/commands/env/commands/setup/supabase-api.ts
+init_esm_shims();
+function checkSupabaseLinked(cwd) {
+  const projectRefPath = join(cwd, ".supabase", "project-ref");
+  if (existsSync(projectRefPath)) {
+    const projectRef = readFileSync(projectRefPath, "utf-8").trim();
+    if (projectRef) return { linked: true, projectRef };
+  }
+  const tempProjectRefPath = join(cwd, "supabase", ".temp", "project-ref");
+  if (existsSync(tempProjectRefPath)) {
+    const projectRef = readFileSync(tempProjectRefPath, "utf-8").trim();
+    if (projectRef) return { linked: true, projectRef };
+  }
+  return { linked: false };
+}
+async function linkSupabaseInCwd(projectRef, logger) {
+  const result = await execa("supabase", ["link", "--project-ref", projectRef], {
+    reject: false
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(`Failed to link Supabase project: ${result.stderr || result.stdout}`);
+  }
+  logger.success(`  \u2713 Linked Supabase project: ${projectRef}`);
+}
+async function fetchSupabaseProjects() {
+  const result = await execa("supabase", ["projects", "list", "-o", "json"], { reject: false });
+  if (result.exitCode !== 0) {
+    const errorOutput = result.stderr || result.stdout || "";
+    throwSupabaseListError(errorOutput);
+  }
+  return JSON.parse(result.stdout);
+}
+function throwSupabaseListError(errorOutput) {
+  const isAuthError = errorOutput.includes("not logged in") || errorOutput.includes("unauthorized");
+  const isAccessError = errorOutput.includes("access") || errorOutput.includes("permission") || errorOutput.includes("forbidden");
+  if (isAuthError) {
+    throw new Error("Not logged in to Supabase. Run: supabase login");
+  }
+  if (isAccessError) {
+    throw new Error(
+      `Cannot access Supabase projects. Check:
+  1. You are logged in: supabase login
+  2. You have access to this organization in Supabase Dashboard`
+    );
+  }
+  throw new Error(
+    `Failed to list Supabase projects.
+  Steps to fix:
+  1. supabase login (authenticate)
+  2. Verify access in Supabase Dashboard
+  Error: ${errorOutput?.trim() || "No error message provided"}`
+  );
+}
+async function fetchSupabaseApiKeys(projectRef) {
+  const result = await execa(
+    "supabase",
+    ["projects", "api-keys", "--project-ref", projectRef, "-o", "json"],
+    { reject: false }
+  );
+  if (result.exitCode !== 0) {
+    throw new Error("Failed to fetch API keys");
+  }
+  return JSON.parse(result.stdout);
+}
+async function resolveServiceRoleKey(keys, providedKey, rl, projectRef, logger) {
+  if (providedKey) {
+    const format = providedKey.startsWith("sb_secret_") ? "secret (provided)" : "provided";
+    return { key: providedKey, format };
+  }
+  const newSecretKey = keys.find((k) => k.type === "secret")?.api_key;
+  const legacyKey = keys.find((k) => k.name === "service_role" && k.type === "legacy")?.api_key;
+  const isSecretKeyMasked = newSecretKey?.includes("\xB7");
+  if (isSecretKeyMasked) {
+    const emptyOptions = {};
+    const interactiveKey = await collectServiceRoleKey(rl, emptyOptions, true, projectRef, logger);
+    if (interactiveKey) {
+      const format = interactiveKey.startsWith("sb_secret_") ? "secret (input)" : "input";
+      return { key: interactiveKey, format };
+    }
+    if (legacyKey) {
+      logger.info("  Using legacy JWT format for service_role key.");
+      return { key: legacyKey, format: "legacy" };
+    }
+  }
+  if (newSecretKey && !isSecretKeyMasked) {
+    return { key: newSecretKey, format: "secret" };
+  }
+  if (legacyKey) {
+    return { key: legacyKey, format: "legacy" };
+  }
+  throw new Error("Could not find service_role API key");
+}
+function resolveAnonKey(keys) {
+  const newKey = keys.find((k) => k.type === "publishable")?.api_key;
+  const legacyKey = keys.find((k) => k.name === "anon" && k.type === "legacy")?.api_key;
+  if (newKey) return { key: newKey, format: "publishable" };
+  if (legacyKey) return { key: legacyKey, format: "legacy" };
+  throw new Error("Could not find anon API key");
+}
+async function getSupabaseProjectInfo(projectRef, logger, rl, providedServiceRoleKey) {
+  logger.info(`Fetching Supabase project info: ${projectRef}...`);
+  try {
+    const projects = await fetchSupabaseProjects();
+    const project = projects.find((p) => p.id === projectRef);
+    if (!project) {
+      throw new Error(`Project ${projectRef} not found. Ensure you have access to this project.`);
+    }
+    const keys = await fetchSupabaseApiKeys(projectRef);
+    const anon = resolveAnonKey(keys);
+    const service = await resolveServiceRoleKey(
+      keys,
+      providedServiceRoleKey,
+      rl,
+      projectRef,
+      logger
+    );
+    logger.success(`  \u2713 Found project: ${project.name}`);
+    logger.success(`  \u2713 Retrieved anon key (${anon.format})`);
+    logger.success(`  \u2713 Retrieved service_role key (${service.format})`);
+    return {
+      projectRef,
+      projectName: project.name,
+      anonKey: anon.key,
+      serviceRoleKey: service.key,
+      supabaseUrl: `https://${projectRef}.supabase.co`
+    };
+  } catch (error) {
+    throw new CLIError(
+      `Failed to get Supabase project info: ${error instanceof Error ? error.message : "Unknown error"}`,
+      "SUPABASE_PROJECT_ERROR",
+      [
+        "Ensure you are logged in: supabase login",
+        "Link your project: supabase link --project-ref <your-project-ref>",
+        "Ensure you have access to this project in Supabase Dashboard"
+      ],
+      error instanceof Error ? error : void 0
+    );
+  }
+}
+
+// src/commands/env/commands/setup/vercel-api.ts
+init_esm_shims();
+function checkVercelLinked2(cwd) {
+  const projectJsonPath = join(cwd, ".vercel", "project.json");
+  if (!existsSync(projectJsonPath)) {
+    return { linked: false };
+  }
+  try {
+    const content = JSON.parse(readFileSync(projectJsonPath, "utf-8"));
+    return { linked: true, projectId: content.projectId };
+  } catch {
+    return { linked: false };
+  }
+}
+async function linkVercelInCwd(team, project, logger) {
+  const args = ["link", "--project", project, "--yes"];
+  if (team) {
+    args.push("--scope", team);
+  }
+  const result = await execa("vercel", args, { reject: false });
+  if (result.exitCode !== 0) {
+    throw new Error(`Failed to link Vercel project: ${result.stderr || result.stdout}`);
+  }
+  logger.success(`  \u2713 Linked Vercel project: ${project}`);
+}
+async function getVercelProjectInfo(team, project, logger) {
+  logger.info(`Fetching Vercel project info: ${team}/${project}...`);
+  const linkedDir = mkdtempSync(join(tmpdir(), "runa-vercel-"));
+  try {
+    const result = await execa("vercel", ["project", "ls", "--json", "--scope", team], {
+      reject: false
+    });
+    if (result.exitCode !== 0) {
+      const fallbackResult = await execa("vercel", ["project", "ls", "--json"], {
+        reject: false
+      });
+      if (fallbackResult.exitCode !== 0) {
+        rmSync(linkedDir, { recursive: true, force: true });
+        throw new Error(`Failed to list Vercel projects (team: ${team})`);
+      }
+      const projectInfo2 = parseVercelProjectList(fallbackResult.stdout, team, project, logger);
+      await linkVercelProject(projectInfo2.projectName, void 0, linkedDir, logger);
+      return { ...projectInfo2, linkedDir };
+    }
+    const projectInfo = parseVercelProjectList(result.stdout, team, project, logger);
+    await linkVercelProject(projectInfo.projectName, team, linkedDir, logger);
+    return { ...projectInfo, linkedDir };
+  } catch (error) {
+    rmSync(linkedDir, { recursive: true, force: true });
+    throw new CLIError(
+      `Failed to get Vercel project info: ${error instanceof Error ? error.message : "Unknown error"}`,
+      "VERCEL_PROJECT_ERROR",
+      [
+        "Ensure you have access to this project",
+        `Verify team access: vercel teams ls`,
+        `Try: vercel project ls --scope ${team}`,
+        "Or: vercel login (to refresh authentication)"
+      ]
+    );
+  }
+}
+async function linkVercelProject(projectName, teamSlug, linkedDir, logger) {
+  const args = ["link", "--project", projectName, "--yes", "--cwd", linkedDir];
+  if (teamSlug) {
+    args.push("--scope", teamSlug);
+  }
+  const result = await execa("vercel", args, {
+    reject: false
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(
+      `Failed to link Vercel project: ${result.stderr || result.stdout || "Unknown error"}`
+    );
+  }
+  logger.success(`  \u2713 Linked project for env operations`);
+}
+function parseVercelProjectList(stdout, team, project, logger) {
+  const lines = stdout.split("\n");
+  let jsonString = "";
+  let braceCount = 0;
+  let inJson = false;
+  for (const line of lines) {
+    if (!inJson && line.trim().startsWith("{")) {
+      inJson = true;
+      jsonString = "";
+    }
+    if (inJson) {
+      jsonString += `${line}
+`;
+      braceCount += (line.match(/\{/g) || []).length;
+      braceCount -= (line.match(/\}/g) || []).length;
+      if (braceCount === 0) {
+        break;
+      }
+    }
+  }
+  if (!jsonString.trim()) {
+    throw new Error("No JSON found in Vercel output");
+  }
+  const parsed = JSON.parse(jsonString.trim());
+  const foundProject = parsed.projects.find(
+    (p) => p.name === project || p.name === `${team}/${project}` || p.name.toLowerCase() === project.toLowerCase()
+  );
+  if (!foundProject) {
+    const availableProjects = parsed.projects.map((p) => p.name).slice(0, 5);
+    throw new Error(
+      `Project "${project}" not found in team "${team}". Available projects: ${availableProjects.join(", ")}${parsed.projects.length > 5 ? "..." : ""}`
+    );
+  }
+  logger.success(`  \u2713 Found project: ${foundProject.name} (${foundProject.id})`);
+  return {
+    projectId: foundProject.id,
+    projectName: foundProject.name,
+    orgId: foundProject.accountId,
+    teamSlug: team
+    // Store team for subsequent API calls
+  };
+}
+async function getVercelEnvVar(linkedDir, key) {
+  try {
+    const args = ["env", "ls", "--cwd", linkedDir];
+    const result = await execa("vercel", args, {
+      reject: false
+    });
+    if (result.exitCode !== 0) return { exists: false };
+    const lines = result.stdout.split("\n");
+    for (const line of lines) {
+      const trimmedLine = line.trim();
+      if (trimmedLine.startsWith(key) && /^\s/.test(line.charAt(key.length + 1) || "")) {
+        const parts = trimmedLine.split(/\s{2,}/);
+        if (parts[0] === key) {
+          return { exists: true };
+        }
+      }
+    }
+    return { exists: false };
+  } catch {
+    return { exists: false };
+  }
+}
+async function setVercelEnvVar(linkedDir, key, value, overwrite, logger) {
+  const existing = await getVercelEnvVar(linkedDir, key);
+  if (existing.exists && !overwrite) {
+    return {
+      key,
+      target: "vercel",
+      success: true,
+      action: "skipped"
+    };
+  }
+  try {
+    if (existing.exists) {
+      const rmArgs = ["env", "rm", key, "--yes", "--cwd", linkedDir];
+      await execa("vercel", rmArgs, {
+        reject: false
+        // Don't throw if variable doesn't exist in some environments
+      });
+    }
+    const environments = ["development", "preview", "production"];
+    for (const env of environments) {
+      const addArgs = ["env", "add", key, env, "--cwd", linkedDir];
+      await new Promise((resolve5, reject) => {
+        const proc = spawn("vercel", addArgs, {
+          stdio: ["pipe", "pipe", "pipe"]
+        });
+        let stderr = "";
+        proc.stderr?.on("data", (data) => {
+          stderr += data.toString();
+        });
+        proc.stdin?.write(`${value}
+`);
+        proc.stdin?.end();
+        proc.on("close", (code) => {
+          if (code === 0) {
+            resolve5();
+          } else {
+            reject(
+              new Error(`vercel env add (${env}) failed with exit code ${code}: ${stderr.trim()}`)
+            );
+          }
+        });
+        proc.on("error", (err) => {
+          reject(err);
+        });
+      });
+    }
+    logger.success(`  \u2713 Vercel: ${key} ${existing.exists ? "updated" : "created"}`);
+    return {
+      key,
+      target: "vercel",
+      success: true,
+      action: existing.exists ? "updated" : "created"
+    };
+  } catch (error) {
+    const errorMsg = error instanceof Error ? error.message : "Unknown error";
+    logger.warn(`  \u2717 Vercel: ${key} failed - ${errorMsg}`);
+    return {
+      key,
+      target: "vercel",
+      success: false,
+      action: "skipped",
+      error: errorMsg
+    };
+  }
+}
+
+// src/commands/env/commands/setup/helpers.ts
+function checkEarlyLinkStatus(logger) {
+  const cwd = process.cwd();
+  const vercelStatus = checkVercelLinked2(cwd);
+  const supabaseStatus = checkSupabaseLinked(cwd);
+  logger.info("Project Status:");
+  if (vercelStatus.linked) {
+    logger.info(`  \u2713 Vercel: linked (${vercelStatus.projectId})`);
+  } else {
+    logger.info("  \u25CB Vercel: not linked (will link during setup)");
+  }
+  if (supabaseStatus.linked) {
+    logger.info(`  \u2713 Supabase: linked (${supabaseStatus.projectRef})`);
+  } else {
+    logger.info("  \u25CB Supabase: not linked (will link during setup)");
+  }
+  logger.info("");
+  return {
+    vercelLinked: vercelStatus.linked,
+    vercelProjectId: vercelStatus.projectId,
+    supabaseLinked: supabaseStatus.linked,
+    supabaseProjectRef: supabaseStatus.projectRef
+  };
+}
+async function validateAuthenticationWithLinkStatus(authStatus, options, linkStatus) {
+  const linkHints = [];
+  if (!linkStatus.vercelLinked) {
+    linkHints.push("Note: Project linking will be prompted during setup if needed");
+  }
+  if (!linkStatus.supabaseLinked && linkStatus.vercelLinked) {
+    linkHints.push("Note: Supabase linking will be prompted during setup if needed");
+  }
+  if (!authStatus.vercel.authenticated && !options.skipVercel) {
+    throw new CLIError("Vercel authentication required", "AUTH_REQUIRED", [
+      "Run: vercel login",
+      ...linkHints.length > 0 ? ["", ...linkHints] : []
+    ]);
+  }
+  if (!authStatus.github.authenticated && !options.skipGithub) {
+    throw new CLIError("GitHub authentication required", "AUTH_REQUIRED", [
+      "Run: gh auth login",
+      ...linkHints.length > 0 ? ["", ...linkHints] : []
+    ]);
+  }
+  if (!authStatus.supabase.authenticated) {
+    throw new CLIError("Supabase authentication required", "AUTH_REQUIRED", [
+      "Run: supabase login",
+      ...linkHints.length > 0 ? ["", ...linkHints] : []
+    ]);
+  }
+}
+async function collectUrls(rl, options, logger) {
+  let vercelUrl = options.vercelUrl;
+  let githubUrl = options.githubUrl;
+  let supabaseUrl = options.supabaseUrl;
+  if (rl) {
+    if (!githubUrl) {
+      logger.info("Enter your GitHub repo URL (e.g., https://github.com/owner/repo):");
+      githubUrl = await promptForUrl(rl, "> GitHub URL");
+    }
+    if (!vercelUrl) {
+      logger.info("");
+      logger.info("Enter your Vercel project URL (e.g., https://vercel.com/team/project):");
+      vercelUrl = await promptForUrl(rl, "> Vercel URL");
+    }
+    if (!supabaseUrl) {
+      logger.info("");
+      logger.info(
+        "Enter your Supabase project URL (e.g., https://supabase.com/dashboard/project/abcd1234):"
+      );
+      supabaseUrl = await promptForUrl(rl, "> Supabase URL");
+    }
+  }
+  if (!vercelUrl || !githubUrl || !supabaseUrl) {
+    throw new CLIError("URLs required", "URLS_REQUIRED", [
+      "In non-interactive mode, provide URLs via flags:",
+      "  runa env setup --vercel-url <url> --github-url <url> --supabase-url <url>"
+    ]);
+  }
+  return { vercelUrl, githubUrl, supabaseUrl };
+}
+function parseAndValidateUrls(vercelUrl, githubUrl, supabaseUrl) {
+  const vercelParsed = parseVercelUrl(vercelUrl);
+  if (!vercelParsed) {
+    throw new CLIError("Invalid Vercel URL format", "INVALID_URL", [
+      "Expected: https://vercel.com/team/project"
+    ]);
+  }
+  const githubParsed = parseGitHubUrl(githubUrl);
+  if (!githubParsed) {
+    throw new CLIError("Invalid GitHub URL format", "INVALID_URL", [
+      "Expected: https://github.com/owner/repo"
+    ]);
+  }
+  const supabaseRef = parseSupabaseUrl(supabaseUrl);
+  if (!supabaseRef) {
+    throw new CLIError("Invalid Supabase URL format", "INVALID_URL", [
+      "Expected: https://supabase.com/dashboard/project/<project_ref>"
+    ]);
+  }
+  return { vercelParsed, githubParsed, supabaseRef };
+}
+function buildEnvVarList(supabaseProject, supabaseRef, postgresPassword, drizzleAppPassword, drizzleServicePassword, dotenvxKeys) {
+  const encodedPostgresPassword = encodePasswordForUrl(postgresPassword);
+  const encodedDrizzleAppPassword = encodePasswordForUrl(drizzleAppPassword);
+  const encodedDrizzleServicePassword = encodePasswordForUrl(drizzleServicePassword);
+  return [
+    // Supabase credentials
+    {
+      key: "NEXT_PUBLIC_SUPABASE_URL",
+      value: supabaseProject.supabaseUrl,
+      target: ["vercel"],
+      description: "Supabase project URL (public)"
+    },
+    {
+      key: "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+      value: supabaseProject.anonKey,
+      target: ["vercel"],
+      description: "Supabase anon key (public)"
+    },
+    {
+      key: "SUPABASE_SERVICE_ROLE_KEY",
+      value: supabaseProject.serviceRoleKey,
+      target: ["vercel"],
+      description: "Supabase service role key (server-only)"
+    },
+    // Database URLs (Vercel)
+    {
+      key: "DATABASE_URL",
+      value: `postgresql://drizzle_app:${encodedDrizzleAppPassword}@db.${supabaseRef}.supabase.co:5432/postgres`,
+      target: ["vercel"],
+      description: "App database URL (drizzle_app role, DML only)"
+    },
+    {
+      key: "DATABASE_URL_ADMIN",
+      value: `postgresql://postgres:${encodedPostgresPassword}@db.${supabaseRef}.supabase.co:5432/postgres`,
+      target: ["vercel"],
+      description: "Admin database URL (postgres role, DDL)"
+    },
+    {
+      key: "DATABASE_URL_SERVICE",
+      value: `postgresql://drizzle_service:${encodedDrizzleServicePassword}@db.${supabaseRef}.supabase.co:5432/postgres`,
+      target: ["vercel"],
+      description: "Service database URL (drizzle_service role, RLS bypassed - Webhooks/Background Jobs only)"
+    },
+    // Database URLs (GitHub CI)
+    {
+      key: "GH_DATABASE_URL_ADMIN",
+      value: `postgresql://postgres:${encodedPostgresPassword}@db.${supabaseRef}.supabase.co:5432/postgres`,
+      target: ["github"],
+      description: "CI migrations URL (postgres role, DDL)"
+    },
+    {
+      key: "GH_DATABASE_URL",
+      value: `postgresql://drizzle_app:${encodedDrizzleAppPassword}@db.${supabaseRef}.supabase.co:5432/postgres`,
+      target: ["github"],
+      description: "CI verification URL (drizzle_app role, DML)"
+    },
+    // NOTE: VERCEL_PROJECT_ID is NOT registered to GitHub Secrets.
+    // Vercel GitHub Integration handles deployments automatically (no CI secrets needed).
+    // dotenvx encryption keys (Vercel only - for runa env pull)
+    {
+      key: "DOTENV_PRIVATE_KEY_DEVELOPMENT",
+      value: dotenvxKeys.development,
+      target: ["vercel"],
+      description: "dotenvx key for .env.development"
+    },
+    {
+      key: "DOTENV_PRIVATE_KEY_PREVIEW",
+      value: dotenvxKeys.preview,
+      target: ["vercel"],
+      description: "dotenvx key for .env.preview"
+    },
+    {
+      key: "DOTENV_PRIVATE_KEY_PRODUCTION",
+      value: dotenvxKeys.production,
+      target: ["vercel"],
+      description: "dotenvx key for .env.production"
+    }
+  ];
+}
+function maskSensitiveValue(key, value) {
+  if (key.includes("DATABASE_URL")) {
+    return value.replace(/:([^:@]+)@/, ":***@");
+  }
+  if (key.includes("SERVICE_ROLE")) {
+    if (value.length > 20) {
+      return `${value.substring(0, 8)}...${value.substring(value.length - 8)}`;
+    }
+  }
+  if (key.includes("ANON_KEY")) {
+    if (value.length > 20) {
+      return `${value.substring(0, 8)}...${value.substring(value.length - 8)}`;
+    }
+  }
+  if (key.includes("DOTENV_PRIVATE_KEY")) {
+    return `${value.substring(0, 8)}...`;
+  }
+  if (value.length > 60) {
+    return `${value.substring(0, 57)}...`;
+  }
+  return value;
+}
+function displayEnvVarsSummary(envVars, overwrites, logger) {
+  logger.info("");
+  logger.section("Environment Variables to Register");
+  logger.info("");
+  for (const env of envVars) {
+    const targets = env.target.join(", ");
+    const displayValue = maskSensitiveValue(env.key, env.value);
+    const isOverwrite = env.target.includes("vercel") && overwrites.vercel.includes(env.key) || env.target.includes("github") && overwrites.github.includes(env.key);
+    const overwriteIndicator = isOverwrite ? " [OVERWRITE]" : " [NEW]";
+    logger.info(`  ${env.key}${overwriteIndicator}`);
+    logger.info(`    Target: ${targets}`);
+    logger.info(`    Value: ${displayValue}`);
+    logger.info(`    ${env.description}`);
+    logger.info("");
+  }
+}
+async function checkExistingOverwrites(envVars, vercelLinkedDir, githubRepoFullName, options) {
+  const vercelVars = envVars.filter((e) => e.target.includes("vercel"));
+  const githubVars = envVars.filter((e) => e.target.includes("github"));
+  const vercelOverwrites = [];
+  if (!options.skipVercel) {
+    for (const env of vercelVars) {
+      const existing = await getVercelEnvVar(vercelLinkedDir, env.key);
+      if (existing.exists) {
+        vercelOverwrites.push(env.key);
+      }
+    }
+  }
+  const githubOverwrites = [];
+  if (!options.skipGithub && githubRepoFullName) {
+    for (const env of githubVars) {
+      const exists = await checkGitHubSecret(env.key, githubRepoFullName);
+      if (exists) {
+        githubOverwrites.push(env.key);
+      }
+    }
+  }
+  return { vercelOverwrites, githubOverwrites };
+}
+async function confirmOverwrites(rl, vercelOverwrites, githubOverwrites, vercelProjectName, githubRepoFullName, options, logger) {
+  let vercelApproved = options.autoApprove ?? false;
+  let githubApproved = options.autoApprove ?? false;
+  if (rl && vercelOverwrites.length > 0 && !options.autoApprove) {
+    logger.warn("");
+    logger.warn(`\u26A0\uFE0F  Vercel project: ${vercelProjectName}`);
+    logger.warn(`   The following env vars already exist: ${vercelOverwrites.join(", ")}`);
+    vercelApproved = await promptForConfirmation(
+      rl,
+      `Overwrite existing env vars in Vercel project "${vercelProjectName}"?`);
+  }
+  if (rl && githubOverwrites.length > 0 && !options.autoApprove) {
+    logger.warn("");
+    logger.warn(`\u26A0\uFE0F  GitHub repository: ${githubRepoFullName}`);
+    logger.warn(`   The following secrets already exist: ${githubOverwrites.join(", ")}`);
+    githubApproved = await promptForConfirmation(
+      rl,
+      `Overwrite existing secrets in GitHub repo "${githubRepoFullName}"?`);
+  }
+  return { vercelApproved, githubApproved };
+}
+async function registerToVercel(envVars, linkedDir, projectDisplayName, overwrites, overwriteApproved, logger) {
+  const results = [];
+  const vercelVars = envVars.filter((e) => e.target.includes("vercel"));
+  logger.info(`Vercel (${projectDisplayName}):`);
+  for (const env of vercelVars) {
+    const isOverwrite = overwrites.includes(env.key);
+    const shouldOverwrite = isOverwrite ? overwriteApproved : true;
+    const result = await setVercelEnvVar(linkedDir, env.key, env.value, shouldOverwrite, logger);
+    results.push(result);
+  }
+  return results;
+}
+async function registerToGitHub(envVars, overwrites, overwriteApproved, repoFullName, logger) {
+  const results = [];
+  const githubVars = envVars.filter((e) => e.target.includes("github"));
+  logger.info("");
+  logger.info(`GitHub (${repoFullName}):`);
+  for (const env of githubVars) {
+    const isOverwrite = overwrites.includes(env.key);
+    const shouldOverwrite = isOverwrite ? overwriteApproved : true;
+    const result = await setGitHubSecret(env.key, env.value, shouldOverwrite, repoFullName, logger);
+    results.push(result);
+  }
+  return results;
+}
+function printFinalSummary(results, _drizzleAppPassword, _drizzleServicePassword, logger) {
+  logger.info("");
+  logger.section("Summary");
+  logger.info("");
+  const created = results.filter((r) => r.action === "created").length;
+  const updated = results.filter((r) => r.action === "updated").length;
+  const skipped = results.filter((r) => r.action === "skipped").length;
+  const failed = results.filter((r) => !r.success && r.action !== "skipped").length;
+  logger.info(`  Created: ${created}`);
+  logger.info(`  Updated: ${updated}`);
+  logger.info(`  Skipped: ${skipped}`);
+  if (failed > 0) {
+    logger.warn(`  Failed: ${failed}`);
+  }
+  logger.info("");
+  logger.section("Next Steps");
+  logger.info("");
+  logger.info("  1. Apply schema and set role passwords:");
+  logger.info("     runa db apply production");
+  logger.info("");
+  logger.info("     This will automatically:");
+  logger.info("     - Create RBAC roles (15_rbac_roles.sql)");
+  logger.info("     - Extract passwords from DATABASE_URL, DATABASE_URL_SERVICE");
+  logger.info("     - Set passwords on drizzle_app, drizzle_service roles");
+  logger.info("     - Apply schema changes");
+  logger.info("");
+  logger.info("  2. Role Security Summary (3-Role Architecture):");
+  logger.info("     drizzle_app     - User API, Server Components (RLS enforced)");
+  logger.info("     drizzle_service - Webhooks, Background Jobs (RLS bypassed)");
+  logger.info("     postgres        - Migrations only (DDL access)");
+  logger.info("");
+  logger.info("  3. Deploy your application to Vercel");
+  logger.info("");
+  logger.success("\u2705 Environment setup complete!");
+}
+function reportLinkingStatus(vercelStatus, supabaseStatus, logger) {
+  if (vercelStatus.linked) {
+    logger.success(`  \u2713 Vercel: Already linked (${vercelStatus.projectId})`);
+  } else {
+    logger.info("  \u25CB Vercel: Not linked");
+  }
+  if (supabaseStatus.linked) {
+    logger.success(`  \u2713 Supabase: Already linked (${supabaseStatus.projectRef})`);
+  } else {
+    logger.info("  \u25CB Supabase: Not linked");
+  }
+}
+async function performLinking(needsVercel, needsSupabase, vercelParsed, supabaseRef, logger) {
+  if (needsVercel) {
+    await linkVercelInCwd(vercelParsed.team, vercelParsed.project, logger);
+  }
+  if (needsSupabase) {
+    await linkSupabaseInCwd(supabaseRef, logger);
+  }
+}
+async function checkAndLinkProjects(rl, vercelParsed, supabaseRef, options, logger) {
+  const cwd = process.cwd();
+  const vercelStatus = checkVercelLinked2(cwd);
+  const supabaseStatus = checkSupabaseLinked(cwd);
+  logger.info("");
+  logger.section("Project Linking");
+  reportLinkingStatus(vercelStatus, supabaseStatus, logger);
+  if (vercelStatus.linked && supabaseStatus.linked) {
+    return { vercelLinked: true, supabaseLinked: true };
+  }
+  const needsVercel = !vercelStatus.linked;
+  const needsSupabase = !supabaseStatus.linked;
+  const needsAnyLink = needsVercel || needsSupabase;
+  if (!needsAnyLink) {
+    return { vercelLinked: vercelStatus.linked, supabaseLinked: supabaseStatus.linked };
+  }
+  if (options.autoApprove) {
+    await performLinking(needsVercel, needsSupabase, vercelParsed, supabaseRef, logger);
+    return { vercelLinked: true, supabaseLinked: true };
+  }
+  if (rl) {
+    const shouldLink = await promptForProjectLink(rl, needsVercel, needsSupabase);
+    if (shouldLink) {
+      await performLinking(needsVercel, needsSupabase, vercelParsed, supabaseRef, logger);
+      return { vercelLinked: true, supabaseLinked: true };
+    }
+  }
+  return { vercelLinked: vercelStatus.linked, supabaseLinked: supabaseStatus.linked };
+}
+
+// src/commands/env/commands/setup/types.ts
+init_esm_shims();
+var EnvSetupOutputSchema = z.object({
+  authStatus: z.object({
+    vercel: z.object({
+      authenticated: z.boolean(),
+      user: z.string().optional(),
+      error: z.string().optional()
+    }),
+    github: z.object({
+      authenticated: z.boolean(),
+      user: z.string().optional(),
+      error: z.string().optional()
+    }),
+    supabase: z.object({
+      authenticated: z.boolean(),
+      error: z.string().optional()
+    })
+  }),
+  vercelProject: z.object({
+    projectId: z.string(),
+    projectName: z.string(),
+    orgId: z.string().optional()
+  }).optional(),
+  supabaseProject: z.object({
+    projectRef: z.string(),
+    projectName: z.string()
+  }).optional(),
+  registrationResults: z.array(
+    z.object({
+      key: z.string(),
+      target: z.enum(["vercel", "github"]),
+      success: z.boolean(),
+      action: z.enum(["created", "updated", "skipped"]),
+      error: z.string().optional()
+    })
+  ),
+  success: z.boolean()
+});
+
+// src/commands/env/commands/setup/action.ts
+function createReadlineIfInteractive(existing) {
+  if (isNonInteractiveEnabled()) {
+    return null;
+  }
+  try {
+    existing?.close();
+  } catch {
+  }
+  return readline.createInterface({ input: stdin, output: stdout });
+}
+function buildSuccessOutput(authStatus, vercelProject, supabaseProject, results) {
+  return {
+    authStatus,
+    vercelProject,
+    supabaseProject: {
+      projectRef: supabaseProject.projectRef,
+      projectName: supabaseProject.projectName
+    },
+    registrationResults: results,
+    success: true
+  };
+}
+function handleDryRunMode(setupCommand2, authStatus, vercelProject, supabaseProject, logger) {
+  logger.info("Dry run mode - no changes made.");
+  emitJsonSuccess(
+    setupCommand2,
+    EnvSetupOutputSchema,
+    buildSuccessOutput(authStatus, vercelProject, supabaseProject, [])
+  );
+}
+function handleExportMode(setupCommand2, authStatus, vercelProject, supabaseProject, envVars, drizzleAppPassword, drizzleServicePassword, logger) {
+  logger.info("");
+  logger.section("Exporting to File");
+  logger.info("");
+  writeEnvSetupFile(envVars, drizzleAppPassword, drizzleServicePassword, logger);
+  logger.info("");
+  logger.info("Review the file and manually register the values:");
+  logger.info(`  cat ${ENV_SETUP_TMP_FILE}`);
+  logger.info("");
+  logger.info("Then run without --export to auto-register:");
+  logger.info("  runa env setup");
+  logger.info("");
+  logger.warn(`Remember to delete ${ENV_SETUP_TMP_FILE} after use!`);
+  emitJsonSuccess(
+    setupCommand2,
+    EnvSetupOutputSchema,
+    buildSuccessOutput(authStatus, vercelProject, supabaseProject, [])
+  );
+}
+async function runEnvSetupAction(options, setupCommand2) {
+  const logger = createCLILogger("env:setup");
+  logger.section("Environment Setup");
+  logger.info("This command will configure production environment variables.");
+  logger.info("");
+  const earlyLinkStatus = checkEarlyLinkStatus(logger);
+  const authStatus = await checkAuth(logger);
+  await validateAuthenticationWithLinkStatus(authStatus, options, earlyLinkStatus);
+  logger.info("");
+  let rl = createReadlineIfInteractive(null);
+  let vercelLinkedDir = null;
+  try {
+    const { vercelUrl, githubUrl, supabaseUrl } = await collectUrls(rl, options, logger);
+    const { vercelParsed, githubParsed, supabaseRef } = parseAndValidateUrls(
+      vercelUrl,
+      githubUrl,
+      supabaseUrl
+    );
+    await checkAndLinkProjects(rl, vercelParsed, supabaseRef, options, logger);
+    logger.info("");
+    const vercelProject = await getVercelProjectInfo(
+      vercelParsed.team,
+      vercelParsed.project,
+      logger
+    );
+    vercelLinkedDir = vercelProject.linkedDir;
+    const supabaseProject = await getSupabaseProjectInfo(
+      supabaseRef,
+      logger,
+      rl,
+      options.serviceRoleKey
+    );
+    rl = createReadlineIfInteractive(rl);
+    const postgresPassword = await collectPostgresPassword(rl, options, supabaseRef, logger);
+    rl = createReadlineIfInteractive(rl);
+    logger.info("");
+    logger.info("Generating credentials...");
+    const drizzleAppPassword = generateDrizzleAppPassword();
+    logger.success("\u2713 Generated drizzle_app password (DML + RLS enforced)");
+    const drizzleServicePassword = generateDrizzleServicePassword();
+    logger.success("\u2713 Generated drizzle_service password (DML + RLS bypassed)");
+    const dotenvxKeys = {
+      development: generateDotenvxPrivateKey(),
+      preview: generateDotenvxPrivateKey(),
+      production: generateDotenvxPrivateKey()
+    };
+    logger.success("\u2713 Generated dotenvx encryption keys");
+    logger.info(`  GitHub repo: ${githubParsed.owner}/${githubParsed.repo}`);
+    const envVars = buildEnvVarList(
+      supabaseProject,
+      supabaseRef,
+      postgresPassword,
+      drizzleAppPassword,
+      drizzleServicePassword,
+      dotenvxKeys
+    );
+    const githubRepoFullName = `${githubParsed.owner}/${githubParsed.repo}`;
+    const { vercelOverwrites, githubOverwrites } = await checkExistingOverwrites(
+      envVars,
+      vercelProject.linkedDir,
+      githubRepoFullName,
+      options
+    );
+    displayEnvVarsSummary(envVars, { vercel: vercelOverwrites, github: githubOverwrites }, logger);
+    if (options.dryRun) {
+      handleDryRunMode(setupCommand2, authStatus, vercelProject, supabaseProject, logger);
+      return;
+    }
+    if (options.export) {
+      handleExportMode(
+        setupCommand2,
+        authStatus,
+        vercelProject,
+        supabaseProject,
+        envVars,
+        drizzleAppPassword,
+        drizzleServicePassword,
+        logger
+      );
+      return;
+    }
+    const { vercelApproved, githubApproved } = await confirmOverwrites(
+      rl,
+      vercelOverwrites,
+      githubOverwrites,
+      vercelProject.projectName,
+      githubRepoFullName,
+      options,
+      logger
+    );
+    if (rl && !options.autoApprove) {
+      logger.info("");
+      const proceed = await promptForConfirmation(rl, "Proceed with registration?", false);
+      if (!proceed) {
+        logger.info("Cancelled.");
+        return;
+      }
+    }
+    logger.info("");
+    logger.section("Registering Environment Variables");
+    logger.info("");
+    const results = [];
+    if (!options.skipVercel) {
+      const vercelDisplayName = vercelProject.teamSlug ? `${vercelProject.projectName} @ ${vercelProject.teamSlug}` : vercelProject.projectName;
+      const vercelResults = await registerToVercel(
+        envVars,
+        vercelProject.linkedDir,
+        vercelDisplayName,
+        vercelOverwrites,
+        vercelApproved,
+        logger
+      );
+      results.push(...vercelResults);
+    }
+    if (!options.skipGithub) {
+      const githubResults = await registerToGitHub(
+        envVars,
+        githubOverwrites,
+        githubApproved,
+        githubRepoFullName,
+        logger
+      );
+      results.push(...githubResults);
+    }
+    printFinalSummary(results, drizzleAppPassword, drizzleServicePassword, logger);
+    emitJsonSuccess(
+      setupCommand2,
+      EnvSetupOutputSchema,
+      buildSuccessOutput(authStatus, vercelProject, supabaseProject, results)
+    );
+  } finally {
+    rl?.close();
+    if (vercelLinkedDir) {
+      try {
+        rmSync(vercelLinkedDir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  }
+}
+
+// src/commands/env/commands/env-setup.ts
+var setupCommand = new Command("setup").description("Set up production environment variables (Vercel + GitHub + Supabase)").option("--vercel-url <url>", "Vercel project URL (e.g., https://vercel.com/team/project)").option("--github-url <url>", "GitHub repo URL (e.g., https://github.com/owner/repo)").option(
+  "--supabase-url <url>",
+  "Supabase dashboard URL (e.g., https://supabase.com/dashboard/project/abcd1234)"
+).option("--postgres-password <password>", "Postgres password (from Supabase Dashboard)").option(
+  "--service-role-key <key>",
+  "Supabase service role key (sb_secret_* format, from Dashboard)"
+).option("--auto-approve", "Skip confirmation prompts for overwrites").option("--skip-vercel", "Skip Vercel registration").option("--skip-github", "Skip GitHub registration").option("--dry-run", "Show what would be done without making changes").option("--export", "Write to .env.setup-tmp file instead of auto-registering").action(async (options) => {
+  try {
+    await runEnvSetupAction(options, setupCommand);
+  } catch (error) {
+    if (error instanceof CLIError) throw error;
+    throw new CLIError(
+      error instanceof Error ? error.message : "Environment setup failed",
+      "ENV_SETUP_FAILED",
+      [
+        "Check authentication: vercel whoami, gh auth status, supabase login",
+        "Provide URLs: --vercel-url, --github-url, --supabase-url",
+        "Try: runa env setup --dry-run (to see what would be done)"
+      ],
+      error instanceof Error ? error : void 0
+    );
+  }
+});
+
+// src/commands/env/commands/env-sync.ts
+init_esm_shims();
+function toRunaEnv(value) {
+  if (value === "preview") return "preview";
+  if (value === "main") return "main";
+  if (value === "production") return "production";
+  return "local";
+}
+function resolveDbUrl(env, options) {
+  if (options?.loadEnv) {
+    loadEnvFiles({ runaEnv: toRunaEnv(env), silent: true });
+  }
+  const url = tryResolveDatabaseUrl(toRunaEnv(env));
+  if (!url) {
+    throw new CLIError(`No database URL found for environment: ${env}`, "ENV_SYNC_URL_MISSING", [
+      `Set ${env.toUpperCase()}_DATABASE_URL`,
+      "Set DATABASE_URL_ADMIN for production"
+    ]);
+  }
+  return url;
+}
+async function runEnvSyncAction(options) {
+  const logger = createCLILogger("env:sync");
+  const validEnvs = ["local", "preview", "production"];
+  if (!validEnvs.includes(options.from)) {
+    throw new CLIError(`Invalid source environment: ${options.from}`, "ENV_SYNC_INVALID_SOURCE", [
+      "Valid environments: local, preview, production"
+    ]);
+  }
+  if (!validEnvs.includes(options.to)) {
+    throw new CLIError(`Invalid target environment: ${options.to}`, "ENV_SYNC_INVALID_TARGET", [
+      "Valid environments: local, preview, production"
+    ]);
+  }
+  if (options.from === options.to) {
+    throw new CLIError("Source and target environments cannot be the same", "ENV_SYNC_SAME_ENV", [
+      "Use different --from and --to values"
+    ]);
+  }
+  if (options.to === "production") {
+    throw new CLIError(
+      "Syncing TO production is not allowed (safety restriction)",
+      "ENV_SYNC_PROD_TARGET_BLOCKED",
+      ["Only sync FROM production, never TO it"]
+    );
+  }
+  const sourceUrl = resolveDbUrl(options.from, { loadEnv: true });
+  const targetUrl = resolveDbUrl(options.to, { loadEnv: true });
+  const schema = options.schema || "public";
+  const sampleLimit = options.sample ? Number.parseInt(options.sample, 10) : void 0;
+  const specificTables = options.tables?.split(",").map((t) => t.trim());
+  const maskPii = options.maskPii !== false;
+  logger.section("Environment Data Sync");
+  logger.info(`Source: ${options.from} \u2192 Target: ${options.to}`);
+  logger.info(`Schema: ${schema}`);
+  logger.info(`PII Masking: ${maskPii ? "ENABLED" : "disabled"}`);
+  if (sampleLimit) logger.info(`Sample limit: ${sampleLimit} rows per table`);
+  if (specificTables) logger.info(`Tables: ${specificTables.join(", ")}`);
+  if (options.dryRun) {
+    logger.info("\n[DRY RUN] Would sync data with above settings");
+    return;
+  }
+  if (!options.autoApprove) {
+    throw new CLIError("Data sync requires explicit confirmation", "ENV_SYNC_CONFIRM_REQUIRED", [
+      "Use --auto-approve to confirm",
+      "Use --dry-run to preview",
+      "\u26A0\uFE0F  This will overwrite data in target environment"
+    ]);
+  }
+  const result = await syncEnvironment({
+    sourceUrl,
+    targetUrl,
+    schema,
+    tables: specificTables,
+    sampleLimit,
+    maskPii,
+    onProgress: (message) => logger.info(message)
+  });
+  logger.info(`
+Processed ${result.tablesProcessed} tables`);
+  logger.info(`  \u2713 Synced: ${result.tablesSynced}`);
+  if (result.tablesFailed > 0) {
+    logger.warn(`  \u2717 Failed: ${result.tablesFailed}`);
+  }
+  for (const tableResult of result.results) {
+    if (tableResult.status === "failed") {
+      logger.warn(`  \u2717 ${tableResult.table}: ${tableResult.error}`);
+    }
+  }
+  logger.success("\n\u2705 Environment sync completed");
+  emitJsonSuccess(syncCommand, EnvSyncOutputSchema, result);
+}
+var syncCommand = new Command("sync").description("Sync data between environments with PII masking").requiredOption("--from <env>", "Source environment (local, preview, production)").requiredOption("--to <env>", "Target environment (local, preview)").option("--sample <count>", "Limit rows per table (for testing)").option("--tables <list>", "Specific tables to sync (comma-separated)").option("--no-mask-pii", "Disable PII masking (dangerous)").option("--schema <name>", "Schema to sync (default: public)", "public").option("--auto-approve", "Skip confirmation prompts").option("--dry-run", "Show what would be synced without applying").action(async (options) => {
+  try {
+    await runEnvSyncAction(options);
+  } catch (error) {
+    if (error instanceof CLIError) throw error;
+    throw new CLIError(
+      error instanceof Error ? error.message : "Environment sync failed",
+      "ENV_SYNC_FAILED",
+      ["Check database connections", "Verify pg_dump/psql are installed", "Run with --dry-run"],
+      error instanceof Error ? error : void 0
+    );
+  }
+});
+
+// src/commands/env/index.ts
+var envCommand = new Command("env").description(
+  "Environment management (check, pull, encrypt, sync)"
+);
+envCommand.addCommand(checkCommand);
+envCommand.addCommand(pullCommand);
+envCommand.addCommand(encryptCommand);
+envCommand.addCommand(syncCommand);
+envCommand.addCommand(setupCommand);
+
+export { envCommand };