@tarout/cli 0.2.2 → 0.3.0

package/dist/index.js

@@ -6,7 +6,7 @@ import {
   stopSpinner,
   succeedSpinner,
   updateSpinner
-} from "./chunk-5XBVQICT.js";
+} from "./chunk-BS6DFVSU.js";
 import {
   AuthError,
   BuildFailedError,
@@ -16,24 +16,26 @@ import {
   InvalidArgumentError,
   NotFoundError,
   analyzeDeploymentError,
-  clearConfig,
   findSimilar,
   getApiClient,
+  handleError,
+  platformFetch,
+  resetApiClient
+} from "./chunk-NHNK5ZQ5.js";
+import {
+  clearConfig,
   getApiUrl,
   getCurrentProfile,
   getProjectConfig,
   getToken,
-  handleError,
   isLoggedIn,
   isProjectLinked,
-  platformFetch,
   removeProjectConfig,
-  resetApiClient,
   setCurrentProfile,
   setProfile,
   setProjectConfig,
   updateProfile
-} from "./chunk-7YS2WBLB.js";
+} from "./chunk-5DAFGMBH.js";
 import {
   confirm,
   input,
@@ -67,11 +69,12 @@ import { Command } from "commander";
 // package.json
 var package_default = {
   name: "@tarout/cli",
-  version: "0.2.2",
+  version: "0.3.0",
   description: "Tarout CLI \u2014 the Saudi cloud platform for coding agents",
   type: "module",
   bin: {
-    tarout: "./bin/tarout"
+    tarout: "./bin/tarout",
+    "tarout-mcp": "./bin/tarout-mcp"
   },
   main: "./dist/index.js",
   types: "./dist/index.d.ts",
@@ -80,14 +83,15 @@ var package_default = {
     "dist"
   ],
   scripts: {
-    build: "tsup src/index.ts --format esm --dts --clean",
-    dev: "tsup src/index.ts --format esm --watch",
+    build: "tsup src/index.ts src/mcp/stdio.ts --format esm --dts --clean",
+    dev: "tsup src/index.ts src/mcp/stdio.ts --format esm --watch",
     typecheck: "tsc --noEmit",
     lint: "biome check src/",
     start: "node dist/index.js",
     prepublishOnly: "bun run build"
   },
   dependencies: {
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@trpc/client": "^10.45.2",
     "@trpc/server": "^10.45.2",
     chalk: "^5.3.0",
@@ -130,6 +134,83 @@ var package_default = {
   license: "MIT"
 };
 
+// src/lib/auth-profile.ts
+import { createTRPCProxyClient, httpBatchLink } from "@trpc/client";
+import superjson from "superjson";
+function createCredentialClient(apiUrl, token) {
+  return createTRPCProxyClient({
+    transformer: superjson,
+    links: [
+      httpBatchLink({
+        url: `${apiUrl.replace(/\/+$/, "")}/api/trpc`,
+        headers: () => ({ "x-api-key": token }),
+        fetch: platformFetch
+      })
+    ]
+  });
+}
+function pickUser(memberOrUser) {
+  return memberOrUser?.user ?? memberOrUser;
+}
+function pickEnvironmentName(environment, fallback) {
+  return environment?.displayName || environment?.name || environment?.slug || fallback || "production";
+}
+async function queryOrNull(query) {
+  try {
+    return await query();
+  } catch {
+    return null;
+  }
+}
+async function resolveProfileFromCredential(params) {
+  const apiUrl = params.apiUrl.replace(/\/+$/, "");
+  const client = createCredentialClient(apiUrl, params.token);
+  const member = await client.user.get.query();
+  if (!member) {
+    throw new Error(
+      "The credential is valid, but it is not scoped to an organization."
+    );
+  }
+  const user = pickUser(member);
+  const organizations = await client.organization.all.query();
+  const [activeProject, activeEnvironment] = await Promise.all([
+    queryOrNull(() => client.project.getActive.query()),
+    queryOrNull(() => client.environment.getActive.query())
+  ]);
+  const project = activeProject;
+  const environment = activeEnvironment;
+  const organizationId = member.organizationId || params.fallback?.organizationId || organizations?.[0]?.id;
+  const organization = organizations?.find((org) => org.id === organizationId) || organizations?.[0];
+  if (!organizationId || !organization) {
+    throw new Error("The credential is valid, but no organization was found.");
+  }
+  return {
+    token: params.token,
+    apiUrl,
+    userId: user?.id || member.userId || params.fallback?.userId || "",
+    userEmail: user?.email || member.email || params.fallback?.userEmail || "unknown",
+    userName: user?.name || member.name || params.fallback?.userName,
+    organizationId,
+    organizationName: organization.name || params.fallback?.organizationName || "Unknown",
+    projectId: project?.projectId || params.fallback?.projectId,
+    projectName: project?.name || params.fallback?.projectName,
+    projectSlug: project?.slug || params.fallback?.projectSlug,
+    environmentId: environment?.environmentId || params.fallback?.environmentId || "",
+    environmentName: pickEnvironmentName(
+      environment,
+      params.fallback?.environmentName
+    )
+  };
+}
+function isCredentialError(error2) {
+  const err = error2;
+  const code = err?.data?.code || err?.shape?.data?.code || err?.code;
+  const message = error2 instanceof Error ? error2.message : String(error2);
+  return code === "UNAUTHORIZED" || code === "FORBIDDEN" || /unauthorized|forbidden|invalid api key|invalid token|not authenticated|not logged in/i.test(
+    message
+  );
+}
+
 // src/commands/account.ts
 function registerAccountCommands(program2) {
   const account = program2.command("account").description("Manage your user account");
@@ -268,6 +349,19 @@ function registerAccountCommands(program2) {
           flag: "--name"
         });
         const client = getApiClient();
+        const profile = getCurrentProfile();
+        let organizationId = profile?.organizationId;
+        if (!organizationId) {
+          const resolved = await resolveProfileFromCredential({
+            apiUrl: getApiUrl(),
+            token: getToken() || "",
+            fallback: profile
+          });
+          organizationId = resolved.organizationId;
+        }
+        if (!organizationId) {
+          throw new AuthError();
+        }
         const _spinner = startSpinner("Creating API key...");
         const result = await client.user.createApiKey.mutate({
           name,
@@ -277,7 +371,8 @@ function registerAccountCommands(program2) {
           rateLimitTimeWindow: Number.parseInt(
             options.rateLimitWindow || "60000"
           ),
-          rateLimitMax: Number.parseInt(options.rateLimitMax || "100")
+          rateLimitMax: Number.parseInt(options.rateLimitMax || "100"),
+          metadata: { organizationId }
         });
         succeedSpinner("API key created.");
         if (isJsonMode()) {
@@ -327,26 +422,6 @@ function registerAccountCommands(program2) {
       handleError(err);
     }
   });
-  account.command("generate-token").description("Generate a one-time metrics/auth token").action(async () => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const client = getApiClient();
-      const _spinner = startSpinner("Generating token...");
-      const result = await client.user.generateToken.mutate();
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(result);
-        return;
-      }
-      const r = result;
-      log("");
-      log(`Token: ${colors.cyan(r.token || String(result))}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
   account.command("metrics-token").description("Get the organization metrics token").action(async () => {
     try {
       if (!isLoggedIn()) throw new AuthError();
@@ -1164,6 +1239,14 @@ function formatDate(date) {
 
 // src/commands/apps.ts
 import open from "open";
+
+// src/utils/url.ts
+function formatAppUrl(host) {
+  if (!host) return null;
+  return /^https?:\/\//i.test(host) ? host : `https://${host}`;
+}
+
+// src/commands/apps.ts
 function registerAppsCommands(program2) {
   const apps = program2.command("apps").description("Manage applications");
   apps.command("list").alias("ls").description("List all applications").action(async () => {
@@ -1367,7 +1450,7 @@ function registerAppsCommands(program2) {
         log(`  ${colors.dim("No custom domain")}`);
       }
       log("");
-      const appUrl = app.appSubdomain ? `https://${app.appSubdomain}` : null;
+      const appUrl = formatAppUrl(app.appSubdomain);
       if (appUrl) {
         log(`${colors.bold("URL")}`);
         log(`  ${appUrl}`);
@@ -2172,9 +2255,9 @@ function registerAppsCommands(program2) {
       succeedSpinner();
       let url = null;
       if (app.domain && app.domain.length > 0) {
-        url = `https://${app.domain[0].host}`;
+        url = formatAppUrl(app.domain[0].host) ?? "";
       } else if (app.appSubdomain) {
-        url = `https://${app.appSubdomain}`;
+        url = formatAppUrl(app.appSubdomain) ?? "";
       }
       if (!url) {
         error(
@@ -2777,7 +2860,7 @@ function escapeHtml(value) {
   return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
 function startAuthServer(options = {}) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const app = express();
     const expectedState = options.state ?? createAuthState();
     let server;
@@ -2832,10 +2915,19 @@ function startAuthServer(options = {}) {
         callbackRejecter(new Error(String(error2)));
         return;
       }
-      if (!token || !userId || !userEmail || !organizationId || !organizationName || !environmentId || !environmentName) {
-        res.status(400).send("Missing required parameters");
+      const missing = [];
+      if (!token) missing.push("token");
+      if (!userId) missing.push("userId");
+      if (!userEmail) missing.push("userEmail");
+      if (!organizationId) missing.push("organizationId");
+      if (!organizationName) missing.push("organizationName");
+      if (!environmentId) missing.push("environmentId");
+      if (!environmentName) missing.push("environmentName");
+      if (missing.length > 0) {
+        const list = missing.join(", ");
+        res.status(400).send(`Missing required parameters: ${list}`);
         callbackRejecter(
-          new Error("Missing required parameters from auth callback")
+          new Error(`Missing required parameters from auth callback: ${list}`)
         );
         return;
       }
@@ -2892,7 +2984,7 @@ function startAuthServer(options = {}) {
     server = app.listen(0, "127.0.0.1", () => {
       const address = server.address();
       const port = typeof address === "object" && address ? address.port : 0;
-      resolve2({
+      resolve3({
         port,
         state: expectedState,
         waitForCallback: () => callbackPromise,
@@ -2902,86 +2994,9 @@ function startAuthServer(options = {}) {
   });
 }
 
-// src/lib/auth-profile.ts
-import { createTRPCProxyClient, httpBatchLink } from "@trpc/client";
-import superjson from "superjson";
-function createCredentialClient(apiUrl, token) {
-  return createTRPCProxyClient({
-    transformer: superjson,
-    links: [
-      httpBatchLink({
-        url: `${apiUrl.replace(/\/+$/, "")}/api/trpc`,
-        headers: () => ({ "x-api-key": token }),
-        fetch: platformFetch
-      })
-    ]
-  });
-}
-function pickUser(memberOrUser) {
-  return memberOrUser?.user ?? memberOrUser;
-}
-function pickEnvironmentName(environment, fallback) {
-  return environment?.displayName || environment?.name || environment?.slug || fallback || "production";
-}
-async function queryOrNull(query) {
-  try {
-    return await query();
-  } catch {
-    return null;
-  }
-}
-async function resolveProfileFromCredential(params) {
-  const apiUrl = params.apiUrl.replace(/\/+$/, "");
-  const client = createCredentialClient(apiUrl, params.token);
-  const member = await client.user.get.query();
-  if (!member) {
-    throw new Error(
-      "The credential is valid, but it is not scoped to an organization."
-    );
-  }
-  const user = pickUser(member);
-  const organizations = await client.organization.all.query();
-  const [activeProject, activeEnvironment] = await Promise.all([
-    queryOrNull(() => client.project.getActive.query()),
-    queryOrNull(() => client.environment.getActive.query())
-  ]);
-  const project = activeProject;
-  const environment = activeEnvironment;
-  const organizationId = member.organizationId || params.fallback?.organizationId || organizations?.[0]?.id;
-  const organization = organizations?.find((org) => org.id === organizationId) || organizations?.[0];
-  if (!organizationId || !organization) {
-    throw new Error("The credential is valid, but no organization was found.");
-  }
-  return {
-    token: params.token,
-    apiUrl,
-    userId: user?.id || member.userId || params.fallback?.userId || "",
-    userEmail: user?.email || member.email || params.fallback?.userEmail || "unknown",
-    userName: user?.name || member.name || params.fallback?.userName,
-    organizationId,
-    organizationName: organization.name || params.fallback?.organizationName || "Unknown",
-    projectId: project?.projectId || params.fallback?.projectId,
-    projectName: project?.name || params.fallback?.projectName,
-    projectSlug: project?.slug || params.fallback?.projectSlug,
-    environmentId: environment?.environmentId || params.fallback?.environmentId || "",
-    environmentName: pickEnvironmentName(
-      environment,
-      params.fallback?.environmentName
-    )
-  };
-}
-function isCredentialError(error2) {
-  const err = error2;
-  const code = err?.data?.code || err?.shape?.data?.code || err?.code;
-  const message = error2 instanceof Error ? error2.message : String(error2);
-  return code === "UNAUTHORIZED" || code === "FORBIDDEN" || /unauthorized|forbidden|invalid api key|invalid token|not authenticated|not logged in/i.test(
-    message
-  );
-}
-
 // src/commands/auth.ts
 function refuseBrowserAuthForAgent(action) {
-  const message = `tarout ${action} requires a browser. Agents should ask the user to run \`tarout token <api-token>\` or set TAROUT_TOKEN \u2014 generate one at https://tarout.sa/dashboard/account/api-keys.`;
+  const message = `tarout ${action} requires a browser. Agents should ask the user to run \`tarout token <api-token>\` or set TAROUT_TOKEN \u2014 generate one at https://tarout.sa/dashboard/settings/profile.`;
   if (isJsonMode()) {
     outputError("AUTH_BOOTSTRAP_REQUIRED", message, {
       action,
@@ -3250,16 +3265,34 @@ function registerAuthCommands(program2) {
           () => input("Token name (e.g., ci-deploy):")
         );
       }
-      const { getApiClient: getApiClient2 } = await import("./api-735LN7BA.js");
+      const { getApiClient: getApiClient2 } = await import("./api-QAKANRFX.js");
       const client = getApiClient2();
       const profile = getCurrentProfile();
+      let keyOrg = profile?.organizationId;
+      let keyEnv = profile?.environmentId;
+      let keyProj = profile?.projectId;
+      if (!keyOrg) {
+        const resolved = await resolveProfileFromCredential({
+          apiUrl: getApiUrl(),
+          token: getToken() || "",
+          fallback: profile
+        });
+        keyOrg = resolved.organizationId;
+        keyEnv = resolved.environmentId;
+        keyProj = resolved.projectId;
+      }
+      if (!keyOrg) {
+        throw new Error(
+          "Could not determine your organization. Run `tarout auth login` first, or pass a token scoped to an organization."
+        );
+      }
       const _spinner = startSpinner("Creating API token...");
       const result = await client.user.createApiKey.mutate({
         name: tokenName,
         metadata: {
-          organizationId: profile?.organizationId || "",
-          environmentId: profile?.environmentId || "",
-          projectId: profile?.projectId || ""
+          organizationId: keyOrg,
+          environmentId: keyEnv || "",
+          projectId: keyProj || ""
         }
       });
       succeedSpinner("API token created!");
@@ -3839,7 +3872,7 @@ function getDefaultPort(pkg) {
   return framework?.defaultPort || 3e3;
 }
 function runCommand(command, env, options = {}) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const [cmd, ...args] = parseCommand(command);
     const spawnOptions = {
       cwd: options.cwd || process.cwd(),
@@ -3874,7 +3907,7 @@ function runCommand(command, env, options = {}) {
     child.on("close", (code, signal) => {
       process.off("SIGINT", handleSignal);
       process.off("SIGTERM", handleSignal);
-      resolve2({
+      resolve3({
         exitCode: code ?? 1,
         signal
       });
@@ -3883,7 +3916,7 @@ function runCommand(command, env, options = {}) {
       process.off("SIGINT", handleSignal);
       process.off("SIGTERM", handleSignal);
       console.error(`Failed to start process: ${err.message}`);
-      resolve2({
+      resolve3({
         exitCode: 1,
         signal: null
       });
@@ -4071,6 +4104,124 @@ function findApp2(apps, identifier) {
   );
 }
 
+// src/commands/call.ts
+import { existsSync as existsSync2, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { homedir } from "os";
+import { join as join2 } from "path";
+var MANIFEST_TTL_MS = 5 * 60 * 1e3;
+function manifestCachePath() {
+  return join2(homedir(), ".tarout", "surface-manifest-cache.json");
+}
+async function fetchManifestFresh(client, apiUrl) {
+  const manifest = await client.settings.getSurfaceManifest.query();
+  try {
+    const dir = join2(homedir(), ".tarout");
+    if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
+    let cache = {};
+    try {
+      cache = JSON.parse(readFileSync2(manifestCachePath(), "utf8"));
+    } catch {
+    }
+    cache[apiUrl] = { at: Date.now(), manifest };
+    writeFileSync(manifestCachePath(), JSON.stringify(cache), { mode: 384 });
+  } catch {
+  }
+  return manifest;
+}
+async function loadManifest(client, apiUrl) {
+  try {
+    const cache = JSON.parse(readFileSync2(manifestCachePath(), "utf8"));
+    const entry = cache[apiUrl];
+    if (entry && Date.now() - entry.at < MANIFEST_TTL_MS && Array.isArray(entry.manifest)) {
+      return entry.manifest;
+    }
+  } catch {
+  }
+  return fetchManifestFresh(client, apiUrl);
+}
+function registerCallCommand(program2) {
+  program2.command("call [procedure]").description(
+    "Call any platform API procedure directly (e.g. application.create). Use --list to discover."
+  ).option("-i, --input <json>", "JSON input for the procedure", "{}").option("--input-file <path>", "Read JSON input from a file").option(
+    "-l, --list [filter]",
+    "List callable procedures (optionally filtered by substring)"
+  ).action(async (procedure, opts) => {
+    try {
+      if (!isLoggedIn()) throw new AuthError();
+      const client = getApiClient();
+      if (opts.list !== void 0 || !procedure) {
+        startSpinner("Loading control surface...");
+        const manifest2 = await fetchManifestFresh(client, getApiUrl());
+        succeedSpinner();
+        const filter = typeof opts.list === "string" ? opts.list : void 0;
+        const matched = manifest2.filter(
+          (m) => !filter || m.path.includes(filter)
+        );
+        if (isJsonMode()) {
+          outputData(matched);
+          return;
+        }
+        if (!procedure && opts.list === void 0) {
+          log(
+            colors.dim(
+              "No procedure given. Available procedures (call one with `tarout call <procedure> --input '{...}'`):"
+            )
+          );
+          log("");
+        }
+        table(
+          ["Procedure", "Type"],
+          matched.map((m) => [m.path, m.type])
+        );
+        log("");
+        log(colors.dim(`${matched.length} procedures`));
+        return;
+      }
+      const apiUrl = getApiUrl();
+      let manifest = await loadManifest(client, apiUrl);
+      let entry = manifest.find((m) => m.path === procedure);
+      if (!entry) {
+        manifest = await fetchManifestFresh(client, apiUrl);
+        entry = manifest.find((m) => m.path === procedure);
+      }
+      if (!entry) {
+        throw new Error(
+          `Unknown or non-exposed procedure: "${procedure}". Run \`tarout call --list\` to see what's available.`
+        );
+      }
+      let input2 = {};
+      const rawInput = opts.inputFile ? readFileSync2(opts.inputFile, "utf8") : opts.input;
+      if (rawInput && rawInput.trim()) {
+        try {
+          input2 = JSON.parse(rawInput);
+        } catch {
+          throw new Error(
+            `--input must be valid JSON. Received: ${rawInput}`
+          );
+        }
+      }
+      const [routerKey, procKey] = procedure.split(".");
+      const node = client[routerKey ?? ""]?.[procKey ?? ""];
+      if (!node) {
+        throw new Error(`Procedure path not found on client: ${procedure}`);
+      }
+      startSpinner(`Calling ${procedure}...`);
+      const result = entry.type === "mutation" ? await node.mutate(input2) : await node.query(input2);
+      succeedSpinner();
+      if (isJsonMode()) {
+        outputData(result);
+      } else {
+        log(
+          typeof result === "string" ? result : JSON.stringify(result, null, 2)
+        );
+      }
+    } catch (err) {
+      failSpinner();
+      handleError(err);
+    }
+  });
+}
+
 // src/commands/dashboard.ts
 function registerDashboardCommands(program2) {
   const dashboard = program2.command("dashboard").description("View organization dashboard overview");
@@ -4294,16 +4445,18 @@ function registerDbCommands(program2) {
         outputData(database);
         return;
       }
-      quietOutput(dbId);
+      if (dbId) quietOutput(dbId);
       box("Database Created", [
-        `ID: ${colors.cyan(dbId)}`,
-        `Name: ${database.name}`,
+        `ID: ${colors.cyan(dbId ?? "(pending)")}`,
+        `Name: ${database.name ?? dbName}`,
         `Type: ${getTypeLabel(dbType)}`
       ]);
       log("Next steps:");
-      log(
-        `  View connection info: ${colors.dim(`tarout db info ${dbId.slice(0, 8)}`)}`
-      );
+      if (dbId) {
+        log(
+          `  View connection info: ${colors.dim(`tarout db info ${dbId.slice(0, 8)}`)}`
+        );
+      }
       log("");
     } catch (err) {
       handleError(err);
@@ -4566,7 +4719,7 @@ function registerDbCommands(program2) {
         backups.map((b) => [
           colors.cyan((b.backupId || b.id || "").slice(0, 8)),
           b.schedule || colors.dim("-"),
-          b.enabled ? colors.green("yes") : colors.dim("no")
+          b.enabled ? colors.success("yes") : colors.dim("no")
         ])
       );
       log("");
@@ -5149,15 +5302,15 @@ function getConnectCommand(type, details) {
 import { execFile } from "child_process";
 import {
   createReadStream,
-  existsSync as existsSync2,
+  existsSync as existsSync3,
   mkdtempSync,
   readdirSync,
-  readFileSync as readFileSync2,
+  readFileSync as readFileSync3,
   rmSync,
   statSync
 } from "fs";
 import { tmpdir } from "os";
-import { basename, dirname, join as join2 } from "path";
+import { basename, dirname, join as join3 } from "path";
 import { promisify } from "util";
 import open3 from "open";
 
@@ -5174,13 +5327,13 @@ function streamDeploymentLogs(deploymentId, options) {
     }
   });
   let buffer = "";
-  const done = new Promise((resolve2) => {
+  const done = new Promise((resolve3) => {
     ws.on("close", (code, reason) => {
       if (buffer.length > 0) {
         options.onData(buffer);
       }
       options.onClose?.(code, reason.toString());
-      resolve2({ code, reason: reason.toString() });
+      resolve3({ code, reason: reason.toString() });
     });
   });
   ws.on("open", () => {
@@ -5226,13 +5379,13 @@ async function ensureAuthenticatedForDeploy(options) {
         {
           field: "token",
           kind: "password",
-          question: `Paste a Tarout API token. Generate one at ${apiUrl}/dashboard/account/tokens`,
+          question: `Paste a Tarout API token. Generate one at ${apiUrl}/dashboard/settings/profile`,
           flag: "--token",
           sensitive: true,
           context: {
             step: "auth",
             reason: "not_logged_in",
-            generateUrl: `${apiUrl}/dashboard/account/tokens`
+            generateUrl: `${apiUrl}/dashboard/settings/profile`
           }
         },
         // Unreachable: promptOrEmit exits the process in JSON mode.
@@ -5268,13 +5421,13 @@ async function ensureAuthenticatedForDeploy(options) {
         {
           field: "token",
           kind: "password",
-          question: `Stored credentials are invalid or expired. Paste a new Tarout API token from ${apiUrl}/dashboard/account/tokens`,
+          question: `Stored credentials are invalid or expired. Paste a new Tarout API token from ${apiUrl}/dashboard/settings/profile`,
           flag: "--token",
           sensitive: true,
           context: {
             step: "auth",
             reason: "expired_credentials",
-            generateUrl: `${apiUrl}/dashboard/account/tokens`
+            generateUrl: `${apiUrl}/dashboard/settings/profile`
           }
         },
         async () => {
@@ -5439,7 +5592,7 @@ async function confirmRegion(region) {
   }
 }
 function inspectCurrentProject(cwd = process.cwd()) {
-  const packageJson = readJsonFile(join2(cwd, "package.json"));
+  const packageJson = readJsonFile(join3(cwd, "package.json"));
   const dependencies = new Set(
     Object.keys({
       ...packageJson?.dependencies ?? {},
@@ -5487,8 +5640,8 @@ function printProjectInspection(inspection) {
 }
 function readJsonFile(path) {
   try {
-    if (!existsSync2(path)) return null;
-    return JSON.parse(readFileSync2(path, "utf8"));
+    if (!existsSync3(path)) return null;
+    return JSON.parse(readFileSync3(path, "utf8"));
   } catch {
     return null;
   }
@@ -5497,7 +5650,7 @@ function readTextFile(path, maxBytes) {
   try {
     const stat = statSync(path);
     if (stat.size > maxBytes) return "";
-    return readFileSync2(path, "utf8");
+    return readFileSync3(path, "utf8");
   } catch {
     return "";
   }
@@ -5552,7 +5705,7 @@ function collectInspectableFiles(root) {
     }
     for (const entry of entries) {
       if (files.length >= 400) return;
-      const fullPath = join2(dir, entry.name);
+      const fullPath = join3(dir, entry.name);
       if (entry.isDirectory()) {
         if (!excludedDirs.has(entry.name)) walk(fullPath, depth + 1);
         continue;
@@ -5604,7 +5757,7 @@ function detectDatabase(dependencies, files, cwd) {
     }
   }
   const prismaSchema = readTextFile(
-    join2(cwd, "prisma", "schema.prisma"),
+    join3(cwd, "prisma", "schema.prisma"),
     256 * 1024
   );
   if (/provider\s*=\s*"postgresql"/i.test(prismaSchema)) {
@@ -5685,15 +5838,15 @@ function detectStorage(dependencies, files) {
   return { detected: reasons.length > 0, reasons: uniqueReasons(reasons) };
 }
 function detectGitSource(cwd) {
-  const gitPath = join2(cwd, ".git");
-  if (!existsSync2(gitPath)) return { hasGit: false };
-  let configPath = join2(gitPath, "config");
+  const gitPath = join3(cwd, ".git");
+  if (!existsSync3(gitPath)) return { hasGit: false };
+  let configPath = join3(gitPath, "config");
   try {
     const stat = statSync(gitPath);
     if (stat.isFile()) {
       const content = readTextFile(gitPath, 4096);
       const match = content.match(/gitdir:\s*(.+)/i);
-      if (match?.[1]) configPath = join2(cwd, match[1].trim(), "config");
+      if (match?.[1]) configPath = join3(cwd, match[1].trim(), "config");
     }
   } catch {
   }
@@ -5822,7 +5975,7 @@ async function createAppFromCurrentDirectory(client, profile, options = {}) {
   const defaultName = basename(process.cwd()) || "tarout-app";
   const providedName = options.name?.trim();
   let appName = providedName || defaultName;
-  if (!providedName && !shouldSkipConfirmation()) {
+  if (!providedName && !shouldSkipConfirmation() && !isJsonMode()) {
     appName = await promptOrEmit(
       {
         field: "name",
@@ -5940,7 +6093,7 @@ function formatPlanPrice(priceHalalas) {
   return `${(priceHalalas / 100).toFixed(2)} SAR/mo`;
 }
 async function runInlineUpgrade(client, planKey) {
-  const { pollCheckoutUntilTerminal } = await import("./billing-WOKNOS4N.js");
+  const { pollCheckoutUntilTerminal } = await import("./billing-GUA4S2Y4.js");
   const _changing = startSpinner(`Switching to plan "${planKey}"...`);
   const result = await client.subscription.changePlan.mutate({ planKey });
   if (result?.applied) {
@@ -6229,31 +6382,48 @@ async function configureOptionalResources(client, profile, app, options, inspect
   const database = await resolveDatabaseChoice(options, inspection);
   const createdResources = [];
   if (database !== "none") {
-    const plan = await resolveResourcePlan(
-      options.databasePlan,
-      "Database plan:"
-    );
-    const databaseName = formatResourceName(
-      app.name,
-      database === "postgres" ? "Postgres" : "MySQL"
+    const decision = await resolveDatabaseProvisioning(
+      client,
+      profile,
+      app,
+      database,
+      options
     );
-    await createAndAttachDatabase(client, profile, app, {
-      kind: database,
-      name: databaseName,
-      plan
-    });
-    createdResources.push(
-      `${database === "postgres" ? "Postgres" : "MySQL"} (${plan})`
-    );
-  }
-  if (await resolveStorageChoice(options, inspection)) {
-    const plan = await resolveResourcePlan(options.storagePlan, "Storage plan:");
-    const storageName = formatResourceName(app.name, "files", 50);
-    await createAndAttachStorage(client, app, {
-      name: storageName,
-      plan
-    });
-    createdResources.push(`Storage (${plan})`);
+    if (decision.action === "reuse") {
+      await attachExistingDatabase(client, app, database, decision);
+      createdResources.push(
+        `${formatDatabaseKind(database)} reused \u2014 ${decision.name} (${decision.plan})`
+      );
+    } else {
+      await createAndAttachDatabase(client, profile, app, {
+        kind: database,
+        name: decision.name,
+        plan: decision.plan
+      });
+      createdResources.push(
+        `${formatDatabaseKind(database)} (${decision.plan})`
+      );
+    }
+  }
+  if (await resolveStorageChoice(options, inspection)) {
+    const decision = await resolveStorageProvisioning(
+      client,
+      profile,
+      app,
+      options
+    );
+    if (decision.action === "reuse") {
+      await attachExistingStorage(client, app, decision);
+      createdResources.push(
+        `Storage reused \u2014 ${decision.name} (${decision.plan})`
+      );
+    } else {
+      await createAndAttachStorage(client, app, {
+        name: decision.name,
+        plan: decision.plan
+      });
+      createdResources.push(`Storage (${decision.plan})`);
+    }
   }
   if (createdResources.length > 0 && !isJsonMode()) {
     box("Provisioned Resources", createdResources);
@@ -6313,9 +6483,10 @@ async function createAndAttachDatabase(client, profile, app, input2) {
   const appName = generateResourceSlug(app.name, input2.kind);
   const label = input2.kind === "postgres" ? "Postgres" : "MySQL";
   const _createSpinner = startSpinner(`Creating ${label} database...`);
+  let databaseId;
   try {
     if (input2.kind === "postgres") {
-      await client.postgres.create.mutate({
+      const created = await client.postgres.create.mutate({
         name: input2.name,
         appName,
         dockerImage: "postgres:17",
@@ -6324,8 +6495,9 @@ async function createAndAttachDatabase(client, profile, app, input2) {
         plan: input2.plan,
         region: DEFAULT_REGION
       });
+      databaseId = created?.postgresId;
     } else {
-      await client.mysql.create.mutate({
+      const created = await client.mysql.create.mutate({
         name: input2.name,
         appName,
         dockerImage: "mysql:9.1",
@@ -6334,13 +6506,16 @@ async function createAndAttachDatabase(client, profile, app, input2) {
         plan: input2.plan,
         region: DEFAULT_REGION
       });
+      databaseId = created?.mysqlId;
     }
     succeedSpinner(`${label} database created.`);
   } catch (err) {
     failSpinner(`Failed to create ${label} database.`);
     throw err;
   }
-  const databaseId = await findDatabaseIdByAppName(client, input2.kind, appName);
+  if (!databaseId) {
+    databaseId = await findDatabaseIdByAppName(client, input2.kind, appName);
+  }
   const _attachSpinner = startSpinner(`Attaching ${label} to ${app.name}...`);
   try {
     if (input2.kind === "postgres") {
@@ -6398,6 +6573,442 @@ async function createAndAttachStorage(client, app, input2) {
     throw err;
   }
 }
+async function resolveDatabaseProvisioning(client, profile, app, kind, options) {
+  const candidates = await listDatabaseCandidates(client, kind, profile);
+  const requestedPlan = normalizeResourcePlan(options.databasePlan);
+  const planExplicit = Boolean(options.databasePlan);
+  if (options.reuseDatabase) {
+    const picked2 = resolveExplicitDatabaseRef(
+      candidates,
+      options.reuseDatabase,
+      kind
+    );
+    return finalizeDatabaseReuse(
+      client,
+      picked2,
+      kind,
+      requestedPlan,
+      planExplicit
+    );
+  }
+  if (candidates.length === 0 || isJsonMode() || shouldSkipConfirmation()) {
+    return buildDatabaseCreateDecision(app, kind, requestedPlan);
+  }
+  const label = formatDatabaseKind(kind);
+  const choices = [
+    { name: `Create a new ${label} database`, value: "__create__" },
+    ...candidates.map((c) => ({
+      name: formatDatabaseCandidateLine(c),
+      value: c.id
+    }))
+  ];
+  log("");
+  log(
+    `Found ${candidates.length} existing ${label} database${candidates.length === 1 ? "" : "s"} in this project.`
+  );
+  const picked = await select(
+    `Reuse an existing ${label} database or create a new one?`,
+    choices,
+    {
+      field: kind === "postgres" ? "reuse_postgres" : "reuse_mysql",
+      flag: kind === "postgres" ? "--reuse-database <id|name|auto>" : "--reuse-database <id|name|auto>",
+      context: { kind }
+    }
+  );
+  if (picked === "__create__") {
+    const plan = requestedPlan ?? await resolveResourcePlan(void 0, "Database plan:");
+    return {
+      action: "create",
+      plan,
+      name: formatResourceName(app.name, label)
+    };
+  }
+  const candidate = candidates.find((c) => c.id === picked);
+  if (!candidate) {
+    throw new Error(
+      `Unable to resolve picked ${label} database (id=${picked}).`
+    );
+  }
+  return finalizeDatabaseReuse(
+    client,
+    candidate,
+    kind,
+    requestedPlan,
+    planExplicit
+  );
+}
+async function resolveStorageProvisioning(client, profile, app, options) {
+  const candidates = await listStorageCandidates(client, profile);
+  const requestedPlan = normalizeResourcePlan(options.storagePlan);
+  const planExplicit = Boolean(options.storagePlan);
+  if (options.reuseStorage) {
+    const picked2 = resolveExplicitStorageRef(candidates, options.reuseStorage);
+    return finalizeStorageReuse(client, picked2, requestedPlan, planExplicit);
+  }
+  if (candidates.length === 0 || isJsonMode() || shouldSkipConfirmation()) {
+    return buildStorageCreateDecision(app, requestedPlan);
+  }
+  const choices = [
+    { name: "Create a new storage bucket", value: "__create__" },
+    ...candidates.map((c) => ({
+      name: formatStorageCandidateLine(c),
+      value: c.bucketId
+    }))
+  ];
+  log("");
+  log(
+    `Found ${candidates.length} existing storage bucket${candidates.length === 1 ? "" : "s"} in this project.`
+  );
+  const picked = await select(
+    "Reuse an existing storage bucket or create a new one?",
+    choices,
+    {
+      field: "reuse_storage",
+      flag: "--reuse-storage <id|name|auto>"
+    }
+  );
+  if (picked === "__create__") {
+    const plan = requestedPlan ?? await resolveResourcePlan(void 0, "Storage plan:");
+    return {
+      action: "create",
+      plan,
+      name: formatResourceName(app.name, "files", 50)
+    };
+  }
+  const candidate = candidates.find((c) => c.bucketId === picked);
+  if (!candidate) {
+    throw new Error(`Unable to resolve picked storage bucket (id=${picked}).`);
+  }
+  return finalizeStorageReuse(client, candidate, requestedPlan, planExplicit);
+}
+async function listDatabaseCandidates(client, kind, profile) {
+  const rows = kind === "postgres" ? await client.postgres.allByOrganization.query() : await client.mysql.allByOrganization.query();
+  return (rows ?? []).filter((r) => {
+    if (!r?.projectId || !profile.projectId) return false;
+    return r.projectId === profile.projectId;
+  }).map((r) => ({
+    id: kind === "postgres" ? r.postgresId : r.mysqlId,
+    name: r.name,
+    appName: r.appName,
+    plan: r.plan ?? "FREE",
+    region: r.region ?? null,
+    projectId: r.projectId ?? null,
+    environmentId: r.environmentId ?? null,
+    applicationStatus: r.applicationStatus ?? null,
+    isReadOnly: r.isReadOnly ?? null,
+    createdAt: r.createdAt ?? null
+  })).filter((c) => Boolean(c.id));
+}
+async function listStorageCandidates(client, profile) {
+  const rows = await client.storage.allByOrganization.query();
+  return (rows ?? []).filter((r) => {
+    if (!r?.projectId || !profile.projectId) return false;
+    return r.projectId === profile.projectId;
+  }).map((r) => ({
+    bucketId: r.bucketId,
+    name: r.name,
+    plan: r.plan ?? "FREE",
+    region: r.region ?? null,
+    projectId: r.projectId ?? null,
+    environmentId: r.environmentId ?? null,
+    applicationStatus: r.applicationStatus ?? null,
+    isUploadBlocked: r.isUploadBlocked ?? null,
+    createdAt: r.createdAt ?? null
+  })).filter((c) => Boolean(c.bucketId));
+}
+function resolveExplicitDatabaseRef(candidates, ref, kind) {
+  const label = formatDatabaseKind(kind);
+  const normalized = ref.trim();
+  if (normalized.toLowerCase() === "auto") {
+    if (candidates.length === 0) {
+      throw new InvalidArgumentError(
+        `--reuse-database=auto: no existing ${label} databases in this project.`
+      );
+    }
+    if (candidates.length > 1) {
+      const sample = candidates.slice(0, 5).map((c) => `${c.name} (${c.id})`).join(", ");
+      throw new InvalidArgumentError(
+        `--reuse-database=auto needs exactly one match, found ${candidates.length}. Candidates: ${sample}. Pick one by id or name.`
+      );
+    }
+    return candidates[0];
+  }
+  const lower = normalized.toLowerCase();
+  const match = candidates.find((c) => c.id === normalized) ?? candidates.find((c) => c.name.toLowerCase() === lower) ?? candidates.find((c) => (c.appName ?? "").toLowerCase() === lower);
+  if (!match) {
+    const known = candidates.map((c) => `${c.name} (${c.id.slice(0, 8)})`);
+    const suggestions = findSimilar(
+      normalized,
+      candidates.flatMap((c) => [c.name, c.id])
+    );
+    throw new NotFoundError(
+      `${label} database`,
+      normalized,
+      suggestions.length > 0 ? suggestions : known.length > 0 ? known.slice(0, 5) : [
+        `No ${label} databases found in this project. Drop --reuse-database to create a new one.`
+      ]
+    );
+  }
+  return match;
+}
+function resolveExplicitStorageRef(candidates, ref) {
+  const normalized = ref.trim();
+  if (normalized.toLowerCase() === "auto") {
+    if (candidates.length === 0) {
+      throw new InvalidArgumentError(
+        "--reuse-storage=auto: no existing storage buckets in this project."
+      );
+    }
+    if (candidates.length > 1) {
+      const sample = candidates.slice(0, 5).map((c) => `${c.name} (${c.bucketId})`).join(", ");
+      throw new InvalidArgumentError(
+        `--reuse-storage=auto needs exactly one match, found ${candidates.length}. Candidates: ${sample}. Pick one by id or name.`
+      );
+    }
+    return candidates[0];
+  }
+  const lower = normalized.toLowerCase();
+  const match = candidates.find((c) => c.bucketId === normalized) ?? candidates.find((c) => c.name.toLowerCase() === lower);
+  if (!match) {
+    const known = candidates.map(
+      (c) => `${c.name} (${c.bucketId.slice(0, 8)})`
+    );
+    const suggestions = findSimilar(
+      normalized,
+      candidates.flatMap((c) => [c.name, c.bucketId])
+    );
+    throw new NotFoundError(
+      "Storage bucket",
+      normalized,
+      suggestions.length > 0 ? suggestions : known.length > 0 ? known.slice(0, 5) : [
+        "No storage buckets found in this project. Drop --reuse-storage to create a new one."
+      ]
+    );
+  }
+  return match;
+}
+async function finalizeDatabaseReuse(client, candidate, kind, requestedPlan, planExplicit) {
+  let plan = candidate.plan;
+  let upgraded = false;
+  if (planExplicit && requestedPlan) {
+    const cmp = compareResourcePlan(requestedPlan, candidate.plan);
+    if (cmp > 0) {
+      const ok = await confirmUpgrade(
+        `${formatDatabaseKind(kind)} ${candidate.name} is on ${candidate.plan}. Upgrade to ${requestedPlan} before attaching?`,
+        true,
+        kind === "postgres" ? "upgrade_postgres" : "upgrade_mysql"
+      );
+      if (ok) {
+        await runDatabaseUpgrade(client, kind, candidate.id, requestedPlan);
+        plan = requestedPlan;
+        upgraded = true;
+      }
+    } else if (cmp < 0 && !isJsonMode()) {
+      log(
+        colors.warn(
+          `Requested ${requestedPlan} is lower than existing ${candidate.plan}; attaching at current plan.`
+        )
+      );
+    }
+  }
+  return {
+    action: "reuse",
+    databaseId: candidate.id,
+    plan,
+    name: candidate.name,
+    upgraded
+  };
+}
+async function finalizeStorageReuse(client, candidate, requestedPlan, planExplicit) {
+  let plan = candidate.plan;
+  let upgraded = false;
+  if (planExplicit && requestedPlan) {
+    const cmp = compareResourcePlan(requestedPlan, candidate.plan);
+    if (cmp > 0) {
+      if (candidate.plan !== "FREE") {
+        if (!isJsonMode()) {
+          log(
+            colors.warn(
+              `Storage bucket ${candidate.name} is on ${candidate.plan}. Inline upgrades to ${requestedPlan} are only supported from FREE \u2014 upgrade from the dashboard. Attaching at current plan.`
+            )
+          );
+        }
+      } else if (requestedPlan === "STARTER" || requestedPlan === "STANDARD" || requestedPlan === "PRO") {
+        const ok = await confirmUpgrade(
+          `Storage bucket ${candidate.name} is on FREE. Upgrade to ${requestedPlan} before attaching?`,
+          true,
+          "upgrade_storage"
+        );
+        if (ok) {
+          await runStorageUpgrade(client, candidate.bucketId, requestedPlan);
+          plan = requestedPlan;
+          upgraded = true;
+        }
+      }
+    } else if (cmp < 0 && !isJsonMode()) {
+      log(
+        colors.warn(
+          `Requested ${requestedPlan} is lower than existing ${candidate.plan}; attaching at current plan.`
+        )
+      );
+    }
+  }
+  return {
+    action: "reuse",
+    bucketId: candidate.bucketId,
+    plan,
+    name: candidate.name,
+    upgraded
+  };
+}
+async function confirmUpgrade(message, defaultValue, field) {
+  if (isJsonMode() || shouldSkipConfirmation()) {
+    return false;
+  }
+  return confirm(message, defaultValue, {
+    field,
+    flag: "--yes (default attaches at current plan; pass --database-plan/--storage-plan with --yes to force an upgrade)"
+  });
+}
+async function runDatabaseUpgrade(client, kind, id, targetPlan) {
+  if (targetPlan === "FREE") return;
+  const label = formatDatabaseKind(kind);
+  const _spinner = startSpinner(`Upgrading ${label} to ${targetPlan}...`);
+  try {
+    if (kind === "postgres") {
+      await client.postgres.upgrade.mutate({
+        postgresId: id,
+        targetPlan
+      });
+    } else {
+      await client.mysql.upgrade.mutate({
+        mysqlId: id,
+        targetPlan
+      });
+    }
+    succeedSpinner(`${label} upgraded to ${targetPlan}.`);
+  } catch (err) {
+    failSpinner(`Failed to upgrade ${label}.`);
+    throw err;
+  }
+}
+async function runStorageUpgrade(client, bucketId, targetPlan) {
+  if (targetPlan === "FREE") return;
+  const _spinner = startSpinner(`Upgrading storage to ${targetPlan}...`);
+  try {
+    await client.storage.upgrade.mutate({
+      bucketId,
+      targetPlan
+    });
+    succeedSpinner(`Storage upgraded to ${targetPlan}.`);
+  } catch (err) {
+    failSpinner("Failed to upgrade storage.");
+    throw err;
+  }
+}
+async function attachExistingDatabase(client, app, kind, decision) {
+  const label = formatDatabaseKind(kind);
+  const _spinner = startSpinner(`Attaching ${label} to ${app.name}...`);
+  try {
+    if (kind === "postgres") {
+      await client.postgres.attachToApplication.mutate({
+        postgresId: decision.databaseId,
+        applicationId: app.applicationId
+      });
+    } else {
+      await client.mysql.attachToApplication.mutate({
+        mysqlId: decision.databaseId,
+        applicationId: app.applicationId
+      });
+    }
+    succeedSpinner(`${label} credentials attached.`);
+  } catch (err) {
+    failSpinner(`Failed to attach ${label} credentials.`);
+    throw err;
+  }
+}
+async function attachExistingStorage(client, app, decision) {
+  const _spinner = startSpinner(`Attaching storage to ${app.name}...`);
+  try {
+    await client.storage.attachToApplication.mutate({
+      bucketId: decision.bucketId,
+      applicationId: app.applicationId
+    });
+    succeedSpinner("Storage credentials attached.");
+  } catch (err) {
+    failSpinner("Failed to attach storage credentials.");
+    throw err;
+  }
+}
+async function buildDatabaseCreateDecision(app, kind, requestedPlan) {
+  const plan = requestedPlan ?? await resolveResourcePlan(void 0, "Database plan:");
+  return {
+    action: "create",
+    plan,
+    name: formatResourceName(app.name, formatDatabaseKind(kind))
+  };
+}
+async function buildStorageCreateDecision(app, requestedPlan) {
+  const plan = requestedPlan ?? await resolveResourcePlan(void 0, "Storage plan:");
+  return {
+    action: "create",
+    plan,
+    name: formatResourceName(app.name, "files", 50)
+  };
+}
+function formatDatabaseCandidateLine(c) {
+  const parts = [c.name];
+  const badges = [c.plan];
+  if (c.region) badges.push(c.region);
+  const ageBadge = describeAge(c.createdAt);
+  if (ageBadge) badges.push(ageBadge);
+  const status = describeApplicationStatus(c.applicationStatus);
+  if (status) badges.push(status);
+  if (c.isReadOnly) badges.push("read-only");
+  parts.push(`(${badges.join(" \xB7 ")})`);
+  parts.push(colors.dim(`[${c.id.slice(0, 8)}]`));
+  return parts.join(" ");
+}
+function formatStorageCandidateLine(c) {
+  const parts = [c.name];
+  const badges = [c.plan];
+  if (c.region) badges.push(c.region);
+  const ageBadge = describeAge(c.createdAt);
+  if (ageBadge) badges.push(ageBadge);
+  const status = describeApplicationStatus(c.applicationStatus);
+  if (status) badges.push(status);
+  if (c.isUploadBlocked) badges.push("upload blocked");
+  parts.push(`(${badges.join(" \xB7 ")})`);
+  parts.push(colors.dim(`[${c.bucketId.slice(0, 8)}]`));
+  return parts.join(" ");
+}
+function describeAge(value) {
+  if (!value) return null;
+  const date = value instanceof Date ? value : new Date(value);
+  const time = date.getTime();
+  if (!Number.isFinite(time)) return null;
+  const days = Math.max(0, Math.floor((Date.now() - time) / 864e5));
+  if (days === 0) return "today";
+  if (days === 1) return "1d ago";
+  if (days < 30) return `${days}d ago`;
+  if (days < 365) return `${Math.floor(days / 30)}mo ago`;
+  return `${Math.floor(days / 365)}y ago`;
+}
+function describeApplicationStatus(status) {
+  if (!status) return null;
+  const normalized = status.toLowerCase();
+  if (normalized === "running" || normalized === "done") return null;
+  return normalized;
+}
+var RESOURCE_PLAN_RANK = {
+  FREE: 0,
+  STARTER: 1,
+  STANDARD: 2,
+  PRO: 3
+};
+function compareResourcePlan(a, b) {
+  return RESOURCE_PLAN_RANK[a] - RESOURCE_PLAN_RANK[b];
+}
 function normalizeDatabaseKind(value) {
   if (!value) return void 0;
   const normalized = value.trim().toLowerCase();
@@ -6541,8 +7152,8 @@ async function uploadCurrentDirectorySource(client, applicationId, appName) {
   }
 }
 async function createSourceArchive() {
-  const tempDir = mkdtempSync(join2(tmpdir(), "tarout-source-"));
-  const archivePath = join2(tempDir, "source.zip");
+  const tempDir = mkdtempSync(join3(tmpdir(), "tarout-source-"));
+  const archivePath = join3(tempDir, "source.zip");
   const excludes = [
     ".git/*",
     ".tarout/*",
@@ -6595,6 +7206,12 @@ function registerDeployCommands(program2) {
   ).option("--storage", "Provision file storage and attach it to the app").option(
     "--storage-plan <plan>",
     "Storage plan: free, starter, standard, or pro"
+  ).option(
+    "--reuse-database <ref>",
+    "Reuse an existing database in this project: <id>, <name>, or 'auto' (exactly one match)"
+  ).option(
+    "--reuse-storage <ref>",
+    "Reuse an existing storage bucket in this project: <id>, <name>, or 'auto' (exactly one match)"
   ).option("--token <token>", "API token to use for this deployment").option("-r, --region <region>", "Deployment region", DEFAULT_REGION).option("--description <text>", "Description for a newly created app").option(
     "--framework-preset <preset>",
     "Framework preset override (e.g. nextjs, vite, astro)"
@@ -6742,7 +7359,7 @@ function registerDeployCommands(program2) {
           applicationId: app.applicationId,
           name: app.name,
           status: app.applicationStatus,
-          url: app.appSubdomain ? `https://${app.appSubdomain}` : app.domain?.[0]?.host ? `https://${app.domain[0].host}` : null,
+          url: formatAppUrl(app.appSubdomain) ?? formatAppUrl(app.domain?.[0]?.host),
           cloudStatus
         });
         return;
@@ -6751,7 +7368,7 @@ function registerDeployCommands(program2) {
       log(`${colors.bold(app.name)}`);
       log("");
       log(`Status: ${getStatusBadge(app.applicationStatus)}`);
-      const appUrl = app.appSubdomain ? `https://${app.appSubdomain}` : app.domain?.[0]?.host ? `https://${app.domain[0].host}` : null;
+      const appUrl = formatAppUrl(app.appSubdomain) ?? formatAppUrl(app.domain?.[0]?.host);
       if (appUrl) {
         log(`URL: ${colors.cyan(appUrl)}`);
       }
@@ -7180,7 +7797,7 @@ function formatDate5(date) {
   });
 }
 function sleep(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
 async function streamDeploymentWithLogs(client, deploymentId, appName, applicationId) {
   stopSpinner();
@@ -7195,6 +7812,23 @@ async function streamDeploymentWithLogs(client, deploymentId, appName, applicati
   const startTime = Date.now();
   let wsConnected = false;
   let lastStatus = deployment.status;
+  const backfillLogsIfEmpty = async () => {
+    if (logLines.length > 0) return;
+    try {
+      const res = await client.deployment.getDeploymentLogs.query({
+        deploymentId,
+        offset: 0,
+        limit: 5e3
+      });
+      if (Array.isArray(res?.lines)) {
+        for (const line of res.lines) {
+          logLines.push(line);
+          if (isErrorLine(line)) errors.push(line);
+        }
+      }
+    } catch {
+    }
+  };
   if (!isJsonMode()) {
     log("");
     log(
@@ -7238,9 +7872,10 @@ async function streamDeploymentWithLogs(client, deploymentId, appName, applicati
       if (lastStatus === "done") {
         await sleep(500);
         cleanup?.();
+        await backfillLogsIfEmpty();
         const finalApp = await client.application.one.query({ applicationId });
         const duration2 = Math.round((Date.now() - startTime) / 1e3);
-        const deployUrl = finalApp.appSubdomain ? `https://${finalApp.appSubdomain}` : finalApp.domain?.[0]?.host ? `https://${finalApp.domain[0].host}` : null;
+        const deployUrl = formatAppUrl(finalApp.appSubdomain) ?? formatAppUrl(finalApp.domain?.[0]?.host);
         if (isJsonMode()) {
           outputData({
             deploymentId,
@@ -7262,6 +7897,7 @@ async function streamDeploymentWithLogs(client, deploymentId, appName, applicati
       }
       if (lastStatus === "error" || lastStatus === "cancelled") {
         cleanup?.();
+        await backfillLogsIfEmpty();
         const errorAnalysis = analyzeDeploymentError(
           logLines,
           updatedDeployment.errorMessage
@@ -7321,6 +7957,7 @@ async function streamDeploymentWithLogs(client, deploymentId, appName, applicati
       }
     }
     cleanup?.();
+    await backfillLogsIfEmpty();
     const duration = Math.round((Date.now() - startTime) / 1e3);
     if (isJsonMode()) {
       outputError("DEPLOYMENT_TIMEOUT", "Deployment timed out", {
@@ -9724,837 +10361,65 @@ function truncate(str, max) {
   return `${str.slice(0, max - 3)}...`;
 }
 
-// src/commands/email.ts
-function registerEmailCommands(program2) {
-  const email = program2.command("email").description("Manage email service configuration, templates, and logs");
-  const config = email.command("config").description("Manage email configuration");
-  config.command("get").description("Show email configuration for an environment").option("-e, --env <environment-id>", "Environment ID").action(async (options) => {
+// src/commands/env.ts
+import { chmodSync, existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+function registerEnvCommands(program2) {
+  const env = program2.command("env").argument("<app>", "Application ID or name").description("Manage environment variables");
+  env.command("list").alias("ls").description("List all environment variables").option("--reveal", "Show actual values (not masked)").action(async (options, command) => {
     try {
       if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
+      const appIdentifier = command.parent.args[0];
       const client = getApiClient();
-      const _spinner = startSpinner("Fetching email config...");
-      const data = await client.emailService.getConfig.query({
-        environmentId
+      const _spinner = startSpinner("Fetching environment variables...");
+      const apps = await client.application.allByOrganization.query();
+      const app = findApp6(apps, appIdentifier);
+      if (!app) {
+        failSpinner();
+        const suggestions = findSimilar(
+          appIdentifier,
+          apps.map((a) => a.name)
+        );
+        throw new NotFoundError("Application", appIdentifier, suggestions);
+      }
+      const variables = await client.envVariable.list.query({
+        applicationId: app.applicationId,
+        includeValues: options.reveal || false
       });
       succeedSpinner();
       if (isJsonMode()) {
-        outputData(data);
+        outputData(variables);
         return;
       }
-      const c = data;
-      if (!c) {
-        log("No email configuration found.");
+      if (variables.length === 0) {
+        log("");
+        log("No environment variables found.");
+        log("");
+        log(
+          `Set one with: ${colors.dim(`tarout env ${app.name} set KEY=value`)}`
+        );
         return;
       }
       log("");
-      log(colors.bold("Email Configuration"));
-      log(`  Provider:   ${c.provider || "-"}`);
-      log(`  From Name:  ${c.fromName || "-"}`);
-      log(`  From Email: ${c.fromEmail || "-"}`);
-      log(`  Domain:     ${c.fromDomain || "-"}`);
-      log(`  Reply To:   ${c.replyToEmail || "-"}`);
-      log(
-        `  Verified:   ${c.isVerified ? colors.success("yes") : colors.warn("no")}`
+      table(
+        ["KEY", "VALUE", "SECRET", "UPDATED"],
+        variables.map((v) => [
+          colors.cyan(v.key),
+          options.reveal ? v.value || colors.dim("-") : maskValue(v.value),
+          v.isSecret ? colors.warn("Yes") : "No",
+          formatDate7(v.updatedAt)
+        ])
       );
-      log(`  ID:         ${colors.dim(c.id || c.emailServiceId || "-")}`);
       log("");
+      log(
+        colors.dim(
+          `${variables.length} variable${variables.length === 1 ? "" : "s"}`
+        )
+      );
     } catch (err) {
-      failSpinner();
       handleError(err);
     }
   });
-  config.command("create").description("Create email configuration for an environment").option("-e, --env <environment-id>", "Environment ID").option(
-    "-p, --provider <provider>",
-    "Email provider (resend, sendgrid, mailgun, ses)"
-  ).option("--api-key <key>", "API key").option("--from-domain <domain>", "From domain").option("--from-name <name>", "From name").option("--from-email <email>", "From email address").option("--reply-to <email>", "Reply-to email").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const provider = options.provider || await select(
-          "Email provider:",
-          [
-            { name: "Resend", value: "resend" },
-            { name: "SendGrid", value: "sendgrid" },
-            { name: "Mailgun", value: "mailgun" },
-            { name: "Amazon SES", value: "ses" }
-          ],
-          { field: "email_provider", flag: "--provider" }
-        );
-        const apiKey = options.apiKey || await input("API Key:", void 0, {
-          field: "api_key",
-          flag: "--api-key",
-          sensitive: true
-        });
-        const fromDomain = options.fromDomain || await input("From domain (e.g. mail.example.com):", void 0, {
-          field: "from_domain",
-          flag: "--from-domain"
-        });
-        const fromName = options.fromName || await input("From name:", void 0, {
-          field: "from_name",
-          flag: "--from-name"
-        });
-        const fromEmail = options.fromEmail || await input(
-          `From email (e.g. hello@${fromDomain}):`,
-          void 0,
-          { field: "from_email", flag: "--from-email" }
-        );
-        const client = getApiClient();
-        const _spinner = startSpinner("Creating email config...");
-        const result = await client.emailService.createConfig.mutate({
-          environmentId,
-          provider,
-          apiKey,
-          fromDomain,
-          fromName,
-          fromEmail,
-          replyToEmail: options.replyTo
-        });
-        succeedSpinner("Email configuration created.");
-        if (isJsonMode()) outputData(result);
-        else quietOutput(result.id || environmentId);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  config.command("update <email-service-id>").description("Update email configuration").option("--api-key <key>", "New API key").option("--from-domain <domain>", "New from domain").option("--from-name <name>", "New from name").option("--from-email <email>", "New from email").option("--reply-to <email>", "New reply-to email").action(
-    async (emailServiceId, options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const client = getApiClient();
-        const _spinner = startSpinner("Updating email config...");
-        await client.emailService.updateConfig.mutate({
-          emailServiceId,
-          apiKey: options.apiKey,
-          fromDomain: options.fromDomain,
-          fromName: options.fromName,
-          fromEmail: options.fromEmail,
-          replyToEmail: options.replyTo
-        });
-        succeedSpinner("Email configuration updated.");
-        if (isJsonMode()) outputData({ updated: true, emailServiceId });
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  config.command("delete <email-service-id>").alias("rm").description("Delete email configuration").action(async (emailServiceId) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      if (!shouldSkipConfirmation()) {
-        const confirmed = await confirm(
-          `Delete email configuration "${emailServiceId}"?`,
-          false,
-          {
-            field: "confirm_delete_email_config",
-            flag: "--yes",
-            context: { emailServiceId }
-          }
-        );
-        if (!confirmed) {
-          log("Cancelled.");
-          return;
-        }
-      }
-      const client = getApiClient();
-      const _spinner = startSpinner("Deleting email config...");
-      await client.emailService.deleteConfig.mutate({
-        emailServiceId
-      });
-      succeedSpinner("Email configuration deleted.");
-      if (isJsonMode()) outputData({ deleted: true, emailServiceId });
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  const domain = email.command("domain").description("Manage email domain verification");
-  domain.command("verify").description("Initiate email domain verification").option("-e, --env <environment-id>", "Environment ID").option("-d, --domain <domain>", "Domain to verify").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const domainName = options.domain || await input("Domain to verify:", void 0, {
-        field: "domain",
-        flag: "--domain"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Initiating domain verification...");
-      const result = await client.emailService.verifyDomain.mutate({
-        environmentId,
-        domain: domainName
-      });
-      succeedSpinner("Verification initiated.");
-      if (isJsonMode()) outputData(result);
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  domain.command("status").description("Check email domain verification status").option("-e, --env <environment-id>", "Environment ID").option("-d, --domain <domain>", "Domain to check").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const domainName = options.domain || await input("Domain name:", void 0, {
-        field: "domain",
-        flag: "--domain"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Checking domain status...");
-      const data = await client.emailService.getDomainStatus.query({
-        environmentId,
-        domain: domainName
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const s = data;
-      log("");
-      log(`Domain: ${colors.cyan(domainName)}`);
-      log(
-        `Status: ${s.verified || s.status === "verified" ? colors.success("verified") : colors.warn(s.status || "pending")}`
-      );
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  domain.command("dns-records").description("Get DNS records needed for email domain verification").option("-e, --env <environment-id>", "Environment ID").option("-d, --domain <domain>", "Domain name").option("--type <type>", "Domain type (managed/external)").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const domainName = options.domain || await input("Domain name:", void 0, {
-          field: "domain",
-          flag: "--domain"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Fetching DNS records...");
-        const data = await client.emailService.getDnsRecords.query({
-          environmentId,
-          domain: domainName,
-          domainType: options.type || "external"
-        });
-        succeedSpinner();
-        if (isJsonMode()) {
-          outputData(data);
-          return;
-        }
-        const records = Array.isArray(data) ? data : data?.records || [];
-        log("");
-        log(colors.bold("DNS Records for Email Verification"));
-        log("");
-        table(
-          ["TYPE", "HOST", "VALUE"],
-          records.map((r) => [
-            colors.cyan(r.type || "-"),
-            r.name || r.host || "-",
-            (r.value || r.data || "-").slice(0, 60)
-          ])
-        );
-        log("");
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  const templates = email.command("templates").description("Manage email templates");
-  templates.command("list").alias("ls").description("List email templates").option("-e, --env <environment-id>", "Environment ID").option("--active", "Show only active templates").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching templates...");
-      const list = await client.emailService.listTemplates.query({
-        environmentId,
-        isActive: options.active
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(list);
-        return;
-      }
-      const items = Array.isArray(list) ? list : [];
-      if (items.length === 0) {
-        log("No templates found.");
-        return;
-      }
-      log("");
-      table(
-        ["NAME", "SLUG", "SUBJECT", "ACTIVE", "ID"],
-        items.map((t) => [
-          colors.bold(t.name || "-"),
-          t.slug || "-",
-          (t.subject || "-").slice(0, 40),
-          t.isActive ? colors.success("yes") : colors.dim("no"),
-          colors.dim(t.id || t.templateId || "-")
-        ])
-      );
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  templates.command("get-by-slug <slug>").description("Get an email template by its slug").option("-e, --env <environment-id>", "Environment ID").action(async (slug, options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching template...");
-      const data = await client.emailService.getTemplateBySlug.query({
-        environmentId,
-        slug
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const t = data;
-      if (!t) {
-        log(`No template found with slug "${slug}".`);
-        return;
-      }
-      log("");
-      log(colors.bold(t.name || slug));
-      log(`  Slug:    ${t.slug || slug}`);
-      log(`  Subject: ${t.subject || "-"}`);
-      log(
-        `  Active:  ${t.isActive ? colors.success("yes") : colors.dim("no")}`
-      );
-      log(`  ID:      ${colors.dim(t.id || t.templateId || "-")}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  templates.command("get <template-id>").description("Show email template details").action(async (templateId) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching template...");
-      const data = await client.emailService.getTemplate.query({
-        templateId
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const t = data;
-      log("");
-      log(colors.bold(t.name || templateId));
-      log(`  Slug:      ${t.slug || "-"}`);
-      log(`  Subject:   ${t.subject || "-"}`);
-      log(
-        `  Active:    ${t.isActive ? colors.success("yes") : colors.dim("no")}`
-      );
-      log(`  Variables: ${(t.variables || []).join(", ") || "-"}`);
-      log(`  ID:        ${colors.dim(t.id || t.templateId || "-")}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  templates.command("create").description("Create an email template").option("-e, --env <environment-id>", "Environment ID").option("-n, --name <name>", "Template name").option("--slug <slug>", "Template slug").option("--subject <subject>", "Email subject").option("--html <html>", "HTML content").option("--description <text>", "Template description").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const name = options.name || await input("Template name:", void 0, {
-          field: "template_name",
-          flag: "--name"
-        });
-        const subject = options.subject || await input("Email subject:", void 0, {
-          field: "email_subject",
-          flag: "--subject"
-        });
-        const htmlContent = options.html || await input("HTML content (or paste):", void 0, {
-          field: "html_content",
-          flag: "--html"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Creating template...");
-        const result = await client.emailService.createTemplate.mutate({
-          environmentId,
-          name,
-          slug: options.slug || name.toLowerCase().replace(/[^a-z0-9]+/g, "-"),
-          subject,
-          htmlContent,
-          description: options.description,
-          isActive: true
-        });
-        succeedSpinner("Template created.");
-        if (isJsonMode()) outputData(result);
-        else
-          quietOutput(
-            result.id || result.templateId || "created"
-          );
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  templates.command("update <template-id>").description("Update an email template").option("-n, --name <name>", "New name").option("--slug <slug>", "New slug").option("--subject <subject>", "New subject").option("--html <html>", "New HTML content").option("--activate", "Activate the template").option("--deactivate", "Deactivate the template").action(
-    async (templateId, options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const isActive = options.activate ? true : options.deactivate ? false : void 0;
-        const client = getApiClient();
-        const _spinner = startSpinner("Updating template...");
-        await client.emailService.updateTemplate.mutate({
-          templateId,
-          name: options.name,
-          slug: options.slug,
-          subject: options.subject,
-          htmlContent: options.html,
-          isActive
-        });
-        succeedSpinner("Template updated.");
-        if (isJsonMode()) outputData({ updated: true, templateId });
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  templates.command("delete <template-id>").alias("rm").description("Delete an email template").action(async (templateId) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      if (!shouldSkipConfirmation()) {
-        const confirmed = await confirm(
-          `Delete template "${templateId}"?`,
-          false,
-          {
-            field: "confirm_delete_template",
-            flag: "--yes",
-            context: { templateId }
-          }
-        );
-        if (!confirmed) {
-          log("Cancelled.");
-          return;
-        }
-      }
-      const client = getApiClient();
-      const _spinner = startSpinner("Deleting template...");
-      await client.emailService.deleteTemplate.mutate({
-        templateId
-      });
-      succeedSpinner("Template deleted.");
-      if (isJsonMode()) outputData({ deleted: true, templateId });
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  templates.command("seed").description("Seed pre-built templates for an environment").option("-e, --env <environment-id>", "Environment ID").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Seeding templates...");
-      const result = await client.emailService.seedPrebuiltTemplates.mutate({
-        environmentId
-      });
-      succeedSpinner("Templates seeded.");
-      if (isJsonMode()) outputData(result);
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  email.command("send").description("Send an email").option("-e, --env <environment-id>", "Environment ID").option("--to <email>", "Recipient email").option("--subject <subject>", "Email subject").option("--html <html>", "HTML body").option("--text <text>", "Plain text body").option("--from <email>", "Override from email").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const to = options.to || await input("Recipient email:", void 0, {
-          field: "recipient_email",
-          flag: "--to"
-        });
-        const subject = options.subject || await input("Subject:", void 0, {
-          field: "email_subject",
-          flag: "--subject"
-        });
-        const html = options.html || options.text;
-        const client = getApiClient();
-        const _spinner = startSpinner("Sending email...");
-        const result = await client.emailService.sendEmail.mutate({
-          environmentId,
-          to,
-          subject,
-          html,
-          text: options.text,
-          from: options.from
-        });
-        succeedSpinner("Email sent.");
-        if (isJsonMode()) outputData(result);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  email.command("send-template").description("Send a templated email").option("-e, --env <environment-id>", "Environment ID").option("--template-id <id>", "Template ID").option("--to <email>", "Recipient email").option("--vars <json>", "Template variables as JSON string").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const templateId = options.templateId || await input("Template ID:", void 0, {
-          field: "template_id",
-          flag: "--template-id"
-        });
-        const to = options.to || await input("Recipient email:", void 0, {
-          field: "recipient_email",
-          flag: "--to"
-        });
-        const variables = options.vars ? JSON.parse(options.vars) : {};
-        const client = getApiClient();
-        const _spinner = startSpinner("Sending templated email...");
-        const result = await client.emailService.sendTemplatedEmail.mutate({
-          environmentId,
-          templateId,
-          to,
-          variables
-        });
-        succeedSpinner("Email sent.");
-        if (isJsonMode()) outputData(result);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  email.command("logs").description("View email sending logs").option("-e, --env <environment-id>", "Environment ID").option("-n, --limit <n>", "Number of logs to show", "50").option("--status <status>", "Filter by status (sent, failed, bounced)").option("--to <email>", "Filter by recipient").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Fetching logs...");
-        const logs = await client.emailService.getEmailLogs.query({
-          environmentId,
-          status: options.status,
-          to: options.to,
-          limit: Number.parseInt(options.limit || "50")
-        });
-        succeedSpinner();
-        if (isJsonMode()) {
-          outputData(logs);
-          return;
-        }
-        const list = Array.isArray(logs) ? logs : logs?.items || [];
-        if (list.length === 0) {
-          log("No email logs found.");
-          return;
-        }
-        log("");
-        table(
-          ["DATE", "TO", "SUBJECT", "STATUS"],
-          list.map((l) => [
-            l.createdAt ? new Date(l.createdAt).toLocaleString() : "-",
-            l.to || "-",
-            (l.subject || "-").slice(0, 40),
-            l.status === "sent" ? colors.success(l.status) : l.status === "failed" || l.status === "bounced" ? colors.error(l.status) : colors.warn(l.status || "-")
-          ])
-        );
-        log("");
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  email.command("stats").description("Show email sending statistics").option("-e, --env <environment-id>", "Environment ID").option("--start <date>", "Start date (ISO)").option("--end <date>", "End date (ISO)").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching stats...");
-      const stats = await client.emailService.getEmailStats.query({
-        environmentId,
-        startDate: options.start,
-        endDate: options.end
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(stats);
-        return;
-      }
-      const s = stats;
-      log("");
-      log(colors.bold("Email Statistics"));
-      log(`  Total Sent:  ${colors.cyan(String(s.sent || s.total || 0))}`);
-      log(`  Delivered:   ${colors.success(String(s.delivered || 0))}`);
-      log(`  Bounced:     ${colors.error(String(s.bounced || 0))}`);
-      log(`  Failed:      ${colors.error(String(s.failed || 0))}`);
-      log(`  Open Rate:   ${s.openRate ? `${s.openRate}%` : "-"}`);
-      log(`  Click Rate:  ${s.clickRate ? `${s.clickRate}%` : "-"}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  const apiKeys = email.command("api-keys").description("Manage email service API keys");
-  apiKeys.command("list").alias("ls").description("List email service API keys").option("-e, --env <environment-id>", "Environment ID").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching API keys...");
-      const list = await client.emailService.listApiKeys.query({
-        environmentId
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(list);
-        return;
-      }
-      const items = Array.isArray(list) ? list : [];
-      if (items.length === 0) {
-        log("No API keys found.");
-        return;
-      }
-      log("");
-      table(
-        ["NAME", "MODE", "ID", "CREATED"],
-        items.map((k) => [
-          k.name || "-",
-          k.mode || "-",
-          colors.dim(k.id || k.apiKeyId || "-"),
-          k.createdAt ? new Date(k.createdAt).toLocaleDateString() : "-"
-        ])
-      );
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  apiKeys.command("create").description("Create an email service API key").option("-e, --env <environment-id>", "Environment ID").option("-n, --name <name>", "Key name").option("--mode <mode>", "Key mode (sending/full)", "sending").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const name = options.name || await input("API key name:", void 0, {
-        field: "api_key_name",
-        flag: "--name"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Creating API key...");
-      const result = await client.emailService.createApiKey.mutate({
-        environmentId,
-        name,
-        mode: options.mode || "sending"
-      });
-      succeedSpinner("API key created.");
-      if (isJsonMode()) outputData(result);
-      else {
-        const r = result;
-        log("");
-        log(colors.warn("Save this key \u2014 it won't be shown again!"));
-        log(`Key: ${colors.cyan(r.key || r.token || "-")}`);
-        log("");
-      }
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  apiKeys.command("update <api-key-id>").description("Update an email service API key").option("-n, --name <name>", "New name").action(async (apiKeyId, options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const name = options.name || await input("New name:", void 0, {
-        field: "new_name",
-        flag: "--name"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Updating API key...");
-      await client.emailService.updateApiKey.mutate({
-        apiKeyId,
-        name
-      });
-      succeedSpinner("API key updated.");
-      if (isJsonMode()) outputData({ updated: true, apiKeyId });
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  apiKeys.command("revoke <api-key-id>").description("Revoke an email service API key").action(async (apiKeyId) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      if (!shouldSkipConfirmation()) {
-        const confirmed = await confirm(
-          `Revoke API key "${apiKeyId}"?`,
-          false,
-          {
-            field: "confirm_revoke_api_key",
-            flag: "--yes",
-            context: { apiKeyId }
-          }
-        );
-        if (!confirmed) {
-          log("Cancelled.");
-          return;
-        }
-      }
-      const client = getApiClient();
-      const _spinner = startSpinner("Revoking API key...");
-      await client.emailService.revokeApiKey.mutate({ apiKeyId });
-      succeedSpinner("API key revoked.");
-      if (isJsonMode()) outputData({ revoked: true, apiKeyId });
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  apiKeys.command("delete <api-key-id>").alias("rm").description("Delete an email service API key").action(async (apiKeyId) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      if (!shouldSkipConfirmation()) {
-        const confirmed = await confirm(
-          `Delete API key "${apiKeyId}"?`,
-          false,
-          {
-            field: "confirm_delete_api_key",
-            flag: "--yes",
-            context: { apiKeyId }
-          }
-        );
-        if (!confirmed) {
-          log("Cancelled.");
-          return;
-        }
-      }
-      const client = getApiClient();
-      const _spinner = startSpinner("Deleting API key...");
-      await client.emailService.deleteApiKey.mutate({ apiKeyId });
-      succeedSpinner("API key deleted.");
-      if (isJsonMode()) outputData({ deleted: true, apiKeyId });
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-}
-
-// src/commands/env.ts
-import { chmodSync, existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync } from "fs";
-function registerEnvCommands(program2) {
-  const env = program2.command("env").argument("<app>", "Application ID or name").description("Manage environment variables");
-  env.command("list").alias("ls").description("List all environment variables").option("--reveal", "Show actual values (not masked)").action(async (options, command) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const appIdentifier = command.parent.args[0];
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching environment variables...");
-      const apps = await client.application.allByOrganization.query();
-      const app = findApp6(apps, appIdentifier);
-      if (!app) {
-        failSpinner();
-        const suggestions = findSimilar(
-          appIdentifier,
-          apps.map((a) => a.name)
-        );
-        throw new NotFoundError("Application", appIdentifier, suggestions);
-      }
-      const variables = await client.envVariable.list.query({
-        applicationId: app.applicationId,
-        includeValues: options.reveal || false
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(variables);
-        return;
-      }
-      if (variables.length === 0) {
-        log("");
-        log("No environment variables found.");
-        log("");
-        log(
-          `Set one with: ${colors.dim(`tarout env ${app.name} set KEY=value`)}`
-        );
-        return;
-      }
-      log("");
-      table(
-        ["KEY", "VALUE", "SECRET", "UPDATED"],
-        variables.map((v) => [
-          colors.cyan(v.key),
-          options.reveal ? v.value || colors.dim("-") : maskValue(v.value),
-          v.isSecret ? colors.warn("Yes") : "No",
-          formatDate7(v.updatedAt)
-        ])
-      );
-      log("");
-      log(
-        colors.dim(
-          `${variables.length} variable${variables.length === 1 ? "" : "s"}`
-        )
-      );
-    } catch (err) {
-      handleError(err);
-    }
-  });
-  env.command("set").argument("<key=value>", "Variable to set (KEY=value format)").description("Set an environment variable").option("-s, --secret", "Mark as secret (default)", true).option("--no-secret", "Mark as non-secret").action(async (keyValue, options, command) => {
+  env.command("set").argument("<key=value>", "Variable to set (KEY=value format)").description("Set an environment variable").option("-s, --secret", "Mark as secret (default)", true).option("--no-secret", "Mark as non-secret").action(async (keyValue, options, command) => {
     try {
       if (!isLoggedIn()) throw new AuthError();
       const appIdentifier = command.parent.parent.args[0];
@@ -10657,7 +10522,7 @@ function registerEnvCommands(program2) {
         );
         throw new NotFoundError("Application", appIdentifier, suggestions);
       }
-      if (existsSync3(options.output) && !shouldSkipConfirmation()) {
+      if (existsSync4(options.output) && !shouldSkipConfirmation()) {
         succeedSpinner();
         const confirmed = await confirm(
           `File ${options.output} already exists. Overwrite?`,
@@ -10678,7 +10543,7 @@ function registerEnvCommands(program2) {
         format: "dotenv",
         maskSecrets: !options.reveal
       });
-      writeFileSync(options.output, result.content, { mode: 384 });
+      writeFileSync2(options.output, result.content, { mode: 384 });
       try {
         chmodSync(options.output, 384);
       } catch {
@@ -10697,10 +10562,10 @@ function registerEnvCommands(program2) {
     try {
       if (!isLoggedIn()) throw new AuthError();
       const appIdentifier = command.parent.parent.args[0];
-      if (!existsSync3(options.input)) {
+      if (!existsSync4(options.input)) {
         throw new InvalidArgumentError(`File not found: ${options.input}`);
       }
-      const content = readFileSync3(options.input, "utf-8");
+      const content = readFileSync4(options.input, "utf-8");
       const client = getApiClient();
       const _spinner = startSpinner("Uploading environment variables...");
       const apps = await client.application.allByOrganization.query();
@@ -11406,32 +11271,247 @@ function registerInboxCommands(program2) {
   });
   inbox.command("clear").description("Delete all notifications").action(async () => {
     try {
-      if (!isLoggedIn()) throw new AuthError();
-      if (!shouldSkipConfirmation()) {
-        const confirmed = await confirm(
-          "Clear all notifications? This cannot be undone.",
-          false,
-          {
-            field: "confirm_clear_notifications",
-            flag: "--yes"
+      if (!isLoggedIn()) throw new AuthError();
+      if (!shouldSkipConfirmation()) {
+        const confirmed = await confirm(
+          "Clear all notifications? This cannot be undone.",
+          false,
+          {
+            field: "confirm_clear_notifications",
+            flag: "--yes"
+          }
+        );
+        if (!confirmed) {
+          log("Cancelled.");
+          return;
+        }
+      }
+      const client = getApiClient();
+      const _spinner = startSpinner("Clearing notifications...");
+      await client.appNotification.clearAll.mutate();
+      succeedSpinner("All notifications cleared.");
+      if (isJsonMode()) outputData({ cleared: true });
+    } catch (err) {
+      failSpinner();
+      handleError(err);
+    }
+  });
+}
+
+// src/commands/init.ts
+import { existsSync as existsSync5, writeFileSync as writeFileSync3 } from "fs";
+import { basename as basename2, join as join4, resolve } from "path";
+var DEFAULT_REGION2 = "me-central2";
+var STARTER_INDEX_JS = `import { createServer } from "node:http";
+
+const port = process.env.PORT || 3000;
+
+createServer((_req, res) => {
+	res.writeHead(200, { "content-type": "application/json" });
+	res.end(JSON.stringify({ ok: true, message: "Hello from Tarout" }));
+}).listen(port, () => {
+	console.log(\`Listening on http://localhost:\${port}\`);
+});
+`;
+function toPackageName(name) {
+  return name.toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "") || "tarout-app";
+}
+function scaffoldStarter(cwd) {
+  const written = [];
+  const pkgPath = join4(cwd, "package.json");
+  if (existsSync5(pkgPath)) return written;
+  const pkg = {
+    name: toPackageName(basename2(cwd) || "tarout-app"),
+    version: "0.1.0",
+    private: true,
+    type: "module",
+    scripts: { start: "node index.js", dev: "node index.js" }
+  };
+  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+`);
+  written.push("package.json");
+  const indexPath = join4(cwd, "index.js");
+  if (!existsSync5(indexPath)) {
+    writeFileSync3(indexPath, STARTER_INDEX_JS);
+    written.push("index.js");
+  }
+  return written;
+}
+function envValueNeedsQuote(value) {
+  return /\s|#|"|'/.test(value);
+}
+function writeEnvFile(cwd, vars) {
+  const lines = Object.entries(vars).map(
+    ([k, v]) => `${k}=${envValueNeedsQuote(v) ? JSON.stringify(v) : v}`
+  );
+  const primary = join4(cwd, ".env");
+  const target = existsSync5(primary) ? join4(cwd, ".env.tarout") : primary;
+  writeFileSync3(target, `${lines.join("\n")}
+`, { mode: 384 });
+  return target;
+}
+function registerInitCommand(program2) {
+  program2.command("init").argument("[path]", "Project directory (defaults to current)").description(
+    "Provision a project backend (app, database, storage, env) and link it \u2014 the start of init \u2192 dev \u2192 deploy"
+  ).option(
+    "--api-url <url>",
+    "Custom API URL (defaults to saved profile or https://tarout.sa)"
+  ).option("--token <token>", "API token for this run").option("--name <name>", "Application name (defaults to directory name)").option(
+    "--plan <plan>",
+    "App hosting plan: free, shared, or dedicated",
+    "free"
+  ).option("-r, --region <region>", "Deployment region", DEFAULT_REGION2).option("--description <text>", "Description for the newly created app").option(
+    "--database <type>",
+    "Provision a database: none, postgres, or mysql (defaults to auto-detected)"
+  ).option("--database-plan <plan>", "Database plan (e.g. free, starter)").option("--storage", "Provision file storage").option("--storage-plan <plan>", "Storage plan (e.g. free, starter)").option("--scaffold", "Write a minimal starter app if the directory is empty").option("--no-env-write", "Do not write a local .env file with connection strings").action(async (cwdArg, options) => {
+    try {
+      const cwd = cwdArg ? resolve(cwdArg) : process.cwd();
+      if (cwdArg) process.chdir(cwd);
+      if (options.scaffold) {
+        const files = scaffoldStarter(cwd);
+        emitEvent({ event: "scaffold_done", files });
+      }
+      emitEvent({ event: "inspect_started", cwd });
+      const inspection = inspectCurrentProject(cwd);
+      emitEvent({
+        event: "inspect_done",
+        database: inspection.database,
+        storage: inspection.storage,
+        git: inspection.git
+      });
+      emitEvent({ event: "auth_check_started" });
+      const profile = await ensureAuthenticatedForDeploy({
+        apiUrl: options.apiUrl,
+        token: options.token,
+        region: options.region
+      });
+      emitEvent({
+        event: "auth_check_done",
+        userEmail: profile.userEmail,
+        organization: profile.organizationName
+      });
+      const client = getApiClient();
+      let app;
+      let createdApp = false;
+      const linked = getProjectConfig();
+      if (linked) {
+        const apps = await client.application.allByOrganization.query();
+        const existing = findApp3(apps, linked.applicationId) ?? findApp3(apps, linked.name);
+        if (existing) {
+          app = existing;
+          emitEvent({
+            event: "app_reused",
+            applicationId: app.applicationId,
+            name: app.name
+          });
+        }
+      }
+      if (!app) {
+        try {
+          emitEvent({ event: "app_create_started" });
+          app = await createAppFromCurrentDirectory(client, profile, {
+            name: options.name,
+            plan: options.plan,
+            region: options.region,
+            description: options.description
+          });
+          createdApp = true;
+          emitEvent({
+            event: "app_create_done",
+            applicationId: app.applicationId,
+            name: app.name,
+            plan: app.plan ?? options.plan ?? "free"
+          });
+        } catch (err) {
+          if (isEntitlementError(err)) {
+            const message = err instanceof Error ? err.message : "Plan upgrade required";
+            outputError("NEEDS_UPGRADE", message, {
+              suggestedPlan: inferSuggestedPlan(options.plan),
+              failedEntitlementKey: extractEntitlementKeyFromError(err),
+              hint: "Run `tarout billing upgrade <plan> --wait` to add slots, then retry `tarout init`."
+            });
+            exit(ExitCode.PERMISSION_DENIED);
           }
+          throw err;
+        }
+      }
+      if (!app) {
+        throw new AuthError();
+      }
+      if (createdApp) {
+        emitEvent({
+          event: "provision_started",
+          database: inspection.database,
+          storage: inspection.storage
+        });
+        await configureOptionalResources(
+          client,
+          profile,
+          app,
+          {
+            database: options.database,
+            databasePlan: options.databasePlan,
+            storage: options.storage,
+            storagePlan: options.storagePlan
+          },
+          inspection
         );
-        if (!confirmed) {
-          log("Cancelled.");
-          return;
+        emitEvent({ event: "provision_done" });
+      }
+      let envFile = null;
+      let envCount = 0;
+      if (options.envWrite !== false) {
+        try {
+          const variables = await client.envVariable.list.query({
+            applicationId: app.applicationId,
+            includeValues: true
+          });
+          const vars = envVarsToObject(variables);
+          envCount = Object.keys(vars).length;
+          if (envCount > 0) {
+            envFile = writeEnvFile(cwd, vars);
+            emitEvent({ event: "env_written", file: envFile, count: envCount });
+          }
+        } catch (err) {
+          emitEvent({
+            event: "env_write_skipped",
+            reason: err instanceof Error ? err.message : "unknown"
+          });
         }
       }
-      const client = getApiClient();
-      const _spinner = startSpinner("Clearing notifications...");
-      await client.appNotification.clearAll.mutate();
-      succeedSpinner("All notifications cleared.");
-      if (isJsonMode()) outputData({ cleared: true });
+      const url = formatAppUrl(app.appSubdomain);
+      if (isJsonMode()) {
+        outputJsonLine({
+          type: "result",
+          ok: true,
+          applicationId: app.applicationId,
+          name: app.name,
+          url,
+          envFile,
+          envCount,
+          nextSteps: ["tarout dev", "tarout deploy --wait"]
+        });
+        return;
+      }
+      box("Project initialized", [
+        `Application: ${colors.cyan(app.name)}`,
+        `ID: ${colors.dim(app.applicationId)}`,
+        ...envFile ? [`Env file: ${colors.dim(envFile)} (${envCount} vars)`] : []
+      ]);
+      log("Next steps:");
+      log(`  ${colors.dim("tarout dev")}            - Run locally with cloud env vars`);
+      log(`  ${colors.dim("tarout deploy --wait")}  - Ship to production`);
+      log("");
     } catch (err) {
-      failSpinner();
       handleError(err);
     }
   });
 }
+function emitEvent(payload) {
+  if (isJsonMode()) {
+    outputJsonLine({ type: "event", ...payload });
+  }
+}
 
 // src/commands/keys.ts
 function registerKeysCommands(program2) {
@@ -11485,8 +11565,8 @@ function registerKeysCommands(program2) {
         });
       }
       if (!publicKey && options.file) {
-        const { readFileSync: readFileSync4 } = await import("fs");
-        publicKey = readFileSync4(options.file, "utf-8").trim();
+        const { readFileSync: readFileSync5 } = await import("fs");
+        publicKey = readFileSync5(options.file, "utf-8").trim();
       }
       if (!publicKey) {
         log(
@@ -11686,7 +11766,7 @@ function formatDate8(date) {
 }
 
 // src/commands/link.ts
-import { basename as basename2 } from "path";
+import { basename as basename3 } from "path";
 function registerLinkCommands(program2) {
   program2.command("link").argument(
     "[app]",
@@ -11698,7 +11778,7 @@ function registerLinkCommands(program2) {
       if (!profile) throw new AuthError();
       const client = getApiClient();
       const cwd = process.cwd();
-      const dirName = basename2(cwd);
+      const dirName = basename3(cwd);
       if (isProjectLinked()) {
         const existingConfig = getProjectConfig();
         if (existingConfig && !shouldSkipConfirmation() && !options.yes) {
@@ -11879,7 +11959,7 @@ function registerLinkCommands(program2) {
               applicationId: config.applicationId,
               name: config.name,
               status: app.applicationStatus,
-              url: app.appSubdomain ? `https://${app.appSubdomain}` : null,
+              url: formatAppUrl(app.appSubdomain),
               linkedAt: config.linkedAt
             });
             return;
@@ -11891,7 +11971,7 @@ function registerLinkCommands(program2) {
           log(`ID: ${colors.dim(config.applicationId)}`);
           log(`Status: ${getStatusIndicator(app.applicationStatus)}`);
           if (app.appSubdomain) {
-            log(`URL: ${colors.cyan(`https://${app.appSubdomain}`)}`);
+            log(`URL: ${colors.cyan(formatAppUrl(app.appSubdomain) ?? "")}`);
           }
           log(`Linked: ${new Date(config.linkedAt).toLocaleString()}`);
           log("");
@@ -16394,294 +16474,76 @@ function registerSettingsCommands(program2) {
         log(
           `  Database: ${h.db ? colors.success("ok") : colors.error("error")}`
         );
-      if (h.redis !== void 0)
-        log(
-          `  Redis:    ${h.redis ? colors.success("ok") : colors.error("error")}`
-        );
-      if (h.version) log(`  Version:  ${colors.dim(h.version)}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  settings.command("is-cloud").description("Check if running in Tarout Cloud mode").action(async () => {
-    try {
-      const client = getApiClient();
-      const _spinner = startSpinner("Checking deployment mode...");
-      const data = await client.settings.isCloud.query();
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const isCloud = data?.isCloud ?? data;
-      log(
-        `Cloud mode: ${isCloud ? colors.success("yes") : colors.dim("no")}`
-      );
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  settings.command("subscription-status").description("Check current subscription status").action(async () => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const client = getApiClient();
-      const _spinner = startSpinner("Checking subscription...");
-      const data = await client.settings.isUserSubscribed.query();
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const sub = data;
-      log("");
-      log(colors.bold("Subscription Status"));
-      const isSubscribed = sub?.isSubscribed ?? sub;
-      log(
-        `  Subscribed: ${isSubscribed ? colors.success("yes") : colors.dim("no (free plan)")}`
-      );
-      if (sub?.planKey) log(`  Plan:       ${colors.cyan(sub.planKey)}`);
-      if (sub?.expiresAt)
-        log(`  Expires:    ${new Date(sub.expiresAt).toLocaleDateString()}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  settings.command("openapi").description("Output the OpenAPI specification document").action(async () => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching OpenAPI spec...");
-      const data = await client.settings.getOpenApiDocument.query();
-      succeedSpinner();
-      outputData(data);
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-}
-
-// src/commands/sms.ts
-function registerSmsCommands(program2) {
-  const sms = program2.command("sms").description("Manage SMS messaging configuration and logs");
-  sms.command("config").description("Show SMS configuration for an environment").option("-e, --env <environment-id>", "Environment ID").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching SMS config...");
-      const data = await client.sms.getConfig.query({ environmentId });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const c = data;
-      log("");
-      log(colors.bold("SMS Configuration"));
-      log(`  Provider:    ${c.provider || "-"}`);
-      log(`  From Number: ${c.fromNumber || "-"}`);
-      log(
-        `  Enabled:     ${c.isEnabled ? colors.success("yes") : colors.dim("no")}`
-      );
-      log(`  Env ID:      ${colors.dim(environmentId)}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  sms.command("setup").description("Create SMS configuration for an environment").option("-e, --env <environment-id>", "Environment ID").option("-p, --provider <provider>", "SMS provider (twilio, vonage, sinch)").option("--api-key <key>", "API key / Account SID").option("--api-secret <secret>", "API secret / Auth token").option("--from <number>", "From phone number").option("--enabled", "Enable SMS sending", true).action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const provider = options.provider || await select(
-          "SMS provider:",
-          [
-            { name: "Twilio", value: "twilio" },
-            { name: "Vonage", value: "vonage" },
-            { name: "Sinch", value: "sinch" }
-          ],
-          { field: "sms_provider", flag: "--provider" }
-        );
-        const apiKey = options.apiKey || await input("API Key / Account SID:", void 0, {
-          field: "api_key",
-          flag: "--api-key",
-          sensitive: true
-        });
-        const apiSecret = options.apiSecret || await input("API Secret / Auth Token:", void 0, {
-          field: "api_secret",
-          flag: "--api-secret",
-          sensitive: true
-        });
-        const fromNumber = options.from || await input(
-          "From phone number (e.g. +1234567890):",
-          void 0,
-          { field: "from_number", flag: "--from" }
-        );
-        const client = getApiClient();
-        const _spinner = startSpinner("Creating SMS config...");
-        const result = await client.sms.createConfig.mutate({
-          environmentId,
-          provider,
-          apiKey,
-          apiSecret,
-          fromNumber,
-          isEnabled: options.enabled ?? true
-        });
-        succeedSpinner("SMS configuration created.");
-        if (isJsonMode()) outputData(result);
-        else quietOutput(environmentId);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  sms.command("update").description("Update SMS configuration").option("-e, --env <environment-id>", "Environment ID").option("-p, --provider <provider>", "New provider").option("--api-key <key>", "New API key").option("--api-secret <secret>", "New API secret").option("--from <number>", "New from number").option("--enable", "Enable SMS").option("--disable", "Disable SMS").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const isEnabled = options.enable ? true : options.disable ? false : void 0;
-        const client = getApiClient();
-        const _spinner = startSpinner("Updating SMS config...");
-        await client.sms.updateConfig.mutate({
-          environmentId,
-          provider: options.provider,
-          apiKey: options.apiKey,
-          apiSecret: options.apiSecret,
-          fromNumber: options.from,
-          isEnabled
-        });
-        succeedSpinner("SMS configuration updated.");
-        if (isJsonMode()) outputData({ updated: true, environmentId });
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  sms.command("send").description("Send an SMS message").option("-e, --env <environment-id>", "Environment ID").option("--to <number>", "Recipient phone number").option("-m, --message <text>", "Message body").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const to = options.to || await input("Recipient phone number:", void 0, {
-          field: "recipient_phone",
-          flag: "--to"
-        });
-        const body = options.message || await input("Message:", void 0, {
-          field: "message_body",
-          flag: "--message"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Sending SMS...");
-        const result = await client.sms.send.mutate({
-          environmentId,
-          to,
-          body
-        });
-        succeedSpinner("SMS sent.");
-        if (isJsonMode()) outputData(result);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  sms.command("logs").description("View SMS message logs").option("-e, --env <environment-id>", "Environment ID").option("-n, --limit <n>", "Number of logs to show", "50").option("--status <status>", "Filter by status (sent, failed, pending)").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Fetching logs...");
-        const logs = await client.sms.getLogs.query({
-          environmentId,
-          status: options.status,
-          limit: Number.parseInt(options.limit || "50")
-        });
-        succeedSpinner();
-        if (isJsonMode()) {
-          outputData(logs);
-          return;
-        }
-        const list = Array.isArray(logs) ? logs : logs?.items || [];
-        if (list.length === 0) {
-          log("No SMS logs found.");
-          return;
-        }
-        log("");
-        table(
-          ["DATE", "TO", "STATUS", "MESSAGE"],
-          list.map((l) => [
-            l.createdAt ? new Date(l.createdAt).toLocaleString() : "-",
-            l.to || "-",
-            l.status === "sent" ? colors.success(l.status) : l.status === "failed" ? colors.error(l.status) : colors.warn(l.status || "-"),
-            (l.body || l.message || "-").slice(0, 50)
-          ])
-        );
-        log("");
-      } catch (err) {
-        failSpinner();
-        handleError(err);
+      if (h.redis !== void 0)
+        log(
+          `  Redis:    ${h.redis ? colors.success("ok") : colors.error("error")}`
+        );
+      if (h.version) log(`  Version:  ${colors.dim(h.version)}`);
+      log("");
+    } catch (err) {
+      failSpinner();
+      handleError(err);
+    }
+  });
+  settings.command("is-cloud").description("Check if running in Tarout Cloud mode").action(async () => {
+    try {
+      const client = getApiClient();
+      const _spinner = startSpinner("Checking deployment mode...");
+      const data = await client.settings.isCloud.query();
+      succeedSpinner();
+      if (isJsonMode()) {
+        outputData(data);
+        return;
       }
+      const isCloud = data?.isCloud ?? data;
+      log(
+        `Cloud mode: ${isCloud ? colors.success("yes") : colors.dim("no")}`
+      );
+    } catch (err) {
+      failSpinner();
+      handleError(err);
     }
-  );
-  sms.command("stats").description("Show SMS sending statistics").option("-e, --env <environment-id>", "Environment ID").option("--start <date>", "Start date (ISO format)").option("--end <date>", "End date (ISO format)").action(async (options) => {
+  });
+  settings.command("subscription-status").description("Check current subscription status").action(async () => {
     try {
       if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
       const client = getApiClient();
-      const _spinner = startSpinner("Fetching stats...");
-      const stats = await client.sms.getStats.query({
-        environmentId,
-        startDate: options.start,
-        endDate: options.end
-      });
+      const _spinner = startSpinner("Checking subscription...");
+      const data = await client.settings.isUserSubscribed.query();
       succeedSpinner();
       if (isJsonMode()) {
-        outputData(stats);
+        outputData(data);
         return;
       }
-      const s = stats;
+      const sub = data;
       log("");
-      log(colors.bold("SMS Statistics"));
-      log(`  Total Sent:   ${colors.cyan(String(s.total || s.sent || 0))}`);
-      log(`  Delivered:    ${colors.success(String(s.delivered || 0))}`);
-      log(`  Failed:       ${colors.error(String(s.failed || 0))}`);
-      log(`  Pending:      ${colors.warn(String(s.pending || 0))}`);
+      log(colors.bold("Subscription Status"));
+      const isSubscribed = sub?.isSubscribed ?? sub;
+      log(
+        `  Subscribed: ${isSubscribed ? colors.success("yes") : colors.dim("no (free plan)")}`
+      );
+      if (sub?.planKey) log(`  Plan:       ${colors.cyan(sub.planKey)}`);
+      if (sub?.expiresAt)
+        log(`  Expires:    ${new Date(sub.expiresAt).toLocaleDateString()}`);
       log("");
     } catch (err) {
       failSpinner();
       handleError(err);
     }
   });
+  settings.command("openapi").description("Output the OpenAPI specification document").action(async () => {
+    try {
+      if (!isLoggedIn()) throw new AuthError();
+      const client = getApiClient();
+      const _spinner = startSpinner("Fetching OpenAPI spec...");
+      const data = await client.settings.getOpenApiDocument.query();
+      succeedSpinner();
+      outputData(data);
+    } catch (err) {
+      failSpinner();
+      handleError(err);
+    }
+  });
 }
 
 // src/commands/storage.ts
@@ -17862,8 +17724,8 @@ function truncate3(str, max) {
 }
 
 // src/commands/up.ts
-import { resolve } from "path";
-var DEFAULT_REGION2 = "me-central2";
+import { resolve as resolve2 } from "path";
+var DEFAULT_REGION3 = "me-central2";
 function normalizeSource(value) {
   if (!value) return "upload";
   const v = value.trim().toLowerCase();
@@ -17892,7 +17754,19 @@ function registerUpCommand(program2) {
   ).option(
     "--api-url <url>",
     "Custom API URL (defaults to saved profile or https://tarout.sa)"
-  ).option("--token <token>", "API token for this run").option("--name <name>", "Application name (defaults to directory name)").option("--plan <plan>", "App hosting plan: free, shared, or dedicated", "free").option("--source <source>", "Source: upload (default) or github", "upload").option("--repo <owner/repo>", "GitHub repository (when --source github)").option("--branch <branch>", "GitHub branch (with --source github)", "main").option("-r, --region <region>", "Deployment region", DEFAULT_REGION2).option("--description <text>", "Description for the newly created app").option(
+  ).option("--token <token>", "API token for this run").option("--name <name>", "Application name (defaults to directory name)").option("--plan <plan>", "App hosting plan: free, shared, or dedicated", "free").option("--source <source>", "Source: upload (default) or github", "upload").option(
+    "--app <ref>",
+    "Deploy to an existing app by id or name (skips create-or-pick prompt; 'auto' picks the lone match)"
+  ).option("--repo <owner/repo>", "GitHub repository (when --source github)").option("--branch <branch>", "GitHub branch (with --source github)", "main").option("-r, --region <region>", "Deployment region", DEFAULT_REGION3).option(
+    "--database <type>",
+    "Provision and attach a database: none, postgres, or mysql (defaults to auto-detected)"
+  ).option("--database-plan <plan>", "Database plan (e.g. free, starter)").option("--storage", "Provision and attach file storage").option("--storage-plan <plan>", "Storage plan (e.g. free, starter)").option(
+    "--reuse-database <ref>",
+    "Reuse an existing database in this project: <id>, <name>, or 'auto'"
+  ).option(
+    "--reuse-storage <ref>",
+    "Reuse an existing storage bucket in this project: <id>, <name>, or 'auto'"
+  ).option("--description <text>", "Description for the newly created app").option(
     "--framework-preset <preset>",
     "Framework preset override (e.g. nextjs, vite, astro)"
   ).option("--root-directory <path>", "Project root directory inside the source").option("--install-command <cmd>", "Custom install command").option("--build-command <cmd>", "Custom build command").option(
@@ -17903,91 +17777,203 @@ function registerUpCommand(program2) {
     "Idempotency key for safe retries (Phase 2; logged only in v1)"
   ).action(async (cwdArg, options) => {
     try {
-      const cwd = cwdArg ? resolve(cwdArg) : process.cwd();
+      const cwd = cwdArg ? resolve2(cwdArg) : process.cwd();
       if (cwdArg) process.chdir(cwd);
       const source = normalizeSource(options.source);
       const idempotencyKey = options.idempotencyKey?.trim();
       if (idempotencyKey) {
-        emitEvent({
+        emitEvent2({
           event: "idempotency_key_received",
           idempotencyKey,
           note: "Phase 2 will use this to dedupe. Today it is logged only."
         });
       }
-      emitEvent({ event: "inspect_started", cwd });
+      emitEvent2({ event: "inspect_started", cwd });
       const inspection = inspectCurrentProject(cwd);
-      emitEvent({
+      emitEvent2({
         event: "inspect_done",
         database: inspection.database,
         storage: inspection.storage,
         git: inspection.git
       });
-      emitEvent({ event: "auth_check_started" });
+      emitEvent2({ event: "auth_check_started" });
       const profile = await ensureAuthenticatedForDeploy({
         apiUrl: options.apiUrl,
         token: options.token,
         region: options.region
       });
-      emitEvent({
+      emitEvent2({
         event: "auth_check_done",
         userEmail: profile.userEmail,
         organization: profile.organizationName
       });
       const client = getApiClient();
       let app;
-      try {
-        emitEvent({ event: "app_create_started" });
-        app = await createAppFromCurrentDirectory(client, profile, {
-          name: options.name,
-          plan: options.plan,
-          region: options.region,
-          description: options.description,
-          frameworkPreset: options.frameworkPreset,
-          rootDirectory: options.rootDirectory,
-          installCommand: options.installCommand,
-          buildCommand: options.buildCommand,
-          outputDirectory: options.outputDirectory,
-          startCommand: options.startCommand
+      let reused = false;
+      const linked = getProjectConfig();
+      let allApps;
+      const loadApps = async () => {
+        if (!allApps) {
+          allApps = await client.application.allByOrganization.query();
+        }
+        return allApps;
+      };
+      if (options.app) {
+        const apps = await loadApps();
+        const picked = resolveAppRef(apps, options.app);
+        app = picked;
+        reused = true;
+        setProjectConfig({
+          applicationId: picked.applicationId,
+          name: picked.name,
+          organizationId: profile.organizationId,
+          linkedAt: (/* @__PURE__ */ new Date()).toISOString()
         });
-        emitEvent({
-          event: "app_create_done",
-          applicationId: app.applicationId,
-          name: app.name,
-          plan: app.plan ?? options.plan ?? "free"
+        emitEvent2({
+          event: "app_reused",
+          applicationId: picked.applicationId,
+          name: picked.name,
+          via: "--app"
         });
-      } catch (err) {
-        if (isEntitlementError(err)) {
-          const message = err instanceof Error ? err.message : "Plan upgrade required";
-          if (isJsonMode() || shouldSkipConfirmation()) {
-            outputError("NEEDS_UPGRADE", message, {
-              suggestedPlan: inferSuggestedPlan(options.plan),
-              failedEntitlementKey: extractEntitlementKeyFromError(err),
-              hint: "Run `tarout billing upgrade <plan> --wait` to add slots, then retry `tarout up`."
-            });
-            exit(ExitCode.PERMISSION_DENIED);
-          }
+      } else if (linked) {
+        const apps = await loadApps();
+        const existing = findApp3(apps, linked.applicationId) ?? findApp3(apps, linked.name);
+        if (existing) {
+          app = existing;
+          reused = true;
+          emitEvent2({
+            event: "app_reused",
+            applicationId: app.applicationId,
+            name: app.name,
+            via: "linked"
+          });
+        }
+      }
+      if (!app && !isJsonMode() && !shouldSkipConfirmation()) {
+        const apps = await loadApps();
+        if (apps.length > 0) {
+          const createValue = "__create__";
           log("");
-          log(colors.warn(message));
-          const upgraded = await promptUpgradeFromEntitlementError(
-            client,
-            err,
-            options.plan
+          log(
+            `Found ${apps.length} existing app${apps.length === 1 ? "" : "s"} in this organization.`
           );
-          if (!upgraded) {
-            outputError("NEEDS_UPGRADE", message, {
-              suggestedPlan: inferSuggestedPlan(options.plan),
-              failedEntitlementKey: extractEntitlementKeyFromError(err),
-              hint: "Run `tarout billing upgrade <plan> --wait`, then retry `tarout up`."
+          const selected = await select(
+            "Deploy to an existing app or create a new one?",
+            [
+              {
+                name: `Create a new app${options.name ? ` named "${options.name}"` : ""}`,
+                value: createValue
+              },
+              ...apps.map((existing) => ({
+                name: `${existing.name} ${colors.dim(`(${existing.applicationId.slice(0, 8)})`)}`,
+                value: existing.applicationId
+              }))
+            ],
+            {
+              field: "deploy_target_app",
+              flag: "--app <id|name|auto>"
+            }
+          );
+          if (selected !== createValue) {
+            const picked = findApp3(apps, selected);
+            if (!picked) {
+              throw new NotFoundError("Application", selected);
+            }
+            app = picked;
+            reused = true;
+            setProjectConfig({
+              applicationId: picked.applicationId,
+              name: picked.name,
+              organizationId: profile.organizationId,
+              linkedAt: (/* @__PURE__ */ new Date()).toISOString()
+            });
+            emitEvent2({
+              event: "app_reused",
+              applicationId: picked.applicationId,
+              name: picked.name,
+              via: "interactive"
             });
-            exit(ExitCode.PERMISSION_DENIED);
           }
-          box("Upgrade complete", [
-            colors.success("Subscription updated."),
-            `Run ${colors.cyan("tarout up")} again to deploy on the new plan.`
-          ]);
-          return;
         }
-        throw err;
+      }
+      if (!reused) {
+        try {
+          emitEvent2({ event: "app_create_started" });
+          app = await createAppFromCurrentDirectory(client, profile, {
+            name: options.name,
+            plan: options.plan,
+            region: options.region,
+            description: options.description,
+            frameworkPreset: options.frameworkPreset,
+            rootDirectory: options.rootDirectory,
+            installCommand: options.installCommand,
+            buildCommand: options.buildCommand,
+            outputDirectory: options.outputDirectory,
+            startCommand: options.startCommand
+          });
+          emitEvent2({
+            event: "app_create_done",
+            applicationId: app.applicationId,
+            name: app.name,
+            plan: app.plan ?? options.plan ?? "free"
+          });
+        } catch (err) {
+          if (isEntitlementError(err)) {
+            const message = err instanceof Error ? err.message : "Plan upgrade required";
+            if (isJsonMode() || shouldSkipConfirmation()) {
+              outputError("NEEDS_UPGRADE", message, {
+                suggestedPlan: inferSuggestedPlan(options.plan),
+                failedEntitlementKey: extractEntitlementKeyFromError(err),
+                hint: "Run `tarout billing upgrade <plan> --wait` to add slots, then retry `tarout up`."
+              });
+              exit(ExitCode.PERMISSION_DENIED);
+            }
+            log("");
+            log(colors.warn(message));
+            const upgraded = await promptUpgradeFromEntitlementError(
+              client,
+              err,
+              options.plan
+            );
+            if (!upgraded) {
+              outputError("NEEDS_UPGRADE", message, {
+                suggestedPlan: inferSuggestedPlan(options.plan),
+                failedEntitlementKey: extractEntitlementKeyFromError(err),
+                hint: "Run `tarout billing upgrade <plan> --wait`, then retry `tarout up`."
+              });
+              exit(ExitCode.PERMISSION_DENIED);
+            }
+            box("Upgrade complete", [
+              colors.success("Subscription updated."),
+              `Run ${colors.cyan("tarout up")} again to deploy on the new plan.`
+            ]);
+            return;
+          }
+          throw err;
+        }
+        emitEvent2({
+          event: "provision_started",
+          database: inspection.database,
+          storage: inspection.storage
+        });
+        await configureOptionalResources(
+          client,
+          profile,
+          app,
+          {
+            database: options.database,
+            databasePlan: options.databasePlan,
+            storage: options.storage,
+            storagePlan: options.storagePlan,
+            reuseDatabase: options.reuseDatabase,
+            reuseStorage: options.reuseStorage
+          },
+          inspection
+        );
+        emitEvent2({ event: "provision_done" });
+      }
+      if (!app) {
+        throw new Error("Failed to resolve the target application.");
       }
       if (source === "github") {
         if (!options.repo) {
@@ -17996,7 +17982,7 @@ function registerUpCommand(program2) {
           );
         }
         const { owner, repository } = parseRepo(options.repo);
-        emitEvent({
+        emitEvent2({
           event: "github_connect_started",
           owner,
           repository,
@@ -18026,24 +18012,24 @@ function registerUpCommand(program2) {
           watchPaths: null,
           enableSubmodules: false
         });
-        emitEvent({
+        emitEvent2({
           event: "github_connect_done",
           repository: `${owner}/${repository}`
         });
       } else {
-        emitEvent({ event: "upload_started" });
+        emitEvent2({ event: "upload_started" });
         await uploadCurrentDirectorySource(
           client,
           app.applicationId,
           app.name
         );
-        emitEvent({ event: "upload_done" });
+        emitEvent2({ event: "upload_done" });
       }
-      emitEvent({ event: "deploy_started", applicationId: app.applicationId });
+      emitEvent2({ event: "deploy_started", applicationId: app.applicationId });
       const result = await client.application.deployToCloud.mutate({
         applicationId: app.applicationId
       });
-      emitEvent({
+      emitEvent2({
         event: "deploy_enqueued",
         deploymentId: result.deploymentId
       });
@@ -18068,11 +18054,41 @@ function registerUpCommand(program2) {
     }
   });
 }
-function emitEvent(payload) {
+function emitEvent2(payload) {
   if (isJsonMode()) {
     outputJsonLine({ type: "event", ...payload });
   }
 }
+function resolveAppRef(apps, ref) {
+  const normalized = ref.trim();
+  if (normalized.toLowerCase() === "auto") {
+    if (apps.length === 0) {
+      throw new InvalidArgumentError(
+        "--app=auto: no existing apps in this organization. Drop --app to create a new one."
+      );
+    }
+    if (apps.length > 1) {
+      const sample = apps.slice(0, 5).map((a) => `${a.name} (${a.applicationId.slice(0, 8)})`).join(", ");
+      throw new InvalidArgumentError(
+        `--app=auto needs exactly one match, found ${apps.length}. Candidates: ${sample}. Pick one by id or name.`
+      );
+    }
+    return apps[0];
+  }
+  const match = findApp3(apps, normalized);
+  if (match) return match;
+  const suggestions = findSimilar(
+    normalized,
+    apps.flatMap((a) => [a.name, a.applicationId])
+  );
+  throw new NotFoundError(
+    "Application",
+    normalized,
+    suggestions.length > 0 ? suggestions : apps.length > 0 ? apps.slice(0, 5).map((a) => `${a.name} (${a.applicationId.slice(0, 8)})`) : [
+      "No apps exist in this organization yet. Drop --app to create a new one."
+    ]
+  );
+}
 
 // src/commands/wallet.ts
 function registerWalletCommands(program2) {
@@ -18245,214 +18261,6 @@ function truncate4(str, max) {
   return `${str.slice(0, max - 3)}...`;
 }
 
-// src/commands/whatsapp.ts
-function registerWhatsappCommands(program2) {
-  const wa = program2.command("whatsapp").description("Manage WhatsApp messaging configuration and logs");
-  wa.command("config").description("Show WhatsApp configuration for an environment").option("-e, --env <environment-id>", "Environment ID").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching WhatsApp config...");
-      const data = await client.whatsapp.getConfig.query({ environmentId });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(data);
-        return;
-      }
-      const c = data;
-      log("");
-      log(colors.bold("WhatsApp Configuration"));
-      log(`  Provider:  ${c.provider || "-"}`);
-      log(`  Number:    ${c.whatsappNumber || "-"}`);
-      log(
-        `  Enabled:   ${c.isEnabled ? colors.success("yes") : colors.dim("no")}`
-      );
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-  wa.command("setup").description("Create WhatsApp configuration").option("-e, --env <environment-id>", "Environment ID").option("-p, --provider <provider>", "Provider (twilio, meta)").option("--api-key <key>", "API key / token").option("--number <number>", "WhatsApp business number").option("--enabled", "Enable WhatsApp", true).action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const provider = options.provider || await select(
-          "WhatsApp provider:",
-          [
-            { name: "Meta (official)", value: "meta" },
-            { name: "Twilio", value: "twilio" }
-          ],
-          { field: "whatsapp_provider", flag: "--provider" }
-        );
-        const apiKey = options.apiKey || await input("API Key / Token:", void 0, {
-          field: "api_key",
-          flag: "--api-key",
-          sensitive: true
-        });
-        const whatsappNumber = options.number || await input(
-          "WhatsApp business number (e.g. +1234567890):",
-          void 0,
-          { field: "whatsapp_number", flag: "--number" }
-        );
-        const client = getApiClient();
-        const _spinner = startSpinner("Creating WhatsApp config...");
-        const result = await client.whatsapp.createConfig.mutate({
-          environmentId,
-          provider,
-          apiKey,
-          whatsappNumber,
-          isEnabled: options.enabled ?? true
-        });
-        succeedSpinner("WhatsApp configuration created.");
-        if (isJsonMode()) outputData(result);
-        else quietOutput(environmentId);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  wa.command("update").description("Update WhatsApp configuration").option("-e, --env <environment-id>", "Environment ID").option("-p, --provider <provider>", "New provider").option("--api-key <key>", "New API key").option("--number <number>", "New WhatsApp number").option("--enable", "Enable WhatsApp").option("--disable", "Disable WhatsApp").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const isEnabled = options.enable ? true : options.disable ? false : void 0;
-        const client = getApiClient();
-        const _spinner = startSpinner("Updating WhatsApp config...");
-        await client.whatsapp.updateConfig.mutate({
-          environmentId,
-          provider: options.provider,
-          apiKey: options.apiKey,
-          whatsappNumber: options.number,
-          isEnabled
-        });
-        succeedSpinner("WhatsApp configuration updated.");
-        if (isJsonMode()) outputData({ updated: true, environmentId });
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  wa.command("send").description("Send a WhatsApp message").option("-e, --env <environment-id>", "Environment ID").option("--to <number>", "Recipient phone number").option("-m, --message <text>", "Message body").option("--template <name>", "Template name").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const to = options.to || await input("Recipient phone number:", void 0, {
-          field: "recipient_phone",
-          flag: "--to"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Sending WhatsApp message...");
-        const result = await client.whatsapp.send.mutate({
-          environmentId,
-          to,
-          body: options.message,
-          templateName: options.template,
-          messageType: options.template ? "template" : "text"
-        });
-        succeedSpinner("Message sent.");
-        if (isJsonMode()) outputData(result);
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  wa.command("logs").description("View WhatsApp message logs").option("-e, --env <environment-id>", "Environment ID").option("-n, --limit <n>", "Number of logs to show", "50").option("--status <status>", "Filter by status").action(
-    async (options) => {
-      try {
-        if (!isLoggedIn()) throw new AuthError();
-        const environmentId = options.env || await input("Environment ID:", void 0, {
-          field: "environment_id",
-          flag: "--env"
-        });
-        const client = getApiClient();
-        const _spinner = startSpinner("Fetching logs...");
-        const logs = await client.whatsapp.getLogs.query({
-          environmentId,
-          status: options.status,
-          limit: Number.parseInt(options.limit || "50")
-        });
-        succeedSpinner();
-        if (isJsonMode()) {
-          outputData(logs);
-          return;
-        }
-        const list = Array.isArray(logs) ? logs : logs?.items || [];
-        if (list.length === 0) {
-          log("No WhatsApp logs found.");
-          return;
-        }
-        log("");
-        table(
-          ["DATE", "TO", "TYPE", "STATUS", "MESSAGE"],
-          list.map((l) => [
-            l.createdAt ? new Date(l.createdAt).toLocaleString() : "-",
-            l.to || "-",
-            l.messageType || "text",
-            l.status === "sent" ? colors.success(l.status) : l.status === "failed" ? colors.error(l.status) : colors.warn(l.status || "-"),
-            (l.body || l.message || "-").slice(0, 40)
-          ])
-        );
-        log("");
-      } catch (err) {
-        failSpinner();
-        handleError(err);
-      }
-    }
-  );
-  wa.command("stats").description("Show WhatsApp messaging statistics").option("-e, --env <environment-id>", "Environment ID").option("--start <date>", "Start date (ISO)").option("--end <date>", "End date (ISO)").action(async (options) => {
-    try {
-      if (!isLoggedIn()) throw new AuthError();
-      const environmentId = options.env || await input("Environment ID:", void 0, {
-        field: "environment_id",
-        flag: "--env"
-      });
-      const client = getApiClient();
-      const _spinner = startSpinner("Fetching stats...");
-      const stats = await client.whatsapp.getStats.query({
-        environmentId,
-        startDate: options.start,
-        endDate: options.end
-      });
-      succeedSpinner();
-      if (isJsonMode()) {
-        outputData(stats);
-        return;
-      }
-      const s = stats;
-      log("");
-      log(colors.bold("WhatsApp Statistics"));
-      log(`  Total Sent: ${colors.cyan(String(s.total || s.sent || 0))}`);
-      log(`  Delivered:  ${colors.success(String(s.delivered || 0))}`);
-      log(`  Failed:     ${colors.error(String(s.failed || 0))}`);
-      log(`  Read:       ${colors.dim(String(s.read || 0))}`);
-      log("");
-    } catch (err) {
-      failSpinner();
-      handleError(err);
-    }
-  });
-}
-
 // src/index.ts
 var program = new Command();
 program.name("tarout").description("Tarout PaaS Command Line Interface").version(package_default.version).option("--json", "Output as JSON (machine-readable)").option("-y, --yes", "Skip all confirmation prompts").option(
@@ -18472,6 +18280,7 @@ program.name("tarout").description("Tarout PaaS Command Line Interface").version
 registerAuthCommands(program);
 registerAppsCommands(program);
 registerDeployCommands(program);
+registerInitCommand(program);
 registerUpCommand(program);
 registerLogsCommand(program);
 registerEnvCommands(program);
@@ -18496,14 +18305,12 @@ registerBackupsCommands(program);
 registerAccountCommands(program);
 registerDashboardCommands(program);
 registerDestinationsCommands(program);
-registerEmailCommands(program);
 registerInboxCommands(program);
 registerProvidersCommands(program);
 registerSettingsCommands(program);
-registerSmsCommands(program);
-registerWhatsappCommands(program);
 registerFirewallCommands(program);
 registerQueuesCommands(program);
+registerCallCommand(program);
 var argErrorPatterns = [
   /invalid/i,
   /missing required/i,