@tokenbuddy/tb-admin 1.0.35 → 1.0.37

package/src/cli.ts

@@ -1,1614 +0,0 @@
-import { Command } from "commander";
-import { ConfigManager } from "./config.js";
-import { AdminClient } from "./client.js";
-import { FlyProvider } from "./server-cmd.js";
-import { SellerCommandRunner } from "./seller.js";
-import { bindAdminUiCommand } from "./ui-command.js";
-import {
-  loadRegistryFile,
-  SellerRegistryDocument,
-  validateRegistryDocument
-} from "./bootstrap-registry.js";
-import Table from "cli-table3";
-import * as fs from "fs";
-import * as path from "path";
-import { fileURLToPath } from "url";
-import YAML from "js-yaml";
-
-interface BootstrapConfigDocument {
-  bind?: {
-    host?: string;
-    port?: number;
-  };
-  clawtip: {
-    payTo: string;
-    sm4KeyBase64: string;
-    skillSlug: string;
-    skillId: string;
-    description: string;
-    resourceUrl: string;
-    activationFeeFen: number;
-    microsPerFen: number;
-  };
-  sellerRegistryPath: string;
-  allowLocalSellerUrls?: boolean;
-}
-
-type SellerConfigDocument = Record<string, any>;
-
-function currentModuleDir(): string {
-  if (typeof __dirname !== "undefined") {
-    return __dirname;
-  }
-
-  const stack = new Error().stack || "";
-  const fileUrlMatch = stack.match(/(file:\/\/\/[^)\n]+\/cli\.js):\d+:\d+/);
-  if (fileUrlMatch) {
-    return path.dirname(fileURLToPath(fileUrlMatch[1]));
-  }
-
-  const filePathMatch = stack.match(/(\/[^)\n]+\/cli\.(?:js|ts)):\d+:\d+/);
-  if (filePathMatch) {
-    return path.dirname(filePathMatch[1]);
-  }
-
-  return process.cwd();
-}
-
-function readAdminPackageVersion(): string {
-  let current = path.resolve(currentModuleDir(), "..");
-  const seen = new Set<string>();
-  while (!seen.has(current)) {
-    seen.add(current);
-    const packageJsonPath = path.join(current, "package.json");
-    if (fs.existsSync(packageJsonPath)) {
-      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8")) as { version?: unknown };
-      if (typeof packageJson.version === "string" && packageJson.version.length > 0) {
-        return packageJson.version;
-      }
-    }
-    const parent = path.dirname(current);
-    if (parent === current) break;
-    current = parent;
-  }
-  return "0.0.0";
-}
-
-function requireString(value: unknown, field: string): string {
-  const normalized = String(value || "").trim();
-  if (!normalized) {
-    throw new Error(`${field} is required`);
-  }
-  return normalized;
-}
-
-function positiveInteger(value: unknown, field: string): number {
-  const raw = Number(value);
-  if (!Number.isInteger(raw) || raw < 1) {
-    throw new Error(`${field} must be >= 1`);
-  }
-  return raw;
-}
-
-function validateBootstrapConfigDocument(input: any): BootstrapConfigDocument {
-  if (!input || typeof input !== "object") {
-    throw new Error("bootstrap config document is required");
-  }
-  if (!input.clawtip || typeof input.clawtip !== "object") {
-    throw new Error("clawtip config is required");
-  }
-  return {
-    bind: {
-      host: requireString(input.bind?.host || "0.0.0.0", "bind.host"),
-      port: positiveInteger(input.bind?.port || 8080, "bind.port")
-    },
-    clawtip: {
-      payTo: requireString(input.clawtip.payTo, "pay_to"),
-      sm4KeyBase64: requireString(input.clawtip.sm4KeyBase64, "sm4_key_base64"),
-      skillSlug: requireString(input.clawtip.skillSlug, "skill_slug"),
-      skillId: requireString(input.clawtip.skillId, "skill_id"),
-      description: requireString(input.clawtip.description, "description"),
-      resourceUrl: requireString(input.clawtip.resourceUrl, "resource_url"),
-      activationFeeFen: positiveInteger(input.clawtip.activationFeeFen, "activation_fee_fen"),
-      microsPerFen: positiveInteger(input.clawtip.microsPerFen, "micros_per_fen")
-    },
-    sellerRegistryPath: requireString(input.sellerRegistryPath, "seller_registry_path"),
-    allowLocalSellerUrls: Boolean(input.allowLocalSellerUrls)
-  };
-}
-
-function loadBootstrapConfigFile(filePath: string): BootstrapConfigDocument {
-  const content = fs.readFileSync(filePath, "utf8");
-  const parsed = YAML.load(content);
-  return validateBootstrapConfigDocument(parsed);
-}
-
-function validateSellerConfigDocument(input: any): SellerConfigDocument {
-  if (!input || typeof input !== "object" || Array.isArray(input)) {
-    throw new Error("seller config document is required");
-  }
-  requireString(input.upstreamUrl, "upstreamUrl");
-  if (input.clawtip !== undefined && input.clawtip !== null) {
-    requireString(input.clawtip.payTo, "clawtip.payTo");
-    requireString(input.clawtip.sm4KeyBase64, "clawtip.sm4KeyBase64");
-    requireString(input.clawtip.skillSlug, "clawtip.skillSlug");
-    requireString(input.clawtip.skillId, "clawtip.skillId");
-    requireString(input.clawtip.description, "clawtip.description");
-    requireString(input.clawtip.resourceUrl, "clawtip.resourceUrl");
-    positiveInteger(input.clawtip.activationFeeFen ?? 1, "clawtip.activationFeeFen");
-    positiveInteger(input.clawtip.microsPerFen ?? 10000, "clawtip.microsPerFen");
-  }
-  return input;
-}
-
-function loadSellerConfigFile(filePath: string): SellerConfigDocument {
-  const content = fs.readFileSync(filePath, "utf8");
-  const parsed = YAML.load(content);
-  return validateSellerConfigDocument(parsed);
-}
-
-function sellerConfigUpdateSummary(response: any, document: SellerConfigDocument): string {
-  const updated = response.config || document;
-  return `path=${response.configPath || "memory"} upstream=${updated.upstreamUrl} allowMock=${Boolean(updated.allowMock)} clawtip=${updated.clawtip ? "configured" : "disabled"}`;
-}
-
-function collectOption(value: string, previous: string[]): string[] {
-  previous.push(value);
-  return previous;
-}
-
-function optionalNumber(value: unknown, field: string): number | undefined {
-  if (value === undefined || value === null || value === "") {
-    return undefined;
-  }
-  const parsed = Number(value);
-  if (!Number.isFinite(parsed)) {
-    throw new Error(`${field} must be a number`);
-  }
-  return parsed;
-}
-
-function parseModelAliases(values: string[] | undefined): Record<string, string> {
-  const aliases: Record<string, string> = {};
-  for (const value of values || []) {
-    const index = value.indexOf("=");
-    if (index <= 0 || index === value.length - 1) {
-      throw new Error(`model alias must use alias=target format: ${value}`);
-    }
-    aliases[value.slice(0, index)] = value.slice(index + 1);
-  }
-  return aliases;
-}
-
-function loadYamlOrJsonFile(filePath: string): any {
-  return YAML.load(fs.readFileSync(filePath, "utf8"));
-}
-
-function loadSellerRegistryEntryFile(filePath: string): any {
-  const parsed = loadYamlOrJsonFile(filePath);
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error("seller registry entry document is required");
-  }
-  validateRegistryDocument({ version: 1, sellers: [parsed as any] });
-  return parsed;
-}
-
-function loadSellerRegistryPatchFile(filePath: string): any {
-  const parsed = loadYamlOrJsonFile(filePath);
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error("seller registry patch document is required");
-  }
-  if ("id" in parsed) {
-    throw new Error("seller registry patch must not include id");
-  }
-  return parsed;
-}
-
-function withExpectedVersion(body: Record<string, any>, expectedVersion: unknown): Record<string, any> {
-  if (expectedVersion === undefined) {
-    return body;
-  }
-  const version = Number(expectedVersion);
-  // Step 14 (v1.1): version 0 means empty db. CLI 跟 server 一起接受 0.
-  if (!Number.isInteger(version) || version < 0) {
-    throw new Error("expected version must be >= 0");
-  }
-  return { ...body, expectedVersion: version };
-}
-
-function requireUpstreamModels(data: any): any[] {
-  if (Array.isArray(data?.models)) {
-    return data.models;
-  }
-  if (Array.isArray(data?.upstreams)) {
-    const firstWithModels = data.upstreams.find((entry: any) => Array.isArray(entry?.models));
-    if (firstWithModels) {
-      return firstWithModels.models;
-    }
-  }
-  throw new Error("operator upstream summary must contain models array");
-}
-
-/**
- * 构造 admin commander program，绑定所有 `tb-admin` 子命令（profile / registry / seller / config / backup 等）。
- * 顶层选项支持 `--url` / `--token` / `--profile` / `--config`，与 `ConfigManager` 协同解析。
- *
- * @param configManager 配置管理器
- * @returns 配置完整的 commander Command 实例
- */
-export function buildAdminCli(configManager: ConfigManager): Command {
-  const program = new Command();
-  program
-    .name("tb-admin")
-    .description("Remote admin CLI for TokenBuddy seller apps")
-    .version(readAdminPackageVersion())
-    .option("--url <url>", "Remote seller core API url")
-    .option("--token <token>", "Operator Bearer token")
-    .option("--profile <profile>", "Use custom profile instead of default")
-    .option("--config <path>", "Use custom config file path");
-
-  bindAdminUiCommand(program, configManager);
-
-  // Helper to resolve client
-  function getClient(): AdminClient {
-    const opts = program.opts();
-    const configPath = opts.config;
-    const mgr = configPath ? new ConfigManager(configPath) : configManager;
-
-    const url = opts.url || process.env.TOKENBUDDY_ADMIN_URL;
-    const token = opts.token || process.env.TOKENBUDDY_ADMIN_TOKEN;
-    const profileName = opts.profile || process.env.TOKENBUDDY_ADMIN_PROFILE;
-
-    if (url && token) {
-      return new AdminClient(url, token);
-    }
-
-    const activeProfile = mgr.getProfile(profileName);
-    if (!activeProfile) {
-      throw new Error(
-        "No active profile found. Provide --url and --token, or set TOKENBUDDY_ADMIN_URL, or register config profiles."
-      );
-    }
-    return new AdminClient(activeProfile.url, activeProfile.token);
-  }
-
-  function getBaseUrl(): string {
-    const opts = program.opts();
-    const configPath = opts.config;
-    const mgr = configPath ? new ConfigManager(configPath) : configManager;
-
-    const url = opts.url || process.env.TOKENBUDDY_ADMIN_URL;
-    const profileName = opts.profile || process.env.TOKENBUDDY_ADMIN_PROFILE;
-    if (url) {
-      return url.replace(/\/+$/, "");
-    }
-
-    const activeProfile = mgr.getProfile(profileName);
-    if (!activeProfile) {
-      throw new Error("No active profile found. Provide --url, set TOKENBUDDY_ADMIN_URL, or register config profiles.");
-    }
-    return activeProfile.url.replace(/\/+$/, "");
-  }
-
-  async function publicGet(path: string): Promise<any> {
-    const response = await fetch(`${getBaseUrl()}${path}`);
-    if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`HTTP Error ${response.status}: ${errorText || response.statusText}`);
-    }
-    const text = await response.text();
-    return text ? JSON.parse(text) : {};
-  }
-
-  async function getSellerConfig(client: AdminClient): Promise<SellerConfigDocument> {
-    const data = await client.get("/operator/admin/config");
-    return validateSellerConfigDocument(data.config || data);
-  }
-
-  async function putSellerConfig(client: AdminClient, document: SellerConfigDocument): Promise<any> {
-    validateSellerConfigDocument(document);
-    return client.put("/operator/admin/config", { config: document });
-  }
-
-  // 1. Status Command
-  program
-    .command("status")
-    .description("Show status of the seller server")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/status");
-        console.log("=== Seller Server Operator Status ===");
-        console.log(JSON.stringify(data, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  // 2. Service Command
-  program
-    .command("service")
-    .description("Show admin service info")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/admin/service");
-        console.log("=== Seller Service Info ===");
-        console.log(JSON.stringify(data, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  // 3. Payments Group
-  const payments = program.command("payments").description("Manage payment methods");
-  
-  payments
-    .command("list")
-    .description("List payment methods")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/admin/payments");
-        console.log("=== Configured Payments ===");
-        console.log(JSON.stringify(data, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  payments
-    .command("set-clawtip")
-    .description("Configure ClawTip payment parameters")
-    .requiredOption("--pay-to <pay_to>", "Pay target account")
-    .requiredOption("--sm4-key-base64 <key>", "JD SM4 key encoded in base64")
-    .requiredOption("--skill-slug <slug>", "Skill Slug")
-    .requiredOption("--skill-id <id>", "Skill ID")
-    .requiredOption("--description <desc>", "Order description")
-    .requiredOption("--resource-url <url>", "Resource verification url")
-    .option("--micros-per-fen <micros>", "Micros per Fen exchange ratio", "10000")
-    .action(async (options) => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.clawtip = {
-          payTo: options.payTo,
-          sm4KeyBase64: options.sm4KeyBase64,
-          skillSlug: options.skillSlug,
-          skillId: options.skillId,
-          description: options.description,
-          resourceUrl: options.resourceUrl,
-          activationFeeFen: 1,
-          microsPerFen: parseInt(options.microsPerFen, 10)
-        };
-        const data = await putSellerConfig(client, document);
-        console.log(`ClawTip parameters successfully set: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  payments
-    .command("clear-clawtip")
-    .description("Disable ClawTip payment parameters")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        delete document.clawtip;
-        const data = await putSellerConfig(client, document);
-        console.log(`ClawTip parameters cleared: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  payments
-    .command("enable-mock")
-    .description("Enable internal mock payment for developers")
-    .option("--internal", "Only enable internal mock purchase/complete; do not advertise mock publicly")
-    .action(async (options) => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.allowMock = true;
-        if (options.internal) {
-          document.publicMockPayments = false;
-        }
-        const data = await putSellerConfig(client, document);
-        console.log(`Internal mock payment enabled: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  payments
-    .command("advertise-mock")
-    .description("Advertise mock payment in the public seller manifest")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.allowMock = true;
-        document.publicMockPayments = true;
-        const data = await putSellerConfig(client, document);
-        console.log(`Public mock payment advertised: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  payments
-    .command("hide-mock")
-    .description("Stop advertising mock payment publicly while preserving internal mock config")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.publicMockPayments = false;
-        const data = await putSellerConfig(client, document);
-        console.log(`Public mock payment hidden: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  payments
-    .command("disable-mock")
-    .description("Disable mock payment")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.allowMock = false;
-        document.publicMockPayments = false;
-        const data = await putSellerConfig(client, document);
-        console.log(`Mock payment disabled: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  // 4. Models Command
-  program
-    .command("models")
-    .description("List available upstream models")
-    .option("--json", "Print current upstream model summary as JSON")
-    .action(async (options) => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/admin/upstreams");
-        const models = requireUpstreamModels(data);
-        if (options.json) {
-          console.log(JSON.stringify({ models }, null, 2));
-          return;
-        }
-        const table = new Table({ head: ["Model ID", "Input Price/1M", "Output Price/1M", "Streaming"] });
-        
-        for (const model of models) {
-          table.push([
-            model.id,
-            `${model.inputPriceMicrosPer1m ?? "unknown"} micros`,
-            `${model.outputPriceMicrosPer1m ?? "unknown"} micros`,
-            model.streaming ? "Yes" : "No"
-          ]);
-        }
-        console.log("=== Upstream Model Configurations ===");
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  const upstreams = program.command("upstreams").description("Manage seller upstream config through full seller config updates");
-
-  upstreams
-    .command("get")
-    .description("Fetch seller upstream config summary")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/admin/upstreams");
-        console.log(JSON.stringify(data, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  upstreams
-    .command("update")
-    .description("Update upstream fields by fetching and pushing the full seller config")
-    .option("--upstream-url <url>", "Upstream base URL")
-    .option("--api-key <key>", "Upstream API key")
-    .option("--chat-completions <state>", "chatCompletions probe policy (unsupported disables probing; support is detected by seller)")
-    .option("--responses <state>", "responses probe policy (unsupported disables probing; support is detected by seller)")
-    .option("--messages <state>", "messages probe policy (unsupported disables probing; support is detected by seller)")
-    .option("--markup-ratio <ratio>", "Markup ratio")
-    .option("--discount-ratio <ratio>", "Discount ratio")
-    .option("--models-file <path>", "YAML/JSON file containing an array of model configs")
-    .option("--clear-aliases", "Clear model aliases before applying --model-alias")
-    .option("--model-alias <alias=target>", "Add or update model alias", collectOption, [])
-    .option("--no-refresh", "Skip auto-refresh of upstream model catalog (default: refresh when --upstream-url or --api-key changes)")
-    .action(async (options) => {
-      try {
-        const client = getClient();
-
-        // If upstream URL or key changes, refresh the model catalog from
-        // the new upstream before pushing config. Without this, the seller
-        // would keep the old model's list (e.g. Claude names) even after
-        // switching to a different upstream (e.g. MiniMax) — every
-        // subsequent inference call would 400/404 upstream-side.
-        // Skipped if --models-file is provided (user has explicit list) or
-        // if --no-refresh is passed.
-        const upstreamChanged = Boolean(options.upstreamUrl) || options.apiKey !== undefined;
-        if (upstreamChanged && !options.modelsFile && !options.noRefresh) {
-          console.log("Auto-refreshing upstream model catalog (upstream URL or key changed)...");
-          const refreshResp = await client.post("/operator/admin/upstreams/refresh", { autoModels: true });
-          console.log(`  refreshed: ${refreshResp.refreshedModels ?? 0} models from upstream`);
-        }
-
-        const document = await getSellerConfig(client);
-
-        if (options.upstreamUrl) {
-          document.upstreamUrl = options.upstreamUrl;
-        }
-        if (options.apiKey !== undefined) {
-          document.upstreamApiKey = options.apiKey;
-        }
-        const capabilities = {
-          ...(document.upstreamCapabilities || {})
-        };
-        if (options.chatCompletions) {
-          capabilities.chatCompletions = options.chatCompletions;
-        }
-        if (options.responses) {
-          capabilities.responses = options.responses;
-        }
-        if (options.messages) {
-          capabilities.messages = options.messages;
-        }
-        if (Object.keys(capabilities).length > 0) {
-          document.upstreamCapabilities = capabilities;
-        }
-        const markupRatio = optionalNumber(options.markupRatio, "markupRatio");
-        if (markupRatio !== undefined) {
-          document.markupRatio = markupRatio;
-        }
-        const discountRatio = optionalNumber(options.discountRatio, "discountRatio");
-        if (discountRatio !== undefined) {
-          document.discountRatio = discountRatio;
-        }
-        if (options.modelsFile) {
-          const models = loadYamlOrJsonFile(options.modelsFile);
-          if (!Array.isArray(models)) {
-            throw new Error("models file must contain a YAML/JSON array");
-          }
-          document.models = models;
-        }
-        if (options.clearAliases) {
-          document.modelAliases = {};
-        }
-        const aliases = parseModelAliases(options.modelAlias);
-        if (Object.keys(aliases).length > 0) {
-          document.modelAliases = {
-            ...(document.modelAliases || {}),
-            ...aliases
-          };
-        }
-
-        const response = await putSellerConfig(client, document);
-        const updated = response.config || document;
-        console.log(`Updated upstream config: path=${response.configPath || "memory"} upstream=${updated.upstreamUrl} models=${Array.isArray(updated.models) ? updated.models.length : 0}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  upstreams
-    .command("refresh")
-    .description("Ask seller to refresh its transient upstream model catalog")
-    .option("--auto-models", "Replace configured models from refreshed OpenRouter catalog")
-    .action(async (options) => {
-      try {
-        const client = getClient();
-        const response = await client.post("/operator/admin/upstreams/refresh", { autoModels: Boolean(options.autoModels) });
-        console.log(`Refreshed upstream catalog: path=${response.configPath || "memory"} models=${response.refreshedModels} autoModels=${Boolean(response.autoModels)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  const pricingMonitor = program.command("pricing-monitor").description("Manage seller pricing drift monitor");
-
-  pricingMonitor
-    .command("status")
-    .description("Show whether seller pricing drift monitor is enabled")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        console.log(`Pricing drift monitor: ${document.pricingDriftMonitorEnabled === true ? "enabled" : "disabled"}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  pricingMonitor
-    .command("enable")
-    .description("Enable seller pricing drift monitor")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.pricingDriftMonitorEnabled = true;
-        const data = await putSellerConfig(client, document);
-        console.log(`Pricing drift monitor enabled: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  pricingMonitor
-    .command("disable")
-    .description("Disable seller pricing drift monitor")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        document.pricingDriftMonitorEnabled = false;
-        const data = await putSellerConfig(client, document);
-        console.log(`Pricing drift monitor disabled: ${sellerConfigUpdateSummary(data, document)}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  // 5. Seller Runtime Config Command
-  const sellerConfig = program.command("seller-config").description("Manage seller runtime YAML config");
-
-  sellerConfig
-    .command("get")
-    .description("Fetch seller runtime config")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const document = await getSellerConfig(client);
-        console.log(YAML.dump(document, { lineWidth: 120, noRefs: true, sortKeys: false }));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerConfig
-    .command("put")
-    .description("Update seller runtime config from YAML")
-    .requiredOption("--file <path>", "Seller runtime YAML config file")
-    .action(async (options) => {
-      try {
-        const document = loadSellerConfigFile(options.file);
-        const client = getClient();
-        const response = await putSellerConfig(client, document);
-        console.log(`Updated seller config: path=${response.configPath || "memory"} upstream=${response.config?.upstreamUrl || document.upstreamUrl}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerConfig
-    .command("validate")
-    .description("Validate seller runtime YAML config")
-    .requiredOption("--file <path>", "Seller runtime YAML config file")
-    .action((options) => {
-      try {
-        const document = loadSellerConfigFile(options.file);
-        console.log(`Seller config valid: upstream=${document.upstreamUrl} models=${Array.isArray(document.models) ? document.models.length : 0}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  // 5. Billing Command
-  const billing = program.command("billing").description("Query payment and inference billing records");
-  
-  billing
-    .command("purchases")
-    .description("List all remote token purchase / payment transactions")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/admin/purchases");
-        const table = new Table({ head: ["Purchase ID", "Provider", "Amount", "State", "Date"] });
-        
-        for (const p of data.purchases || []) {
-          table.push([
-            p.purchase_id,
-            p.payment_provider,
-            `${p.amount_micros} micros`,
-            p.state,
-            p.created_at
-          ]);
-        }
-        console.log("=== Remote Token Purchase / Payment History ===");
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  billing
-    .command("requests")
-    .description("List all remote inference usage consumption logs")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/admin/requests");
-        const table = new Table({ head: ["Request ID", "Model", "State", "Reserved", "Settled", "Tokens (I/O)", "Date"] });
-        
-        for (const r of data.requests || []) {
-          table.push([
-            r.request_id,
-            r.model,
-            r.state,
-            `${r.reserved_micros} micros`,
-            `${r.settled_micros} micros`,
-            `${r.prompt_tokens} / ${r.completion_tokens}`,
-            r.created_at
-          ]);
-        }
-        console.log("=== Inference Usage Consumption Ledger ===");
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  // 6. Bootstrap Registry Command
-  const bootstrap = program.command("bootstrap").description("Manage wallet bootstrap service");
-  const bootstrapSellers = bootstrap.command("sellers").description("Manage public seller registry");
-  const bootstrapDefaultSeller = bootstrap.command("default-seller").description("Manage bootstrap default seller");
-  const bootstrapRegistry = bootstrap.command("registry").description("Manage signed registry versions and publishing");
-  const bootstrapConfig = bootstrap.command("config").description("Manage wallet bootstrap YAML config");
-
-  bootstrapSellers
-    .command("get")
-    .description("Fetch public seller registry or one seller by id")
-    .argument("[id]", "Seller id")
-    .action(async (id?: string) => {
-      try {
-        const data = id
-          ? await getClient().get(`/operator/registry/sellers/${encodeURIComponent(id)}`)
-          : await publicGet("/registry/sellers") as SellerRegistryDocument;
-        console.log(JSON.stringify(data, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("list")
-    .description("List seller entries from the operator registry")
-    .action(async () => {
-      try {
-        const data = await getClient().get("/operator/registry/sellers") as { sellers: any[] };
-        const table = new Table({ head: ["ID", "Status", "URL", "Models", "Protocols", "Payments"] });
-        for (const seller of data.sellers || []) {
-          table.push([
-            seller.id,
-            seller.status || "active",
-            seller.url,
-            String(seller.models?.length || seller.modelsCount || 0),
-            (seller.supportedProtocols || []).join(","),
-            (seller.paymentMethods || []).join(",")
-          ]);
-        }
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("add")
-    .description("Add one seller entry without replacing the full registry")
-    .requiredOption("--file <path>", "Seller entry YAML/JSON file")
-    .requiredOption("--expect-version <n>", "Expected current registry version")
-    .option("--idempotency-key <key>", "Idempotency key for retry-safe writes")
-    .action(async (options) => {
-      try {
-        const seller = loadSellerRegistryEntryFile(options.file);
-        const headers = options.idempotencyKey ? { "Idempotency-Key": options.idempotencyKey } : undefined;
-        const response = await getClient().post(
-          "/operator/registry/sellers",
-          withExpectedVersion(seller, options.expectVersion),
-          headers
-        ) as SellerRegistryDocument;
-        console.log(`Added seller ${seller.id}: version=${response.version} sellers=${response.sellers.length} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("update <id>")
-    .description("Patch one seller entry without replacing the full registry")
-    .requiredOption("--file <path>", "Seller patch YAML/JSON file")
-    .requiredOption("--expect-version <n>", "Expected current registry version")
-    .option("--idempotency-key <key>", "Idempotency key for retry-safe writes")
-    .action(async (id, options) => {
-      try {
-        const patch = loadSellerRegistryPatchFile(options.file);
-        const headers = options.idempotencyKey ? { "Idempotency-Key": options.idempotencyKey } : undefined;
-        const response = await getClient().patch(
-          `/operator/registry/sellers/${encodeURIComponent(id)}`,
-          withExpectedVersion(patch, options.expectVersion),
-          headers
-        ) as SellerRegistryDocument;
-        console.log(`Updated seller ${id}: version=${response.version} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("status <id> <status>")
-    .description("Set one seller registry status: active, draining, or offline")
-    .requiredOption("--expect-version <n>", "Expected current registry version")
-    .option("--idempotency-key <key>", "Idempotency key for retry-safe writes")
-    .action(async (id, status, options) => {
-      try {
-        const headers = options.idempotencyKey ? { "Idempotency-Key": options.idempotencyKey } : undefined;
-        const response = await getClient().put(
-          `/operator/registry/sellers/${encodeURIComponent(id)}/status`,
-          withExpectedVersion({ status }, options.expectVersion),
-          headers
-        ) as SellerRegistryDocument;
-        console.log(`Set seller ${id} status=${status}: version=${response.version} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("remove <id>")
-    .description("Remove one non-active seller entry")
-    .requiredOption("--expect-version <n>", "Expected current registry version")
-    .option("--force", "Allow forced removal when the service permits it")
-    .option("--idempotency-key <key>", "Idempotency key for retry-safe writes")
-    .action(async (id, options) => {
-      try {
-        const headers = options.idempotencyKey ? { "Idempotency-Key": options.idempotencyKey } : undefined;
-        const response = await getClient().delete(
-          `/operator/registry/sellers/${encodeURIComponent(id)}`,
-          withExpectedVersion({ force: Boolean(options.force) }, options.expectVersion),
-          headers
-        ) as SellerRegistryDocument;
-        console.log(`Removed seller ${id}: version=${response.version} sellers=${response.sellers.length} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("put")
-    .description("Deprecated: dangerously replace public seller registry")
-    .requiredOption("--file <path>", "Seller registry JSON file")
-    .option("--force", "Acknowledge this full replacement is dangerous")
-    .action(async (options) => {
-      try {
-        if (!options.force) {
-          throw new Error("bootstrap sellers put is deprecated; use bootstrap registry import --dry-run first, then --force");
-        }
-        const document = loadRegistryFile(options.file);
-        const client = getClient();
-        const response = await client.put("/operator/registry/sellers", document) as SellerRegistryDocument;
-        console.log(`Dangerously replaced seller registry: version=${response.version} sellers=${response.sellers.length} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapSellers
-    .command("validate")
-    .description("Validate seller registry JSON")
-    .requiredOption("--file <path>", "Seller registry JSON file")
-    .action((options) => {
-      try {
-        const document = loadRegistryFile(options.file);
-        validateRegistryDocument(document);
-        console.log(`Seller registry valid: version=${document.version} sellers=${document.sellers.length}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapDefaultSeller
-    .command("set <id>")
-    .description("Set default seller")
-    .requiredOption("--expect-version <n>", "Expected current registry version")
-    .option("--idempotency-key <key>", "Idempotency key for retry-safe writes")
-    .action(async (id, options) => {
-      try {
-        const headers = options.idempotencyKey ? { "Idempotency-Key": options.idempotencyKey } : undefined;
-        const response = await getClient().put(
-          "/operator/registry/default-seller",
-          withExpectedVersion({ sellerId: id }, options.expectVersion),
-          headers
-        ) as SellerRegistryDocument;
-        console.log(`Set default seller ${id}: version=${response.version} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapRegistry
-    .command("diff")
-    .description("Compare a local registry JSON file against the operator registry")
-    .requiredOption("--file <path>", "Seller registry JSON file")
-    .action(async (options) => {
-      try {
-        const local = loadRegistryFile(options.file);
-        const remote = await getClient().get("/operator/registry") as SellerRegistryDocument;
-        const localIds = new Set(local.sellers.map((seller) => seller.id));
-        const remoteIds = new Set(remote.sellers.map((seller) => seller.id));
-        const added = local.sellers.filter((seller) => !remoteIds.has(seller.id)).map((seller) => seller.id);
-        const removed = remote.sellers.filter((seller) => !localIds.has(seller.id)).map((seller) => seller.id);
-        const changed = local.sellers
-          .filter((seller) => remoteIds.has(seller.id))
-          .filter((seller) => JSON.stringify(seller) !== JSON.stringify(remote.sellers.find((entry) => entry.id === seller.id)))
-          .map((seller) => seller.id);
-        console.log(JSON.stringify({
-          remoteVersion: remote.version,
-          localVersion: local.version,
-          added,
-          removed,
-          changed,
-          defaultSellerChanged: remote.defaultSeller !== local.defaultSeller
-        }, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapRegistry
-    .command("import")
-    .description("Import a full registry JSON as a dangerous disaster-recovery operation")
-    .requiredOption("--file <path>", "Seller registry JSON file")
-    .option("--dry-run", "Only validate and show diff")
-    .option("--force", "Actually perform the full replacement")
-    .option("--expect-version <n>", "Expected current registry version before import")
-    .option("--force-delete-count <n>", "Maximum allowed delete count when forcing", "1")
-    .action(async (options) => {
-      try {
-        const local = loadRegistryFile(options.file);
-        const remote = await getClient().get("/operator/registry") as SellerRegistryDocument;
-        const localIds = new Set(local.sellers.map((seller) => seller.id));
-        const removed = remote.sellers.filter((seller) => !localIds.has(seller.id));
-        const forceDeleteCount = Number(options.forceDeleteCount);
-        if (!Number.isInteger(forceDeleteCount) || forceDeleteCount < 0) {
-          throw new Error("--force-delete-count must be >= 0");
-        }
-        console.log(`Import diff: remoteVersion=${remote.version} localVersion=${local.version} removes=${removed.length}`);
-        if (options.dryRun || !options.force) {
-          if (!options.dryRun) {
-            throw new Error("refusing full import without --force; run with --dry-run first");
-          }
-          return;
-        }
-        if (removed.length > forceDeleteCount) {
-          throw new Error(`import would remove ${removed.length} sellers; pass --force-delete-count ${removed.length} to allow`);
-        }
-        const body = withExpectedVersion(local as any, options.expectVersion);
-        const response = await getClient().put("/operator/registry/sellers", body) as SellerRegistryDocument;
-        console.log(`Imported seller registry: version=${response.version} sellers=${response.sellers.length} publish=pending`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapRegistry
-    .command("publish")
-    .description("Publish the current signed registry to R2")
-    .option("--version <n>", "Registry version to publish")
-    .action(async (options) => {
-      try {
-        const version = options.version ? Number(options.version) : undefined;
-        if (version !== undefined && (!Number.isInteger(version) || version < 1)) {
-          throw new Error("--version must be a positive integer");
-        }
-        const body = version === undefined ? {} : { version };
-        const response = await getClient().post("/operator/registry/publish", body) as {
-          version: number;
-          registrySha256: string;
-          signingKeyId: string;
-          artifacts?: Array<{ key: string; url: string }>;
-        };
-        console.log(`Published registry version=${response.version} sha256=${response.registrySha256} signingKey=${response.signingKeyId}`);
-        for (const artifact of response.artifacts || []) {
-          console.log(`  ${artifact.key} -> ${artifact.url}`);
-        }
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapRegistry
-    .command("versions")
-    .description("List registry versions")
-    .option("--limit <n>", "Maximum versions to list", "20")
-    .action(async (options) => {
-      try {
-        const limit = Number(options.limit);
-        if (!Number.isInteger(limit) || limit < 1) {
-          throw new Error("--limit must be a positive integer");
-        }
-        const response = await getClient().get(`/operator/registry/versions?limit=${encodeURIComponent(String(limit))}`) as {
-          versions?: Array<{
-            version: number;
-            registrySha256: string;
-            signingKeyId?: string;
-            signed?: boolean;
-            sellerCount?: number;
-            defaultSeller?: string;
-            createdAt?: string;
-            publishedAt?: string;
-          }>;
-        };
-        for (const version of response.versions || []) {
-          console.log([
-            `version=${version.version}`,
-            `sellers=${version.sellerCount ?? "?"}`,
-            `default=${version.defaultSeller || "-"}`,
-            `signed=${version.signed ? "yes" : "no"}`,
-            `published=${version.publishedAt || "pending"}`,
-            `sha256=${version.registrySha256}`,
-            `key=${version.signingKeyId || "-"}`
-          ].join(" "));
-        }
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapConfig
-    .command("get")
-    .description("Fetch wallet bootstrap runtime config")
-    .action(async () => {
-      try {
-        const client = getClient();
-        const data = await client.get("/operator/config") as BootstrapConfigDocument;
-        console.log(YAML.dump(data, { lineWidth: 120, noRefs: true }));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapConfig
-    .command("put")
-    .description("Update wallet bootstrap runtime config from YAML")
-    .requiredOption("--file <path>", "Wallet bootstrap YAML config file")
-    .action(async (options) => {
-      try {
-        const document = loadBootstrapConfigFile(options.file);
-        const client = getClient();
-        const response = await client.put("/operator/config", document) as BootstrapConfigDocument;
-        console.log(`Updated wallet bootstrap config: skillSlug=${response.clawtip.skillSlug} registry=${response.sellerRegistryPath}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  bootstrapConfig
-    .command("validate")
-    .description("Validate wallet bootstrap YAML config")
-    .requiredOption("--file <path>", "Wallet bootstrap YAML config file")
-    .action((options) => {
-      try {
-        const document = loadBootstrapConfigFile(options.file);
-        console.log(`Wallet bootstrap config valid: skillSlug=${document.clawtip.skillSlug} registry=${document.sellerRegistryPath}`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  // 7. Config Command (Local)
-  const configCmd = program.command("config").description("Manage local admin profiles");
-
-  configCmd
-    .command("set <profileName>")
-    .description("Add or update an admin connection profile")
-    .option("--url <url>", "Remote seller core API url")
-    .option("--token <token>", "Bearer Operator secret token")
-    .action((profileName, options) => {
-      const opts = program.opts();
-      const configPath = opts.config;
-      const mgr = configPath ? new ConfigManager(configPath) : configManager;
-
-      const url = options.url || opts.url || process.env.TOKENBUDDY_ADMIN_URL;
-      const token = options.token || opts.token || process.env.TOKENBUDDY_ADMIN_TOKEN;
-
-      if (!url || !token) {
-        console.error("error: required option '--url <url>' and '--token <token>' not specified");
-        process.exit(1);
-      }
-
-      mgr.setProfile(profileName, { url, token });
-      console.log(`Profile \`${profileName}\` successfully configured.`);
-    });
-
-  configCmd
-    .command("use <profileName>")
-    .description("Switch default profile to select")
-    .action((profileName) => {
-      const opts = program.opts();
-      const configPath = opts.config;
-      const mgr = configPath ? new ConfigManager(configPath) : configManager;
-
-      try {
-        mgr.useProfile(profileName);
-        console.log(`Now using profile \`${profileName}\` by default.`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-      }
-    });
-
-  configCmd
-    .command("list")
-    .description("List all configured profiles in the active config file")
-    .action(() => {
-      const opts = program.opts();
-      const configPath = opts.config;
-      const mgr = configPath ? new ConfigManager(configPath) : configManager;
-
-      const profiles = mgr.listProfiles();
-      const config = mgr.load();
-      console.log(`=== Configured Local Profiles (config: ${mgr.getConfigPath() || "default"}) ===`);
-      for (const p of profiles) {
-        const isDefault = p === config.default_profile ? "* " : "  ";
-        const details = config.profiles[p];
-        console.log(`${isDefault}${p} -> ${details.url}`);
-      }
-    });
-
-  // Step 14 (v1.1): 多 vendor 实例隔离.
-  // 默认 config dir 改成 ~/.config/tokenbuddy/profiles/*.toml, 每个 vendor 一份 config.
-  // 启动时 tb-admin (没传 --config) 会扫描 profiles/ 合并成一个虚拟配置 (default_profile 仍来自
-  // ~/.config/tokenbuddy/admin.toml). `tb-admin config ls` 列出当前 active file,
-  // `tb-admin config profiles` 扫描 profiles/ 列出所有 vendor file.
-  configCmd
-    .command("profiles")
-    .description("Scan the vendor profiles directory (~/.config/tokenbuddy/profiles/) and list every vendor config")
-    .action(() => {
-      const profileDir = defaultProfileDir();
-      const files = listProfileFiles(profileDir);
-      if (files.length === 0) {
-        console.log(`(no vendor profiles in ${profileDir})`);
-        console.log("Create one with: tb-admin --config <file> config set <vendor> --url <url> --token <token>");
-        return;
-      }
-      console.log(`=== Vendor Profiles (${profileDir}) ===`);
-      for (const file of files) {
-        try {
-          const mgr = new ConfigManager(file);
-          const config = mgr.load();
-          const profileNames = mgr.listProfiles();
-          const firstProfile = profileNames[0];
-          const url = firstProfile ? config.profiles[firstProfile]?.url : "(no profiles)";
-          console.log(`  ${file}\n    -> default=${config.default_profile || firstProfile || "?"} url=${url || "?"}`);
-        } catch (err: any) {
-          console.log(`  ${file}\n    -> (parse failed: ${err.message})`);
-        }
-      }
-    });
-
-  configCmd
-    .command("where")
-    .description("Print the config file path in use (resolves --config, env, or default)")
-    .action(() => {
-      const opts = program.opts();
-      const configPath = opts.config || process.env.TOKENBUDDY_ADMIN_CONFIG;
-      const resolved = configPath || `${process.env.HOME || ""}/.config/tokenbuddy/admin.toml`;
-      console.log(resolved);
-    });
-
-  // 8. Seller Command (Fly.io)
-  const sellerCmd = program.command("seller").description("Deploy and manage seller containers on Fly.io");
-
-  function getFlyProvider(): FlyProvider {
-    const opts = program.opts();
-    const mgr = opts.config ? new ConfigManager(opts.config) : configManager;
-    return new FlyProvider(mgr.getSellerProvider("fly"));
-  }
-
-  function getSellerRunner(): SellerCommandRunner {
-    const opts = program.opts();
-    const mgr = opts.config ? new ConfigManager(opts.config) : configManager;
-    return new SellerCommandRunner(mgr);
-  }
-
-  function printResult(res: unknown, json: boolean): void {
-    if (json) {
-      // json 路径 seller.ts 返回的是结构化 object; 直接 stringify 美化
-      if (typeof res === "string") {
-        // 防御: 任何子命令意外返回 string 都直接原样打
-        console.log(res);
-      } else {
-        console.log(JSON.stringify(res, null, 2));
-      }
-    } else {
-      // 文本路径: seller.ts 返回 string (1.0.31 行为) 或 dry-run string
-      console.log(res);
-    }
-  }
-
-  sellerCmd
-    .command("ls")
-    .description("List all deployed apps on Fly.io")
-    .option("--json", "Output structured JSON instead of human-readable table")
-    .action((options) => {
-      try {
-        const res = getSellerRunner().ls(Boolean(options.json));
-        printResult(res, Boolean(options.json));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerCmd
-    .command("status <app>")
-    .description("Show Fly.io status for a specific seller app")
-    .option("--json", "Output structured JSON")
-    .action((app, options) => {
-      try {
-        const res = getSellerRunner().status(app, Boolean(options.json));
-        printResult(res, Boolean(options.json));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerCmd
-    .command("create <name>")
-    .description("Deploy a new machines instance on Fly.io")
-    .option("--app <app>", "Fly.io app name (bypasses tb-seller- prefix; use tbs-<random> format)")
-    .option("--region <region>", "Fly region (default: sin)", "sin")
-    .requiredOption("--image <image>", "Published Docker image, for example registry.fly.io/tb-seller:<v>")
-    .requiredOption("--fly-config <path>", "Fly.io config file path, for example deploy/fly.io/fly.tb-seller.toml")
-    .option("--volume-name <name>", "Persistent volume name")
-    .option("--volume-size-gb <gb>", "Persistent volume size in GB", (v) => parseInt(v, 10))
-    .option("--volume-id <id>", "Attach existing volume by ID (skips volume creation)")
-    .option("--volume-snapshot-retention-days <days>", "Volume snapshot retention days", (v) => parseInt(v, 10))
-    .option("--initial-config <path>", "Initial seller YAML config to inject as TOKENBUDDY_SELLER_CONFIG_B64")
-    .requiredOption("--operator-secret <secret>", "Operator secret to configure")
-    .option("--dry-run", "Dry run display without actual execution")
-    .option("--json", "Output structured JSON (dry-run lists planned flyctl commands; real run captures summary)")
-    .action((name, options) => {
-      try {
-        const res = getSellerRunner().create(
-          {
-            name,
-            app: options.app,
-            region: options.region,
-            image: options.image,
-            flyConfig: options.flyConfig,
-            volumeName: options.volumeName,
-            volumeSizeGb: options.volumeSizeGb,
-            volumeId: options.volumeId,
-            volumeSnapshotRetentionDays: options.volumeSnapshotRetentionDays,
-            initialConfigPath: options.initialConfig,
-            operatorSecret: options.operatorSecret,
-            dryRun: options.dryRun
-          },
-          Boolean(options.json)
-        );
-        printResult(res, Boolean(options.json));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerCmd
-    .command("deploy <app>")
-    .description("Update an existing seller app's Machines to an explicit image without changing Fly.io config or volumes")
-    .requiredOption("--image <image>", "Published Docker image, for example registry.fly.io/tb-seller:<v>")
-    .option("--dry-run", "Dry run")
-    .option("--json", "Output structured JSON")
-    .action((app, options) => {
-      try {
-        const res = getSellerRunner().deploy(
-          { app, image: options.image, dryRun: options.dryRun },
-          Boolean(options.json)
-        );
-        printResult(res, Boolean(options.json));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerCmd
-    .command("roll")
-    .description("Sequentially redeploy every tbs-* seller app (live candidate list from `fly apps list`) to a single image, image-only, fail-fast. Replaces deploy/fly.io/deploy-seller-fleet-to-flyio.sh.")
-    .requiredOption("--image <image>", "Published Docker image, for example registry.fly.io/tb-seller:<v>")
-    .option("--exclude <list>", "Comma-separated list of seller app names to skip (e.g. tbs-86d81e,tbs-719577)")
-    .option("--dry-run", "List the planned candidate set and per-app plans, do not actually redeploy")
-    .option("--json", "Output structured JSON: candidates / excluded / attempts / completed")
-    .action((options) => {
-      try {
-        const exclude = options.exclude
-          ? String(options.exclude).split(",").map((s) => s.trim()).filter(Boolean)
-          : [];
-        const res = getSellerRunner().roll(
-          { image: options.image, exclude, dryRun: options.dryRun },
-          Boolean(options.json)
-        );
-        printResult(res, Boolean(options.json));
-        // 文本路径下, 失败时给非零退出码 (CI / script 可感知)
-        if (!options.json && typeof res === "string" && res.includes("roll stopped at failure")) {
-          process.exit(1);
-        }
-        // json 路径下, completed=false 也给非零
-        if (options.json && typeof res !== "string" && res.completed === false) {
-          process.exit(1);
-        }
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  sellerCmd
-    .command("remove <name>")
-    .description("Completely destroy a seller app on Fly.io")
-    .option("--app <app>", "Fly.io app name (use if name is ambiguous or already a full app name)")
-    .option("--remove-profile", "Also delete the corresponding profile from local admin.toml")
-    .option("--dry-run", "Dry run")
-    .option("--json", "Output structured JSON")
-    .action((name, options) => {
-      try {
-        const appName = options.app || name;
-        const res = getSellerRunner().remove(appName, Boolean(options.dryRun), Boolean(options.json));
-        printResult(res, Boolean(options.json));
-        if (options.removeProfile && !options.dryRun && !options.json) {
-          const appBase = appName.includes("-") ? appName.replace(/^tb-seller-/, "") : appName;
-          const profileNames = [`tbs-1`, `tbs-2`, `tbs-3`, `tbs-4`, `tbs-5`];
-          const toRemove = profileNames.find((p) => {
-            const cfg = configManager.listProfiles().includes(p) &&
-              configManager.getProfile(p)?.url?.includes(appName);
-            return cfg;
-          });
-          if (toRemove) {
-            configManager.removeProfile(toRemove);
-            console.log(`Removed local profile \`${toRemove}\`.`);
-          } else {
-            console.log(`No matching local profile found for ${appName} — skipped.`);
-          }
-        }
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  // ------------------------------------------------------------------------
-  // 7. Vendor domain commands (Step 5 of the registry redesign)
-  //
-  // vendor 走 `/platform/*` (Bearer vendor token, 不是 super-admin key).
-  // 这些命令不替代 platform publish / config* / default-seller / seller
-  // create-deploy-remove-ls; vendor 现在只能 stage 一个 seller + 提交
-  // release request. 旧命令保留 (兼容迁移期 smoke), 但 `bootstrap
-  // registry publish` / `bootstrap config*` / `bootstrap default-seller
-  // set` / `seller create|deploy|remove|ls` 在 server 端已不再服务
-  // super-admin 域 (Step 5 删 / Step 7 删 server).  客户端先行禁用:
-  // 这些子命令保留 parser, 但 runtime 立刻报 "deprecated" 错误.
-  // ------------------------------------------------------------------------
-
-  const vendorBootstrap = program.command("vendor-bootstrap")
-    .description("Vendor-domain seller and release management (registry redesign Step 5+)")
-    .option("--base-url <url>", "Override wallet-bootstrap base URL");
-
-  vendorBootstrap
-    .command("me")
-    .description("Show the authenticated vendor identity")
-    .action(async () => {
-      try {
-        const result = await getClient().get("/platform/me");
-        console.log(JSON.stringify(result, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  vendorBootstrap
-    .command("sellers")
-    .description("List live sellers visible to the authenticated vendor")
-    .action(async () => {
-      try {
-        const result = await getClient().get("/platform/sellers");
-        const rows = (result.sellers as any[]) || [];
-        const table = new Table({ head: ["ID", "URL", "Status", "Models"] });
-        for (const seller of rows) {
-          table.push([
-            seller.id,
-            seller.url,
-            seller.status || "active",
-            String(seller.models?.length || 0)
-          ]);
-        }
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  vendorBootstrap
-    .command("stage")
-    .description("Stage a seller entry for inclusion in the next release request")
-    .requiredOption("--file <path>", "Seller entry JSON file")
-    .action(async (options) => {
-      try {
-        const result = await getClient().post("/platform/sellers/stage", JSON.parse(fs.readFileSync(options.file, "utf8")));
-        console.log(`Staged ${(result as any).pendingSeller.id} (status: ${(result as any).pendingSeller.status})`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  vendorBootstrap
-    .command("pending")
-    .description("List staged pending sellers for the authenticated vendor")
-    .option("--status <status>", "Filter by status: staged|published|rejected", "staged")
-    .action(async (options) => {
-      try {
-        const result = await getClient().get(`/platform/sellers/pending?status=${encodeURIComponent(options.status)}`);
-        const rows = (result as any).pendingSellers as any[];
-        if (rows.length === 0) {
-          console.log(`(no ${options.status} pending sellers)`);
-          return;
-        }
-        const table = new Table({ head: ["ID", "Status", "Submitted", "Decided"] });
-        for (const row of rows) {
-          table.push([row.id, row.status, row.submittedAt, row.decidedAt || "—"]);
-        }
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  const releaseCmd = vendorBootstrap
-    .command("release")
-    .description("Submit and inspect release requests");
-
-  releaseCmd
-    .command("submit")
-    .description("Submit a release request that includes one or more staged sellers")
-    .option("--staged <id...>", "One or more staged seller ids to include", collectIds, [])
-    .option("--note <text>", "Note explaining the release")
-    .action(async (options) => {
-      try {
-        const result = await getClient().post("/platform/release-requests", {
-          stagedSellerIds: options.staged,
-          note: options.note
-        });
-        const record = (result as any).releaseRequest;
-        console.log(`Submitted release request #${record.id} (status: ${record.status})`);
-        console.log(`  sellers: ${record.payloadSummary.count} (${(record.payloadSummary.sellerIds || []).join(", ") || "—"})`);
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  releaseCmd
-    .command("list")
-    .description("List release requests for the authenticated vendor")
-    .option("--limit <n>", "Maximum number of records to return", "20")
-    .action(async (options) => {
-      try {
-        const result = await getClient().get(`/platform/release-requests?limit=${encodeURIComponent(options.limit)}`);
-        const rows = (result as any).releaseRequests as any[];
-        if (rows.length === 0) {
-          console.log("(no release requests)");
-          return;
-        }
-        const table = new Table({ head: ["ID", "Status", "Sellers", "Submitted", "Version"] });
-        for (const r of rows) {
-          table.push([
-            `#${r.id}`,
-            r.status,
-            String(r.payloadSummary?.count || 0),
-            r.submittedAt,
-            r.publishedVersion !== null ? `v${r.publishedVersion}` : "—"
-          ]);
-        }
-        console.log(table.toString());
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  releaseCmd
-    .command("show <id>")
-    .description("Show a single release request")
-    .action(async (id) => {
-      try {
-        const result = await getClient().get(`/platform/release-requests/${encodeURIComponent(id)}`);
-        const r = (result as any).releaseRequest;
-        if (!r) {
-          console.error("Release request not found");
-          process.exit(1);
-        }
-        console.log(JSON.stringify(r, null, 2));
-      } catch (err: any) {
-        console.error("Error:", err.message);
-        process.exit(1);
-      }
-    });
-
-  return program;
-}
-
-function collectIds(value: string, previous: string[]): string[] {
-  return previous.concat([value]);
-}
-
-// Step 14 (v1.1): 多 vendor 实例 config 隔离.
-// 默认 profiles 目录是 ~/.config/tokenbuddy/profiles/, 每个 vendor 一份独立 toml.
-// 默认主 config 仍走 ~/.config/tokenbuddy/admin.toml (default_profile 在此设).
-// 用户可以:
-//   - tb-admin --config /path/to/vendor-A.toml config ls    (单 vendor 显式)
-//   - tb-admin config profiles                             (扫 profiles/ 看所有 vendor)
-//   - TOKENBUDDY_CONFIG_DIR=/somewhere tb-admin ...       (env override)
-function defaultProfileDir(): string {
-  const override = process.env.TOKENBUDDY_CONFIG_DIR;
-  if (override) {
-    return path.join(override, "profiles");
-  }
-  return path.join(process.env.HOME || "", ".config", "tokenbuddy", "profiles");
-}
-
-function listProfileFiles(dir: string): string[] {
-  if (!fs.existsSync(dir)) {
-    return [];
-  }
-  return fs.readdirSync(dir)
-    .filter((name) => name.endsWith(".toml") || name.endsWith(".config"))
-    .map((name) => path.join(dir, name))
-    .sort();
-}