@treeseed/cli 0.4.12 → 0.6.0

package/dist/cli/handlers/config.js

@@ -1,10 +1,14 @@
 import {
+  applyTreeseedConfigValues,
   applyTreeseedSafeRepairs,
   collectTreeseedConfigContext,
+  ensureTreeseedActVerificationTooling,
+  ensureTreeseedSecretSessionForConfig,
   findNearestTreeseedRoot
 } from "@treeseed/sdk/workflow-support";
 import { fail, guidedResult } from "./utils.js";
 import { buildCliConfigPages, runCliConfigEditor } from "./config-ui.js";
+import { promptForNewPassphrase, promptHidden } from "./secret-prompts.js";
 import { createWorkflowSdk, renderWorkflowNextSteps, workflowErrorResult } from "./workflow.js";
 function normalizeConfigScopes(value) {
   const requested = Array.isArray(value) ? value.map(String) : typeof value === "string" ? [value] : ["all"];
@@ -31,11 +35,86 @@ function formatPrintEnvReports(payload) {
   }
   return lines.filter((line, index, all) => !(line === "" && all[index - 1] === ""));
 }
+function resolveMouseEnabled(value, env) {
+  if (value === true) {
+    return true;
+  }
+  const envValue = env.TREESEED_UI_MOUSE;
+  return envValue === "1" || envValue === "true";
+}
+function configReadinessLabel(readiness) {
+  if (!readiness) {
+    return "pending";
+  }
+  if (typeof readiness.phase === "string" && readiness.phase.length > 0) {
+    return readiness.phase;
+  }
+  if (readiness.deployable) {
+    return "deployable";
+  }
+  if (readiness.provisioned) {
+    return "provisioned";
+  }
+  if (readiness.configured) {
+    return "config_complete";
+  }
+  return "pending";
+}
+function describeSecretBootstrap(secretSession) {
+  if (!secretSession?.status) {
+    return "(unknown)";
+  }
+  if (secretSession.createdWrappedKey) {
+    return secretSession.unlockSource === "env" ? "created via env passphrase" : "created via interactive passphrase";
+  }
+  if (secretSession.migratedWrappedKey) {
+    return secretSession.unlockSource === "env" ? "migrated via env passphrase" : "migrated via interactive passphrase";
+  }
+  if (secretSession.unlockSource === "existing-session") {
+    return secretSession.status.unlocked ? "already unlocked" : "locked";
+  }
+  return secretSession.unlockSource === "env" ? "unlocked via env passphrase" : "unlocked interactively";
+}
+function describeInteractiveSecretBootstrap(secretSession) {
+  if (!secretSession?.status) {
+    return void 0;
+  }
+  if (secretSession.createdWrappedKey) {
+    return "Wrapped machine key created and unlocked.";
+  }
+  if (secretSession.migratedWrappedKey) {
+    return "Legacy machine key wrapped and unlocked.";
+  }
+  if (secretSession.unlockSource === "interactive") {
+    return "Wrapped machine key unlocked.";
+  }
+  if (secretSession.unlockSource === "env") {
+    return "Wrapped machine key unlocked from TREESEED_KEY_PASSPHRASE.";
+  }
+  return void 0;
+}
+function describeSharedStorageMigrations(migrations) {
+  if (!Array.isArray(migrations) || migrations.length === 0) {
+    return void 0;
+  }
+  return migrations.map((migration) => {
+    const label = typeof migration.label === "string" && migration.label.length > 0 ? migration.label : migration.entryId;
+    const promotedFrom = typeof migration.promotedFrom === "string" ? migration.promotedFrom : "staging";
+    const scopes = Array.isArray(migration.consolidatedScopes) && migration.consolidatedScopes.length > 0 ? migration.consolidatedScopes.join("/") : promotedFrom;
+    return migration.hadConflicts ? `${label} consolidated from ${scopes} using ${promotedFrom}` : `${label} promoted from ${promotedFrom}`;
+  }).join("; ");
+}
 function renderConfigResult(commandName, result) {
   const payload = result.payload;
   const toolHealth = payload.toolHealth;
+  const configContext = payload.context;
+  const configReadiness = configContext?.configReadinessByScope?.local ?? {};
   const readinessByScope = payload.result?.readinessByScope ?? {};
-  const summary = payload.mode === "print-env-only" ? "Treeseed config environment report completed." : payload.mode === "rotate-machine-key" ? "Treeseed machine key rotated successfully." : "Treeseed config completed successfully.";
+  const resourceInventoryByScope = payload.result?.resourceInventoryByScope ?? payload.resourceInventoryByScope ?? {};
+  const secretSession = payload.secretSession;
+  const sharedStorageMigrations = payload.result?.sharedStorageMigrations;
+  const summary = payload.mode === "print-env-only" ? "Treeseed config environment report completed." : payload.mode === "rotate-machine-key" ? "Treeseed machine key rotated successfully." : payload.mode === "connect-market" ? "Knowledge Coop pairing completed successfully." : payload.mode === "bootstrap-preflight" ? "Treeseed bootstrap verification preflight completed." : payload.mode === "bootstrap" ? "Treeseed platform bootstrap completed successfully." : "Treeseed config completed successfully.";
+  const market = payload.market;
   return guidedResult({
     command: commandName,
     summary,
@@ -46,15 +125,39 @@ function renderConfigResult(commandName, result) {
       { label: "Safe repairs", value: Array.isArray(payload.repairs) ? payload.repairs.length : 0 },
       { label: "Machine config", value: payload.configPath },
       { label: "Machine key", value: payload.keyPath },
-      { label: "Local readiness", value: readinessByScope.local?.deployable ? "deployable" : readinessByScope.local?.configured ? "configured" : "pending" },
-      { label: "Staging readiness", value: readinessByScope.staging?.deployable ? "deployable" : readinessByScope.staging?.provisioned ? "provisioned" : readinessByScope.staging?.configured ? "configured" : "pending" },
-      { label: "Prod readiness", value: readinessByScope.prod?.deployable ? "deployable" : readinessByScope.prod?.provisioned ? "provisioned" : readinessByScope.prod?.configured ? "configured" : "pending" },
+      { label: "Passphrase env", value: payload.passphraseEnv?.configured ? "configured" : "unset" },
+      { label: "Secrets session", value: describeSecretBootstrap(secretSession) },
+      { label: "Shared consolidations", value: describeSharedStorageMigrations(sharedStorageMigrations) },
+      { label: "Deployment key", value: resourceInventoryByScope.staging?.identity?.deploymentKey ?? resourceInventoryByScope.prod?.identity?.deploymentKey ?? "(unset)" },
+      { label: "Team", value: resourceInventoryByScope.staging?.identity?.teamId ?? resourceInventoryByScope.prod?.identity?.teamId ?? "(unset)" },
+      { label: "Project", value: resourceInventoryByScope.staging?.identity?.projectId ?? resourceInventoryByScope.prod?.identity?.projectId ?? "(unset)" },
+      { label: "Local readiness", value: configReadinessLabel(readinessByScope.local) },
+      { label: "Staging readiness", value: configReadinessLabel(readinessByScope.staging) },
+      { label: "Prod readiness", value: configReadinessLabel(readinessByScope.prod) },
+      { label: "Pages project", value: resourceInventoryByScope.staging?.resources?.pagesProject ?? resourceInventoryByScope.prod?.resources?.pagesProject ?? "(unset)" },
+      { label: "R2 bucket", value: resourceInventoryByScope.staging?.resources?.contentBucket ?? resourceInventoryByScope.prod?.resources?.contentBucket ?? "(unset)" },
+      { label: "GitHub token/config", value: configReadiness.github?.configured ? "configured" : "missing" },
+      { label: "Cloudflare token/config", value: configReadiness.cloudflare?.configured ? "configured" : "missing" },
+      { label: "Railway token/config", value: configReadiness.railway?.configured ? "configured" : "missing" },
       { label: "GitHub CLI", value: toolHealth?.githubCli?.available ? "ready" : "missing" },
+      { label: "Wrangler CLI", value: toolHealth?.wranglerCli?.available ? "ready" : "missing" },
+      { label: "Railway CLI", value: toolHealth?.railwayCli?.available ? "ready" : "missing" },
       { label: "gh act", value: toolHealth?.ghActExtension?.available ? "ready" : "missing" },
       { label: "Docker", value: toolHealth?.dockerDaemon?.available ? "ready" : "missing" },
-      { label: "ACT verify", value: toolHealth?.actVerificationReady ? "ready" : "not ready" }
+      { label: "ACT verify", value: toolHealth?.actVerificationReady ? "ready" : "not ready" },
+      ...market ? [
+        { label: "Market base URL", value: market.baseUrl ?? "(none)" },
+        { label: "Market team", value: market.teamSlug ?? market.teamId ?? "(none)" },
+        { label: "Market project", value: market.projectSlug ?? market.projectId ?? "(none)" },
+        { label: "Hub mode", value: market.hubMode ?? "(unknown)" },
+        { label: "Runtime mode", value: market.runtimeMode ?? "(unknown)" },
+        { label: "Runtime ready", value: market.runtimeReady ? "yes" : "no" }
+      ] : []
+    ],
+    nextSteps: [
+      ...payload.passphraseEnv?.configured ? [] : [payload.passphraseEnv?.recommendedLaunch].filter(Boolean),
+      ...renderWorkflowNextSteps(result)
     ],
-    nextSteps: renderWorkflowNextSteps(result),
     report: payload
   });
 }
@@ -66,35 +169,86 @@ const handleConfig = async (invocation, context) => {
     });
     const scopes = normalizeConfigScopes(invocation.args.environment);
     const sync = invocation.args.sync;
-    const interactive = context.outputFormat !== "json" && process.stdin.isTTY && process.stdout.isTTY;
-    if (interactive && invocation.args.printEnvOnly !== true && invocation.args.rotateMachineKey !== true) {
+    const interactive = context.outputFormat !== "json" && context.interactiveUi !== false && process.stdin.isTTY && process.stdout.isTTY;
+    const nonInteractive = invocation.args.nonInteractive === true || context.outputFormat === "json";
+    const operationalMode = invocation.args.printEnvOnly === true || invocation.args.rotateMachineKey === true || invocation.args.connectMarket === true || invocation.args.bootstrap === true;
+    if (!interactive && !nonInteractive && !operationalMode) {
+      return fail("Treeseed config requires a TTY for the interactive editor. Re-run in a terminal, or use --non-interactive, --json, --bootstrap, --print-env-only, --rotate-machine-key, or --connect-market.");
+    }
+    if (interactive && !nonInteractive && !operationalMode) {
       const tenantRoot = findNearestTreeseedRoot(context.cwd) ?? context.cwd;
       if (!tenantRoot) {
         return fail("Treeseed config requires a Treeseed project. Run the command from inside a tenant or initialize one first.");
       }
       applyTreeseedSafeRepairs(tenantRoot);
+      const toolAvailability = ensureTreeseedActVerificationTooling({
+        tenantRoot,
+        installIfMissing: invocation.args.installMissingTooling === true,
+        env: context.env,
+        write: context.write
+      });
+      const secretSession = await ensureTreeseedSecretSessionForConfig({
+        tenantRoot,
+        interactive: true,
+        env: context.env,
+        promptForPassphrase: () => promptHidden("Treeseed passphrase: "),
+        promptForNewPassphrase
+      });
       const configContext = collectTreeseedConfigContext({
         tenantRoot,
         scopes,
         env: context.env
       });
+      const initialViewMode = (() => {
+        if (invocation.args.full === true) {
+          return "full";
+        }
+        return buildCliConfigPages(configContext, "local", {}, "startup").length > 0 ? "startup" : "full";
+      })();
       const editorResult = await runCliConfigEditor(configContext, {
-        initialViewMode: invocation.args.full === true ? "full" : "startup"
+        initialViewMode,
+        mouseEnabled: resolveMouseEnabled(invocation.args.mouse, context.env),
+        initialStatusMessage: describeInteractiveSecretBootstrap(secretSession),
+        toolAvailability,
+        secretSession,
+        onCommit: async (update) => {
+          applyTreeseedConfigValues({
+            tenantRoot,
+            updates: [{
+              scope: update.scope,
+              entryId: update.entryId,
+              value: update.value,
+              reused: false
+            }]
+          });
+          return collectTreeseedConfigContext({
+            tenantRoot,
+            scopes,
+            env: context.env
+          });
+        }
       });
       if (editorResult === null) {
         return fail("Treeseed config canceled.");
       }
-      const updates = buildCliConfigPages(configContext, "all", editorResult.overrides, "full").map((page) => ({
+      const refreshedContext = collectTreeseedConfigContext({
+        tenantRoot,
+        scopes,
+        env: context.env
+      });
+      const updates = refreshedContext.scopes.flatMap((scope) => buildCliConfigPages(refreshedContext, scope, editorResult.overrides, "full")).filter((page, index, allPages) => allPages.findIndex((candidate) => candidate.key === page.key) === index).map((page) => ({
         scope: page.scope,
         entryId: page.entry.id,
         value: page.finalValue,
         reused: !(page.key in editorResult.overrides)
       }));
+      context.write("Applying config updates, validating environments, and syncing managed providers...", "stdout");
       const result2 = await workflow.config({
         environment: scopes,
         sync,
         printEnv: invocation.args.printEnv === true,
         showSecrets: invocation.args.showSecrets === true,
+        installMissingTooling: invocation.args.installMissingTooling === true,
         nonInteractive: true,
         updates
       });
@@ -103,11 +257,23 @@ const handleConfig = async (invocation, context) => {
     const result = await workflow.config({
       environment: invocation.args.environment,
       sync,
+      bootstrap: invocation.args.bootstrap === true,
+      preflight: invocation.args.preflight === true,
       printEnv: invocation.args.printEnv === true,
       printEnvOnly: invocation.args.printEnvOnly === true,
       showSecrets: invocation.args.showSecrets === true,
       rotateMachineKey: invocation.args.rotateMachineKey === true,
-      nonInteractive: context.outputFormat === "json"
+      connectMarket: invocation.args.connectMarket === true,
+      marketBaseUrl: typeof invocation.args.marketBaseUrl === "string" ? invocation.args.marketBaseUrl : void 0,
+      marketTeamId: typeof invocation.args.marketTeamId === "string" ? invocation.args.marketTeamId : void 0,
+      marketTeamSlug: typeof invocation.args.marketTeamSlug === "string" ? invocation.args.marketTeamSlug : void 0,
+      marketProjectId: typeof invocation.args.marketProjectId === "string" ? invocation.args.marketProjectId : void 0,
+      marketProjectSlug: typeof invocation.args.marketProjectSlug === "string" ? invocation.args.marketProjectSlug : void 0,
+      marketProjectApiBaseUrl: typeof invocation.args.marketProjectApiBaseUrl === "string" ? invocation.args.marketProjectApiBaseUrl : void 0,
+      marketAccessToken: typeof invocation.args.marketAccessToken === "string" ? invocation.args.marketAccessToken : void 0,
+      rotateRunnerToken: invocation.args.rotateRunnerToken === true,
+      installMissingTooling: invocation.args.installMissingTooling === true,
+      nonInteractive
     });
     if (context.outputFormat !== "json" && result.payload.mode === "print-env-only") {
       return {

package/dist/cli/handlers/dev.js

@@ -1,6 +1,7 @@
 import { existsSync, readFileSync } from "node:fs";
 import { createRequire } from "node:module";
 import { dirname, resolve } from "node:path";
+import { resolveTreeseedLaunchEnvironment } from "@treeseed/sdk/workflow-support";
 import { workflowErrorResult } from "./workflow.js";
 const require2 = createRequire(import.meta.url);
 function resolveCoreDevEntrypoint(cwd) {
@@ -46,7 +47,11 @@ const handleDev = async (invocation, context) => {
     const args = watch ? [...resolved.args, "--watch"] : resolved.args;
     const result = context.spawn(resolved.command, args, {
       cwd: context.cwd,
-      env: context.env,
+      env: resolveTreeseedLaunchEnvironment({
+        tenantRoot: context.cwd,
+        scope: "local",
+        baseEnv: { ...process.env, ...context.env ?? {} }
+      }),
       stdio: "inherit"
     });
     return {

package/dist/cli/handlers/doctor.js

@@ -19,6 +19,8 @@ const handleDoctor = async (invocation, context) => {
     if (preflight.missingCommands.includes("git")) mustFixNow.push("Install Git.");
     if (preflight.missingCommands.includes("npm")) mustFixNow.push("Install npm 10 or newer.");
     if (!state.files.machineConfig) mustFixNow.push("Run `treeseed config --environment local` to create the local machine config.");
+    if (!state.secrets.wrappedKeyPresent) mustFixNow.push("Run `treeseed secrets:unlock` to create the wrapped machine key used for local secret storage.");
+    if (state.secrets.migrationRequired) mustFixNow.push("Run `treeseed secrets:migrate-key` to replace the legacy plaintext machine key with the wrapped format.");
     if (state.packageSync.blockers.length > 0) mustFixNow.push(...state.packageSync.blockers);
     if (state.workflowControl.lock.active && state.workflowControl.lock.runId) {
       mustFixNow.push(`Active workflow lock detected for run ${state.workflowControl.lock.runId}. Use \`treeseed recover\` before starting another mutating command.`);
@@ -40,16 +42,20 @@ const handleDoctor = async (invocation, context) => {
         mustFixNow.push(`Missing root workflow contract .github/workflows/${workflowName}.`);
       }
     }
-    if (!state.files.envLocal) optional.push("Create `.env.local` or run `treeseed config --environment local` to generate it.");
-    if (!state.files.devVars) optional.push("Generate `.dev.vars` by running `treeseed config --environment local`.");
-    if (!state.auth.gh) optional.push("Configure `GH_TOKEN` for GitHub CLI automation and Copilot-backed workflows.");
-    if (!state.auth.wrangler) optional.push("Configure `CLOUDFLARE_API_TOKEN` before staging, preview, or production deployment work.");
+    if (!state.auth.gh) optional.push("Configure GitHub token/config (`GH_TOKEN`) for GitHub CLI automation and Copilot-backed workflows.");
+    if (!state.auth.wrangler) optional.push("Configure Cloudflare token/config (`CLOUDFLARE_API_TOKEN`) before staging, preview, or production deployment work.");
     if (!state.auth.railway && railwayManagedServicesEnabled) {
-      optional.push("Configure `RAILWAY_API_TOKEN` before deploying the managed Railway services.");
+      optional.push("Configure Railway token/config (`RAILWAY_API_TOKEN`) before deploying the managed Railway services.");
     }
     if (!state.auth.remoteApi && state.managedServices.api.enabled) {
       optional.push("Run `treeseed auth:login` so the CLI can use the configured remote API.");
     }
+    if (state.secrets.wrappedKeyPresent && !state.secrets.keyAgentUnlocked) {
+      optional.push("Run `treeseed secrets:unlock` before starting secret-backed dev, deploy, or runner commands.");
+    }
+    if (!state.secrets.keyAgentRunning) {
+      optional.push("The Treeseed key-agent is not running yet. It will start automatically when you unlock the secret session.");
+    }
     if (!state.auth.copilot) optional.push("Configure `GH_TOKEN` if you rely on local Copilot-assisted workflows.");
     return guidedResult({
       command: "doctor",

package/dist/cli/handlers/secret-prompts.d.ts

@@ -0,0 +1,2 @@
+export declare function promptHidden(question: string): Promise<string>;
+export declare function promptForNewPassphrase(): Promise<string>;

package/dist/cli/handlers/secret-prompts.js

@@ -0,0 +1,54 @@
+function promptHidden(question) {
+  return new Promise((resolvePromise) => {
+    const stdin = process.stdin;
+    const stdout = process.stdout;
+    let value = "";
+    function cleanup() {
+      stdin.removeListener("data", onData);
+      if (stdin.isTTY) {
+        stdin.setRawMode(false);
+      }
+      stdout.write("\n");
+    }
+    function onData(chunk) {
+      const text = Buffer.isBuffer(chunk) ? chunk.toString("utf8") : chunk;
+      for (const char of text) {
+        if (char === "\n" || char === "\r") {
+          cleanup();
+          resolvePromise(value);
+          return;
+        }
+        if (char === "") {
+          cleanup();
+          process.exit(1);
+        }
+        if (char === "\x7F") {
+          value = value.slice(0, -1);
+          continue;
+        }
+        value += char;
+      }
+    }
+    stdout.write(question);
+    if (stdin.isTTY) {
+      stdin.setRawMode(true);
+    }
+    stdin.resume();
+    stdin.on("data", onData);
+  });
+}
+async function promptForNewPassphrase() {
+  const passphrase = (await promptHidden("New Treeseed passphrase: ")).trim();
+  if (!passphrase) {
+    throw new Error("A non-empty passphrase is required.");
+  }
+  const confirmation = (await promptHidden("Confirm passphrase: ")).trim();
+  if (passphrase !== confirmation) {
+    throw new Error("The passphrase confirmation did not match.");
+  }
+  return passphrase;
+}
+export {
+  promptForNewPassphrase,
+  promptHidden
+};

package/dist/cli/handlers/secrets.d.ts

@@ -0,0 +1,7 @@
+import type { TreeseedCommandHandler } from '../types.js';
+export declare const handleSecretsStatus: TreeseedCommandHandler;
+export declare const handleSecretsUnlock: TreeseedCommandHandler;
+export declare const handleSecretsLock: TreeseedCommandHandler;
+export declare const handleSecretsMigrateKey: TreeseedCommandHandler;
+export declare const handleSecretsRotatePassphrase: TreeseedCommandHandler;
+export declare const handleSecretsRotateMachineKey: TreeseedCommandHandler;

package/dist/cli/handlers/secrets.js

@@ -0,0 +1,175 @@
+import {
+  inspectTreeseedKeyAgentStatus,
+  inspectTreeseedKeyAgentTransportDiagnostic,
+  inspectTreeseedPassphraseEnvDiagnostic,
+  lockTreeseedSecretSession,
+  migrateTreeseedMachineKeyToWrapped,
+  rotateTreeseedMachineKey,
+  rotateTreeseedMachineKeyPassphrase,
+  TREESEED_MACHINE_KEY_PASSPHRASE_ENV,
+  TreeseedKeyAgentError,
+  unlockTreeseedSecretSessionFromEnv,
+  unlockTreeseedSecretSessionInteractive
+} from "@treeseed/sdk/workflow-support";
+import { fail, guidedResult } from "./utils.js";
+import { promptForNewPassphrase } from "./secret-prompts.js";
+async function renderStatus(command, tenantRoot) {
+  const status = inspectTreeseedKeyAgentStatus(tenantRoot);
+  const passphraseEnv = inspectTreeseedPassphraseEnvDiagnostic();
+  const transport = await inspectTreeseedKeyAgentTransportDiagnostic();
+  return guidedResult({
+    command,
+    summary: status.unlocked ? "Treeseed secrets are unlocked." : "Treeseed secrets are locked.",
+    facts: [
+      { label: "Key agent", value: status.running ? "running" : "stopped" },
+      { label: "Wrapped key", value: status.wrappedKeyPresent ? "present" : "missing" },
+      { label: "Migration required", value: status.migrationRequired ? "yes" : "no" },
+      { label: "Socket", value: transport.socketPresent ? "present" : "missing" },
+      { label: "Socket connect", value: transport.socketConnectable ? "yes" : "no" },
+      { label: "Socket health", value: transport.healthOk ? "ok" : "failed" },
+      { label: "Idle timeout", value: `${Math.round(status.idleTimeoutMs / 1e3)}s` },
+      { label: "Idle remaining", value: `${Math.round(status.idleRemainingMs / 1e3)}s` },
+      { label: "Passphrase env", value: passphraseEnv.configured ? "configured" : "unset" },
+      { label: "Key path", value: status.keyPath },
+      { label: "Socket path", value: transport.socketPath }
+    ],
+    report: {
+      status,
+      passphraseEnv,
+      transport
+    },
+    nextSteps: [
+      ...passphraseEnv.configured ? [] : [passphraseEnv.recommendedLaunch],
+      ...transport.lastError ? [`Key-agent transport error: ${transport.lastError}`] : []
+    ]
+  });
+}
+function keyErrorResult(command, error) {
+  if (error instanceof TreeseedKeyAgentError) {
+    return guidedResult({
+      command,
+      summary: error.message,
+      exitCode: 1,
+      report: {
+        code: error.code,
+        details: error.details ?? null
+      },
+      nextSteps: error.code === "interactive_required" ? ["Run this command in a TTY or set TREESEED_KEY_PASSPHRASE for the startup unlock path."] : void 0
+    });
+  }
+  return fail(error instanceof Error ? error.message : String(error));
+}
+const handleSecretsStatus = async (_invocation, context) => renderStatus("secrets:status", context.cwd);
+const handleSecretsUnlock = async (invocation, context) => {
+  try {
+    const fromEnv = invocation.args.fromEnv === true;
+    const status = fromEnv ? unlockTreeseedSecretSessionFromEnv(context.cwd, {
+      allowMigration: invocation.args.allowMigration !== false,
+      createIfMissing: invocation.args.createIfMissing !== false
+    }) : (() => {
+      if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        throw new TreeseedKeyAgentError(
+          "interactive_required",
+          "Treeseed secrets:unlock requires a TTY unless you use --from-env."
+        );
+      }
+      return unlockTreeseedSecretSessionInteractive(context.cwd);
+    })();
+    return guidedResult({
+      command: "secrets:unlock",
+      summary: "Treeseed secrets unlocked.",
+      facts: [
+        { label: "Key agent", value: status.running ? "running" : "stopped" },
+        { label: "Idle remaining", value: `${Math.round(status.idleRemainingMs / 1e3)}s` },
+        { label: "Wrapped key", value: status.wrappedKeyPresent ? "present" : "missing" }
+      ],
+      report: { status }
+    });
+  } catch (error) {
+    return keyErrorResult("secrets:unlock", error);
+  }
+};
+const handleSecretsLock = async (_invocation, context) => {
+  try {
+    const status = lockTreeseedSecretSession(context.cwd);
+    return guidedResult({
+      command: "secrets:lock",
+      summary: "Treeseed secrets locked.",
+      facts: [
+        { label: "Key agent", value: status.running ? "running" : "stopped" },
+        { label: "Wrapped key", value: status.wrappedKeyPresent ? "present" : "missing" }
+      ],
+      report: { status }
+    });
+  } catch (error) {
+    return keyErrorResult("secrets:lock", error);
+  }
+};
+const handleSecretsMigrateKey = async (_invocation, context) => {
+  try {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      throw new TreeseedKeyAgentError("interactive_required", "Treeseed secrets:migrate-key requires a TTY.");
+    }
+    const passphrase = await promptForNewPassphrase().catch((error) => {
+      throw new TreeseedKeyAgentError("unlock_failed", error instanceof Error ? error.message : String(error));
+    });
+    const result = migrateTreeseedMachineKeyToWrapped(context.cwd, passphrase);
+    return guidedResult({
+      command: "secrets:migrate-key",
+      summary: result.alreadyWrapped ? "Treeseed machine key is already wrapped." : "Treeseed machine key migrated to the wrapped format.",
+      facts: [
+        { label: "Key path", value: result.keyPath },
+        { label: "Migrated", value: result.migrated ? "yes" : "no" }
+      ],
+      report: result
+    });
+  } catch (error) {
+    return keyErrorResult("secrets:migrate-key", error);
+  }
+};
+const handleSecretsRotatePassphrase = async (_invocation, context) => {
+  try {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      throw new TreeseedKeyAgentError("interactive_required", "Treeseed secrets:rotate-passphrase requires a TTY.");
+    }
+    const passphrase = await promptForNewPassphrase().catch((error) => {
+      throw new TreeseedKeyAgentError("unlock_failed", error instanceof Error ? error.message : String(error));
+    });
+    const result = rotateTreeseedMachineKeyPassphrase(context.cwd, passphrase);
+    return guidedResult({
+      command: "secrets:rotate-passphrase",
+      summary: "Treeseed machine-key passphrase rotated.",
+      facts: [{ label: "Key path", value: result.keyPath }],
+      report: result
+    });
+  } catch (error) {
+    return keyErrorResult("secrets:rotate-passphrase", error);
+  }
+};
+const handleSecretsRotateMachineKey = async (_invocation, context) => {
+  try {
+    if (!process.env[TREESEED_MACHINE_KEY_PASSPHRASE_ENV]?.trim()) {
+      throw new TreeseedKeyAgentError(
+        "interactive_required",
+        `Set ${TREESEED_MACHINE_KEY_PASSPHRASE_ENV} before rotating the machine key.`
+      );
+    }
+    const result = rotateTreeseedMachineKey(context.cwd);
+    return guidedResult({
+      command: "secrets:rotate-machine-key",
+      summary: "Treeseed machine key rotated and re-encrypted.",
+      facts: [{ label: "Key path", value: result.keyPath }],
+      report: result
+    });
+  } catch (error) {
+    return keyErrorResult("secrets:rotate-machine-key", error);
+  }
+};
+export {
+  handleSecretsLock,
+  handleSecretsMigrateKey,
+  handleSecretsRotateMachineKey,
+  handleSecretsRotatePassphrase,
+  handleSecretsStatus,
+  handleSecretsUnlock
+};

package/dist/cli/handlers/status.js

@@ -19,17 +19,43 @@ const handleStatus = async (_invocation, context) => {
         { label: "Package branch aligned", value: state.packageSync.aligned ? "yes" : "no" },
         { label: "Dirty package repos", value: state.packageSync.dirty ? "yes" : "no" },
         { label: "Package blockers", value: state.packageSync.blockers.length > 0 ? state.packageSync.blockers.join(" | ") : "(none)" },
+        { label: "Local state", value: state.persistentEnvironments.local.phase },
+        { label: "Staging state", value: state.persistentEnvironments.staging.phase },
+        { label: "Prod state", value: state.persistentEnvironments.prod.phase },
         { label: "Local initialized", value: state.persistentEnvironments.local.initialized ? "yes" : "no" },
         { label: "Staging initialized", value: state.persistentEnvironments.staging.initialized ? "yes" : "no" },
         { label: "Prod initialized", value: state.persistentEnvironments.prod.initialized ? "yes" : "no" },
+        { label: "Staging blockers", value: state.persistentEnvironments.staging.blockers.length > 0 ? state.persistentEnvironments.staging.blockers.join(" | ") : "(none)" },
+        { label: "Prod blockers", value: state.persistentEnvironments.prod.blockers.length > 0 ? state.persistentEnvironments.prod.blockers.join(" | ") : "(none)" },
         { label: "Preview enabled", value: state.preview.enabled ? "yes" : "no" },
         { label: "Preview URL", value: state.preview.url ?? "(none)" },
-        { label: "GH_TOKEN", value: state.auth.gh ? "ready" : "missing" },
-        { label: "CLOUDFLARE_API_TOKEN", value: state.auth.wrangler ? "ready" : "missing" },
-        { label: "RAILWAY_API_TOKEN", value: state.auth.railway ? "ready" : "missing" },
+        { label: "GitHub token/config", value: state.auth.gh ? "configured" : "missing" },
+        { label: "Cloudflare token/config", value: state.auth.wrangler ? "configured" : "missing" },
+        { label: "Railway token/config", value: state.auth.railway ? "configured" : "missing" },
         { label: "Remote API auth", value: state.auth.remoteApi ? "ready" : "not ready" },
-        { label: "API service", value: state.managedServices.api.enabled ? `${state.managedServices.api.initialized ? "initialized" : "not initialized"}${state.managedServices.api.lastDeployedUrl ? ` (${state.managedServices.api.lastDeployedUrl})` : ""}` : "disabled" },
-        { label: "Agents service", value: state.managedServices.agents.enabled ? `${state.managedServices.agents.initialized ? "initialized" : "not initialized"}${state.managedServices.agents.lastDeployedUrl ? ` (${state.managedServices.agents.lastDeployedUrl})` : ""}` : "disabled" }
+        { label: "Wrapped machine key", value: state.secrets.wrappedKeyPresent ? "present" : "missing" },
+        { label: "Key migration", value: state.secrets.migrationRequired ? "required" : "not needed" },
+        { label: "Key agent", value: state.secrets.keyAgentRunning ? state.secrets.keyAgentUnlocked ? "running/unlocked" : "running/locked" : "stopped" },
+        { label: "Startup passphrase env", value: state.secrets.startupPassphraseConfigured ? "configured" : "unset" },
+        { label: "Market project", value: state.marketConnection.projectSlug ?? state.marketConnection.projectId ?? "(not paired)" },
+        { label: "Market team", value: state.marketConnection.teamSlug ?? state.marketConnection.teamId ?? "(not paired)" },
+        { label: "Market mode", value: state.marketConnection.connectionMode ?? "(not paired)" },
+        { label: "Hub mode", value: state.marketConnection.hubMode ?? "(unknown)" },
+        { label: "Runtime mode", value: state.marketConnection.runtimeMode ?? "(unknown)" },
+        { label: "Runtime registration", value: state.marketConnection.runtimeRegistration ?? "(none)" },
+        { label: "Runtime ready", value: state.marketConnection.runtimeReady ? "yes" : "no" },
+        { label: "Web cache host", value: state.webCache.webHost ?? "(none)" },
+        { label: "Content cache host", value: state.webCache.contentHost ?? "(none)" },
+        { label: "Source page cache", value: state.webCache.sourcePagePolicy ?? "(none)" },
+        { label: "Content page cache", value: state.webCache.contentPagePolicy ?? "(none)" },
+        { label: "R2 object cache", value: state.webCache.r2ObjectPolicy ?? "(none)" },
+        { label: "Cloudflare cache rules", value: state.webCache.cloudflareRulesManaged ? "managed" : "not managed" },
+        { label: "Last deploy purge", value: state.webCache.lastDeployPurgeAt ? `${state.webCache.lastDeployPurgeAt} (${state.webCache.lastDeployPurgeCount ?? 0} urls)` : "(none)" },
+        { label: "Last content purge", value: state.webCache.lastContentPurgeAt ? `${state.webCache.lastContentPurgeAt} (${state.webCache.lastContentPurgeCount ?? 0} urls)` : "(none)" },
+        { label: "Current workstream", value: state.marketConnection.currentWorkstreamId ?? "(none)" },
+        { label: "Approval blockers", value: state.marketConnection.approvalBlockers.length > 0 ? state.marketConnection.approvalBlockers.join(" | ") : "(none)" },
+        { label: "API service", value: state.managedServices.api.enabled ? `${state.managedServices.api.initialized ? "deployed" : "not deployed"}${state.managedServices.api.lastDeployedUrl ? ` (${state.managedServices.api.lastDeployedUrl})` : ""}` : "disabled" },
+        { label: "Worker service", value: state.managedServices.worker.enabled ? `${state.managedServices.worker.initialized ? "deployed" : "not deployed"}${state.managedServices.worker.lastDeployedUrl ? ` (${state.managedServices.worker.lastDeployedUrl})` : ""}` : "disabled" }
       ],
       nextSteps: renderWorkflowNextSteps(result),
       report: {