alepha 0.21.2 → 0.22.0

package/dist/cli/platform-lib/index.js

@@ -0,0 +1,2597 @@
+import { $atom, $inject, $module, $state, Alepha, AlephaError, t } from "alepha";
+import { createHash } from "node:crypto";
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { AlephaCliUtils, BuildCloudflareTask, PackageManagerUtils } from "alepha/cli";
+import { Asker, EnvUtils, Runner } from "alepha/command";
+import { $logger, ConsoleColorProvider } from "alepha/logger";
+import { FileSystemProvider, ShellProvider } from "alepha/system";
+import { S3mini } from "s3mini";
+import { DateTimeProvider } from "alepha/datetime";
+import { homedir, platform } from "node:os";
+//#region ../../src/cli/platform-lib/atoms/platformOptions.ts
+/**
+* Platform deployment configuration atom.
+*
+* Filled from the `platform` section of `alepha.config.ts`.
+* Read by `PlatformCommand` to resolve environments and adapters.
+*/
+const platformOptions = $atom({
+	name: "alepha.cli.platform.options",
+	description: "Platform deployment configuration",
+	schema: t.optional(t.object({
+		/**
+		* Project name override. Defaults to root package.json "name".
+		*/
+		name: t.optional(t.text()),
+		/**
+		* Default environment when --env is omitted.
+		*
+		* @default "production"
+		*/
+		default: t.optional(t.text()),
+		/**
+		* Multi-tenancy mode — controls whether `--tenant <slug>` is
+		* accepted/required and how it shapes resource names + the domain.
+		*
+		* - `none` (default): single instance. `--tenant` is rejected.
+		* - `required`: every deploy needs `--tenant`; resources are named
+		*   `<tenant>-<project>-<env>` and the host becomes
+		*   `<tenant>.<domain>`. Omitting it errors.
+		* - `optional`: a base instance (no `--tenant`) plus per-tenant
+		*   instances coexist.
+		*
+		* @default "none"
+		*/
+		tenancy: t.optional(t.enum([
+			"none",
+			"optional",
+			"required"
+		])),
+		/**
+		* Secret store configuration for syncing .env secrets
+		* to external providers (e.g. GitHub Actions environments).
+		*/
+		secrets: t.optional(t.object({
+			/**
+			* Explicit override of the worker secret-key allowlist.
+			*
+			* By default the deploy `secrets` step uses the build manifest's
+			* `env` list (every key the app declares via `$env`, captured at
+			* build time) as the allowlist, resolving each value from
+			* `.env.<env>[.local]` first, then `process.env`. This lets CI
+			* deliver secrets via the job environment (no `.env` file on the
+			* runner) while only ever pushing declared keys — ambient runner
+			* vars (PATH, GITHUB_*, …) can never leak.
+			*
+			* Set `keys` to override that auto-detected list (e.g. to narrow it,
+			* or to add a key read via `process.env` rather than `$env`). When
+			* neither this nor a manifest is present, the `.env.<env>` file is
+			* itself the allowlist (legacy fallback).
+			*/
+			keys: t.optional(t.array(t.text())),
+			/**
+			* Secret store backend.
+			*/
+			store: t.optional(t.enum(["github"])),
+			/**
+			* Pattern for resolving environment names in the store.
+			* Placeholders: {project}, {env}.
+			*
+			* @default "{project}-{env}"
+			*/
+			environmentPattern: t.optional(t.text())
+		})),
+		/**
+		* Named environments with their adapter and configuration.
+		*/
+		environments: t.record(t.text({ description: "Environment name (e.g. 'production', 'staging', 'preview'). Used in resource naming and selected via --env." }), t.object({
+			adapter: t.enum(["cloudflare", "vercel"]),
+			/**
+			* Custom domain for the deployed worker (e.g. "api.example.com").
+			*
+			* On Cloudflare this is attached as a custom-domain route.
+			* Omit to use the adapter's default `*.workers.dev` / preview URL.
+			*
+			* Wildcards are supported for multi-tenant SaaS apps:
+			* `"*.club.alepha.dev"` routes every subdomain to the worker.
+			* Wildcard patterns require `zone` to be set, and the wildcard DNS
+			* record must already exist (proxied) in the Cloudflare zone.
+			*/
+			domain: t.optional(t.text()),
+			/**
+			* Cloudflare zone name (e.g. "alepha.dev") that owns `domain`.
+			*
+			* Required when `domain` contains a wildcard (`*`). Ignored for
+			* plain custom domains, which Cloudflare resolves automatically.
+			*/
+			zone: t.optional(t.text()),
+			/**
+			* Cloudflare data jurisdiction for R2 buckets and D1 databases.
+			* - "eu": data stays within the EU
+			* - "fedramp": FedRAMP-authorized regions
+			*
+			* Omit for the default (global) jurisdiction.
+			*/
+			jurisdiction: t.optional(t.enum(["eu", "fedramp"])),
+			/**
+			* Cloudflare account ID to deploy into.
+			*
+			* Falls back to `CLOUDFLARE_ACCOUNT_ID` env var, then to the
+			* token's account when the token is scoped to exactly one.
+			* Required when the token has access to multiple accounts.
+			*/
+			accountId: t.optional(t.text())
+		}))
+	}))
+});
+//#endregion
+//#region ../../src/cli/platform-lib/providers/PlatformCacheProvider.ts
+/**
+* Caches cloud provider login state to avoid slow auth checks.
+*
+* Stored in node_modules/.alepha/platform.json (gitignored, project-scoped).
+* TTL: 4 hours.
+*/
+var PlatformCacheProvider = class PlatformCacheProvider {
+	static TTL_MS = 14400 * 1e3;
+	fs = $inject(FileSystemProvider);
+	dateTime = $inject(DateTimeProvider);
+	cachePath(root) {
+		return this.fs.join(root, "node_modules", ".alepha", "platform.json");
+	}
+	async isLoginFresh(root, adapter) {
+		const entry = (await this.readCache(root))[adapter];
+		if (!entry) return false;
+		return this.dateTime.nowMillis() - entry.lastLoginCheck < PlatformCacheProvider.TTL_MS;
+	}
+	async getAccountId(root, adapter) {
+		return (await this.readCache(root))[adapter]?.accountId;
+	}
+	async recordLogin(root, adapter, accountId) {
+		const cache = await this.readCache(root);
+		cache[adapter] = {
+			lastLoginCheck: this.dateTime.nowMillis(),
+			accountId
+		};
+		await this.writeCache(root, cache);
+	}
+	async readCache(root) {
+		const path = this.cachePath(root);
+		try {
+			return await this.fs.readJsonFile(path);
+		} catch {
+			return {};
+		}
+	}
+	async writeCache(root, cache) {
+		const path = this.cachePath(root);
+		const lastSlash = path.lastIndexOf("/");
+		const dir = lastSlash > 0 ? path.slice(0, lastSlash) : path;
+		await this.fs.mkdir(dir, { recursive: true }).catch(() => null);
+		await this.fs.writeFile(path, JSON.stringify(cache, null, 2));
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/schemas/cloudflare.ts
+const cloudflareAccountSchema = t.object({
+	id: t.string(),
+	name: t.string()
+});
+const cloudflareD1Schema = t.object({
+	uuid: t.string(),
+	name: t.string()
+});
+const cloudflareKVSchema = t.object({
+	id: t.string(),
+	title: t.string()
+});
+const cloudflareR2Schema = t.object({
+	name: t.string(),
+	creation_date: t.optional(t.string())
+});
+const cloudflareR2ListSchema = t.object({ buckets: t.array(cloudflareR2Schema) });
+const cloudflareQueueSchema = t.object({
+	queue_id: t.string(),
+	queue_name: t.string()
+});
+const cloudflareQueueConsumerSchema = t.object({
+	consumer_id: t.string(),
+	service: t.string(),
+	environment: t.optional(t.string())
+});
+const cloudflareHyperdriveOriginSchema = t.object({ host: t.string() });
+const cloudflareHyperdriveSchema = t.object({
+	id: t.string(),
+	name: t.string(),
+	origin: cloudflareHyperdriveOriginSchema
+});
+const cloudflareWorkerSchema = t.object({
+	id: t.string(),
+	created_on: t.string(),
+	modified_on: t.string()
+});
+const cloudflareDeploymentVersionSchema = t.object({
+	version_id: t.string(),
+	percentage: t.number()
+});
+const cloudflareDeploymentSchema = t.object({
+	id: t.string(),
+	versions: t.array(cloudflareDeploymentVersionSchema),
+	created_on: t.string()
+});
+const cloudflareDeploymentListSchema = t.object({ deployments: t.array(cloudflareDeploymentSchema) });
+const cloudflareVersionSchema = t.object({
+	id: t.string(),
+	metadata: t.object({ created_on: t.string() }),
+	annotations: t.optional(t.record(t.string(), t.string()))
+});
+const cloudflareVersionListSchema = t.object({ items: t.array(cloudflareVersionSchema) });
+const cloudflareSecretSchema = t.object({
+	name: t.string(),
+	type: t.string()
+});
+const createD1BodySchema = t.object({
+	name: t.string(),
+	primary_location_hint: t.optional(t.string()),
+	jurisdiction: t.optional(t.string())
+});
+const createKVBodySchema = t.object({ title: t.string() });
+const createR2BodySchema = t.object({ name: t.string() });
+const cloudflareR2TokenSchema = t.object({
+	id: t.string(),
+	accessKeyId: t.string(),
+	secretAccessKey: t.string()
+});
+const createR2TokenBodySchema = t.object({
+	name: t.string(),
+	policies: t.array(t.object({
+		effect: t.string(),
+		permissions: t.array(t.string()),
+		buckets: t.optional(t.array(t.string()))
+	}))
+});
+const createQueueBodySchema = t.object({ queue_name: t.string() });
+const createHyperdriveOriginSchema = t.object({
+	scheme: t.string(),
+	host: t.string(),
+	port: t.number(),
+	database: t.string(),
+	user: t.string(),
+	password: t.string()
+});
+const createHyperdriveBodySchema = t.object({
+	name: t.string(),
+	origin: createHyperdriveOriginSchema
+});
+const putSecretBodySchema = t.object({
+	name: t.string(),
+	text: t.string(),
+	type: t.string()
+});
+const cloudflareApiErrorSchema = t.object({
+	code: t.number(),
+	message: t.string()
+});
+//#endregion
+//#region ../../src/cli/platform-lib/services/WranglerApi.ts
+/**
+* Wraps wrangler CLI commands that are kept as shell-outs.
+*
+* Only used for operations where wrangler provides value
+* beyond a raw API call: OAuth login, worker deploy (bundling/upload),
+* D1 migrations, and secret bulk push.
+*/
+var WranglerApi = class {
+	log = $logger();
+	shell = $inject(ShellProvider);
+	utils = $inject(AlephaCliUtils);
+	pm = $inject(PackageManagerUtils);
+	runner = $inject(Runner);
+	async runShell(command, options = {}) {
+		const capture = options.capture;
+		const output = await this.shell.run(command, {
+			...options,
+			capture: capture ?? this.runner.useDynamicLogger
+		});
+		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
+		return output;
+	}
+	/**
+	* Ensure wrangler is installed in the project.
+	*/
+	async ensureInstalled(root, run) {
+		await this.pm.ensureDependency(root, "wrangler", {
+			dev: true,
+			exec: async (cmd, opts) => {
+				run.pause();
+				try {
+					await this.utils.exec(cmd, opts);
+				} finally {
+					run.resume();
+				}
+			}
+		});
+	}
+	/**
+	* Check if the user is authenticated. Returns the whoami output.
+	*/
+	async whoami() {
+		return await this.runShell("wrangler whoami", {
+			resolve: true,
+			capture: true
+		});
+	}
+	/**
+	* Open the browser-based OAuth login flow.
+	*/
+	async login() {
+		await this.runShell("wrangler login", { resolve: true });
+	}
+	/**
+	* Get the current auth token from wrangler (auto-refreshes if expired).
+	*/
+	async getAuthToken() {
+		const output = await this.shell.run("wrangler auth token --json", {
+			resolve: true,
+			capture: true
+		});
+		return JSON.parse(output).token;
+	}
+	/**
+	* Deploy a worker via wrangler (handles bundling and upload).
+	*
+	* Returns the workers.dev URL if found in the output.
+	*/
+	async deploy(workerName, configPath, root) {
+		return (await this.runShell(`wrangler deploy --name=${workerName} --no-bundle --config=${configPath}`, {
+			resolve: true,
+			capture: true,
+			root
+		})).match(/https:\/\/[^\s]*\.workers\.dev/)?.[0];
+	}
+	/**
+	* Apply D1 migrations remotely.
+	*/
+	async d1MigrationsApply(dbName, configPath, root) {
+		await this.runShell(`wrangler d1 migrations apply ${dbName} --remote --config=${configPath}`, {
+			resolve: true,
+			env: { CI: "1" },
+			root
+		});
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/services/CloudflareApi.ts
+/**
+* Thin wrapper over the Cloudflare REST API.
+*
+* Uses `wrangler auth token` to obtain credentials,
+* then calls `fetch()` directly for all CRUD operations.
+*/
+var CloudflareApi = class CloudflareApi {
+	static BASE = "https://api.cloudflare.com/client/v4";
+	log = $logger();
+	alepha = $inject(Alepha);
+	wrangler = $inject(WranglerApi);
+	token;
+	accountId;
+	jurisdiction;
+	/**
+	* Set the Cloudflare data jurisdiction for R2 and D1 resources.
+	*
+	* R2 buckets and D1 databases created under a jurisdiction live in a
+	* separate namespace — every R2 API call (list/create/delete) must include
+	* the `cf-r2-jurisdiction` header, and D1 create must include the field
+	* in the request body. Omit / pass `undefined` for the default (global).
+	*/
+	setJurisdiction(jurisdiction) {
+		this.jurisdiction = jurisdiction;
+	}
+	/**
+	* Override the Cloudflare account ID (from platform config).
+	*
+	* When unset, `resolveAccountId` falls back to `CLOUDFLARE_ACCOUNT_ID` env
+	* var or the token's single account.
+	*/
+	setAccountId(accountId) {
+		this.accountId = accountId;
+	}
+	/**
+	* Obtain the current auth token from wrangler.
+	*/
+	async resolveToken() {
+		if (this.token) return this.token;
+		this.token = await this.wrangler.getAuthToken();
+		return this.token;
+	}
+	/**
+	* Resolve the Cloudflare account ID.
+	*
+	* Calls /accounts and picks the first one. Cached after first call.
+	*/
+	async resolveAccountId() {
+		if (this.accountId) return this.accountId;
+		const fromEnv = process.env.CLOUDFLARE_ACCOUNT_ID;
+		if (fromEnv) {
+			this.accountId = fromEnv;
+			return this.accountId;
+		}
+		const res = await this.fetch("/accounts", { schema: t.array(cloudflareAccountSchema) });
+		if (res.length === 0) throw new AlephaError("No Cloudflare accounts found for this token.");
+		if (res.length > 1) {
+			const list = res.map((a) => `  - ${a.id}  ${a.name}`).join("\n");
+			throw new AlephaError(`Cloudflare token has access to ${res.length} accounts; set \`CLOUDFLARE_ACCOUNT_ID\` or the \`accountId\` field in your platform config to pick one:\n${list}`);
+		}
+		this.accountId = res[0].id;
+		return this.accountId;
+	}
+	async listD1() {
+		const accountId = await this.resolveAccountId();
+		return await this.paginate(`/accounts/${accountId}/d1/database`, cloudflareD1Schema);
+	}
+	async createD1(name, location = "weur") {
+		const accountId = await this.resolveAccountId();
+		const body = { name };
+		if (this.jurisdiction) body.jurisdiction = this.jurisdiction;
+		else body.primary_location_hint = location;
+		return await this.fetch(`/accounts/${accountId}/d1/database`, {
+			method: "POST",
+			body,
+			bodySchema: createD1BodySchema,
+			schema: cloudflareD1Schema
+		});
+	}
+	async deleteD1(databaseId) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/d1/database/${databaseId}`, { method: "DELETE" });
+	}
+	async listKV() {
+		const accountId = await this.resolveAccountId();
+		return await this.paginate(`/accounts/${accountId}/storage/kv/namespaces`, cloudflareKVSchema, 100);
+	}
+	async createKV(title) {
+		const accountId = await this.resolveAccountId();
+		return await this.fetch(`/accounts/${accountId}/storage/kv/namespaces`, {
+			method: "POST",
+			body: { title },
+			bodySchema: createKVBodySchema,
+			schema: cloudflareKVSchema
+		});
+	}
+	async deleteKV(namespaceId) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/storage/kv/namespaces/${namespaceId}`, { method: "DELETE" });
+	}
+	async listR2() {
+		const accountId = await this.resolveAccountId();
+		return await this.paginateCursor(`/accounts/${accountId}/r2/buckets`, "buckets", cloudflareR2Schema);
+	}
+	async createR2(name) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/r2/buckets`, {
+			method: "POST",
+			body: { name },
+			bodySchema: createR2BodySchema
+		});
+	}
+	async deleteR2(name) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/r2/buckets/${name}`, { method: "DELETE" });
+	}
+	/**
+	* Mint a bucket-scoped R2 API token (S3 access key + secret) using the
+	* current bearer token. Used by teardown to wipe a bucket over the S3
+	* protocol without requiring users to pre-create R2 access keys.
+	*
+	* The returned token should be revoked with `deleteR2Token` as soon as the
+	* wipe is done.
+	*/
+	async createR2Token(name, bucket) {
+		const accountId = await this.resolveAccountId();
+		return await this.fetch(`/accounts/${accountId}/r2/api-tokens`, {
+			method: "POST",
+			body: {
+				name,
+				policies: [{
+					effect: "allow",
+					permissions: ["admin-read-write"],
+					buckets: [bucket]
+				}]
+			},
+			bodySchema: createR2TokenBodySchema,
+			schema: cloudflareR2TokenSchema
+		});
+	}
+	async deleteR2Token(tokenId) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/r2/api-tokens/${tokenId}`, { method: "DELETE" });
+	}
+	async listQueues() {
+		const accountId = await this.resolveAccountId();
+		return await this.paginate(`/accounts/${accountId}/queues`, cloudflareQueueSchema);
+	}
+	async createQueue(name) {
+		const accountId = await this.resolveAccountId();
+		return await this.fetch(`/accounts/${accountId}/queues`, {
+			method: "POST",
+			body: { queue_name: name },
+			bodySchema: createQueueBodySchema,
+			schema: cloudflareQueueSchema
+		});
+	}
+	async deleteQueue(queueId) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/queues/${queueId}`, { method: "DELETE" });
+	}
+	async listQueueConsumers(queueId) {
+		const accountId = await this.resolveAccountId();
+		return await this.paginate(`/accounts/${accountId}/queues/${queueId}/consumers`, cloudflareQueueConsumerSchema);
+	}
+	async deleteQueueConsumer(queueId, consumerService) {
+		const accountId = await this.resolveAccountId();
+		const consumer = (await this.listQueueConsumers(queueId)).find((c) => c.service === consumerService);
+		if (!consumer) return;
+		await this.fetch(`/accounts/${accountId}/queues/${queueId}/consumers/${consumer.consumer_id}`, { method: "DELETE" });
+	}
+	async listHyperdrive() {
+		const accountId = await this.resolveAccountId();
+		return await this.paginate(`/accounts/${accountId}/hyperdrive/configs`, cloudflareHyperdriveSchema);
+	}
+	async createHyperdrive(name, connectionString) {
+		const accountId = await this.resolveAccountId();
+		return await this.fetch(`/accounts/${accountId}/hyperdrive/configs`, {
+			method: "POST",
+			body: {
+				name,
+				origin: this.parseConnectionString(connectionString)
+			},
+			bodySchema: createHyperdriveBodySchema,
+			schema: cloudflareHyperdriveSchema
+		});
+	}
+	async deleteHyperdrive(configId) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/hyperdrive/configs/${configId}`, { method: "DELETE" });
+	}
+	async getWorker(scriptName) {
+		const accountId = await this.resolveAccountId();
+		try {
+			return await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}`, { schema: cloudflareWorkerSchema });
+		} catch {
+			return;
+		}
+	}
+	async deleteWorker(scriptName) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}`, {
+			method: "DELETE",
+			query: { force: "true" }
+		});
+	}
+	async listDeployments(scriptName) {
+		const accountId = await this.resolveAccountId();
+		return (await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/deployments`, {
+			schema: cloudflareDeploymentListSchema,
+			query: { per_page: "100" }
+		})).deployments;
+	}
+	async listVersions(scriptName) {
+		const accountId = await this.resolveAccountId();
+		return await this.paginateCursor(`/accounts/${accountId}/workers/scripts/${scriptName}/versions`, "items", cloudflareVersionSchema);
+	}
+	async listSecrets(scriptName) {
+		const accountId = await this.resolveAccountId();
+		return await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/secrets`, { schema: t.array(cloudflareSecretSchema) });
+	}
+	async putSecret(scriptName, name, value) {
+		const accountId = await this.resolveAccountId();
+		await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/secrets`, {
+			method: "PUT",
+			body: {
+				name,
+				text: value,
+				type: "secret_text"
+			},
+			bodySchema: putSecretBodySchema
+		});
+	}
+	/**
+	* Fetch the current worker bindings via the script-settings endpoint.
+	* Used to merge new secrets into the existing binding set in one PATCH
+	* (avoids the per-secret `putSecret` calls, each of which creates a
+	* Cloudflare deployment — pushing 7 secrets meant 7 deployment rows).
+	*
+	* Secret bindings come back with `name` + `type` but no `text` (they're
+	* write-only on Cloudflare's side); to preserve them across a PATCH we
+	* forward each one as `{ type, name }` and Cloudflare keeps the stored
+	* value.
+	*/
+	async getWorkerSettings(scriptName) {
+		const accountId = await this.resolveAccountId();
+		return await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/settings`);
+	}
+	/**
+	* Replace the worker's binding set in one call (= one Cloudflare
+	* deployment, regardless of how many secrets are being updated).
+	*
+	* The endpoint expects multipart FormData with a `settings` field whose
+	* value is a JSON-encoded `{ bindings: [...] }` — the `fetch` helper
+	* above is JSON-only, so this one bypasses it and calls `globalThis.fetch`
+	* directly. Mirrors what `wrangler secret bulk` does internally.
+	*/
+	async patchWorkerBindings(scriptName, bindings) {
+		const accountId = await this.resolveAccountId();
+		const token = await this.resolveToken();
+		const url = `${CloudflareApi.BASE}/accounts/${accountId}/workers/scripts/${scriptName}/settings`;
+		const form = new FormData();
+		form.set("settings", JSON.stringify({ bindings }));
+		const response = await globalThis.fetch(url, {
+			method: "PATCH",
+			headers: { Authorization: `Bearer ${token}` },
+			body: form
+		});
+		const json = await response.json().catch(() => null);
+		if (!response.ok || !json?.success) {
+			const messages = json?.errors?.map((e) => e.message).join(", ");
+			throw new AlephaError(`Cloudflare API error (PATCH /workers/scripts/${scriptName}/settings): ${messages ?? response.statusText}`);
+		}
+	}
+	async fetch(path, options = {}) {
+		const token = await this.resolveToken();
+		const { method = "GET", body, query } = options;
+		let url = `${CloudflareApi.BASE}${path}`;
+		if (query) {
+			const params = new URLSearchParams(query);
+			url += `?${params.toString()}`;
+		}
+		const headers = { Authorization: `Bearer ${token}` };
+		if (this.jurisdiction && /\/r2\//.test(path)) headers["cf-r2-jurisdiction"] = this.jurisdiction;
+		const init = {
+			method,
+			headers
+		};
+		if (body) {
+			headers["Content-Type"] = "application/json";
+			const validated = options.bodySchema ? this.alepha.codec.validate(options.bodySchema, body) : body;
+			init.body = JSON.stringify(validated);
+		}
+		const json = await (await globalThis.fetch(url, init)).json();
+		if (!json.success) throw new AlephaError(`Cloudflare API error (${method} ${path}): ${json.errors.map((e) => e.message).join(", ")}`);
+		if (options.schema) return this.alepha.codec.validate(options.schema, json.result);
+		return json.result;
+	}
+	/**
+	* Paginate a page-based list endpoint (`result_info.total_pages`).
+	*
+	* Cloudflare defaults to `per_page=20`; we push it to 1000 (max on most
+	* list endpoints) and loop if more pages exist. Each page is validated
+	* against the item schema.
+	*/
+	async paginate(path, itemSchema, perPage = 1e3) {
+		const results = [];
+		let page = 1;
+		while (true) {
+			const token = await this.resolveToken();
+			const url = `${CloudflareApi.BASE}${path}?per_page=${perPage}&page=${page}`;
+			const headers = { Authorization: `Bearer ${token}` };
+			if (this.jurisdiction && /\/r2\//.test(path)) headers["cf-r2-jurisdiction"] = this.jurisdiction;
+			const json = await (await globalThis.fetch(url, {
+				method: "GET",
+				headers
+			})).json();
+			if (!json.success) throw new AlephaError(`Cloudflare API error (GET ${path}): ${json.errors.map((e) => e.message).join(", ")}`);
+			const validated = this.alepha.codec.validate(t.array(itemSchema), json.result);
+			results.push(...validated);
+			const totalPages = json.result_info?.total_pages;
+			if (!totalPages || page >= totalPages || validated.length === 0) break;
+			page++;
+		}
+		return results;
+	}
+	/**
+	* Paginate a cursor-based list endpoint where `result` is an object
+	* containing both the items array and a `cursor` field (R2 buckets,
+	* Workers versions). Returns the flattened item array.
+	*/
+	async paginateCursor(path, itemsKey, itemSchema, perPage = 1e3) {
+		const results = [];
+		let cursor;
+		while (true) {
+			const query = { per_page: String(perPage) };
+			if (cursor) query.cursor = cursor;
+			const res = await this.fetch(path, { query });
+			const items = res[itemsKey] ?? [];
+			const validated = this.alepha.codec.validate(t.array(itemSchema), items);
+			results.push(...validated);
+			const nextCursor = res.cursor;
+			if (!nextCursor || validated.length === 0) break;
+			cursor = nextCursor;
+		}
+		return results;
+	}
+	/**
+	* Parse a postgres:// connection string into Hyperdrive origin fields.
+	*/
+	parseConnectionString(connectionString) {
+		const url = new URL(connectionString);
+		return {
+			scheme: "postgres",
+			host: url.hostname,
+			port: Number(url.port) || 5432,
+			database: url.pathname.slice(1),
+			user: decodeURIComponent(url.username),
+			password: decodeURIComponent(url.password)
+		};
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/services/NamingService.ts
+/**
+* Validate a `--tenant` value against the app's declared `tenancy` and
+* return the effective tenant (or `undefined` for a base/non-tenanted
+* deploy). Throws on any matrix violation so a misconfigured deploy fails
+* fast instead of landing on the wrong resource names / host.
+*/
+function resolveTenant(tenancy, tenant) {
+	const mode = tenancy ?? "none";
+	if (tenant !== void 0 && !/^[a-z0-9][a-z0-9-]*$/.test(tenant)) throw new AlephaError(`Invalid --tenant "${tenant}": must be a slug (lowercase alphanumeric + dashes, e.g. "b14").`);
+	if (mode === "none") {
+		if (tenant !== void 0) throw new AlephaError(`This app is not tenanted (tenancy: "none") but --tenant "${tenant}" was given. Set tenancy: "optional" | "required" in platform() to deploy per-tenant.`);
+		return;
+	}
+	if (mode === "required" && tenant === void 0) throw new AlephaError(`This app requires a tenant (tenancy: "required"). Pass --tenant <slug>.`);
+	return tenant;
+}
+/**
+* Resolve the host a deploy is served on.
+*
+* - `override` (V2 custom domains, e.g. `reservation.club-b14.fr`) wins
+*   outright when supplied — not wired to a flag today, but the single
+*   seam a future `--domain` / Rocket `config.hostname` plugs into.
+* - else a tenant becomes the leftmost DNS label: `b14` + `alepha.club`
+*   → `b14.alepha.club`.
+* - else the base domain is used as-is.
+*/
+function tenantDomain(base, tenant, override) {
+	if (override) return override;
+	if (!base) return base;
+	return tenant ? `${tenant}.${base}` : base;
+}
+/**
+* Generates deterministic resource names for cloud deployments.
+*
+* Pattern: `<tenant>-<project>-<env>` (tenant segment omitted when the
+* deploy isn't tenanted).
+*
+* All segments are slugified (lowercase, alphanumeric + dashes, max 63
+* chars). One app per workspace — see `alepha platform`.
+*/
+var NamingService = class {
+	forContext(project, env, tenant) {
+		return new NamingContext([
+			tenant,
+			project,
+			env
+		].filter((segment) => !!segment).map((segment) => this.slugify(segment)).join("-"));
+	}
+	slugify(name) {
+		return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 63);
+	}
+};
+var NamingContext = class {
+	prefix;
+	constructor(prefix) {
+		this.prefix = prefix;
+	}
+	worker() {
+		return this.prefix;
+	}
+	d1() {
+		return this.prefix;
+	}
+	hyperdrive() {
+		return this.prefix;
+	}
+	r2() {
+		return this.prefix;
+	}
+	kv() {
+		return this.prefix;
+	}
+	queue() {
+		return this.prefix;
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/adapters/PlatformAdapter.ts
+/**
+* Abstract platform adapter.
+*
+* Each cloud provider (Cloudflare, AKS, docker-compose) implements this.
+* The PlatformOrchestrator calls these methods in the correct order.
+*/
+var PlatformAdapter = class {
+	/**
+	* Create/ensure cloud resources exist (DB, buckets, queues).
+	* Not all adapters provision -- AKS defers to Helm.
+	*/
+	async provision(_ctx, _run) {}
+	/**
+	* Run database migrations.
+	*/
+	async migrate(_ctx, _run) {}
+	/**
+	* Export the deployed database to a local file — the remote → local dev
+	* snapshot workflow. Adapter/dialect specific; the default refuses.
+	*/
+	async exportDb(_ctx, _run, _options = {}) {
+		throw new AlephaError(`Database export is not supported by the '${this.constructor.name}' adapter.`);
+	}
+	/**
+	* Push runtime secrets to the deployed worker(s).
+	*
+	* Reads secrets from `.env.{env}` files (parsed, not from process.env),
+	* filters out vars already handled by bindings (DATABASE_URL, R2, etc.),
+	* and pushes the rest via the platform's secret management.
+	*/
+	async secrets(_ctx, _run) {}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/adapters/CloudflareAdapter.ts
+/**
+* Cloudflare Workers adapter.
+*
+* Uses the Cloudflare REST API (via CloudflareApi) for resource provisioning
+* and teardown, and wrangler CLI (via WranglerApi) for login, deploy,
+* D1 migrations, and secret bulk push.
+*/
+var CloudflareAdapter = class CloudflareAdapter extends PlatformAdapter {
+	log = $logger();
+	fs = $inject(FileSystemProvider);
+	shell = $inject(ShellProvider);
+	cache = $inject(PlatformCacheProvider);
+	alepha = $inject(Alepha);
+	envUtils = $inject(EnvUtils);
+	api = $inject(CloudflareApi);
+	wrangler = $inject(WranglerApi);
+	runner = $inject(Runner);
+	buildTask = $inject(BuildCloudflareTask);
+	options = $state(platformOptions);
+	provisionedD1Id;
+	provisionedHyperdriveId;
+	provisionedKVIds = /* @__PURE__ */ new Map();
+	/**
+	* Check if the user's DATABASE_URL points to an external Postgres database.
+	* If so, we use Hyperdrive instead of D1.
+	*
+	* Reads from `.env.{env}` first, falls back to `process.env`.
+	*/
+	async isPostgres(ctx) {
+		return !!((await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`])).DATABASE_URL ?? process.env.DATABASE_URL)?.startsWith("postgres:");
+	}
+	/**
+	* Propagate the environment's data-jurisdiction setting to the API client.
+	*
+	* Must be invoked at the top of every entry point (authenticate, build,
+	* deploy, secrets, provision, migrate, inspect, teardown) because
+	* CloudflareApi is a singleton reused across env invocations.
+	*/
+	configureApi(ctx) {
+		this.api.setJurisdiction(ctx.envConfig.jurisdiction);
+		this.api.setAccountId(ctx.envConfig.accountId);
+	}
+	async runShell(command, options = {}) {
+		const capture = options.capture;
+		const output = await this.shell.run(command, {
+			...options,
+			capture: capture ?? this.runner.useDynamicLogger
+		});
+		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
+		return output;
+	}
+	async authenticate(ctx, run) {
+		this.configureApi(ctx);
+		await run({
+			name: "authenticate",
+			handler: async () => {
+				await this.wrangler.ensureInstalled(ctx.root, run);
+				let needsLogin = false;
+				try {
+					await this.wrangler.getAuthToken();
+				} catch {
+					needsLogin = true;
+				}
+				if (needsLogin) {
+					run.pause();
+					await this.wrangler.login();
+					run.resume();
+				}
+				if (await this.cache.isLoginFresh(ctx.root, "cloudflare")) return;
+				try {
+					const accountId = await this.api.resolveAccountId();
+					await this.cache.recordLogin(ctx.root, "cloudflare", accountId);
+				} catch {
+					await this.cache.recordLogin(ctx.root, "cloudflare");
+				}
+			}
+		});
+	}
+	async build(ctx, run) {
+		this.configureApi(ctx);
+		const appDir = ctx.root;
+		const env = {};
+		if (ctx.resources.hasDatabase) {
+			if (this.provisionedHyperdriveId) {
+				env.HYPERDRIVE_ID = this.provisionedHyperdriveId;
+				const pgSchema = (await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`])).POSTGRES_SCHEMA ?? process.env.POSTGRES_SCHEMA;
+				if (pgSchema) env.POSTGRES_SCHEMA = pgSchema;
+			} else if (this.provisionedD1Id) env.DATABASE_URL = `d1://${ctx.naming.d1()}:${this.provisionedD1Id}`;
+		}
+		if (ctx.resources.hasBucket) env.R2_BUCKET_NAME = ctx.naming.r2();
+		if (ctx.resources.hasKV) {
+			const kvName = ctx.naming.kv();
+			env.CLOUDFLARE_KV_NAME = kvName;
+			const kvId = this.provisionedKVIds.get(kvName);
+			if (kvId) env.CLOUDFLARE_KV_ID = kvId;
+		}
+		if (ctx.resources.hasQueue) env.CLOUDFLARE_QUEUE_NAME = ctx.naming.queue();
+		const host = tenantDomain(ctx.envConfig.domain, ctx.tenant);
+		if (host) {
+			if (host.includes("*") && !ctx.envConfig.zone) throw new AlephaError(`Wildcard domain "${host}" requires "zone" to be set in the environment config (the Cloudflare zone name, e.g. "alepha.dev").`);
+			env.CLOUDFLARE_DOMAIN = host;
+			if (ctx.envConfig.zone) env.CLOUDFLARE_ZONE = ctx.envConfig.zone;
+		}
+		if (ctx.envConfig.jurisdiction) env.CLOUDFLARE_JURISDICTION = ctx.envConfig.jurisdiction;
+		if (ctx.prebuilt) {
+			await run({
+				name: "alepha build -t cloudflare --prebuilt (in-process)",
+				handler: async () => {
+					await this.runBuildInProcess(appDir, env);
+				}
+			});
+			return;
+		}
+		const cmd = "alepha build -t cloudflare";
+		await run({
+			name: cmd,
+			handler: async () => {
+				await this.runShell(cmd, {
+					root: appDir,
+					env
+				});
+			}
+		});
+	}
+	/**
+	* Library-embed of `alepha build -t cloudflare --prebuilt`. Loads the
+	* pre-built `dist/manifest.json`, sets the per-tenant env vars on
+	* `process.env` for the duration of the call (the task's enhance*
+	* methods read them directly), then runs `BuildCloudflareTask`
+	* against a synthetic context.
+	*
+	* `ctx.alepha` is intentionally null — in manifest mode the task
+	* reads resources/crons/containers from `ctx.manifest` and never
+	* dereferences `ctx.alepha`. Same for `entry` and `hasClient`:
+	* prebuilt mode skips the bundle tasks; only the wrangler.jsonc /
+	* worker-entrypoint emission runs.
+	*/
+	async runBuildInProcess(root, env) {
+		const manifestPath = join(root, "dist", "manifest.json");
+		let manifest;
+		try {
+			manifest = JSON.parse(await readFile(manifestPath, "utf-8"));
+		} catch (err) {
+			throw new AlephaError(`Cannot read ${manifestPath}: ${err.message}. Prebuilt deploys require dist/manifest.json (emitted by \`alepha build -t cloudflare\`).`);
+		}
+		const ctx = {
+			alepha: null,
+			options: {
+				target: "cloudflare",
+				output: {
+					dist: "dist",
+					public: "public"
+				}
+			},
+			run: this.runner.run,
+			root,
+			entry: {
+				root,
+				server: ""
+			},
+			hasClient: false,
+			manifest,
+			platformOptions: null,
+			flags: { prebuilt: true }
+		};
+		const previous = {};
+		for (const [k, v] of Object.entries(env)) {
+			previous[k] = process.env[k];
+			process.env[k] = v;
+		}
+		try {
+			await this.buildTask.run(ctx);
+		} finally {
+			for (const [k, prev] of Object.entries(previous)) if (prev === void 0) delete process.env[k];
+			else process.env[k] = prev;
+		}
+	}
+	async deploy(ctx, run) {
+		this.configureApi(ctx);
+		const workerName = ctx.naming.worker();
+		const distDir = this.fs.join(ctx.root, "dist");
+		let url;
+		await run({
+			name: `deploy worker ${ctx.project}`,
+			handler: async () => {
+				url = await this.wrangler.deploy(workerName, `${distDir}/wrangler.jsonc`, ctx.root);
+			}
+		});
+		return url;
+	}
+	/**
+	* Vars that are handled by wrangler bindings or build config.
+	* These should not be pushed as secrets.
+	*/
+	static EXCLUDED_SECRET_KEYS = new Set([
+		"DATABASE_URL",
+		"R2_BUCKET_NAME",
+		"CLOUDFLARE_DOMAIN",
+		"CLOUDFLARE_ZONE",
+		"CLOUDFLARE_JURISDICTION",
+		"HYPERDRIVE_ID",
+		"POSTGRES_SCHEMA",
+		"NODE_ENV",
+		"LOG_LEVEL",
+		"LOG_FORMAT",
+		"SERVER_HOST",
+		"SERVER_PORT",
+		"TRUST_PROXY",
+		"REACT_SSR_ENABLED",
+		"DATABASE_SYNC",
+		"DEBUG"
+	]);
+	/**
+	* Read the build manifest's `env` list (every key the app declares via
+	* `$env`) from `dist/manifest.json`. Used as the default worker-secret
+	* allowlist. Returns `undefined` when the manifest is absent or predates
+	* the `env` field, so the caller falls back to the `.env` file keys.
+	*/
+	async readManifestEnvKeys(root) {
+		try {
+			const manifest = await this.fs.readJsonFile(this.fs.join(root, "dist", "manifest.json"));
+			return Array.isArray(manifest.env) ? manifest.env : void 0;
+		} catch {
+			return;
+		}
+	}
+	async secrets(ctx, run) {
+		this.configureApi(ctx);
+		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
+		const declaredKeys = this.options?.secrets?.keys;
+		const manifestKeys = await this.readManifestEnvKeys(ctx.root);
+		const localKeys = Object.keys(await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}.local`]));
+		const keys = declaredKeys ?? Array.from(new Set([...manifestKeys ?? Object.keys(envVars), ...localKeys]));
+		const secrets = {};
+		for (const key of keys) {
+			if (CloudflareAdapter.EXCLUDED_SECRET_KEYS.has(key)) continue;
+			if (key.startsWith("VITE_")) continue;
+			const value = envVars[key] ?? process.env[key];
+			if (!value) continue;
+			secrets[key] = value;
+		}
+		if (!secrets.PUBLIC_URL) {
+			const url = this.publicUrl(ctx);
+			if (url) secrets.PUBLIC_URL = url;
+		}
+		if (Object.keys(secrets).length === 0) return;
+		const hash = computeSecretsHash(secrets);
+		{
+			const workerName = ctx.naming.worker();
+			await run({
+				name: `push secrets to ${workerName} (bulk)`,
+				handler: async () => {
+					const existingBindings = (await this.api.getWorkerSettings(workerName)).bindings ?? [];
+					if (existingBindings.find((b) => b.type === "plain_text" && b.name === CloudflareAdapter.SECRETS_HASH_BINDING)?.text === hash) {
+						this.log.info(`Secrets for ${workerName} unchanged (hash ${hash.slice(0, 8)}…), skipping push.`);
+						return;
+					}
+					const overwriting = new Set(Object.keys(secrets));
+					const inherit = existingBindings.filter((b) => !(b.type === "plain_text" && b.name === CloudflareAdapter.SECRETS_HASH_BINDING) && (b.type !== "secret_text" || !overwriting.has(b.name))).map((b) => ({
+						type: b.type,
+						name: b.name
+					}));
+					const upsert = Object.entries(secrets).map(([name, text]) => ({
+						type: "secret_text",
+						name,
+						text
+					}));
+					await this.api.patchWorkerBindings(workerName, [
+						...inherit,
+						...upsert,
+						{
+							type: "plain_text",
+							name: CloudflareAdapter.SECRETS_HASH_BINDING,
+							text: hash
+						}
+					]);
+				}
+			});
+		}
+	}
+	/**
+	* Public base URL for this deploy, derived from the configured domain
+	* (honoring tenant subdomains). Returns undefined when no domain is set or
+	* the host is a wildcard — there's no single resolvable origin to point at.
+	*/
+	publicUrl(ctx) {
+		const host = tenantDomain(ctx.envConfig.domain, ctx.tenant);
+		if (!host || host.includes("*")) return;
+		return `https://${host}`;
+	}
+	/**
+	* Plain-text binding used to fingerprint the deployed secret set so the
+	* next `up` can skip the PATCH when nothing has changed.
+	*/
+	static SECRETS_HASH_BINDING = "ALEPHA_SECRETS_HASH";
+	async provision(ctx, run) {
+		this.configureApi(ctx);
+		const needsDB = ctx.resources.hasDatabase;
+		const needsBucket = ctx.resources.hasBucket;
+		const postgres = needsDB && await this.isPostgres(ctx);
+		const tasks = [];
+		if (needsDB) if (postgres) {
+			const hdName = ctx.naming.hyperdrive();
+			const dbUrl = (await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`])).DATABASE_URL ?? process.env.DATABASE_URL;
+			tasks.push({
+				name: `provision hyperdrive (${hdName})`,
+				handler: async () => {
+					this.provisionedHyperdriveId = await this.ensureHyperdrive(hdName, dbUrl);
+				}
+			});
+		} else {
+			const dbName = ctx.naming.d1();
+			tasks.push({
+				name: `provision d1 (${dbName})`,
+				handler: async () => {
+					this.provisionedD1Id = await this.ensureD1(dbName);
+				}
+			});
+		}
+		if (needsBucket) {
+			const bucketName = ctx.naming.r2();
+			tasks.push({
+				name: `provision r2 (${bucketName})`,
+				handler: async () => {
+					await this.ensureR2(bucketName);
+				}
+			});
+		}
+		if (ctx.resources.hasKV) {
+			const kvName = ctx.naming.kv();
+			tasks.push({
+				name: `provision kv (${kvName})`,
+				handler: async () => {
+					this.provisionedKVIds.set(kvName, await this.ensureKV(kvName));
+				}
+			});
+		}
+		if (ctx.resources.hasQueue) {
+			const queueName = ctx.naming.queue();
+			tasks.push({
+				name: `provision queue (${queueName})`,
+				handler: async () => {
+					await this.ensureQueue(queueName);
+				}
+			});
+		}
+		await run(tasks);
+	}
+	async migrate(ctx, run) {
+		this.configureApi(ctx);
+		if (!ctx.resources.hasDatabase) return;
+		if (await this.isPostgres(ctx)) await this.migratePostgres(ctx, run);
+		else await this.migrateD1(ctx, run);
+	}
+	async exportDb(ctx, run, options = {}) {
+		this.configureApi(ctx);
+		if (!ctx.resources.hasDatabase) throw new AlephaError("No database detected for this app — nothing to export.");
+		if (await this.isPostgres(ctx)) throw new AlephaError("Database export currently supports Cloudflare D1 only — Postgres/Hyperdrive export (pg_dump) is not implemented yet.");
+		const dbName = ctx.naming.d1();
+		const tmpDir = this.fs.join(ctx.root, "node_modules", ".alepha");
+		const sqlPath = this.fs.join(tmpDir, `${dbName}.sql`);
+		const dbPath = options.output ?? this.fs.join(tmpDir, "sqlite.db");
+		await this.fs.mkdir(tmpDir, { recursive: true });
+		await run(`wrangler d1 export ${dbName} --remote --output=${sqlPath}`, { alias: `export D1 ${dbName} → ${sqlPath}` });
+		await this.fs.rm(dbPath, { force: true });
+		await run(`sh -c "sqlite3 '${dbPath}' < '${sqlPath}'"`, { alias: `import dump → ${dbPath}` });
+		if (!options.keepSql) await this.fs.rm(sqlPath, { force: true });
+	}
+	async migrateD1(ctx, run) {
+		const dbName = ctx.naming.d1();
+		await run({
+			name: "migrate d1",
+			handler: async () => {
+				const migrationsDir = this.fs.join(ctx.root, "migrations", "sqlite");
+				const env = { DATABASE_URL: this.provisionedD1Id ? `d1://${dbName}:${this.provisionedD1Id}` : `d1://${dbName}` };
+				if (!ctx.prebuilt) if (await this.fs.exists(migrationsDir)) await this.runShell(`alepha db migrations check --mode ${ctx.env}`, {
+					resolve: true,
+					env
+				});
+				else await this.runShell(`alepha db migrations create --mode ${ctx.env}`, {
+					resolve: true,
+					env
+				});
+				const distMigrations = this.fs.join(ctx.root, "dist", "migrations");
+				await this.fs.cp(migrationsDir, distMigrations);
+				await this.wrangler.d1MigrationsApply(dbName, "dist/wrangler.jsonc", ctx.root);
+				await this.fs.rm(distMigrations, { recursive: true });
+			}
+		});
+	}
+	async migratePostgres(ctx, run) {
+		if (ctx.prebuilt) throw new AlephaError("Postgres migrations are not yet supported in prebuilt mode. Use the `alepha platform up` CLI for now.");
+		await run({
+			name: "migrate postgres",
+			handler: async () => {
+				const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
+				const env = { DATABASE_URL: envVars.DATABASE_URL ?? process.env.DATABASE_URL };
+				if (envVars.POSTGRES_SCHEMA ?? process.env.POSTGRES_SCHEMA) env.POSTGRES_SCHEMA = envVars.POSTGRES_SCHEMA ?? process.env.POSTGRES_SCHEMA;
+				await this.runShell(`alepha db migrations apply --mode ${ctx.env}`, {
+					resolve: true,
+					env
+				});
+			}
+		});
+	}
+	async inspect(ctx, run) {
+		this.configureApi(ctx);
+		const state = {
+			workers: [],
+			databases: [],
+			buckets: [],
+			kvNamespaces: [],
+			queues: [],
+			secrets: []
+		};
+		const tasks = [];
+		{
+			const name = ctx.naming.worker();
+			tasks.push({
+				name: `inspect worker (${name})`,
+				handler: async () => {
+					try {
+						const deployment = await this.getActiveDeployment(name);
+						if (deployment) state.workers.push({
+							name,
+							exists: true,
+							version: deployment.versionId,
+							tag: deployment.tag,
+							createdAt: deployment.createdAt
+						});
+						else state.workers.push({
+							name,
+							exists: false
+						});
+					} catch {
+						state.workers.push({
+							name,
+							exists: false
+						});
+					}
+				}
+			});
+		}
+		if (ctx.resources.hasDatabase) if (await this.isPostgres(ctx)) {
+			const hdName = ctx.naming.hyperdrive();
+			tasks.push({
+				name: `inspect hyperdrive (${hdName})`,
+				handler: async () => {
+					const existing = (await this.api.listHyperdrive()).find((c) => c.name === hdName);
+					state.databases.push({
+						name: hdName,
+						exists: !!existing,
+						id: existing?.id,
+						detail: existing?.origin.host
+					});
+				}
+			});
+		} else {
+			const dbName = ctx.naming.d1();
+			tasks.push({
+				name: `inspect d1 (${dbName})`,
+				handler: async () => {
+					const existing = (await this.api.listD1()).find((db) => db.name === dbName);
+					state.databases.push({
+						name: dbName,
+						exists: !!existing,
+						id: existing?.uuid
+					});
+				}
+			});
+		}
+		if (ctx.resources.hasBucket) {
+			const bucketName = ctx.naming.r2();
+			tasks.push({
+				name: `inspect r2 (${bucketName})`,
+				handler: async () => {
+					const existing = (await this.api.listR2()).find((b) => b.name === bucketName);
+					state.buckets.push({
+						name: bucketName,
+						exists: !!existing,
+						id: existing?.creation_date
+					});
+				}
+			});
+		}
+		if (ctx.resources.hasKV) {
+			const kvName = ctx.naming.kv();
+			tasks.push({
+				name: `inspect kv (${kvName})`,
+				handler: async () => {
+					const existing = (await this.api.listKV()).find((ns) => ns.title === kvName);
+					state.kvNamespaces.push({
+						name: kvName,
+						exists: !!existing,
+						id: existing?.id
+					});
+				}
+			});
+		}
+		if (ctx.resources.hasQueue) {
+			const queueName = ctx.naming.queue();
+			tasks.push({
+				name: `inspect queue (${queueName})`,
+				handler: async () => {
+					const existing = (await this.api.listQueues()).find((q) => q.queue_name === queueName);
+					state.queues.push({
+						name: queueName,
+						exists: !!existing,
+						id: existing?.queue_id
+					});
+				}
+			});
+		}
+		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
+		const expectedSecrets = Object.keys(envVars).filter((key) => envVars[key] && !CloudflareAdapter.EXCLUDED_SECRET_KEYS.has(key) && !key.startsWith("VITE_"));
+		if (expectedSecrets.length > 0) {
+			const workerName = ctx.naming.worker();
+			tasks.push({
+				name: "inspect secrets",
+				handler: async () => {
+					try {
+						const deployed = await this.api.listSecrets(workerName);
+						const deployedNames = new Set(deployed.map((s) => s.name));
+						for (const key of expectedSecrets) state.secrets.push({
+							name: key,
+							deployed: deployedNames.has(key)
+						});
+					} catch {
+						for (const key of expectedSecrets) state.secrets.push({
+							name: key,
+							deployed: false
+						});
+					}
+				}
+			});
+		}
+		await run(tasks);
+		return state;
+	}
+	async teardown(ctx, run) {
+		this.configureApi(ctx);
+		if (ctx.resources.hasQueue) {
+			const workerName = ctx.naming.worker();
+			const queueName = ctx.naming.queue();
+			await run({
+				name: `unbind queue consumer ${queueName}`,
+				handler: async () => {
+					try {
+						const queue = (await this.api.listQueues()).find((q) => q.queue_name === queueName);
+						if (queue) await this.api.deleteQueueConsumer(queue.queue_id, workerName);
+					} catch (error) {
+						this.log.warn(`Failed to unbind queue consumer: ${String(error.message || "")}`);
+					}
+				}
+			});
+		}
+		{
+			const name = ctx.naming.worker();
+			await run({
+				name: `delete worker ${name}`,
+				handler: async () => {
+					try {
+						await this.api.deleteWorker(name);
+					} catch (error) {
+						this.log.warn(`Failed to delete worker ${name}: ${String(error.message || "")}`);
+					}
+				}
+			});
+		}
+		if (ctx.resources.hasQueue) {
+			const name = ctx.naming.queue();
+			await run({
+				name: `delete queue ${name}`,
+				handler: async () => {
+					try {
+						const queue = (await this.api.listQueues()).find((q) => q.queue_name === name);
+						if (!queue) {
+							this.log.debug(`Queue ${name} not found — skipping.`);
+							return;
+						}
+						await this.api.deleteQueue(queue.queue_id);
+					} catch (error) {
+						this.log.warn(`Failed to delete queue ${name}: ${String(error.message || "")}`);
+					}
+				}
+			});
+		}
+		if (ctx.resources.hasKV) {
+			const name = ctx.naming.kv();
+			await run({
+				name: `delete kv ${name}`,
+				handler: async () => {
+					try {
+						const existing = (await this.api.listKV()).find((ns) => ns.title === name);
+						if (!existing) {
+							this.log.debug(`KV namespace ${name} not found — skipping.`);
+							return;
+						}
+						await this.api.deleteKV(existing.id);
+					} catch (error) {
+						this.log.warn(`Failed to delete kv ${name}: ${String(error.message || "")}`);
+					}
+				}
+			});
+		}
+		if (ctx.resources.hasBucket) {
+			const name = ctx.naming.r2();
+			await run({
+				name: `delete r2 ${name}`,
+				handler: async () => {
+					try {
+						await this.wipeR2Bucket(name, ctx);
+						await this.api.deleteR2(name);
+					} catch (error) {
+						const msg = String(error.message || "");
+						if (msg.includes("does not exist") || msg.includes("NoSuchBucket")) this.log.debug(`Bucket ${name} not found — skipping.`);
+						else this.log.warn(`Failed to delete r2 ${name}: ${msg}`);
+					}
+				}
+			});
+		}
+		if (ctx.resources.hasDatabase) if (await this.isPostgres(ctx)) {
+			const name = ctx.naming.hyperdrive();
+			await run({
+				name: `delete hyperdrive ${name}`,
+				handler: async () => {
+					try {
+						const existing = (await this.api.listHyperdrive()).find((c) => c.name === name);
+						if (!existing) {
+							this.log.debug(`Hyperdrive ${name} not found — skipping.`);
+							return;
+						}
+						await this.api.deleteHyperdrive(existing.id);
+					} catch (error) {
+						this.log.warn(`Failed to delete hyperdrive ${name}: ${String(error.message || "")}`);
+					}
+				}
+			});
+		} else {
+			const name = ctx.naming.d1();
+			await run({
+				name: `delete d1 ${name}`,
+				handler: async () => {
+					try {
+						const existing = (await this.api.listD1()).find((db) => db.name === name);
+						if (!existing) {
+							this.log.debug(`D1 database ${name} not found — skipping.`);
+							return;
+						}
+						await this.api.deleteD1(existing.uuid);
+					} catch (error) {
+						this.log.warn(`Failed to delete d1 ${name}: ${String(error.message || "")}`);
+					}
+				}
+			});
+		}
+	}
+	async ensureD1(name) {
+		const existing = (await this.api.listD1()).find((db) => db.name === name);
+		if (existing) return existing.uuid;
+		return (await this.api.createD1(name)).uuid;
+	}
+	async ensureHyperdrive(name, connectionString) {
+		const existing = (await this.api.listHyperdrive()).find((c) => c.name === name);
+		if (existing) return existing.id;
+		return (await this.api.createHyperdrive(name, connectionString)).id;
+	}
+	async ensureR2(name) {
+		if ((await this.api.listR2()).find((b) => b.name === name)) return;
+		await this.api.createR2(name);
+	}
+	/**
+	* Empty an R2 bucket via the S3-compatible API.
+	*
+	* Cloudflare's REST `DELETE /r2/buckets/:name` rejects non-empty buckets
+	* with `BucketNotEmpty`, and the REST API has no object-level endpoints —
+	* objects must be listed and deleted over the S3 protocol. To avoid
+	* making users pre-create R2 access keys, we mint a short-lived
+	* bucket-scoped API token using the wrangler bearer token, wipe the
+	* bucket with `s3mini`, then revoke the token.
+	*
+	* Also aborts any pending multipart uploads — those count as bucket
+	* contents from R2's perspective and would otherwise block the delete.
+	*/
+	async wipeR2Bucket(bucketName, ctx) {
+		if (!process.env.CLOUDFLARE_API_TOKEN) {
+			this.log.warn(`Skipping R2 wipe for ${bucketName}: CLOUDFLARE_API_TOKEN not set. Delete the bucket manually in the Cloudflare dashboard.`);
+			return;
+		}
+		const tokenName = `alepha-teardown-${bucketName}-${Date.now()}`;
+		const token = await this.api.createR2Token(tokenName, bucketName);
+		try {
+			const accountId = await this.api.resolveAccountId();
+			const jur = ctx.envConfig.jurisdiction;
+			const host = jur ? `${accountId}.${jur}.r2.cloudflarestorage.com` : `${accountId}.r2.cloudflarestorage.com`;
+			const client = new S3mini({
+				accessKeyId: token.accessKeyId,
+				secretAccessKey: token.secretAccessKey,
+				region: "auto",
+				endpoint: `https://${host}/${bucketName}`
+			});
+			try {
+				const mp = await client.listMultipartUploads();
+				if ("listMultipartUploadsResult" in mp) {
+					const uploads = mp.listMultipartUploadsResult.uploads ?? [];
+					for (const upload of uploads) {
+						const u = upload;
+						const key = u.Key ?? u.key;
+						const uploadId = u.UploadId ?? u.uploadId;
+						if (key && uploadId) await client.abortMultipartUpload(key, uploadId);
+					}
+				}
+			} catch (error) {
+				this.log.debug(`listMultipartUploads on ${bucketName} failed: ${String(error.message || "")}`);
+			}
+			let cursor;
+			let total = 0;
+			while (true) {
+				const page = await client.listObjectsPaged(void 0, void 0, 1e3, cursor);
+				const objects = page?.objects ?? [];
+				if (objects.length === 0) break;
+				await client.deleteObjects(objects.map((o) => o.Key));
+				total += objects.length;
+				cursor = page?.nextContinuationToken;
+				if (!cursor) break;
+			}
+			if (total > 0) this.log.info(`Emptied ${total} object(s) from bucket ${bucketName}.`);
+		} finally {
+			try {
+				await this.api.deleteR2Token(token.id);
+			} catch (error) {
+				this.log.warn(`Failed to revoke ephemeral R2 token ${token.id}: ${String(error.message || "")}`);
+			}
+		}
+	}
+	async ensureKV(name) {
+		const existing = (await this.api.listKV()).find((ns) => ns.title === name);
+		if (existing) return existing.id;
+		return (await this.api.createKV(name)).id;
+	}
+	async ensureQueue(name) {
+		if ((await this.api.listQueues()).find((q) => q.queue_name === name)) return;
+		await this.api.createQueue(name);
+	}
+	/**
+	* Get the currently active deployment for a worker.
+	*/
+	async getActiveDeployment(workerName) {
+		const latest = [...await this.api.listDeployments(workerName)].sort((a, b) => b.created_on.localeCompare(a.created_on))[0];
+		if (!latest?.versions?.[0]) return;
+		const activeVersionId = latest.versions[0].version_id;
+		const version = (await this.api.listVersions(workerName)).find((v) => v.id === activeVersionId);
+		return {
+			versionId: activeVersionId,
+			tag: version?.annotations?.["workers/tag"],
+			createdAt: version?.metadata.created_on
+		};
+	}
+};
+/**
+* Stable SHA-256 of the secret set. Keys are sorted so reordering `.env`
+* lines does not invalidate the cache. Used as a fingerprint by
+* `CloudflareAdapter.secrets` — see the comment block there.
+*/
+function computeSecretsHash(secrets) {
+	const sorted = Object.keys(secrets).sort().map((k) => `${k}=${secrets[k]}`).join("\n");
+	return createHash("sha256").update(sorted).digest("hex");
+}
+//#endregion
+//#region ../../src/cli/platform-lib/schemas/vercel.ts
+const vercelProjectSchema = t.object({
+	id: t.string(),
+	name: t.string(),
+	accountId: t.string()
+});
+const createProjectBodySchema = t.object({
+	name: t.string(),
+	framework: t.optional(t.null())
+});
+const vercelDeploymentSchema = t.object({
+	uid: t.string(),
+	name: t.string(),
+	url: t.string(),
+	state: t.optional(t.string()),
+	readyState: t.optional(t.string()),
+	created: t.optional(t.number()),
+	target: t.optional(t.string()),
+	alias: t.optional(t.array(t.string()))
+});
+const vercelEnvVarSchema = t.object({
+	id: t.string(),
+	key: t.string(),
+	value: t.optional(t.string()),
+	type: t.string(),
+	target: t.array(t.string())
+});
+const createEnvVarBodySchema = t.object({
+	key: t.string(),
+	value: t.string(),
+	type: t.string(),
+	target: t.array(t.string())
+});
+//#endregion
+//#region ../../src/cli/platform-lib/services/VercelCli.ts
+/**
+* Wraps Vercel CLI commands and token management.
+*
+* Used for operations where the Vercel CLI provides value:
+* OAuth login, prebuilt deploy, and auth token extraction.
+*/
+var VercelCli = class {
+	log = $logger();
+	shell = $inject(ShellProvider);
+	fs = $inject(FileSystemProvider);
+	utils = $inject(AlephaCliUtils);
+	pm = $inject(PackageManagerUtils);
+	runner = $inject(Runner);
+	async runShell(command, options = {}) {
+		const capture = options.capture;
+		const output = await this.shell.run(command, {
+			...options,
+			capture: capture ?? this.runner.useDynamicLogger
+		});
+		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
+		return output;
+	}
+	/**
+	* Ensure vercel CLI is installed in the project.
+	*/
+	async ensureInstalled(root, run) {
+		await this.pm.ensureDependency(root, "vercel", {
+			dev: true,
+			exec: async (cmd, opts) => {
+				run.pause();
+				try {
+					await this.utils.exec(cmd, opts);
+				} finally {
+					run.resume();
+				}
+			}
+		});
+	}
+	/**
+	* Get the Vercel auth token.
+	*
+	* Priority:
+	* 1. VERCEL_TOKEN environment variable (CI/CD)
+	* 2. Vercel CLI auth.json file (local dev)
+	*/
+	async getAuthToken() {
+		const envToken = process.env.VERCEL_TOKEN;
+		if (envToken) return envToken;
+		const authPath = this.getAuthFilePath();
+		if (!await this.fs.exists(authPath)) throw new AlephaError("Vercel auth token not found. Run `vercel login` or set VERCEL_TOKEN.");
+		const content = await this.fs.readFile(authPath);
+		const parsed = JSON.parse(content.toString());
+		if (!parsed.token) throw new AlephaError("Vercel auth.json exists but contains no token. Run `vercel login`.");
+		return parsed.token;
+	}
+	/**
+	* Validate the current auth token.
+	*/
+	async whoami() {
+		return await this.runShell("vercel whoami", {
+			resolve: true,
+			capture: true
+		});
+	}
+	/**
+	* Open the browser-based login flow.
+	*/
+	async login() {
+		await this.runShell("vercel login", { resolve: true });
+	}
+	/**
+	* Deploy a prebuilt .vercel/output/ directory.
+	*
+	* Returns the deployment URL.
+	*/
+	async deploy(distDir, options) {
+		const args = [
+			"vercel",
+			"deploy",
+			"--prebuilt"
+		];
+		if (options.prod) args.push("--prod");
+		if (options.token) args.push(`--token=${options.token}`);
+		return (await this.runShell(args.join(" "), {
+			resolve: true,
+			capture: true,
+			root: distDir
+		})).trim().split("\n").reverse().find((line) => line.trim().startsWith("https://"))?.trim();
+	}
+	/**
+	* Resolve the path to Vercel CLI auth.json.
+	*/
+	getAuthFilePath() {
+		const os = platform();
+		if (os === "darwin") return join(homedir(), "Library", "Application Support", "com.vercel.cli", "auth.json");
+		if (os === "win32") return join(homedir(), "AppData", "Roaming", "xdg.data", "com.vercel.cli", "auth.json");
+		return join(homedir(), ".local", "share", "com.vercel.cli", "auth.json");
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/services/VercelApi.ts
+/**
+* Thin wrapper over the Vercel REST API.
+*
+* Uses the auth token from VercelCli for all requests.
+*/
+var VercelApi = class VercelApi {
+	static BASE = "https://api.vercel.com";
+	log = $logger();
+	alepha = $inject(Alepha);
+	vercelCli = $inject(VercelCli);
+	token;
+	/**
+	* Obtain the current auth token from the Vercel CLI.
+	*/
+	async resolveToken() {
+		if (this.token) return this.token;
+		this.token = await this.vercelCli.getAuthToken();
+		return this.token;
+	}
+	async listProjects() {
+		return (await this.fetch("/v10/projects", { schema: t.object({ projects: t.array(vercelProjectSchema) }) })).projects;
+	}
+	async getProject(nameOrId) {
+		try {
+			return await this.fetch(`/v9/projects/${encodeURIComponent(nameOrId)}`, { schema: vercelProjectSchema });
+		} catch {
+			return;
+		}
+	}
+	async createProject(name) {
+		return await this.fetch("/v11/projects", {
+			method: "POST",
+			body: {
+				name,
+				framework: null
+			},
+			bodySchema: createProjectBodySchema,
+			schema: vercelProjectSchema
+		});
+	}
+	async updateProject(nameOrId, settings) {
+		await this.fetch(`/v9/projects/${encodeURIComponent(nameOrId)}`, {
+			method: "PATCH",
+			body: settings
+		});
+	}
+	async deleteProject(nameOrId) {
+		await this.fetch(`/v9/projects/${encodeURIComponent(nameOrId)}`, { method: "DELETE" });
+	}
+	async listDeployments(projectId, options) {
+		const query = { projectId };
+		if (options?.limit) query.limit = String(options.limit);
+		if (options?.target) query.target = options.target;
+		return (await this.fetch("/v6/deployments", {
+			query,
+			schema: t.object({ deployments: t.array(vercelDeploymentSchema) })
+		})).deployments;
+	}
+	async listEnvVars(projectId) {
+		return (await this.fetch(`/v10/projects/${encodeURIComponent(projectId)}/env`, {
+			query: { decrypt: "true" },
+			schema: t.object({ envs: t.array(vercelEnvVarSchema) })
+		})).envs;
+	}
+	async upsertEnvVars(projectId, vars) {
+		for (const v of vars) await this.fetch(`/v10/projects/${encodeURIComponent(projectId)}/env`, {
+			method: "POST",
+			query: { upsert: "true" },
+			body: {
+				key: v.key,
+				value: v.value,
+				type: "encrypted",
+				target: v.target
+			},
+			bodySchema: createEnvVarBodySchema
+		});
+	}
+	async deleteEnvVar(projectId, envVarId) {
+		await this.fetch(`/v9/projects/${encodeURIComponent(projectId)}/env/${envVarId}`, { method: "DELETE" });
+	}
+	async fetch(path, options = {}) {
+		const token = await this.resolveToken();
+		const { method = "GET", body, query } = options;
+		let url = `${VercelApi.BASE}${path}`;
+		if (query) {
+			const params = new URLSearchParams(query);
+			url += `?${params.toString()}`;
+		}
+		const headers = { Authorization: `Bearer ${token}` };
+		const init = {
+			method,
+			headers
+		};
+		if (body) {
+			headers["Content-Type"] = "application/json";
+			const validated = options.bodySchema ? this.alepha.codec.validate(options.bodySchema, body) : body;
+			init.body = JSON.stringify(validated);
+		}
+		const response = await globalThis.fetch(url, init);
+		if (response.status === 204) return;
+		const json = await response.json();
+		if (json.error) throw new AlephaError(`Vercel API error (${method} ${path}): ${json.error.message ?? JSON.stringify(json.error)}`);
+		if (!response.ok) throw new AlephaError(`Vercel API error (${method} ${path}): HTTP ${response.status}`);
+		if (options.schema) return this.alepha.codec.validate(options.schema, json);
+		return json;
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/adapters/VercelAdapter.ts
+/**
+* Vercel platform adapter.
+*
+* Uses the Vercel CLI for login and deploy (--prebuilt),
+* and the Vercel REST API for project management, env vars, and inspection.
+*
+* v1 scope: deploy pipeline only. No DB/storage/KV provisioning.
+*/
+var VercelAdapter = class VercelAdapter extends PlatformAdapter {
+	log = $logger();
+	fs = $inject(FileSystemProvider);
+	shell = $inject(ShellProvider);
+	utils = $inject(AlephaCliUtils);
+	cache = $inject(PlatformCacheProvider);
+	alepha = $inject(Alepha);
+	envUtils = $inject(EnvUtils);
+	api = $inject(VercelApi);
+	vercelCli = $inject(VercelCli);
+	runner = $inject(Runner);
+	/**
+	* Vars that should not be pushed as env vars.
+	* These are either handled by the build or are internal.
+	*/
+	static EXCLUDED_SECRET_KEYS = new Set(["NODE_ENV"]);
+	async runShell(command, options = {}) {
+		const capture = options.capture;
+		const output = await this.shell.run(command, {
+			...options,
+			capture: capture ?? this.runner.useDynamicLogger
+		});
+		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
+		return output;
+	}
+	async authenticate(ctx, run) {
+		await run({
+			name: "authenticate",
+			handler: async () => {
+				await this.vercelCli.ensureInstalled(ctx.root, run);
+				let needsLogin = false;
+				try {
+					await this.vercelCli.getAuthToken();
+					await this.vercelCli.whoami();
+				} catch {
+					needsLogin = true;
+				}
+				if (needsLogin) {
+					run.pause();
+					await this.vercelCli.login();
+					run.resume();
+				}
+				if (await this.cache.isLoginFresh(ctx.root, "vercel")) return;
+				await this.cache.recordLogin(ctx.root, "vercel");
+			}
+		});
+	}
+	async build(ctx, run) {
+		const appDir = ctx.root;
+		await run({
+			name: "alepha build -t vercel",
+			handler: async () => {
+				await this.runShell("alepha build -t vercel", { root: appDir });
+			}
+		});
+	}
+	async deploy(ctx, run) {
+		const distDir = this.fs.join(ctx.root, "dist");
+		const projectName = ctx.naming.worker();
+		let url;
+		await run({
+			name: `deploy ${ctx.project}`,
+			handler: async () => {
+				let project = await this.api.getProject(projectName);
+				if (!project) project = await this.api.createProject(projectName);
+				await this.api.updateProject(projectName, { framework: null });
+				const vercelDir = this.fs.join(distDir, ".vercel");
+				await this.fs.mkdir(vercelDir);
+				await this.fs.writeFile(this.fs.join(vercelDir, "project.json"), JSON.stringify({
+					projectId: project.id,
+					orgId: project.accountId
+				}, null, 2));
+				const token = process.env.VERCEL_TOKEN;
+				await this.vercelCli.deploy(distDir, {
+					prod: true,
+					token
+				});
+				const latest = (await this.api.listDeployments(project.id, {
+					limit: 1,
+					target: "production"
+				}))[0];
+				url = latest?.alias?.[0] ? `https://${latest.alias[0]}` : `https://${projectName}.vercel.app`;
+			}
+		});
+		return url;
+	}
+	async secrets(ctx, run) {
+		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
+		const vars = [];
+		for (const [key, value] of Object.entries(envVars)) {
+			if (!value) continue;
+			if (VercelAdapter.EXCLUDED_SECRET_KEYS.has(key)) continue;
+			if (key.startsWith("VITE_")) continue;
+			vars.push({
+				key,
+				value,
+				target: ["production", "preview"]
+			});
+		}
+		if (vars.length === 0) return;
+		{
+			const projectName = ctx.naming.worker();
+			await run({
+				name: `push env vars to ${projectName}`,
+				handler: async () => {
+					await this.api.upsertEnvVars(projectName, vars);
+				}
+			});
+		}
+	}
+	async inspect(ctx, run) {
+		const state = {
+			workers: [],
+			databases: [],
+			buckets: [],
+			kvNamespaces: [],
+			queues: [],
+			secrets: []
+		};
+		const tasks = [];
+		{
+			const projectName = ctx.naming.worker();
+			tasks.push({
+				name: `inspect project (${projectName})`,
+				handler: async () => {
+					const project = await this.api.getProject(projectName);
+					if (!project) {
+						state.workers.push({
+							name: projectName,
+							exists: false
+						});
+						return;
+					}
+					const latest = (await this.api.listDeployments(project.id, { limit: 1 }))[0];
+					state.workers.push({
+						name: projectName,
+						exists: true,
+						version: latest?.uid,
+						createdAt: latest?.created ? new Date(latest.created).toISOString() : void 0
+					});
+				}
+			});
+		}
+		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
+		const expectedVars = Object.keys(envVars).filter((key) => envVars[key] && !VercelAdapter.EXCLUDED_SECRET_KEYS.has(key) && !key.startsWith("VITE_"));
+		if (expectedVars.length > 0) {
+			const projectName = ctx.naming.worker();
+			tasks.push({
+				name: "inspect env vars",
+				handler: async () => {
+					try {
+						const deployed = await this.api.listEnvVars(projectName);
+						const deployedKeys = new Set(deployed.map((v) => v.key));
+						for (const key of expectedVars) state.secrets.push({
+							name: key,
+							deployed: deployedKeys.has(key)
+						});
+					} catch {
+						for (const key of expectedVars) state.secrets.push({
+							name: key,
+							deployed: false
+						});
+					}
+				}
+			});
+		}
+		await run(tasks);
+		return state;
+	}
+	async teardown(ctx, run) {
+		{
+			const projectName = ctx.naming.worker();
+			await run({
+				name: `delete project ${projectName}`,
+				handler: async () => {
+					try {
+						await this.api.deleteProject(projectName);
+					} catch (error) {
+						this.log.warn(`Failed to delete project ${projectName}: ${String(error.message || "")}`);
+					}
+				}
+			});
+		}
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/providers/GitHubSecretStore.ts
+/**
+* GitHub Actions secret store backed by the `gh` CLI.
+*
+* Requires the GitHub CLI (`gh`) to be installed and authenticated.
+* Pushes secrets into GitHub Actions environments.
+*/
+var GitHubSecretStore = class {
+	log = $logger();
+	shell = $inject(ShellProvider);
+	fs = $inject(FileSystemProvider);
+	/**
+	* Verify that `gh` is installed and authenticated.
+	*/
+	async ensureAvailable() {
+		if (!await this.shell.isInstalled("gh")) throw new AlephaError("GitHub CLI (gh) is not installed. Install it from https://cli.github.com");
+		try {
+			await this.shell.run("gh auth status", { capture: true });
+		} catch {
+			throw new AlephaError("GitHub CLI is not authenticated. Run `gh auth login` first.");
+		}
+	}
+	/**
+	* Create the GitHub Actions environment if it doesn't exist.
+	*/
+	async ensureEnvironment(environment) {
+		await this.shell.run(`gh api --method PUT /repos/{owner}/{repo}/environments/${environment} --silent`, { capture: true });
+		this.log.debug(`Ensured environment "${environment}" exists`);
+	}
+	/**
+	* List all secrets in a GitHub Actions environment.
+	*/
+	async list(environment) {
+		try {
+			const output = await this.shell.run(`gh secret list --env ${environment} --json name,updatedAt`, { capture: true });
+			return JSON.parse(output || "[]").map((s) => ({
+				name: s.name,
+				updatedAt: s.updatedAt
+			}));
+		} catch (error) {
+			this.log.debug("Failed to list secrets", {
+				environment,
+				error
+			});
+			return [];
+		}
+	}
+	/**
+	* Set a secret in a GitHub Actions environment.
+	*
+	* Writes a dotenv-formatted file and uses `gh secret set --env-file` to
+	* avoid shell pipe issues with NodeShellProvider escaping the `|` character.
+	*/
+	async set(environment, key, value) {
+		const tmpFile = `/tmp/alepha-secret-${key}-${Date.now()}`;
+		const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n");
+		await this.fs.writeFile(tmpFile, `${key}="${escaped}"\n`);
+		try {
+			const output = await this.shell.run(`gh secret set -f ${tmpFile} --env ${environment}`, { capture: true });
+			this.log.debug(`Secret set: ${key}`, { output });
+		} finally {
+			await this.fs.rm(tmpFile);
+		}
+	}
+	/**
+	* Delete a secret from a GitHub Actions environment.
+	*/
+	async delete(environment, key) {
+		await this.shell.run(`gh secret delete ${key} --env ${environment}`, { capture: true });
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/providers/MemorySecretStore.ts
+/**
+* In-memory implementation of SecretStoreProvider for testing.
+* Records all operations and stores secrets in a nested Map.
+*/
+var MemorySecretStore = class {
+	/**
+	* Secrets keyed by environment, then by key.
+	*/
+	secrets = /* @__PURE__ */ new Map();
+	/**
+	* All recorded operations.
+	*/
+	calls = [];
+	/**
+	* When set, ensureAvailable() will throw with this message.
+	*/
+	availableError = null;
+	async ensureAvailable() {
+		this.calls.push({ method: "ensureAvailable" });
+		if (this.availableError) throw new AlephaError(this.availableError);
+	}
+	async ensureEnvironment(environment) {
+		this.calls.push({
+			method: "ensureEnvironment",
+			environment
+		});
+		if (!this.secrets.has(environment)) this.secrets.set(environment, /* @__PURE__ */ new Map());
+	}
+	async list(environment) {
+		this.calls.push({
+			method: "list",
+			environment
+		});
+		const envSecrets = this.secrets.get(environment);
+		if (!envSecrets) return [];
+		return Array.from(envSecrets.keys()).map((name) => ({ name }));
+	}
+	async set(environment, key, value) {
+		this.calls.push({
+			method: "set",
+			environment,
+			key,
+			value
+		});
+		let envSecrets = this.secrets.get(environment);
+		if (!envSecrets) {
+			envSecrets = /* @__PURE__ */ new Map();
+			this.secrets.set(environment, envSecrets);
+		}
+		envSecrets.set(key, value);
+	}
+	async delete(environment, key) {
+		this.calls.push({
+			method: "delete",
+			environment,
+			key
+		});
+		this.secrets.get(environment)?.delete(key);
+	}
+	/**
+	* Check if set() was called for a given environment and key.
+	*/
+	wasSet(environment, key) {
+		return this.calls.some((c) => c.method === "set" && c.environment === environment && c.key === key);
+	}
+	/**
+	* Check if delete() was called for a given environment and key.
+	*/
+	wasDeleted(environment, key) {
+		return this.calls.some((c) => c.method === "delete" && c.environment === environment && c.key === key);
+	}
+	/**
+	* Get all set() calls for a given environment.
+	*/
+	getSetCalls(environment) {
+		return this.calls.filter((c) => c.method === "set" && c.environment === environment).map((c) => ({
+			key: c.key,
+			value: c.value
+		}));
+	}
+	/**
+	* Reset all state.
+	*/
+	reset() {
+		this.secrets.clear();
+		this.calls = [];
+		this.availableError = null;
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/services/PlatformInspector.ts
+/**
+* Reads platform config and resolves project topology.
+*
+* Validates project name and environment configuration. Does NOT
+* introspect app code for resources — that happens at deploy time via
+* ViteBuildProvider.
+*
+* Each app self-declares its platform topology via its own
+* `alepha.config.ts`. Run `alepha platform <op>` from the app's
+* directory; no monorepo-root orchestration here.
+*/
+var PlatformInspector = class {
+	log = $logger();
+	alepha = $inject(Alepha);
+	fs = $inject(FileSystemProvider);
+	asker = $inject(Asker);
+	options = $state(platformOptions);
+	naming = $inject(NamingService);
+	/**
+	* Resolve and validate the full platform configuration.
+	*
+	* Source priority:
+	*   1. `platformOptions` atom (set by `alepha.config.ts` during the
+	*      configure hook) — local dev / from-source deploys.
+	*   2. `dist/manifest.json` (written by `alepha build`) — pre-built
+	*      deploys via Alepha Rocket or any `--prebuilt` consumer that
+	*      ships only the build artifact without `alepha.config.ts`.
+	*/
+	async resolveConfig(root) {
+		if (this.options) {
+			const opts = this.options;
+			const project = await this.resolveProjectName(root, opts.name);
+			return {
+				project: this.naming.slugify(project),
+				defaultEnv: opts.default ?? "production",
+				tenancy: opts.tenancy,
+				environments: opts.environments
+			};
+		}
+		const manifest = await this.readManifest(root);
+		if (manifest) return {
+			project: this.naming.slugify(manifest.project),
+			defaultEnv: manifest.defaultEnv ?? "production",
+			tenancy: manifest.tenancy,
+			environments: manifest.environments
+		};
+		this.log.warn(` alepha.config.ts not found or missing platform config.
+
+Please add a "platform" section to alepha.config.ts:
+
+export default defineConfig({
+  platform: {
+    environments: {
+      production: { adapter: "cloudflare" },
+    },
+  },
+});
+        `);
+		throw new AlephaError("Missing platform configuration.");
+	}
+	/**
+	* Read `dist/manifest.json` if present. Returns null on any error so
+	* callers fall back to the strict alepha.config.ts path.
+	*/
+	async readManifest(root) {
+		try {
+			const fs = await import("node:fs/promises");
+			const path = await import("node:path");
+			const raw = await fs.readFile(path.join(root, "dist", "manifest.json"), "utf-8");
+			return JSON.parse(raw);
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Resolve a specific environment, validating it exists.
+	*/
+	async resolveEnvironment(root, envName) {
+		const config = await this.resolveConfig(root);
+		const envConfig = config.environments[envName];
+		if (!envConfig) throw new AlephaError(`Unknown environment "${envName}". Available: ${Object.keys(config.environments).join(", ")}`);
+		return envConfig;
+	}
+	async resolveProjectName(root, configName) {
+		if (configName) return configName;
+		try {
+			const pkgPath = this.fs.join(root, "package.json");
+			const pkg = await this.fs.readJsonFile(pkgPath);
+			if (pkg.name) return pkg.name;
+		} catch {}
+		throw new AlephaError("Missing project name. Set \"name\" in alepha.config.ts or add a \"name\" field to package.json.");
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/services/PlatformOrchestrator.ts
+/**
+* Orchestrates platform lifecycle operations.
+*
+* Coordinates adapter calls in the correct order for
+* up (build -> migrate -> deploy), down, plan, and status.
+*/
+var PlatformOrchestrator = class {
+	log = $logger();
+	color = $inject(ConsoleColorProvider);
+	inspector = $inject(PlatformInspector);
+	naming = $inject(NamingService);
+	cloudflareAdapter = $inject(CloudflareAdapter);
+	vercelAdapter = $inject(VercelAdapter);
+	alepha = $inject(Alepha);
+	resolveAdapter(adapterName) {
+		switch (adapterName) {
+			case "cloudflare": return this.cloudflareAdapter;
+			case "vercel": return this.vercelAdapter;
+			default: throw new AlephaError(`Unknown adapter: "${adapterName}"`);
+		}
+	}
+	async up(options) {
+		const { root, env, entry, resources, run, prebuilt } = options;
+		const envConfig = await this.inspector.resolveEnvironment(root, env);
+		const config = await this.inspector.resolveConfig(root);
+		const adapter = this.resolveAdapter(envConfig.adapter);
+		const tenant = resolveTenant(config.tenancy, options.tenant);
+		const namingCtx = this.naming.forContext(config.project, env, tenant);
+		const ctx = {
+			project: config.project,
+			env,
+			envConfig,
+			root,
+			entry,
+			resources,
+			naming: namingCtx,
+			tenant,
+			prebuilt
+		};
+		await adapter.authenticate(ctx, run);
+		await adapter.provision(ctx, run);
+		await adapter.build(ctx, run);
+		await adapter.migrate(ctx, run);
+		const url = await adapter.deploy(ctx, run);
+		await adapter.secrets(ctx, run);
+		run.end();
+		return {
+			urls: url ? [url] : [],
+			domain: tenantDomain(envConfig.domain, tenant)
+		};
+	}
+	/**
+	* Pretty-print the `up()` result to stdout. Matches the formatting the
+	* orchestrator used to emit inline; split out so callers that want
+	* JSON output can skip this branch.
+	*/
+	printUpSummary(result) {
+		const c = this.color;
+		if (result.domain) {
+			this.log.info("");
+			const display = result.domain.includes("*") ? `https://${result.domain} (wildcard route)` : `https://${result.domain}`;
+			this.log.info(`  ${c.set("GREEN", "→")} ${c.set("CYAN", display)}`);
+			this.log.info("");
+		} else for (const url of result.urls) {
+			this.log.info("");
+			this.log.info(`  ${c.set("GREEN", "→")} ${c.set("CYAN", url)}`);
+			this.log.info("");
+		}
+	}
+	async down(options) {
+		const { root, env, entry, resources, run, confirm } = options;
+		const envConfig = await this.inspector.resolveEnvironment(root, env);
+		const config = await this.inspector.resolveConfig(root);
+		const adapter = this.resolveAdapter(envConfig.adapter);
+		const tenant = resolveTenant(config.tenancy, options.tenant);
+		const namingCtx = this.naming.forContext(config.project, env, tenant);
+		const ctx = {
+			project: config.project,
+			env,
+			envConfig,
+			root,
+			entry,
+			resources,
+			naming: namingCtx,
+			tenant
+		};
+		if (!this.isTmpEnv(env)) {
+			if (await confirm(`Type "${env}" to confirm teardown:`) !== env) {
+				this.log.info("Aborted.");
+				return false;
+			}
+		}
+		await adapter.authenticate(ctx, run);
+		await adapter.teardown(ctx, run);
+		run.end();
+		return true;
+	}
+	async plan(options) {
+		const { root, env, resources } = options;
+		const config = await this.inspector.resolveConfig(root);
+		const tenant = resolveTenant(config.tenancy, options.tenant);
+		return {
+			config,
+			naming: this.naming.forContext(config.project, env, tenant),
+			resources
+		};
+	}
+	async status(options) {
+		const { root, env, entry, resources, run } = options;
+		const envConfig = await this.inspector.resolveEnvironment(root, env);
+		const config = await this.inspector.resolveConfig(root);
+		const adapter = this.resolveAdapter(envConfig.adapter);
+		const tenant = resolveTenant(config.tenancy, options.tenant);
+		const namingCtx = this.naming.forContext(config.project, env, tenant);
+		const ctx = {
+			project: config.project,
+			env,
+			envConfig,
+			root,
+			entry,
+			resources,
+			naming: namingCtx,
+			tenant
+		};
+		await adapter.authenticate(ctx, run);
+		return {
+			config,
+			state: await adapter.inspect(ctx, run)
+		};
+	}
+	isTmpEnv(env) {
+		return env.startsWith("tmp");
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/services/SecretFilterService.ts
+/**
+* Filters environment variables for secret store syncing.
+*
+* Excludes platform-managed vars (NODE_ENV), build-time vars (VITE_*),
+* and empty values. Keeps everything else — including DATABASE_URL
+* and POSTGRES_SCHEMA which GitHub Actions needs.
+*
+* Also handles renaming GITHUB_* keys since GitHub Actions rejects
+* secret names starting with GITHUB_.
+*/
+var SecretFilterService = class SecretFilterService {
+	static EXCLUDED_KEYS = new Set(["NODE_ENV"]);
+	static GITHUB_PREFIX = "GITHUB_";
+	static REMOTE_PREFIX = "APP_GITHUB_";
+	/**
+	* Return only the entries that should be pushed to a secret store.
+	*/
+	filter(envVars) {
+		const result = {};
+		for (const [key, value] of Object.entries(envVars)) {
+			if (!value) continue;
+			if (SecretFilterService.EXCLUDED_KEYS.has(key)) continue;
+			if (key.startsWith("VITE_")) continue;
+			result[key] = value;
+		}
+		return result;
+	}
+	/**
+	* Convert a local env key to a remote secret name.
+	*
+	* GITHUB_* keys are prefixed with APP_ since GitHub Actions rejects
+	* secret names starting with GITHUB_.
+	*/
+	toRemoteName(key) {
+		if (key.startsWith(SecretFilterService.GITHUB_PREFIX)) return `${SecretFilterService.REMOTE_PREFIX}${key.slice(SecretFilterService.GITHUB_PREFIX.length)}`;
+		return key;
+	}
+	/**
+	* Convert a remote secret name back to the local env key.
+	*/
+	toLocalName(remoteName) {
+		if (remoteName.startsWith(SecretFilterService.REMOTE_PREFIX)) return `${SecretFilterService.GITHUB_PREFIX}${remoteName.slice(SecretFilterService.REMOTE_PREFIX.length)}`;
+		return remoteName;
+	}
+};
+//#endregion
+//#region ../../src/cli/platform-lib/providers/SecretStoreProvider.ts
+/**
+* Abstract provider for managing secrets in an external store.
+*
+* Implementations: GitHubSecretStore, MemorySecretStore
+*/
+var SecretStoreProvider = class {};
+//#endregion
+//#region ../../src/cli/platform-lib/schemas/platform.ts
+const platformStatusWorkerSchema = t.object({
+	name: t.string(),
+	exists: t.boolean(),
+	id: t.optional(t.string()),
+	detail: t.optional(t.string()),
+	version: t.optional(t.string()),
+	tag: t.optional(t.string()),
+	createdAt: t.optional(t.string())
+});
+const platformStatusResourceSchema = t.object({
+	name: t.string(),
+	exists: t.boolean(),
+	id: t.optional(t.string()),
+	detail: t.optional(t.string())
+});
+const platformStatusSecretSchema = t.object({
+	name: t.string(),
+	deployed: t.boolean()
+});
+const platformStatusSchema = t.object({
+	project: t.string(),
+	env: t.string(),
+	adapter: t.string(),
+	workers: t.array(platformStatusWorkerSchema),
+	databases: t.array(platformStatusResourceSchema),
+	buckets: t.array(platformStatusResourceSchema),
+	kvNamespaces: t.array(platformStatusResourceSchema),
+	queues: t.array(platformStatusResourceSchema),
+	secrets: t.array(platformStatusSecretSchema)
+});
+const platformPlanAppResourcesSchema = t.object({
+	hasDatabase: t.boolean(),
+	hasBucket: t.boolean(),
+	hasKV: t.boolean(),
+	hasQueue: t.boolean(),
+	hasCron: t.boolean()
+});
+const platformPlanAppSchema = t.object({
+	name: t.string(),
+	path: t.string(),
+	resources: platformPlanAppResourcesSchema
+});
+const platformPlanEnvironmentSchema = t.object({
+	adapter: t.string(),
+	domain: t.optional(t.string()),
+	zone: t.optional(t.string())
+});
+const platformPlanResourceSchema = t.object({
+	label: t.string(),
+	value: t.string()
+});
+const platformPlanSchema = t.object({
+	project: t.string(),
+	env: t.string(),
+	mode: t.enum(["monorepo", "standalone"]),
+	apps: t.array(platformPlanAppSchema),
+	environments: t.record(t.string(), platformPlanEnvironmentSchema),
+	resources: t.array(platformPlanResourceSchema),
+	secretCount: t.number()
+});
+//#endregion
+//#region ../../src/cli/platform-lib/index.ts
+/**
+* Framework-agnostic platform deploy services.
+*
+* Exports `PlatformOrchestrator` + adapters + secret stores + the
+* `platformOptions` atom — everything needed to drive a deploy
+* programmatically. **No `$command` instances** and **no
+* `AppEntryProvider` / `ViteBuildProvider` dependency** — so consumers
+* importing this subpath don't pull in the CLI argv-parser or Vite.
+*
+* Used by Alepha Rocket (and other non-CLI deploy orchestrators) to
+* call `orchestrator.up({ ... })` directly. For CLI usage
+* (`alepha platform up`), import `AlephaCliPlatformPlugin` from
+* `alepha/cli/platform` — that one adds the command layer on top.
+*/
+const AlephaPlatformLibPlugin = $module({
+	name: "alepha.cli.platform-lib",
+	services: [
+		CloudflareAdapter,
+		CloudflareApi,
+		VercelAdapter,
+		VercelApi,
+		VercelCli,
+		WranglerApi,
+		PlatformCacheProvider,
+		GitHubSecretStore,
+		MemorySecretStore,
+		NamingService,
+		SecretFilterService,
+		PlatformInspector,
+		PlatformOrchestrator
+	]
+});
+//#endregion
+export { AlephaPlatformLibPlugin, CloudflareAdapter, CloudflareApi, GitHubSecretStore, MemorySecretStore, NamingContext, NamingService, PlatformAdapter, PlatformCacheProvider, PlatformInspector, PlatformOrchestrator, SecretFilterService, SecretStoreProvider, VercelAdapter, VercelApi, VercelCli, WranglerApi, cloudflareAccountSchema, cloudflareApiErrorSchema, cloudflareD1Schema, cloudflareDeploymentListSchema, cloudflareDeploymentSchema, cloudflareDeploymentVersionSchema, cloudflareHyperdriveOriginSchema, cloudflareHyperdriveSchema, cloudflareKVSchema, cloudflareQueueConsumerSchema, cloudflareQueueSchema, cloudflareR2ListSchema, cloudflareR2Schema, cloudflareR2TokenSchema, cloudflareSecretSchema, cloudflareVersionListSchema, cloudflareVersionSchema, cloudflareWorkerSchema, createD1BodySchema, createEnvVarBodySchema, createHyperdriveBodySchema, createHyperdriveOriginSchema, createKVBodySchema, createProjectBodySchema, createQueueBodySchema, createR2BodySchema, createR2TokenBodySchema, platformOptions, platformPlanAppResourcesSchema, platformPlanAppSchema, platformPlanEnvironmentSchema, platformPlanResourceSchema, platformPlanSchema, platformStatusResourceSchema, platformStatusSchema, platformStatusSecretSchema, platformStatusWorkerSchema, putSecretBodySchema, resolveTenant, tenantDomain, vercelDeploymentSchema, vercelEnvVarSchema, vercelProjectSchema };
+
+//# sourceMappingURL=index.js.map