alepha 0.21.2 → 0.23.0

package/dist/cli/platform/index.js

@@ -1,2169 +1,8 @@
-import { $atom, $context, $inject, $module, $state, Alepha, AlephaError, t } from "alepha";
-import { AlephaCli, AlephaCliUtils, AppEntryProvider, PackageManagerUtils, ViteBuildProvider } from "alepha/cli";
-import { createHash } from "node:crypto";
-import { $command, Asker, EnvUtils, Runner } from "alepha/command";
+import { $context, $inject, $module, $state, AlephaError, t } from "alepha";
+import { AlephaCli, AppEntryProvider, ViteBuildProvider } from "alepha/cli";
+import { AlephaPlatformLibPlugin, CloudflareAdapter, GitHubSecretStore, NamingService, PlatformInspector, PlatformOrchestrator, SecretFilterService, VercelAdapter, platformOptions, resolveTenant } from "alepha/cli/platform-lib";
+import { $command, EnvUtils } from "alepha/command";
 import { $logger, ConsoleColorProvider } from "alepha/logger";
-import { FileSystemProvider, ShellProvider } from "alepha/system";
-import { S3mini } from "s3mini";
-import { DateTimeProvider } from "alepha/datetime";
-import { homedir, platform as platform$1 } from "node:os";
-import { join } from "node:path";
-//#region ../../src/cli/platform/providers/PlatformCacheProvider.ts
-/**
-* Caches cloud provider login state to avoid slow auth checks.
-*
-* Stored in node_modules/.alepha/platform.json (gitignored, project-scoped).
-* TTL: 4 hours.
-*/
-var PlatformCacheProvider = class PlatformCacheProvider {
-	static TTL_MS = 14400 * 1e3;
-	fs = $inject(FileSystemProvider);
-	dateTime = $inject(DateTimeProvider);
-	cachePath(root) {
-		return this.fs.join(root, "node_modules", ".alepha", "platform.json");
-	}
-	async isLoginFresh(root, adapter) {
-		const entry = (await this.readCache(root))[adapter];
-		if (!entry) return false;
-		return this.dateTime.nowMillis() - entry.lastLoginCheck < PlatformCacheProvider.TTL_MS;
-	}
-	async getAccountId(root, adapter) {
-		return (await this.readCache(root))[adapter]?.accountId;
-	}
-	async recordLogin(root, adapter, accountId) {
-		const cache = await this.readCache(root);
-		cache[adapter] = {
-			lastLoginCheck: this.dateTime.nowMillis(),
-			accountId
-		};
-		await this.writeCache(root, cache);
-	}
-	async readCache(root) {
-		const path = this.cachePath(root);
-		try {
-			return await this.fs.readJsonFile(path);
-		} catch {
-			return {};
-		}
-	}
-	async writeCache(root, cache) {
-		const path = this.cachePath(root);
-		const lastSlash = path.lastIndexOf("/");
-		const dir = lastSlash > 0 ? path.slice(0, lastSlash) : path;
-		await this.fs.mkdir(dir, { recursive: true }).catch(() => null);
-		await this.fs.writeFile(path, JSON.stringify(cache, null, 2));
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/schemas/cloudflare.ts
-const cloudflareAccountSchema = t.object({
-	id: t.string(),
-	name: t.string()
-});
-const cloudflareD1Schema = t.object({
-	uuid: t.string(),
-	name: t.string()
-});
-const cloudflareKVSchema = t.object({
-	id: t.string(),
-	title: t.string()
-});
-const cloudflareR2Schema = t.object({
-	name: t.string(),
-	creation_date: t.optional(t.string())
-});
-const cloudflareR2ListSchema = t.object({ buckets: t.array(cloudflareR2Schema) });
-const cloudflareQueueSchema = t.object({
-	queue_id: t.string(),
-	queue_name: t.string()
-});
-const cloudflareQueueConsumerSchema = t.object({
-	consumer_id: t.string(),
-	service: t.string(),
-	environment: t.optional(t.string())
-});
-const cloudflareHyperdriveOriginSchema = t.object({ host: t.string() });
-const cloudflareHyperdriveSchema = t.object({
-	id: t.string(),
-	name: t.string(),
-	origin: cloudflareHyperdriveOriginSchema
-});
-const cloudflareWorkerSchema = t.object({
-	id: t.string(),
-	created_on: t.string(),
-	modified_on: t.string()
-});
-const cloudflareDeploymentVersionSchema = t.object({
-	version_id: t.string(),
-	percentage: t.number()
-});
-const cloudflareDeploymentSchema = t.object({
-	id: t.string(),
-	versions: t.array(cloudflareDeploymentVersionSchema),
-	created_on: t.string()
-});
-const cloudflareDeploymentListSchema = t.object({ deployments: t.array(cloudflareDeploymentSchema) });
-const cloudflareVersionSchema = t.object({
-	id: t.string(),
-	metadata: t.object({ created_on: t.string() }),
-	annotations: t.optional(t.record(t.string(), t.string()))
-});
-const cloudflareVersionListSchema = t.object({ items: t.array(cloudflareVersionSchema) });
-const cloudflareSecretSchema = t.object({
-	name: t.string(),
-	type: t.string()
-});
-const createD1BodySchema = t.object({
-	name: t.string(),
-	primary_location_hint: t.optional(t.string()),
-	jurisdiction: t.optional(t.string())
-});
-const createKVBodySchema = t.object({ title: t.string() });
-const createR2BodySchema = t.object({ name: t.string() });
-const cloudflareR2TokenSchema = t.object({
-	id: t.string(),
-	accessKeyId: t.string(),
-	secretAccessKey: t.string()
-});
-const createR2TokenBodySchema = t.object({
-	name: t.string(),
-	policies: t.array(t.object({
-		effect: t.string(),
-		permissions: t.array(t.string()),
-		buckets: t.optional(t.array(t.string()))
-	}))
-});
-const createQueueBodySchema = t.object({ queue_name: t.string() });
-const createHyperdriveOriginSchema = t.object({
-	scheme: t.string(),
-	host: t.string(),
-	port: t.number(),
-	database: t.string(),
-	user: t.string(),
-	password: t.string()
-});
-const createHyperdriveBodySchema = t.object({
-	name: t.string(),
-	origin: createHyperdriveOriginSchema
-});
-const putSecretBodySchema = t.object({
-	name: t.string(),
-	text: t.string(),
-	type: t.string()
-});
-const cloudflareApiErrorSchema = t.object({
-	code: t.number(),
-	message: t.string()
-});
-//#endregion
-//#region ../../src/cli/platform/services/WranglerApi.ts
-/**
-* Wraps wrangler CLI commands that are kept as shell-outs.
-*
-* Only used for operations where wrangler provides value
-* beyond a raw API call: OAuth login, worker deploy (bundling/upload),
-* D1 migrations, and secret bulk push.
-*/
-var WranglerApi = class {
-	log = $logger();
-	shell = $inject(ShellProvider);
-	utils = $inject(AlephaCliUtils);
-	pm = $inject(PackageManagerUtils);
-	runner = $inject(Runner);
-	async runShell(command, options = {}) {
-		const capture = options.capture;
-		const output = await this.shell.run(command, {
-			...options,
-			capture: capture ?? this.runner.useDynamicLogger
-		});
-		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
-		return output;
-	}
-	/**
-	* Ensure wrangler is installed in the project.
-	*/
-	async ensureInstalled(root, run) {
-		await this.pm.ensureDependency(root, "wrangler", {
-			dev: true,
-			exec: async (cmd, opts) => {
-				run.pause();
-				try {
-					await this.utils.exec(cmd, opts);
-				} finally {
-					run.resume();
-				}
-			}
-		});
-	}
-	/**
-	* Check if the user is authenticated. Returns the whoami output.
-	*/
-	async whoami() {
-		return await this.runShell("wrangler whoami", {
-			resolve: true,
-			capture: true
-		});
-	}
-	/**
-	* Open the browser-based OAuth login flow.
-	*/
-	async login() {
-		await this.runShell("wrangler login", { resolve: true });
-	}
-	/**
-	* Get the current auth token from wrangler (auto-refreshes if expired).
-	*/
-	async getAuthToken() {
-		const output = await this.shell.run("wrangler auth token --json", {
-			resolve: true,
-			capture: true
-		});
-		return JSON.parse(output).token;
-	}
-	/**
-	* Deploy a worker via wrangler (handles bundling and upload).
-	*
-	* Returns the workers.dev URL if found in the output.
-	*/
-	async deploy(workerName, configPath) {
-		return (await this.runShell(`wrangler deploy --name=${workerName} --no-bundle --config=${configPath}`, {
-			resolve: true,
-			capture: true
-		})).match(/https:\/\/[^\s]*\.workers\.dev/)?.[0];
-	}
-	/**
-	* Apply D1 migrations remotely.
-	*/
-	async d1MigrationsApply(dbName, configPath) {
-		await this.runShell(`wrangler d1 migrations apply ${dbName} --remote --config=${configPath}`, {
-			resolve: true,
-			env: { CI: "1" }
-		});
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/services/CloudflareApi.ts
-/**
-* Thin wrapper over the Cloudflare REST API.
-*
-* Uses `wrangler auth token` to obtain credentials,
-* then calls `fetch()` directly for all CRUD operations.
-*/
-var CloudflareApi = class CloudflareApi {
-	static BASE = "https://api.cloudflare.com/client/v4";
-	log = $logger();
-	alepha = $inject(Alepha);
-	wrangler = $inject(WranglerApi);
-	token;
-	accountId;
-	jurisdiction;
-	/**
-	* Set the Cloudflare data jurisdiction for R2 and D1 resources.
-	*
-	* R2 buckets and D1 databases created under a jurisdiction live in a
-	* separate namespace — every R2 API call (list/create/delete) must include
-	* the `cf-r2-jurisdiction` header, and D1 create must include the field
-	* in the request body. Omit / pass `undefined` for the default (global).
-	*/
-	setJurisdiction(jurisdiction) {
-		this.jurisdiction = jurisdiction;
-	}
-	/**
-	* Override the Cloudflare account ID (from platform config).
-	*
-	* When unset, `resolveAccountId` falls back to `CLOUDFLARE_ACCOUNT_ID` env
-	* var or the token's single account.
-	*/
-	setAccountId(accountId) {
-		this.accountId = accountId;
-	}
-	/**
-	* Obtain the current auth token from wrangler.
-	*/
-	async resolveToken() {
-		if (this.token) return this.token;
-		this.token = await this.wrangler.getAuthToken();
-		return this.token;
-	}
-	/**
-	* Resolve the Cloudflare account ID.
-	*
-	* Calls /accounts and picks the first one. Cached after first call.
-	*/
-	async resolveAccountId() {
-		if (this.accountId) return this.accountId;
-		const fromEnv = process.env.CLOUDFLARE_ACCOUNT_ID;
-		if (fromEnv) {
-			this.accountId = fromEnv;
-			return this.accountId;
-		}
-		const res = await this.fetch("/accounts", { schema: t.array(cloudflareAccountSchema) });
-		if (res.length === 0) throw new AlephaError("No Cloudflare accounts found for this token.");
-		if (res.length > 1) {
-			const list = res.map((a) => `  - ${a.id}  ${a.name}`).join("\n");
-			throw new AlephaError(`Cloudflare token has access to ${res.length} accounts; set \`CLOUDFLARE_ACCOUNT_ID\` or the \`accountId\` field in your platform config to pick one:\n${list}`);
-		}
-		this.accountId = res[0].id;
-		return this.accountId;
-	}
-	async listD1() {
-		const accountId = await this.resolveAccountId();
-		return await this.paginate(`/accounts/${accountId}/d1/database`, cloudflareD1Schema);
-	}
-	async createD1(name, location = "weur") {
-		const accountId = await this.resolveAccountId();
-		const body = { name };
-		if (this.jurisdiction) body.jurisdiction = this.jurisdiction;
-		else body.primary_location_hint = location;
-		return await this.fetch(`/accounts/${accountId}/d1/database`, {
-			method: "POST",
-			body,
-			bodySchema: createD1BodySchema,
-			schema: cloudflareD1Schema
-		});
-	}
-	async deleteD1(databaseId) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/d1/database/${databaseId}`, { method: "DELETE" });
-	}
-	async listKV() {
-		const accountId = await this.resolveAccountId();
-		return await this.paginate(`/accounts/${accountId}/storage/kv/namespaces`, cloudflareKVSchema, 100);
-	}
-	async createKV(title) {
-		const accountId = await this.resolveAccountId();
-		return await this.fetch(`/accounts/${accountId}/storage/kv/namespaces`, {
-			method: "POST",
-			body: { title },
-			bodySchema: createKVBodySchema,
-			schema: cloudflareKVSchema
-		});
-	}
-	async deleteKV(namespaceId) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/storage/kv/namespaces/${namespaceId}`, { method: "DELETE" });
-	}
-	async listR2() {
-		const accountId = await this.resolveAccountId();
-		return await this.paginateCursor(`/accounts/${accountId}/r2/buckets`, "buckets", cloudflareR2Schema);
-	}
-	async createR2(name) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/r2/buckets`, {
-			method: "POST",
-			body: { name },
-			bodySchema: createR2BodySchema
-		});
-	}
-	async deleteR2(name) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/r2/buckets/${name}`, { method: "DELETE" });
-	}
-	/**
-	* Mint a bucket-scoped R2 API token (S3 access key + secret) using the
-	* current bearer token. Used by teardown to wipe a bucket over the S3
-	* protocol without requiring users to pre-create R2 access keys.
-	*
-	* The returned token should be revoked with `deleteR2Token` as soon as the
-	* wipe is done.
-	*/
-	async createR2Token(name, bucket) {
-		const accountId = await this.resolveAccountId();
-		return await this.fetch(`/accounts/${accountId}/r2/api-tokens`, {
-			method: "POST",
-			body: {
-				name,
-				policies: [{
-					effect: "allow",
-					permissions: ["admin-read-write"],
-					buckets: [bucket]
-				}]
-			},
-			bodySchema: createR2TokenBodySchema,
-			schema: cloudflareR2TokenSchema
-		});
-	}
-	async deleteR2Token(tokenId) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/r2/api-tokens/${tokenId}`, { method: "DELETE" });
-	}
-	async listQueues() {
-		const accountId = await this.resolveAccountId();
-		return await this.paginate(`/accounts/${accountId}/queues`, cloudflareQueueSchema);
-	}
-	async createQueue(name) {
-		const accountId = await this.resolveAccountId();
-		return await this.fetch(`/accounts/${accountId}/queues`, {
-			method: "POST",
-			body: { queue_name: name },
-			bodySchema: createQueueBodySchema,
-			schema: cloudflareQueueSchema
-		});
-	}
-	async deleteQueue(queueId) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/queues/${queueId}`, { method: "DELETE" });
-	}
-	async listQueueConsumers(queueId) {
-		const accountId = await this.resolveAccountId();
-		return await this.paginate(`/accounts/${accountId}/queues/${queueId}/consumers`, cloudflareQueueConsumerSchema);
-	}
-	async deleteQueueConsumer(queueId, consumerService) {
-		const accountId = await this.resolveAccountId();
-		const consumer = (await this.listQueueConsumers(queueId)).find((c) => c.service === consumerService);
-		if (!consumer) return;
-		await this.fetch(`/accounts/${accountId}/queues/${queueId}/consumers/${consumer.consumer_id}`, { method: "DELETE" });
-	}
-	async listHyperdrive() {
-		const accountId = await this.resolveAccountId();
-		return await this.paginate(`/accounts/${accountId}/hyperdrive/configs`, cloudflareHyperdriveSchema);
-	}
-	async createHyperdrive(name, connectionString) {
-		const accountId = await this.resolveAccountId();
-		return await this.fetch(`/accounts/${accountId}/hyperdrive/configs`, {
-			method: "POST",
-			body: {
-				name,
-				origin: this.parseConnectionString(connectionString)
-			},
-			bodySchema: createHyperdriveBodySchema,
-			schema: cloudflareHyperdriveSchema
-		});
-	}
-	async deleteHyperdrive(configId) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/hyperdrive/configs/${configId}`, { method: "DELETE" });
-	}
-	async getWorker(scriptName) {
-		const accountId = await this.resolveAccountId();
-		try {
-			return await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}`, { schema: cloudflareWorkerSchema });
-		} catch {
-			return;
-		}
-	}
-	async deleteWorker(scriptName) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}`, {
-			method: "DELETE",
-			query: { force: "true" }
-		});
-	}
-	async listDeployments(scriptName) {
-		const accountId = await this.resolveAccountId();
-		return (await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/deployments`, {
-			schema: cloudflareDeploymentListSchema,
-			query: { per_page: "100" }
-		})).deployments;
-	}
-	async listVersions(scriptName) {
-		const accountId = await this.resolveAccountId();
-		return await this.paginateCursor(`/accounts/${accountId}/workers/scripts/${scriptName}/versions`, "items", cloudflareVersionSchema);
-	}
-	async listSecrets(scriptName) {
-		const accountId = await this.resolveAccountId();
-		return await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/secrets`, { schema: t.array(cloudflareSecretSchema) });
-	}
-	async putSecret(scriptName, name, value) {
-		const accountId = await this.resolveAccountId();
-		await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/secrets`, {
-			method: "PUT",
-			body: {
-				name,
-				text: value,
-				type: "secret_text"
-			},
-			bodySchema: putSecretBodySchema
-		});
-	}
-	/**
-	* Fetch the current worker bindings via the script-settings endpoint.
-	* Used to merge new secrets into the existing binding set in one PATCH
-	* (avoids the per-secret `putSecret` calls, each of which creates a
-	* Cloudflare deployment — pushing 7 secrets meant 7 deployment rows).
-	*
-	* Secret bindings come back with `name` + `type` but no `text` (they're
-	* write-only on Cloudflare's side); to preserve them across a PATCH we
-	* forward each one as `{ type, name }` and Cloudflare keeps the stored
-	* value.
-	*/
-	async getWorkerSettings(scriptName) {
-		const accountId = await this.resolveAccountId();
-		return await this.fetch(`/accounts/${accountId}/workers/scripts/${scriptName}/settings`);
-	}
-	/**
-	* Replace the worker's binding set in one call (= one Cloudflare
-	* deployment, regardless of how many secrets are being updated).
-	*
-	* The endpoint expects multipart FormData with a `settings` field whose
-	* value is a JSON-encoded `{ bindings: [...] }` — the `fetch` helper
-	* above is JSON-only, so this one bypasses it and calls `globalThis.fetch`
-	* directly. Mirrors what `wrangler secret bulk` does internally.
-	*/
-	async patchWorkerBindings(scriptName, bindings) {
-		const accountId = await this.resolveAccountId();
-		const token = await this.resolveToken();
-		const url = `${CloudflareApi.BASE}/accounts/${accountId}/workers/scripts/${scriptName}/settings`;
-		const form = new FormData();
-		form.set("settings", JSON.stringify({ bindings }));
-		const response = await globalThis.fetch(url, {
-			method: "PATCH",
-			headers: { Authorization: `Bearer ${token}` },
-			body: form
-		});
-		const json = await response.json().catch(() => null);
-		if (!response.ok || !json?.success) {
-			const messages = json?.errors?.map((e) => e.message).join(", ");
-			throw new AlephaError(`Cloudflare API error (PATCH /workers/scripts/${scriptName}/settings): ${messages ?? response.statusText}`);
-		}
-	}
-	async fetch(path, options = {}) {
-		const token = await this.resolveToken();
-		const { method = "GET", body, query } = options;
-		let url = `${CloudflareApi.BASE}${path}`;
-		if (query) {
-			const params = new URLSearchParams(query);
-			url += `?${params.toString()}`;
-		}
-		const headers = { Authorization: `Bearer ${token}` };
-		if (this.jurisdiction && /\/r2\//.test(path)) headers["cf-r2-jurisdiction"] = this.jurisdiction;
-		const init = {
-			method,
-			headers
-		};
-		if (body) {
-			headers["Content-Type"] = "application/json";
-			const validated = options.bodySchema ? this.alepha.codec.validate(options.bodySchema, body) : body;
-			init.body = JSON.stringify(validated);
-		}
-		const json = await (await globalThis.fetch(url, init)).json();
-		if (!json.success) throw new AlephaError(`Cloudflare API error (${method} ${path}): ${json.errors.map((e) => e.message).join(", ")}`);
-		if (options.schema) return this.alepha.codec.validate(options.schema, json.result);
-		return json.result;
-	}
-	/**
-	* Paginate a page-based list endpoint (`result_info.total_pages`).
-	*
-	* Cloudflare defaults to `per_page=20`; we push it to 1000 (max on most
-	* list endpoints) and loop if more pages exist. Each page is validated
-	* against the item schema.
-	*/
-	async paginate(path, itemSchema, perPage = 1e3) {
-		const results = [];
-		let page = 1;
-		while (true) {
-			const token = await this.resolveToken();
-			const url = `${CloudflareApi.BASE}${path}?per_page=${perPage}&page=${page}`;
-			const headers = { Authorization: `Bearer ${token}` };
-			if (this.jurisdiction && /\/r2\//.test(path)) headers["cf-r2-jurisdiction"] = this.jurisdiction;
-			const json = await (await globalThis.fetch(url, {
-				method: "GET",
-				headers
-			})).json();
-			if (!json.success) throw new AlephaError(`Cloudflare API error (GET ${path}): ${json.errors.map((e) => e.message).join(", ")}`);
-			const validated = this.alepha.codec.validate(t.array(itemSchema), json.result);
-			results.push(...validated);
-			const totalPages = json.result_info?.total_pages;
-			if (!totalPages || page >= totalPages || validated.length === 0) break;
-			page++;
-		}
-		return results;
-	}
-	/**
-	* Paginate a cursor-based list endpoint where `result` is an object
-	* containing both the items array and a `cursor` field (R2 buckets,
-	* Workers versions). Returns the flattened item array.
-	*/
-	async paginateCursor(path, itemsKey, itemSchema, perPage = 1e3) {
-		const results = [];
-		let cursor;
-		while (true) {
-			const query = { per_page: String(perPage) };
-			if (cursor) query.cursor = cursor;
-			const res = await this.fetch(path, { query });
-			const items = res[itemsKey] ?? [];
-			const validated = this.alepha.codec.validate(t.array(itemSchema), items);
-			results.push(...validated);
-			const nextCursor = res.cursor;
-			if (!nextCursor || validated.length === 0) break;
-			cursor = nextCursor;
-		}
-		return results;
-	}
-	/**
-	* Parse a postgres:// connection string into Hyperdrive origin fields.
-	*/
-	parseConnectionString(connectionString) {
-		const url = new URL(connectionString);
-		return {
-			scheme: "postgres",
-			host: url.hostname,
-			port: Number(url.port) || 5432,
-			database: url.pathname.slice(1),
-			user: decodeURIComponent(url.username),
-			password: decodeURIComponent(url.password)
-		};
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/adapters/PlatformAdapter.ts
-/**
-* Abstract platform adapter.
-*
-* Each cloud provider (Cloudflare, AKS, docker-compose) implements this.
-* The PlatformOrchestrator calls these methods in the correct order.
-*/
-var PlatformAdapter = class {
-	/**
-	* Create/ensure cloud resources exist (DB, buckets, queues).
-	* Not all adapters provision -- AKS defers to Helm.
-	*/
-	async provision(_ctx, _run) {}
-	/**
-	* Run database migrations.
-	*/
-	async migrate(_ctx, _run) {}
-	/**
-	* Push runtime secrets to the deployed worker(s).
-	*
-	* Reads secrets from `.env.{env}` files (parsed, not from process.env),
-	* filters out vars already handled by bindings (DATABASE_URL, R2, etc.),
-	* and pushes the rest via the platform's secret management.
-	*/
-	async secrets(_ctx, _run) {}
-};
-//#endregion
-//#region ../../src/cli/platform/adapters/CloudflareAdapter.ts
-/**
-* Cloudflare Workers adapter.
-*
-* Uses the Cloudflare REST API (via CloudflareApi) for resource provisioning
-* and teardown, and wrangler CLI (via WranglerApi) for login, deploy,
-* D1 migrations, and secret bulk push.
-*/
-var CloudflareAdapter = class CloudflareAdapter extends PlatformAdapter {
-	log = $logger();
-	fs = $inject(FileSystemProvider);
-	shell = $inject(ShellProvider);
-	cache = $inject(PlatformCacheProvider);
-	alepha = $inject(Alepha);
-	envUtils = $inject(EnvUtils);
-	api = $inject(CloudflareApi);
-	wrangler = $inject(WranglerApi);
-	runner = $inject(Runner);
-	provisionedD1Id;
-	provisionedHyperdriveId;
-	provisionedKVIds = /* @__PURE__ */ new Map();
-	/**
-	* Check if the user's DATABASE_URL points to an external Postgres database.
-	* If so, we use Hyperdrive instead of D1.
-	*
-	* Reads from `.env.{env}` first, falls back to `process.env`.
-	*/
-	async isPostgres(ctx) {
-		return !!((await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`])).DATABASE_URL ?? process.env.DATABASE_URL)?.startsWith("postgres:");
-	}
-	/**
-	* Propagate the environment's data-jurisdiction setting to the API client.
-	*
-	* Must be invoked at the top of every entry point (authenticate, build,
-	* deploy, secrets, provision, migrate, inspect, teardown) because
-	* CloudflareApi is a singleton reused across env invocations.
-	*/
-	configureApi(ctx) {
-		this.api.setJurisdiction(ctx.envConfig.jurisdiction);
-		this.api.setAccountId(ctx.envConfig.accountId);
-	}
-	async runShell(command, options = {}) {
-		const capture = options.capture;
-		const output = await this.shell.run(command, {
-			...options,
-			capture: capture ?? this.runner.useDynamicLogger
-		});
-		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
-		return output;
-	}
-	async authenticate(ctx, run) {
-		this.configureApi(ctx);
-		await run({
-			name: "authenticate",
-			handler: async () => {
-				await this.wrangler.ensureInstalled(ctx.root, run);
-				let needsLogin = false;
-				try {
-					await this.wrangler.getAuthToken();
-				} catch {
-					needsLogin = true;
-				}
-				if (needsLogin) {
-					run.pause();
-					await this.wrangler.login();
-					run.resume();
-				}
-				if (await this.cache.isLoginFresh(ctx.root, "cloudflare")) return;
-				try {
-					const accountId = await this.api.resolveAccountId();
-					await this.cache.recordLogin(ctx.root, "cloudflare", accountId);
-				} catch {
-					await this.cache.recordLogin(ctx.root, "cloudflare");
-				}
-			}
-		});
-	}
-	async build(ctx, run) {
-		this.configureApi(ctx);
-		const appDir = ctx.app.path ? this.fs.join(ctx.root, ctx.app.path) : ctx.root;
-		const env = {};
-		if (ctx.app.resources.hasDatabase) {
-			if (this.provisionedHyperdriveId) {
-				env.HYPERDRIVE_ID = this.provisionedHyperdriveId;
-				const pgSchema = (await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`])).POSTGRES_SCHEMA ?? process.env.POSTGRES_SCHEMA;
-				if (pgSchema) env.POSTGRES_SCHEMA = pgSchema;
-			} else if (this.provisionedD1Id) env.DATABASE_URL = `d1://${ctx.naming.d1()}:${this.provisionedD1Id}`;
-		}
-		if (ctx.app.resources.hasBucket) env.R2_BUCKET_NAME = ctx.naming.r2();
-		if (ctx.app.resources.hasKV) {
-			const kvName = ctx.naming.kv();
-			env.CLOUDFLARE_KV_NAME = kvName;
-			const kvId = this.provisionedKVIds.get(kvName);
-			if (kvId) env.CLOUDFLARE_KV_ID = kvId;
-		}
-		if (ctx.app.resources.hasQueue) env.CLOUDFLARE_QUEUE_NAME = ctx.naming.queue();
-		if (ctx.envConfig.domain) {
-			if (ctx.envConfig.domain.includes("*") && !ctx.envConfig.zone) throw new AlephaError(`Wildcard domain "${ctx.envConfig.domain}" requires "zone" to be set in the environment config (the Cloudflare zone name, e.g. "alepha.dev").`);
-			env.CLOUDFLARE_DOMAIN = ctx.envConfig.domain;
-			if (ctx.envConfig.zone) env.CLOUDFLARE_ZONE = ctx.envConfig.zone;
-		}
-		if (ctx.envConfig.jurisdiction) env.CLOUDFLARE_JURISDICTION = ctx.envConfig.jurisdiction;
-		const cmd = ctx.prebuilt ? "alepha build -t cloudflare --prebuilt" : "alepha build -t cloudflare";
-		await run({
-			name: cmd,
-			handler: async () => {
-				await this.runShell(cmd, {
-					root: appDir,
-					env
-				});
-			}
-		});
-	}
-	async deploy(ctx, run) {
-		this.configureApi(ctx);
-		const workerName = ctx.naming.worker();
-		const distDir = ctx.app.path ? this.fs.join(ctx.root, ctx.app.path, "dist") : this.fs.join(ctx.root, "dist");
-		let url;
-		await run({
-			name: `deploy worker ${ctx.app.name}`,
-			handler: async () => {
-				url = await this.wrangler.deploy(workerName, `${distDir}/wrangler.jsonc`);
-			}
-		});
-		return url;
-	}
-	/**
-	* Vars that are handled by wrangler bindings or build config.
-	* These should not be pushed as secrets.
-	*/
-	static EXCLUDED_SECRET_KEYS = new Set([
-		"DATABASE_URL",
-		"R2_BUCKET_NAME",
-		"CLOUDFLARE_DOMAIN",
-		"CLOUDFLARE_ZONE",
-		"CLOUDFLARE_JURISDICTION",
-		"HYPERDRIVE_ID",
-		"POSTGRES_SCHEMA",
-		"NODE_ENV"
-	]);
-	async secrets(ctx, run) {
-		this.configureApi(ctx);
-		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
-		const secrets = {};
-		for (const [key, value] of Object.entries(envVars)) {
-			if (!value) continue;
-			if (CloudflareAdapter.EXCLUDED_SECRET_KEYS.has(key)) continue;
-			if (key.startsWith("VITE_")) continue;
-			secrets[key] = value;
-		}
-		if (Object.keys(secrets).length === 0) return;
-		const hash = computeSecretsHash(secrets);
-		for (const _app of ctx.apps) {
-			const workerName = ctx.naming.worker();
-			await run({
-				name: `push secrets to ${workerName} (bulk)`,
-				handler: async () => {
-					const existingBindings = (await this.api.getWorkerSettings(workerName)).bindings ?? [];
-					if (existingBindings.find((b) => b.type === "plain_text" && b.name === CloudflareAdapter.SECRETS_HASH_BINDING)?.text === hash) {
-						this.log.info(`Secrets for ${workerName} unchanged (hash ${hash.slice(0, 8)}…), skipping push.`);
-						return;
-					}
-					const overwriting = new Set(Object.keys(secrets));
-					const inherit = existingBindings.filter((b) => !(b.type === "plain_text" && b.name === CloudflareAdapter.SECRETS_HASH_BINDING) && (b.type !== "secret_text" || !overwriting.has(b.name))).map((b) => ({
-						type: b.type,
-						name: b.name
-					}));
-					const upsert = Object.entries(secrets).map(([name, text]) => ({
-						type: "secret_text",
-						name,
-						text
-					}));
-					await this.api.patchWorkerBindings(workerName, [
-						...inherit,
-						...upsert,
-						{
-							type: "plain_text",
-							name: CloudflareAdapter.SECRETS_HASH_BINDING,
-							text: hash
-						}
-					]);
-				}
-			});
-		}
-	}
-	/**
-	* Plain-text binding used to fingerprint the deployed secret set so the
-	* next `up` can skip the PATCH when nothing has changed.
-	*/
-	static SECRETS_HASH_BINDING = "ALEPHA_SECRETS_HASH";
-	async provision(ctx, run) {
-		this.configureApi(ctx);
-		const needsDB = ctx.apps.some((a) => a.resources.hasDatabase);
-		const needsBucket = ctx.apps.some((a) => a.resources.hasBucket);
-		const postgres = needsDB && await this.isPostgres(ctx);
-		const tasks = [];
-		if (needsDB) if (postgres) {
-			const hdName = ctx.naming.hyperdrive();
-			const dbUrl = (await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`])).DATABASE_URL ?? process.env.DATABASE_URL;
-			tasks.push({
-				name: `provision hyperdrive (${hdName})`,
-				handler: async () => {
-					this.provisionedHyperdriveId = await this.ensureHyperdrive(hdName, dbUrl);
-				}
-			});
-		} else {
-			const dbName = ctx.naming.d1();
-			tasks.push({
-				name: `provision d1 (${dbName})`,
-				handler: async () => {
-					this.provisionedD1Id = await this.ensureD1(dbName);
-				}
-			});
-		}
-		if (needsBucket) {
-			const bucketName = ctx.naming.r2();
-			tasks.push({
-				name: `provision r2 (${bucketName})`,
-				handler: async () => {
-					await this.ensureR2(bucketName);
-				}
-			});
-		}
-		for (const app of ctx.apps) {
-			if (app.resources.hasKV) {
-				const kvName = ctx.naming.kv();
-				tasks.push({
-					name: `provision kv (${kvName})`,
-					handler: async () => {
-						this.provisionedKVIds.set(kvName, await this.ensureKV(kvName));
-					}
-				});
-			}
-			if (app.resources.hasQueue) {
-				const queueName = ctx.naming.queue();
-				tasks.push({
-					name: `provision queue (${queueName})`,
-					handler: async () => {
-						await this.ensureQueue(queueName);
-					}
-				});
-			}
-		}
-		await run(tasks);
-	}
-	async migrate(ctx, run) {
-		this.configureApi(ctx);
-		if (!ctx.apps.some((a) => a.resources.hasDatabase)) return;
-		if (await this.isPostgres(ctx)) await this.migratePostgres(ctx, run);
-		else await this.migrateD1(ctx, run);
-	}
-	async migrateD1(ctx, run) {
-		const dbName = ctx.naming.d1();
-		await run({
-			name: "migrate d1",
-			handler: async () => {
-				const migrationsDir = this.fs.join(ctx.root, "migrations", "sqlite");
-				const env = { DATABASE_URL: this.provisionedD1Id ? `d1://${dbName}:${this.provisionedD1Id}` : `d1://${dbName}` };
-				if (await this.fs.exists(migrationsDir)) await this.runShell(`alepha db migrations check --mode ${ctx.env}`, {
-					resolve: true,
-					env
-				});
-				else await this.runShell(`alepha db migrations create --mode ${ctx.env}`, {
-					resolve: true,
-					env
-				});
-				const distMigrations = this.fs.join(ctx.root, "dist", "migrations");
-				await this.fs.cp(migrationsDir, distMigrations);
-				await this.wrangler.d1MigrationsApply(dbName, "dist/wrangler.jsonc");
-				await this.fs.rm(distMigrations, { recursive: true });
-			}
-		});
-	}
-	async migratePostgres(ctx, run) {
-		await run({
-			name: "migrate postgres",
-			handler: async () => {
-				const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
-				const env = { DATABASE_URL: envVars.DATABASE_URL ?? process.env.DATABASE_URL };
-				if (envVars.POSTGRES_SCHEMA ?? process.env.POSTGRES_SCHEMA) env.POSTGRES_SCHEMA = envVars.POSTGRES_SCHEMA ?? process.env.POSTGRES_SCHEMA;
-				await this.runShell(`alepha db migrations apply --mode ${ctx.env}`, {
-					resolve: true,
-					env
-				});
-			}
-		});
-	}
-	async inspect(ctx, run) {
-		this.configureApi(ctx);
-		const state = {
-			workers: [],
-			databases: [],
-			buckets: [],
-			kvNamespaces: [],
-			queues: [],
-			secrets: []
-		};
-		const tasks = [];
-		for (const _app of ctx.apps) {
-			const name = ctx.naming.worker();
-			tasks.push({
-				name: `inspect worker (${name})`,
-				handler: async () => {
-					try {
-						const deployment = await this.getActiveDeployment(name);
-						if (deployment) state.workers.push({
-							name,
-							exists: true,
-							version: deployment.versionId,
-							tag: deployment.tag,
-							createdAt: deployment.createdAt
-						});
-						else state.workers.push({
-							name,
-							exists: false
-						});
-					} catch {
-						state.workers.push({
-							name,
-							exists: false
-						});
-					}
-				}
-			});
-		}
-		if (ctx.apps.some((a) => a.resources.hasDatabase)) if (await this.isPostgres(ctx)) {
-			const hdName = ctx.naming.hyperdrive();
-			tasks.push({
-				name: `inspect hyperdrive (${hdName})`,
-				handler: async () => {
-					const existing = (await this.api.listHyperdrive()).find((c) => c.name === hdName);
-					state.databases.push({
-						name: hdName,
-						exists: !!existing,
-						id: existing?.id,
-						detail: existing?.origin.host
-					});
-				}
-			});
-		} else {
-			const dbName = ctx.naming.d1();
-			tasks.push({
-				name: `inspect d1 (${dbName})`,
-				handler: async () => {
-					const existing = (await this.api.listD1()).find((db) => db.name === dbName);
-					state.databases.push({
-						name: dbName,
-						exists: !!existing,
-						id: existing?.uuid
-					});
-				}
-			});
-		}
-		if (ctx.apps.some((a) => a.resources.hasBucket)) {
-			const bucketName = ctx.naming.r2();
-			tasks.push({
-				name: `inspect r2 (${bucketName})`,
-				handler: async () => {
-					const existing = (await this.api.listR2()).find((b) => b.name === bucketName);
-					state.buckets.push({
-						name: bucketName,
-						exists: !!existing,
-						id: existing?.creation_date
-					});
-				}
-			});
-		}
-		for (const app of ctx.apps) if (app.resources.hasKV) {
-			const kvName = ctx.naming.kv();
-			tasks.push({
-				name: `inspect kv (${kvName})`,
-				handler: async () => {
-					const existing = (await this.api.listKV()).find((ns) => ns.title === kvName);
-					state.kvNamespaces.push({
-						name: kvName,
-						exists: !!existing,
-						id: existing?.id
-					});
-				}
-			});
-		}
-		for (const app of ctx.apps) if (app.resources.hasQueue) {
-			const queueName = ctx.naming.queue();
-			tasks.push({
-				name: `inspect queue (${queueName})`,
-				handler: async () => {
-					const existing = (await this.api.listQueues()).find((q) => q.queue_name === queueName);
-					state.queues.push({
-						name: queueName,
-						exists: !!existing,
-						id: existing?.queue_id
-					});
-				}
-			});
-		}
-		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
-		const expectedSecrets = Object.keys(envVars).filter((key) => envVars[key] && !CloudflareAdapter.EXCLUDED_SECRET_KEYS.has(key) && !key.startsWith("VITE_"));
-		if (expectedSecrets.length > 0) {
-			const workerName = ctx.naming.worker();
-			tasks.push({
-				name: "inspect secrets",
-				handler: async () => {
-					try {
-						const deployed = await this.api.listSecrets(workerName);
-						const deployedNames = new Set(deployed.map((s) => s.name));
-						for (const key of expectedSecrets) state.secrets.push({
-							name: key,
-							deployed: deployedNames.has(key)
-						});
-					} catch {
-						for (const key of expectedSecrets) state.secrets.push({
-							name: key,
-							deployed: false
-						});
-					}
-				}
-			});
-		}
-		await run(tasks);
-		return state;
-	}
-	async teardown(ctx, run) {
-		this.configureApi(ctx);
-		for (const app of ctx.apps) if (app.resources.hasQueue) {
-			const workerName = ctx.naming.worker();
-			const queueName = ctx.naming.queue();
-			await run({
-				name: `unbind queue consumer ${queueName}`,
-				handler: async () => {
-					try {
-						const queue = (await this.api.listQueues()).find((q) => q.queue_name === queueName);
-						if (queue) await this.api.deleteQueueConsumer(queue.queue_id, workerName);
-					} catch (error) {
-						this.log.warn(`Failed to unbind queue consumer: ${String(error.message || "")}`);
-					}
-				}
-			});
-		}
-		for (const _app of ctx.apps) {
-			const name = ctx.naming.worker();
-			await run({
-				name: `delete worker ${name}`,
-				handler: async () => {
-					try {
-						await this.api.deleteWorker(name);
-					} catch (error) {
-						this.log.warn(`Failed to delete worker ${name}: ${String(error.message || "")}`);
-					}
-				}
-			});
-		}
-		for (const app of ctx.apps) if (app.resources.hasQueue) {
-			const name = ctx.naming.queue();
-			await run({
-				name: `delete queue ${name}`,
-				handler: async () => {
-					try {
-						const queue = (await this.api.listQueues()).find((q) => q.queue_name === name);
-						if (!queue) {
-							this.log.debug(`Queue ${name} not found — skipping.`);
-							return;
-						}
-						await this.api.deleteQueue(queue.queue_id);
-					} catch (error) {
-						this.log.warn(`Failed to delete queue ${name}: ${String(error.message || "")}`);
-					}
-				}
-			});
-		}
-		for (const app of ctx.apps) if (app.resources.hasKV) {
-			const name = ctx.naming.kv();
-			await run({
-				name: `delete kv ${name}`,
-				handler: async () => {
-					try {
-						const existing = (await this.api.listKV()).find((ns) => ns.title === name);
-						if (!existing) {
-							this.log.debug(`KV namespace ${name} not found — skipping.`);
-							return;
-						}
-						await this.api.deleteKV(existing.id);
-					} catch (error) {
-						this.log.warn(`Failed to delete kv ${name}: ${String(error.message || "")}`);
-					}
-				}
-			});
-		}
-		if (ctx.apps.some((a) => a.resources.hasBucket)) {
-			const name = ctx.naming.r2();
-			await run({
-				name: `delete r2 ${name}`,
-				handler: async () => {
-					try {
-						await this.wipeR2Bucket(name, ctx);
-						await this.api.deleteR2(name);
-					} catch (error) {
-						const msg = String(error.message || "");
-						if (msg.includes("does not exist") || msg.includes("NoSuchBucket")) this.log.debug(`Bucket ${name} not found — skipping.`);
-						else this.log.warn(`Failed to delete r2 ${name}: ${msg}`);
-					}
-				}
-			});
-		}
-		if (ctx.apps.some((a) => a.resources.hasDatabase)) if (await this.isPostgres(ctx)) {
-			const name = ctx.naming.hyperdrive();
-			await run({
-				name: `delete hyperdrive ${name}`,
-				handler: async () => {
-					try {
-						const existing = (await this.api.listHyperdrive()).find((c) => c.name === name);
-						if (!existing) {
-							this.log.debug(`Hyperdrive ${name} not found — skipping.`);
-							return;
-						}
-						await this.api.deleteHyperdrive(existing.id);
-					} catch (error) {
-						this.log.warn(`Failed to delete hyperdrive ${name}: ${String(error.message || "")}`);
-					}
-				}
-			});
-		} else {
-			const name = ctx.naming.d1();
-			await run({
-				name: `delete d1 ${name}`,
-				handler: async () => {
-					try {
-						const existing = (await this.api.listD1()).find((db) => db.name === name);
-						if (!existing) {
-							this.log.debug(`D1 database ${name} not found — skipping.`);
-							return;
-						}
-						await this.api.deleteD1(existing.uuid);
-					} catch (error) {
-						this.log.warn(`Failed to delete d1 ${name}: ${String(error.message || "")}`);
-					}
-				}
-			});
-		}
-	}
-	async ensureD1(name) {
-		const existing = (await this.api.listD1()).find((db) => db.name === name);
-		if (existing) return existing.uuid;
-		return (await this.api.createD1(name)).uuid;
-	}
-	async ensureHyperdrive(name, connectionString) {
-		const existing = (await this.api.listHyperdrive()).find((c) => c.name === name);
-		if (existing) return existing.id;
-		return (await this.api.createHyperdrive(name, connectionString)).id;
-	}
-	async ensureR2(name) {
-		if ((await this.api.listR2()).find((b) => b.name === name)) return;
-		await this.api.createR2(name);
-	}
-	/**
-	* Empty an R2 bucket via the S3-compatible API.
-	*
-	* Cloudflare's REST `DELETE /r2/buckets/:name` rejects non-empty buckets
-	* with `BucketNotEmpty`, and the REST API has no object-level endpoints —
-	* objects must be listed and deleted over the S3 protocol. To avoid
-	* making users pre-create R2 access keys, we mint a short-lived
-	* bucket-scoped API token using the wrangler bearer token, wipe the
-	* bucket with `s3mini`, then revoke the token.
-	*
-	* Also aborts any pending multipart uploads — those count as bucket
-	* contents from R2's perspective and would otherwise block the delete.
-	*/
-	async wipeR2Bucket(bucketName, ctx) {
-		const tokenName = `alepha-teardown-${bucketName}-${Date.now()}`;
-		const token = await this.api.createR2Token(tokenName, bucketName);
-		try {
-			const accountId = await this.api.resolveAccountId();
-			const jur = ctx.envConfig.jurisdiction;
-			const host = jur ? `${accountId}.${jur}.r2.cloudflarestorage.com` : `${accountId}.r2.cloudflarestorage.com`;
-			const client = new S3mini({
-				accessKeyId: token.accessKeyId,
-				secretAccessKey: token.secretAccessKey,
-				region: "auto",
-				endpoint: `https://${host}/${bucketName}`
-			});
-			try {
-				const mp = await client.listMultipartUploads();
-				if ("listMultipartUploadsResult" in mp) {
-					const uploads = mp.listMultipartUploadsResult.uploads ?? [];
-					for (const upload of uploads) {
-						const u = upload;
-						const key = u.Key ?? u.key;
-						const uploadId = u.UploadId ?? u.uploadId;
-						if (key && uploadId) await client.abortMultipartUpload(key, uploadId);
-					}
-				}
-			} catch (error) {
-				this.log.debug(`listMultipartUploads on ${bucketName} failed: ${String(error.message || "")}`);
-			}
-			let cursor;
-			let total = 0;
-			while (true) {
-				const page = await client.listObjectsPaged(void 0, void 0, 1e3, cursor);
-				const objects = page?.objects ?? [];
-				if (objects.length === 0) break;
-				await client.deleteObjects(objects.map((o) => o.Key));
-				total += objects.length;
-				cursor = page?.nextContinuationToken;
-				if (!cursor) break;
-			}
-			if (total > 0) this.log.info(`Emptied ${total} object(s) from bucket ${bucketName}.`);
-		} finally {
-			try {
-				await this.api.deleteR2Token(token.id);
-			} catch (error) {
-				this.log.warn(`Failed to revoke ephemeral R2 token ${token.id}: ${String(error.message || "")}`);
-			}
-		}
-	}
-	async ensureKV(name) {
-		const existing = (await this.api.listKV()).find((ns) => ns.title === name);
-		if (existing) return existing.id;
-		return (await this.api.createKV(name)).id;
-	}
-	async ensureQueue(name) {
-		if ((await this.api.listQueues()).find((q) => q.queue_name === name)) return;
-		await this.api.createQueue(name);
-	}
-	/**
-	* Get the currently active deployment for a worker.
-	*/
-	async getActiveDeployment(workerName) {
-		const latest = [...await this.api.listDeployments(workerName)].sort((a, b) => b.created_on.localeCompare(a.created_on))[0];
-		if (!latest?.versions?.[0]) return;
-		const activeVersionId = latest.versions[0].version_id;
-		const version = (await this.api.listVersions(workerName)).find((v) => v.id === activeVersionId);
-		return {
-			versionId: activeVersionId,
-			tag: version?.annotations?.["workers/tag"],
-			createdAt: version?.metadata.created_on
-		};
-	}
-};
-/**
-* Stable SHA-256 of the secret set. Keys are sorted so reordering `.env`
-* lines does not invalidate the cache. Used as a fingerprint by
-* `CloudflareAdapter.secrets` — see the comment block there.
-*/
-function computeSecretsHash(secrets) {
-	const sorted = Object.keys(secrets).sort().map((k) => `${k}=${secrets[k]}`).join("\n");
-	return createHash("sha256").update(sorted).digest("hex");
-}
-//#endregion
-//#region ../../src/cli/platform/schemas/vercel.ts
-const vercelProjectSchema = t.object({
-	id: t.string(),
-	name: t.string(),
-	accountId: t.string()
-});
-const createProjectBodySchema = t.object({
-	name: t.string(),
-	framework: t.optional(t.null())
-});
-const vercelDeploymentSchema = t.object({
-	uid: t.string(),
-	name: t.string(),
-	url: t.string(),
-	state: t.optional(t.string()),
-	readyState: t.optional(t.string()),
-	created: t.optional(t.number()),
-	target: t.optional(t.string()),
-	alias: t.optional(t.array(t.string()))
-});
-const vercelEnvVarSchema = t.object({
-	id: t.string(),
-	key: t.string(),
-	value: t.optional(t.string()),
-	type: t.string(),
-	target: t.array(t.string())
-});
-const createEnvVarBodySchema = t.object({
-	key: t.string(),
-	value: t.string(),
-	type: t.string(),
-	target: t.array(t.string())
-});
-//#endregion
-//#region ../../src/cli/platform/services/VercelCli.ts
-/**
-* Wraps Vercel CLI commands and token management.
-*
-* Used for operations where the Vercel CLI provides value:
-* OAuth login, prebuilt deploy, and auth token extraction.
-*/
-var VercelCli = class {
-	log = $logger();
-	shell = $inject(ShellProvider);
-	fs = $inject(FileSystemProvider);
-	utils = $inject(AlephaCliUtils);
-	pm = $inject(PackageManagerUtils);
-	runner = $inject(Runner);
-	async runShell(command, options = {}) {
-		const capture = options.capture;
-		const output = await this.shell.run(command, {
-			...options,
-			capture: capture ?? this.runner.useDynamicLogger
-		});
-		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
-		return output;
-	}
-	/**
-	* Ensure vercel CLI is installed in the project.
-	*/
-	async ensureInstalled(root, run) {
-		await this.pm.ensureDependency(root, "vercel", {
-			dev: true,
-			exec: async (cmd, opts) => {
-				run.pause();
-				try {
-					await this.utils.exec(cmd, opts);
-				} finally {
-					run.resume();
-				}
-			}
-		});
-	}
-	/**
-	* Get the Vercel auth token.
-	*
-	* Priority:
-	* 1. VERCEL_TOKEN environment variable (CI/CD)
-	* 2. Vercel CLI auth.json file (local dev)
-	*/
-	async getAuthToken() {
-		const envToken = process.env.VERCEL_TOKEN;
-		if (envToken) return envToken;
-		const authPath = this.getAuthFilePath();
-		if (!await this.fs.exists(authPath)) throw new AlephaError("Vercel auth token not found. Run `vercel login` or set VERCEL_TOKEN.");
-		const content = await this.fs.readFile(authPath);
-		const parsed = JSON.parse(content.toString());
-		if (!parsed.token) throw new AlephaError("Vercel auth.json exists but contains no token. Run `vercel login`.");
-		return parsed.token;
-	}
-	/**
-	* Validate the current auth token.
-	*/
-	async whoami() {
-		return await this.runShell("vercel whoami", {
-			resolve: true,
-			capture: true
-		});
-	}
-	/**
-	* Open the browser-based login flow.
-	*/
-	async login() {
-		await this.runShell("vercel login", { resolve: true });
-	}
-	/**
-	* Deploy a prebuilt .vercel/output/ directory.
-	*
-	* Returns the deployment URL.
-	*/
-	async deploy(distDir, options) {
-		const args = [
-			"vercel",
-			"deploy",
-			"--prebuilt"
-		];
-		if (options.prod) args.push("--prod");
-		if (options.token) args.push(`--token=${options.token}`);
-		return (await this.runShell(args.join(" "), {
-			resolve: true,
-			capture: true,
-			root: distDir
-		})).trim().split("\n").reverse().find((line) => line.trim().startsWith("https://"))?.trim();
-	}
-	/**
-	* Resolve the path to Vercel CLI auth.json.
-	*/
-	getAuthFilePath() {
-		const os = platform$1();
-		if (os === "darwin") return join(homedir(), "Library", "Application Support", "com.vercel.cli", "auth.json");
-		if (os === "win32") return join(homedir(), "AppData", "Roaming", "xdg.data", "com.vercel.cli", "auth.json");
-		return join(homedir(), ".local", "share", "com.vercel.cli", "auth.json");
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/services/VercelApi.ts
-/**
-* Thin wrapper over the Vercel REST API.
-*
-* Uses the auth token from VercelCli for all requests.
-*/
-var VercelApi = class VercelApi {
-	static BASE = "https://api.vercel.com";
-	log = $logger();
-	alepha = $inject(Alepha);
-	vercelCli = $inject(VercelCli);
-	token;
-	/**
-	* Obtain the current auth token from the Vercel CLI.
-	*/
-	async resolveToken() {
-		if (this.token) return this.token;
-		this.token = await this.vercelCli.getAuthToken();
-		return this.token;
-	}
-	async listProjects() {
-		return (await this.fetch("/v10/projects", { schema: t.object({ projects: t.array(vercelProjectSchema) }) })).projects;
-	}
-	async getProject(nameOrId) {
-		try {
-			return await this.fetch(`/v9/projects/${encodeURIComponent(nameOrId)}`, { schema: vercelProjectSchema });
-		} catch {
-			return;
-		}
-	}
-	async createProject(name) {
-		return await this.fetch("/v11/projects", {
-			method: "POST",
-			body: {
-				name,
-				framework: null
-			},
-			bodySchema: createProjectBodySchema,
-			schema: vercelProjectSchema
-		});
-	}
-	async updateProject(nameOrId, settings) {
-		await this.fetch(`/v9/projects/${encodeURIComponent(nameOrId)}`, {
-			method: "PATCH",
-			body: settings
-		});
-	}
-	async deleteProject(nameOrId) {
-		await this.fetch(`/v9/projects/${encodeURIComponent(nameOrId)}`, { method: "DELETE" });
-	}
-	async listDeployments(projectId, options) {
-		const query = { projectId };
-		if (options?.limit) query.limit = String(options.limit);
-		if (options?.target) query.target = options.target;
-		return (await this.fetch("/v6/deployments", {
-			query,
-			schema: t.object({ deployments: t.array(vercelDeploymentSchema) })
-		})).deployments;
-	}
-	async listEnvVars(projectId) {
-		return (await this.fetch(`/v10/projects/${encodeURIComponent(projectId)}/env`, {
-			query: { decrypt: "true" },
-			schema: t.object({ envs: t.array(vercelEnvVarSchema) })
-		})).envs;
-	}
-	async upsertEnvVars(projectId, vars) {
-		for (const v of vars) await this.fetch(`/v10/projects/${encodeURIComponent(projectId)}/env`, {
-			method: "POST",
-			query: { upsert: "true" },
-			body: {
-				key: v.key,
-				value: v.value,
-				type: "encrypted",
-				target: v.target
-			},
-			bodySchema: createEnvVarBodySchema
-		});
-	}
-	async deleteEnvVar(projectId, envVarId) {
-		await this.fetch(`/v9/projects/${encodeURIComponent(projectId)}/env/${envVarId}`, { method: "DELETE" });
-	}
-	async fetch(path, options = {}) {
-		const token = await this.resolveToken();
-		const { method = "GET", body, query } = options;
-		let url = `${VercelApi.BASE}${path}`;
-		if (query) {
-			const params = new URLSearchParams(query);
-			url += `?${params.toString()}`;
-		}
-		const headers = { Authorization: `Bearer ${token}` };
-		const init = {
-			method,
-			headers
-		};
-		if (body) {
-			headers["Content-Type"] = "application/json";
-			const validated = options.bodySchema ? this.alepha.codec.validate(options.bodySchema, body) : body;
-			init.body = JSON.stringify(validated);
-		}
-		const response = await globalThis.fetch(url, init);
-		if (response.status === 204) return;
-		const json = await response.json();
-		if (json.error) throw new AlephaError(`Vercel API error (${method} ${path}): ${json.error.message ?? JSON.stringify(json.error)}`);
-		if (!response.ok) throw new AlephaError(`Vercel API error (${method} ${path}): HTTP ${response.status}`);
-		if (options.schema) return this.alepha.codec.validate(options.schema, json);
-		return json;
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/adapters/VercelAdapter.ts
-/**
-* Vercel platform adapter.
-*
-* Uses the Vercel CLI for login and deploy (--prebuilt),
-* and the Vercel REST API for project management, env vars, and inspection.
-*
-* v1 scope: deploy pipeline only. No DB/storage/KV provisioning.
-*/
-var VercelAdapter = class VercelAdapter extends PlatformAdapter {
-	log = $logger();
-	fs = $inject(FileSystemProvider);
-	shell = $inject(ShellProvider);
-	utils = $inject(AlephaCliUtils);
-	cache = $inject(PlatformCacheProvider);
-	alepha = $inject(Alepha);
-	envUtils = $inject(EnvUtils);
-	api = $inject(VercelApi);
-	vercelCli = $inject(VercelCli);
-	runner = $inject(Runner);
-	/**
-	* Vars that should not be pushed as env vars.
-	* These are either handled by the build or are internal.
-	*/
-	static EXCLUDED_SECRET_KEYS = new Set(["NODE_ENV"]);
-	async runShell(command, options = {}) {
-		const capture = options.capture;
-		const output = await this.shell.run(command, {
-			...options,
-			capture: capture ?? this.runner.useDynamicLogger
-		});
-		if (capture && !this.runner.useDynamicLogger) this.log.info(output);
-		return output;
-	}
-	async authenticate(ctx, run) {
-		await run({
-			name: "authenticate",
-			handler: async () => {
-				await this.vercelCli.ensureInstalled(ctx.root, run);
-				let needsLogin = false;
-				try {
-					await this.vercelCli.getAuthToken();
-					await this.vercelCli.whoami();
-				} catch {
-					needsLogin = true;
-				}
-				if (needsLogin) {
-					run.pause();
-					await this.vercelCli.login();
-					run.resume();
-				}
-				if (await this.cache.isLoginFresh(ctx.root, "vercel")) return;
-				await this.cache.recordLogin(ctx.root, "vercel");
-			}
-		});
-	}
-	async build(ctx, run) {
-		const appDir = ctx.app.path ? this.fs.join(ctx.root, ctx.app.path) : ctx.root;
-		await run({
-			name: "alepha build -t vercel",
-			handler: async () => {
-				await this.runShell("alepha build -t vercel", { root: appDir });
-			}
-		});
-	}
-	async deploy(ctx, run) {
-		const distDir = ctx.app.path ? this.fs.join(ctx.root, ctx.app.path, "dist") : this.fs.join(ctx.root, "dist");
-		const projectName = ctx.naming.worker();
-		let url;
-		await run({
-			name: `deploy ${ctx.app.name}`,
-			handler: async () => {
-				let project = await this.api.getProject(projectName);
-				if (!project) project = await this.api.createProject(projectName);
-				await this.api.updateProject(projectName, { framework: null });
-				const vercelDir = this.fs.join(distDir, ".vercel");
-				await this.fs.mkdir(vercelDir);
-				await this.fs.writeFile(this.fs.join(vercelDir, "project.json"), JSON.stringify({
-					projectId: project.id,
-					orgId: project.accountId
-				}, null, 2));
-				const token = process.env.VERCEL_TOKEN;
-				await this.vercelCli.deploy(distDir, {
-					prod: true,
-					token
-				});
-				const latest = (await this.api.listDeployments(project.id, {
-					limit: 1,
-					target: "production"
-				}))[0];
-				url = latest?.alias?.[0] ? `https://${latest.alias[0]}` : `https://${projectName}.vercel.app`;
-			}
-		});
-		return url;
-	}
-	async secrets(ctx, run) {
-		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
-		const vars = [];
-		for (const [key, value] of Object.entries(envVars)) {
-			if (!value) continue;
-			if (VercelAdapter.EXCLUDED_SECRET_KEYS.has(key)) continue;
-			if (key.startsWith("VITE_")) continue;
-			vars.push({
-				key,
-				value,
-				target: ["production", "preview"]
-			});
-		}
-		if (vars.length === 0) return;
-		for (const app of ctx.apps) {
-			const projectName = ctx.naming.worker();
-			await run({
-				name: `push env vars to ${projectName}`,
-				handler: async () => {
-					await this.api.upsertEnvVars(projectName, vars);
-				}
-			});
-		}
-	}
-	async inspect(ctx, run) {
-		const state = {
-			workers: [],
-			databases: [],
-			buckets: [],
-			kvNamespaces: [],
-			queues: [],
-			secrets: []
-		};
-		const tasks = [];
-		for (const app of ctx.apps) {
-			const projectName = ctx.naming.worker();
-			tasks.push({
-				name: `inspect project (${projectName})`,
-				handler: async () => {
-					const project = await this.api.getProject(projectName);
-					if (!project) {
-						state.workers.push({
-							name: projectName,
-							exists: false
-						});
-						return;
-					}
-					const latest = (await this.api.listDeployments(project.id, { limit: 1 }))[0];
-					state.workers.push({
-						name: projectName,
-						exists: true,
-						version: latest?.uid,
-						createdAt: latest?.created ? new Date(latest.created).toISOString() : void 0
-					});
-				}
-			});
-		}
-		const envVars = await this.envUtils.parseEnv(ctx.root, [`.env.${ctx.env}`]);
-		const expectedVars = Object.keys(envVars).filter((key) => envVars[key] && !VercelAdapter.EXCLUDED_SECRET_KEYS.has(key) && !key.startsWith("VITE_"));
-		if (expectedVars.length > 0) {
-			const projectName = ctx.naming.worker();
-			tasks.push({
-				name: "inspect env vars",
-				handler: async () => {
-					try {
-						const deployed = await this.api.listEnvVars(projectName);
-						const deployedKeys = new Set(deployed.map((v) => v.key));
-						for (const key of expectedVars) state.secrets.push({
-							name: key,
-							deployed: deployedKeys.has(key)
-						});
-					} catch {
-						for (const key of expectedVars) state.secrets.push({
-							name: key,
-							deployed: false
-						});
-					}
-				}
-			});
-		}
-		await run(tasks);
-		return state;
-	}
-	async teardown(ctx, run) {
-		for (const app of ctx.apps) {
-			const projectName = ctx.naming.worker();
-			await run({
-				name: `delete project ${projectName}`,
-				handler: async () => {
-					try {
-						await this.api.deleteProject(projectName);
-					} catch (error) {
-						this.log.warn(`Failed to delete project ${projectName}: ${String(error.message || "")}`);
-					}
-				}
-			});
-		}
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/atoms/platformOptions.ts
-/**
-* Platform deployment configuration atom.
-*
-* Filled from the `platform` section of `alepha.config.ts`.
-* Read by `PlatformCommand` to resolve environments and adapters.
-*/
-const platformOptions = $atom({
-	name: "alepha.cli.platform.options",
-	description: "Platform deployment configuration",
-	schema: t.optional(t.object({
-		/**
-		* Project name override. Defaults to root package.json "name".
-		*/
-		name: t.optional(t.text()),
-		/**
-		* Default environment when --env is omitted.
-		*
-		* @default "production"
-		*/
-		default: t.optional(t.text()),
-		/**
-		* Secret store configuration for syncing .env secrets
-		* to external providers (e.g. GitHub Actions environments).
-		*/
-		secrets: t.optional(t.object({
-			/**
-			* Secret store backend.
-			*/
-			store: t.enum(["github"]),
-			/**
-			* Pattern for resolving environment names in the store.
-			* Placeholders: {project}, {env}.
-			*
-			* @default "{project}-{env}"
-			*/
-			environmentPattern: t.optional(t.text())
-		})),
-		/**
-		* Named environments with their adapter and configuration.
-		*/
-		environments: t.record(t.text({ description: "Environment name (e.g. 'production', 'staging', 'preview'). Used in resource naming and selected via --env." }), t.object({
-			adapter: t.enum(["cloudflare", "vercel"]),
-			/**
-			* Custom domain for the deployed worker (e.g. "api.example.com").
-			*
-			* On Cloudflare this is attached as a custom-domain route.
-			* Omit to use the adapter's default `*.workers.dev` / preview URL.
-			*
-			* Wildcards are supported for multi-tenant SaaS apps:
-			* `"*.club.alepha.dev"` routes every subdomain to the worker.
-			* Wildcard patterns require `zone` to be set, and the wildcard DNS
-			* record must already exist (proxied) in the Cloudflare zone.
-			*/
-			domain: t.optional(t.text()),
-			/**
-			* Cloudflare zone name (e.g. "alepha.dev") that owns `domain`.
-			*
-			* Required when `domain` contains a wildcard (`*`). Ignored for
-			* plain custom domains, which Cloudflare resolves automatically.
-			*/
-			zone: t.optional(t.text()),
-			/**
-			* Cloudflare data jurisdiction for R2 buckets and D1 databases.
-			* - "eu": data stays within the EU
-			* - "fedramp": FedRAMP-authorized regions
-			*
-			* Omit for the default (global) jurisdiction.
-			*/
-			jurisdiction: t.optional(t.enum(["eu", "fedramp"])),
-			/**
-			* Cloudflare account ID to deploy into.
-			*
-			* Falls back to `CLOUDFLARE_ACCOUNT_ID` env var, then to the
-			* token's account when the token is scoped to exactly one.
-			* Required when the token has access to multiple accounts.
-			*/
-			accountId: t.optional(t.text())
-		}))
-	}))
-});
-//#endregion
-//#region ../../src/cli/platform/services/NamingService.ts
-/**
-* Generates deterministic resource names for cloud deployments.
-*
-* Pattern: `<project>-<env>`.
-*
-* All segments are slugified (lowercase, alphanumeric + dashes, max 63
-* chars). One app per workspace — see `alepha platform`.
-*/
-var NamingService = class {
-	forContext(project, env) {
-		return new NamingContext(`${this.slugify(project)}-${this.slugify(env)}`);
-	}
-	slugify(name) {
-		return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 63);
-	}
-};
-var NamingContext = class {
-	prefix;
-	constructor(prefix) {
-		this.prefix = prefix;
-	}
-	worker() {
-		return this.prefix;
-	}
-	d1() {
-		return this.prefix;
-	}
-	hyperdrive() {
-		return this.prefix;
-	}
-	r2() {
-		return this.prefix;
-	}
-	kv() {
-		return this.prefix;
-	}
-	queue() {
-		return this.prefix;
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/services/PlatformInspector.ts
-/**
-* Reads platform config and resolves project topology.
-*
-* Validates project name and environment configuration. Does NOT
-* introspect app code for resources — that happens at deploy time via
-* ViteBuildProvider.
-*
-* Each app self-declares its platform topology via its own
-* `alepha.config.ts`. Run `alepha platform <op>` from the app's
-* directory; no monorepo-root orchestration here.
-*/
-var PlatformInspector = class {
-	log = $logger();
-	alepha = $inject(Alepha);
-	fs = $inject(FileSystemProvider);
-	asker = $inject(Asker);
-	options = $state(platformOptions);
-	naming = $inject(NamingService);
-	/**
-	* Resolve and validate the full platform configuration.
-	*/
-	async resolveConfig(root) {
-		if (!this.options) {
-			this.log.warn(` alepha.config.ts not found or missing platform config.
-
-Please add a "platform" section to alepha.config.ts:
-
-export default defineConfig({
-  platform: {
-    environments: {
-      production: { adapter: "cloudflare" },
-    },
-  },
-});
-        `);
-			throw new AlephaError("Missing platform configuration.");
-		}
-		const opts = this.options;
-		const project = await this.resolveProjectName(root, opts.name);
-		return {
-			project: this.naming.slugify(project),
-			defaultEnv: opts.default ?? "production",
-			environments: opts.environments
-		};
-	}
-	/**
-	* Resolve a specific environment, validating it exists.
-	*/
-	async resolveEnvironment(root, envName) {
-		const config = await this.resolveConfig(root);
-		const envConfig = config.environments[envName];
-		if (!envConfig) throw new AlephaError(`Unknown environment "${envName}". Available: ${Object.keys(config.environments).join(", ")}`);
-		return envConfig;
-	}
-	async resolveProjectName(root, configName) {
-		if (configName) return configName;
-		try {
-			const pkgPath = this.fs.join(root, "package.json");
-			const pkg = await this.fs.readJsonFile(pkgPath);
-			if (pkg.name) return pkg.name;
-		} catch {}
-		throw new AlephaError("Missing project name. Set \"name\" in alepha.config.ts or add a \"name\" field to package.json.");
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/services/PlatformOrchestrator.ts
-/**
-* Orchestrates platform lifecycle operations.
-*
-* Coordinates adapter calls in the correct order for
-* up (build -> migrate -> deploy), down, plan, and status.
-*/
-var PlatformOrchestrator = class {
-	log = $logger();
-	color = $inject(ConsoleColorProvider);
-	inspector = $inject(PlatformInspector);
-	naming = $inject(NamingService);
-	cloudflareAdapter = $inject(CloudflareAdapter);
-	vercelAdapter = $inject(VercelAdapter);
-	alepha = $inject(Alepha);
-	resolveAdapter(adapterName) {
-		switch (adapterName) {
-			case "cloudflare": return this.cloudflareAdapter;
-			case "vercel": return this.vercelAdapter;
-			default: throw new AlephaError(`Unknown adapter: "${adapterName}"`);
-		}
-	}
-	async up(options) {
-		const { root, env, apps, run, prebuilt } = options;
-		const envConfig = await this.inspector.resolveEnvironment(root, env);
-		const config = await this.inspector.resolveConfig(root);
-		const adapter = this.resolveAdapter(envConfig.adapter);
-		const namingCtx = this.naming.forContext(config.project, env);
-		const ctx = {
-			project: config.project,
-			env,
-			envConfig,
-			apps,
-			root,
-			naming: namingCtx,
-			prebuilt
-		};
-		await adapter.authenticate(ctx, run);
-		await adapter.provision(ctx, run);
-		for (const a of apps) await adapter.build({
-			...ctx,
-			app: a
-		}, run);
-		await adapter.migrate(ctx, run);
-		const urls = [];
-		for (const a of apps) {
-			const url = await adapter.deploy({
-				...ctx,
-				app: a
-			}, run);
-			if (url) urls.push(url);
-		}
-		await adapter.secrets(ctx, run);
-		run.end();
-		return {
-			urls,
-			domain: envConfig.domain
-		};
-	}
-	/**
-	* Pretty-print the `up()` result to stdout. Matches the formatting the
-	* orchestrator used to emit inline; split out so callers that want
-	* JSON output can skip this branch.
-	*/
-	printUpSummary(result) {
-		const c = this.color;
-		if (result.domain) {
-			this.log.info("");
-			const display = result.domain.includes("*") ? `https://${result.domain} (wildcard route)` : `https://${result.domain}`;
-			this.log.info(`  ${c.set("GREEN", "→")} ${c.set("CYAN", display)}`);
-			this.log.info("");
-		} else for (const url of result.urls) {
-			this.log.info("");
-			this.log.info(`  ${c.set("GREEN", "→")} ${c.set("CYAN", url)}`);
-			this.log.info("");
-		}
-	}
-	async down(options) {
-		const { root, env, apps, run, confirm } = options;
-		const envConfig = await this.inspector.resolveEnvironment(root, env);
-		const config = await this.inspector.resolveConfig(root);
-		const adapter = this.resolveAdapter(envConfig.adapter);
-		const namingCtx = this.naming.forContext(config.project, env);
-		const ctx = {
-			project: config.project,
-			env,
-			envConfig,
-			apps,
-			root,
-			naming: namingCtx
-		};
-		if (!this.isTmpEnv(env)) {
-			if (await confirm(`Type "${env}" to confirm teardown:`) !== env) {
-				this.log.info("Aborted.");
-				return false;
-			}
-		}
-		await adapter.authenticate(ctx, run);
-		await adapter.teardown(ctx, run);
-		run.end();
-		return true;
-	}
-	async plan(options) {
-		const { root, env, apps } = options;
-		const config = await this.inspector.resolveConfig(root);
-		return {
-			config,
-			naming: this.naming.forContext(config.project, env),
-			apps
-		};
-	}
-	async status(options) {
-		const { root, env, apps, run } = options;
-		const envConfig = await this.inspector.resolveEnvironment(root, env);
-		const config = await this.inspector.resolveConfig(root);
-		const adapter = this.resolveAdapter(envConfig.adapter);
-		const namingCtx = this.naming.forContext(config.project, env);
-		const ctx = {
-			project: config.project,
-			env,
-			envConfig,
-			apps,
-			root,
-			naming: namingCtx
-		};
-		await adapter.authenticate(ctx, run);
-		return {
-			config,
-			state: await adapter.inspect(ctx, run)
-		};
-	}
-	isTmpEnv(env) {
-		return env.startsWith("tmp");
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/providers/GitHubSecretStore.ts
-/**
-* GitHub Actions secret store backed by the `gh` CLI.
-*
-* Requires the GitHub CLI (`gh`) to be installed and authenticated.
-* Pushes secrets into GitHub Actions environments.
-*/
-var GitHubSecretStore = class {
-	log = $logger();
-	shell = $inject(ShellProvider);
-	fs = $inject(FileSystemProvider);
-	/**
-	* Verify that `gh` is installed and authenticated.
-	*/
-	async ensureAvailable() {
-		if (!await this.shell.isInstalled("gh")) throw new AlephaError("GitHub CLI (gh) is not installed. Install it from https://cli.github.com");
-		try {
-			await this.shell.run("gh auth status", { capture: true });
-		} catch {
-			throw new AlephaError("GitHub CLI is not authenticated. Run `gh auth login` first.");
-		}
-	}
-	/**
-	* Create the GitHub Actions environment if it doesn't exist.
-	*/
-	async ensureEnvironment(environment) {
-		await this.shell.run(`gh api --method PUT /repos/{owner}/{repo}/environments/${environment} --silent`, { capture: true });
-		this.log.debug(`Ensured environment "${environment}" exists`);
-	}
-	/**
-	* List all secrets in a GitHub Actions environment.
-	*/
-	async list(environment) {
-		try {
-			const output = await this.shell.run(`gh secret list --env ${environment} --json name,updatedAt`, { capture: true });
-			return JSON.parse(output || "[]").map((s) => ({
-				name: s.name,
-				updatedAt: s.updatedAt
-			}));
-		} catch (error) {
-			this.log.debug("Failed to list secrets", {
-				environment,
-				error
-			});
-			return [];
-		}
-	}
-	/**
-	* Set a secret in a GitHub Actions environment.
-	*
-	* Writes a dotenv-formatted file and uses `gh secret set --env-file` to
-	* avoid shell pipe issues with NodeShellProvider escaping the `|` character.
-	*/
-	async set(environment, key, value) {
-		const tmpFile = `/tmp/alepha-secret-${key}-${Date.now()}`;
-		const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n");
-		await this.fs.writeFile(tmpFile, `${key}="${escaped}"\n`);
-		try {
-			const output = await this.shell.run(`gh secret set -f ${tmpFile} --env ${environment}`, { capture: true });
-			this.log.debug(`Secret set: ${key}`, { output });
-		} finally {
-			await this.fs.rm(tmpFile);
-		}
-	}
-	/**
-	* Delete a secret from a GitHub Actions environment.
-	*/
-	async delete(environment, key) {
-		await this.shell.run(`gh secret delete ${key} --env ${environment}`, { capture: true });
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/services/SecretFilterService.ts
-/**
-* Filters environment variables for secret store syncing.
-*
-* Excludes platform-managed vars (NODE_ENV), build-time vars (VITE_*),
-* and empty values. Keeps everything else — including DATABASE_URL
-* and POSTGRES_SCHEMA which GitHub Actions needs.
-*
-* Also handles renaming GITHUB_* keys since GitHub Actions rejects
-* secret names starting with GITHUB_.
-*/
-var SecretFilterService = class SecretFilterService {
-	static EXCLUDED_KEYS = new Set(["NODE_ENV"]);
-	static GITHUB_PREFIX = "GITHUB_";
-	static REMOTE_PREFIX = "APP_GITHUB_";
-	/**
-	* Return only the entries that should be pushed to a secret store.
-	*/
-	filter(envVars) {
-		const result = {};
-		for (const [key, value] of Object.entries(envVars)) {
-			if (!value) continue;
-			if (SecretFilterService.EXCLUDED_KEYS.has(key)) continue;
-			if (key.startsWith("VITE_")) continue;
-			result[key] = value;
-		}
-		return result;
-	}
-	/**
-	* Convert a local env key to a remote secret name.
-	*
-	* GITHUB_* keys are prefixed with APP_ since GitHub Actions rejects
-	* secret names starting with GITHUB_.
-	*/
-	toRemoteName(key) {
-		if (key.startsWith(SecretFilterService.GITHUB_PREFIX)) return `${SecretFilterService.REMOTE_PREFIX}${key.slice(SecretFilterService.GITHUB_PREFIX.length)}`;
-		return key;
-	}
-	/**
-	* Convert a remote secret name back to the local env key.
-	*/
-	toLocalName(remoteName) {
-		if (remoteName.startsWith(SecretFilterService.REMOTE_PREFIX)) return `${SecretFilterService.GITHUB_PREFIX}${remoteName.slice(SecretFilterService.REMOTE_PREFIX.length)}`;
-		return remoteName;
-	}
-};
-//#endregion
 //#region ../../src/cli/platform/commands/SecretsCommand.ts
 var SecretsCommand = class {
 	log = $logger();
@@ -2352,6 +191,7 @@ var PlatformCommand = class {
 			aliases: ["e"],
 			description: "Target environment"
 		})),
+		tenant: t.optional(t.text({ description: "Tenant slug (apps with tenancy: optional | required). Names resources <tenant>-<project>-<env> and serves <tenant>.<domain>." })),
 		verbose: t.optional(t.boolean({
 			aliases: ["v"],
 			description: "Verbose output"
@@ -2367,7 +207,8 @@ var PlatformCommand = class {
 			const env = flags.env ?? config.defaultEnv;
 			const adapterName = config.environments[env]?.adapter ?? "cloudflare";
 			const apps = await this.resolveApps(root, config, this.isServerless(adapterName));
-			const namingCtx = this.naming.forContext(config.project, env);
+			const tenant = resolveTenant(config.tenancy, flags.tenant);
+			const namingCtx = this.naming.forContext(config.project, env, tenant);
 			const hasDB = apps.some((a) => a.resources.hasDatabase);
 			const hasBucket = apps.some((a) => a.resources.hasBucket);
 			const envVars = await this.envUtils.parseEnv(root, [`.env.${env}`]);
@@ -2462,13 +303,15 @@ var PlatformCommand = class {
 			const config = await this.inspector.resolveConfig(root);
 			const env = flags.env ?? config.defaultEnv;
 			const adapter = config.environments[env]?.adapter ?? "cloudflare";
-			const apps = await this.resolveApps(root, config, this.isServerless(adapter));
+			const apps = await this.resolveApps(root, config, this.isServerless(adapter), { prebuilt: flags.prebuilt });
 			const result = await this.orchestrator.up({
 				root,
 				env,
-				apps,
+				entry: apps[0].entry,
+				resources: apps[0].resources,
 				run,
-				prebuilt: flags.prebuilt
+				prebuilt: flags.prebuilt,
+				tenant: flags.tenant
 			});
 			if (flags.json) process.stdout.write(`${JSON.stringify({
 				status: "succeeded",
@@ -2498,8 +341,10 @@ var PlatformCommand = class {
 			const completed = await this.orchestrator.down({
 				root,
 				env: flags.env,
-				apps,
+				entry: apps[0].entry,
+				resources: apps[0].resources,
 				run,
+				tenant: flags.tenant,
 				confirm: async (prompt) => {
 					if (flags.yes) return flags.env;
 					ask.intro("Confirm teardown");
@@ -2528,8 +373,10 @@ var PlatformCommand = class {
 			const { state } = await this.orchestrator.status({
 				root,
 				env,
-				apps,
-				run
+				entry: apps[0].entry,
+				resources: apps[0].resources,
+				run,
+				tenant: flags.tenant
 			});
 			if (flags.json) {
 				run.end();
@@ -2620,19 +467,19 @@ var PlatformCommand = class {
 			const envConfig = config.environments[env];
 			const adapter = this.orchestrator.resolveAdapter(envConfig.adapter);
 			const apps = await this.resolveApps(root, config, this.isServerless(envConfig.adapter));
-			const namingCtx = this.naming.forContext(config.project, env);
+			const tenant = resolveTenant(config.tenancy, flags.tenant);
+			const namingCtx = this.naming.forContext(config.project, env, tenant);
 			const ctx = {
 				project: config.project,
 				env,
 				envConfig,
-				apps,
+				entry: apps[0].entry,
+				resources: apps[0].resources,
 				root,
-				naming: namingCtx
+				naming: namingCtx,
+				tenant
 			};
-			for (const app of apps) await adapter.build({
-				...ctx,
-				app
-			}, run);
+			await adapter.build(ctx, run);
 		}
 	});
 	deploy = $command({
@@ -2645,20 +492,20 @@ var PlatformCommand = class {
 			const envConfig = config.environments[env];
 			const adapter = this.orchestrator.resolveAdapter(envConfig.adapter);
 			const apps = await this.resolveApps(root, config, this.isServerless(envConfig.adapter));
-			const namingCtx = this.naming.forContext(config.project, env);
+			const tenant = resolveTenant(config.tenancy, flags.tenant);
+			const namingCtx = this.naming.forContext(config.project, env, tenant);
 			const ctx = {
 				project: config.project,
 				env,
 				envConfig,
-				apps,
+				entry: apps[0].entry,
+				resources: apps[0].resources,
 				root,
-				naming: namingCtx
+				naming: namingCtx,
+				tenant
 			};
 			await adapter.authenticate(ctx, run);
-			for (const app of apps) await adapter.deploy({
-				...ctx,
-				app
-			}, run);
+			await adapter.deploy(ctx, run);
 		}
 	});
 	migrate = $command({
@@ -2671,14 +518,17 @@ var PlatformCommand = class {
 			const envConfig = config.environments[env];
 			const adapter = this.orchestrator.resolveAdapter(envConfig.adapter);
 			const apps = await this.resolveApps(root, config, this.isServerless(envConfig.adapter));
-			const namingCtx = this.naming.forContext(config.project, env);
+			const tenant = resolveTenant(config.tenancy, flags.tenant);
+			const namingCtx = this.naming.forContext(config.project, env, tenant);
 			const ctx = {
 				project: config.project,
 				env,
 				envConfig,
-				apps,
+				entry: apps[0].entry,
+				resources: apps[0].resources,
 				root,
-				naming: namingCtx
+				naming: namingCtx,
+				tenant
 			};
 			await adapter.authenticate(ctx, run);
 			await adapter.migrate(ctx, run);
@@ -2689,6 +539,53 @@ var PlatformCommand = class {
 			}, null, 2)}\n`);
 		}
 	});
+	dbExport = $command({
+		name: "export",
+		description: "Export the deployed database to a local snapshot (remote → local dev DB).",
+		flags: t.object({
+			...this.envFlags.properties,
+			output: t.optional(t.text({ description: "Destination SQLite file. Defaults to the dev DB path (node_modules/.alepha/sqlite.db)." })),
+			keepSql: t.optional(t.boolean({ description: "Keep the intermediate .sql dump file." }))
+		}),
+		handler: async ({ flags, root, run }) => {
+			const config = await this.inspector.resolveConfig(root);
+			const env = flags.env ?? config.defaultEnv;
+			const envConfig = config.environments[env];
+			const adapter = this.orchestrator.resolveAdapter(envConfig.adapter);
+			const app = await this.resolveApp(root, config, this.isServerless(envConfig.adapter));
+			const tenant = resolveTenant(config.tenancy, flags.tenant);
+			const namingCtx = this.naming.forContext(config.project, env, tenant);
+			const ctx = {
+				project: config.project,
+				env,
+				envConfig,
+				entry: app.entry,
+				resources: app.resources,
+				root,
+				naming: namingCtx,
+				tenant
+			};
+			await adapter.authenticate(ctx, run);
+			await adapter.exportDb(ctx, run, {
+				output: flags.output,
+				keepSql: flags.keepSql
+			});
+		}
+	});
+	/**
+	* `db` subgroup — operations against the *deployed* database (export,
+	* migrate). They live under `platform` (not core `alepha db`) because
+	* they need the env config, tenancy, adapter, and resource naming.
+	*/
+	db = $command({
+		name: "db",
+		description: "Deployed-database operations (export, migrate).",
+		children: [this.dbExport, this.migrate],
+		handler: async ({ help, root }) => {
+			await this.inspector.resolveConfig(root);
+			help();
+		}
+	});
 	platform = $command({
 		name: "platform",
 		aliases: ["p"],
@@ -2700,7 +597,7 @@ var PlatformCommand = class {
 			this.status,
 			this.build,
 			this.deploy,
-			this.migrate,
+			this.db,
 			this.secretsCommand.secrets
 		],
 		handler: async ({ help, root }) => {
@@ -2718,12 +615,32 @@ var PlatformCommand = class {
 	* ViteBuildProvider.init() per app. This is expensive -- only done
 	* for up/down/status, not for plan.
 	*/
-	async resolveApps(root, config, isServerless) {
+	async resolveApp(root, _config, isServerless, options = {}) {
+		if (options.prebuilt) {
+			const manifest = await this.readManifest(root);
+			if (manifest) return {
+				entry: {
+					root,
+					server: ""
+				},
+				resources: manifest.resources
+			};
+		}
 		const entry = await this.boot.getAppEntry(root);
 		if (isServerless) process.env.ALEPHA_SERVERLESS = "true";
 		const appAlepha = await this.viteBuild.init({ entry });
 		delete process.env.ALEPHA_SERVERLESS;
-		const resources = this.detectResources(appAlepha);
+		return {
+			entry,
+			resources: this.detectResources(appAlepha)
+		};
+	}
+	/**
+	* @deprecated single-app projects; use `resolveApp` directly.
+	* Kept temporarily so existing commands can be migrated one at a time.
+	*/
+	async resolveApps(root, config, isServerless, options = {}) {
+		const { entry, resources } = await this.resolveApp(root, config, isServerless, options);
 		return [{
 			name: config.project,
 			path: "",
@@ -2734,6 +651,21 @@ var PlatformCommand = class {
 	isServerless(adapter) {
 		return adapter === "vercel" || adapter === "cloudflare";
 	}
+	/**
+	* Read `dist/manifest.json` if present. Returns `null` when the file
+	* doesn't exist or isn't parseable — caller falls back to the
+	* Vite-introspection path.
+	*/
+	async readManifest(root) {
+		try {
+			const fs = await import("node:fs/promises");
+			const path = await import("node:path");
+			const raw = await fs.readFile(path.join(root, "dist", "manifest.json"), "utf-8");
+			return JSON.parse(raw);
+		} catch {
+			return null;
+		}
+	}
 	detectResources(alepha) {
 		let hasDatabase = false;
 		let hasBucket = false;
@@ -2765,174 +697,15 @@ var PlatformCommand = class {
 	}
 };
 //#endregion
-//#region ../../src/cli/platform/providers/MemorySecretStore.ts
-/**
-* In-memory implementation of SecretStoreProvider for testing.
-* Records all operations and stores secrets in a nested Map.
-*/
-var MemorySecretStore = class {
-	/**
-	* Secrets keyed by environment, then by key.
-	*/
-	secrets = /* @__PURE__ */ new Map();
-	/**
-	* All recorded operations.
-	*/
-	calls = [];
-	/**
-	* When set, ensureAvailable() will throw with this message.
-	*/
-	availableError = null;
-	async ensureAvailable() {
-		this.calls.push({ method: "ensureAvailable" });
-		if (this.availableError) throw new AlephaError(this.availableError);
-	}
-	async ensureEnvironment(environment) {
-		this.calls.push({
-			method: "ensureEnvironment",
-			environment
-		});
-		if (!this.secrets.has(environment)) this.secrets.set(environment, /* @__PURE__ */ new Map());
-	}
-	async list(environment) {
-		this.calls.push({
-			method: "list",
-			environment
-		});
-		const envSecrets = this.secrets.get(environment);
-		if (!envSecrets) return [];
-		return Array.from(envSecrets.keys()).map((name) => ({ name }));
-	}
-	async set(environment, key, value) {
-		this.calls.push({
-			method: "set",
-			environment,
-			key,
-			value
-		});
-		let envSecrets = this.secrets.get(environment);
-		if (!envSecrets) {
-			envSecrets = /* @__PURE__ */ new Map();
-			this.secrets.set(environment, envSecrets);
-		}
-		envSecrets.set(key, value);
-	}
-	async delete(environment, key) {
-		this.calls.push({
-			method: "delete",
-			environment,
-			key
-		});
-		this.secrets.get(environment)?.delete(key);
-	}
-	/**
-	* Check if set() was called for a given environment and key.
-	*/
-	wasSet(environment, key) {
-		return this.calls.some((c) => c.method === "set" && c.environment === environment && c.key === key);
-	}
-	/**
-	* Check if delete() was called for a given environment and key.
-	*/
-	wasDeleted(environment, key) {
-		return this.calls.some((c) => c.method === "delete" && c.environment === environment && c.key === key);
-	}
-	/**
-	* Get all set() calls for a given environment.
-	*/
-	getSetCalls(environment) {
-		return this.calls.filter((c) => c.method === "set" && c.environment === environment).map((c) => ({
-			key: c.key,
-			value: c.value
-		}));
-	}
-	/**
-	* Reset all state.
-	*/
-	reset() {
-		this.secrets.clear();
-		this.calls = [];
-		this.availableError = null;
-	}
-};
-//#endregion
-//#region ../../src/cli/platform/providers/SecretStoreProvider.ts
-/**
-* Abstract provider for managing secrets in an external store.
-*
-* Implementations: GitHubSecretStore, MemorySecretStore
-*/
-var SecretStoreProvider = class {};
-//#endregion
-//#region ../../src/cli/platform/schemas/platform.ts
-const platformStatusWorkerSchema = t.object({
-	name: t.string(),
-	exists: t.boolean(),
-	id: t.optional(t.string()),
-	detail: t.optional(t.string()),
-	version: t.optional(t.string()),
-	tag: t.optional(t.string()),
-	createdAt: t.optional(t.string())
-});
-const platformStatusResourceSchema = t.object({
-	name: t.string(),
-	exists: t.boolean(),
-	id: t.optional(t.string()),
-	detail: t.optional(t.string())
-});
-const platformStatusSecretSchema = t.object({
-	name: t.string(),
-	deployed: t.boolean()
-});
-const platformStatusSchema = t.object({
-	project: t.string(),
-	env: t.string(),
-	adapter: t.string(),
-	workers: t.array(platformStatusWorkerSchema),
-	databases: t.array(platformStatusResourceSchema),
-	buckets: t.array(platformStatusResourceSchema),
-	kvNamespaces: t.array(platformStatusResourceSchema),
-	queues: t.array(platformStatusResourceSchema),
-	secrets: t.array(platformStatusSecretSchema)
-});
-const platformPlanAppResourcesSchema = t.object({
-	hasDatabase: t.boolean(),
-	hasBucket: t.boolean(),
-	hasKV: t.boolean(),
-	hasQueue: t.boolean(),
-	hasCron: t.boolean()
-});
-const platformPlanAppSchema = t.object({
-	name: t.string(),
-	path: t.string(),
-	resources: platformPlanAppResourcesSchema
-});
-const platformPlanEnvironmentSchema = t.object({
-	adapter: t.string(),
-	domain: t.optional(t.string()),
-	zone: t.optional(t.string())
-});
-const platformPlanResourceSchema = t.object({
-	label: t.string(),
-	value: t.string()
-});
-const platformPlanSchema = t.object({
-	project: t.string(),
-	env: t.string(),
-	mode: t.enum(["monorepo", "standalone"]),
-	apps: t.array(platformPlanAppSchema),
-	environments: t.record(t.string(), platformPlanEnvironmentSchema),
-	resources: t.array(platformPlanResourceSchema),
-	secretCount: t.number()
-});
-//#endregion
 //#region ../../src/cli/platform/index.ts
 /**
 * CLI plugin for multi-cloud deployment orchestration.
 *
-* Manages the full lifecycle of deploying Alepha apps: provision
-* resources, build, migrate databases, deploy, and sync secrets.
-* Supports Cloudflare Workers and Vercel.
+* Wraps `AlephaPlatformLibPlugin` (the framework-agnostic deploy
+* services) with `$command` instances so the orchestration is
+* reachable from `alepha platform …`. Non-CLI consumers (e.g. Alepha
+* Rocket) should depend on `alepha/cli/platform-lib` directly instead
+* of pulling in this command surface.
 *
 * Commands:
 * - `alepha platform plan`    — show project topology and resource names
@@ -2940,9 +713,10 @@ const platformPlanSchema = t.object({
 * - `alepha platform down`    — teardown an environment
 * - `alepha platform status`  — inspect deployed resources
 * - `alepha platform build`   — build apps locally
-* - `alepha platform deploy`  — deploy to cloud
-* - `alepha platform migrate` — run database migrations
-* - `alepha platform secrets` — manage external secret stores
+* - `alepha platform deploy`     — deploy to cloud
+* - `alepha platform db migrate` — run database migrations
+* - `alepha platform db export`  — pull the deployed DB into a local snapshot
+* - `alepha platform secrets`    — manage external secret stores
 *
 * Configuration in `alepha.config.ts`:
 *
@@ -2964,21 +738,9 @@ const AlephaCliPlatformPlugin = $module({
 	name: "alepha.cli.plugins.platform",
 	services: [
 		AlephaCli,
+		AlephaPlatformLibPlugin,
 		PlatformCommand,
-		SecretsCommand,
-		CloudflareAdapter,
-		CloudflareApi,
-		VercelAdapter,
-		VercelApi,
-		VercelCli,
-		WranglerApi,
-		PlatformCacheProvider,
-		GitHubSecretStore,
-		MemorySecretStore,
-		NamingService,
-		SecretFilterService,
-		PlatformInspector,
-		PlatformOrchestrator
+		SecretsCommand
 	]
 });
 const platform = (options) => {
@@ -2992,6 +754,6 @@ const platform = (options) => {
 	};
 };
 //#endregion
-export { AlephaCliPlatformPlugin, CloudflareAdapter, CloudflareApi, GitHubSecretStore, MemorySecretStore, NamingContext, NamingService, PlatformAdapter, PlatformCacheProvider, PlatformCommand, PlatformInspector, PlatformOrchestrator, SecretFilterService, SecretStoreProvider, SecretsCommand, VercelAdapter, VercelApi, VercelCli, WranglerApi, cloudflareAccountSchema, cloudflareApiErrorSchema, cloudflareD1Schema, cloudflareDeploymentListSchema, cloudflareDeploymentSchema, cloudflareDeploymentVersionSchema, cloudflareHyperdriveOriginSchema, cloudflareHyperdriveSchema, cloudflareKVSchema, cloudflareQueueConsumerSchema, cloudflareQueueSchema, cloudflareR2ListSchema, cloudflareR2Schema, cloudflareR2TokenSchema, cloudflareSecretSchema, cloudflareVersionListSchema, cloudflareVersionSchema, cloudflareWorkerSchema, createD1BodySchema, createEnvVarBodySchema, createHyperdriveBodySchema, createHyperdriveOriginSchema, createKVBodySchema, createProjectBodySchema, createQueueBodySchema, createR2BodySchema, createR2TokenBodySchema, platform, platformOptions, platformPlanAppResourcesSchema, platformPlanAppSchema, platformPlanEnvironmentSchema, platformPlanResourceSchema, platformPlanSchema, platformStatusResourceSchema, platformStatusSchema, platformStatusSecretSchema, platformStatusWorkerSchema, putSecretBodySchema, vercelDeploymentSchema, vercelEnvVarSchema, vercelProjectSchema };
+export { AlephaCliPlatformPlugin, PlatformCommand, SecretsCommand, platform };
 
 //# sourceMappingURL=index.js.map