alepha 0.21.2 → 0.23.0

package/dist/cli/platform-lib/index.d.ts

@@ -0,0 +1,1472 @@
+import { Alepha, Static, TSchema } from "alepha";
+import { AlephaCliUtils, AppEntry, BuildCloudflareTask, PackageManagerUtils } from "alepha/cli";
+import { Asker, EnvUtils, Runner, RunnerMethod } from "alepha/command";
+import { ConsoleColorProvider } from "alepha/logger";
+import { FileSystemProvider, ShellProvider } from "alepha/system";
+import { DateTimeProvider } from "alepha/datetime";
+
+//#region ../../src/cli/platform-lib/providers/PlatformCacheProvider.d.ts
+interface PlatformCache {
+  [adapter: string]: {
+    lastLoginCheck: number;
+    accountId?: string;
+  };
+}
+/**
+ * Caches cloud provider login state to avoid slow auth checks.
+ *
+ * Stored in node_modules/.alepha/platform.json (gitignored, project-scoped).
+ * TTL: 4 hours.
+ */
+declare class PlatformCacheProvider {
+  protected static readonly TTL_MS: number;
+  protected readonly fs: FileSystemProvider;
+  protected readonly dateTime: DateTimeProvider;
+  protected cachePath(root: string): string;
+  isLoginFresh(root: string, adapter: string): Promise<boolean>;
+  getAccountId(root: string, adapter: string): Promise<string | undefined>;
+  recordLogin(root: string, adapter: string, accountId?: string): Promise<void>;
+  protected readCache(root: string): Promise<PlatformCache>;
+  protected writeCache(root: string, cache: PlatformCache): Promise<void>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/schemas/cloudflare.d.ts
+declare const cloudflareAccountSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  name: import("typebox").TString;
+}>;
+type CloudflareAccount = Static<typeof cloudflareAccountSchema>;
+declare const cloudflareD1Schema: import("typebox").TObject<{
+  uuid: import("typebox").TString;
+  name: import("typebox").TString;
+}>;
+type CloudflareD1 = Static<typeof cloudflareD1Schema>;
+declare const cloudflareKVSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  title: import("typebox").TString;
+}>;
+type CloudflareKV = Static<typeof cloudflareKVSchema>;
+declare const cloudflareR2Schema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  creation_date: import("typebox").TOptional<import("typebox").TString>;
+}>;
+type CloudflareR2 = Static<typeof cloudflareR2Schema>;
+declare const cloudflareR2ListSchema: import("typebox").TObject<{
+  buckets: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    creation_date: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+}>;
+declare const cloudflareQueueSchema: import("typebox").TObject<{
+  queue_id: import("typebox").TString;
+  queue_name: import("typebox").TString;
+}>;
+type CloudflareQueue = Static<typeof cloudflareQueueSchema>;
+declare const cloudflareQueueConsumerSchema: import("typebox").TObject<{
+  consumer_id: import("typebox").TString;
+  service: import("typebox").TString;
+  environment: import("typebox").TOptional<import("typebox").TString>;
+}>;
+type CloudflareQueueConsumer = Static<typeof cloudflareQueueConsumerSchema>;
+declare const cloudflareHyperdriveOriginSchema: import("typebox").TObject<{
+  host: import("typebox").TString;
+}>;
+declare const cloudflareHyperdriveSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  name: import("typebox").TString;
+  origin: import("typebox").TObject<{
+    host: import("typebox").TString;
+  }>;
+}>;
+type CloudflareHyperdrive = Static<typeof cloudflareHyperdriveSchema>;
+declare const cloudflareWorkerSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  created_on: import("typebox").TString;
+  modified_on: import("typebox").TString;
+}>;
+type CloudflareWorker = Static<typeof cloudflareWorkerSchema>;
+declare const cloudflareDeploymentVersionSchema: import("typebox").TObject<{
+  version_id: import("typebox").TString;
+  percentage: import("typebox").TNumber;
+}>;
+declare const cloudflareDeploymentSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  versions: import("typebox").TArray<import("typebox").TObject<{
+    version_id: import("typebox").TString;
+    percentage: import("typebox").TNumber;
+  }>>;
+  created_on: import("typebox").TString;
+}>;
+type CloudflareDeployment = Static<typeof cloudflareDeploymentSchema>;
+declare const cloudflareDeploymentListSchema: import("typebox").TObject<{
+  deployments: import("typebox").TArray<import("typebox").TObject<{
+    id: import("typebox").TString;
+    versions: import("typebox").TArray<import("typebox").TObject<{
+      version_id: import("typebox").TString;
+      percentage: import("typebox").TNumber;
+    }>>;
+    created_on: import("typebox").TString;
+  }>>;
+}>;
+declare const cloudflareVersionSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  metadata: import("typebox").TObject<{
+    created_on: import("typebox").TString;
+  }>;
+  annotations: import("typebox").TOptional<import("typebox").TRecord<"^.*$", import("typebox").TString>>;
+}>;
+type CloudflareVersion = Static<typeof cloudflareVersionSchema>;
+declare const cloudflareVersionListSchema: import("typebox").TObject<{
+  items: import("typebox").TArray<import("typebox").TObject<{
+    id: import("typebox").TString;
+    metadata: import("typebox").TObject<{
+      created_on: import("typebox").TString;
+    }>;
+    annotations: import("typebox").TOptional<import("typebox").TRecord<"^.*$", import("typebox").TString>>;
+  }>>;
+}>;
+declare const cloudflareSecretSchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  type: import("typebox").TString;
+}>;
+type CloudflareSecret = Static<typeof cloudflareSecretSchema>;
+declare const createD1BodySchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  primary_location_hint: import("typebox").TOptional<import("typebox").TString>;
+  jurisdiction: import("typebox").TOptional<import("typebox").TString>;
+}>;
+declare const createKVBodySchema: import("typebox").TObject<{
+  title: import("typebox").TString;
+}>;
+declare const createR2BodySchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+}>;
+declare const cloudflareR2TokenSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  accessKeyId: import("typebox").TString;
+  secretAccessKey: import("typebox").TString;
+}>;
+type CloudflareR2Token = Static<typeof cloudflareR2TokenSchema>;
+declare const createR2TokenBodySchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  policies: import("typebox").TArray<import("typebox").TObject<{
+    effect: import("typebox").TString;
+    permissions: import("typebox").TArray<import("typebox").TString>;
+    buckets: import("typebox").TOptional<import("typebox").TArray<import("typebox").TString>>;
+  }>>;
+}>;
+declare const createQueueBodySchema: import("typebox").TObject<{
+  queue_name: import("typebox").TString;
+}>;
+declare const createHyperdriveOriginSchema: import("typebox").TObject<{
+  scheme: import("typebox").TString;
+  host: import("typebox").TString;
+  port: import("typebox").TNumber;
+  database: import("typebox").TString;
+  user: import("typebox").TString;
+  password: import("typebox").TString;
+}>;
+declare const createHyperdriveBodySchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  origin: import("typebox").TObject<{
+    scheme: import("typebox").TString;
+    host: import("typebox").TString;
+    port: import("typebox").TNumber;
+    database: import("typebox").TString;
+    user: import("typebox").TString;
+    password: import("typebox").TString;
+  }>;
+}>;
+declare const putSecretBodySchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  text: import("typebox").TString;
+  type: import("typebox").TString;
+}>;
+declare const cloudflareApiErrorSchema: import("typebox").TObject<{
+  code: import("typebox").TNumber;
+  message: import("typebox").TString;
+}>;
+type CloudflareApiError = Static<typeof cloudflareApiErrorSchema>;
+//#endregion
+//#region ../../src/cli/platform-lib/services/WranglerApi.d.ts
+/**
+ * Wraps wrangler CLI commands that are kept as shell-outs.
+ *
+ * Only used for operations where wrangler provides value
+ * beyond a raw API call: OAuth login, worker deploy (bundling/upload),
+ * D1 migrations, and secret bulk push.
+ */
+declare class WranglerApi {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly shell: ShellProvider;
+  protected readonly utils: AlephaCliUtils;
+  protected readonly pm: PackageManagerUtils;
+  protected readonly runner: Runner;
+  protected runShell(command: string, options?: Parameters<ShellProvider["run"]>[1]): Promise<string>;
+  /**
+   * Ensure wrangler is installed in the project.
+   */
+  ensureInstalled(root: string, run: RunnerMethod): Promise<void>;
+  /**
+   * Check if the user is authenticated. Returns the whoami output.
+   */
+  whoami(): Promise<string>;
+  /**
+   * Open the browser-based OAuth login flow.
+   */
+  login(): Promise<void>;
+  /**
+   * Get the current auth token from wrangler (auto-refreshes if expired).
+   */
+  getAuthToken(): Promise<string>;
+  /**
+   * Deploy a worker via wrangler (handles bundling and upload).
+   *
+   * Returns the workers.dev URL if found in the output.
+   */
+  deploy(workerName: string, configPath: string, root?: string): Promise<string | undefined>;
+  /**
+   * Apply D1 migrations remotely.
+   */
+  d1MigrationsApply(dbName: string, configPath: string, root?: string): Promise<void>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/services/CloudflareApi.d.ts
+/**
+ * Thin wrapper over the Cloudflare REST API.
+ *
+ * Uses `wrangler auth token` to obtain credentials,
+ * then calls `fetch()` directly for all CRUD operations.
+ */
+declare class CloudflareApi {
+  protected static readonly BASE = "https://api.cloudflare.com/client/v4";
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly alepha: Alepha;
+  protected readonly wrangler: WranglerApi;
+  protected token?: string;
+  protected accountId?: string;
+  protected jurisdiction?: "eu" | "fedramp";
+  /**
+   * Set the Cloudflare data jurisdiction for R2 and D1 resources.
+   *
+   * R2 buckets and D1 databases created under a jurisdiction live in a
+   * separate namespace — every R2 API call (list/create/delete) must include
+   * the `cf-r2-jurisdiction` header, and D1 create must include the field
+   * in the request body. Omit / pass `undefined` for the default (global).
+   */
+  setJurisdiction(jurisdiction?: "eu" | "fedramp"): void;
+  /**
+   * Override the Cloudflare account ID (from platform config).
+   *
+   * When unset, `resolveAccountId` falls back to `CLOUDFLARE_ACCOUNT_ID` env
+   * var or the token's single account.
+   */
+  setAccountId(accountId?: string): void;
+  /**
+   * Obtain the current auth token from wrangler.
+   */
+  resolveToken(): Promise<string>;
+  /**
+   * Resolve the Cloudflare account ID.
+   *
+   * Calls /accounts and picks the first one. Cached after first call.
+   */
+  resolveAccountId(): Promise<string>;
+  listD1(): Promise<CloudflareD1[]>;
+  createD1(name: string, location?: string): Promise<CloudflareD1>;
+  deleteD1(databaseId: string): Promise<void>;
+  listKV(): Promise<CloudflareKV[]>;
+  createKV(title: string): Promise<CloudflareKV>;
+  deleteKV(namespaceId: string): Promise<void>;
+  listR2(): Promise<CloudflareR2[]>;
+  createR2(name: string): Promise<void>;
+  deleteR2(name: string): Promise<void>;
+  /**
+   * Mint a bucket-scoped R2 API token (S3 access key + secret) using the
+   * current bearer token. Used by teardown to wipe a bucket over the S3
+   * protocol without requiring users to pre-create R2 access keys.
+   *
+   * The returned token should be revoked with `deleteR2Token` as soon as the
+   * wipe is done.
+   */
+  createR2Token(name: string, bucket: string): Promise<CloudflareR2Token>;
+  deleteR2Token(tokenId: string): Promise<void>;
+  listQueues(): Promise<CloudflareQueue[]>;
+  createQueue(name: string): Promise<CloudflareQueue>;
+  deleteQueue(queueId: string): Promise<void>;
+  listQueueConsumers(queueId: string): Promise<CloudflareQueueConsumer[]>;
+  deleteQueueConsumer(queueId: string, consumerService: string): Promise<void>;
+  listHyperdrive(): Promise<CloudflareHyperdrive[]>;
+  createHyperdrive(name: string, connectionString: string): Promise<CloudflareHyperdrive>;
+  deleteHyperdrive(configId: string): Promise<void>;
+  getWorker(scriptName: string): Promise<CloudflareWorker | undefined>;
+  deleteWorker(scriptName: string): Promise<void>;
+  listDeployments(scriptName: string): Promise<CloudflareDeployment[]>;
+  listVersions(scriptName: string): Promise<CloudflareVersion[]>;
+  listSecrets(scriptName: string): Promise<CloudflareSecret[]>;
+  putSecret(scriptName: string, name: string, value: string): Promise<void>;
+  /**
+   * Fetch the current worker bindings via the script-settings endpoint.
+   * Used to merge new secrets into the existing binding set in one PATCH
+   * (avoids the per-secret `putSecret` calls, each of which creates a
+   * Cloudflare deployment — pushing 7 secrets meant 7 deployment rows).
+   *
+   * Secret bindings come back with `name` + `type` but no `text` (they're
+   * write-only on Cloudflare's side); to preserve them across a PATCH we
+   * forward each one as `{ type, name }` and Cloudflare keeps the stored
+   * value.
+   */
+  getWorkerSettings(scriptName: string): Promise<{
+    bindings: Array<{
+      type: string;
+      name: string;
+      text?: string;
+    }>;
+  }>;
+  /**
+   * Replace the worker's binding set in one call (= one Cloudflare
+   * deployment, regardless of how many secrets are being updated).
+   *
+   * The endpoint expects multipart FormData with a `settings` field whose
+   * value is a JSON-encoded `{ bindings: [...] }` — the `fetch` helper
+   * above is JSON-only, so this one bypasses it and calls `globalThis.fetch`
+   * directly. Mirrors what `wrangler secret bulk` does internally.
+   */
+  patchWorkerBindings(scriptName: string, bindings: Array<{
+    type: string;
+    name: string;
+    text?: string;
+  }>): Promise<void>;
+  protected fetch<T = unknown>(path: string, options?: {
+    method?: string;
+    body?: unknown;
+    bodySchema?: TSchema;
+    schema?: TSchema;
+    query?: Record<string, string>;
+  }): Promise<T>;
+  /**
+   * Paginate a page-based list endpoint (`result_info.total_pages`).
+   *
+   * Cloudflare defaults to `per_page=20`; we push it to 1000 (max on most
+   * list endpoints) and loop if more pages exist. Each page is validated
+   * against the item schema.
+   */
+  protected paginate<T>(path: string, itemSchema: TSchema, perPage?: number): Promise<T[]>;
+  /**
+   * Paginate a cursor-based list endpoint where `result` is an object
+   * containing both the items array and a `cursor` field (R2 buckets,
+   * Workers versions). Returns the flattened item array.
+   */
+  protected paginateCursor<T>(path: string, itemsKey: string, itemSchema: TSchema, perPage?: number): Promise<T[]>;
+  /**
+   * Parse a postgres:// connection string into Hyperdrive origin fields.
+   */
+  protected parseConnectionString(connectionString: string): {
+    scheme: string;
+    host: string;
+    port: number;
+    database: string;
+    user: string;
+    password: string;
+  };
+}
+//#endregion
+//#region ../../src/cli/platform-lib/atoms/platformOptions.d.ts
+/**
+ * Platform deployment configuration atom.
+ *
+ * Filled from the `platform` section of `alepha.config.ts`.
+ * Read by `PlatformCommand` to resolve environments and adapters.
+ */
+declare const platformOptions: import("alepha").Atom<import("typebox").TOptional<import("typebox").TObject<{
+  /**
+   * Project name override. Defaults to root package.json "name".
+   */
+  name: import("typebox").TOptional<import("typebox").TString>;
+  /**
+   * Default environment when --env is omitted.
+   *
+   * @default "production"
+   */
+  default: import("typebox").TOptional<import("typebox").TString>;
+  /**
+   * Multi-tenancy mode — controls whether `--tenant <slug>` is
+   * accepted/required and how it shapes resource names + the domain.
+   *
+   * - `none` (default): single instance. `--tenant` is rejected.
+   * - `required`: every deploy needs `--tenant`; resources are named
+   *   `<tenant>-<project>-<env>` and the host becomes
+   *   `<tenant>.<domain>`. Omitting it errors.
+   * - `optional`: a base instance (no `--tenant`) plus per-tenant
+   *   instances coexist.
+   *
+   * @default "none"
+   */
+  tenancy: import("typebox").TOptional<import("typebox").TUnsafe<"required" | "none" | "optional">>;
+  /**
+   * Secret store configuration for syncing .env secrets
+   * to external providers (e.g. GitHub Actions environments).
+   */
+  secrets: import("typebox").TOptional<import("typebox").TObject<{
+    /**
+     * Explicit override of the worker secret-key allowlist.
+     *
+     * By default the deploy `secrets` step uses the build manifest's
+     * `env` list (every key the app declares via `$env`, captured at
+     * build time) as the allowlist, resolving each value from
+     * `.env.<env>[.local]` first, then `process.env`. This lets CI
+     * deliver secrets via the job environment (no `.env` file on the
+     * runner) while only ever pushing declared keys — ambient runner
+     * vars (PATH, GITHUB_*, …) can never leak.
+     *
+     * Set `keys` to override that auto-detected list (e.g. to narrow it,
+     * or to add a key read via `process.env` rather than `$env`). When
+     * neither this nor a manifest is present, the `.env.<env>` file is
+     * itself the allowlist (legacy fallback).
+     */
+    keys: import("typebox").TOptional<import("typebox").TArray<import("typebox").TString>>;
+    /**
+     * Secret store backend.
+     */
+    store: import("typebox").TOptional<import("typebox").TUnsafe<"github">>;
+    /**
+     * Pattern for resolving environment names in the store.
+     * Placeholders: {project}, {env}.
+     *
+     * @default "{project}-{env}"
+     */
+    environmentPattern: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  /**
+   * Named environments with their adapter and configuration.
+   */
+  environments: import("typebox").TRecord<"^.*$", import("typebox").TObject<{
+    adapter: import("typebox").TUnsafe<"cloudflare" | "vercel">;
+    /**
+     * Custom domain for the deployed worker (e.g. "api.example.com").
+     *
+     * On Cloudflare this is attached as a custom-domain route.
+     * Omit to use the adapter's default `*.workers.dev` / preview URL.
+     *
+     * Wildcards are supported for multi-tenant SaaS apps:
+     * `"*.club.alepha.dev"` routes every subdomain to the worker.
+     * Wildcard patterns require `zone` to be set, and the wildcard DNS
+     * record must already exist (proxied) in the Cloudflare zone.
+     */
+    domain: import("typebox").TOptional<import("typebox").TString>;
+    /**
+     * Cloudflare zone name (e.g. "alepha.dev") that owns `domain`.
+     *
+     * Required when `domain` contains a wildcard (`*`). Ignored for
+     * plain custom domains, which Cloudflare resolves automatically.
+     */
+    zone: import("typebox").TOptional<import("typebox").TString>;
+    /**
+     * Cloudflare data jurisdiction for R2 buckets and D1 databases.
+     * - "eu": data stays within the EU
+     * - "fedramp": FedRAMP-authorized regions
+     *
+     * Omit for the default (global) jurisdiction.
+     */
+    jurisdiction: import("typebox").TOptional<import("typebox").TUnsafe<"eu" | "fedramp">>;
+    /**
+     * Cloudflare account ID to deploy into.
+     *
+     * Falls back to `CLOUDFLARE_ACCOUNT_ID` env var, then to the
+     * token's account when the token is scoped to exactly one.
+     * Required when the token has access to multiple accounts.
+     */
+    accountId: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+}>>, "alepha.cli.platform.options">;
+/**
+ * Type for platform options.
+ */
+type PlatformOptions = Static<typeof platformOptions.schema>;
+/**
+ * Configuration for a single named environment.
+ */
+interface EnvironmentConfig {
+  adapter: "cloudflare" | "vercel";
+  domain?: string;
+  zone?: string;
+  vars?: Record<string, string>;
+  jurisdiction?: "eu" | "fedramp";
+  accountId?: string;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/services/NamingService.d.ts
+/**
+ * Multi-tenancy mode for an app's deployments.
+ *
+ * - `none` (default): single-instance app. Passing `--tenant` is an
+ *   error — guards a non-tenanted app (e.g. the SaaS console) from
+ *   accidentally getting a tenant prefix.
+ * - `required`: every deploy targets a tenant. Omitting `--tenant` is an
+ *   error — kills the "forgot the flag → deployed to the apex" footgun.
+ * - `optional`: both work — a base instance (no `--tenant`) and per-tenant
+ *   instances coexist (distinct names + hosts).
+ */
+type Tenancy = "none" | "optional" | "required";
+/**
+ * Validate a `--tenant` value against the app's declared `tenancy` and
+ * return the effective tenant (or `undefined` for a base/non-tenanted
+ * deploy). Throws on any matrix violation so a misconfigured deploy fails
+ * fast instead of landing on the wrong resource names / host.
+ */
+declare function resolveTenant(tenancy: Tenancy | undefined, tenant: string | undefined): string | undefined;
+/**
+ * Resolve the host a deploy is served on.
+ *
+ * - `override` (V2 custom domains, e.g. `reservation.club-b14.fr`) wins
+ *   outright when supplied — not wired to a flag today, but the single
+ *   seam a future `--domain` / Rocket `config.hostname` plugs into.
+ * - else a tenant becomes the leftmost DNS label: `b14` + `alepha.club`
+ *   → `b14.alepha.club`.
+ * - else the base domain is used as-is.
+ */
+declare function tenantDomain(base: string | undefined, tenant: string | undefined, override?: string): string | undefined;
+/**
+ * Generates deterministic resource names for cloud deployments.
+ *
+ * Pattern: `<tenant>-<project>-<env>` (tenant segment omitted when the
+ * deploy isn't tenanted).
+ *
+ * All segments are slugified (lowercase, alphanumeric + dashes, max 63
+ * chars). One app per workspace — see `alepha platform`.
+ */
+declare class NamingService {
+  forContext(project: string, env: string, tenant?: string): NamingContext;
+  slugify(name: string): string;
+}
+declare class NamingContext {
+  protected readonly prefix: string;
+  constructor(prefix: string);
+  worker(): string;
+  d1(): string;
+  hyperdrive(): string;
+  r2(): string;
+  kv(): string;
+  queue(): string;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/adapters/PlatformAdapter.d.ts
+/**
+ * Options for {@link PlatformAdapter.exportDb}.
+ */
+interface ExportDbOptions {
+  /**
+   * Destination file for the local snapshot. Adapter-specific default —
+   * Cloudflare/D1 writes the dev SQLite at
+   * `node_modules/.alepha/sqlite.db`.
+   */
+  output?: string;
+  /**
+   * Keep the intermediate `.sql` dump instead of deleting it after import.
+   */
+  keepSql?: boolean;
+}
+interface DetectedResources {
+  hasDatabase: boolean;
+  hasBucket: boolean;
+  hasKV: boolean;
+  hasQueue: boolean;
+  hasCron: boolean;
+}
+/**
+ * One workspace = one app. Used to be a per-app definition in a
+ * monorepo-aware orchestrator; flattened into `PlatformContext` after
+ * the `apps:` field was removed from platform options.
+ */
+interface PlatformContext {
+  /**
+   * Slugified project name (from package.json or platform config).
+   */
+  project: string;
+  /**
+   * Environment key (e.g., "production", "staging", "tmp-bug001").
+   */
+  env: string;
+  /**
+   * Environment configuration from alepha.config.ts.
+   */
+  envConfig: EnvironmentConfig;
+  /**
+   * Workspace root path.
+   */
+  root: string;
+  /**
+   * Resolved entry points for the workspace. Stub (`{ root, server: "" }`)
+   * in pre-built / manifest mode since no source booting happens.
+   */
+  entry: AppEntry;
+  /**
+   * Cloud resources the workspace uses — discovered at build time, read
+   * from `dist/manifest.json` at deploy time.
+   */
+  resources: DetectedResources;
+  /**
+   * Resource name generator bound to this project+env(+tenant).
+   */
+  naming: NamingContext;
+  /**
+   * Active tenant slug for this deploy (apps with `tenancy: optional |
+   * required`), or `undefined` for a base / non-tenanted deploy. Shapes
+   * the served host (`<tenant>.<domain>`); resource names already fold it
+   * in via {@link naming}.
+   */
+  tenant?: string;
+  /**
+   * Pre-built mode. When true, the adapter's `build()` should skip the
+   * Vite bundle steps and only regenerate the deploy config
+   * (wrangler.jsonc, Dockerfile, etc.) so it reflects current bindings +
+   * per-tenant overrides.
+   */
+  prebuilt?: boolean;
+}
+/**
+ * @deprecated Same as `PlatformContext` since the `apps:` collapse —
+ * kept as a type alias so existing adapter signatures still compile.
+ */
+type AppContext = PlatformContext;
+interface ResourceState {
+  name: string;
+  exists: boolean;
+  id?: string;
+  detail?: string;
+}
+interface WorkerState extends ResourceState {
+  version?: string;
+  tag?: string;
+  createdAt?: string;
+}
+interface SecretState {
+  name: string;
+  deployed: boolean;
+}
+interface PlatformState {
+  workers: WorkerState[];
+  databases: ResourceState[];
+  buckets: ResourceState[];
+  kvNamespaces: ResourceState[];
+  queues: ResourceState[];
+  secrets: SecretState[];
+}
+/**
+ * Abstract platform adapter.
+ *
+ * Each cloud provider (Cloudflare, AKS, docker-compose) implements this.
+ * The PlatformOrchestrator calls these methods in the correct order.
+ */
+declare abstract class PlatformAdapter {
+  /**
+   * Ensure the user is authenticated with the cloud provider.
+   * May use cached credentials to avoid slow checks.
+   */
+  abstract authenticate(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  /**
+   * Build artifacts for a single app.
+   */
+  abstract build(ctx: AppContext, run: RunnerMethod): Promise<void>;
+  /**
+   * Deploy a single app (upload + activate atomically, e.g., wrangler deploy).
+   * Returns the live URL if the platform provides one.
+   */
+  abstract deploy(ctx: AppContext, run: RunnerMethod): Promise<string | undefined>;
+  /**
+   * Create/ensure cloud resources exist (DB, buckets, queues).
+   * Not all adapters provision -- AKS defers to Helm.
+   */
+  provision(_ctx: PlatformContext, _run: RunnerMethod): Promise<void>;
+  /**
+   * Run database migrations.
+   */
+  migrate(_ctx: PlatformContext, _run: RunnerMethod): Promise<void>;
+  /**
+   * Export the deployed database to a local file — the remote → local dev
+   * snapshot workflow. Adapter/dialect specific; the default refuses.
+   */
+  exportDb(_ctx: PlatformContext, _run: RunnerMethod, _options?: ExportDbOptions): Promise<void>;
+  /**
+   * Push runtime secrets to the deployed worker(s).
+   *
+   * Reads secrets from `.env.{env}` files (parsed, not from process.env),
+   * filters out vars already handled by bindings (DATABASE_URL, R2, etc.),
+   * and pushes the rest via the platform's secret management.
+   */
+  secrets(_ctx: PlatformContext, _run: RunnerMethod): Promise<void>;
+  /**
+   * Detect existing resources and their state.
+   * Used by `plan` and `status` commands.
+   */
+  abstract inspect(ctx: PlatformContext, run: RunnerMethod): Promise<PlatformState>;
+  /**
+   * Tear down all resources for an environment.
+   */
+  abstract teardown(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/adapters/CloudflareAdapter.d.ts
+/**
+ * Cloudflare Workers adapter.
+ *
+ * Uses the Cloudflare REST API (via CloudflareApi) for resource provisioning
+ * and teardown, and wrangler CLI (via WranglerApi) for login, deploy,
+ * D1 migrations, and secret bulk push.
+ */
+declare class CloudflareAdapter extends PlatformAdapter {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly fs: FileSystemProvider;
+  protected readonly shell: ShellProvider;
+  protected readonly cache: PlatformCacheProvider;
+  protected readonly alepha: Alepha;
+  protected readonly envUtils: EnvUtils;
+  protected readonly api: CloudflareApi;
+  protected readonly wrangler: WranglerApi;
+  protected readonly runner: Runner;
+  protected readonly buildTask: BuildCloudflareTask;
+  protected readonly options: Readonly<{
+    name?: string | undefined;
+    default?: string | undefined;
+    tenancy?: "required" | "none" | "optional" | undefined;
+    secrets?: {
+      keys?: string[] | undefined;
+      store?: "github" | undefined;
+      environmentPattern?: string | undefined;
+    } | undefined;
+    environments: Record<string, {
+      domain?: string | undefined;
+      zone?: string | undefined;
+      jurisdiction?: "eu" | "fedramp" | undefined;
+      accountId?: string | undefined;
+      adapter: "cloudflare" | "vercel";
+    }>;
+  }>;
+  protected provisionedD1Id?: string;
+  protected provisionedHyperdriveId?: string;
+  protected provisionedKVIds: Map<string, string>;
+  /**
+   * Check if the user's DATABASE_URL points to an external Postgres database.
+   * If so, we use Hyperdrive instead of D1.
+   *
+   * Reads from `.env.{env}` first, falls back to `process.env`.
+   */
+  protected isPostgres(ctx: PlatformContext): Promise<boolean>;
+  /**
+   * Propagate the environment's data-jurisdiction setting to the API client.
+   *
+   * Must be invoked at the top of every entry point (authenticate, build,
+   * deploy, secrets, provision, migrate, inspect, teardown) because
+   * CloudflareApi is a singleton reused across env invocations.
+   */
+  protected configureApi(ctx: PlatformContext): void;
+  protected runShell(command: string, options?: Parameters<ShellProvider["run"]>[1]): Promise<string>;
+  authenticate(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  build(ctx: AppContext, run: RunnerMethod): Promise<void>;
+  /**
+   * Library-embed of `alepha build -t cloudflare --prebuilt`. Loads the
+   * pre-built `dist/manifest.json`, sets the per-tenant env vars on
+   * `process.env` for the duration of the call (the task's enhance*
+   * methods read them directly), then runs `BuildCloudflareTask`
+   * against a synthetic context.
+   *
+   * `ctx.alepha` is intentionally null — in manifest mode the task
+   * reads resources/crons/containers from `ctx.manifest` and never
+   * dereferences `ctx.alepha`. Same for `entry` and `hasClient`:
+   * prebuilt mode skips the bundle tasks; only the wrangler.jsonc /
+   * worker-entrypoint emission runs.
+   */
+  protected runBuildInProcess(root: string, env: Record<string, string>): Promise<void>;
+  deploy(ctx: AppContext, run: RunnerMethod): Promise<string | undefined>;
+  /**
+   * Vars that are handled by wrangler bindings or build config.
+   * These should not be pushed as secrets.
+   */
+  static readonly EXCLUDED_SECRET_KEYS: Set<string>;
+  /**
+   * Read the build manifest's `env` list (every key the app declares via
+   * `$env`) from `dist/manifest.json`. Used as the default worker-secret
+   * allowlist. Returns `undefined` when the manifest is absent or predates
+   * the `env` field, so the caller falls back to the `.env` file keys.
+   */
+  protected readManifestEnvKeys(root: string): Promise<string[] | undefined>;
+  secrets(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  /**
+   * Public base URL for this deploy, derived from the configured domain
+   * (honoring tenant subdomains). Returns undefined when no domain is set or
+   * the host is a wildcard — there's no single resolvable origin to point at.
+   */
+  protected publicUrl(ctx: PlatformContext): string | undefined;
+  /**
+   * Plain-text binding used to fingerprint the deployed secret set so the
+   * next `up` can skip the PATCH when nothing has changed.
+   */
+  static readonly SECRETS_HASH_BINDING = "ALEPHA_SECRETS_HASH";
+  provision(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  migrate(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  exportDb(ctx: PlatformContext, run: RunnerMethod, options?: ExportDbOptions): Promise<void>;
+  protected migrateD1(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  protected migratePostgres(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  inspect(ctx: PlatformContext, run: RunnerMethod): Promise<PlatformState>;
+  teardown(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  protected ensureD1(name: string): Promise<string>;
+  protected ensureHyperdrive(name: string, connectionString: string): Promise<string>;
+  protected ensureR2(name: string): Promise<void>;
+  /** Whether a Cloudflare error message indicates the bucket is already gone. */
+  protected isMissingBucketError(msg: string): boolean;
+  /**
+   * Resolve S3 credentials for wiping an R2 bucket over the S3 protocol.
+   *
+   * Prefers the account's R2 S3 credentials from the environment
+   * (`S3_ACCESS_KEY_ID` / `S3_SECRET_ACCESS_KEY`) — these are already
+   * provisioned for the deploy (artifact registry) and are account-scoped,
+   * so they can empty any bucket without minting anything. Returns `null`
+   * when not configured, letting the caller fall back to token minting.
+   */
+  protected resolveR2Credentials(): {
+    accessKeyId: string;
+    secretAccessKey: string;
+  } | null;
+  /**
+   * Delete an R2 bucket, emptying it first only when necessary.
+   *
+   * Cloudflare's REST `DELETE /r2/buckets/:name` succeeds on an empty bucket
+   * but rejects a non-empty one. So we attempt the delete directly (the
+   * common teardown case — no objects, no creds needed), and only on failure
+   * empty the bucket over the S3 protocol and retry. A missing bucket is a
+   * no-op, so teardown is idempotent.
+   */
+  protected deleteR2Bucket(name: string, ctx: PlatformContext): Promise<void>;
+  /**
+   * Empty an R2 bucket via the S3-compatible API.
+   *
+   * Cloudflare's REST API has no object-level endpoints — objects must be
+   * listed and deleted over the S3 protocol. We use the account's R2 S3
+   * credentials (`S3_ACCESS_KEY_ID` / `S3_SECRET_ACCESS_KEY`) when present;
+   * otherwise we fall back to minting a short-lived bucket-scoped token via
+   * the CF API (requires a user-scoped `CLOUDFLARE_API_TOKEN`) and revoke it
+   * after. When neither is available the wipe is skipped with a warning —
+   * the caller still attempts the delete, which succeeds for empty buckets.
+   *
+   * Also aborts any pending multipart uploads — those count as bucket
+   * contents from R2's perspective and would otherwise block the delete.
+   */
+  protected wipeR2Bucket(bucketName: string, ctx: PlatformContext): Promise<void>;
+  protected ensureKV(name: string): Promise<string>;
+  protected ensureQueue(name: string): Promise<void>;
+  /**
+   * Get the currently active deployment for a worker.
+   */
+  protected getActiveDeployment(workerName: string): Promise<{
+    versionId: string;
+    tag?: string;
+    createdAt?: string;
+  } | undefined>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/schemas/vercel.d.ts
+declare const vercelProjectSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  name: import("typebox").TString;
+  accountId: import("typebox").TString;
+}>;
+type VercelProject = Static<typeof vercelProjectSchema>;
+declare const createProjectBodySchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  framework: import("typebox").TOptional<import("typebox").TNull>;
+}>;
+declare const vercelDeploymentSchema: import("typebox").TObject<{
+  uid: import("typebox").TString;
+  name: import("typebox").TString;
+  url: import("typebox").TString;
+  state: import("typebox").TOptional<import("typebox").TString>;
+  readyState: import("typebox").TOptional<import("typebox").TString>;
+  created: import("typebox").TOptional<import("typebox").TNumber>;
+  target: import("typebox").TOptional<import("typebox").TString>;
+  alias: import("typebox").TOptional<import("typebox").TArray<import("typebox").TString>>;
+}>;
+type VercelDeployment = Static<typeof vercelDeploymentSchema>;
+declare const vercelEnvVarSchema: import("typebox").TObject<{
+  id: import("typebox").TString;
+  key: import("typebox").TString;
+  value: import("typebox").TOptional<import("typebox").TString>;
+  type: import("typebox").TString;
+  target: import("typebox").TArray<import("typebox").TString>;
+}>;
+type VercelEnvVar = Static<typeof vercelEnvVarSchema>;
+declare const createEnvVarBodySchema: import("typebox").TObject<{
+  key: import("typebox").TString;
+  value: import("typebox").TString;
+  type: import("typebox").TString;
+  target: import("typebox").TArray<import("typebox").TString>;
+}>;
+//#endregion
+//#region ../../src/cli/platform-lib/services/VercelCli.d.ts
+/**
+ * Wraps Vercel CLI commands and token management.
+ *
+ * Used for operations where the Vercel CLI provides value:
+ * OAuth login, prebuilt deploy, and auth token extraction.
+ */
+declare class VercelCli {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly shell: ShellProvider;
+  protected readonly fs: FileSystemProvider;
+  protected readonly utils: AlephaCliUtils;
+  protected readonly pm: PackageManagerUtils;
+  protected readonly runner: Runner;
+  protected runShell(command: string, options?: Parameters<ShellProvider["run"]>[1]): Promise<string>;
+  /**
+   * Ensure vercel CLI is installed in the project.
+   */
+  ensureInstalled(root: string, run: RunnerMethod): Promise<void>;
+  /**
+   * Get the Vercel auth token.
+   *
+   * Priority:
+   * 1. VERCEL_TOKEN environment variable (CI/CD)
+   * 2. Vercel CLI auth.json file (local dev)
+   */
+  getAuthToken(): Promise<string>;
+  /**
+   * Validate the current auth token.
+   */
+  whoami(): Promise<string>;
+  /**
+   * Open the browser-based login flow.
+   */
+  login(): Promise<void>;
+  /**
+   * Deploy a prebuilt .vercel/output/ directory.
+   *
+   * Returns the deployment URL.
+   */
+  deploy(distDir: string, options: {
+    prod?: boolean;
+    token?: string;
+  }): Promise<string | undefined>;
+  /**
+   * Resolve the path to Vercel CLI auth.json.
+   */
+  protected getAuthFilePath(): string;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/services/VercelApi.d.ts
+/**
+ * Thin wrapper over the Vercel REST API.
+ *
+ * Uses the auth token from VercelCli for all requests.
+ */
+declare class VercelApi {
+  protected static readonly BASE = "https://api.vercel.com";
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly alepha: Alepha;
+  protected readonly vercelCli: VercelCli;
+  protected token?: string;
+  /**
+   * Obtain the current auth token from the Vercel CLI.
+   */
+  resolveToken(): Promise<string>;
+  listProjects(): Promise<VercelProject[]>;
+  getProject(nameOrId: string): Promise<VercelProject | undefined>;
+  createProject(name: string): Promise<VercelProject>;
+  updateProject(nameOrId: string, settings: {
+    framework?: null;
+  }): Promise<void>;
+  deleteProject(nameOrId: string): Promise<void>;
+  listDeployments(projectId: string, options?: {
+    limit?: number;
+    target?: string;
+  }): Promise<VercelDeployment[]>;
+  listEnvVars(projectId: string): Promise<VercelEnvVar[]>;
+  upsertEnvVars(projectId: string, vars: Array<{
+    key: string;
+    value: string;
+    target: string[];
+  }>): Promise<void>;
+  deleteEnvVar(projectId: string, envVarId: string): Promise<void>;
+  protected fetch<T = unknown>(path: string, options?: {
+    method?: string;
+    body?: unknown;
+    bodySchema?: TSchema;
+    schema?: TSchema;
+    query?: Record<string, string>;
+  }): Promise<T>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/adapters/VercelAdapter.d.ts
+/**
+ * Vercel platform adapter.
+ *
+ * Uses the Vercel CLI for login and deploy (--prebuilt),
+ * and the Vercel REST API for project management, env vars, and inspection.
+ *
+ * v1 scope: deploy pipeline only. No DB/storage/KV provisioning.
+ */
+declare class VercelAdapter extends PlatformAdapter {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly fs: FileSystemProvider;
+  protected readonly shell: ShellProvider;
+  protected readonly utils: AlephaCliUtils;
+  protected readonly cache: PlatformCacheProvider;
+  protected readonly alepha: Alepha;
+  protected readonly envUtils: EnvUtils;
+  protected readonly api: VercelApi;
+  protected readonly vercelCli: VercelCli;
+  protected readonly runner: Runner;
+  /**
+   * Vars that should not be pushed as env vars.
+   * These are either handled by the build or are internal.
+   */
+  static readonly EXCLUDED_SECRET_KEYS: Set<string>;
+  protected runShell(command: string, options?: Parameters<ShellProvider["run"]>[1]): Promise<string>;
+  authenticate(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  build(ctx: AppContext, run: RunnerMethod): Promise<void>;
+  deploy(ctx: AppContext, run: RunnerMethod): Promise<string | undefined>;
+  secrets(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+  inspect(ctx: PlatformContext, run: RunnerMethod): Promise<PlatformState>;
+  teardown(ctx: PlatformContext, run: RunnerMethod): Promise<void>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/providers/SecretStoreProvider.d.ts
+/**
+ * A secret stored in a remote secret store.
+ */
+interface RemoteSecret {
+  name: string;
+  updatedAt?: string;
+}
+/**
+ * Abstract provider for managing secrets in an external store.
+ *
+ * Implementations: GitHubSecretStore, MemorySecretStore
+ */
+declare abstract class SecretStoreProvider {
+  /**
+   * Verify the backing store is reachable and authenticated.
+   */
+  abstract ensureAvailable(): Promise<void>;
+  /**
+   * Ensure the target environment exists in the store, creating it if needed.
+   */
+  abstract ensureEnvironment(environment: string): Promise<void>;
+  /**
+   * List all secrets in a given environment.
+   */
+  abstract list(environment: string): Promise<RemoteSecret[]>;
+  /**
+   * Set (create or update) a secret in a given environment.
+   */
+  abstract set(environment: string, key: string, value: string): Promise<void>;
+  /**
+   * Delete a secret from a given environment.
+   */
+  abstract delete(environment: string, key: string): Promise<void>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/providers/GitHubSecretStore.d.ts
+/**
+ * GitHub Actions secret store backed by the `gh` CLI.
+ *
+ * Requires the GitHub CLI (`gh`) to be installed and authenticated.
+ * Pushes secrets into GitHub Actions environments.
+ */
+declare class GitHubSecretStore implements SecretStoreProvider {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly shell: ShellProvider;
+  protected readonly fs: FileSystemProvider;
+  /**
+   * Verify that `gh` is installed and authenticated.
+   */
+  ensureAvailable(): Promise<void>;
+  /**
+   * Create the GitHub Actions environment if it doesn't exist.
+   */
+  ensureEnvironment(environment: string): Promise<void>;
+  /**
+   * List all secrets in a GitHub Actions environment.
+   */
+  list(environment: string): Promise<RemoteSecret[]>;
+  /**
+   * Set a secret in a GitHub Actions environment.
+   *
+   * Writes a dotenv-formatted file and uses `gh secret set --env-file` to
+   * avoid shell pipe issues with NodeShellProvider escaping the `|` character.
+   */
+  set(environment: string, key: string, value: string): Promise<void>;
+  /**
+   * Delete a secret from a GitHub Actions environment.
+   */
+  delete(environment: string, key: string): Promise<void>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/providers/MemorySecretStore.d.ts
+interface MemorySecretStoreCall {
+  method: "ensureAvailable" | "ensureEnvironment" | "list" | "set" | "delete";
+  environment?: string;
+  key?: string;
+  value?: string;
+}
+/**
+ * In-memory implementation of SecretStoreProvider for testing.
+ * Records all operations and stores secrets in a nested Map.
+ */
+declare class MemorySecretStore implements SecretStoreProvider {
+  /**
+   * Secrets keyed by environment, then by key.
+   */
+  secrets: Map<string, Map<string, string>>;
+  /**
+   * All recorded operations.
+   */
+  calls: MemorySecretStoreCall[];
+  /**
+   * When set, ensureAvailable() will throw with this message.
+   */
+  availableError: string | null;
+  ensureAvailable(): Promise<void>;
+  ensureEnvironment(environment: string): Promise<void>;
+  list(environment: string): Promise<RemoteSecret[]>;
+  set(environment: string, key: string, value: string): Promise<void>;
+  delete(environment: string, key: string): Promise<void>;
+  /**
+   * Check if set() was called for a given environment and key.
+   */
+  wasSet(environment: string, key: string): boolean;
+  /**
+   * Check if delete() was called for a given environment and key.
+   */
+  wasDeleted(environment: string, key: string): boolean;
+  /**
+   * Get all set() calls for a given environment.
+   */
+  getSetCalls(environment: string): Array<{
+    key: string;
+    value: string;
+  }>;
+  /**
+   * Reset all state.
+   */
+  reset(): void;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/schemas/platform.d.ts
+declare const platformStatusWorkerSchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  exists: import("typebox").TBoolean;
+  id: import("typebox").TOptional<import("typebox").TString>;
+  detail: import("typebox").TOptional<import("typebox").TString>;
+  version: import("typebox").TOptional<import("typebox").TString>;
+  tag: import("typebox").TOptional<import("typebox").TString>;
+  createdAt: import("typebox").TOptional<import("typebox").TString>;
+}>;
+declare const platformStatusResourceSchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  exists: import("typebox").TBoolean;
+  id: import("typebox").TOptional<import("typebox").TString>;
+  detail: import("typebox").TOptional<import("typebox").TString>;
+}>;
+declare const platformStatusSecretSchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  deployed: import("typebox").TBoolean;
+}>;
+declare const platformStatusSchema: import("typebox").TObject<{
+  project: import("typebox").TString;
+  env: import("typebox").TString;
+  adapter: import("typebox").TString;
+  workers: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    exists: import("typebox").TBoolean;
+    id: import("typebox").TOptional<import("typebox").TString>;
+    detail: import("typebox").TOptional<import("typebox").TString>;
+    version: import("typebox").TOptional<import("typebox").TString>;
+    tag: import("typebox").TOptional<import("typebox").TString>;
+    createdAt: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  databases: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    exists: import("typebox").TBoolean;
+    id: import("typebox").TOptional<import("typebox").TString>;
+    detail: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  buckets: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    exists: import("typebox").TBoolean;
+    id: import("typebox").TOptional<import("typebox").TString>;
+    detail: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  kvNamespaces: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    exists: import("typebox").TBoolean;
+    id: import("typebox").TOptional<import("typebox").TString>;
+    detail: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  queues: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    exists: import("typebox").TBoolean;
+    id: import("typebox").TOptional<import("typebox").TString>;
+    detail: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  secrets: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    deployed: import("typebox").TBoolean;
+  }>>;
+}>;
+type PlatformStatusOutput = Static<typeof platformStatusSchema>;
+declare const platformPlanAppResourcesSchema: import("typebox").TObject<{
+  hasDatabase: import("typebox").TBoolean;
+  hasBucket: import("typebox").TBoolean;
+  hasKV: import("typebox").TBoolean;
+  hasQueue: import("typebox").TBoolean;
+  hasCron: import("typebox").TBoolean;
+}>;
+declare const platformPlanAppSchema: import("typebox").TObject<{
+  name: import("typebox").TString;
+  path: import("typebox").TString;
+  resources: import("typebox").TObject<{
+    hasDatabase: import("typebox").TBoolean;
+    hasBucket: import("typebox").TBoolean;
+    hasKV: import("typebox").TBoolean;
+    hasQueue: import("typebox").TBoolean;
+    hasCron: import("typebox").TBoolean;
+  }>;
+}>;
+declare const platformPlanEnvironmentSchema: import("typebox").TObject<{
+  adapter: import("typebox").TString;
+  domain: import("typebox").TOptional<import("typebox").TString>;
+  zone: import("typebox").TOptional<import("typebox").TString>;
+}>;
+declare const platformPlanResourceSchema: import("typebox").TObject<{
+  label: import("typebox").TString;
+  value: import("typebox").TString;
+}>;
+declare const platformPlanSchema: import("typebox").TObject<{
+  project: import("typebox").TString;
+  env: import("typebox").TString;
+  mode: import("typebox").TUnsafe<"monorepo" | "standalone">;
+  apps: import("typebox").TArray<import("typebox").TObject<{
+    name: import("typebox").TString;
+    path: import("typebox").TString;
+    resources: import("typebox").TObject<{
+      hasDatabase: import("typebox").TBoolean;
+      hasBucket: import("typebox").TBoolean;
+      hasKV: import("typebox").TBoolean;
+      hasQueue: import("typebox").TBoolean;
+      hasCron: import("typebox").TBoolean;
+    }>;
+  }>>;
+  environments: import("typebox").TRecord<"^.*$", import("typebox").TObject<{
+    adapter: import("typebox").TString;
+    domain: import("typebox").TOptional<import("typebox").TString>;
+    zone: import("typebox").TOptional<import("typebox").TString>;
+  }>>;
+  resources: import("typebox").TArray<import("typebox").TObject<{
+    label: import("typebox").TString;
+    value: import("typebox").TString;
+  }>>;
+  secretCount: import("typebox").TNumber;
+}>;
+type PlatformPlanOutput = Static<typeof platformPlanSchema>;
+//#endregion
+//#region ../../src/cli/platform-lib/services/PlatformInspector.d.ts
+interface ResolvedPlatformConfig {
+  project: string;
+  defaultEnv: string;
+  /** App tenancy mode (undefined ⇒ "none"). */
+  tenancy?: Tenancy;
+  environments: Record<string, EnvironmentConfig>;
+}
+/**
+ * Reads platform config and resolves project topology.
+ *
+ * Validates project name and environment configuration. Does NOT
+ * introspect app code for resources — that happens at deploy time via
+ * ViteBuildProvider.
+ *
+ * Each app self-declares its platform topology via its own
+ * `alepha.config.ts`. Run `alepha platform <op>` from the app's
+ * directory; no monorepo-root orchestration here.
+ */
+declare class PlatformInspector {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly alepha: Alepha;
+  protected readonly fs: FileSystemProvider;
+  protected readonly asker: Asker;
+  protected readonly options: Readonly<{
+    name?: string | undefined;
+    default?: string | undefined;
+    tenancy?: "required" | "none" | "optional" | undefined;
+    secrets?: {
+      keys?: string[] | undefined;
+      store?: "github" | undefined;
+      environmentPattern?: string | undefined;
+    } | undefined;
+    environments: Record<string, {
+      domain?: string | undefined;
+      zone?: string | undefined;
+      jurisdiction?: "eu" | "fedramp" | undefined;
+      accountId?: string | undefined;
+      adapter: "cloudflare" | "vercel";
+    }>;
+  }>;
+  protected readonly naming: NamingService;
+  /**
+   * Resolve and validate the full platform configuration.
+   *
+   * Source priority:
+   *   1. `platformOptions` atom (set by `alepha.config.ts` during the
+   *      configure hook) — local dev / from-source deploys.
+   *   2. `dist/manifest.json` (written by `alepha build`) — pre-built
+   *      deploys via Alepha Rocket or any `--prebuilt` consumer that
+   *      ships only the build artifact without `alepha.config.ts`.
+   */
+  resolveConfig(root: string): Promise<ResolvedPlatformConfig>;
+  /**
+   * Read `dist/manifest.json` if present. Returns null on any error so
+   * callers fall back to the strict alepha.config.ts path.
+   */
+  protected readManifest(root: string): Promise<{
+    project: string;
+    defaultEnv?: string;
+    tenancy?: Tenancy;
+    environments?: Record<string, unknown>;
+  } | null>;
+  /**
+   * Resolve a specific environment, validating it exists.
+   */
+  resolveEnvironment(root: string, envName: string): Promise<EnvironmentConfig>;
+  protected resolveProjectName(root: string, configName?: string): Promise<string>;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/services/PlatformOrchestrator.d.ts
+/**
+ * Orchestrates platform lifecycle operations.
+ *
+ * Coordinates adapter calls in the correct order for
+ * up (build -> migrate -> deploy), down, plan, and status.
+ */
+declare class PlatformOrchestrator {
+  protected readonly log: import("alepha/logger").Logger;
+  protected readonly color: ConsoleColorProvider;
+  protected readonly inspector: PlatformInspector;
+  protected readonly naming: NamingService;
+  protected readonly cloudflareAdapter: CloudflareAdapter;
+  protected readonly vercelAdapter: VercelAdapter;
+  protected readonly alepha: Alepha;
+  resolveAdapter(adapterName: string): PlatformAdapter;
+  up(options: {
+    root: string;
+    env: string;
+    entry: AppEntry;
+    resources: DetectedResources;
+    run: RunnerMethod;
+    /**
+     * Pre-built mode — the artifact's `dist/` is already produced.
+     *
+     * Still runs auth → provision → build → migrate → deploy → secrets,
+     * but the `build` step shells out to `alepha build --prebuilt` which
+     * only regenerates the target-specific deploy config (e.g.
+     * `wrangler.jsonc`) and skips the Vite client + server builds.
+     * Used by external orchestrators (Rocket) that ship a pre-built
+     * `dist/` and just need the wrangler config refreshed for
+     * per-tenant overrides on every deploy.
+     */
+    prebuilt?: boolean; /** Tenant slug (apps with tenancy optional|required). */
+    tenant?: string;
+  }): Promise<{
+    urls: string[];
+    domain?: string;
+  }>;
+  /**
+   * Pretty-print the `up()` result to stdout. Matches the formatting the
+   * orchestrator used to emit inline; split out so callers that want
+   * JSON output can skip this branch.
+   */
+  printUpSummary(result: {
+    urls: string[];
+    domain?: string;
+  }): void;
+  down(options: {
+    root: string;
+    env: string;
+    entry: AppEntry;
+    resources: DetectedResources;
+    run: RunnerMethod;
+    confirm: (prompt: string) => Promise<string>; /** Tenant slug (apps with tenancy optional|required). */
+    tenant?: string;
+  }): Promise<boolean>;
+  plan(options: {
+    root: string;
+    env: string;
+    resources: DetectedResources; /** Tenant slug (apps with tenancy optional|required). */
+    tenant?: string;
+  }): Promise<{
+    config: ResolvedPlatformConfig;
+    naming: NamingContext;
+    resources: DetectedResources;
+  }>;
+  status(options: {
+    root: string;
+    env: string;
+    entry: AppEntry;
+    resources: DetectedResources;
+    run: RunnerMethod; /** Tenant slug (apps with tenancy optional|required). */
+    tenant?: string;
+  }): Promise<{
+    config: ResolvedPlatformConfig;
+    state: PlatformState;
+  }>;
+  isTmpEnv(env: string): boolean;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/services/SecretFilterService.d.ts
+/**
+ * Filters environment variables for secret store syncing.
+ *
+ * Excludes platform-managed vars (NODE_ENV), build-time vars (VITE_*),
+ * and empty values. Keeps everything else — including DATABASE_URL
+ * and POSTGRES_SCHEMA which GitHub Actions needs.
+ *
+ * Also handles renaming GITHUB_* keys since GitHub Actions rejects
+ * secret names starting with GITHUB_.
+ */
+declare class SecretFilterService {
+  protected static readonly EXCLUDED_KEYS: Set<string>;
+  protected static readonly GITHUB_PREFIX = "GITHUB_";
+  protected static readonly REMOTE_PREFIX = "APP_GITHUB_";
+  /**
+   * Return only the entries that should be pushed to a secret store.
+   */
+  filter(envVars: Record<string, string>): Record<string, string>;
+  /**
+   * Convert a local env key to a remote secret name.
+   *
+   * GITHUB_* keys are prefixed with APP_ since GitHub Actions rejects
+   * secret names starting with GITHUB_.
+   */
+  toRemoteName(key: string): string;
+  /**
+   * Convert a remote secret name back to the local env key.
+   */
+  toLocalName(remoteName: string): string;
+}
+//#endregion
+//#region ../../src/cli/platform-lib/index.d.ts
+/**
+ * Framework-agnostic platform deploy services.
+ *
+ * Exports `PlatformOrchestrator` + adapters + secret stores + the
+ * `platformOptions` atom — everything needed to drive a deploy
+ * programmatically. **No `$command` instances** and **no
+ * `AppEntryProvider` / `ViteBuildProvider` dependency** — so consumers
+ * importing this subpath don't pull in the CLI argv-parser or Vite.
+ *
+ * Used by Alepha Rocket (and other non-CLI deploy orchestrators) to
+ * call `orchestrator.up({ ... })` directly. For CLI usage
+ * (`alepha platform up`), import `AlephaCliPlatformPlugin` from
+ * `alepha/cli/platform` — that one adds the command layer on top.
+ */
+declare const AlephaPlatformLibPlugin: import("alepha").Service<import("alepha").Module>;
+//#endregion
+export { AlephaPlatformLibPlugin, AppContext, CloudflareAccount, CloudflareAdapter, CloudflareApi, CloudflareApiError, CloudflareD1, CloudflareDeployment, CloudflareHyperdrive, CloudflareKV, CloudflareQueue, CloudflareQueueConsumer, CloudflareR2, CloudflareR2Token, CloudflareSecret, CloudflareVersion, CloudflareWorker, DetectedResources, EnvironmentConfig, ExportDbOptions, GitHubSecretStore, MemorySecretStore, MemorySecretStoreCall, NamingContext, NamingService, PlatformAdapter, PlatformCacheProvider, PlatformContext, PlatformInspector, PlatformOptions, PlatformOrchestrator, PlatformPlanOutput, PlatformState, PlatformStatusOutput, RemoteSecret, ResolvedPlatformConfig, ResourceState, SecretFilterService, SecretState, SecretStoreProvider, Tenancy, VercelAdapter, VercelApi, VercelCli, VercelDeployment, VercelEnvVar, VercelProject, WorkerState, WranglerApi, cloudflareAccountSchema, cloudflareApiErrorSchema, cloudflareD1Schema, cloudflareDeploymentListSchema, cloudflareDeploymentSchema, cloudflareDeploymentVersionSchema, cloudflareHyperdriveOriginSchema, cloudflareHyperdriveSchema, cloudflareKVSchema, cloudflareQueueConsumerSchema, cloudflareQueueSchema, cloudflareR2ListSchema, cloudflareR2Schema, cloudflareR2TokenSchema, cloudflareSecretSchema, cloudflareVersionListSchema, cloudflareVersionSchema, cloudflareWorkerSchema, createD1BodySchema, createEnvVarBodySchema, createHyperdriveBodySchema, createHyperdriveOriginSchema, createKVBodySchema, createProjectBodySchema, createQueueBodySchema, createR2BodySchema, createR2TokenBodySchema, platformOptions, platformPlanAppResourcesSchema, platformPlanAppSchema, platformPlanEnvironmentSchema, platformPlanResourceSchema, platformPlanSchema, platformStatusResourceSchema, platformStatusSchema, platformStatusSecretSchema, platformStatusWorkerSchema, putSecretBodySchema, resolveTenant, tenantDomain, vercelDeploymentSchema, vercelEnvVarSchema, vercelProjectSchema };
+//# sourceMappingURL=index.d.ts.map