burnless 0.1.0

package/dist/index.js

@@ -0,0 +1,1550 @@
+#!/usr/bin/env node
+import { createRequire as __createRequire } from 'node:module';
+import { fileURLToPath as __fileURLToPath } from 'node:url';
+import { dirname as __pathDirname } from 'node:path';
+const require = __createRequire(import.meta.url);
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import {
+  pAdd,
+  pDisable,
+  pEnable,
+  pList,
+  pRemove,
+  pSetDefault,
+  pSetKey,
+  resolveProviderForTest,
+  resolveProviderId,
+  verifyConnection
+} from "./chunk-I5ODYEMY.js";
+import {
+  readSecret
+} from "./chunk-M7YWG4WP.js";
+import {
+  instanceEnvPath,
+  loadInstanceEnv,
+  readInstanceEnv,
+  setInstanceEnvVar
+} from "./chunk-CFKTW5EF.js";
+import {
+  BRAND,
+  DIRTY,
+  EMPTY_PATH,
+  INVALID,
+  NEVER,
+  OK,
+  ParseStatus,
+  ZodAny,
+  ZodArray,
+  ZodBigInt,
+  ZodBoolean,
+  ZodBranded,
+  ZodCatch,
+  ZodDate,
+  ZodDefault,
+  ZodDiscriminatedUnion,
+  ZodEffects,
+  ZodEnum,
+  ZodError,
+  ZodFirstPartyTypeKind,
+  ZodFunction,
+  ZodIntersection,
+  ZodIssueCode,
+  ZodLazy,
+  ZodLiteral,
+  ZodMap,
+  ZodNaN,
+  ZodNativeEnum,
+  ZodNever,
+  ZodNull,
+  ZodNullable,
+  ZodNumber,
+  ZodObject,
+  ZodOptional,
+  ZodParsedType,
+  ZodPipeline,
+  ZodPromise,
+  ZodReadonly,
+  ZodRecord,
+  ZodSet,
+  ZodString,
+  ZodSymbol,
+  ZodTuple,
+  ZodType,
+  ZodUndefined,
+  ZodUnion,
+  ZodUnknown,
+  ZodVoid,
+  addIssueToContext,
+  anyType,
+  arrayType,
+  bigIntType,
+  booleanType,
+  buildRemoteProgram,
+  coerce,
+  custom,
+  dateType,
+  datetimeRegex,
+  dim,
+  discriminatedUnionType,
+  effectsType,
+  en_default,
+  enumType,
+  functionType,
+  getErrorMap,
+  getParsedType,
+  green,
+  instanceOfType,
+  intersectionType,
+  isAborted,
+  isAsync,
+  isDirty,
+  isValid,
+  late,
+  lazyType,
+  literalType,
+  makeIssue,
+  mapType,
+  nanType,
+  nativeEnumType,
+  neverType,
+  nullType,
+  nullableType,
+  numberType,
+  objectType,
+  objectUtil,
+  oboolean,
+  onumber,
+  optionalType,
+  ostring,
+  pipelineType,
+  preprocessType,
+  promiseType,
+  quotelessJson,
+  recordType,
+  red,
+  renderBanner,
+  runAction,
+  setErrorMap,
+  setType,
+  strictObjectType,
+  stringType,
+  symbolType,
+  topVerb,
+  tupleType,
+  undefinedType,
+  unionType,
+  unknownType,
+  util,
+  versionString,
+  voidType
+} from "./chunk-L24B5MJD.js";
+import {
+  ensureArtifact,
+  flipCurrent,
+  versionsDir
+} from "./chunk-N7IP6VPJ.js";
+import "./chunk-BN3QFA6Z.js";
+import {
+  UsageError
+} from "./chunk-VKDF3OUE.js";
+import {
+  PROVIDER_KINDS,
+  isKnownKind
+} from "./chunk-OYCC45VC.js";
+import {
+  addAiProviderModel,
+  applyMigrations,
+  closeDatabase,
+  createClient,
+  createUser,
+  getOwnerUser,
+  initDatabase,
+  isDatabaseBooted,
+  isOwnerClaimed,
+  listAiProviderModels,
+  listUsers,
+  resolveDriver,
+  setDefaultAiProviderModel,
+  setUserPassword
+} from "./chunk-KSP7MJZ3.js";
+import "./chunk-IBT7EFKB.js";
+import "./chunk-MHVBJUPX.js";
+import {
+  sql
+} from "./chunk-RDP4RLLI.js";
+import {
+  __export
+} from "./chunk-BMDIVUSL.js";
+
+// src/index.ts
+import { pathToFileURL } from "url";
+
+// ../../node_modules/.pnpm/zod@3.25.76/node_modules/zod/v3/external.js
+var external_exports = {};
+__export(external_exports, {
+  BRAND: () => BRAND,
+  DIRTY: () => DIRTY,
+  EMPTY_PATH: () => EMPTY_PATH,
+  INVALID: () => INVALID,
+  NEVER: () => NEVER,
+  OK: () => OK,
+  ParseStatus: () => ParseStatus,
+  Schema: () => ZodType,
+  ZodAny: () => ZodAny,
+  ZodArray: () => ZodArray,
+  ZodBigInt: () => ZodBigInt,
+  ZodBoolean: () => ZodBoolean,
+  ZodBranded: () => ZodBranded,
+  ZodCatch: () => ZodCatch,
+  ZodDate: () => ZodDate,
+  ZodDefault: () => ZodDefault,
+  ZodDiscriminatedUnion: () => ZodDiscriminatedUnion,
+  ZodEffects: () => ZodEffects,
+  ZodEnum: () => ZodEnum,
+  ZodError: () => ZodError,
+  ZodFirstPartyTypeKind: () => ZodFirstPartyTypeKind,
+  ZodFunction: () => ZodFunction,
+  ZodIntersection: () => ZodIntersection,
+  ZodIssueCode: () => ZodIssueCode,
+  ZodLazy: () => ZodLazy,
+  ZodLiteral: () => ZodLiteral,
+  ZodMap: () => ZodMap,
+  ZodNaN: () => ZodNaN,
+  ZodNativeEnum: () => ZodNativeEnum,
+  ZodNever: () => ZodNever,
+  ZodNull: () => ZodNull,
+  ZodNullable: () => ZodNullable,
+  ZodNumber: () => ZodNumber,
+  ZodObject: () => ZodObject,
+  ZodOptional: () => ZodOptional,
+  ZodParsedType: () => ZodParsedType,
+  ZodPipeline: () => ZodPipeline,
+  ZodPromise: () => ZodPromise,
+  ZodReadonly: () => ZodReadonly,
+  ZodRecord: () => ZodRecord,
+  ZodSchema: () => ZodType,
+  ZodSet: () => ZodSet,
+  ZodString: () => ZodString,
+  ZodSymbol: () => ZodSymbol,
+  ZodTransformer: () => ZodEffects,
+  ZodTuple: () => ZodTuple,
+  ZodType: () => ZodType,
+  ZodUndefined: () => ZodUndefined,
+  ZodUnion: () => ZodUnion,
+  ZodUnknown: () => ZodUnknown,
+  ZodVoid: () => ZodVoid,
+  addIssueToContext: () => addIssueToContext,
+  any: () => anyType,
+  array: () => arrayType,
+  bigint: () => bigIntType,
+  boolean: () => booleanType,
+  coerce: () => coerce,
+  custom: () => custom,
+  date: () => dateType,
+  datetimeRegex: () => datetimeRegex,
+  defaultErrorMap: () => en_default,
+  discriminatedUnion: () => discriminatedUnionType,
+  effect: () => effectsType,
+  enum: () => enumType,
+  function: () => functionType,
+  getErrorMap: () => getErrorMap,
+  getParsedType: () => getParsedType,
+  instanceof: () => instanceOfType,
+  intersection: () => intersectionType,
+  isAborted: () => isAborted,
+  isAsync: () => isAsync,
+  isDirty: () => isDirty,
+  isValid: () => isValid,
+  late: () => late,
+  lazy: () => lazyType,
+  literal: () => literalType,
+  makeIssue: () => makeIssue,
+  map: () => mapType,
+  nan: () => nanType,
+  nativeEnum: () => nativeEnumType,
+  never: () => neverType,
+  null: () => nullType,
+  nullable: () => nullableType,
+  number: () => numberType,
+  object: () => objectType,
+  objectUtil: () => objectUtil,
+  oboolean: () => oboolean,
+  onumber: () => onumber,
+  optional: () => optionalType,
+  ostring: () => ostring,
+  pipeline: () => pipelineType,
+  preprocess: () => preprocessType,
+  promise: () => promiseType,
+  quotelessJson: () => quotelessJson,
+  record: () => recordType,
+  set: () => setType,
+  setErrorMap: () => setErrorMap,
+  strictObject: () => strictObjectType,
+  string: () => stringType,
+  symbol: () => symbolType,
+  transformer: () => effectsType,
+  tuple: () => tupleType,
+  undefined: () => undefinedType,
+  union: () => unionType,
+  unknown: () => unknownType,
+  util: () => util,
+  void: () => voidType
+});
+
+// src/local/artifact.ts
+import { existsSync } from "fs";
+import { dirname, join, resolve } from "path";
+import { fileURLToPath } from "url";
+
+// src/local/artifact-layout.ts
+var ARTIFACT_MARKER = ".burnless-artifact";
+var ARTIFACT_LAYOUT = {
+  /** tsup CLI bundle entry (both faces). */
+  cliEntry: "cli/index.js",
+  /** Next standalone server entry → BURNLESS_SERVER_ENTRY. */
+  serverEntry: "web/apps/web/server.js",
+  /** drizzle migrations dir → BURNLESS_MIGRATIONS_DIR. */
+  migrationsDir: "drizzle",
+  /** pgvector loadable-extension tarball → BURNLESS_PGLITE_VECTOR_BUNDLE. */
+  vectorBundle: "node_modules/@electric-sql/pglite-pgvector/dist/vector.tar.gz",
+  /** Optional launcher-managed Node the installer (P5) may stage; else system Node. */
+  managedNode: "runtime/bin/node",
+  /** POSIX launcher at the artifact root → what bin/burnless + delegateToArtifact exec. */
+  launcher: "burnless"
+};
+
+// src/local/artifact.ts
+function detectArtifactRoot(entryUrl = import.meta.url) {
+  let here;
+  try {
+    here = dirname(fileURLToPath(entryUrl));
+  } catch {
+    return null;
+  }
+  const root = resolve(here, "..");
+  return existsSync(join(root, ARTIFACT_MARKER)) ? root : null;
+}
+function prepareArtifactEnv(opts = {}) {
+  const env = opts.env ?? process.env;
+  const root = detectArtifactRoot(opts.entryUrl);
+  if (!root) return;
+  const setIfUnset = (key, value) => {
+    if (!env[key]?.trim()) env[key] = value;
+  };
+  setIfUnset("BURNLESS_MIGRATIONS_DIR", join(root, ARTIFACT_LAYOUT.migrationsDir));
+  setIfUnset("BURNLESS_PGLITE_VECTOR_BUNDLE", join(root, ARTIFACT_LAYOUT.vectorBundle));
+  setIfUnset("BURNLESS_SERVER_ENTRY", join(root, ARTIFACT_LAYOUT.serverEntry));
+}
+function resolveNodeBinary(opts = {}) {
+  const env = opts.env ?? process.env;
+  const override = env.BURNLESS_NODE?.trim();
+  if (override) return override;
+  const root = detectArtifactRoot(opts.entryUrl);
+  if (root) {
+    const homeManaged = resolve(root, "..", "..", ARTIFACT_LAYOUT.managedNode);
+    if (existsSync(homeManaged)) return homeManaged;
+    const managed = join(root, ARTIFACT_LAYOUT.managedNode);
+    if (existsSync(managed)) return managed;
+  }
+  return process.execPath;
+}
+
+// src/local/ai-model-ops.ts
+async function withDb(fn) {
+  const owned = !isDatabaseBooted();
+  await initDatabase();
+  try {
+    return await fn();
+  } finally {
+    if (owned) await closeDatabase();
+  }
+}
+async function mList(providerName) {
+  return withDb(async () => {
+    const { id } = await resolveProviderId(providerName);
+    return listAiProviderModels(id);
+  });
+}
+async function mAdd(providerName, modelId) {
+  return withDb(async () => {
+    const { id } = await resolveProviderId(providerName);
+    return addAiProviderModel(id, { modelId, source: "manual" });
+  });
+}
+async function mDefault(providerName, modelId) {
+  await withDb(async () => {
+    const { id: providerId } = await resolveProviderId(providerName);
+    const row = (await listAiProviderModels(providerId)).find((m) => m.modelId === modelId);
+    if (!row) throw new UsageError(`Provider "${providerName}" has no model "${modelId}". Add it with \`burnless model add\`.`);
+    await setDefaultAiProviderModel(row.id, providerId);
+  });
+}
+
+// src/commands/ai-config.ts
+function isLocalProfile(baseUrl) {
+  let host;
+  try {
+    host = new URL(baseUrl).hostname;
+  } catch {
+    return false;
+  }
+  return host === "127.0.0.1" || host === "localhost" || host === "::1" || host === "[::1]";
+}
+function assertLocalProfile(baseUrl) {
+  if (isLocalProfile(baseUrl)) return;
+  throw new UsageError(
+    "AI provider config from the CLI manages the LOCAL instance only. For a remote/cloud instance, use its Settings \u2192 AI tab. (Remote CLI provider config is a planned follow-up.)"
+  );
+}
+function prepLocal() {
+  prepareArtifactEnv();
+  loadInstanceEnv({ env: process.env });
+}
+function registerProvider(program) {
+  const provider = program.command("provider").description("Manage AI providers (local instance)");
+  provider.command("list").action(async (_opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      const rows = await pList();
+      if (ctx.json) process.stdout.write(JSON.stringify({ providers: rows }) + "\n");
+      else
+        for (const p of rows)
+          process.stderr.write(
+            `${p.name} [${p.kind}]${p.isDefault ? " *default" : ""}${p.enabled ? "" : " (disabled)"} \u2014 ${p.apiKeySet ? "key set" : "no key"}, ${p.modelCount} model(s)
+`
+          );
+    }, { allowMissingProfile: true });
+  });
+  provider.command("add").argument("<name>", "a label for this provider").requiredOption("--kind <kind>", `provider kind (${PROVIDER_KINDS.join("|")})`).option("--base-url <url>", "API base URL (prefilled for openrouter/ollama)").option("--key-stdin", "read the API key from stdin (else a masked prompt; omit for keyless e.g. ollama)").option("--no-key", "create without an API key (e.g. ollama)").action(async (name, opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      if (!isKnownKind(opts.kind)) throw new UsageError(`Unknown kind "${opts.kind}" (expected ${PROVIDER_KINDS.join("|")}).`);
+      const kind = opts.kind;
+      let apiKey;
+      if (opts.key !== false) {
+        apiKey = await readSecret({ stdin: opts.keyStdin, label: "API key: " });
+        if (!apiKey) throw new UsageError("Empty API key \u2014 pass --no-key for a keyless provider.");
+      }
+      const created = await pAdd({ name, kind, baseUrl: opts.baseUrl, apiKey });
+      if (ctx.json) process.stdout.write(JSON.stringify({ id: created.id, name: created.name }) + "\n");
+      else process.stderr.write(`Added provider ${created.name} (${created.kind})${created.isDefault ? ", set as default" : ""}.
+`);
+    }, { allowMissingProfile: true });
+  });
+  provider.command("test").argument("<name>").action(async (name, _opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      const { baseUrl, apiKey } = await resolveProviderForTest(name);
+      if (!baseUrl) throw new UsageError(`Provider "${name}" has no base URL to test (vendor providers test from the UI).`);
+      const r = await verifyConnection({ baseUrl, apiKey });
+      if (ctx.json) process.stdout.write(JSON.stringify(r) + "\n");
+      else process.stderr.write(`${r.ok ? "OK" : "FAILED"}: ${r.detail}
+`);
+      if (!r.ok) process.exitCode = 1;
+    }, { allowMissingProfile: true });
+  });
+  for (const [verb, fn, msg] of [
+    ["enable", pEnable, "enabled"],
+    ["disable", pDisable, "disabled"],
+    ["default", pSetDefault, "set as default"]
+  ]) {
+    provider.command(verb).argument("<name>").action(async (name, _opts, cmd) => {
+      await runAction(cmd, async (ctx) => {
+        assertLocalProfile(ctx.profile.baseUrl);
+        prepLocal();
+        await fn(name);
+        process.stderr.write(`Provider ${name} ${msg}.
+`);
+      }, { allowMissingProfile: true });
+    });
+  }
+  provider.command("remove").argument("<name>").action(async (name, _opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      const ok = await pRemove(name);
+      process.stderr.write(ok ? `Removed provider ${name}.
+` : `No provider named ${name}.
+`);
+    }, { allowMissingProfile: true });
+  });
+}
+function registerKey(program) {
+  const key = program.command("key").description("Manage AI provider API keys (local instance)");
+  key.command("set").argument("<provider>", "provider name").option("--stdin", "read the key from stdin instead of a prompt").action(async (providerName, opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      const apiKey = await readSecret({ stdin: opts.stdin, label: "API key: " });
+      if (!apiKey) throw new UsageError("Empty key \u2014 aborted.");
+      await pSetKey(providerName, apiKey);
+      process.stderr.write(`Key set for ${providerName}.
+`);
+    }, { allowMissingProfile: true });
+  });
+}
+function registerModel(program) {
+  const model = program.command("model").description("Manage AI provider models (local instance)");
+  model.command("list").argument("<provider>", "provider name").action(async (providerName, _opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      const rows = await mList(providerName);
+      if (ctx.json) process.stdout.write(JSON.stringify({ models: rows }) + "\n");
+      else for (const m of rows) process.stderr.write(`${m.modelId}${m.isDefault ? " *default" : ""} [${m.source}]
+`);
+    }, { allowMissingProfile: true });
+  });
+  model.command("add").argument("<provider>").argument("<modelId>").action(async (providerName, modelId, _opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      await mAdd(providerName, modelId);
+      process.stderr.write(`Added model ${modelId} to ${providerName}.
+`);
+    }, { allowMissingProfile: true });
+  });
+  model.command("default").argument("<provider>").argument("<modelId>").action(async (providerName, modelId, _opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      assertLocalProfile(ctx.profile.baseUrl);
+      prepLocal();
+      await mDefault(providerName, modelId);
+      process.stderr.write(`Default model for ${providerName} set to ${modelId}.
+`);
+    }, { allowMissingProfile: true });
+  });
+}
+
+// src/local/db.ts
+async function withHandle(fn) {
+  const handle = await createClient(resolveDriver(process.env));
+  try {
+    return await fn(handle);
+  } finally {
+    await handle.close();
+  }
+}
+async function runMigrate() {
+  return withHandle(async (h) => {
+    await applyMigrations(h);
+    return { driver: h.dialect };
+  });
+}
+async function dbStatus() {
+  return withHandle(async (h) => {
+    await h.db.execute(sql`SELECT 1`);
+    return { driver: h.dialect, connected: true };
+  });
+}
+
+// src/local/preflight.ts
+import { createServer } from "net";
+var MIN_NODE = [20, 9, 0];
+function assertNodeVersion(version = process.versions.node) {
+  const parts = version.split(".").map((n) => Number.parseInt(n, 10));
+  const [maj = 0, min = 0, pat = 0] = parts;
+  const ok = maj > MIN_NODE[0] || maj === MIN_NODE[0] && (min > MIN_NODE[1] || min === MIN_NODE[1] && pat >= MIN_NODE[2]);
+  if (!ok) {
+    throw new UsageError(
+      `burnless needs Node >= ${MIN_NODE.join(".")} but found ${version}.
+Upgrade Node (e.g. via your version manager) and re-run.`
+    );
+  }
+}
+function isPortFree(port, host) {
+  return new Promise((resolve2) => {
+    const srv = createServer();
+    srv.once("error", () => resolve2(false));
+    srv.once("listening", () => srv.close(() => resolve2(true)));
+    srv.listen(port, host);
+  });
+}
+function nodeCheck() {
+  const major = Number(process.versions.node.split(".")[0]);
+  const ok = major >= 20;
+  return { name: "node", ok, detail: `Node ${process.versions.node}${ok ? "" : " (need >= 20)"}` };
+}
+function keyCheck(home) {
+  const present = (process.env.SECRETS_ENCRYPTION_KEY?.trim().length ?? 0) > 0 || (readInstanceEnv(home).SECRETS_ENCRYPTION_KEY?.length ?? 0) > 0;
+  return {
+    name: "secrets_key",
+    ok: present,
+    detail: present ? "SECRETS_ENCRYPTION_KEY resolved" : "will be generated on first start"
+  };
+}
+function driverCheck() {
+  try {
+    const r = resolveDriver(process.env);
+    return {
+      name: "db_driver",
+      ok: true,
+      detail: r.driver === "pglite" ? `PGLite @ ${r.dataDir}` : "Postgres (DATABASE_URL)"
+    };
+  } catch (e) {
+    return { name: "db_driver", ok: false, detail: e.message };
+  }
+}
+async function doctor(opts) {
+  const free = await isPortFree(opts.port, opts.host);
+  return [
+    nodeCheck(),
+    driverCheck(),
+    keyCheck(opts.home),
+    {
+      name: "port",
+      ok: free,
+      detail: free ? `${opts.host}:${opts.port} is free` : `${opts.host}:${opts.port} is in use`
+    }
+  ];
+}
+async function health(opts) {
+  return [driverCheck(), keyCheck(opts.home)];
+}
+
+// src/local/secrets.ts
+import { randomBytes } from "crypto";
+function ensureSecret(name, opts) {
+  const env = opts.env ?? process.env;
+  const fromEnv = env[name]?.trim();
+  if (fromEnv) return fromEnv;
+  const persisted = readInstanceEnv(opts.home)[name];
+  if (persisted) {
+    env[name] = persisted;
+    return persisted;
+  }
+  const value = randomBytes(32).toString("base64");
+  setInstanceEnvVar(name, value, opts.home);
+  env[name] = value;
+  return value;
+}
+function ensureSecretsKey(opts = {}) {
+  return ensureSecret("SECRETS_ENCRYPTION_KEY", opts);
+}
+function ensureAuthSecret(opts = {}) {
+  return ensureSecret("AUTH_SECRET", opts);
+}
+
+// src/commands/bootstrap.ts
+async function runBootstrap(opts = {}) {
+  prepareArtifactEnv();
+  assertNodeVersion();
+  const hadKey = (process.env.SECRETS_ENCRYPTION_KEY?.trim().length ?? 0) > 0 || (readInstanceEnv(opts.home).SECRETS_ENCRYPTION_KEY?.length ?? 0) > 0;
+  ensureSecretsKey({ home: opts.home, env: process.env });
+  ensureAuthSecret({ home: opts.home, env: process.env });
+  const { driver } = await runMigrate();
+  if (process.env.BURNLESS_DEPLOYMENT !== "cloud") {
+    const {
+      closeDatabase: closeDatabase2,
+      createOwnerCompanyIfNone,
+      createOwnerUserIfNone,
+      getOwnerUser: getOwnerUser2,
+      initDatabase: initDatabase2,
+      isDatabaseBooted: isDatabaseBooted2
+    } = await import("./src-ADT5KSGE.js");
+    const owned = !isDatabaseBooted2();
+    await initDatabase2();
+    try {
+      await createOwnerUserIfNone();
+      const owner = await getOwnerUser2();
+      if (owner) await createOwnerCompanyIfNone(owner.id);
+    } finally {
+      if (owned) await closeDatabase2();
+    }
+  }
+  return { driver, keyGenerated: !hadKey };
+}
+function registerBootstrap(program) {
+  program.command("bootstrap").description("One-shot headless setup: generate the secrets key and migrate").action(async (_opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const result = await runBootstrap();
+        if (ctx.json) {
+          process.stdout.write(JSON.stringify(result) + "\n");
+        } else {
+          process.stderr.write(
+            `Bootstrap done (${result.driver}; key ${result.keyGenerated ? "generated" : "already set"}). Run \`burnless start\` to launch.
+`
+          );
+        }
+      },
+      { allowMissingProfile: true }
+    );
+  });
+}
+
+// src/commands/config.ts
+var OFF_VALUES = /* @__PURE__ */ new Set(["off", "false", "0", "no"]);
+function runConfigGet(opts) {
+  return readInstanceEnv(opts.home)[opts.key];
+}
+function runConfigList(opts = {}) {
+  return readInstanceEnv(opts.home);
+}
+async function runConfigSet(opts) {
+  if (opts.key === "BURNLESS_CAP_AUTO_LOGIN" && OFF_VALUES.has(opts.value.trim().toLowerCase())) {
+    await initDatabase();
+    let claimed;
+    try {
+      claimed = await isOwnerClaimed();
+    } finally {
+      await closeDatabase();
+    }
+    if (!claimed) {
+      throw new UsageError(
+        "Refusing to disable auto-login: the owner has no password yet, so this would lock you out (live session expires, then there's no way to sign in).\nSet a password first: `burnless users passwd`, then re-run this."
+      );
+    }
+  }
+  setInstanceEnvVar(opts.key, opts.value, opts.home);
+}
+async function runConfigUnset(opts) {
+  const current = readInstanceEnv(opts.home);
+  if (!(opts.key in current)) return;
+  delete current[opts.key];
+  const { writeFileSync, mkdirSync } = await import("fs");
+  const { dirname: dirname2 } = await import("path");
+  const path = instanceEnvPath(opts.home);
+  const body = Object.entries(current).map(([k, v]) => `${k}=${v}`).join("\n");
+  mkdirSync(dirname2(path), { recursive: true, mode: 448 });
+  writeFileSync(path, body.length ? body + "\n" : "", { mode: 384 });
+}
+function registerConfig(program) {
+  const cfg = program.command("config").description("Read/write local instance configuration (~/.burnless/instance.env)");
+  cfg.command("get").argument("<key>").action(async (key, _opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const value = runConfigGet({ key });
+        if (ctx.json) process.stdout.write(JSON.stringify({ key, value: value ?? null }) + "\n");
+        else process.stdout.write((value ?? "") + "\n");
+      },
+      { allowMissingProfile: true }
+    );
+  });
+  cfg.command("set").argument("<key>").argument("<value>").action(async (key, value, _opts, cmd) => {
+    await runAction(
+      cmd,
+      async () => {
+        await runConfigSet({ key, value });
+        process.stderr.write(`Set ${key}.
+`);
+      },
+      { allowMissingProfile: true }
+    );
+  });
+  cfg.command("list").action(async (_opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const all = runConfigList();
+        if (ctx.json) process.stdout.write(JSON.stringify(all) + "\n");
+        else for (const [k, v] of Object.entries(all)) process.stdout.write(`${k}=${v}
+`);
+      },
+      { allowMissingProfile: true }
+    );
+  });
+  cfg.command("unset").argument("<key>").action(async (key, _opts, cmd) => {
+    await runAction(
+      cmd,
+      async () => {
+        await runConfigUnset({ key });
+        process.stderr.write(`Unset ${key}.
+`);
+      },
+      { allowMissingProfile: true }
+    );
+  });
+}
+
+// src/commands/db.ts
+function prep() {
+  prepareArtifactEnv();
+}
+function registerDb(program) {
+  const db = program.command("db").description("Local database operations");
+  db.command("migrate").description("Apply pending migrations to the local database").action(async (_opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      prep();
+      const { driver } = await runMigrate();
+      if (ctx.json) process.stdout.write(JSON.stringify({ ok: true, driver }) + "\n");
+      else process.stderr.write(`Migrations applied (${driver}).
+`);
+    }, { allowMissingProfile: true });
+  });
+  db.command("status").description("Show the local database driver and connectivity").action(async (_opts, cmd) => {
+    await runAction(cmd, async (ctx) => {
+      prep();
+      const status = await dbStatus();
+      if (ctx.json) process.stdout.write(JSON.stringify(status) + "\n");
+      else process.stderr.write(`Driver: ${status.driver} \u2014 connected: ${status.connected}
+`);
+    }, { allowMissingProfile: true });
+  });
+  db.command("push").description("Dev-only schema push (not available in the shipped artifact)").action(async (_opts, cmd) => {
+    await runAction(cmd, async () => {
+      prep();
+      throw new UsageError(
+        "`db push` is a dev-only convenience (no migration files). Use `burnless db migrate` for the shipped artifact, or `pnpm db:push` in the repo."
+      );
+    }, { allowMissingProfile: true });
+  });
+}
+
+// src/commands/doctor.ts
+function registerDoctor(program) {
+  program.command("doctor").description("Run deep preflight checks for a local instance").option("--port <port>", "port to probe", "2876").option("--host <host>", "host to probe", "127.0.0.1").action(async (opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const checks = await doctor({ port: Number(opts.port), host: opts.host });
+        if (ctx.json) {
+          process.stdout.write(JSON.stringify({ checks }) + "\n");
+        } else {
+          for (const c of checks) {
+            process.stderr.write(`${c.ok ? green("\u2713") : red("\u2717")} ${c.name}: ${c.detail}
+`);
+          }
+        }
+        if (checks.some((c) => !c.ok)) process.exitCode = 1;
+      },
+      { allowMissingProfile: true }
+    );
+  });
+}
+
+// src/commands/health.ts
+function registerHealth(program) {
+  program.command("health").description("Quick liveness check for a local instance").action(async (_opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const checks = await health({});
+        if (ctx.json) {
+          process.stdout.write(JSON.stringify({ checks }) + "\n");
+        } else {
+          for (const c of checks) {
+            process.stderr.write(`${c.ok ? green("\u2713") : red("\u2717")} ${c.name}: ${c.detail}
+`);
+          }
+        }
+        if (checks.some((c) => !c.ok)) process.exitCode = 1;
+      },
+      { allowMissingProfile: true }
+    );
+  });
+}
+
+// src/local/server.ts
+import { spawn } from "child_process";
+function resolveServerEntry(env = process.env) {
+  const entry = env.BURNLESS_SERVER_ENTRY?.trim();
+  return entry && entry.length > 0 ? entry : null;
+}
+function startServer(opts) {
+  const doSpawn = opts.spawnFn ?? spawn;
+  const nodeBin = opts.nodeBin ?? process.execPath;
+  return doSpawn(nodeBin, [opts.entry], {
+    stdio: "inherit",
+    env: { ...opts.env, PORT: String(opts.port), HOSTNAME: opts.host }
+  });
+}
+
+// src/commands/start.ts
+var LOOPBACK = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
+function assertExposureAllowed(host, unsafeExpose) {
+  if (LOOPBACK.has(host) || unsafeExpose) return;
+  throw new UsageError(
+    `Refusing to bind ${host}: auto-login has no password gate, so a non-loopback bind would let anyone on the network in as the owner.
+Bind 127.0.0.1 (default), or pass --unsafe-expose if you understand the risk (set a password first with a claimed identity).`
+  );
+}
+function defaultAppUrlForLoopback(host, port, env) {
+  if (!LOOPBACK.has(host)) return null;
+  if (env.NEXT_PUBLIC_APP_URL?.trim() || env.ALLOWED_ORIGINS?.trim()) return null;
+  const displayHost = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+  return `http://${displayHost}:${port}`;
+}
+function exposeWarning(host, ownerClaimed) {
+  if (LOOPBACK.has(host) || ownerClaimed) return "";
+  return `\u26A0 Exposing ${host} with an UNCLAIMED owner (no password). Auto-login will admit anyone who can reach this address as the owner. Set a password (\`burnless users passwd\`) and consider \`config set BURNLESS_CAP_AUTO_LOGIN=off\`.`;
+}
+function registerStart(program) {
+  program.command("start").description("Start the local burnless instance").option("--host <host>", "host to bind", "127.0.0.1").option("--port <port>", "port to listen on", "2876").option("--no-migrate", "skip applying migrations before boot").option("--open", "open the app in a browser after start").option("--unsafe-expose", "allow binding a non-loopback host (see the warning)").action(
+    async (opts, cmd) => {
+      await runAction(
+        cmd,
+        async (ctx) => {
+          prepareArtifactEnv();
+          assertNodeVersion();
+          loadInstanceEnv();
+          assertExposureAllowed(opts.host, opts.unsafeExpose === true);
+          const port = Number(opts.port);
+          const displayHost = opts.host.includes(":") ? `[${opts.host}]` : opts.host;
+          if (!ctx.json) process.stderr.write(renderBanner(versionString()) + "\n");
+          const checks = await doctor({ port, host: opts.host });
+          const failed = checks.filter((c) => !c.ok && c.name !== "secrets_key");
+          if (failed.length > 0) {
+            throw new UsageError(
+              `Preflight failed:
+` + failed.map((c) => `  - ${c.name}: ${c.detail}`).join("\n")
+            );
+          }
+          ensureSecretsKey({ env: process.env });
+          ensureAuthSecret({ env: process.env });
+          const appUrl = defaultAppUrlForLoopback(opts.host, port, process.env);
+          if (appUrl) {
+            process.env.ALLOWED_ORIGINS = appUrl;
+            process.env.NEXT_PUBLIC_APP_URL = appUrl;
+          }
+          try {
+            const { shouldOfferAiSetup, runFirstRunAiSetup } = await import("./first-run-ai-SP5SERHZ.js");
+            if (!ctx.json && shouldOfferAiSetup({ isTTY: process.stdin.isTTY === true, env: process.env })) {
+              const { createInterface } = await import("readline");
+              const { PROVIDER_KINDS: PROVIDER_KINDS2 } = await import("./ai-catalog-6AA75OA3.js");
+              const { verifyConnection: verifyConnection2 } = await import("./ai-provider-ops-3342GI65.js");
+              const { readSecret: readSecret2 } = await import("./prompt-QYBNOJ26.js");
+              process.stderr.write("\nConfigure an AI provider for autofill during onboarding? (Enter a number, or blank to skip)\n");
+              PROVIDER_KINDS2.forEach((k, i) => process.stderr.write(`  ${i + 1}) ${k}
+`));
+              const chooseKind = async () => {
+                const rl = createInterface({ input: process.stdin, output: process.stderr });
+                const answer = await new Promise((res) => rl.question("> ", (a) => {
+                  rl.close();
+                  res(a.trim());
+                }));
+                const idx = Number(answer) - 1;
+                return Number.isInteger(idx) && idx >= 0 && idx < PROVIDER_KINDS2.length ? PROVIDER_KINDS2[idx] : null;
+              };
+              const result = await runFirstRunAiSetup({
+                chooseKind,
+                readApiKey: () => readSecret2({ label: "API key (input hidden): " }),
+                verify: verifyConnection2
+              });
+              process.stderr.write(
+                result.configured ? "AI provider configured \u2014 onboarding will use it.\n\n" : `Skipped AI setup${result.detail ? ` (${result.detail})` : ""} \u2014 onboarding will use manual entry.
+
+`
+              );
+            }
+          } catch {
+          }
+          if (opts.migrate) await runMigrate();
+          if (!(/* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"])).has(opts.host)) {
+            try {
+              const { initDatabase: initDatabase2, isOwnerClaimed: isOwnerClaimed2, closeDatabase: closeDatabase2 } = await import("./src-ADT5KSGE.js");
+              await initDatabase2();
+              try {
+                const claimed = await isOwnerClaimed2();
+                const warning = exposeWarning(opts.host, claimed);
+                if (warning) process.stderr.write(warning + "\n");
+              } finally {
+                await closeDatabase2();
+              }
+            } catch {
+            }
+          }
+          const entry = resolveServerEntry();
+          if (!entry) {
+            throw new UsageError(
+              "No server entry found (BURNLESS_SERVER_ENTRY unset). The bundled server is produced by the fat-artifact packaging (a later release); set BURNLESS_SERVER_ENTRY to a built server.js to start manually."
+            );
+          }
+          process.stderr.write(dim(`Starting on http://${displayHost}:${port} \u2026`) + "\n");
+          const child = startServer({
+            entry,
+            host: opts.host,
+            port,
+            env: process.env,
+            nodeBin: resolveNodeBinary()
+          });
+          if (opts.open) {
+            void import("child_process").then(({ exec }) => {
+              const url = `http://${displayHost}:${port}`;
+              const opener = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+              exec(`${opener} ${url}`);
+            });
+          }
+          await new Promise((resolve2) => child.on("exit", () => resolve2()));
+        },
+        { allowMissingProfile: true }
+      );
+    }
+  );
+}
+
+// src/commands/update.ts
+import { execFile } from "child_process";
+import { readlinkSync } from "fs";
+import { basename, join as join2 } from "path";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+function currentVersion(home) {
+  const link = readlinkSync(join2(versionsDir(home), "current"));
+  return basename(link);
+}
+function shortReason(raw) {
+  let msg = "";
+  if (raw && typeof raw === "object") {
+    const e = raw;
+    if (typeof e.stderr === "string" && e.stderr.trim()) msg = e.stderr;
+    else if (typeof e.message === "string") msg = e.message;
+  } else if (typeof raw === "string") {
+    msg = raw;
+  }
+  msg = msg.replace(/\s+/g, " ").trim();
+  return msg.length > 200 ? `${msg.slice(0, 197)}...` : msg;
+}
+async function defaultCheck(opts) {
+  try {
+    const launcher = join2(versionsDir(opts.home), opts.version, "burnless");
+    await execFileAsync(launcher, ["doctor", "--json"]);
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, error: shortReason(err) || "post-swap doctor check failed" };
+  }
+}
+async function runUpdate(opts) {
+  const cur = currentVersion(opts.home);
+  if (cur === opts.targetVersion) {
+    return { from: cur, to: cur, rolledBack: false, noop: true };
+  }
+  const ensure = opts.ensureFn ?? (async (o) => {
+    await ensureArtifact({ base: o.base, version: o.version, home: o.home, flip: false });
+  });
+  await ensure({ version: opts.targetVersion, home: opts.home, base: opts.base });
+  const from = cur;
+  flipCurrent(opts.targetVersion, opts.home);
+  const check = opts.checkFn ? { ok: await opts.checkFn({ version: opts.targetVersion, home: opts.home }) } : await defaultCheck({ version: opts.targetVersion, home: opts.home });
+  if (check.ok) {
+    return { from, to: opts.targetVersion, rolledBack: false };
+  }
+  flipCurrent(from, opts.home);
+  return { from, to: opts.targetVersion, rolledBack: true, error: check.error };
+}
+function registerUpdate(program) {
+  program.command("update [version]").description("Update the local fat-artifact to a specific version (atomic flip + rollback-on-fail)").option("--base <url>", "release base URL override (download source)").action(async (version, opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        if (version === void 0 || version.trim() === "") {
+          throw new UsageError(
+            'specify a version to update to (e.g. `burnless update 0.2.0`); to grab the newest, resolve it first: `burnless update "$(curl -fsSL https://burnless.ai/latest)"`'
+          );
+        }
+        const result = await runUpdate({
+          home: ctx.homeDir,
+          targetVersion: version,
+          base: opts.base
+        });
+        if (ctx.json) {
+          process.stdout.write(JSON.stringify(result) + "\n");
+        } else if (result.noop) {
+          process.stderr.write(`${green("\u2713")} already at ${result.to}
+`);
+        } else if (result.rolledBack) {
+          const reason = result.error ? ` (reason: ${result.error})` : "";
+          process.stderr.write(
+            `${red("\u2717")} update to ${result.to} failed post-swap check \u2014 rolled back to ${result.from}${reason}
+`
+          );
+        } else {
+          process.stderr.write(`${green("\u2713")} updated ${result.from} \u2192 ${result.to}
+`);
+        }
+        if (result.rolledBack) process.exitCode = 1;
+      },
+      { allowMissingProfile: true }
+    );
+  });
+}
+
+// ../types/src/api/validators.ts
+var MAX_AMOUNT = 1e16;
+var positiveAmount = () => external_exports.number().finite().min(0).max(MAX_AMOUNT);
+var percentage = () => external_exports.number().finite().min(0).max(100);
+var ratio = () => external_exports.number().finite().min(0).max(1);
+var toLocalDate = (s) => new Date(/^\d{4}-\d{2}-\d{2}$/.test(s) ? `${s}T00:00:00` : s);
+var dateString = () => external_exports.string().min(1, "Date is required").refine((s) => !Number.isNaN(Date.parse(s)), "Invalid date").transform(toLocalDate);
+var nullableDateString = () => external_exports.string().min(1, "Date is required").refine((s) => !Number.isNaN(Date.parse(s)), "Invalid date").transform(toLocalDate).nullable().default(null);
+var forecastLineName = () => external_exports.string().trim().min(1).max(64).regex(/^[A-Za-z_][A-Za-z0-9_]*$/);
+var toEpoch = (v) => {
+  if (v == null) return null;
+  if (v instanceof Date) {
+    const t2 = v.getTime();
+    return Number.isNaN(t2) ? null : t2;
+  }
+  const t = Date.parse(String(v));
+  return Number.isNaN(t) ? null : t;
+};
+var withDateRange = (schema) => schema.refine(
+  (data) => {
+    const start = toEpoch(data?.startDate);
+    const end = toEpoch(data?.endDate);
+    if (start == null || end == null) return true;
+    return start <= end;
+  },
+  { message: "endDate must be on or after startDate", path: ["endDate"] }
+);
+
+// ../types/src/api/schemas.ts
+var accountTypeEnum = external_exports.enum(["income", "expense", "asset", "liability", "equity"]);
+var accountCategoryEnum = external_exports.enum([
+  "revenue",
+  "cogs",
+  "operating_expense",
+  "other_income",
+  "other_expense",
+  "asset",
+  "liability",
+  "equity"
+]);
+var forecastMethodEnum = external_exports.enum(["fixed", "growth_rate", "per_unit", "percentage_of", "custom_formula"]);
+var revenueStreamTypeEnum = external_exports.enum([
+  "subscription",
+  "one_time",
+  "usage_based",
+  "services",
+  "marketplace",
+  "ecommerce",
+  "hardware"
+]);
+var fundingRoundTypeEnum = external_exports.enum(["pre_seed", "seed", "series_a", "series_b", "series_c_plus", "debt", "grant", "safe", "convertible"]);
+var integrationTypeEnum = external_exports.enum(["quickbooks", "xero", "freshbooks", "plaid", "mercury", "gusto", "stripe"]);
+var aiDataModeEnum = external_exports.enum(["full", "show_cached", "hide_all"]);
+var aiWriteModeEnum = external_exports.enum(["full", "confirm", "read_only"]);
+var createAccountSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  type: accountTypeEnum,
+  category: accountCategoryEnum,
+  parentId: external_exports.string().nullable().default(null),
+  isSystem: external_exports.boolean().default(false),
+  sortOrder: external_exports.number().int().default(0),
+  coversHeadcount: external_exports.boolean().default(false)
+});
+var updateAccountSchema = external_exports.object({
+  name: external_exports.string().min(1).optional(),
+  type: accountTypeEnum.optional(),
+  category: accountCategoryEnum.optional(),
+  parentId: external_exports.string().nullable().optional(),
+  sortOrder: external_exports.number().int().optional(),
+  coversHeadcount: external_exports.boolean().optional()
+});
+var createDepartmentSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  parentId: external_exports.string().nullable().default(null)
+});
+var updateDepartmentSchema = external_exports.object({
+  name: external_exports.string().min(1).optional(),
+  parentId: external_exports.string().nullable().optional()
+});
+var scenarioSourceEnum = external_exports.enum(["blank", "ai", "template", "clone", "backup"]);
+var scenarioStatusEnumZ = external_exports.enum(["active", "promoted", "archived"]);
+var createScenarioSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  description: external_exports.string().nullable().default(null),
+  source: scenarioSourceEnum.default("blank"),
+  color: external_exports.string().nullable().default(null),
+  sourceScenarioId: external_exports.string().nullable().default(null)
+});
+var updateScenarioSchema = external_exports.object({
+  name: external_exports.string().min(1).optional(),
+  description: external_exports.string().nullable().optional(),
+  color: external_exports.string().nullable().optional(),
+  status: scenarioStatusEnumZ.optional(),
+  autoDeleteAt: external_exports.string().datetime().nullable().optional()
+});
+var headcountEmployeeTypeEnum = external_exports.enum(["full_time", "part_time", "contractor"]);
+var createHeadcountSchema = withDateRange(
+  external_exports.object({
+    departmentId: external_exports.string(),
+    title: external_exports.string().min(1),
+    name: external_exports.string().nullable().optional(),
+    employeeType: headcountEmployeeTypeEnum.default("full_time"),
+    count: external_exports.number().min(0).max(99.99).default(1),
+    salary: positiveAmount(),
+    hourlyRate: external_exports.number().nonnegative().nullable().optional(),
+    hoursPerWeek: external_exports.number().min(0).max(168).nullable().optional(),
+    startDate: dateString(),
+    endDate: nullableDateString(),
+    benefitsRate: ratio().default(0.2),
+    parameters: external_exports.record(external_exports.unknown()).optional()
+  })
+);
+var updateHeadcountSchema = external_exports.object({
+  departmentId: external_exports.string().optional(),
+  title: external_exports.string().min(1).optional(),
+  name: external_exports.string().nullable().optional(),
+  employeeType: headcountEmployeeTypeEnum.optional(),
+  count: external_exports.number().min(0).max(99.99).optional(),
+  salary: positiveAmount().optional(),
+  hourlyRate: external_exports.number().nonnegative().nullable().optional(),
+  hoursPerWeek: external_exports.number().min(0).max(168).nullable().optional(),
+  startDate: dateString().optional(),
+  endDate: external_exports.string().nullable().transform((s) => s ? new Date(s) : null).optional(),
+  benefitsRate: ratio().optional(),
+  parameters: external_exports.record(external_exports.unknown()).optional()
+});
+var createSalaryChangeSchema = external_exports.object({
+  effectiveDate: dateString(),
+  newSalary: positiveAmount(),
+  reason: external_exports.string().nullable().optional()
+});
+var updateSalaryChangeSchema = external_exports.object({
+  effectiveDate: dateString().optional(),
+  newSalary: positiveAmount().optional(),
+  reason: external_exports.string().nullable().optional()
+});
+var bonusTypeEnumZ = external_exports.enum(["signing", "performance", "retention", "other"]);
+var createBonusSchema = external_exports.object({
+  payoutMonth: dateString(),
+  amount: positiveAmount(),
+  type: bonusTypeEnumZ.default("performance"),
+  notes: external_exports.string().nullable().optional()
+});
+var updateBonusSchema = external_exports.object({
+  payoutMonth: dateString().optional(),
+  amount: positiveAmount().optional(),
+  type: bonusTypeEnumZ.optional(),
+  notes: external_exports.string().nullable().optional()
+});
+var equityGrantTypeEnumZ = external_exports.enum(["iso", "nso", "rsu"]);
+var vestingMilestoneSchema = external_exports.object({
+  type: external_exports.enum(["cliff", "monthly", "quarterly", "annual", "milestone"]),
+  date: external_exports.string().regex(/^\d{4}-\d{2}-\d{2}$/),
+  sharesVested: external_exports.number().nonnegative()
+});
+var createEquityGrantSchema = external_exports.object({
+  grantDate: dateString(),
+  shares: external_exports.number().positive(),
+  strikePrice: external_exports.number().nonnegative().nullable().optional(),
+  grantType: equityGrantTypeEnumZ.default("iso"),
+  parameters: external_exports.object({
+    vestingSchedule: external_exports.array(vestingMilestoneSchema).default([])
+  }).passthrough().optional()
+});
+var updateEquityGrantSchema = external_exports.object({
+  grantDate: dateString().optional(),
+  shares: external_exports.number().positive().optional(),
+  strikePrice: external_exports.number().nonnegative().nullable().optional(),
+  grantType: equityGrantTypeEnumZ.optional(),
+  parameters: external_exports.object({
+    vestingSchedule: external_exports.array(vestingMilestoneSchema).optional()
+  }).passthrough().optional()
+});
+var createRevenueStreamSchema = withDateRange(
+  external_exports.object({
+    name: external_exports.string().min(1),
+    type: revenueStreamTypeEnum.default("subscription"),
+    startDate: external_exports.string().date(),
+    // ISO YYYY-MM-DD, required
+    endDate: external_exports.string().date().nullable().optional(),
+    // ISO YYYY-MM-DD or null
+    parameters: external_exports.record(external_exports.unknown()).default({})
+  })
+);
+var updateRevenueStreamSchema = withDateRange(
+  external_exports.object({
+    name: external_exports.string().min(1).optional(),
+    type: revenueStreamTypeEnum.optional(),
+    startDate: external_exports.string().date().optional(),
+    endDate: external_exports.string().date().nullable().optional(),
+    parameters: external_exports.record(external_exports.unknown()).optional()
+  })
+);
+var createFundingRoundSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  // FUND-01: the Add form sends `roundType` (matches the AI tool + DB intent); the
+  // POST route maps roundType -> the DB `type` column. Renamed from `type` (which
+  // 400'd every create). roundType is immutable post-creation (omitted from update).
+  roundType: fundingRoundTypeEnum,
+  amount: positiveAmount(),
+  date: dateString(),
+  preMoneyValuation: positiveAmount().nullable().default(null),
+  dilutionPercent: percentage().nullable().default(null),
+  isProjected: external_exports.boolean().default(false),
+  // FUND-04: type-specific data + close/notes were silently stripped on create
+  // (present on update only). Mirror updateFundingRoundSchema so they persist.
+  closeDate: nullableDateString(),
+  notes: external_exports.string().nullable().optional(),
+  parameters: external_exports.record(external_exports.unknown()).optional()
+});
+var updateFundingRoundSchema = external_exports.object({
+  name: external_exports.string().min(1).optional(),
+  // NOTE: `type`/`roundType` are intentionally omitted — they are immutable
+  // post-creation. The route-level peek-strip enforces this with a 400 before
+  // Zod ever runs; omitting them here keeps the schema in sync with intent.
+  amount: positiveAmount().optional(),
+  date: dateString().optional(),
+  preMoneyValuation: positiveAmount().nullable().optional(),
+  dilutionPercent: percentage().nullable().optional(),
+  isProjected: external_exports.boolean().optional(),
+  // Phase 2 D fields — were previously silently dropped by Zod strip.
+  closeDate: external_exports.string().nullable().optional(),
+  notes: external_exports.string().nullable().optional(),
+  parameters: external_exports.record(external_exports.unknown()).optional()
+});
+var shareClassTypeEnumZ = external_exports.enum(["common", "preferred"]);
+var MAX_SHARES = 1e18;
+var shareCount = () => external_exports.number().int().nonnegative().max(MAX_SHARES);
+var createShareClassSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  // Defaults to 'preferred' (matches the DB column default); founder common
+  // stock is created by explicitly passing classType:'common'.
+  classType: shareClassTypeEnumZ.default("preferred"),
+  totalAuthorized: shareCount(),
+  totalIssued: shareCount().default(0),
+  // numeric(7,4) liquidation multiple, e.g. 1× non-participating. Not a share
+  // count — plain (possibly fractional) number.
+  liquidationPreference: external_exports.number().finite().min(0).max(999.9999).default(1),
+  // numeric(18,6) par value (money). Optional — defaults at the DB level.
+  parValue: external_exports.number().finite().min(0).optional()
+}).refine((d) => d.totalIssued <= d.totalAuthorized, {
+  path: ["totalIssued"],
+  message: "totalIssued cannot exceed totalAuthorized"
+});
+var updateShareClassSchema = external_exports.object({
+  name: external_exports.string().min(1).optional(),
+  classType: shareClassTypeEnumZ.optional(),
+  totalAuthorized: shareCount().optional(),
+  totalIssued: shareCount().optional(),
+  liquidationPreference: external_exports.number().finite().min(0).max(999.9999).optional(),
+  parValue: external_exports.number().finite().min(0).optional()
+}).refine(
+  (d) => d.totalAuthorized == null || d.totalIssued == null || d.totalIssued <= d.totalAuthorized,
+  { path: ["totalIssued"], message: "totalIssued cannot exceed totalAuthorized" }
+);
+var createOptionPoolSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  totalReserved: shareCount(),
+  refreshDate: nullableDateString().optional()
+});
+var updateOptionPoolSchema = external_exports.object({
+  name: external_exports.string().min(1).optional(),
+  totalReserved: shareCount().optional(),
+  refreshDate: nullableDateString().optional()
+});
+var expenseFrequencyEnum = external_exports.enum(["monthly", "quarterly", "annual"]);
+var createForecastLineSchema = withDateRange(
+  external_exports.object({
+    accountId: external_exports.string(),
+    method: forecastMethodEnum.default("fixed"),
+    parameters: external_exports.record(external_exports.unknown()).default({}),
+    startDate: dateString(),
+    endDate: nullableDateString(),
+    // Phase 4 §4.1 — stable identifier referenced by other lines' custom_formula.
+    name: forecastLineName().nullable().optional(),
+    // ── Phase 1 §1.5 / §2.C additions ───────────────────────────────────────
+    notes: external_exports.string().nullable().optional(),
+    vendor: external_exports.string().nullable().optional(),
+    // Explicit per-line category override (set in the expense form). string = set,
+    // null = clear (derive automatically), undefined = leave as-is.
+    subcategory: external_exports.string().trim().min(1).max(100).nullable().optional(),
+    departmentId: external_exports.string().nullable().optional(),
+    frequency: expenseFrequencyEnum.default("monthly"),
+    isOneTime: external_exports.boolean().default(false),
+    // Tri-state: true | false | null (cleared) | undefined (untouched).
+    isRecurring: external_exports.boolean().nullable().optional()
+  })
+);
+var updateForecastLineSchema = external_exports.object({
+  method: forecastMethodEnum.optional(),
+  parameters: external_exports.record(external_exports.unknown()).optional(),
+  startDate: dateString().optional(),
+  endDate: external_exports.string().nullable().transform((s) => s ? new Date(s) : null).optional(),
+  // Phase 4 §4.1 — stable identifier referenced by other lines' custom_formula.
+  name: forecastLineName().nullable().optional(),
+  // ── Phase 1 §1.5 / §2.C additions ───────────────────────────────────────
+  notes: external_exports.string().nullable().optional(),
+  vendor: external_exports.string().nullable().optional(),
+  // Explicit per-line category override (set in the expense form). string = set,
+  // null = clear (derive automatically), undefined = leave as-is.
+  subcategory: external_exports.string().trim().min(1).max(100).nullable().optional(),
+  departmentId: external_exports.string().nullable().optional(),
+  frequency: expenseFrequencyEnum.optional(),
+  isOneTime: external_exports.boolean().optional(),
+  // Tri-state: explicit `null` clears the column back to NULL.
+  isRecurring: external_exports.boolean().nullable().optional()
+});
+var createIntegrationSchema = external_exports.object({
+  type: integrationTypeEnum,
+  metadata: external_exports.record(external_exports.unknown()).optional()
+});
+var updateAiFeaturesSchema = external_exports.object({
+  masterEnabled: external_exports.boolean().optional(),
+  dataMode: aiDataModeEnum.optional(),
+  writeMode: aiWriteModeEnum.optional(),
+  features: external_exports.object({
+    onboarding: external_exports.boolean().optional(),
+    chat: external_exports.boolean().optional(),
+    insights: external_exports.boolean().optional(),
+    uiPersonalization: external_exports.boolean().optional(),
+    autoCategorization: external_exports.boolean().optional()
+  }).optional(),
+  companionName: external_exports.string().min(1).max(50).optional()
+  // S6 W1.1: legacy single-provider BYOK fields removed — AI provider config
+  // lives in the aiProviders model (managed via /api/ai-providers).
+});
+var inviteCodeTypeEnum = external_exports.enum(["single_use", "multi_use"]);
+var createInviteCodeSchema = external_exports.object({
+  code: external_exports.string().min(4).max(64).regex(/^[A-Za-z0-9_-]+$/, "Code must be alphanumeric (hyphens and underscores allowed)"),
+  type: inviteCodeTypeEnum.default("single_use"),
+  maxRedemptions: external_exports.number().int().min(1).default(1),
+  expiresAt: external_exports.string().datetime().nullable().optional(),
+  freePlatformDays: external_exports.number().int().min(0).default(30),
+  aiCreditsCents: external_exports.number().int().min(0).default(5e3),
+  note: external_exports.string().max(500).nullable().optional()
+});
+var updateInviteCodeSchema = external_exports.object({
+  isActive: external_exports.boolean().optional(),
+  maxRedemptions: external_exports.number().int().min(1).optional(),
+  expiresAt: external_exports.string().datetime().nullable().optional(),
+  freePlatformDays: external_exports.number().int().min(0).optional(),
+  aiCreditsCents: external_exports.number().int().min(0).optional(),
+  note: external_exports.string().max(500).nullable().optional()
+});
+var redeemInviteCodeSchema = external_exports.object({
+  code: external_exports.string().min(1)
+});
+
+// ../types/src/password.ts
+var ITERATIONS = 1e5;
+var KEY_LENGTH = 32;
+var SALT_LENGTH = 32;
+async function hashPassword(password) {
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+  const key = await deriveKey(password, salt);
+  const keyBytes = new Uint8Array(await crypto.subtle.exportKey("raw", key));
+  const saltHex = Buffer.from(salt).toString("hex");
+  const hashHex = Buffer.from(keyBytes).toString("hex");
+  return `pbkdf2:${ITERATIONS}:${saltHex}:${hashHex}`;
+}
+async function deriveKey(password, salt, iterations = ITERATIONS) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits", "deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: KEY_LENGTH * 8 },
+    true,
+    ["encrypt"]
+  );
+}
+
+// src/commands/users.ts
+async function withDb2(fn) {
+  const owned = !isDatabaseBooted();
+  await initDatabase();
+  try {
+    return await fn();
+  } finally {
+    if (owned) await closeDatabase();
+  }
+}
+async function runUsersList() {
+  return withDb2(() => listUsers());
+}
+async function runUsersPasswd(input) {
+  await withDb2(async () => {
+    const email = input.email ?? (await getOwnerUser())?.email;
+    if (!email) throw new UsageError("No user to set a password for (run `burnless bootstrap` first).");
+    const hash = await hashPassword(input.password);
+    const n = await setUserPassword(email, hash);
+    if (n === 0) throw new UsageError(`No user with email "${email}".`);
+  });
+}
+async function runUsersCreate(input) {
+  return withDb2(async () => {
+    const hash = await hashPassword(input.password);
+    return createUser({ email: input.email, name: input.name, passwordHash: hash });
+  });
+}
+function registerUsers(program) {
+  const usersCmd = program.command("users").description("Manage local users (owner, recovery)");
+  usersCmd.command("list").description("List local users").action(async (_opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const rows = await runUsersList();
+        if (ctx.json) process.stdout.write(JSON.stringify({ users: rows }) + "\n");
+        else
+          for (const u of rows)
+            process.stderr.write(`${u.email}${u.claimed ? "" : " (unclaimed)"} \u2014 ${u.id}
+`);
+      },
+      { allowMissingProfile: true }
+    );
+  });
+  usersCmd.command("passwd").description("Set/reset a user's password (default: the owner \u2014 claims it). Reads the password from a masked prompt or --stdin.").argument("[email]", "target user email (defaults to the owner)").option("--stdin", "read the new password from stdin instead of a prompt").action(async (email, opts, cmd) => {
+    await runAction(
+      cmd,
+      async () => {
+        const password = await readSecret({ stdin: opts.stdin, label: "New password: " });
+        if (!password) throw new UsageError("Empty password \u2014 aborted.");
+        await runUsersPasswd({ email, password });
+        process.stderr.write(`Password set for ${email ?? "the owner"}.
+`);
+      },
+      { allowMissingProfile: true }
+    );
+  });
+  usersCmd.command("create").description("Create an additional local user. Reads the password from a masked prompt or --stdin.").requiredOption("--email <email>", "the new user's email").option("--name <name>", "the new user's display name").option("--stdin", "read the password from stdin instead of a prompt").action(async (opts, cmd) => {
+    await runAction(
+      cmd,
+      async (ctx) => {
+        const password = await readSecret({ stdin: opts.stdin, label: "Password: " });
+        if (!password) throw new UsageError("Empty password \u2014 aborted.");
+        const { id } = await runUsersCreate({ email: opts.email, name: opts.name, password });
+        if (ctx.json) process.stdout.write(JSON.stringify({ id, email: opts.email }) + "\n");
+        else process.stderr.write(`Created user ${opts.email} (${id}).
+`);
+      },
+      { allowMissingProfile: true }
+    );
+  });
+}
+
+// src/index.ts
+function buildProgram() {
+  const program = buildRemoteProgram();
+  registerStart(program);
+  registerDb(program);
+  registerHealth(program);
+  registerDoctor(program);
+  registerBootstrap(program);
+  registerUsers(program);
+  registerConfig(program);
+  registerProvider(program);
+  registerKey(program);
+  registerModel(program);
+  registerUpdate(program);
+  return program;
+}
+var isMain = process.argv[1] !== void 0 && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (isMain) {
+  const program = buildProgram();
+  program.exitOverride((err) => {
+    process.exit(err.exitCode === 0 ? 0 : 2);
+  });
+  const verbForBare = topVerb(process.argv);
+  const wantsVersion = process.argv.includes("-V") || process.argv.includes("--version");
+  if (verbForBare === void 0 && !wantsVersion) {
+    program.outputHelp();
+    process.exit(0);
+  }
+  await program.parseAsync(process.argv);
+}
+export {
+  buildProgram
+};