dineway 0.1.26 → 0.1.28

package/dist/cli/index.mjs

@@ -23,8 +23,8 @@ import "../ssrf-KAIQS48_.mjs";
 import { t as validateSeed } from "../validate-JE-WfUQ5.mjs";
 import { t as applySeed } from "../apply-TIoQ00aH.mjs";
 import { n as fingerprintKey, r as generateEncryptionKey, t as DinewaySecretsError } from "../secrets-DfeNNoLa.mjs";
-import { o as convertDataForRead } from "../transport-B7kO-4ee.mjs";
 import { createHeaderAwareFetch, customHeadersInterceptor, isRedirectResponse, resolveCustomHeaders } from "../client/external-auth-headers.mjs";
+import { o as convertDataForRead } from "../transport-B7kO-4ee.mjs";
 import { DinewayClient } from "../client/index.mjs";
 import { LocalStorage } from "../storage/local.mjs";
 import { imageSize } from "image-size";
@@ -35,50 +35,13 @@ import { basename, dirname, extname, isAbsolute, join, relative, resolve } from
 import { defineCommand, runCommand, runMain } from "citty";
 import consola, { consola as consola$1 } from "consola";
 import pc from "picocolors";
-import { access, chmod, copyFile, mkdir, readFile, readdir, rm, stat, symlink, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
+import { access, chmod, copyFile, mkdir, readFile, readdir, rm, stat, symlink, writeFile } from "node:fs/promises";
 import { createInterface } from "node:readline/promises";
 import { spawn } from "node:child_process";
 import { pipeline } from "node:stream/promises";
 import { packTar } from "modern-tar/fs";
 
-//#region src/cli/commands/auth.ts
-/**
-* Auth CLI commands
-*/
-/**
-* Generate a cryptographically secure auth secret
-*/
-function generateAuthSecret() {
-	const bytes = new Uint8Array(32);
-	crypto.getRandomValues(bytes);
-	return encodeBase64url(bytes);
-}
-const secretCommand = defineCommand({
-	meta: {
-		name: "secret",
-		description: "Generate a secure auth secret"
-	},
-	run() {
-		const secret = generateAuthSecret();
-		consola$1.log("");
-		consola$1.log(pc.bold("Generated auth secret:"));
-		consola$1.log("");
-		consola$1.log(`  ${pc.cyan("DINEWAY_AUTH_SECRET")}=${pc.green(secret)}`);
-		consola$1.log("");
-		consola$1.log(pc.dim("Add this to your environment variables."));
-		consola$1.log("");
-	}
-});
-const authCommand = defineCommand({
-	meta: {
-		name: "auth",
-		description: "Authentication utilities"
-	},
-	subCommands: { secret: secretCommand }
-});
-
-//#endregion
 //#region src/cli/credentials.ts
 /**
 * Credential storage for CLI auth tokens.
@@ -223,6 +186,79 @@ function removeMarketplaceCredential(registryUrl) {
 	return false;
 }
 
+//#endregion
+//#region src/cli/project-env.ts
+const DEFAULT_DINEWAY_URL = "http://localhost:4321";
+const ENV_KEY_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
+const LINE_SPLIT_PATTERN = /\r?\n/;
+const NEWLINE_PATTERN = /\r?\n/g;
+function parseDotenvValue(value) {
+	const trimmed = value.trim();
+	if (trimmed.startsWith("\"") && trimmed.endsWith("\"") || trimmed.startsWith("'") && trimmed.endsWith("'")) return trimmed.slice(1, -1);
+	return trimmed;
+}
+function parseDotenv(text) {
+	const env = {};
+	for (const line of text.split(LINE_SPLIT_PATTERN)) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const normalized = trimmed.startsWith("export ") ? trimmed.slice(7).trim() : trimmed;
+		const equalsIndex = normalized.indexOf("=");
+		if (equalsIndex <= 0) continue;
+		const key = normalized.slice(0, equalsIndex).trim();
+		if (!ENV_KEY_PATTERN.test(key)) continue;
+		env[key] = parseDotenvValue(normalized.slice(equalsIndex + 1));
+	}
+	return env;
+}
+function readProjectEnv(cwd = process.cwd()) {
+	const envPath = join(cwd, ".env");
+	if (!existsSync(envPath)) return {};
+	return parseDotenv(readFileSync(envPath, "utf-8"));
+}
+function getProjectEnvValue(name, cwd = process.cwd()) {
+	return process.env[name] ?? readProjectEnv(cwd)[name];
+}
+function resolveDinewayBaseUrl(url, cwd = process.cwd()) {
+	if (url && url !== DEFAULT_DINEWAY_URL) return url;
+	const projectEnv = readProjectEnv(cwd);
+	return process.env["DINEWAY_URL"] ?? process.env["DINEWAY_SITE_URL"] ?? projectEnv["DINEWAY_SITE_URL"] ?? projectEnv["DINEWAY_URL"] ?? url ?? DEFAULT_DINEWAY_URL;
+}
+function resolveDinewayToken(token, cwd = process.cwd()) {
+	return token ?? getProjectEnvValue("DINEWAY_TOKEN", cwd);
+}
+function formatEnvValue(value) {
+	return value.replace(NEWLINE_PATTERN, "");
+}
+async function upsertProjectEnv(cwd, values) {
+	const envPath = join(cwd, ".env");
+	const existing = await readFile(envPath, "utf-8").catch(() => "");
+	const lines = existing ? existing.split(LINE_SPLIT_PATTERN) : [];
+	const seen = /* @__PURE__ */ new Set();
+	const nextLines = lines.map((line) => {
+		const trimmed = line.trim();
+		const normalized = trimmed.startsWith("export ") ? trimmed.slice(7).trim() : trimmed;
+		const equalsIndex = normalized.indexOf("=");
+		if (equalsIndex <= 0) return line;
+		const key = normalized.slice(0, equalsIndex).trim();
+		const value = values[key];
+		if (!(key in values) || value === void 0) return line;
+		seen.add(key);
+		return `${key}=${formatEnvValue(value)}`;
+	});
+	for (const [key, value] of Object.entries(values)) {
+		if (value === void 0 || seen.has(key)) continue;
+		nextLines.push(`${key}=${formatEnvValue(value)}`);
+	}
+	await writeFile(envPath, `${nextLines.filter((line, index) => line || index < nextLines.length - 1).join("\n")}\n`, "utf-8");
+}
+async function ensureProjectGitignoreEntry(cwd, entry) {
+	const gitignorePath = join(cwd, ".gitignore");
+	const existing = await readFile(gitignorePath, "utf-8").catch(() => "");
+	if (existing.split(LINE_SPLIT_PATTERN).map((line) => line.trim()).includes(entry)) return;
+	await writeFile(gitignorePath, `${existing}${existing && !existing.endsWith("\n") ? "\n" : ""}${entry}\n`, "utf-8");
+}
+
 //#endregion
 //#region src/cli/client-factory.ts
 var client_factory_exports = /* @__PURE__ */ __exportAll({
@@ -238,7 +274,7 @@ const connectionArgs = {
 		type: "string",
 		alias: "u",
 		description: "Dineway instance URL",
-		default: "http://localhost:4321"
+		default: DEFAULT_DINEWAY_URL
 	},
 	token: {
 		type: "string",
@@ -270,8 +306,8 @@ const connectionArgs = {
 * 3. --header CLI flags
 */
 function createClientFromArgs(args) {
-	const baseUrl = args.url || process.env["DINEWAY_URL"] || "http://localhost:4321";
-	let token = args.token || process.env["DINEWAY_TOKEN"];
+	const baseUrl = resolveDinewayBaseUrl(args.url);
+	let token = resolveDinewayToken(args.token);
 	const isLocal = baseUrl.includes("localhost") || baseUrl.includes("127.0.0.1");
 	const cred = !token ? getCredentials(baseUrl) : null;
 	const customHeaders = {
@@ -367,6 +403,69 @@ function prettyPrint(data, indent = 0) {
 	consola$1.log(typeof data === "string" ? data : JSON.stringify(data));
 }
 
+//#endregion
+//#region src/cli/commands/auth.ts
+/**
+* Auth CLI commands
+*/
+/**
+* Generate a cryptographically secure auth secret
+*/
+function generateAuthSecret() {
+	const bytes = new Uint8Array(32);
+	crypto.getRandomValues(bytes);
+	return encodeBase64url(bytes);
+}
+const secretCommand = defineCommand({
+	meta: {
+		name: "secret",
+		description: "Generate a secure auth secret"
+	},
+	run() {
+		const secret = generateAuthSecret();
+		consola$1.log("");
+		consola$1.log(pc.bold("Generated auth secret:"));
+		consola$1.log("");
+		consola$1.log(`  ${pc.cyan("DINEWAY_AUTH_SECRET")}=${pc.green(secret)}`);
+		consola$1.log("");
+		consola$1.log(pc.dim("Add this to your environment variables."));
+		consola$1.log("");
+	}
+});
+const setupLinkCommand = defineCommand({
+	meta: {
+		name: "setup-link",
+		description: "Create a one-time admin setup link"
+	},
+	args: connectionArgs,
+	async run({ args }) {
+		configureOutputMode(args);
+		try {
+			const result = await createClientFromArgs(args).createSetupLink();
+			if (args.json || !process.stdout.isTTY) {
+				output(result, args);
+				return;
+			}
+			consola$1.success("Created one-time setup link");
+			consola$1.info(`Expires: ${result.expiresAt}`);
+			consola$1.log(result.setupUrl);
+		} catch (error) {
+			consola$1.error(error instanceof Error ? error.message : "Failed to create setup link");
+			process.exit(2);
+		}
+	}
+});
+const authCommand = defineCommand({
+	meta: {
+		name: "auth",
+		description: "Authentication utilities"
+	},
+	subCommands: {
+		secret: secretCommand,
+		"setup-link": setupLinkCommand
+	}
+});
+
 //#endregion
 //#region src/cli/commands/content.ts
 /**
@@ -1541,17 +1640,6 @@ async function writeForgewayCredentials(credentials, cwd) {
 	store.credentials = credentials;
 	await writeStore(store, cwd);
 }
-async function readForgewayProjectSecret(projectId, cwd) {
-	return (await readStore(cwd)).projects?.[projectId] ?? null;
-}
-async function writeForgewayProjectSecret(projectId, secret, cwd) {
-	const store = await readStore(cwd);
-	store.projects = {
-		...store.projects,
-		[projectId]: secret
-	};
-	await writeStore(store, cwd);
-}
 function shadowGrantKey(platformApiUrl, placeId) {
 	return `${platformApiUrl.replace(TRAILING_SLASH_PATTERN$1, "")}#${placeId}`;
 }
@@ -1577,7 +1665,6 @@ async function writeForgewayShadowGrant(grant, cwd) {
 //#endregion
 //#region src/cli/commands/deploy/targets/forgeway.ts
 const DEFAULT_PLATFORM_API_URL = "https://api.dineway.ai";
-const DEFAULT_SITE_BASE_DOMAIN = "dineway.site";
 const DATABASE_ENV_VAR_NAMES = ["DINEWAY_DATABASE_URL", "DINEWAY_DATABASE_AUTH_TOKEN"];
 const POLL_INTERVAL_MS$1 = 5e3;
 const POLL_TIMEOUT_MS$1 = 3e5;
@@ -1594,6 +1681,7 @@ const BACKSLASH_PATTERN = /\\/g;
 const DIACRITICS_PATTERN = /[\u0300-\u036f]/g;
 const NON_COMPARE_PATTERN = /[^\p{Letter}\p{Number}]+/gu;
 const LOCATION_PARTS_PATTERN = /[,;|/]+|\s+-\s+/u;
+const SHADOW_EMAIL_PATTERN = /^shadow_[a-f0-9]{16}@dineway\.ai$/i;
 const EXCLUDE_PATTERNS = [
 	"node_modules",
 	".git",
@@ -1634,7 +1722,7 @@ function normalizeForgewayUser(user) {
 		name: user.profile?.name ?? user.name ?? user.email,
 		email: user.email,
 		avatarUrl: user.profile?.avatar_url ?? user.avatarUrl ?? user.avatar_url ?? null,
-		emailVerified: user.emailVerified ?? user.email_verified ?? true
+		emailVerified: user.emailVerified ?? user.email_verified ?? false
 	};
 }
 function getFetch(deps) {
@@ -1676,79 +1764,35 @@ async function parseErrorResponse(response) {
 	}
 	return `Forgeway request failed: ${response.status}`;
 }
-async function loginWithEmail(platformApiUrl, deps) {
-	const email = getEnv("FORGEWAY_EMAIL");
-	const password = getEnv("FORGEWAY_PASSWORD");
-	if (!email || !password) throw new Error("FORGEWAY_EMAIL and FORGEWAY_PASSWORD are required for admin login.");
-	const response = await forgewayRequest(`${platformApiUrl}/api/auth/admin/sessions`, {
-		method: "POST",
-		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify({
-			email,
-			password
-		})
-	}, deps);
-	if (!response.ok) throw new Error(await parseErrorResponse(response));
-	const payload = await response.json();
-	if (!payload.accessToken || !payload.user) throw new Error("Forgeway login response was missing accessToken or user.");
-	return {
-		platformApiUrl,
-		accessToken: payload.accessToken,
-		refreshToken: payload.refreshToken,
-		user: normalizeForgewayUser(payload.user)
-	};
+function normalizeEmail(email) {
+	return email.trim().toLowerCase();
 }
-async function resolveCredentials(cwd, platformApiUrl, deps, _dryRun) {
-	const envToken = getEnv("FORGEWAY_ACCESS_TOKEN");
-	if (envToken) return {
-		platformApiUrl,
-		accessToken: envToken
-	};
-	const stored = await (deps.readCredentials ?? readForgewayCredentials)(cwd);
-	if (stored?.accessToken) return {
-		...stored,
-		platformApiUrl
-	};
-	if (!getEnv("FORGEWAY_EMAIL") || !getEnv("FORGEWAY_PASSWORD")) return null;
-	const credentials = await loginWithEmail(platformApiUrl, deps);
-	await (deps.writeCredentials ?? writeForgewayCredentials)(credentials, cwd);
-	return credentials;
+function isShadowEmail(email) {
+	return Boolean(email && SHADOW_EMAIL_PATTERN.test(email));
 }
-async function platformFetch(path, context, deps, options = {}) {
-	const request = async (accessToken) => await forgewayRequest(`${context.platformApiUrl}${path}`, {
-		...options,
-		headers: {
-			"Content-Type": "application/json",
-			Authorization: `Bearer ${accessToken}`,
-			...options.headers
-		}
-	}, deps);
-	let response = await request(context.credentials.accessToken);
-	if (response.status === 401 && context.credentials.refreshToken) {
-		const refreshed = await refreshAccessToken(context.projectDir, context.platformApiUrl, context.credentials, deps);
-		context.credentials.accessToken = refreshed;
-		response = await request(refreshed);
-	}
-	if (!response.ok) throw new ForgewayApiError(await parseErrorResponse(response), response.status);
-	return await response.json();
-}
-async function refreshAccessToken(cwd, platformApiUrl, credentials, deps) {
-	if (!credentials.refreshToken) throw new Error("Forgeway refresh token is missing. Log in again.");
-	const response = await forgewayRequest(`${platformApiUrl}/api/auth/refresh?client_type=server`, {
+async function refreshFormalAccessToken(context, deps) {
+	if (!context.refreshToken) throw new Error("Forgeway formal account refresh token is missing. Run dineway deploy again.");
+	const response = await forgewayRequest(`${context.platformApiUrl}/api/auth/refresh?client_type=server`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify({ refreshToken: credentials.refreshToken })
+		body: JSON.stringify({ refreshToken: context.refreshToken })
 	}, deps);
-	if (!response.ok) throw new Error("Failed to refresh Forgeway access token. Log in again.");
+	if (!response.ok) throw new Error("Failed to refresh Forgeway formal account credentials. Run dineway deploy again.");
 	const payload = await response.json();
 	if (!payload.accessToken) throw new Error("Forgeway refresh response was missing accessToken.");
+	const user = assertVerifiedFormalAccountUser(payload.user ? normalizeForgewayUser(payload.user) : context.user, context.user?.email);
 	const updated = {
-		...credentials,
-		platformApiUrl,
+		platformApiUrl: context.platformApiUrl,
 		accessToken: payload.accessToken,
-		refreshToken: payload.refreshToken ?? credentials.refreshToken
+		refreshToken: payload.refreshToken ?? context.refreshToken,
+		...user ? { user } : {},
+		source: "shadow-email-upgrade",
+		...context.placeId ? { placeId: context.placeId } : {}
 	};
-	await (deps.writeCredentials ?? writeForgewayCredentials)(updated, cwd);
+	context.accessToken = updated.accessToken;
+	context.refreshToken = updated.refreshToken;
+	context.user = updated.user;
+	await (deps.writeCredentials ?? writeForgewayCredentials)(updated, context.projectDir);
 	return payload.accessToken;
 }
 async function refreshShadowAccessToken(context, deps) {
@@ -1794,89 +1838,84 @@ async function promptRequired(question, initialValue, deps, errorMessage) {
 	if (!answer) throw new Error(errorMessage);
 	return answer;
 }
-async function chooseSingleOrPrompt(label, items, deps) {
-	if (items.length === 0) throw new Error(`No Forgeway ${label}s found.`);
-	if (items.length === 1) return items[0];
-	if (!process.stdin.isTTY && !deps.promptText) throw new Error(`Multiple Forgeway ${label}s found. Set FORGEWAY_${label.toUpperCase()}_ID.`);
-	consola.info(`Available Forgeway ${label}s:`);
-	items.forEach((item, index) => consola.info(`  ${index + 1}. ${item.name} (${item.id})`));
-	const answer = await promptRequired(`Choose ${label}: `, "1", deps, `${label} is required.`);
-	const index = Number(answer);
-	if (!Number.isInteger(index) || index < 1 || index > items.length) throw new Error(`Invalid Forgeway ${label} selection: ${answer}`);
-	return items[index - 1];
-}
 function getSavedForgewayMetadata(pkg) {
 	return pkg.dineway?.deploy?.forgeway ?? {};
 }
-async function resolveAdminProjectContext(cwd, options, deps) {
-	const saved = getSavedForgewayMetadata(await readDeployPackageJson(cwd));
-	const platformApiUrl = normalizePlatformApiUrl(getEnv("FORGEWAY_API_URL") ?? (typeof saved.platformApiUrl === "string" ? saved.platformApiUrl : void 0));
-	const envApiKey = getEnv("FORGEWAY_PROJECT_API_KEY");
-	const envOssHost = getEnv("FORGEWAY_OSS_HOST");
-	if (envApiKey && envOssHost) return {
-		projectDir: cwd,
-		platformApiUrl,
-		authKind: "project-api-key",
-		projectId: getEnv("FORGEWAY_PROJECT_ID") ?? saved.projectId,
-		projectName: saved.projectName,
-		orgId: saved.orgId,
-		appkey: saved.appkey,
-		region: saved.region,
-		apiKey: envApiKey,
-		ossHost: envOssHost
-	};
-	const credentials = await resolveCredentials(cwd, platformApiUrl, deps, Boolean(options.dryRun));
-	if (!credentials) return null;
-	const platformContext = {
-		platformApiUrl,
-		projectDir: cwd,
-		credentials
-	};
-	let projectId = getEnv("FORGEWAY_PROJECT_ID") ?? (typeof saved.projectId === "string" ? saved.projectId : void 0);
-	let project = null;
-	if (!projectId) {
-		const orgId = getEnv("FORGEWAY_ORG_ID");
-		project = await chooseSingleOrPrompt("project", await listProjects((orgId !== void 0 ? {
-			id: orgId,
-			name: orgId
-		} : await chooseSingleOrPrompt("org", await listOrganizations(platformContext, deps), deps)).id, platformContext, deps), deps);
-		projectId = project.id;
-	}
-	if (!project) {
-		if (!projectId) throw new Error("Forgeway project id is required");
-		project = unwrapProjectPayload(await platformFetch(`/projects/v1/${encodeURIComponent(projectId)}`, platformContext, deps));
-	}
-	const savedSecret = await (deps.readProjectSecret ?? readForgewayProjectSecret)(projectId, cwd) ?? void 0;
-	const apiKey = getEnv("FORGEWAY_PROJECT_API_KEY") ?? savedSecret?.apiKey ?? await fetchProjectApiKey(projectId, platformContext, deps);
-	const orgId = project.organization_id ?? project.organizationId ?? (typeof saved.orgId === "string" ? saved.orgId : "unknown");
-	const ossHost = getEnv("FORGEWAY_OSS_HOST") ?? savedSecret?.ossHost ?? (typeof saved.ossHost === "string" ? saved.ossHost : void 0) ?? `https://${project.appkey}.${project.region}.${DEFAULT_SITE_BASE_DOMAIN}`;
-	if (!options.dryRun) {
-		await (deps.writeProjectSecret ?? writeForgewayProjectSecret)(projectId, {
-			apiKey,
-			ossHost
-		}, cwd);
-		await writeForgewayDeployMetadata(cwd, {
-			platformApiUrl,
-			projectId,
-			projectName: project.name,
-			orgId,
-			appkey: project.appkey,
-			region: project.region,
-			ossHost
-		});
-	}
+async function resolveForgewayAccountEmail(options, grant, cwd, deps) {
+	const stored = await (deps.readCredentials ?? readForgewayCredentials)(cwd);
+	const storedEmail = stored?.source === "shadow-email-upgrade" && stored.placeId === grant.placeId && stored.user?.emailVerified === true && !isShadowEmail(stored.user?.email) ? stored.user?.email : void 0;
+	const email = normalizeEmail(options.email ?? getEnv("DINEWAY_EMAIL") ?? getEnv("FORGEWAY_EMAIL") ?? storedEmail ?? await promptRequired("Dineway account email: ", void 0, deps, "Dineway account email is required. Pass --email or set DINEWAY_EMAIL."));
+	if (!email || isShadowEmail(email)) throw new Error("Dineway account email must be a real owner email, not a shadow user email.");
+	return email;
+}
+function isStoredFormalCredentialForGrant(stored, grant, email) {
+	if (!stored?.accessToken || stored.source !== "shadow-email-upgrade" || stored.placeId !== grant.placeId || !stored.user) return false;
+	if (normalizeEmail(stored.user.email) !== email) return false;
+	if (stored.user.emailVerified !== true) return false;
+	if (isShadowEmail(stored.user.email)) return false;
+	if (grant.user?.id && stored.user.id !== grant.user.id) return false;
+	return true;
+}
+function assertVerifiedFormalAccountUser(user, expectedEmail) {
+	if (!user || user.emailVerified !== true || isShadowEmail(user.email)) throw new Error("Forgeway formal account credentials require a verified formal account.");
+	if (expectedEmail && normalizeEmail(user.email) !== normalizeEmail(expectedEmail)) throw new Error("Forgeway refresh returned credentials for a different email.");
+	return user;
+}
+async function shadowUpgradeFetch(context, path, deps, options) {
+	const request = async (accessToken) => await forgewayRequest(`${context.platformApiUrl}${path}`, {
+		...options,
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${accessToken}`,
+			...options.headers
+		}
+	}, deps);
+	if (!context.accessToken) throw new Error("Dineway shadow deploy grant is missing its access token.");
+	let response = await request(context.accessToken);
+	if (response.status === 401) response = await request(await refreshShadowAccessToken(context, deps));
+	if (!response.ok) throw new ForgewayApiError(await parseErrorResponse(response), response.status);
+	return await response.json();
+}
+async function startShadowEmailUpgrade(context, email, deps) {
+	const payload = await shadowUpgradeFetch(context, "/api/auth/users/shadow/upgrade/email/start", deps, {
+		method: "POST",
+		body: JSON.stringify({ email })
+	});
+	if (payload.email && normalizeEmail(payload.email) !== email) throw new Error("Forgeway email verification response returned a different email.");
+	return payload;
+}
+async function verifyShadowEmailUpgrade(context, email, otp, deps) {
+	const payload = await shadowUpgradeFetch(context, "/api/auth/users/shadow/upgrade/email/verify", deps, {
+		method: "POST",
+		body: JSON.stringify({
+			email,
+			otp
+		})
+	});
+	if (!payload.accessToken || !payload.refreshToken || !payload.user) throw new Error("Forgeway email upgrade response was missing credentials.");
+	const user = normalizeForgewayUser(payload.user);
+	if (normalizeEmail(user.email) !== email) throw new Error("Forgeway email upgrade returned credentials for a different email.");
+	if (user.emailVerified !== true || isShadowEmail(user.email)) throw new Error("Forgeway email upgrade did not return a verified formal account.");
 	return {
-		projectDir: cwd,
-		platformApiUrl,
-		authKind: "project-api-key",
-		projectId,
-		projectName: project.name,
-		orgId,
-		appkey: project.appkey,
-		region: project.region,
-		apiKey,
-		ossHost
+		platformApiUrl: context.platformApiUrl,
+		accessToken: payload.accessToken,
+		refreshToken: payload.refreshToken,
+		user,
+		source: "shadow-email-upgrade",
+		...context.placeId ? { placeId: context.placeId } : {}
+	};
+}
+async function resolveFormalAccountCredentials(context, grant, email, deps) {
+	const stored = await (deps.readCredentials ?? readForgewayCredentials)(context.projectDir);
+	if (isStoredFormalCredentialForGrant(stored, grant, email)) return {
+		...stored,
+		platformApiUrl: context.platformApiUrl
 	};
+	await startShadowEmailUpgrade(context, email, deps);
+	consola.info(`Sent Forgeway email verification code to ${email}`);
+	const credentials = await verifyShadowEmailUpgrade(context, email, await promptRequired("Email verification code: ", void 0, deps, "Email verification code is required."), deps);
+	await (deps.writeCredentials ?? writeForgewayCredentials)(credentials, context.projectDir);
+	return credentials;
 }
 async function resolveShadowProjectContext(cwd, options, deps) {
 	const pkg = await readDeployPackageJson(cwd).catch(() => null);
@@ -1901,37 +1940,35 @@ async function resolveShadowProjectContext(cwd, options, deps) {
 		name: options.restaurantName ?? grant.restaurantName,
 		city: options.city ?? grant.city
 	};
+	const shadowContext = {
+		projectDir: cwd,
+		platformApiUrl,
+		authKind: "shadow-grant",
+		accessToken: grant.accessToken,
+		refreshToken: grant.refreshToken,
+		user: grant.user,
+		ossHost: platformApiUrl,
+		placeId: grant.placeId,
+		restaurantName: restaurant.name,
+		city: restaurant.city
+	};
+	const accountEmail = await resolveForgewayAccountEmail(options, grant, cwd, deps);
+	const credentials = await resolveFormalAccountCredentials(shadowContext, grant, accountEmail, deps);
 	return {
 		context: {
-			projectDir: cwd,
-			platformApiUrl,
-			authKind: "shadow-grant",
-			accessToken: grant.accessToken,
-			refreshToken: grant.refreshToken,
-			ossHost: platformApiUrl,
-			placeId: grant.placeId,
-			restaurantName: restaurant.name,
-			city: restaurant.city
+			...shadowContext,
+			authKind: "formal-account",
+			accessToken: credentials.accessToken,
+			refreshToken: credentials.refreshToken,
+			user: credentials.user,
+			ossHost: platformApiUrl
 		},
 		restaurant
 	};
 }
 async function resolveProjectContext(cwd, options, deps) {
-	const adminContext = await resolveAdminProjectContext(cwd, options, deps);
-	if (adminContext) return { context: adminContext };
 	return await resolveShadowProjectContext(cwd, options, deps);
 }
-function unwrapProjectPayload(payload) {
-	if (isRecord(payload) && "project" in payload) {
-		if (isForgewayProject(payload.project)) return payload.project;
-		throw new Error("Forgeway project response did not include a project");
-	}
-	if (isForgewayProject(payload)) return payload;
-	throw new Error("Forgeway project response did not include a project");
-}
-function isForgewayProject(value) {
-	return isRecord(value) && typeof value.id === "string" && typeof value.name === "string" && typeof value.appkey === "string" && typeof value.region === "string";
-}
 function isRecord(value) {
 	return typeof value === "object" && value !== null;
 }
@@ -2038,20 +2075,6 @@ async function createShadowGrant(options) {
 	await (options.deps.writeShadowGrant ?? writeForgewayShadowGrant)(grant, options.cwd);
 	return grant;
 }
-async function listOrganizations(context, deps) {
-	const payload = await platformFetch("/organizations/v1", context, deps);
-	return Array.isArray(payload) ? payload : payload.organizations ?? [];
-}
-async function listProjects(orgId, context, deps) {
-	const payload = await platformFetch(`/organizations/v1/${encodeURIComponent(orgId)}/projects`, context, deps);
-	return Array.isArray(payload) ? payload : payload.projects ?? [];
-}
-async function fetchProjectApiKey(projectId, context, deps) {
-	const payload = await platformFetch(`/projects/v1/${encodeURIComponent(projectId)}/access-api-key`, context, deps);
-	const apiKey = payload.access_api_key ?? payload.apiKey;
-	if (!apiKey) throw new Error("Forgeway project API key response was empty.");
-	return apiKey;
-}
 async function ossFetch(context, path, deps, options = {}) {
 	const request = async (token) => await forgewayRequest(`${context.ossHost.replace(TRAILING_SLASH_PATTERN, "")}${path}`, {
 		...options,
@@ -2061,10 +2084,10 @@ async function ossFetch(context, path, deps, options = {}) {
 			...options.headers
 		}
 	}, deps);
-	const token = context.apiKey ?? context.accessToken;
+	const token = context.accessToken;
 	if (!token) throw new Error("Forgeway deploy context is missing an authorization token.");
 	let response = await request(token);
-	if (response.status === 401 && context.authKind === "shadow-grant") response = await request(await refreshShadowAccessToken(context, deps));
+	if (response.status === 401) response = await request(context.authKind === "formal-account" ? await refreshFormalAccessToken(context, deps) : await refreshShadowAccessToken(context, deps));
 	if (!response.ok) throw new ForgewayApiError(await parseErrorResponse(response), response.status);
 	return await response.json();
 }
@@ -2382,15 +2405,21 @@ async function deploySiteProject(options) {
 		dinewayAdminBootstrap: createResult.dinewayAdminBootstrap
 	};
 }
-function formatDinewayAdminBootstrapMessage(bootstrap, siteUrl) {
+async function persistForgewayCliEnv(cwd, params) {
+	await upsertProjectEnv(cwd, {
+		DINEWAY_SITE_URL: params.siteUrl,
+		DINEWAY_TOKEN: params.token
+	});
+	await ensureProjectGitignoreEntry(cwd, ".env");
+}
+function formatDinewayAdminBootstrapMessage(bootstrap) {
 	if (!bootstrap) return "";
 	if (bootstrap.status === "already_issued") return `Dineway admin bootstrap: ${bootstrap.message}`;
 	return [
-		"Dineway admin bootstrap credentials were issued. Forgeway will not print these again.",
-		`Admin email: ${bootstrap.adminEmail}`,
+		"Dineway admin access is ready. Local CLI defaults were saved to .env.",
+		`Dineway admin email: ${bootstrap.adminEmail}`,
 		`Setup link (expires ${bootstrap.setupTokenExpiresAt}): ${bootstrap.setupUrl}`,
-		`Admin API token: ${bootstrap.apiToken}`,
-		`CLI example: DINEWAY_TOKEN=${bootstrap.apiToken} dineway whoami --url ${siteUrl}`
+		"CLI example: dineway whoami"
 	].join("\n");
 }
 async function deployForgeway(cwd, options, deps = {}) {
@@ -2429,7 +2458,11 @@ async function deployForgeway(cwd, options, deps = {}) {
 		deps
 	});
 	const url = deployment.liveUrl ?? `https://${site.domain}`;
-	const bootstrapMessage = formatDinewayAdminBootstrapMessage(deployment.dinewayAdminBootstrap, url);
+	await (deps.writeProjectEnv ?? persistForgewayCliEnv)(cwd, {
+		siteUrl: url,
+		token: deployment.dinewayAdminBootstrap?.status === "issued" ? deployment.dinewayAdminBootstrap.apiToken : void 0
+	});
+	const bootstrapMessage = formatDinewayAdminBootstrapMessage(deployment.dinewayAdminBootstrap);
 	const statusMessage = deployment.isReady ? `Deploy complete: ${url}` : `Deploy started for ${site.domain}. Check Forgeway for build status.`;
 	return {
 		url,
@@ -2965,6 +2998,11 @@ const deployCommand = defineCommand({
 			description: "Forgeway deployment site ID or slug",
 			required: false
 		},
+		email: {
+			type: "string",
+			description: "Dineway account email for deploy authorization",
+			required: false
+		},
 		"restaurant-name": {
 			type: "string",
 			description: "Restaurant name for first Forgeway site creation",
@@ -2995,6 +3033,7 @@ const deployCommand = defineCommand({
 			yes: args.yes,
 			dryRun: args["dry-run"],
 			site: args.site,
+			email: args.email,
 			restaurantName: args["restaurant-name"],
 			city: args.city,
 			database: args.database,
@@ -3971,7 +4010,7 @@ const loginCommand = defineCommand({
 			type: "string",
 			alias: "u",
 			description: "Dineway instance URL",
-			default: "http://localhost:4321"
+			default: DEFAULT_DINEWAY_URL
 		},
 		header: {
 			type: "string",
@@ -3980,7 +4019,7 @@ const loginCommand = defineCommand({
 		}
 	},
 	async run({ args }) {
-		const baseUrl = args.url || "http://localhost:4321";
+		const baseUrl = resolveDinewayBaseUrl(args.url);
 		consola$1.start(`Connecting to ${baseUrl}...`);
 		const customHeaders = resolveCustomHeaders();
 		let headerFetch = createHeaderAwareFetch(customHeaders);
@@ -4092,10 +4131,10 @@ const logoutCommand = defineCommand({
 		type: "string",
 		alias: "u",
 		description: "Dineway instance URL",
-		default: "http://localhost:4321"
+		default: DEFAULT_DINEWAY_URL
 	} },
 	async run({ args }) {
-		const baseUrl = args.url || "http://localhost:4321";
+		const baseUrl = resolveDinewayBaseUrl(args.url);
 		const cred = getCredentials(baseUrl);
 		if (!cred) {
 			consola$1.info("No stored credentials found for this instance.");
@@ -4123,7 +4162,7 @@ const whoamiCommand = defineCommand({
 			type: "string",
 			alias: "u",
 			description: "Dineway instance URL",
-			default: "http://localhost:4321"
+			default: DEFAULT_DINEWAY_URL
 		},
 		token: {
 			type: "string",
@@ -4137,8 +4176,8 @@ const whoamiCommand = defineCommand({
 	},
 	async run({ args }) {
 		configureOutputMode(args);
-		const baseUrl = args.url || "http://localhost:4321";
-		let token = args.token || process.env["DINEWAY_TOKEN"];
+		const baseUrl = resolveDinewayBaseUrl(args.url);
+		let token = resolveDinewayToken(args.token);
 		let authMethod = token ? "token" : "none";
 		let storedHeaders = {};
 		if (!token) {