viza 1.8.2 → 1.8.9

package/dist/src/cli/options.js

@@ -2,6 +2,5 @@ export function registerGlobalOptions(program) {
     program
         .option("--status", "Show status only (no execution)")
         .option("--remove-log", "Remove execution logs after completion", false)
-        .option("--self-hosted", "Use self-hosted runner (viza-builder)", false)
-        .option("--cloud-runner", "Use cloud managed runner (GitHub-hosted)", false);
+        .option("--self-hosted", "Use self-hosted runner (viza-builder)", false);
 }

package/dist/src/commands/age/bootstrap/bootstrap.js

@@ -1,21 +1,7 @@
 import { resolveEnv } from "../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../core/dispatch.js";
-/**
- * Target teams for `viza login aws`.
- * This is a CLI-only UX constraint for fail-fast validation.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-admin",
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza login aws
  *
@@ -33,12 +19,7 @@ export async function bootstrapAgeCommand(options) {
     // Resolve allowed teams
     // - Dispatch mode: restrict by targetEnv
     // - Status mode: allow union of all env teams (read-only query)
-    const allowedTeams = options.status === true && env === "dev"
-        ? Array.from(new Set([
-            ...TARGET_TEAMS.dev,
-            ...TARGET_TEAMS.prod,
-        ]))
-        : TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 5) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/age/bootstrap/policy.js

@@ -0,0 +1,12 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-admin",
+            "viza-super"
+        ],
+        "prod": [
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/aws/rolesanywhere/bootstrap/bootstrap.js

@@ -1,15 +1,7 @@
 import { resolveEnv } from "../../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
-/**
- * Target teams for `viza aws rolesanywhere bootstrap`.
- * CLI-only fail-fast UX constraint.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    dev: ["viza-super"],
-    prod: ["viza-super"],
-};
+import { policy } from "./policy.js";
 /**
  * viza aws rolesanywhere bootstrap
  *
@@ -24,7 +16,7 @@ export async function bootstrapAwsRolesAnywhereCommand(options) {
     const env = resolveEnv(options);
     const intent = RESOURCE_HUB_INTENT_BY_ENV;
     // 2) Resolve allowed teams (no status mode for bootstrap)
-    const allowedTeams = TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 3) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/aws/rolesanywhere/bootstrap/policy.js

@@ -0,0 +1,6 @@
+export const policy = {
+    byEnv: {
+        dev: ["viza-super"],
+        prod: ["viza-super"],
+    }
+};

package/dist/src/commands/aws/rolesanywhere/rebootstrap/policy.js

@@ -0,0 +1,6 @@
+export const policy = {
+    byEnv: {
+        dev: ["viza-super"],
+        prod: ["viza-super"],
+    }
+};

package/dist/src/commands/aws/rolesanywhere/rebootstrap/rebootstrap.js

@@ -1,19 +1,7 @@
 import { resolveEnv } from "../../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
-/**
- * Target teams for `viza aws rolesanywhere bootstrap`.
- * CLI-only fail-fast UX constraint.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-super"
-    ],
-    "prod": [
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza aws rolesanywhere bootstrap
  *
@@ -28,7 +16,7 @@ export async function rebootstrapAwsRolesAnywhereCommand(options) {
     const env = resolveEnv(options);
     const intent = RESOURCE_HUB_INTENT_BY_ENV;
     // 2) Resolve allowed teams (no status mode for bootstrap)
-    const allowedTeams = TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 3) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/aws/rolesanywhere/rotate/policy.js

@@ -0,0 +1,13 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-manager",
+            "viza-admin",
+            "viza-super"
+        ],
+        "prod": [
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/aws/rolesanywhere/rotate/rotate.js

@@ -1,22 +1,7 @@
 import { resolveEnv } from "../../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
-/**
- * Target teams for `viza aws rolesanywhere rotate`.
- * CLI-only fail-fast UX constraint.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-manager",
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-admin",
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza aws rolesanywhere rotate
  *
@@ -31,7 +16,7 @@ export async function rotateAwsRolesAnywhereCommand(options) {
     const env = resolveEnv(options);
     const intent = RESOURCE_HUB_INTENT_BY_ENV;
     // 2) Resolve allowed teams (no status mode for rotate)
-    const allowedTeams = TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 3) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/aws/rolesanywhere/update-role/policy.js

@@ -0,0 +1,6 @@
+export const policy = {
+    byEnv: {
+        dev: ["viza-super"],
+        prod: ["viza-super"],
+    }
+};

package/dist/src/commands/aws/rolesanywhere/update-role/update-role.js

@@ -1,19 +1,7 @@
 import { resolveEnv } from "../../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
-/**
- * Target teams for `viza aws rolesanywhere update-role`.
- * CLI-only fail-fast UX constraint.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-super"
-    ],
-    "prod": [
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza aws rolesanywhere update-role
  *
@@ -28,7 +16,7 @@ export async function updateAwsRolesAnywhereRoleCommand(options) {
     const env = resolveEnv(options);
     const intent = RESOURCE_HUB_INTENT_BY_ENV;
     // 2) Resolve allowed teams (no status mode for rotate)
-    const allowedTeams = TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 3) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/billing/login/aws/aws.js

@@ -1,16 +1,7 @@
 import { RUNTIME_HUB_INTENT } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
 import { showSsoLinkMenu } from "../../../../ui/sso/awsLoginMenu.js";
-/**
- * Target teams for `viza login aws`.
- * This is a CLI-only UX constraint for fail-fast validation.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = [
-    "viza-billing",
-    "viza-admin",
-    "viza-super",
-];
+import { policy } from "./policy.js";
 /**
  * viza login aws
  *
@@ -24,7 +15,7 @@ const TARGET_TEAMS = [
 export async function loginBillingAwsCommand(options) {
     // 1) Resolve environment
     const intent = RUNTIME_HUB_INTENT;
-    const allowedTeams = TARGET_TEAMS;
+    const allowedTeams = Array.from(policy.byEnv["prod"]);
     // 5) Dispatch intent (freeze)
     const result = await dispatchIntentAndWait({
         intent,

package/dist/src/commands/billing/login/aws/policy.js

@@ -0,0 +1,9 @@
+export const policy = {
+    byEnv: {
+        "prod": [
+            "viza-billing",
+            "viza-admin",
+            "viza-super",
+        ]
+    }
+};

package/dist/src/commands/dispatch/logs/logs.js

@@ -1,20 +1,7 @@
 import { resolveEnv } from "../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../core/dispatch.js";
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-designer",
-        "viza-deployer",
-        "viza-manager",
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-publisher",
-        "viza-admin",
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza dispatch logs <runId>
  *
@@ -28,7 +15,7 @@ export async function logsCommand(runId, options) {
     const env = resolveEnv(options);
     const intent = RESOURCE_HUB_INTENT_BY_ENV;
     // Resolve allowed teams (same contract as other commands)
-    const allowedTeams = TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 2️⃣ Handle --app locally (do NOT dispatch)
     if (options.app === true) {
         const url = env === "prod"

package/dist/src/commands/dispatch/logs/policy.js

@@ -0,0 +1,16 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-designer",
+            "viza-deployer",
+            "viza-manager",
+            "viza-admin",
+            "viza-super"
+        ],
+        "prod": [
+            "viza-publisher",
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/dispatch/runs/policy.js

@@ -0,0 +1,16 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-designer",
+            "viza-deployer",
+            "viza-manager",
+            "viza-admin",
+            "viza-super"
+        ],
+        "prod": [
+            "viza-publisher",
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/dispatch/runs/runs.js

@@ -1,21 +1,8 @@
 import { resolveEnv } from "../../../context/env.js";
 import { RUNTIME_HUB_INTENT } from "../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../core/dispatch.js";
+import { policy } from "./policy.js";
 import { showDispatchRuns } from "./show-runs.js";
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-designer",
-        "viza-deployer",
-        "viza-manager",
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-publisher",
-        "viza-admin",
-        "viza-super"
-    ]
-};
 /**
  * viza dispatch runs
  *
@@ -29,7 +16,7 @@ export async function runsCommand(options) {
     const env = resolveEnv(options);
     const intent = RUNTIME_HUB_INTENT;
     // Resolve allowed teams (same contract as other commands)
-    const allowedTeams = TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 2️⃣ Handle --app locally (do NOT dispatch)
     if (options.app === true) {
         const url = env === "prod"

package/dist/src/commands/github/secrets/backup/backup.js

@@ -1,19 +1,7 @@
 import { resolveEnv } from "../../../../context/env.js";
 import { RESOURCE_HUB_INTENT_BY_ENV } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
-/**
- * Target teams for `viza login aws`.
- * This is a CLI-only UX constraint for fail-fast validation.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-super"
-    ],
-    "prod": [
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza github secrets backup
  *
@@ -31,12 +19,7 @@ export async function backupGithubSecretsCommand(options) {
     // Resolve allowed teams
     // - Dispatch mode: restrict by targetEnv
     // - Status mode: allow union of all env teams (read-only query)
-    const allowedTeams = options.status === true && env === "dev"
-        ? Array.from(new Set([
-            ...TARGET_TEAMS.dev,
-            ...TARGET_TEAMS.prod,
-        ]))
-        : TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 5) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/github/secrets/backup/policy.js

@@ -0,0 +1,10 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-super"
+        ],
+        "prod": [
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/github/secrets/restore/policy.js

@@ -0,0 +1,12 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-admin",
+            "viza-super"
+        ],
+        "prod": [
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/github/secrets/restore/register.js

@@ -14,6 +14,7 @@ export function registerGithubSecretsRestoreCommand(program) {
         .option("--infra", "Restore configuration for Modo-Infra hub repositories")
         .option("--builder", "Restore configuration for build/publish app repositories")
         .option("--deployer", "Restore configuration for deployer repositories (Modo-Front / Modo-Back)")
+        .option("--all", "Restore configuration for all targets (core, infra, builder, deployer)")
         .action(async (_opts, command) => {
         const fullOpts = getResolvedOptions(command);
         await restoreGithubSecretsCommand(fullOpts);

package/dist/src/commands/github/secrets/restore/restore.js

@@ -1,21 +1,7 @@
 import { resolveEnv } from "../../../../context/env.js";
 import { RUNTIME_HUB_INTENT } from "../../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
-/**
- * Target teams for `viza login aws`.
- * This is a CLI-only UX constraint for fail-fast validation.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-admin",
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza github secrets restore
  *
@@ -33,22 +19,29 @@ export async function restoreGithubSecretsCommand(options) {
     // Resolve allowed teams
     // - Dispatch mode: restrict by targetEnv
     // - Status mode: allow union of all env teams (read-only query)
-    const allowedTeams = options.status === true && env === "dev"
-        ? Array.from(new Set([
-            ...TARGET_TEAMS.dev,
-            ...TARGET_TEAMS.prod,
-        ]))
-        : TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // Resolve domain restore flags (forward to hub)
     const payload = {};
-    if (options.core)
+    if (options.all) {
         payload.core = true;
-    if (options.infra)
         payload.infra = true;
-    if (options.builder)
         payload.builder = true;
-    if (options.deployer)
         payload.deployer = true;
+    }
+    else {
+        if (options.core)
+            payload.core = true;
+        if (options.infra)
+            payload.infra = true;
+        if (options.builder)
+            payload.builder = true;
+        if (options.deployer)
+            payload.deployer = true;
+    }
+    // Fail fast if no domain flags were provided
+    if (Object.keys(payload).length === 0) {
+        throw new Error("No restore target specified. Use one of: --core, --infra, --builder, --deployer, or --all");
+    }
     // 5) Dispatch intent (freeze)
     await dispatchIntentAndWait({
         intent,

package/dist/src/commands/infra/deploy/command-hub/command-hub.js

@@ -0,0 +1,39 @@
+import { resolveEnv } from "../../../../context/env.js";
+import { resolveHubIntent } from "../../../../context/hubIntent.js";
+import { dispatchIntentAndWait } from "../../../../core/dispatch.js";
+import { policy } from "./policy.js";
+/**
+ * viza login aws
+ *
+ * Flow:
+ * 1) Resolve env (deterministic)
+ * 2) Resolve user identity (trusted via gh auth)
+ * 3) CLI pre-check against target teams (fail-fast UX)
+ * 4) Derive ONE valid team (deterministic)
+ * 5) Dispatch frozen intent to gateway
+ */
+export async function deployCommandHubCommand(options) {
+    // 1) Resolve environment
+    const env = resolveEnv(options);
+    const intent = resolveHubIntent(options.runner);
+    // Resolve allowed teams for the current environment only.
+    // CLI performs a fail-fast UX check but must still respect env boundaries.
+    const allowedTeams = Array.from(policy.byEnv[env]);
+    // 5) Dispatch intent (freeze)
+    await dispatchIntentAndWait({
+        intent,
+        commandType: "infra.command-hub.deploy",
+        infraKey: "core",
+        targetEnv: env,
+        allowedTeams,
+        selfHosted: options.selfHosted === true,
+        keepLog: options.removeLog !== true,
+        flowGates: {
+            secrets: true,
+        },
+        payload: {}
+    }, {
+        status: options.status === true,
+        log: "show",
+    });
+}

package/dist/src/commands/infra/deploy/command-hub/policy.js

@@ -0,0 +1,12 @@
+export const policy = {
+    byEnv: {
+        dev: [
+            "viza-admin",
+            "viza-super"
+        ],
+        prod: [
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/commands/infra/{command-hub → deploy/command-hub}/register.js

@@ -1,19 +1,16 @@
 import { deployCommandHubCommand } from "./command-hub.js";
-import { getResolvedOptions } from "../../../cli/resolveOptions.js";
+import { getResolvedOptions } from "../../../../cli/resolveOptions.js";
 /**
  * Register:
  * viza infra deploy command-hub
  */
 export function registerCommandHubDeployCommand(program) {
     program
-        .command("infra")
-        .description("Infrastructure commands")
-        .command("deploy")
-        .description("Deploy infrastructure components")
         .command("command-hub")
         .description("Deploy command hub worker to Cloudflare")
         .option("--prod", "Use production environment")
         .option("--dev", "Use development environment")
+        .option("--runner <type>", "Execution runner (hub | deployer | builder)", "hub")
         .action(async (_opts, command) => {
         const fullOpts = getResolvedOptions(command);
         await deployCommandHubCommand(fullOpts);

package/dist/src/commands/infra/deploy/register.js

@@ -0,0 +1,12 @@
+import { registerCommandHubDeployCommand } from "./command-hub/register.js";
+/**
+ * Register:
+ * viza infra deploy command-hub
+ */
+export function registerDeployCommand(program) {
+    const deploy = program
+        .command("deploy")
+        .description("Deploy infrastructure components");
+    // Register subcommands under "infra"
+    registerCommandHubDeployCommand(deploy);
+}

package/dist/src/commands/infra/register.js

@@ -1,4 +1,8 @@
-import { registerCommandHubDeployCommand } from "./command-hub/register.js";
+import { registerDeployCommand } from "./deploy/register.js";
 export function registerInfraCommand(program) {
-    registerCommandHubDeployCommand(program);
+    const infra = program
+        .command("infra")
+        .description("Infrastructure commands");
+    // Register subcommands under "infra"
+    registerDeployCommand(infra);
 }

package/dist/src/commands/login/aws/aws.js

@@ -2,24 +2,7 @@ import { resolveEnv } from "../../../context/env.js";
 import { RUNTIME_HUB_INTENT } from "../../../context/hubIntent.js";
 import { dispatchIntentAndWait } from "../../../core/dispatch.js";
 import { showSsoLinkMenu } from "../../../ui/sso/awsLoginMenu.js";
-/**
- * Target teams for `viza login aws`.
- * This is a CLI-only UX constraint for fail-fast validation.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-deployer",
-        "viza-manager",
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-publisher",
-        "viza-admin",
-        "viza-super"
-    ]
-};
+import { policy } from "./policy.js";
 /**
  * viza login aws
  *
@@ -37,12 +20,7 @@ export async function loginAwsCommand(options) {
     // Resolve allowed teams
     // - Dispatch mode: restrict by targetEnv
     // - Status mode: allow union of all env teams (read-only query)
-    const allowedTeams = options.status === true && env === "dev"
-        ? Array.from(new Set([
-            ...TARGET_TEAMS.dev,
-            ...TARGET_TEAMS.prod,
-        ]))
-        : TARGET_TEAMS[env];
+    const allowedTeams = Array.from(policy.byEnv[env]);
     // 5) Dispatch intent (freeze)
     const result = await dispatchIntentAndWait({
         intent,

package/dist/src/commands/login/aws/policy.js

@@ -0,0 +1,15 @@
+export const policy = {
+    byEnv: {
+        "dev": [
+            "viza-deployer",
+            "viza-manager",
+            "viza-admin",
+            "viza-super"
+        ],
+        "prod": [
+            "viza-publisher",
+            "viza-admin",
+            "viza-super"
+        ]
+    }
+};

package/dist/src/context/hubIntent.js

@@ -10,15 +10,19 @@ export const RESOURCE_DEPLOYER_INTENT_BY_ENV = "deployer";
 /**
  * Build & publish application layer
  */
-export const RESOURCE_BACKER_INTENT_BY_ENV = "backer";
+export const RESOURCE_BACKER_INTENT_BY_ENV = "builder";
 /**
  * Runtime command hub (worker layer)
  * Single intent for both dev and prod (env derived at gateway)
  */
 export const RUNTIME_HUB_INTENT = "hub-worker";
-export function resolveHubIntent(cloudRunner) {
-    if (cloudRunner) {
-        return RESOURCE_BACKER_INTENT_BY_ENV;
+export function resolveHubIntent(runner) {
+    switch (runner) {
+        case "builder":
+            return RESOURCE_BACKER_INTENT_BY_ENV;
+        case "deployer":
+            return RESOURCE_DEPLOYER_INTENT_BY_ENV;
+        default:
+            return RESOURCE_HUB_INTENT_BY_ENV;
     }
-    return RESOURCE_HUB_INTENT_BY_ENV;
 }

package/dist/src/types/runner.js

@@ -0,0 +1 @@
+export const RUNNER_TYPES = ["hub", "deployer", "builder"];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "viza",
-  "version": "1.8.2",
+  "version": "1.8.9",
   "type": "module",
   "description": "Viza unified command line interface",
   "bin": {

package/dist/src/commands/infra/command-hub/command-hub.js

@@ -1,60 +0,0 @@
-import { resolveEnv } from "../../../context/env.js";
-import { resolveHubIntent } from "../../../context/hubIntent.js";
-import { dispatchIntentAndWait } from "../../../core/dispatch.js";
-/**
- * Target teams for `viza login aws`.
- * This is a CLI-only UX constraint for fail-fast validation.
- * NOT a policy and MUST NOT be sent to gateway.
- */
-const TARGET_TEAMS = {
-    "dev": [
-        "viza-admin",
-        "viza-super"
-    ],
-    "prod": [
-        "viza-admin",
-        "viza-super"
-    ]
-};
-/**
- * viza login aws
- *
- * Flow:
- * 1) Resolve env (deterministic)
- * 2) Resolve user identity (trusted via gh auth)
- * 3) CLI pre-check against target teams (fail-fast UX)
- * 4) Derive ONE valid team (deterministic)
- * 5) Dispatch frozen intent to gateway
- */
-export async function deployCommandHubCommand(options) {
-    // 1) Resolve environment
-    const env = resolveEnv(options);
-    const cloudRunner = options.cloudRunner === true;
-    const intent = resolveHubIntent(cloudRunner);
-    // Resolve allowed teams
-    // - Dispatch mode: restrict by targetEnv
-    // - Status mode: allow union of all env teams (read-only query)
-    const allowedTeams = options.status === true && env === "dev"
-        ? Array.from(new Set([
-            ...TARGET_TEAMS.dev,
-            ...TARGET_TEAMS.prod,
-        ]))
-        : TARGET_TEAMS[env];
-    // 5) Dispatch intent (freeze)
-    await dispatchIntentAndWait({
-        intent,
-        commandType: "infra.command-hub.deploy",
-        infraKey: "core",
-        targetEnv: env,
-        allowedTeams,
-        selfHosted: options.selfHosted === true,
-        keepLog: options.removeLog !== true,
-        flowGates: {
-            secrets: true,
-        },
-        payload: {}
-    }, {
-        status: options.status === true,
-        log: "show",
-    });
-}