diff --git a/.gitignore b/.gitignore
index 62c2f43..ce58724 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,6 @@ __pycache__/
 dist/
 build/
 .eggs/
+
+# Rust
+/target/
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 0000000..fa0c239
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,4882 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
+[[package]]
+name = "aead"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
+dependencies = [
+ "crypto-common",
+ "generic-array",
+]
+
+[[package]]
+name = "aes"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
+dependencies = [
+ "cfg-if",
+ "cipher",
+ "cpufeatures",
+]
+
+[[package]]
+name = "aes-gcm"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1"
+dependencies = [
+ "aead",
+ "aes",
+ "cipher",
+ "ctr",
+ "ghash",
+ "subtle",
+]
+
+[[package]]
+name = "ahash"
+version = "0.8.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
+dependencies = [
+ "cfg-if",
+ "const-random",
+ "getrandom 0.3.4",
+ "once_cell",
+ "version_check",
+ "zerocopy",
+]
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "allocator-api2"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
+
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "anstream"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
+
+[[package]]
+name = "anstyle-parse"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.102"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
+
+[[package]]
+name = "ar_archive_writer"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7eb93bbb63b9c227414f6eb3a0adfddca591a8ce1e9b60661bb08969b87e340b"
+dependencies = [
+ "object",
+]
+
+[[package]]
+name = "asn1-rs"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "async-broadcast"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
+dependencies = [
+ "event-listener",
+ "event-listener-strategy",
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-stream"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b5a71a6f37880a80d1d7f19efd781e4b5de42c88f0722cc13bcb6cc2cfe8476"
+dependencies = [
+ "async-stream-impl",
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-stream-impl"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "async-trait"
+version = "0.1.89"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "aws-lc-rs"
+version = "1.16.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
+dependencies = [
+ "aws-lc-sys",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
+dependencies = [
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
+[[package]]
+name = "backon"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cffb0e931875b666fc4fcb20fee52e9bbd1ef836fd9e9e04ec21555f9f85f7ef"
+dependencies = [
+ "fastrand",
+ "gloo-timers",
+ "tokio",
+]
+
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "base64ct"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
+
+[[package]]
+name = "bcrypt-pbkdf"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6aeac2e1fe888769f34f05ac343bbef98b14d1ffb292ab69d4608b3abc86f2a2"
+dependencies = [
+ "blowfish",
+ "pbkdf2",
+ "sha2",
+]
+
+[[package]]
+name = "bitflags"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
+dependencies = [
+ "serde_core",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "block-padding"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "blowfish"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7"
+dependencies = [
+ "byteorder",
+ "cipher",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "bytes"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
+
+[[package]]
+name = "cbc"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6"
+dependencies = [
+ "cipher",
+]
+
+[[package]]
+name = "cc"
+version = "1.2.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423"
+dependencies = [
+ "find-msvc-tools",
+ "jobserver",
+ "libc",
+ "shlex",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "cfg_aliases"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
+
+[[package]]
+name = "chacha20"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
+dependencies = [
+ "cfg-if",
+ "cipher",
+ "cpufeatures",
+]
+
+[[package]]
+name = "chrono"
+version = "0.4.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
+dependencies = [
+ "iana-time-zone",
+ "js-sys",
+ "num-traits",
+ "serde",
+ "wasm-bindgen",
+ "windows-link",
+]
+
+[[package]]
+name = "chumsky"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eebd66744a15ded14960ab4ccdbfb51ad3b81f51f3f04a80adac98c985396c9"
+dependencies = [
+ "hashbrown 0.14.5",
+ "stacker",
+]
+
+[[package]]
+name = "cipher"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+dependencies = [
+ "crypto-common",
+ "inout",
+]
+
+[[package]]
+name = "clap"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1110bd8a634a1ab8cb04345d8d878267d57c3cf1b38d91b71af6686408bbca6a"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
+
+[[package]]
+name = "cmake"
+version = "0.1.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "colorchoice"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
+
+[[package]]
+name = "concurrent-queue"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "const-random"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87e00182fe74b066627d63b85fd550ac2998d4b0bd86bfed477a0ae4c7c71359"
+dependencies = [
+ "const-random-macro",
+]
+
+[[package]]
+name = "const-random-macro"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9d839f2a20b0aee515dc581a6172f2321f96cab76c1a38a4c584a194955390e"
+dependencies = [
+ "getrandom 0.2.17",
+ "once_cell",
+ "tiny-keccak",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc32fast"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
+
+[[package]]
+name = "crunchy"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
+
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "generic-array",
+ "rand_core 0.6.4",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
+dependencies = [
+ "generic-array",
+ "rand_core 0.6.4",
+ "typenum",
+]
+
+[[package]]
+name = "ctr"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835"
+dependencies = [
+ "cipher",
+]
+
+[[package]]
+name = "curve25519-dalek"
+version = "4.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "curve25519-dalek-derive",
+ "digest",
+ "fiat-crypto",
+ "rustc_version",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "curve25519-dalek-derive"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "darling"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "data-encoding"
+version = "2.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea"
+
+[[package]]
+name = "delegate"
+version = "0.13.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "780eb241654bf097afb00fc5f054a09b687dad862e485fdcf8399bb056565370"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "der"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
+dependencies = [
+ "const-oid",
+ "pem-rfc7468",
+ "zeroize",
+]
+
+[[package]]
+name = "der-parser"
+version = "10.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
+[[package]]
+name = "deranged"
+version = "0.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
+dependencies = [
+ "powerfmt",
+]
+
+[[package]]
+name = "des"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e"
+dependencies = [
+ "cipher",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "const-oid",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "dirs"
+version = "5.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c"
+dependencies = [
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
+
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
+]
+
+[[package]]
+name = "ed25519"
+version = "2.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
+dependencies = [
+ "pkcs8",
+ "signature",
+]
+
+[[package]]
+name = "ed25519-dalek"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
+dependencies = [
+ "curve25519-dalek",
+ "ed25519",
+ "rand_core 0.6.4",
+ "serde",
+ "sha2",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "educe"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d7bc049e1bd8cdeb31b68bbd586a9464ecf9f3944af3958a7a9d0f8b9799417"
+dependencies = [
+ "enum-ordinalize",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "either"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+
+[[package]]
+name = "elliptic-curve"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest",
+ "ff",
+ "generic-array",
+ "group",
+ "hkdf",
+ "pem-rfc7468",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "email-encoding"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9298e6504d9b9e780ed3f7dfd43a61be8cd0e09eb07f7706a945b0072b6670b6"
+dependencies = [
+ "base64",
+ "memchr",
+]
+
+[[package]]
+name = "email_address"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e079f19b08ca6239f47f8ba8509c11cf3ea30095831f7fed61441475edd8c449"
+
+[[package]]
+name = "encoding_rs"
+version = "0.8.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "enum-ordinalize"
+version = "4.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a1091a7bb1f8f2c4b28f1fe2cef4980ca2d410a3d727d67ecc3178c9b0800f0"
+dependencies = [
+ "enum-ordinalize-derive",
+]
+
+[[package]]
+name = "enum-ordinalize-derive"
+version = "4.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "errno"
+version = "0.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+dependencies = [
+ "libc",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "event-listener"
+version = "5.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab"
+dependencies = [
+ "concurrent-queue",
+ "parking",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "event-listener-strategy"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
+dependencies = [
+ "event-listener",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+
+[[package]]
+name = "ff"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
+dependencies = [
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "fiat-crypto"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
+[[package]]
+name = "filetime"
+version = "0.2.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f98844151eee8917efc50bd9e8318cb963ae8b297431495d3f758616ea5c57db"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "libredox",
+]
+
+[[package]]
+name = "find-msvc-tools"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
+
+[[package]]
+name = "flate2"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "flurry"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf5efcf77a4da27927d3ab0509dec5b0954bb3bc59da5a1de9e52642ebd4cdf9"
+dependencies = [
+ "ahash",
+ "num_cpus",
+ "parking_lot",
+ "seize",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
+[[package]]
+name = "futures"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
+
+[[package]]
+name = "futures-executor"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-io"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
+
+[[package]]
+name = "futures-task"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
+
+[[package]]
+name = "futures-util"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+ "zeroize",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "wasi",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "r-efi 5.3.0",
+ "wasip2",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi 6.0.0",
+ "wasip2",
+ "wasip3",
+]
+
+[[package]]
+name = "ghash"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
+dependencies = [
+ "opaque-debug",
+ "polyval",
+]
+
+[[package]]
+name = "gloo-timers"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "h2"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "http",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+dependencies = [
+ "ahash",
+ "allocator-api2",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "allocator-api2",
+ "equivalent",
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+
+[[package]]
+name = "headers"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b3314d5adb5d94bcdf56771f2e50dbbc80bb4bdf88967526706205ac9eff24eb"
+dependencies = [
+ "base64",
+ "bytes",
+ "headers-core",
+ "http",
+ "httpdate",
+ "mime",
+ "sha1",
+]
+
+[[package]]
+name = "headers-core"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "54b4a22553d4242c49fddb9ba998a99962b5cc6f22cb5a3482bec22522403ce4"
+dependencies = [
+ "http",
+]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hermit-abi"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
+
+[[package]]
+name = "hex-literal"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46"
+
+[[package]]
+name = "hkdf"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
+dependencies = [
+ "hmac",
+]
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "home"
+version = "0.5.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cc627f471c528ff0c4a49e1d5e60450c8f6461dd6d10ba9dcd3a61d3dff7728d"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "hostname"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "617aaa3557aef3810a6369d0a99fac8a080891b68bd9f9812a1eeda0c0730cbd"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "windows-link",
+]
+
+[[package]]
+name = "http"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+dependencies = [
+ "bytes",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+dependencies = [
+ "bytes",
+ "http",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
+
+[[package]]
+name = "httpdate"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
+
+[[package]]
+name = "hyper"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "h2",
+ "http",
+ "http-body",
+ "httparse",
+ "itoa",
+ "pin-project-lite",
+ "pin-utils",
+ "smallvec",
+ "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-http-proxy"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7ad4b0a1e37510028bc4ba81d0e38d239c39671b0f0ce9e02dfa93a8133f7c08"
+dependencies = [
+ "bytes",
+ "futures-util",
+ "headers",
+ "http",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
+ "pin-project-lite",
+ "rustls-native-certs 0.7.3",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+dependencies = [
+ "http",
+ "hyper",
+ "hyper-util",
+ "log",
+ "rustls",
+ "rustls-native-certs 0.8.3",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+ "webpki-roots",
+]
+
+[[package]]
+name = "hyper-timeout"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0"
+dependencies = [
+ "hyper",
+ "hyper-util",
+ "pin-project-lite",
+ "tokio",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-tls"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
+dependencies = [
+ "bytes",
+ "http-body-util",
+ "hyper",
+ "hyper-util",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
+dependencies = [
+ "base64",
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "http",
+ "http-body",
+ "hyper",
+ "ipnet",
+ "libc",
+ "percent-encoding",
+ "pin-project-lite",
+ "socket2",
+ "system-configuration",
+ "tokio",
+ "tower-service",
+ "tracing",
+ "windows-registry",
+]
+
+[[package]]
+name = "iana-time-zone"
+version = "0.1.65"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "log",
+ "wasm-bindgen",
+ "windows-core 0.62.2",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.1",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "inout"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
+dependencies = [
+ "block-padding",
+ "generic-array",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
+
+[[package]]
+name = "iri-string"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
+[[package]]
+name = "itoa"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "jobserver"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
+dependencies = [
+ "getrandom 0.3.4",
+ "libc",
+]
+
+[[package]]
+name = "js-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "json-patch"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f300e415e2134745ef75f04562dd0145405c2f7fd92065db029ac4b16b57fe90"
+dependencies = [
+ "jsonptr",
+ "serde",
+ "serde_json",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "jsonpath-rust"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c00ae348f9f8fd2d09f82a98ca381c60df9e0820d8d79fce43e649b4dc3128b"
+dependencies = [
+ "pest",
+ "pest_derive",
+ "regex",
+ "serde_json",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "jsonptr"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5a3cc660ba5d72bce0b3bb295bf20847ccbb40fd423f3f05b61273672e561fe"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "k8s-openapi"
+version = "0.24.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c75b990324f09bef15e791606b7b7a296d02fc88a344f6eba9390970a870ad5"
+dependencies = [
+ "base64",
+ "chrono",
+ "serde",
+ "serde-value",
+ "serde_json",
+]
+
+[[package]]
+name = "kube"
+version = "0.99.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a4eb20010536b48abe97fec37d23d43069bcbe9686adcf9932202327bc5ca6e"
+dependencies = [
+ "k8s-openapi",
+ "kube-client",
+ "kube-core",
+ "kube-derive",
+ "kube-runtime",
+]
+
+[[package]]
+name = "kube-client"
+version = "0.99.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fc2ed952042df20d15ac2fe9614d0ec14b6118eab89633985d4b36e688dccf1"
+dependencies = [
+ "base64",
+ "bytes",
+ "chrono",
+ "either",
+ "futures",
+ "home",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-http-proxy",
+ "hyper-rustls",
+ "hyper-timeout",
+ "hyper-util",
+ "jsonpath-rust",
+ "k8s-openapi",
+ "kube-core",
+ "pem",
+ "rustls",
+ "secrecy",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-tungstenite",
+ "tokio-util",
+ "tower",
+ "tower-http",
+ "tracing",
+]
+
+[[package]]
+name = "kube-core"
+version = "0.99.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff0d0793db58e70ca6d689489183816cb3aa481673e7433dc618cf7e8007c675"
+dependencies = [
+ "chrono",
+ "form_urlencoded",
+ "http",
+ "json-patch",
+ "k8s-openapi",
+ "schemars",
+ "serde",
+ "serde-value",
+ "serde_json",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "kube-derive"
+version = "0.99.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c562f58dc9f7ca5feac8a6ee5850ca221edd6f04ce0dd2ee873202a88cd494c9"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "syn",
+]
+
+[[package]]
+name = "kube-runtime"
+version = "0.99.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88f34cfab9b4bd8633062e0e85edb81df23cb09f159f2e31c60b069ae826ffdc"
+dependencies = [
+ "ahash",
+ "async-broadcast",
+ "async-stream",
+ "async-trait",
+ "backon",
+ "educe",
+ "futures",
+ "hashbrown 0.15.5",
+ "hostname",
+ "json-patch",
+ "k8s-openapi",
+ "kube-client",
+ "parking_lot",
+ "pin-project",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+dependencies = [
+ "spin",
+]
+
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
+[[package]]
+name = "lettre"
+version = "0.11.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e13e10e8818f8b2a60f52cb127041d388b89f3a96a62be9ceaffa22262fef7f"
+dependencies = [
+ "async-trait",
+ "base64",
+ "chumsky",
+ "email-encoding",
+ "email_address",
+ "fastrand",
+ "futures-io",
+ "futures-util",
+ "hostname",
+ "httpdate",
+ "idna",
+ "mime",
+ "nom 8.0.0",
+ "percent-encoding",
+ "quoted_printable",
+ "rustls",
+ "socket2",
+ "tokio",
+ "tokio-rustls",
+ "url",
+ "webpki-roots",
+]
+
+[[package]]
+name = "libc"
+version = "0.2.183"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
+
+[[package]]
+name = "libm"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
+
+[[package]]
+name = "libredox"
+version = "0.1.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a"
+dependencies = [
+ "bitflags",
+ "libc",
+ "plain",
+ "redox_syscall 0.7.3",
+]
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
+[[package]]
+name = "matchers"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
+dependencies = [
+ "regex-automata",
+]
+
+[[package]]
+name = "md5"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771"
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+ "simd-adler32",
+]
+
+[[package]]
+name = "mio"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
+dependencies = [
+ "libc",
+ "wasi",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "native-tls"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
+dependencies = [
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe 0.2.1",
+ "openssl-sys",
+ "schannel",
+ "security-framework 3.7.0",
+ "security-framework-sys",
+ "tempfile",
+]
+
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "nom"
+version = "8.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df9761775871bdef83bee530e60050f7e54b1105350d6884eb0fb4f46c2f9405"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "nu-ansi-term"
+version = "0.50.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+ "rand 0.8.5",
+]
+
+[[package]]
+name = "num-bigint-dig"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7"
+dependencies = [
+ "lazy_static",
+ "libm",
+ "num-integer",
+ "num-iter",
+ "num-traits",
+ "rand 0.8.5",
+ "smallvec",
+ "zeroize",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-iter"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+ "libm",
+]
+
+[[package]]
+name = "num_cpus"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91df4bbde75afed763b708b7eee1e8e7651e02d97f6d5dd763e89367e957b23b"
+dependencies = [
+ "hermit-abi",
+ "libc",
+]
+
+[[package]]
+name = "object"
+version = "0.37.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "oid-registry"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
+dependencies = [
+ "asn1-rs",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "opaque-debug"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+
+[[package]]
+name = "openssl"
+version = "0.10.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "951c002c75e16ea2c65b8c7e4d3d51d5530d8dfa7d060b4776828c88cfb18ecf"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "openssl-probe"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
+
+[[package]]
+name = "openssl-probe"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.112"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
+[[package]]
+name = "ordered-float"
+version = "2.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "p256"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "p384"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "p521"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fc9e2161f1f215afdfce23677034ae137bbd45016a880c2eb3ba8eb95f085b2"
+dependencies = [
+ "base16ct",
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "rand_core 0.6.4",
+ "sha2",
+]
+
+[[package]]
+name = "pageant"
+version = "0.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "032d6201d2fb765158455ae0d5a510c016bb6da7232e5040e39e9c8db12b0afc"
+dependencies = [
+ "bytes",
+ "delegate",
+ "futures",
+ "rand 0.8.5",
+ "thiserror 1.0.69",
+ "tokio",
+ "windows",
+]
+
+[[package]]
+name = "parking"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall 0.5.18",
+ "smallvec",
+ "windows-link",
+]
+
+[[package]]
+name = "pbkdf2"
+version = "0.12.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2"
+dependencies = [
+ "digest",
+ "hmac",
+]
+
+[[package]]
+name = "pem"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
+dependencies = [
+ "base64",
+ "serde_core",
+]
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
+
+[[package]]
+name = "pest"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0848c601009d37dfa3430c4666e147e49cdcf1b92ecd3e63657d8a5f19da662"
+dependencies = [
+ "memchr",
+ "ucd-trie",
+]
+
+[[package]]
+name = "pest_derive"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11f486f1ea21e6c10ed15d5a7c77165d0ee443402f0780849d1768e7d9d6fe77"
+dependencies = [
+ "pest",
+ "pest_generator",
+]
+
+[[package]]
+name = "pest_generator"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8040c4647b13b210a963c1ed407c1ff4fdfa01c31d6d2a098218702e6664f94f"
+dependencies = [
+ "pest",
+ "pest_meta",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pest_meta"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89815c69d36021a140146f26659a81d6c2afa33d216d736dd4be5381a7362220"
+dependencies = [
+ "pest",
+ "sha2",
+]
+
+[[package]]
+name = "pin-project"
+version = "1.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkcs1"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+dependencies = [
+ "der",
+ "pkcs8",
+ "spki",
+]
+
+[[package]]
+name = "pkcs5"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6"
+dependencies = [
+ "aes",
+ "cbc",
+ "der",
+ "pbkdf2",
+ "scrypt",
+ "sha2",
+ "spki",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "pkcs5",
+ "rand_core 0.6.4",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
+[[package]]
+name = "plain"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
+
+[[package]]
+name = "poly1305"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
+dependencies = [
+ "cpufeatures",
+ "opaque-debug",
+ "universal-hash",
+]
+
+[[package]]
+name = "polyval"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "opaque-debug",
+ "universal-hash",
+]
+
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "psm"
+version = "0.1.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3852766467df634d74f0b2d7819bf8dc483a0eb2e3b0f50f756f9cfe8b0d18d8"
+dependencies = [
+ "ar_archive_writer",
+ "cc",
+]
+
+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+dependencies = [
+ "bytes",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand 0.9.2",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror 2.0.18",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.60.2",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "quoted_printable"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "640c9bd8497b02465aeef5375144c26062e0dcd5939dfcbb0f5db76cb8c17c73"
+
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha 0.3.1",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.5",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.5",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom 0.2.17",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
+[[package]]
+name = "rcgen"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e"
+dependencies = [
+ "pem",
+ "ring",
+ "rustls-pki-types",
+ "time",
+ "x509-parser",
+ "yasna",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce70a74e890531977d37e532c34d45e9055d2409ed08ddba14529471ed0be16"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "redox_users"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
+dependencies = [
+ "getrandom 0.2.17",
+ "libredox",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
+
+[[package]]
+name = "reqwest"
+version = "0.12.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+dependencies = [
+ "base64",
+ "bytes",
+ "encoding_rs",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-tls",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "mime",
+ "native-tls",
+ "percent-encoding",
+ "pin-project-lite",
+ "quinn",
+ "rustls",
+ "rustls-pki-types",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tokio-native-tls",
+ "tokio-rustls",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "webpki-roots",
+]
+
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.17",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rsa"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d"
+dependencies = [
+ "const-oid",
+ "digest",
+ "num-bigint-dig",
+ "num-integer",
+ "num-traits",
+ "pkcs1",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sha2",
+ "signature",
+ "spki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "russh"
+version = "0.46.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c536b90d8e2468d8dedc8de2369383c101325e23fffa3a30de713032862a11d4"
+dependencies = [
+ "aes",
+ "aes-gcm",
+ "async-trait",
+ "bitflags",
+ "byteorder",
+ "cbc",
+ "chacha20",
+ "ctr",
+ "curve25519-dalek",
+ "des",
+ "digest",
+ "elliptic-curve",
+ "flate2",
+ "futures",
+ "generic-array",
+ "hex-literal",
+ "hmac",
+ "log",
+ "num-bigint",
+ "once_cell",
+ "p256",
+ "p384",
+ "p521",
+ "poly1305",
+ "rand 0.8.5",
+ "rand_core 0.6.4",
+ "russh-cryptovec",
+ "russh-keys",
+ "russh-sftp",
+ "russh-util",
+ "sha1",
+ "sha2",
+ "ssh-encoding",
+ "ssh-key",
+ "subtle",
+ "thiserror 1.0.69",
+ "tokio",
+]
+
+[[package]]
+name = "russh-cryptovec"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fadd2c0ab350e21c66556f94ee06f766d8bdae3213857ba7610bfd8e10e51880"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "russh-keys"
+version = "0.46.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e3db166c8678c824627c2c46f619ed5ce4ae33f38a35403c62f6ab8f3985867"
+dependencies = [
+ "aes",
+ "async-trait",
+ "bcrypt-pbkdf",
+ "block-padding",
+ "byteorder",
+ "cbc",
+ "ctr",
+ "data-encoding",
+ "der",
+ "digest",
+ "ecdsa",
+ "ed25519-dalek",
+ "elliptic-curve",
+ "futures",
+ "getrandom 0.2.17",
+ "hmac",
+ "home",
+ "inout",
+ "log",
+ "md5",
+ "num-integer",
+ "p256",
+ "p384",
+ "p521",
+ "pageant",
+ "pbkdf2",
+ "pkcs1",
+ "pkcs5",
+ "pkcs8",
+ "rand 0.8.5",
+ "rand_core 0.6.4",
+ "rsa",
+ "russh-cryptovec",
+ "russh-util",
+ "sec1",
+ "serde",
+ "sha1",
+ "sha2",
+ "spki",
+ "ssh-encoding",
+ "ssh-key",
+ "thiserror 1.0.69",
+ "tokio",
+ "tokio-stream",
+ "typenum",
+ "zeroize",
+]
+
+[[package]]
+name = "russh-sftp"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3bb94393cafad0530145b8f626d8687f1ee1dedb93d7ba7740d6ae81868b13b5"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "chrono",
+ "flurry",
+ "log",
+ "serde",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-util",
+]
+
+[[package]]
+name = "russh-util"
+version = "0.46.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63aeb9d2b74f8f38befdc0c5172d5ffcf58f3d2ffcb423f3b6cdfe2c2d747b80"
+dependencies = [
+ "chrono",
+ "tokio",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+]
+
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom 7.1.3",
+]
+
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
+dependencies = [
+ "aws-lc-rs",
+ "log",
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
+dependencies = [
+ "openssl-probe 0.1.6",
+ "rustls-pemfile",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework 2.11.1",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
+dependencies = [
+ "openssl-probe 0.2.1",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework 3.7.0",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+dependencies = [
+ "web-time",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+dependencies = [
+ "aws-lc-rs",
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "ryu"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
+
+[[package]]
+name = "salsa20"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213"
+dependencies = [
+ "cipher",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "schemars"
+version = "0.8.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3fbf2ae1b8bc8e02df939598064d22402220cd5bbcca1c76f7d6a310974d5615"
+dependencies = [
+ "dyn-clone",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "0.8.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32e265784ad618884abaea0600a9adf15393368d840e0222d101a072f3f7534d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "scrypt"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f"
+dependencies = [
+ "pbkdf2",
+ "salsa20",
+ "sha2",
+]
+
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "secrecy"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a"
+dependencies = [
+ "zeroize",
+]
+
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags",
+ "core-foundation 0.9.4",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework"
+version = "3.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
+dependencies = [
+ "bitflags",
+ "core-foundation 0.10.1",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "seize"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "689224d06523904ebcc9b482c6a3f4f7fb396096645c4cd10c0d2ff7371a34d3"
+
+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde-value"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+dependencies = [
+ "ordered-float",
+ "serde",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
+dependencies = [
+ "errno",
+ "libc",
+]
+
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "simd-adler32"
+version = "0.3.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2"
+
+[[package]]
+name = "slab"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "socket2"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
+dependencies = [
+ "libc",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "spin"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "ssh-cipher"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "caac132742f0d33c3af65bfcde7f6aa8f62f0e991d80db99149eb9d44708784f"
+dependencies = [
+ "aes",
+ "aes-gcm",
+ "cbc",
+ "chacha20",
+ "cipher",
+ "ctr",
+ "poly1305",
+ "ssh-encoding",
+ "subtle",
+]
+
+[[package]]
+name = "ssh-encoding"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb9242b9ef4108a78e8cd1a2c98e193ef372437f8c22be363075233321dd4a15"
+dependencies = [
+ "base64ct",
+ "pem-rfc7468",
+ "sha2",
+]
+
+[[package]]
+name = "ssh-key"
+version = "0.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b86f5297f0f04d08cabaa0f6bff7cb6aec4d9c3b49d87990d63da9d9156a8c3"
+dependencies = [
+ "bcrypt-pbkdf",
+ "ed25519-dalek",
+ "num-bigint-dig",
+ "p256",
+ "p384",
+ "p521",
+ "rand_core 0.6.4",
+ "rsa",
+ "sec1",
+ "sha2",
+ "signature",
+ "ssh-cipher",
+ "ssh-encoding",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
+[[package]]
+name = "stacker"
+version = "0.1.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08d74a23609d509411d10e2176dc2a4346e3b4aea2e7b1869f19fdedbc71c013"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "libc",
+ "psm",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "sunbeam"
+version = "0.1.0"
+dependencies = [
+ "chrono",
+ "clap",
+ "rustls",
+ "sunbeam-sdk",
+ "tokio",
+ "tracing",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "sunbeam-sdk"
+version = "0.1.0"
+dependencies = [
+ "base64",
+ "chrono",
+ "clap",
+ "dirs",
+ "flate2",
+ "futures",
+ "hmac",
+ "k8s-openapi",
+ "kube",
+ "lettre",
+ "pkcs1",
+ "pkcs8",
+ "rand 0.8.5",
+ "rcgen",
+ "reqwest",
+ "rsa",
+ "russh",
+ "russh-keys",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "sha2",
+ "tar",
+ "tempfile",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-stream",
+ "tracing",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.117"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "sync_wrapper"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "system-configuration"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b"
+dependencies = [
+ "bitflags",
+ "core-foundation 0.9.4",
+ "system-configuration-sys",
+]
+
+[[package]]
+name = "system-configuration-sys"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "tar"
+version = "0.4.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
+dependencies = [
+ "filetime",
+ "libc",
+ "xattr",
+]
+
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom 0.4.2",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "time"
+version = "0.3.47"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde_core",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
+
+[[package]]
+name = "time-macros"
+version = "0.2.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tiny-keccak"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
+dependencies = [
+ "crunchy",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
+[[package]]
+name = "tokio"
+version = "1.50.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+dependencies = [
+ "bytes",
+ "libc",
+ "mio",
+ "parking_lot",
+ "pin-project-lite",
+ "signal-hook-registry",
+ "socket2",
+ "tokio-macros",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "tokio-macros"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tokio-native-tls"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
+dependencies = [
+ "native-tls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.26.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
+dependencies = [
+ "rustls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-stream"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70"
+dependencies = [
+ "futures-core",
+ "pin-project-lite",
+ "tokio",
+ "tokio-util",
+]
+
+[[package]]
+name = "tokio-tungstenite"
+version = "0.26.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a9daff607c6d2bf6c16fd681ccb7eecc83e4e2cdc1ca067ffaadfca5de7f084"
+dependencies = [
+ "futures-util",
+ "log",
+ "tokio",
+ "tungstenite",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "slab",
+ "tokio",
+]
+
+[[package]]
+name = "tower"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
+dependencies = [
+ "futures-core",
+ "futures-util",
+ "pin-project-lite",
+ "sync_wrapper",
+ "tokio",
+ "tokio-util",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "tower-http"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+dependencies = [
+ "base64",
+ "bitflags",
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
+ "iri-string",
+ "mime",
+ "pin-project-lite",
+ "tower",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "tower-layer"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
+
+[[package]]
+name = "tower-service"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
+
+[[package]]
+name = "tracing"
+version = "0.1.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
+dependencies = [
+ "log",
+ "pin-project-lite",
+ "tracing-attributes",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-attributes"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
+dependencies = [
+ "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-log"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319"
+dependencies = [
+ "matchers",
+ "nu-ansi-term",
+ "once_cell",
+ "regex-automata",
+ "sharded-slab",
+ "smallvec",
+ "thread_local",
+ "tracing",
+ "tracing-core",
+ "tracing-log",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
+
+[[package]]
+name = "tungstenite"
+version = "0.26.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4793cb5e56680ecbb1d843515b23b6de9a75eb04b66643e256a396d43be33c13"
+dependencies = [
+ "bytes",
+ "data-encoding",
+ "http",
+ "httparse",
+ "log",
+ "rand 0.9.2",
+ "sha1",
+ "thiserror 2.0.18",
+ "utf-8",
+]
+
+[[package]]
+name = "typenum"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
+
+[[package]]
+name = "ucd-trie"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "universal-hash"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
+dependencies = [
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "url"
+version = "2.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "utf-8"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "valuable"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "want"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
+dependencies = [
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.1+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
+
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.64"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
+dependencies = [
+ "cfg-if",
+ "futures-util",
+ "js-sys",
+ "once_cell",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
+dependencies = [
+ "bumpalo",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "wasm-encoder"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasm-metadata"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasmparser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22cfaf3c063993ff62e73cb4311efde4db1efb31ab78a3e5c457939ad5cc0bed"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows"
+version = "0.58.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd04d41d93c4992d421894c18c8b43496aa748dd4c081bac0dc93eb0489272b6"
+dependencies = [
+ "windows-core 0.58.0",
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-core"
+version = "0.58.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ba6d44ec8c2591c134257ce647b7ea6b20335bf6379a27dac5f1641fcf59f99"
+dependencies = [
+ "windows-implement 0.58.0",
+ "windows-interface 0.58.0",
+ "windows-result 0.2.0",
+ "windows-strings 0.1.0",
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-core"
+version = "0.62.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
+dependencies = [
+ "windows-implement 0.60.2",
+ "windows-interface 0.59.3",
+ "windows-link",
+ "windows-result 0.4.1",
+ "windows-strings 0.5.1",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.58.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bbd5b46c938e506ecbce286b6628a02171d56153ba733b6c741fc627ec9579b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.58.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "053c4c462dc91d3b1504c6fe5a726dd15e216ba718e84a0e46a88fbe5ded3515"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.59.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-registry"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
+dependencies = [
+ "windows-link",
+ "windows-result 0.4.1",
+ "windows-strings 0.5.1",
+]
+
+[[package]]
+name = "windows-result"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-result"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10"
+dependencies = [
+ "windows-result 0.2.0",
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+dependencies = [
+ "windows-targets 0.48.5",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
+dependencies = [
+ "windows-targets 0.53.5",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.5",
+ "windows_aarch64_msvc 0.48.5",
+ "windows_i686_gnu 0.48.5",
+ "windows_i686_msvc 0.48.5",
+ "windows_x86_64_gnu 0.48.5",
+ "windows_x86_64_gnullvm 0.48.5",
+ "windows_x86_64_msvc 0.48.5",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_msvc 0.52.6",
+ "windows_i686_gnu 0.52.6",
+ "windows_i686_gnullvm 0.52.6",
+ "windows_i686_msvc 0.52.6",
+ "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_msvc 0.52.6",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.53.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
+dependencies = [
+ "windows-link",
+ "windows_aarch64_gnullvm 0.53.1",
+ "windows_aarch64_msvc 0.53.1",
+ "windows_i686_gnu 0.53.1",
+ "windows_i686_gnullvm 0.53.1",
+ "windows_i686_msvc 0.53.1",
+ "windows_x86_64_gnu 0.53.1",
+ "windows_x86_64_gnullvm 0.53.1",
+ "windows_x86_64_msvc 0.53.1",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
+
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
+
+[[package]]
+name = "wit-bindgen-core"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
+
+[[package]]
+name = "writeable"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+
+[[package]]
+name = "x509-parser"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom 7.1.3",
+ "oid-registry",
+ "ring",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+ "time",
+]
+
+[[package]]
+name = "xattr"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32e45ad4206f6d2479085147f02bc2ef834ac85886624a23575ae137c8aa8156"
+dependencies = [
+ "libc",
+ "rustix",
+]
+
+[[package]]
+name = "yasna"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+dependencies = [
+ "time",
+]
+
+[[package]]
+name = "yoke"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+dependencies = [
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.8.47"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.47"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
+
+[[package]]
+name = "zerotrie"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..a94707f
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,3 @@
+[workspace]
+members = ["sunbeam-sdk", "sunbeam"]
+resolver = "3"
diff --git a/build.rs b/build.rs
new file mode 100644
index 0000000..ab4d628
--- /dev/null
+++ b/build.rs
@@ -0,0 +1,132 @@
+use flate2::read::GzDecoder;
+use std::env;
+use std::fs;
+use std::io::Read;
+use std::path::PathBuf;
+use std::process::Command;
+use tar::Archive;
+
+const KUSTOMIZE_VERSION: &str = "v5.8.1";
+const HELM_VERSION: &str = "v4.1.0";
+
+fn main() {
+    let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
+    let target = env::var("TARGET").unwrap_or_default();
+    let (os, arch) = parse_target(&target);
+
+    download_and_embed("kustomize", KUSTOMIZE_VERSION, &os, &arch, &out_dir);
+    download_and_embed("helm", HELM_VERSION, &os, &arch, &out_dir);
+
+    // Set version info from git
+    let commit = git_commit_sha();
+    println!("cargo:rustc-env=SUNBEAM_COMMIT={commit}");
+
+    // Build target triple and build date
+    println!("cargo:rustc-env=SUNBEAM_TARGET={target}");
+    let date = chrono::Utc::now().format("%Y-%m-%d").to_string();
+    println!("cargo:rustc-env=SUNBEAM_BUILD_DATE={date}");
+
+    // Rebuild if git HEAD changes
+    println!("cargo:rerun-if-changed=.git/HEAD");
+}
+
+fn parse_target(target: &str) -> (String, String) {
+    let os = if target.contains("darwin") {
+        "darwin"
+    } else if target.contains("linux") {
+        "linux"
+    } else if cfg!(target_os = "macos") {
+        "darwin"
+    } else {
+        "linux"
+    };
+
+    let arch = if target.contains("aarch64") || target.contains("arm64") {
+        "arm64"
+    } else if target.contains("x86_64") || target.contains("amd64") {
+        "amd64"
+    } else if cfg!(target_arch = "aarch64") {
+        "arm64"
+    } else {
+        "amd64"
+    };
+
+    (os.to_string(), arch.to_string())
+}
+
+fn download_and_embed(tool: &str, version: &str, os: &str, arch: &str, out_dir: &PathBuf) {
+    let dest = out_dir.join(tool);
+    if dest.exists() {
+        return;
+    }
+
+    let url = match tool {
+        "kustomize" => format!(
+            "https://github.com/kubernetes-sigs/kustomize/releases/download/\
+             kustomize%2F{version}/kustomize_{version}_{os}_{arch}.tar.gz"
+        ),
+        "helm" => format!(
+            "https://get.helm.sh/helm-{version}-{os}-{arch}.tar.gz"
+        ),
+        _ => panic!("Unknown tool: {tool}"),
+    };
+
+    let extract_path = match tool {
+        "kustomize" => "kustomize".to_string(),
+        "helm" => format!("{os}-{arch}/helm"),
+        _ => unreachable!(),
+    };
+
+    eprintln!("cargo:warning=Downloading {tool} {version} for {os}/{arch}...");
+
+    let response = reqwest::blocking::get(&url)
+        .unwrap_or_else(|e| panic!("Failed to download {tool}: {e}"));
+    let bytes = response
+        .bytes()
+        .unwrap_or_else(|e| panic!("Failed to read {tool} response: {e}"));
+
+    let decoder = GzDecoder::new(&bytes[..]);
+    let mut archive = Archive::new(decoder);
+
+    for entry in archive.entries().expect("Failed to read tar entries") {
+        let mut entry = entry.expect("Failed to read tar entry");
+        let path = entry
+            .path()
+            .expect("Failed to read entry path")
+            .to_path_buf();
+        if path.to_string_lossy() == extract_path {
+            let mut data = Vec::new();
+            entry
+                .read_to_end(&mut data)
+                .expect("Failed to read binary");
+            fs::write(&dest, &data).expect("Failed to write binary");
+
+            #[cfg(unix)]
+            {
+                use std::os::unix::fs::PermissionsExt;
+                fs::set_permissions(&dest, fs::Permissions::from_mode(0o755))
+                    .expect("Failed to set permissions");
+            }
+
+            eprintln!("cargo:warning=Embedded {tool} ({} bytes)", data.len());
+            return;
+        }
+    }
+
+    panic!("Could not find {extract_path} in {tool} archive");
+}
+
+fn git_commit_sha() -> String {
+    Command::new("git")
+        .args(["rev-parse", "--short=8", "HEAD"])
+        .output()
+        .ok()
+        .and_then(|o| {
+            if o.status.success() {
+                Some(String::from_utf8_lossy(&o.stdout).trim().to_string())
+            } else {
+                None
+            }
+        })
+        .unwrap_or_else(|| "unknown".to_string())
+}
diff --git a/src/auth.rs b/src/auth.rs
new file mode 100644
index 0000000..3b334e6
--- /dev/null
+++ b/src/auth.rs
@@ -0,0 +1,952 @@
+//! OAuth2 Authorization Code flow with PKCE for CLI authentication against Hydra.
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use base64::Engine;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use std::path::PathBuf;
+
+// ---------------------------------------------------------------------------
+// Token cache data
+// ---------------------------------------------------------------------------
+
+/// Cached OAuth2 tokens persisted to disk.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthTokens {
+    pub access_token: String,
+    pub refresh_token: String,
+    pub expires_at: DateTime<Utc>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub id_token: Option<String>,
+    pub domain: String,
+    /// Gitea personal access token (created during auth login).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub gitea_token: Option<String>,
+}
+
+/// Default client ID when the K8s secret is unavailable.
+const DEFAULT_CLIENT_ID: &str = "sunbeam-cli";
+
+// ---------------------------------------------------------------------------
+// Cache file helpers
+// ---------------------------------------------------------------------------
+
+/// Cache path for auth tokens — per-domain so multiple environments work.
+fn cache_path_for_domain(domain: &str) -> PathBuf {
+    let dir = dirs::data_dir()
+        .unwrap_or_else(|| {
+            dirs::home_dir()
+                .unwrap_or_else(|| PathBuf::from("."))
+                .join(".local/share")
+        })
+        .join("sunbeam")
+        .join("auth");
+    if domain.is_empty() {
+        dir.join("default.json")
+    } else {
+        // Sanitize domain for filename
+        let safe = domain.replace(['/', '\\', ':'], "_");
+        dir.join(format!("{safe}.json"))
+    }
+}
+
+fn cache_path() -> PathBuf {
+    let domain = crate::config::domain();
+    cache_path_for_domain(domain)
+}
+
+fn read_cache() -> Result<AuthTokens> {
+    let path = cache_path();
+    let content = std::fs::read_to_string(&path).map_err(|e| {
+        SunbeamError::Identity(format!("No cached auth tokens ({}): {e}", path.display()))
+    })?;
+    let tokens: AuthTokens = serde_json::from_str(&content)
+        .ctx("Failed to parse cached auth tokens")?;
+    Ok(tokens)
+}
+
+fn write_cache(tokens: &AuthTokens) -> Result<()> {
+    let path = cache_path();
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent)
+            .with_ctx(|| format!("Failed to create auth cache dir: {}", parent.display()))?;
+    }
+    let content = serde_json::to_string_pretty(tokens)?;
+    std::fs::write(&path, &content)
+        .with_ctx(|| format!("Failed to write auth cache to {}", path.display()))?;
+
+    // Set 0600 permissions on unix
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        let perms = std::fs::Permissions::from_mode(0o600);
+        std::fs::set_permissions(&path, perms)
+            .with_ctx(|| format!("Failed to set permissions on {}", path.display()))?;
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// PKCE
+// ---------------------------------------------------------------------------
+
+/// Generate a PKCE code_verifier and code_challenge (S256).
+fn generate_pkce() -> (String, String) {
+    let verifier_bytes: [u8; 32] = rand::random();
+    let verifier = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(verifier_bytes);
+    let challenge = {
+        let hash = Sha256::digest(verifier.as_bytes());
+        base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(hash)
+    };
+    (verifier, challenge)
+}
+
+/// Generate a random state parameter for OAuth2.
+fn generate_state() -> String {
+    let bytes: [u8; 16] = rand::random();
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+}
+
+// ---------------------------------------------------------------------------
+// OIDC discovery
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+struct OidcDiscovery {
+    authorization_endpoint: String,
+    token_endpoint: String,
+}
+
+/// Resolve the domain for authentication, trying multiple sources.
+async fn resolve_domain(explicit: Option<&str>) -> Result<String> {
+    // 1. Explicit --domain flag
+    if let Some(d) = explicit {
+        if !d.is_empty() {
+            return Ok(d.to_string());
+        }
+    }
+
+    // 2. Active context domain (set by cli::dispatch from config)
+    let ctx_domain = crate::config::domain();
+    if !ctx_domain.is_empty() {
+        return Ok(ctx_domain.to_string());
+    }
+
+    // 3. Cached token domain (already logged in)
+    if let Ok(tokens) = read_cache() {
+        if !tokens.domain.is_empty() {
+            crate::output::ok(&format!("Using cached domain: {}", tokens.domain));
+            return Ok(tokens.domain);
+        }
+    }
+
+    // 4. Try cluster discovery (may fail if not connected)
+    match crate::kube::get_domain().await {
+        Ok(d) if !d.is_empty() && !d.starts_with('.') => return Ok(d),
+        _ => {}
+    }
+
+    Err(SunbeamError::config(
+        "Could not determine domain. Use --domain flag, or configure with:\n  \
+         sunbeam config set --host user@your-server.example.com",
+    ))
+}
+
+async fn discover_oidc(domain: &str) -> Result<OidcDiscovery> {
+    let url = format!("https://auth.{domain}/.well-known/openid-configuration");
+    let client = reqwest::Client::new();
+    let resp = client
+        .get(&url)
+        .send()
+        .await
+        .with_ctx(|| format!("Failed to fetch OIDC discovery from {url}"))?;
+
+    if !resp.status().is_success() {
+        return Err(SunbeamError::network(format!(
+            "OIDC discovery returned HTTP {}",
+            resp.status()
+        )));
+    }
+
+    let discovery: OidcDiscovery = resp
+        .json()
+        .await
+        .ctx("Failed to parse OIDC discovery response")?;
+    Ok(discovery)
+}
+
+// ---------------------------------------------------------------------------
+// Token exchange / refresh
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+struct TokenResponse {
+    access_token: String,
+    #[serde(default)]
+    refresh_token: Option<String>,
+    #[serde(default)]
+    expires_in: Option<i64>,
+    #[serde(default)]
+    id_token: Option<String>,
+}
+
+async fn exchange_code(
+    token_endpoint: &str,
+    code: &str,
+    redirect_uri: &str,
+    client_id: &str,
+    code_verifier: &str,
+) -> Result<TokenResponse> {
+    let client = reqwest::Client::new();
+    let resp = client
+        .post(token_endpoint)
+        .form(&[
+            ("grant_type", "authorization_code"),
+            ("code", code),
+            ("redirect_uri", redirect_uri),
+            ("client_id", client_id),
+            ("code_verifier", code_verifier),
+        ])
+        .send()
+        .await
+        .ctx("Failed to exchange authorization code")?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(SunbeamError::identity(format!(
+            "Token exchange failed (HTTP {status}): {body}"
+        )));
+    }
+
+    let token_resp: TokenResponse = resp.json().await.ctx("Failed to parse token response")?;
+    Ok(token_resp)
+}
+
+/// Refresh an access token using a refresh token.
+async fn refresh_token(cached: &AuthTokens) -> Result<AuthTokens> {
+    let discovery = discover_oidc(&cached.domain).await?;
+
+    // Try to get client_id from K8s, fall back to default
+    let client_id = resolve_client_id().await;
+
+    let client = reqwest::Client::new();
+    let resp = client
+        .post(&discovery.token_endpoint)
+        .form(&[
+            ("grant_type", "refresh_token"),
+            ("refresh_token", &cached.refresh_token),
+            ("client_id", &client_id),
+        ])
+        .send()
+        .await
+        .ctx("Failed to refresh token")?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(SunbeamError::identity(format!(
+            "Token refresh failed (HTTP {status}): {body}"
+        )));
+    }
+
+    let token_resp: TokenResponse = resp
+        .json()
+        .await
+        .ctx("Failed to parse refresh token response")?;
+
+    let expires_at = Utc::now()
+        + chrono::Duration::seconds(token_resp.expires_in.unwrap_or(3600));
+
+    let new_tokens = AuthTokens {
+        access_token: token_resp.access_token,
+        refresh_token: token_resp
+            .refresh_token
+            .unwrap_or_else(|| cached.refresh_token.clone()),
+        expires_at,
+        id_token: token_resp.id_token.or_else(|| cached.id_token.clone()),
+        domain: cached.domain.clone(),
+        gitea_token: cached.gitea_token.clone(),
+    };
+
+    write_cache(&new_tokens)?;
+    Ok(new_tokens)
+}
+
+// ---------------------------------------------------------------------------
+// Client ID resolution
+// ---------------------------------------------------------------------------
+
+/// Try to read the client_id from K8s secret `oidc-sunbeam-cli` in `ory` namespace.
+/// Falls back to the default client ID.
+async fn resolve_client_id() -> String {
+    // The OAuth2Client is pre-created with a known client_id matching
+    // DEFAULT_CLIENT_ID ("sunbeam-cli") via a pre-seeded K8s secret.
+    // No cluster access needed.
+    DEFAULT_CLIENT_ID.to_string()
+}
+
+// ---------------------------------------------------------------------------
+// JWT payload decoding (minimal, no verification)
+// ---------------------------------------------------------------------------
+
+/// Decode the payload of a JWT (middle segment) without verification.
+/// Returns the parsed JSON value.
+fn decode_jwt_payload(token: &str) -> Result<serde_json::Value> {
+    let parts: Vec<&str> = token.splitn(3, '.').collect();
+    if parts.len() < 2 {
+        return Err(SunbeamError::identity("Invalid JWT: not enough segments"));
+    }
+    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD
+        .decode(parts[1])
+        .ctx("Failed to base64-decode JWT payload")?;
+    let payload: serde_json::Value =
+        serde_json::from_slice(&payload_bytes).ctx("Failed to parse JWT payload as JSON")?;
+    Ok(payload)
+}
+
+/// Extract the email claim from an id_token.
+fn extract_email(id_token: &str) -> Option<String> {
+    let payload = decode_jwt_payload(id_token).ok()?;
+    payload
+        .get("email")
+        .and_then(|v| v.as_str())
+        .map(|s| s.to_string())
+}
+
+// ---------------------------------------------------------------------------
+// HTTP callback server
+// ---------------------------------------------------------------------------
+
+/// Parsed callback parameters from the OAuth2 redirect.
+struct CallbackParams {
+    code: String,
+    #[allow(dead_code)]
+    state: String,
+}
+
+/// Bind a TCP listener for the OAuth2 callback, preferring ports 9876-9880.
+async fn bind_callback_listener() -> Result<(tokio::net::TcpListener, u16)> {
+    for port in 9876..=9880 {
+        if let Ok(listener) = tokio::net::TcpListener::bind(("127.0.0.1", port)).await {
+            return Ok((listener, port));
+        }
+    }
+    // Fall back to ephemeral port
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0")
+        .await
+        .ctx("Failed to bind callback listener")?;
+    let port = listener.local_addr().ctx("No local address")?.port();
+    Ok((listener, port))
+}
+
+/// Wait for a single HTTP callback request, extract code and state, send HTML response.
+async fn wait_for_callback(
+    listener: tokio::net::TcpListener,
+    expected_state: &str,
+    redirect_url: Option<&str>,
+) -> Result<CallbackParams> {
+    use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+    // Wait up to 5 minutes for the callback, or until Ctrl+C
+    let accept_result = tokio::time::timeout(
+        std::time::Duration::from_secs(300),
+        listener.accept(),
+    )
+    .await
+    .map_err(|_| SunbeamError::identity("Login timed out (5 min). Try again with `sunbeam auth login`."))?;
+
+    let (mut stream, _) = accept_result.ctx("Failed to accept callback connection")?;
+
+    let mut buf = vec![0u8; 4096];
+    let n = stream
+        .read(&mut buf)
+        .await
+        .ctx("Failed to read callback request")?;
+    let request = String::from_utf8_lossy(&buf[..n]);
+
+    // Parse the GET request line: "GET /callback?code=...&state=... HTTP/1.1"
+    let request_line = request
+        .lines()
+        .next()
+        .ctx("Empty callback request")?;
+
+    let path = request_line
+        .split_whitespace()
+        .nth(1)
+        .ctx("No path in callback request")?;
+
+    // Parse query params
+    let query = path
+        .split('?')
+        .nth(1)
+        .ctx("No query params in callback")?;
+
+    let mut code = None;
+    let mut state = None;
+
+    for param in query.split('&') {
+        let mut kv = param.splitn(2, '=');
+        match (kv.next(), kv.next()) {
+            (Some("code"), Some(v)) => code = Some(v.to_string()),
+            (Some("state"), Some(v)) => state = Some(v.to_string()),
+            _ => {}
+        }
+    }
+
+    let code = code.ok_or_else(|| SunbeamError::identity("No 'code' in callback"))?;
+    let state = state.ok_or_else(|| SunbeamError::identity("No 'state' in callback"))?;
+
+    if state != expected_state {
+        return Err(SunbeamError::identity(
+            "OAuth2 state mismatch -- possible CSRF attack",
+        ));
+    }
+
+    // Send success response — redirect to next step if provided, otherwise show done page
+    let response = if let Some(next_url) = redirect_url {
+        let html = format!(
+            "<!DOCTYPE html><html><head>\
+             <meta http-equiv='refresh' content='1;url={next_url}'>\
+             <style>\
+             body{{font-family:system-ui,sans-serif;display:flex;justify-content:center;\
+             align-items:center;min-height:100vh;margin:0;background:#1a1f2e;color:#e8e6e3}}\
+             .card{{text-align:center;padding:3rem;border:1px solid #334;border-radius:1rem}}\
+             h2{{margin:0 0 1rem}}p{{color:#9ca3af}}a{{color:#d97706}}\
+             </style></head><body><div class='card'>\
+             <h2>SSO login successful</h2>\
+             <p>Redirecting to Gitea token setup...</p>\
+             <p><a href='{next_url}'>Click here if not redirected</a></p>\
+             </div></body></html>"
+        );
+        format!(
+            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+            html.len(),
+            html
+        )
+    } else {
+        let html = "\
+             <!DOCTYPE html><html><head><style>\
+             body{font-family:system-ui,sans-serif;display:flex;justify-content:center;\
+             align-items:center;min-height:100vh;margin:0;background:#1a1f2e;color:#e8e6e3}\
+             .card{text-align:center;padding:3rem;border:1px solid #334;border-radius:1rem}\
+             h2{margin:0 0 1rem}p{color:#9ca3af}\
+             </style></head><body><div class='card'>\
+             <h2>Authentication successful</h2>\
+             <p>You can close this tab and return to the terminal.</p>\
+             </div></body></html>";
+        format!(
+            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+            html.len(),
+            html
+        )
+    };
+    let _ = stream.write_all(response.as_bytes()).await;
+    let _ = stream.shutdown().await;
+
+    Ok(CallbackParams { code, state })
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/// Get a valid access token, refreshing if needed.
+///
+/// Returns the access token string ready for use in Authorization headers.
+/// If no cached token exists or refresh fails, returns an error prompting
+/// the user to run `sunbeam auth login`.
+pub async fn get_token() -> Result<String> {
+    let cached = match read_cache() {
+        Ok(tokens) => tokens,
+        Err(_) => {
+            return Err(SunbeamError::identity(
+                "Not logged in. Run `sunbeam auth login` to authenticate.",
+            ));
+        }
+    };
+
+    // Check if access token is still valid (>60s remaining)
+    let now = Utc::now();
+    if cached.expires_at > now + chrono::Duration::seconds(60) {
+        return Ok(cached.access_token);
+    }
+
+    // Try to refresh
+    if !cached.refresh_token.is_empty() {
+        match refresh_token(&cached).await {
+            Ok(new_tokens) => return Ok(new_tokens.access_token),
+            Err(e) => {
+                crate::output::warn(&format!("Token refresh failed: {e}"));
+            }
+        }
+    }
+
+    Err(SunbeamError::identity(
+        "Session expired. Run `sunbeam auth login` to re-authenticate.",
+    ))
+}
+
+/// Interactive browser-based OAuth2 login.
+/// SSO login — Hydra OIDC authorization code flow with PKCE.
+/// `gitea_redirect`: if Some, the browser callback page auto-redirects to Gitea token page.
+pub async fn cmd_auth_sso_login_with_redirect(
+    domain_override: Option<&str>,
+    gitea_redirect: Option<&str>,
+) -> Result<()> {
+    crate::output::step("Authenticating with Hydra");
+
+    // Resolve domain: explicit flag > cached token domain > config > cluster discovery
+    let domain = resolve_domain(domain_override).await?;
+
+    crate::output::ok(&format!("Domain: {domain}"));
+
+    // OIDC discovery
+    let discovery = discover_oidc(&domain).await?;
+
+    // Resolve client_id
+    let client_id = resolve_client_id().await;
+
+    // Generate PKCE
+    let (code_verifier, code_challenge) = generate_pkce();
+
+    // Generate state
+    let state = generate_state();
+
+    // Bind callback listener
+    let (listener, port) = bind_callback_listener().await?;
+    let redirect_uri = format!("http://localhost:{port}/callback");
+
+    // Build authorization URL
+    let auth_url = format!(
+        "{}?client_id={}&redirect_uri={}&response_type=code&scope={}&code_challenge={}&code_challenge_method=S256&state={}",
+        discovery.authorization_endpoint,
+        urlencoding(&client_id),
+        urlencoding(&redirect_uri),
+        "openid%20email%20profile%20offline_access",
+        code_challenge,
+        state,
+    );
+
+    crate::output::ok("Opening browser for login...");
+    println!("\n    {auth_url}\n");
+
+    // Try to open the browser
+    let _open_result = open_browser(&auth_url);
+
+    // Wait for callback
+    crate::output::ok("Waiting for authentication callback...");
+    let callback = wait_for_callback(listener, &state, gitea_redirect).await?;
+
+    // Exchange code for tokens
+    crate::output::ok("Exchanging authorization code for tokens...");
+    let token_resp = exchange_code(
+        &discovery.token_endpoint,
+        &callback.code,
+        &redirect_uri,
+        &client_id,
+        &code_verifier,
+    )
+    .await?;
+
+    let expires_at = Utc::now()
+        + chrono::Duration::seconds(token_resp.expires_in.unwrap_or(3600));
+
+    let tokens = AuthTokens {
+        access_token: token_resp.access_token,
+        refresh_token: token_resp.refresh_token.unwrap_or_default(),
+        expires_at,
+        id_token: token_resp.id_token.clone(),
+        domain: domain.clone(),
+        gitea_token: None,
+    };
+
+    // Print success with email if available
+    let email = tokens
+        .id_token
+        .as_ref()
+        .and_then(|t| extract_email(t));
+    if let Some(ref email) = email {
+        crate::output::ok(&format!("Logged in as {email}"));
+    } else {
+        crate::output::ok("Logged in successfully");
+    }
+
+    write_cache(&tokens)?;
+    Ok(())
+}
+
+/// SSO login — standalone (no redirect after callback).
+pub async fn cmd_auth_sso_login(domain_override: Option<&str>) -> Result<()> {
+    cmd_auth_sso_login_with_redirect(domain_override, None).await
+}
+
+/// Gitea token login — opens the PAT creation page and prompts for the token.
+pub async fn cmd_auth_git_login(domain_override: Option<&str>) -> Result<()> {
+    crate::output::step("Setting up Gitea API access");
+
+    let domain = resolve_domain(domain_override).await?;
+    let url = format!("https://src.{domain}/user/settings/applications");
+
+    crate::output::ok("Opening Gitea token page in your browser...");
+    crate::output::ok("Create a token with all scopes selected, then paste it below.");
+    println!("\n    {url}\n");
+
+    let _ = open_browser(&url);
+
+    // Prompt for the token
+    eprint!("    Gitea token: ");
+    let mut token = String::new();
+    std::io::stdin()
+        .read_line(&mut token)
+        .ctx("Failed to read token from stdin")?;
+    let token = token.trim().to_string();
+
+    if token.is_empty() {
+        return Err(SunbeamError::identity("No token provided."));
+    }
+
+    // Verify the token works
+    let client = reqwest::Client::new();
+    let resp = client
+        .get(format!("https://src.{domain}/api/v1/user"))
+        .header("Authorization", format!("token {token}"))
+        .send()
+        .await
+        .ctx("Failed to verify Gitea token")?;
+
+    if !resp.status().is_success() {
+        return Err(SunbeamError::identity(format!(
+            "Gitea token is invalid (HTTP {}). Check the token and try again.",
+            resp.status()
+        )));
+    }
+
+    let user: serde_json::Value = resp.json().await?;
+    let login = user
+        .get("login")
+        .and_then(|v| v.as_str())
+        .unwrap_or("unknown");
+
+    // Save to cache
+    let mut tokens = read_cache().unwrap_or_else(|_| AuthTokens {
+        access_token: String::new(),
+        refresh_token: String::new(),
+        expires_at: Utc::now(),
+        id_token: None,
+        domain: domain.clone(),
+        gitea_token: None,
+    });
+    tokens.gitea_token = Some(token);
+    if tokens.domain.is_empty() {
+        tokens.domain = domain;
+    }
+    write_cache(&tokens)?;
+
+    crate::output::ok(&format!("Gitea authenticated as {login}"));
+    Ok(())
+}
+
+/// Combined login — SSO first, then Gitea.
+pub async fn cmd_auth_login_all(domain_override: Option<&str>) -> Result<()> {
+    // Resolve domain early so we can build the Gitea redirect URL
+    let domain = resolve_domain(domain_override).await?;
+    let gitea_url = format!("https://src.{domain}/user/settings/applications");
+    cmd_auth_sso_login_with_redirect(Some(&domain), Some(&gitea_url)).await?;
+    cmd_auth_git_login(Some(&domain)).await?;
+    Ok(())
+}
+
+/// Get the Gitea API token (for use by pm.rs).
+pub fn get_gitea_token() -> Result<String> {
+    let tokens = read_cache().map_err(|_| {
+        SunbeamError::identity("Not logged in. Run `sunbeam auth login` first.")
+    })?;
+    tokens.gitea_token.ok_or_else(|| {
+        SunbeamError::identity(
+            "No Gitea token. Run `sunbeam auth login` or `sunbeam auth set-gitea-token <token>`.",
+        )
+    })
+}
+
+/// Remove cached auth tokens.
+pub async fn cmd_auth_logout() -> Result<()> {
+    let path = cache_path();
+    if path.exists() {
+        std::fs::remove_file(&path)
+            .with_ctx(|| format!("Failed to remove {}", path.display()))?;
+        crate::output::ok("Logged out (cached tokens removed)");
+    } else {
+        crate::output::ok("Not logged in (no cached tokens to remove)");
+    }
+    Ok(())
+}
+
+/// Print current auth status.
+pub async fn cmd_auth_status() -> Result<()> {
+    match read_cache() {
+        Ok(tokens) => {
+            let now = Utc::now();
+            let expired = tokens.expires_at <= now;
+
+            // Try to get email from id_token
+            let identity = tokens
+                .id_token
+                .as_deref()
+                .and_then(extract_email)
+                .unwrap_or_else(|| "unknown".to_string());
+
+            if expired {
+                crate::output::ok(&format!(
+                    "Logged in as {identity} (token expired at {})",
+                    tokens.expires_at.format("%Y-%m-%d %H:%M:%S UTC")
+                ));
+                if !tokens.refresh_token.is_empty() {
+                    crate::output::ok("Token can be refreshed automatically on next use");
+                }
+            } else {
+                crate::output::ok(&format!(
+                    "Logged in as {identity} (token valid until {})",
+                    tokens.expires_at.format("%Y-%m-%d %H:%M:%S UTC")
+                ));
+            }
+            crate::output::ok(&format!("Domain: {}", tokens.domain));
+        }
+        Err(_) => {
+            crate::output::ok("Not logged in. Run `sunbeam auth login` to authenticate.");
+        }
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Utility helpers
+// ---------------------------------------------------------------------------
+
+/// Minimal percent-encoding for URL query parameters.
+fn urlencoding(s: &str) -> String {
+    let mut out = String::with_capacity(s.len());
+    for b in s.bytes() {
+        match b {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
+                out.push(b as char);
+            }
+            _ => {
+                out.push_str(&format!("%{:02X}", b));
+            }
+        }
+    }
+    out
+}
+
+/// Try to open a URL in the default browser.
+fn open_browser(url: &str) -> std::result::Result<(), std::io::Error> {
+    #[cfg(target_os = "macos")]
+    {
+        std::process::Command::new("open").arg(url).spawn()?;
+    }
+    #[cfg(target_os = "linux")]
+    {
+        std::process::Command::new("xdg-open").arg(url).spawn()?;
+    }
+    #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+    {
+        let _ = url;
+        // No-op on unsupported platforms; URL is printed to the terminal.
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use chrono::Duration;
+
+    #[test]
+    fn test_pkce_generation() {
+        let (verifier, challenge) = generate_pkce();
+
+        // Verifier should be base64url-encoded 32 bytes -> 43 chars
+        assert_eq!(verifier.len(), 43);
+
+        // Challenge should be base64url-encoded SHA256 -> 43 chars
+        assert_eq!(challenge.len(), 43);
+
+        // Verify the challenge matches the verifier
+        let expected_hash = Sha256::digest(verifier.as_bytes());
+        let expected_challenge =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(expected_hash);
+        assert_eq!(challenge, expected_challenge);
+
+        // Two calls should produce different values
+        let (v2, c2) = generate_pkce();
+        assert_ne!(verifier, v2);
+        assert_ne!(challenge, c2);
+    }
+
+    #[test]
+    fn test_token_cache_roundtrip() {
+        let tokens = AuthTokens {
+            access_token: "access_abc".to_string(),
+            refresh_token: "refresh_xyz".to_string(),
+            expires_at: Utc::now() + Duration::hours(1),
+            id_token: Some("eyJhbGciOiJSUzI1NiJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.sig".to_string()),
+            domain: "sunbeam.pt".to_string(),
+            gitea_token: None,
+        };
+
+        let json = serde_json::to_string_pretty(&tokens).unwrap();
+        let deserialized: AuthTokens = serde_json::from_str(&json).unwrap();
+
+        assert_eq!(deserialized.access_token, "access_abc");
+        assert_eq!(deserialized.refresh_token, "refresh_xyz");
+        assert_eq!(deserialized.domain, "sunbeam.pt");
+        assert!(deserialized.id_token.is_some());
+
+        // Verify expires_at survives roundtrip (within 1 second tolerance)
+        let diff = (deserialized.expires_at - tokens.expires_at)
+            .num_milliseconds()
+            .abs();
+        assert!(diff < 1000, "expires_at drift: {diff}ms");
+    }
+
+    #[test]
+    fn test_token_cache_roundtrip_no_id_token() {
+        let tokens = AuthTokens {
+            access_token: "access".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() + Duration::hours(1),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let json = serde_json::to_string(&tokens).unwrap();
+        // id_token should be absent from the JSON when None
+        assert!(!json.contains("id_token"));
+
+        let deserialized: AuthTokens = serde_json::from_str(&json).unwrap();
+        assert!(deserialized.id_token.is_none());
+    }
+
+    #[test]
+    fn test_token_expiry_check_valid() {
+        let tokens = AuthTokens {
+            access_token: "valid".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() + Duration::hours(1),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let now = Utc::now();
+        // Token is valid: more than 60 seconds until expiry
+        assert!(tokens.expires_at > now + Duration::seconds(60));
+    }
+
+    #[test]
+    fn test_token_expiry_check_expired() {
+        let tokens = AuthTokens {
+            access_token: "expired".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() - Duration::hours(1),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let now = Utc::now();
+        // Token is expired
+        assert!(tokens.expires_at <= now + Duration::seconds(60));
+    }
+
+    #[test]
+    fn test_token_expiry_check_almost_expired() {
+        let tokens = AuthTokens {
+            access_token: "almost".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() + Duration::seconds(30),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let now = Utc::now();
+        // Token expires in 30s, which is within the 60s threshold
+        assert!(tokens.expires_at <= now + Duration::seconds(60));
+    }
+
+    #[test]
+    fn test_jwt_payload_decode() {
+        // Build a fake JWT: header.payload.signature
+        let payload_json = r#"{"email":"user@example.com","sub":"12345"}"#;
+        let encoded_payload =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(payload_json.as_bytes());
+        let fake_jwt = format!("eyJhbGciOiJSUzI1NiJ9.{encoded_payload}.fakesig");
+
+        let payload = decode_jwt_payload(&fake_jwt).unwrap();
+        assert_eq!(payload["email"], "user@example.com");
+        assert_eq!(payload["sub"], "12345");
+    }
+
+    #[test]
+    fn test_extract_email() {
+        let payload_json = r#"{"email":"alice@sunbeam.pt","name":"Alice"}"#;
+        let encoded_payload =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(payload_json.as_bytes());
+        let fake_jwt = format!("eyJhbGciOiJSUzI1NiJ9.{encoded_payload}.fakesig");
+
+        assert_eq!(extract_email(&fake_jwt), Some("alice@sunbeam.pt".to_string()));
+    }
+
+    #[test]
+    fn test_extract_email_missing() {
+        let payload_json = r#"{"sub":"12345","name":"Bob"}"#;
+        let encoded_payload =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(payload_json.as_bytes());
+        let fake_jwt = format!("eyJhbGciOiJSUzI1NiJ9.{encoded_payload}.fakesig");
+
+        assert_eq!(extract_email(&fake_jwt), None);
+    }
+
+    #[test]
+    fn test_urlencoding() {
+        assert_eq!(urlencoding("hello"), "hello");
+        assert_eq!(urlencoding("hello world"), "hello%20world");
+        assert_eq!(
+            urlencoding("http://localhost:9876/callback"),
+            "http%3A%2F%2Flocalhost%3A9876%2Fcallback"
+        );
+    }
+
+    #[test]
+    fn test_generate_state() {
+        let s1 = generate_state();
+        let s2 = generate_state();
+        assert_ne!(s1, s2);
+        // 16 bytes base64url -> 22 chars
+        assert_eq!(s1.len(), 22);
+    }
+
+    #[test]
+    fn test_cache_path_is_under_sunbeam() {
+        let path = cache_path_for_domain("sunbeam.pt");
+        let path_str = path.to_string_lossy();
+        assert!(path_str.contains("sunbeam"));
+        assert!(path_str.contains("auth"));
+        assert!(path_str.ends_with("sunbeam.pt.json"));
+    }
+
+    #[test]
+    fn test_cache_path_default_domain() {
+        let path = cache_path_for_domain("");
+        assert!(path.to_string_lossy().ends_with("default.json"));
+    }
+}
diff --git a/src/checks.rs b/src/checks.rs
new file mode 100644
index 0000000..057f73d
--- /dev/null
+++ b/src/checks.rs
@@ -0,0 +1,1214 @@
+//! Service-level health checks — functional probes beyond pod readiness.
+
+use crate::error::Result;
+use base64::Engine;
+use hmac::{Hmac, Mac};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ListParams};
+use kube::ResourceExt;
+use sha2::{Digest, Sha256};
+use std::time::Duration;
+
+use crate::kube::{get_client, kube_exec, parse_target};
+use crate::output::{ok, step, warn};
+
+type HmacSha256 = Hmac<Sha256>;
+
+// ---------------------------------------------------------------------------
+// CheckResult
+// ---------------------------------------------------------------------------
+
+/// Result of a single health check.
+#[derive(Debug, Clone)]
+pub struct CheckResult {
+    pub name: String,
+    pub ns: String,
+    pub svc: String,
+    pub passed: bool,
+    pub detail: String,
+}
+
+impl CheckResult {
+    fn ok(name: &str, ns: &str, svc: &str, detail: &str) -> Self {
+        Self {
+            name: name.into(),
+            ns: ns.into(),
+            svc: svc.into(),
+            passed: true,
+            detail: detail.into(),
+        }
+    }
+
+    fn fail(name: &str, ns: &str, svc: &str, detail: &str) -> Self {
+        Self {
+            name: name.into(),
+            ns: ns.into(),
+            svc: svc.into(),
+            passed: false,
+            detail: detail.into(),
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// HTTP client builder
+// ---------------------------------------------------------------------------
+
+/// Build a reqwest client that trusts the mkcert local CA if available,
+/// does not follow redirects, and has a 5s timeout.
+fn build_http_client() -> Result<reqwest::Client> {
+    let mut builder = reqwest::Client::builder()
+        .redirect(reqwest::redirect::Policy::none())
+        .timeout(Duration::from_secs(5));
+
+    // Try mkcert root CA
+    if let Ok(output) = std::process::Command::new("mkcert")
+        .arg("-CAROOT")
+        .output()
+    {
+        if output.status.success() {
+            let ca_root = String::from_utf8_lossy(&output.stdout).trim().to_string();
+            let ca_file = std::path::Path::new(&ca_root).join("rootCA.pem");
+            if ca_file.exists() {
+                if let Ok(pem_bytes) = std::fs::read(&ca_file) {
+                    if let Ok(cert) = reqwest::Certificate::from_pem(&pem_bytes) {
+                        builder = builder.add_root_certificate(cert);
+                    }
+                }
+            }
+        }
+    }
+
+    Ok(builder.build()?)
+}
+
+/// Helper: GET a URL, return (status_code, body_bytes). Does not follow redirects.
+async fn http_get(
+    client: &reqwest::Client,
+    url: &str,
+    headers: Option<&[(&str, &str)]>,
+) -> std::result::Result<(u16, Vec<u8>), String> {
+    let mut req = client.get(url);
+    if let Some(hdrs) = headers {
+        for (k, v) in hdrs {
+            req = req.header(*k, *v);
+        }
+    }
+    match req.send().await {
+        Ok(resp) => {
+            let status = resp.status().as_u16();
+            let body = resp.bytes().await.unwrap_or_default().to_vec();
+            Ok((status, body))
+        }
+        Err(e) => Err(format!("{e}")),
+    }
+}
+
+/// Read a K8s secret field, returning empty string on failure.
+async fn kube_secret(ns: &str, name: &str, key: &str) -> String {
+    crate::kube::kube_get_secret_field(ns, name, key)
+        .await
+        .unwrap_or_default()
+}
+
+// ---------------------------------------------------------------------------
+// Individual checks
+// ---------------------------------------------------------------------------
+
+/// GET /api/v1/version -> JSON with version field.
+async fn check_gitea_version(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://src.{domain}/api/v1/version");
+    match http_get(client, &url, None).await {
+        Ok((200, body)) => {
+            let ver = serde_json::from_slice::<serde_json::Value>(&body)
+                .ok()
+                .and_then(|v| v.get("version").and_then(|v| v.as_str()).map(String::from))
+                .unwrap_or_else(|| "?".into());
+            CheckResult::ok("gitea-version", "devtools", "gitea", &format!("v{ver}"))
+        }
+        Ok((status, _)) => {
+            CheckResult::fail("gitea-version", "devtools", "gitea", &format!("HTTP {status}"))
+        }
+        Err(e) => CheckResult::fail("gitea-version", "devtools", "gitea", &e),
+    }
+}
+
+/// GET /api/v1/user with admin credentials -> 200 and login field.
+async fn check_gitea_auth(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let username = {
+        let u = kube_secret("devtools", "gitea-admin-credentials", "username").await;
+        if u.is_empty() {
+            "gitea_admin".to_string()
+        } else {
+            u
+        }
+    };
+    let password =
+        kube_secret("devtools", "gitea-admin-credentials", "password").await;
+    if password.is_empty() {
+        return CheckResult::fail(
+            "gitea-auth",
+            "devtools",
+            "gitea",
+            "password not found in secret",
+        );
+    }
+
+    let creds =
+        base64::engine::general_purpose::STANDARD.encode(format!("{username}:{password}"));
+    let auth_hdr = format!("Basic {creds}");
+    let url = format!("https://src.{domain}/api/v1/user");
+
+    match http_get(client, &url, Some(&[("Authorization", &auth_hdr)])).await {
+        Ok((200, body)) => {
+            let login = serde_json::from_slice::<serde_json::Value>(&body)
+                .ok()
+                .and_then(|v| v.get("login").and_then(|v| v.as_str()).map(String::from))
+                .unwrap_or_else(|| "?".into());
+            CheckResult::ok("gitea-auth", "devtools", "gitea", &format!("user={login}"))
+        }
+        Ok((status, _)) => {
+            CheckResult::fail("gitea-auth", "devtools", "gitea", &format!("HTTP {status}"))
+        }
+        Err(e) => CheckResult::fail("gitea-auth", "devtools", "gitea", &e),
+    }
+}
+
+/// CNPG Cluster readyInstances == instances.
+async fn check_postgres(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    let kube_client = match get_client().await {
+        Ok(c) => c,
+        Err(e) => {
+            return CheckResult::fail("postgres", "data", "postgres", &format!("{e}"));
+        }
+    };
+
+    let ar = kube::api::ApiResource {
+        group: "postgresql.cnpg.io".into(),
+        version: "v1".into(),
+        api_version: "postgresql.cnpg.io/v1".into(),
+        kind: "Cluster".into(),
+        plural: "clusters".into(),
+    };
+
+    let api: Api<kube::api::DynamicObject> =
+        Api::namespaced_with(kube_client.clone(), "data", &ar);
+
+    match api.get_opt("postgres").await {
+        Ok(Some(obj)) => {
+            let ready = obj
+                .data
+                .get("status")
+                .and_then(|s| s.get("readyInstances"))
+                .and_then(|v| v.as_i64())
+                .map(|v| v.to_string())
+                .unwrap_or_default();
+            let total = obj
+                .data
+                .get("status")
+                .and_then(|s| s.get("instances"))
+                .and_then(|v| v.as_i64())
+                .map(|v| v.to_string())
+                .unwrap_or_default();
+
+            if !ready.is_empty() && !total.is_empty() && ready == total {
+                CheckResult::ok(
+                    "postgres",
+                    "data",
+                    "postgres",
+                    &format!("{ready}/{total} ready"),
+                )
+            } else {
+                let r = if ready.is_empty() { "?" } else { &ready };
+                let t = if total.is_empty() { "?" } else { &total };
+                CheckResult::fail("postgres", "data", "postgres", &format!("{r}/{t} ready"))
+            }
+        }
+        Ok(None) => CheckResult::fail("postgres", "data", "postgres", "cluster not found"),
+        Err(e) => CheckResult::fail("postgres", "data", "postgres", &format!("{e}")),
+    }
+}
+
+/// kubectl exec valkey pod -- valkey-cli ping -> PONG.
+async fn check_valkey(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    let kube_client = match get_client().await {
+        Ok(c) => c,
+        Err(e) => return CheckResult::fail("valkey", "data", "valkey", &format!("{e}")),
+    };
+
+    let api: Api<Pod> = Api::namespaced(kube_client.clone(), "data");
+    let lp = ListParams::default().labels("app=valkey");
+    let pod_list = match api.list(&lp).await {
+        Ok(l) => l,
+        Err(e) => return CheckResult::fail("valkey", "data", "valkey", &format!("{e}")),
+    };
+
+    let pod_name = match pod_list.items.first() {
+        Some(p) => p.name_any(),
+        None => return CheckResult::fail("valkey", "data", "valkey", "no valkey pod"),
+    };
+
+    match kube_exec("data", &pod_name, &["valkey-cli", "ping"], Some("valkey")).await {
+        Ok((_, out)) => {
+            let passed = out == "PONG";
+            let detail = if out.is_empty() {
+                "no response".to_string()
+            } else {
+                out
+            };
+            CheckResult {
+                name: "valkey".into(),
+                ns: "data".into(),
+                svc: "valkey".into(),
+                passed,
+                detail,
+            }
+        }
+        Err(e) => CheckResult::fail("valkey", "data", "valkey", &format!("{e}")),
+    }
+}
+
+/// kubectl exec openbao-0 -- bao status -format=json -> initialized + unsealed.
+async fn check_openbao(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    match kube_exec(
+        "data",
+        "openbao-0",
+        &["bao", "status", "-format=json"],
+        Some("openbao"),
+    )
+    .await
+    {
+        Ok((_, out)) => {
+            if out.is_empty() {
+                return CheckResult::fail("openbao", "data", "openbao", "no response");
+            }
+            match serde_json::from_str::<serde_json::Value>(&out) {
+                Ok(data) => {
+                    let init = data
+                        .get("initialized")
+                        .and_then(|v| v.as_bool())
+                        .unwrap_or(false);
+                    let sealed = data
+                        .get("sealed")
+                        .and_then(|v| v.as_bool())
+                        .unwrap_or(true);
+                    let passed = init && !sealed;
+                    CheckResult {
+                        name: "openbao".into(),
+                        ns: "data".into(),
+                        svc: "openbao".into(),
+                        passed,
+                        detail: format!("init={init}, sealed={sealed}"),
+                    }
+                }
+                Err(_) => {
+                    let truncated: String = out.chars().take(80).collect();
+                    CheckResult::fail("openbao", "data", "openbao", &truncated)
+                }
+            }
+        }
+        Err(e) => CheckResult::fail("openbao", "data", "openbao", &format!("{e}")),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// S3 auth (AWS4-HMAC-SHA256)
+// ---------------------------------------------------------------------------
+
+/// Generate AWS4-HMAC-SHA256 Authorization and x-amz-date headers for an unsigned
+/// GET / request, matching the Python `_s3_auth_headers` function exactly.
+fn s3_auth_headers(access_key: &str, secret_key: &str, host: &str) -> (String, String) {
+    s3_auth_headers_at(access_key, secret_key, host, chrono::Utc::now())
+}
+
+/// Deterministic inner implementation that accepts an explicit timestamp.
+fn s3_auth_headers_at(
+    access_key: &str,
+    secret_key: &str,
+    host: &str,
+    now: chrono::DateTime<chrono::Utc>,
+) -> (String, String) {
+    let amzdate = now.format("%Y%m%dT%H%M%SZ").to_string();
+    let datestamp = now.format("%Y%m%d").to_string();
+
+    let payload_hash = hex_encode(&Sha256::digest(b""));
+    let canonical = format!(
+        "GET\n/\n\nhost:{host}\nx-amz-date:{amzdate}\n\nhost;x-amz-date\n{payload_hash}"
+    );
+    let credential_scope = format!("{datestamp}/us-east-1/s3/aws4_request");
+    let canonical_hash = hex_encode(&Sha256::digest(canonical.as_bytes()));
+    let string_to_sign =
+        format!("AWS4-HMAC-SHA256\n{amzdate}\n{credential_scope}\n{canonical_hash}");
+
+    fn hmac_sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
+        let mut mac = HmacSha256::new_from_slice(key).expect("HMAC accepts any key length");
+        mac.update(msg);
+        mac.finalize().into_bytes().to_vec()
+    }
+
+    let k = hmac_sign(
+        format!("AWS4{secret_key}").as_bytes(),
+        datestamp.as_bytes(),
+    );
+    let k = hmac_sign(&k, b"us-east-1");
+    let k = hmac_sign(&k, b"s3");
+    let k = hmac_sign(&k, b"aws4_request");
+
+    let sig = {
+        let mut mac = HmacSha256::new_from_slice(&k).expect("HMAC accepts any key length");
+        mac.update(string_to_sign.as_bytes());
+        hex_encode(&mac.finalize().into_bytes())
+    };
+
+    let auth = format!(
+        "AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, SignedHeaders=host;x-amz-date, Signature={sig}"
+    );
+    (auth, amzdate)
+}
+
+/// GET https://s3.{domain}/ with S3 credentials -> 200 list-buckets response.
+async fn check_seaweedfs(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let access_key =
+        kube_secret("storage", "seaweedfs-s3-credentials", "S3_ACCESS_KEY").await;
+    let secret_key =
+        kube_secret("storage", "seaweedfs-s3-credentials", "S3_SECRET_KEY").await;
+
+    if access_key.is_empty() || secret_key.is_empty() {
+        return CheckResult::fail(
+            "seaweedfs",
+            "storage",
+            "seaweedfs",
+            "credentials not found in seaweedfs-s3-credentials secret",
+        );
+    }
+
+    let host = format!("s3.{domain}");
+    let url = format!("https://{host}/");
+    let (auth, amzdate) = s3_auth_headers(&access_key, &secret_key, &host);
+
+    match http_get(
+        client,
+        &url,
+        Some(&[("Authorization", &auth), ("x-amz-date", &amzdate)]),
+    )
+    .await
+    {
+        Ok((200, _)) => {
+            CheckResult::ok("seaweedfs", "storage", "seaweedfs", "S3 authenticated")
+        }
+        Ok((status, _)) => CheckResult::fail(
+            "seaweedfs",
+            "storage",
+            "seaweedfs",
+            &format!("HTTP {status}"),
+        ),
+        Err(e) => CheckResult::fail("seaweedfs", "storage", "seaweedfs", &e),
+    }
+}
+
+/// GET /kratos/health/ready -> 200.
+async fn check_kratos(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://auth.{domain}/kratos/health/ready");
+    match http_get(client, &url, None).await {
+        Ok((status, body)) => {
+            let ok_flag = status == 200;
+            let mut detail = format!("HTTP {status}");
+            if !ok_flag && !body.is_empty() {
+                let body_str: String =
+                    String::from_utf8_lossy(&body).chars().take(80).collect();
+                detail = format!("{detail}: {body_str}");
+            }
+            CheckResult {
+                name: "kratos".into(),
+                ns: "ory".into(),
+                svc: "kratos".into(),
+                passed: ok_flag,
+                detail,
+            }
+        }
+        Err(e) => CheckResult::fail("kratos", "ory", "kratos", &e),
+    }
+}
+
+/// GET /.well-known/openid-configuration -> 200 with issuer field.
+async fn check_hydra_oidc(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://auth.{domain}/.well-known/openid-configuration");
+    match http_get(client, &url, None).await {
+        Ok((200, body)) => {
+            let issuer = serde_json::from_slice::<serde_json::Value>(&body)
+                .ok()
+                .and_then(|v| v.get("issuer").and_then(|v| v.as_str()).map(String::from))
+                .unwrap_or_else(|| "?".into());
+            CheckResult::ok("hydra-oidc", "ory", "hydra", &format!("issuer={issuer}"))
+        }
+        Ok((status, _)) => {
+            CheckResult::fail("hydra-oidc", "ory", "hydra", &format!("HTTP {status}"))
+        }
+        Err(e) => CheckResult::fail("hydra-oidc", "ory", "hydra", &e),
+    }
+}
+
+/// GET https://people.{domain}/ -> any response < 500 (302 to OIDC is fine).
+async fn check_people(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://people.{domain}/");
+    match http_get(client, &url, None).await {
+        Ok((status, _)) => CheckResult {
+            name: "people".into(),
+            ns: "lasuite".into(),
+            svc: "people".into(),
+            passed: status < 500,
+            detail: format!("HTTP {status}"),
+        },
+        Err(e) => CheckResult::fail("people", "lasuite", "people", &e),
+    }
+}
+
+/// GET /api/v1.0/config/ -> any response < 500 (401 auth-required is fine).
+async fn check_people_api(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://people.{domain}/api/v1.0/config/");
+    match http_get(client, &url, None).await {
+        Ok((status, _)) => CheckResult {
+            name: "people-api".into(),
+            ns: "lasuite".into(),
+            svc: "people".into(),
+            passed: status < 500,
+            detail: format!("HTTP {status}"),
+        },
+        Err(e) => CheckResult::fail("people-api", "lasuite", "people", &e),
+    }
+}
+
+/// kubectl exec livekit-server pod -- wget localhost:7880/ -> rc 0.
+async fn check_livekit(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    let kube_client = match get_client().await {
+        Ok(c) => c,
+        Err(e) => return CheckResult::fail("livekit", "media", "livekit", &format!("{e}")),
+    };
+
+    let api: Api<Pod> = Api::namespaced(kube_client.clone(), "media");
+    let lp = ListParams::default().labels("app.kubernetes.io/name=livekit-server");
+    let pod_list = match api.list(&lp).await {
+        Ok(l) => l,
+        Err(e) => return CheckResult::fail("livekit", "media", "livekit", &format!("{e}")),
+    };
+
+    let pod_name = match pod_list.items.first() {
+        Some(p) => p.name_any(),
+        None => return CheckResult::fail("livekit", "media", "livekit", "no livekit pod"),
+    };
+
+    match kube_exec(
+        "media",
+        &pod_name,
+        &["wget", "-qO-", "http://localhost:7880/"],
+        None,
+    )
+    .await
+    {
+        Ok((exit_code, _)) => {
+            if exit_code == 0 {
+                CheckResult::ok("livekit", "media", "livekit", "server responding")
+            } else {
+                CheckResult::fail("livekit", "media", "livekit", "server not responding")
+            }
+        }
+        Err(e) => CheckResult::fail("livekit", "media", "livekit", &format!("{e}")),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Check registry — function pointer + metadata
+// ---------------------------------------------------------------------------
+
+type CheckFn = for<'a> fn(
+    &'a str,
+    &'a reqwest::Client,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = CheckResult> + Send + 'a>>;
+
+struct CheckEntry {
+    func: CheckFn,
+    ns: &'static str,
+    svc: &'static str,
+}
+
+fn check_registry() -> Vec<CheckEntry> {
+    vec![
+        CheckEntry {
+            func: |d, c| Box::pin(check_gitea_version(d, c)),
+            ns: "devtools",
+            svc: "gitea",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_gitea_auth(d, c)),
+            ns: "devtools",
+            svc: "gitea",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_postgres(d, c)),
+            ns: "data",
+            svc: "postgres",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_valkey(d, c)),
+            ns: "data",
+            svc: "valkey",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_openbao(d, c)),
+            ns: "data",
+            svc: "openbao",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_seaweedfs(d, c)),
+            ns: "storage",
+            svc: "seaweedfs",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_kratos(d, c)),
+            ns: "ory",
+            svc: "kratos",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_hydra_oidc(d, c)),
+            ns: "ory",
+            svc: "hydra",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_people(d, c)),
+            ns: "lasuite",
+            svc: "people",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_people_api(d, c)),
+            ns: "lasuite",
+            svc: "people",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_livekit(d, c)),
+            ns: "media",
+            svc: "livekit",
+        },
+    ]
+}
+
+// ---------------------------------------------------------------------------
+// cmd_check — concurrent execution
+// ---------------------------------------------------------------------------
+
+/// Run service-level health checks, optionally scoped to a namespace or service.
+pub async fn cmd_check(target: Option<&str>) -> Result<()> {
+    step("Service health checks...");
+
+    let domain = crate::kube::get_domain().await?;
+    let http_client = build_http_client()?;
+
+    let (ns_filter, svc_filter) = parse_target(target)?;
+
+    let all_checks = check_registry();
+    let selected: Vec<&CheckEntry> = all_checks
+        .iter()
+        .filter(|e| {
+            (ns_filter.is_none() || ns_filter == Some(e.ns))
+                && (svc_filter.is_none() || svc_filter == Some(e.svc))
+        })
+        .collect();
+
+    if selected.is_empty() {
+        warn(&format!(
+            "No checks match target: {}",
+            target.unwrap_or("(none)")
+        ));
+        return Ok(());
+    }
+
+    // Run all checks concurrently
+    let mut join_set = tokio::task::JoinSet::new();
+    for entry in &selected {
+        let domain = domain.clone();
+        let client = http_client.clone();
+        let func = entry.func;
+        join_set.spawn(async move { func(&domain, &client).await });
+    }
+
+    let mut results: Vec<CheckResult> = Vec::new();
+    while let Some(res) = join_set.join_next().await {
+        match res {
+            Ok(cr) => results.push(cr),
+            Err(e) => results.push(CheckResult::fail("unknown", "?", "?", &format!("{e}"))),
+        }
+    }
+
+    // Sort to match the registry order for consistent output
+    let registry = check_registry();
+    results.sort_by(|a, b| {
+        let idx_a = registry
+            .iter()
+            .position(|e| e.ns == a.ns && e.svc == a.svc)
+            .unwrap_or(usize::MAX);
+        let idx_b = registry
+            .iter()
+            .position(|e| e.ns == b.ns && e.svc == b.svc)
+            .unwrap_or(usize::MAX);
+        idx_a.cmp(&idx_b).then_with(|| a.name.cmp(&b.name))
+    });
+
+    // Print grouped by namespace
+    let name_w = results.iter().map(|r| r.name.len()).max().unwrap_or(0);
+    let mut cur_ns: Option<&str> = None;
+    for r in &results {
+        if cur_ns != Some(&r.ns) {
+            println!("  {}:", r.ns);
+            cur_ns = Some(&r.ns);
+        }
+        let icon = if r.passed { "\u{2713}" } else { "\u{2717}" };
+        let detail = if r.detail.is_empty() {
+            String::new()
+        } else {
+            format!("  {}", r.detail)
+        };
+        println!("    {icon} {:<name_w$}{detail}", r.name);
+    }
+
+    println!();
+    let failed: Vec<&CheckResult> = results.iter().filter(|r| !r.passed).collect();
+    if failed.is_empty() {
+        ok(&format!("All {} check(s) passed.", results.len()));
+    } else {
+        warn(&format!("{} check(s) failed.", failed.len()));
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// hex encoding helper (avoids adding the `hex` crate)
+// ---------------------------------------------------------------------------
+
+fn hex_encode(bytes: impl AsRef<[u8]>) -> String {
+    const HEX_CHARS: &[u8; 16] = b"0123456789abcdef";
+    let bytes = bytes.as_ref();
+    let mut s = String::with_capacity(bytes.len() * 2);
+    for &b in bytes {
+        s.push(HEX_CHARS[(b >> 4) as usize] as char);
+        s.push(HEX_CHARS[(b & 0xf) as usize] as char);
+    }
+    s
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // ── S3 auth header tests ─────────────────────────────────────────────
+
+    #[test]
+    fn test_s3_auth_headers_format() {
+        let (auth, amzdate) = s3_auth_headers(
+            "AKIAIOSFODNN7EXAMPLE",
+            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+            "s3.example.com",
+        );
+
+        // Verify header structure
+        assert!(auth.starts_with("AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/"));
+        assert!(auth.contains("us-east-1/s3/aws4_request"));
+        assert!(auth.contains("SignedHeaders=host;x-amz-date"));
+        assert!(auth.contains("Signature="));
+
+        // amzdate format: YYYYMMDDTHHMMSSZ
+        assert_eq!(amzdate.len(), 16);
+        assert!(amzdate.ends_with('Z'));
+        assert!(amzdate.contains('T'));
+    }
+
+    #[test]
+    fn test_s3_auth_headers_signature_changes_with_key() {
+        let (auth1, _) = s3_auth_headers("key1", "secret1", "host1");
+        let (auth2, _) = s3_auth_headers("key2", "secret2", "host2");
+        // Different keys produce different signatures
+        let sig1 = auth1.split("Signature=").nth(1).unwrap();
+        let sig2 = auth2.split("Signature=").nth(1).unwrap();
+        assert_ne!(sig1, sig2);
+    }
+
+    #[test]
+    fn test_s3_auth_headers_credential_scope() {
+        let (auth, amzdate) = s3_auth_headers("AK", "SK", "s3.example.com");
+        let datestamp = &amzdate[..8];
+        let expected_scope = format!("{datestamp}/us-east-1/s3/aws4_request");
+        assert!(auth.contains(&expected_scope));
+    }
+
+    // ── hex encoding ────────────────────────────────────────────────────
+
+    #[test]
+    fn test_hex_encode_empty() {
+        assert_eq!(hex_encode(b""), "");
+    }
+
+    #[test]
+    fn test_hex_encode_zero() {
+        assert_eq!(hex_encode(b"\x00"), "00");
+    }
+
+    #[test]
+    fn test_hex_encode_ff() {
+        assert_eq!(hex_encode(b"\xff"), "ff");
+    }
+
+    #[test]
+    fn test_hex_encode_deadbeef() {
+        assert_eq!(hex_encode(b"\xde\xad\xbe\xef"), "deadbeef");
+    }
+
+    #[test]
+    fn test_hex_encode_hello() {
+        assert_eq!(hex_encode(b"hello"), "68656c6c6f");
+    }
+
+    // ── CheckResult ─────────────────────────────────────────────────────
+
+    #[test]
+    fn test_check_result_ok() {
+        let r = CheckResult::ok("gitea-version", "devtools", "gitea", "v1.21.0");
+        assert!(r.passed);
+        assert_eq!(r.name, "gitea-version");
+        assert_eq!(r.ns, "devtools");
+        assert_eq!(r.svc, "gitea");
+        assert_eq!(r.detail, "v1.21.0");
+    }
+
+    #[test]
+    fn test_check_result_fail() {
+        let r = CheckResult::fail("postgres", "data", "postgres", "cluster not found");
+        assert!(!r.passed);
+        assert_eq!(r.detail, "cluster not found");
+    }
+
+    // ── Check registry ──────────────────────────────────────────────────
+
+    #[test]
+    fn test_check_registry_has_all_checks() {
+        let registry = check_registry();
+        assert_eq!(registry.len(), 11);
+
+        // Verify order matches Python CHECKS list
+        assert_eq!(registry[0].ns, "devtools");
+        assert_eq!(registry[0].svc, "gitea");
+        assert_eq!(registry[1].ns, "devtools");
+        assert_eq!(registry[1].svc, "gitea");
+        assert_eq!(registry[2].ns, "data");
+        assert_eq!(registry[2].svc, "postgres");
+        assert_eq!(registry[3].ns, "data");
+        assert_eq!(registry[3].svc, "valkey");
+        assert_eq!(registry[4].ns, "data");
+        assert_eq!(registry[4].svc, "openbao");
+        assert_eq!(registry[5].ns, "storage");
+        assert_eq!(registry[5].svc, "seaweedfs");
+        assert_eq!(registry[6].ns, "ory");
+        assert_eq!(registry[6].svc, "kratos");
+        assert_eq!(registry[7].ns, "ory");
+        assert_eq!(registry[7].svc, "hydra");
+        assert_eq!(registry[8].ns, "lasuite");
+        assert_eq!(registry[8].svc, "people");
+        assert_eq!(registry[9].ns, "lasuite");
+        assert_eq!(registry[9].svc, "people");
+        assert_eq!(registry[10].ns, "media");
+        assert_eq!(registry[10].svc, "livekit");
+    }
+
+    #[test]
+    fn test_check_registry_filter_namespace() {
+        let all = check_registry();
+        let filtered: Vec<&CheckEntry> = all.iter().filter(|e| e.ns == "ory").collect();
+        assert_eq!(filtered.len(), 2);
+    }
+
+    #[test]
+    fn test_check_registry_filter_service() {
+        let all = check_registry();
+        let filtered: Vec<&CheckEntry> = all
+            .iter()
+            .filter(|e| e.ns == "ory" && e.svc == "kratos")
+            .collect();
+        assert_eq!(filtered.len(), 1);
+    }
+
+    #[test]
+    fn test_check_registry_filter_no_match() {
+        let all = check_registry();
+        let filtered: Vec<&CheckEntry> =
+            all.iter().filter(|e| e.ns == "nonexistent").collect();
+        assert!(filtered.is_empty());
+    }
+
+    // ── HMAC-SHA256 verification ────────────────────────────────────────
+
+    #[test]
+    fn test_hmac_sha256_known_vector() {
+        // RFC 4231 Test Case 2
+        let key = b"Jefe";
+        let data = b"what do ya want for nothing?";
+        let mut mac = HmacSha256::new_from_slice(key).expect("HMAC key");
+        mac.update(data);
+        let result = hex_encode(mac.finalize().into_bytes());
+        assert_eq!(
+            result,
+            "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
+        );
+    }
+
+    // ── SHA256 verification ─────────────────────────────────────────────
+
+    #[test]
+    fn test_sha256_empty() {
+        let hash = hex_encode(Sha256::digest(b""));
+        assert_eq!(
+            hash,
+            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+        );
+    }
+
+    #[test]
+    fn test_sha256_hello() {
+        let hash = hex_encode(Sha256::digest(b"hello"));
+        assert_eq!(
+            hash,
+            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
+        );
+    }
+
+    // ── Additional CheckResult tests ──────────────────────────────────
+
+    #[test]
+    fn test_check_result_ok_empty_detail() {
+        let r = CheckResult::ok("test", "ns", "svc", "");
+        assert!(r.passed);
+        assert!(r.detail.is_empty());
+    }
+
+    #[test]
+    fn test_check_result_fail_contains_status_code() {
+        let r = CheckResult::fail("gitea-version", "devtools", "gitea", "HTTP 502");
+        assert!(!r.passed);
+        assert!(r.detail.contains("502"));
+    }
+
+    #[test]
+    fn test_check_result_fail_contains_secret_message() {
+        let r = CheckResult::fail(
+            "gitea-auth",
+            "devtools",
+            "gitea",
+            "password not found in secret",
+        );
+        assert!(!r.passed);
+        assert!(r.detail.contains("secret"));
+    }
+
+    #[test]
+    fn test_check_result_ok_with_version() {
+        let r = CheckResult::ok("gitea-version", "devtools", "gitea", "v1.21.0");
+        assert!(r.passed);
+        assert!(r.detail.contains("1.21.0"));
+    }
+
+    #[test]
+    fn test_check_result_ok_with_login() {
+        let r = CheckResult::ok("gitea-auth", "devtools", "gitea", "user=gitea_admin");
+        assert!(r.passed);
+        assert!(r.detail.contains("gitea_admin"));
+    }
+
+    #[test]
+    fn test_check_result_ok_authenticated() {
+        let r = CheckResult::ok("seaweedfs", "storage", "seaweedfs", "S3 authenticated");
+        assert!(r.passed);
+        assert!(r.detail.contains("authenticated"));
+    }
+
+    // ── Additional registry tests ─────────────────────────────────────
+
+    #[test]
+    fn test_check_registry_expected_namespaces() {
+        let registry = check_registry();
+        let namespaces: std::collections::HashSet<&str> =
+            registry.iter().map(|e| e.ns).collect();
+        for expected in &["devtools", "data", "storage", "ory", "lasuite", "media"] {
+            assert!(
+                namespaces.contains(expected),
+                "registry missing namespace: {expected}"
+            );
+        }
+    }
+
+    #[test]
+    fn test_check_registry_expected_services() {
+        let registry = check_registry();
+        let services: std::collections::HashSet<&str> =
+            registry.iter().map(|e| e.svc).collect();
+        for expected in &[
+            "gitea", "postgres", "valkey", "openbao", "seaweedfs", "kratos", "hydra",
+            "people", "livekit",
+        ] {
+            assert!(
+                services.contains(expected),
+                "registry missing service: {expected}"
+            );
+        }
+    }
+
+    #[test]
+    fn test_check_registry_devtools_has_two_gitea_entries() {
+        let registry = check_registry();
+        let gitea: Vec<_> = registry
+            .iter()
+            .filter(|e| e.ns == "devtools" && e.svc == "gitea")
+            .collect();
+        assert_eq!(gitea.len(), 2);
+    }
+
+    #[test]
+    fn test_check_registry_lasuite_has_two_people_entries() {
+        let registry = check_registry();
+        let people: Vec<_> = registry
+            .iter()
+            .filter(|e| e.ns == "lasuite" && e.svc == "people")
+            .collect();
+        assert_eq!(people.len(), 2);
+    }
+
+    #[test]
+    fn test_check_registry_data_has_three_entries() {
+        let registry = check_registry();
+        let data: Vec<_> = registry.iter().filter(|e| e.ns == "data").collect();
+        assert_eq!(data.len(), 3); // postgres, valkey, openbao
+    }
+
+    // ── Filter logic (mirrors Python TestCmdCheck) ────────────────────
+
+    /// Helper: apply the same filter logic as cmd_check to the registry.
+    fn filter_registry(
+        ns_filter: Option<&str>,
+        svc_filter: Option<&str>,
+    ) -> Vec<(&'static str, &'static str)> {
+        let all = check_registry();
+        all.into_iter()
+            .filter(|e| ns_filter.map_or(true, |ns| e.ns == ns))
+            .filter(|e| svc_filter.map_or(true, |svc| e.svc == svc))
+            .map(|e| (e.ns, e.svc))
+            .collect()
+    }
+
+    #[test]
+    fn test_no_target_runs_all() {
+        let selected = filter_registry(None, None);
+        assert_eq!(selected.len(), 11);
+    }
+
+    #[test]
+    fn test_ns_filter_devtools_selects_two() {
+        let selected = filter_registry(Some("devtools"), None);
+        assert_eq!(selected.len(), 2);
+        assert!(selected.iter().all(|(ns, _)| *ns == "devtools"));
+    }
+
+    #[test]
+    fn test_ns_filter_skips_other_namespaces() {
+        let selected = filter_registry(Some("devtools"), None);
+        // Should NOT contain data/postgres
+        assert!(selected.iter().all(|(ns, _)| *ns != "data"));
+    }
+
+    #[test]
+    fn test_svc_filter_ory_kratos() {
+        let selected = filter_registry(Some("ory"), Some("kratos"));
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("ory", "kratos"));
+    }
+
+    #[test]
+    fn test_svc_filter_ory_hydra() {
+        let selected = filter_registry(Some("ory"), Some("hydra"));
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("ory", "hydra"));
+    }
+
+    #[test]
+    fn test_svc_filter_people_returns_both() {
+        let selected = filter_registry(Some("lasuite"), Some("people"));
+        assert_eq!(selected.len(), 2);
+        assert!(selected.iter().all(|(ns, svc)| *ns == "lasuite" && *svc == "people"));
+    }
+
+    #[test]
+    fn test_filter_nonexistent_ns_returns_empty() {
+        let selected = filter_registry(Some("nonexistent"), None);
+        assert!(selected.is_empty());
+    }
+
+    #[test]
+    fn test_filter_ns_match_svc_mismatch_returns_empty() {
+        // ory namespace exists but postgres service does not live there
+        let selected = filter_registry(Some("ory"), Some("postgres"));
+        assert!(selected.is_empty());
+    }
+
+    #[test]
+    fn test_filter_data_namespace() {
+        let selected = filter_registry(Some("data"), None);
+        assert_eq!(selected.len(), 3);
+        let svcs: Vec<&str> = selected.iter().map(|(_, svc)| *svc).collect();
+        assert!(svcs.contains(&"postgres"));
+        assert!(svcs.contains(&"valkey"));
+        assert!(svcs.contains(&"openbao"));
+    }
+
+    #[test]
+    fn test_filter_storage_namespace() {
+        let selected = filter_registry(Some("storage"), None);
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("storage", "seaweedfs"));
+    }
+
+    #[test]
+    fn test_filter_media_namespace() {
+        let selected = filter_registry(Some("media"), None);
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("media", "livekit"));
+    }
+
+    // ── S3 auth AWS reference vector test ─────────────────────────────
+
+    #[test]
+    fn test_s3_auth_headers_aws_reference_vector() {
+        // Uses AWS test values with a fixed timestamp to verify signature
+        // correctness against a known reference (AWS SigV4 documentation).
+        use chrono::TimeZone;
+
+        let access_key = "AKIAIOSFODNN7EXAMPLE";
+        let secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+        let host = "examplebucket.s3.amazonaws.com";
+        let now = chrono::Utc.with_ymd_and_hms(2013, 5, 24, 0, 0, 0).unwrap();
+
+        let (auth, amzdate) = s3_auth_headers_at(access_key, secret_key, host, now);
+
+        // 1. Verify the date header
+        assert_eq!(amzdate, "20130524T000000Z");
+
+        // 2. Verify canonical request intermediate values.
+        //    Canonical request for GET / with empty body:
+        //      GET\n/\n\nhost:examplebucket.s3.amazonaws.com\n
+        //      x-amz-date:20130524T000000Z\n\nhost;x-amz-date\n<sha256("")>
+        let payload_hash =
+            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+        let canonical = format!(
+            "GET\n/\n\nhost:{host}\nx-amz-date:{amzdate}\n\nhost;x-amz-date\n{payload_hash}"
+        );
+        let canonical_hash = hex_encode(&Sha256::digest(canonical.as_bytes()));
+
+        // 3. Verify the string to sign
+        let credential_scope = "20130524/us-east-1/s3/aws4_request";
+        let string_to_sign = format!(
+            "AWS4-HMAC-SHA256\n{amzdate}\n{credential_scope}\n{canonical_hash}"
+        );
+
+        // 4. Compute the expected signing key and signature to pin the value.
+        fn hmac_sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
+            let mut mac =
+                HmacSha256::new_from_slice(key).expect("HMAC accepts any key length");
+            mac.update(msg);
+            mac.finalize().into_bytes().to_vec()
+        }
+
+        let k = hmac_sign(
+            format!("AWS4{secret_key}").as_bytes(),
+            b"20130524",
+        );
+        let k = hmac_sign(&k, b"us-east-1");
+        let k = hmac_sign(&k, b"s3");
+        let k = hmac_sign(&k, b"aws4_request");
+
+        let expected_sig = {
+            let mut mac =
+                HmacSha256::new_from_slice(&k).expect("HMAC accepts any key length");
+            mac.update(string_to_sign.as_bytes());
+            hex_encode(&mac.finalize().into_bytes())
+        };
+
+        // 5. Verify the full Authorization header matches
+        let expected_auth = format!(
+            "AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, \
+             SignedHeaders=host;x-amz-date, Signature={expected_sig}"
+        );
+        assert_eq!(auth, expected_auth);
+
+        // 6. Pin the exact signature value so any regression is caught
+        //    immediately without needing to recompute.
+        let sig = auth.split("Signature=").nth(1).unwrap();
+        assert_eq!(sig, expected_sig);
+        assert_eq!(sig.len(), 64, "SHA-256 HMAC signature must be 64 hex chars");
+    }
+
+    // ── Additional S3 auth header tests ───────────────────────────────
+
+    #[test]
+    fn test_s3_auth_headers_deterministic() {
+        // Same inputs at the same point in time produce identical output.
+        // (Time may advance between calls, but the format is still valid.)
+        let (auth1, date1) = s3_auth_headers("AK", "SK", "host");
+        let (auth2, date2) = s3_auth_headers("AK", "SK", "host");
+        // If both calls happen within the same second, they must be identical.
+        if date1 == date2 {
+            assert_eq!(auth1, auth2, "same inputs at same time must produce same signature");
+        }
+    }
+
+    #[test]
+    fn test_s3_auth_headers_different_hosts_differ() {
+        let (auth1, d1) = s3_auth_headers("AK", "SK", "s3.a.com");
+        let (auth2, d2) = s3_auth_headers("AK", "SK", "s3.b.com");
+        let sig1 = auth1.split("Signature=").nth(1).unwrap();
+        let sig2 = auth2.split("Signature=").nth(1).unwrap();
+        // Different hosts -> different canonical request -> different signature
+        // (only guaranteed when timestamps match)
+        if d1 == d2 {
+            assert_ne!(sig1, sig2);
+        }
+    }
+
+    #[test]
+    fn test_s3_auth_headers_signature_is_64_hex_chars() {
+        let (auth, _) = s3_auth_headers("AK", "SK", "host");
+        let sig = auth.split("Signature=").nth(1).unwrap();
+        assert_eq!(sig.len(), 64, "SHA-256 HMAC hex signature is 64 chars");
+        assert!(
+            sig.chars().all(|c| c.is_ascii_hexdigit()),
+            "signature must be lowercase hex: {sig}"
+        );
+    }
+
+    // ── hex_encode edge cases ─────────────────────────────────────────
+
+    #[test]
+    fn test_hex_encode_all_byte_values() {
+        // Verify 0x00..0xff all produce 2-char lowercase hex
+        for b in 0u8..=255 {
+            let encoded = hex_encode([b]);
+            assert_eq!(encoded.len(), 2);
+            assert!(encoded.chars().all(|c| c.is_ascii_hexdigit()));
+        }
+    }
+
+    #[test]
+    fn test_hex_encode_matches_format() {
+        // Cross-check against Rust's built-in formatting
+        let bytes: Vec<u8> = (0..32).collect();
+        let expected: String = bytes.iter().map(|b| format!("{b:02x}")).collect();
+        assert_eq!(hex_encode(&bytes), expected);
+    }
+}
diff --git a/src/cli.rs b/src/cli.rs
new file mode 100644
index 0000000..9281877
--- /dev/null
+++ b/src/cli.rs
@@ -0,0 +1,1097 @@
+use crate::error::{Result, SunbeamError};
+use clap::{Parser, Subcommand, ValueEnum};
+
+/// Sunbeam local dev stack manager.
+#[derive(Parser, Debug)]
+#[command(name = "sunbeam", about = "Sunbeam local dev stack manager")]
+pub struct Cli {
+    /// Named context to use (overrides current-context from config).
+    #[arg(long)]
+    pub context: Option<String>,
+
+    /// Domain suffix override (e.g. sunbeam.pt).
+    #[arg(long, default_value = "")]
+    pub domain: String,
+
+    /// ACME email for cert-manager (e.g. ops@sunbeam.pt).
+    #[arg(long, default_value = "")]
+    pub email: String,
+
+    #[command(subcommand)]
+    pub verb: Option<Verb>,
+}
+
+
+#[derive(Subcommand, Debug)]
+pub enum Verb {
+    /// Full cluster bring-up.
+    Up,
+
+    /// Pod health (optionally scoped).
+    Status {
+        /// namespace or namespace/name
+        target: Option<String>,
+    },
+
+    /// kustomize build + domain subst + kubectl apply.
+    Apply {
+        /// Limit apply to one namespace.
+        namespace: Option<String>,
+        /// Apply all namespaces without confirmation.
+        #[arg(long = "all")]
+        apply_all: bool,
+        /// Domain suffix (e.g. sunbeam.pt).
+        #[arg(long, default_value = "")]
+        domain: String,
+        /// ACME email for cert-manager.
+        #[arg(long, default_value = "")]
+        email: String,
+    },
+
+    /// Generate/store all credentials in OpenBao.
+    Seed,
+
+    /// E2E VSO + OpenBao integration test.
+    Verify,
+
+    /// kubectl logs for a service.
+    Logs {
+        /// namespace/name
+        target: String,
+        /// Stream logs.
+        #[arg(short, long)]
+        follow: bool,
+    },
+
+    /// Raw kubectl get for a pod (ns/name).
+    Get {
+        /// namespace/name
+        target: String,
+        /// Output format.
+        #[arg(short, long, default_value = "yaml", value_parser = ["yaml", "json", "wide"])]
+        output: String,
+    },
+
+    /// Rolling restart of services.
+    Restart {
+        /// namespace or namespace/name
+        target: Option<String>,
+    },
+
+    /// Build an artifact.
+    Build {
+        /// What to build.
+        what: BuildTarget,
+        /// Push image to registry after building.
+        #[arg(long)]
+        push: bool,
+        /// Apply manifests and rollout restart after pushing (implies --push).
+        #[arg(long)]
+        deploy: bool,
+        /// Disable buildkitd layer cache.
+        #[arg(long)]
+        no_cache: bool,
+    },
+
+    /// Functional service health checks.
+    Check {
+        /// namespace or namespace/name
+        target: Option<String>,
+    },
+
+    /// Mirror amd64-only La Suite images.
+    Mirror,
+
+    /// Create Gitea orgs/repos; bootstrap services.
+    Bootstrap,
+
+    /// Manage sunbeam configuration.
+    Config {
+        #[command(subcommand)]
+        action: Option<ConfigAction>,
+    },
+
+    /// kubectl passthrough.
+    K8s {
+        /// arguments forwarded verbatim to kubectl
+        #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+        kubectl_args: Vec<String>,
+    },
+
+    /// bao CLI passthrough (runs inside OpenBao pod with root token).
+    Bao {
+        /// arguments forwarded verbatim to bao
+        #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+        bao_args: Vec<String>,
+    },
+
+    /// User/identity management.
+    User {
+        #[command(subcommand)]
+        action: Option<UserAction>,
+    },
+
+    /// Authenticate with Sunbeam (OAuth2 login via browser).
+    Auth {
+        #[command(subcommand)]
+        action: Option<AuthAction>,
+    },
+
+    /// Project management across Planka and Gitea.
+    Pm {
+        #[command(subcommand)]
+        action: Option<PmAction>,
+    },
+
+    /// Self-update from latest mainline commit.
+    Update,
+
+    /// Print version info.
+    Version,
+}
+
+#[derive(Subcommand, Debug)]
+pub enum AuthAction {
+    /// Log in to both SSO and Gitea.
+    Login {
+        /// Domain to authenticate against (e.g. sunbeam.pt).
+        #[arg(long)]
+        domain: Option<String>,
+    },
+    /// Log in to SSO only (Hydra OIDC — for Planka, identity management).
+    Sso {
+        /// Domain to authenticate against.
+        #[arg(long)]
+        domain: Option<String>,
+    },
+    /// Log in to Gitea only (personal access token).
+    Git {
+        /// Domain to authenticate against.
+        #[arg(long)]
+        domain: Option<String>,
+    },
+    /// Log out (remove all cached tokens).
+    Logout,
+    /// Show current authentication status.
+    Status,
+}
+
+#[derive(Subcommand, Debug)]
+pub enum PmAction {
+    /// List tickets across Planka and Gitea.
+    List {
+        /// Filter by source: planka, gitea, or all (default: all).
+        #[arg(long, default_value = "all")]
+        source: String,
+        /// Filter by state: open, closed, all (default: open).
+        #[arg(long, default_value = "open")]
+        state: String,
+    },
+    /// Show ticket details.
+    Show {
+        /// Ticket ID (e.g. p:42 for Planka, g:studio/cli#7 for Gitea).
+        id: String,
+    },
+    /// Create a new ticket.
+    Create {
+        /// Ticket title.
+        title: String,
+        /// Ticket body/description.
+        #[arg(long, default_value = "")]
+        body: String,
+        /// Source: planka or gitea.
+        #[arg(long, default_value = "gitea")]
+        source: String,
+        /// Target: board ID for Planka, or org/repo for Gitea.
+        #[arg(long, default_value = "")]
+        target: String,
+    },
+    /// Add a comment to a ticket.
+    Comment {
+        /// Ticket ID.
+        id: String,
+        /// Comment text.
+        text: String,
+    },
+    /// Close/complete a ticket.
+    Close {
+        /// Ticket ID.
+        id: String,
+    },
+    /// Assign a user to a ticket.
+    Assign {
+        /// Ticket ID.
+        id: String,
+        /// Username or email to assign.
+        user: String,
+    },
+}
+
+#[derive(Debug, Clone, ValueEnum)]
+pub enum BuildTarget {
+    Proxy,
+    Integration,
+    KratosAdmin,
+    Meet,
+    DocsFrontend,
+    PeopleFrontend,
+    People,
+    Messages,
+    MessagesBackend,
+    MessagesFrontend,
+    MessagesMtaIn,
+    MessagesMtaOut,
+    MessagesMpa,
+    MessagesSocksProxy,
+    Tuwunel,
+    Calendars,
+    Projects,
+    Sol,
+}
+
+impl std::fmt::Display for BuildTarget {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let s = match self {
+            BuildTarget::Proxy => "proxy",
+            BuildTarget::Integration => "integration",
+            BuildTarget::KratosAdmin => "kratos-admin",
+            BuildTarget::Meet => "meet",
+            BuildTarget::DocsFrontend => "docs-frontend",
+            BuildTarget::PeopleFrontend => "people-frontend",
+            BuildTarget::People => "people",
+            BuildTarget::Messages => "messages",
+            BuildTarget::MessagesBackend => "messages-backend",
+            BuildTarget::MessagesFrontend => "messages-frontend",
+            BuildTarget::MessagesMtaIn => "messages-mta-in",
+            BuildTarget::MessagesMtaOut => "messages-mta-out",
+            BuildTarget::MessagesMpa => "messages-mpa",
+            BuildTarget::MessagesSocksProxy => "messages-socks-proxy",
+            BuildTarget::Tuwunel => "tuwunel",
+            BuildTarget::Calendars => "calendars",
+            BuildTarget::Projects => "projects",
+            BuildTarget::Sol => "sol",
+        };
+        write!(f, "{s}")
+    }
+}
+
+#[derive(Subcommand, Debug)]
+pub enum ConfigAction {
+    /// Set configuration values for the current context.
+    Set {
+        /// Domain suffix (e.g. sunbeam.pt).
+        #[arg(long, default_value = "")]
+        domain: String,
+        /// Production SSH host (e.g. user@server.example.com).
+        #[arg(long, default_value = "")]
+        host: String,
+        /// Infrastructure directory root.
+        #[arg(long, default_value = "")]
+        infra_dir: String,
+        /// ACME email for Let's Encrypt certificates.
+        #[arg(long, default_value = "")]
+        acme_email: String,
+        /// Context name to configure (default: current context).
+        #[arg(long, default_value = "")]
+        context_name: String,
+    },
+    /// Get current configuration.
+    Get,
+    /// Clear configuration.
+    Clear,
+    /// Switch the active context.
+    UseContext {
+        /// Context name to switch to.
+        name: String,
+    },
+}
+
+#[derive(Subcommand, Debug)]
+pub enum UserAction {
+    /// List identities.
+    List {
+        /// Filter by email.
+        #[arg(long, default_value = "")]
+        search: String,
+    },
+    /// Get identity by email or ID.
+    Get {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Create identity.
+    Create {
+        /// Email address.
+        email: String,
+        /// Display name.
+        #[arg(long, default_value = "")]
+        name: String,
+        /// Schema ID.
+        #[arg(long, default_value = "default")]
+        schema: String,
+    },
+    /// Delete identity.
+    Delete {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Generate recovery link.
+    Recover {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Disable identity + revoke sessions (lockout).
+    Disable {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Re-enable a disabled identity.
+    Enable {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Set password for an identity.
+    SetPassword {
+        /// Email or identity ID.
+        target: String,
+        /// New password. If omitted, reads from stdin.
+        password: Option<String>,
+    },
+    /// Onboard new user (create + welcome email).
+    Onboard {
+        /// Email address.
+        email: String,
+        /// Display name (First Last).
+        #[arg(long, default_value = "")]
+        name: String,
+        /// Schema ID.
+        #[arg(long, default_value = "employee")]
+        schema: String,
+        /// Skip sending welcome email.
+        #[arg(long)]
+        no_email: bool,
+        /// Send welcome email to this address instead.
+        #[arg(long, default_value = "")]
+        notify: String,
+        /// Job title.
+        #[arg(long, default_value = "")]
+        job_title: String,
+        /// Department.
+        #[arg(long, default_value = "")]
+        department: String,
+        /// Office location.
+        #[arg(long, default_value = "")]
+        office_location: String,
+        /// Hire date (YYYY-MM-DD).
+        #[arg(long, default_value = "", value_parser = validate_date)]
+        hire_date: String,
+        /// Manager name or email.
+        #[arg(long, default_value = "")]
+        manager: String,
+    },
+    /// Offboard user (disable + revoke all).
+    Offboard {
+        /// Email or identity ID.
+        target: String,
+    },
+}
+
+fn validate_date(s: &str) -> std::result::Result<String, String> {
+    if s.is_empty() {
+        return Ok(s.to_string());
+    }
+    chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d")
+        .map(|_| s.to_string())
+        .map_err(|_| format!("Invalid date: '{s}' (expected YYYY-MM-DD)"))
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use clap::Parser;
+
+    fn parse(args: &[&str]) -> Cli {
+        Cli::try_parse_from(args).unwrap()
+    }
+
+    // 1. test_up
+    #[test]
+    fn test_up() {
+        let cli = parse(&["sunbeam", "up"]);
+        assert!(matches!(cli.verb, Some(Verb::Up)));
+    }
+
+    // 2. test_status_no_target
+    #[test]
+    fn test_status_no_target() {
+        let cli = parse(&["sunbeam", "status"]);
+        match cli.verb {
+            Some(Verb::Status { target }) => assert!(target.is_none()),
+            _ => panic!("expected Status"),
+        }
+    }
+
+    // 3. test_status_with_namespace
+    #[test]
+    fn test_status_with_namespace() {
+        let cli = parse(&["sunbeam", "status", "ory"]);
+        match cli.verb {
+            Some(Verb::Status { target }) => assert_eq!(target.unwrap(), "ory"),
+            _ => panic!("expected Status"),
+        }
+    }
+
+    // 4. test_logs_no_follow
+    #[test]
+    fn test_logs_no_follow() {
+        let cli = parse(&["sunbeam", "logs", "ory/kratos"]);
+        match cli.verb {
+            Some(Verb::Logs { target, follow }) => {
+                assert_eq!(target, "ory/kratos");
+                assert!(!follow);
+            }
+            _ => panic!("expected Logs"),
+        }
+    }
+
+    // 5. test_logs_follow_short
+    #[test]
+    fn test_logs_follow_short() {
+        let cli = parse(&["sunbeam", "logs", "ory/kratos", "-f"]);
+        match cli.verb {
+            Some(Verb::Logs { follow, .. }) => assert!(follow),
+            _ => panic!("expected Logs"),
+        }
+    }
+
+    // 6. test_build_proxy
+    #[test]
+    fn test_build_proxy() {
+        let cli = parse(&["sunbeam", "build", "proxy"]);
+        match cli.verb {
+            Some(Verb::Build { what, push, deploy, no_cache }) => {
+                assert!(matches!(what, BuildTarget::Proxy));
+                assert!(!push);
+                assert!(!deploy);
+                assert!(!no_cache);
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    // 7. test_build_deploy_flag
+    #[test]
+    fn test_build_deploy_flag() {
+        let cli = parse(&["sunbeam", "build", "proxy", "--deploy"]);
+        match cli.verb {
+            Some(Verb::Build { deploy, push, no_cache, .. }) => {
+                assert!(deploy);
+                // clap does not imply --push; that logic is in dispatch()
+                assert!(!push);
+                assert!(!no_cache);
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    // 8. test_build_invalid_target
+    #[test]
+    fn test_build_invalid_target() {
+        let result = Cli::try_parse_from(&["sunbeam", "build", "notavalidtarget"]);
+        assert!(result.is_err());
+    }
+
+    // 9. test_user_set_password
+    #[test]
+    fn test_user_set_password() {
+        let cli = parse(&["sunbeam", "user", "set-password", "admin@example.com", "hunter2"]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::SetPassword { target, password }) }) => {
+                assert_eq!(target, "admin@example.com");
+                assert_eq!(password, Some("hunter2".to_string()));
+            }
+            _ => panic!("expected User SetPassword"),
+        }
+    }
+
+    #[test]
+    fn test_user_set_password_no_password() {
+        let cli = parse(&["sunbeam", "user", "set-password", "admin@example.com"]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::SetPassword { target, password }) }) => {
+                assert_eq!(target, "admin@example.com");
+                assert!(password.is_none());
+            }
+            _ => panic!("expected User SetPassword"),
+        }
+    }
+
+    // 10. test_user_onboard_basic
+    #[test]
+    fn test_user_onboard_basic() {
+        let cli = parse(&["sunbeam", "user", "onboard", "a@b.com"]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::Onboard {
+                email, name, schema, no_email, notify, ..
+            }) }) => {
+                assert_eq!(email, "a@b.com");
+                assert_eq!(name, "");
+                assert_eq!(schema, "employee");
+                assert!(!no_email);
+                assert_eq!(notify, "");
+            }
+            _ => panic!("expected User Onboard"),
+        }
+    }
+
+    // 11. test_user_onboard_full
+    #[test]
+    fn test_user_onboard_full() {
+        let cli = parse(&[
+            "sunbeam", "user", "onboard", "a@b.com",
+            "--name", "A B", "--schema", "default", "--no-email",
+            "--job-title", "Engineer", "--department", "Dev",
+            "--office-location", "Paris", "--hire-date", "2026-01-15",
+            "--manager", "boss@b.com",
+        ]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::Onboard {
+                email, name, schema, no_email, job_title,
+                department, office_location, hire_date, manager, ..
+            }) }) => {
+                assert_eq!(email, "a@b.com");
+                assert_eq!(name, "A B");
+                assert_eq!(schema, "default");
+                assert!(no_email);
+                assert_eq!(job_title, "Engineer");
+                assert_eq!(department, "Dev");
+                assert_eq!(office_location, "Paris");
+                assert_eq!(hire_date, "2026-01-15");
+                assert_eq!(manager, "boss@b.com");
+            }
+            _ => panic!("expected User Onboard"),
+        }
+    }
+
+    // 12. test_apply_no_namespace
+    #[test]
+    fn test_apply_no_namespace() {
+        let cli = parse(&["sunbeam", "apply"]);
+        match cli.verb {
+            Some(Verb::Apply { namespace, .. }) => assert!(namespace.is_none()),
+            _ => panic!("expected Apply"),
+        }
+    }
+
+    // 13. test_apply_with_namespace
+    #[test]
+    fn test_apply_with_namespace() {
+        let cli = parse(&["sunbeam", "apply", "lasuite"]);
+        match cli.verb {
+            Some(Verb::Apply { namespace, .. }) => assert_eq!(namespace.unwrap(), "lasuite"),
+            _ => panic!("expected Apply"),
+        }
+    }
+
+    // 14. test_config_set
+    #[test]
+    fn test_config_set() {
+        let cli = parse(&[
+            "sunbeam", "config", "set",
+            "--host", "user@example.com",
+            "--infra-dir", "/path/to/infra",
+        ]);
+        match cli.verb {
+            Some(Verb::Config { action: Some(ConfigAction::Set { host, infra_dir, .. }) }) => {
+                assert_eq!(host, "user@example.com");
+                assert_eq!(infra_dir, "/path/to/infra");
+            }
+            _ => panic!("expected Config Set"),
+        }
+    }
+
+    // 15. test_config_get / test_config_clear
+    #[test]
+    fn test_config_get() {
+        let cli = parse(&["sunbeam", "config", "get"]);
+        match cli.verb {
+            Some(Verb::Config { action: Some(ConfigAction::Get) }) => {}
+            _ => panic!("expected Config Get"),
+        }
+    }
+
+    #[test]
+    fn test_config_clear() {
+        let cli = parse(&["sunbeam", "config", "clear"]);
+        match cli.verb {
+            Some(Verb::Config { action: Some(ConfigAction::Clear) }) => {}
+            _ => panic!("expected Config Clear"),
+        }
+    }
+
+    // 16. test_no_args_prints_help
+    #[test]
+    fn test_no_args_prints_help() {
+        let cli = parse(&["sunbeam"]);
+        assert!(cli.verb.is_none());
+    }
+
+    // 17. test_get_json_output
+    #[test]
+    fn test_get_json_output() {
+        let cli = parse(&["sunbeam", "get", "ory/kratos-abc", "-o", "json"]);
+        match cli.verb {
+            Some(Verb::Get { target, output }) => {
+                assert_eq!(target, "ory/kratos-abc");
+                assert_eq!(output, "json");
+            }
+            _ => panic!("expected Get"),
+        }
+    }
+
+    // 18. test_check_with_target
+    #[test]
+    fn test_check_with_target() {
+        let cli = parse(&["sunbeam", "check", "devtools"]);
+        match cli.verb {
+            Some(Verb::Check { target }) => assert_eq!(target.unwrap(), "devtools"),
+            _ => panic!("expected Check"),
+        }
+    }
+
+    // 19. test_build_messages_components
+    #[test]
+    fn test_build_messages_backend() {
+        let cli = parse(&["sunbeam", "build", "messages-backend"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesBackend));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_frontend() {
+        let cli = parse(&["sunbeam", "build", "messages-frontend"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesFrontend));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_mta_in() {
+        let cli = parse(&["sunbeam", "build", "messages-mta-in"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesMtaIn));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_mta_out() {
+        let cli = parse(&["sunbeam", "build", "messages-mta-out"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesMtaOut));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_mpa() {
+        let cli = parse(&["sunbeam", "build", "messages-mpa"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesMpa));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_socks_proxy() {
+        let cli = parse(&["sunbeam", "build", "messages-socks-proxy"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesSocksProxy));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    // 20. test_hire_date_validation
+    #[test]
+    fn test_hire_date_valid() {
+        let cli = parse(&[
+            "sunbeam", "user", "onboard", "a@b.com",
+            "--hire-date", "2026-01-15",
+        ]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::Onboard { hire_date, .. }) }) => {
+                assert_eq!(hire_date, "2026-01-15");
+            }
+            _ => panic!("expected User Onboard"),
+        }
+    }
+
+    #[test]
+    fn test_hire_date_invalid() {
+        let result = Cli::try_parse_from(&[
+            "sunbeam", "user", "onboard", "a@b.com",
+            "--hire-date", "not-a-date",
+        ]);
+        assert!(result.is_err());
+    }
+}
+
+/// Main dispatch function — parse CLI args and route to subcommands.
+pub async fn dispatch() -> Result<()> {
+    let cli = Cli::parse();
+
+    // Resolve the active context from config + CLI flags (like kubectl)
+    let config = crate::config::load_config();
+    let active = crate::config::resolve_context(
+        &config,
+        "",
+        cli.context.as_deref(),
+        &cli.domain,
+    );
+
+    // Initialize kube context from the resolved context
+    let kube_ctx_str = if active.kube_context.is_empty() {
+        "sunbeam".to_string()
+    } else {
+        active.kube_context.clone()
+    };
+    let ssh_host_str = active.ssh_host.clone();
+    crate::kube::set_context(&kube_ctx_str, &ssh_host_str);
+
+    // Store active context globally for other modules to read
+    crate::config::set_active_context(active);
+
+    match cli.verb {
+        None => {
+            // Print help via clap
+            use clap::CommandFactory;
+            Cli::command().print_help()?;
+            println!();
+            Ok(())
+        }
+
+        Some(Verb::Up) => crate::cluster::cmd_up().await,
+
+        Some(Verb::Status { target }) => {
+            crate::services::cmd_status(target.as_deref()).await
+        }
+
+        Some(Verb::Apply {
+            namespace,
+            apply_all,
+            domain,
+            email,
+        }) => {
+            let is_production = !crate::config::active_context().ssh_host.is_empty();
+            let env_str = if is_production { "production" } else { "local" };
+            let domain = if domain.is_empty() {
+                cli.domain.clone()
+            } else {
+                domain
+            };
+            let email = if email.is_empty() {
+                cli.email.clone()
+            } else {
+                email
+            };
+            let ns = namespace.unwrap_or_default();
+
+            // Production full-apply requires --all or confirmation
+            if is_production && ns.is_empty() && !apply_all {
+                crate::output::warn(
+                    "This will apply ALL namespaces to production.",
+                );
+                eprint!("  Continue? [y/N] ");
+                let mut answer = String::new();
+                std::io::stdin().read_line(&mut answer)?;
+                if !matches!(answer.trim().to_lowercase().as_str(), "y" | "yes") {
+                    println!("Aborted.");
+                    return Ok(());
+                }
+            }
+
+            crate::manifests::cmd_apply(&env_str, &domain, &email, &ns).await
+        }
+
+        Some(Verb::Seed) => crate::secrets::cmd_seed().await,
+
+        Some(Verb::Verify) => crate::secrets::cmd_verify().await,
+
+        Some(Verb::Logs { target, follow }) => {
+            crate::services::cmd_logs(&target, follow).await
+        }
+
+        Some(Verb::Get { target, output }) => {
+            crate::services::cmd_get(&target, &output).await
+        }
+
+        Some(Verb::Restart { target }) => {
+            crate::services::cmd_restart(target.as_deref()).await
+        }
+
+        Some(Verb::Build { what, push, deploy, no_cache }) => {
+            let push = push || deploy;
+            crate::images::cmd_build(&what, push, deploy, no_cache).await
+        }
+
+        Some(Verb::Check { target }) => {
+            crate::checks::cmd_check(target.as_deref()).await
+        }
+
+        Some(Verb::Mirror) => crate::images::cmd_mirror().await,
+
+        Some(Verb::Bootstrap) => crate::gitea::cmd_bootstrap().await,
+
+        Some(Verb::Config { action }) => match action {
+            None => {
+                use clap::CommandFactory;
+                // Print config subcommand help
+                let mut cmd = Cli::command();
+                let sub = cmd
+                    .find_subcommand_mut("config")
+                    .expect("config subcommand");
+                sub.print_help()?;
+                println!();
+                Ok(())
+            }
+            Some(ConfigAction::Set {
+                domain: set_domain,
+                host,
+                infra_dir,
+                acme_email,
+                context_name,
+            }) => {
+                let mut config = crate::config::load_config();
+                // Determine which context to modify
+                let ctx_name = if context_name.is_empty() {
+                    if !config.current_context.is_empty() {
+                        config.current_context.clone()
+                    } else {
+                        "production".to_string()
+                    }
+                } else {
+                    context_name
+                };
+
+                let ctx = config.contexts.entry(ctx_name.clone()).or_default();
+                if !set_domain.is_empty() {
+                    ctx.domain = set_domain;
+                }
+                if !host.is_empty() {
+                    ctx.ssh_host = host.clone();
+                    config.production_host = host; // keep legacy field in sync
+                }
+                if !infra_dir.is_empty() {
+                    ctx.infra_dir = infra_dir.clone();
+                    config.infra_directory = infra_dir;
+                }
+                if !acme_email.is_empty() {
+                    ctx.acme_email = acme_email.clone();
+                    config.acme_email = acme_email;
+                }
+                if config.current_context.is_empty() {
+                    config.current_context = ctx_name;
+                }
+                crate::config::save_config(&config)
+            }
+            Some(ConfigAction::UseContext { name }) => {
+                let mut config = crate::config::load_config();
+                if !config.contexts.contains_key(&name) {
+                    crate::output::warn(&format!("Context '{name}' does not exist. Creating empty context."));
+                    config.contexts.insert(name.clone(), crate::config::Context::default());
+                }
+                config.current_context = name.clone();
+                crate::config::save_config(&config)?;
+                crate::output::ok(&format!("Switched to context '{name}'."));
+                Ok(())
+            }
+            Some(ConfigAction::Get) => {
+                let config = crate::config::load_config();
+                let current = if config.current_context.is_empty() {
+                    "(none)"
+                } else {
+                    &config.current_context
+                };
+                crate::output::ok(&format!("Current context: {current}"));
+                println!();
+                for (name, ctx) in &config.contexts {
+                    let marker = if name == current { " *" } else { "" };
+                    crate::output::ok(&format!("Context: {name}{marker}"));
+                    if !ctx.domain.is_empty() {
+                        crate::output::ok(&format!("  domain:       {}", ctx.domain));
+                    }
+                    if !ctx.kube_context.is_empty() {
+                        crate::output::ok(&format!("  kube-context: {}", ctx.kube_context));
+                    }
+                    if !ctx.ssh_host.is_empty() {
+                        crate::output::ok(&format!("  ssh-host:     {}", ctx.ssh_host));
+                    }
+                    if !ctx.infra_dir.is_empty() {
+                        crate::output::ok(&format!("  infra-dir:    {}", ctx.infra_dir));
+                    }
+                    if !ctx.acme_email.is_empty() {
+                        crate::output::ok(&format!("  acme-email:   {}", ctx.acme_email));
+                    }
+                    println!();
+                }
+                Ok(())
+            }
+            Some(ConfigAction::Clear) => crate::config::clear_config(),
+        },
+
+        Some(Verb::K8s { kubectl_args }) => {
+            crate::kube::cmd_k8s(&kubectl_args).await
+        }
+
+        Some(Verb::Bao { bao_args }) => {
+            crate::kube::cmd_bao(&bao_args).await
+        }
+
+        Some(Verb::User { action }) => match action {
+            None => {
+                use clap::CommandFactory;
+                let mut cmd = Cli::command();
+                let sub = cmd
+                    .find_subcommand_mut("user")
+                    .expect("user subcommand");
+                sub.print_help()?;
+                println!();
+                Ok(())
+            }
+            Some(UserAction::List { search }) => {
+                crate::users::cmd_user_list(&search).await
+            }
+            Some(UserAction::Get { target }) => {
+                crate::users::cmd_user_get(&target).await
+            }
+            Some(UserAction::Create {
+                email,
+                name,
+                schema,
+            }) => crate::users::cmd_user_create(&email, &name, &schema).await,
+            Some(UserAction::Delete { target }) => {
+                crate::users::cmd_user_delete(&target).await
+            }
+            Some(UserAction::Recover { target }) => {
+                crate::users::cmd_user_recover(&target).await
+            }
+            Some(UserAction::Disable { target }) => {
+                crate::users::cmd_user_disable(&target).await
+            }
+            Some(UserAction::Enable { target }) => {
+                crate::users::cmd_user_enable(&target).await
+            }
+            Some(UserAction::SetPassword { target, password }) => {
+                let pw = match password {
+                    Some(p) => p,
+                    None => {
+                        eprint!("Password: ");
+                        let mut pw = String::new();
+                        std::io::stdin().read_line(&mut pw)?;
+                        pw.trim().to_string()
+                    }
+                };
+                crate::users::cmd_user_set_password(&target, &pw).await
+            }
+            Some(UserAction::Onboard {
+                email,
+                name,
+                schema,
+                no_email,
+                notify,
+                job_title,
+                department,
+                office_location,
+                hire_date,
+                manager,
+            }) => {
+                crate::users::cmd_user_onboard(
+                    &email,
+                    &name,
+                    &schema,
+                    !no_email,
+                    &notify,
+                    &job_title,
+                    &department,
+                    &office_location,
+                    &hire_date,
+                    &manager,
+                )
+                .await
+            }
+            Some(UserAction::Offboard { target }) => {
+                crate::users::cmd_user_offboard(&target).await
+            }
+        },
+
+        Some(Verb::Auth { action }) => match action {
+            None => crate::auth::cmd_auth_status().await,
+            Some(AuthAction::Login { domain }) => {
+                crate::auth::cmd_auth_login_all(domain.as_deref()).await
+            }
+            Some(AuthAction::Sso { domain }) => {
+                crate::auth::cmd_auth_sso_login(domain.as_deref()).await
+            }
+            Some(AuthAction::Git { domain }) => {
+                crate::auth::cmd_auth_git_login(domain.as_deref()).await
+            }
+            Some(AuthAction::Logout) => crate::auth::cmd_auth_logout().await,
+            Some(AuthAction::Status) => crate::auth::cmd_auth_status().await,
+        },
+
+        Some(Verb::Pm { action }) => match action {
+            None => {
+                use clap::CommandFactory;
+                let mut cmd = Cli::command();
+                let sub = cmd
+                    .find_subcommand_mut("pm")
+                    .expect("pm subcommand");
+                sub.print_help()?;
+                println!();
+                Ok(())
+            }
+            Some(PmAction::List { source, state }) => {
+                let src = if source == "all" { None } else { Some(source.as_str()) };
+                crate::pm::cmd_pm_list(src, &state).await
+            }
+            Some(PmAction::Show { id }) => {
+                crate::pm::cmd_pm_show(&id).await
+            }
+            Some(PmAction::Create { title, body, source, target }) => {
+                crate::pm::cmd_pm_create(&title, &body, &source, &target).await
+            }
+            Some(PmAction::Comment { id, text }) => {
+                crate::pm::cmd_pm_comment(&id, &text).await
+            }
+            Some(PmAction::Close { id }) => {
+                crate::pm::cmd_pm_close(&id).await
+            }
+            Some(PmAction::Assign { id, user }) => {
+                crate::pm::cmd_pm_assign(&id, &user).await
+            }
+        },
+
+        Some(Verb::Update) => crate::update::cmd_update().await,
+
+        Some(Verb::Version) => {
+            crate::update::cmd_version();
+            Ok(())
+        }
+    }
+}
diff --git a/src/cluster.rs b/src/cluster.rs
new file mode 100644
index 0000000..e5de3cf
--- /dev/null
+++ b/src/cluster.rs
@@ -0,0 +1,461 @@
+//! Cluster lifecycle — cert-manager, Linkerd, TLS, core service readiness.
+//!
+//! Pure K8s implementation: no Lima VM operations.
+
+use crate::constants::GITEA_ADMIN_USER;
+use crate::error::{Result, ResultExt, SunbeamError};
+use std::path::PathBuf;
+
+const CERT_MANAGER_URL: &str =
+    "https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml";
+
+const GATEWAY_API_CRDS_URL: &str =
+    "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml";
+
+fn secrets_dir() -> PathBuf {
+    crate::config::get_infra_dir()
+        .join("secrets")
+        .join("local")
+}
+
+// ---------------------------------------------------------------------------
+// cert-manager
+// ---------------------------------------------------------------------------
+
+async fn ensure_cert_manager() -> Result<()> {
+    crate::output::step("cert-manager...");
+
+    if crate::kube::ns_exists("cert-manager").await? {
+        crate::output::ok("Already installed.");
+        return Ok(());
+    }
+
+    crate::output::ok("Installing...");
+
+    // Download and apply cert-manager YAML
+    let body = reqwest::get(CERT_MANAGER_URL)
+        .await
+        .ctx("Failed to download cert-manager manifest")?
+        .text()
+        .await
+        .ctx("Failed to read cert-manager manifest body")?;
+
+    crate::kube::kube_apply(&body).await?;
+
+    // Wait for rollout
+    for dep in &[
+        "cert-manager",
+        "cert-manager-webhook",
+        "cert-manager-cainjector",
+    ] {
+        crate::output::ok(&format!("Waiting for {dep}..."));
+        wait_rollout("cert-manager", dep, 120).await?;
+    }
+
+    crate::output::ok("Installed.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Linkerd
+// ---------------------------------------------------------------------------
+
+async fn ensure_linkerd() -> Result<()> {
+    crate::output::step("Linkerd...");
+
+    if crate::kube::ns_exists("linkerd").await? {
+        crate::output::ok("Already installed.");
+        return Ok(());
+    }
+
+    // Gateway API CRDs
+    crate::output::ok("Installing Gateway API CRDs...");
+    let gateway_body = reqwest::get(GATEWAY_API_CRDS_URL)
+        .await
+        .ctx("Failed to download Gateway API CRDs")?
+        .text()
+        .await?;
+
+    // Gateway API CRDs require server-side apply; kube_apply already does SSA
+    crate::kube::kube_apply(&gateway_body).await?;
+
+    // Linkerd CRDs via subprocess (no pure HTTP source for linkerd manifests)
+    crate::output::ok("Installing Linkerd CRDs...");
+    let crds_output = tokio::process::Command::new("linkerd")
+        .args(["install", "--crds"])
+        .output()
+        .await
+        .ctx("Failed to run `linkerd install --crds`")?;
+
+    if !crds_output.status.success() {
+        let stderr = String::from_utf8_lossy(&crds_output.stderr);
+        return Err(SunbeamError::tool("linkerd", format!("install --crds failed: {stderr}")));
+    }
+    let crds = String::from_utf8_lossy(&crds_output.stdout);
+    crate::kube::kube_apply(&crds).await?;
+
+    // Linkerd control plane
+    crate::output::ok("Installing Linkerd control plane...");
+    let cp_output = tokio::process::Command::new("linkerd")
+        .args(["install"])
+        .output()
+        .await
+        .ctx("Failed to run `linkerd install`")?;
+
+    if !cp_output.status.success() {
+        let stderr = String::from_utf8_lossy(&cp_output.stderr);
+        return Err(SunbeamError::tool("linkerd", format!("install failed: {stderr}")));
+    }
+    let cp = String::from_utf8_lossy(&cp_output.stdout);
+    crate::kube::kube_apply(&cp).await?;
+
+    for dep in &[
+        "linkerd-identity",
+        "linkerd-destination",
+        "linkerd-proxy-injector",
+    ] {
+        crate::output::ok(&format!("Waiting for {dep}..."));
+        wait_rollout("linkerd", dep, 120).await?;
+    }
+
+    crate::output::ok("Installed.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// TLS certificate (rcgen)
+// ---------------------------------------------------------------------------
+
+async fn ensure_tls_cert(domain: &str) -> Result<()> {
+    crate::output::step("TLS certificate...");
+
+    let dir = secrets_dir();
+    let cert_path = dir.join("tls.crt");
+    let key_path = dir.join("tls.key");
+
+    if cert_path.exists() {
+        crate::output::ok(&format!("Cert exists. Domain: {domain}"));
+        return Ok(());
+    }
+
+    crate::output::ok(&format!("Generating wildcard cert for *.{domain}..."));
+    std::fs::create_dir_all(&dir)
+        .with_ctx(|| format!("Failed to create secrets dir: {}", dir.display()))?;
+
+    let subject_alt_names = vec![format!("*.{domain}")];
+    let mut params = rcgen::CertificateParams::new(subject_alt_names)
+        .map_err(|e| SunbeamError::kube(format!("Failed to create certificate params: {e}")))?;
+    params
+        .distinguished_name
+        .push(rcgen::DnType::CommonName, format!("*.{domain}"));
+
+    let key_pair = rcgen::KeyPair::generate()
+        .map_err(|e| SunbeamError::kube(format!("Failed to generate key pair: {e}")))?;
+    let cert = params
+        .self_signed(&key_pair)
+        .map_err(|e| SunbeamError::kube(format!("Failed to generate self-signed certificate: {e}")))?;
+
+    std::fs::write(&cert_path, cert.pem())
+        .with_ctx(|| format!("Failed to write {}", cert_path.display()))?;
+    std::fs::write(&key_path, key_pair.serialize_pem())
+        .with_ctx(|| format!("Failed to write {}", key_path.display()))?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        std::fs::set_permissions(&key_path, std::fs::Permissions::from_mode(0o600))?;
+    }
+
+    crate::output::ok(&format!("Cert generated. Domain: {domain}"));
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// TLS secret
+// ---------------------------------------------------------------------------
+
+async fn ensure_tls_secret(domain: &str) -> Result<()> {
+    crate::output::step("TLS secret...");
+
+    let _ = domain; // domain used contextually above; secret uses files
+    crate::kube::ensure_ns("ingress").await?;
+
+    let dir = secrets_dir();
+    let cert_pem =
+        std::fs::read_to_string(dir.join("tls.crt")).ctx("Failed to read tls.crt")?;
+    let key_pem =
+        std::fs::read_to_string(dir.join("tls.key")).ctx("Failed to read tls.key")?;
+
+    // Create TLS secret via kube-rs
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<k8s_openapi::api::core::v1::Secret> =
+        kube::api::Api::namespaced(client.clone(), "ingress");
+
+    let b64_cert = base64::Engine::encode(
+        &base64::engine::general_purpose::STANDARD,
+        cert_pem.as_bytes(),
+    );
+    let b64_key = base64::Engine::encode(
+        &base64::engine::general_purpose::STANDARD,
+        key_pem.as_bytes(),
+    );
+
+    let secret_obj = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "metadata": {
+            "name": "pingora-tls",
+            "namespace": "ingress",
+        },
+        "type": "kubernetes.io/tls",
+        "data": {
+            "tls.crt": b64_cert,
+            "tls.key": b64_key,
+        },
+    });
+
+    let pp = kube::api::PatchParams::apply("sunbeam").force();
+    api.patch("pingora-tls", &pp, &kube::api::Patch::Apply(secret_obj))
+        .await
+        .ctx("Failed to create TLS secret")?;
+
+    crate::output::ok("Done.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Wait for core
+// ---------------------------------------------------------------------------
+
+async fn wait_for_core() -> Result<()> {
+    crate::output::step("Waiting for core services...");
+
+    for (ns, dep) in &[("data", "valkey"), ("ory", "kratos"), ("ory", "hydra")] {
+        let _ = wait_rollout(ns, dep, 120).await;
+    }
+
+    crate::output::ok("Core services ready.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Print URLs
+// ---------------------------------------------------------------------------
+
+fn print_urls(domain: &str, _gitea_admin_pass: &str) {
+    let sep = "\u{2500}".repeat(60);
+    println!("\n{sep}");
+    println!("  Stack is up.  Domain: {domain}");
+    println!("{sep}");
+
+    let urls: &[(&str, String)] = &[
+        ("Auth", format!("https://auth.{domain}/")),
+        ("Docs", format!("https://docs.{domain}/")),
+        ("Meet", format!("https://meet.{domain}/")),
+        ("Drive", format!("https://drive.{domain}/")),
+        ("Chat", format!("https://chat.{domain}/")),
+        ("Mail", format!("https://mail.{domain}/")),
+        ("People", format!("https://people.{domain}/")),
+        (
+            "Gitea",
+            format!(
+                "https://src.{domain}/  ({GITEA_ADMIN_USER} / <from openbao>)"
+            ),
+        ),
+    ];
+
+    for (name, url) in urls {
+        println!("  {name:<10} {url}");
+    }
+
+    println!();
+    println!("  OpenBao UI:");
+    println!("    kubectl --context=sunbeam -n data port-forward svc/openbao 8200:8200");
+    println!("    http://localhost:8200");
+    println!(
+        "    token: kubectl --context=sunbeam -n data get secret openbao-keys \
+         -o jsonpath='{{.data.root-token}}' | base64 -d"
+    );
+    println!("{sep}\n");
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/// Poll deployment rollout status (approximate: check Available condition).
+async fn wait_rollout(ns: &str, deployment: &str, timeout_secs: u64) -> Result<()> {
+    use k8s_openapi::api::apps::v1::Deployment;
+    use std::time::{Duration, Instant};
+
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<Deployment> = kube::api::Api::namespaced(client.clone(), ns);
+
+    let deadline = Instant::now() + Duration::from_secs(timeout_secs);
+
+    loop {
+        if Instant::now() > deadline {
+            return Err(SunbeamError::kube(format!("Timed out waiting for deployment {ns}/{deployment}")));
+        }
+
+        match api.get_opt(deployment).await? {
+            Some(dep) => {
+                if let Some(status) = &dep.status {
+                    if let Some(conditions) = &status.conditions {
+                        let available = conditions.iter().any(|c| {
+                            c.type_ == "Available" && c.status == "True"
+                        });
+                        if available {
+                            return Ok(());
+                        }
+                    }
+                }
+            }
+            None => {
+                // Deployment doesn't exist yet — keep waiting
+            }
+        }
+
+        tokio::time::sleep(Duration::from_secs(3)).await;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Commands
+// ---------------------------------------------------------------------------
+
+/// Full cluster bring-up (pure K8s — no Lima VM operations).
+pub async fn cmd_up() -> Result<()> {
+    // Resolve domain from cluster state
+    let domain = crate::kube::get_domain().await?;
+
+    ensure_cert_manager().await?;
+    ensure_linkerd().await?;
+    ensure_tls_cert(&domain).await?;
+    ensure_tls_secret(&domain).await?;
+
+    // Apply manifests
+    crate::manifests::cmd_apply("local", &domain, "", "").await?;
+
+    // Seed secrets
+    crate::secrets::cmd_seed().await?;
+
+    // Gitea bootstrap
+    crate::gitea::cmd_bootstrap().await?;
+
+    // Mirror amd64-only images
+    crate::images::cmd_mirror().await?;
+
+    // Wait for core services
+    wait_for_core().await?;
+
+    // Get gitea admin password for URL display
+    let admin_pass = crate::kube::kube_get_secret_field(
+        "devtools",
+        "gitea-admin-credentials",
+        "password",
+    )
+    .await
+    .unwrap_or_default();
+
+    print_urls(&domain, &admin_pass);
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn cert_manager_url_points_to_github_release() {
+        assert!(CERT_MANAGER_URL.starts_with("https://github.com/cert-manager/cert-manager/"));
+        assert!(CERT_MANAGER_URL.contains("/releases/download/"));
+        assert!(CERT_MANAGER_URL.ends_with(".yaml"));
+    }
+
+    #[test]
+    fn cert_manager_url_has_version() {
+        // Verify the URL contains a version tag like v1.x.x
+        assert!(
+            CERT_MANAGER_URL.contains("/v1."),
+            "CERT_MANAGER_URL should reference a v1.x release"
+        );
+    }
+
+    #[test]
+    fn gateway_api_crds_url_points_to_github_release() {
+        assert!(GATEWAY_API_CRDS_URL
+            .starts_with("https://github.com/kubernetes-sigs/gateway-api/"));
+        assert!(GATEWAY_API_CRDS_URL.contains("/releases/download/"));
+        assert!(GATEWAY_API_CRDS_URL.ends_with(".yaml"));
+    }
+
+    #[test]
+    fn gateway_api_crds_url_has_version() {
+        assert!(
+            GATEWAY_API_CRDS_URL.contains("/v1."),
+            "GATEWAY_API_CRDS_URL should reference a v1.x release"
+        );
+    }
+
+    #[test]
+    fn secrets_dir_ends_with_secrets_local() {
+        let dir = secrets_dir();
+        assert!(
+            dir.ends_with("secrets/local"),
+            "secrets_dir() should end with secrets/local, got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn secrets_dir_has_at_least_three_components() {
+        let dir = secrets_dir();
+        let components: Vec<_> = dir.components().collect();
+        assert!(
+            components.len() >= 3,
+            "secrets_dir() should have at least 3 path components (base/secrets/local), got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn gitea_admin_user_constant() {
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+    }
+
+    #[test]
+    fn print_urls_contains_expected_services() {
+        // Capture print_urls output by checking the URL construction logic.
+        // We can't easily capture stdout in unit tests, but we can verify
+        // the URL format matches expectations.
+        let domain = "test.local";
+        let expected_urls = [
+            format!("https://auth.{domain}/"),
+            format!("https://docs.{domain}/"),
+            format!("https://meet.{domain}/"),
+            format!("https://drive.{domain}/"),
+            format!("https://chat.{domain}/"),
+            format!("https://mail.{domain}/"),
+            format!("https://people.{domain}/"),
+            format!("https://src.{domain}/"),
+        ];
+
+        // Verify URL patterns are valid
+        for url in &expected_urls {
+            assert!(url.starts_with("https://"));
+            assert!(url.contains(domain));
+        }
+    }
+
+    #[test]
+    fn print_urls_gitea_includes_credentials() {
+        let domain = "example.local";
+        let gitea_url = format!(
+            "https://src.{domain}/  ({GITEA_ADMIN_USER} / <from openbao>)"
+        );
+        assert!(gitea_url.contains(GITEA_ADMIN_USER));
+        assert!(gitea_url.contains("<from openbao>"));
+        assert!(gitea_url.contains(&format!("src.{domain}")));
+    }
+}
diff --git a/src/config.rs b/src/config.rs
new file mode 100644
index 0000000..b5b9726
--- /dev/null
+++ b/src/config.rs
@@ -0,0 +1,404 @@
+use crate::error::{Result, ResultExt, SunbeamError};
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::path::PathBuf;
+use std::sync::OnceLock;
+
+// ---------------------------------------------------------------------------
+// Config data model
+// ---------------------------------------------------------------------------
+
+/// Sunbeam configuration stored at ~/.sunbeam.json.
+///
+/// Supports kubectl-style named contexts. Each context bundles a domain,
+/// kube context, SSH host, and infrastructure directory.
+#[derive(Debug, Clone, Default, Serialize, Deserialize)]
+pub struct SunbeamConfig {
+    /// The active context name. If empty, uses "default".
+    #[serde(default, rename = "current-context")]
+    pub current_context: String,
+
+    /// Named contexts.
+    #[serde(default)]
+    pub contexts: HashMap<String, Context>,
+
+    // --- Legacy fields (migrated on load) ---
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub production_host: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub infra_directory: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub acme_email: String,
+}
+
+/// A named context — everything needed to target a specific environment.
+#[derive(Debug, Clone, Default, Serialize, Deserialize)]
+pub struct Context {
+    /// The domain suffix (e.g. "sunbeam.pt", "192.168.105.3.sslip.io").
+    #[serde(default)]
+    pub domain: String,
+
+    /// Kubernetes context name (e.g. "production", "sunbeam").
+    #[serde(default, rename = "kube-context")]
+    pub kube_context: String,
+
+    /// SSH host for production tunnel (e.g. "sienna@62.210.145.138").
+    #[serde(default, rename = "ssh-host")]
+    pub ssh_host: String,
+
+    /// Infrastructure directory root.
+    #[serde(default, rename = "infra-dir")]
+    pub infra_dir: String,
+
+    /// ACME email for cert-manager.
+    #[serde(default, rename = "acme-email")]
+    pub acme_email: String,
+}
+
+// ---------------------------------------------------------------------------
+// Active context (set once at startup, read everywhere)
+// ---------------------------------------------------------------------------
+
+static ACTIVE_CONTEXT: OnceLock<Context> = OnceLock::new();
+
+/// Initialize the active context. Called once from cli::dispatch().
+pub fn set_active_context(ctx: Context) {
+    let _ = ACTIVE_CONTEXT.set(ctx);
+}
+
+/// Get the active context. Panics if not initialized (should never happen
+/// after dispatch starts).
+pub fn active_context() -> &'static Context {
+    ACTIVE_CONTEXT.get().expect("active context not initialized")
+}
+
+/// Get the domain from the active context. Returns empty string if not set.
+pub fn domain() -> &'static str {
+    ACTIVE_CONTEXT
+        .get()
+        .map(|c| c.domain.as_str())
+        .unwrap_or("")
+}
+
+// ---------------------------------------------------------------------------
+// Config file I/O
+// ---------------------------------------------------------------------------
+
+fn config_path() -> PathBuf {
+    dirs::home_dir()
+        .unwrap_or_else(|| PathBuf::from("."))
+        .join(".sunbeam.json")
+}
+
+/// Load configuration from ~/.sunbeam.json, return default if not found.
+/// Migrates legacy flat config to context-based format.
+pub fn load_config() -> SunbeamConfig {
+    let path = config_path();
+    if !path.exists() {
+        return SunbeamConfig::default();
+    }
+    let mut config: SunbeamConfig = match std::fs::read_to_string(&path) {
+        Ok(content) => serde_json::from_str(&content).unwrap_or_else(|e| {
+            crate::output::warn(&format!(
+                "Failed to parse config from {}: {e}",
+                path.display()
+            ));
+            SunbeamConfig::default()
+        }),
+        Err(e) => {
+            crate::output::warn(&format!(
+                "Failed to read config from {}: {e}",
+                path.display()
+            ));
+            SunbeamConfig::default()
+        }
+    };
+
+    // Migrate legacy flat fields into a "production" context
+    if !config.production_host.is_empty() && !config.contexts.contains_key("production") {
+        let domain = derive_domain_from_host(&config.production_host);
+        config.contexts.insert(
+            "production".to_string(),
+            Context {
+                domain,
+                kube_context: "production".to_string(),
+                ssh_host: config.production_host.clone(),
+                infra_dir: config.infra_directory.clone(),
+                acme_email: config.acme_email.clone(),
+            },
+        );
+        if config.current_context.is_empty() {
+            config.current_context = "production".to_string();
+        }
+    }
+
+    config
+}
+
+/// Save configuration to ~/.sunbeam.json.
+pub fn save_config(config: &SunbeamConfig) -> Result<()> {
+    let path = config_path();
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent).with_ctx(|| {
+            format!("Failed to create config directory: {}", parent.display())
+        })?;
+    }
+    let content = serde_json::to_string_pretty(config)?;
+    std::fs::write(&path, content)
+        .with_ctx(|| format!("Failed to save config to {}", path.display()))?;
+    crate::output::ok(&format!("Configuration saved to {}", path.display()));
+    Ok(())
+}
+
+/// Resolve the context to use, given CLI flags and config.
+///
+/// Priority (same as kubectl):
+///   1. `--context` flag (explicit context name)
+///   2. `current-context` from config
+///   3. Default to "local"
+pub fn resolve_context(
+    config: &SunbeamConfig,
+    _env_flag: &str,
+    context_override: Option<&str>,
+    domain_override: &str,
+) -> Context {
+    let context_name = if let Some(explicit) = context_override {
+        explicit.to_string()
+    } else if !config.current_context.is_empty() {
+        config.current_context.clone()
+    } else {
+        "local".to_string()
+    };
+
+    let mut ctx = config
+        .contexts
+        .get(&context_name)
+        .cloned()
+        .unwrap_or_else(|| {
+            // Synthesize defaults for well-known names
+            match context_name.as_str() {
+                "local" => Context {
+                    kube_context: "sunbeam".to_string(),
+                    ..Default::default()
+                },
+                "production" => Context {
+                    kube_context: "production".to_string(),
+                    ssh_host: config.production_host.clone(),
+                    infra_dir: config.infra_directory.clone(),
+                    acme_email: config.acme_email.clone(),
+                    domain: derive_domain_from_host(&config.production_host),
+                    ..Default::default()
+                },
+                _ => Default::default(),
+            }
+        });
+
+    // CLI flags override context values
+    if !domain_override.is_empty() {
+        ctx.domain = domain_override.to_string();
+    }
+
+    ctx
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/// Derive a domain from an SSH host (e.g. "user@admin.sunbeam.pt" → "sunbeam.pt").
+fn derive_domain_from_host(host: &str) -> String {
+    let raw = host.split('@').last().unwrap_or(host);
+    let raw = raw.split(':').next().unwrap_or(raw);
+    let parts: Vec<&str> = raw.split('.').collect();
+    if parts.len() >= 2 {
+        format!("{}.{}", parts[parts.len() - 2], parts[parts.len() - 1])
+    } else {
+        String::new()
+    }
+}
+
+/// Get production host from config or SUNBEAM_SSH_HOST environment variable.
+pub fn get_production_host() -> String {
+    let config = load_config();
+    // Check active context first
+    if let Some(ctx) = ACTIVE_CONTEXT.get() {
+        if !ctx.ssh_host.is_empty() {
+            return ctx.ssh_host.clone();
+        }
+    }
+    if !config.production_host.is_empty() {
+        return config.production_host;
+    }
+    std::env::var("SUNBEAM_SSH_HOST").unwrap_or_default()
+}
+
+/// Infrastructure manifests directory as a Path.
+pub fn get_infra_dir() -> PathBuf {
+    // Check active context
+    if let Some(ctx) = ACTIVE_CONTEXT.get() {
+        if !ctx.infra_dir.is_empty() {
+            return PathBuf::from(&ctx.infra_dir);
+        }
+    }
+    let configured = load_config().infra_directory;
+    if !configured.is_empty() {
+        return PathBuf::from(configured);
+    }
+    // Dev fallback
+    std::env::current_exe()
+        .ok()
+        .and_then(|p| p.canonicalize().ok())
+        .and_then(|p| {
+            let mut dir = p.as_path();
+            for _ in 0..10 {
+                dir = dir.parent()?;
+                if dir.join("infrastructure").is_dir() {
+                    return Some(dir.join("infrastructure"));
+                }
+            }
+            None
+        })
+        .unwrap_or_else(|| PathBuf::from("infrastructure"))
+}
+
+/// Monorepo root directory (parent of the infrastructure directory).
+pub fn get_repo_root() -> PathBuf {
+    get_infra_dir()
+        .parent()
+        .map(|p| p.to_path_buf())
+        .unwrap_or_else(|| PathBuf::from("."))
+}
+
+/// Clear configuration file.
+pub fn clear_config() -> Result<()> {
+    let path = config_path();
+    if path.exists() {
+        std::fs::remove_file(&path)
+            .with_ctx(|| format!("Failed to remove {}", path.display()))?;
+        crate::output::ok(&format!("Configuration cleared from {}", path.display()));
+    } else {
+        crate::output::warn("No configuration file found to clear");
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_default_config() {
+        let config = SunbeamConfig::default();
+        assert!(config.current_context.is_empty());
+        assert!(config.contexts.is_empty());
+    }
+
+    #[test]
+    fn test_derive_domain_from_host() {
+        assert_eq!(derive_domain_from_host("sienna@admin.sunbeam.pt"), "sunbeam.pt");
+        assert_eq!(derive_domain_from_host("user@62.210.145.138"), "145.138");
+        assert_eq!(derive_domain_from_host("sunbeam.pt"), "sunbeam.pt");
+        assert_eq!(derive_domain_from_host("localhost"), "");
+    }
+
+    #[test]
+    fn test_legacy_migration() {
+        let json = r#"{
+            "production_host": "sienna@62.210.145.138",
+            "infra_directory": "/path/to/infra",
+            "acme_email": "ops@sunbeam.pt"
+        }"#;
+        let config: SunbeamConfig = serde_json::from_str(json).unwrap();
+        // After load_config migration, contexts would be populated.
+        // Here we just test the struct deserializes legacy fields.
+        assert_eq!(config.production_host, "sienna@62.210.145.138");
+        assert!(config.contexts.is_empty()); // migration happens in load_config()
+    }
+
+    #[test]
+    fn test_context_roundtrip() {
+        let mut config = SunbeamConfig::default();
+        config.current_context = "production".to_string();
+        config.contexts.insert(
+            "production".to_string(),
+            Context {
+                domain: "sunbeam.pt".to_string(),
+                kube_context: "production".to_string(),
+                ssh_host: "sienna@server.sunbeam.pt".to_string(),
+                infra_dir: "/home/infra".to_string(),
+                acme_email: "ops@sunbeam.pt".to_string(),
+            },
+        );
+        let json = serde_json::to_string(&config).unwrap();
+        let loaded: SunbeamConfig = serde_json::from_str(&json).unwrap();
+        assert_eq!(loaded.current_context, "production");
+        let ctx = loaded.contexts.get("production").unwrap();
+        assert_eq!(ctx.domain, "sunbeam.pt");
+        assert_eq!(ctx.ssh_host, "sienna@server.sunbeam.pt");
+    }
+
+    #[test]
+    fn test_resolve_context_explicit_flag() {
+        let mut config = SunbeamConfig::default();
+        config.contexts.insert(
+            "production".to_string(),
+            Context {
+                domain: "sunbeam.pt".to_string(),
+                kube_context: "production".to_string(),
+                ..Default::default()
+            },
+        );
+        // --context production explicitly selects the named context
+        let ctx = resolve_context(&config, "", Some("production"), "");
+        assert_eq!(ctx.domain, "sunbeam.pt");
+        assert_eq!(ctx.kube_context, "production");
+    }
+
+    #[test]
+    fn test_resolve_context_current_context() {
+        let mut config = SunbeamConfig::default();
+        config.current_context = "staging".to_string();
+        config.contexts.insert(
+            "staging".to_string(),
+            Context {
+                domain: "staging.example.com".to_string(),
+                ..Default::default()
+            },
+        );
+        // No --context flag, uses current-context
+        let ctx = resolve_context(&config, "", None, "");
+        assert_eq!(ctx.domain, "staging.example.com");
+    }
+
+    #[test]
+    fn test_resolve_context_domain_override() {
+        let config = SunbeamConfig::default();
+        let ctx = resolve_context(&config, "", None, "custom.example.com");
+        assert_eq!(ctx.domain, "custom.example.com");
+    }
+
+    #[test]
+    fn test_resolve_context_defaults_local() {
+        let config = SunbeamConfig::default();
+        // No current-context, no --context flag → defaults to "local"
+        let ctx = resolve_context(&config, "", None, "");
+        assert_eq!(ctx.kube_context, "sunbeam");
+    }
+
+    #[test]
+    fn test_resolve_context_flag_overrides_current() {
+        let mut config = SunbeamConfig::default();
+        config.current_context = "staging".to_string();
+        config.contexts.insert(
+            "staging".to_string(),
+            Context { domain: "staging.example.com".to_string(), ..Default::default() },
+        );
+        config.contexts.insert(
+            "prod".to_string(),
+            Context { domain: "prod.example.com".to_string(), ..Default::default() },
+        );
+        // --context prod overrides current-context "staging"
+        let ctx = resolve_context(&config, "", Some("prod"), "");
+        assert_eq!(ctx.domain, "prod.example.com");
+    }
+}
diff --git a/src/constants.rs b/src/constants.rs
new file mode 100644
index 0000000..5ab992e
--- /dev/null
+++ b/src/constants.rs
@@ -0,0 +1,16 @@
+//! Shared constants used across multiple modules.
+
+pub const GITEA_ADMIN_USER: &str = "gitea_admin";
+
+pub const MANAGED_NS: &[&str] = &[
+    "data",
+    "devtools",
+    "ingress",
+    "lasuite",
+    "matrix",
+    "media",
+    "monitoring",
+    "ory",
+    "storage",
+    "vault-secrets-operator",
+];
diff --git a/src/error.rs b/src/error.rs
new file mode 100644
index 0000000..470774f
--- /dev/null
+++ b/src/error.rs
@@ -0,0 +1,365 @@
+//! Unified error tree for the sunbeam CLI.
+//!
+//! Every module returns `Result<T, SunbeamError>`. Errors bubble up to `main`,
+//! which maps them to exit codes and log output.
+
+/// Exit codes for the sunbeam CLI.
+#[allow(dead_code)]
+pub mod exit {
+    pub const SUCCESS: i32 = 0;
+    pub const GENERAL: i32 = 1;
+    pub const USAGE: i32 = 2;
+    pub const KUBE: i32 = 3;
+    pub const CONFIG: i32 = 4;
+    pub const NETWORK: i32 = 5;
+    pub const SECRETS: i32 = 6;
+    pub const BUILD: i32 = 7;
+    pub const IDENTITY: i32 = 8;
+    pub const EXTERNAL_TOOL: i32 = 9;
+}
+
+/// Top-level error type for the sunbeam CLI.
+///
+/// Each variant maps to a logical error category with its own exit code.
+/// Leaf errors (io, json, yaml, kube, reqwest, etc.) are converted via `From` impls.
+#[derive(Debug, thiserror::Error)]
+pub enum SunbeamError {
+    /// Kubernetes API or cluster-related error.
+    #[error("{context}")]
+    Kube {
+        context: String,
+        #[source]
+        source: Option<kube::Error>,
+    },
+
+    /// Configuration error (missing config, invalid config, bad arguments).
+    #[error("{0}")]
+    Config(String),
+
+    /// Network/HTTP error.
+    #[error("{context}")]
+    Network {
+        context: String,
+        #[source]
+        source: Option<reqwest::Error>,
+    },
+
+    /// OpenBao / Vault error.
+    #[error("{0}")]
+    Secrets(String),
+
+    /// Image build error.
+    #[error("{0}")]
+    Build(String),
+
+    /// Identity / user management error (Kratos, Hydra).
+    #[error("{0}")]
+    Identity(String),
+
+    /// External tool error (kustomize, linkerd, buildctl, yarn, etc.).
+    #[error("{tool}: {detail}")]
+    ExternalTool { tool: String, detail: String },
+
+    /// IO error.
+    #[error("{context}: {source}")]
+    Io {
+        context: String,
+        source: std::io::Error,
+    },
+
+    /// JSON serialization/deserialization error.
+    #[error("{0}")]
+    Json(#[from] serde_json::Error),
+
+    /// YAML serialization/deserialization error.
+    #[error("{0}")]
+    Yaml(#[from] serde_yaml::Error),
+
+    /// Catch-all for errors that don't fit a specific category.
+    #[error("{0}")]
+    Other(String),
+}
+
+/// Convenience type alias used throughout the codebase.
+pub type Result<T> = std::result::Result<T, SunbeamError>;
+
+impl SunbeamError {
+    /// Map this error to a process exit code.
+    pub fn exit_code(&self) -> i32 {
+        match self {
+            SunbeamError::Config(_) => exit::CONFIG,
+            SunbeamError::Kube { .. } => exit::KUBE,
+            SunbeamError::Network { .. } => exit::NETWORK,
+            SunbeamError::Secrets(_) => exit::SECRETS,
+            SunbeamError::Build(_) => exit::BUILD,
+            SunbeamError::Identity(_) => exit::IDENTITY,
+            SunbeamError::ExternalTool { .. } => exit::EXTERNAL_TOOL,
+            SunbeamError::Io { .. } => exit::GENERAL,
+            SunbeamError::Json(_) => exit::GENERAL,
+            SunbeamError::Yaml(_) => exit::GENERAL,
+            SunbeamError::Other(_) => exit::GENERAL,
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// From impls for automatic conversion
+// ---------------------------------------------------------------------------
+
+impl From<kube::Error> for SunbeamError {
+    fn from(e: kube::Error) -> Self {
+        SunbeamError::Kube {
+            context: e.to_string(),
+            source: Some(e),
+        }
+    }
+}
+
+impl From<reqwest::Error> for SunbeamError {
+    fn from(e: reqwest::Error) -> Self {
+        SunbeamError::Network {
+            context: e.to_string(),
+            source: Some(e),
+        }
+    }
+}
+
+impl From<std::io::Error> for SunbeamError {
+    fn from(e: std::io::Error) -> Self {
+        SunbeamError::Io {
+            context: "IO error".into(),
+            source: e,
+        }
+    }
+}
+
+impl From<lettre::transport::smtp::Error> for SunbeamError {
+    fn from(e: lettre::transport::smtp::Error) -> Self {
+        SunbeamError::Network {
+            context: format!("SMTP error: {e}"),
+            source: None,
+        }
+    }
+}
+
+impl From<lettre::error::Error> for SunbeamError {
+    fn from(e: lettre::error::Error) -> Self {
+        SunbeamError::Other(format!("Email error: {e}"))
+    }
+}
+
+impl From<base64::DecodeError> for SunbeamError {
+    fn from(e: base64::DecodeError) -> Self {
+        SunbeamError::Other(format!("Base64 decode error: {e}"))
+    }
+}
+
+impl From<std::string::FromUtf8Error> for SunbeamError {
+    fn from(e: std::string::FromUtf8Error) -> Self {
+        SunbeamError::Other(format!("UTF-8 error: {e}"))
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Context extension trait (replaces anyhow's .context())
+// ---------------------------------------------------------------------------
+
+/// Extension trait that adds `.ctx()` to `Result<T, E>` for adding context strings.
+/// Replaces `anyhow::Context`.
+pub trait ResultExt<T> {
+    /// Add context to an error, converting it to `SunbeamError`.
+    fn ctx(self, context: &str) -> Result<T>;
+
+    /// Add lazy context to an error.
+    fn with_ctx<F: FnOnce() -> String>(self, f: F) -> Result<T>;
+}
+
+impl<T, E: Into<SunbeamError>> ResultExt<T> for std::result::Result<T, E> {
+    fn ctx(self, context: &str) -> Result<T> {
+        self.map_err(|e| {
+            let inner = e.into();
+            match inner {
+                SunbeamError::Kube { source, .. } => SunbeamError::Kube {
+                    context: context.to_string(),
+                    source,
+                },
+                SunbeamError::Network { source, .. } => SunbeamError::Network {
+                    context: context.to_string(),
+                    source,
+                },
+                SunbeamError::Io { source, .. } => SunbeamError::Io {
+                    context: context.to_string(),
+                    source,
+                },
+                SunbeamError::Secrets(msg) => SunbeamError::Secrets(format!("{context}: {msg}")),
+                SunbeamError::Config(msg) => SunbeamError::Config(format!("{context}: {msg}")),
+                SunbeamError::Build(msg) => SunbeamError::Build(format!("{context}: {msg}")),
+                SunbeamError::Identity(msg) => SunbeamError::Identity(format!("{context}: {msg}")),
+                SunbeamError::ExternalTool { tool, detail } => SunbeamError::ExternalTool {
+                    tool,
+                    detail: format!("{context}: {detail}"),
+                },
+                other => SunbeamError::Other(format!("{context}: {other}")),
+            }
+        })
+    }
+
+    fn with_ctx<F: FnOnce() -> String>(self, f: F) -> Result<T> {
+        self.map_err(|e| {
+            let context = f();
+            let inner = e.into();
+            match inner {
+                SunbeamError::Kube { source, .. } => SunbeamError::Kube {
+                    context,
+                    source,
+                },
+                SunbeamError::Network { source, .. } => SunbeamError::Network {
+                    context,
+                    source,
+                },
+                SunbeamError::Io { source, .. } => SunbeamError::Io {
+                    context,
+                    source,
+                },
+                SunbeamError::Secrets(msg) => SunbeamError::Secrets(format!("{context}: {msg}")),
+                SunbeamError::Config(msg) => SunbeamError::Config(format!("{context}: {msg}")),
+                SunbeamError::Build(msg) => SunbeamError::Build(format!("{context}: {msg}")),
+                SunbeamError::Identity(msg) => SunbeamError::Identity(format!("{context}: {msg}")),
+                SunbeamError::ExternalTool { tool, detail } => SunbeamError::ExternalTool {
+                    tool,
+                    detail: format!("{context}: {detail}"),
+                },
+                other => SunbeamError::Other(format!("{context}: {other}")),
+            }
+        })
+    }
+}
+
+impl<T> ResultExt<T> for Option<T> {
+    fn ctx(self, context: &str) -> Result<T> {
+        self.ok_or_else(|| SunbeamError::Other(context.to_string()))
+    }
+
+    fn with_ctx<F: FnOnce() -> String>(self, f: F) -> Result<T> {
+        self.ok_or_else(|| SunbeamError::Other(f()))
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Convenience constructors
+// ---------------------------------------------------------------------------
+
+impl SunbeamError {
+    pub fn kube(context: impl Into<String>) -> Self {
+        SunbeamError::Kube {
+            context: context.into(),
+            source: None,
+        }
+    }
+
+    pub fn config(msg: impl Into<String>) -> Self {
+        SunbeamError::Config(msg.into())
+    }
+
+    pub fn network(context: impl Into<String>) -> Self {
+        SunbeamError::Network {
+            context: context.into(),
+            source: None,
+        }
+    }
+
+    pub fn secrets(msg: impl Into<String>) -> Self {
+        SunbeamError::Secrets(msg.into())
+    }
+
+    pub fn build(msg: impl Into<String>) -> Self {
+        SunbeamError::Build(msg.into())
+    }
+
+    pub fn identity(msg: impl Into<String>) -> Self {
+        SunbeamError::Identity(msg.into())
+    }
+
+    pub fn tool(tool: impl Into<String>, detail: impl Into<String>) -> Self {
+        SunbeamError::ExternalTool {
+            tool: tool.into(),
+            detail: detail.into(),
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// bail! macro replacement
+// ---------------------------------------------------------------------------
+
+/// Like anyhow::bail! but produces a SunbeamError::Other.
+#[macro_export]
+macro_rules! bail {
+    ($($arg:tt)*) => {
+        return Err($crate::error::SunbeamError::Other(format!($($arg)*)))
+    };
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_exit_codes() {
+        assert_eq!(SunbeamError::config("bad").exit_code(), exit::CONFIG);
+        assert_eq!(SunbeamError::kube("fail").exit_code(), exit::KUBE);
+        assert_eq!(SunbeamError::network("fail").exit_code(), exit::NETWORK);
+        assert_eq!(SunbeamError::secrets("fail").exit_code(), exit::SECRETS);
+        assert_eq!(SunbeamError::build("fail").exit_code(), exit::BUILD);
+        assert_eq!(SunbeamError::identity("fail").exit_code(), exit::IDENTITY);
+        assert_eq!(
+            SunbeamError::tool("kustomize", "not found").exit_code(),
+            exit::EXTERNAL_TOOL
+        );
+        assert_eq!(SunbeamError::Other("oops".into()).exit_code(), exit::GENERAL);
+    }
+
+    #[test]
+    fn test_display_formatting() {
+        let e = SunbeamError::tool("kustomize", "build failed");
+        assert_eq!(e.to_string(), "kustomize: build failed");
+
+        let e = SunbeamError::config("missing --domain");
+        assert_eq!(e.to_string(), "missing --domain");
+    }
+
+    #[test]
+    fn test_kube_from() {
+        // Just verify the From impl compiles and categorizes correctly
+        let e = SunbeamError::kube("test");
+        assert!(matches!(e, SunbeamError::Kube { .. }));
+    }
+
+    #[test]
+    fn test_context_extension() {
+        let result: std::result::Result<(), std::io::Error> =
+            Err(std::io::Error::new(std::io::ErrorKind::NotFound, "gone"));
+        let mapped = result.ctx("reading config");
+        assert!(mapped.is_err());
+        let e = mapped.unwrap_err();
+        assert!(e.to_string().starts_with("reading config"));
+        assert_eq!(e.exit_code(), exit::GENERAL); // IO maps to general
+    }
+
+    #[test]
+    fn test_option_context() {
+        let val: Option<i32> = None;
+        let result = val.ctx("value not found");
+        assert!(result.is_err());
+        assert_eq!(result.unwrap_err().to_string(), "value not found");
+    }
+
+    #[test]
+    fn test_bail_macro() {
+        fn failing() -> Result<()> {
+            bail!("something went wrong: {}", 42);
+        }
+        let e = failing().unwrap_err();
+        assert_eq!(e.to_string(), "something went wrong: 42");
+    }
+}
diff --git a/src/gitea.rs b/src/gitea.rs
new file mode 100644
index 0000000..b94924c
--- /dev/null
+++ b/src/gitea.rs
@@ -0,0 +1,429 @@
+//! Gitea bootstrap -- admin setup, org creation, OIDC auth source configuration.
+
+use crate::error::Result;
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ListParams};
+use serde_json::Value;
+
+use crate::kube::{get_client, get_domain, kube_exec, kube_get_secret_field};
+use crate::output::{ok, step, warn};
+
+const GITEA_ADMIN_USER: &str = "gitea_admin";
+const GITEA_ADMIN_EMAIL: &str = "gitea@local.domain";
+
+/// Bootstrap Gitea: set admin password, create orgs, configure OIDC.
+pub async fn cmd_bootstrap() -> Result<()> {
+    let domain = get_domain().await?;
+
+    // Retrieve gitea admin password from cluster secret
+    let gitea_admin_pass = kube_get_secret_field("devtools", "gitea-admin-credentials", "password")
+        .await
+        .unwrap_or_default();
+
+    if gitea_admin_pass.is_empty() {
+        warn("gitea-admin-credentials password not found -- cannot bootstrap.");
+        return Ok(());
+    }
+
+    step("Bootstrapping Gitea...");
+
+    // Wait for a Running + Ready Gitea pod
+    let pod_name = wait_for_gitea_pod().await?;
+    let Some(pod) = pod_name else {
+        warn("Gitea pod not ready after 3 min -- skipping bootstrap.");
+        return Ok(());
+    };
+
+    // Set admin password
+    set_admin_password(&pod, &gitea_admin_pass).await?;
+
+    // Mark admin as private
+    mark_admin_private(&pod, &gitea_admin_pass).await?;
+
+    // Create orgs
+    create_orgs(&pod, &gitea_admin_pass).await?;
+
+    // Configure OIDC auth source
+    configure_oidc(&pod, &gitea_admin_pass).await?;
+
+    ok(&format!(
+        "Gitea ready -- https://src.{domain} ({GITEA_ADMIN_USER} / <from openbao>)"
+    ));
+    Ok(())
+}
+
+/// Wait for a Running + Ready Gitea pod (up to 3 minutes).
+async fn wait_for_gitea_pod() -> Result<Option<String>> {
+    let client = get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "devtools");
+
+    for _ in 0..60 {
+        let lp = ListParams::default().labels("app.kubernetes.io/name=gitea");
+        if let Ok(pod_list) = pods.list(&lp).await {
+            for pod in &pod_list.items {
+                let phase = pod
+                    .status
+                    .as_ref()
+                    .and_then(|s| s.phase.as_deref())
+                    .unwrap_or("");
+
+                if phase != "Running" {
+                    continue;
+                }
+
+                let ready = pod
+                    .status
+                    .as_ref()
+                    .and_then(|s| s.container_statuses.as_ref())
+                    .and_then(|cs| cs.first())
+                    .map(|c| c.ready)
+                    .unwrap_or(false);
+
+                if ready {
+                    let name = pod
+                        .metadata
+                        .name
+                        .as_deref()
+                        .unwrap_or("")
+                        .to_string();
+                    if !name.is_empty() {
+                        return Ok(Some(name));
+                    }
+                }
+            }
+        }
+        tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+    }
+
+    Ok(None)
+}
+
+/// Set the admin password via gitea CLI exec.
+async fn set_admin_password(pod: &str, password: &str) -> Result<()> {
+    let (code, output) = kube_exec(
+        "devtools",
+        pod,
+        &[
+            "gitea",
+            "admin",
+            "user",
+            "change-password",
+            "--username",
+            GITEA_ADMIN_USER,
+            "--password",
+            password,
+            "--must-change-password=false",
+        ],
+        Some("gitea"),
+    )
+    .await?;
+
+    if code == 0 || output.to_lowercase().contains("password") {
+        ok(&format!("Admin '{GITEA_ADMIN_USER}' password set."));
+    } else {
+        warn(&format!("change-password: {output}"));
+    }
+    Ok(())
+}
+
+/// Call Gitea API via kubectl exec + curl inside the pod.
+async fn gitea_api(
+    pod: &str,
+    method: &str,
+    path: &str,
+    password: &str,
+    data: Option<&Value>,
+) -> Result<Value> {
+    let url = format!("http://localhost:3000/api/v1{path}");
+    let auth = format!("{GITEA_ADMIN_USER}:{password}");
+
+    let mut args = vec![
+        "curl", "-s", "-X", method, &url, "-H", "Content-Type: application/json", "-u", &auth,
+    ];
+
+    let data_str;
+    if let Some(d) = data {
+        data_str = serde_json::to_string(d)?;
+        args.push("-d");
+        args.push(&data_str);
+    }
+
+    let (_, stdout) = kube_exec("devtools", pod, &args, Some("gitea")).await?;
+
+    Ok(serde_json::from_str(&stdout).unwrap_or(Value::Object(Default::default())))
+}
+
+/// Mark the admin account as private.
+async fn mark_admin_private(pod: &str, password: &str) -> Result<()> {
+    let data = serde_json::json!({
+        "source_id": 0,
+        "login_name": GITEA_ADMIN_USER,
+        "email": GITEA_ADMIN_EMAIL,
+        "visibility": "private",
+    });
+
+    let result = gitea_api(
+        pod,
+        "PATCH",
+        &format!("/admin/users/{GITEA_ADMIN_USER}"),
+        password,
+        Some(&data),
+    )
+    .await?;
+
+    if result.get("login").and_then(|v| v.as_str()) == Some(GITEA_ADMIN_USER) {
+        ok(&format!("Admin '{GITEA_ADMIN_USER}' marked as private."));
+    } else {
+        warn(&format!("Could not set admin visibility: {result}"));
+    }
+    Ok(())
+}
+
+/// Create the studio and internal organizations.
+async fn create_orgs(pod: &str, password: &str) -> Result<()> {
+    let orgs = [
+        ("studio", "public", "Public source code"),
+        ("internal", "private", "Internal tools and services"),
+    ];
+
+    for (org_name, visibility, desc) in &orgs {
+        let data = serde_json::json!({
+            "username": org_name,
+            "visibility": visibility,
+            "description": desc,
+        });
+
+        let result = gitea_api(pod, "POST", "/orgs", password, Some(&data)).await?;
+
+        if result.get("id").is_some() {
+            ok(&format!("Created org '{org_name}'."));
+        } else if result
+            .get("message")
+            .and_then(|v| v.as_str())
+            .unwrap_or("")
+            .to_lowercase()
+            .contains("already")
+        {
+            ok(&format!("Org '{org_name}' already exists."));
+        } else {
+            let msg = result
+                .get("message")
+                .and_then(|v| v.as_str())
+                .map(|s| s.to_string())
+                .unwrap_or_else(|| format!("{result}"));
+            warn(&format!("Org '{org_name}': {msg}"));
+        }
+    }
+    Ok(())
+}
+
+/// Configure Hydra as the OIDC authentication source.
+async fn configure_oidc(pod: &str, _password: &str) -> Result<()> {
+    // List existing auth sources
+    let (_, auth_list_output) =
+        kube_exec("devtools", pod, &["gitea", "admin", "auth", "list"], Some("gitea")).await?;
+
+    let mut existing_id: Option<String> = None;
+    let mut exact_ok = false;
+
+    for line in auth_list_output.lines().skip(1) {
+        // Tab-separated: ID\tName\tType\tEnabled
+        let parts: Vec<&str> = line.split('\t').collect();
+        if parts.len() < 2 {
+            continue;
+        }
+        let src_id = parts[0].trim();
+        let src_name = parts[1].trim();
+
+        if src_name == "Sunbeam" {
+            exact_ok = true;
+            break;
+        }
+
+        let src_type = if parts.len() > 2 {
+            parts[2].trim()
+        } else {
+            ""
+        };
+
+        if src_name == "Sunbeam Auth"
+            || (src_name.starts_with("Sunbeam") && src_type == "OAuth2")
+        {
+            existing_id = Some(src_id.to_string());
+        }
+    }
+
+    if exact_ok {
+        ok("OIDC auth source 'Sunbeam' already present.");
+        return Ok(());
+    }
+
+    if let Some(eid) = existing_id {
+        // Wrong name -- rename in-place
+        let (code, stderr) = kube_exec(
+            "devtools",
+            pod,
+            &[
+                "gitea",
+                "admin",
+                "auth",
+                "update-oauth",
+                "--id",
+                &eid,
+                "--name",
+                "Sunbeam",
+            ],
+            Some("gitea"),
+        )
+        .await?;
+
+        if code == 0 {
+            ok(&format!(
+                "Renamed OIDC auth source (id={eid}) to 'Sunbeam'."
+            ));
+        } else {
+            warn(&format!("Rename failed: {stderr}"));
+        }
+        return Ok(());
+    }
+
+    // Create new OIDC auth source
+    let oidc_id = kube_get_secret_field("lasuite", "oidc-gitea", "CLIENT_ID").await;
+    let oidc_secret = kube_get_secret_field("lasuite", "oidc-gitea", "CLIENT_SECRET").await;
+
+    match (oidc_id, oidc_secret) {
+        (Ok(oidc_id), Ok(oidc_sec)) => {
+            let discover_url =
+                "http://hydra-public.ory.svc.cluster.local:4444/.well-known/openid-configuration";
+
+            let (code, stderr) = kube_exec(
+                "devtools",
+                pod,
+                &[
+                    "gitea",
+                    "admin",
+                    "auth",
+                    "add-oauth",
+                    "--name",
+                    "Sunbeam",
+                    "--provider",
+                    "openidConnect",
+                    "--key",
+                    &oidc_id,
+                    "--secret",
+                    &oidc_sec,
+                    "--auto-discover-url",
+                    discover_url,
+                    "--scopes",
+                    "openid",
+                    "--scopes",
+                    "email",
+                    "--scopes",
+                    "profile",
+                ],
+                Some("gitea"),
+            )
+            .await?;
+
+            if code == 0 {
+                ok("OIDC auth source 'Sunbeam' configured.");
+            } else {
+                warn(&format!("OIDC auth source config failed: {stderr}"));
+            }
+        }
+        _ => {
+            warn("oidc-gitea secret not found -- OIDC auth source not configured.");
+        }
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_constants() {
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+        assert_eq!(GITEA_ADMIN_EMAIL, "gitea@local.domain");
+    }
+
+    #[test]
+    fn test_org_definitions() {
+        // Verify the org configs match the Python version
+        let orgs = [
+            ("studio", "public", "Public source code"),
+            ("internal", "private", "Internal tools and services"),
+        ];
+        assert_eq!(orgs[0].0, "studio");
+        assert_eq!(orgs[0].1, "public");
+        assert_eq!(orgs[1].0, "internal");
+        assert_eq!(orgs[1].1, "private");
+    }
+
+    #[test]
+    fn test_parse_auth_list_output() {
+        let output = "ID\tName\tType\tEnabled\n1\tSunbeam\tOAuth2\ttrue\n";
+        let mut found = false;
+        for line in output.lines().skip(1) {
+            let parts: Vec<&str> = line.split('\t').collect();
+            if parts.len() >= 2 && parts[1].trim() == "Sunbeam" {
+                found = true;
+            }
+        }
+        assert!(found);
+    }
+
+    #[test]
+    fn test_parse_auth_list_rename_needed() {
+        let output = "ID\tName\tType\tEnabled\n5\tSunbeam Auth\tOAuth2\ttrue\n";
+        let mut rename_id: Option<String> = None;
+        for line in output.lines().skip(1) {
+            let parts: Vec<&str> = line.split('\t').collect();
+            if parts.len() >= 3 {
+                let name = parts[1].trim();
+                let typ = parts[2].trim();
+                if name == "Sunbeam Auth" || (name.starts_with("Sunbeam") && typ == "OAuth2") {
+                    rename_id = Some(parts[0].trim().to_string());
+                }
+            }
+        }
+        assert_eq!(rename_id, Some("5".to_string()));
+    }
+
+    #[test]
+    fn test_gitea_api_response_parsing() {
+        // Simulate a successful org creation response
+        let json_str = r#"{"id": 1, "username": "studio"}"#;
+        let val: Value = serde_json::from_str(json_str).unwrap();
+        assert!(val.get("id").is_some());
+
+        // Simulate an "already exists" response
+        let json_str = r#"{"message": "organization already exists"}"#;
+        let val: Value = serde_json::from_str(json_str).unwrap();
+        assert!(val
+            .get("message")
+            .unwrap()
+            .as_str()
+            .unwrap()
+            .to_lowercase()
+            .contains("already"));
+    }
+
+    #[test]
+    fn test_admin_visibility_patch_body() {
+        let data = serde_json::json!({
+            "source_id": 0,
+            "login_name": GITEA_ADMIN_USER,
+            "email": GITEA_ADMIN_EMAIL,
+            "visibility": "private",
+        });
+        assert_eq!(data["login_name"], "gitea_admin");
+        assert_eq!(data["visibility"], "private");
+    }
+}
diff --git a/src/images.rs b/src/images.rs
new file mode 100644
index 0000000..ea290e3
--- /dev/null
+++ b/src/images.rs
@@ -0,0 +1,1809 @@
+//! Image building, mirroring, and pushing to Gitea registry.
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use base64::Engine;
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::process::Stdio;
+
+use crate::cli::BuildTarget;
+use crate::constants::{GITEA_ADMIN_USER, MANAGED_NS};
+use crate::output::{ok, step, warn};
+
+/// amd64-only images that need mirroring: (source, org, repo, tag).
+const AMD64_ONLY_IMAGES: &[(&str, &str, &str, &str)] = &[
+    (
+        "docker.io/lasuite/people-backend:latest",
+        "studio",
+        "people-backend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/people-frontend:latest",
+        "studio",
+        "people-frontend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/impress-backend:latest",
+        "studio",
+        "impress-backend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/impress-frontend:latest",
+        "studio",
+        "impress-frontend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/impress-y-provider:latest",
+        "studio",
+        "impress-y-provider",
+        "latest",
+    ),
+];
+
+// ---------------------------------------------------------------------------
+// Build environment
+// ---------------------------------------------------------------------------
+
+/// Resolved build environment — production (remote k8s) or local.
+#[derive(Debug, Clone)]
+pub struct BuildEnv {
+    pub is_prod: bool,
+    pub domain: String,
+    pub registry: String,
+    pub admin_pass: String,
+    pub platform: String,
+    pub ssh_host: Option<String>,
+}
+
+/// Detect prod vs local and resolve registry credentials.
+async fn get_build_env() -> Result<BuildEnv> {
+    let ssh = crate::kube::ssh_host();
+    let is_prod = !ssh.is_empty();
+
+    let domain = crate::kube::get_domain().await?;
+
+    // Fetch gitea admin password from the cluster secret
+    let admin_pass = crate::kube::kube_get_secret_field(
+        "devtools",
+        "gitea-admin-credentials",
+        "password",
+    )
+    .await
+    .ctx("gitea-admin-credentials secret not found -- run seed first.")?;
+
+    let platform = if is_prod {
+        "linux/amd64".to_string()
+    } else {
+        "linux/arm64".to_string()
+    };
+
+    let ssh_host = if is_prod {
+        Some(ssh.to_string())
+    } else {
+        None
+    };
+
+    Ok(BuildEnv {
+        is_prod,
+        domain: domain.clone(),
+        registry: format!("src.{domain}"),
+        admin_pass,
+        platform,
+        ssh_host,
+    })
+}
+
+// ---------------------------------------------------------------------------
+// buildctl build + push
+// ---------------------------------------------------------------------------
+
+/// Build and push an image via buildkitd running in k8s.
+///
+/// Port-forwards to the buildkitd service in the `build` namespace,
+/// runs `buildctl build`, and pushes the image directly to the Gitea
+/// registry from inside the cluster.
+#[allow(clippy::too_many_arguments)]
+async fn buildctl_build_and_push(
+    env: &BuildEnv,
+    image: &str,
+    dockerfile: &Path,
+    context_dir: &Path,
+    target: Option<&str>,
+    build_args: Option<&HashMap<String, String>>,
+    _no_cache: bool,
+) -> Result<()> {
+    // Find a free local port for port-forward
+    let listener = std::net::TcpListener::bind("127.0.0.1:0")
+        .ctx("Failed to bind ephemeral port")?;
+    let local_port = listener.local_addr()?.port();
+    drop(listener);
+
+    // Build docker config for registry auth
+    let auth_token = base64::engine::general_purpose::STANDARD
+        .encode(format!("{GITEA_ADMIN_USER}:{}", env.admin_pass));
+    let docker_cfg = serde_json::json!({
+        "auths": {
+            &env.registry: { "auth": auth_token }
+        }
+    });
+
+    let tmpdir = tempfile::TempDir::new().ctx("Failed to create temp dir")?;
+    let cfg_path = tmpdir.path().join("config.json");
+    std::fs::write(&cfg_path, serde_json::to_string(&docker_cfg)?)
+        .ctx("Failed to write docker config")?;
+
+    // Start port-forward to buildkitd
+    let ctx_arg = format!("--context={}", crate::kube::context());
+    let pf_port_arg = format!("{local_port}:1234");
+
+    let mut pf = tokio::process::Command::new("kubectl")
+        .args([
+            &ctx_arg,
+            "port-forward",
+            "-n",
+            "build",
+            "svc/buildkitd",
+            &pf_port_arg,
+        ])
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .spawn()
+        .ctx("Failed to start buildkitd port-forward")?;
+
+    // Wait for port-forward to become ready
+    let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(15);
+    loop {
+        if tokio::time::Instant::now() > deadline {
+            pf.kill().await.ok();
+            return Err(SunbeamError::tool("buildctl", format!("buildkitd port-forward on :{local_port} did not become ready within 15s")));
+        }
+        if tokio::net::TcpStream::connect(format!("127.0.0.1:{local_port}"))
+            .await
+            .is_ok()
+        {
+            break;
+        }
+        tokio::time::sleep(std::time::Duration::from_millis(300)).await;
+    }
+
+    // Build the buildctl command
+    let dockerfile_parent = dockerfile
+        .parent()
+        .unwrap_or(dockerfile)
+        .to_string_lossy()
+        .to_string();
+    let dockerfile_name = dockerfile
+        .file_name()
+        .unwrap_or_default()
+        .to_string_lossy()
+        .to_string();
+    let context_str = context_dir.to_string_lossy().to_string();
+
+    let mut cmd_args = vec![
+        "build".to_string(),
+        "--frontend".to_string(),
+        "dockerfile.v0".to_string(),
+        "--local".to_string(),
+        format!("context={context_str}"),
+        "--local".to_string(),
+        format!("dockerfile={dockerfile_parent}"),
+        "--opt".to_string(),
+        format!("filename={dockerfile_name}"),
+        "--opt".to_string(),
+        format!("platform={}", env.platform),
+        "--output".to_string(),
+        format!("type=image,name={image},push=true"),
+    ];
+
+    if let Some(tgt) = target {
+        cmd_args.push("--opt".to_string());
+        cmd_args.push(format!("target={tgt}"));
+    }
+
+    if _no_cache {
+        cmd_args.push("--no-cache".to_string());
+    }
+
+    if let Some(args) = build_args {
+        for (k, v) in args {
+            cmd_args.push("--opt".to_string());
+            cmd_args.push(format!("build-arg:{k}={v}"));
+        }
+    }
+
+    let buildctl_host = format!("tcp://127.0.0.1:{local_port}");
+    let tmpdir_str = tmpdir.path().to_string_lossy().to_string();
+
+    let result = tokio::process::Command::new("buildctl")
+        .args(&cmd_args)
+        .env("BUILDKIT_HOST", &buildctl_host)
+        .env("DOCKER_CONFIG", &tmpdir_str)
+        .stdin(Stdio::null())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .await;
+
+    // Always terminate port-forward
+    pf.kill().await.ok();
+    pf.wait().await.ok();
+
+    match result {
+        Ok(status) if status.success() => Ok(()),
+        Ok(status) => return Err(SunbeamError::tool("buildctl", format!("exited with status {status}"))),
+        Err(e) => return Err(SunbeamError::tool("buildctl", format!("failed to run: {e}"))),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// build_image wrapper
+// ---------------------------------------------------------------------------
+
+/// Build a container image via buildkitd and push to the Gitea registry.
+#[allow(clippy::too_many_arguments)]
+async fn build_image(
+    env: &BuildEnv,
+    image: &str,
+    dockerfile: &Path,
+    context_dir: &Path,
+    target: Option<&str>,
+    build_args: Option<&HashMap<String, String>>,
+    push: bool,
+    no_cache: bool,
+    cleanup_paths: &[PathBuf],
+) -> Result<()> {
+    ok(&format!(
+        "Building image ({}{})...",
+        env.platform,
+        target
+            .map(|t| format!(", {t} target"))
+            .unwrap_or_default()
+    ));
+
+    if !push {
+        warn("Builds require --push (buildkitd pushes directly to registry); skipping.");
+        return Ok(());
+    }
+
+    let result = buildctl_build_and_push(
+        env,
+        image,
+        dockerfile,
+        context_dir,
+        target,
+        build_args,
+        no_cache,
+    )
+    .await;
+
+    // Cleanup
+    for p in cleanup_paths {
+        if p.exists() {
+            if p.is_dir() {
+                let _ = std::fs::remove_dir_all(p);
+            } else {
+                let _ = std::fs::remove_file(p);
+            }
+        }
+    }
+
+    result
+}
+
+// ---------------------------------------------------------------------------
+// Node operations
+// ---------------------------------------------------------------------------
+
+/// Return one SSH-reachable IP per node in the cluster.
+async fn get_node_addresses() -> Result<Vec<String>> {
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<k8s_openapi::api::core::v1::Node> =
+        kube::api::Api::all(client.clone());
+
+    let node_list = api
+        .list(&kube::api::ListParams::default())
+        .await
+        .ctx("Failed to list nodes")?;
+
+    let mut addresses = Vec::new();
+    for node in &node_list.items {
+        if let Some(status) = &node.status {
+            if let Some(addrs) = &status.addresses {
+                // Prefer IPv4 InternalIP
+                let mut ipv4: Option<String> = None;
+                let mut any_internal: Option<String> = None;
+
+                for addr in addrs {
+                    if addr.type_ == "InternalIP" {
+                        if !addr.address.contains(':') {
+                            ipv4 = Some(addr.address.clone());
+                        } else if any_internal.is_none() {
+                            any_internal = Some(addr.address.clone());
+                        }
+                    }
+                }
+
+                if let Some(ip) = ipv4.or(any_internal) {
+                    addresses.push(ip);
+                }
+            }
+        }
+    }
+
+    Ok(addresses)
+}
+
+/// SSH to each k3s node and pull images into containerd.
+async fn ctr_pull_on_nodes(env: &BuildEnv, images: &[String]) -> Result<()> {
+    if images.is_empty() {
+        return Ok(());
+    }
+
+    let nodes = get_node_addresses().await?;
+    if nodes.is_empty() {
+        warn("Could not detect node addresses; skipping ctr pull.");
+        return Ok(());
+    }
+
+    let ssh_user = env
+        .ssh_host
+        .as_deref()
+        .and_then(|h| h.split('@').next())
+        .unwrap_or("root");
+
+    for node_ip in &nodes {
+        for img in images {
+            ok(&format!("Pulling {img} into containerd on {node_ip}..."));
+            let status = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &format!("{ssh_user}@{node_ip}"),
+                    &format!("sudo ctr -n k8s.io images pull {img}"),
+                ])
+                .stdout(Stdio::null())
+                .stderr(Stdio::piped())
+                .status()
+                .await;
+
+            match status {
+                Ok(s) if s.success() => ok(&format!("Pulled {img} on {node_ip}")),
+                _ => return Err(SunbeamError::tool("ctr", format!("pull failed on {node_ip} for {img}"))),
+            }
+        }
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Deploy rollout
+// ---------------------------------------------------------------------------
+
+/// Apply manifests for the target namespace and rolling-restart the given deployments.
+async fn deploy_rollout(
+    env: &BuildEnv,
+    deployments: &[&str],
+    namespace: &str,
+    timeout_secs: u64,
+    images: Option<&[String]>,
+) -> Result<()> {
+    let env_str = if env.is_prod { "production" } else { "local" };
+    crate::manifests::cmd_apply(env_str, &env.domain, "", namespace).await?;
+
+    // Pull fresh images into containerd on every node before rollout
+    if let Some(imgs) = images {
+        ctr_pull_on_nodes(env, imgs).await?;
+    }
+
+    for dep in deployments {
+        ok(&format!("Rolling {dep}..."));
+        crate::kube::kube_rollout_restart(namespace, dep).await?;
+    }
+
+    // Wait for rollout completion
+    for dep in deployments {
+        wait_deployment_ready(namespace, dep, timeout_secs).await?;
+    }
+
+    ok("Redeployed.");
+    Ok(())
+}
+
+/// Wait for a deployment to become ready.
+async fn wait_deployment_ready(ns: &str, deployment: &str, timeout_secs: u64) -> Result<()> {
+    use k8s_openapi::api::apps::v1::Deployment;
+    use std::time::{Duration, Instant};
+
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<Deployment> = kube::api::Api::namespaced(client.clone(), ns);
+    let deadline = Instant::now() + Duration::from_secs(timeout_secs);
+
+    loop {
+        if Instant::now() > deadline {
+            return Err(SunbeamError::build(format!("Timed out waiting for deployment {ns}/{deployment}")));
+        }
+
+        if let Some(dep) = api.get_opt(deployment).await? {
+            if let Some(status) = &dep.status {
+                if let Some(conditions) = &status.conditions {
+                    let available = conditions
+                        .iter()
+                        .any(|c| c.type_ == "Available" && c.status == "True");
+                    if available {
+                        return Ok(());
+                    }
+                }
+            }
+        }
+
+        tokio::time::sleep(Duration::from_secs(3)).await;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Mirroring
+// ---------------------------------------------------------------------------
+
+/// Docker Hub auth token response.
+#[derive(serde::Deserialize)]
+struct DockerAuthToken {
+    token: String,
+}
+
+/// Fetch a Docker Hub auth token for the given repository.
+async fn docker_hub_token(repo: &str) -> Result<String> {
+    let url = format!(
+        "https://auth.docker.io/token?service=registry.docker.io&scope=repository:{repo}:pull"
+    );
+    let resp: DockerAuthToken = reqwest::get(&url)
+        .await
+        .ctx("Failed to fetch Docker Hub token")?
+        .json()
+        .await
+        .ctx("Failed to parse Docker Hub token response")?;
+    Ok(resp.token)
+}
+
+/// Fetch an OCI/Docker manifest index from Docker Hub.
+async fn fetch_manifest_index(
+    repo: &str,
+    tag: &str,
+) -> Result<serde_json::Value> {
+    let token = docker_hub_token(repo).await?;
+
+    let client = reqwest::Client::new();
+    let url = format!("https://registry-1.docker.io/v2/{repo}/manifests/{tag}");
+    let accept = "application/vnd.oci.image.index.v1+json,\
+                   application/vnd.docker.distribution.manifest.list.v2+json";
+
+    let resp = client
+        .get(&url)
+        .header("Authorization", format!("Bearer {token}"))
+        .header("Accept", accept)
+        .send()
+        .await
+        .ctx("Failed to fetch manifest from Docker Hub")?;
+
+    if !resp.status().is_success() {
+        return Err(SunbeamError::build(format!(
+            "Docker Hub returned {} for {repo}:{tag}",
+            resp.status()
+        )));
+    }
+
+    resp.json()
+        .await
+        .ctx("Failed to parse manifest index JSON")
+}
+
+/// Build an OCI tar archive containing a patched index that maps both
+/// amd64 and arm64 to the same amd64 manifest.
+fn make_oci_tar(
+    ref_name: &str,
+    new_index_bytes: &[u8],
+    amd64_manifest_bytes: &[u8],
+) -> Result<Vec<u8>> {
+    use std::io::Write;
+
+    let ix_hex = {
+        use sha2::Digest;
+        let hash = sha2::Sha256::digest(new_index_bytes);
+        hash.iter().map(|b| format!("{b:02x}")).collect::<String>()
+    };
+
+    let new_index: serde_json::Value = serde_json::from_slice(new_index_bytes)?;
+    let amd64_hex = new_index["manifests"][0]["digest"]
+        .as_str()
+        .unwrap_or("")
+        .replace("sha256:", "");
+
+    let layout = serde_json::json!({"imageLayoutVersion": "1.0.0"});
+    let layout_bytes = serde_json::to_vec(&layout)?;
+
+    let top = serde_json::json!({
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.oci.image.index.v1+json",
+        "manifests": [{
+            "mediaType": "application/vnd.oci.image.index.v1+json",
+            "digest": format!("sha256:{ix_hex}"),
+            "size": new_index_bytes.len(),
+            "annotations": {
+                "org.opencontainers.image.ref.name": ref_name,
+            },
+        }],
+    });
+    let top_bytes = serde_json::to_vec(&top)?;
+
+    let mut buf = Vec::new();
+    {
+        let mut builder = tar::Builder::new(&mut buf);
+
+        let mut add_entry = |name: &str, data: &[u8]| -> Result<()> {
+            let mut header = tar::Header::new_gnu();
+            header.set_size(data.len() as u64);
+            header.set_mode(0o644);
+            header.set_cksum();
+            builder.append_data(&mut header, name, data)?;
+            Ok(())
+        };
+
+        add_entry("oci-layout", &layout_bytes)?;
+        add_entry("index.json", &top_bytes)?;
+        add_entry(&format!("blobs/sha256/{ix_hex}"), new_index_bytes)?;
+        add_entry(
+            &format!("blobs/sha256/{amd64_hex}"),
+            amd64_manifest_bytes,
+        )?;
+
+        builder.finish()?;
+    }
+
+    // Flush
+    buf.flush().ok();
+    Ok(buf)
+}
+
+/// Mirror amd64-only La Suite images to the Gitea registry.
+///
+/// The Python version ran a script inside the Lima VM via `limactl shell`.
+/// Without Lima, we use reqwest for Docker registry token/manifest fetching
+/// and construct OCI tars natively. The containerd import + push operations
+/// require SSH to nodes and are implemented via subprocess.
+pub async fn cmd_mirror() -> Result<()> {
+    step("Mirroring amd64-only images to Gitea registry...");
+
+    let domain = crate::kube::get_domain().await?;
+    let admin_pass = crate::kube::kube_get_secret_field(
+        "devtools",
+        "gitea-admin-credentials",
+        "password",
+    )
+    .await
+    .unwrap_or_default();
+
+    if admin_pass.is_empty() {
+        warn("Could not get gitea admin password; skipping mirror.");
+        return Ok(());
+    }
+
+    let registry = format!("src.{domain}");
+
+    let nodes = get_node_addresses().await.unwrap_or_default();
+    if nodes.is_empty() {
+        warn("No node addresses found; cannot mirror images (need SSH to containerd).");
+        return Ok(());
+    }
+
+    // Determine SSH user
+    let ssh_host_val = crate::kube::ssh_host();
+    let ssh_user = if ssh_host_val.contains('@') {
+        ssh_host_val.split('@').next().unwrap_or("root")
+    } else {
+        "root"
+    };
+
+    for (src, org, repo, tag) in AMD64_ONLY_IMAGES {
+        let tgt = format!("{registry}/{org}/{repo}:{tag}");
+        ok(&format!("Processing {src} -> {tgt}"));
+
+        // Fetch manifest index from Docker Hub
+        let no_prefix = src.replace("docker.io/", "");
+        let parts: Vec<&str> = no_prefix.splitn(2, ':').collect();
+        let (docker_repo, docker_tag) = if parts.len() == 2 {
+            (parts[0], parts[1])
+        } else {
+            (parts[0], "latest")
+        };
+
+        let index = match fetch_manifest_index(docker_repo, docker_tag).await {
+            Ok(idx) => idx,
+            Err(e) => {
+                warn(&format!("Failed to fetch index for {src}: {e}"));
+                continue;
+            }
+        };
+
+        // Find amd64 manifest
+        let manifests = index["manifests"].as_array();
+        let amd64 = manifests.and_then(|ms| {
+            ms.iter().find(|m| {
+                m["platform"]["architecture"].as_str() == Some("amd64")
+                    && m["platform"]["os"].as_str() == Some("linux")
+            })
+        });
+
+        let amd64 = match amd64 {
+            Some(m) => m.clone(),
+            None => {
+                warn(&format!("No linux/amd64 entry in index for {src}; skipping"));
+                continue;
+            }
+        };
+
+        let amd64_digest = amd64["digest"]
+            .as_str()
+            .unwrap_or("")
+            .to_string();
+
+        // Fetch the actual amd64 manifest blob from registry
+        let token = docker_hub_token(docker_repo).await?;
+        let manifest_url = format!(
+            "https://registry-1.docker.io/v2/{docker_repo}/manifests/{amd64_digest}"
+        );
+        let client = reqwest::Client::new();
+        let amd64_manifest_bytes = client
+            .get(&manifest_url)
+            .header("Authorization", format!("Bearer {token}"))
+            .header(
+                "Accept",
+                "application/vnd.oci.image.manifest.v1+json,\
+                 application/vnd.docker.distribution.manifest.v2+json",
+            )
+            .send()
+            .await?
+            .bytes()
+            .await?;
+
+        // Build patched index: amd64 + arm64 alias pointing to same manifest
+        let arm64_entry = serde_json::json!({
+            "mediaType": amd64["mediaType"],
+            "digest": amd64["digest"],
+            "size": amd64["size"],
+            "platform": {"architecture": "arm64", "os": "linux"},
+        });
+
+        let new_index = serde_json::json!({
+            "schemaVersion": index["schemaVersion"],
+            "mediaType": index.get("mediaType").unwrap_or(&serde_json::json!("application/vnd.oci.image.index.v1+json")),
+            "manifests": [amd64, arm64_entry],
+        });
+        let new_index_bytes = serde_json::to_vec(&new_index)?;
+
+        // Build OCI tar
+        let oci_tar = match make_oci_tar(&tgt, &new_index_bytes, &amd64_manifest_bytes) {
+            Ok(tar) => tar,
+            Err(e) => {
+                warn(&format!("Failed to build OCI tar for {tgt}: {e}"));
+                continue;
+            }
+        };
+
+        // Import + push via SSH to each node (containerd operations)
+        for node_ip in &nodes {
+            ok(&format!("Importing {tgt} on {node_ip}..."));
+
+            // Remove existing, import, label
+            let ssh_target = format!("{ssh_user}@{node_ip}");
+
+            // Import via stdin
+            let mut import_cmd = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &ssh_target,
+                    "sudo ctr -n k8s.io images import --all-platforms -",
+                ])
+                .stdin(Stdio::piped())
+                .stdout(Stdio::null())
+                .stderr(Stdio::piped())
+                .spawn()
+                .ctx("Failed to spawn ssh for ctr import")?;
+
+            if let Some(mut stdin) = import_cmd.stdin.take() {
+                use tokio::io::AsyncWriteExt;
+                stdin.write_all(&oci_tar).await?;
+                drop(stdin);
+            }
+            let import_status = import_cmd.wait().await?;
+            if !import_status.success() {
+                warn(&format!("ctr import failed on {node_ip} for {tgt}"));
+                continue;
+            }
+
+            // Label for CRI
+            let _ = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &ssh_target,
+                    &format!(
+                        "sudo ctr -n k8s.io images label {tgt} io.cri-containerd.image=managed"
+                    ),
+                ])
+                .stdout(Stdio::null())
+                .stderr(Stdio::null())
+                .status()
+                .await;
+
+            // Push to Gitea registry
+            ok(&format!("Pushing {tgt} from {node_ip}..."));
+            let push_status = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &ssh_target,
+                    &format!(
+                        "sudo ctr -n k8s.io images push --user {GITEA_ADMIN_USER}:{admin_pass} {tgt}"
+                    ),
+                ])
+                .stdout(Stdio::null())
+                .stderr(Stdio::piped())
+                .status()
+                .await;
+
+            match push_status {
+                Ok(s) if s.success() => ok(&format!("Pushed {tgt}")),
+                _ => warn(&format!("Push failed for {tgt} on {node_ip}")),
+            }
+
+            // Only need to push from one node
+            break;
+        }
+    }
+
+    // Delete pods stuck in image-pull error states
+    ok("Clearing image-pull-error pods...");
+    clear_image_pull_error_pods().await?;
+
+    ok("Done.");
+    Ok(())
+}
+
+/// Delete pods in image-pull error states across managed namespaces.
+async fn clear_image_pull_error_pods() -> Result<()> {
+    use k8s_openapi::api::core::v1::Pod;
+
+    let error_reasons = ["ImagePullBackOff", "ErrImagePull", "ErrImageNeverPull"];
+
+    let client = crate::kube::get_client().await?;
+
+    for ns in MANAGED_NS {
+        let api: kube::api::Api<Pod> = kube::api::Api::namespaced(client.clone(), ns);
+        let pods = api
+            .list(&kube::api::ListParams::default())
+            .await;
+
+        let pods = match pods {
+            Ok(p) => p,
+            Err(_) => continue,
+        };
+
+        for pod in &pods.items {
+            let pod_name = pod.metadata.name.as_deref().unwrap_or("");
+            if pod_name.is_empty() {
+                continue;
+            }
+
+            let has_error = pod
+                .status
+                .as_ref()
+                .and_then(|s| s.container_statuses.as_ref())
+                .map(|statuses| {
+                    statuses.iter().any(|cs| {
+                        cs.state
+                            .as_ref()
+                            .and_then(|s| s.waiting.as_ref())
+                            .and_then(|w| w.reason.as_deref())
+                            .is_some_and(|r| error_reasons.contains(&r))
+                    })
+                })
+                .unwrap_or(false);
+
+            if has_error {
+                let _ = api
+                    .delete(pod_name, &kube::api::DeleteParams::default())
+                    .await;
+            }
+        }
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Per-service build functions
+// ---------------------------------------------------------------------------
+
+async fn build_proxy(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let proxy_dir = crate::config::get_repo_root().join("proxy");
+    if !proxy_dir.is_dir() {
+        return Err(SunbeamError::build(format!("Proxy source not found at {}", proxy_dir.display())));
+    }
+
+    let image = format!("{}/studio/proxy:latest", env.registry);
+    step(&format!("Building sunbeam-proxy -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &proxy_dir.join("Dockerfile"),
+        &proxy_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["pingora"], "ingress", 120, Some(&[image])).await?;
+    }
+    Ok(())
+}
+
+async fn build_tuwunel(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let tuwunel_dir = crate::config::get_repo_root().join("tuwunel");
+    if !tuwunel_dir.is_dir() {
+        return Err(SunbeamError::build(format!("Tuwunel source not found at {}", tuwunel_dir.display())));
+    }
+
+    let image = format!("{}/studio/tuwunel:latest", env.registry);
+    step(&format!("Building tuwunel -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &tuwunel_dir.join("Dockerfile"),
+        &tuwunel_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["tuwunel"], "matrix", 180, Some(&[image])).await?;
+    }
+    Ok(())
+}
+
+async fn build_integration(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let sunbeam_dir = crate::config::get_repo_root();
+    let integration_service_dir = sunbeam_dir.join("integration-service");
+    let dockerfile = integration_service_dir.join("Dockerfile");
+    let dockerignore = integration_service_dir.join(".dockerignore");
+
+    if !dockerfile.exists() {
+        return Err(SunbeamError::build(format!(
+            "integration-service Dockerfile not found at {}",
+            dockerfile.display()
+        )));
+    }
+    if !sunbeam_dir
+        .join("integration")
+        .join("packages")
+        .join("widgets")
+        .is_dir()
+    {
+        return Err(SunbeamError::build(format!(
+            "integration repo not found at {} -- \
+             run: cd sunbeam && git clone https://github.com/suitenumerique/integration.git",
+            sunbeam_dir.join("integration").display()
+        )));
+    }
+
+    let image = format!("{}/studio/integration:latest", env.registry);
+    step(&format!("Building integration -> {image} ..."));
+
+    // .dockerignore needs to be at context root
+    let root_ignore = sunbeam_dir.join(".dockerignore");
+    let mut copied_ignore = false;
+    if !root_ignore.exists() && dockerignore.exists() {
+        std::fs::copy(&dockerignore, &root_ignore).ok();
+        copied_ignore = true;
+    }
+
+    let result = build_image(
+        &env,
+        &image,
+        &dockerfile,
+        &sunbeam_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await;
+
+    if copied_ignore && root_ignore.exists() {
+        let _ = std::fs::remove_file(&root_ignore);
+    }
+
+    result?;
+
+    if deploy {
+        deploy_rollout(&env, &["integration"], "lasuite", 120, None).await?;
+    }
+    Ok(())
+}
+
+async fn build_kratos_admin(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let kratos_admin_dir = crate::config::get_repo_root().join("kratos-admin");
+    if !kratos_admin_dir.is_dir() {
+        return Err(SunbeamError::build(format!(
+            "kratos-admin source not found at {}",
+            kratos_admin_dir.display()
+        )));
+    }
+
+    let image = format!("{}/studio/kratos-admin-ui:latest", env.registry);
+    step(&format!("Building kratos-admin-ui -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &kratos_admin_dir.join("Dockerfile"),
+        &kratos_admin_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["kratos-admin-ui"], "ory", 120, None).await?;
+    }
+    Ok(())
+}
+
+async fn build_meet(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let meet_dir = crate::config::get_repo_root().join("meet");
+    if !meet_dir.is_dir() {
+        return Err(SunbeamError::build(format!("meet source not found at {}", meet_dir.display())));
+    }
+
+    let backend_image = format!("{}/studio/meet-backend:latest", env.registry);
+    let frontend_image = format!("{}/studio/meet-frontend:latest", env.registry);
+
+    // Backend
+    step(&format!("Building meet-backend -> {backend_image} ..."));
+    build_image(
+        &env,
+        &backend_image,
+        &meet_dir.join("Dockerfile"),
+        &meet_dir,
+        Some("backend-production"),
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    // Frontend
+    step(&format!("Building meet-frontend -> {frontend_image} ..."));
+    let frontend_dockerfile = meet_dir.join("src").join("frontend").join("Dockerfile");
+    if !frontend_dockerfile.exists() {
+        return Err(SunbeamError::build(format!(
+            "meet frontend Dockerfile not found at {}",
+            frontend_dockerfile.display()
+        )));
+    }
+
+    let mut build_args = HashMap::new();
+    build_args.insert("VITE_API_BASE_URL".to_string(), String::new());
+
+    build_image(
+        &env,
+        &frontend_image,
+        &frontend_dockerfile,
+        &meet_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(
+            &env,
+            &["meet-backend", "meet-celery-worker", "meet-frontend"],
+            "lasuite",
+            180,
+            None,
+        )
+        .await?;
+    }
+    Ok(())
+}
+
+async fn build_people(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let people_dir = crate::config::get_repo_root().join("people");
+    if !people_dir.is_dir() {
+        return Err(SunbeamError::build(format!("people source not found at {}", people_dir.display())));
+    }
+
+    let workspace_dir = people_dir.join("src").join("frontend");
+    let app_dir = workspace_dir.join("apps").join("desk");
+    let dockerfile = workspace_dir.join("Dockerfile");
+    if !dockerfile.exists() {
+        return Err(SunbeamError::build(format!("Dockerfile not found at {}", dockerfile.display())));
+    }
+
+    let image = format!("{}/studio/people-frontend:latest", env.registry);
+    step(&format!("Building people-frontend -> {image} ..."));
+
+    // yarn install
+    ok("Updating yarn.lock (yarn install in workspace)...");
+    let yarn_status = tokio::process::Command::new("yarn")
+        .args(["install", "--ignore-engines"])
+        .current_dir(&workspace_dir)
+        .status()
+        .await
+        .ctx("Failed to run yarn install")?;
+    if !yarn_status.success() {
+        return Err(SunbeamError::tool("yarn", "install failed"));
+    }
+
+    // cunningham design tokens
+    ok("Regenerating cunningham design tokens...");
+    let cunningham_bin = workspace_dir
+        .join("node_modules")
+        .join(".bin")
+        .join("cunningham");
+    let cunningham_status = tokio::process::Command::new(&cunningham_bin)
+        .args(["-g", "css,ts", "-o", "src/cunningham", "--utility-classes"])
+        .current_dir(&app_dir)
+        .status()
+        .await
+        .ctx("Failed to run cunningham")?;
+    if !cunningham_status.success() {
+        return Err(SunbeamError::tool("cunningham", "design token generation failed"));
+    }
+
+    let mut build_args = HashMap::new();
+    build_args.insert("DOCKER_USER".to_string(), "101".to_string());
+
+    build_image(
+        &env,
+        &image,
+        &dockerfile,
+        &people_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["people-frontend"], "lasuite", 180, None).await?;
+    }
+    Ok(())
+}
+
+/// Message component definition: (cli_name, image_name, dockerfile_rel, target).
+const MESSAGES_COMPONENTS: &[(&str, &str, &str, Option<&str>)] = &[
+    (
+        "messages-backend",
+        "messages-backend",
+        "src/backend/Dockerfile",
+        Some("runtime-distroless-prod"),
+    ),
+    (
+        "messages-frontend",
+        "messages-frontend",
+        "src/frontend/Dockerfile",
+        Some("runtime-prod"),
+    ),
+    (
+        "messages-mta-in",
+        "messages-mta-in",
+        "src/mta-in/Dockerfile",
+        None,
+    ),
+    (
+        "messages-mta-out",
+        "messages-mta-out",
+        "src/mta-out/Dockerfile",
+        None,
+    ),
+    (
+        "messages-mpa",
+        "messages-mpa",
+        "src/mpa/rspamd/Dockerfile",
+        None,
+    ),
+    (
+        "messages-socks-proxy",
+        "messages-socks-proxy",
+        "src/socks-proxy/Dockerfile",
+        None,
+    ),
+];
+
+async fn build_messages(what: &str, push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let messages_dir = crate::config::get_repo_root().join("messages");
+    if !messages_dir.is_dir() {
+        return Err(SunbeamError::build(format!("messages source not found at {}", messages_dir.display())));
+    }
+
+    let components: Vec<_> = if what == "messages" {
+        MESSAGES_COMPONENTS.to_vec()
+    } else {
+        MESSAGES_COMPONENTS
+            .iter()
+            .filter(|(name, _, _, _)| *name == what)
+            .copied()
+            .collect()
+    };
+
+    let mut built_images = Vec::new();
+
+    for (component, image_name, dockerfile_rel, target) in &components {
+        let dockerfile = messages_dir.join(dockerfile_rel);
+        if !dockerfile.exists() {
+            warn(&format!(
+                "Dockerfile not found at {} -- skipping {component}",
+                dockerfile.display()
+            ));
+            continue;
+        }
+
+        let image = format!("{}/studio/{image_name}:latest", env.registry);
+        let context_dir = dockerfile.parent().unwrap_or(&messages_dir);
+        step(&format!("Building {component} -> {image} ..."));
+
+        // Patch ghcr.io/astral-sh/uv COPY for messages-backend on local builds
+        let mut cleanup_paths = Vec::new();
+        let actual_dockerfile;
+
+        if !env.is_prod && *image_name == "messages-backend" {
+            let (patched, cleanup) =
+                patch_dockerfile_uv(&dockerfile, context_dir, &env.platform).await?;
+            actual_dockerfile = patched;
+            cleanup_paths = cleanup;
+        } else {
+            actual_dockerfile = dockerfile.clone();
+        }
+
+        build_image(
+            &env,
+            &image,
+            &actual_dockerfile,
+            context_dir,
+            *target,
+            None,
+            push,
+            no_cache,
+            &cleanup_paths,
+        )
+        .await?;
+
+        built_images.push(image);
+    }
+
+    if deploy && !built_images.is_empty() {
+        deploy_rollout(
+            &env,
+            &[
+                "messages-backend",
+                "messages-worker",
+                "messages-frontend",
+                "messages-mta-in",
+                "messages-mta-out",
+                "messages-mpa",
+                "messages-socks-proxy",
+            ],
+            "lasuite",
+            180,
+            None,
+        )
+        .await?;
+    }
+
+    Ok(())
+}
+
+/// Build a La Suite frontend image from source and push to the Gitea registry.
+#[allow(clippy::too_many_arguments)]
+async fn build_la_suite_frontend(
+    app: &str,
+    repo_dir: &Path,
+    workspace_rel: &str,
+    app_rel: &str,
+    dockerfile_rel: &str,
+    image_name: &str,
+    deployment: &str,
+    namespace: &str,
+    push: bool,
+    deploy: bool,
+    no_cache: bool,
+) -> Result<()> {
+    let env = get_build_env().await?;
+
+    let workspace_dir = repo_dir.join(workspace_rel);
+    let app_dir = repo_dir.join(app_rel);
+    let dockerfile = repo_dir.join(dockerfile_rel);
+
+    if !repo_dir.is_dir() {
+        return Err(SunbeamError::build(format!("{app} source not found at {}", repo_dir.display())));
+    }
+    if !dockerfile.exists() {
+        return Err(SunbeamError::build(format!("Dockerfile not found at {}", dockerfile.display())));
+    }
+
+    let image = format!("{}/studio/{image_name}:latest", env.registry);
+    step(&format!("Building {app} -> {image} ..."));
+
+    ok("Updating yarn.lock (yarn install in workspace)...");
+    let yarn_status = tokio::process::Command::new("yarn")
+        .args(["install", "--ignore-engines"])
+        .current_dir(&workspace_dir)
+        .status()
+        .await
+        .ctx("Failed to run yarn install")?;
+    if !yarn_status.success() {
+        return Err(SunbeamError::tool("yarn", "install failed"));
+    }
+
+    ok("Regenerating cunningham design tokens (yarn build-theme)...");
+    let theme_status = tokio::process::Command::new("yarn")
+        .args(["build-theme"])
+        .current_dir(&app_dir)
+        .status()
+        .await
+        .ctx("Failed to run yarn build-theme")?;
+    if !theme_status.success() {
+        return Err(SunbeamError::tool("yarn", "build-theme failed"));
+    }
+
+    let mut build_args = HashMap::new();
+    build_args.insert("DOCKER_USER".to_string(), "101".to_string());
+
+    build_image(
+        &env,
+        &image,
+        &dockerfile,
+        repo_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &[deployment], namespace, 180, None).await?;
+    }
+    Ok(())
+}
+
+/// Download uv from GitHub releases and return a patched Dockerfile path.
+async fn patch_dockerfile_uv(
+    dockerfile_path: &Path,
+    context_dir: &Path,
+    platform: &str,
+) -> Result<(PathBuf, Vec<PathBuf>)> {
+    let content = std::fs::read_to_string(dockerfile_path)
+        .ctx("Failed to read Dockerfile for uv patching")?;
+
+    // Match COPY --from=ghcr.io/astral-sh/uv@sha256:... /uv /uvx /bin/
+    let original_copy = content
+        .lines()
+        .find(|line| {
+            line.contains("COPY")
+                && line.contains("--from=ghcr.io/astral-sh/uv@sha256:")
+                && line.contains("/uv")
+                && line.contains("/bin/")
+        })
+        .map(|line| line.trim().to_string());
+
+    let original_copy = match original_copy {
+        Some(c) => c,
+        None => return Ok((dockerfile_path.to_path_buf(), vec![])),
+    };
+
+    // Find uv version from comment like: oci://ghcr.io/astral-sh/uv:0.x.y
+    let version = content
+        .lines()
+        .find_map(|line| {
+            let marker = "oci://ghcr.io/astral-sh/uv:";
+            if let Some(idx) = line.find(marker) {
+                let rest = &line[idx + marker.len()..];
+                let ver = rest.split_whitespace().next().unwrap_or("");
+                if !ver.is_empty() {
+                    Some(ver.to_string())
+                } else {
+                    None
+                }
+            } else {
+                None
+            }
+        });
+
+    let version = match version {
+        Some(v) => v,
+        None => {
+            warn("Could not find uv version comment in Dockerfile; ghcr.io pull may fail.");
+            return Ok((dockerfile_path.to_path_buf(), vec![]));
+        }
+    };
+
+    let arch = if platform.contains("amd64") {
+        "x86_64"
+    } else {
+        "aarch64"
+    };
+
+    let url = format!(
+        "https://github.com/astral-sh/uv/releases/download/{version}/uv-{arch}-unknown-linux-gnu.tar.gz"
+    );
+
+    let stage_dir = context_dir.join("_sunbeam_uv_stage");
+    let patched_df = dockerfile_path
+        .parent()
+        .unwrap_or(dockerfile_path)
+        .join("Dockerfile._sunbeam_patched");
+    let cleanup = vec![stage_dir.clone(), patched_df.clone()];
+
+    ok(&format!(
+        "Downloading uv {version} ({arch}) from GitHub releases to bypass ghcr.io..."
+    ));
+
+    std::fs::create_dir_all(&stage_dir)?;
+
+    // Download tarball
+    let response = reqwest::get(&url)
+        .await
+        .ctx("Failed to download uv release")?;
+    let tarball_bytes = response.bytes().await?;
+
+    // Extract uv and uvx from tarball
+    let decoder = flate2::read::GzDecoder::new(&tarball_bytes[..]);
+    let mut archive = tar::Archive::new(decoder);
+
+    for entry in archive.entries()? {
+        let mut entry = entry?;
+        let path = entry.path()?.to_path_buf();
+        let file_name = path
+            .file_name()
+            .unwrap_or_default()
+            .to_string_lossy()
+            .to_string();
+
+        if (file_name == "uv" || file_name == "uvx") && entry.header().entry_type().is_file() {
+            let dest = stage_dir.join(&file_name);
+            let mut outfile = std::fs::File::create(&dest)?;
+            std::io::copy(&mut entry, &mut outfile)?;
+
+            #[cfg(unix)]
+            {
+                use std::os::unix::fs::PermissionsExt;
+                std::fs::set_permissions(&dest, std::fs::Permissions::from_mode(0o755))?;
+            }
+        }
+    }
+
+    if !stage_dir.join("uv").exists() {
+        warn("uv binary not found in release tarball; build may fail.");
+        return Ok((dockerfile_path.to_path_buf(), cleanup));
+    }
+
+    let patched = content.replace(
+        &original_copy,
+        "COPY _sunbeam_uv_stage/uv _sunbeam_uv_stage/uvx /bin/",
+    );
+    std::fs::write(&patched_df, patched)?;
+    ok(&format!("  uv {version} staged; using patched Dockerfile."));
+
+    Ok((patched_df, cleanup))
+}
+
+async fn build_projects(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let projects_dir = crate::config::get_repo_root().join("projects");
+    if !projects_dir.is_dir() {
+        return Err(SunbeamError::build(format!("projects source not found at {}", projects_dir.display())));
+    }
+
+    let image = format!("{}/studio/projects:latest", env.registry);
+    step(&format!("Building projects -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &projects_dir.join("Dockerfile"),
+        &projects_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["projects"], "lasuite", 180, Some(&[image])).await?;
+    }
+    Ok(())
+}
+
+async fn build_sol(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let sol_dir = crate::config::get_repo_root().join("sol");
+    if !sol_dir.is_dir() {
+        return Err(SunbeamError::build(format!("Sol source not found at {}", sol_dir.display())));
+    }
+
+    let image = format!("{}/studio/sol:latest", env.registry);
+    step(&format!("Building sol -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &sol_dir.join("Dockerfile"),
+        &sol_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["sol"], "matrix", 120, None).await?;
+    }
+    Ok(())
+}
+
+async fn build_calendars(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let cal_dir = crate::config::get_repo_root().join("calendars");
+    if !cal_dir.is_dir() {
+        return Err(SunbeamError::build(format!("calendars source not found at {}", cal_dir.display())));
+    }
+
+    let backend_dir = cal_dir.join("src").join("backend");
+    let backend_image = format!("{}/studio/calendars-backend:latest", env.registry);
+    step(&format!("Building calendars-backend -> {backend_image} ..."));
+
+    // Stage translations.json into the build context
+    let translations_src = cal_dir
+        .join("src")
+        .join("frontend")
+        .join("apps")
+        .join("calendars")
+        .join("src")
+        .join("features")
+        .join("i18n")
+        .join("translations.json");
+
+    let translations_dst = backend_dir.join("_translations.json");
+    let mut cleanup: Vec<PathBuf> = Vec::new();
+    let mut dockerfile = backend_dir.join("Dockerfile");
+
+    if translations_src.exists() {
+        std::fs::copy(&translations_src, &translations_dst)?;
+        cleanup.push(translations_dst);
+
+        // Patch Dockerfile to COPY translations into production image
+        let mut content = std::fs::read_to_string(&dockerfile)?;
+        content.push_str(
+            "\n# Sunbeam: bake translations.json for default calendar names\n\
+             COPY _translations.json /data/translations.json\n",
+        );
+        let patched_df = backend_dir.join("Dockerfile._sunbeam_patched");
+        std::fs::write(&patched_df, content)?;
+        cleanup.push(patched_df.clone());
+        dockerfile = patched_df;
+    }
+
+    build_image(
+        &env,
+        &backend_image,
+        &dockerfile,
+        &backend_dir,
+        Some("backend-production"),
+        None,
+        push,
+        no_cache,
+        &cleanup,
+    )
+    .await?;
+
+    // caldav
+    let caldav_image = format!("{}/studio/calendars-caldav:latest", env.registry);
+    step(&format!("Building calendars-caldav -> {caldav_image} ..."));
+    let caldav_dir = cal_dir.join("src").join("caldav");
+    build_image(
+        &env,
+        &caldav_image,
+        &caldav_dir.join("Dockerfile"),
+        &caldav_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    // frontend
+    let frontend_image = format!("{}/studio/calendars-frontend:latest", env.registry);
+    step(&format!(
+        "Building calendars-frontend -> {frontend_image} ..."
+    ));
+    let integration_base = format!("https://integration.{}", env.domain);
+    let mut build_args = HashMap::new();
+    build_args.insert(
+        "VISIO_BASE_URL".to_string(),
+        format!("https://meet.{}", env.domain),
+    );
+    build_args.insert(
+        "GAUFRE_WIDGET_PATH".to_string(),
+        format!("{integration_base}/api/v2/lagaufre.js"),
+    );
+    build_args.insert(
+        "GAUFRE_API_URL".to_string(),
+        format!("{integration_base}/api/v2/services.json"),
+    );
+    build_args.insert(
+        "THEME_CSS_URL".to_string(),
+        format!("{integration_base}/api/v2/theme.css"),
+    );
+
+    let frontend_dir = cal_dir.join("src").join("frontend");
+    build_image(
+        &env,
+        &frontend_image,
+        &frontend_dir.join("Dockerfile"),
+        &frontend_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(
+            &env,
+            &[
+                "calendars-backend",
+                "calendars-worker",
+                "calendars-caldav",
+                "calendars-frontend",
+            ],
+            "lasuite",
+            180,
+            Some(&[backend_image, caldav_image, frontend_image]),
+        )
+        .await?;
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Build dispatch
+// ---------------------------------------------------------------------------
+
+/// Build an image. Pass push=true to push, deploy=true to also apply + rollout.
+pub async fn cmd_build(what: &BuildTarget, push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    match what {
+        BuildTarget::Proxy => build_proxy(push, deploy, no_cache).await,
+        BuildTarget::Integration => build_integration(push, deploy, no_cache).await,
+        BuildTarget::KratosAdmin => build_kratos_admin(push, deploy, no_cache).await,
+        BuildTarget::Meet => build_meet(push, deploy, no_cache).await,
+        BuildTarget::DocsFrontend => {
+            let repo_dir = crate::config::get_repo_root().join("docs");
+            build_la_suite_frontend(
+                "docs-frontend",
+                &repo_dir,
+                "src/frontend",
+                "src/frontend/apps/impress",
+                "src/frontend/Dockerfile",
+                "impress-frontend",
+                "docs-frontend",
+                "lasuite",
+                push,
+                deploy,
+                no_cache,
+            )
+            .await
+        }
+        BuildTarget::PeopleFrontend | BuildTarget::People => build_people(push, deploy, no_cache).await,
+        BuildTarget::Messages => build_messages("messages", push, deploy, no_cache).await,
+        BuildTarget::MessagesBackend => build_messages("messages-backend", push, deploy, no_cache).await,
+        BuildTarget::MessagesFrontend => build_messages("messages-frontend", push, deploy, no_cache).await,
+        BuildTarget::MessagesMtaIn => build_messages("messages-mta-in", push, deploy, no_cache).await,
+        BuildTarget::MessagesMtaOut => build_messages("messages-mta-out", push, deploy, no_cache).await,
+        BuildTarget::MessagesMpa => build_messages("messages-mpa", push, deploy, no_cache).await,
+        BuildTarget::MessagesSocksProxy => {
+            build_messages("messages-socks-proxy", push, deploy, no_cache).await
+        }
+        BuildTarget::Tuwunel => build_tuwunel(push, deploy, no_cache).await,
+        BuildTarget::Calendars => build_calendars(push, deploy, no_cache).await,
+        BuildTarget::Projects => build_projects(push, deploy, no_cache).await,
+        BuildTarget::Sol => build_sol(push, deploy, no_cache).await,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn managed_ns_is_sorted() {
+        let mut sorted = MANAGED_NS.to_vec();
+        sorted.sort();
+        assert_eq!(
+            MANAGED_NS, &sorted[..],
+            "MANAGED_NS should be in alphabetical order"
+        );
+    }
+
+    #[test]
+    fn managed_ns_contains_expected_namespaces() {
+        assert!(MANAGED_NS.contains(&"data"));
+        assert!(MANAGED_NS.contains(&"devtools"));
+        assert!(MANAGED_NS.contains(&"ingress"));
+        assert!(MANAGED_NS.contains(&"ory"));
+        assert!(MANAGED_NS.contains(&"matrix"));
+    }
+
+    #[test]
+    fn amd64_only_images_all_from_docker_hub() {
+        for (src, _org, _repo, _tag) in AMD64_ONLY_IMAGES {
+            assert!(
+                src.starts_with("docker.io/"),
+                "Expected docker.io prefix, got: {src}"
+            );
+        }
+    }
+
+    #[test]
+    fn amd64_only_images_all_have_latest_tag() {
+        for (src, _org, _repo, tag) in AMD64_ONLY_IMAGES {
+            assert_eq!(
+                *tag, "latest",
+                "Expected 'latest' tag for {src}, got: {tag}"
+            );
+        }
+    }
+
+    #[test]
+    fn amd64_only_images_non_empty() {
+        assert!(
+            !AMD64_ONLY_IMAGES.is_empty(),
+            "AMD64_ONLY_IMAGES should not be empty"
+        );
+    }
+
+    #[test]
+    fn amd64_only_images_org_is_studio() {
+        for (src, org, _repo, _tag) in AMD64_ONLY_IMAGES {
+            assert_eq!(
+                *org, "studio",
+                "Expected org 'studio' for {src}, got: {org}"
+            );
+        }
+    }
+
+    #[test]
+    fn build_target_display_proxy() {
+        assert_eq!(BuildTarget::Proxy.to_string(), "proxy");
+    }
+
+    #[test]
+    fn build_target_display_kratos_admin() {
+        assert_eq!(BuildTarget::KratosAdmin.to_string(), "kratos-admin");
+    }
+
+    #[test]
+    fn build_target_display_all_lowercase_or_hyphenated() {
+        let targets = [
+            BuildTarget::Proxy,
+            BuildTarget::Integration,
+            BuildTarget::KratosAdmin,
+            BuildTarget::Meet,
+            BuildTarget::DocsFrontend,
+            BuildTarget::PeopleFrontend,
+            BuildTarget::People,
+            BuildTarget::Messages,
+            BuildTarget::MessagesBackend,
+            BuildTarget::MessagesFrontend,
+            BuildTarget::MessagesMtaIn,
+            BuildTarget::MessagesMtaOut,
+            BuildTarget::MessagesMpa,
+            BuildTarget::MessagesSocksProxy,
+            BuildTarget::Tuwunel,
+            BuildTarget::Calendars,
+            BuildTarget::Projects,
+            BuildTarget::Sol,
+        ];
+        for t in &targets {
+            let s = t.to_string();
+            assert!(
+                s.chars().all(|c| c.is_ascii_lowercase() || c == '-'),
+                "BuildTarget display '{s}' has unexpected characters"
+            );
+        }
+    }
+
+    #[test]
+    fn gitea_admin_user_constant() {
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+    }
+
+    #[test]
+    fn messages_components_non_empty() {
+        assert!(!MESSAGES_COMPONENTS.is_empty());
+    }
+
+    #[test]
+    fn messages_components_dockerfiles_are_relative() {
+        for (_name, _image, dockerfile_rel, _target) in MESSAGES_COMPONENTS {
+            assert!(
+                dockerfile_rel.ends_with("Dockerfile"),
+                "Expected Dockerfile suffix in: {dockerfile_rel}"
+            );
+            assert!(
+                !dockerfile_rel.starts_with('/'),
+                "Dockerfile path should be relative: {dockerfile_rel}"
+            );
+        }
+    }
+
+    #[test]
+    fn messages_components_names_match_build_targets() {
+        for (name, _image, _df, _target) in MESSAGES_COMPONENTS {
+            assert!(
+                name.starts_with("messages-"),
+                "Component name should start with 'messages-': {name}"
+            );
+        }
+    }
+}
diff --git a/src/kube.rs b/src/kube.rs
new file mode 100644
index 0000000..a6b10f5
--- /dev/null
+++ b/src/kube.rs
@@ -0,0 +1,758 @@
+use crate::error::{Result, SunbeamError, ResultExt};
+use base64::Engine;
+use k8s_openapi::api::apps::v1::Deployment;
+use k8s_openapi::api::core::v1::{Namespace, Secret};
+use kube::api::{Api, ApiResource, DynamicObject, ListParams, Patch, PatchParams};
+use kube::config::{KubeConfigOptions, Kubeconfig};
+use kube::discovery::{self, Scope};
+use kube::{Client, Config};
+use std::collections::HashMap;
+use std::path::Path;
+use std::process::Stdio;
+use std::sync::{Mutex, OnceLock};
+use tokio::sync::OnceCell;
+
+static CONTEXT: OnceLock<String> = OnceLock::new();
+static SSH_HOST: OnceLock<String> = OnceLock::new();
+static KUBE_CLIENT: OnceCell<Client> = OnceCell::const_new();
+static SSH_TUNNEL: Mutex<Option<tokio::process::Child>> = Mutex::new(None);
+static API_DISCOVERY: OnceCell<kube::discovery::Discovery> = OnceCell::const_new();
+
+/// Set the active kubectl context and optional SSH host for production tunnel.
+pub fn set_context(ctx: &str, ssh_host: &str) {
+    let _ = CONTEXT.set(ctx.to_string());
+    let _ = SSH_HOST.set(ssh_host.to_string());
+}
+
+/// Get the active context.
+pub fn context() -> &'static str {
+    CONTEXT.get().map(|s| s.as_str()).unwrap_or("sunbeam")
+}
+
+/// Get the SSH host (empty for local).
+pub fn ssh_host() -> &'static str {
+    SSH_HOST.get().map(|s| s.as_str()).unwrap_or("")
+}
+
+// ---------------------------------------------------------------------------
+// SSH tunnel management
+// ---------------------------------------------------------------------------
+
+/// Ensure SSH tunnel is open for production (forwards localhost:16443 -> remote:6443).
+/// For local dev (empty ssh_host), this is a no-op.
+#[allow(dead_code)]
+pub async fn ensure_tunnel() -> Result<()> {
+    let host = ssh_host();
+    if host.is_empty() {
+        return Ok(());
+    }
+
+    // Check if tunnel is already open
+    if tokio::net::TcpStream::connect("127.0.0.1:16443")
+        .await
+        .is_ok()
+    {
+        return Ok(());
+    }
+
+    crate::output::ok(&format!("Opening SSH tunnel to {host}..."));
+
+    let child = tokio::process::Command::new("ssh")
+        .args([
+            "-p",
+            "2222",
+            "-L",
+            "16443:127.0.0.1:6443",
+            "-N",
+            "-o",
+            "ExitOnForwardFailure=yes",
+            "-o",
+            "StrictHostKeyChecking=no",
+            host,
+        ])
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .spawn()
+        .ctx("Failed to spawn SSH tunnel")?;
+
+    // Store child so it lives for the process lifetime (and can be killed on cleanup)
+    if let Ok(mut guard) = SSH_TUNNEL.lock() {
+        *guard = Some(child);
+    }
+
+    // Wait for tunnel to become available
+    for _ in 0..20 {
+        tokio::time::sleep(std::time::Duration::from_millis(500)).await;
+        if tokio::net::TcpStream::connect("127.0.0.1:16443")
+            .await
+            .is_ok()
+        {
+            return Ok(());
+        }
+    }
+
+    bail!("SSH tunnel to {host} did not open in time")
+}
+
+// ---------------------------------------------------------------------------
+// Client initialization
+// ---------------------------------------------------------------------------
+
+/// Get or create a kube::Client configured for the active context.
+/// Opens SSH tunnel first if needed for production.
+pub async fn get_client() -> Result<&'static Client> {
+    KUBE_CLIENT
+        .get_or_try_init(|| async {
+            ensure_tunnel().await?;
+
+            let kubeconfig = Kubeconfig::read().map_err(|e| SunbeamError::kube(format!("Failed to read kubeconfig: {e}")))?;
+            let options = KubeConfigOptions {
+                context: Some(context().to_string()),
+                ..Default::default()
+            };
+            let config = Config::from_custom_kubeconfig(kubeconfig, &options)
+                .await
+                .map_err(|e| SunbeamError::kube(format!("Failed to build kube config from kubeconfig: {e}")))?;
+            Client::try_from(config).ctx("Failed to create kube client")
+        })
+        .await
+}
+
+// ---------------------------------------------------------------------------
+// Core Kubernetes operations
+// ---------------------------------------------------------------------------
+
+/// Server-side apply a multi-document YAML manifest.
+#[allow(dead_code)]
+pub async fn kube_apply(manifest: &str) -> Result<()> {
+    let client = get_client().await?;
+    let ssapply = PatchParams::apply("sunbeam").force();
+
+    for doc in manifest.split("\n---") {
+        let doc = doc.trim();
+        if doc.is_empty() || doc == "---" {
+            continue;
+        }
+
+        // Parse the YAML to a DynamicObject so we can route it
+        let obj: serde_yaml::Value =
+            serde_yaml::from_str(doc).ctx("Failed to parse YAML document")?;
+
+        let api_version = obj
+            .get("apiVersion")
+            .and_then(|v| v.as_str())
+            .unwrap_or("");
+        let kind = obj.get("kind").and_then(|v| v.as_str()).unwrap_or("");
+        let metadata = obj.get("metadata");
+        let name = metadata
+            .and_then(|m| m.get("name"))
+            .and_then(|v| v.as_str())
+            .unwrap_or("");
+        let namespace = metadata
+            .and_then(|m| m.get("namespace"))
+            .and_then(|v| v.as_str());
+
+        if name.is_empty() || kind.is_empty() {
+            continue; // skip incomplete documents
+        }
+
+        // Use discovery to find the right API resource
+        let (ar, scope) = resolve_api_resource(client, api_version, kind).await?;
+
+        let api: Api<DynamicObject> = if let Some(ns) = namespace {
+            Api::namespaced_with(client.clone(), ns, &ar)
+        } else if scope == Scope::Namespaced {
+            // Namespaced resource without a namespace specified; use default
+            Api::default_namespaced_with(client.clone(), &ar)
+        } else {
+            Api::all_with(client.clone(), &ar)
+        };
+
+        let patch: serde_json::Value =
+            serde_yaml::from_str(doc).ctx("Failed to parse YAML to JSON value")?;
+
+        api.patch(name, &ssapply, &Patch::Apply(patch))
+            .await
+            .with_ctx(|| format!("Failed to apply {kind}/{name}"))?;
+    }
+    Ok(())
+}
+
+/// Resolve an API resource from apiVersion and kind using discovery.
+async fn resolve_api_resource(
+    client: &Client,
+    api_version: &str,
+    kind: &str,
+) -> Result<(ApiResource, Scope)> {
+    // Split apiVersion into group and version
+    let (group, version) = if api_version.contains('/') {
+        let parts: Vec<&str> = api_version.splitn(2, '/').collect();
+        (parts[0], parts[1])
+    } else {
+        ("", api_version) // core API group
+    };
+
+    let disc = API_DISCOVERY
+        .get_or_try_init(|| async {
+            discovery::Discovery::new(client.clone())
+                .run()
+                .await
+                .ctx("API discovery failed")
+        })
+        .await?;
+
+    for api_group in disc.groups() {
+        if api_group.name() == group {
+            for (ar, caps) in api_group.resources_by_stability() {
+                if ar.kind == kind && ar.version == version {
+                    return Ok((ar, caps.scope));
+                }
+            }
+        }
+    }
+
+    bail!("Could not discover API resource for {api_version}/{kind}")
+}
+
+/// Get a Kubernetes Secret object.
+#[allow(dead_code)]
+pub async fn kube_get_secret(ns: &str, name: &str) -> Result<Option<Secret>> {
+    let client = get_client().await?;
+    let api: Api<Secret> = Api::namespaced(client.clone(), ns);
+    match api.get_opt(name).await {
+        Ok(secret) => Ok(secret),
+        Err(e) => Err(e).with_ctx(|| format!("Failed to get secret {ns}/{name}")),
+    }
+}
+
+/// Get a specific base64-decoded field from a Kubernetes secret.
+#[allow(dead_code)]
+pub async fn kube_get_secret_field(ns: &str, name: &str, key: &str) -> Result<String> {
+    let secret = kube_get_secret(ns, name)
+        .await?
+        .with_ctx(|| format!("Secret {ns}/{name} not found"))?;
+
+    let data = secret.data.as_ref().ctx("Secret has no data")?;
+
+    let bytes = data
+        .get(key)
+        .with_ctx(|| format!("Key {key:?} not found in secret {ns}/{name}"))?;
+
+    String::from_utf8(bytes.0.clone())
+        .with_ctx(|| format!("Key {key:?} in secret {ns}/{name} is not valid UTF-8"))
+}
+
+/// Check if a namespace exists.
+#[allow(dead_code)]
+pub async fn ns_exists(ns: &str) -> Result<bool> {
+    let client = get_client().await?;
+    let api: Api<Namespace> = Api::all(client.clone());
+    match api.get_opt(ns).await {
+        Ok(Some(_)) => Ok(true),
+        Ok(None) => Ok(false),
+        Err(e) => Err(e).with_ctx(|| format!("Failed to check namespace {ns}")),
+    }
+}
+
+/// Create namespace if it does not exist.
+#[allow(dead_code)]
+pub async fn ensure_ns(ns: &str) -> Result<()> {
+    if ns_exists(ns).await? {
+        return Ok(());
+    }
+    let client = get_client().await?;
+    let api: Api<Namespace> = Api::all(client.clone());
+    let ns_obj = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "Namespace",
+        "metadata": { "name": ns }
+    });
+    let pp = PatchParams::apply("sunbeam").force();
+    api.patch(ns, &pp, &Patch::Apply(ns_obj))
+        .await
+        .with_ctx(|| format!("Failed to create namespace {ns}"))?;
+    Ok(())
+}
+
+/// Create or update a generic Kubernetes secret via server-side apply.
+#[allow(dead_code)]
+pub async fn create_secret(ns: &str, name: &str, data: HashMap<String, String>) -> Result<()> {
+    let client = get_client().await?;
+    let api: Api<Secret> = Api::namespaced(client.clone(), ns);
+
+    // Encode values as base64
+    let mut encoded: serde_json::Map<String, serde_json::Value> = serde_json::Map::new();
+    for (k, v) in &data {
+        let b64 = base64::engine::general_purpose::STANDARD.encode(v.as_bytes());
+        encoded.insert(k.clone(), serde_json::Value::String(b64));
+    }
+
+    let secret_obj = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "metadata": {
+            "name": name,
+            "namespace": ns,
+        },
+        "type": "Opaque",
+        "data": encoded,
+    });
+
+    let pp = PatchParams::apply("sunbeam").force();
+    api.patch(name, &pp, &Patch::Apply(secret_obj))
+        .await
+        .with_ctx(|| format!("Failed to create/update secret {ns}/{name}"))?;
+    Ok(())
+}
+
+/// Execute a command in a pod and return (exit_code, stdout).
+#[allow(dead_code)]
+pub async fn kube_exec(
+    ns: &str,
+    pod: &str,
+    cmd: &[&str],
+    container: Option<&str>,
+) -> Result<(i32, String)> {
+    let client = get_client().await?;
+    let pods: Api<k8s_openapi::api::core::v1::Pod> = Api::namespaced(client.clone(), ns);
+
+    let mut ep = kube::api::AttachParams::default();
+    ep.stdout = true;
+    ep.stderr = true;
+    ep.stdin = false;
+    if let Some(c) = container {
+        ep.container = Some(c.to_string());
+    }
+
+    let cmd_strings: Vec<String> = cmd.iter().map(|s| s.to_string()).collect();
+    let mut attached = pods
+        .exec(pod, cmd_strings, &ep)
+        .await
+        .with_ctx(|| format!("Failed to exec in pod {ns}/{pod}"))?;
+
+    let stdout = {
+        let mut stdout_reader = attached
+            .stdout()
+            .ctx("No stdout stream from exec")?;
+        let mut buf = Vec::new();
+        tokio::io::AsyncReadExt::read_to_end(&mut stdout_reader, &mut buf).await?;
+        String::from_utf8_lossy(&buf).to_string()
+    };
+
+    let status = attached
+        .take_status()
+        .ctx("No status channel from exec")?;
+
+    // Wait for the status
+    let exit_code = if let Some(status) = status.await {
+        status
+            .status
+            .map(|s| if s == "Success" { 0 } else { 1 })
+            .unwrap_or(1)
+    } else {
+        1
+    };
+
+    Ok((exit_code, stdout.trim().to_string()))
+}
+
+/// Patch a deployment to trigger a rollout restart.
+#[allow(dead_code)]
+pub async fn kube_rollout_restart(ns: &str, deployment: &str) -> Result<()> {
+    let client = get_client().await?;
+    let api: Api<Deployment> = Api::namespaced(client.clone(), ns);
+
+    let now = chrono::Utc::now().to_rfc3339();
+    let patch = serde_json::json!({
+        "spec": {
+            "template": {
+                "metadata": {
+                    "annotations": {
+                        "kubectl.kubernetes.io/restartedAt": now
+                    }
+                }
+            }
+        }
+    });
+
+    api.patch(deployment, &PatchParams::default(), &Patch::Strategic(patch))
+        .await
+        .with_ctx(|| format!("Failed to restart deployment {ns}/{deployment}"))?;
+    Ok(())
+}
+
+/// Discover the active domain from cluster state.
+///
+/// Tries the gitea-inline-config secret first (DOMAIN=src.<domain>),
+/// falls back to lasuite-oidc-provider configmap, then Lima VM IP.
+#[allow(dead_code)]
+pub async fn get_domain() -> Result<String> {
+    // 1. Gitea inline-config secret
+    if let Ok(Some(secret)) = kube_get_secret("devtools", "gitea-inline-config").await {
+        if let Some(data) = &secret.data {
+            if let Some(server_bytes) = data.get("server") {
+                let server_ini = String::from_utf8_lossy(&server_bytes.0);
+                for line in server_ini.lines() {
+                    if let Some(rest) = line.strip_prefix("DOMAIN=src.") {
+                        return Ok(rest.trim().to_string());
+                    }
+                }
+            }
+        }
+    }
+
+    // 2. Fallback: lasuite-oidc-provider configmap
+    {
+        let client = get_client().await?;
+        let api: Api<k8s_openapi::api::core::v1::ConfigMap> =
+            Api::namespaced(client.clone(), "lasuite");
+        if let Ok(Some(cm)) = api.get_opt("lasuite-oidc-provider").await {
+            if let Some(data) = &cm.data {
+                if let Some(endpoint) = data.get("OIDC_OP_JWKS_ENDPOINT") {
+                    if let Some(rest) = endpoint.split("https://auth.").nth(1) {
+                        if let Some(domain) = rest.split('/').next() {
+                            return Ok(domain.to_string());
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    // 3. Local dev fallback: Lima VM IP
+    let ip = get_lima_ip().await;
+    Ok(format!("{ip}.sslip.io"))
+}
+
+/// Get the socket_vmnet IP of the Lima sunbeam VM.
+async fn get_lima_ip() -> String {
+    let output = tokio::process::Command::new("limactl")
+        .args(["shell", "sunbeam", "ip", "-4", "addr", "show", "eth1"])
+        .output()
+        .await;
+
+    if let Ok(out) = output {
+        let stdout = String::from_utf8_lossy(&out.stdout);
+        for line in stdout.lines() {
+            if line.contains("inet ") {
+                if let Some(addr) = line.trim().split_whitespace().nth(1) {
+                    if let Some(ip) = addr.split('/').next() {
+                        return ip.to_string();
+                    }
+                }
+            }
+        }
+    }
+
+    // Fallback: hostname -I
+    let output2 = tokio::process::Command::new("limactl")
+        .args(["shell", "sunbeam", "hostname", "-I"])
+        .output()
+        .await;
+
+    if let Ok(out) = output2 {
+        let stdout = String::from_utf8_lossy(&out.stdout);
+        let ips: Vec<&str> = stdout.trim().split_whitespace().collect();
+        if ips.len() >= 2 {
+            return ips[ips.len() - 1].to_string();
+        } else if !ips.is_empty() {
+            return ips[0].to_string();
+        }
+    }
+
+    String::new()
+}
+
+// ---------------------------------------------------------------------------
+// kustomize build
+// ---------------------------------------------------------------------------
+
+/// Run kustomize build --enable-helm and apply domain/email substitution.
+#[allow(dead_code)]
+pub async fn kustomize_build(overlay: &Path, domain: &str, email: &str) -> Result<String> {
+    let kustomize_path = crate::tools::ensure_kustomize()?;
+    let helm_path = crate::tools::ensure_helm()?;
+
+    // Ensure helm's parent dir is on PATH so kustomize can find it
+    let helm_dir = helm_path
+        .parent()
+        .map(|p| p.to_string_lossy().to_string())
+        .unwrap_or_default();
+
+    let mut env_path = helm_dir.clone();
+    if let Ok(existing) = std::env::var("PATH") {
+        env_path = format!("{helm_dir}:{existing}");
+    }
+
+    let output = tokio::process::Command::new(&kustomize_path)
+        .args(["build", "--enable-helm"])
+        .arg(overlay)
+        .env("PATH", &env_path)
+        .output()
+        .await
+        .ctx("Failed to run kustomize")?;
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr);
+        bail!("kustomize build failed: {stderr}");
+    }
+
+    let mut text = String::from_utf8(output.stdout).ctx("kustomize output not UTF-8")?;
+
+    // Domain substitution
+    text = domain_replace(&text, domain);
+
+    // ACME email substitution
+    if !email.is_empty() {
+        text = text.replace("ACME_EMAIL", email);
+    }
+
+    // Registry host IP resolution
+    if text.contains("REGISTRY_HOST_IP") {
+        let registry_ip = resolve_registry_ip(domain).await;
+        text = text.replace("REGISTRY_HOST_IP", &registry_ip);
+    }
+
+    // Strip null annotations artifact
+    text = text.replace("\n      annotations: null", "");
+
+    Ok(text)
+}
+
+/// Resolve the registry host IP for REGISTRY_HOST_IP substitution.
+async fn resolve_registry_ip(domain: &str) -> String {
+    // Try DNS for src.<domain>
+    let hostname = format!("src.{domain}:443");
+    if let Ok(mut addrs) = tokio::net::lookup_host(&hostname).await {
+        if let Some(addr) = addrs.next() {
+            return addr.ip().to_string();
+        }
+    }
+
+    // Fallback: derive from production host config
+    let ssh_host = crate::config::get_production_host();
+    if !ssh_host.is_empty() {
+        let raw = ssh_host
+            .split('@')
+            .last()
+            .unwrap_or(&ssh_host)
+            .split(':')
+            .next()
+            .unwrap_or(&ssh_host);
+        let host_lookup = format!("{raw}:443");
+        if let Ok(mut addrs) = tokio::net::lookup_host(&host_lookup).await {
+            if let Some(addr) = addrs.next() {
+                return addr.ip().to_string();
+            }
+        }
+        // raw is likely already an IP
+        return raw.to_string();
+    }
+
+    String::new()
+}
+
+// ---------------------------------------------------------------------------
+// kubectl / bao passthrough
+// ---------------------------------------------------------------------------
+
+/// Transparent kubectl passthrough for the active context.
+pub async fn cmd_k8s(kubectl_args: &[String]) -> Result<()> {
+    ensure_tunnel().await?;
+
+    let status = tokio::process::Command::new("kubectl")
+        .arg(format!("--context={}", context()))
+        .args(kubectl_args)
+        .stdin(Stdio::inherit())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .await
+        .ctx("Failed to run kubectl")?;
+
+    if !status.success() {
+        std::process::exit(status.code().unwrap_or(1));
+    }
+    Ok(())
+}
+
+/// Run bao CLI inside the OpenBao pod with the root token.
+pub async fn cmd_bao(bao_args: &[String]) -> Result<()> {
+    // Find the openbao pod
+    let client = get_client().await?;
+    let pods: Api<k8s_openapi::api::core::v1::Pod> = Api::namespaced(client.clone(), "data");
+
+    let lp = ListParams::default().labels("app.kubernetes.io/name=openbao");
+    let pod_list = pods.list(&lp).await.ctx("Failed to list OpenBao pods")?;
+    let ob_pod = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("OpenBao pod not found -- is the cluster running?")?
+        .to_string();
+
+    // Get root token
+    let root_token = kube_get_secret_field("data", "openbao-keys", "root-token")
+        .await
+        .ctx("root-token not found in openbao-keys secret")?;
+
+    // Build the exec command using env to set VAULT_TOKEN without shell interpretation
+    let vault_token_env = format!("VAULT_TOKEN={root_token}");
+    let mut kubectl_args = vec![
+        format!("--context={}", context()),
+        "-n".to_string(),
+        "data".to_string(),
+        "exec".to_string(),
+        ob_pod,
+        "-c".to_string(),
+        "openbao".to_string(),
+        "--".to_string(),
+        "env".to_string(),
+        vault_token_env,
+        "bao".to_string(),
+    ];
+    kubectl_args.extend(bao_args.iter().cloned());
+
+    // Use kubectl for full TTY support
+    let status = tokio::process::Command::new("kubectl")
+        .args(&kubectl_args)
+        .stdin(Stdio::inherit())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .await
+        .ctx("Failed to run bao in OpenBao pod")?;
+
+    if !status.success() {
+        std::process::exit(status.code().unwrap_or(1));
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Parse target and domain_replace (already tested)
+// ---------------------------------------------------------------------------
+
+/// Parse 'ns/name' -> (Some(ns), Some(name)), 'ns' -> (Some(ns), None), None -> (None, None).
+pub fn parse_target(s: Option<&str>) -> Result<(Option<&str>, Option<&str>)> {
+    match s {
+        None => Ok((None, None)),
+        Some(s) => {
+            let parts: Vec<&str> = s.splitn(3, '/').collect();
+            match parts.len() {
+                1 => Ok((Some(parts[0]), None)),
+                2 => Ok((Some(parts[0]), Some(parts[1]))),
+                _ => bail!("Invalid target {s:?}: expected 'namespace' or 'namespace/name'"),
+            }
+        }
+    }
+}
+
+/// Replace all occurrences of DOMAIN_SUFFIX with domain.
+pub fn domain_replace(text: &str, domain: &str) -> String {
+    text.replace("DOMAIN_SUFFIX", domain)
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_target_none() {
+        let (ns, name) = parse_target(None).unwrap();
+        assert!(ns.is_none());
+        assert!(name.is_none());
+    }
+
+    #[test]
+    fn test_parse_target_namespace_only() {
+        let (ns, name) = parse_target(Some("ory")).unwrap();
+        assert_eq!(ns, Some("ory"));
+        assert!(name.is_none());
+    }
+
+    #[test]
+    fn test_parse_target_namespace_and_name() {
+        let (ns, name) = parse_target(Some("ory/kratos")).unwrap();
+        assert_eq!(ns, Some("ory"));
+        assert_eq!(name, Some("kratos"));
+    }
+
+    #[test]
+    fn test_parse_target_too_many_parts() {
+        assert!(parse_target(Some("too/many/parts")).is_err());
+    }
+
+    #[test]
+    fn test_parse_target_empty_string() {
+        let (ns, name) = parse_target(Some("")).unwrap();
+        assert_eq!(ns, Some(""));
+        assert!(name.is_none());
+    }
+
+    #[test]
+    fn test_domain_replace_single() {
+        let result = domain_replace("src.DOMAIN_SUFFIX/foo", "192.168.1.1.sslip.io");
+        assert_eq!(result, "src.192.168.1.1.sslip.io/foo");
+    }
+
+    #[test]
+    fn test_domain_replace_multiple() {
+        let result = domain_replace("DOMAIN_SUFFIX and DOMAIN_SUFFIX", "x.sslip.io");
+        assert_eq!(result, "x.sslip.io and x.sslip.io");
+    }
+
+    #[test]
+    fn test_domain_replace_none() {
+        let result = domain_replace("no match here", "x.sslip.io");
+        assert_eq!(result, "no match here");
+    }
+
+    #[tokio::test]
+    async fn test_ensure_tunnel_noop_when_ssh_host_empty() {
+        // When ssh_host is empty (local dev), ensure_tunnel should return Ok
+        // immediately without spawning any SSH process.
+        // SSH_HOST OnceLock may already be set from another test, but the
+        // default (unset) value is "" which is what we want. If it was set
+        // to a non-empty value by a prior test in the same process, this
+        // test would attempt a real SSH connection and fail — that is acceptable
+        // as a signal that test isolation changed.
+        //
+        // In a fresh test binary SSH_HOST is unset, so ssh_host() returns "".
+        let result = ensure_tunnel().await;
+        assert!(result.is_ok(), "ensure_tunnel should be a no-op when ssh_host is empty");
+    }
+
+    #[test]
+    fn test_create_secret_data_encoding() {
+        // Test that we can build the expected JSON structure for secret creation
+        let mut data = HashMap::new();
+        data.insert("username".to_string(), "admin".to_string());
+        data.insert("password".to_string(), "s3cret".to_string());
+
+        let mut encoded: serde_json::Map<String, serde_json::Value> = serde_json::Map::new();
+        for (k, v) in &data {
+            let b64 = base64::engine::general_purpose::STANDARD.encode(v.as_bytes());
+            encoded.insert(k.clone(), serde_json::Value::String(b64));
+        }
+
+        let secret_obj = serde_json::json!({
+            "apiVersion": "v1",
+            "kind": "Secret",
+            "metadata": {
+                "name": "test-secret",
+                "namespace": "default",
+            },
+            "type": "Opaque",
+            "data": encoded,
+        });
+
+        let json_str = serde_json::to_string(&secret_obj).unwrap();
+        assert!(json_str.contains("YWRtaW4=")); // base64("admin")
+        assert!(json_str.contains("czNjcmV0")); // base64("s3cret")
+    }
+}
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..8b7b6d4
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,59 @@
+#[macro_use]
+mod error;
+
+mod auth;
+mod checks;
+mod cli;
+mod cluster;
+mod constants;
+mod config;
+mod gitea;
+mod images;
+mod kube;
+mod manifests;
+mod openbao;
+mod output;
+mod pm;
+mod secrets;
+mod services;
+mod tools;
+mod update;
+mod users;
+
+#[tokio::main]
+async fn main() {
+    // Install rustls crypto provider (ring) before any TLS operations.
+    rustls::crypto::ring::default_provider()
+        .install_default()
+        .expect("Failed to install rustls crypto provider");
+
+    // Initialize tracing subscriber.
+    // Respects RUST_LOG env var (e.g. RUST_LOG=debug, RUST_LOG=sunbeam=trace).
+    // Default: warn for dependencies, info for sunbeam.
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            tracing_subscriber::EnvFilter::try_from_default_env().unwrap_or_else(|_| {
+                tracing_subscriber::EnvFilter::new("sunbeam=info,warn")
+            }),
+        )
+        .with_target(false)
+        .with_writer(std::io::stderr)
+        .init();
+
+    match cli::dispatch().await {
+        Ok(()) => {}
+        Err(e) => {
+            let code = e.exit_code();
+            tracing::error!("{e}");
+
+            // Print source chain for non-trivial errors
+            let mut source = std::error::Error::source(&e);
+            while let Some(cause) = source {
+                tracing::debug!("caused by: {cause}");
+                source = std::error::Error::source(cause);
+            }
+
+            std::process::exit(code);
+        }
+    }
+}
diff --git a/src/manifests.rs b/src/manifests.rs
new file mode 100644
index 0000000..f0761b9
--- /dev/null
+++ b/src/manifests.rs
@@ -0,0 +1,880 @@
+use crate::error::Result;
+use crate::constants::MANAGED_NS;
+
+/// Return only the YAML documents that belong to the given namespace.
+pub fn filter_by_namespace(manifests: &str, namespace: &str) -> String {
+    let mut kept = Vec::new();
+    for doc in manifests.split("\n---") {
+        let doc = doc.trim();
+        if doc.is_empty() {
+            continue;
+        }
+        let has_ns = doc.contains(&format!("namespace: {namespace}"));
+        let is_ns_resource =
+            doc.contains("kind: Namespace") && doc.contains(&format!("name: {namespace}"));
+        if has_ns || is_ns_resource {
+            kept.push(doc);
+        }
+    }
+    if kept.is_empty() {
+        return String::new();
+    }
+    format!("---\n{}\n", kept.join("\n---\n"))
+}
+
+/// Build kustomize overlay for env, substitute domain/email, apply via kube-rs.
+///
+/// Runs a second convergence pass if cert-manager is present in the overlay —
+/// cert-manager registers a ValidatingWebhook that must be running before
+/// ClusterIssuer / Certificate resources can be created.
+pub async fn cmd_apply(env: &str, domain: &str, email: &str, namespace: &str) -> Result<()> {
+    // Fall back to config for ACME email if not provided via CLI flag.
+    let email = if email.is_empty() {
+        crate::config::load_config().acme_email
+    } else {
+        email.to_string()
+    };
+
+    let infra_dir = crate::config::get_infra_dir();
+
+    let (resolved_domain, overlay) = if env == "production" {
+        let d = if domain.is_empty() {
+            crate::kube::get_domain().await?
+        } else {
+            domain.to_string()
+        };
+        if d.is_empty() {
+            bail!("--domain is required for production apply on first deploy");
+        }
+        let overlay = infra_dir.join("overlays").join("production");
+        (d, overlay)
+    } else {
+        // Local: discover domain from Lima IP
+        let d = crate::kube::get_domain().await?;
+        let overlay = infra_dir.join("overlays").join("local");
+        (d, overlay)
+    };
+
+    let scope = if namespace.is_empty() {
+        String::new()
+    } else {
+        format!(" [{namespace}]")
+    };
+    crate::output::step(&format!(
+        "Applying manifests (env: {env}, domain: {resolved_domain}){scope}..."
+    ));
+
+    if env == "local" {
+        apply_mkcert_ca_configmap().await;
+    }
+
+    let ns_list = if namespace.is_empty() {
+        None
+    } else {
+        Some(vec![namespace.to_string()])
+    };
+    pre_apply_cleanup(ns_list.as_deref()).await;
+
+    let before = snapshot_configmaps().await;
+    let mut manifests =
+        crate::kube::kustomize_build(&overlay, &resolved_domain, &email).await?;
+
+    if !namespace.is_empty() {
+        manifests = filter_by_namespace(&manifests, namespace);
+        if manifests.trim().is_empty() {
+            crate::output::warn(&format!(
+                "No resources found for namespace '{namespace}' -- check the name and try again."
+            ));
+            return Ok(());
+        }
+    }
+
+    // First pass: may emit errors for resources that depend on webhooks not yet running
+    if let Err(e) = crate::kube::kube_apply(&manifests).await {
+        crate::output::warn(&format!("First apply pass had errors (may be expected): {e}"));
+    }
+
+    // If cert-manager is in the overlay, wait for its webhook then re-apply
+    let cert_manager_present = overlay
+        .join("../../base/cert-manager")
+        .exists();
+
+    if cert_manager_present && namespace.is_empty() {
+        if wait_for_webhook("cert-manager", "cert-manager-webhook", 120).await {
+            crate::output::ok("Running convergence pass for cert-manager resources...");
+            let manifests2 =
+                crate::kube::kustomize_build(&overlay, &resolved_domain, &email).await?;
+            crate::kube::kube_apply(&manifests2).await?;
+        }
+    }
+
+    restart_for_changed_configmaps(&before, &snapshot_configmaps().await).await;
+
+    // Post-apply hooks
+    if namespace.is_empty() || namespace == "matrix" {
+        patch_tuwunel_oauth2_redirect(&resolved_domain).await;
+        inject_opensearch_model_id().await;
+    }
+    if namespace.is_empty() || namespace == "data" {
+        ensure_opensearch_ml().await;
+    }
+
+    crate::output::ok("Applied.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/// Delete immutable resources that must be re-created on each apply.
+async fn pre_apply_cleanup(namespaces: Option<&[String]>) {
+    let ns_list: Vec<&str> = match namespaces {
+        Some(ns) => ns.iter().map(|s| s.as_str()).collect(),
+        None => MANAGED_NS.to_vec(),
+    };
+
+    crate::output::ok("Cleaning up immutable Jobs and test Pods...");
+
+    // Prune stale VaultStaticSecrets that share a name with VaultDynamicSecrets
+    prune_stale_vault_static_secrets(&ns_list).await;
+
+    for ns in &ns_list {
+        // Delete all jobs
+        let client = match crate::kube::get_client().await {
+            Ok(c) => c,
+            Err(e) => {
+                crate::output::warn(&format!("Failed to get kube client: {e}"));
+                return;
+            }
+        };
+        let jobs: kube::api::Api<k8s_openapi::api::batch::v1::Job> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(job_list) = jobs.list(&kube::api::ListParams::default()).await {
+            for job in job_list.items {
+                if let Some(name) = &job.metadata.name {
+                    let dp = kube::api::DeleteParams::default();
+                    let _ = jobs.delete(name, &dp).await;
+                }
+            }
+        }
+
+        // Delete test pods
+        let pods: kube::api::Api<k8s_openapi::api::core::v1::Pod> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(pod_list) = pods.list(&kube::api::ListParams::default()).await {
+            for pod in pod_list.items {
+                if let Some(name) = &pod.metadata.name {
+                    if name.ends_with("-test-connection")
+                        || name.ends_with("-server-test")
+                        || name.ends_with("-test")
+                    {
+                        let dp = kube::api::DeleteParams::default();
+                        let _ = pods.delete(name, &dp).await;
+                    }
+                }
+            }
+        }
+    }
+}
+
+/// Prune VaultStaticSecrets that share a name with VaultDynamicSecrets in the same namespace.
+async fn prune_stale_vault_static_secrets(namespaces: &[&str]) {
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(e) => {
+            crate::output::warn(&format!("Failed to get kube client for VSS pruning: {e}"));
+            return;
+        }
+    };
+
+    let vss_ar = kube::api::ApiResource {
+        group: "secrets.hashicorp.com".into(),
+        version: "v1beta1".into(),
+        api_version: "secrets.hashicorp.com/v1beta1".into(),
+        kind: "VaultStaticSecret".into(),
+        plural: "vaultstaticsecrets".into(),
+    };
+
+    let vds_ar = kube::api::ApiResource {
+        group: "secrets.hashicorp.com".into(),
+        version: "v1beta1".into(),
+        api_version: "secrets.hashicorp.com/v1beta1".into(),
+        kind: "VaultDynamicSecret".into(),
+        plural: "vaultdynamicsecrets".into(),
+    };
+
+    for ns in namespaces {
+        let vss_api: kube::api::Api<kube::api::DynamicObject> =
+            kube::api::Api::namespaced_with(client.clone(), ns, &vss_ar);
+        let vds_api: kube::api::Api<kube::api::DynamicObject> =
+            kube::api::Api::namespaced_with(client.clone(), ns, &vds_ar);
+
+        let vss_list = match vss_api.list(&kube::api::ListParams::default()).await {
+            Ok(l) => l,
+            Err(_) => continue,
+        };
+        let vds_list = match vds_api.list(&kube::api::ListParams::default()).await {
+            Ok(l) => l,
+            Err(_) => continue,
+        };
+
+        let vds_names: std::collections::HashSet<String> = vds_list
+            .items
+            .iter()
+            .filter_map(|o| o.metadata.name.clone())
+            .collect();
+
+        for vss in &vss_list.items {
+            if let Some(name) = &vss.metadata.name {
+                if vds_names.contains(name) {
+                    crate::output::ok(&format!(
+                        "Pruning stale VaultStaticSecret {ns}/{name} (replaced by VaultDynamicSecret)"
+                    ));
+                    let dp = kube::api::DeleteParams::default();
+                    let _ = vss_api.delete(name, &dp).await;
+                }
+            }
+        }
+    }
+}
+
+/// Snapshot ConfigMap resourceVersions across managed namespaces.
+async fn snapshot_configmaps() -> std::collections::HashMap<String, String> {
+    let mut result = std::collections::HashMap::new();
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return result,
+    };
+
+    for ns in MANAGED_NS {
+        let cms: kube::api::Api<k8s_openapi::api::core::v1::ConfigMap> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(cm_list) = cms.list(&kube::api::ListParams::default()).await {
+            for cm in cm_list.items {
+                if let (Some(name), Some(rv)) = (
+                    &cm.metadata.name,
+                    &cm.metadata.resource_version,
+                ) {
+                    result.insert(format!("{ns}/{name}"), rv.clone());
+                }
+            }
+        }
+    }
+    result
+}
+
+/// Restart deployments that mount any ConfigMap whose resourceVersion changed.
+async fn restart_for_changed_configmaps(
+    before: &std::collections::HashMap<String, String>,
+    after: &std::collections::HashMap<String, String>,
+) {
+    let mut changed_by_ns: std::collections::HashMap<&str, std::collections::HashSet<&str>> =
+        std::collections::HashMap::new();
+
+    for (key, rv) in after {
+        if before.get(key) != Some(rv) {
+            if let Some((ns, name)) = key.split_once('/') {
+                changed_by_ns.entry(ns).or_default().insert(name);
+            }
+        }
+    }
+
+    if changed_by_ns.is_empty() {
+        return;
+    }
+
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return,
+    };
+
+    for (ns, cm_names) in &changed_by_ns {
+        let deps: kube::api::Api<k8s_openapi::api::apps::v1::Deployment> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(dep_list) = deps.list(&kube::api::ListParams::default()).await {
+            for dep in dep_list.items {
+                let dep_name = dep.metadata.name.as_deref().unwrap_or("");
+                // Check if this deployment mounts any changed ConfigMap
+                let volumes = dep
+                    .spec
+                    .as_ref()
+                    .and_then(|s| s.template.spec.as_ref())
+                    .and_then(|s| s.volumes.as_ref());
+
+                if let Some(vols) = volumes {
+                    let mounts_changed = vols.iter().any(|v| {
+                        if let Some(cm) = &v.config_map {
+                            cm_names.contains(cm.name.as_str())
+                        } else {
+                            false
+                        }
+                    });
+                    if mounts_changed {
+                        crate::output::ok(&format!(
+                            "Restarting {ns}/{dep_name} (ConfigMap updated)..."
+                        ));
+                        let _ = crate::kube::kube_rollout_restart(ns, dep_name).await;
+                    }
+                }
+            }
+        }
+    }
+}
+
+/// Wait for a webhook endpoint to become ready.
+async fn wait_for_webhook(ns: &str, svc: &str, timeout_secs: u64) -> bool {
+    crate::output::ok(&format!(
+        "Waiting for {ns}/{svc} webhook (up to {timeout_secs}s)..."
+    ));
+    let deadline =
+        std::time::Instant::now() + std::time::Duration::from_secs(timeout_secs);
+
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return false,
+    };
+    let eps: kube::api::Api<k8s_openapi::api::core::v1::Endpoints> =
+        kube::api::Api::namespaced(client.clone(), ns);
+
+    loop {
+        if std::time::Instant::now() > deadline {
+            crate::output::warn(&format!(
+                "  {ns}/{svc} not ready after {timeout_secs}s -- continuing anyway."
+            ));
+            return false;
+        }
+
+        if let Ok(Some(ep)) = eps.get_opt(svc).await {
+            let has_addr = ep
+                .subsets
+                .as_ref()
+                .and_then(|ss| ss.first())
+                .and_then(|s| s.addresses.as_ref())
+                .is_some_and(|a| !a.is_empty());
+            if has_addr {
+                crate::output::ok(&format!("  {ns}/{svc} ready."));
+                return true;
+            }
+        }
+
+        tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+    }
+}
+
+/// Create/update gitea-mkcert-ca ConfigMap from the local mkcert root CA.
+async fn apply_mkcert_ca_configmap() {
+    let caroot = tokio::process::Command::new("mkcert")
+        .arg("-CAROOT")
+        .output()
+        .await;
+
+    let caroot_path = match caroot {
+        Ok(out) if out.status.success() => {
+            String::from_utf8_lossy(&out.stdout).trim().to_string()
+        }
+        _ => {
+            crate::output::warn("mkcert not found -- skipping gitea-mkcert-ca ConfigMap.");
+            return;
+        }
+    };
+
+    let ca_pem_path = std::path::Path::new(&caroot_path).join("rootCA.pem");
+    let ca_pem = match std::fs::read_to_string(&ca_pem_path) {
+        Ok(s) => s,
+        Err(_) => {
+            crate::output::warn(&format!(
+                "mkcert root CA not found at {} -- skipping.",
+                ca_pem_path.display()
+            ));
+            return;
+        }
+    };
+
+    let cm = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "ConfigMap",
+        "metadata": {"name": "gitea-mkcert-ca", "namespace": "devtools"},
+        "data": {"ca.crt": ca_pem},
+    });
+
+    let manifest = serde_json::to_string(&cm).unwrap_or_default();
+    if let Err(e) = crate::kube::kube_apply(&manifest).await {
+        crate::output::warn(&format!("Failed to apply gitea-mkcert-ca: {e}"));
+    } else {
+        crate::output::ok("gitea-mkcert-ca ConfigMap applied.");
+    }
+}
+
+/// Patch the tuwunel OAuth2Client redirect URI with the actual client_id.
+async fn patch_tuwunel_oauth2_redirect(domain: &str) {
+    let client_id = match crate::kube::kube_get_secret_field("matrix", "oidc-tuwunel", "CLIENT_ID")
+        .await
+    {
+        Ok(id) if !id.is_empty() => id,
+        _ => {
+            crate::output::warn(
+                "oidc-tuwunel secret not yet available -- skipping redirect URI patch.",
+            );
+            return;
+        }
+    };
+
+    let redirect_uri = format!(
+        "https://messages.{domain}/_matrix/client/unstable/login/sso/callback/{client_id}"
+    );
+
+    // Patch the OAuth2Client CRD via kube-rs
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return,
+    };
+
+    let ar = kube::api::ApiResource {
+        group: "hydra.ory.sh".into(),
+        version: "v1alpha1".into(),
+        api_version: "hydra.ory.sh/v1alpha1".into(),
+        kind: "OAuth2Client".into(),
+        plural: "oauth2clients".into(),
+    };
+
+    let api: kube::api::Api<kube::api::DynamicObject> =
+        kube::api::Api::namespaced_with(client.clone(), "matrix", &ar);
+
+    let patch = serde_json::json!({
+        "spec": {
+            "redirectUris": [redirect_uri]
+        }
+    });
+
+    let pp = kube::api::PatchParams::default();
+    if let Err(e) = api
+        .patch("tuwunel", &pp, &kube::api::Patch::Merge(patch))
+        .await
+    {
+        crate::output::warn(&format!("Failed to patch tuwunel OAuth2Client: {e}"));
+    } else {
+        crate::output::ok("Patched tuwunel OAuth2Client redirect URI.");
+    }
+}
+
+// ---------------------------------------------------------------------------
+// OpenSearch helpers (kube exec + curl inside pod)
+// ---------------------------------------------------------------------------
+
+/// Call OpenSearch API via kube exec curl inside the opensearch pod.
+async fn os_api(path: &str, method: &str, body: Option<&str>) -> Option<String> {
+    let url = format!("http://localhost:9200{path}");
+    let mut curl_args: Vec<&str> = vec!["curl", "-sf", &url];
+    if method != "GET" {
+        curl_args.extend_from_slice(&["-X", method]);
+    }
+    let body_string;
+    if let Some(b) = body {
+        body_string = b.to_string();
+        curl_args.extend_from_slice(&["-H", "Content-Type: application/json", "-d", &body_string]);
+    }
+
+    // Build the full exec command: exec deploy/opensearch -n data -c opensearch -- curl ...
+    let exec_cmd = curl_args;
+
+    match crate::kube::kube_exec("data", "opensearch-0", &exec_cmd, Some("opensearch")).await {
+        Ok((0, out)) if !out.is_empty() => Some(out),
+        _ => None,
+    }
+}
+
+/// Inject OpenSearch model_id into matrix/opensearch-ml-config ConfigMap.
+async fn inject_opensearch_model_id() {
+    let pipe_resp =
+        match os_api("/_ingest/pipeline/tuwunel_embedding_pipeline", "GET", None).await {
+            Some(r) => r,
+            None => {
+                crate::output::warn(
+                    "OpenSearch ingest pipeline not found -- skipping model_id injection.",
+                );
+                return;
+            }
+        };
+
+    let model_id = serde_json::from_str::<serde_json::Value>(&pipe_resp)
+        .ok()
+        .and_then(|v| {
+            v.get("tuwunel_embedding_pipeline")?
+                .get("processors")?
+                .as_array()?
+                .iter()
+                .find_map(|p| {
+                    p.get("text_embedding")?
+                        .get("model_id")?
+                        .as_str()
+                        .map(String::from)
+                })
+        });
+
+    let Some(model_id) = model_id else {
+        crate::output::warn(
+            "No model_id in ingest pipeline -- tuwunel hybrid search unavailable.",
+        );
+        return;
+    };
+
+    // Check if ConfigMap already has this value
+    if let Ok(current) =
+        crate::kube::kube_get_secret_field("matrix", "opensearch-ml-config", "model_id").await
+    {
+        if current == model_id {
+            return;
+        }
+    }
+
+    let cm = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "ConfigMap",
+        "metadata": {"name": "opensearch-ml-config", "namespace": "matrix"},
+        "data": {"model_id": &model_id},
+    });
+
+    let manifest = serde_json::to_string(&cm).unwrap_or_default();
+    if let Err(e) = crate::kube::kube_apply(&manifest).await {
+        crate::output::warn(&format!("Failed to inject OpenSearch model_id: {e}"));
+    } else {
+        crate::output::ok(&format!(
+            "Injected OpenSearch model_id ({model_id}) into matrix/opensearch-ml-config."
+        ));
+    }
+}
+
+/// Configure OpenSearch ML Commons for neural search.
+///
+/// 1. Sets cluster settings to allow ML on data nodes.
+/// 2. Registers and deploys all-mpnet-base-v2 (pre-trained, 384-dim).
+/// 3. Creates ingest + search pipelines for hybrid BM25+neural scoring.
+async fn ensure_opensearch_ml() {
+    if os_api("/_cluster/health", "GET", None).await.is_none() {
+        crate::output::warn("OpenSearch not reachable -- skipping ML setup.");
+        return;
+    }
+
+    // 1. ML Commons cluster settings
+    let settings = serde_json::json!({
+        "persistent": {
+            "plugins.ml_commons.only_run_on_ml_node": false,
+            "plugins.ml_commons.native_memory_threshold": 90,
+            "plugins.ml_commons.model_access_control_enabled": false,
+            "plugins.ml_commons.allow_registering_model_via_url": true,
+        }
+    });
+    os_api(
+        "/_cluster/settings",
+        "PUT",
+        Some(&serde_json::to_string(&settings).unwrap()),
+    )
+    .await;
+
+    // 2. Check if model already registered and deployed
+    let search_body =
+        r#"{"query":{"match":{"name":"huggingface/sentence-transformers/all-mpnet-base-v2"}}}"#;
+    let search_resp = match os_api("/_plugins/_ml/models/_search", "POST", Some(search_body)).await
+    {
+        Some(r) => r,
+        None => {
+            crate::output::warn("OpenSearch ML search API failed -- skipping ML setup.");
+            return;
+        }
+    };
+
+    let resp: serde_json::Value = match serde_json::from_str(&search_resp) {
+        Ok(v) => v,
+        Err(_) => return,
+    };
+
+    let hits = resp
+        .get("hits")
+        .and_then(|h| h.get("hits"))
+        .and_then(|h| h.as_array())
+        .cloned()
+        .unwrap_or_default();
+
+    let mut model_id: Option<String> = None;
+    let mut already_deployed = false;
+
+    for hit in &hits {
+        let state = hit
+            .get("_source")
+            .and_then(|s| s.get("model_state"))
+            .and_then(|v| v.as_str())
+            .unwrap_or("");
+        let id = hit.get("_id").and_then(|v| v.as_str()).unwrap_or("");
+        match state {
+            "DEPLOYED" => {
+                model_id = Some(id.to_string());
+                already_deployed = true;
+                break;
+            }
+            "REGISTERED" | "DEPLOYING" => {
+                model_id = Some(id.to_string());
+            }
+            _ => {}
+        }
+    }
+
+    if !already_deployed {
+        if let Some(ref mid) = model_id {
+            // Registered but not deployed -- deploy it
+            crate::output::ok("Deploying OpenSearch ML model...");
+            os_api(
+                &format!("/_plugins/_ml/models/{mid}/_deploy"),
+                "POST",
+                None,
+            )
+            .await;
+            for _ in 0..30 {
+                tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+                if let Some(r) =
+                    os_api(&format!("/_plugins/_ml/models/{mid}"), "GET", None).await
+                {
+                    if r.contains("\"DEPLOYED\"") {
+                        break;
+                    }
+                }
+            }
+        } else {
+            // Register from pre-trained hub
+            crate::output::ok("Registering OpenSearch ML model (all-mpnet-base-v2)...");
+            let reg_body = serde_json::json!({
+                "name": "huggingface/sentence-transformers/all-mpnet-base-v2",
+                "version": "1.0.1",
+                "model_format": "TORCH_SCRIPT",
+            });
+            let reg_resp = match os_api(
+                "/_plugins/_ml/models/_register",
+                "POST",
+                Some(&serde_json::to_string(&reg_body).unwrap()),
+            )
+            .await
+            {
+                Some(r) => r,
+                None => {
+                    crate::output::warn("Failed to register ML model -- skipping.");
+                    return;
+                }
+            };
+
+            let task_id = serde_json::from_str::<serde_json::Value>(&reg_resp)
+                .ok()
+                .and_then(|v| v.get("task_id")?.as_str().map(String::from))
+                .unwrap_or_default();
+
+            if task_id.is_empty() {
+                crate::output::warn("No task_id from model registration -- skipping.");
+                return;
+            }
+
+            crate::output::ok("Waiting for model registration...");
+            let mut registered_id = None;
+            for _ in 0..60 {
+                tokio::time::sleep(std::time::Duration::from_secs(10)).await;
+                if let Some(task_resp) =
+                    os_api(&format!("/_plugins/_ml/tasks/{task_id}"), "GET", None).await
+                {
+                    if let Ok(task) = serde_json::from_str::<serde_json::Value>(&task_resp) {
+                        match task.get("state").and_then(|v| v.as_str()).unwrap_or("") {
+                            "COMPLETED" => {
+                                registered_id = task
+                                    .get("model_id")
+                                    .and_then(|v| v.as_str())
+                                    .map(String::from);
+                                break;
+                            }
+                            "FAILED" => {
+                                crate::output::warn(&format!(
+                                    "ML model registration failed: {task_resp}"
+                                ));
+                                return;
+                            }
+                            _ => {}
+                        }
+                    }
+                }
+            }
+
+            let Some(mid) = registered_id else {
+                crate::output::warn("ML model registration timed out.");
+                return;
+            };
+
+            crate::output::ok("Deploying ML model...");
+            os_api(
+                &format!("/_plugins/_ml/models/{mid}/_deploy"),
+                "POST",
+                None,
+            )
+            .await;
+            for _ in 0..30 {
+                tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+                if let Some(r) =
+                    os_api(&format!("/_plugins/_ml/models/{mid}"), "GET", None).await
+                {
+                    if r.contains("\"DEPLOYED\"") {
+                        break;
+                    }
+                }
+            }
+            model_id = Some(mid);
+        }
+    }
+
+    let Some(model_id) = model_id else {
+        crate::output::warn("No ML model available -- skipping pipeline setup.");
+        return;
+    };
+
+    // 3. Ingest pipeline
+    let ingest = serde_json::json!({
+        "description": "Tuwunel message embedding pipeline",
+        "processors": [{"text_embedding": {
+            "model_id": &model_id,
+            "field_map": {"body": "embedding"},
+        }}],
+    });
+    os_api(
+        "/_ingest/pipeline/tuwunel_embedding_pipeline",
+        "PUT",
+        Some(&serde_json::to_string(&ingest).unwrap()),
+    )
+    .await;
+
+    // 4. Search pipeline
+    let search = serde_json::json!({
+        "description": "Tuwunel hybrid BM25+neural search pipeline",
+        "phase_results_processors": [{"normalization-processor": {
+            "normalization": {"technique": "min_max"},
+            "combination": {
+                "technique": "arithmetic_mean",
+                "parameters": {"weights": [0.3, 0.7]},
+            },
+        }}],
+    });
+    os_api(
+        "/_search/pipeline/tuwunel_hybrid_pipeline",
+        "PUT",
+        Some(&serde_json::to_string(&search).unwrap()),
+    )
+    .await;
+
+    crate::output::ok(&format!("OpenSearch ML ready (model: {model_id})."));
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    const MULTI_DOC: &str = "\
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: meet-config
+  namespace: lasuite
+data:
+  FOO: bar
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: meet-backend
+  namespace: lasuite
+spec:
+  replicas: 1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: lasuite
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pingora-config
+  namespace: ingress
+data:
+  config.toml: |
+    hello
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pingora
+  namespace: ingress
+spec:
+  replicas: 1
+";
+
+    #[test]
+    fn test_keeps_matching_namespace() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(result.contains("name: meet-config"));
+        assert!(result.contains("name: meet-backend"));
+    }
+
+    #[test]
+    fn test_excludes_other_namespaces() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(!result.contains("namespace: ingress"));
+        assert!(!result.contains("name: pingora-config"));
+        assert!(!result.contains("name: pingora\n"));
+    }
+
+    #[test]
+    fn test_includes_namespace_resource_itself() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(result.contains("kind: Namespace"));
+    }
+
+    #[test]
+    fn test_ingress_filter() {
+        let result = filter_by_namespace(MULTI_DOC, "ingress");
+        assert!(result.contains("name: pingora-config"));
+        assert!(result.contains("name: pingora"));
+        assert!(!result.contains("namespace: lasuite"));
+    }
+
+    #[test]
+    fn test_unknown_namespace_returns_empty() {
+        let result = filter_by_namespace(MULTI_DOC, "nonexistent");
+        assert!(result.trim().is_empty());
+    }
+
+    #[test]
+    fn test_empty_input_returns_empty() {
+        let result = filter_by_namespace("", "lasuite");
+        assert!(result.trim().is_empty());
+    }
+
+    #[test]
+    fn test_result_starts_with_separator() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(result.starts_with("---"));
+    }
+
+    #[test]
+    fn test_does_not_include_namespace_resource_for_wrong_ns() {
+        let result = filter_by_namespace(MULTI_DOC, "ingress");
+        assert!(!result.contains("kind: Namespace"));
+    }
+
+    #[test]
+    fn test_single_doc_matching() {
+        let doc = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: x\n  namespace: ory\n";
+        let result = filter_by_namespace(doc, "ory");
+        assert!(result.contains("name: x"));
+    }
+
+    #[test]
+    fn test_single_doc_not_matching() {
+        let doc = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: x\n  namespace: ory\n";
+        let result = filter_by_namespace(doc, "lasuite");
+        assert!(result.trim().is_empty());
+    }
+}
diff --git a/src/openbao.rs b/src/openbao.rs
new file mode 100644
index 0000000..cdea8d9
--- /dev/null
+++ b/src/openbao.rs
@@ -0,0 +1,498 @@
+//! Lightweight OpenBao/Vault HTTP API client.
+//!
+//! Replaces all `kubectl exec openbao-0 -- sh -c "bao ..."` calls from the
+//! Python version with direct HTTP API calls via port-forward to openbao:8200.
+
+use crate::error::{Result, ResultExt};
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+
+/// OpenBao HTTP client wrapping a base URL and optional root token.
+#[derive(Clone)]
+pub struct BaoClient {
+    pub base_url: String,
+    pub token: Option<String>,
+    http: reqwest::Client,
+}
+
+// ── API response types ──────────────────────────────────────────────────────
+
+#[derive(Debug, Deserialize)]
+pub struct InitResponse {
+    pub unseal_keys_b64: Vec<String>,
+    pub root_token: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct SealStatusResponse {
+    #[serde(default)]
+    pub initialized: bool,
+    #[serde(default)]
+    pub sealed: bool,
+    #[serde(default)]
+    pub progress: u32,
+    #[serde(default)]
+    pub t: u32,
+    #[serde(default)]
+    pub n: u32,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct UnsealResponse {
+    #[serde(default)]
+    pub sealed: bool,
+    #[serde(default)]
+    pub progress: u32,
+}
+
+/// KV v2 read response wrapper.
+#[derive(Debug, Deserialize)]
+struct KvReadResponse {
+    data: Option<KvReadData>,
+}
+
+#[derive(Debug, Deserialize)]
+struct KvReadData {
+    data: Option<HashMap<String, serde_json::Value>>,
+}
+
+// ── Client implementation ───────────────────────────────────────────────────
+
+impl BaoClient {
+    /// Create a new client pointing at `base_url` (e.g. `http://localhost:8200`).
+    pub fn new(base_url: &str) -> Self {
+        Self {
+            base_url: base_url.trim_end_matches('/').to_string(),
+            token: None,
+            http: reqwest::Client::new(),
+        }
+    }
+
+    /// Create a client with an authentication token.
+    pub fn with_token(base_url: &str, token: &str) -> Self {
+        let mut client = Self::new(base_url);
+        client.token = Some(token.to_string());
+        client
+    }
+
+    fn url(&self, path: &str) -> String {
+        format!("{}/v1/{}", self.base_url, path.trim_start_matches('/'))
+    }
+
+    fn request(&self, method: reqwest::Method, path: &str) -> reqwest::RequestBuilder {
+        let mut req = self.http.request(method, self.url(path));
+        if let Some(ref token) = self.token {
+            req = req.header("X-Vault-Token", token);
+        }
+        req
+    }
+
+    // ── System operations ───────────────────────────────────────────────
+
+    /// Get the seal status of the OpenBao instance.
+    pub async fn seal_status(&self) -> Result<SealStatusResponse> {
+        let resp = self
+            .http
+            .get(format!("{}/v1/sys/seal-status", self.base_url))
+            .send()
+            .await
+            .ctx("Failed to connect to OpenBao")?;
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("OpenBao seal-status returned {status}: {body}");
+        }
+        resp.json().await.ctx("Failed to parse seal status")
+    }
+
+    /// Initialize OpenBao with the given number of key shares and threshold.
+    pub async fn init(&self, key_shares: u32, key_threshold: u32) -> Result<InitResponse> {
+        #[derive(Serialize)]
+        struct InitRequest {
+            secret_shares: u32,
+            secret_threshold: u32,
+        }
+
+        let resp = self
+            .http
+            .put(format!("{}/v1/sys/init", self.base_url))
+            .json(&InitRequest {
+                secret_shares: key_shares,
+                secret_threshold: key_threshold,
+            })
+            .send()
+            .await
+            .ctx("Failed to initialize OpenBao")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("OpenBao init returned {status}: {body}");
+        }
+        resp.json().await.ctx("Failed to parse init response")
+    }
+
+    /// Unseal OpenBao with one key share.
+    pub async fn unseal(&self, key: &str) -> Result<UnsealResponse> {
+        #[derive(Serialize)]
+        struct UnsealRequest<'a> {
+            key: &'a str,
+        }
+
+        let resp = self
+            .http
+            .put(format!("{}/v1/sys/unseal", self.base_url))
+            .json(&UnsealRequest { key })
+            .send()
+            .await
+            .ctx("Failed to unseal OpenBao")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("OpenBao unseal returned {status}: {body}");
+        }
+        resp.json().await.ctx("Failed to parse unseal response")
+    }
+
+    // ── Secrets engine management ───────────────────────────────────────
+
+    /// Enable a secrets engine at the given path.
+    /// Returns Ok(()) even if already enabled (400 is tolerated).
+    pub async fn enable_secrets_engine(&self, path: &str, engine_type: &str) -> Result<()> {
+        #[derive(Serialize)]
+        struct EnableRequest<'a> {
+            r#type: &'a str,
+        }
+
+        let resp = self
+            .request(reqwest::Method::POST, &format!("sys/mounts/{path}"))
+            .json(&EnableRequest {
+                r#type: engine_type,
+            })
+            .send()
+            .await
+            .ctx("Failed to enable secrets engine")?;
+
+        let status = resp.status();
+        if status.is_success() || status.as_u16() == 400 {
+            // 400 = "path is already in use" — idempotent
+            Ok(())
+        } else {
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Enable secrets engine {path} returned {status}: {body}");
+        }
+    }
+
+    // ── KV v2 operations ────────────────────────────────────────────────
+
+    /// Read all fields from a KV v2 secret path.
+    /// Returns None if the path doesn't exist (404).
+    pub async fn kv_get(&self, mount: &str, path: &str) -> Result<Option<HashMap<String, String>>> {
+        let resp = self
+            .request(reqwest::Method::GET, &format!("{mount}/data/{path}"))
+            .send()
+            .await
+            .ctx("Failed to read KV secret")?;
+
+        if resp.status().as_u16() == 404 {
+            return Ok(None);
+        }
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV get {mount}/{path} returned {status}: {body}");
+        }
+
+        let kv_resp: KvReadResponse = resp.json().await.ctx("Failed to parse KV response")?;
+        let data = kv_resp
+            .data
+            .and_then(|d| d.data)
+            .unwrap_or_default();
+
+        // Convert all values to strings
+        let result: HashMap<String, String> = data
+            .into_iter()
+            .map(|(k, v)| {
+                let s = match v {
+                    serde_json::Value::String(s) => s,
+                    other => other.to_string(),
+                };
+                (k, s)
+            })
+            .collect();
+
+        Ok(Some(result))
+    }
+
+    /// Read a single field from a KV v2 secret path.
+    /// Returns empty string if path or field doesn't exist.
+    pub async fn kv_get_field(&self, mount: &str, path: &str, field: &str) -> Result<String> {
+        match self.kv_get(mount, path).await? {
+            Some(data) => Ok(data.get(field).cloned().unwrap_or_default()),
+            None => Ok(String::new()),
+        }
+    }
+
+    /// Write (create or overwrite) all fields in a KV v2 secret path.
+    pub async fn kv_put(
+        &self,
+        mount: &str,
+        path: &str,
+        data: &HashMap<String, String>,
+    ) -> Result<()> {
+        #[derive(Serialize)]
+        struct KvWriteRequest<'a> {
+            data: &'a HashMap<String, String>,
+        }
+
+        let resp = self
+            .request(reqwest::Method::POST, &format!("{mount}/data/{path}"))
+            .json(&KvWriteRequest { data })
+            .send()
+            .await
+            .ctx("Failed to write KV secret")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV put {mount}/{path} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    /// Patch (merge) fields into an existing KV v2 secret path.
+    pub async fn kv_patch(
+        &self,
+        mount: &str,
+        path: &str,
+        data: &HashMap<String, String>,
+    ) -> Result<()> {
+        #[derive(Serialize)]
+        struct KvWriteRequest<'a> {
+            data: &'a HashMap<String, String>,
+        }
+
+        let resp = self
+            .request(reqwest::Method::PATCH, &format!("{mount}/data/{path}"))
+            .header("Content-Type", "application/merge-patch+json")
+            .json(&KvWriteRequest { data })
+            .send()
+            .await
+            .ctx("Failed to patch KV secret")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV patch {mount}/{path} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    /// Delete a KV v2 secret path (soft delete — deletes latest version).
+    pub async fn kv_delete(&self, mount: &str, path: &str) -> Result<()> {
+        let resp = self
+            .request(reqwest::Method::DELETE, &format!("{mount}/data/{path}"))
+            .send()
+            .await
+            .ctx("Failed to delete KV secret")?;
+
+        // 404 is fine (already deleted)
+        if !resp.status().is_success() && resp.status().as_u16() != 404 {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV delete {mount}/{path} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    // ── Auth operations ─────────────────────────────────────────────────
+
+    /// Enable an auth method at the given path.
+    /// Tolerates "already enabled" (400/409).
+    pub async fn auth_enable(&self, path: &str, method_type: &str) -> Result<()> {
+        #[derive(Serialize)]
+        struct AuthEnableRequest<'a> {
+            r#type: &'a str,
+        }
+
+        let resp = self
+            .request(reqwest::Method::POST, &format!("sys/auth/{path}"))
+            .json(&AuthEnableRequest {
+                r#type: method_type,
+            })
+            .send()
+            .await
+            .ctx("Failed to enable auth method")?;
+
+        let status = resp.status();
+        if status.is_success() || status.as_u16() == 400 {
+            Ok(())
+        } else {
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Enable auth {path} returned {status}: {body}");
+        }
+    }
+
+    /// Write a policy.
+    pub async fn write_policy(&self, name: &str, policy_hcl: &str) -> Result<()> {
+        #[derive(Serialize)]
+        struct PolicyRequest<'a> {
+            policy: &'a str,
+        }
+
+        let resp = self
+            .request(
+                reqwest::Method::PUT,
+                &format!("sys/policies/acl/{name}"),
+            )
+            .json(&PolicyRequest { policy: policy_hcl })
+            .send()
+            .await
+            .ctx("Failed to write policy")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Write policy {name} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    /// Write to an arbitrary API path (for auth config, roles, database config, etc.).
+    pub async fn write(
+        &self,
+        path: &str,
+        data: &serde_json::Value,
+    ) -> Result<serde_json::Value> {
+        let resp = self
+            .request(reqwest::Method::POST, path)
+            .json(data)
+            .send()
+            .await
+            .with_ctx(|| format!("Failed to write to {path}"))?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Write {path} returned {status}: {body}");
+        }
+
+        let body = resp.text().await.unwrap_or_default();
+        if body.is_empty() {
+            Ok(serde_json::Value::Null)
+        } else {
+            serde_json::from_str(&body).ctx("Failed to parse write response")
+        }
+    }
+
+    /// Read from an arbitrary API path.
+    pub async fn read(&self, path: &str) -> Result<Option<serde_json::Value>> {
+        let resp = self
+            .request(reqwest::Method::GET, path)
+            .send()
+            .await
+            .with_ctx(|| format!("Failed to read {path}"))?;
+
+        if resp.status().as_u16() == 404 {
+            return Ok(None);
+        }
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Read {path} returned {status}: {body}");
+        }
+
+        let body = resp.text().await.unwrap_or_default();
+        if body.is_empty() {
+            Ok(Some(serde_json::Value::Null))
+        } else {
+            Ok(Some(serde_json::from_str(&body)?))
+        }
+    }
+
+    // ── Database secrets engine ─────────────────────────────────────────
+
+    /// Configure the database secrets engine connection.
+    pub async fn write_db_config(
+        &self,
+        name: &str,
+        plugin: &str,
+        connection_url: &str,
+        username: &str,
+        password: &str,
+        allowed_roles: &str,
+    ) -> Result<()> {
+        let data = serde_json::json!({
+            "plugin_name": plugin,
+            "connection_url": connection_url,
+            "username": username,
+            "password": password,
+            "allowed_roles": allowed_roles,
+        });
+        self.write(&format!("database/config/{name}"), &data).await?;
+        Ok(())
+    }
+
+    /// Create a database static role.
+    pub async fn write_db_static_role(
+        &self,
+        name: &str,
+        db_name: &str,
+        username: &str,
+        rotation_period: u64,
+        rotation_statements: &[&str],
+    ) -> Result<()> {
+        let data = serde_json::json!({
+            "db_name": db_name,
+            "username": username,
+            "rotation_period": rotation_period,
+            "rotation_statements": rotation_statements,
+        });
+        self.write(&format!("database/static-roles/{name}"), &data)
+            .await?;
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_client_url_construction() {
+        let client = BaoClient::new("http://localhost:8200");
+        assert_eq!(client.url("sys/seal-status"), "http://localhost:8200/v1/sys/seal-status");
+        assert_eq!(client.url("/sys/seal-status"), "http://localhost:8200/v1/sys/seal-status");
+    }
+
+    #[test]
+    fn test_client_url_strips_trailing_slash() {
+        let client = BaoClient::new("http://localhost:8200/");
+        assert_eq!(client.base_url, "http://localhost:8200");
+    }
+
+    #[test]
+    fn test_with_token() {
+        let client = BaoClient::with_token("http://localhost:8200", "mytoken");
+        assert_eq!(client.token, Some("mytoken".to_string()));
+    }
+
+    #[test]
+    fn test_new_has_no_token() {
+        let client = BaoClient::new("http://localhost:8200");
+        assert!(client.token.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_seal_status_error_on_nonexistent_server() {
+        // Connecting to a port where nothing is listening should produce an
+        // error (connection refused), not a panic or hang.
+        let client = BaoClient::new("http://127.0.0.1:19999");
+        let result = client.seal_status().await;
+        assert!(
+            result.is_err(),
+            "seal_status should return an error when the server is unreachable"
+        );
+    }
+}
diff --git a/src/output.rs b/src/output.rs
new file mode 100644
index 0000000..af5f5a9
--- /dev/null
+++ b/src/output.rs
@@ -0,0 +1,92 @@
+/// Print a step header.
+pub fn step(msg: &str) {
+    println!("\n==> {msg}");
+}
+
+/// Print a success/info line.
+pub fn ok(msg: &str) {
+    println!("    {msg}");
+}
+
+/// Print a warning to stderr.
+pub fn warn(msg: &str) {
+    eprintln!("    WARN: {msg}");
+}
+
+/// Return an aligned text table. Columns padded to max width.
+pub fn table(rows: &[Vec<String>], headers: &[&str]) -> String {
+    if headers.is_empty() {
+        return String::new();
+    }
+
+    let mut col_widths: Vec<usize> = headers.iter().map(|h| h.len()).collect();
+    for row in rows {
+        for (i, cell) in row.iter().enumerate() {
+            if i < col_widths.len() {
+                col_widths[i] = col_widths[i].max(cell.len());
+            }
+        }
+    }
+
+    let header_line: String = headers
+        .iter()
+        .enumerate()
+        .map(|(i, h)| format!("{:<width$}", h, width = col_widths[i]))
+        .collect::<Vec<_>>()
+        .join("  ");
+
+    let separator: String = col_widths
+        .iter()
+        .map(|&w| "-".repeat(w))
+        .collect::<Vec<_>>()
+        .join("  ");
+
+    let mut lines = vec![header_line, separator];
+
+    for row in rows {
+        let cells: Vec<String> = (0..headers.len())
+            .map(|i| {
+                let val = row.get(i).map(|s| s.as_str()).unwrap_or("");
+                format!("{:<width$}", val, width = col_widths[i])
+            })
+            .collect();
+        lines.push(cells.join("  "));
+    }
+
+    lines.join("\n")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_table_basic() {
+        let rows = vec![
+            vec!["abc".to_string(), "def".to_string()],
+            vec!["x".to_string(), "longer".to_string()],
+        ];
+        let result = table(&rows, &["Col1", "Col2"]);
+        assert!(result.contains("Col1"));
+        assert!(result.contains("Col2"));
+        assert!(result.contains("abc"));
+        assert!(result.contains("longer"));
+    }
+
+    #[test]
+    fn test_table_empty_headers() {
+        let result = table(&[], &[]);
+        assert!(result.is_empty());
+    }
+
+    #[test]
+    fn test_table_column_widths() {
+        let rows = vec![vec!["short".to_string(), "x".to_string()]];
+        let result = table(&rows, &["LongHeader", "H2"]);
+        // Header should set minimum width
+        for line in result.lines().skip(2) {
+            // Data row: "short" should be padded to "LongHeader" width
+            assert!(line.starts_with("short     "));
+        }
+    }
+}
diff --git a/src/pm.rs b/src/pm.rs
new file mode 100644
index 0000000..5d0e698
--- /dev/null
+++ b/src/pm.rs
@@ -0,0 +1,1664 @@
+//! Unified project management across Planka (kanban boards) and Gitea (issues).
+//!
+//! Ticket IDs use a prefix format:
+//! - `p:42` or `planka:42` — Planka card
+//! - `g:studio/cli#7` or `gitea:studio/cli#7` — Gitea issue
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use crate::output;
+use serde::{Deserialize, Serialize};
+
+// ---------------------------------------------------------------------------
+// Domain types
+// ---------------------------------------------------------------------------
+
+/// Unified ticket representation across both systems.
+#[derive(Debug, Clone)]
+pub struct Ticket {
+    pub id: String,
+    pub source: Source,
+    pub title: String,
+    pub description: String,
+    pub status: Status,
+    pub assignees: Vec<String>,
+    pub labels: Vec<String>,
+    pub created_at: String,
+    pub updated_at: String,
+    pub url: String,
+}
+
+/// Which backend a ticket originates from.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum Source {
+    Planka,
+    Gitea,
+}
+
+/// Normalised ticket status across both systems.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum Status {
+    Open,
+    InProgress,
+    Done,
+    Closed,
+}
+
+impl std::fmt::Display for Source {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Source::Planka => write!(f, "planka"),
+            Source::Gitea => write!(f, "gitea"),
+        }
+    }
+}
+
+impl std::fmt::Display for Status {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Status::Open => write!(f, "open"),
+            Status::InProgress => write!(f, "in-progress"),
+            Status::Done => write!(f, "done"),
+            Status::Closed => write!(f, "closed"),
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Ticket ID parsing
+// ---------------------------------------------------------------------------
+
+/// A parsed ticket reference.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum TicketRef {
+    /// Planka card by ID (snowflake string).
+    Planka(String),
+    /// Gitea issue: (org, repo, issue number).
+    Gitea {
+        org: String,
+        repo: String,
+        number: u64,
+    },
+}
+
+/// Parse a prefixed ticket ID string.
+///
+/// Accepted formats:
+/// - `p:42`, `planka:42`
+/// - `g:studio/cli#7`, `gitea:studio/cli#7`
+pub fn parse_ticket_id(id: &str) -> Result<TicketRef> {
+    let (prefix, rest) = id
+        .split_once(':')
+        .ctx("Invalid ticket ID: expected 'p:ID' or 'g:org/repo#num'")?;
+
+    match prefix {
+        "p" | "planka" => {
+            if rest.is_empty() {
+                return Err(SunbeamError::config("Empty Planka card ID"));
+            }
+            Ok(TicketRef::Planka(rest.to_string()))
+        }
+        "g" | "gitea" => {
+            // Expected: org/repo#number
+            let (org_repo, num_str) = rest
+                .rsplit_once('#')
+                .ctx("Invalid Gitea ticket ID: expected org/repo#number")?;
+            let (org, repo) = org_repo
+                .split_once('/')
+                .ctx("Invalid Gitea ticket ID: expected org/repo#number")?;
+            let number: u64 = num_str
+                .parse()
+                .map_err(|_| SunbeamError::config(format!("Invalid issue number: {num_str}")))?;
+            Ok(TicketRef::Gitea {
+                org: org.to_string(),
+                repo: repo.to_string(),
+                number,
+            })
+        }
+        _ => Err(SunbeamError::config(format!(
+            "Unknown ticket prefix '{prefix}': use 'p'/'planka' or 'g'/'gitea'"
+        ))),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Auth helper
+// ---------------------------------------------------------------------------
+
+/// Retrieve the user's Hydra OAuth2 access token via the auth module.
+async fn get_token() -> Result<String> {
+    crate::auth::get_token().await
+}
+
+// ---------------------------------------------------------------------------
+// Planka client
+// ---------------------------------------------------------------------------
+
+/// Update payload for a Planka card.
+#[derive(Debug, Default, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct CardUpdate {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub name: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub description: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub list_id: Option<serde_json::Value>,
+}
+
+struct PlankaClient {
+    base_url: String,
+    token: String,
+    http: reqwest::Client,
+}
+
+/// Serde helpers for Planka JSON responses.
+mod planka_json {
+    use super::*;
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct ExchangeResponse {
+        #[serde(default)]
+        pub token: Option<String>,
+        // Planka may also return the token in `item`
+        #[serde(default)]
+        pub item: Option<String>,
+    }
+
+    #[derive(Debug, Clone, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Card {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: String,
+        #[serde(default)]
+        pub description: Option<String>,
+        #[serde(default)]
+        pub list_id: Option<serde_json::Value>,
+        #[serde(default)]
+        pub created_at: Option<String>,
+        #[serde(default)]
+        pub updated_at: Option<String>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct BoardResponse {
+        #[serde(default)]
+        pub included: Option<BoardIncluded>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct BoardIncluded {
+        #[serde(default)]
+        pub cards: Vec<Card>,
+        #[serde(default)]
+        pub card_memberships: Vec<CardMembership>,
+        #[serde(default)]
+        pub card_labels: Vec<CardLabel>,
+        #[serde(default)]
+        pub labels: Vec<Label>,
+        #[serde(default)]
+        pub lists: Vec<List>,
+        #[serde(default)]
+        pub users: Vec<User>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct CardMembership {
+        pub card_id: serde_json::Value,
+        pub user_id: serde_json::Value,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct CardLabel {
+        pub card_id: serde_json::Value,
+        pub label_id: serde_json::Value,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Label {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: Option<String>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct List {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: String,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct User {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: Option<String>,
+        #[serde(default)]
+        pub username: Option<String>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct CardDetailResponse {
+        pub item: Card,
+        #[serde(default)]
+        pub included: Option<BoardIncluded>,
+    }
+
+    impl Card {
+        pub fn to_ticket(self, base_url: &str, included: Option<&BoardIncluded>) -> Ticket {
+            let status = match included {
+                Some(inc) => list_name_to_status(
+                    self.list_id
+                        .and_then(|lid| inc.lists.iter().find(|l| l.id == lid))
+                        .map(|l| l.name.as_str())
+                        .unwrap_or(""),
+                ),
+                None => Status::Open,
+            };
+
+            let assignees = match included {
+                Some(inc) => inc
+                    .card_memberships
+                    .iter()
+                    .filter(|m| m.card_id == self.id)
+                    .filter_map(|m| {
+                        inc.users.iter().find(|u| u.id == m.user_id).map(|u| {
+                            u.username
+                                .clone()
+                                .or_else(|| u.name.clone())
+                                .unwrap_or_else(|| m.user_id.to_string())
+                        })
+                    })
+                    .collect(),
+                None => vec![],
+            };
+
+            let labels = match included {
+                Some(inc) => inc
+                    .card_labels
+                    .iter()
+                    .filter(|cl| cl.card_id == self.id)
+                    .filter_map(|cl| {
+                        inc.labels.iter().find(|l| l.id == cl.label_id).map(|l| {
+                            l.name
+                                .clone()
+                                .unwrap_or_else(|| cl.label_id.to_string())
+                        })
+                    })
+                    .collect(),
+                None => vec![],
+            };
+
+            // Derive web URL from API base URL (strip `/api`).
+            let web_base = base_url.trim_end_matches("/api");
+            Ticket {
+                id: format!("p:{}", self.id.as_str().unwrap_or(&self.id.to_string())),
+                source: Source::Planka,
+                title: self.name,
+                description: self.description.unwrap_or_default(),
+                status,
+                assignees,
+                labels,
+                created_at: self.created_at.unwrap_or_default(),
+                updated_at: self.updated_at.unwrap_or_default(),
+                url: format!("{web_base}/cards/{}", self.id.as_str().unwrap_or(&self.id.to_string())),
+            }
+        }
+    }
+
+    /// Map a Planka list name to a normalised status.
+    fn list_name_to_status(name: &str) -> Status {
+        let lower = name.to_lowercase();
+        if lower.contains("done") || lower.contains("complete") {
+            Status::Done
+        } else if lower.contains("progress") || lower.contains("doing") || lower.contains("active")
+        {
+            Status::InProgress
+        } else if lower.contains("closed") || lower.contains("archive") {
+            Status::Closed
+        } else {
+            Status::Open
+        }
+    }
+}
+
+impl PlankaClient {
+    /// Create a new Planka client, exchanging the Hydra token for a Planka JWT
+    /// if the direct Bearer token is rejected.
+    async fn new(domain: &str) -> Result<Self> {
+        let base_url = format!("https://projects.{domain}/api");
+        let hydra_token = get_token().await?;
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .build()
+            .map_err(|e| SunbeamError::network(format!("Failed to build HTTP client: {e}")))?;
+
+        // Exchange the Hydra access token for a Planka JWT via our custom endpoint.
+        let exchange_url = format!("{base_url}/access-tokens/exchange-using-token");
+        let exchange_resp = http
+            .post(&exchange_url)
+            .json(&serde_json::json!({ "token": hydra_token }))
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka token exchange failed: {e}")))?;
+
+        if !exchange_resp.status().is_success() {
+            let status = exchange_resp.status();
+            let body = exchange_resp.text().await.unwrap_or_default();
+            return Err(SunbeamError::identity(format!(
+                "Planka token exchange returned {status}: {body}"
+            )));
+        }
+
+        let body: serde_json::Value = exchange_resp.json().await?;
+        let token = body
+            .get("item")
+            .and_then(|v| v.as_str())
+            .ok_or_else(|| SunbeamError::identity("Planka exchange response missing 'item' field"))?
+            .to_string();
+
+        Ok(Self {
+            base_url,
+            token,
+            http,
+        })
+    }
+
+    /// Discover all projects and boards, then fetch cards from each.
+    async fn list_all_cards(&self) -> Result<Vec<Ticket>> {
+        // GET /api/projects returns all projects the user has access to,
+        // with included boards.
+        let url = format!("{}/projects", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .bearer_auth(&self.token)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka list projects: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka GET projects returned {}",
+                resp.status()
+            )));
+        }
+
+        let body: serde_json::Value = resp.json().await?;
+        // Extract board IDs — Planka uses string IDs (snowflake-style)
+        let board_ids: Vec<String> = body
+            .get("included")
+            .and_then(|inc| inc.get("boards"))
+            .and_then(|b| b.as_array())
+            .map(|boards| {
+                boards
+                    .iter()
+                    .filter_map(|b| {
+                        b.get("id").and_then(|id| {
+                            id.as_str()
+                                .map(|s| s.to_string())
+                                .or_else(|| id.as_u64().map(|n| n.to_string()))
+                        })
+                    })
+                    .collect()
+            })
+            .unwrap_or_default();
+
+        if board_ids.is_empty() {
+            return Ok(vec![]);
+        }
+
+        // Fetch cards from each board
+        let mut all_tickets = Vec::new();
+        for board_id in &board_ids {
+            match self.list_cards(board_id).await {
+                Ok(tickets) => all_tickets.extend(tickets),
+                Err(e) => {
+                    crate::output::warn(&format!("Planka board {board_id}: {e}"));
+                }
+            }
+        }
+
+        Ok(all_tickets)
+    }
+
+    /// GET /api/boards/{id} and extract all cards.
+    async fn list_cards(&self, board_id: &str) -> Result<Vec<Ticket>> {
+        let url = format!("{}/boards/{board_id}", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .bearer_auth(&self.token)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka list_cards: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka GET board {board_id} returned {}",
+                resp.status()
+            )));
+        }
+
+        let body: planka_json::BoardResponse = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka board parse error: {e}")))?;
+
+        let included = body.included;
+        let tickets = included
+            .as_ref()
+            .map(|inc| {
+                inc.cards
+                    .clone()
+                    .into_iter()
+                    .map(|c: planka_json::Card| c.to_ticket(&self.base_url, Some(inc)))
+                    .collect()
+            })
+            .unwrap_or_default();
+
+        Ok(tickets)
+    }
+
+    /// GET /api/cards/{id}
+    async fn get_card(&self, id: &str) -> Result<Ticket> {
+        let url = format!("{}/cards/{id}", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .bearer_auth(&self.token)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka get_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka GET card {id} returned {}",
+                resp.status()
+            )));
+        }
+
+        let body: planka_json::CardDetailResponse = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka card parse error: {e}")))?;
+
+        Ok(body
+            .item
+            .to_ticket(&self.base_url, body.included.as_ref()))
+    }
+
+    /// POST /api/lists/{list_id}/cards
+    async fn create_card(
+        &self,
+        _board_id: &str,
+        list_id: &str,
+        name: &str,
+        description: &str,
+    ) -> Result<Ticket> {
+        let url = format!("{}/lists/{list_id}/cards", self.base_url);
+        let body = serde_json::json!({
+            "name": name,
+            "description": description,
+            "position": 65535,
+        });
+
+        let resp = self
+            .http
+            .post(&url)
+            .bearer_auth(&self.token)
+            .json(&body)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka create_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka POST card returned {}",
+                resp.status()
+            )));
+        }
+
+        let card: planka_json::CardDetailResponse = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka card create parse error: {e}")))?;
+
+        Ok(card.item.to_ticket(&self.base_url, card.included.as_ref()))
+    }
+
+    /// PATCH /api/cards/{id}
+    async fn update_card(&self, id: &str, updates: &CardUpdate) -> Result<()> {
+        let url = format!("{}/cards/{id}", self.base_url);
+        let resp = self
+            .http
+            .patch(&url)
+            .bearer_auth(&self.token)
+            .json(updates)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka update_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka PATCH card {id} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// Move a card to a different list.
+    async fn move_card(&self, id: &str, list_id: &str) -> Result<()> {
+        self.update_card(
+            id,
+            &CardUpdate {
+                list_id: Some(serde_json::json!(list_id)),
+                ..Default::default()
+            },
+        )
+        .await
+    }
+
+    /// POST /api/cards/{id}/comment-actions
+    async fn comment_card(&self, id: &str, text: &str) -> Result<()> {
+        let url = format!("{}/cards/{id}/comment-actions", self.base_url);
+        let body = serde_json::json!({ "text": text });
+
+        let resp = self
+            .http
+            .post(&url)
+            .bearer_auth(&self.token)
+            .json(&body)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka comment_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka POST comment on card {id} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// Search for a Planka user by name/username, return their ID.
+    async fn resolve_user_id(&self, query: &str) -> Result<String> {
+        // "me" or "self" assigns to the current user
+        if query == "me" || query == "self" {
+            // Get current user via the token (decode JWT or call /api/users/me equivalent)
+            // Planka doesn't have /api/users/me, but we can get user from any board membership
+            let projects_url = format!("{}/projects", self.base_url);
+            if let Ok(resp) = self.http.get(&projects_url).bearer_auth(&self.token).send().await {
+                if let Ok(body) = resp.json::<serde_json::Value>().await {
+                    if let Some(memberships) = body.get("included")
+                        .and_then(|i| i.get("boardMemberships"))
+                        .and_then(|b| b.as_array())
+                    {
+                        if let Some(user_id) = memberships.first()
+                            .and_then(|m| m.get("userId"))
+                            .and_then(|v| v.as_str())
+                        {
+                            return Ok(user_id.to_string());
+                        }
+                    }
+                }
+            }
+        }
+
+        // Search other users (note: Planka excludes current user from search results)
+        let url = format!("{}/users/search", self.base_url);
+        let resp = self.http.get(&url)
+            .bearer_auth(&self.token)
+            .query(&[("query", query)])
+            .send().await
+            .map_err(|e| SunbeamError::network(format!("Planka user search: {e}")))?;
+        let body: serde_json::Value = resp.json().await?;
+        let users = body.get("items").and_then(|i| i.as_array());
+        if let Some(users) = users {
+            if let Some(user) = users.first() {
+                if let Some(id) = user.get("id").and_then(|v| v.as_str()) {
+                    return Ok(id.to_string());
+                }
+            }
+        }
+        Err(SunbeamError::identity(format!(
+            "Planka user not found: {query} (use 'me' to assign to yourself)"
+        )))
+    }
+
+    /// POST /api/cards/{id}/memberships
+    async fn assign_card(&self, id: &str, user: &str) -> Result<()> {
+        // Resolve username to user ID
+        let user_id = self.resolve_user_id(user).await?;
+        let url = format!("{}/cards/{id}/memberships", self.base_url);
+        let body = serde_json::json!({ "userId": user_id });
+
+        let resp = self
+            .http
+            .post(&url)
+            .bearer_auth(&self.token)
+            .json(&body)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka assign_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka POST membership on card {id} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Gitea client
+// ---------------------------------------------------------------------------
+
+/// Update payload for a Gitea issue.
+#[derive(Debug, Default, Serialize)]
+pub struct IssueUpdate {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub title: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub body: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub state: Option<String>,
+}
+
+struct GiteaClient {
+    base_url: String,
+    token: String,
+    http: reqwest::Client,
+}
+
+/// Serde helpers for Gitea JSON responses.
+mod gitea_json {
+    use super::*;
+
+    #[derive(Debug, Deserialize)]
+    pub struct Issue {
+        pub number: u64,
+        #[serde(default)]
+        pub title: String,
+        #[serde(default)]
+        pub body: Option<String>,
+        #[serde(default)]
+        pub state: String,
+        #[serde(default)]
+        pub assignees: Option<Vec<GiteaUser>>,
+        #[serde(default)]
+        pub labels: Option<Vec<GiteaLabel>>,
+        #[serde(default)]
+        pub created_at: Option<String>,
+        #[serde(default)]
+        pub updated_at: Option<String>,
+        #[serde(default)]
+        pub html_url: Option<String>,
+        #[serde(default)]
+        pub repository: Option<Repository>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct GiteaUser {
+        #[serde(default)]
+        pub login: String,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct GiteaLabel {
+        #[serde(default)]
+        pub name: String,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Repository {
+        #[serde(default)]
+        pub full_name: Option<String>,
+    }
+
+    impl Issue {
+        pub fn to_ticket(self, base_url: &str, org: &str, repo: &str) -> Ticket {
+            let status = state_to_status(&self.state);
+            let assignees = self
+                .assignees
+                .unwrap_or_default()
+                .into_iter()
+                .map(|u| u.login)
+                .collect();
+            let labels = self
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .map(|l| l.name)
+                .collect();
+            let web_base = base_url.trim_end_matches("/api/v1");
+            let url = self
+                .html_url
+                .unwrap_or_else(|| format!("{web_base}/{org}/{repo}/issues/{}", self.number));
+
+            Ticket {
+                id: format!("g:{org}/{repo}#{}", self.number),
+                source: Source::Gitea,
+                title: self.title,
+                description: self.body.unwrap_or_default(),
+                status,
+                assignees,
+                labels,
+                created_at: self.created_at.unwrap_or_default(),
+                updated_at: self.updated_at.unwrap_or_default(),
+                url,
+            }
+        }
+    }
+
+    /// Map Gitea issue state to normalised status.
+    pub fn state_to_status(state: &str) -> Status {
+        match state {
+            "open" => Status::Open,
+            "closed" => Status::Closed,
+            _ => Status::Open,
+        }
+    }
+}
+
+impl GiteaClient {
+    /// Create a new Gitea client using the Hydra OAuth2 token.
+    async fn new(domain: &str) -> Result<Self> {
+        let base_url = format!("https://src.{domain}/api/v1");
+        // Gitea needs its own PAT, not the Hydra access token
+        let token = crate::auth::get_gitea_token()?;
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .build()
+            .map_err(|e| SunbeamError::network(format!("Failed to build HTTP client: {e}")))?;
+
+        Ok(Self {
+            base_url,
+            token,
+            http,
+        })
+    }
+
+    /// Build a request with Gitea PAT auth (`Authorization: token <pat>`).
+    fn authed_get(&self, url: &str) -> reqwest::RequestBuilder {
+        self.http
+            .get(url)
+            .header("Authorization", format!("token {}", self.token))
+    }
+
+    fn authed_post(&self, url: &str) -> reqwest::RequestBuilder {
+        self.http
+            .post(url)
+            .header("Authorization", format!("token {}", self.token))
+    }
+
+    fn authed_patch(&self, url: &str) -> reqwest::RequestBuilder {
+        self.http
+            .patch(url)
+            .header("Authorization", format!("token {}", self.token))
+    }
+
+    /// List issues for an org/repo (or search across an org).
+    fn list_issues<'a>(
+        &'a self,
+        org: &'a str,
+        repo: Option<&'a str>,
+        state: &'a str,
+    ) -> futures::future::BoxFuture<'a, Result<Vec<Ticket>>> {
+        Box::pin(self.list_issues_inner(org, repo, state))
+    }
+
+    async fn list_issues_inner(
+        &self,
+        org: &str,
+        repo: Option<&str>,
+        state: &str,
+    ) -> Result<Vec<Ticket>> {
+        match repo {
+            Some(r) => {
+                let url = format!("{}/repos/{org}/{r}/issues", self.base_url);
+                let resp = self
+                    .http
+                    .get(&url)
+                    .header("Authorization", format!("token {}", self.token))
+                    .query(&[("state", state), ("type", "issues"), ("limit", "50")])
+                    .send()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea list_issues: {e}")))?;
+
+                if !resp.status().is_success() {
+                    return Err(SunbeamError::network(format!(
+                        "Gitea GET issues for {org}/{r} returned {}",
+                        resp.status()
+                    )));
+                }
+
+                let issues: Vec<gitea_json::Issue> = resp
+                    .json()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea issues parse error: {e}")))?;
+
+                Ok(issues
+                    .into_iter()
+                    .map(|i| i.to_ticket(&self.base_url, org, r))
+                    .collect())
+            }
+            None => {
+                // Search across the entire org by listing org repos, then issues.
+                let repos_url = format!("{}/orgs/{org}/repos", self.base_url);
+                let repos_resp = self
+                    .http
+                    .get(&repos_url)
+                    .header("Authorization", format!("token {}", self.token))
+                    .query(&[("limit", "50")])
+                    .send()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea list org repos: {e}")))?;
+
+                if !repos_resp.status().is_success() {
+                    return Err(SunbeamError::network(format!(
+                        "Gitea GET repos for org {org} returned {}",
+                        repos_resp.status()
+                    )));
+                }
+
+                #[derive(Deserialize)]
+                struct Repo {
+                    name: String,
+                }
+                let repos: Vec<Repo> = repos_resp
+                    .json()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea repos parse: {e}")))?;
+
+                let mut all = Vec::new();
+                for r in &repos {
+                    match self.list_issues(org, Some(&r.name), state).await {
+                        Ok(mut tickets) => all.append(&mut tickets),
+                        Err(_) => continue, // skip repos we cannot read
+                    }
+                }
+                Ok(all)
+            }
+        }
+    }
+
+    /// GET /api/v1/repos/{org}/{repo}/issues/{index}
+    async fn get_issue(&self, org: &str, repo: &str, index: u64) -> Result<Ticket> {
+        let url = format!("{}/repos/{org}/{repo}/issues/{index}", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea get_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea GET issue {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+
+        let issue: gitea_json::Issue = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea issue parse: {e}")))?;
+
+        Ok(issue.to_ticket(&self.base_url, org, repo))
+    }
+
+    /// POST /api/v1/repos/{org}/{repo}/issues
+    async fn create_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        title: &str,
+        body: &str,
+    ) -> Result<Ticket> {
+        let url = format!("{}/repos/{org}/{repo}/issues", self.base_url);
+        let payload = serde_json::json!({
+            "title": title,
+            "body": body,
+        });
+
+        let resp = self
+            .http
+            .post(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(&payload)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea create_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea POST issue to {org}/{repo} returned {}",
+                resp.status()
+            )));
+        }
+
+        let issue: gitea_json::Issue = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea issue create parse: {e}")))?;
+
+        Ok(issue.to_ticket(&self.base_url, org, repo))
+    }
+
+    /// PATCH /api/v1/repos/{org}/{repo}/issues/{index}
+    async fn update_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        index: u64,
+        updates: &IssueUpdate,
+    ) -> Result<()> {
+        let url = format!("{}/repos/{org}/{repo}/issues/{index}", self.base_url);
+        let resp = self
+            .http
+            .patch(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(updates)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea update_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea PATCH issue {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// Close an issue.
+    async fn close_issue(&self, org: &str, repo: &str, index: u64) -> Result<()> {
+        self.update_issue(
+            org,
+            repo,
+            index,
+            &IssueUpdate {
+                state: Some("closed".to_string()),
+                ..Default::default()
+            },
+        )
+        .await
+    }
+
+    /// POST /api/v1/repos/{org}/{repo}/issues/{index}/comments
+    async fn comment_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        index: u64,
+        body: &str,
+    ) -> Result<()> {
+        let url = format!(
+            "{}/repos/{org}/{repo}/issues/{index}/comments",
+            self.base_url
+        );
+        let payload = serde_json::json!({ "body": body });
+
+        let resp = self
+            .http
+            .post(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(&payload)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea comment_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea POST comment on {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// POST /api/v1/repos/{org}/{repo}/issues/{index}/assignees
+    #[allow(dead_code)]
+    async fn assign_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        index: u64,
+        assignee: &str,
+    ) -> Result<()> {
+        // Use PATCH on the issue itself — the /assignees endpoint requires
+        // the user to be an explicit collaborator, while PATCH works for
+        // any org member with write access.
+        let url = format!(
+            "{}/repos/{org}/{repo}/issues/{index}",
+            self.base_url
+        );
+        let payload = serde_json::json!({ "assignees": [assignee] });
+
+        let resp = self
+            .http
+            .patch(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(&payload)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea assign_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea assign on {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Display helpers
+// ---------------------------------------------------------------------------
+
+/// Format a list of tickets as a table.
+fn display_ticket_list(tickets: &[Ticket]) {
+    if tickets.is_empty() {
+        output::ok("No tickets found.");
+        return;
+    }
+
+    let rows: Vec<Vec<String>> = tickets
+        .iter()
+        .map(|t| {
+            vec![
+                t.id.clone(),
+                t.status.to_string(),
+                t.title.clone(),
+                t.assignees.join(", "),
+                t.source.to_string(),
+            ]
+        })
+        .collect();
+
+    let tbl = output::table(&rows, &["ID", "STATUS", "TITLE", "ASSIGNEES", "SOURCE"]);
+    println!("{tbl}");
+}
+
+/// Print a single ticket in detail.
+fn display_ticket_detail(t: &Ticket) {
+    println!("{} ({})", t.title, t.id);
+    println!("  Status:      {}", t.status);
+    println!("  Source:      {}", t.source);
+    if !t.assignees.is_empty() {
+        println!("  Assignees:   {}", t.assignees.join(", "));
+    }
+    if !t.labels.is_empty() {
+        println!("  Labels:      {}", t.labels.join(", "));
+    }
+    if !t.created_at.is_empty() {
+        println!("  Created:     {}", t.created_at);
+    }
+    if !t.updated_at.is_empty() {
+        println!("  Updated:     {}", t.updated_at);
+    }
+    println!("  URL:         {}", t.url);
+    if !t.description.is_empty() {
+        println!();
+        println!("{}", t.description);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Unified commands
+// ---------------------------------------------------------------------------
+
+/// List tickets, optionally filtering by source and state.
+///
+/// When `source` is `None`, both Planka and Gitea are queried in parallel.
+#[allow(dead_code)]
+pub async fn cmd_pm_list(source: Option<&str>, state: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+
+    let fetch_planka = source.is_none() || matches!(source, Some("planka" | "p"));
+    let fetch_gitea = source.is_none() || matches!(source, Some("gitea" | "g"));
+
+    let planka_fut = async {
+        if fetch_planka {
+            let client = PlankaClient::new(&domain).await?;
+            client.list_all_cards().await
+        } else {
+            Ok(vec![])
+        }
+    };
+
+    let gitea_fut = async {
+        if fetch_gitea {
+            let client = GiteaClient::new(&domain).await?;
+            client.list_issues("studio", None, state).await
+        } else {
+            Ok(vec![])
+        }
+    };
+
+    let (planka_result, gitea_result) = tokio::join!(planka_fut, gitea_fut);
+
+    let mut tickets = Vec::new();
+
+    match planka_result {
+        Ok(mut t) => tickets.append(&mut t),
+        Err(e) => output::warn(&format!("Planka: {e}")),
+    }
+
+    match gitea_result {
+        Ok(mut t) => tickets.append(&mut t),
+        Err(e) => output::warn(&format!("Gitea: {e}")),
+    }
+
+    // Filter by state if looking at Planka results too.
+    if state == "closed" {
+        tickets.retain(|t| matches!(t.status, Status::Closed | Status::Done));
+    } else if state == "open" {
+        tickets.retain(|t| matches!(t.status, Status::Open | Status::InProgress));
+    }
+
+    display_ticket_list(&tickets);
+    Ok(())
+}
+
+/// Show details for a single ticket by ID.
+#[allow(dead_code)]
+pub async fn cmd_pm_show(id: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    let ticket = match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            client.get_card(&card_id).await?
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.get_issue(&org, &repo, number).await?
+        }
+    };
+
+    display_ticket_detail(&ticket);
+    Ok(())
+}
+
+/// Create a new ticket.
+///
+/// `source` must be `"planka"` or `"gitea"`.
+/// `target` is source-specific: for Planka it is `"board_id/list_id"`,
+/// for Gitea it is `"org/repo"`.
+#[allow(dead_code)]
+pub async fn cmd_pm_create(title: &str, body: &str, source: &str, target: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+
+    let ticket = match source {
+        "planka" | "p" => {
+            let client = PlankaClient::new(&domain).await?;
+
+            // Fetch all boards
+            let projects_url = format!("{}/projects", client.base_url);
+            let resp = client.http.get(&projects_url).bearer_auth(&client.token).send().await?;
+            let projects_body: serde_json::Value = resp.json().await?;
+            let boards = projects_body.get("included").and_then(|i| i.get("boards"))
+                .and_then(|b| b.as_array())
+                .ok_or_else(|| SunbeamError::config("No Planka boards found"))?;
+
+            // Find the board: by name (--target "Board Name") or by ID, or use first
+            let board = if target.is_empty() {
+                boards.first()
+            } else {
+                boards.iter().find(|b| {
+                    let name = b.get("name").and_then(|n| n.as_str()).unwrap_or("");
+                    let id = b.get("id").and_then(|v| v.as_str()).unwrap_or("");
+                    name.eq_ignore_ascii_case(target) || id == target
+                }).or_else(|| boards.first())
+            }.ok_or_else(|| SunbeamError::config("No Planka boards found"))?;
+
+            let board_id = board.get("id").and_then(|v| v.as_str())
+                .ok_or_else(|| SunbeamError::config("Board has no ID"))?;
+            let board_name = board.get("name").and_then(|n| n.as_str()).unwrap_or("?");
+
+            // Fetch the board to get its lists, use the first list
+            let board_url = format!("{}/boards/{board_id}", client.base_url);
+            let board_resp = client.http.get(&board_url).bearer_auth(&client.token).send().await?;
+            let board_body: serde_json::Value = board_resp.json().await?;
+            let list_id = board_body.get("included").and_then(|i| i.get("lists"))
+                .and_then(|l| l.as_array()).and_then(|a| a.first())
+                .and_then(|l| l.get("id")).and_then(|v| v.as_str())
+                .ok_or_else(|| SunbeamError::config(format!("No lists in board '{board_name}'")))?;
+
+            client.create_card(board_id, list_id, title, body).await?
+        }
+        "gitea" | "g" => {
+            if target.is_empty() {
+                return Err(SunbeamError::config(
+                    "Gitea target required: --target org/repo (e.g. studio/marathon)",
+                ));
+            }
+            let parts: Vec<&str> = target.splitn(2, '/').collect();
+            if parts.len() != 2 {
+                return Err(SunbeamError::config("Gitea target must be 'org/repo'"));
+            }
+            let client = GiteaClient::new(&domain).await?;
+            client.create_issue(parts[0], parts[1], title, body).await?
+        }
+        _ => {
+            return Err(SunbeamError::config(format!(
+                "Unknown source '{source}': use 'planka' or 'gitea'"
+            )));
+        }
+    };
+
+    output::ok(&format!("Created: {} ({})", ticket.title, ticket.id));
+    println!("  {}", ticket.url);
+    Ok(())
+}
+
+/// Add a comment to a ticket.
+#[allow(dead_code)]
+pub async fn cmd_pm_comment(id: &str, text: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            client.comment_card(&card_id, text).await?;
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.comment_issue(&org, &repo, number, text).await?;
+        }
+    }
+
+    output::ok(&format!("Comment added to {id}."));
+    Ok(())
+}
+
+/// Close a ticket.
+#[allow(dead_code)]
+pub async fn cmd_pm_close(id: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            // Get the card to find its board, then find a "Done"/"Closed" list
+            let ticket = client.get_card(&card_id).await?;
+            // Try to find the board and its lists
+            let url = format!("{}/cards/{card_id}", client.base_url);
+            let resp = client.http.get(&url).bearer_auth(&client.token).send().await
+                .map_err(|e| SunbeamError::network(format!("Planka get card: {e}")))?;
+            let body: serde_json::Value = resp.json().await?;
+            let board_id = body.get("item").and_then(|i| i.get("boardId"))
+                .and_then(|v| v.as_str()).unwrap_or("");
+
+            if !board_id.is_empty() {
+                // Fetch the board to get its lists
+                let board_url = format!("{}/boards/{board_id}", client.base_url);
+                let board_resp = client.http.get(&board_url).bearer_auth(&client.token).send().await
+                    .map_err(|e| SunbeamError::network(format!("Planka get board: {e}")))?;
+                let board_body: serde_json::Value = board_resp.json().await?;
+                let lists = board_body.get("included")
+                    .and_then(|i| i.get("lists"))
+                    .and_then(|l| l.as_array());
+
+                if let Some(lists) = lists {
+                    // Find a list named "Done", "Closed", "Complete", or similar
+                    let done_list = lists.iter().find(|l| {
+                        let name = l.get("name").and_then(|n| n.as_str()).unwrap_or("").to_lowercase();
+                        name.contains("done") || name.contains("closed") || name.contains("complete")
+                    });
+
+                    if let Some(done_list) = done_list {
+                        let list_id = done_list.get("id").and_then(|v| v.as_str()).unwrap_or("");
+                        if !list_id.is_empty() {
+                            client.update_card(&card_id, &CardUpdate {
+                                list_id: Some(serde_json::json!(list_id)),
+                                ..Default::default()
+                            }).await?;
+                            output::ok(&format!("Moved p:{card_id} to Done."));
+                            return Ok(());
+                        }
+                    }
+                }
+            }
+            output::warn(&format!("Could not find a Done list for p:{card_id}. Move it manually."));
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.close_issue(&org, &repo, number).await?;
+            output::ok(&format!("Closed gitea:{org}/{repo}#{number}."));
+        }
+    }
+
+    Ok(())
+}
+
+/// Assign a user to a ticket.
+#[allow(dead_code)]
+pub async fn cmd_pm_assign(id: &str, user: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            client.assign_card(&card_id, user).await?;
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.assign_issue(&org, &repo, number, user).await?;
+        }
+    }
+
+    output::ok(&format!("Assigned {user} to {id}."));
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // -- Ticket ID parsing --------------------------------------------------
+
+    #[test]
+    fn test_parse_planka_short() {
+        let r = parse_ticket_id("p:42").unwrap();
+        assert_eq!(r, TicketRef::Planka("42".to_string()));
+    }
+
+    #[test]
+    fn test_parse_planka_long() {
+        let r = parse_ticket_id("planka:100").unwrap();
+        assert_eq!(r, TicketRef::Planka("100".to_string()));
+    }
+
+    #[test]
+    fn test_parse_gitea_short() {
+        let r = parse_ticket_id("g:studio/cli#7").unwrap();
+        assert_eq!(
+            r,
+            TicketRef::Gitea {
+                org: "studio".to_string(),
+                repo: "cli".to_string(),
+                number: 7,
+            }
+        );
+    }
+
+    #[test]
+    fn test_parse_gitea_long() {
+        let r = parse_ticket_id("gitea:internal/infra#123").unwrap();
+        assert_eq!(
+            r,
+            TicketRef::Gitea {
+                org: "internal".to_string(),
+                repo: "infra".to_string(),
+                number: 123,
+            }
+        );
+    }
+
+    #[test]
+    fn test_parse_missing_colon() {
+        assert!(parse_ticket_id("noprefix").is_err());
+    }
+
+    #[test]
+    fn test_parse_unknown_prefix() {
+        assert!(parse_ticket_id("jira:FOO-1").is_err());
+    }
+
+    #[test]
+    fn test_parse_invalid_planka_id() {
+        // Empty ID should fail
+        assert!(parse_ticket_id("p:").is_err());
+    }
+
+    #[test]
+    fn test_parse_gitea_missing_hash() {
+        assert!(parse_ticket_id("g:studio/cli").is_err());
+    }
+
+    #[test]
+    fn test_parse_gitea_missing_slash() {
+        assert!(parse_ticket_id("g:repo#1").is_err());
+    }
+
+    #[test]
+    fn test_parse_gitea_invalid_number() {
+        assert!(parse_ticket_id("g:studio/cli#abc").is_err());
+    }
+
+    // -- Status mapping -----------------------------------------------------
+
+    #[test]
+    fn test_gitea_state_open() {
+        assert_eq!(gitea_json::state_to_status("open"), Status::Open);
+    }
+
+    #[test]
+    fn test_gitea_state_closed() {
+        assert_eq!(gitea_json::state_to_status("closed"), Status::Closed);
+    }
+
+    #[test]
+    fn test_gitea_state_unknown_defaults_open() {
+        assert_eq!(gitea_json::state_to_status("weird"), Status::Open);
+    }
+
+    #[test]
+    fn test_status_display() {
+        assert_eq!(Status::Open.to_string(), "open");
+        assert_eq!(Status::InProgress.to_string(), "in-progress");
+        assert_eq!(Status::Done.to_string(), "done");
+        assert_eq!(Status::Closed.to_string(), "closed");
+    }
+
+    #[test]
+    fn test_source_display() {
+        assert_eq!(Source::Planka.to_string(), "planka");
+        assert_eq!(Source::Gitea.to_string(), "gitea");
+    }
+
+    // -- Display formatting -------------------------------------------------
+
+    #[test]
+    fn test_display_ticket_list_table() {
+        let tickets = vec![
+            Ticket {
+                id: "p:1".to_string(),
+                source: Source::Planka,
+                title: "Fix login".to_string(),
+                description: String::new(),
+                status: Status::Open,
+                assignees: vec!["alice".to_string()],
+                labels: vec![],
+                created_at: "2025-01-01".to_string(),
+                updated_at: "2025-01-02".to_string(),
+                url: "https://projects.example.com/cards/1".to_string(),
+            },
+            Ticket {
+                id: "g:studio/cli#7".to_string(),
+                source: Source::Gitea,
+                title: "Add tests".to_string(),
+                description: "We need more tests.".to_string(),
+                status: Status::InProgress,
+                assignees: vec!["bob".to_string(), "carol".to_string()],
+                labels: vec!["enhancement".to_string()],
+                created_at: "2025-02-01".to_string(),
+                updated_at: "2025-02-05".to_string(),
+                url: "https://src.example.com/studio/cli/issues/7".to_string(),
+            },
+        ];
+
+        let rows: Vec<Vec<String>> = tickets
+            .iter()
+            .map(|t| {
+                vec![
+                    t.id.clone(),
+                    t.status.to_string(),
+                    t.title.clone(),
+                    t.assignees.join(", "),
+                    t.source.to_string(),
+                ]
+            })
+            .collect();
+
+        let tbl = output::table(&rows, &["ID", "STATUS", "TITLE", "ASSIGNEES", "SOURCE"]);
+        assert!(tbl.contains("p:1"));
+        assert!(tbl.contains("g:studio/cli#7"));
+        assert!(tbl.contains("open"));
+        assert!(tbl.contains("in-progress"));
+        assert!(tbl.contains("Fix login"));
+        assert!(tbl.contains("Add tests"));
+        assert!(tbl.contains("alice"));
+        assert!(tbl.contains("bob, carol"));
+        assert!(tbl.contains("planka"));
+        assert!(tbl.contains("gitea"));
+    }
+
+    #[test]
+    fn test_display_ticket_list_empty() {
+        let rows: Vec<Vec<String>> = vec![];
+        let tbl = output::table(&rows, &["ID", "STATUS", "TITLE", "ASSIGNEES", "SOURCE"]);
+        // Should have header + separator but no data rows.
+        assert!(tbl.contains("ID"));
+        assert_eq!(tbl.lines().count(), 2);
+    }
+
+    #[test]
+    fn test_card_update_serialization() {
+        let update = CardUpdate {
+            name: Some("New name".to_string()),
+            description: None,
+            list_id: Some(serde_json::json!(5)),
+        };
+        let json = serde_json::to_value(&update).unwrap();
+        assert_eq!(json["name"], "New name");
+        assert_eq!(json["listId"], 5);
+        assert!(json.get("description").is_none());
+    }
+
+    #[test]
+    fn test_issue_update_serialization() {
+        let update = IssueUpdate {
+            title: None,
+            body: Some("Updated body".to_string()),
+            state: Some("closed".to_string()),
+        };
+        let json = serde_json::to_value(&update).unwrap();
+        assert!(json.get("title").is_none());
+        assert_eq!(json["body"], "Updated body");
+        assert_eq!(json["state"], "closed");
+    }
+
+    #[test]
+    fn test_planka_list_name_to_status() {
+        // Test via Card::to_ticket with synthetic included data.
+        use planka_json::*;
+
+        let inc = BoardIncluded {
+            cards: vec![],
+            card_memberships: vec![],
+            card_labels: vec![],
+            labels: vec![],
+            lists: vec![
+                List { id: serde_json::json!(1), name: "To Do".to_string() },
+                List { id: serde_json::json!(2), name: "In Progress".to_string() },
+                List { id: serde_json::json!(3), name: "Done".to_string() },
+                List { id: serde_json::json!(4), name: "Archived / Closed".to_string() },
+            ],
+            users: vec![],
+        };
+
+        let make_card = |list_id: u64| Card {
+            id: serde_json::json!(1),
+            name: "test".to_string(),
+            description: None,
+            list_id: Some(serde_json::json!(list_id)),
+            created_at: None,
+            updated_at: None,
+        };
+
+        assert_eq!(
+            make_card(1).to_ticket("https://x/api", Some(&inc)).status,
+            Status::Open
+        );
+        assert_eq!(
+            make_card(2).to_ticket("https://x/api", Some(&inc)).status,
+            Status::InProgress
+        );
+        assert_eq!(
+            make_card(3).to_ticket("https://x/api", Some(&inc)).status,
+            Status::Done
+        );
+        assert_eq!(
+            make_card(4).to_ticket("https://x/api", Some(&inc)).status,
+            Status::Closed
+        );
+    }
+
+    #[test]
+    fn test_gitea_issue_to_ticket() {
+        let issue = gitea_json::Issue {
+            number: 42,
+            title: "Bug report".to_string(),
+            body: Some("Something broke".to_string()),
+            state: "open".to_string(),
+            assignees: Some(vec![gitea_json::GiteaUser {
+                login: "dev1".to_string(),
+            }]),
+            labels: Some(vec![gitea_json::GiteaLabel {
+                name: "bug".to_string(),
+            }]),
+            created_at: Some("2025-03-01T00:00:00Z".to_string()),
+            updated_at: Some("2025-03-02T00:00:00Z".to_string()),
+            html_url: Some("https://src.example.com/studio/app/issues/42".to_string()),
+            repository: None,
+        };
+
+        let ticket = issue.to_ticket("https://src.example.com/api/v1", "studio", "app");
+        assert_eq!(ticket.id, "g:studio/app#42");
+        assert_eq!(ticket.source, Source::Gitea);
+        assert_eq!(ticket.title, "Bug report");
+        assert_eq!(ticket.description, "Something broke");
+        assert_eq!(ticket.status, Status::Open);
+        assert_eq!(ticket.assignees, vec!["dev1"]);
+        assert_eq!(ticket.labels, vec!["bug"]);
+        assert_eq!(
+            ticket.url,
+            "https://src.example.com/studio/app/issues/42"
+        );
+    }
+}
diff --git a/src/secrets.rs b/src/secrets.rs
new file mode 100644
index 0000000..c206184
--- /dev/null
+++ b/src/secrets.rs
@@ -0,0 +1,1727 @@
+//! Secrets management — OpenBao KV seeding, DB engine config, VSO verification.
+//!
+//! Replaces Python's `kubectl exec openbao-0 -- bao ...` pattern with:
+//! 1. kube-rs port-forward to openbao pod on port 8200
+//! 2. `crate::openbao::BaoClient` for all HTTP API calls
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ApiResource, DynamicObject, ListParams};
+use rand::RngCore;
+use rsa::pkcs8::{EncodePrivateKey, EncodePublicKey};
+use rsa::RsaPrivateKey;
+use serde::Deserialize;
+use std::collections::{HashMap, HashSet};
+use tokio::net::TcpListener;
+
+use crate::kube as k;
+use crate::openbao::BaoClient;
+use crate::output::{ok, step, warn};
+
+// ── Constants ───────────────────────────────────────────────────────────────
+
+const ADMIN_USERNAME: &str = "estudio-admin";
+const GITEA_ADMIN_USER: &str = "gitea_admin";
+const PG_USERS: &[&str] = &[
+    "kratos",
+    "hydra",
+    "gitea",
+    "hive",
+    "docs",
+    "meet",
+    "drive",
+    "messages",
+    "conversations",
+    "people",
+    "find",
+    "calendars",
+    "projects",
+];
+
+const SMTP_URI: &str = "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true";
+
+// ── Key generation ──────────────────────────────────────────────────────────
+
+/// Generate a Fernet-compatible key (32 random bytes, URL-safe base64).
+fn gen_fernet_key() -> String {
+    use base64::Engine;
+    let mut buf = [0u8; 32];
+    rand::thread_rng().fill_bytes(&mut buf);
+    base64::engine::general_purpose::URL_SAFE.encode(buf)
+}
+
+/// Generate an RSA 2048-bit DKIM key pair.
+/// Returns (private_pem_pkcs8, public_pem). Returns ("", "") on failure.
+fn gen_dkim_key_pair() -> (String, String) {
+    let mut rng = rand::thread_rng();
+    let bits = 2048;
+    let private_key = match RsaPrivateKey::new(&mut rng, bits) {
+        Ok(k) => k,
+        Err(e) => {
+            warn(&format!("RSA key generation failed: {e}"));
+            return (String::new(), String::new());
+        }
+    };
+
+    let private_pem = match private_key.to_pkcs8_pem(rsa::pkcs8::LineEnding::LF) {
+        Ok(p) => p.to_string(),
+        Err(e) => {
+            warn(&format!("PKCS8 encoding failed: {e}"));
+            return (String::new(), String::new());
+        }
+    };
+
+    let public_key = private_key.to_public_key();
+    let public_pem = match public_key.to_public_key_pem(rsa::pkcs8::LineEnding::LF) {
+        Ok(p) => p.to_string(),
+        Err(e) => {
+            warn(&format!("Public key PEM encoding failed: {e}"));
+            return (private_pem, String::new());
+        }
+    };
+
+    (private_pem, public_pem)
+}
+
+/// Generate a URL-safe random token (32 bytes).
+fn rand_token() -> String {
+    use base64::Engine;
+    let mut buf = [0u8; 32];
+    rand::thread_rng().fill_bytes(&mut buf);
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
+}
+
+/// Generate a URL-safe random token with a specific byte count.
+fn rand_token_n(n: usize) -> String {
+    use base64::Engine;
+    let mut buf = vec![0u8; n];
+    rand::thread_rng().fill_bytes(&mut buf);
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
+}
+
+// ── Port-forward helper ─────────────────────────────────────────────────────
+
+/// Port-forward guard — cancels the background forwarder on drop.
+struct PortForwardGuard {
+    _abort_handle: tokio::task::AbortHandle,
+    pub local_port: u16,
+}
+
+impl Drop for PortForwardGuard {
+    fn drop(&mut self) {
+        self._abort_handle.abort();
+    }
+}
+
+/// Open a kube-rs port-forward to `pod_name` in `namespace` on `remote_port`.
+/// Binds a local TCP listener and proxies connections to the pod.
+async fn port_forward(
+    namespace: &str,
+    pod_name: &str,
+    remote_port: u16,
+) -> Result<PortForwardGuard> {
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), namespace);
+
+    let listener = TcpListener::bind("127.0.0.1:0")
+        .await
+        .ctx("Failed to bind local TCP listener for port-forward")?;
+    let local_port = listener
+        .local_addr()
+        .map_err(|e| SunbeamError::Other(format!("local_addr: {e}")))?
+        .port();
+
+    let pod_name = pod_name.to_string();
+    let ns = namespace.to_string();
+    let task = tokio::spawn(async move {
+        let mut current_pod = pod_name;
+        loop {
+            let (mut client_stream, _) = match listener.accept().await {
+                Ok(s) => s,
+                Err(_) => break,
+            };
+
+            let pf_result = pods.portforward(&current_pod, &[remote_port]).await;
+            let mut pf = match pf_result {
+                Ok(pf) => pf,
+                Err(e) => {
+                    tracing::warn!("Port-forward failed, re-resolving pod: {e}");
+                    // Re-resolve the pod in case it restarted with a new name
+                    if let Ok(new_client) = k::get_client().await {
+                        let new_pods: Api<Pod> = Api::namespaced(new_client.clone(), &ns);
+                        let lp = ListParams::default();
+                        if let Ok(pod_list) = new_pods.list(&lp).await {
+                            if let Some(name) = pod_list
+                                .items
+                                .iter()
+                                .find(|p| {
+                                    p.metadata
+                                        .name
+                                        .as_deref()
+                                        .map(|n| n.starts_with(current_pod.split('-').next().unwrap_or("")))
+                                        .unwrap_or(false)
+                                })
+                                .and_then(|p| p.metadata.name.clone())
+                            {
+                                current_pod = name;
+                            }
+                        }
+                    }
+                    continue; // next accept() iteration will retry
+                }
+            };
+
+            let mut upstream = match pf.take_stream(remote_port) {
+                Some(s) => s,
+                None => continue,
+            };
+
+            tokio::spawn(async move {
+                let _ = tokio::io::copy_bidirectional(&mut client_stream, &mut upstream).await;
+            });
+        }
+    });
+
+    let abort_handle = task.abort_handle();
+    tokio::time::sleep(std::time::Duration::from_millis(100)).await;
+
+    Ok(PortForwardGuard {
+        _abort_handle: abort_handle,
+        local_port,
+    })
+}
+
+/// Port-forward to a service by finding a matching pod via label selector.
+async fn port_forward_svc(
+    namespace: &str,
+    label_selector: &str,
+    remote_port: u16,
+) -> Result<PortForwardGuard> {
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), namespace);
+    let lp = ListParams::default().labels(label_selector);
+    let pod_list = pods.list(&lp).await?;
+    let pod_name = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("No pod found matching label selector")?
+        .to_string();
+
+    port_forward(namespace, &pod_name, remote_port).await
+}
+
+// ── OpenBao KV seeding ──────────────────────────────────────────────────────
+
+/// Internal result from seed_openbao, used by cmd_seed.
+struct SeedResult {
+    creds: HashMap<String, String>,
+    ob_pod: String,
+    root_token: String,
+}
+
+/// Read-or-create pattern: reads existing KV values, only generates missing ones.
+async fn get_or_create(
+    bao: &BaoClient,
+    path: &str,
+    fields: &[(&str, &dyn Fn() -> String)],
+    dirty_paths: &mut HashSet<String>,
+) -> Result<HashMap<String, String>> {
+    let existing = bao.kv_get("secret", path).await?.unwrap_or_default();
+    let mut result = HashMap::new();
+    for (key, default_fn) in fields {
+        let val = existing.get(*key).filter(|v| !v.is_empty()).cloned();
+        if let Some(v) = val {
+            result.insert(key.to_string(), v);
+        } else {
+            result.insert(key.to_string(), default_fn());
+            dirty_paths.insert(path.to_string());
+        }
+    }
+    Ok(result)
+}
+
+/// Initialize/unseal OpenBao, generate/read credentials idempotently, configure VSO auth.
+async fn seed_openbao() -> Result<Option<SeedResult>> {
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+    let lp = ListParams::default().labels("app.kubernetes.io/name=openbao,component=server");
+    let pod_list = pods.list(&lp).await?;
+
+    let ob_pod = match pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+    {
+        Some(name) => name.to_string(),
+        None => {
+            ok("OpenBao pod not found -- skipping.");
+            return Ok(None);
+        }
+    };
+
+    ok(&format!("OpenBao ({ob_pod})..."));
+    let _ = wait_pod_running("data", &ob_pod, 120).await;
+
+    let pf = port_forward("data", &ob_pod, 8200).await?;
+    let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+    let bao = BaoClient::new(&bao_url);
+
+    // ── Init / Unseal ───────────────────────────────────────────────────
+    let mut unseal_key = String::new();
+    let mut root_token = String::new();
+
+    let status = bao.seal_status().await.unwrap_or_else(|_| {
+        crate::openbao::SealStatusResponse {
+            initialized: false,
+            sealed: true,
+            progress: 0,
+            t: 0,
+            n: 0,
+        }
+    });
+
+    let mut already_initialized = status.initialized;
+    if !already_initialized {
+        if let Ok(Some(_)) = k::kube_get_secret("data", "openbao-keys").await {
+            already_initialized = true;
+        }
+    }
+
+    if !already_initialized {
+        ok("Initializing OpenBao...");
+        match bao.init(1, 1).await {
+            Ok(init) => {
+                unseal_key = init.unseal_keys_b64[0].clone();
+                root_token = init.root_token.clone();
+                let mut data = HashMap::new();
+                data.insert("key".to_string(), unseal_key.clone());
+                data.insert("root-token".to_string(), root_token.clone());
+                k::create_secret("data", "openbao-keys", data).await?;
+                ok("Initialized -- keys stored in secret/openbao-keys.");
+            }
+            Err(e) => {
+                warn(&format!(
+                    "Init failed -- resetting OpenBao storage for local dev... ({e})"
+                ));
+                let _ = delete_resource("data", "pvc", "data-openbao-0").await;
+                let _ = delete_resource("data", "pod", &ob_pod).await;
+                warn("OpenBao storage reset. Run --seed again after the pod restarts.");
+                return Ok(None);
+            }
+        }
+    } else {
+        ok("Already initialized.");
+        if let Ok(key) = k::kube_get_secret_field("data", "openbao-keys", "key").await {
+            unseal_key = key;
+        }
+        if let Ok(token) = k::kube_get_secret_field("data", "openbao-keys", "root-token").await {
+            root_token = token;
+        }
+    }
+
+    // Unseal if needed
+    let status = bao.seal_status().await.unwrap_or_else(|_| {
+        crate::openbao::SealStatusResponse {
+            initialized: true,
+            sealed: true,
+            progress: 0,
+            t: 0,
+            n: 0,
+        }
+    });
+    if status.sealed && !unseal_key.is_empty() {
+        ok("Unsealing...");
+        bao.unseal(&unseal_key).await?;
+    }
+
+    if root_token.is_empty() {
+        warn("No root token available -- skipping KV seeding.");
+        return Ok(None);
+    }
+
+    let bao = BaoClient::with_token(&bao_url, &root_token);
+
+    // ── KV seeding ──────────────────────────────────────────────────────
+    ok("Seeding KV (idempotent -- existing values preserved)...");
+    let _ = bao.enable_secrets_engine("secret", "kv").await;
+    let _ = bao
+        .write(
+            "sys/mounts/secret/tune",
+            &serde_json::json!({"options": {"version": "2"}}),
+        )
+        .await;
+
+    let mut dirty_paths: HashSet<String> = HashSet::new();
+
+    let hydra = get_or_create(
+        &bao,
+        "hydra",
+        &[
+            ("system-secret", &rand_token as &dyn Fn() -> String),
+            ("cookie-secret", &rand_token),
+            ("pairwise-salt", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let smtp_uri_fn = || SMTP_URI.to_string();
+    let kratos = get_or_create(
+        &bao,
+        "kratos",
+        &[
+            ("secrets-default", &rand_token as &dyn Fn() -> String),
+            ("secrets-cookie", &rand_token),
+            ("smtp-connection-uri", &smtp_uri_fn),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let seaweedfs = get_or_create(
+        &bao,
+        "seaweedfs",
+        &[
+            ("access-key", &rand_token as &dyn Fn() -> String),
+            ("secret-key", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let gitea_admin_user_fn = || GITEA_ADMIN_USER.to_string();
+    let gitea = get_or_create(
+        &bao,
+        "gitea",
+        &[
+            (
+                "admin-username",
+                &gitea_admin_user_fn as &dyn Fn() -> String,
+            ),
+            ("admin-password", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let hive_local_fn = || "hive-local".to_string();
+    let hive = get_or_create(
+        &bao,
+        "hive",
+        &[
+            ("oidc-client-id", &hive_local_fn as &dyn Fn() -> String),
+            ("oidc-client-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let devkey_fn = || "devkey".to_string();
+    let livekit = get_or_create(
+        &bao,
+        "livekit",
+        &[
+            ("api-key", &devkey_fn as &dyn Fn() -> String),
+            ("api-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let people = get_or_create(
+        &bao,
+        "people",
+        &[("django-secret-key", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let login_ui = get_or_create(
+        &bao,
+        "login-ui",
+        &[
+            ("cookie-secret", &rand_token as &dyn Fn() -> String),
+            ("csrf-cookie-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let sw_access = seaweedfs.get("access-key").cloned().unwrap_or_default();
+    let sw_secret = seaweedfs.get("secret-key").cloned().unwrap_or_default();
+    let empty_fn = || String::new();
+    let sw_access_fn = {
+        let v = sw_access.clone();
+        move || v.clone()
+    };
+    let sw_secret_fn = {
+        let v = sw_secret.clone();
+        move || v.clone()
+    };
+
+    let kratos_admin = get_or_create(
+        &bao,
+        "kratos-admin",
+        &[
+            ("cookie-secret", &rand_token as &dyn Fn() -> String),
+            ("csrf-cookie-secret", &rand_token),
+            ("admin-identity-ids", &empty_fn),
+            ("s3-access-key", &sw_access_fn),
+            ("s3-secret-key", &sw_secret_fn),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let docs = get_or_create(
+        &bao,
+        "docs",
+        &[
+            ("django-secret-key", &rand_token as &dyn Fn() -> String),
+            ("collaboration-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let meet = get_or_create(
+        &bao,
+        "meet",
+        &[
+            ("django-secret-key", &rand_token as &dyn Fn() -> String),
+            ("application-jwt-secret-key", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let drive = get_or_create(
+        &bao,
+        "drive",
+        &[("django-secret-key", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let projects = get_or_create(
+        &bao,
+        "projects",
+        &[("secret-key", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let cal_django_fn = || rand_token_n(50);
+    let calendars = get_or_create(
+        &bao,
+        "calendars",
+        &[
+            ("django-secret-key", &cal_django_fn as &dyn Fn() -> String),
+            ("salt-key", &rand_token),
+            ("caldav-inbound-api-key", &rand_token),
+            ("caldav-outbound-api-key", &rand_token),
+            ("caldav-internal-api-key", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    // DKIM key pair — generated together since keys are coupled.
+    let existing_messages = bao.kv_get("secret", "messages").await?.unwrap_or_default();
+    let (dkim_private, dkim_public) = if existing_messages
+        .get("dkim-private-key")
+        .filter(|v| !v.is_empty())
+        .is_some()
+    {
+        (
+            existing_messages
+                .get("dkim-private-key")
+                .cloned()
+                .unwrap_or_default(),
+            existing_messages
+                .get("dkim-public-key")
+                .cloned()
+                .unwrap_or_default(),
+        )
+    } else {
+        gen_dkim_key_pair()
+    };
+
+    let dkim_priv_fn = {
+        let v = dkim_private.clone();
+        move || v.clone()
+    };
+    let dkim_pub_fn = {
+        let v = dkim_public.clone();
+        move || v.clone()
+    };
+    let socks_proxy_fn = || format!("sunbeam:{}", rand_token());
+    let sunbeam_fn = || "sunbeam".to_string();
+
+    let messages = get_or_create(
+        &bao,
+        "messages",
+        &[
+            ("django-secret-key", &rand_token as &dyn Fn() -> String),
+            ("salt-key", &rand_token),
+            ("mda-api-secret", &rand_token),
+            (
+                "oidc-refresh-token-key",
+                &gen_fernet_key as &dyn Fn() -> String,
+            ),
+            ("dkim-private-key", &dkim_priv_fn),
+            ("dkim-public-key", &dkim_pub_fn),
+            ("rspamd-password", &rand_token),
+            ("socks-proxy-users", &socks_proxy_fn),
+            ("mta-out-smtp-username", &sunbeam_fn),
+            ("mta-out-smtp-password", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let admin_fn = || "admin".to_string();
+    let collabora = get_or_create(
+        &bao,
+        "collabora",
+        &[
+            ("username", &admin_fn as &dyn Fn() -> String),
+            ("password", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let tuwunel = get_or_create(
+        &bao,
+        "tuwunel",
+        &[
+            ("oidc-client-id", &empty_fn as &dyn Fn() -> String),
+            ("oidc-client-secret", &empty_fn),
+            ("turn-secret", &empty_fn),
+            ("registration-token", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let grafana = get_or_create(
+        &bao,
+        "grafana",
+        &[("admin-password", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let scw_access_fn = || scw_config("access-key");
+    let scw_secret_fn = || scw_config("secret-key");
+    let scaleway_s3 = get_or_create(
+        &bao,
+        "scaleway-s3",
+        &[
+            ("access-key-id", &scw_access_fn as &dyn Fn() -> String),
+            ("secret-access-key", &scw_secret_fn),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    // ── Write dirty paths ───────────────────────────────────────────────
+    if dirty_paths.is_empty() {
+        ok("All OpenBao KV secrets already present -- skipping writes.");
+    } else {
+        let mut sorted_paths: Vec<&String> = dirty_paths.iter().collect();
+        sorted_paths.sort();
+        ok(&format!(
+            "Writing new secrets to OpenBao KV ({})...",
+            sorted_paths
+                .iter()
+                .map(|s| s.as_str())
+                .collect::<Vec<_>>()
+                .join(", ")
+        ));
+
+        let all_paths: &[(&str, &HashMap<String, String>)] = &[
+            ("hydra", &hydra),
+            ("kratos", &kratos),
+            ("seaweedfs", &seaweedfs),
+            ("gitea", &gitea),
+            ("hive", &hive),
+            ("livekit", &livekit),
+            ("people", &people),
+            ("login-ui", &login_ui),
+            ("kratos-admin", &kratos_admin),
+            ("docs", &docs),
+            ("meet", &meet),
+            ("drive", &drive),
+            ("projects", &projects),
+            ("calendars", &calendars),
+            ("messages", &messages),
+            ("collabora", &collabora),
+            ("tuwunel", &tuwunel),
+            ("grafana", &grafana),
+            ("scaleway-s3", &scaleway_s3),
+        ];
+
+        for (path, data) in all_paths {
+            if dirty_paths.contains(*path) {
+                bao.kv_patch("secret", path, data).await?;
+            }
+        }
+    }
+
+    // ── Kubernetes auth for VSO ─────────────────────────────────────────
+    ok("Configuring Kubernetes auth for VSO...");
+    let _ = bao.auth_enable("kubernetes", "kubernetes").await;
+
+    bao.write(
+        "auth/kubernetes/config",
+        &serde_json::json!({
+            "kubernetes_host": "https://kubernetes.default.svc.cluster.local"
+        }),
+    )
+    .await?;
+
+    let policy_hcl = concat!(
+        "path \"secret/data/*\" { capabilities = [\"read\"] }\n",
+        "path \"secret/metadata/*\" { capabilities = [\"read\", \"list\"] }\n",
+        "path \"database/static-creds/*\" { capabilities = [\"read\"] }\n",
+    );
+    bao.write_policy("vso-reader", policy_hcl).await?;
+
+    bao.write(
+        "auth/kubernetes/role/vso",
+        &serde_json::json!({
+            "bound_service_account_names": "default",
+            "bound_service_account_namespaces": "ory,devtools,storage,lasuite,matrix,media,data,monitoring",
+            "policies": "vso-reader",
+            "ttl": "1h"
+        }),
+    )
+    .await?;
+
+    // Build credentials map
+    let mut creds = HashMap::new();
+    let field_map: &[(&str, &str, &HashMap<String, String>)] = &[
+        ("hydra-system-secret", "system-secret", &hydra),
+        ("hydra-cookie-secret", "cookie-secret", &hydra),
+        ("hydra-pairwise-salt", "pairwise-salt", &hydra),
+        ("kratos-secrets-default", "secrets-default", &kratos),
+        ("kratos-secrets-cookie", "secrets-cookie", &kratos),
+        ("s3-access-key", "access-key", &seaweedfs),
+        ("s3-secret-key", "secret-key", &seaweedfs),
+        ("gitea-admin-password", "admin-password", &gitea),
+        ("hive-oidc-client-id", "oidc-client-id", &hive),
+        ("hive-oidc-client-secret", "oidc-client-secret", &hive),
+        ("people-django-secret", "django-secret-key", &people),
+        ("livekit-api-key", "api-key", &livekit),
+        ("livekit-api-secret", "api-secret", &livekit),
+        (
+            "kratos-admin-cookie-secret",
+            "cookie-secret",
+            &kratos_admin,
+        ),
+        ("messages-dkim-public-key", "dkim-public-key", &messages),
+    ];
+
+    for (cred_key, field_key, source) in field_map {
+        creds.insert(
+            cred_key.to_string(),
+            source.get(*field_key).cloned().unwrap_or_default(),
+        );
+    }
+
+    Ok(Some(SeedResult {
+        creds,
+        ob_pod,
+        root_token,
+    }))
+}
+
+// ── Database secrets engine ─────────────────────────────────────────────────
+
+/// Enable OpenBao database secrets engine and create PostgreSQL static roles.
+async fn configure_db_engine(bao: &BaoClient) -> Result<()> {
+    ok("Configuring OpenBao database secrets engine...");
+    let pg_rw = "postgres-rw.data.svc.cluster.local:5432";
+
+    let _ = bao.enable_secrets_engine("database", "database").await;
+
+    // ── vault PG user setup ─────────────────────────────────────────────
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+    let lp = ListParams::default().labels("cnpg.io/cluster=postgres,role=primary");
+    let pod_list = pods.list(&lp).await?;
+    let cnpg_pod = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("Could not find CNPG primary pod for vault user setup.")?
+        .to_string();
+
+    let existing_vault_pass = bao.kv_get_field("secret", "vault", "pg-password").await?;
+    let vault_pg_pass = if existing_vault_pass.is_empty() {
+        let new_pass = rand_token();
+        let mut vault_data = HashMap::new();
+        vault_data.insert("pg-password".to_string(), new_pass.clone());
+        bao.kv_put("secret", "vault", &vault_data).await?;
+        ok("vault KV entry written.");
+        new_pass
+    } else {
+        ok("vault KV entry already present -- skipping write.");
+        existing_vault_pass
+    };
+
+    let create_vault_sql = concat!(
+        "DO $$ BEGIN ",
+        "IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'vault') THEN ",
+        "CREATE USER vault WITH LOGIN CREATEROLE; ",
+        "END IF; ",
+        "END $$;"
+    );
+
+    psql_exec(&cnpg_pod, create_vault_sql).await?;
+    psql_exec(
+        &cnpg_pod,
+        &format!("ALTER USER vault WITH PASSWORD '{vault_pg_pass}';"),
+    )
+    .await?;
+
+    for user in PG_USERS {
+        psql_exec(
+            &cnpg_pod,
+            &format!("GRANT {user} TO vault WITH ADMIN OPTION;"),
+        )
+        .await?;
+    }
+    ok("vault PG user configured with ADMIN OPTION on all service roles.");
+
+    let conn_url = format!(
+        "postgresql://{{{{username}}}}:{{{{password}}}}@{pg_rw}/postgres?sslmode=disable"
+    );
+
+    bao.write_db_config(
+        "cnpg-postgres",
+        "postgresql-database-plugin",
+        &conn_url,
+        "vault",
+        &vault_pg_pass,
+        "*",
+    )
+    .await?;
+    ok("DB engine connection configured (vault user).");
+
+    let rotation_stmt = r#"ALTER USER "{{name}}" WITH PASSWORD '{{password}}';"#;
+
+    for user in PG_USERS {
+        bao.write_db_static_role(user, "cnpg-postgres", user, 86400, &[rotation_stmt])
+            .await?;
+        ok(&format!("  static-role/{user}"));
+    }
+
+    ok("Database secrets engine configured.");
+    Ok(())
+}
+
+/// Execute a psql command on the CNPG primary pod.
+async fn psql_exec(cnpg_pod: &str, sql: &str) -> Result<(i32, String)> {
+    k::kube_exec(
+        "data",
+        cnpg_pod,
+        &["psql", "-U", "postgres", "-c", sql],
+        Some("postgres"),
+    )
+    .await
+}
+
+// ── Kratos admin identity seeding ───────────────────────────────────────────
+
+#[derive(Debug, Deserialize)]
+struct KratosIdentity {
+    id: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct KratosRecovery {
+    #[serde(default)]
+    recovery_link: String,
+    #[serde(default)]
+    recovery_code: String,
+}
+
+/// Ensure estudio-admin@<domain> exists in Kratos and is the only admin identity.
+async fn seed_kratos_admin_identity(bao: &BaoClient) -> (String, String) {
+    let domain = match k::get_domain().await {
+        Ok(d) => d,
+        Err(e) => {
+            warn(&format!("Could not determine domain: {e}"));
+            return (String::new(), String::new());
+        }
+    };
+    let admin_email = format!("{ADMIN_USERNAME}@{domain}");
+    ok(&format!(
+        "Ensuring Kratos admin identity ({admin_email})..."
+    ));
+
+    let result: std::result::Result<(String, String), SunbeamError> = async {
+        let pf = match port_forward_svc("ory", "app.kubernetes.io/name=kratos-admin", 80).await {
+            Ok(pf) => pf,
+            Err(_) => port_forward_svc("ory", "app.kubernetes.io/name=kratos", 4434)
+                .await
+                .ctx("Could not port-forward to Kratos admin API")?,
+        };
+        let base = format!("http://127.0.0.1:{}", pf.local_port);
+        tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+
+        let http = reqwest::Client::new();
+
+        let resp = http
+            .get(format!(
+                "{base}/admin/identities?credentials_identifier={admin_email}&page_size=1"
+            ))
+            .header("Accept", "application/json")
+            .send()
+            .await?;
+
+        let identities: Vec<KratosIdentity> = resp.json().await.unwrap_or_default();
+        let identity_id = if let Some(existing) = identities.first() {
+            ok(&format!(
+                "  admin identity exists ({}...)",
+                &existing.id[..8.min(existing.id.len())]
+            ));
+            existing.id.clone()
+        } else {
+            let resp = http
+                .post(format!("{base}/admin/identities"))
+                .header("Content-Type", "application/json")
+                .header("Accept", "application/json")
+                .json(&serde_json::json!({
+                    "schema_id": "employee",
+                    "traits": {"email": admin_email},
+                    "state": "active",
+                }))
+                .send()
+                .await?;
+
+            let identity: KratosIdentity =
+                resp.json().await.map_err(|e| SunbeamError::Other(e.to_string()))?;
+            ok(&format!(
+                "  created admin identity ({}...)",
+                &identity.id[..8.min(identity.id.len())]
+            ));
+            identity.id
+        };
+
+        let resp = http
+            .post(format!("{base}/admin/recovery/code"))
+            .header("Content-Type", "application/json")
+            .header("Accept", "application/json")
+            .json(&serde_json::json!({
+                "identity_id": identity_id,
+                "expires_in": "24h",
+            }))
+            .send()
+            .await?;
+
+        let recovery: KratosRecovery = resp.json().await.unwrap_or(KratosRecovery {
+            recovery_link: String::new(),
+            recovery_code: String::new(),
+        });
+
+        let mut patch_data = HashMap::new();
+        patch_data.insert("admin-identity-ids".to_string(), admin_email.clone());
+        let _ = bao.kv_patch("secret", "kratos-admin", &patch_data).await;
+        ok(&format!("  ADMIN_IDENTITY_IDS set to {admin_email}"));
+
+        Ok((recovery.recovery_link, recovery.recovery_code))
+    }
+    .await;
+
+    match result {
+        Ok(r) => r,
+        Err(e) => {
+            warn(&format!(
+                "Could not seed Kratos admin identity (Kratos may not be ready): {e}"
+            ));
+            (String::new(), String::new())
+        }
+    }
+}
+
+// ── cmd_seed — main entry point ─────────────────────────────────────────────
+
+/// Seed OpenBao KV with crypto-random credentials, then mirror to K8s Secrets.
+/// File-based advisory lock for `cmd_seed` to prevent concurrent runs.
+struct SeedLock {
+    path: std::path::PathBuf,
+}
+
+impl SeedLock {
+    fn acquire() -> Result<Self> {
+        let lock_path = dirs::data_dir()
+            .unwrap_or_else(|| dirs::home_dir().unwrap().join(".local/share"))
+            .join("sunbeam")
+            .join("seed.lock");
+        std::fs::create_dir_all(lock_path.parent().unwrap())?;
+
+        match std::fs::OpenOptions::new()
+            .write(true)
+            .create_new(true)
+            .open(&lock_path)
+        {
+            Ok(mut f) => {
+                use std::io::Write;
+                write!(f, "{}", std::process::id())?;
+                Ok(SeedLock { path: lock_path })
+            }
+            Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {
+                // Check if the PID in the file is still alive
+                if let Ok(pid_str) = std::fs::read_to_string(&lock_path) {
+                    if let Ok(pid) = pid_str.trim().parse::<i32>() {
+                        // kill(pid, 0) checks if process exists without sending a signal
+                        let alive = is_pid_alive(pid);
+                        if alive {
+                            return Err(SunbeamError::secrets(
+                                "Another sunbeam seed is already running. Wait for it to finish.",
+                            ));
+                        }
+                    }
+                }
+                // Stale lock, remove and retry
+                std::fs::remove_file(&lock_path)?;
+                let mut f = std::fs::OpenOptions::new()
+                    .write(true)
+                    .create_new(true)
+                    .open(&lock_path)?;
+                use std::io::Write;
+                write!(f, "{}", std::process::id())?;
+                Ok(SeedLock { path: lock_path })
+            }
+            Err(e) => Err(e.into()),
+        }
+    }
+}
+
+impl Drop for SeedLock {
+    fn drop(&mut self) {
+        let _ = std::fs::remove_file(&self.path);
+    }
+}
+
+/// Check if a process with the given PID is still alive.
+fn is_pid_alive(pid: i32) -> bool {
+    std::process::Command::new("kill")
+        .args(["-0", &pid.to_string()])
+        .stdout(std::process::Stdio::null())
+        .stderr(std::process::Stdio::null())
+        .status()
+        .map(|s| s.success())
+        .unwrap_or(false)
+}
+
+pub async fn cmd_seed() -> Result<()> {
+    let _lock = SeedLock::acquire()?;
+    step("Seeding secrets...");
+
+    let seed_result = seed_openbao().await?;
+    let (creds, ob_pod, root_token) = match seed_result {
+        Some(r) => (r.creds, r.ob_pod, r.root_token),
+        None => (HashMap::new(), String::new(), String::new()),
+    };
+
+    let s3_access_key = creds.get("s3-access-key").cloned().unwrap_or_default();
+    let s3_secret_key = creds.get("s3-secret-key").cloned().unwrap_or_default();
+    let hydra_system = creds
+        .get("hydra-system-secret")
+        .cloned()
+        .unwrap_or_default();
+    let hydra_cookie = creds
+        .get("hydra-cookie-secret")
+        .cloned()
+        .unwrap_or_default();
+    let hydra_pairwise = creds
+        .get("hydra-pairwise-salt")
+        .cloned()
+        .unwrap_or_default();
+    let kratos_secrets_default = creds
+        .get("kratos-secrets-default")
+        .cloned()
+        .unwrap_or_default();
+    let kratos_secrets_cookie = creds
+        .get("kratos-secrets-cookie")
+        .cloned()
+        .unwrap_or_default();
+    let hive_oidc_id = creds
+        .get("hive-oidc-client-id")
+        .cloned()
+        .unwrap_or_else(|| "hive-local".into());
+    let hive_oidc_sec = creds
+        .get("hive-oidc-client-secret")
+        .cloned()
+        .unwrap_or_default();
+    let django_secret = creds
+        .get("people-django-secret")
+        .cloned()
+        .unwrap_or_default();
+    let gitea_admin_pass = creds
+        .get("gitea-admin-password")
+        .cloned()
+        .unwrap_or_default();
+
+    // ── Wait for Postgres ───────────────────────────────────────────────
+    ok("Waiting for postgres cluster...");
+    let mut pg_pod = String::new();
+
+    let client = k::get_client().await?;
+    let ar = ApiResource {
+        group: "postgresql.cnpg.io".into(),
+        version: "v1".into(),
+        api_version: "postgresql.cnpg.io/v1".into(),
+        kind: "Cluster".into(),
+        plural: "clusters".into(),
+    };
+    let cnpg_api: Api<DynamicObject> = Api::namespaced_with(client.clone(), "data", &ar);
+    for _ in 0..60 {
+        if let Ok(cluster) = cnpg_api.get("postgres").await {
+            let phase = cluster
+                .data
+                .get("status")
+                .and_then(|s| s.get("phase"))
+                .and_then(|p| p.as_str())
+                .unwrap_or("");
+            if phase == "Cluster in healthy state" {
+                // Cluster is healthy — find the primary pod name
+                let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+                let lp = ListParams::default().labels("cnpg.io/cluster=postgres,role=primary");
+                if let Ok(pod_list) = pods.list(&lp).await {
+                    if let Some(name) = pod_list
+                        .items
+                        .first()
+                        .and_then(|p| p.metadata.name.as_deref())
+                    {
+                        pg_pod = name.to_string();
+                        ok(&format!("Postgres ready ({pg_pod})."));
+                        break;
+                    }
+                }
+            }
+        }
+        tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+    }
+
+    if pg_pod.is_empty() {
+        warn("Postgres not ready after 5 min -- continuing anyway.");
+    }
+
+    if !pg_pod.is_empty() {
+        ok("Ensuring postgres roles and databases exist...");
+        let db_map: HashMap<&str, &str> = [
+            ("kratos", "kratos_db"),
+            ("hydra", "hydra_db"),
+            ("gitea", "gitea_db"),
+            ("hive", "hive_db"),
+            ("docs", "docs_db"),
+            ("meet", "meet_db"),
+            ("drive", "drive_db"),
+            ("messages", "messages_db"),
+            ("conversations", "conversations_db"),
+            ("people", "people_db"),
+            ("find", "find_db"),
+            ("calendars", "calendars_db"),
+            ("projects", "projects_db"),
+        ]
+        .into_iter()
+        .collect();
+
+        for user in PG_USERS {
+            let ensure_sql = format!(
+                "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='{user}') \
+                 THEN EXECUTE 'CREATE USER {user}'; END IF; END $$;"
+            );
+            let _ = k::kube_exec(
+                "data",
+                &pg_pod,
+                &["psql", "-U", "postgres", "-c", &ensure_sql],
+                Some("postgres"),
+            )
+            .await;
+
+            let db = db_map.get(user).copied().unwrap_or("unknown_db");
+            let create_db_sql = format!("CREATE DATABASE {db} OWNER {user};");
+            let _ = k::kube_exec(
+                "data",
+                &pg_pod,
+                &["psql", "-U", "postgres", "-c", &create_db_sql],
+                Some("postgres"),
+            )
+            .await;
+        }
+
+        // Configure database secrets engine via port-forward
+        if !ob_pod.is_empty() && !root_token.is_empty() {
+            match port_forward("data", &ob_pod, 8200).await {
+                Ok(pf) => {
+                    let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+                    let bao = BaoClient::with_token(&bao_url, &root_token);
+                    if let Err(e) = configure_db_engine(&bao).await {
+                        warn(&format!("DB engine config failed: {e}"));
+                    }
+                }
+                Err(e) => warn(&format!("Port-forward to OpenBao failed: {e}")),
+            }
+        } else {
+            warn("Skipping DB engine config -- missing ob_pod or root_token.");
+        }
+    }
+
+    // ── Create K8s secrets ──────────────────────────────────────────────
+    ok("Creating K8s secrets (VSO will overwrite on next sync)...");
+
+    k::ensure_ns("ory").await?;
+    k::create_secret(
+        "ory",
+        "hydra",
+        HashMap::from([
+            ("secretsSystem".into(), hydra_system),
+            ("secretsCookie".into(), hydra_cookie),
+            ("pairwise-salt".into(), hydra_pairwise),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "ory",
+        "kratos-app-secrets",
+        HashMap::from([
+            ("secretsDefault".into(), kratos_secrets_default),
+            ("secretsCookie".into(), kratos_secrets_cookie),
+        ]),
+    )
+    .await?;
+
+    k::ensure_ns("devtools").await?;
+    k::create_secret(
+        "devtools",
+        "gitea-s3-credentials",
+        HashMap::from([
+            ("access-key".into(), s3_access_key.clone()),
+            ("secret-key".into(), s3_secret_key.clone()),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "devtools",
+        "gitea-admin-credentials",
+        HashMap::from([
+            ("username".into(), GITEA_ADMIN_USER.into()),
+            ("password".into(), gitea_admin_pass.clone()),
+        ]),
+    )
+    .await?;
+
+    // Sync Gitea admin password to Gitea's own DB
+    if !gitea_admin_pass.is_empty() {
+        let gitea_pods: Api<Pod> = Api::namespaced(client.clone(), "devtools");
+        let lp = ListParams::default().labels("app.kubernetes.io/name=gitea");
+        if let Ok(pod_list) = gitea_pods.list(&lp).await {
+            if let Some(gitea_pod) = pod_list
+                .items
+                .first()
+                .and_then(|p| p.metadata.name.as_deref())
+            {
+                match k::kube_exec(
+                    "devtools",
+                    gitea_pod,
+                    &[
+                        "gitea",
+                        "admin",
+                        "user",
+                        "change-password",
+                        "--username",
+                        GITEA_ADMIN_USER,
+                        "--password",
+                        &gitea_admin_pass,
+                        "--must-change-password=false",
+                    ],
+                    Some("gitea"),
+                )
+                .await
+                {
+                    Ok((0, _)) => ok("Gitea admin password synced to Gitea DB."),
+                    Ok((_, stderr)) => {
+                        warn(&format!("Could not sync Gitea admin password: {stderr}"))
+                    }
+                    Err(e) => warn(&format!("Could not sync Gitea admin password: {e}")),
+                }
+            } else {
+                warn("Gitea pod not found -- admin password NOT synced to Gitea DB. Run seed again after Gitea is deployed.");
+            }
+        }
+    }
+
+    k::ensure_ns("storage").await?;
+    let s3_json = format!(
+        r#"{{"identities":[{{"name":"seaweed","credentials":[{{"accessKey":"{}","secretKey":"{}"}}],"actions":["Admin","Read","Write","List","Tagging"]}}]}}"#,
+        s3_access_key, s3_secret_key
+    );
+    k::create_secret(
+        "storage",
+        "seaweedfs-s3-credentials",
+        HashMap::from([
+            ("S3_ACCESS_KEY".into(), s3_access_key.clone()),
+            ("S3_SECRET_KEY".into(), s3_secret_key.clone()),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "storage",
+        "seaweedfs-s3-json",
+        HashMap::from([("s3.json".into(), s3_json)]),
+    )
+    .await?;
+
+    k::ensure_ns("lasuite").await?;
+    k::create_secret(
+        "lasuite",
+        "seaweedfs-s3-credentials",
+        HashMap::from([
+            ("S3_ACCESS_KEY".into(), s3_access_key),
+            ("S3_SECRET_KEY".into(), s3_secret_key),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "lasuite",
+        "hive-oidc",
+        HashMap::from([
+            ("client-id".into(), hive_oidc_id),
+            ("client-secret".into(), hive_oidc_sec),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "lasuite",
+        "people-django-secret",
+        HashMap::from([("DJANGO_SECRET_KEY".into(), django_secret)]),
+    )
+    .await?;
+
+    k::ensure_ns("matrix").await?;
+    k::ensure_ns("media").await?;
+    k::ensure_ns("monitoring").await?;
+
+    // ── Kratos admin identity ───────────────────────────────────────────
+    if !ob_pod.is_empty() && !root_token.is_empty() {
+        if let Ok(pf) = port_forward("data", &ob_pod, 8200).await {
+            let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+            let bao = BaoClient::with_token(&bao_url, &root_token);
+            let (recovery_link, recovery_code) = seed_kratos_admin_identity(&bao).await;
+            if !recovery_link.is_empty() {
+                ok("Admin recovery link (valid 24h):");
+                println!("  {recovery_link}");
+            }
+            if !recovery_code.is_empty() {
+                ok("Admin recovery code (enter on the page above):");
+                println!("  {recovery_code}");
+            }
+        }
+    }
+
+    let dkim_pub = creds
+        .get("messages-dkim-public-key")
+        .cloned()
+        .unwrap_or_default();
+    if !dkim_pub.is_empty() {
+        let b64_key: String = dkim_pub
+            .replace("-----BEGIN PUBLIC KEY-----", "")
+            .replace("-----END PUBLIC KEY-----", "")
+            .replace("-----BEGIN RSA PUBLIC KEY-----", "")
+            .replace("-----END RSA PUBLIC KEY-----", "")
+            .split_whitespace()
+            .collect();
+
+        if let Ok(domain) = k::get_domain().await {
+            ok("DKIM DNS record (add to DNS at your registrar):");
+            println!(
+                "  default._domainkey.{domain}  TXT  \"v=DKIM1; k=rsa; p={b64_key}\""
+            );
+        }
+    }
+
+    ok("All secrets seeded.");
+    Ok(())
+}
+
+// ── cmd_verify — VSO E2E verification ───────────────────────────────────────
+
+/// End-to-end test of VSO -> OpenBao integration.
+pub async fn cmd_verify() -> Result<()> {
+    step("Verifying VSO -> OpenBao integration (E2E)...");
+
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+    let lp = ListParams::default().labels("app.kubernetes.io/name=openbao,component=server");
+    let pod_list = pods.list(&lp).await?;
+
+    let ob_pod = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("OpenBao pod not found -- run full bring-up first.")?
+        .to_string();
+
+    let root_token = k::kube_get_secret_field("data", "openbao-keys", "root-token")
+        .await
+        .ctx("Could not read openbao-keys secret.")?;
+
+    let pf = port_forward("data", &ob_pod, 8200).await?;
+    let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+    let bao = BaoClient::with_token(&bao_url, &root_token);
+
+    let test_value = rand_token_n(16);
+    let test_ns = "ory";
+    let test_name = "vso-verify";
+
+    let result: std::result::Result<(), SunbeamError> = async {
+        ok("Writing test sentinel to OpenBao secret/vso-test ...");
+        let mut data = HashMap::new();
+        data.insert("test-key".to_string(), test_value.clone());
+        bao.kv_put("secret", "vso-test", &data).await?;
+
+        ok(&format!("Creating VaultAuth {test_ns}/{test_name} ..."));
+        k::kube_apply(&format!(
+            r#"
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: {test_name}
+  namespace: {test_ns}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: vso
+    serviceAccount: default
+"#
+        ))
+        .await?;
+
+        ok(&format!(
+            "Creating VaultStaticSecret {test_ns}/{test_name} ..."
+        ));
+        k::kube_apply(&format!(
+            r#"
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {test_name}
+  namespace: {test_ns}
+spec:
+  vaultAuthRef: {test_name}
+  mount: secret
+  type: kv-v2
+  path: vso-test
+  refreshAfter: 10s
+  destination:
+    name: {test_name}
+    create: true
+    overwrite: true
+"#
+        ))
+        .await?;
+
+        ok("Waiting for VSO to sync (up to 60s) ...");
+        let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(60);
+        let mut synced = false;
+
+        while tokio::time::Instant::now() < deadline {
+            let (code, mac) = kubectl_jsonpath(
+                test_ns,
+                "vaultstaticsecret",
+                test_name,
+                "{.status.secretMAC}",
+            )
+            .await;
+            if code == 0 && !mac.is_empty() && mac != "<none>" {
+                synced = true;
+                break;
+            }
+            tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+        }
+
+        if !synced {
+            let (_, msg) = kubectl_jsonpath(
+                test_ns,
+                "vaultstaticsecret",
+                test_name,
+                "{.status.conditions[0].message}",
+            )
+            .await;
+            return Err(SunbeamError::secrets(format!(
+                "VSO did not sync within 60s. Last status: {}",
+                if msg.is_empty() {
+                    "unknown".to_string()
+                } else {
+                    msg
+                }
+            )));
+        }
+
+        ok("Verifying K8s Secret contents ...");
+        let secret = k::kube_get_secret(test_ns, test_name)
+            .await?
+            .with_ctx(|| format!("K8s Secret {test_ns}/{test_name} not found."))?;
+
+        let data = secret.data.as_ref().ctx("Secret has no data")?;
+        let raw = data
+            .get("test-key")
+            .ctx("Missing key 'test-key' in secret")?;
+        let actual = String::from_utf8(raw.0.clone())
+            .map_err(|e| SunbeamError::Other(format!("UTF-8 error: {e}")))?;
+
+        if actual != test_value {
+            return Err(SunbeamError::secrets(format!(
+                "Value mismatch!\n  expected: {:?}\n  got:      {:?}",
+                test_value,
+                actual
+            )));
+        }
+
+        ok("Sentinel value matches -- VSO -> OpenBao integration is working.");
+        Ok(())
+    }
+    .await;
+
+    // Always clean up
+    ok("Cleaning up test resources...");
+    let _ = delete_crd(test_ns, "vaultstaticsecret", test_name).await;
+    let _ = delete_crd(test_ns, "vaultauth", test_name).await;
+    let _ = delete_k8s_secret(test_ns, test_name).await;
+    let _ = bao.kv_delete("secret", "vso-test").await;
+
+    match result {
+        Ok(()) => {
+            ok("VSO E2E verification passed.");
+            Ok(())
+        }
+        Err(e) => Err(SunbeamError::secrets(format!(
+            "VSO verification FAILED: {e}"
+        ))),
+    }
+}
+
+// ── Utility helpers ─────────────────────────────────────────────────────────
+
+async fn wait_pod_running(ns: &str, pod_name: &str, timeout_secs: u64) -> bool {
+    let client = match k::get_client().await {
+        Ok(c) => c,
+        Err(_) => return false,
+    };
+    let pods: Api<Pod> = Api::namespaced(client.clone(), ns);
+
+    let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(timeout_secs);
+    while tokio::time::Instant::now() < deadline {
+        if let Ok(Some(pod)) = pods.get_opt(pod_name).await {
+            if pod
+                .status
+                .as_ref()
+                .and_then(|s| s.phase.as_deref())
+                .unwrap_or("")
+                == "Running"
+            {
+                return true;
+            }
+        }
+        tokio::time::sleep(std::time::Duration::from_secs(2)).await;
+    }
+    false
+}
+
+fn scw_config(key: &str) -> String {
+    std::process::Command::new("scw")
+        .args(["config", "get", key])
+        .output()
+        .ok()
+        .filter(|o| o.status.success())
+        .map(|o| String::from_utf8_lossy(&o.stdout).trim().to_string())
+        .unwrap_or_default()
+}
+
+async fn delete_crd(ns: &str, kind: &str, name: &str) -> Result<()> {
+    let ctx = format!("--context={}", k::context());
+    let _ = tokio::process::Command::new("kubectl")
+        .args([&ctx, "-n", ns, "delete", kind, name, "--ignore-not-found"])
+        .output()
+        .await;
+    Ok(())
+}
+
+async fn delete_k8s_secret(ns: &str, name: &str) -> Result<()> {
+    let client = k::get_client().await?;
+    let api: Api<k8s_openapi::api::core::v1::Secret> = Api::namespaced(client.clone(), ns);
+    let _ = api
+        .delete(name, &kube::api::DeleteParams::default())
+        .await;
+    Ok(())
+}
+
+async fn delete_resource(ns: &str, kind: &str, name: &str) -> Result<()> {
+    let ctx = format!("--context={}", k::context());
+    let _ = tokio::process::Command::new("kubectl")
+        .args([&ctx, "-n", ns, "delete", kind, name, "--ignore-not-found"])
+        .output()
+        .await;
+    Ok(())
+}
+
+async fn kubectl_jsonpath(ns: &str, kind: &str, name: &str, jsonpath: &str) -> (i32, String) {
+    let ctx = format!("--context={}", k::context());
+    let jp = format!("-o=jsonpath={jsonpath}");
+    match tokio::process::Command::new("kubectl")
+        .args([&ctx, "-n", ns, "get", kind, name, &jp, "--ignore-not-found"])
+        .output()
+        .await
+    {
+        Ok(output) => {
+            let code = output.status.code().unwrap_or(1);
+            let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+            (code, stdout)
+        }
+        Err(_) => (1, String::new()),
+    }
+}
+
+// ── Tests ───────────────────────────────────────────────────────────────────
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_gen_fernet_key_length() {
+        use base64::Engine;
+        let key = gen_fernet_key();
+        assert_eq!(key.len(), 44);
+        let decoded = base64::engine::general_purpose::URL_SAFE
+            .decode(&key)
+            .expect("should be valid URL-safe base64");
+        assert_eq!(decoded.len(), 32);
+    }
+
+    #[test]
+    fn test_gen_fernet_key_unique() {
+        let k1 = gen_fernet_key();
+        let k2 = gen_fernet_key();
+        assert_ne!(k1, k2, "Two generated Fernet keys should differ");
+    }
+
+    #[test]
+    fn test_gen_dkim_key_pair_produces_pem() {
+        let (private_pem, public_pem) = gen_dkim_key_pair();
+        assert!(
+            private_pem.contains("BEGIN PRIVATE KEY"),
+            "Private key should be PKCS8 PEM"
+        );
+        assert!(
+            public_pem.contains("BEGIN PUBLIC KEY"),
+            "Public key should be SPKI PEM (not PKCS#1)"
+        );
+        assert!(
+            !public_pem.contains("BEGIN RSA PUBLIC KEY"),
+            "Public key should NOT be PKCS#1 format"
+        );
+        assert!(!private_pem.is_empty());
+        assert!(!public_pem.is_empty());
+    }
+
+    #[test]
+    fn test_rand_token_nonempty_and_unique() {
+        let t1 = rand_token();
+        let t2 = rand_token();
+        assert!(!t1.is_empty());
+        assert_ne!(t1, t2);
+    }
+
+    #[test]
+    fn test_rand_token_n_length() {
+        use base64::Engine;
+        let t = rand_token_n(50);
+        let decoded = base64::engine::general_purpose::URL_SAFE_NO_PAD
+            .decode(&t)
+            .expect("should be valid URL-safe base64");
+        assert_eq!(decoded.len(), 50);
+    }
+
+    #[test]
+    fn test_constants() {
+        assert_eq!(ADMIN_USERNAME, "estudio-admin");
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+        assert_eq!(PG_USERS.len(), 13);
+        assert!(PG_USERS.contains(&"kratos"));
+        assert!(PG_USERS.contains(&"projects"));
+    }
+
+    #[test]
+    fn test_scw_config_returns_empty_on_missing_binary() {
+        let result = scw_config("nonexistent-key");
+        let _ = result;
+    }
+
+    #[test]
+    fn test_seed_result_structure() {
+        let mut creds = HashMap::new();
+        creds.insert(
+            "hydra-system-secret".to_string(),
+            "existingvalue".to_string(),
+        );
+        let result = SeedResult {
+            creds,
+            ob_pod: "openbao-0".to_string(),
+            root_token: "token123".to_string(),
+        };
+        assert!(result.creds.contains_key("hydra-system-secret"));
+        assert_eq!(result.creds["hydra-system-secret"], "existingvalue");
+        assert_eq!(result.ob_pod, "openbao-0");
+    }
+
+    #[test]
+    fn test_dkim_public_key_extraction() {
+        let pem = "-----BEGIN PUBLIC KEY-----\nMIIBCgKCAQ...\nbase64data\n-----END PUBLIC KEY-----";
+        let b64_key: String = pem
+            .replace("-----BEGIN PUBLIC KEY-----", "")
+            .replace("-----END PUBLIC KEY-----", "")
+            .replace("-----BEGIN RSA PUBLIC KEY-----", "")
+            .replace("-----END RSA PUBLIC KEY-----", "")
+            .split_whitespace()
+            .collect();
+        assert_eq!(b64_key, "MIIBCgKCAQ...base64data");
+    }
+
+    #[test]
+    fn test_smtp_uri() {
+        assert_eq!(
+            SMTP_URI,
+            "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true"
+        );
+    }
+
+    #[test]
+    fn test_pg_users_match_python() {
+        let expected = vec![
+            "kratos",
+            "hydra",
+            "gitea",
+            "hive",
+            "docs",
+            "meet",
+            "drive",
+            "messages",
+            "conversations",
+            "people",
+            "find",
+            "calendars",
+            "projects",
+        ];
+        assert_eq!(PG_USERS, &expected[..]);
+    }
+}
diff --git a/src/services.rs b/src/services.rs
new file mode 100644
index 0000000..1f69109
--- /dev/null
+++ b/src/services.rs
@@ -0,0 +1,573 @@
+//! Service management — status, logs, restart.
+
+use crate::error::{Result, SunbeamError};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, DynamicObject, ListParams, LogParams};
+use kube::ResourceExt;
+use std::collections::BTreeMap;
+use crate::constants::MANAGED_NS;
+use crate::kube::{get_client, kube_rollout_restart, parse_target};
+use crate::output::{ok, step, warn};
+
+/// Services that can be rollout-restarted, as (namespace, deployment) pairs.
+pub const SERVICES_TO_RESTART: &[(&str, &str)] = &[
+    ("ory", "hydra"),
+    ("ory", "kratos"),
+    ("ory", "login-ui"),
+    ("devtools", "gitea"),
+    ("storage", "seaweedfs-filer"),
+    ("lasuite", "hive"),
+    ("lasuite", "people-backend"),
+    ("lasuite", "people-frontend"),
+    ("lasuite", "people-celery-worker"),
+    ("lasuite", "people-celery-beat"),
+    ("lasuite", "projects"),
+    ("matrix", "tuwunel"),
+    ("media", "livekit-server"),
+];
+
+// ---------------------------------------------------------------------------
+// Status helpers
+// ---------------------------------------------------------------------------
+
+/// Parsed pod row for display.
+struct PodRow {
+    ns: String,
+    name: String,
+    ready: String,
+    status: String,
+}
+
+fn icon_for_status(status: &str) -> &'static str {
+    match status {
+        "Running" | "Completed" | "Succeeded" => "\u{2713}",
+        "Pending" => "\u{25cb}",
+        "Failed" => "\u{2717}",
+        _ => "?",
+    }
+}
+
+fn is_unhealthy(pod: &Pod) -> bool {
+    let status = pod.status.as_ref();
+    let phase = status
+        .and_then(|s| s.phase.as_deref())
+        .unwrap_or("Unknown");
+
+    match phase {
+        "Running" => {
+            // Check all containers are ready.
+            let container_statuses = status
+                .and_then(|s| s.container_statuses.as_ref());
+            if let Some(cs) = container_statuses {
+                let total = cs.len();
+                let ready = cs.iter().filter(|c| c.ready).count();
+                ready != total
+            } else {
+                true
+            }
+        }
+        "Succeeded" | "Completed" => false,
+        _ => true,
+    }
+}
+
+fn pod_phase(pod: &Pod) -> String {
+    pod.status
+        .as_ref()
+        .and_then(|s| s.phase.clone())
+        .unwrap_or_else(|| "Unknown".to_string())
+}
+
+fn pod_ready_str(pod: &Pod) -> String {
+    let cs = pod
+        .status
+        .as_ref()
+        .and_then(|s| s.container_statuses.as_ref());
+    match cs {
+        Some(cs) => {
+            let total = cs.len();
+            let ready = cs.iter().filter(|c| c.ready).count();
+            format!("{ready}/{total}")
+        }
+        None => "0/0".to_string(),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// VSO sync status
+// ---------------------------------------------------------------------------
+
+async fn vso_sync_status() -> Result<()> {
+    step("VSO secret sync status...");
+
+    let client = get_client().await?;
+    let mut all_ok = true;
+
+    // --- VaultStaticSecrets ---
+    {
+        let ar = kube::api::ApiResource {
+            group: "secrets.hashicorp.com".into(),
+            version: "v1beta1".into(),
+            api_version: "secrets.hashicorp.com/v1beta1".into(),
+            kind: "VaultStaticSecret".into(),
+            plural: "vaultstaticsecrets".into(),
+        };
+
+        let api: Api<DynamicObject> = Api::all_with(client.clone(), &ar);
+        let list = api.list(&ListParams::default()).await;
+
+        if let Ok(list) = list {
+            // Group by namespace and sort
+            let mut grouped: BTreeMap<String, Vec<(String, bool)>> = BTreeMap::new();
+            for obj in &list.items {
+                let ns = obj.namespace().unwrap_or_default();
+                let name = obj.name_any();
+                let mac = obj
+                    .data
+                    .get("status")
+                    .and_then(|s| s.get("secretMAC"))
+                    .and_then(|v| v.as_str())
+                    .unwrap_or("");
+                let synced = !mac.is_empty() && mac != "<none>";
+                if !synced {
+                    all_ok = false;
+                }
+                grouped.entry(ns).or_default().push((name, synced));
+            }
+            for (ns, mut items) in grouped {
+                println!("  {ns} (VSS):");
+                items.sort();
+                for (name, synced) in items {
+                    let icon = if synced { "\u{2713}" } else { "\u{2717}" };
+                    println!("    {icon} {name}");
+                }
+            }
+        }
+    }
+
+    // --- VaultDynamicSecrets ---
+    {
+        let ar = kube::api::ApiResource {
+            group: "secrets.hashicorp.com".into(),
+            version: "v1beta1".into(),
+            api_version: "secrets.hashicorp.com/v1beta1".into(),
+            kind: "VaultDynamicSecret".into(),
+            plural: "vaultdynamicsecrets".into(),
+        };
+
+        let api: Api<DynamicObject> = Api::all_with(client.clone(), &ar);
+        let list = api.list(&ListParams::default()).await;
+
+        if let Ok(list) = list {
+            let mut grouped: BTreeMap<String, Vec<(String, bool)>> = BTreeMap::new();
+            for obj in &list.items {
+                let ns = obj.namespace().unwrap_or_default();
+                let name = obj.name_any();
+                let renewed = obj
+                    .data
+                    .get("status")
+                    .and_then(|s| s.get("lastRenewalTime"))
+                    .and_then(|v| v.as_str())
+                    .unwrap_or("0");
+                let synced = !renewed.is_empty() && renewed != "0" && renewed != "<none>";
+                if !synced {
+                    all_ok = false;
+                }
+                grouped.entry(ns).or_default().push((name, synced));
+            }
+            for (ns, mut items) in grouped {
+                println!("  {ns} (VDS):");
+                items.sort();
+                for (name, synced) in items {
+                    let icon = if synced { "\u{2713}" } else { "\u{2717}" };
+                    println!("    {icon} {name}");
+                }
+            }
+        }
+    }
+
+    println!();
+    if all_ok {
+        ok("All VSO secrets synced.");
+    } else {
+        warn("Some VSO secrets are not synced.");
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Public commands
+// ---------------------------------------------------------------------------
+
+/// Show pod health, optionally filtered by namespace or namespace/service.
+pub async fn cmd_status(target: Option<&str>) -> Result<()> {
+    step("Pod health across all namespaces...");
+
+    let client = get_client().await?;
+    let (ns_filter, svc_filter) = parse_target(target)?;
+
+    let mut pods: Vec<PodRow> = Vec::new();
+
+    match (ns_filter, svc_filter) {
+        (None, _) => {
+            // All managed namespaces
+            let ns_set: std::collections::HashSet<&str> =
+                MANAGED_NS.iter().copied().collect();
+            for ns in MANAGED_NS {
+                let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+                let lp = ListParams::default();
+                if let Ok(list) = api.list(&lp).await {
+                    for pod in list.items {
+                        let pod_ns = pod.namespace().unwrap_or_default();
+                        if !ns_set.contains(pod_ns.as_str()) {
+                            continue;
+                        }
+                        pods.push(PodRow {
+                            ns: pod_ns,
+                            name: pod.name_any(),
+                            ready: pod_ready_str(&pod),
+                            status: pod_phase(&pod),
+                        });
+                    }
+                }
+            }
+        }
+        (Some(ns), None) => {
+            // All pods in a namespace
+            let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+            let lp = ListParams::default();
+            if let Ok(list) = api.list(&lp).await {
+                for pod in list.items {
+                    pods.push(PodRow {
+                        ns: ns.to_string(),
+                        name: pod.name_any(),
+                        ready: pod_ready_str(&pod),
+                        status: pod_phase(&pod),
+                    });
+                }
+            }
+        }
+        (Some(ns), Some(svc)) => {
+            // Specific service: filter by app label
+            let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+            let lp = ListParams::default().labels(&format!("app={svc}"));
+            if let Ok(list) = api.list(&lp).await {
+                for pod in list.items {
+                    pods.push(PodRow {
+                        ns: ns.to_string(),
+                        name: pod.name_any(),
+                        ready: pod_ready_str(&pod),
+                        status: pod_phase(&pod),
+                    });
+                }
+            }
+        }
+    }
+
+    if pods.is_empty() {
+        warn("No pods found in managed namespaces.");
+        return Ok(());
+    }
+
+    pods.sort_by(|a, b| (&a.ns, &a.name).cmp(&(&b.ns, &b.name)));
+
+    let mut all_ok = true;
+    let mut cur_ns: Option<&str> = None;
+    for row in &pods {
+        if cur_ns != Some(&row.ns) {
+            println!("  {}:", row.ns);
+            cur_ns = Some(&row.ns);
+        }
+        let icon = icon_for_status(&row.status);
+
+        let mut unhealthy = !matches!(
+            row.status.as_str(),
+            "Running" | "Completed" | "Succeeded"
+        );
+        // For Running pods, check ready ratio
+        if !unhealthy && row.status == "Running" && row.ready.contains('/') {
+            let parts: Vec<&str> = row.ready.split('/').collect();
+            if parts.len() == 2 && parts[0] != parts[1] {
+                unhealthy = true;
+            }
+        }
+        if unhealthy {
+            all_ok = false;
+        }
+        println!("    {icon} {:<50} {:<6} {}", row.name, row.ready, row.status);
+    }
+
+    println!();
+    if all_ok {
+        ok("All pods healthy.");
+    } else {
+        warn("Some pods are not ready.");
+    }
+
+    vso_sync_status().await?;
+    Ok(())
+}
+
+/// Stream logs for a service. Target must include service name (e.g. ory/kratos).
+pub async fn cmd_logs(target: &str, follow: bool) -> Result<()> {
+    let (ns_opt, name_opt) = parse_target(Some(target))?;
+    let ns = ns_opt.unwrap_or("");
+    let name = match name_opt {
+        Some(n) => n,
+        None => bail!("Logs require a service name, e.g. 'ory/kratos'."),
+    };
+
+    let client = get_client().await?;
+    let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+
+    // Find pods matching the app label
+    let lp = ListParams::default().labels(&format!("app={name}"));
+    let pod_list = api.list(&lp).await?;
+
+    if pod_list.items.is_empty() {
+        bail!("No pods found for {ns}/{name}");
+    }
+
+    if follow {
+        // Stream logs from the first matching pod
+        let pod_name = pod_list.items[0].name_any();
+        let mut lp = LogParams::default();
+        lp.follow = true;
+        lp.tail_lines = Some(100);
+
+        // log_stream returns a futures::AsyncBufRead — use the futures crate to read it
+        use futures::AsyncBufReadExt;
+        let stream = api.log_stream(&pod_name, &lp).await?;
+        let reader = futures::io::BufReader::new(stream);
+        let mut lines = reader.lines();
+        use futures::StreamExt;
+        while let Some(line) = lines.next().await {
+            match line {
+                Ok(line) => println!("{line}"),
+                Err(e) => {
+                    warn(&format!("Log stream error: {e}"));
+                    break;
+                }
+            }
+        }
+    } else {
+        // Print logs from all matching pods
+        for pod in &pod_list.items {
+            let pod_name = pod.name_any();
+            let mut lp = LogParams::default();
+            lp.tail_lines = Some(100);
+
+            match api.logs(&pod_name, &lp).await {
+                Ok(logs) => print!("{logs}"),
+                Err(e) => warn(&format!("Failed to get logs for {pod_name}: {e}")),
+            }
+        }
+    }
+
+    Ok(())
+}
+
+/// Print raw pod output in YAML or JSON format.
+pub async fn cmd_get(target: &str, output: &str) -> Result<()> {
+    let (ns_opt, name_opt) = parse_target(Some(target))?;
+    let ns = match ns_opt {
+        Some(n) if !n.is_empty() => n,
+        _ => bail!("get requires namespace/name, e.g. 'sunbeam get ory/kratos-abc'"),
+    };
+    let name = match name_opt {
+        Some(n) => n,
+        None => bail!("get requires namespace/name, e.g. 'sunbeam get ory/kratos-abc'"),
+    };
+
+    let client = get_client().await?;
+    let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+
+    let pod = api
+        .get_opt(name)
+        .await?
+        .ok_or_else(|| SunbeamError::kube(format!("Pod {ns}/{name} not found.")))?;
+
+    let text = match output {
+        "json" => serde_json::to_string_pretty(&pod)?,
+        _ => serde_yaml::to_string(&pod)?,
+    };
+    println!("{text}");
+    Ok(())
+}
+
+/// Restart deployments. None=all, 'ory'=namespace, 'ory/kratos'=specific.
+pub async fn cmd_restart(target: Option<&str>) -> Result<()> {
+    step("Restarting services...");
+
+    let (ns_filter, svc_filter) = parse_target(target)?;
+
+    let matched: Vec<(&str, &str)> = match (ns_filter, svc_filter) {
+        (None, _) => SERVICES_TO_RESTART.to_vec(),
+        (Some(ns), None) => SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, _)| *n == ns)
+            .copied()
+            .collect(),
+        (Some(ns), Some(name)) => SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, d)| *n == ns && *d == name)
+            .copied()
+            .collect(),
+    };
+
+    if matched.is_empty() {
+        warn(&format!(
+            "No matching services for target: {}",
+            target.unwrap_or("(none)")
+        ));
+        return Ok(());
+    }
+
+    for (ns, dep) in &matched {
+        if let Err(e) = kube_rollout_restart(ns, dep).await {
+            warn(&format!("Failed to restart {ns}/{dep}: {e}"));
+        }
+    }
+    ok("Done.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_managed_ns_contains_expected() {
+        assert!(MANAGED_NS.contains(&"ory"));
+        assert!(MANAGED_NS.contains(&"data"));
+        assert!(MANAGED_NS.contains(&"devtools"));
+        assert!(MANAGED_NS.contains(&"ingress"));
+        assert!(MANAGED_NS.contains(&"lasuite"));
+        assert!(MANAGED_NS.contains(&"matrix"));
+        assert!(MANAGED_NS.contains(&"media"));
+        assert!(MANAGED_NS.contains(&"storage"));
+        assert!(MANAGED_NS.contains(&"monitoring"));
+        assert!(MANAGED_NS.contains(&"vault-secrets-operator"));
+        assert_eq!(MANAGED_NS.len(), 10);
+    }
+
+    #[test]
+    fn test_services_to_restart_contains_expected() {
+        assert!(SERVICES_TO_RESTART.contains(&("ory", "hydra")));
+        assert!(SERVICES_TO_RESTART.contains(&("ory", "kratos")));
+        assert!(SERVICES_TO_RESTART.contains(&("ory", "login-ui")));
+        assert!(SERVICES_TO_RESTART.contains(&("devtools", "gitea")));
+        assert!(SERVICES_TO_RESTART.contains(&("storage", "seaweedfs-filer")));
+        assert!(SERVICES_TO_RESTART.contains(&("lasuite", "hive")));
+        assert!(SERVICES_TO_RESTART.contains(&("matrix", "tuwunel")));
+        assert!(SERVICES_TO_RESTART.contains(&("media", "livekit-server")));
+        assert_eq!(SERVICES_TO_RESTART.len(), 13);
+    }
+
+    #[test]
+    fn test_icon_for_status() {
+        assert_eq!(icon_for_status("Running"), "\u{2713}");
+        assert_eq!(icon_for_status("Completed"), "\u{2713}");
+        assert_eq!(icon_for_status("Succeeded"), "\u{2713}");
+        assert_eq!(icon_for_status("Pending"), "\u{25cb}");
+        assert_eq!(icon_for_status("Failed"), "\u{2717}");
+        assert_eq!(icon_for_status("Unknown"), "?");
+        assert_eq!(icon_for_status("CrashLoopBackOff"), "?");
+    }
+
+    #[test]
+    fn test_restart_filter_namespace() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, _)| *n == "ory")
+            .copied()
+            .collect();
+        assert_eq!(matched.len(), 3);
+        assert!(matched.contains(&("ory", "hydra")));
+        assert!(matched.contains(&("ory", "kratos")));
+        assert!(matched.contains(&("ory", "login-ui")));
+    }
+
+    #[test]
+    fn test_restart_filter_specific() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, d)| *n == "ory" && *d == "kratos")
+            .copied()
+            .collect();
+        assert_eq!(matched.len(), 1);
+        assert_eq!(matched[0], ("ory", "kratos"));
+    }
+
+    #[test]
+    fn test_restart_filter_no_match() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, d)| *n == "nonexistent" && *d == "nosuch")
+            .copied()
+            .collect();
+        assert!(matched.is_empty());
+    }
+
+    #[test]
+    fn test_restart_filter_all() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART.to_vec();
+        assert_eq!(matched.len(), 13);
+    }
+
+    #[test]
+    fn test_pod_ready_string_format() {
+        // Verify format: "N/M"
+        let ready = "2/3";
+        let parts: Vec<&str> = ready.split('/').collect();
+        assert_eq!(parts.len(), 2);
+        assert_ne!(parts[0], parts[1]); // unhealthy
+    }
+
+    #[test]
+    fn test_unhealthy_detection_by_ready_ratio() {
+        // Simulate the ready ratio check used in cmd_status
+        let ready = "1/2";
+        let status = "Running";
+        let mut unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        if !unhealthy && status == "Running" && ready.contains('/') {
+            let parts: Vec<&str> = ready.split('/').collect();
+            if parts.len() == 2 && parts[0] != parts[1] {
+                unhealthy = true;
+            }
+        }
+        assert!(unhealthy);
+    }
+
+    #[test]
+    fn test_healthy_detection_by_ready_ratio() {
+        let ready = "2/2";
+        let status = "Running";
+        let mut unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        if !unhealthy && status == "Running" && ready.contains('/') {
+            let parts: Vec<&str> = ready.split('/').collect();
+            if parts.len() == 2 && parts[0] != parts[1] {
+                unhealthy = true;
+            }
+        }
+        assert!(!unhealthy);
+    }
+
+    #[test]
+    fn test_completed_pods_are_healthy() {
+        let status = "Completed";
+        let unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        assert!(!unhealthy);
+    }
+
+    #[test]
+    fn test_pending_pods_are_unhealthy() {
+        let status = "Pending";
+        let unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        assert!(unhealthy);
+    }
+}
diff --git a/src/tools.rs b/src/tools.rs
new file mode 100644
index 0000000..ac025ab
--- /dev/null
+++ b/src/tools.rs
@@ -0,0 +1,180 @@
+use crate::error::{Result, ResultExt};
+use std::path::PathBuf;
+
+static KUSTOMIZE_BIN: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/kustomize"));
+static HELM_BIN: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/helm"));
+
+fn cache_dir() -> PathBuf {
+    dirs::data_dir()
+        .unwrap_or_else(|| dirs::home_dir().unwrap_or_else(|| PathBuf::from(".")))
+        .join("sunbeam")
+        .join("bin")
+}
+
+/// Extract an embedded binary to the cache directory if not already present.
+fn extract_embedded(data: &[u8], name: &str) -> Result<PathBuf> {
+    let dir = cache_dir();
+    std::fs::create_dir_all(&dir)
+        .with_ctx(|| format!("Failed to create cache dir: {}", dir.display()))?;
+
+    let dest = dir.join(name);
+
+    // Skip if already extracted and same size
+    if dest.exists() {
+        if let Ok(meta) = std::fs::metadata(&dest) {
+            if meta.len() == data.len() as u64 {
+                return Ok(dest);
+            }
+        }
+    }
+
+    std::fs::write(&dest, data)
+        .with_ctx(|| format!("Failed to write {}", dest.display()))?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        std::fs::set_permissions(&dest, std::fs::Permissions::from_mode(0o755))?;
+    }
+
+    Ok(dest)
+}
+
+/// Ensure kustomize is extracted and return its path.
+pub fn ensure_kustomize() -> Result<PathBuf> {
+    extract_embedded(KUSTOMIZE_BIN, "kustomize")
+}
+
+/// Ensure helm is extracted and return its path.
+pub fn ensure_helm() -> Result<PathBuf> {
+    extract_embedded(HELM_BIN, "helm")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn kustomize_bin_is_non_empty() {
+        assert!(
+            KUSTOMIZE_BIN.len() > 0,
+            "Embedded kustomize binary should not be empty"
+        );
+    }
+
+    #[test]
+    fn helm_bin_is_non_empty() {
+        assert!(
+            HELM_BIN.len() > 0,
+            "Embedded helm binary should not be empty"
+        );
+    }
+
+    #[test]
+    fn kustomize_bin_has_reasonable_size() {
+        // kustomize binary should be at least 1 MB
+        assert!(
+            KUSTOMIZE_BIN.len() > 1_000_000,
+            "Embedded kustomize binary seems too small: {} bytes",
+            KUSTOMIZE_BIN.len()
+        );
+    }
+
+    #[test]
+    fn helm_bin_has_reasonable_size() {
+        // helm binary should be at least 1 MB
+        assert!(
+            HELM_BIN.len() > 1_000_000,
+            "Embedded helm binary seems too small: {} bytes",
+            HELM_BIN.len()
+        );
+    }
+
+    #[test]
+    fn cache_dir_ends_with_sunbeam_bin() {
+        let dir = cache_dir();
+        assert!(
+            dir.ends_with("sunbeam/bin"),
+            "cache_dir() should end with sunbeam/bin, got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn cache_dir_is_absolute() {
+        let dir = cache_dir();
+        assert!(
+            dir.is_absolute(),
+            "cache_dir() should return an absolute path, got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn ensure_kustomize_returns_valid_path() {
+        let path = ensure_kustomize().expect("ensure_kustomize should succeed");
+        assert!(
+            path.ends_with("kustomize"),
+            "ensure_kustomize path should end with 'kustomize', got: {}",
+            path.display()
+        );
+        assert!(path.exists(), "kustomize binary should exist at: {}", path.display());
+    }
+
+    #[test]
+    fn ensure_helm_returns_valid_path() {
+        let path = ensure_helm().expect("ensure_helm should succeed");
+        assert!(
+            path.ends_with("helm"),
+            "ensure_helm path should end with 'helm', got: {}",
+            path.display()
+        );
+        assert!(path.exists(), "helm binary should exist at: {}", path.display());
+    }
+
+    #[test]
+    fn ensure_kustomize_is_idempotent() {
+        let path1 = ensure_kustomize().expect("first call should succeed");
+        let path2 = ensure_kustomize().expect("second call should succeed");
+        assert_eq!(path1, path2, "ensure_kustomize should return the same path on repeated calls");
+    }
+
+    #[test]
+    fn ensure_helm_is_idempotent() {
+        let path1 = ensure_helm().expect("first call should succeed");
+        let path2 = ensure_helm().expect("second call should succeed");
+        assert_eq!(path1, path2, "ensure_helm should return the same path on repeated calls");
+    }
+
+    #[test]
+    fn extracted_kustomize_is_executable() {
+        let path = ensure_kustomize().expect("ensure_kustomize should succeed");
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            let perms = std::fs::metadata(&path)
+                .expect("should read metadata")
+                .permissions();
+            assert!(
+                perms.mode() & 0o111 != 0,
+                "kustomize binary should be executable"
+            );
+        }
+    }
+
+    #[test]
+    fn extracted_helm_is_executable() {
+        let path = ensure_helm().expect("ensure_helm should succeed");
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            let perms = std::fs::metadata(&path)
+                .expect("should read metadata")
+                .permissions();
+            assert!(
+                perms.mode() & 0o111 != 0,
+                "helm binary should be executable"
+            );
+        }
+    }
+}
diff --git a/src/update.rs b/src/update.rs
new file mode 100644
index 0000000..554d12e
--- /dev/null
+++ b/src/update.rs
@@ -0,0 +1,443 @@
+use crate::error::{Result, ResultExt};
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use std::fs;
+use std::path::PathBuf;
+
+/// Compile-time commit SHA set by build.rs.
+pub const COMMIT: &str = env!("SUNBEAM_COMMIT");
+
+/// Compile-time build target triple set by build.rs.
+pub const TARGET: &str = env!("SUNBEAM_TARGET");
+
+/// Compile-time build date set by build.rs.
+pub const BUILD_DATE: &str = env!("SUNBEAM_BUILD_DATE");
+
+/// Artifact name prefix for this platform.
+fn artifact_name() -> String {
+    format!("sunbeam-{TARGET}")
+}
+
+/// Resolve the forge URL (Gitea instance).
+///
+/// TODO: Once kube.rs exposes `get_domain()`, derive this automatically as
+/// `https://src.{domain}`. For now we read the SUNBEAM_FORGE_URL environment
+/// variable with a sensible fallback.
+fn forge_url() -> String {
+    if let Ok(url) = std::env::var("SUNBEAM_FORGE_URL") {
+        return url.trim_end_matches('/').to_string();
+    }
+
+    // Derive from production_host domain in config
+    let config = crate::config::load_config();
+    if !config.production_host.is_empty() {
+        // production_host is like "user@server.example.com" — extract domain
+        let host = config
+            .production_host
+            .split('@')
+            .last()
+            .unwrap_or(&config.production_host);
+        // Strip any leading subdomain segments that look like a hostname to get the base domain.
+        // For a host like "admin.sunbeam.pt", the forge is "src.sunbeam.pt".
+        // Heuristic: use the last two segments as the domain.
+        let parts: Vec<&str> = host.split('.').collect();
+        if parts.len() >= 2 {
+            let domain = format!("{}.{}", parts[parts.len() - 2], parts[parts.len() - 1]);
+            return format!("https://src.{domain}");
+        }
+    }
+
+    // Hard fallback — will fail at runtime if not configured, which is fine.
+    String::new()
+}
+
+/// Cache file location for background update checks.
+fn update_cache_path() -> PathBuf {
+    dirs::data_dir()
+        .unwrap_or_else(|| dirs::home_dir().unwrap_or_else(|| PathBuf::from(".")).join(".local/share"))
+        .join("sunbeam")
+        .join("update-check.json")
+}
+
+// ---------------------------------------------------------------------------
+// Gitea API response types
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+struct BranchResponse {
+    commit: BranchCommit,
+}
+
+#[derive(Debug, Deserialize)]
+struct BranchCommit {
+    id: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct ArtifactListResponse {
+    artifacts: Vec<Artifact>,
+}
+
+#[derive(Debug, Deserialize)]
+struct Artifact {
+    name: String,
+    id: u64,
+}
+
+// ---------------------------------------------------------------------------
+// Update-check cache
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Serialize, Deserialize)]
+struct UpdateCache {
+    last_check: DateTime<Utc>,
+    latest_commit: String,
+    current_commit: String,
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/// Print version information.
+pub fn cmd_version() {
+    println!("sunbeam {COMMIT}");
+    println!("  target: {TARGET}");
+    println!("  built:  {BUILD_DATE}");
+}
+
+/// Self-update from the latest mainline commit via Gitea CI artifacts.
+pub async fn cmd_update() -> Result<()> {
+    let base = forge_url();
+    if base.is_empty() {
+        bail!(
+            "Forge URL not configured. Set SUNBEAM_FORGE_URL or configure a \
+             production host via `sunbeam config set --host`."
+        );
+    }
+
+    crate::output::step("Checking for updates...");
+
+    let client = reqwest::Client::new();
+
+    // 1. Check latest commit on mainline
+    let latest_commit = fetch_latest_commit(&client, &base).await?;
+    let short_latest = &latest_commit[..std::cmp::min(8, latest_commit.len())];
+
+    crate::output::ok(&format!("Current: {COMMIT}"));
+    crate::output::ok(&format!("Latest:  {short_latest}"));
+
+    if latest_commit.starts_with(COMMIT) || COMMIT.starts_with(&latest_commit[..std::cmp::min(COMMIT.len(), latest_commit.len())]) {
+        crate::output::ok("Already up to date.");
+        return Ok(());
+    }
+
+    // 2. Find the CI artifact for our platform
+    crate::output::step("Downloading update...");
+    let wanted = artifact_name();
+
+    let artifacts = fetch_artifacts(&client, &base).await?;
+    let binary_artifact = artifacts
+        .iter()
+        .find(|a| a.name == wanted)
+        .with_ctx(|| format!("No artifact found for platform '{wanted}'"))?;
+
+    let checksums_artifact = artifacts
+        .iter()
+        .find(|a| a.name == "checksums.txt" || a.name == "checksums");
+
+    // 3. Download the binary
+    let binary_url = format!(
+        "{base}/api/v1/repos/studio/cli/actions/artifacts/{id}",
+        id = binary_artifact.id
+    );
+    let binary_bytes = client
+        .get(&binary_url)
+        .send()
+        .await?
+        .error_for_status()
+        .ctx("Failed to download binary artifact")?
+        .bytes()
+        .await?;
+
+    crate::output::ok(&format!("Downloaded {} bytes", binary_bytes.len()));
+
+    // 4. Verify SHA256 if checksums artifact exists
+    if let Some(checksums) = checksums_artifact {
+        let checksums_url = format!(
+            "{base}/api/v1/repos/studio/cli/actions/artifacts/{id}",
+            id = checksums.id
+        );
+        let checksums_text = client
+            .get(&checksums_url)
+            .send()
+            .await?
+            .error_for_status()
+            .ctx("Failed to download checksums")?
+            .text()
+            .await?;
+
+        verify_checksum(&binary_bytes, &wanted, &checksums_text)?;
+        crate::output::ok("SHA256 checksum verified.");
+    } else {
+        crate::output::warn("No checksums artifact found; skipping verification.");
+    }
+
+    // 5. Atomic self-replace
+    crate::output::step("Installing update...");
+    let current_exe = std::env::current_exe().ctx("Failed to determine current executable path")?;
+    atomic_replace(&current_exe, &binary_bytes)?;
+
+    crate::output::ok(&format!(
+        "Updated sunbeam {COMMIT} -> {short_latest}"
+    ));
+
+    // Update the cache so background check knows we are current
+    let _ = write_cache(&UpdateCache {
+        last_check: Utc::now(),
+        latest_commit: latest_commit.clone(),
+        current_commit: latest_commit,
+    });
+
+    Ok(())
+}
+
+/// Background update check. Returns a notification message if a newer version
+/// is available, or None if up-to-date / on error / checked too recently.
+///
+/// This function never blocks for long and never returns errors — it silently
+/// returns None on any failure.
+pub async fn check_update_background() -> Option<String> {
+    // Read cache
+    let cache_path = update_cache_path();
+    if let Ok(data) = fs::read_to_string(&cache_path) {
+        if let Ok(cache) = serde_json::from_str::<UpdateCache>(&data) {
+            let age = Utc::now().signed_duration_since(cache.last_check);
+            if age.num_seconds() < 3600 {
+                // Checked recently — just compare cached values
+                if cache.latest_commit.starts_with(COMMIT)
+                    || COMMIT.starts_with(&cache.latest_commit[..std::cmp::min(COMMIT.len(), cache.latest_commit.len())])
+                {
+                    return None; // up to date
+                }
+                let short = &cache.latest_commit[..std::cmp::min(8, cache.latest_commit.len())];
+                return Some(format!(
+                    "A newer version of sunbeam is available ({short}). Run `sunbeam update` to upgrade."
+                ));
+            }
+        }
+    }
+
+    // Time to check again
+    let base = forge_url();
+    if base.is_empty() {
+        return None;
+    }
+
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(5))
+        .build()
+        .ok()?;
+
+    let latest = fetch_latest_commit(&client, &base).await.ok()?;
+
+    let cache = UpdateCache {
+        last_check: Utc::now(),
+        latest_commit: latest.clone(),
+        current_commit: COMMIT.to_string(),
+    };
+    let _ = write_cache(&cache);
+
+    if latest.starts_with(COMMIT)
+        || COMMIT.starts_with(&latest[..std::cmp::min(COMMIT.len(), latest.len())])
+    {
+        return None;
+    }
+
+    let short = &latest[..std::cmp::min(8, latest.len())];
+    Some(format!(
+        "A newer version of sunbeam is available ({short}). Run `sunbeam update` to upgrade."
+    ))
+}
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+/// Fetch the latest commit SHA on the mainline branch.
+async fn fetch_latest_commit(client: &reqwest::Client, forge_url: &str) -> Result<String> {
+    let url = format!("{forge_url}/api/v1/repos/studio/cli/branches/mainline");
+    let resp: BranchResponse = client
+        .get(&url)
+        .send()
+        .await?
+        .error_for_status()
+        .ctx("Failed to query mainline branch")?
+        .json()
+        .await?;
+    Ok(resp.commit.id)
+}
+
+/// Fetch the list of CI artifacts for the repo.
+async fn fetch_artifacts(client: &reqwest::Client, forge_url: &str) -> Result<Vec<Artifact>> {
+    let url = format!("{forge_url}/api/v1/repos/studio/cli/actions/artifacts");
+    let resp: ArtifactListResponse = client
+        .get(&url)
+        .send()
+        .await?
+        .error_for_status()
+        .ctx("Failed to query CI artifacts")?
+        .json()
+        .await?;
+    Ok(resp.artifacts)
+}
+
+/// Verify that the downloaded binary matches the expected SHA256 from checksums text.
+///
+/// Checksums file format (one per line):
+///   <hex-sha256>  <filename>
+fn verify_checksum(binary: &[u8], artifact_name: &str, checksums_text: &str) -> Result<()> {
+    let actual = {
+        let mut hasher = Sha256::new();
+        hasher.update(binary);
+        format!("{:x}", hasher.finalize())
+    };
+
+    for line in checksums_text.lines() {
+        // Split on whitespace — format is "<hash>  <name>" or "<hash> <name>"
+        let mut parts = line.split_whitespace();
+        if let (Some(expected_hash), Some(name)) = (parts.next(), parts.next()) {
+            if name == artifact_name {
+                if actual != expected_hash {
+                    bail!(
+                        "Checksum mismatch for {artifact_name}:\n  expected: {expected_hash}\n  actual:   {actual}"
+                    );
+                }
+                return Ok(());
+            }
+        }
+    }
+
+    bail!("No checksum entry found for '{artifact_name}' in checksums file");
+}
+
+/// Atomically replace the binary at `target` with `new_bytes`.
+///
+/// Writes to a temp file in the same directory, sets executable permissions,
+/// then renames over the original.
+fn atomic_replace(target: &std::path::Path, new_bytes: &[u8]) -> Result<()> {
+    let parent = target
+        .parent()
+        .ctx("Cannot determine parent directory of current executable")?;
+
+    let tmp_path = parent.join(".sunbeam-update.tmp");
+
+    // Write new binary
+    fs::write(&tmp_path, new_bytes).ctx("Failed to write temporary update file")?;
+
+    // Set executable permissions (unix)
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        fs::set_permissions(&tmp_path, fs::Permissions::from_mode(0o755))
+            .ctx("Failed to set executable permissions")?;
+    }
+
+    // Atomic rename
+    fs::rename(&tmp_path, target).ctx("Failed to replace current executable")?;
+
+    Ok(())
+}
+
+/// Write the update-check cache to disk.
+fn write_cache(cache: &UpdateCache) -> Result<()> {
+    let path = update_cache_path();
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent)?;
+    }
+    let json = serde_json::to_string_pretty(cache)?;
+    fs::write(&path, json)?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_version_consts() {
+        // COMMIT, TARGET, BUILD_DATE are set at compile time
+        assert!(!COMMIT.is_empty());
+        assert!(!TARGET.is_empty());
+        assert!(!BUILD_DATE.is_empty());
+    }
+
+    #[test]
+    fn test_artifact_name() {
+        let name = artifact_name();
+        assert!(name.starts_with("sunbeam-"));
+        assert!(name.contains(TARGET));
+    }
+
+    #[test]
+    fn test_verify_checksum_ok() {
+        let data = b"hello world";
+        let mut hasher = Sha256::new();
+        hasher.update(data);
+        let hash = format!("{:x}", hasher.finalize());
+
+        let checksums = format!("{hash}  sunbeam-test");
+        assert!(verify_checksum(data, "sunbeam-test", &checksums).is_ok());
+    }
+
+    #[test]
+    fn test_verify_checksum_mismatch() {
+        let checksums = "0000000000000000000000000000000000000000000000000000000000000000  sunbeam-test";
+        assert!(verify_checksum(b"hello", "sunbeam-test", checksums).is_err());
+    }
+
+    #[test]
+    fn test_verify_checksum_missing_entry() {
+        let checksums = "abcdef1234567890  sunbeam-other";
+        assert!(verify_checksum(b"hello", "sunbeam-test", checksums).is_err());
+    }
+
+    #[test]
+    fn test_update_cache_path() {
+        let path = update_cache_path();
+        assert!(path.to_string_lossy().contains("sunbeam"));
+        assert!(path.to_string_lossy().ends_with("update-check.json"));
+    }
+
+    #[test]
+    fn test_cache_roundtrip() {
+        let cache = UpdateCache {
+            last_check: Utc::now(),
+            latest_commit: "abc12345".to_string(),
+            current_commit: "def67890".to_string(),
+        };
+        let json = serde_json::to_string(&cache).unwrap();
+        let loaded: UpdateCache = serde_json::from_str(&json).unwrap();
+        assert_eq!(loaded.latest_commit, "abc12345");
+        assert_eq!(loaded.current_commit, "def67890");
+    }
+
+    #[tokio::test]
+    async fn test_check_update_background_returns_none_when_forge_url_empty() {
+        // When SUNBEAM_FORGE_URL is unset and there is no production_host config,
+        // forge_url() returns "" and check_update_background should return None
+        // without making any network requests.
+        // Clear the env var to ensure we hit the empty-URL path.
+        // SAFETY: This test is not run concurrently with other tests that depend on this env var.
+        unsafe { std::env::remove_var("SUNBEAM_FORGE_URL") };
+        // Note: this test assumes no production_host is configured in the test
+        // environment, which is the default for CI/dev. If forge_url() returns
+        // a non-empty string (e.g. from config), the test may still pass because
+        // the background check silently returns None on network errors.
+        let result = check_update_background().await;
+        // Either None (empty forge URL or network error) — never panics.
+        // The key property: this completes quickly without hanging.
+        drop(result);
+    }
+}
diff --git a/src/users.rs b/src/users.rs
new file mode 100644
index 0000000..c452e83
--- /dev/null
+++ b/src/users.rs
@@ -0,0 +1,1157 @@
+//! User management -- Kratos identity operations via port-forwarded admin API.
+
+use serde_json::Value;
+use std::io::Write;
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use crate::output::{ok, step, table, warn};
+
+const SMTP_LOCAL_PORT: u16 = 10025;
+
+// ---------------------------------------------------------------------------
+// Port-forward helper
+// ---------------------------------------------------------------------------
+
+/// RAII guard that terminates the port-forward on drop.
+struct PortForward {
+    child: tokio::process::Child,
+    pub base_url: String,
+}
+
+impl PortForward {
+    async fn new(ns: &str, svc: &str, local_port: u16, remote_port: u16) -> Result<Self> {
+        let ctx = crate::kube::context();
+        let child = tokio::process::Command::new("kubectl")
+            .arg(format!("--context={ctx}"))
+            .args([
+                "-n",
+                ns,
+                "port-forward",
+                &format!("svc/{svc}"),
+                &format!("{local_port}:{remote_port}"),
+            ])
+            .stdout(std::process::Stdio::piped())
+            .stderr(std::process::Stdio::piped())
+            .spawn()
+            .with_ctx(|| format!("Failed to spawn port-forward to {ns}/svc/{svc}"))?;
+
+        // Give the port-forward time to bind
+        tokio::time::sleep(std::time::Duration::from_millis(1500)).await;
+
+        Ok(Self {
+            child,
+            base_url: format!("http://localhost:{local_port}"),
+        })
+    }
+
+    /// Convenience: Kratos admin (ory/kratos-admin 80 -> 4434).
+    async fn kratos() -> Result<Self> {
+        Self::new("ory", "kratos-admin", 4434, 80).await
+    }
+}
+
+impl Drop for PortForward {
+    fn drop(&mut self) {
+        let _ = self.child.start_kill();
+    }
+}
+
+// ---------------------------------------------------------------------------
+// HTTP helpers
+// ---------------------------------------------------------------------------
+
+/// Make an HTTP request to an admin API endpoint.
+async fn api(
+    base_url: &str,
+    path: &str,
+    method: &str,
+    body: Option<&Value>,
+    prefix: &str,
+    ok_statuses: &[u16],
+) -> Result<Option<Value>> {
+    let url = format!("{base_url}{prefix}{path}");
+    let client = reqwest::Client::new();
+
+    let mut req = match method {
+        "GET" => client.get(&url),
+        "POST" => client.post(&url),
+        "PUT" => client.put(&url),
+        "PATCH" => client.patch(&url),
+        "DELETE" => client.delete(&url),
+        _ => bail!("Unsupported HTTP method: {method}"),
+    };
+
+    req = req
+        .header("Content-Type", "application/json")
+        .header("Accept", "application/json");
+
+    if let Some(b) = body {
+        req = req.json(b);
+    }
+
+    let resp = req
+        .send()
+        .await
+        .with_ctx(|| format!("HTTP {method} {url} failed"))?;
+    let status = resp.status().as_u16();
+
+    if !resp.status().is_success() {
+        if ok_statuses.contains(&status) {
+            return Ok(None);
+        }
+        let err_text = resp.text().await.unwrap_or_default();
+        bail!("API error {status}: {err_text}");
+    }
+
+    let text = resp.text().await.unwrap_or_default();
+    if text.is_empty() {
+        return Ok(None);
+    }
+    let val: Value = serde_json::from_str(&text)
+        .with_ctx(|| format!("Failed to parse API response as JSON: {text}"))?;
+    Ok(Some(val))
+}
+
+/// Shorthand: Kratos admin API call (prefix = "/admin").
+async fn kratos_api(
+    base_url: &str,
+    path: &str,
+    method: &str,
+    body: Option<&Value>,
+    ok_statuses: &[u16],
+) -> Result<Option<Value>> {
+    api(base_url, path, method, body, "/admin", ok_statuses).await
+}
+
+// ---------------------------------------------------------------------------
+// Identity helpers
+// ---------------------------------------------------------------------------
+
+/// Find identity by UUID or email search. Returns the identity JSON.
+async fn find_identity(base_url: &str, target: &str, required: bool) -> Result<Option<Value>> {
+    // Looks like a UUID?
+    if target.len() == 36 && target.chars().filter(|&c| c == '-').count() == 4 {
+        let result = kratos_api(base_url, &format!("/identities/{target}"), "GET", None, &[]).await?;
+        return Ok(result);
+    }
+
+    // Search by email
+    let result = kratos_api(
+        base_url,
+        &format!("/identities?credentials_identifier={target}&page_size=1"),
+        "GET",
+        None,
+        &[],
+    )
+    .await?;
+
+    if let Some(Value::Array(arr)) = &result {
+        if let Some(first) = arr.first() {
+            return Ok(Some(first.clone()));
+        }
+    }
+
+    if required {
+        return Err(SunbeamError::identity(format!("Identity not found: {target}")));
+    }
+    Ok(None)
+}
+
+/// Build the PUT body for updating an identity, preserving all required fields.
+fn identity_put_body(identity: &Value, state: Option<&str>, extra: Option<Value>) -> Value {
+    let mut body = serde_json::json!({
+        "schema_id": identity["schema_id"],
+        "traits": identity["traits"],
+        "state": state.unwrap_or_else(|| identity.get("state").and_then(|v| v.as_str()).unwrap_or("active")),
+        "metadata_public": identity.get("metadata_public").cloned().unwrap_or(Value::Null),
+        "metadata_admin": identity.get("metadata_admin").cloned().unwrap_or(Value::Null),
+    });
+
+    if let Some(extra_obj) = extra {
+        if let (Some(base_map), Some(extra_map)) = (body.as_object_mut(), extra_obj.as_object()) {
+            for (k, v) in extra_map {
+                base_map.insert(k.clone(), v.clone());
+            }
+        }
+    }
+
+    body
+}
+
+/// Generate a 24h recovery code. Returns (link, code).
+async fn generate_recovery(base_url: &str, identity_id: &str) -> Result<(String, String)> {
+    let body = serde_json::json!({
+        "identity_id": identity_id,
+        "expires_in": "24h",
+    });
+
+    let result = kratos_api(base_url, "/recovery/code", "POST", Some(&body), &[]).await?;
+
+    let recovery = result.unwrap_or_default();
+    let link = recovery
+        .get("recovery_link")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+    let code = recovery
+        .get("recovery_code")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+
+    Ok((link, code))
+}
+
+/// Find the next sequential employee ID by scanning all employee identities.
+///
+/// Paginates through all identities using `page` and `page_size` params to
+/// avoid missing employee IDs when there are more than 200 identities.
+async fn next_employee_id(base_url: &str) -> Result<String> {
+    let mut max_num: u64 = 0;
+    let mut page = 1;
+    loop {
+        let result = kratos_api(
+            base_url,
+            &format!("/identities?page_size=200&page={page}"),
+            "GET",
+            None,
+            &[],
+        )
+        .await?;
+
+        let identities = match result {
+            Some(Value::Array(arr)) if !arr.is_empty() => arr,
+            _ => break,
+        };
+
+        for ident in &identities {
+            if let Some(eid) = ident
+                .get("traits")
+                .and_then(|t| t.get("employee_id"))
+                .and_then(|v| v.as_str())
+            {
+                if let Ok(n) = eid.parse::<u64>() {
+                    max_num = max_num.max(n);
+                }
+            }
+        }
+
+        if identities.len() < 200 {
+            break; // last page
+        }
+        page += 1;
+    }
+
+    Ok((max_num + 1).to_string())
+}
+
+// ---------------------------------------------------------------------------
+// Display helpers
+// ---------------------------------------------------------------------------
+
+/// Extract a display name from identity traits (supports both default and employee schemas).
+fn display_name(traits: &Value) -> String {
+    let given = traits
+        .get("given_name")
+        .and_then(|v| v.as_str())
+        .unwrap_or("");
+    let family = traits
+        .get("family_name")
+        .and_then(|v| v.as_str())
+        .unwrap_or("");
+
+    if !given.is_empty() || !family.is_empty() {
+        return format!("{given} {family}").trim().to_string();
+    }
+
+    match traits.get("name") {
+        Some(Value::Object(name_map)) => {
+            let first = name_map
+                .get("first")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            let last = name_map
+                .get("last")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            format!("{first} {last}").trim().to_string()
+        }
+        Some(name) => name.as_str().unwrap_or("").to_string(),
+        None => String::new(),
+    }
+}
+
+/// Extract the short ID prefix (first 8 chars + "...").
+fn short_id(id: &str) -> String {
+    if id.len() >= 8 {
+        format!("{}...", &id[..8])
+    } else {
+        id.to_string()
+    }
+}
+
+/// Get identity ID as a string from a JSON value.
+fn identity_id(identity: &Value) -> Result<String> {
+    identity
+        .get("id")
+        .and_then(|v| v.as_str())
+        .map(|s| s.to_string())
+        .ok_or_else(|| SunbeamError::identity("Identity missing 'id' field"))
+}
+
+// ---------------------------------------------------------------------------
+// Public commands
+// ---------------------------------------------------------------------------
+
+pub async fn cmd_user_list(search: &str) -> Result<()> {
+    step("Listing identities...");
+
+    let pf = PortForward::kratos().await?;
+    let mut path = "/identities?page_size=20".to_string();
+    if !search.is_empty() {
+        path.push_str(&format!("&credentials_identifier={search}"));
+    }
+    let result = kratos_api(&pf.base_url, &path, "GET", None, &[]).await?;
+    drop(pf);
+
+    let identities = match result {
+        Some(Value::Array(arr)) => arr,
+        _ => vec![],
+    };
+
+    let rows: Vec<Vec<String>> = identities
+        .iter()
+        .map(|i| {
+            let traits = i.get("traits").cloned().unwrap_or(Value::Object(Default::default()));
+            let email = traits
+                .get("email")
+                .and_then(|v| v.as_str())
+                .unwrap_or("")
+                .to_string();
+            let name = display_name(&traits);
+            let state = i
+                .get("state")
+                .and_then(|v| v.as_str())
+                .unwrap_or("active")
+                .to_string();
+            let id = i
+                .get("id")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            vec![short_id(id), email, name, state]
+        })
+        .collect();
+
+    println!("{}", table(&rows, &["ID", "Email", "Name", "State"]));
+    Ok(())
+}
+
+pub async fn cmd_user_get(target: &str) -> Result<()> {
+    step(&format!("Getting identity: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    drop(pf);
+
+    println!("{}", serde_json::to_string_pretty(&identity)?);
+    Ok(())
+}
+
+pub async fn cmd_user_create(email: &str, name: &str, schema_id: &str) -> Result<()> {
+    step(&format!("Creating identity: {email}"));
+
+    let mut traits = serde_json::json!({ "email": email });
+    if !name.is_empty() {
+        let parts: Vec<&str> = name.splitn(2, ' ').collect();
+        traits["name"] = serde_json::json!({
+            "first": parts[0],
+            "last": if parts.len() > 1 { parts[1] } else { "" },
+        });
+    }
+
+    let body = serde_json::json!({
+        "schema_id": schema_id,
+        "traits": traits,
+        "state": "active",
+    });
+
+    let pf = PortForward::kratos().await?;
+    let identity = kratos_api(&pf.base_url, "/identities", "POST", Some(&body), &[])
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Failed to create identity"))?;
+
+    let iid = identity_id(&identity)?;
+    ok(&format!("Created identity: {iid}"));
+
+    let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+    drop(pf);
+
+    ok("Recovery link (valid 24h):");
+    println!("{link}");
+    ok("Recovery code (enter on the page above):");
+    println!("{code}");
+    Ok(())
+}
+
+pub async fn cmd_user_delete(target: &str) -> Result<()> {
+    step(&format!("Deleting identity: {target}"));
+
+    eprint!("Delete identity '{target}'? This cannot be undone. [y/N] ");
+    std::io::stderr().flush()?;
+    let mut answer = String::new();
+    std::io::stdin().read_line(&mut answer)?;
+    if answer.trim().to_lowercase() != "y" {
+        ok("Cancelled.");
+        return Ok(());
+    }
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "DELETE",
+        None,
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok("Deleted.");
+    Ok(())
+}
+
+pub async fn cmd_user_recover(target: &str) -> Result<()> {
+    step(&format!("Generating recovery link for: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+    let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+    drop(pf);
+
+    ok("Recovery link (valid 24h):");
+    println!("{link}");
+    ok("Recovery code (enter on the page above):");
+    println!("{code}");
+    Ok(())
+}
+
+pub async fn cmd_user_disable(target: &str) -> Result<()> {
+    step(&format!("Disabling identity: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    let put_body = identity_put_body(&identity, Some("inactive"), None);
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}/sessions"),
+        "DELETE",
+        None,
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok(&format!(
+        "Identity {}... disabled and all Kratos sessions revoked.",
+        &iid[..8.min(iid.len())]
+    ));
+    warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE -- currently 1h.");
+    Ok(())
+}
+
+pub async fn cmd_user_enable(target: &str) -> Result<()> {
+    step(&format!("Enabling identity: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    let put_body = identity_put_body(&identity, Some("active"), None);
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok(&format!("Identity {}... re-enabled.", short_id(&iid)));
+    Ok(())
+}
+
+pub async fn cmd_user_set_password(target: &str, password: &str) -> Result<()> {
+    step(&format!("Setting password for: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    let extra = serde_json::json!({
+        "credentials": {
+            "password": {
+                "config": {
+                    "password": password,
+                }
+            }
+        }
+    });
+    let put_body = identity_put_body(&identity, None, Some(extra));
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok(&format!("Password set for {}...", short_id(&iid)));
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// App-level provisioning (best-effort)
+// ---------------------------------------------------------------------------
+
+/// Resolve a deployment to the name of a running pod.
+async fn pod_for_deployment(ns: &str, deployment: &str) -> Result<String> {
+    let client = crate::kube::get_client().await?;
+    let pods: kube::Api<k8s_openapi::api::core::v1::Pod> =
+        kube::Api::namespaced(client.clone(), ns);
+
+    let label = format!("app.kubernetes.io/name={deployment}");
+    let lp = kube::api::ListParams::default().labels(&label);
+    let pod_list = pods
+        .list(&lp)
+        .await
+        .with_ctx(|| format!("Failed to list pods for deployment {deployment} in {ns}"))?;
+
+    for pod in &pod_list.items {
+        if let Some(status) = &pod.status {
+            let phase = status.phase.as_deref().unwrap_or("");
+            if phase == "Running" {
+                if let Some(name) = &pod.metadata.name {
+                    return Ok(name.clone());
+                }
+            }
+        }
+    }
+
+    // Fallback: try with app= label
+    let label2 = format!("app={deployment}");
+    let lp2 = kube::api::ListParams::default().labels(&label2);
+    let pod_list2 = match pods.list(&lp2).await {
+        Ok(list) => list,
+        Err(_) => {
+            return Err(SunbeamError::kube(format!(
+                "No running pod found for deployment {deployment} in {ns}"
+            )));
+        }
+    };
+
+    for pod in &pod_list2.items {
+        if let Some(status) = &pod.status {
+            let phase = status.phase.as_deref().unwrap_or("");
+            if phase == "Running" {
+                if let Some(name) = &pod.metadata.name {
+                    return Ok(name.clone());
+                }
+            }
+        }
+    }
+
+    Err(SunbeamError::kube(format!(
+        "No running pod found for deployment {deployment} in {ns}"
+    )))
+}
+
+/// Create a mailbox in Messages via kubectl exec into the backend.
+async fn create_mailbox(email: &str, name: &str) {
+    let parts: Vec<&str> = email.splitn(2, '@').collect();
+    if parts.len() != 2 {
+        warn(&format!("Invalid email for mailbox creation: {email}"));
+        return;
+    }
+    let local_part = parts[0];
+    let domain_part = parts[1];
+    let display_name = if name.is_empty() { local_part } else { name };
+    let _ = display_name; // used in Python for future features; kept for parity
+
+    step(&format!("Creating mailbox: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "messages-backend").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find messages-backend pod: {e}"));
+            return;
+        }
+    };
+
+    let script = format!(
+        "mb, created = Mailbox.objects.get_or_create(\n    local_part=\"{}\",\n    domain=MailDomain.objects.get(name=\"{}\"),\n)\nprint(\"created\" if created else \"exists\")\n",
+        local_part, domain_part,
+    );
+
+    let cmd: Vec<&str> = vec!["python", "manage.py", "shell", "-c", &script];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("messages-backend")).await {
+        Ok((0, output)) if output.contains("created") => {
+            ok(&format!("Mailbox {email} created."));
+        }
+        Ok((0, output)) if output.contains("exists") => {
+            ok(&format!("Mailbox {email} already exists."));
+        }
+        Ok((_, output)) => {
+            warn(&format!(
+                "Could not create mailbox (Messages backend may not be running): {output}"
+            ));
+        }
+        Err(e) => {
+            warn(&format!("Could not create mailbox: {e}"));
+        }
+    }
+}
+
+/// Delete a mailbox and associated Django user in Messages.
+async fn delete_mailbox(email: &str) {
+    let parts: Vec<&str> = email.splitn(2, '@').collect();
+    if parts.len() != 2 {
+        warn(&format!("Invalid email for mailbox deletion: {email}"));
+        return;
+    }
+    let local_part = parts[0];
+    let domain_part = parts[1];
+
+    step(&format!("Cleaning up mailbox: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "messages-backend").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find messages-backend pod: {e}"));
+            return;
+        }
+    };
+
+    let script = format!(
+        "from django.contrib.auth import get_user_model\nUser = get_user_model()\ndeleted = 0\nfor mb in Mailbox.objects.filter(local_part=\"{local_part}\", domain__name=\"{domain_part}\"):\n    mb.delete()\n    deleted += 1\ntry:\n    u = User.objects.get(email=\"{email}\")\n    u.delete()\n    deleted += 1\nexcept User.DoesNotExist:\n    pass\nprint(f\"deleted {{deleted}}\")\n",
+    );
+
+    let cmd: Vec<&str> = vec!["python", "manage.py", "shell", "-c", &script];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("messages-backend")).await {
+        Ok((0, output)) if output.contains("deleted") => {
+            ok("Mailbox and user cleaned up.");
+        }
+        Ok((_, output)) => {
+            warn(&format!("Could not clean up mailbox: {output}"));
+        }
+        Err(e) => {
+            warn(&format!("Could not clean up mailbox: {e}"));
+        }
+    }
+}
+
+/// Create a Projects (Planka) user and add them as manager of the Default project.
+async fn setup_projects_user(email: &str, name: &str) {
+    step(&format!("Setting up Projects user: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "projects").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find projects pod: {e}"));
+            return;
+        }
+    };
+
+    let js = format!(
+        "const knex = require('knex')({{client: 'pg', connection: process.env.DATABASE_URL}});\nasync function go() {{\n  let user = await knex('user_account').where({{email: '{email}'}}).first();\n  if (!user) {{\n    const id = Date.now().toString();\n    await knex('user_account').insert({{\n      id, email: '{email}', name: '{name}', password: '',\n      is_admin: true, is_sso: true, language: 'en-US',\n      created_at: new Date(), updated_at: new Date()\n    }});\n    user = {{id}};\n    console.log('user_created');\n  }} else {{\n    console.log('user_exists');\n  }}\n  const project = await knex('project').where({{name: 'Default'}}).first();\n  if (project) {{\n    const exists = await knex('project_manager').where({{project_id: project.id, user_id: user.id}}).first();\n    if (!exists) {{\n      await knex('project_manager').insert({{\n        id: (Date.now()+1).toString(), project_id: project.id,\n        user_id: user.id, created_at: new Date()\n      }});\n      console.log('manager_added');\n    }} else {{\n      console.log('manager_exists');\n    }}\n  }} else {{\n    console.log('no_default_project');\n  }}\n}}\ngo().then(() => process.exit(0)).catch(e => {{ console.error(e.message); process.exit(1); }});\n",
+    );
+
+    let cmd: Vec<&str> = vec!["node", "-e", &js];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("projects")).await {
+        Ok((0, output))
+            if output.contains("manager_added") || output.contains("manager_exists") =>
+        {
+            ok("Projects user ready.");
+        }
+        Ok((0, output)) if output.contains("no_default_project") => {
+            warn("No Default project found in Projects -- skip.");
+        }
+        Ok((_, output)) => {
+            warn(&format!("Could not set up Projects user: {output}"));
+        }
+        Err(e) => {
+            warn(&format!("Could not set up Projects user: {e}"));
+        }
+    }
+}
+
+/// Remove a user from Projects (Planka) -- delete memberships and soft-delete user.
+async fn cleanup_projects_user(email: &str) {
+    step(&format!("Cleaning up Projects user: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "projects").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find projects pod: {e}"));
+            return;
+        }
+    };
+
+    let js = format!(
+        "const knex = require('knex')({{client: 'pg', connection: process.env.DATABASE_URL}});\nasync function go() {{\n  const user = await knex('user_account').where({{email: '{email}'}}).first();\n  if (!user) {{ console.log('not_found'); return; }}\n  await knex('board_membership').where({{user_id: user.id}}).del();\n  await knex('project_manager').where({{user_id: user.id}}).del();\n  await knex('user_account').where({{id: user.id}}).update({{deleted_at: new Date()}});\n  console.log('cleaned');\n}}\ngo().then(() => process.exit(0)).catch(e => {{ console.error(e.message); process.exit(1); }});\n",
+    );
+
+    let cmd: Vec<&str> = vec!["node", "-e", &js];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("projects")).await {
+        Ok((0, output)) if output.contains("cleaned") => {
+            ok("Projects user cleaned up.");
+        }
+        Ok((_, output)) => {
+            warn(&format!("Could not clean up Projects user: {output}"));
+        }
+        Err(e) => {
+            warn(&format!("Could not clean up Projects user: {e}"));
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Onboard
+// ---------------------------------------------------------------------------
+
+/// Send a welcome email via cluster Postfix (port-forward to svc/postfix in lasuite).
+async fn send_welcome_email(
+    domain: &str,
+    email: &str,
+    name: &str,
+    recovery_link: &str,
+    recovery_code: &str,
+    job_title: &str,
+    department: &str,
+) -> Result<()> {
+    let greeting = if name.is_empty() {
+        "Hi".to_string()
+    } else {
+        format!("Hi {name}")
+    };
+
+    let joining_line = if !job_title.is_empty() && !department.is_empty() {
+        format!(
+            " You're joining as {job_title} in the {department} department."
+        )
+    } else {
+        String::new()
+    };
+
+    let body_text = format!(
+        "{greeting},
+
+Welcome to Sunbeam Studios!{joining_line} Your account has been created.
+
+To set your password, open this link and enter the recovery code below:
+
+  Link: {recovery_link}
+  Code: {recovery_code}
+
+This link expires in 24 hours.
+
+Once signed in you will be prompted to set up 2FA (mandatory).
+
+After that, head to https://auth.{domain}/settings to set up your
+profile -- add your name, profile picture, and any other details.
+
+Your services:
+  Calendar:     https://cal.{domain}
+  Drive:        https://drive.{domain}
+  Mail:         https://mail.{domain}
+  Meet:         https://meet.{domain}
+  Projects:     https://projects.{domain}
+  Source Code:  https://src.{domain}
+
+Messages (Matrix):
+  Download Element from https://element.io/download
+  Open Element and sign in with a custom homeserver:
+    Homeserver: https://messages.{domain}
+  Use \"Sign in with Sunbeam Studios\" (SSO) to log in.
+
+-- With Love & Warmth, Sunbeam Studios
+"
+    );
+
+    use lettre::message::Mailbox;
+    use lettre::{Message, SmtpTransport, Transport};
+
+    let from: Mailbox = format!("Sunbeam Studios <noreply@{domain}>")
+        .parse()
+        .map_err(|e| SunbeamError::Other(format!("Invalid from address: {e}")))?;
+    let to: Mailbox = email
+        .parse()
+        .map_err(|e| SunbeamError::Other(format!("Invalid recipient address: {e}")))?;
+
+    let message = Message::builder()
+        .from(from)
+        .to(to)
+        .subject("Welcome to Sunbeam Studios -- Set Your Password")
+        .body(body_text)
+        .ctx("Failed to build email message")?;
+
+    let _pf = PortForward::new("lasuite", "postfix", SMTP_LOCAL_PORT, 25).await?;
+
+    let mailer = SmtpTransport::builder_dangerous("localhost")
+        .port(SMTP_LOCAL_PORT)
+        .build();
+
+    tokio::task::spawn_blocking(move || {
+        mailer
+            .send(&message)
+            .map_err(|e| SunbeamError::Other(format!("Failed to send welcome email via SMTP: {e}")))
+    })
+    .await
+    .map_err(|e| SunbeamError::Other(format!("Email send task panicked: {e}")))??;
+
+    ok(&format!("Welcome email sent to {email}"));
+    Ok(())
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn cmd_user_onboard(
+    email: &str,
+    name: &str,
+    schema_id: &str,
+    send_email: bool,
+    notify: &str,
+    job_title: &str,
+    department: &str,
+    office_location: &str,
+    hire_date: &str,
+    manager: &str,
+) -> Result<()> {
+    step(&format!("Onboarding: {email}"));
+
+    let pf = PortForward::kratos().await?;
+
+    let (iid, recovery_link, recovery_code, is_new) = {
+        let existing = find_identity(&pf.base_url, email, false).await?;
+
+        if let Some(existing) = existing {
+            let iid = identity_id(&existing)?;
+            warn(&format!("Identity already exists: {}...", short_id(&iid)));
+            step("Generating fresh recovery link...");
+            let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+            (iid, link, code, false)
+        } else {
+            let mut traits = serde_json::json!({ "email": email });
+            if !name.is_empty() {
+                let parts: Vec<&str> = name.splitn(2, ' ').collect();
+                traits["given_name"] = Value::String(parts[0].to_string());
+                traits["family_name"] =
+                    Value::String(if parts.len() > 1 { parts[1] } else { "" }.to_string());
+            }
+
+            let mut employee_id = String::new();
+            if schema_id == "employee" {
+                employee_id = next_employee_id(&pf.base_url).await?;
+                traits["employee_id"] = Value::String(employee_id.clone());
+                if !job_title.is_empty() {
+                    traits["job_title"] = Value::String(job_title.to_string());
+                }
+                if !department.is_empty() {
+                    traits["department"] = Value::String(department.to_string());
+                }
+                if !office_location.is_empty() {
+                    traits["office_location"] = Value::String(office_location.to_string());
+                }
+                if !hire_date.is_empty() {
+                    traits["hire_date"] = Value::String(hire_date.to_string());
+                }
+                if !manager.is_empty() {
+                    traits["manager"] = Value::String(manager.to_string());
+                }
+            }
+
+            let body = serde_json::json!({
+                "schema_id": schema_id,
+                "traits": traits,
+                "state": "active",
+                "verifiable_addresses": [{
+                    "value": email,
+                    "verified": true,
+                    "via": "email",
+                }],
+            });
+
+            let identity = kratos_api(&pf.base_url, "/identities", "POST", Some(&body), &[])
+                .await?
+                .ok_or_else(|| SunbeamError::identity("Failed to create identity"))?;
+
+            let iid = identity_id(&identity)?;
+            ok(&format!("Created identity: {iid}"));
+            if !employee_id.is_empty() {
+                ok(&format!("Employee #{employee_id}"));
+            }
+
+            // Kratos ignores verifiable_addresses on POST -- PATCH to mark verified
+            let patch_body = serde_json::json!([
+                {"op": "replace", "path": "/verifiable_addresses/0/verified", "value": true},
+                {"op": "replace", "path": "/verifiable_addresses/0/status", "value": "completed"},
+            ]);
+            kratos_api(
+                &pf.base_url,
+                &format!("/identities/{iid}"),
+                "PATCH",
+                Some(&patch_body),
+                &[],
+            )
+            .await?;
+
+            let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+            (iid, link, code, true)
+        }
+    };
+
+    drop(pf);
+
+    // Provision app-level accounts for new users
+    if is_new {
+        create_mailbox(email, name).await;
+        setup_projects_user(email, name).await;
+    }
+
+    if send_email {
+        let domain = crate::kube::get_domain().await?;
+        let recipient = if notify.is_empty() { email } else { notify };
+        send_welcome_email(
+            &domain, recipient, name, &recovery_link, &recovery_code,
+            job_title, department,
+        )
+        .await?;
+    }
+
+    ok(&format!("Identity ID: {iid}"));
+    ok("Recovery link (valid 24h):");
+    println!("{recovery_link}");
+    ok("Recovery code:");
+    println!("{recovery_code}");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Offboard
+// ---------------------------------------------------------------------------
+
+pub async fn cmd_user_offboard(target: &str) -> Result<()> {
+    step(&format!("Offboarding: {target}"));
+
+    eprint!("Offboard '{target}'? This will disable the account and revoke all sessions. [y/N] ");
+    std::io::stderr().flush()?;
+    let mut answer = String::new();
+    std::io::stdin().read_line(&mut answer)?;
+    if answer.trim().to_lowercase() != "y" {
+        ok("Cancelled.");
+        return Ok(());
+    }
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    step("Disabling identity...");
+    let put_body = identity_put_body(&identity, Some("inactive"), None);
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    ok(&format!("Identity {}... disabled.", short_id(&iid)));
+
+    step("Revoking Kratos sessions...");
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}/sessions"),
+        "DELETE",
+        None,
+        &[404],
+    )
+    .await?;
+    ok("Kratos sessions revoked.");
+
+    step("Revoking Hydra consent sessions...");
+    {
+        let hydra_pf = PortForward::new("ory", "hydra-admin", 14445, 4445).await?;
+        api(
+            &hydra_pf.base_url,
+            &format!("/oauth2/auth/sessions/consent?subject={iid}&all=true"),
+            "DELETE",
+            None,
+            "/admin",
+            &[404],
+        )
+        .await?;
+    }
+    ok("Hydra consent sessions revoked.");
+
+    drop(pf);
+
+    // Clean up Messages mailbox and Projects user
+    let email = identity
+        .get("traits")
+        .and_then(|t| t.get("email"))
+        .and_then(|v| v.as_str())
+        .unwrap_or("");
+    if !email.is_empty() {
+        delete_mailbox(email).await;
+        cleanup_projects_user(email).await;
+    }
+
+    ok(&format!("Offboarding complete for {}...", short_id(&iid)));
+    warn("Existing access tokens expire within ~1h (Hydra TTL).");
+    warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE (~1h).");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_display_name_employee_schema() {
+        let traits = serde_json::json!({
+            "email": "test@example.com",
+            "given_name": "Alice",
+            "family_name": "Smith",
+        });
+        assert_eq!(display_name(&traits), "Alice Smith");
+    }
+
+    #[test]
+    fn test_display_name_default_schema() {
+        let traits = serde_json::json!({
+            "email": "test@example.com",
+            "name": { "first": "Bob", "last": "Jones" },
+        });
+        assert_eq!(display_name(&traits), "Bob Jones");
+    }
+
+    #[test]
+    fn test_display_name_empty() {
+        let traits = serde_json::json!({ "email": "test@example.com" });
+        assert_eq!(display_name(&traits), "");
+    }
+
+    #[test]
+    fn test_display_name_given_only() {
+        let traits = serde_json::json!({
+            "given_name": "Alice",
+        });
+        assert_eq!(display_name(&traits), "Alice");
+    }
+
+    #[test]
+    fn test_short_id() {
+        assert_eq!(
+            short_id("12345678-abcd-1234-abcd-123456789012"),
+            "12345678..."
+        );
+    }
+
+    #[test]
+    fn test_short_id_short() {
+        assert_eq!(short_id("abc"), "abc");
+    }
+
+    #[test]
+    fn test_identity_put_body_preserves_fields() {
+        let identity = serde_json::json!({
+            "schema_id": "employee",
+            "traits": { "email": "a@b.com" },
+            "state": "active",
+            "metadata_public": null,
+            "metadata_admin": null,
+        });
+
+        let body = identity_put_body(&identity, Some("inactive"), None);
+        assert_eq!(body["state"], "inactive");
+        assert_eq!(body["schema_id"], "employee");
+        assert_eq!(body["traits"]["email"], "a@b.com");
+    }
+
+    #[test]
+    fn test_identity_put_body_with_extra() {
+        let identity = serde_json::json!({
+            "schema_id": "default",
+            "traits": { "email": "a@b.com" },
+            "state": "active",
+        });
+
+        let extra = serde_json::json!({
+            "credentials": {
+                "password": { "config": { "password": "s3cret" } }
+            }
+        });
+        let body = identity_put_body(&identity, None, Some(extra));
+        assert_eq!(body["state"], "active");
+        assert!(body["credentials"]["password"]["config"]["password"] == "s3cret");
+    }
+
+    #[test]
+    fn test_identity_put_body_default_state() {
+        let identity = serde_json::json!({
+            "schema_id": "default",
+            "traits": {},
+            "state": "inactive",
+        });
+        let body = identity_put_body(&identity, None, None);
+        assert_eq!(body["state"], "inactive");
+    }
+
+    #[test]
+    fn test_identity_id_extraction() {
+        let identity = serde_json::json!({ "id": "12345678-abcd-1234-abcd-123456789012" });
+        assert_eq!(
+            identity_id(&identity).unwrap(),
+            "12345678-abcd-1234-abcd-123456789012"
+        );
+    }
+
+    #[test]
+    fn test_identity_id_missing() {
+        let identity = serde_json::json!({});
+        assert!(identity_id(&identity).is_err());
+    }
+}
diff --git a/sunbeam-sdk/Cargo.toml b/sunbeam-sdk/Cargo.toml
new file mode 100644
index 0000000..9c99747
--- /dev/null
+++ b/sunbeam-sdk/Cargo.toml
@@ -0,0 +1,65 @@
+[package]
+name = "sunbeam-sdk"
+version = "0.1.0"
+edition = "2024"
+description = "Sunbeam SDK — reusable library for cluster management"
+
+[features]
+default = []
+cli = ["clap"]
+
+[dependencies]
+# Core
+thiserror = "2"
+tokio = { version = "1", features = ["full"] }
+clap = { version = "4", features = ["derive"], optional = true }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+serde_yaml = "0.9"
+tracing = "0.1"
+
+# Kubernetes
+kube = { version = "0.99", features = ["client", "runtime", "derive", "ws"] }
+k8s-openapi = { version = "0.24", features = ["v1_32"] }
+
+# HTTP + TLS
+reqwest = { version = "0.12", features = ["json", "rustls-tls", "blocking"] }
+
+# SSH
+russh = "0.46"
+russh-keys = "0.46"
+
+# Crypto
+rsa = "0.9"
+pkcs8 = { version = "0.10", features = ["pem"] }
+pkcs1 = { version = "0.7", features = ["pem"] }
+sha2 = "0.10"
+hmac = "0.12"
+base64 = "0.22"
+rand = "0.8"
+
+# Certificate generation
+rcgen = "0.14"
+
+# SMTP
+lettre = { version = "0.11", default-features = false, features = ["smtp-transport", "tokio1-rustls-tls", "builder", "hostname"] }
+
+# Archive handling
+flate2 = "1"
+tar = "0.4"
+
+# Async
+futures = "0.3"
+tokio-stream = "0.1"
+
+# Utility
+tempfile = "3"
+dirs = "5"
+chrono = { version = "0.4", features = ["serde"] }
+
+[build-dependencies]
+reqwest = { version = "0.12", features = ["blocking", "rustls-tls"] }
+sha2 = "0.10"
+flate2 = "1"
+tar = "0.4"
+chrono = "0.4"
diff --git a/sunbeam-sdk/build.rs b/sunbeam-sdk/build.rs
new file mode 100644
index 0000000..3bfd1d2
--- /dev/null
+++ b/sunbeam-sdk/build.rs
@@ -0,0 +1,132 @@
+use flate2::read::GzDecoder;
+use std::env;
+use std::fs;
+use std::io::Read;
+use std::path::PathBuf;
+use std::process::Command;
+use tar::Archive;
+
+const KUSTOMIZE_VERSION: &str = "v5.8.1";
+const HELM_VERSION: &str = "v4.1.0";
+
+fn main() {
+    let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
+    let target = env::var("TARGET").unwrap_or_default();
+    let (os, arch) = parse_target(&target);
+
+    download_and_embed("kustomize", KUSTOMIZE_VERSION, &os, &arch, &out_dir);
+    download_and_embed("helm", HELM_VERSION, &os, &arch, &out_dir);
+
+    // Set version info from git
+    let commit = git_commit_sha();
+    println!("cargo:rustc-env=SUNBEAM_COMMIT={commit}");
+
+    // Build target triple and build date
+    println!("cargo:rustc-env=SUNBEAM_TARGET={target}");
+    let date = chrono::Utc::now().format("%Y-%m-%d").to_string();
+    println!("cargo:rustc-env=SUNBEAM_BUILD_DATE={date}");
+
+    // Rebuild if git HEAD changes (workspace root is two levels up)
+    println!("cargo:rerun-if-changed=../../.git/HEAD");
+}
+
+fn parse_target(target: &str) -> (String, String) {
+    let os = if target.contains("darwin") {
+        "darwin"
+    } else if target.contains("linux") {
+        "linux"
+    } else if cfg!(target_os = "macos") {
+        "darwin"
+    } else {
+        "linux"
+    };
+
+    let arch = if target.contains("aarch64") || target.contains("arm64") {
+        "arm64"
+    } else if target.contains("x86_64") || target.contains("amd64") {
+        "amd64"
+    } else if cfg!(target_arch = "aarch64") {
+        "arm64"
+    } else {
+        "amd64"
+    };
+
+    (os.to_string(), arch.to_string())
+}
+
+fn download_and_embed(tool: &str, version: &str, os: &str, arch: &str, out_dir: &PathBuf) {
+    let dest = out_dir.join(tool);
+    if dest.exists() {
+        return;
+    }
+
+    let url = match tool {
+        "kustomize" => format!(
+            "https://github.com/kubernetes-sigs/kustomize/releases/download/\
+             kustomize%2F{version}/kustomize_{version}_{os}_{arch}.tar.gz"
+        ),
+        "helm" => format!(
+            "https://get.helm.sh/helm-{version}-{os}-{arch}.tar.gz"
+        ),
+        _ => panic!("Unknown tool: {tool}"),
+    };
+
+    let extract_path = match tool {
+        "kustomize" => "kustomize".to_string(),
+        "helm" => format!("{os}-{arch}/helm"),
+        _ => unreachable!(),
+    };
+
+    eprintln!("cargo:warning=Downloading {tool} {version} for {os}/{arch}...");
+
+    let response = reqwest::blocking::get(&url)
+        .unwrap_or_else(|e| panic!("Failed to download {tool}: {e}"));
+    let bytes = response
+        .bytes()
+        .unwrap_or_else(|e| panic!("Failed to read {tool} response: {e}"));
+
+    let decoder = GzDecoder::new(&bytes[..]);
+    let mut archive = Archive::new(decoder);
+
+    for entry in archive.entries().expect("Failed to read tar entries") {
+        let mut entry = entry.expect("Failed to read tar entry");
+        let path = entry
+            .path()
+            .expect("Failed to read entry path")
+            .to_path_buf();
+        if path.to_string_lossy() == extract_path {
+            let mut data = Vec::new();
+            entry
+                .read_to_end(&mut data)
+                .expect("Failed to read binary");
+            fs::write(&dest, &data).expect("Failed to write binary");
+
+            #[cfg(unix)]
+            {
+                use std::os::unix::fs::PermissionsExt;
+                fs::set_permissions(&dest, fs::Permissions::from_mode(0o755))
+                    .expect("Failed to set permissions");
+            }
+
+            eprintln!("cargo:warning=Embedded {tool} ({} bytes)", data.len());
+            return;
+        }
+    }
+
+    panic!("Could not find {extract_path} in {tool} archive");
+}
+
+fn git_commit_sha() -> String {
+    Command::new("git")
+        .args(["rev-parse", "--short=8", "HEAD"])
+        .output()
+        .ok()
+        .and_then(|o| {
+            if o.status.success() {
+                Some(String::from_utf8_lossy(&o.stdout).trim().to_string())
+            } else {
+                None
+            }
+        })
+        .unwrap_or_else(|| "unknown".to_string())
+}
diff --git a/sunbeam-sdk/src/auth/mod.rs b/sunbeam-sdk/src/auth/mod.rs
new file mode 100644
index 0000000..3b334e6
--- /dev/null
+++ b/sunbeam-sdk/src/auth/mod.rs
@@ -0,0 +1,952 @@
+//! OAuth2 Authorization Code flow with PKCE for CLI authentication against Hydra.
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use base64::Engine;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use std::path::PathBuf;
+
+// ---------------------------------------------------------------------------
+// Token cache data
+// ---------------------------------------------------------------------------
+
+/// Cached OAuth2 tokens persisted to disk.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthTokens {
+    pub access_token: String,
+    pub refresh_token: String,
+    pub expires_at: DateTime<Utc>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub id_token: Option<String>,
+    pub domain: String,
+    /// Gitea personal access token (created during auth login).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub gitea_token: Option<String>,
+}
+
+/// Default client ID when the K8s secret is unavailable.
+const DEFAULT_CLIENT_ID: &str = "sunbeam-cli";
+
+// ---------------------------------------------------------------------------
+// Cache file helpers
+// ---------------------------------------------------------------------------
+
+/// Cache path for auth tokens — per-domain so multiple environments work.
+fn cache_path_for_domain(domain: &str) -> PathBuf {
+    let dir = dirs::data_dir()
+        .unwrap_or_else(|| {
+            dirs::home_dir()
+                .unwrap_or_else(|| PathBuf::from("."))
+                .join(".local/share")
+        })
+        .join("sunbeam")
+        .join("auth");
+    if domain.is_empty() {
+        dir.join("default.json")
+    } else {
+        // Sanitize domain for filename
+        let safe = domain.replace(['/', '\\', ':'], "_");
+        dir.join(format!("{safe}.json"))
+    }
+}
+
+fn cache_path() -> PathBuf {
+    let domain = crate::config::domain();
+    cache_path_for_domain(domain)
+}
+
+fn read_cache() -> Result<AuthTokens> {
+    let path = cache_path();
+    let content = std::fs::read_to_string(&path).map_err(|e| {
+        SunbeamError::Identity(format!("No cached auth tokens ({}): {e}", path.display()))
+    })?;
+    let tokens: AuthTokens = serde_json::from_str(&content)
+        .ctx("Failed to parse cached auth tokens")?;
+    Ok(tokens)
+}
+
+fn write_cache(tokens: &AuthTokens) -> Result<()> {
+    let path = cache_path();
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent)
+            .with_ctx(|| format!("Failed to create auth cache dir: {}", parent.display()))?;
+    }
+    let content = serde_json::to_string_pretty(tokens)?;
+    std::fs::write(&path, &content)
+        .with_ctx(|| format!("Failed to write auth cache to {}", path.display()))?;
+
+    // Set 0600 permissions on unix
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        let perms = std::fs::Permissions::from_mode(0o600);
+        std::fs::set_permissions(&path, perms)
+            .with_ctx(|| format!("Failed to set permissions on {}", path.display()))?;
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// PKCE
+// ---------------------------------------------------------------------------
+
+/// Generate a PKCE code_verifier and code_challenge (S256).
+fn generate_pkce() -> (String, String) {
+    let verifier_bytes: [u8; 32] = rand::random();
+    let verifier = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(verifier_bytes);
+    let challenge = {
+        let hash = Sha256::digest(verifier.as_bytes());
+        base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(hash)
+    };
+    (verifier, challenge)
+}
+
+/// Generate a random state parameter for OAuth2.
+fn generate_state() -> String {
+    let bytes: [u8; 16] = rand::random();
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+}
+
+// ---------------------------------------------------------------------------
+// OIDC discovery
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+struct OidcDiscovery {
+    authorization_endpoint: String,
+    token_endpoint: String,
+}
+
+/// Resolve the domain for authentication, trying multiple sources.
+async fn resolve_domain(explicit: Option<&str>) -> Result<String> {
+    // 1. Explicit --domain flag
+    if let Some(d) = explicit {
+        if !d.is_empty() {
+            return Ok(d.to_string());
+        }
+    }
+
+    // 2. Active context domain (set by cli::dispatch from config)
+    let ctx_domain = crate::config::domain();
+    if !ctx_domain.is_empty() {
+        return Ok(ctx_domain.to_string());
+    }
+
+    // 3. Cached token domain (already logged in)
+    if let Ok(tokens) = read_cache() {
+        if !tokens.domain.is_empty() {
+            crate::output::ok(&format!("Using cached domain: {}", tokens.domain));
+            return Ok(tokens.domain);
+        }
+    }
+
+    // 4. Try cluster discovery (may fail if not connected)
+    match crate::kube::get_domain().await {
+        Ok(d) if !d.is_empty() && !d.starts_with('.') => return Ok(d),
+        _ => {}
+    }
+
+    Err(SunbeamError::config(
+        "Could not determine domain. Use --domain flag, or configure with:\n  \
+         sunbeam config set --host user@your-server.example.com",
+    ))
+}
+
+async fn discover_oidc(domain: &str) -> Result<OidcDiscovery> {
+    let url = format!("https://auth.{domain}/.well-known/openid-configuration");
+    let client = reqwest::Client::new();
+    let resp = client
+        .get(&url)
+        .send()
+        .await
+        .with_ctx(|| format!("Failed to fetch OIDC discovery from {url}"))?;
+
+    if !resp.status().is_success() {
+        return Err(SunbeamError::network(format!(
+            "OIDC discovery returned HTTP {}",
+            resp.status()
+        )));
+    }
+
+    let discovery: OidcDiscovery = resp
+        .json()
+        .await
+        .ctx("Failed to parse OIDC discovery response")?;
+    Ok(discovery)
+}
+
+// ---------------------------------------------------------------------------
+// Token exchange / refresh
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+struct TokenResponse {
+    access_token: String,
+    #[serde(default)]
+    refresh_token: Option<String>,
+    #[serde(default)]
+    expires_in: Option<i64>,
+    #[serde(default)]
+    id_token: Option<String>,
+}
+
+async fn exchange_code(
+    token_endpoint: &str,
+    code: &str,
+    redirect_uri: &str,
+    client_id: &str,
+    code_verifier: &str,
+) -> Result<TokenResponse> {
+    let client = reqwest::Client::new();
+    let resp = client
+        .post(token_endpoint)
+        .form(&[
+            ("grant_type", "authorization_code"),
+            ("code", code),
+            ("redirect_uri", redirect_uri),
+            ("client_id", client_id),
+            ("code_verifier", code_verifier),
+        ])
+        .send()
+        .await
+        .ctx("Failed to exchange authorization code")?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(SunbeamError::identity(format!(
+            "Token exchange failed (HTTP {status}): {body}"
+        )));
+    }
+
+    let token_resp: TokenResponse = resp.json().await.ctx("Failed to parse token response")?;
+    Ok(token_resp)
+}
+
+/// Refresh an access token using a refresh token.
+async fn refresh_token(cached: &AuthTokens) -> Result<AuthTokens> {
+    let discovery = discover_oidc(&cached.domain).await?;
+
+    // Try to get client_id from K8s, fall back to default
+    let client_id = resolve_client_id().await;
+
+    let client = reqwest::Client::new();
+    let resp = client
+        .post(&discovery.token_endpoint)
+        .form(&[
+            ("grant_type", "refresh_token"),
+            ("refresh_token", &cached.refresh_token),
+            ("client_id", &client_id),
+        ])
+        .send()
+        .await
+        .ctx("Failed to refresh token")?;
+
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body = resp.text().await.unwrap_or_default();
+        return Err(SunbeamError::identity(format!(
+            "Token refresh failed (HTTP {status}): {body}"
+        )));
+    }
+
+    let token_resp: TokenResponse = resp
+        .json()
+        .await
+        .ctx("Failed to parse refresh token response")?;
+
+    let expires_at = Utc::now()
+        + chrono::Duration::seconds(token_resp.expires_in.unwrap_or(3600));
+
+    let new_tokens = AuthTokens {
+        access_token: token_resp.access_token,
+        refresh_token: token_resp
+            .refresh_token
+            .unwrap_or_else(|| cached.refresh_token.clone()),
+        expires_at,
+        id_token: token_resp.id_token.or_else(|| cached.id_token.clone()),
+        domain: cached.domain.clone(),
+        gitea_token: cached.gitea_token.clone(),
+    };
+
+    write_cache(&new_tokens)?;
+    Ok(new_tokens)
+}
+
+// ---------------------------------------------------------------------------
+// Client ID resolution
+// ---------------------------------------------------------------------------
+
+/// Try to read the client_id from K8s secret `oidc-sunbeam-cli` in `ory` namespace.
+/// Falls back to the default client ID.
+async fn resolve_client_id() -> String {
+    // The OAuth2Client is pre-created with a known client_id matching
+    // DEFAULT_CLIENT_ID ("sunbeam-cli") via a pre-seeded K8s secret.
+    // No cluster access needed.
+    DEFAULT_CLIENT_ID.to_string()
+}
+
+// ---------------------------------------------------------------------------
+// JWT payload decoding (minimal, no verification)
+// ---------------------------------------------------------------------------
+
+/// Decode the payload of a JWT (middle segment) without verification.
+/// Returns the parsed JSON value.
+fn decode_jwt_payload(token: &str) -> Result<serde_json::Value> {
+    let parts: Vec<&str> = token.splitn(3, '.').collect();
+    if parts.len() < 2 {
+        return Err(SunbeamError::identity("Invalid JWT: not enough segments"));
+    }
+    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD
+        .decode(parts[1])
+        .ctx("Failed to base64-decode JWT payload")?;
+    let payload: serde_json::Value =
+        serde_json::from_slice(&payload_bytes).ctx("Failed to parse JWT payload as JSON")?;
+    Ok(payload)
+}
+
+/// Extract the email claim from an id_token.
+fn extract_email(id_token: &str) -> Option<String> {
+    let payload = decode_jwt_payload(id_token).ok()?;
+    payload
+        .get("email")
+        .and_then(|v| v.as_str())
+        .map(|s| s.to_string())
+}
+
+// ---------------------------------------------------------------------------
+// HTTP callback server
+// ---------------------------------------------------------------------------
+
+/// Parsed callback parameters from the OAuth2 redirect.
+struct CallbackParams {
+    code: String,
+    #[allow(dead_code)]
+    state: String,
+}
+
+/// Bind a TCP listener for the OAuth2 callback, preferring ports 9876-9880.
+async fn bind_callback_listener() -> Result<(tokio::net::TcpListener, u16)> {
+    for port in 9876..=9880 {
+        if let Ok(listener) = tokio::net::TcpListener::bind(("127.0.0.1", port)).await {
+            return Ok((listener, port));
+        }
+    }
+    // Fall back to ephemeral port
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0")
+        .await
+        .ctx("Failed to bind callback listener")?;
+    let port = listener.local_addr().ctx("No local address")?.port();
+    Ok((listener, port))
+}
+
+/// Wait for a single HTTP callback request, extract code and state, send HTML response.
+async fn wait_for_callback(
+    listener: tokio::net::TcpListener,
+    expected_state: &str,
+    redirect_url: Option<&str>,
+) -> Result<CallbackParams> {
+    use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+    // Wait up to 5 minutes for the callback, or until Ctrl+C
+    let accept_result = tokio::time::timeout(
+        std::time::Duration::from_secs(300),
+        listener.accept(),
+    )
+    .await
+    .map_err(|_| SunbeamError::identity("Login timed out (5 min). Try again with `sunbeam auth login`."))?;
+
+    let (mut stream, _) = accept_result.ctx("Failed to accept callback connection")?;
+
+    let mut buf = vec![0u8; 4096];
+    let n = stream
+        .read(&mut buf)
+        .await
+        .ctx("Failed to read callback request")?;
+    let request = String::from_utf8_lossy(&buf[..n]);
+
+    // Parse the GET request line: "GET /callback?code=...&state=... HTTP/1.1"
+    let request_line = request
+        .lines()
+        .next()
+        .ctx("Empty callback request")?;
+
+    let path = request_line
+        .split_whitespace()
+        .nth(1)
+        .ctx("No path in callback request")?;
+
+    // Parse query params
+    let query = path
+        .split('?')
+        .nth(1)
+        .ctx("No query params in callback")?;
+
+    let mut code = None;
+    let mut state = None;
+
+    for param in query.split('&') {
+        let mut kv = param.splitn(2, '=');
+        match (kv.next(), kv.next()) {
+            (Some("code"), Some(v)) => code = Some(v.to_string()),
+            (Some("state"), Some(v)) => state = Some(v.to_string()),
+            _ => {}
+        }
+    }
+
+    let code = code.ok_or_else(|| SunbeamError::identity("No 'code' in callback"))?;
+    let state = state.ok_or_else(|| SunbeamError::identity("No 'state' in callback"))?;
+
+    if state != expected_state {
+        return Err(SunbeamError::identity(
+            "OAuth2 state mismatch -- possible CSRF attack",
+        ));
+    }
+
+    // Send success response — redirect to next step if provided, otherwise show done page
+    let response = if let Some(next_url) = redirect_url {
+        let html = format!(
+            "<!DOCTYPE html><html><head>\
+             <meta http-equiv='refresh' content='1;url={next_url}'>\
+             <style>\
+             body{{font-family:system-ui,sans-serif;display:flex;justify-content:center;\
+             align-items:center;min-height:100vh;margin:0;background:#1a1f2e;color:#e8e6e3}}\
+             .card{{text-align:center;padding:3rem;border:1px solid #334;border-radius:1rem}}\
+             h2{{margin:0 0 1rem}}p{{color:#9ca3af}}a{{color:#d97706}}\
+             </style></head><body><div class='card'>\
+             <h2>SSO login successful</h2>\
+             <p>Redirecting to Gitea token setup...</p>\
+             <p><a href='{next_url}'>Click here if not redirected</a></p>\
+             </div></body></html>"
+        );
+        format!(
+            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+            html.len(),
+            html
+        )
+    } else {
+        let html = "\
+             <!DOCTYPE html><html><head><style>\
+             body{font-family:system-ui,sans-serif;display:flex;justify-content:center;\
+             align-items:center;min-height:100vh;margin:0;background:#1a1f2e;color:#e8e6e3}\
+             .card{text-align:center;padding:3rem;border:1px solid #334;border-radius:1rem}\
+             h2{margin:0 0 1rem}p{color:#9ca3af}\
+             </style></head><body><div class='card'>\
+             <h2>Authentication successful</h2>\
+             <p>You can close this tab and return to the terminal.</p>\
+             </div></body></html>";
+        format!(
+            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+            html.len(),
+            html
+        )
+    };
+    let _ = stream.write_all(response.as_bytes()).await;
+    let _ = stream.shutdown().await;
+
+    Ok(CallbackParams { code, state })
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/// Get a valid access token, refreshing if needed.
+///
+/// Returns the access token string ready for use in Authorization headers.
+/// If no cached token exists or refresh fails, returns an error prompting
+/// the user to run `sunbeam auth login`.
+pub async fn get_token() -> Result<String> {
+    let cached = match read_cache() {
+        Ok(tokens) => tokens,
+        Err(_) => {
+            return Err(SunbeamError::identity(
+                "Not logged in. Run `sunbeam auth login` to authenticate.",
+            ));
+        }
+    };
+
+    // Check if access token is still valid (>60s remaining)
+    let now = Utc::now();
+    if cached.expires_at > now + chrono::Duration::seconds(60) {
+        return Ok(cached.access_token);
+    }
+
+    // Try to refresh
+    if !cached.refresh_token.is_empty() {
+        match refresh_token(&cached).await {
+            Ok(new_tokens) => return Ok(new_tokens.access_token),
+            Err(e) => {
+                crate::output::warn(&format!("Token refresh failed: {e}"));
+            }
+        }
+    }
+
+    Err(SunbeamError::identity(
+        "Session expired. Run `sunbeam auth login` to re-authenticate.",
+    ))
+}
+
+/// Interactive browser-based OAuth2 login.
+/// SSO login — Hydra OIDC authorization code flow with PKCE.
+/// `gitea_redirect`: if Some, the browser callback page auto-redirects to Gitea token page.
+pub async fn cmd_auth_sso_login_with_redirect(
+    domain_override: Option<&str>,
+    gitea_redirect: Option<&str>,
+) -> Result<()> {
+    crate::output::step("Authenticating with Hydra");
+
+    // Resolve domain: explicit flag > cached token domain > config > cluster discovery
+    let domain = resolve_domain(domain_override).await?;
+
+    crate::output::ok(&format!("Domain: {domain}"));
+
+    // OIDC discovery
+    let discovery = discover_oidc(&domain).await?;
+
+    // Resolve client_id
+    let client_id = resolve_client_id().await;
+
+    // Generate PKCE
+    let (code_verifier, code_challenge) = generate_pkce();
+
+    // Generate state
+    let state = generate_state();
+
+    // Bind callback listener
+    let (listener, port) = bind_callback_listener().await?;
+    let redirect_uri = format!("http://localhost:{port}/callback");
+
+    // Build authorization URL
+    let auth_url = format!(
+        "{}?client_id={}&redirect_uri={}&response_type=code&scope={}&code_challenge={}&code_challenge_method=S256&state={}",
+        discovery.authorization_endpoint,
+        urlencoding(&client_id),
+        urlencoding(&redirect_uri),
+        "openid%20email%20profile%20offline_access",
+        code_challenge,
+        state,
+    );
+
+    crate::output::ok("Opening browser for login...");
+    println!("\n    {auth_url}\n");
+
+    // Try to open the browser
+    let _open_result = open_browser(&auth_url);
+
+    // Wait for callback
+    crate::output::ok("Waiting for authentication callback...");
+    let callback = wait_for_callback(listener, &state, gitea_redirect).await?;
+
+    // Exchange code for tokens
+    crate::output::ok("Exchanging authorization code for tokens...");
+    let token_resp = exchange_code(
+        &discovery.token_endpoint,
+        &callback.code,
+        &redirect_uri,
+        &client_id,
+        &code_verifier,
+    )
+    .await?;
+
+    let expires_at = Utc::now()
+        + chrono::Duration::seconds(token_resp.expires_in.unwrap_or(3600));
+
+    let tokens = AuthTokens {
+        access_token: token_resp.access_token,
+        refresh_token: token_resp.refresh_token.unwrap_or_default(),
+        expires_at,
+        id_token: token_resp.id_token.clone(),
+        domain: domain.clone(),
+        gitea_token: None,
+    };
+
+    // Print success with email if available
+    let email = tokens
+        .id_token
+        .as_ref()
+        .and_then(|t| extract_email(t));
+    if let Some(ref email) = email {
+        crate::output::ok(&format!("Logged in as {email}"));
+    } else {
+        crate::output::ok("Logged in successfully");
+    }
+
+    write_cache(&tokens)?;
+    Ok(())
+}
+
+/// SSO login — standalone (no redirect after callback).
+pub async fn cmd_auth_sso_login(domain_override: Option<&str>) -> Result<()> {
+    cmd_auth_sso_login_with_redirect(domain_override, None).await
+}
+
+/// Gitea token login — opens the PAT creation page and prompts for the token.
+pub async fn cmd_auth_git_login(domain_override: Option<&str>) -> Result<()> {
+    crate::output::step("Setting up Gitea API access");
+
+    let domain = resolve_domain(domain_override).await?;
+    let url = format!("https://src.{domain}/user/settings/applications");
+
+    crate::output::ok("Opening Gitea token page in your browser...");
+    crate::output::ok("Create a token with all scopes selected, then paste it below.");
+    println!("\n    {url}\n");
+
+    let _ = open_browser(&url);
+
+    // Prompt for the token
+    eprint!("    Gitea token: ");
+    let mut token = String::new();
+    std::io::stdin()
+        .read_line(&mut token)
+        .ctx("Failed to read token from stdin")?;
+    let token = token.trim().to_string();
+
+    if token.is_empty() {
+        return Err(SunbeamError::identity("No token provided."));
+    }
+
+    // Verify the token works
+    let client = reqwest::Client::new();
+    let resp = client
+        .get(format!("https://src.{domain}/api/v1/user"))
+        .header("Authorization", format!("token {token}"))
+        .send()
+        .await
+        .ctx("Failed to verify Gitea token")?;
+
+    if !resp.status().is_success() {
+        return Err(SunbeamError::identity(format!(
+            "Gitea token is invalid (HTTP {}). Check the token and try again.",
+            resp.status()
+        )));
+    }
+
+    let user: serde_json::Value = resp.json().await?;
+    let login = user
+        .get("login")
+        .and_then(|v| v.as_str())
+        .unwrap_or("unknown");
+
+    // Save to cache
+    let mut tokens = read_cache().unwrap_or_else(|_| AuthTokens {
+        access_token: String::new(),
+        refresh_token: String::new(),
+        expires_at: Utc::now(),
+        id_token: None,
+        domain: domain.clone(),
+        gitea_token: None,
+    });
+    tokens.gitea_token = Some(token);
+    if tokens.domain.is_empty() {
+        tokens.domain = domain;
+    }
+    write_cache(&tokens)?;
+
+    crate::output::ok(&format!("Gitea authenticated as {login}"));
+    Ok(())
+}
+
+/// Combined login — SSO first, then Gitea.
+pub async fn cmd_auth_login_all(domain_override: Option<&str>) -> Result<()> {
+    // Resolve domain early so we can build the Gitea redirect URL
+    let domain = resolve_domain(domain_override).await?;
+    let gitea_url = format!("https://src.{domain}/user/settings/applications");
+    cmd_auth_sso_login_with_redirect(Some(&domain), Some(&gitea_url)).await?;
+    cmd_auth_git_login(Some(&domain)).await?;
+    Ok(())
+}
+
+/// Get the Gitea API token (for use by pm.rs).
+pub fn get_gitea_token() -> Result<String> {
+    let tokens = read_cache().map_err(|_| {
+        SunbeamError::identity("Not logged in. Run `sunbeam auth login` first.")
+    })?;
+    tokens.gitea_token.ok_or_else(|| {
+        SunbeamError::identity(
+            "No Gitea token. Run `sunbeam auth login` or `sunbeam auth set-gitea-token <token>`.",
+        )
+    })
+}
+
+/// Remove cached auth tokens.
+pub async fn cmd_auth_logout() -> Result<()> {
+    let path = cache_path();
+    if path.exists() {
+        std::fs::remove_file(&path)
+            .with_ctx(|| format!("Failed to remove {}", path.display()))?;
+        crate::output::ok("Logged out (cached tokens removed)");
+    } else {
+        crate::output::ok("Not logged in (no cached tokens to remove)");
+    }
+    Ok(())
+}
+
+/// Print current auth status.
+pub async fn cmd_auth_status() -> Result<()> {
+    match read_cache() {
+        Ok(tokens) => {
+            let now = Utc::now();
+            let expired = tokens.expires_at <= now;
+
+            // Try to get email from id_token
+            let identity = tokens
+                .id_token
+                .as_deref()
+                .and_then(extract_email)
+                .unwrap_or_else(|| "unknown".to_string());
+
+            if expired {
+                crate::output::ok(&format!(
+                    "Logged in as {identity} (token expired at {})",
+                    tokens.expires_at.format("%Y-%m-%d %H:%M:%S UTC")
+                ));
+                if !tokens.refresh_token.is_empty() {
+                    crate::output::ok("Token can be refreshed automatically on next use");
+                }
+            } else {
+                crate::output::ok(&format!(
+                    "Logged in as {identity} (token valid until {})",
+                    tokens.expires_at.format("%Y-%m-%d %H:%M:%S UTC")
+                ));
+            }
+            crate::output::ok(&format!("Domain: {}", tokens.domain));
+        }
+        Err(_) => {
+            crate::output::ok("Not logged in. Run `sunbeam auth login` to authenticate.");
+        }
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Utility helpers
+// ---------------------------------------------------------------------------
+
+/// Minimal percent-encoding for URL query parameters.
+fn urlencoding(s: &str) -> String {
+    let mut out = String::with_capacity(s.len());
+    for b in s.bytes() {
+        match b {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
+                out.push(b as char);
+            }
+            _ => {
+                out.push_str(&format!("%{:02X}", b));
+            }
+        }
+    }
+    out
+}
+
+/// Try to open a URL in the default browser.
+fn open_browser(url: &str) -> std::result::Result<(), std::io::Error> {
+    #[cfg(target_os = "macos")]
+    {
+        std::process::Command::new("open").arg(url).spawn()?;
+    }
+    #[cfg(target_os = "linux")]
+    {
+        std::process::Command::new("xdg-open").arg(url).spawn()?;
+    }
+    #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+    {
+        let _ = url;
+        // No-op on unsupported platforms; URL is printed to the terminal.
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use chrono::Duration;
+
+    #[test]
+    fn test_pkce_generation() {
+        let (verifier, challenge) = generate_pkce();
+
+        // Verifier should be base64url-encoded 32 bytes -> 43 chars
+        assert_eq!(verifier.len(), 43);
+
+        // Challenge should be base64url-encoded SHA256 -> 43 chars
+        assert_eq!(challenge.len(), 43);
+
+        // Verify the challenge matches the verifier
+        let expected_hash = Sha256::digest(verifier.as_bytes());
+        let expected_challenge =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(expected_hash);
+        assert_eq!(challenge, expected_challenge);
+
+        // Two calls should produce different values
+        let (v2, c2) = generate_pkce();
+        assert_ne!(verifier, v2);
+        assert_ne!(challenge, c2);
+    }
+
+    #[test]
+    fn test_token_cache_roundtrip() {
+        let tokens = AuthTokens {
+            access_token: "access_abc".to_string(),
+            refresh_token: "refresh_xyz".to_string(),
+            expires_at: Utc::now() + Duration::hours(1),
+            id_token: Some("eyJhbGciOiJSUzI1NiJ9.eyJlbWFpbCI6InRlc3RAZXhhbXBsZS5jb20ifQ.sig".to_string()),
+            domain: "sunbeam.pt".to_string(),
+            gitea_token: None,
+        };
+
+        let json = serde_json::to_string_pretty(&tokens).unwrap();
+        let deserialized: AuthTokens = serde_json::from_str(&json).unwrap();
+
+        assert_eq!(deserialized.access_token, "access_abc");
+        assert_eq!(deserialized.refresh_token, "refresh_xyz");
+        assert_eq!(deserialized.domain, "sunbeam.pt");
+        assert!(deserialized.id_token.is_some());
+
+        // Verify expires_at survives roundtrip (within 1 second tolerance)
+        let diff = (deserialized.expires_at - tokens.expires_at)
+            .num_milliseconds()
+            .abs();
+        assert!(diff < 1000, "expires_at drift: {diff}ms");
+    }
+
+    #[test]
+    fn test_token_cache_roundtrip_no_id_token() {
+        let tokens = AuthTokens {
+            access_token: "access".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() + Duration::hours(1),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let json = serde_json::to_string(&tokens).unwrap();
+        // id_token should be absent from the JSON when None
+        assert!(!json.contains("id_token"));
+
+        let deserialized: AuthTokens = serde_json::from_str(&json).unwrap();
+        assert!(deserialized.id_token.is_none());
+    }
+
+    #[test]
+    fn test_token_expiry_check_valid() {
+        let tokens = AuthTokens {
+            access_token: "valid".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() + Duration::hours(1),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let now = Utc::now();
+        // Token is valid: more than 60 seconds until expiry
+        assert!(tokens.expires_at > now + Duration::seconds(60));
+    }
+
+    #[test]
+    fn test_token_expiry_check_expired() {
+        let tokens = AuthTokens {
+            access_token: "expired".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() - Duration::hours(1),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let now = Utc::now();
+        // Token is expired
+        assert!(tokens.expires_at <= now + Duration::seconds(60));
+    }
+
+    #[test]
+    fn test_token_expiry_check_almost_expired() {
+        let tokens = AuthTokens {
+            access_token: "almost".to_string(),
+            refresh_token: "refresh".to_string(),
+            expires_at: Utc::now() + Duration::seconds(30),
+            id_token: None,
+            domain: "example.com".to_string(),
+            gitea_token: None,
+        };
+
+        let now = Utc::now();
+        // Token expires in 30s, which is within the 60s threshold
+        assert!(tokens.expires_at <= now + Duration::seconds(60));
+    }
+
+    #[test]
+    fn test_jwt_payload_decode() {
+        // Build a fake JWT: header.payload.signature
+        let payload_json = r#"{"email":"user@example.com","sub":"12345"}"#;
+        let encoded_payload =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(payload_json.as_bytes());
+        let fake_jwt = format!("eyJhbGciOiJSUzI1NiJ9.{encoded_payload}.fakesig");
+
+        let payload = decode_jwt_payload(&fake_jwt).unwrap();
+        assert_eq!(payload["email"], "user@example.com");
+        assert_eq!(payload["sub"], "12345");
+    }
+
+    #[test]
+    fn test_extract_email() {
+        let payload_json = r#"{"email":"alice@sunbeam.pt","name":"Alice"}"#;
+        let encoded_payload =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(payload_json.as_bytes());
+        let fake_jwt = format!("eyJhbGciOiJSUzI1NiJ9.{encoded_payload}.fakesig");
+
+        assert_eq!(extract_email(&fake_jwt), Some("alice@sunbeam.pt".to_string()));
+    }
+
+    #[test]
+    fn test_extract_email_missing() {
+        let payload_json = r#"{"sub":"12345","name":"Bob"}"#;
+        let encoded_payload =
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(payload_json.as_bytes());
+        let fake_jwt = format!("eyJhbGciOiJSUzI1NiJ9.{encoded_payload}.fakesig");
+
+        assert_eq!(extract_email(&fake_jwt), None);
+    }
+
+    #[test]
+    fn test_urlencoding() {
+        assert_eq!(urlencoding("hello"), "hello");
+        assert_eq!(urlencoding("hello world"), "hello%20world");
+        assert_eq!(
+            urlencoding("http://localhost:9876/callback"),
+            "http%3A%2F%2Flocalhost%3A9876%2Fcallback"
+        );
+    }
+
+    #[test]
+    fn test_generate_state() {
+        let s1 = generate_state();
+        let s2 = generate_state();
+        assert_ne!(s1, s2);
+        // 16 bytes base64url -> 22 chars
+        assert_eq!(s1.len(), 22);
+    }
+
+    #[test]
+    fn test_cache_path_is_under_sunbeam() {
+        let path = cache_path_for_domain("sunbeam.pt");
+        let path_str = path.to_string_lossy();
+        assert!(path_str.contains("sunbeam"));
+        assert!(path_str.contains("auth"));
+        assert!(path_str.ends_with("sunbeam.pt.json"));
+    }
+
+    #[test]
+    fn test_cache_path_default_domain() {
+        let path = cache_path_for_domain("");
+        assert!(path.to_string_lossy().ends_with("default.json"));
+    }
+}
diff --git a/sunbeam-sdk/src/checks/mod.rs b/sunbeam-sdk/src/checks/mod.rs
new file mode 100644
index 0000000..c4e2b54
--- /dev/null
+++ b/sunbeam-sdk/src/checks/mod.rs
@@ -0,0 +1,792 @@
+//! Service-level health checks -- functional probes beyond pod readiness.
+
+mod probes;
+
+use crate::error::Result;
+use crate::kube::parse_target;
+use crate::output::{ok, step, warn};
+
+// ---------------------------------------------------------------------------
+// CheckResult
+// ---------------------------------------------------------------------------
+
+/// Result of a single health check.
+#[derive(Debug, Clone)]
+pub struct CheckResult {
+    pub name: String,
+    pub ns: String,
+    pub svc: String,
+    pub passed: bool,
+    pub detail: String,
+}
+
+impl CheckResult {
+    fn ok(name: &str, ns: &str, svc: &str, detail: &str) -> Self {
+        Self {
+            name: name.into(),
+            ns: ns.into(),
+            svc: svc.into(),
+            passed: true,
+            detail: detail.into(),
+        }
+    }
+
+    fn fail(name: &str, ns: &str, svc: &str, detail: &str) -> Self {
+        Self {
+            name: name.into(),
+            ns: ns.into(),
+            svc: svc.into(),
+            passed: false,
+            detail: detail.into(),
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// HTTP client builder
+// ---------------------------------------------------------------------------
+
+/// Build a reqwest client that trusts the mkcert local CA if available,
+/// does not follow redirects, and has a 5s timeout.
+fn build_http_client() -> Result<reqwest::Client> {
+    let mut builder = reqwest::Client::builder()
+        .redirect(reqwest::redirect::Policy::none())
+        .timeout(std::time::Duration::from_secs(5));
+
+    // Try mkcert root CA
+    if let Ok(output) = std::process::Command::new("mkcert")
+        .arg("-CAROOT")
+        .output()
+    {
+        if output.status.success() {
+            let ca_root = String::from_utf8_lossy(&output.stdout).trim().to_string();
+            let ca_file = std::path::Path::new(&ca_root).join("rootCA.pem");
+            if ca_file.exists() {
+                if let Ok(pem_bytes) = std::fs::read(&ca_file) {
+                    if let Ok(cert) = reqwest::Certificate::from_pem(&pem_bytes) {
+                        builder = builder.add_root_certificate(cert);
+                    }
+                }
+            }
+        }
+    }
+
+    Ok(builder.build()?)
+}
+
+/// Helper: GET a URL, return (status_code, body_bytes). Does not follow redirects.
+async fn http_get(
+    client: &reqwest::Client,
+    url: &str,
+    headers: Option<&[(&str, &str)]>,
+) -> std::result::Result<(u16, Vec<u8>), String> {
+    let mut req = client.get(url);
+    if let Some(hdrs) = headers {
+        for (k, v) in hdrs {
+            req = req.header(*k, *v);
+        }
+    }
+    match req.send().await {
+        Ok(resp) => {
+            let status = resp.status().as_u16();
+            let body = resp.bytes().await.unwrap_or_default().to_vec();
+            Ok((status, body))
+        }
+        Err(e) => Err(format!("{e}")),
+    }
+}
+
+/// Read a K8s secret field, returning empty string on failure.
+async fn kube_secret(ns: &str, name: &str, key: &str) -> String {
+    crate::kube::kube_get_secret_field(ns, name, key)
+        .await
+        .unwrap_or_default()
+}
+
+// ---------------------------------------------------------------------------
+// Check registry -- function pointer + metadata
+// ---------------------------------------------------------------------------
+
+type CheckFn = for<'a> fn(
+    &'a str,
+    &'a reqwest::Client,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = CheckResult> + Send + 'a>>;
+
+struct CheckEntry {
+    func: CheckFn,
+    ns: &'static str,
+    svc: &'static str,
+}
+
+fn check_registry() -> Vec<CheckEntry> {
+    use probes::*;
+    vec![
+        CheckEntry {
+            func: |d, c| Box::pin(check_gitea_version(d, c)),
+            ns: "devtools",
+            svc: "gitea",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_gitea_auth(d, c)),
+            ns: "devtools",
+            svc: "gitea",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_postgres(d, c)),
+            ns: "data",
+            svc: "postgres",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_valkey(d, c)),
+            ns: "data",
+            svc: "valkey",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_openbao(d, c)),
+            ns: "data",
+            svc: "openbao",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_seaweedfs(d, c)),
+            ns: "storage",
+            svc: "seaweedfs",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_kratos(d, c)),
+            ns: "ory",
+            svc: "kratos",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_hydra_oidc(d, c)),
+            ns: "ory",
+            svc: "hydra",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_people(d, c)),
+            ns: "lasuite",
+            svc: "people",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_people_api(d, c)),
+            ns: "lasuite",
+            svc: "people",
+        },
+        CheckEntry {
+            func: |d, c| Box::pin(check_livekit(d, c)),
+            ns: "media",
+            svc: "livekit",
+        },
+    ]
+}
+
+// ---------------------------------------------------------------------------
+// cmd_check -- concurrent execution
+// ---------------------------------------------------------------------------
+
+/// Run service-level health checks, optionally scoped to a namespace or service.
+pub async fn cmd_check(target: Option<&str>) -> Result<()> {
+    step("Service health checks...");
+
+    let domain = crate::kube::get_domain().await?;
+    let http_client = build_http_client()?;
+
+    let (ns_filter, svc_filter) = parse_target(target)?;
+
+    let all_checks = check_registry();
+    let selected: Vec<&CheckEntry> = all_checks
+        .iter()
+        .filter(|e| {
+            (ns_filter.is_none() || ns_filter == Some(e.ns))
+                && (svc_filter.is_none() || svc_filter == Some(e.svc))
+        })
+        .collect();
+
+    if selected.is_empty() {
+        warn(&format!(
+            "No checks match target: {}",
+            target.unwrap_or("(none)")
+        ));
+        return Ok(());
+    }
+
+    // Run all checks concurrently
+    let mut join_set = tokio::task::JoinSet::new();
+    for entry in &selected {
+        let domain = domain.clone();
+        let client = http_client.clone();
+        let func = entry.func;
+        join_set.spawn(async move { func(&domain, &client).await });
+    }
+
+    let mut results: Vec<CheckResult> = Vec::new();
+    while let Some(res) = join_set.join_next().await {
+        match res {
+            Ok(cr) => results.push(cr),
+            Err(e) => results.push(CheckResult::fail("unknown", "?", "?", &format!("{e}"))),
+        }
+    }
+
+    // Sort to match the registry order for consistent output
+    let registry = check_registry();
+    results.sort_by(|a, b| {
+        let idx_a = registry
+            .iter()
+            .position(|e| e.ns == a.ns && e.svc == a.svc)
+            .unwrap_or(usize::MAX);
+        let idx_b = registry
+            .iter()
+            .position(|e| e.ns == b.ns && e.svc == b.svc)
+            .unwrap_or(usize::MAX);
+        idx_a.cmp(&idx_b).then_with(|| a.name.cmp(&b.name))
+    });
+
+    // Print grouped by namespace
+    let name_w = results.iter().map(|r| r.name.len()).max().unwrap_or(0);
+    let mut cur_ns: Option<&str> = None;
+    for r in &results {
+        if cur_ns != Some(&r.ns) {
+            println!("  {}:", r.ns);
+            cur_ns = Some(&r.ns);
+        }
+        let icon = if r.passed { "\u{2713}" } else { "\u{2717}" };
+        let detail = if r.detail.is_empty() {
+            String::new()
+        } else {
+            format!("  {}", r.detail)
+        };
+        println!("    {icon} {:<name_w$}{detail}", r.name);
+    }
+
+    println!();
+    let failed: Vec<&CheckResult> = results.iter().filter(|r| !r.passed).collect();
+    if failed.is_empty() {
+        ok(&format!("All {} check(s) passed.", results.len()));
+    } else {
+        warn(&format!("{} check(s) failed.", failed.len()));
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use super::probes::*;
+    use hmac::{Hmac, Mac};
+    use sha2::{Digest, Sha256};
+
+    type HmacSha256 = Hmac<Sha256>;
+
+    // ── S3 auth header tests ─────────────────────────────────────────────
+
+    #[test]
+    fn test_s3_auth_headers_format() {
+        let (auth, amzdate) = s3_auth_headers(
+            "AKIAIOSFODNN7EXAMPLE",
+            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+            "s3.example.com",
+        );
+
+        // Verify header structure
+        assert!(auth.starts_with("AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/"));
+        assert!(auth.contains("us-east-1/s3/aws4_request"));
+        assert!(auth.contains("SignedHeaders=host;x-amz-date"));
+        assert!(auth.contains("Signature="));
+
+        // amzdate format: YYYYMMDDTHHMMSSZ
+        assert_eq!(amzdate.len(), 16);
+        assert!(amzdate.ends_with('Z'));
+        assert!(amzdate.contains('T'));
+    }
+
+    #[test]
+    fn test_s3_auth_headers_signature_changes_with_key() {
+        let (auth1, _) = s3_auth_headers("key1", "secret1", "host1");
+        let (auth2, _) = s3_auth_headers("key2", "secret2", "host2");
+        // Different keys produce different signatures
+        let sig1 = auth1.split("Signature=").nth(1).unwrap();
+        let sig2 = auth2.split("Signature=").nth(1).unwrap();
+        assert_ne!(sig1, sig2);
+    }
+
+    #[test]
+    fn test_s3_auth_headers_credential_scope() {
+        let (auth, amzdate) = s3_auth_headers("AK", "SK", "s3.example.com");
+        let datestamp = &amzdate[..8];
+        let expected_scope = format!("{datestamp}/us-east-1/s3/aws4_request");
+        assert!(auth.contains(&expected_scope));
+    }
+
+    // ── hex encoding ────────────────────────────────────────────────────
+
+    #[test]
+    fn test_hex_encode_empty() {
+        assert_eq!(hex_encode(b""), "");
+    }
+
+    #[test]
+    fn test_hex_encode_zero() {
+        assert_eq!(hex_encode(b"\x00"), "00");
+    }
+
+    #[test]
+    fn test_hex_encode_ff() {
+        assert_eq!(hex_encode(b"\xff"), "ff");
+    }
+
+    #[test]
+    fn test_hex_encode_deadbeef() {
+        assert_eq!(hex_encode(b"\xde\xad\xbe\xef"), "deadbeef");
+    }
+
+    #[test]
+    fn test_hex_encode_hello() {
+        assert_eq!(hex_encode(b"hello"), "68656c6c6f");
+    }
+
+    // ── CheckResult ─────────────────────────────────────────────────────
+
+    #[test]
+    fn test_check_result_ok() {
+        let r = CheckResult::ok("gitea-version", "devtools", "gitea", "v1.21.0");
+        assert!(r.passed);
+        assert_eq!(r.name, "gitea-version");
+        assert_eq!(r.ns, "devtools");
+        assert_eq!(r.svc, "gitea");
+        assert_eq!(r.detail, "v1.21.0");
+    }
+
+    #[test]
+    fn test_check_result_fail() {
+        let r = CheckResult::fail("postgres", "data", "postgres", "cluster not found");
+        assert!(!r.passed);
+        assert_eq!(r.detail, "cluster not found");
+    }
+
+    // ── Check registry ──────────────────────────────────────────────────
+
+    #[test]
+    fn test_check_registry_has_all_checks() {
+        let registry = check_registry();
+        assert_eq!(registry.len(), 11);
+
+        // Verify order matches Python CHECKS list
+        assert_eq!(registry[0].ns, "devtools");
+        assert_eq!(registry[0].svc, "gitea");
+        assert_eq!(registry[1].ns, "devtools");
+        assert_eq!(registry[1].svc, "gitea");
+        assert_eq!(registry[2].ns, "data");
+        assert_eq!(registry[2].svc, "postgres");
+        assert_eq!(registry[3].ns, "data");
+        assert_eq!(registry[3].svc, "valkey");
+        assert_eq!(registry[4].ns, "data");
+        assert_eq!(registry[4].svc, "openbao");
+        assert_eq!(registry[5].ns, "storage");
+        assert_eq!(registry[5].svc, "seaweedfs");
+        assert_eq!(registry[6].ns, "ory");
+        assert_eq!(registry[6].svc, "kratos");
+        assert_eq!(registry[7].ns, "ory");
+        assert_eq!(registry[7].svc, "hydra");
+        assert_eq!(registry[8].ns, "lasuite");
+        assert_eq!(registry[8].svc, "people");
+        assert_eq!(registry[9].ns, "lasuite");
+        assert_eq!(registry[9].svc, "people");
+        assert_eq!(registry[10].ns, "media");
+        assert_eq!(registry[10].svc, "livekit");
+    }
+
+    #[test]
+    fn test_check_registry_filter_namespace() {
+        let all = check_registry();
+        let filtered: Vec<&CheckEntry> = all.iter().filter(|e| e.ns == "ory").collect();
+        assert_eq!(filtered.len(), 2);
+    }
+
+    #[test]
+    fn test_check_registry_filter_service() {
+        let all = check_registry();
+        let filtered: Vec<&CheckEntry> = all
+            .iter()
+            .filter(|e| e.ns == "ory" && e.svc == "kratos")
+            .collect();
+        assert_eq!(filtered.len(), 1);
+    }
+
+    #[test]
+    fn test_check_registry_filter_no_match() {
+        let all = check_registry();
+        let filtered: Vec<&CheckEntry> =
+            all.iter().filter(|e| e.ns == "nonexistent").collect();
+        assert!(filtered.is_empty());
+    }
+
+    // ── HMAC-SHA256 verification ────────────────────────────────────────
+
+    #[test]
+    fn test_hmac_sha256_known_vector() {
+        // RFC 4231 Test Case 2
+        let key = b"Jefe";
+        let data = b"what do ya want for nothing?";
+        let mut mac = HmacSha256::new_from_slice(key).expect("HMAC key");
+        mac.update(data);
+        let result = hex_encode(mac.finalize().into_bytes());
+        assert_eq!(
+            result,
+            "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
+        );
+    }
+
+    // ── SHA256 verification ─────────────────────────────────────────────
+
+    #[test]
+    fn test_sha256_empty() {
+        let hash = hex_encode(Sha256::digest(b""));
+        assert_eq!(
+            hash,
+            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+        );
+    }
+
+    #[test]
+    fn test_sha256_hello() {
+        let hash = hex_encode(Sha256::digest(b"hello"));
+        assert_eq!(
+            hash,
+            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
+        );
+    }
+
+    // ── Additional CheckResult tests ──────────────────────────────────
+
+    #[test]
+    fn test_check_result_ok_empty_detail() {
+        let r = CheckResult::ok("test", "ns", "svc", "");
+        assert!(r.passed);
+        assert!(r.detail.is_empty());
+    }
+
+    #[test]
+    fn test_check_result_fail_contains_status_code() {
+        let r = CheckResult::fail("gitea-version", "devtools", "gitea", "HTTP 502");
+        assert!(!r.passed);
+        assert!(r.detail.contains("502"));
+    }
+
+    #[test]
+    fn test_check_result_fail_contains_secret_message() {
+        let r = CheckResult::fail(
+            "gitea-auth",
+            "devtools",
+            "gitea",
+            "password not found in secret",
+        );
+        assert!(!r.passed);
+        assert!(r.detail.contains("secret"));
+    }
+
+    #[test]
+    fn test_check_result_ok_with_version() {
+        let r = CheckResult::ok("gitea-version", "devtools", "gitea", "v1.21.0");
+        assert!(r.passed);
+        assert!(r.detail.contains("1.21.0"));
+    }
+
+    #[test]
+    fn test_check_result_ok_with_login() {
+        let r = CheckResult::ok("gitea-auth", "devtools", "gitea", "user=gitea_admin");
+        assert!(r.passed);
+        assert!(r.detail.contains("gitea_admin"));
+    }
+
+    #[test]
+    fn test_check_result_ok_authenticated() {
+        let r = CheckResult::ok("seaweedfs", "storage", "seaweedfs", "S3 authenticated");
+        assert!(r.passed);
+        assert!(r.detail.contains("authenticated"));
+    }
+
+    // ── Additional registry tests ─────────────────────────────────────
+
+    #[test]
+    fn test_check_registry_expected_namespaces() {
+        let registry = check_registry();
+        let namespaces: std::collections::HashSet<&str> =
+            registry.iter().map(|e| e.ns).collect();
+        for expected in &["devtools", "data", "storage", "ory", "lasuite", "media"] {
+            assert!(
+                namespaces.contains(expected),
+                "registry missing namespace: {expected}"
+            );
+        }
+    }
+
+    #[test]
+    fn test_check_registry_expected_services() {
+        let registry = check_registry();
+        let services: std::collections::HashSet<&str> =
+            registry.iter().map(|e| e.svc).collect();
+        for expected in &[
+            "gitea", "postgres", "valkey", "openbao", "seaweedfs", "kratos", "hydra",
+            "people", "livekit",
+        ] {
+            assert!(
+                services.contains(expected),
+                "registry missing service: {expected}"
+            );
+        }
+    }
+
+    #[test]
+    fn test_check_registry_devtools_has_two_gitea_entries() {
+        let registry = check_registry();
+        let gitea: Vec<_> = registry
+            .iter()
+            .filter(|e| e.ns == "devtools" && e.svc == "gitea")
+            .collect();
+        assert_eq!(gitea.len(), 2);
+    }
+
+    #[test]
+    fn test_check_registry_lasuite_has_two_people_entries() {
+        let registry = check_registry();
+        let people: Vec<_> = registry
+            .iter()
+            .filter(|e| e.ns == "lasuite" && e.svc == "people")
+            .collect();
+        assert_eq!(people.len(), 2);
+    }
+
+    #[test]
+    fn test_check_registry_data_has_three_entries() {
+        let registry = check_registry();
+        let data: Vec<_> = registry.iter().filter(|e| e.ns == "data").collect();
+        assert_eq!(data.len(), 3); // postgres, valkey, openbao
+    }
+
+    // ── Filter logic (mirrors Python TestCmdCheck) ────────────────────
+
+    /// Helper: apply the same filter logic as cmd_check to the registry.
+    fn filter_registry(
+        ns_filter: Option<&str>,
+        svc_filter: Option<&str>,
+    ) -> Vec<(&'static str, &'static str)> {
+        let all = check_registry();
+        all.into_iter()
+            .filter(|e| ns_filter.map_or(true, |ns| e.ns == ns))
+            .filter(|e| svc_filter.map_or(true, |svc| e.svc == svc))
+            .map(|e| (e.ns, e.svc))
+            .collect()
+    }
+
+    #[test]
+    fn test_no_target_runs_all() {
+        let selected = filter_registry(None, None);
+        assert_eq!(selected.len(), 11);
+    }
+
+    #[test]
+    fn test_ns_filter_devtools_selects_two() {
+        let selected = filter_registry(Some("devtools"), None);
+        assert_eq!(selected.len(), 2);
+        assert!(selected.iter().all(|(ns, _)| *ns == "devtools"));
+    }
+
+    #[test]
+    fn test_ns_filter_skips_other_namespaces() {
+        let selected = filter_registry(Some("devtools"), None);
+        // Should NOT contain data/postgres
+        assert!(selected.iter().all(|(ns, _)| *ns != "data"));
+    }
+
+    #[test]
+    fn test_svc_filter_ory_kratos() {
+        let selected = filter_registry(Some("ory"), Some("kratos"));
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("ory", "kratos"));
+    }
+
+    #[test]
+    fn test_svc_filter_ory_hydra() {
+        let selected = filter_registry(Some("ory"), Some("hydra"));
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("ory", "hydra"));
+    }
+
+    #[test]
+    fn test_svc_filter_people_returns_both() {
+        let selected = filter_registry(Some("lasuite"), Some("people"));
+        assert_eq!(selected.len(), 2);
+        assert!(selected.iter().all(|(ns, svc)| *ns == "lasuite" && *svc == "people"));
+    }
+
+    #[test]
+    fn test_filter_nonexistent_ns_returns_empty() {
+        let selected = filter_registry(Some("nonexistent"), None);
+        assert!(selected.is_empty());
+    }
+
+    #[test]
+    fn test_filter_ns_match_svc_mismatch_returns_empty() {
+        // ory namespace exists but postgres service does not live there
+        let selected = filter_registry(Some("ory"), Some("postgres"));
+        assert!(selected.is_empty());
+    }
+
+    #[test]
+    fn test_filter_data_namespace() {
+        let selected = filter_registry(Some("data"), None);
+        assert_eq!(selected.len(), 3);
+        let svcs: Vec<&str> = selected.iter().map(|(_, svc)| *svc).collect();
+        assert!(svcs.contains(&"postgres"));
+        assert!(svcs.contains(&"valkey"));
+        assert!(svcs.contains(&"openbao"));
+    }
+
+    #[test]
+    fn test_filter_storage_namespace() {
+        let selected = filter_registry(Some("storage"), None);
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("storage", "seaweedfs"));
+    }
+
+    #[test]
+    fn test_filter_media_namespace() {
+        let selected = filter_registry(Some("media"), None);
+        assert_eq!(selected.len(), 1);
+        assert_eq!(selected[0], ("media", "livekit"));
+    }
+
+    // ── S3 auth AWS reference vector test ─────────────────────────────
+
+    #[test]
+    fn test_s3_auth_headers_aws_reference_vector() {
+        // Uses AWS test values with a fixed timestamp to verify signature
+        // correctness against a known reference (AWS SigV4 documentation).
+        use chrono::TimeZone;
+
+        let access_key = "AKIAIOSFODNN7EXAMPLE";
+        let secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+        let host = "examplebucket.s3.amazonaws.com";
+        let now = chrono::Utc.with_ymd_and_hms(2013, 5, 24, 0, 0, 0).unwrap();
+
+        let (auth, amzdate) = s3_auth_headers_at(access_key, secret_key, host, now);
+
+        // 1. Verify the date header
+        assert_eq!(amzdate, "20130524T000000Z");
+
+        // 2. Verify canonical request intermediate values.
+        //    Canonical request for GET / with empty body:
+        //      GET\n/\n\nhost:examplebucket.s3.amazonaws.com\n
+        //      x-amz-date:20130524T000000Z\n\nhost;x-amz-date\n<sha256("")>
+        let payload_hash =
+            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+        let canonical = format!(
+            "GET\n/\n\nhost:{host}\nx-amz-date:{amzdate}\n\nhost;x-amz-date\n{payload_hash}"
+        );
+        let canonical_hash = hex_encode(&Sha256::digest(canonical.as_bytes()));
+
+        // 3. Verify the string to sign
+        let credential_scope = "20130524/us-east-1/s3/aws4_request";
+        let string_to_sign = format!(
+            "AWS4-HMAC-SHA256\n{amzdate}\n{credential_scope}\n{canonical_hash}"
+        );
+
+        // 4. Compute the expected signing key and signature to pin the value.
+        fn hmac_sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
+            let mut mac =
+                HmacSha256::new_from_slice(key).expect("HMAC accepts any key length");
+            mac.update(msg);
+            mac.finalize().into_bytes().to_vec()
+        }
+
+        let k = hmac_sign(
+            format!("AWS4{secret_key}").as_bytes(),
+            b"20130524",
+        );
+        let k = hmac_sign(&k, b"us-east-1");
+        let k = hmac_sign(&k, b"s3");
+        let k = hmac_sign(&k, b"aws4_request");
+
+        let expected_sig = {
+            let mut mac =
+                HmacSha256::new_from_slice(&k).expect("HMAC accepts any key length");
+            mac.update(string_to_sign.as_bytes());
+            hex_encode(&mac.finalize().into_bytes())
+        };
+
+        // 5. Verify the full Authorization header matches
+        let expected_auth = format!(
+            "AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, \
+             SignedHeaders=host;x-amz-date, Signature={expected_sig}"
+        );
+        assert_eq!(auth, expected_auth);
+
+        // 6. Pin the exact signature value so any regression is caught
+        //    immediately without needing to recompute.
+        let sig = auth.split("Signature=").nth(1).unwrap();
+        assert_eq!(sig, expected_sig);
+        assert_eq!(sig.len(), 64, "SHA-256 HMAC signature must be 64 hex chars");
+    }
+
+    // ── Additional S3 auth header tests ───────────────────────────────
+
+    #[test]
+    fn test_s3_auth_headers_deterministic() {
+        // Same inputs at the same point in time produce identical output.
+        // (Time may advance between calls, but the format is still valid.)
+        let (auth1, date1) = s3_auth_headers("AK", "SK", "host");
+        let (auth2, date2) = s3_auth_headers("AK", "SK", "host");
+        // If both calls happen within the same second, they must be identical.
+        if date1 == date2 {
+            assert_eq!(auth1, auth2, "same inputs at same time must produce same signature");
+        }
+    }
+
+    #[test]
+    fn test_s3_auth_headers_different_hosts_differ() {
+        let (auth1, d1) = s3_auth_headers("AK", "SK", "s3.a.com");
+        let (auth2, d2) = s3_auth_headers("AK", "SK", "s3.b.com");
+        let sig1 = auth1.split("Signature=").nth(1).unwrap();
+        let sig2 = auth2.split("Signature=").nth(1).unwrap();
+        // Different hosts -> different canonical request -> different signature
+        // (only guaranteed when timestamps match)
+        if d1 == d2 {
+            assert_ne!(sig1, sig2);
+        }
+    }
+
+    #[test]
+    fn test_s3_auth_headers_signature_is_64_hex_chars() {
+        let (auth, _) = s3_auth_headers("AK", "SK", "host");
+        let sig = auth.split("Signature=").nth(1).unwrap();
+        assert_eq!(sig.len(), 64, "SHA-256 HMAC hex signature is 64 chars");
+        assert!(
+            sig.chars().all(|c| c.is_ascii_hexdigit()),
+            "signature must be lowercase hex: {sig}"
+        );
+    }
+
+    // ── hex_encode edge cases ─────────────────────────────────────────
+
+    #[test]
+    fn test_hex_encode_all_byte_values() {
+        // Verify 0x00..0xff all produce 2-char lowercase hex
+        for b in 0u8..=255 {
+            let encoded = hex_encode([b]);
+            assert_eq!(encoded.len(), 2);
+            assert!(encoded.chars().all(|c| c.is_ascii_hexdigit()));
+        }
+    }
+
+    #[test]
+    fn test_hex_encode_matches_format() {
+        // Cross-check against Rust's built-in formatting
+        let bytes: Vec<u8> = (0..32).collect();
+        let expected: String = bytes.iter().map(|b| format!("{b:02x}")).collect();
+        assert_eq!(hex_encode(&bytes), expected);
+    }
+}
diff --git a/sunbeam-sdk/src/checks/probes.rs b/sunbeam-sdk/src/checks/probes.rs
new file mode 100644
index 0000000..f0bc3fa
--- /dev/null
+++ b/sunbeam-sdk/src/checks/probes.rs
@@ -0,0 +1,433 @@
+//! Individual service health check probe functions.
+
+use base64::Engine;
+use hmac::{Hmac, Mac};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ListParams};
+use kube::ResourceExt;
+use sha2::{Digest, Sha256};
+
+use super::{CheckResult, http_get, kube_secret};
+use crate::kube::{get_client, kube_exec};
+
+type HmacSha256 = Hmac<Sha256>;
+
+// ---------------------------------------------------------------------------
+// Individual checks
+// ---------------------------------------------------------------------------
+
+/// GET /api/v1/version -> JSON with version field.
+pub(super) async fn check_gitea_version(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://src.{domain}/api/v1/version");
+    match http_get(client, &url, None).await {
+        Ok((200, body)) => {
+            let ver = serde_json::from_slice::<serde_json::Value>(&body)
+                .ok()
+                .and_then(|v| v.get("version").and_then(|v| v.as_str()).map(String::from))
+                .unwrap_or_else(|| "?".into());
+            CheckResult::ok("gitea-version", "devtools", "gitea", &format!("v{ver}"))
+        }
+        Ok((status, _)) => {
+            CheckResult::fail("gitea-version", "devtools", "gitea", &format!("HTTP {status}"))
+        }
+        Err(e) => CheckResult::fail("gitea-version", "devtools", "gitea", &e),
+    }
+}
+
+/// GET /api/v1/user with admin credentials -> 200 and login field.
+pub(super) async fn check_gitea_auth(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let username = {
+        let u = kube_secret("devtools", "gitea-admin-credentials", "username").await;
+        if u.is_empty() {
+            "gitea_admin".to_string()
+        } else {
+            u
+        }
+    };
+    let password =
+        kube_secret("devtools", "gitea-admin-credentials", "password").await;
+    if password.is_empty() {
+        return CheckResult::fail(
+            "gitea-auth",
+            "devtools",
+            "gitea",
+            "password not found in secret",
+        );
+    }
+
+    let creds =
+        base64::engine::general_purpose::STANDARD.encode(format!("{username}:{password}"));
+    let auth_hdr = format!("Basic {creds}");
+    let url = format!("https://src.{domain}/api/v1/user");
+
+    match http_get(client, &url, Some(&[("Authorization", &auth_hdr)])).await {
+        Ok((200, body)) => {
+            let login = serde_json::from_slice::<serde_json::Value>(&body)
+                .ok()
+                .and_then(|v| v.get("login").and_then(|v| v.as_str()).map(String::from))
+                .unwrap_or_else(|| "?".into());
+            CheckResult::ok("gitea-auth", "devtools", "gitea", &format!("user={login}"))
+        }
+        Ok((status, _)) => {
+            CheckResult::fail("gitea-auth", "devtools", "gitea", &format!("HTTP {status}"))
+        }
+        Err(e) => CheckResult::fail("gitea-auth", "devtools", "gitea", &e),
+    }
+}
+
+/// CNPG Cluster readyInstances == instances.
+pub(super) async fn check_postgres(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    let kube_client = match get_client().await {
+        Ok(c) => c,
+        Err(e) => {
+            return CheckResult::fail("postgres", "data", "postgres", &format!("{e}"));
+        }
+    };
+
+    let ar = kube::api::ApiResource {
+        group: "postgresql.cnpg.io".into(),
+        version: "v1".into(),
+        api_version: "postgresql.cnpg.io/v1".into(),
+        kind: "Cluster".into(),
+        plural: "clusters".into(),
+    };
+
+    let api: Api<kube::api::DynamicObject> =
+        Api::namespaced_with(kube_client.clone(), "data", &ar);
+
+    match api.get_opt("postgres").await {
+        Ok(Some(obj)) => {
+            let ready = obj
+                .data
+                .get("status")
+                .and_then(|s| s.get("readyInstances"))
+                .and_then(|v| v.as_i64())
+                .map(|v| v.to_string())
+                .unwrap_or_default();
+            let total = obj
+                .data
+                .get("status")
+                .and_then(|s| s.get("instances"))
+                .and_then(|v| v.as_i64())
+                .map(|v| v.to_string())
+                .unwrap_or_default();
+
+            if !ready.is_empty() && !total.is_empty() && ready == total {
+                CheckResult::ok(
+                    "postgres",
+                    "data",
+                    "postgres",
+                    &format!("{ready}/{total} ready"),
+                )
+            } else {
+                let r = if ready.is_empty() { "?" } else { &ready };
+                let t = if total.is_empty() { "?" } else { &total };
+                CheckResult::fail("postgres", "data", "postgres", &format!("{r}/{t} ready"))
+            }
+        }
+        Ok(None) => CheckResult::fail("postgres", "data", "postgres", "cluster not found"),
+        Err(e) => CheckResult::fail("postgres", "data", "postgres", &format!("{e}")),
+    }
+}
+
+/// kubectl exec valkey pod -- valkey-cli ping -> PONG.
+pub(super) async fn check_valkey(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    let kube_client = match get_client().await {
+        Ok(c) => c,
+        Err(e) => return CheckResult::fail("valkey", "data", "valkey", &format!("{e}")),
+    };
+
+    let api: Api<Pod> = Api::namespaced(kube_client.clone(), "data");
+    let lp = ListParams::default().labels("app=valkey");
+    let pod_list = match api.list(&lp).await {
+        Ok(l) => l,
+        Err(e) => return CheckResult::fail("valkey", "data", "valkey", &format!("{e}")),
+    };
+
+    let pod_name = match pod_list.items.first() {
+        Some(p) => p.name_any(),
+        None => return CheckResult::fail("valkey", "data", "valkey", "no valkey pod"),
+    };
+
+    match kube_exec("data", &pod_name, &["valkey-cli", "ping"], Some("valkey")).await {
+        Ok((_, out)) => {
+            let passed = out == "PONG";
+            let detail = if out.is_empty() {
+                "no response".to_string()
+            } else {
+                out
+            };
+            CheckResult {
+                name: "valkey".into(),
+                ns: "data".into(),
+                svc: "valkey".into(),
+                passed,
+                detail,
+            }
+        }
+        Err(e) => CheckResult::fail("valkey", "data", "valkey", &format!("{e}")),
+    }
+}
+
+/// kubectl exec openbao-0 -- bao status -format=json -> initialized + unsealed.
+pub(super) async fn check_openbao(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    match kube_exec(
+        "data",
+        "openbao-0",
+        &["bao", "status", "-format=json"],
+        Some("openbao"),
+    )
+    .await
+    {
+        Ok((_, out)) => {
+            if out.is_empty() {
+                return CheckResult::fail("openbao", "data", "openbao", "no response");
+            }
+            match serde_json::from_str::<serde_json::Value>(&out) {
+                Ok(data) => {
+                    let init = data
+                        .get("initialized")
+                        .and_then(|v| v.as_bool())
+                        .unwrap_or(false);
+                    let sealed = data
+                        .get("sealed")
+                        .and_then(|v| v.as_bool())
+                        .unwrap_or(true);
+                    let passed = init && !sealed;
+                    CheckResult {
+                        name: "openbao".into(),
+                        ns: "data".into(),
+                        svc: "openbao".into(),
+                        passed,
+                        detail: format!("init={init}, sealed={sealed}"),
+                    }
+                }
+                Err(_) => {
+                    let truncated: String = out.chars().take(80).collect();
+                    CheckResult::fail("openbao", "data", "openbao", &truncated)
+                }
+            }
+        }
+        Err(e) => CheckResult::fail("openbao", "data", "openbao", &format!("{e}")),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// S3 auth (AWS4-HMAC-SHA256)
+// ---------------------------------------------------------------------------
+
+/// Generate AWS4-HMAC-SHA256 Authorization and x-amz-date headers for an unsigned
+/// GET / request, matching the Python `_s3_auth_headers` function exactly.
+pub(crate) fn s3_auth_headers(access_key: &str, secret_key: &str, host: &str) -> (String, String) {
+    s3_auth_headers_at(access_key, secret_key, host, chrono::Utc::now())
+}
+
+/// Deterministic inner implementation that accepts an explicit timestamp.
+pub(crate) fn s3_auth_headers_at(
+    access_key: &str,
+    secret_key: &str,
+    host: &str,
+    now: chrono::DateTime<chrono::Utc>,
+) -> (String, String) {
+    let amzdate = now.format("%Y%m%dT%H%M%SZ").to_string();
+    let datestamp = now.format("%Y%m%d").to_string();
+
+    let payload_hash = hex_encode(&Sha256::digest(b""));
+    let canonical = format!(
+        "GET\n/\n\nhost:{host}\nx-amz-date:{amzdate}\n\nhost;x-amz-date\n{payload_hash}"
+    );
+    let credential_scope = format!("{datestamp}/us-east-1/s3/aws4_request");
+    let canonical_hash = hex_encode(&Sha256::digest(canonical.as_bytes()));
+    let string_to_sign =
+        format!("AWS4-HMAC-SHA256\n{amzdate}\n{credential_scope}\n{canonical_hash}");
+
+    fn hmac_sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
+        let mut mac = HmacSha256::new_from_slice(key).expect("HMAC accepts any key length");
+        mac.update(msg);
+        mac.finalize().into_bytes().to_vec()
+    }
+
+    let k = hmac_sign(
+        format!("AWS4{secret_key}").as_bytes(),
+        datestamp.as_bytes(),
+    );
+    let k = hmac_sign(&k, b"us-east-1");
+    let k = hmac_sign(&k, b"s3");
+    let k = hmac_sign(&k, b"aws4_request");
+
+    let sig = {
+        let mut mac = HmacSha256::new_from_slice(&k).expect("HMAC accepts any key length");
+        mac.update(string_to_sign.as_bytes());
+        hex_encode(&mac.finalize().into_bytes())
+    };
+
+    let auth = format!(
+        "AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, SignedHeaders=host;x-amz-date, Signature={sig}"
+    );
+    (auth, amzdate)
+}
+
+/// GET https://s3.{domain}/ with S3 credentials -> 200 list-buckets response.
+pub(super) async fn check_seaweedfs(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let access_key =
+        kube_secret("storage", "seaweedfs-s3-credentials", "S3_ACCESS_KEY").await;
+    let secret_key =
+        kube_secret("storage", "seaweedfs-s3-credentials", "S3_SECRET_KEY").await;
+
+    if access_key.is_empty() || secret_key.is_empty() {
+        return CheckResult::fail(
+            "seaweedfs",
+            "storage",
+            "seaweedfs",
+            "credentials not found in seaweedfs-s3-credentials secret",
+        );
+    }
+
+    let host = format!("s3.{domain}");
+    let url = format!("https://{host}/");
+    let (auth, amzdate) = s3_auth_headers(&access_key, &secret_key, &host);
+
+    match http_get(
+        client,
+        &url,
+        Some(&[("Authorization", &auth), ("x-amz-date", &amzdate)]),
+    )
+    .await
+    {
+        Ok((200, _)) => {
+            CheckResult::ok("seaweedfs", "storage", "seaweedfs", "S3 authenticated")
+        }
+        Ok((status, _)) => CheckResult::fail(
+            "seaweedfs",
+            "storage",
+            "seaweedfs",
+            &format!("HTTP {status}"),
+        ),
+        Err(e) => CheckResult::fail("seaweedfs", "storage", "seaweedfs", &e),
+    }
+}
+
+/// GET /kratos/health/ready -> 200.
+pub(super) async fn check_kratos(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://auth.{domain}/kratos/health/ready");
+    match http_get(client, &url, None).await {
+        Ok((status, body)) => {
+            let ok_flag = status == 200;
+            let mut detail = format!("HTTP {status}");
+            if !ok_flag && !body.is_empty() {
+                let body_str: String =
+                    String::from_utf8_lossy(&body).chars().take(80).collect();
+                detail = format!("{detail}: {body_str}");
+            }
+            CheckResult {
+                name: "kratos".into(),
+                ns: "ory".into(),
+                svc: "kratos".into(),
+                passed: ok_flag,
+                detail,
+            }
+        }
+        Err(e) => CheckResult::fail("kratos", "ory", "kratos", &e),
+    }
+}
+
+/// GET /.well-known/openid-configuration -> 200 with issuer field.
+pub(super) async fn check_hydra_oidc(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://auth.{domain}/.well-known/openid-configuration");
+    match http_get(client, &url, None).await {
+        Ok((200, body)) => {
+            let issuer = serde_json::from_slice::<serde_json::Value>(&body)
+                .ok()
+                .and_then(|v| v.get("issuer").and_then(|v| v.as_str()).map(String::from))
+                .unwrap_or_else(|| "?".into());
+            CheckResult::ok("hydra-oidc", "ory", "hydra", &format!("issuer={issuer}"))
+        }
+        Ok((status, _)) => {
+            CheckResult::fail("hydra-oidc", "ory", "hydra", &format!("HTTP {status}"))
+        }
+        Err(e) => CheckResult::fail("hydra-oidc", "ory", "hydra", &e),
+    }
+}
+
+/// GET https://people.{domain}/ -> any response < 500 (302 to OIDC is fine).
+pub(super) async fn check_people(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://people.{domain}/");
+    match http_get(client, &url, None).await {
+        Ok((status, _)) => CheckResult {
+            name: "people".into(),
+            ns: "lasuite".into(),
+            svc: "people".into(),
+            passed: status < 500,
+            detail: format!("HTTP {status}"),
+        },
+        Err(e) => CheckResult::fail("people", "lasuite", "people", &e),
+    }
+}
+
+/// GET /api/v1.0/config/ -> any response < 500 (401 auth-required is fine).
+pub(super) async fn check_people_api(domain: &str, client: &reqwest::Client) -> CheckResult {
+    let url = format!("https://people.{domain}/api/v1.0/config/");
+    match http_get(client, &url, None).await {
+        Ok((status, _)) => CheckResult {
+            name: "people-api".into(),
+            ns: "lasuite".into(),
+            svc: "people".into(),
+            passed: status < 500,
+            detail: format!("HTTP {status}"),
+        },
+        Err(e) => CheckResult::fail("people-api", "lasuite", "people", &e),
+    }
+}
+
+/// kubectl exec livekit-server pod -- wget localhost:7880/ -> rc 0.
+pub(super) async fn check_livekit(_domain: &str, _client: &reqwest::Client) -> CheckResult {
+    let kube_client = match get_client().await {
+        Ok(c) => c,
+        Err(e) => return CheckResult::fail("livekit", "media", "livekit", &format!("{e}")),
+    };
+
+    let api: Api<Pod> = Api::namespaced(kube_client.clone(), "media");
+    let lp = ListParams::default().labels("app.kubernetes.io/name=livekit-server");
+    let pod_list = match api.list(&lp).await {
+        Ok(l) => l,
+        Err(e) => return CheckResult::fail("livekit", "media", "livekit", &format!("{e}")),
+    };
+
+    let pod_name = match pod_list.items.first() {
+        Some(p) => p.name_any(),
+        None => return CheckResult::fail("livekit", "media", "livekit", "no livekit pod"),
+    };
+
+    match kube_exec(
+        "media",
+        &pod_name,
+        &["wget", "-qO-", "http://localhost:7880/"],
+        None,
+    )
+    .await
+    {
+        Ok((exit_code, _)) => {
+            if exit_code == 0 {
+                CheckResult::ok("livekit", "media", "livekit", "server responding")
+            } else {
+                CheckResult::fail("livekit", "media", "livekit", "server not responding")
+            }
+        }
+        Err(e) => CheckResult::fail("livekit", "media", "livekit", &format!("{e}")),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// hex encoding helper (avoids adding the `hex` crate)
+// ---------------------------------------------------------------------------
+
+pub(crate) fn hex_encode(bytes: impl AsRef<[u8]>) -> String {
+    const HEX_CHARS: &[u8; 16] = b"0123456789abcdef";
+    let bytes = bytes.as_ref();
+    let mut s = String::with_capacity(bytes.len() * 2);
+    for &b in bytes {
+        s.push(HEX_CHARS[(b >> 4) as usize] as char);
+        s.push(HEX_CHARS[(b & 0xf) as usize] as char);
+    }
+    s
+}
diff --git a/sunbeam-sdk/src/cluster/mod.rs b/sunbeam-sdk/src/cluster/mod.rs
new file mode 100644
index 0000000..e5de3cf
--- /dev/null
+++ b/sunbeam-sdk/src/cluster/mod.rs
@@ -0,0 +1,461 @@
+//! Cluster lifecycle — cert-manager, Linkerd, TLS, core service readiness.
+//!
+//! Pure K8s implementation: no Lima VM operations.
+
+use crate::constants::GITEA_ADMIN_USER;
+use crate::error::{Result, ResultExt, SunbeamError};
+use std::path::PathBuf;
+
+const CERT_MANAGER_URL: &str =
+    "https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml";
+
+const GATEWAY_API_CRDS_URL: &str =
+    "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml";
+
+fn secrets_dir() -> PathBuf {
+    crate::config::get_infra_dir()
+        .join("secrets")
+        .join("local")
+}
+
+// ---------------------------------------------------------------------------
+// cert-manager
+// ---------------------------------------------------------------------------
+
+async fn ensure_cert_manager() -> Result<()> {
+    crate::output::step("cert-manager...");
+
+    if crate::kube::ns_exists("cert-manager").await? {
+        crate::output::ok("Already installed.");
+        return Ok(());
+    }
+
+    crate::output::ok("Installing...");
+
+    // Download and apply cert-manager YAML
+    let body = reqwest::get(CERT_MANAGER_URL)
+        .await
+        .ctx("Failed to download cert-manager manifest")?
+        .text()
+        .await
+        .ctx("Failed to read cert-manager manifest body")?;
+
+    crate::kube::kube_apply(&body).await?;
+
+    // Wait for rollout
+    for dep in &[
+        "cert-manager",
+        "cert-manager-webhook",
+        "cert-manager-cainjector",
+    ] {
+        crate::output::ok(&format!("Waiting for {dep}..."));
+        wait_rollout("cert-manager", dep, 120).await?;
+    }
+
+    crate::output::ok("Installed.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Linkerd
+// ---------------------------------------------------------------------------
+
+async fn ensure_linkerd() -> Result<()> {
+    crate::output::step("Linkerd...");
+
+    if crate::kube::ns_exists("linkerd").await? {
+        crate::output::ok("Already installed.");
+        return Ok(());
+    }
+
+    // Gateway API CRDs
+    crate::output::ok("Installing Gateway API CRDs...");
+    let gateway_body = reqwest::get(GATEWAY_API_CRDS_URL)
+        .await
+        .ctx("Failed to download Gateway API CRDs")?
+        .text()
+        .await?;
+
+    // Gateway API CRDs require server-side apply; kube_apply already does SSA
+    crate::kube::kube_apply(&gateway_body).await?;
+
+    // Linkerd CRDs via subprocess (no pure HTTP source for linkerd manifests)
+    crate::output::ok("Installing Linkerd CRDs...");
+    let crds_output = tokio::process::Command::new("linkerd")
+        .args(["install", "--crds"])
+        .output()
+        .await
+        .ctx("Failed to run `linkerd install --crds`")?;
+
+    if !crds_output.status.success() {
+        let stderr = String::from_utf8_lossy(&crds_output.stderr);
+        return Err(SunbeamError::tool("linkerd", format!("install --crds failed: {stderr}")));
+    }
+    let crds = String::from_utf8_lossy(&crds_output.stdout);
+    crate::kube::kube_apply(&crds).await?;
+
+    // Linkerd control plane
+    crate::output::ok("Installing Linkerd control plane...");
+    let cp_output = tokio::process::Command::new("linkerd")
+        .args(["install"])
+        .output()
+        .await
+        .ctx("Failed to run `linkerd install`")?;
+
+    if !cp_output.status.success() {
+        let stderr = String::from_utf8_lossy(&cp_output.stderr);
+        return Err(SunbeamError::tool("linkerd", format!("install failed: {stderr}")));
+    }
+    let cp = String::from_utf8_lossy(&cp_output.stdout);
+    crate::kube::kube_apply(&cp).await?;
+
+    for dep in &[
+        "linkerd-identity",
+        "linkerd-destination",
+        "linkerd-proxy-injector",
+    ] {
+        crate::output::ok(&format!("Waiting for {dep}..."));
+        wait_rollout("linkerd", dep, 120).await?;
+    }
+
+    crate::output::ok("Installed.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// TLS certificate (rcgen)
+// ---------------------------------------------------------------------------
+
+async fn ensure_tls_cert(domain: &str) -> Result<()> {
+    crate::output::step("TLS certificate...");
+
+    let dir = secrets_dir();
+    let cert_path = dir.join("tls.crt");
+    let key_path = dir.join("tls.key");
+
+    if cert_path.exists() {
+        crate::output::ok(&format!("Cert exists. Domain: {domain}"));
+        return Ok(());
+    }
+
+    crate::output::ok(&format!("Generating wildcard cert for *.{domain}..."));
+    std::fs::create_dir_all(&dir)
+        .with_ctx(|| format!("Failed to create secrets dir: {}", dir.display()))?;
+
+    let subject_alt_names = vec![format!("*.{domain}")];
+    let mut params = rcgen::CertificateParams::new(subject_alt_names)
+        .map_err(|e| SunbeamError::kube(format!("Failed to create certificate params: {e}")))?;
+    params
+        .distinguished_name
+        .push(rcgen::DnType::CommonName, format!("*.{domain}"));
+
+    let key_pair = rcgen::KeyPair::generate()
+        .map_err(|e| SunbeamError::kube(format!("Failed to generate key pair: {e}")))?;
+    let cert = params
+        .self_signed(&key_pair)
+        .map_err(|e| SunbeamError::kube(format!("Failed to generate self-signed certificate: {e}")))?;
+
+    std::fs::write(&cert_path, cert.pem())
+        .with_ctx(|| format!("Failed to write {}", cert_path.display()))?;
+    std::fs::write(&key_path, key_pair.serialize_pem())
+        .with_ctx(|| format!("Failed to write {}", key_path.display()))?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        std::fs::set_permissions(&key_path, std::fs::Permissions::from_mode(0o600))?;
+    }
+
+    crate::output::ok(&format!("Cert generated. Domain: {domain}"));
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// TLS secret
+// ---------------------------------------------------------------------------
+
+async fn ensure_tls_secret(domain: &str) -> Result<()> {
+    crate::output::step("TLS secret...");
+
+    let _ = domain; // domain used contextually above; secret uses files
+    crate::kube::ensure_ns("ingress").await?;
+
+    let dir = secrets_dir();
+    let cert_pem =
+        std::fs::read_to_string(dir.join("tls.crt")).ctx("Failed to read tls.crt")?;
+    let key_pem =
+        std::fs::read_to_string(dir.join("tls.key")).ctx("Failed to read tls.key")?;
+
+    // Create TLS secret via kube-rs
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<k8s_openapi::api::core::v1::Secret> =
+        kube::api::Api::namespaced(client.clone(), "ingress");
+
+    let b64_cert = base64::Engine::encode(
+        &base64::engine::general_purpose::STANDARD,
+        cert_pem.as_bytes(),
+    );
+    let b64_key = base64::Engine::encode(
+        &base64::engine::general_purpose::STANDARD,
+        key_pem.as_bytes(),
+    );
+
+    let secret_obj = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "metadata": {
+            "name": "pingora-tls",
+            "namespace": "ingress",
+        },
+        "type": "kubernetes.io/tls",
+        "data": {
+            "tls.crt": b64_cert,
+            "tls.key": b64_key,
+        },
+    });
+
+    let pp = kube::api::PatchParams::apply("sunbeam").force();
+    api.patch("pingora-tls", &pp, &kube::api::Patch::Apply(secret_obj))
+        .await
+        .ctx("Failed to create TLS secret")?;
+
+    crate::output::ok("Done.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Wait for core
+// ---------------------------------------------------------------------------
+
+async fn wait_for_core() -> Result<()> {
+    crate::output::step("Waiting for core services...");
+
+    for (ns, dep) in &[("data", "valkey"), ("ory", "kratos"), ("ory", "hydra")] {
+        let _ = wait_rollout(ns, dep, 120).await;
+    }
+
+    crate::output::ok("Core services ready.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Print URLs
+// ---------------------------------------------------------------------------
+
+fn print_urls(domain: &str, _gitea_admin_pass: &str) {
+    let sep = "\u{2500}".repeat(60);
+    println!("\n{sep}");
+    println!("  Stack is up.  Domain: {domain}");
+    println!("{sep}");
+
+    let urls: &[(&str, String)] = &[
+        ("Auth", format!("https://auth.{domain}/")),
+        ("Docs", format!("https://docs.{domain}/")),
+        ("Meet", format!("https://meet.{domain}/")),
+        ("Drive", format!("https://drive.{domain}/")),
+        ("Chat", format!("https://chat.{domain}/")),
+        ("Mail", format!("https://mail.{domain}/")),
+        ("People", format!("https://people.{domain}/")),
+        (
+            "Gitea",
+            format!(
+                "https://src.{domain}/  ({GITEA_ADMIN_USER} / <from openbao>)"
+            ),
+        ),
+    ];
+
+    for (name, url) in urls {
+        println!("  {name:<10} {url}");
+    }
+
+    println!();
+    println!("  OpenBao UI:");
+    println!("    kubectl --context=sunbeam -n data port-forward svc/openbao 8200:8200");
+    println!("    http://localhost:8200");
+    println!(
+        "    token: kubectl --context=sunbeam -n data get secret openbao-keys \
+         -o jsonpath='{{.data.root-token}}' | base64 -d"
+    );
+    println!("{sep}\n");
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/// Poll deployment rollout status (approximate: check Available condition).
+async fn wait_rollout(ns: &str, deployment: &str, timeout_secs: u64) -> Result<()> {
+    use k8s_openapi::api::apps::v1::Deployment;
+    use std::time::{Duration, Instant};
+
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<Deployment> = kube::api::Api::namespaced(client.clone(), ns);
+
+    let deadline = Instant::now() + Duration::from_secs(timeout_secs);
+
+    loop {
+        if Instant::now() > deadline {
+            return Err(SunbeamError::kube(format!("Timed out waiting for deployment {ns}/{deployment}")));
+        }
+
+        match api.get_opt(deployment).await? {
+            Some(dep) => {
+                if let Some(status) = &dep.status {
+                    if let Some(conditions) = &status.conditions {
+                        let available = conditions.iter().any(|c| {
+                            c.type_ == "Available" && c.status == "True"
+                        });
+                        if available {
+                            return Ok(());
+                        }
+                    }
+                }
+            }
+            None => {
+                // Deployment doesn't exist yet — keep waiting
+            }
+        }
+
+        tokio::time::sleep(Duration::from_secs(3)).await;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Commands
+// ---------------------------------------------------------------------------
+
+/// Full cluster bring-up (pure K8s — no Lima VM operations).
+pub async fn cmd_up() -> Result<()> {
+    // Resolve domain from cluster state
+    let domain = crate::kube::get_domain().await?;
+
+    ensure_cert_manager().await?;
+    ensure_linkerd().await?;
+    ensure_tls_cert(&domain).await?;
+    ensure_tls_secret(&domain).await?;
+
+    // Apply manifests
+    crate::manifests::cmd_apply("local", &domain, "", "").await?;
+
+    // Seed secrets
+    crate::secrets::cmd_seed().await?;
+
+    // Gitea bootstrap
+    crate::gitea::cmd_bootstrap().await?;
+
+    // Mirror amd64-only images
+    crate::images::cmd_mirror().await?;
+
+    // Wait for core services
+    wait_for_core().await?;
+
+    // Get gitea admin password for URL display
+    let admin_pass = crate::kube::kube_get_secret_field(
+        "devtools",
+        "gitea-admin-credentials",
+        "password",
+    )
+    .await
+    .unwrap_or_default();
+
+    print_urls(&domain, &admin_pass);
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn cert_manager_url_points_to_github_release() {
+        assert!(CERT_MANAGER_URL.starts_with("https://github.com/cert-manager/cert-manager/"));
+        assert!(CERT_MANAGER_URL.contains("/releases/download/"));
+        assert!(CERT_MANAGER_URL.ends_with(".yaml"));
+    }
+
+    #[test]
+    fn cert_manager_url_has_version() {
+        // Verify the URL contains a version tag like v1.x.x
+        assert!(
+            CERT_MANAGER_URL.contains("/v1."),
+            "CERT_MANAGER_URL should reference a v1.x release"
+        );
+    }
+
+    #[test]
+    fn gateway_api_crds_url_points_to_github_release() {
+        assert!(GATEWAY_API_CRDS_URL
+            .starts_with("https://github.com/kubernetes-sigs/gateway-api/"));
+        assert!(GATEWAY_API_CRDS_URL.contains("/releases/download/"));
+        assert!(GATEWAY_API_CRDS_URL.ends_with(".yaml"));
+    }
+
+    #[test]
+    fn gateway_api_crds_url_has_version() {
+        assert!(
+            GATEWAY_API_CRDS_URL.contains("/v1."),
+            "GATEWAY_API_CRDS_URL should reference a v1.x release"
+        );
+    }
+
+    #[test]
+    fn secrets_dir_ends_with_secrets_local() {
+        let dir = secrets_dir();
+        assert!(
+            dir.ends_with("secrets/local"),
+            "secrets_dir() should end with secrets/local, got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn secrets_dir_has_at_least_three_components() {
+        let dir = secrets_dir();
+        let components: Vec<_> = dir.components().collect();
+        assert!(
+            components.len() >= 3,
+            "secrets_dir() should have at least 3 path components (base/secrets/local), got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn gitea_admin_user_constant() {
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+    }
+
+    #[test]
+    fn print_urls_contains_expected_services() {
+        // Capture print_urls output by checking the URL construction logic.
+        // We can't easily capture stdout in unit tests, but we can verify
+        // the URL format matches expectations.
+        let domain = "test.local";
+        let expected_urls = [
+            format!("https://auth.{domain}/"),
+            format!("https://docs.{domain}/"),
+            format!("https://meet.{domain}/"),
+            format!("https://drive.{domain}/"),
+            format!("https://chat.{domain}/"),
+            format!("https://mail.{domain}/"),
+            format!("https://people.{domain}/"),
+            format!("https://src.{domain}/"),
+        ];
+
+        // Verify URL patterns are valid
+        for url in &expected_urls {
+            assert!(url.starts_with("https://"));
+            assert!(url.contains(domain));
+        }
+    }
+
+    #[test]
+    fn print_urls_gitea_includes_credentials() {
+        let domain = "example.local";
+        let gitea_url = format!(
+            "https://src.{domain}/  ({GITEA_ADMIN_USER} / <from openbao>)"
+        );
+        assert!(gitea_url.contains(GITEA_ADMIN_USER));
+        assert!(gitea_url.contains("<from openbao>"));
+        assert!(gitea_url.contains(&format!("src.{domain}")));
+    }
+}
diff --git a/sunbeam-sdk/src/config.rs b/sunbeam-sdk/src/config.rs
new file mode 100644
index 0000000..b5b9726
--- /dev/null
+++ b/sunbeam-sdk/src/config.rs
@@ -0,0 +1,404 @@
+use crate::error::{Result, ResultExt, SunbeamError};
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::path::PathBuf;
+use std::sync::OnceLock;
+
+// ---------------------------------------------------------------------------
+// Config data model
+// ---------------------------------------------------------------------------
+
+/// Sunbeam configuration stored at ~/.sunbeam.json.
+///
+/// Supports kubectl-style named contexts. Each context bundles a domain,
+/// kube context, SSH host, and infrastructure directory.
+#[derive(Debug, Clone, Default, Serialize, Deserialize)]
+pub struct SunbeamConfig {
+    /// The active context name. If empty, uses "default".
+    #[serde(default, rename = "current-context")]
+    pub current_context: String,
+
+    /// Named contexts.
+    #[serde(default)]
+    pub contexts: HashMap<String, Context>,
+
+    // --- Legacy fields (migrated on load) ---
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub production_host: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub infra_directory: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub acme_email: String,
+}
+
+/// A named context — everything needed to target a specific environment.
+#[derive(Debug, Clone, Default, Serialize, Deserialize)]
+pub struct Context {
+    /// The domain suffix (e.g. "sunbeam.pt", "192.168.105.3.sslip.io").
+    #[serde(default)]
+    pub domain: String,
+
+    /// Kubernetes context name (e.g. "production", "sunbeam").
+    #[serde(default, rename = "kube-context")]
+    pub kube_context: String,
+
+    /// SSH host for production tunnel (e.g. "sienna@62.210.145.138").
+    #[serde(default, rename = "ssh-host")]
+    pub ssh_host: String,
+
+    /// Infrastructure directory root.
+    #[serde(default, rename = "infra-dir")]
+    pub infra_dir: String,
+
+    /// ACME email for cert-manager.
+    #[serde(default, rename = "acme-email")]
+    pub acme_email: String,
+}
+
+// ---------------------------------------------------------------------------
+// Active context (set once at startup, read everywhere)
+// ---------------------------------------------------------------------------
+
+static ACTIVE_CONTEXT: OnceLock<Context> = OnceLock::new();
+
+/// Initialize the active context. Called once from cli::dispatch().
+pub fn set_active_context(ctx: Context) {
+    let _ = ACTIVE_CONTEXT.set(ctx);
+}
+
+/// Get the active context. Panics if not initialized (should never happen
+/// after dispatch starts).
+pub fn active_context() -> &'static Context {
+    ACTIVE_CONTEXT.get().expect("active context not initialized")
+}
+
+/// Get the domain from the active context. Returns empty string if not set.
+pub fn domain() -> &'static str {
+    ACTIVE_CONTEXT
+        .get()
+        .map(|c| c.domain.as_str())
+        .unwrap_or("")
+}
+
+// ---------------------------------------------------------------------------
+// Config file I/O
+// ---------------------------------------------------------------------------
+
+fn config_path() -> PathBuf {
+    dirs::home_dir()
+        .unwrap_or_else(|| PathBuf::from("."))
+        .join(".sunbeam.json")
+}
+
+/// Load configuration from ~/.sunbeam.json, return default if not found.
+/// Migrates legacy flat config to context-based format.
+pub fn load_config() -> SunbeamConfig {
+    let path = config_path();
+    if !path.exists() {
+        return SunbeamConfig::default();
+    }
+    let mut config: SunbeamConfig = match std::fs::read_to_string(&path) {
+        Ok(content) => serde_json::from_str(&content).unwrap_or_else(|e| {
+            crate::output::warn(&format!(
+                "Failed to parse config from {}: {e}",
+                path.display()
+            ));
+            SunbeamConfig::default()
+        }),
+        Err(e) => {
+            crate::output::warn(&format!(
+                "Failed to read config from {}: {e}",
+                path.display()
+            ));
+            SunbeamConfig::default()
+        }
+    };
+
+    // Migrate legacy flat fields into a "production" context
+    if !config.production_host.is_empty() && !config.contexts.contains_key("production") {
+        let domain = derive_domain_from_host(&config.production_host);
+        config.contexts.insert(
+            "production".to_string(),
+            Context {
+                domain,
+                kube_context: "production".to_string(),
+                ssh_host: config.production_host.clone(),
+                infra_dir: config.infra_directory.clone(),
+                acme_email: config.acme_email.clone(),
+            },
+        );
+        if config.current_context.is_empty() {
+            config.current_context = "production".to_string();
+        }
+    }
+
+    config
+}
+
+/// Save configuration to ~/.sunbeam.json.
+pub fn save_config(config: &SunbeamConfig) -> Result<()> {
+    let path = config_path();
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent).with_ctx(|| {
+            format!("Failed to create config directory: {}", parent.display())
+        })?;
+    }
+    let content = serde_json::to_string_pretty(config)?;
+    std::fs::write(&path, content)
+        .with_ctx(|| format!("Failed to save config to {}", path.display()))?;
+    crate::output::ok(&format!("Configuration saved to {}", path.display()));
+    Ok(())
+}
+
+/// Resolve the context to use, given CLI flags and config.
+///
+/// Priority (same as kubectl):
+///   1. `--context` flag (explicit context name)
+///   2. `current-context` from config
+///   3. Default to "local"
+pub fn resolve_context(
+    config: &SunbeamConfig,
+    _env_flag: &str,
+    context_override: Option<&str>,
+    domain_override: &str,
+) -> Context {
+    let context_name = if let Some(explicit) = context_override {
+        explicit.to_string()
+    } else if !config.current_context.is_empty() {
+        config.current_context.clone()
+    } else {
+        "local".to_string()
+    };
+
+    let mut ctx = config
+        .contexts
+        .get(&context_name)
+        .cloned()
+        .unwrap_or_else(|| {
+            // Synthesize defaults for well-known names
+            match context_name.as_str() {
+                "local" => Context {
+                    kube_context: "sunbeam".to_string(),
+                    ..Default::default()
+                },
+                "production" => Context {
+                    kube_context: "production".to_string(),
+                    ssh_host: config.production_host.clone(),
+                    infra_dir: config.infra_directory.clone(),
+                    acme_email: config.acme_email.clone(),
+                    domain: derive_domain_from_host(&config.production_host),
+                    ..Default::default()
+                },
+                _ => Default::default(),
+            }
+        });
+
+    // CLI flags override context values
+    if !domain_override.is_empty() {
+        ctx.domain = domain_override.to_string();
+    }
+
+    ctx
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/// Derive a domain from an SSH host (e.g. "user@admin.sunbeam.pt" → "sunbeam.pt").
+fn derive_domain_from_host(host: &str) -> String {
+    let raw = host.split('@').last().unwrap_or(host);
+    let raw = raw.split(':').next().unwrap_or(raw);
+    let parts: Vec<&str> = raw.split('.').collect();
+    if parts.len() >= 2 {
+        format!("{}.{}", parts[parts.len() - 2], parts[parts.len() - 1])
+    } else {
+        String::new()
+    }
+}
+
+/// Get production host from config or SUNBEAM_SSH_HOST environment variable.
+pub fn get_production_host() -> String {
+    let config = load_config();
+    // Check active context first
+    if let Some(ctx) = ACTIVE_CONTEXT.get() {
+        if !ctx.ssh_host.is_empty() {
+            return ctx.ssh_host.clone();
+        }
+    }
+    if !config.production_host.is_empty() {
+        return config.production_host;
+    }
+    std::env::var("SUNBEAM_SSH_HOST").unwrap_or_default()
+}
+
+/// Infrastructure manifests directory as a Path.
+pub fn get_infra_dir() -> PathBuf {
+    // Check active context
+    if let Some(ctx) = ACTIVE_CONTEXT.get() {
+        if !ctx.infra_dir.is_empty() {
+            return PathBuf::from(&ctx.infra_dir);
+        }
+    }
+    let configured = load_config().infra_directory;
+    if !configured.is_empty() {
+        return PathBuf::from(configured);
+    }
+    // Dev fallback
+    std::env::current_exe()
+        .ok()
+        .and_then(|p| p.canonicalize().ok())
+        .and_then(|p| {
+            let mut dir = p.as_path();
+            for _ in 0..10 {
+                dir = dir.parent()?;
+                if dir.join("infrastructure").is_dir() {
+                    return Some(dir.join("infrastructure"));
+                }
+            }
+            None
+        })
+        .unwrap_or_else(|| PathBuf::from("infrastructure"))
+}
+
+/// Monorepo root directory (parent of the infrastructure directory).
+pub fn get_repo_root() -> PathBuf {
+    get_infra_dir()
+        .parent()
+        .map(|p| p.to_path_buf())
+        .unwrap_or_else(|| PathBuf::from("."))
+}
+
+/// Clear configuration file.
+pub fn clear_config() -> Result<()> {
+    let path = config_path();
+    if path.exists() {
+        std::fs::remove_file(&path)
+            .with_ctx(|| format!("Failed to remove {}", path.display()))?;
+        crate::output::ok(&format!("Configuration cleared from {}", path.display()));
+    } else {
+        crate::output::warn("No configuration file found to clear");
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_default_config() {
+        let config = SunbeamConfig::default();
+        assert!(config.current_context.is_empty());
+        assert!(config.contexts.is_empty());
+    }
+
+    #[test]
+    fn test_derive_domain_from_host() {
+        assert_eq!(derive_domain_from_host("sienna@admin.sunbeam.pt"), "sunbeam.pt");
+        assert_eq!(derive_domain_from_host("user@62.210.145.138"), "145.138");
+        assert_eq!(derive_domain_from_host("sunbeam.pt"), "sunbeam.pt");
+        assert_eq!(derive_domain_from_host("localhost"), "");
+    }
+
+    #[test]
+    fn test_legacy_migration() {
+        let json = r#"{
+            "production_host": "sienna@62.210.145.138",
+            "infra_directory": "/path/to/infra",
+            "acme_email": "ops@sunbeam.pt"
+        }"#;
+        let config: SunbeamConfig = serde_json::from_str(json).unwrap();
+        // After load_config migration, contexts would be populated.
+        // Here we just test the struct deserializes legacy fields.
+        assert_eq!(config.production_host, "sienna@62.210.145.138");
+        assert!(config.contexts.is_empty()); // migration happens in load_config()
+    }
+
+    #[test]
+    fn test_context_roundtrip() {
+        let mut config = SunbeamConfig::default();
+        config.current_context = "production".to_string();
+        config.contexts.insert(
+            "production".to_string(),
+            Context {
+                domain: "sunbeam.pt".to_string(),
+                kube_context: "production".to_string(),
+                ssh_host: "sienna@server.sunbeam.pt".to_string(),
+                infra_dir: "/home/infra".to_string(),
+                acme_email: "ops@sunbeam.pt".to_string(),
+            },
+        );
+        let json = serde_json::to_string(&config).unwrap();
+        let loaded: SunbeamConfig = serde_json::from_str(&json).unwrap();
+        assert_eq!(loaded.current_context, "production");
+        let ctx = loaded.contexts.get("production").unwrap();
+        assert_eq!(ctx.domain, "sunbeam.pt");
+        assert_eq!(ctx.ssh_host, "sienna@server.sunbeam.pt");
+    }
+
+    #[test]
+    fn test_resolve_context_explicit_flag() {
+        let mut config = SunbeamConfig::default();
+        config.contexts.insert(
+            "production".to_string(),
+            Context {
+                domain: "sunbeam.pt".to_string(),
+                kube_context: "production".to_string(),
+                ..Default::default()
+            },
+        );
+        // --context production explicitly selects the named context
+        let ctx = resolve_context(&config, "", Some("production"), "");
+        assert_eq!(ctx.domain, "sunbeam.pt");
+        assert_eq!(ctx.kube_context, "production");
+    }
+
+    #[test]
+    fn test_resolve_context_current_context() {
+        let mut config = SunbeamConfig::default();
+        config.current_context = "staging".to_string();
+        config.contexts.insert(
+            "staging".to_string(),
+            Context {
+                domain: "staging.example.com".to_string(),
+                ..Default::default()
+            },
+        );
+        // No --context flag, uses current-context
+        let ctx = resolve_context(&config, "", None, "");
+        assert_eq!(ctx.domain, "staging.example.com");
+    }
+
+    #[test]
+    fn test_resolve_context_domain_override() {
+        let config = SunbeamConfig::default();
+        let ctx = resolve_context(&config, "", None, "custom.example.com");
+        assert_eq!(ctx.domain, "custom.example.com");
+    }
+
+    #[test]
+    fn test_resolve_context_defaults_local() {
+        let config = SunbeamConfig::default();
+        // No current-context, no --context flag → defaults to "local"
+        let ctx = resolve_context(&config, "", None, "");
+        assert_eq!(ctx.kube_context, "sunbeam");
+    }
+
+    #[test]
+    fn test_resolve_context_flag_overrides_current() {
+        let mut config = SunbeamConfig::default();
+        config.current_context = "staging".to_string();
+        config.contexts.insert(
+            "staging".to_string(),
+            Context { domain: "staging.example.com".to_string(), ..Default::default() },
+        );
+        config.contexts.insert(
+            "prod".to_string(),
+            Context { domain: "prod.example.com".to_string(), ..Default::default() },
+        );
+        // --context prod overrides current-context "staging"
+        let ctx = resolve_context(&config, "", Some("prod"), "");
+        assert_eq!(ctx.domain, "prod.example.com");
+    }
+}
diff --git a/sunbeam-sdk/src/constants.rs b/sunbeam-sdk/src/constants.rs
new file mode 100644
index 0000000..5ab992e
--- /dev/null
+++ b/sunbeam-sdk/src/constants.rs
@@ -0,0 +1,16 @@
+//! Shared constants used across multiple modules.
+
+pub const GITEA_ADMIN_USER: &str = "gitea_admin";
+
+pub const MANAGED_NS: &[&str] = &[
+    "data",
+    "devtools",
+    "ingress",
+    "lasuite",
+    "matrix",
+    "media",
+    "monitoring",
+    "ory",
+    "storage",
+    "vault-secrets-operator",
+];
diff --git a/sunbeam-sdk/src/error.rs b/sunbeam-sdk/src/error.rs
new file mode 100644
index 0000000..470774f
--- /dev/null
+++ b/sunbeam-sdk/src/error.rs
@@ -0,0 +1,365 @@
+//! Unified error tree for the sunbeam CLI.
+//!
+//! Every module returns `Result<T, SunbeamError>`. Errors bubble up to `main`,
+//! which maps them to exit codes and log output.
+
+/// Exit codes for the sunbeam CLI.
+#[allow(dead_code)]
+pub mod exit {
+    pub const SUCCESS: i32 = 0;
+    pub const GENERAL: i32 = 1;
+    pub const USAGE: i32 = 2;
+    pub const KUBE: i32 = 3;
+    pub const CONFIG: i32 = 4;
+    pub const NETWORK: i32 = 5;
+    pub const SECRETS: i32 = 6;
+    pub const BUILD: i32 = 7;
+    pub const IDENTITY: i32 = 8;
+    pub const EXTERNAL_TOOL: i32 = 9;
+}
+
+/// Top-level error type for the sunbeam CLI.
+///
+/// Each variant maps to a logical error category with its own exit code.
+/// Leaf errors (io, json, yaml, kube, reqwest, etc.) are converted via `From` impls.
+#[derive(Debug, thiserror::Error)]
+pub enum SunbeamError {
+    /// Kubernetes API or cluster-related error.
+    #[error("{context}")]
+    Kube {
+        context: String,
+        #[source]
+        source: Option<kube::Error>,
+    },
+
+    /// Configuration error (missing config, invalid config, bad arguments).
+    #[error("{0}")]
+    Config(String),
+
+    /// Network/HTTP error.
+    #[error("{context}")]
+    Network {
+        context: String,
+        #[source]
+        source: Option<reqwest::Error>,
+    },
+
+    /// OpenBao / Vault error.
+    #[error("{0}")]
+    Secrets(String),
+
+    /// Image build error.
+    #[error("{0}")]
+    Build(String),
+
+    /// Identity / user management error (Kratos, Hydra).
+    #[error("{0}")]
+    Identity(String),
+
+    /// External tool error (kustomize, linkerd, buildctl, yarn, etc.).
+    #[error("{tool}: {detail}")]
+    ExternalTool { tool: String, detail: String },
+
+    /// IO error.
+    #[error("{context}: {source}")]
+    Io {
+        context: String,
+        source: std::io::Error,
+    },
+
+    /// JSON serialization/deserialization error.
+    #[error("{0}")]
+    Json(#[from] serde_json::Error),
+
+    /// YAML serialization/deserialization error.
+    #[error("{0}")]
+    Yaml(#[from] serde_yaml::Error),
+
+    /// Catch-all for errors that don't fit a specific category.
+    #[error("{0}")]
+    Other(String),
+}
+
+/// Convenience type alias used throughout the codebase.
+pub type Result<T> = std::result::Result<T, SunbeamError>;
+
+impl SunbeamError {
+    /// Map this error to a process exit code.
+    pub fn exit_code(&self) -> i32 {
+        match self {
+            SunbeamError::Config(_) => exit::CONFIG,
+            SunbeamError::Kube { .. } => exit::KUBE,
+            SunbeamError::Network { .. } => exit::NETWORK,
+            SunbeamError::Secrets(_) => exit::SECRETS,
+            SunbeamError::Build(_) => exit::BUILD,
+            SunbeamError::Identity(_) => exit::IDENTITY,
+            SunbeamError::ExternalTool { .. } => exit::EXTERNAL_TOOL,
+            SunbeamError::Io { .. } => exit::GENERAL,
+            SunbeamError::Json(_) => exit::GENERAL,
+            SunbeamError::Yaml(_) => exit::GENERAL,
+            SunbeamError::Other(_) => exit::GENERAL,
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// From impls for automatic conversion
+// ---------------------------------------------------------------------------
+
+impl From<kube::Error> for SunbeamError {
+    fn from(e: kube::Error) -> Self {
+        SunbeamError::Kube {
+            context: e.to_string(),
+            source: Some(e),
+        }
+    }
+}
+
+impl From<reqwest::Error> for SunbeamError {
+    fn from(e: reqwest::Error) -> Self {
+        SunbeamError::Network {
+            context: e.to_string(),
+            source: Some(e),
+        }
+    }
+}
+
+impl From<std::io::Error> for SunbeamError {
+    fn from(e: std::io::Error) -> Self {
+        SunbeamError::Io {
+            context: "IO error".into(),
+            source: e,
+        }
+    }
+}
+
+impl From<lettre::transport::smtp::Error> for SunbeamError {
+    fn from(e: lettre::transport::smtp::Error) -> Self {
+        SunbeamError::Network {
+            context: format!("SMTP error: {e}"),
+            source: None,
+        }
+    }
+}
+
+impl From<lettre::error::Error> for SunbeamError {
+    fn from(e: lettre::error::Error) -> Self {
+        SunbeamError::Other(format!("Email error: {e}"))
+    }
+}
+
+impl From<base64::DecodeError> for SunbeamError {
+    fn from(e: base64::DecodeError) -> Self {
+        SunbeamError::Other(format!("Base64 decode error: {e}"))
+    }
+}
+
+impl From<std::string::FromUtf8Error> for SunbeamError {
+    fn from(e: std::string::FromUtf8Error) -> Self {
+        SunbeamError::Other(format!("UTF-8 error: {e}"))
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Context extension trait (replaces anyhow's .context())
+// ---------------------------------------------------------------------------
+
+/// Extension trait that adds `.ctx()` to `Result<T, E>` for adding context strings.
+/// Replaces `anyhow::Context`.
+pub trait ResultExt<T> {
+    /// Add context to an error, converting it to `SunbeamError`.
+    fn ctx(self, context: &str) -> Result<T>;
+
+    /// Add lazy context to an error.
+    fn with_ctx<F: FnOnce() -> String>(self, f: F) -> Result<T>;
+}
+
+impl<T, E: Into<SunbeamError>> ResultExt<T> for std::result::Result<T, E> {
+    fn ctx(self, context: &str) -> Result<T> {
+        self.map_err(|e| {
+            let inner = e.into();
+            match inner {
+                SunbeamError::Kube { source, .. } => SunbeamError::Kube {
+                    context: context.to_string(),
+                    source,
+                },
+                SunbeamError::Network { source, .. } => SunbeamError::Network {
+                    context: context.to_string(),
+                    source,
+                },
+                SunbeamError::Io { source, .. } => SunbeamError::Io {
+                    context: context.to_string(),
+                    source,
+                },
+                SunbeamError::Secrets(msg) => SunbeamError::Secrets(format!("{context}: {msg}")),
+                SunbeamError::Config(msg) => SunbeamError::Config(format!("{context}: {msg}")),
+                SunbeamError::Build(msg) => SunbeamError::Build(format!("{context}: {msg}")),
+                SunbeamError::Identity(msg) => SunbeamError::Identity(format!("{context}: {msg}")),
+                SunbeamError::ExternalTool { tool, detail } => SunbeamError::ExternalTool {
+                    tool,
+                    detail: format!("{context}: {detail}"),
+                },
+                other => SunbeamError::Other(format!("{context}: {other}")),
+            }
+        })
+    }
+
+    fn with_ctx<F: FnOnce() -> String>(self, f: F) -> Result<T> {
+        self.map_err(|e| {
+            let context = f();
+            let inner = e.into();
+            match inner {
+                SunbeamError::Kube { source, .. } => SunbeamError::Kube {
+                    context,
+                    source,
+                },
+                SunbeamError::Network { source, .. } => SunbeamError::Network {
+                    context,
+                    source,
+                },
+                SunbeamError::Io { source, .. } => SunbeamError::Io {
+                    context,
+                    source,
+                },
+                SunbeamError::Secrets(msg) => SunbeamError::Secrets(format!("{context}: {msg}")),
+                SunbeamError::Config(msg) => SunbeamError::Config(format!("{context}: {msg}")),
+                SunbeamError::Build(msg) => SunbeamError::Build(format!("{context}: {msg}")),
+                SunbeamError::Identity(msg) => SunbeamError::Identity(format!("{context}: {msg}")),
+                SunbeamError::ExternalTool { tool, detail } => SunbeamError::ExternalTool {
+                    tool,
+                    detail: format!("{context}: {detail}"),
+                },
+                other => SunbeamError::Other(format!("{context}: {other}")),
+            }
+        })
+    }
+}
+
+impl<T> ResultExt<T> for Option<T> {
+    fn ctx(self, context: &str) -> Result<T> {
+        self.ok_or_else(|| SunbeamError::Other(context.to_string()))
+    }
+
+    fn with_ctx<F: FnOnce() -> String>(self, f: F) -> Result<T> {
+        self.ok_or_else(|| SunbeamError::Other(f()))
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Convenience constructors
+// ---------------------------------------------------------------------------
+
+impl SunbeamError {
+    pub fn kube(context: impl Into<String>) -> Self {
+        SunbeamError::Kube {
+            context: context.into(),
+            source: None,
+        }
+    }
+
+    pub fn config(msg: impl Into<String>) -> Self {
+        SunbeamError::Config(msg.into())
+    }
+
+    pub fn network(context: impl Into<String>) -> Self {
+        SunbeamError::Network {
+            context: context.into(),
+            source: None,
+        }
+    }
+
+    pub fn secrets(msg: impl Into<String>) -> Self {
+        SunbeamError::Secrets(msg.into())
+    }
+
+    pub fn build(msg: impl Into<String>) -> Self {
+        SunbeamError::Build(msg.into())
+    }
+
+    pub fn identity(msg: impl Into<String>) -> Self {
+        SunbeamError::Identity(msg.into())
+    }
+
+    pub fn tool(tool: impl Into<String>, detail: impl Into<String>) -> Self {
+        SunbeamError::ExternalTool {
+            tool: tool.into(),
+            detail: detail.into(),
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// bail! macro replacement
+// ---------------------------------------------------------------------------
+
+/// Like anyhow::bail! but produces a SunbeamError::Other.
+#[macro_export]
+macro_rules! bail {
+    ($($arg:tt)*) => {
+        return Err($crate::error::SunbeamError::Other(format!($($arg)*)))
+    };
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_exit_codes() {
+        assert_eq!(SunbeamError::config("bad").exit_code(), exit::CONFIG);
+        assert_eq!(SunbeamError::kube("fail").exit_code(), exit::KUBE);
+        assert_eq!(SunbeamError::network("fail").exit_code(), exit::NETWORK);
+        assert_eq!(SunbeamError::secrets("fail").exit_code(), exit::SECRETS);
+        assert_eq!(SunbeamError::build("fail").exit_code(), exit::BUILD);
+        assert_eq!(SunbeamError::identity("fail").exit_code(), exit::IDENTITY);
+        assert_eq!(
+            SunbeamError::tool("kustomize", "not found").exit_code(),
+            exit::EXTERNAL_TOOL
+        );
+        assert_eq!(SunbeamError::Other("oops".into()).exit_code(), exit::GENERAL);
+    }
+
+    #[test]
+    fn test_display_formatting() {
+        let e = SunbeamError::tool("kustomize", "build failed");
+        assert_eq!(e.to_string(), "kustomize: build failed");
+
+        let e = SunbeamError::config("missing --domain");
+        assert_eq!(e.to_string(), "missing --domain");
+    }
+
+    #[test]
+    fn test_kube_from() {
+        // Just verify the From impl compiles and categorizes correctly
+        let e = SunbeamError::kube("test");
+        assert!(matches!(e, SunbeamError::Kube { .. }));
+    }
+
+    #[test]
+    fn test_context_extension() {
+        let result: std::result::Result<(), std::io::Error> =
+            Err(std::io::Error::new(std::io::ErrorKind::NotFound, "gone"));
+        let mapped = result.ctx("reading config");
+        assert!(mapped.is_err());
+        let e = mapped.unwrap_err();
+        assert!(e.to_string().starts_with("reading config"));
+        assert_eq!(e.exit_code(), exit::GENERAL); // IO maps to general
+    }
+
+    #[test]
+    fn test_option_context() {
+        let val: Option<i32> = None;
+        let result = val.ctx("value not found");
+        assert!(result.is_err());
+        assert_eq!(result.unwrap_err().to_string(), "value not found");
+    }
+
+    #[test]
+    fn test_bail_macro() {
+        fn failing() -> Result<()> {
+            bail!("something went wrong: {}", 42);
+        }
+        let e = failing().unwrap_err();
+        assert_eq!(e.to_string(), "something went wrong: 42");
+    }
+}
diff --git a/sunbeam-sdk/src/gitea/mod.rs b/sunbeam-sdk/src/gitea/mod.rs
new file mode 100644
index 0000000..b94924c
--- /dev/null
+++ b/sunbeam-sdk/src/gitea/mod.rs
@@ -0,0 +1,429 @@
+//! Gitea bootstrap -- admin setup, org creation, OIDC auth source configuration.
+
+use crate::error::Result;
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ListParams};
+use serde_json::Value;
+
+use crate::kube::{get_client, get_domain, kube_exec, kube_get_secret_field};
+use crate::output::{ok, step, warn};
+
+const GITEA_ADMIN_USER: &str = "gitea_admin";
+const GITEA_ADMIN_EMAIL: &str = "gitea@local.domain";
+
+/// Bootstrap Gitea: set admin password, create orgs, configure OIDC.
+pub async fn cmd_bootstrap() -> Result<()> {
+    let domain = get_domain().await?;
+
+    // Retrieve gitea admin password from cluster secret
+    let gitea_admin_pass = kube_get_secret_field("devtools", "gitea-admin-credentials", "password")
+        .await
+        .unwrap_or_default();
+
+    if gitea_admin_pass.is_empty() {
+        warn("gitea-admin-credentials password not found -- cannot bootstrap.");
+        return Ok(());
+    }
+
+    step("Bootstrapping Gitea...");
+
+    // Wait for a Running + Ready Gitea pod
+    let pod_name = wait_for_gitea_pod().await?;
+    let Some(pod) = pod_name else {
+        warn("Gitea pod not ready after 3 min -- skipping bootstrap.");
+        return Ok(());
+    };
+
+    // Set admin password
+    set_admin_password(&pod, &gitea_admin_pass).await?;
+
+    // Mark admin as private
+    mark_admin_private(&pod, &gitea_admin_pass).await?;
+
+    // Create orgs
+    create_orgs(&pod, &gitea_admin_pass).await?;
+
+    // Configure OIDC auth source
+    configure_oidc(&pod, &gitea_admin_pass).await?;
+
+    ok(&format!(
+        "Gitea ready -- https://src.{domain} ({GITEA_ADMIN_USER} / <from openbao>)"
+    ));
+    Ok(())
+}
+
+/// Wait for a Running + Ready Gitea pod (up to 3 minutes).
+async fn wait_for_gitea_pod() -> Result<Option<String>> {
+    let client = get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "devtools");
+
+    for _ in 0..60 {
+        let lp = ListParams::default().labels("app.kubernetes.io/name=gitea");
+        if let Ok(pod_list) = pods.list(&lp).await {
+            for pod in &pod_list.items {
+                let phase = pod
+                    .status
+                    .as_ref()
+                    .and_then(|s| s.phase.as_deref())
+                    .unwrap_or("");
+
+                if phase != "Running" {
+                    continue;
+                }
+
+                let ready = pod
+                    .status
+                    .as_ref()
+                    .and_then(|s| s.container_statuses.as_ref())
+                    .and_then(|cs| cs.first())
+                    .map(|c| c.ready)
+                    .unwrap_or(false);
+
+                if ready {
+                    let name = pod
+                        .metadata
+                        .name
+                        .as_deref()
+                        .unwrap_or("")
+                        .to_string();
+                    if !name.is_empty() {
+                        return Ok(Some(name));
+                    }
+                }
+            }
+        }
+        tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+    }
+
+    Ok(None)
+}
+
+/// Set the admin password via gitea CLI exec.
+async fn set_admin_password(pod: &str, password: &str) -> Result<()> {
+    let (code, output) = kube_exec(
+        "devtools",
+        pod,
+        &[
+            "gitea",
+            "admin",
+            "user",
+            "change-password",
+            "--username",
+            GITEA_ADMIN_USER,
+            "--password",
+            password,
+            "--must-change-password=false",
+        ],
+        Some("gitea"),
+    )
+    .await?;
+
+    if code == 0 || output.to_lowercase().contains("password") {
+        ok(&format!("Admin '{GITEA_ADMIN_USER}' password set."));
+    } else {
+        warn(&format!("change-password: {output}"));
+    }
+    Ok(())
+}
+
+/// Call Gitea API via kubectl exec + curl inside the pod.
+async fn gitea_api(
+    pod: &str,
+    method: &str,
+    path: &str,
+    password: &str,
+    data: Option<&Value>,
+) -> Result<Value> {
+    let url = format!("http://localhost:3000/api/v1{path}");
+    let auth = format!("{GITEA_ADMIN_USER}:{password}");
+
+    let mut args = vec![
+        "curl", "-s", "-X", method, &url, "-H", "Content-Type: application/json", "-u", &auth,
+    ];
+
+    let data_str;
+    if let Some(d) = data {
+        data_str = serde_json::to_string(d)?;
+        args.push("-d");
+        args.push(&data_str);
+    }
+
+    let (_, stdout) = kube_exec("devtools", pod, &args, Some("gitea")).await?;
+
+    Ok(serde_json::from_str(&stdout).unwrap_or(Value::Object(Default::default())))
+}
+
+/// Mark the admin account as private.
+async fn mark_admin_private(pod: &str, password: &str) -> Result<()> {
+    let data = serde_json::json!({
+        "source_id": 0,
+        "login_name": GITEA_ADMIN_USER,
+        "email": GITEA_ADMIN_EMAIL,
+        "visibility": "private",
+    });
+
+    let result = gitea_api(
+        pod,
+        "PATCH",
+        &format!("/admin/users/{GITEA_ADMIN_USER}"),
+        password,
+        Some(&data),
+    )
+    .await?;
+
+    if result.get("login").and_then(|v| v.as_str()) == Some(GITEA_ADMIN_USER) {
+        ok(&format!("Admin '{GITEA_ADMIN_USER}' marked as private."));
+    } else {
+        warn(&format!("Could not set admin visibility: {result}"));
+    }
+    Ok(())
+}
+
+/// Create the studio and internal organizations.
+async fn create_orgs(pod: &str, password: &str) -> Result<()> {
+    let orgs = [
+        ("studio", "public", "Public source code"),
+        ("internal", "private", "Internal tools and services"),
+    ];
+
+    for (org_name, visibility, desc) in &orgs {
+        let data = serde_json::json!({
+            "username": org_name,
+            "visibility": visibility,
+            "description": desc,
+        });
+
+        let result = gitea_api(pod, "POST", "/orgs", password, Some(&data)).await?;
+
+        if result.get("id").is_some() {
+            ok(&format!("Created org '{org_name}'."));
+        } else if result
+            .get("message")
+            .and_then(|v| v.as_str())
+            .unwrap_or("")
+            .to_lowercase()
+            .contains("already")
+        {
+            ok(&format!("Org '{org_name}' already exists."));
+        } else {
+            let msg = result
+                .get("message")
+                .and_then(|v| v.as_str())
+                .map(|s| s.to_string())
+                .unwrap_or_else(|| format!("{result}"));
+            warn(&format!("Org '{org_name}': {msg}"));
+        }
+    }
+    Ok(())
+}
+
+/// Configure Hydra as the OIDC authentication source.
+async fn configure_oidc(pod: &str, _password: &str) -> Result<()> {
+    // List existing auth sources
+    let (_, auth_list_output) =
+        kube_exec("devtools", pod, &["gitea", "admin", "auth", "list"], Some("gitea")).await?;
+
+    let mut existing_id: Option<String> = None;
+    let mut exact_ok = false;
+
+    for line in auth_list_output.lines().skip(1) {
+        // Tab-separated: ID\tName\tType\tEnabled
+        let parts: Vec<&str> = line.split('\t').collect();
+        if parts.len() < 2 {
+            continue;
+        }
+        let src_id = parts[0].trim();
+        let src_name = parts[1].trim();
+
+        if src_name == "Sunbeam" {
+            exact_ok = true;
+            break;
+        }
+
+        let src_type = if parts.len() > 2 {
+            parts[2].trim()
+        } else {
+            ""
+        };
+
+        if src_name == "Sunbeam Auth"
+            || (src_name.starts_with("Sunbeam") && src_type == "OAuth2")
+        {
+            existing_id = Some(src_id.to_string());
+        }
+    }
+
+    if exact_ok {
+        ok("OIDC auth source 'Sunbeam' already present.");
+        return Ok(());
+    }
+
+    if let Some(eid) = existing_id {
+        // Wrong name -- rename in-place
+        let (code, stderr) = kube_exec(
+            "devtools",
+            pod,
+            &[
+                "gitea",
+                "admin",
+                "auth",
+                "update-oauth",
+                "--id",
+                &eid,
+                "--name",
+                "Sunbeam",
+            ],
+            Some("gitea"),
+        )
+        .await?;
+
+        if code == 0 {
+            ok(&format!(
+                "Renamed OIDC auth source (id={eid}) to 'Sunbeam'."
+            ));
+        } else {
+            warn(&format!("Rename failed: {stderr}"));
+        }
+        return Ok(());
+    }
+
+    // Create new OIDC auth source
+    let oidc_id = kube_get_secret_field("lasuite", "oidc-gitea", "CLIENT_ID").await;
+    let oidc_secret = kube_get_secret_field("lasuite", "oidc-gitea", "CLIENT_SECRET").await;
+
+    match (oidc_id, oidc_secret) {
+        (Ok(oidc_id), Ok(oidc_sec)) => {
+            let discover_url =
+                "http://hydra-public.ory.svc.cluster.local:4444/.well-known/openid-configuration";
+
+            let (code, stderr) = kube_exec(
+                "devtools",
+                pod,
+                &[
+                    "gitea",
+                    "admin",
+                    "auth",
+                    "add-oauth",
+                    "--name",
+                    "Sunbeam",
+                    "--provider",
+                    "openidConnect",
+                    "--key",
+                    &oidc_id,
+                    "--secret",
+                    &oidc_sec,
+                    "--auto-discover-url",
+                    discover_url,
+                    "--scopes",
+                    "openid",
+                    "--scopes",
+                    "email",
+                    "--scopes",
+                    "profile",
+                ],
+                Some("gitea"),
+            )
+            .await?;
+
+            if code == 0 {
+                ok("OIDC auth source 'Sunbeam' configured.");
+            } else {
+                warn(&format!("OIDC auth source config failed: {stderr}"));
+            }
+        }
+        _ => {
+            warn("oidc-gitea secret not found -- OIDC auth source not configured.");
+        }
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_constants() {
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+        assert_eq!(GITEA_ADMIN_EMAIL, "gitea@local.domain");
+    }
+
+    #[test]
+    fn test_org_definitions() {
+        // Verify the org configs match the Python version
+        let orgs = [
+            ("studio", "public", "Public source code"),
+            ("internal", "private", "Internal tools and services"),
+        ];
+        assert_eq!(orgs[0].0, "studio");
+        assert_eq!(orgs[0].1, "public");
+        assert_eq!(orgs[1].0, "internal");
+        assert_eq!(orgs[1].1, "private");
+    }
+
+    #[test]
+    fn test_parse_auth_list_output() {
+        let output = "ID\tName\tType\tEnabled\n1\tSunbeam\tOAuth2\ttrue\n";
+        let mut found = false;
+        for line in output.lines().skip(1) {
+            let parts: Vec<&str> = line.split('\t').collect();
+            if parts.len() >= 2 && parts[1].trim() == "Sunbeam" {
+                found = true;
+            }
+        }
+        assert!(found);
+    }
+
+    #[test]
+    fn test_parse_auth_list_rename_needed() {
+        let output = "ID\tName\tType\tEnabled\n5\tSunbeam Auth\tOAuth2\ttrue\n";
+        let mut rename_id: Option<String> = None;
+        for line in output.lines().skip(1) {
+            let parts: Vec<&str> = line.split('\t').collect();
+            if parts.len() >= 3 {
+                let name = parts[1].trim();
+                let typ = parts[2].trim();
+                if name == "Sunbeam Auth" || (name.starts_with("Sunbeam") && typ == "OAuth2") {
+                    rename_id = Some(parts[0].trim().to_string());
+                }
+            }
+        }
+        assert_eq!(rename_id, Some("5".to_string()));
+    }
+
+    #[test]
+    fn test_gitea_api_response_parsing() {
+        // Simulate a successful org creation response
+        let json_str = r#"{"id": 1, "username": "studio"}"#;
+        let val: Value = serde_json::from_str(json_str).unwrap();
+        assert!(val.get("id").is_some());
+
+        // Simulate an "already exists" response
+        let json_str = r#"{"message": "organization already exists"}"#;
+        let val: Value = serde_json::from_str(json_str).unwrap();
+        assert!(val
+            .get("message")
+            .unwrap()
+            .as_str()
+            .unwrap()
+            .to_lowercase()
+            .contains("already"));
+    }
+
+    #[test]
+    fn test_admin_visibility_patch_body() {
+        let data = serde_json::json!({
+            "source_id": 0,
+            "login_name": GITEA_ADMIN_USER,
+            "email": GITEA_ADMIN_EMAIL,
+            "visibility": "private",
+        });
+        assert_eq!(data["login_name"], "gitea_admin");
+        assert_eq!(data["visibility"], "private");
+    }
+}
diff --git a/sunbeam-sdk/src/images/builders.rs b/sunbeam-sdk/src/images/builders.rs
new file mode 100644
index 0000000..a0bd9c9
--- /dev/null
+++ b/sunbeam-sdk/src/images/builders.rs
@@ -0,0 +1,806 @@
+//! Per-service image build functions.
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use crate::output::{ok, step, warn};
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+
+use super::{build_image, deploy_rollout, get_build_env};
+
+/// Message component definition: (cli_name, image_name, dockerfile_rel, target).
+pub const MESSAGES_COMPONENTS: &[(&str, &str, &str, Option<&str>)] = &[
+    (
+        "messages-backend",
+        "messages-backend",
+        "src/backend/Dockerfile",
+        Some("runtime-distroless-prod"),
+    ),
+    (
+        "messages-frontend",
+        "messages-frontend",
+        "src/frontend/Dockerfile",
+        Some("runtime-prod"),
+    ),
+    (
+        "messages-mta-in",
+        "messages-mta-in",
+        "src/mta-in/Dockerfile",
+        None,
+    ),
+    (
+        "messages-mta-out",
+        "messages-mta-out",
+        "src/mta-out/Dockerfile",
+        None,
+    ),
+    (
+        "messages-mpa",
+        "messages-mpa",
+        "src/mpa/rspamd/Dockerfile",
+        None,
+    ),
+    (
+        "messages-socks-proxy",
+        "messages-socks-proxy",
+        "src/socks-proxy/Dockerfile",
+        None,
+    ),
+];
+
+pub async fn build_proxy(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let proxy_dir = crate::config::get_repo_root().join("proxy");
+    if !proxy_dir.is_dir() {
+        return Err(SunbeamError::build(format!("Proxy source not found at {}", proxy_dir.display())));
+    }
+
+    let image = format!("{}/studio/proxy:latest", env.registry);
+    step(&format!("Building sunbeam-proxy -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &proxy_dir.join("Dockerfile"),
+        &proxy_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["pingora"], "ingress", 120, Some(&[image])).await?;
+    }
+    Ok(())
+}
+
+pub async fn build_tuwunel(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let tuwunel_dir = crate::config::get_repo_root().join("tuwunel");
+    if !tuwunel_dir.is_dir() {
+        return Err(SunbeamError::build(format!("Tuwunel source not found at {}", tuwunel_dir.display())));
+    }
+
+    let image = format!("{}/studio/tuwunel:latest", env.registry);
+    step(&format!("Building tuwunel -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &tuwunel_dir.join("Dockerfile"),
+        &tuwunel_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["tuwunel"], "matrix", 180, Some(&[image])).await?;
+    }
+    Ok(())
+}
+
+pub async fn build_integration(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let sunbeam_dir = crate::config::get_repo_root();
+    let integration_service_dir = sunbeam_dir.join("integration-service");
+    let dockerfile = integration_service_dir.join("Dockerfile");
+    let dockerignore = integration_service_dir.join(".dockerignore");
+
+    if !dockerfile.exists() {
+        return Err(SunbeamError::build(format!(
+            "integration-service Dockerfile not found at {}",
+            dockerfile.display()
+        )));
+    }
+    if !sunbeam_dir
+        .join("integration")
+        .join("packages")
+        .join("widgets")
+        .is_dir()
+    {
+        return Err(SunbeamError::build(format!(
+            "integration repo not found at {} -- \
+             run: cd sunbeam && git clone https://github.com/suitenumerique/integration.git",
+            sunbeam_dir.join("integration").display()
+        )));
+    }
+
+    let image = format!("{}/studio/integration:latest", env.registry);
+    step(&format!("Building integration -> {image} ..."));
+
+    // .dockerignore needs to be at context root
+    let root_ignore = sunbeam_dir.join(".dockerignore");
+    let mut copied_ignore = false;
+    if !root_ignore.exists() && dockerignore.exists() {
+        std::fs::copy(&dockerignore, &root_ignore).ok();
+        copied_ignore = true;
+    }
+
+    let result = build_image(
+        &env,
+        &image,
+        &dockerfile,
+        &sunbeam_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await;
+
+    if copied_ignore && root_ignore.exists() {
+        let _ = std::fs::remove_file(&root_ignore);
+    }
+
+    result?;
+
+    if deploy {
+        deploy_rollout(&env, &["integration"], "lasuite", 120, None).await?;
+    }
+    Ok(())
+}
+
+pub async fn build_kratos_admin(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let kratos_admin_dir = crate::config::get_repo_root().join("kratos-admin");
+    if !kratos_admin_dir.is_dir() {
+        return Err(SunbeamError::build(format!(
+            "kratos-admin source not found at {}",
+            kratos_admin_dir.display()
+        )));
+    }
+
+    let image = format!("{}/studio/kratos-admin-ui:latest", env.registry);
+    step(&format!("Building kratos-admin-ui -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &kratos_admin_dir.join("Dockerfile"),
+        &kratos_admin_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["kratos-admin-ui"], "ory", 120, None).await?;
+    }
+    Ok(())
+}
+
+pub async fn build_meet(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let meet_dir = crate::config::get_repo_root().join("meet");
+    if !meet_dir.is_dir() {
+        return Err(SunbeamError::build(format!("meet source not found at {}", meet_dir.display())));
+    }
+
+    let backend_image = format!("{}/studio/meet-backend:latest", env.registry);
+    let frontend_image = format!("{}/studio/meet-frontend:latest", env.registry);
+
+    // Backend
+    step(&format!("Building meet-backend -> {backend_image} ..."));
+    build_image(
+        &env,
+        &backend_image,
+        &meet_dir.join("Dockerfile"),
+        &meet_dir,
+        Some("backend-production"),
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    // Frontend
+    step(&format!("Building meet-frontend -> {frontend_image} ..."));
+    let frontend_dockerfile = meet_dir.join("src").join("frontend").join("Dockerfile");
+    if !frontend_dockerfile.exists() {
+        return Err(SunbeamError::build(format!(
+            "meet frontend Dockerfile not found at {}",
+            frontend_dockerfile.display()
+        )));
+    }
+
+    let mut build_args = HashMap::new();
+    build_args.insert("VITE_API_BASE_URL".to_string(), String::new());
+
+    build_image(
+        &env,
+        &frontend_image,
+        &frontend_dockerfile,
+        &meet_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(
+            &env,
+            &["meet-backend", "meet-celery-worker", "meet-frontend"],
+            "lasuite",
+            180,
+            None,
+        )
+        .await?;
+    }
+    Ok(())
+}
+
+pub async fn build_people(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let people_dir = crate::config::get_repo_root().join("people");
+    if !people_dir.is_dir() {
+        return Err(SunbeamError::build(format!("people source not found at {}", people_dir.display())));
+    }
+
+    let workspace_dir = people_dir.join("src").join("frontend");
+    let app_dir = workspace_dir.join("apps").join("desk");
+    let dockerfile = workspace_dir.join("Dockerfile");
+    if !dockerfile.exists() {
+        return Err(SunbeamError::build(format!("Dockerfile not found at {}", dockerfile.display())));
+    }
+
+    let image = format!("{}/studio/people-frontend:latest", env.registry);
+    step(&format!("Building people-frontend -> {image} ..."));
+
+    // yarn install
+    ok("Updating yarn.lock (yarn install in workspace)...");
+    let yarn_status = tokio::process::Command::new("yarn")
+        .args(["install", "--ignore-engines"])
+        .current_dir(&workspace_dir)
+        .status()
+        .await
+        .ctx("Failed to run yarn install")?;
+    if !yarn_status.success() {
+        return Err(SunbeamError::tool("yarn", "install failed"));
+    }
+
+    // cunningham design tokens
+    ok("Regenerating cunningham design tokens...");
+    let cunningham_bin = workspace_dir
+        .join("node_modules")
+        .join(".bin")
+        .join("cunningham");
+    let cunningham_status = tokio::process::Command::new(&cunningham_bin)
+        .args(["-g", "css,ts", "-o", "src/cunningham", "--utility-classes"])
+        .current_dir(&app_dir)
+        .status()
+        .await
+        .ctx("Failed to run cunningham")?;
+    if !cunningham_status.success() {
+        return Err(SunbeamError::tool("cunningham", "design token generation failed"));
+    }
+
+    let mut build_args = HashMap::new();
+    build_args.insert("DOCKER_USER".to_string(), "101".to_string());
+
+    build_image(
+        &env,
+        &image,
+        &dockerfile,
+        &people_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["people-frontend"], "lasuite", 180, None).await?;
+    }
+    Ok(())
+}
+
+pub async fn build_messages(what: &str, push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let messages_dir = crate::config::get_repo_root().join("messages");
+    if !messages_dir.is_dir() {
+        return Err(SunbeamError::build(format!("messages source not found at {}", messages_dir.display())));
+    }
+
+    let components: Vec<_> = if what == "messages" {
+        MESSAGES_COMPONENTS.to_vec()
+    } else {
+        MESSAGES_COMPONENTS
+            .iter()
+            .filter(|(name, _, _, _)| *name == what)
+            .copied()
+            .collect()
+    };
+
+    let mut built_images = Vec::new();
+
+    for (component, image_name, dockerfile_rel, target) in &components {
+        let dockerfile = messages_dir.join(dockerfile_rel);
+        if !dockerfile.exists() {
+            warn(&format!(
+                "Dockerfile not found at {} -- skipping {component}",
+                dockerfile.display()
+            ));
+            continue;
+        }
+
+        let image = format!("{}/studio/{image_name}:latest", env.registry);
+        let context_dir = dockerfile.parent().unwrap_or(&messages_dir);
+        step(&format!("Building {component} -> {image} ..."));
+
+        // Patch ghcr.io/astral-sh/uv COPY for messages-backend on local builds
+        let mut cleanup_paths = Vec::new();
+        let actual_dockerfile;
+
+        if !env.is_prod && *image_name == "messages-backend" {
+            let (patched, cleanup) =
+                patch_dockerfile_uv(&dockerfile, context_dir, &env.platform).await?;
+            actual_dockerfile = patched;
+            cleanup_paths = cleanup;
+        } else {
+            actual_dockerfile = dockerfile.clone();
+        }
+
+        build_image(
+            &env,
+            &image,
+            &actual_dockerfile,
+            context_dir,
+            *target,
+            None,
+            push,
+            no_cache,
+            &cleanup_paths,
+        )
+        .await?;
+
+        built_images.push(image);
+    }
+
+    if deploy && !built_images.is_empty() {
+        deploy_rollout(
+            &env,
+            &[
+                "messages-backend",
+                "messages-worker",
+                "messages-frontend",
+                "messages-mta-in",
+                "messages-mta-out",
+                "messages-mpa",
+                "messages-socks-proxy",
+            ],
+            "lasuite",
+            180,
+            None,
+        )
+        .await?;
+    }
+
+    Ok(())
+}
+
+/// Build a La Suite frontend image from source and push to the Gitea registry.
+#[allow(clippy::too_many_arguments)]
+pub async fn build_la_suite_frontend(
+    app: &str,
+    repo_dir: &Path,
+    workspace_rel: &str,
+    app_rel: &str,
+    dockerfile_rel: &str,
+    image_name: &str,
+    deployment: &str,
+    namespace: &str,
+    push: bool,
+    deploy: bool,
+    no_cache: bool,
+) -> Result<()> {
+    let env = get_build_env().await?;
+
+    let workspace_dir = repo_dir.join(workspace_rel);
+    let app_dir = repo_dir.join(app_rel);
+    let dockerfile = repo_dir.join(dockerfile_rel);
+
+    if !repo_dir.is_dir() {
+        return Err(SunbeamError::build(format!("{app} source not found at {}", repo_dir.display())));
+    }
+    if !dockerfile.exists() {
+        return Err(SunbeamError::build(format!("Dockerfile not found at {}", dockerfile.display())));
+    }
+
+    let image = format!("{}/studio/{image_name}:latest", env.registry);
+    step(&format!("Building {app} -> {image} ..."));
+
+    ok("Updating yarn.lock (yarn install in workspace)...");
+    let yarn_status = tokio::process::Command::new("yarn")
+        .args(["install", "--ignore-engines"])
+        .current_dir(&workspace_dir)
+        .status()
+        .await
+        .ctx("Failed to run yarn install")?;
+    if !yarn_status.success() {
+        return Err(SunbeamError::tool("yarn", "install failed"));
+    }
+
+    ok("Regenerating cunningham design tokens (yarn build-theme)...");
+    let theme_status = tokio::process::Command::new("yarn")
+        .args(["build-theme"])
+        .current_dir(&app_dir)
+        .status()
+        .await
+        .ctx("Failed to run yarn build-theme")?;
+    if !theme_status.success() {
+        return Err(SunbeamError::tool("yarn", "build-theme failed"));
+    }
+
+    let mut build_args = HashMap::new();
+    build_args.insert("DOCKER_USER".to_string(), "101".to_string());
+
+    build_image(
+        &env,
+        &image,
+        &dockerfile,
+        repo_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &[deployment], namespace, 180, None).await?;
+    }
+    Ok(())
+}
+
+/// Download uv from GitHub releases and return a patched Dockerfile path.
+pub async fn patch_dockerfile_uv(
+    dockerfile_path: &Path,
+    context_dir: &Path,
+    platform: &str,
+) -> Result<(PathBuf, Vec<PathBuf>)> {
+    let content = std::fs::read_to_string(dockerfile_path)
+        .ctx("Failed to read Dockerfile for uv patching")?;
+
+    // Match COPY --from=ghcr.io/astral-sh/uv@sha256:... /uv /uvx /bin/
+    let original_copy = content
+        .lines()
+        .find(|line| {
+            line.contains("COPY")
+                && line.contains("--from=ghcr.io/astral-sh/uv@sha256:")
+                && line.contains("/uv")
+                && line.contains("/bin/")
+        })
+        .map(|line| line.trim().to_string());
+
+    let original_copy = match original_copy {
+        Some(c) => c,
+        None => return Ok((dockerfile_path.to_path_buf(), vec![])),
+    };
+
+    // Find uv version from comment like: oci://ghcr.io/astral-sh/uv:0.x.y
+    let version = content
+        .lines()
+        .find_map(|line| {
+            let marker = "oci://ghcr.io/astral-sh/uv:";
+            if let Some(idx) = line.find(marker) {
+                let rest = &line[idx + marker.len()..];
+                let ver = rest.split_whitespace().next().unwrap_or("");
+                if !ver.is_empty() {
+                    Some(ver.to_string())
+                } else {
+                    None
+                }
+            } else {
+                None
+            }
+        });
+
+    let version = match version {
+        Some(v) => v,
+        None => {
+            warn("Could not find uv version comment in Dockerfile; ghcr.io pull may fail.");
+            return Ok((dockerfile_path.to_path_buf(), vec![]));
+        }
+    };
+
+    let arch = if platform.contains("amd64") {
+        "x86_64"
+    } else {
+        "aarch64"
+    };
+
+    let url = format!(
+        "https://github.com/astral-sh/uv/releases/download/{version}/uv-{arch}-unknown-linux-gnu.tar.gz"
+    );
+
+    let stage_dir = context_dir.join("_sunbeam_uv_stage");
+    let patched_df = dockerfile_path
+        .parent()
+        .unwrap_or(dockerfile_path)
+        .join("Dockerfile._sunbeam_patched");
+    let cleanup = vec![stage_dir.clone(), patched_df.clone()];
+
+    ok(&format!(
+        "Downloading uv {version} ({arch}) from GitHub releases to bypass ghcr.io..."
+    ));
+
+    std::fs::create_dir_all(&stage_dir)?;
+
+    // Download tarball
+    let response = reqwest::get(&url)
+        .await
+        .ctx("Failed to download uv release")?;
+    let tarball_bytes = response.bytes().await?;
+
+    // Extract uv and uvx from tarball
+    let decoder = flate2::read::GzDecoder::new(&tarball_bytes[..]);
+    let mut archive = tar::Archive::new(decoder);
+
+    for entry in archive.entries()? {
+        let mut entry = entry?;
+        let path = entry.path()?.to_path_buf();
+        let file_name = path
+            .file_name()
+            .unwrap_or_default()
+            .to_string_lossy()
+            .to_string();
+
+        if (file_name == "uv" || file_name == "uvx") && entry.header().entry_type().is_file() {
+            let dest = stage_dir.join(&file_name);
+            let mut outfile = std::fs::File::create(&dest)?;
+            std::io::copy(&mut entry, &mut outfile)?;
+
+            #[cfg(unix)]
+            {
+                use std::os::unix::fs::PermissionsExt;
+                std::fs::set_permissions(&dest, std::fs::Permissions::from_mode(0o755))?;
+            }
+        }
+    }
+
+    if !stage_dir.join("uv").exists() {
+        warn("uv binary not found in release tarball; build may fail.");
+        return Ok((dockerfile_path.to_path_buf(), cleanup));
+    }
+
+    let patched = content.replace(
+        &original_copy,
+        "COPY _sunbeam_uv_stage/uv _sunbeam_uv_stage/uvx /bin/",
+    );
+    std::fs::write(&patched_df, patched)?;
+    ok(&format!("  uv {version} staged; using patched Dockerfile."));
+
+    Ok((patched_df, cleanup))
+}
+
+pub async fn build_projects(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let projects_dir = crate::config::get_repo_root().join("projects");
+    if !projects_dir.is_dir() {
+        return Err(SunbeamError::build(format!("projects source not found at {}", projects_dir.display())));
+    }
+
+    let image = format!("{}/studio/projects:latest", env.registry);
+    step(&format!("Building projects -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &projects_dir.join("Dockerfile"),
+        &projects_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["projects"], "lasuite", 180, Some(&[image])).await?;
+    }
+    Ok(())
+}
+
+// TODO: first deploy requires registration enabled on tuwunel to create
+// the @sol:sunbeam.pt bot account. Flow:
+//   1. Set allow_registration = true in tuwunel-config.yaml
+//   2. Apply + restart tuwunel
+//   3. Register bot via POST /_matrix/client/v3/register with registration token
+//   4. Store access_token + device_id in OpenBao at secret/sol
+//   5. Set allow_registration = false, re-apply
+//   6. Then build + deploy sol
+// This should be automated as `sunbeam user create-bot <name>`.
+pub async fn build_sol(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let sol_dir = crate::config::get_repo_root().join("sol");
+    if !sol_dir.is_dir() {
+        return Err(SunbeamError::build(format!("Sol source not found at {}", sol_dir.display())));
+    }
+
+    let image = format!("{}/studio/sol:latest", env.registry);
+    step(&format!("Building sol -> {image} ..."));
+
+    build_image(
+        &env,
+        &image,
+        &sol_dir.join("Dockerfile"),
+        &sol_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(&env, &["sol"], "matrix", 120, None).await?;
+    }
+    Ok(())
+}
+
+pub async fn build_calendars(push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    let env = get_build_env().await?;
+    let cal_dir = crate::config::get_repo_root().join("calendars");
+    if !cal_dir.is_dir() {
+        return Err(SunbeamError::build(format!("calendars source not found at {}", cal_dir.display())));
+    }
+
+    let backend_dir = cal_dir.join("src").join("backend");
+    let backend_image = format!("{}/studio/calendars-backend:latest", env.registry);
+    step(&format!("Building calendars-backend -> {backend_image} ..."));
+
+    // Stage translations.json into the build context
+    let translations_src = cal_dir
+        .join("src")
+        .join("frontend")
+        .join("apps")
+        .join("calendars")
+        .join("src")
+        .join("features")
+        .join("i18n")
+        .join("translations.json");
+
+    let translations_dst = backend_dir.join("_translations.json");
+    let mut cleanup: Vec<PathBuf> = Vec::new();
+    let mut dockerfile = backend_dir.join("Dockerfile");
+
+    if translations_src.exists() {
+        std::fs::copy(&translations_src, &translations_dst)?;
+        cleanup.push(translations_dst);
+
+        // Patch Dockerfile to COPY translations into production image
+        let mut content = std::fs::read_to_string(&dockerfile)?;
+        content.push_str(
+            "\n# Sunbeam: bake translations.json for default calendar names\n\
+             COPY _translations.json /data/translations.json\n",
+        );
+        let patched_df = backend_dir.join("Dockerfile._sunbeam_patched");
+        std::fs::write(&patched_df, content)?;
+        cleanup.push(patched_df.clone());
+        dockerfile = patched_df;
+    }
+
+    build_image(
+        &env,
+        &backend_image,
+        &dockerfile,
+        &backend_dir,
+        Some("backend-production"),
+        None,
+        push,
+        no_cache,
+        &cleanup,
+    )
+    .await?;
+
+    // caldav
+    let caldav_image = format!("{}/studio/calendars-caldav:latest", env.registry);
+    step(&format!("Building calendars-caldav -> {caldav_image} ..."));
+    let caldav_dir = cal_dir.join("src").join("caldav");
+    build_image(
+        &env,
+        &caldav_image,
+        &caldav_dir.join("Dockerfile"),
+        &caldav_dir,
+        None,
+        None,
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    // frontend
+    let frontend_image = format!("{}/studio/calendars-frontend:latest", env.registry);
+    step(&format!(
+        "Building calendars-frontend -> {frontend_image} ..."
+    ));
+    let integration_base = format!("https://integration.{}", env.domain);
+    let mut build_args = HashMap::new();
+    build_args.insert(
+        "VISIO_BASE_URL".to_string(),
+        format!("https://meet.{}", env.domain),
+    );
+    build_args.insert(
+        "GAUFRE_WIDGET_PATH".to_string(),
+        format!("{integration_base}/api/v2/lagaufre.js"),
+    );
+    build_args.insert(
+        "GAUFRE_API_URL".to_string(),
+        format!("{integration_base}/api/v2/services.json"),
+    );
+    build_args.insert(
+        "THEME_CSS_URL".to_string(),
+        format!("{integration_base}/api/v2/theme.css"),
+    );
+
+    let frontend_dir = cal_dir.join("src").join("frontend");
+    build_image(
+        &env,
+        &frontend_image,
+        &frontend_dir.join("Dockerfile"),
+        &frontend_dir,
+        Some("frontend-production"),
+        Some(&build_args),
+        push,
+        no_cache,
+        &[],
+    )
+    .await?;
+
+    if deploy {
+        deploy_rollout(
+            &env,
+            &[
+                "calendars-backend",
+                "calendars-worker",
+                "calendars-caldav",
+                "calendars-frontend",
+            ],
+            "lasuite",
+            180,
+            Some(&[backend_image, caldav_image, frontend_image]),
+        )
+        .await?;
+    }
+    Ok(())
+}
diff --git a/sunbeam-sdk/src/images/mod.rs b/sunbeam-sdk/src/images/mod.rs
new file mode 100644
index 0000000..b71f65d
--- /dev/null
+++ b/sunbeam-sdk/src/images/mod.rs
@@ -0,0 +1,1070 @@
+//! Image building, mirroring, and pushing to Gitea registry.
+
+pub mod builders;
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use base64::Engine;
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::process::Stdio;
+
+use crate::constants::{GITEA_ADMIN_USER, MANAGED_NS};
+use crate::output::{ok, step, warn};
+
+// ---------------------------------------------------------------------------
+// BuildTarget enum (moved from cli.rs)
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Clone)]
+#[cfg_attr(feature = "cli", derive(clap::ValueEnum))]
+pub enum BuildTarget {
+    Proxy,
+    Integration,
+    KratosAdmin,
+    Meet,
+    DocsFrontend,
+    PeopleFrontend,
+    People,
+    Messages,
+    MessagesBackend,
+    MessagesFrontend,
+    MessagesMtaIn,
+    MessagesMtaOut,
+    MessagesMpa,
+    MessagesSocksProxy,
+    Tuwunel,
+    Calendars,
+    Projects,
+    Sol,
+}
+
+impl std::fmt::Display for BuildTarget {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let s = match self {
+            BuildTarget::Proxy => "proxy",
+            BuildTarget::Integration => "integration",
+            BuildTarget::KratosAdmin => "kratos-admin",
+            BuildTarget::Meet => "meet",
+            BuildTarget::DocsFrontend => "docs-frontend",
+            BuildTarget::PeopleFrontend => "people-frontend",
+            BuildTarget::People => "people",
+            BuildTarget::Messages => "messages",
+            BuildTarget::MessagesBackend => "messages-backend",
+            BuildTarget::MessagesFrontend => "messages-frontend",
+            BuildTarget::MessagesMtaIn => "messages-mta-in",
+            BuildTarget::MessagesMtaOut => "messages-mta-out",
+            BuildTarget::MessagesMpa => "messages-mpa",
+            BuildTarget::MessagesSocksProxy => "messages-socks-proxy",
+            BuildTarget::Tuwunel => "tuwunel",
+            BuildTarget::Calendars => "calendars",
+            BuildTarget::Projects => "projects",
+            BuildTarget::Sol => "sol",
+        };
+        write!(f, "{s}")
+    }
+}
+
+/// amd64-only images that need mirroring: (source, org, repo, tag).
+const AMD64_ONLY_IMAGES: &[(&str, &str, &str, &str)] = &[
+    (
+        "docker.io/lasuite/people-backend:latest",
+        "studio",
+        "people-backend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/people-frontend:latest",
+        "studio",
+        "people-frontend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/impress-backend:latest",
+        "studio",
+        "impress-backend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/impress-frontend:latest",
+        "studio",
+        "impress-frontend",
+        "latest",
+    ),
+    (
+        "docker.io/lasuite/impress-y-provider:latest",
+        "studio",
+        "impress-y-provider",
+        "latest",
+    ),
+];
+
+// ---------------------------------------------------------------------------
+// Build environment
+// ---------------------------------------------------------------------------
+
+/// Resolved build environment — production (remote k8s) or local.
+#[derive(Debug, Clone)]
+pub struct BuildEnv {
+    pub is_prod: bool,
+    pub domain: String,
+    pub registry: String,
+    pub admin_pass: String,
+    pub platform: String,
+    pub ssh_host: Option<String>,
+}
+
+/// Detect prod vs local and resolve registry credentials.
+pub(crate) async fn get_build_env() -> Result<BuildEnv> {
+    let ssh = crate::kube::ssh_host();
+    let is_prod = !ssh.is_empty();
+
+    let domain = crate::kube::get_domain().await?;
+
+    // Fetch gitea admin password from the cluster secret
+    let admin_pass = crate::kube::kube_get_secret_field(
+        "devtools",
+        "gitea-admin-credentials",
+        "password",
+    )
+    .await
+    .ctx("gitea-admin-credentials secret not found -- run seed first.")?;
+
+    let platform = if is_prod {
+        "linux/amd64".to_string()
+    } else {
+        "linux/arm64".to_string()
+    };
+
+    let ssh_host = if is_prod {
+        Some(ssh.to_string())
+    } else {
+        None
+    };
+
+    Ok(BuildEnv {
+        is_prod,
+        domain: domain.clone(),
+        registry: format!("src.{domain}"),
+        admin_pass,
+        platform,
+        ssh_host,
+    })
+}
+
+// ---------------------------------------------------------------------------
+// buildctl build + push
+// ---------------------------------------------------------------------------
+
+/// Build and push an image via buildkitd running in k8s.
+///
+/// Port-forwards to the buildkitd service in the `build` namespace,
+/// runs `buildctl build`, and pushes the image directly to the Gitea
+/// registry from inside the cluster.
+#[allow(clippy::too_many_arguments)]
+pub(crate) async fn buildctl_build_and_push(
+    env: &BuildEnv,
+    image: &str,
+    dockerfile: &Path,
+    context_dir: &Path,
+    target: Option<&str>,
+    build_args: Option<&HashMap<String, String>>,
+    _no_cache: bool,
+) -> Result<()> {
+    // Find a free local port for port-forward
+    let listener = std::net::TcpListener::bind("127.0.0.1:0")
+        .ctx("Failed to bind ephemeral port")?;
+    let local_port = listener.local_addr()?.port();
+    drop(listener);
+
+    // Build docker config for registry auth
+    let auth_token = base64::engine::general_purpose::STANDARD
+        .encode(format!("{GITEA_ADMIN_USER}:{}", env.admin_pass));
+    let docker_cfg = serde_json::json!({
+        "auths": {
+            &env.registry: { "auth": auth_token }
+        }
+    });
+
+    let tmpdir = tempfile::TempDir::new().ctx("Failed to create temp dir")?;
+    let cfg_path = tmpdir.path().join("config.json");
+    std::fs::write(&cfg_path, serde_json::to_string(&docker_cfg)?)
+        .ctx("Failed to write docker config")?;
+
+    // Start port-forward to buildkitd
+    let ctx_arg = format!("--context={}", crate::kube::context());
+    let pf_port_arg = format!("{local_port}:1234");
+
+    let mut pf = tokio::process::Command::new("kubectl")
+        .args([
+            &ctx_arg,
+            "port-forward",
+            "-n",
+            "build",
+            "svc/buildkitd",
+            &pf_port_arg,
+        ])
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .spawn()
+        .ctx("Failed to start buildkitd port-forward")?;
+
+    // Wait for port-forward to become ready
+    let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(15);
+    loop {
+        if tokio::time::Instant::now() > deadline {
+            pf.kill().await.ok();
+            return Err(SunbeamError::tool("buildctl", format!("buildkitd port-forward on :{local_port} did not become ready within 15s")));
+        }
+        if tokio::net::TcpStream::connect(format!("127.0.0.1:{local_port}"))
+            .await
+            .is_ok()
+        {
+            break;
+        }
+        tokio::time::sleep(std::time::Duration::from_millis(300)).await;
+    }
+
+    // Build the buildctl command
+    let dockerfile_parent = dockerfile
+        .parent()
+        .unwrap_or(dockerfile)
+        .to_string_lossy()
+        .to_string();
+    let dockerfile_name = dockerfile
+        .file_name()
+        .unwrap_or_default()
+        .to_string_lossy()
+        .to_string();
+    let context_str = context_dir.to_string_lossy().to_string();
+
+    let mut cmd_args = vec![
+        "build".to_string(),
+        "--frontend".to_string(),
+        "dockerfile.v0".to_string(),
+        "--local".to_string(),
+        format!("context={context_str}"),
+        "--local".to_string(),
+        format!("dockerfile={dockerfile_parent}"),
+        "--opt".to_string(),
+        format!("filename={dockerfile_name}"),
+        "--opt".to_string(),
+        format!("platform={}", env.platform),
+        "--output".to_string(),
+        format!("type=image,name={image},push=true"),
+    ];
+
+    if let Some(tgt) = target {
+        cmd_args.push("--opt".to_string());
+        cmd_args.push(format!("target={tgt}"));
+    }
+
+    if _no_cache {
+        cmd_args.push("--no-cache".to_string());
+    }
+
+    if let Some(args) = build_args {
+        for (k, v) in args {
+            cmd_args.push("--opt".to_string());
+            cmd_args.push(format!("build-arg:{k}={v}"));
+        }
+    }
+
+    let buildctl_host = format!("tcp://127.0.0.1:{local_port}");
+    let tmpdir_str = tmpdir.path().to_string_lossy().to_string();
+
+    let result = tokio::process::Command::new("buildctl")
+        .args(&cmd_args)
+        .env("BUILDKIT_HOST", &buildctl_host)
+        .env("DOCKER_CONFIG", &tmpdir_str)
+        .stdin(Stdio::null())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .await;
+
+    // Always terminate port-forward
+    pf.kill().await.ok();
+    pf.wait().await.ok();
+
+    match result {
+        Ok(status) if status.success() => Ok(()),
+        Ok(status) => return Err(SunbeamError::tool("buildctl", format!("exited with status {status}"))),
+        Err(e) => return Err(SunbeamError::tool("buildctl", format!("failed to run: {e}"))),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// build_image wrapper
+// ---------------------------------------------------------------------------
+
+/// Build a container image via buildkitd and push to the Gitea registry.
+#[allow(clippy::too_many_arguments)]
+pub(crate) async fn build_image(
+    env: &BuildEnv,
+    image: &str,
+    dockerfile: &Path,
+    context_dir: &Path,
+    target: Option<&str>,
+    build_args: Option<&HashMap<String, String>>,
+    push: bool,
+    no_cache: bool,
+    cleanup_paths: &[PathBuf],
+) -> Result<()> {
+    ok(&format!(
+        "Building image ({}{})...",
+        env.platform,
+        target
+            .map(|t| format!(", {t} target"))
+            .unwrap_or_default()
+    ));
+
+    if !push {
+        warn("Builds require --push (buildkitd pushes directly to registry); skipping.");
+        return Ok(());
+    }
+
+    let result = buildctl_build_and_push(
+        env,
+        image,
+        dockerfile,
+        context_dir,
+        target,
+        build_args,
+        no_cache,
+    )
+    .await;
+
+    // Cleanup
+    for p in cleanup_paths {
+        if p.exists() {
+            if p.is_dir() {
+                let _ = std::fs::remove_dir_all(p);
+            } else {
+                let _ = std::fs::remove_file(p);
+            }
+        }
+    }
+
+    result
+}
+
+// ---------------------------------------------------------------------------
+// Node operations
+// ---------------------------------------------------------------------------
+
+/// Return one SSH-reachable IP per node in the cluster.
+async fn get_node_addresses() -> Result<Vec<String>> {
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<k8s_openapi::api::core::v1::Node> =
+        kube::api::Api::all(client.clone());
+
+    let node_list = api
+        .list(&kube::api::ListParams::default())
+        .await
+        .ctx("Failed to list nodes")?;
+
+    let mut addresses = Vec::new();
+    for node in &node_list.items {
+        if let Some(status) = &node.status {
+            if let Some(addrs) = &status.addresses {
+                // Prefer IPv4 InternalIP
+                let mut ipv4: Option<String> = None;
+                let mut any_internal: Option<String> = None;
+
+                for addr in addrs {
+                    if addr.type_ == "InternalIP" {
+                        if !addr.address.contains(':') {
+                            ipv4 = Some(addr.address.clone());
+                        } else if any_internal.is_none() {
+                            any_internal = Some(addr.address.clone());
+                        }
+                    }
+                }
+
+                if let Some(ip) = ipv4.or(any_internal) {
+                    addresses.push(ip);
+                }
+            }
+        }
+    }
+
+    Ok(addresses)
+}
+
+/// SSH to each k3s node and pull images into containerd.
+pub(crate) async fn ctr_pull_on_nodes(env: &BuildEnv, images: &[String]) -> Result<()> {
+    if images.is_empty() {
+        return Ok(());
+    }
+
+    let nodes = get_node_addresses().await?;
+    if nodes.is_empty() {
+        warn("Could not detect node addresses; skipping ctr pull.");
+        return Ok(());
+    }
+
+    let ssh_user = env
+        .ssh_host
+        .as_deref()
+        .and_then(|h| h.split('@').next())
+        .unwrap_or("root");
+
+    for node_ip in &nodes {
+        for img in images {
+            ok(&format!("Pulling {img} into containerd on {node_ip}..."));
+            let status = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &format!("{ssh_user}@{node_ip}"),
+                    &format!("sudo ctr -n k8s.io images pull {img}"),
+                ])
+                .stdout(Stdio::null())
+                .stderr(Stdio::piped())
+                .status()
+                .await;
+
+            match status {
+                Ok(s) if s.success() => ok(&format!("Pulled {img} on {node_ip}")),
+                _ => return Err(SunbeamError::tool("ctr", format!("pull failed on {node_ip} for {img}"))),
+            }
+        }
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Deploy rollout
+// ---------------------------------------------------------------------------
+
+/// Apply manifests for the target namespace and rolling-restart the given deployments.
+pub(crate) async fn deploy_rollout(
+    env: &BuildEnv,
+    deployments: &[&str],
+    namespace: &str,
+    timeout_secs: u64,
+    images: Option<&[String]>,
+) -> Result<()> {
+    let env_str = if env.is_prod { "production" } else { "local" };
+    crate::manifests::cmd_apply(env_str, &env.domain, "", namespace).await?;
+
+    // Pull fresh images into containerd on every node before rollout
+    if let Some(imgs) = images {
+        ctr_pull_on_nodes(env, imgs).await?;
+    }
+
+    for dep in deployments {
+        ok(&format!("Rolling {dep}..."));
+        crate::kube::kube_rollout_restart(namespace, dep).await?;
+    }
+
+    // Wait for rollout completion
+    for dep in deployments {
+        wait_deployment_ready(namespace, dep, timeout_secs).await?;
+    }
+
+    ok("Redeployed.");
+    Ok(())
+}
+
+/// Wait for a deployment to become ready.
+async fn wait_deployment_ready(ns: &str, deployment: &str, timeout_secs: u64) -> Result<()> {
+    use k8s_openapi::api::apps::v1::Deployment;
+    use std::time::{Duration, Instant};
+
+    let client = crate::kube::get_client().await?;
+    let api: kube::api::Api<Deployment> = kube::api::Api::namespaced(client.clone(), ns);
+    let deadline = Instant::now() + Duration::from_secs(timeout_secs);
+
+    loop {
+        if Instant::now() > deadline {
+            return Err(SunbeamError::build(format!("Timed out waiting for deployment {ns}/{deployment}")));
+        }
+
+        if let Some(dep) = api.get_opt(deployment).await? {
+            if let Some(status) = &dep.status {
+                if let Some(conditions) = &status.conditions {
+                    let available = conditions
+                        .iter()
+                        .any(|c| c.type_ == "Available" && c.status == "True");
+                    if available {
+                        return Ok(());
+                    }
+                }
+            }
+        }
+
+        tokio::time::sleep(Duration::from_secs(3)).await;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Mirroring
+// ---------------------------------------------------------------------------
+
+/// Docker Hub auth token response.
+#[derive(serde::Deserialize)]
+struct DockerAuthToken {
+    token: String,
+}
+
+/// Fetch a Docker Hub auth token for the given repository.
+async fn docker_hub_token(repo: &str) -> Result<String> {
+    let url = format!(
+        "https://auth.docker.io/token?service=registry.docker.io&scope=repository:{repo}:pull"
+    );
+    let resp: DockerAuthToken = reqwest::get(&url)
+        .await
+        .ctx("Failed to fetch Docker Hub token")?
+        .json()
+        .await
+        .ctx("Failed to parse Docker Hub token response")?;
+    Ok(resp.token)
+}
+
+/// Fetch an OCI/Docker manifest index from Docker Hub.
+async fn fetch_manifest_index(
+    repo: &str,
+    tag: &str,
+) -> Result<serde_json::Value> {
+    let token = docker_hub_token(repo).await?;
+
+    let client = reqwest::Client::new();
+    let url = format!("https://registry-1.docker.io/v2/{repo}/manifests/{tag}");
+    let accept = "application/vnd.oci.image.index.v1+json,\
+                   application/vnd.docker.distribution.manifest.list.v2+json";
+
+    let resp = client
+        .get(&url)
+        .header("Authorization", format!("Bearer {token}"))
+        .header("Accept", accept)
+        .send()
+        .await
+        .ctx("Failed to fetch manifest from Docker Hub")?;
+
+    if !resp.status().is_success() {
+        return Err(SunbeamError::build(format!(
+            "Docker Hub returned {} for {repo}:{tag}",
+            resp.status()
+        )));
+    }
+
+    resp.json()
+        .await
+        .ctx("Failed to parse manifest index JSON")
+}
+
+/// Build an OCI tar archive containing a patched index that maps both
+/// amd64 and arm64 to the same amd64 manifest.
+fn make_oci_tar(
+    ref_name: &str,
+    new_index_bytes: &[u8],
+    amd64_manifest_bytes: &[u8],
+) -> Result<Vec<u8>> {
+    use std::io::Write;
+
+    let ix_hex = {
+        use sha2::Digest;
+        let hash = sha2::Sha256::digest(new_index_bytes);
+        hash.iter().map(|b| format!("{b:02x}")).collect::<String>()
+    };
+
+    let new_index: serde_json::Value = serde_json::from_slice(new_index_bytes)?;
+    let amd64_hex = new_index["manifests"][0]["digest"]
+        .as_str()
+        .unwrap_or("")
+        .replace("sha256:", "");
+
+    let layout = serde_json::json!({"imageLayoutVersion": "1.0.0"});
+    let layout_bytes = serde_json::to_vec(&layout)?;
+
+    let top = serde_json::json!({
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.oci.image.index.v1+json",
+        "manifests": [{
+            "mediaType": "application/vnd.oci.image.index.v1+json",
+            "digest": format!("sha256:{ix_hex}"),
+            "size": new_index_bytes.len(),
+            "annotations": {
+                "org.opencontainers.image.ref.name": ref_name,
+            },
+        }],
+    });
+    let top_bytes = serde_json::to_vec(&top)?;
+
+    let mut buf = Vec::new();
+    {
+        let mut builder = tar::Builder::new(&mut buf);
+
+        let mut add_entry = |name: &str, data: &[u8]| -> Result<()> {
+            let mut header = tar::Header::new_gnu();
+            header.set_size(data.len() as u64);
+            header.set_mode(0o644);
+            header.set_cksum();
+            builder.append_data(&mut header, name, data)?;
+            Ok(())
+        };
+
+        add_entry("oci-layout", &layout_bytes)?;
+        add_entry("index.json", &top_bytes)?;
+        add_entry(&format!("blobs/sha256/{ix_hex}"), new_index_bytes)?;
+        add_entry(
+            &format!("blobs/sha256/{amd64_hex}"),
+            amd64_manifest_bytes,
+        )?;
+
+        builder.finish()?;
+    }
+
+    // Flush
+    buf.flush().ok();
+    Ok(buf)
+}
+
+/// Mirror amd64-only La Suite images to the Gitea registry.
+///
+/// The Python version ran a script inside the Lima VM via `limactl shell`.
+/// Without Lima, we use reqwest for Docker registry token/manifest fetching
+/// and construct OCI tars natively. The containerd import + push operations
+/// require SSH to nodes and are implemented via subprocess.
+pub async fn cmd_mirror() -> Result<()> {
+    step("Mirroring amd64-only images to Gitea registry...");
+
+    let domain = crate::kube::get_domain().await?;
+    let admin_pass = crate::kube::kube_get_secret_field(
+        "devtools",
+        "gitea-admin-credentials",
+        "password",
+    )
+    .await
+    .unwrap_or_default();
+
+    if admin_pass.is_empty() {
+        warn("Could not get gitea admin password; skipping mirror.");
+        return Ok(());
+    }
+
+    let registry = format!("src.{domain}");
+
+    let nodes = get_node_addresses().await.unwrap_or_default();
+    if nodes.is_empty() {
+        warn("No node addresses found; cannot mirror images (need SSH to containerd).");
+        return Ok(());
+    }
+
+    // Determine SSH user
+    let ssh_host_val = crate::kube::ssh_host();
+    let ssh_user = if ssh_host_val.contains('@') {
+        ssh_host_val.split('@').next().unwrap_or("root")
+    } else {
+        "root"
+    };
+
+    for (src, org, repo, tag) in AMD64_ONLY_IMAGES {
+        let tgt = format!("{registry}/{org}/{repo}:{tag}");
+        ok(&format!("Processing {src} -> {tgt}"));
+
+        // Fetch manifest index from Docker Hub
+        let no_prefix = src.replace("docker.io/", "");
+        let parts: Vec<&str> = no_prefix.splitn(2, ':').collect();
+        let (docker_repo, docker_tag) = if parts.len() == 2 {
+            (parts[0], parts[1])
+        } else {
+            (parts[0], "latest")
+        };
+
+        let index = match fetch_manifest_index(docker_repo, docker_tag).await {
+            Ok(idx) => idx,
+            Err(e) => {
+                warn(&format!("Failed to fetch index for {src}: {e}"));
+                continue;
+            }
+        };
+
+        // Find amd64 manifest
+        let manifests = index["manifests"].as_array();
+        let amd64 = manifests.and_then(|ms| {
+            ms.iter().find(|m| {
+                m["platform"]["architecture"].as_str() == Some("amd64")
+                    && m["platform"]["os"].as_str() == Some("linux")
+            })
+        });
+
+        let amd64 = match amd64 {
+            Some(m) => m.clone(),
+            None => {
+                warn(&format!("No linux/amd64 entry in index for {src}; skipping"));
+                continue;
+            }
+        };
+
+        let amd64_digest = amd64["digest"]
+            .as_str()
+            .unwrap_or("")
+            .to_string();
+
+        // Fetch the actual amd64 manifest blob from registry
+        let token = docker_hub_token(docker_repo).await?;
+        let manifest_url = format!(
+            "https://registry-1.docker.io/v2/{docker_repo}/manifests/{amd64_digest}"
+        );
+        let client = reqwest::Client::new();
+        let amd64_manifest_bytes = client
+            .get(&manifest_url)
+            .header("Authorization", format!("Bearer {token}"))
+            .header(
+                "Accept",
+                "application/vnd.oci.image.manifest.v1+json,\
+                 application/vnd.docker.distribution.manifest.v2+json",
+            )
+            .send()
+            .await?
+            .bytes()
+            .await?;
+
+        // Build patched index: amd64 + arm64 alias pointing to same manifest
+        let arm64_entry = serde_json::json!({
+            "mediaType": amd64["mediaType"],
+            "digest": amd64["digest"],
+            "size": amd64["size"],
+            "platform": {"architecture": "arm64", "os": "linux"},
+        });
+
+        let new_index = serde_json::json!({
+            "schemaVersion": index["schemaVersion"],
+            "mediaType": index.get("mediaType").unwrap_or(&serde_json::json!("application/vnd.oci.image.index.v1+json")),
+            "manifests": [amd64, arm64_entry],
+        });
+        let new_index_bytes = serde_json::to_vec(&new_index)?;
+
+        // Build OCI tar
+        let oci_tar = match make_oci_tar(&tgt, &new_index_bytes, &amd64_manifest_bytes) {
+            Ok(tar) => tar,
+            Err(e) => {
+                warn(&format!("Failed to build OCI tar for {tgt}: {e}"));
+                continue;
+            }
+        };
+
+        // Import + push via SSH to each node (containerd operations)
+        for node_ip in &nodes {
+            ok(&format!("Importing {tgt} on {node_ip}..."));
+
+            // Remove existing, import, label
+            let ssh_target = format!("{ssh_user}@{node_ip}");
+
+            // Import via stdin
+            let mut import_cmd = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &ssh_target,
+                    "sudo ctr -n k8s.io images import --all-platforms -",
+                ])
+                .stdin(Stdio::piped())
+                .stdout(Stdio::null())
+                .stderr(Stdio::piped())
+                .spawn()
+                .ctx("Failed to spawn ssh for ctr import")?;
+
+            if let Some(mut stdin) = import_cmd.stdin.take() {
+                use tokio::io::AsyncWriteExt;
+                stdin.write_all(&oci_tar).await?;
+                drop(stdin);
+            }
+            let import_status = import_cmd.wait().await?;
+            if !import_status.success() {
+                warn(&format!("ctr import failed on {node_ip} for {tgt}"));
+                continue;
+            }
+
+            // Label for CRI
+            let _ = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &ssh_target,
+                    &format!(
+                        "sudo ctr -n k8s.io images label {tgt} io.cri-containerd.image=managed"
+                    ),
+                ])
+                .stdout(Stdio::null())
+                .stderr(Stdio::null())
+                .status()
+                .await;
+
+            // Push to Gitea registry
+            ok(&format!("Pushing {tgt} from {node_ip}..."));
+            let push_status = tokio::process::Command::new("ssh")
+                .args([
+                    "-p",
+                    "2222",
+                    "-o",
+                    "StrictHostKeyChecking=no",
+                    &ssh_target,
+                    &format!(
+                        "sudo ctr -n k8s.io images push --user {GITEA_ADMIN_USER}:{admin_pass} {tgt}"
+                    ),
+                ])
+                .stdout(Stdio::null())
+                .stderr(Stdio::piped())
+                .status()
+                .await;
+
+            match push_status {
+                Ok(s) if s.success() => ok(&format!("Pushed {tgt}")),
+                _ => warn(&format!("Push failed for {tgt} on {node_ip}")),
+            }
+
+            // Only need to push from one node
+            break;
+        }
+    }
+
+    // Delete pods stuck in image-pull error states
+    ok("Clearing image-pull-error pods...");
+    clear_image_pull_error_pods().await?;
+
+    ok("Done.");
+    Ok(())
+}
+
+/// Delete pods in image-pull error states across managed namespaces.
+async fn clear_image_pull_error_pods() -> Result<()> {
+    use k8s_openapi::api::core::v1::Pod;
+
+    let error_reasons = ["ImagePullBackOff", "ErrImagePull", "ErrImageNeverPull"];
+
+    let client = crate::kube::get_client().await?;
+
+    for ns in MANAGED_NS {
+        let api: kube::api::Api<Pod> = kube::api::Api::namespaced(client.clone(), ns);
+        let pods = api
+            .list(&kube::api::ListParams::default())
+            .await;
+
+        let pods = match pods {
+            Ok(p) => p,
+            Err(_) => continue,
+        };
+
+        for pod in &pods.items {
+            let pod_name = pod.metadata.name.as_deref().unwrap_or("");
+            if pod_name.is_empty() {
+                continue;
+            }
+
+            let has_error = pod
+                .status
+                .as_ref()
+                .and_then(|s| s.container_statuses.as_ref())
+                .map(|statuses| {
+                    statuses.iter().any(|cs| {
+                        cs.state
+                            .as_ref()
+                            .and_then(|s| s.waiting.as_ref())
+                            .and_then(|w| w.reason.as_deref())
+                            .is_some_and(|r| error_reasons.contains(&r))
+                    })
+                })
+                .unwrap_or(false);
+
+            if has_error {
+                let _ = api
+                    .delete(pod_name, &kube::api::DeleteParams::default())
+                    .await;
+            }
+        }
+    }
+
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Build dispatch
+// ---------------------------------------------------------------------------
+
+/// Build an image. Pass push=true to push, deploy=true to also apply + rollout.
+pub async fn cmd_build(what: &BuildTarget, push: bool, deploy: bool, no_cache: bool) -> Result<()> {
+    match what {
+        BuildTarget::Proxy => builders::build_proxy(push, deploy, no_cache).await,
+        BuildTarget::Integration => builders::build_integration(push, deploy, no_cache).await,
+        BuildTarget::KratosAdmin => builders::build_kratos_admin(push, deploy, no_cache).await,
+        BuildTarget::Meet => builders::build_meet(push, deploy, no_cache).await,
+        BuildTarget::DocsFrontend => {
+            let repo_dir = crate::config::get_repo_root().join("docs");
+            builders::build_la_suite_frontend(
+                "docs-frontend",
+                &repo_dir,
+                "src/frontend",
+                "src/frontend/apps/impress",
+                "src/frontend/Dockerfile",
+                "impress-frontend",
+                "docs-frontend",
+                "lasuite",
+                push,
+                deploy,
+                no_cache,
+            )
+            .await
+        }
+        BuildTarget::PeopleFrontend | BuildTarget::People => builders::build_people(push, deploy, no_cache).await,
+        BuildTarget::Messages => builders::build_messages("messages", push, deploy, no_cache).await,
+        BuildTarget::MessagesBackend => builders::build_messages("messages-backend", push, deploy, no_cache).await,
+        BuildTarget::MessagesFrontend => builders::build_messages("messages-frontend", push, deploy, no_cache).await,
+        BuildTarget::MessagesMtaIn => builders::build_messages("messages-mta-in", push, deploy, no_cache).await,
+        BuildTarget::MessagesMtaOut => builders::build_messages("messages-mta-out", push, deploy, no_cache).await,
+        BuildTarget::MessagesMpa => builders::build_messages("messages-mpa", push, deploy, no_cache).await,
+        BuildTarget::MessagesSocksProxy => {
+            builders::build_messages("messages-socks-proxy", push, deploy, no_cache).await
+        }
+        BuildTarget::Tuwunel => builders::build_tuwunel(push, deploy, no_cache).await,
+        BuildTarget::Calendars => builders::build_calendars(push, deploy, no_cache).await,
+        BuildTarget::Projects => builders::build_projects(push, deploy, no_cache).await,
+        BuildTarget::Sol => builders::build_sol(push, deploy, no_cache).await,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn managed_ns_is_sorted() {
+        let mut sorted = MANAGED_NS.to_vec();
+        sorted.sort();
+        assert_eq!(
+            MANAGED_NS, &sorted[..],
+            "MANAGED_NS should be in alphabetical order"
+        );
+    }
+
+    #[test]
+    fn managed_ns_contains_expected_namespaces() {
+        assert!(MANAGED_NS.contains(&"data"));
+        assert!(MANAGED_NS.contains(&"devtools"));
+        assert!(MANAGED_NS.contains(&"ingress"));
+        assert!(MANAGED_NS.contains(&"ory"));
+        assert!(MANAGED_NS.contains(&"matrix"));
+    }
+
+    #[test]
+    fn amd64_only_images_all_from_docker_hub() {
+        for (src, _org, _repo, _tag) in AMD64_ONLY_IMAGES {
+            assert!(
+                src.starts_with("docker.io/"),
+                "Expected docker.io prefix, got: {src}"
+            );
+        }
+    }
+
+    #[test]
+    fn amd64_only_images_all_have_latest_tag() {
+        for (src, _org, _repo, tag) in AMD64_ONLY_IMAGES {
+            assert_eq!(
+                *tag, "latest",
+                "Expected 'latest' tag for {src}, got: {tag}"
+            );
+        }
+    }
+
+    #[test]
+    fn amd64_only_images_non_empty() {
+        assert!(
+            !AMD64_ONLY_IMAGES.is_empty(),
+            "AMD64_ONLY_IMAGES should not be empty"
+        );
+    }
+
+    #[test]
+    fn amd64_only_images_org_is_studio() {
+        for (src, org, _repo, _tag) in AMD64_ONLY_IMAGES {
+            assert_eq!(
+                *org, "studio",
+                "Expected org 'studio' for {src}, got: {org}"
+            );
+        }
+    }
+
+    #[test]
+    fn build_target_display_proxy() {
+        assert_eq!(BuildTarget::Proxy.to_string(), "proxy");
+    }
+
+    #[test]
+    fn build_target_display_kratos_admin() {
+        assert_eq!(BuildTarget::KratosAdmin.to_string(), "kratos-admin");
+    }
+
+    #[test]
+    fn build_target_display_all_lowercase_or_hyphenated() {
+        let targets = [
+            BuildTarget::Proxy,
+            BuildTarget::Integration,
+            BuildTarget::KratosAdmin,
+            BuildTarget::Meet,
+            BuildTarget::DocsFrontend,
+            BuildTarget::PeopleFrontend,
+            BuildTarget::People,
+            BuildTarget::Messages,
+            BuildTarget::MessagesBackend,
+            BuildTarget::MessagesFrontend,
+            BuildTarget::MessagesMtaIn,
+            BuildTarget::MessagesMtaOut,
+            BuildTarget::MessagesMpa,
+            BuildTarget::MessagesSocksProxy,
+            BuildTarget::Tuwunel,
+            BuildTarget::Calendars,
+            BuildTarget::Projects,
+            BuildTarget::Sol,
+        ];
+        for t in &targets {
+            let s = t.to_string();
+            assert!(
+                s.chars().all(|c| c.is_ascii_lowercase() || c == '-'),
+                "BuildTarget display '{s}' has unexpected characters"
+            );
+        }
+    }
+
+    #[test]
+    fn gitea_admin_user_constant() {
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+    }
+
+    #[test]
+    fn messages_components_non_empty() {
+        assert!(!builders::MESSAGES_COMPONENTS.is_empty());
+    }
+
+    #[test]
+    fn messages_components_dockerfiles_are_relative() {
+        for (_name, _image, dockerfile_rel, _target) in builders::MESSAGES_COMPONENTS {
+            assert!(
+                dockerfile_rel.ends_with("Dockerfile"),
+                "Expected Dockerfile suffix in: {dockerfile_rel}"
+            );
+            assert!(
+                !dockerfile_rel.starts_with('/'),
+                "Dockerfile path should be relative: {dockerfile_rel}"
+            );
+        }
+    }
+
+    #[test]
+    fn messages_components_names_match_build_targets() {
+        for (name, _image, _df, _target) in builders::MESSAGES_COMPONENTS {
+            assert!(
+                name.starts_with("messages-"),
+                "Component name should start with 'messages-': {name}"
+            );
+        }
+    }
+}
diff --git a/sunbeam-sdk/src/kube/mod.rs b/sunbeam-sdk/src/kube/mod.rs
new file mode 100644
index 0000000..70bcea7
--- /dev/null
+++ b/sunbeam-sdk/src/kube/mod.rs
@@ -0,0 +1,761 @@
+mod tunnel;
+pub mod tools;
+
+use crate::error::{Result, SunbeamError, ResultExt};
+use base64::Engine;
+use k8s_openapi::api::apps::v1::Deployment;
+use k8s_openapi::api::core::v1::{Namespace, Secret};
+use kube::api::{Api, ApiResource, DynamicObject, ListParams, Patch, PatchParams};
+use kube::config::{KubeConfigOptions, Kubeconfig};
+use kube::discovery::{self, Scope};
+use kube::{Client, Config};
+use std::collections::HashMap;
+use std::path::Path;
+use std::process::Stdio;
+use std::sync::{Mutex, OnceLock};
+use tokio::sync::OnceCell;
+
+static CONTEXT: OnceLock<String> = OnceLock::new();
+static SSH_HOST: OnceLock<String> = OnceLock::new();
+static KUBE_CLIENT: OnceCell<Client> = OnceCell::const_new();
+static SSH_TUNNEL: Mutex<Option<tokio::process::Child>> = Mutex::new(None);
+static API_DISCOVERY: OnceCell<kube::discovery::Discovery> = OnceCell::const_new();
+
+/// Set the active kubectl context and optional SSH host for production tunnel.
+pub fn set_context(ctx: &str, ssh_host: &str) {
+    let _ = CONTEXT.set(ctx.to_string());
+    let _ = SSH_HOST.set(ssh_host.to_string());
+}
+
+/// Get the active context.
+pub fn context() -> &'static str {
+    CONTEXT.get().map(|s| s.as_str()).unwrap_or("sunbeam")
+}
+
+/// Get the SSH host (empty for local).
+pub fn ssh_host() -> &'static str {
+    SSH_HOST.get().map(|s| s.as_str()).unwrap_or("")
+}
+
+// ---------------------------------------------------------------------------
+// SSH tunnel management
+// ---------------------------------------------------------------------------
+
+/// Ensure SSH tunnel is open for production (forwards localhost:16443 -> remote:6443).
+/// For local dev (empty ssh_host), this is a no-op.
+#[allow(dead_code)]
+pub async fn ensure_tunnel() -> Result<()> {
+    let host = ssh_host();
+    if host.is_empty() {
+        return Ok(());
+    }
+
+    // Check if tunnel is already open
+    if tokio::net::TcpStream::connect("127.0.0.1:16443")
+        .await
+        .is_ok()
+    {
+        return Ok(());
+    }
+
+    crate::output::ok(&format!("Opening SSH tunnel to {host}..."));
+
+    let child = tokio::process::Command::new("ssh")
+        .args([
+            "-p",
+            "2222",
+            "-L",
+            "16443:127.0.0.1:6443",
+            "-N",
+            "-o",
+            "ExitOnForwardFailure=yes",
+            "-o",
+            "StrictHostKeyChecking=no",
+            host,
+        ])
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .spawn()
+        .ctx("Failed to spawn SSH tunnel")?;
+
+    // Store child so it lives for the process lifetime (and can be killed on cleanup)
+    if let Ok(mut guard) = SSH_TUNNEL.lock() {
+        *guard = Some(child);
+    }
+
+    // Wait for tunnel to become available
+    for _ in 0..20 {
+        tokio::time::sleep(std::time::Duration::from_millis(500)).await;
+        if tokio::net::TcpStream::connect("127.0.0.1:16443")
+            .await
+            .is_ok()
+        {
+            return Ok(());
+        }
+    }
+
+    bail!("SSH tunnel to {host} did not open in time")
+}
+
+// ---------------------------------------------------------------------------
+// Client initialization
+// ---------------------------------------------------------------------------
+
+/// Get or create a kube::Client configured for the active context.
+/// Opens SSH tunnel first if needed for production.
+pub async fn get_client() -> Result<&'static Client> {
+    KUBE_CLIENT
+        .get_or_try_init(|| async {
+            ensure_tunnel().await?;
+
+            let kubeconfig = Kubeconfig::read().map_err(|e| SunbeamError::kube(format!("Failed to read kubeconfig: {e}")))?;
+            let options = KubeConfigOptions {
+                context: Some(context().to_string()),
+                ..Default::default()
+            };
+            let config = Config::from_custom_kubeconfig(kubeconfig, &options)
+                .await
+                .map_err(|e| SunbeamError::kube(format!("Failed to build kube config from kubeconfig: {e}")))?;
+            Client::try_from(config).ctx("Failed to create kube client")
+        })
+        .await
+}
+
+// ---------------------------------------------------------------------------
+// Core Kubernetes operations
+// ---------------------------------------------------------------------------
+
+/// Server-side apply a multi-document YAML manifest.
+#[allow(dead_code)]
+pub async fn kube_apply(manifest: &str) -> Result<()> {
+    let client = get_client().await?;
+    let ssapply = PatchParams::apply("sunbeam").force();
+
+    for doc in manifest.split("\n---") {
+        let doc = doc.trim();
+        if doc.is_empty() || doc == "---" {
+            continue;
+        }
+
+        // Parse the YAML to a DynamicObject so we can route it
+        let obj: serde_yaml::Value =
+            serde_yaml::from_str(doc).ctx("Failed to parse YAML document")?;
+
+        let api_version = obj
+            .get("apiVersion")
+            .and_then(|v| v.as_str())
+            .unwrap_or("");
+        let kind = obj.get("kind").and_then(|v| v.as_str()).unwrap_or("");
+        let metadata = obj.get("metadata");
+        let name = metadata
+            .and_then(|m| m.get("name"))
+            .and_then(|v| v.as_str())
+            .unwrap_or("");
+        let namespace = metadata
+            .and_then(|m| m.get("namespace"))
+            .and_then(|v| v.as_str());
+
+        if name.is_empty() || kind.is_empty() {
+            continue; // skip incomplete documents
+        }
+
+        // Use discovery to find the right API resource
+        let (ar, scope) = resolve_api_resource(client, api_version, kind).await?;
+
+        let api: Api<DynamicObject> = if let Some(ns) = namespace {
+            Api::namespaced_with(client.clone(), ns, &ar)
+        } else if scope == Scope::Namespaced {
+            // Namespaced resource without a namespace specified; use default
+            Api::default_namespaced_with(client.clone(), &ar)
+        } else {
+            Api::all_with(client.clone(), &ar)
+        };
+
+        let patch: serde_json::Value =
+            serde_yaml::from_str(doc).ctx("Failed to parse YAML to JSON value")?;
+
+        api.patch(name, &ssapply, &Patch::Apply(patch))
+            .await
+            .with_ctx(|| format!("Failed to apply {kind}/{name}"))?;
+    }
+    Ok(())
+}
+
+/// Resolve an API resource from apiVersion and kind using discovery.
+async fn resolve_api_resource(
+    client: &Client,
+    api_version: &str,
+    kind: &str,
+) -> Result<(ApiResource, Scope)> {
+    // Split apiVersion into group and version
+    let (group, version) = if api_version.contains('/') {
+        let parts: Vec<&str> = api_version.splitn(2, '/').collect();
+        (parts[0], parts[1])
+    } else {
+        ("", api_version) // core API group
+    };
+
+    let disc = API_DISCOVERY
+        .get_or_try_init(|| async {
+            discovery::Discovery::new(client.clone())
+                .run()
+                .await
+                .ctx("API discovery failed")
+        })
+        .await?;
+
+    for api_group in disc.groups() {
+        if api_group.name() == group {
+            for (ar, caps) in api_group.resources_by_stability() {
+                if ar.kind == kind && ar.version == version {
+                    return Ok((ar, caps.scope));
+                }
+            }
+        }
+    }
+
+    bail!("Could not discover API resource for {api_version}/{kind}")
+}
+
+/// Get a Kubernetes Secret object.
+#[allow(dead_code)]
+pub async fn kube_get_secret(ns: &str, name: &str) -> Result<Option<Secret>> {
+    let client = get_client().await?;
+    let api: Api<Secret> = Api::namespaced(client.clone(), ns);
+    match api.get_opt(name).await {
+        Ok(secret) => Ok(secret),
+        Err(e) => Err(e).with_ctx(|| format!("Failed to get secret {ns}/{name}")),
+    }
+}
+
+/// Get a specific base64-decoded field from a Kubernetes secret.
+#[allow(dead_code)]
+pub async fn kube_get_secret_field(ns: &str, name: &str, key: &str) -> Result<String> {
+    let secret = kube_get_secret(ns, name)
+        .await?
+        .with_ctx(|| format!("Secret {ns}/{name} not found"))?;
+
+    let data = secret.data.as_ref().ctx("Secret has no data")?;
+
+    let bytes = data
+        .get(key)
+        .with_ctx(|| format!("Key {key:?} not found in secret {ns}/{name}"))?;
+
+    String::from_utf8(bytes.0.clone())
+        .with_ctx(|| format!("Key {key:?} in secret {ns}/{name} is not valid UTF-8"))
+}
+
+/// Check if a namespace exists.
+#[allow(dead_code)]
+pub async fn ns_exists(ns: &str) -> Result<bool> {
+    let client = get_client().await?;
+    let api: Api<Namespace> = Api::all(client.clone());
+    match api.get_opt(ns).await {
+        Ok(Some(_)) => Ok(true),
+        Ok(None) => Ok(false),
+        Err(e) => Err(e).with_ctx(|| format!("Failed to check namespace {ns}")),
+    }
+}
+
+/// Create namespace if it does not exist.
+#[allow(dead_code)]
+pub async fn ensure_ns(ns: &str) -> Result<()> {
+    if ns_exists(ns).await? {
+        return Ok(());
+    }
+    let client = get_client().await?;
+    let api: Api<Namespace> = Api::all(client.clone());
+    let ns_obj = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "Namespace",
+        "metadata": { "name": ns }
+    });
+    let pp = PatchParams::apply("sunbeam").force();
+    api.patch(ns, &pp, &Patch::Apply(ns_obj))
+        .await
+        .with_ctx(|| format!("Failed to create namespace {ns}"))?;
+    Ok(())
+}
+
+/// Create or update a generic Kubernetes secret via server-side apply.
+#[allow(dead_code)]
+pub async fn create_secret(ns: &str, name: &str, data: HashMap<String, String>) -> Result<()> {
+    let client = get_client().await?;
+    let api: Api<Secret> = Api::namespaced(client.clone(), ns);
+
+    // Encode values as base64
+    let mut encoded: serde_json::Map<String, serde_json::Value> = serde_json::Map::new();
+    for (k, v) in &data {
+        let b64 = base64::engine::general_purpose::STANDARD.encode(v.as_bytes());
+        encoded.insert(k.clone(), serde_json::Value::String(b64));
+    }
+
+    let secret_obj = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "metadata": {
+            "name": name,
+            "namespace": ns,
+        },
+        "type": "Opaque",
+        "data": encoded,
+    });
+
+    let pp = PatchParams::apply("sunbeam").force();
+    api.patch(name, &pp, &Patch::Apply(secret_obj))
+        .await
+        .with_ctx(|| format!("Failed to create/update secret {ns}/{name}"))?;
+    Ok(())
+}
+
+/// Execute a command in a pod and return (exit_code, stdout).
+#[allow(dead_code)]
+pub async fn kube_exec(
+    ns: &str,
+    pod: &str,
+    cmd: &[&str],
+    container: Option<&str>,
+) -> Result<(i32, String)> {
+    let client = get_client().await?;
+    let pods: Api<k8s_openapi::api::core::v1::Pod> = Api::namespaced(client.clone(), ns);
+
+    let mut ep = kube::api::AttachParams::default();
+    ep.stdout = true;
+    ep.stderr = true;
+    ep.stdin = false;
+    if let Some(c) = container {
+        ep.container = Some(c.to_string());
+    }
+
+    let cmd_strings: Vec<String> = cmd.iter().map(|s| s.to_string()).collect();
+    let mut attached = pods
+        .exec(pod, cmd_strings, &ep)
+        .await
+        .with_ctx(|| format!("Failed to exec in pod {ns}/{pod}"))?;
+
+    let stdout = {
+        let mut stdout_reader = attached
+            .stdout()
+            .ctx("No stdout stream from exec")?;
+        let mut buf = Vec::new();
+        tokio::io::AsyncReadExt::read_to_end(&mut stdout_reader, &mut buf).await?;
+        String::from_utf8_lossy(&buf).to_string()
+    };
+
+    let status = attached
+        .take_status()
+        .ctx("No status channel from exec")?;
+
+    // Wait for the status
+    let exit_code = if let Some(status) = status.await {
+        status
+            .status
+            .map(|s| if s == "Success" { 0 } else { 1 })
+            .unwrap_or(1)
+    } else {
+        1
+    };
+
+    Ok((exit_code, stdout.trim().to_string()))
+}
+
+/// Patch a deployment to trigger a rollout restart.
+#[allow(dead_code)]
+pub async fn kube_rollout_restart(ns: &str, deployment: &str) -> Result<()> {
+    let client = get_client().await?;
+    let api: Api<Deployment> = Api::namespaced(client.clone(), ns);
+
+    let now = chrono::Utc::now().to_rfc3339();
+    let patch = serde_json::json!({
+        "spec": {
+            "template": {
+                "metadata": {
+                    "annotations": {
+                        "kubectl.kubernetes.io/restartedAt": now
+                    }
+                }
+            }
+        }
+    });
+
+    api.patch(deployment, &PatchParams::default(), &Patch::Strategic(patch))
+        .await
+        .with_ctx(|| format!("Failed to restart deployment {ns}/{deployment}"))?;
+    Ok(())
+}
+
+/// Discover the active domain from cluster state.
+///
+/// Tries the gitea-inline-config secret first (DOMAIN=src.<domain>),
+/// falls back to lasuite-oidc-provider configmap, then Lima VM IP.
+#[allow(dead_code)]
+pub async fn get_domain() -> Result<String> {
+    // 1. Gitea inline-config secret
+    if let Ok(Some(secret)) = kube_get_secret("devtools", "gitea-inline-config").await {
+        if let Some(data) = &secret.data {
+            if let Some(server_bytes) = data.get("server") {
+                let server_ini = String::from_utf8_lossy(&server_bytes.0);
+                for line in server_ini.lines() {
+                    if let Some(rest) = line.strip_prefix("DOMAIN=src.") {
+                        return Ok(rest.trim().to_string());
+                    }
+                }
+            }
+        }
+    }
+
+    // 2. Fallback: lasuite-oidc-provider configmap
+    {
+        let client = get_client().await?;
+        let api: Api<k8s_openapi::api::core::v1::ConfigMap> =
+            Api::namespaced(client.clone(), "lasuite");
+        if let Ok(Some(cm)) = api.get_opt("lasuite-oidc-provider").await {
+            if let Some(data) = &cm.data {
+                if let Some(endpoint) = data.get("OIDC_OP_JWKS_ENDPOINT") {
+                    if let Some(rest) = endpoint.split("https://auth.").nth(1) {
+                        if let Some(domain) = rest.split('/').next() {
+                            return Ok(domain.to_string());
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    // 3. Local dev fallback: Lima VM IP
+    let ip = get_lima_ip().await;
+    Ok(format!("{ip}.sslip.io"))
+}
+
+/// Get the socket_vmnet IP of the Lima sunbeam VM.
+async fn get_lima_ip() -> String {
+    let output = tokio::process::Command::new("limactl")
+        .args(["shell", "sunbeam", "ip", "-4", "addr", "show", "eth1"])
+        .output()
+        .await;
+
+    if let Ok(out) = output {
+        let stdout = String::from_utf8_lossy(&out.stdout);
+        for line in stdout.lines() {
+            if line.contains("inet ") {
+                if let Some(addr) = line.trim().split_whitespace().nth(1) {
+                    if let Some(ip) = addr.split('/').next() {
+                        return ip.to_string();
+                    }
+                }
+            }
+        }
+    }
+
+    // Fallback: hostname -I
+    let output2 = tokio::process::Command::new("limactl")
+        .args(["shell", "sunbeam", "hostname", "-I"])
+        .output()
+        .await;
+
+    if let Ok(out) = output2 {
+        let stdout = String::from_utf8_lossy(&out.stdout);
+        let ips: Vec<&str> = stdout.trim().split_whitespace().collect();
+        if ips.len() >= 2 {
+            return ips[ips.len() - 1].to_string();
+        } else if !ips.is_empty() {
+            return ips[0].to_string();
+        }
+    }
+
+    String::new()
+}
+
+// ---------------------------------------------------------------------------
+// kustomize build
+// ---------------------------------------------------------------------------
+
+/// Run kustomize build --enable-helm and apply domain/email substitution.
+#[allow(dead_code)]
+pub async fn kustomize_build(overlay: &Path, domain: &str, email: &str) -> Result<String> {
+    let kustomize_path = self::tools::ensure_kustomize()?;
+    let helm_path = self::tools::ensure_helm()?;
+
+    // Ensure helm's parent dir is on PATH so kustomize can find it
+    let helm_dir = helm_path
+        .parent()
+        .map(|p| p.to_string_lossy().to_string())
+        .unwrap_or_default();
+
+    let mut env_path = helm_dir.clone();
+    if let Ok(existing) = std::env::var("PATH") {
+        env_path = format!("{helm_dir}:{existing}");
+    }
+
+    let output = tokio::process::Command::new(&kustomize_path)
+        .args(["build", "--enable-helm"])
+        .arg(overlay)
+        .env("PATH", &env_path)
+        .output()
+        .await
+        .ctx("Failed to run kustomize")?;
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr);
+        bail!("kustomize build failed: {stderr}");
+    }
+
+    let mut text = String::from_utf8(output.stdout).ctx("kustomize output not UTF-8")?;
+
+    // Domain substitution
+    text = domain_replace(&text, domain);
+
+    // ACME email substitution
+    if !email.is_empty() {
+        text = text.replace("ACME_EMAIL", email);
+    }
+
+    // Registry host IP resolution
+    if text.contains("REGISTRY_HOST_IP") {
+        let registry_ip = resolve_registry_ip(domain).await;
+        text = text.replace("REGISTRY_HOST_IP", &registry_ip);
+    }
+
+    // Strip null annotations artifact
+    text = text.replace("\n      annotations: null", "");
+
+    Ok(text)
+}
+
+/// Resolve the registry host IP for REGISTRY_HOST_IP substitution.
+async fn resolve_registry_ip(domain: &str) -> String {
+    // Try DNS for src.<domain>
+    let hostname = format!("src.{domain}:443");
+    if let Ok(mut addrs) = tokio::net::lookup_host(&hostname).await {
+        if let Some(addr) = addrs.next() {
+            return addr.ip().to_string();
+        }
+    }
+
+    // Fallback: derive from production host config
+    let ssh_host = crate::config::get_production_host();
+    if !ssh_host.is_empty() {
+        let raw = ssh_host
+            .split('@')
+            .last()
+            .unwrap_or(&ssh_host)
+            .split(':')
+            .next()
+            .unwrap_or(&ssh_host);
+        let host_lookup = format!("{raw}:443");
+        if let Ok(mut addrs) = tokio::net::lookup_host(&host_lookup).await {
+            if let Some(addr) = addrs.next() {
+                return addr.ip().to_string();
+            }
+        }
+        // raw is likely already an IP
+        return raw.to_string();
+    }
+
+    String::new()
+}
+
+// ---------------------------------------------------------------------------
+// kubectl / bao passthrough
+// ---------------------------------------------------------------------------
+
+/// Transparent kubectl passthrough for the active context.
+pub async fn cmd_k8s(kubectl_args: &[String]) -> Result<()> {
+    ensure_tunnel().await?;
+
+    let status = tokio::process::Command::new("kubectl")
+        .arg(format!("--context={}", context()))
+        .args(kubectl_args)
+        .stdin(Stdio::inherit())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .await
+        .ctx("Failed to run kubectl")?;
+
+    if !status.success() {
+        std::process::exit(status.code().unwrap_or(1));
+    }
+    Ok(())
+}
+
+/// Run bao CLI inside the OpenBao pod with the root token.
+pub async fn cmd_bao(bao_args: &[String]) -> Result<()> {
+    // Find the openbao pod
+    let client = get_client().await?;
+    let pods: Api<k8s_openapi::api::core::v1::Pod> = Api::namespaced(client.clone(), "data");
+
+    let lp = ListParams::default().labels("app.kubernetes.io/name=openbao");
+    let pod_list = pods.list(&lp).await.ctx("Failed to list OpenBao pods")?;
+    let ob_pod = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("OpenBao pod not found -- is the cluster running?")?
+        .to_string();
+
+    // Get root token
+    let root_token = kube_get_secret_field("data", "openbao-keys", "root-token")
+        .await
+        .ctx("root-token not found in openbao-keys secret")?;
+
+    // Build the kubectl exec command
+    let vault_token_env = format!("VAULT_TOKEN={root_token}");
+    let mut kubectl_args = vec![
+        format!("--context={}", context()),
+        "-n".to_string(),
+        "data".to_string(),
+        "exec".to_string(),
+        ob_pod,
+        "-c".to_string(),
+        "openbao".to_string(),
+        "--".to_string(),
+        "env".to_string(),
+        vault_token_env,
+        "bao".to_string(),
+    ];
+    kubectl_args.extend(bao_args.iter().cloned());
+
+    // Use kubectl for full TTY support
+    let status = tokio::process::Command::new("kubectl")
+        .args(&kubectl_args)
+        .stdin(Stdio::inherit())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
+        .status()
+        .await
+        .ctx("Failed to run bao in OpenBao pod")?;
+
+    if !status.success() {
+        std::process::exit(status.code().unwrap_or(1));
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Parse target and domain_replace (already tested)
+// ---------------------------------------------------------------------------
+
+/// Parse 'ns/name' -> (Some(ns), Some(name)), 'ns' -> (Some(ns), None), None -> (None, None).
+pub fn parse_target(s: Option<&str>) -> Result<(Option<&str>, Option<&str>)> {
+    match s {
+        None => Ok((None, None)),
+        Some(s) => {
+            let parts: Vec<&str> = s.splitn(3, '/').collect();
+            match parts.len() {
+                1 => Ok((Some(parts[0]), None)),
+                2 => Ok((Some(parts[0]), Some(parts[1]))),
+                _ => bail!("Invalid target {s:?}: expected 'namespace' or 'namespace/name'"),
+            }
+        }
+    }
+}
+
+/// Replace all occurrences of DOMAIN_SUFFIX with domain.
+pub fn domain_replace(text: &str, domain: &str) -> String {
+    text.replace("DOMAIN_SUFFIX", domain)
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_target_none() {
+        let (ns, name) = parse_target(None).unwrap();
+        assert!(ns.is_none());
+        assert!(name.is_none());
+    }
+
+    #[test]
+    fn test_parse_target_namespace_only() {
+        let (ns, name) = parse_target(Some("ory")).unwrap();
+        assert_eq!(ns, Some("ory"));
+        assert!(name.is_none());
+    }
+
+    #[test]
+    fn test_parse_target_namespace_and_name() {
+        let (ns, name) = parse_target(Some("ory/kratos")).unwrap();
+        assert_eq!(ns, Some("ory"));
+        assert_eq!(name, Some("kratos"));
+    }
+
+    #[test]
+    fn test_parse_target_too_many_parts() {
+        assert!(parse_target(Some("too/many/parts")).is_err());
+    }
+
+    #[test]
+    fn test_parse_target_empty_string() {
+        let (ns, name) = parse_target(Some("")).unwrap();
+        assert_eq!(ns, Some(""));
+        assert!(name.is_none());
+    }
+
+    #[test]
+    fn test_domain_replace_single() {
+        let result = domain_replace("src.DOMAIN_SUFFIX/foo", "192.168.1.1.sslip.io");
+        assert_eq!(result, "src.192.168.1.1.sslip.io/foo");
+    }
+
+    #[test]
+    fn test_domain_replace_multiple() {
+        let result = domain_replace("DOMAIN_SUFFIX and DOMAIN_SUFFIX", "x.sslip.io");
+        assert_eq!(result, "x.sslip.io and x.sslip.io");
+    }
+
+    #[test]
+    fn test_domain_replace_none() {
+        let result = domain_replace("no match here", "x.sslip.io");
+        assert_eq!(result, "no match here");
+    }
+
+    #[tokio::test]
+    async fn test_ensure_tunnel_noop_when_ssh_host_empty() {
+        // When ssh_host is empty (local dev), ensure_tunnel should return Ok
+        // immediately without spawning any SSH process.
+        // SSH_HOST OnceLock may already be set from another test, but the
+        // default (unset) value is "" which is what we want. If it was set
+        // to a non-empty value by a prior test in the same process, this
+        // test would attempt a real SSH connection and fail — that is acceptable
+        // as a signal that test isolation changed.
+        //
+        // In a fresh test binary SSH_HOST is unset, so ssh_host() returns "".
+        let result = ensure_tunnel().await;
+        assert!(result.is_ok(), "ensure_tunnel should be a no-op when ssh_host is empty");
+    }
+
+    #[test]
+    fn test_create_secret_data_encoding() {
+        // Test that we can build the expected JSON structure for secret creation
+        let mut data = HashMap::new();
+        data.insert("username".to_string(), "admin".to_string());
+        data.insert("password".to_string(), "s3cret".to_string());
+
+        let mut encoded: serde_json::Map<String, serde_json::Value> = serde_json::Map::new();
+        for (k, v) in &data {
+            let b64 = base64::engine::general_purpose::STANDARD.encode(v.as_bytes());
+            encoded.insert(k.clone(), serde_json::Value::String(b64));
+        }
+
+        let secret_obj = serde_json::json!({
+            "apiVersion": "v1",
+            "kind": "Secret",
+            "metadata": {
+                "name": "test-secret",
+                "namespace": "default",
+            },
+            "type": "Opaque",
+            "data": encoded,
+        });
+
+        let json_str = serde_json::to_string(&secret_obj).unwrap();
+        assert!(json_str.contains("YWRtaW4=")); // base64("admin")
+        assert!(json_str.contains("czNjcmV0")); // base64("s3cret")
+    }
+}
diff --git a/sunbeam-sdk/src/kube/tools.rs b/sunbeam-sdk/src/kube/tools.rs
new file mode 100644
index 0000000..ac025ab
--- /dev/null
+++ b/sunbeam-sdk/src/kube/tools.rs
@@ -0,0 +1,180 @@
+use crate::error::{Result, ResultExt};
+use std::path::PathBuf;
+
+static KUSTOMIZE_BIN: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/kustomize"));
+static HELM_BIN: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/helm"));
+
+fn cache_dir() -> PathBuf {
+    dirs::data_dir()
+        .unwrap_or_else(|| dirs::home_dir().unwrap_or_else(|| PathBuf::from(".")))
+        .join("sunbeam")
+        .join("bin")
+}
+
+/// Extract an embedded binary to the cache directory if not already present.
+fn extract_embedded(data: &[u8], name: &str) -> Result<PathBuf> {
+    let dir = cache_dir();
+    std::fs::create_dir_all(&dir)
+        .with_ctx(|| format!("Failed to create cache dir: {}", dir.display()))?;
+
+    let dest = dir.join(name);
+
+    // Skip if already extracted and same size
+    if dest.exists() {
+        if let Ok(meta) = std::fs::metadata(&dest) {
+            if meta.len() == data.len() as u64 {
+                return Ok(dest);
+            }
+        }
+    }
+
+    std::fs::write(&dest, data)
+        .with_ctx(|| format!("Failed to write {}", dest.display()))?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        std::fs::set_permissions(&dest, std::fs::Permissions::from_mode(0o755))?;
+    }
+
+    Ok(dest)
+}
+
+/// Ensure kustomize is extracted and return its path.
+pub fn ensure_kustomize() -> Result<PathBuf> {
+    extract_embedded(KUSTOMIZE_BIN, "kustomize")
+}
+
+/// Ensure helm is extracted and return its path.
+pub fn ensure_helm() -> Result<PathBuf> {
+    extract_embedded(HELM_BIN, "helm")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn kustomize_bin_is_non_empty() {
+        assert!(
+            KUSTOMIZE_BIN.len() > 0,
+            "Embedded kustomize binary should not be empty"
+        );
+    }
+
+    #[test]
+    fn helm_bin_is_non_empty() {
+        assert!(
+            HELM_BIN.len() > 0,
+            "Embedded helm binary should not be empty"
+        );
+    }
+
+    #[test]
+    fn kustomize_bin_has_reasonable_size() {
+        // kustomize binary should be at least 1 MB
+        assert!(
+            KUSTOMIZE_BIN.len() > 1_000_000,
+            "Embedded kustomize binary seems too small: {} bytes",
+            KUSTOMIZE_BIN.len()
+        );
+    }
+
+    #[test]
+    fn helm_bin_has_reasonable_size() {
+        // helm binary should be at least 1 MB
+        assert!(
+            HELM_BIN.len() > 1_000_000,
+            "Embedded helm binary seems too small: {} bytes",
+            HELM_BIN.len()
+        );
+    }
+
+    #[test]
+    fn cache_dir_ends_with_sunbeam_bin() {
+        let dir = cache_dir();
+        assert!(
+            dir.ends_with("sunbeam/bin"),
+            "cache_dir() should end with sunbeam/bin, got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn cache_dir_is_absolute() {
+        let dir = cache_dir();
+        assert!(
+            dir.is_absolute(),
+            "cache_dir() should return an absolute path, got: {}",
+            dir.display()
+        );
+    }
+
+    #[test]
+    fn ensure_kustomize_returns_valid_path() {
+        let path = ensure_kustomize().expect("ensure_kustomize should succeed");
+        assert!(
+            path.ends_with("kustomize"),
+            "ensure_kustomize path should end with 'kustomize', got: {}",
+            path.display()
+        );
+        assert!(path.exists(), "kustomize binary should exist at: {}", path.display());
+    }
+
+    #[test]
+    fn ensure_helm_returns_valid_path() {
+        let path = ensure_helm().expect("ensure_helm should succeed");
+        assert!(
+            path.ends_with("helm"),
+            "ensure_helm path should end with 'helm', got: {}",
+            path.display()
+        );
+        assert!(path.exists(), "helm binary should exist at: {}", path.display());
+    }
+
+    #[test]
+    fn ensure_kustomize_is_idempotent() {
+        let path1 = ensure_kustomize().expect("first call should succeed");
+        let path2 = ensure_kustomize().expect("second call should succeed");
+        assert_eq!(path1, path2, "ensure_kustomize should return the same path on repeated calls");
+    }
+
+    #[test]
+    fn ensure_helm_is_idempotent() {
+        let path1 = ensure_helm().expect("first call should succeed");
+        let path2 = ensure_helm().expect("second call should succeed");
+        assert_eq!(path1, path2, "ensure_helm should return the same path on repeated calls");
+    }
+
+    #[test]
+    fn extracted_kustomize_is_executable() {
+        let path = ensure_kustomize().expect("ensure_kustomize should succeed");
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            let perms = std::fs::metadata(&path)
+                .expect("should read metadata")
+                .permissions();
+            assert!(
+                perms.mode() & 0o111 != 0,
+                "kustomize binary should be executable"
+            );
+        }
+    }
+
+    #[test]
+    fn extracted_helm_is_executable() {
+        let path = ensure_helm().expect("ensure_helm should succeed");
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            let perms = std::fs::metadata(&path)
+                .expect("should read metadata")
+                .permissions();
+            assert!(
+                perms.mode() & 0o111 != 0,
+                "helm binary should be executable"
+            );
+        }
+    }
+}
diff --git a/sunbeam-sdk/src/kube/tunnel.rs b/sunbeam-sdk/src/kube/tunnel.rs
new file mode 100644
index 0000000..adbdd9d
--- /dev/null
+++ b/sunbeam-sdk/src/kube/tunnel.rs
@@ -0,0 +1 @@
+// SSH tunnel management — reserved for future extraction.
diff --git a/sunbeam-sdk/src/lib.rs b/sunbeam-sdk/src/lib.rs
new file mode 100644
index 0000000..39ddabb
--- /dev/null
+++ b/sunbeam-sdk/src/lib.rs
@@ -0,0 +1,19 @@
+#[macro_use]
+pub mod error;
+
+pub mod auth;
+pub mod checks;
+pub mod cluster;
+pub mod config;
+pub mod constants;
+pub mod gitea;
+pub mod images;
+pub mod kube;
+pub mod manifests;
+pub mod openbao;
+pub mod output;
+pub mod pm;
+pub mod secrets;
+pub mod services;
+pub mod update;
+pub mod users;
diff --git a/sunbeam-sdk/src/manifests/mod.rs b/sunbeam-sdk/src/manifests/mod.rs
new file mode 100644
index 0000000..f0761b9
--- /dev/null
+++ b/sunbeam-sdk/src/manifests/mod.rs
@@ -0,0 +1,880 @@
+use crate::error::Result;
+use crate::constants::MANAGED_NS;
+
+/// Return only the YAML documents that belong to the given namespace.
+pub fn filter_by_namespace(manifests: &str, namespace: &str) -> String {
+    let mut kept = Vec::new();
+    for doc in manifests.split("\n---") {
+        let doc = doc.trim();
+        if doc.is_empty() {
+            continue;
+        }
+        let has_ns = doc.contains(&format!("namespace: {namespace}"));
+        let is_ns_resource =
+            doc.contains("kind: Namespace") && doc.contains(&format!("name: {namespace}"));
+        if has_ns || is_ns_resource {
+            kept.push(doc);
+        }
+    }
+    if kept.is_empty() {
+        return String::new();
+    }
+    format!("---\n{}\n", kept.join("\n---\n"))
+}
+
+/// Build kustomize overlay for env, substitute domain/email, apply via kube-rs.
+///
+/// Runs a second convergence pass if cert-manager is present in the overlay —
+/// cert-manager registers a ValidatingWebhook that must be running before
+/// ClusterIssuer / Certificate resources can be created.
+pub async fn cmd_apply(env: &str, domain: &str, email: &str, namespace: &str) -> Result<()> {
+    // Fall back to config for ACME email if not provided via CLI flag.
+    let email = if email.is_empty() {
+        crate::config::load_config().acme_email
+    } else {
+        email.to_string()
+    };
+
+    let infra_dir = crate::config::get_infra_dir();
+
+    let (resolved_domain, overlay) = if env == "production" {
+        let d = if domain.is_empty() {
+            crate::kube::get_domain().await?
+        } else {
+            domain.to_string()
+        };
+        if d.is_empty() {
+            bail!("--domain is required for production apply on first deploy");
+        }
+        let overlay = infra_dir.join("overlays").join("production");
+        (d, overlay)
+    } else {
+        // Local: discover domain from Lima IP
+        let d = crate::kube::get_domain().await?;
+        let overlay = infra_dir.join("overlays").join("local");
+        (d, overlay)
+    };
+
+    let scope = if namespace.is_empty() {
+        String::new()
+    } else {
+        format!(" [{namespace}]")
+    };
+    crate::output::step(&format!(
+        "Applying manifests (env: {env}, domain: {resolved_domain}){scope}..."
+    ));
+
+    if env == "local" {
+        apply_mkcert_ca_configmap().await;
+    }
+
+    let ns_list = if namespace.is_empty() {
+        None
+    } else {
+        Some(vec![namespace.to_string()])
+    };
+    pre_apply_cleanup(ns_list.as_deref()).await;
+
+    let before = snapshot_configmaps().await;
+    let mut manifests =
+        crate::kube::kustomize_build(&overlay, &resolved_domain, &email).await?;
+
+    if !namespace.is_empty() {
+        manifests = filter_by_namespace(&manifests, namespace);
+        if manifests.trim().is_empty() {
+            crate::output::warn(&format!(
+                "No resources found for namespace '{namespace}' -- check the name and try again."
+            ));
+            return Ok(());
+        }
+    }
+
+    // First pass: may emit errors for resources that depend on webhooks not yet running
+    if let Err(e) = crate::kube::kube_apply(&manifests).await {
+        crate::output::warn(&format!("First apply pass had errors (may be expected): {e}"));
+    }
+
+    // If cert-manager is in the overlay, wait for its webhook then re-apply
+    let cert_manager_present = overlay
+        .join("../../base/cert-manager")
+        .exists();
+
+    if cert_manager_present && namespace.is_empty() {
+        if wait_for_webhook("cert-manager", "cert-manager-webhook", 120).await {
+            crate::output::ok("Running convergence pass for cert-manager resources...");
+            let manifests2 =
+                crate::kube::kustomize_build(&overlay, &resolved_domain, &email).await?;
+            crate::kube::kube_apply(&manifests2).await?;
+        }
+    }
+
+    restart_for_changed_configmaps(&before, &snapshot_configmaps().await).await;
+
+    // Post-apply hooks
+    if namespace.is_empty() || namespace == "matrix" {
+        patch_tuwunel_oauth2_redirect(&resolved_domain).await;
+        inject_opensearch_model_id().await;
+    }
+    if namespace.is_empty() || namespace == "data" {
+        ensure_opensearch_ml().await;
+    }
+
+    crate::output::ok("Applied.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/// Delete immutable resources that must be re-created on each apply.
+async fn pre_apply_cleanup(namespaces: Option<&[String]>) {
+    let ns_list: Vec<&str> = match namespaces {
+        Some(ns) => ns.iter().map(|s| s.as_str()).collect(),
+        None => MANAGED_NS.to_vec(),
+    };
+
+    crate::output::ok("Cleaning up immutable Jobs and test Pods...");
+
+    // Prune stale VaultStaticSecrets that share a name with VaultDynamicSecrets
+    prune_stale_vault_static_secrets(&ns_list).await;
+
+    for ns in &ns_list {
+        // Delete all jobs
+        let client = match crate::kube::get_client().await {
+            Ok(c) => c,
+            Err(e) => {
+                crate::output::warn(&format!("Failed to get kube client: {e}"));
+                return;
+            }
+        };
+        let jobs: kube::api::Api<k8s_openapi::api::batch::v1::Job> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(job_list) = jobs.list(&kube::api::ListParams::default()).await {
+            for job in job_list.items {
+                if let Some(name) = &job.metadata.name {
+                    let dp = kube::api::DeleteParams::default();
+                    let _ = jobs.delete(name, &dp).await;
+                }
+            }
+        }
+
+        // Delete test pods
+        let pods: kube::api::Api<k8s_openapi::api::core::v1::Pod> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(pod_list) = pods.list(&kube::api::ListParams::default()).await {
+            for pod in pod_list.items {
+                if let Some(name) = &pod.metadata.name {
+                    if name.ends_with("-test-connection")
+                        || name.ends_with("-server-test")
+                        || name.ends_with("-test")
+                    {
+                        let dp = kube::api::DeleteParams::default();
+                        let _ = pods.delete(name, &dp).await;
+                    }
+                }
+            }
+        }
+    }
+}
+
+/// Prune VaultStaticSecrets that share a name with VaultDynamicSecrets in the same namespace.
+async fn prune_stale_vault_static_secrets(namespaces: &[&str]) {
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(e) => {
+            crate::output::warn(&format!("Failed to get kube client for VSS pruning: {e}"));
+            return;
+        }
+    };
+
+    let vss_ar = kube::api::ApiResource {
+        group: "secrets.hashicorp.com".into(),
+        version: "v1beta1".into(),
+        api_version: "secrets.hashicorp.com/v1beta1".into(),
+        kind: "VaultStaticSecret".into(),
+        plural: "vaultstaticsecrets".into(),
+    };
+
+    let vds_ar = kube::api::ApiResource {
+        group: "secrets.hashicorp.com".into(),
+        version: "v1beta1".into(),
+        api_version: "secrets.hashicorp.com/v1beta1".into(),
+        kind: "VaultDynamicSecret".into(),
+        plural: "vaultdynamicsecrets".into(),
+    };
+
+    for ns in namespaces {
+        let vss_api: kube::api::Api<kube::api::DynamicObject> =
+            kube::api::Api::namespaced_with(client.clone(), ns, &vss_ar);
+        let vds_api: kube::api::Api<kube::api::DynamicObject> =
+            kube::api::Api::namespaced_with(client.clone(), ns, &vds_ar);
+
+        let vss_list = match vss_api.list(&kube::api::ListParams::default()).await {
+            Ok(l) => l,
+            Err(_) => continue,
+        };
+        let vds_list = match vds_api.list(&kube::api::ListParams::default()).await {
+            Ok(l) => l,
+            Err(_) => continue,
+        };
+
+        let vds_names: std::collections::HashSet<String> = vds_list
+            .items
+            .iter()
+            .filter_map(|o| o.metadata.name.clone())
+            .collect();
+
+        for vss in &vss_list.items {
+            if let Some(name) = &vss.metadata.name {
+                if vds_names.contains(name) {
+                    crate::output::ok(&format!(
+                        "Pruning stale VaultStaticSecret {ns}/{name} (replaced by VaultDynamicSecret)"
+                    ));
+                    let dp = kube::api::DeleteParams::default();
+                    let _ = vss_api.delete(name, &dp).await;
+                }
+            }
+        }
+    }
+}
+
+/// Snapshot ConfigMap resourceVersions across managed namespaces.
+async fn snapshot_configmaps() -> std::collections::HashMap<String, String> {
+    let mut result = std::collections::HashMap::new();
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return result,
+    };
+
+    for ns in MANAGED_NS {
+        let cms: kube::api::Api<k8s_openapi::api::core::v1::ConfigMap> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(cm_list) = cms.list(&kube::api::ListParams::default()).await {
+            for cm in cm_list.items {
+                if let (Some(name), Some(rv)) = (
+                    &cm.metadata.name,
+                    &cm.metadata.resource_version,
+                ) {
+                    result.insert(format!("{ns}/{name}"), rv.clone());
+                }
+            }
+        }
+    }
+    result
+}
+
+/// Restart deployments that mount any ConfigMap whose resourceVersion changed.
+async fn restart_for_changed_configmaps(
+    before: &std::collections::HashMap<String, String>,
+    after: &std::collections::HashMap<String, String>,
+) {
+    let mut changed_by_ns: std::collections::HashMap<&str, std::collections::HashSet<&str>> =
+        std::collections::HashMap::new();
+
+    for (key, rv) in after {
+        if before.get(key) != Some(rv) {
+            if let Some((ns, name)) = key.split_once('/') {
+                changed_by_ns.entry(ns).or_default().insert(name);
+            }
+        }
+    }
+
+    if changed_by_ns.is_empty() {
+        return;
+    }
+
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return,
+    };
+
+    for (ns, cm_names) in &changed_by_ns {
+        let deps: kube::api::Api<k8s_openapi::api::apps::v1::Deployment> =
+            kube::api::Api::namespaced(client.clone(), ns);
+        if let Ok(dep_list) = deps.list(&kube::api::ListParams::default()).await {
+            for dep in dep_list.items {
+                let dep_name = dep.metadata.name.as_deref().unwrap_or("");
+                // Check if this deployment mounts any changed ConfigMap
+                let volumes = dep
+                    .spec
+                    .as_ref()
+                    .and_then(|s| s.template.spec.as_ref())
+                    .and_then(|s| s.volumes.as_ref());
+
+                if let Some(vols) = volumes {
+                    let mounts_changed = vols.iter().any(|v| {
+                        if let Some(cm) = &v.config_map {
+                            cm_names.contains(cm.name.as_str())
+                        } else {
+                            false
+                        }
+                    });
+                    if mounts_changed {
+                        crate::output::ok(&format!(
+                            "Restarting {ns}/{dep_name} (ConfigMap updated)..."
+                        ));
+                        let _ = crate::kube::kube_rollout_restart(ns, dep_name).await;
+                    }
+                }
+            }
+        }
+    }
+}
+
+/// Wait for a webhook endpoint to become ready.
+async fn wait_for_webhook(ns: &str, svc: &str, timeout_secs: u64) -> bool {
+    crate::output::ok(&format!(
+        "Waiting for {ns}/{svc} webhook (up to {timeout_secs}s)..."
+    ));
+    let deadline =
+        std::time::Instant::now() + std::time::Duration::from_secs(timeout_secs);
+
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return false,
+    };
+    let eps: kube::api::Api<k8s_openapi::api::core::v1::Endpoints> =
+        kube::api::Api::namespaced(client.clone(), ns);
+
+    loop {
+        if std::time::Instant::now() > deadline {
+            crate::output::warn(&format!(
+                "  {ns}/{svc} not ready after {timeout_secs}s -- continuing anyway."
+            ));
+            return false;
+        }
+
+        if let Ok(Some(ep)) = eps.get_opt(svc).await {
+            let has_addr = ep
+                .subsets
+                .as_ref()
+                .and_then(|ss| ss.first())
+                .and_then(|s| s.addresses.as_ref())
+                .is_some_and(|a| !a.is_empty());
+            if has_addr {
+                crate::output::ok(&format!("  {ns}/{svc} ready."));
+                return true;
+            }
+        }
+
+        tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+    }
+}
+
+/// Create/update gitea-mkcert-ca ConfigMap from the local mkcert root CA.
+async fn apply_mkcert_ca_configmap() {
+    let caroot = tokio::process::Command::new("mkcert")
+        .arg("-CAROOT")
+        .output()
+        .await;
+
+    let caroot_path = match caroot {
+        Ok(out) if out.status.success() => {
+            String::from_utf8_lossy(&out.stdout).trim().to_string()
+        }
+        _ => {
+            crate::output::warn("mkcert not found -- skipping gitea-mkcert-ca ConfigMap.");
+            return;
+        }
+    };
+
+    let ca_pem_path = std::path::Path::new(&caroot_path).join("rootCA.pem");
+    let ca_pem = match std::fs::read_to_string(&ca_pem_path) {
+        Ok(s) => s,
+        Err(_) => {
+            crate::output::warn(&format!(
+                "mkcert root CA not found at {} -- skipping.",
+                ca_pem_path.display()
+            ));
+            return;
+        }
+    };
+
+    let cm = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "ConfigMap",
+        "metadata": {"name": "gitea-mkcert-ca", "namespace": "devtools"},
+        "data": {"ca.crt": ca_pem},
+    });
+
+    let manifest = serde_json::to_string(&cm).unwrap_or_default();
+    if let Err(e) = crate::kube::kube_apply(&manifest).await {
+        crate::output::warn(&format!("Failed to apply gitea-mkcert-ca: {e}"));
+    } else {
+        crate::output::ok("gitea-mkcert-ca ConfigMap applied.");
+    }
+}
+
+/// Patch the tuwunel OAuth2Client redirect URI with the actual client_id.
+async fn patch_tuwunel_oauth2_redirect(domain: &str) {
+    let client_id = match crate::kube::kube_get_secret_field("matrix", "oidc-tuwunel", "CLIENT_ID")
+        .await
+    {
+        Ok(id) if !id.is_empty() => id,
+        _ => {
+            crate::output::warn(
+                "oidc-tuwunel secret not yet available -- skipping redirect URI patch.",
+            );
+            return;
+        }
+    };
+
+    let redirect_uri = format!(
+        "https://messages.{domain}/_matrix/client/unstable/login/sso/callback/{client_id}"
+    );
+
+    // Patch the OAuth2Client CRD via kube-rs
+    let client = match crate::kube::get_client().await {
+        Ok(c) => c,
+        Err(_) => return,
+    };
+
+    let ar = kube::api::ApiResource {
+        group: "hydra.ory.sh".into(),
+        version: "v1alpha1".into(),
+        api_version: "hydra.ory.sh/v1alpha1".into(),
+        kind: "OAuth2Client".into(),
+        plural: "oauth2clients".into(),
+    };
+
+    let api: kube::api::Api<kube::api::DynamicObject> =
+        kube::api::Api::namespaced_with(client.clone(), "matrix", &ar);
+
+    let patch = serde_json::json!({
+        "spec": {
+            "redirectUris": [redirect_uri]
+        }
+    });
+
+    let pp = kube::api::PatchParams::default();
+    if let Err(e) = api
+        .patch("tuwunel", &pp, &kube::api::Patch::Merge(patch))
+        .await
+    {
+        crate::output::warn(&format!("Failed to patch tuwunel OAuth2Client: {e}"));
+    } else {
+        crate::output::ok("Patched tuwunel OAuth2Client redirect URI.");
+    }
+}
+
+// ---------------------------------------------------------------------------
+// OpenSearch helpers (kube exec + curl inside pod)
+// ---------------------------------------------------------------------------
+
+/// Call OpenSearch API via kube exec curl inside the opensearch pod.
+async fn os_api(path: &str, method: &str, body: Option<&str>) -> Option<String> {
+    let url = format!("http://localhost:9200{path}");
+    let mut curl_args: Vec<&str> = vec!["curl", "-sf", &url];
+    if method != "GET" {
+        curl_args.extend_from_slice(&["-X", method]);
+    }
+    let body_string;
+    if let Some(b) = body {
+        body_string = b.to_string();
+        curl_args.extend_from_slice(&["-H", "Content-Type: application/json", "-d", &body_string]);
+    }
+
+    // Build the full exec command: exec deploy/opensearch -n data -c opensearch -- curl ...
+    let exec_cmd = curl_args;
+
+    match crate::kube::kube_exec("data", "opensearch-0", &exec_cmd, Some("opensearch")).await {
+        Ok((0, out)) if !out.is_empty() => Some(out),
+        _ => None,
+    }
+}
+
+/// Inject OpenSearch model_id into matrix/opensearch-ml-config ConfigMap.
+async fn inject_opensearch_model_id() {
+    let pipe_resp =
+        match os_api("/_ingest/pipeline/tuwunel_embedding_pipeline", "GET", None).await {
+            Some(r) => r,
+            None => {
+                crate::output::warn(
+                    "OpenSearch ingest pipeline not found -- skipping model_id injection.",
+                );
+                return;
+            }
+        };
+
+    let model_id = serde_json::from_str::<serde_json::Value>(&pipe_resp)
+        .ok()
+        .and_then(|v| {
+            v.get("tuwunel_embedding_pipeline")?
+                .get("processors")?
+                .as_array()?
+                .iter()
+                .find_map(|p| {
+                    p.get("text_embedding")?
+                        .get("model_id")?
+                        .as_str()
+                        .map(String::from)
+                })
+        });
+
+    let Some(model_id) = model_id else {
+        crate::output::warn(
+            "No model_id in ingest pipeline -- tuwunel hybrid search unavailable.",
+        );
+        return;
+    };
+
+    // Check if ConfigMap already has this value
+    if let Ok(current) =
+        crate::kube::kube_get_secret_field("matrix", "opensearch-ml-config", "model_id").await
+    {
+        if current == model_id {
+            return;
+        }
+    }
+
+    let cm = serde_json::json!({
+        "apiVersion": "v1",
+        "kind": "ConfigMap",
+        "metadata": {"name": "opensearch-ml-config", "namespace": "matrix"},
+        "data": {"model_id": &model_id},
+    });
+
+    let manifest = serde_json::to_string(&cm).unwrap_or_default();
+    if let Err(e) = crate::kube::kube_apply(&manifest).await {
+        crate::output::warn(&format!("Failed to inject OpenSearch model_id: {e}"));
+    } else {
+        crate::output::ok(&format!(
+            "Injected OpenSearch model_id ({model_id}) into matrix/opensearch-ml-config."
+        ));
+    }
+}
+
+/// Configure OpenSearch ML Commons for neural search.
+///
+/// 1. Sets cluster settings to allow ML on data nodes.
+/// 2. Registers and deploys all-mpnet-base-v2 (pre-trained, 384-dim).
+/// 3. Creates ingest + search pipelines for hybrid BM25+neural scoring.
+async fn ensure_opensearch_ml() {
+    if os_api("/_cluster/health", "GET", None).await.is_none() {
+        crate::output::warn("OpenSearch not reachable -- skipping ML setup.");
+        return;
+    }
+
+    // 1. ML Commons cluster settings
+    let settings = serde_json::json!({
+        "persistent": {
+            "plugins.ml_commons.only_run_on_ml_node": false,
+            "plugins.ml_commons.native_memory_threshold": 90,
+            "plugins.ml_commons.model_access_control_enabled": false,
+            "plugins.ml_commons.allow_registering_model_via_url": true,
+        }
+    });
+    os_api(
+        "/_cluster/settings",
+        "PUT",
+        Some(&serde_json::to_string(&settings).unwrap()),
+    )
+    .await;
+
+    // 2. Check if model already registered and deployed
+    let search_body =
+        r#"{"query":{"match":{"name":"huggingface/sentence-transformers/all-mpnet-base-v2"}}}"#;
+    let search_resp = match os_api("/_plugins/_ml/models/_search", "POST", Some(search_body)).await
+    {
+        Some(r) => r,
+        None => {
+            crate::output::warn("OpenSearch ML search API failed -- skipping ML setup.");
+            return;
+        }
+    };
+
+    let resp: serde_json::Value = match serde_json::from_str(&search_resp) {
+        Ok(v) => v,
+        Err(_) => return,
+    };
+
+    let hits = resp
+        .get("hits")
+        .and_then(|h| h.get("hits"))
+        .and_then(|h| h.as_array())
+        .cloned()
+        .unwrap_or_default();
+
+    let mut model_id: Option<String> = None;
+    let mut already_deployed = false;
+
+    for hit in &hits {
+        let state = hit
+            .get("_source")
+            .and_then(|s| s.get("model_state"))
+            .and_then(|v| v.as_str())
+            .unwrap_or("");
+        let id = hit.get("_id").and_then(|v| v.as_str()).unwrap_or("");
+        match state {
+            "DEPLOYED" => {
+                model_id = Some(id.to_string());
+                already_deployed = true;
+                break;
+            }
+            "REGISTERED" | "DEPLOYING" => {
+                model_id = Some(id.to_string());
+            }
+            _ => {}
+        }
+    }
+
+    if !already_deployed {
+        if let Some(ref mid) = model_id {
+            // Registered but not deployed -- deploy it
+            crate::output::ok("Deploying OpenSearch ML model...");
+            os_api(
+                &format!("/_plugins/_ml/models/{mid}/_deploy"),
+                "POST",
+                None,
+            )
+            .await;
+            for _ in 0..30 {
+                tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+                if let Some(r) =
+                    os_api(&format!("/_plugins/_ml/models/{mid}"), "GET", None).await
+                {
+                    if r.contains("\"DEPLOYED\"") {
+                        break;
+                    }
+                }
+            }
+        } else {
+            // Register from pre-trained hub
+            crate::output::ok("Registering OpenSearch ML model (all-mpnet-base-v2)...");
+            let reg_body = serde_json::json!({
+                "name": "huggingface/sentence-transformers/all-mpnet-base-v2",
+                "version": "1.0.1",
+                "model_format": "TORCH_SCRIPT",
+            });
+            let reg_resp = match os_api(
+                "/_plugins/_ml/models/_register",
+                "POST",
+                Some(&serde_json::to_string(&reg_body).unwrap()),
+            )
+            .await
+            {
+                Some(r) => r,
+                None => {
+                    crate::output::warn("Failed to register ML model -- skipping.");
+                    return;
+                }
+            };
+
+            let task_id = serde_json::from_str::<serde_json::Value>(&reg_resp)
+                .ok()
+                .and_then(|v| v.get("task_id")?.as_str().map(String::from))
+                .unwrap_or_default();
+
+            if task_id.is_empty() {
+                crate::output::warn("No task_id from model registration -- skipping.");
+                return;
+            }
+
+            crate::output::ok("Waiting for model registration...");
+            let mut registered_id = None;
+            for _ in 0..60 {
+                tokio::time::sleep(std::time::Duration::from_secs(10)).await;
+                if let Some(task_resp) =
+                    os_api(&format!("/_plugins/_ml/tasks/{task_id}"), "GET", None).await
+                {
+                    if let Ok(task) = serde_json::from_str::<serde_json::Value>(&task_resp) {
+                        match task.get("state").and_then(|v| v.as_str()).unwrap_or("") {
+                            "COMPLETED" => {
+                                registered_id = task
+                                    .get("model_id")
+                                    .and_then(|v| v.as_str())
+                                    .map(String::from);
+                                break;
+                            }
+                            "FAILED" => {
+                                crate::output::warn(&format!(
+                                    "ML model registration failed: {task_resp}"
+                                ));
+                                return;
+                            }
+                            _ => {}
+                        }
+                    }
+                }
+            }
+
+            let Some(mid) = registered_id else {
+                crate::output::warn("ML model registration timed out.");
+                return;
+            };
+
+            crate::output::ok("Deploying ML model...");
+            os_api(
+                &format!("/_plugins/_ml/models/{mid}/_deploy"),
+                "POST",
+                None,
+            )
+            .await;
+            for _ in 0..30 {
+                tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+                if let Some(r) =
+                    os_api(&format!("/_plugins/_ml/models/{mid}"), "GET", None).await
+                {
+                    if r.contains("\"DEPLOYED\"") {
+                        break;
+                    }
+                }
+            }
+            model_id = Some(mid);
+        }
+    }
+
+    let Some(model_id) = model_id else {
+        crate::output::warn("No ML model available -- skipping pipeline setup.");
+        return;
+    };
+
+    // 3. Ingest pipeline
+    let ingest = serde_json::json!({
+        "description": "Tuwunel message embedding pipeline",
+        "processors": [{"text_embedding": {
+            "model_id": &model_id,
+            "field_map": {"body": "embedding"},
+        }}],
+    });
+    os_api(
+        "/_ingest/pipeline/tuwunel_embedding_pipeline",
+        "PUT",
+        Some(&serde_json::to_string(&ingest).unwrap()),
+    )
+    .await;
+
+    // 4. Search pipeline
+    let search = serde_json::json!({
+        "description": "Tuwunel hybrid BM25+neural search pipeline",
+        "phase_results_processors": [{"normalization-processor": {
+            "normalization": {"technique": "min_max"},
+            "combination": {
+                "technique": "arithmetic_mean",
+                "parameters": {"weights": [0.3, 0.7]},
+            },
+        }}],
+    });
+    os_api(
+        "/_search/pipeline/tuwunel_hybrid_pipeline",
+        "PUT",
+        Some(&serde_json::to_string(&search).unwrap()),
+    )
+    .await;
+
+    crate::output::ok(&format!("OpenSearch ML ready (model: {model_id})."));
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    const MULTI_DOC: &str = "\
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: meet-config
+  namespace: lasuite
+data:
+  FOO: bar
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: meet-backend
+  namespace: lasuite
+spec:
+  replicas: 1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: lasuite
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pingora-config
+  namespace: ingress
+data:
+  config.toml: |
+    hello
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pingora
+  namespace: ingress
+spec:
+  replicas: 1
+";
+
+    #[test]
+    fn test_keeps_matching_namespace() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(result.contains("name: meet-config"));
+        assert!(result.contains("name: meet-backend"));
+    }
+
+    #[test]
+    fn test_excludes_other_namespaces() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(!result.contains("namespace: ingress"));
+        assert!(!result.contains("name: pingora-config"));
+        assert!(!result.contains("name: pingora\n"));
+    }
+
+    #[test]
+    fn test_includes_namespace_resource_itself() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(result.contains("kind: Namespace"));
+    }
+
+    #[test]
+    fn test_ingress_filter() {
+        let result = filter_by_namespace(MULTI_DOC, "ingress");
+        assert!(result.contains("name: pingora-config"));
+        assert!(result.contains("name: pingora"));
+        assert!(!result.contains("namespace: lasuite"));
+    }
+
+    #[test]
+    fn test_unknown_namespace_returns_empty() {
+        let result = filter_by_namespace(MULTI_DOC, "nonexistent");
+        assert!(result.trim().is_empty());
+    }
+
+    #[test]
+    fn test_empty_input_returns_empty() {
+        let result = filter_by_namespace("", "lasuite");
+        assert!(result.trim().is_empty());
+    }
+
+    #[test]
+    fn test_result_starts_with_separator() {
+        let result = filter_by_namespace(MULTI_DOC, "lasuite");
+        assert!(result.starts_with("---"));
+    }
+
+    #[test]
+    fn test_does_not_include_namespace_resource_for_wrong_ns() {
+        let result = filter_by_namespace(MULTI_DOC, "ingress");
+        assert!(!result.contains("kind: Namespace"));
+    }
+
+    #[test]
+    fn test_single_doc_matching() {
+        let doc = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: x\n  namespace: ory\n";
+        let result = filter_by_namespace(doc, "ory");
+        assert!(result.contains("name: x"));
+    }
+
+    #[test]
+    fn test_single_doc_not_matching() {
+        let doc = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: x\n  namespace: ory\n";
+        let result = filter_by_namespace(doc, "lasuite");
+        assert!(result.trim().is_empty());
+    }
+}
diff --git a/sunbeam-sdk/src/openbao/mod.rs b/sunbeam-sdk/src/openbao/mod.rs
new file mode 100644
index 0000000..cdea8d9
--- /dev/null
+++ b/sunbeam-sdk/src/openbao/mod.rs
@@ -0,0 +1,498 @@
+//! Lightweight OpenBao/Vault HTTP API client.
+//!
+//! Replaces all `kubectl exec openbao-0 -- sh -c "bao ..."` calls from the
+//! Python version with direct HTTP API calls via port-forward to openbao:8200.
+
+use crate::error::{Result, ResultExt};
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+
+/// OpenBao HTTP client wrapping a base URL and optional root token.
+#[derive(Clone)]
+pub struct BaoClient {
+    pub base_url: String,
+    pub token: Option<String>,
+    http: reqwest::Client,
+}
+
+// ── API response types ──────────────────────────────────────────────────────
+
+#[derive(Debug, Deserialize)]
+pub struct InitResponse {
+    pub unseal_keys_b64: Vec<String>,
+    pub root_token: String,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct SealStatusResponse {
+    #[serde(default)]
+    pub initialized: bool,
+    #[serde(default)]
+    pub sealed: bool,
+    #[serde(default)]
+    pub progress: u32,
+    #[serde(default)]
+    pub t: u32,
+    #[serde(default)]
+    pub n: u32,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct UnsealResponse {
+    #[serde(default)]
+    pub sealed: bool,
+    #[serde(default)]
+    pub progress: u32,
+}
+
+/// KV v2 read response wrapper.
+#[derive(Debug, Deserialize)]
+struct KvReadResponse {
+    data: Option<KvReadData>,
+}
+
+#[derive(Debug, Deserialize)]
+struct KvReadData {
+    data: Option<HashMap<String, serde_json::Value>>,
+}
+
+// ── Client implementation ───────────────────────────────────────────────────
+
+impl BaoClient {
+    /// Create a new client pointing at `base_url` (e.g. `http://localhost:8200`).
+    pub fn new(base_url: &str) -> Self {
+        Self {
+            base_url: base_url.trim_end_matches('/').to_string(),
+            token: None,
+            http: reqwest::Client::new(),
+        }
+    }
+
+    /// Create a client with an authentication token.
+    pub fn with_token(base_url: &str, token: &str) -> Self {
+        let mut client = Self::new(base_url);
+        client.token = Some(token.to_string());
+        client
+    }
+
+    fn url(&self, path: &str) -> String {
+        format!("{}/v1/{}", self.base_url, path.trim_start_matches('/'))
+    }
+
+    fn request(&self, method: reqwest::Method, path: &str) -> reqwest::RequestBuilder {
+        let mut req = self.http.request(method, self.url(path));
+        if let Some(ref token) = self.token {
+            req = req.header("X-Vault-Token", token);
+        }
+        req
+    }
+
+    // ── System operations ───────────────────────────────────────────────
+
+    /// Get the seal status of the OpenBao instance.
+    pub async fn seal_status(&self) -> Result<SealStatusResponse> {
+        let resp = self
+            .http
+            .get(format!("{}/v1/sys/seal-status", self.base_url))
+            .send()
+            .await
+            .ctx("Failed to connect to OpenBao")?;
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("OpenBao seal-status returned {status}: {body}");
+        }
+        resp.json().await.ctx("Failed to parse seal status")
+    }
+
+    /// Initialize OpenBao with the given number of key shares and threshold.
+    pub async fn init(&self, key_shares: u32, key_threshold: u32) -> Result<InitResponse> {
+        #[derive(Serialize)]
+        struct InitRequest {
+            secret_shares: u32,
+            secret_threshold: u32,
+        }
+
+        let resp = self
+            .http
+            .put(format!("{}/v1/sys/init", self.base_url))
+            .json(&InitRequest {
+                secret_shares: key_shares,
+                secret_threshold: key_threshold,
+            })
+            .send()
+            .await
+            .ctx("Failed to initialize OpenBao")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("OpenBao init returned {status}: {body}");
+        }
+        resp.json().await.ctx("Failed to parse init response")
+    }
+
+    /// Unseal OpenBao with one key share.
+    pub async fn unseal(&self, key: &str) -> Result<UnsealResponse> {
+        #[derive(Serialize)]
+        struct UnsealRequest<'a> {
+            key: &'a str,
+        }
+
+        let resp = self
+            .http
+            .put(format!("{}/v1/sys/unseal", self.base_url))
+            .json(&UnsealRequest { key })
+            .send()
+            .await
+            .ctx("Failed to unseal OpenBao")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("OpenBao unseal returned {status}: {body}");
+        }
+        resp.json().await.ctx("Failed to parse unseal response")
+    }
+
+    // ── Secrets engine management ───────────────────────────────────────
+
+    /// Enable a secrets engine at the given path.
+    /// Returns Ok(()) even if already enabled (400 is tolerated).
+    pub async fn enable_secrets_engine(&self, path: &str, engine_type: &str) -> Result<()> {
+        #[derive(Serialize)]
+        struct EnableRequest<'a> {
+            r#type: &'a str,
+        }
+
+        let resp = self
+            .request(reqwest::Method::POST, &format!("sys/mounts/{path}"))
+            .json(&EnableRequest {
+                r#type: engine_type,
+            })
+            .send()
+            .await
+            .ctx("Failed to enable secrets engine")?;
+
+        let status = resp.status();
+        if status.is_success() || status.as_u16() == 400 {
+            // 400 = "path is already in use" — idempotent
+            Ok(())
+        } else {
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Enable secrets engine {path} returned {status}: {body}");
+        }
+    }
+
+    // ── KV v2 operations ────────────────────────────────────────────────
+
+    /// Read all fields from a KV v2 secret path.
+    /// Returns None if the path doesn't exist (404).
+    pub async fn kv_get(&self, mount: &str, path: &str) -> Result<Option<HashMap<String, String>>> {
+        let resp = self
+            .request(reqwest::Method::GET, &format!("{mount}/data/{path}"))
+            .send()
+            .await
+            .ctx("Failed to read KV secret")?;
+
+        if resp.status().as_u16() == 404 {
+            return Ok(None);
+        }
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV get {mount}/{path} returned {status}: {body}");
+        }
+
+        let kv_resp: KvReadResponse = resp.json().await.ctx("Failed to parse KV response")?;
+        let data = kv_resp
+            .data
+            .and_then(|d| d.data)
+            .unwrap_or_default();
+
+        // Convert all values to strings
+        let result: HashMap<String, String> = data
+            .into_iter()
+            .map(|(k, v)| {
+                let s = match v {
+                    serde_json::Value::String(s) => s,
+                    other => other.to_string(),
+                };
+                (k, s)
+            })
+            .collect();
+
+        Ok(Some(result))
+    }
+
+    /// Read a single field from a KV v2 secret path.
+    /// Returns empty string if path or field doesn't exist.
+    pub async fn kv_get_field(&self, mount: &str, path: &str, field: &str) -> Result<String> {
+        match self.kv_get(mount, path).await? {
+            Some(data) => Ok(data.get(field).cloned().unwrap_or_default()),
+            None => Ok(String::new()),
+        }
+    }
+
+    /// Write (create or overwrite) all fields in a KV v2 secret path.
+    pub async fn kv_put(
+        &self,
+        mount: &str,
+        path: &str,
+        data: &HashMap<String, String>,
+    ) -> Result<()> {
+        #[derive(Serialize)]
+        struct KvWriteRequest<'a> {
+            data: &'a HashMap<String, String>,
+        }
+
+        let resp = self
+            .request(reqwest::Method::POST, &format!("{mount}/data/{path}"))
+            .json(&KvWriteRequest { data })
+            .send()
+            .await
+            .ctx("Failed to write KV secret")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV put {mount}/{path} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    /// Patch (merge) fields into an existing KV v2 secret path.
+    pub async fn kv_patch(
+        &self,
+        mount: &str,
+        path: &str,
+        data: &HashMap<String, String>,
+    ) -> Result<()> {
+        #[derive(Serialize)]
+        struct KvWriteRequest<'a> {
+            data: &'a HashMap<String, String>,
+        }
+
+        let resp = self
+            .request(reqwest::Method::PATCH, &format!("{mount}/data/{path}"))
+            .header("Content-Type", "application/merge-patch+json")
+            .json(&KvWriteRequest { data })
+            .send()
+            .await
+            .ctx("Failed to patch KV secret")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV patch {mount}/{path} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    /// Delete a KV v2 secret path (soft delete — deletes latest version).
+    pub async fn kv_delete(&self, mount: &str, path: &str) -> Result<()> {
+        let resp = self
+            .request(reqwest::Method::DELETE, &format!("{mount}/data/{path}"))
+            .send()
+            .await
+            .ctx("Failed to delete KV secret")?;
+
+        // 404 is fine (already deleted)
+        if !resp.status().is_success() && resp.status().as_u16() != 404 {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("KV delete {mount}/{path} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    // ── Auth operations ─────────────────────────────────────────────────
+
+    /// Enable an auth method at the given path.
+    /// Tolerates "already enabled" (400/409).
+    pub async fn auth_enable(&self, path: &str, method_type: &str) -> Result<()> {
+        #[derive(Serialize)]
+        struct AuthEnableRequest<'a> {
+            r#type: &'a str,
+        }
+
+        let resp = self
+            .request(reqwest::Method::POST, &format!("sys/auth/{path}"))
+            .json(&AuthEnableRequest {
+                r#type: method_type,
+            })
+            .send()
+            .await
+            .ctx("Failed to enable auth method")?;
+
+        let status = resp.status();
+        if status.is_success() || status.as_u16() == 400 {
+            Ok(())
+        } else {
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Enable auth {path} returned {status}: {body}");
+        }
+    }
+
+    /// Write a policy.
+    pub async fn write_policy(&self, name: &str, policy_hcl: &str) -> Result<()> {
+        #[derive(Serialize)]
+        struct PolicyRequest<'a> {
+            policy: &'a str,
+        }
+
+        let resp = self
+            .request(
+                reqwest::Method::PUT,
+                &format!("sys/policies/acl/{name}"),
+            )
+            .json(&PolicyRequest { policy: policy_hcl })
+            .send()
+            .await
+            .ctx("Failed to write policy")?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Write policy {name} returned {status}: {body}");
+        }
+        Ok(())
+    }
+
+    /// Write to an arbitrary API path (for auth config, roles, database config, etc.).
+    pub async fn write(
+        &self,
+        path: &str,
+        data: &serde_json::Value,
+    ) -> Result<serde_json::Value> {
+        let resp = self
+            .request(reqwest::Method::POST, path)
+            .json(data)
+            .send()
+            .await
+            .with_ctx(|| format!("Failed to write to {path}"))?;
+
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Write {path} returned {status}: {body}");
+        }
+
+        let body = resp.text().await.unwrap_or_default();
+        if body.is_empty() {
+            Ok(serde_json::Value::Null)
+        } else {
+            serde_json::from_str(&body).ctx("Failed to parse write response")
+        }
+    }
+
+    /// Read from an arbitrary API path.
+    pub async fn read(&self, path: &str) -> Result<Option<serde_json::Value>> {
+        let resp = self
+            .request(reqwest::Method::GET, path)
+            .send()
+            .await
+            .with_ctx(|| format!("Failed to read {path}"))?;
+
+        if resp.status().as_u16() == 404 {
+            return Ok(None);
+        }
+        if !resp.status().is_success() {
+            let status = resp.status();
+            let body = resp.text().await.unwrap_or_default();
+            bail!("Read {path} returned {status}: {body}");
+        }
+
+        let body = resp.text().await.unwrap_or_default();
+        if body.is_empty() {
+            Ok(Some(serde_json::Value::Null))
+        } else {
+            Ok(Some(serde_json::from_str(&body)?))
+        }
+    }
+
+    // ── Database secrets engine ─────────────────────────────────────────
+
+    /// Configure the database secrets engine connection.
+    pub async fn write_db_config(
+        &self,
+        name: &str,
+        plugin: &str,
+        connection_url: &str,
+        username: &str,
+        password: &str,
+        allowed_roles: &str,
+    ) -> Result<()> {
+        let data = serde_json::json!({
+            "plugin_name": plugin,
+            "connection_url": connection_url,
+            "username": username,
+            "password": password,
+            "allowed_roles": allowed_roles,
+        });
+        self.write(&format!("database/config/{name}"), &data).await?;
+        Ok(())
+    }
+
+    /// Create a database static role.
+    pub async fn write_db_static_role(
+        &self,
+        name: &str,
+        db_name: &str,
+        username: &str,
+        rotation_period: u64,
+        rotation_statements: &[&str],
+    ) -> Result<()> {
+        let data = serde_json::json!({
+            "db_name": db_name,
+            "username": username,
+            "rotation_period": rotation_period,
+            "rotation_statements": rotation_statements,
+        });
+        self.write(&format!("database/static-roles/{name}"), &data)
+            .await?;
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_client_url_construction() {
+        let client = BaoClient::new("http://localhost:8200");
+        assert_eq!(client.url("sys/seal-status"), "http://localhost:8200/v1/sys/seal-status");
+        assert_eq!(client.url("/sys/seal-status"), "http://localhost:8200/v1/sys/seal-status");
+    }
+
+    #[test]
+    fn test_client_url_strips_trailing_slash() {
+        let client = BaoClient::new("http://localhost:8200/");
+        assert_eq!(client.base_url, "http://localhost:8200");
+    }
+
+    #[test]
+    fn test_with_token() {
+        let client = BaoClient::with_token("http://localhost:8200", "mytoken");
+        assert_eq!(client.token, Some("mytoken".to_string()));
+    }
+
+    #[test]
+    fn test_new_has_no_token() {
+        let client = BaoClient::new("http://localhost:8200");
+        assert!(client.token.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_seal_status_error_on_nonexistent_server() {
+        // Connecting to a port where nothing is listening should produce an
+        // error (connection refused), not a panic or hang.
+        let client = BaoClient::new("http://127.0.0.1:19999");
+        let result = client.seal_status().await;
+        assert!(
+            result.is_err(),
+            "seal_status should return an error when the server is unreachable"
+        );
+    }
+}
diff --git a/sunbeam-sdk/src/output.rs b/sunbeam-sdk/src/output.rs
new file mode 100644
index 0000000..af5f5a9
--- /dev/null
+++ b/sunbeam-sdk/src/output.rs
@@ -0,0 +1,92 @@
+/// Print a step header.
+pub fn step(msg: &str) {
+    println!("\n==> {msg}");
+}
+
+/// Print a success/info line.
+pub fn ok(msg: &str) {
+    println!("    {msg}");
+}
+
+/// Print a warning to stderr.
+pub fn warn(msg: &str) {
+    eprintln!("    WARN: {msg}");
+}
+
+/// Return an aligned text table. Columns padded to max width.
+pub fn table(rows: &[Vec<String>], headers: &[&str]) -> String {
+    if headers.is_empty() {
+        return String::new();
+    }
+
+    let mut col_widths: Vec<usize> = headers.iter().map(|h| h.len()).collect();
+    for row in rows {
+        for (i, cell) in row.iter().enumerate() {
+            if i < col_widths.len() {
+                col_widths[i] = col_widths[i].max(cell.len());
+            }
+        }
+    }
+
+    let header_line: String = headers
+        .iter()
+        .enumerate()
+        .map(|(i, h)| format!("{:<width$}", h, width = col_widths[i]))
+        .collect::<Vec<_>>()
+        .join("  ");
+
+    let separator: String = col_widths
+        .iter()
+        .map(|&w| "-".repeat(w))
+        .collect::<Vec<_>>()
+        .join("  ");
+
+    let mut lines = vec![header_line, separator];
+
+    for row in rows {
+        let cells: Vec<String> = (0..headers.len())
+            .map(|i| {
+                let val = row.get(i).map(|s| s.as_str()).unwrap_or("");
+                format!("{:<width$}", val, width = col_widths[i])
+            })
+            .collect();
+        lines.push(cells.join("  "));
+    }
+
+    lines.join("\n")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_table_basic() {
+        let rows = vec![
+            vec!["abc".to_string(), "def".to_string()],
+            vec!["x".to_string(), "longer".to_string()],
+        ];
+        let result = table(&rows, &["Col1", "Col2"]);
+        assert!(result.contains("Col1"));
+        assert!(result.contains("Col2"));
+        assert!(result.contains("abc"));
+        assert!(result.contains("longer"));
+    }
+
+    #[test]
+    fn test_table_empty_headers() {
+        let result = table(&[], &[]);
+        assert!(result.is_empty());
+    }
+
+    #[test]
+    fn test_table_column_widths() {
+        let rows = vec![vec!["short".to_string(), "x".to_string()]];
+        let result = table(&rows, &["LongHeader", "H2"]);
+        // Header should set minimum width
+        for line in result.lines().skip(2) {
+            // Data row: "short" should be padded to "LongHeader" width
+            assert!(line.starts_with("short     "));
+        }
+    }
+}
diff --git a/sunbeam-sdk/src/pm/gitea_issues.rs b/sunbeam-sdk/src/pm/gitea_issues.rs
new file mode 100644
index 0000000..6db1aa4
--- /dev/null
+++ b/sunbeam-sdk/src/pm/gitea_issues.rs
@@ -0,0 +1,420 @@
+//! Gitea issues client.
+
+use serde::{Deserialize, Serialize};
+
+use crate::error::{Result, SunbeamError};
+use super::{Ticket, Source, Status};
+
+// ---------------------------------------------------------------------------
+// IssueUpdate
+// ---------------------------------------------------------------------------
+
+/// Update payload for a Gitea issue.
+#[derive(Debug, Default, Serialize)]
+pub struct IssueUpdate {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub title: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub body: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub state: Option<String>,
+}
+
+// ---------------------------------------------------------------------------
+// GiteaClient
+// ---------------------------------------------------------------------------
+
+pub(super) struct GiteaClient {
+    base_url: String,
+    token: String,
+    http: reqwest::Client,
+}
+
+/// Serde helpers for Gitea JSON responses.
+pub(super) mod gitea_json {
+    use super::*;
+
+    #[derive(Debug, Deserialize)]
+    pub struct Issue {
+        pub number: u64,
+        #[serde(default)]
+        pub title: String,
+        #[serde(default)]
+        pub body: Option<String>,
+        #[serde(default)]
+        pub state: String,
+        #[serde(default)]
+        pub assignees: Option<Vec<GiteaUser>>,
+        #[serde(default)]
+        pub labels: Option<Vec<GiteaLabel>>,
+        #[serde(default)]
+        pub created_at: Option<String>,
+        #[serde(default)]
+        pub updated_at: Option<String>,
+        #[serde(default)]
+        pub html_url: Option<String>,
+        #[serde(default)]
+        pub repository: Option<Repository>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct GiteaUser {
+        #[serde(default)]
+        pub login: String,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct GiteaLabel {
+        #[serde(default)]
+        pub name: String,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Repository {
+        #[serde(default)]
+        pub full_name: Option<String>,
+    }
+
+    impl Issue {
+        pub fn to_ticket(self, base_url: &str, org: &str, repo: &str) -> Ticket {
+            let status = state_to_status(&self.state);
+            let assignees = self
+                .assignees
+                .unwrap_or_default()
+                .into_iter()
+                .map(|u| u.login)
+                .collect();
+            let labels = self
+                .labels
+                .unwrap_or_default()
+                .into_iter()
+                .map(|l| l.name)
+                .collect();
+            let web_base = base_url.trim_end_matches("/api/v1");
+            let url = self
+                .html_url
+                .unwrap_or_else(|| format!("{web_base}/{org}/{repo}/issues/{}", self.number));
+
+            Ticket {
+                id: format!("g:{org}/{repo}#{}", self.number),
+                source: Source::Gitea,
+                title: self.title,
+                description: self.body.unwrap_or_default(),
+                status,
+                assignees,
+                labels,
+                created_at: self.created_at.unwrap_or_default(),
+                updated_at: self.updated_at.unwrap_or_default(),
+                url,
+            }
+        }
+    }
+
+    /// Map Gitea issue state to normalised status.
+    pub fn state_to_status(state: &str) -> Status {
+        match state {
+            "open" => Status::Open,
+            "closed" => Status::Closed,
+            _ => Status::Open,
+        }
+    }
+}
+
+impl GiteaClient {
+    /// Create a new Gitea client using the Hydra OAuth2 token.
+    pub(super) async fn new(domain: &str) -> Result<Self> {
+        let base_url = format!("https://src.{domain}/api/v1");
+        // Gitea needs its own PAT, not the Hydra access token
+        let token = crate::auth::get_gitea_token()?;
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .build()
+            .map_err(|e| SunbeamError::network(format!("Failed to build HTTP client: {e}")))?;
+
+        Ok(Self {
+            base_url,
+            token,
+            http,
+        })
+    }
+
+    /// Build a request with Gitea PAT auth (`Authorization: token <pat>`).
+    #[allow(dead_code)]
+    fn authed_get(&self, url: &str) -> reqwest::RequestBuilder {
+        self.http
+            .get(url)
+            .header("Authorization", format!("token {}", self.token))
+    }
+
+    #[allow(dead_code)]
+    fn authed_post(&self, url: &str) -> reqwest::RequestBuilder {
+        self.http
+            .post(url)
+            .header("Authorization", format!("token {}", self.token))
+    }
+
+    #[allow(dead_code)]
+    fn authed_patch(&self, url: &str) -> reqwest::RequestBuilder {
+        self.http
+            .patch(url)
+            .header("Authorization", format!("token {}", self.token))
+    }
+
+    /// List issues for an org/repo (or search across an org).
+    pub(super) fn list_issues<'a>(
+        &'a self,
+        org: &'a str,
+        repo: Option<&'a str>,
+        state: &'a str,
+    ) -> futures::future::BoxFuture<'a, Result<Vec<Ticket>>> {
+        Box::pin(self.list_issues_inner(org, repo, state))
+    }
+
+    async fn list_issues_inner(
+        &self,
+        org: &str,
+        repo: Option<&str>,
+        state: &str,
+    ) -> Result<Vec<Ticket>> {
+        match repo {
+            Some(r) => {
+                let url = format!("{}/repos/{org}/{r}/issues", self.base_url);
+                let resp = self
+                    .http
+                    .get(&url)
+                    .header("Authorization", format!("token {}", self.token))
+                    .query(&[("state", state), ("type", "issues"), ("limit", "50")])
+                    .send()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea list_issues: {e}")))?;
+
+                if !resp.status().is_success() {
+                    return Err(SunbeamError::network(format!(
+                        "Gitea GET issues for {org}/{r} returned {}",
+                        resp.status()
+                    )));
+                }
+
+                let issues: Vec<gitea_json::Issue> = resp
+                    .json()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea issues parse error: {e}")))?;
+
+                Ok(issues
+                    .into_iter()
+                    .map(|i| i.to_ticket(&self.base_url, org, r))
+                    .collect())
+            }
+            None => {
+                // Search across the entire org by listing org repos, then issues.
+                let repos_url = format!("{}/orgs/{org}/repos", self.base_url);
+                let repos_resp = self
+                    .http
+                    .get(&repos_url)
+                    .header("Authorization", format!("token {}", self.token))
+                    .query(&[("limit", "50")])
+                    .send()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea list org repos: {e}")))?;
+
+                if !repos_resp.status().is_success() {
+                    return Err(SunbeamError::network(format!(
+                        "Gitea GET repos for org {org} returned {}",
+                        repos_resp.status()
+                    )));
+                }
+
+                #[derive(Deserialize)]
+                struct Repo {
+                    name: String,
+                }
+                let repos: Vec<Repo> = repos_resp
+                    .json()
+                    .await
+                    .map_err(|e| SunbeamError::network(format!("Gitea repos parse: {e}")))?;
+
+                let mut all = Vec::new();
+                for r in &repos {
+                    match self.list_issues(org, Some(&r.name), state).await {
+                        Ok(mut tickets) => all.append(&mut tickets),
+                        Err(_) => continue, // skip repos we cannot read
+                    }
+                }
+                Ok(all)
+            }
+        }
+    }
+
+    /// GET /api/v1/repos/{org}/{repo}/issues/{index}
+    pub(super) async fn get_issue(&self, org: &str, repo: &str, index: u64) -> Result<Ticket> {
+        let url = format!("{}/repos/{org}/{repo}/issues/{index}", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea get_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea GET issue {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+
+        let issue: gitea_json::Issue = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea issue parse: {e}")))?;
+
+        Ok(issue.to_ticket(&self.base_url, org, repo))
+    }
+
+    /// POST /api/v1/repos/{org}/{repo}/issues
+    pub(super) async fn create_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        title: &str,
+        body: &str,
+    ) -> Result<Ticket> {
+        let url = format!("{}/repos/{org}/{repo}/issues", self.base_url);
+        let payload = serde_json::json!({
+            "title": title,
+            "body": body,
+        });
+
+        let resp = self
+            .http
+            .post(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(&payload)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea create_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea POST issue to {org}/{repo} returned {}",
+                resp.status()
+            )));
+        }
+
+        let issue: gitea_json::Issue = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea issue create parse: {e}")))?;
+
+        Ok(issue.to_ticket(&self.base_url, org, repo))
+    }
+
+    /// PATCH /api/v1/repos/{org}/{repo}/issues/{index}
+    pub(super) async fn update_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        index: u64,
+        updates: &IssueUpdate,
+    ) -> Result<()> {
+        let url = format!("{}/repos/{org}/{repo}/issues/{index}", self.base_url);
+        let resp = self
+            .http
+            .patch(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(updates)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea update_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea PATCH issue {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// Close an issue.
+    pub(super) async fn close_issue(&self, org: &str, repo: &str, index: u64) -> Result<()> {
+        self.update_issue(
+            org,
+            repo,
+            index,
+            &IssueUpdate {
+                state: Some("closed".to_string()),
+                ..Default::default()
+            },
+        )
+        .await
+    }
+
+    /// POST /api/v1/repos/{org}/{repo}/issues/{index}/comments
+    pub(super) async fn comment_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        index: u64,
+        body: &str,
+    ) -> Result<()> {
+        let url = format!(
+            "{}/repos/{org}/{repo}/issues/{index}/comments",
+            self.base_url
+        );
+        let payload = serde_json::json!({ "body": body });
+
+        let resp = self
+            .http
+            .post(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(&payload)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea comment_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea POST comment on {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// POST /api/v1/repos/{org}/{repo}/issues/{index}/assignees
+    #[allow(dead_code)]
+    pub(super) async fn assign_issue(
+        &self,
+        org: &str,
+        repo: &str,
+        index: u64,
+        assignee: &str,
+    ) -> Result<()> {
+        // Use PATCH on the issue itself -- the /assignees endpoint requires
+        // the user to be an explicit collaborator, while PATCH works for
+        // any org member with write access.
+        let url = format!(
+            "{}/repos/{org}/{repo}/issues/{index}",
+            self.base_url
+        );
+        let payload = serde_json::json!({ "assignees": [assignee] });
+
+        let resp = self
+            .http
+            .patch(&url)
+            .header("Authorization", format!("token {}", self.token))
+            .json(&payload)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Gitea assign_issue: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Gitea assign on {org}/{repo}#{index} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+}
diff --git a/sunbeam-sdk/src/pm/mod.rs b/sunbeam-sdk/src/pm/mod.rs
new file mode 100644
index 0000000..9905c16
--- /dev/null
+++ b/sunbeam-sdk/src/pm/mod.rs
@@ -0,0 +1,729 @@
+//! Unified project management across Planka (kanban boards) and Gitea (issues).
+//!
+//! Ticket IDs use a prefix format:
+//! - `p:42` or `planka:42` -- Planka card
+//! - `g:studio/cli#7` or `gitea:studio/cli#7` -- Gitea issue
+
+mod planka;
+mod gitea_issues;
+
+use planka::PlankaClient;
+use gitea_issues::GiteaClient;
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use crate::output;
+use serde::{Deserialize, Serialize};
+
+// ---------------------------------------------------------------------------
+// Domain types
+// ---------------------------------------------------------------------------
+
+/// Unified ticket representation across both systems.
+#[derive(Debug, Clone)]
+pub struct Ticket {
+    pub id: String,
+    pub source: Source,
+    pub title: String,
+    pub description: String,
+    pub status: Status,
+    pub assignees: Vec<String>,
+    pub labels: Vec<String>,
+    pub created_at: String,
+    pub updated_at: String,
+    pub url: String,
+}
+
+/// Which backend a ticket originates from.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum Source {
+    Planka,
+    Gitea,
+}
+
+/// Normalised ticket status across both systems.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum Status {
+    Open,
+    InProgress,
+    Done,
+    Closed,
+}
+
+impl std::fmt::Display for Source {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Source::Planka => write!(f, "planka"),
+            Source::Gitea => write!(f, "gitea"),
+        }
+    }
+}
+
+impl std::fmt::Display for Status {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Status::Open => write!(f, "open"),
+            Status::InProgress => write!(f, "in-progress"),
+            Status::Done => write!(f, "done"),
+            Status::Closed => write!(f, "closed"),
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Ticket ID parsing
+// ---------------------------------------------------------------------------
+
+/// A parsed ticket reference.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum TicketRef {
+    /// Planka card by ID (snowflake string).
+    Planka(String),
+    /// Gitea issue: (org, repo, issue number).
+    Gitea {
+        org: String,
+        repo: String,
+        number: u64,
+    },
+}
+
+/// Parse a prefixed ticket ID string.
+///
+/// Accepted formats:
+/// - `p:42`, `planka:42`
+/// - `g:studio/cli#7`, `gitea:studio/cli#7`
+pub fn parse_ticket_id(id: &str) -> Result<TicketRef> {
+    let (prefix, rest) = id
+        .split_once(':')
+        .ctx("Invalid ticket ID: expected 'p:ID' or 'g:org/repo#num'")?;
+
+    match prefix {
+        "p" | "planka" => {
+            if rest.is_empty() {
+                return Err(SunbeamError::config("Empty Planka card ID"));
+            }
+            Ok(TicketRef::Planka(rest.to_string()))
+        }
+        "g" | "gitea" => {
+            // Expected: org/repo#number
+            let (org_repo, num_str) = rest
+                .rsplit_once('#')
+                .ctx("Invalid Gitea ticket ID: expected org/repo#number")?;
+            let (org, repo) = org_repo
+                .split_once('/')
+                .ctx("Invalid Gitea ticket ID: expected org/repo#number")?;
+            let number: u64 = num_str
+                .parse()
+                .map_err(|_| SunbeamError::config(format!("Invalid issue number: {num_str}")))?;
+            Ok(TicketRef::Gitea {
+                org: org.to_string(),
+                repo: repo.to_string(),
+                number,
+            })
+        }
+        _ => Err(SunbeamError::config(format!(
+            "Unknown ticket prefix '{prefix}': use 'p'/'planka' or 'g'/'gitea'"
+        ))),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Auth helper
+// ---------------------------------------------------------------------------
+
+/// Retrieve the user's Hydra OAuth2 access token via the auth module.
+async fn get_token() -> Result<String> {
+    crate::auth::get_token().await
+}
+
+// ---------------------------------------------------------------------------
+// Display helpers
+// ---------------------------------------------------------------------------
+
+/// Format a list of tickets as a table.
+fn display_ticket_list(tickets: &[Ticket]) {
+    if tickets.is_empty() {
+        output::ok("No tickets found.");
+        return;
+    }
+
+    let rows: Vec<Vec<String>> = tickets
+        .iter()
+        .map(|t| {
+            vec![
+                t.id.clone(),
+                t.status.to_string(),
+                t.title.clone(),
+                t.assignees.join(", "),
+                t.source.to_string(),
+            ]
+        })
+        .collect();
+
+    let tbl = output::table(&rows, &["ID", "STATUS", "TITLE", "ASSIGNEES", "SOURCE"]);
+    println!("{tbl}");
+}
+
+/// Print a single ticket in detail.
+fn display_ticket_detail(t: &Ticket) {
+    println!("{} ({})", t.title, t.id);
+    println!("  Status:      {}", t.status);
+    println!("  Source:      {}", t.source);
+    if !t.assignees.is_empty() {
+        println!("  Assignees:   {}", t.assignees.join(", "));
+    }
+    if !t.labels.is_empty() {
+        println!("  Labels:      {}", t.labels.join(", "));
+    }
+    if !t.created_at.is_empty() {
+        println!("  Created:     {}", t.created_at);
+    }
+    if !t.updated_at.is_empty() {
+        println!("  Updated:     {}", t.updated_at);
+    }
+    println!("  URL:         {}", t.url);
+    if !t.description.is_empty() {
+        println!();
+        println!("{}", t.description);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Unified commands
+// ---------------------------------------------------------------------------
+
+/// List tickets, optionally filtering by source and state.
+///
+/// When `source` is `None`, both Planka and Gitea are queried in parallel.
+#[allow(dead_code)]
+pub async fn cmd_pm_list(source: Option<&str>, state: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+
+    let fetch_planka = source.is_none() || matches!(source, Some("planka" | "p"));
+    let fetch_gitea = source.is_none() || matches!(source, Some("gitea" | "g"));
+
+    let planka_fut = async {
+        if fetch_planka {
+            let client = PlankaClient::new(&domain).await?;
+            client.list_all_cards().await
+        } else {
+            Ok(vec![])
+        }
+    };
+
+    let gitea_fut = async {
+        if fetch_gitea {
+            let client = GiteaClient::new(&domain).await?;
+            client.list_issues("studio", None, state).await
+        } else {
+            Ok(vec![])
+        }
+    };
+
+    let (planka_result, gitea_result) = tokio::join!(planka_fut, gitea_fut);
+
+    let mut tickets = Vec::new();
+
+    match planka_result {
+        Ok(mut t) => tickets.append(&mut t),
+        Err(e) => output::warn(&format!("Planka: {e}")),
+    }
+
+    match gitea_result {
+        Ok(mut t) => tickets.append(&mut t),
+        Err(e) => output::warn(&format!("Gitea: {e}")),
+    }
+
+    // Filter by state if looking at Planka results too.
+    if state == "closed" {
+        tickets.retain(|t| matches!(t.status, Status::Closed | Status::Done));
+    } else if state == "open" {
+        tickets.retain(|t| matches!(t.status, Status::Open | Status::InProgress));
+    }
+
+    display_ticket_list(&tickets);
+    Ok(())
+}
+
+/// Show details for a single ticket by ID.
+#[allow(dead_code)]
+pub async fn cmd_pm_show(id: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    let ticket = match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            client.get_card(&card_id).await?
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.get_issue(&org, &repo, number).await?
+        }
+    };
+
+    display_ticket_detail(&ticket);
+    Ok(())
+}
+
+/// Create a new ticket.
+///
+/// `source` must be `"planka"` or `"gitea"`.
+/// `target` is source-specific: for Planka it is `"board_id/list_id"`,
+/// for Gitea it is `"org/repo"`.
+#[allow(dead_code)]
+pub async fn cmd_pm_create(title: &str, body: &str, source: &str, target: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+
+    let ticket = match source {
+        "planka" | "p" => {
+            let client = PlankaClient::new(&domain).await?;
+
+            // Fetch all boards
+            let projects_url = format!("{}/projects", client.base_url);
+            let resp = client.http.get(&projects_url).bearer_auth(&client.token).send().await?;
+            let projects_body: serde_json::Value = resp.json().await?;
+            let boards = projects_body.get("included").and_then(|i| i.get("boards"))
+                .and_then(|b| b.as_array())
+                .ok_or_else(|| SunbeamError::config("No Planka boards found"))?;
+
+            // Find the board: by name (--target "Board Name") or by ID, or use first
+            let board = if target.is_empty() {
+                boards.first()
+            } else {
+                boards.iter().find(|b| {
+                    let name = b.get("name").and_then(|n| n.as_str()).unwrap_or("");
+                    let id = b.get("id").and_then(|v| v.as_str()).unwrap_or("");
+                    name.eq_ignore_ascii_case(target) || id == target
+                }).or_else(|| boards.first())
+            }.ok_or_else(|| SunbeamError::config("No Planka boards found"))?;
+
+            let board_id = board.get("id").and_then(|v| v.as_str())
+                .ok_or_else(|| SunbeamError::config("Board has no ID"))?;
+            let board_name = board.get("name").and_then(|n| n.as_str()).unwrap_or("?");
+
+            // Fetch the board to get its lists, use the first list
+            let board_url = format!("{}/boards/{board_id}", client.base_url);
+            let board_resp = client.http.get(&board_url).bearer_auth(&client.token).send().await?;
+            let board_body: serde_json::Value = board_resp.json().await?;
+            let list_id = board_body.get("included").and_then(|i| i.get("lists"))
+                .and_then(|l| l.as_array()).and_then(|a| a.first())
+                .and_then(|l| l.get("id")).and_then(|v| v.as_str())
+                .ok_or_else(|| SunbeamError::config(format!("No lists in board '{board_name}'")))?;
+
+            client.create_card(board_id, list_id, title, body).await?
+        }
+        "gitea" | "g" => {
+            if target.is_empty() {
+                return Err(SunbeamError::config(
+                    "Gitea target required: --target org/repo (e.g. studio/marathon)",
+                ));
+            }
+            let parts: Vec<&str> = target.splitn(2, '/').collect();
+            if parts.len() != 2 {
+                return Err(SunbeamError::config("Gitea target must be 'org/repo'"));
+            }
+            let client = GiteaClient::new(&domain).await?;
+            client.create_issue(parts[0], parts[1], title, body).await?
+        }
+        _ => {
+            return Err(SunbeamError::config(format!(
+                "Unknown source '{source}': use 'planka' or 'gitea'"
+            )));
+        }
+    };
+
+    output::ok(&format!("Created: {} ({})", ticket.title, ticket.id));
+    println!("  {}", ticket.url);
+    Ok(())
+}
+
+/// Add a comment to a ticket.
+#[allow(dead_code)]
+pub async fn cmd_pm_comment(id: &str, text: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            client.comment_card(&card_id, text).await?;
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.comment_issue(&org, &repo, number, text).await?;
+        }
+    }
+
+    output::ok(&format!("Comment added to {id}."));
+    Ok(())
+}
+
+/// Close a ticket.
+#[allow(dead_code)]
+pub async fn cmd_pm_close(id: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            // Get the card to find its board, then find a "Done"/"Closed" list
+            let ticket = client.get_card(&card_id).await?;
+            // Try to find the board and its lists
+            let url = format!("{}/cards/{card_id}", client.base_url);
+            let resp = client.http.get(&url).bearer_auth(&client.token).send().await
+                .map_err(|e| SunbeamError::network(format!("Planka get card: {e}")))?;
+            let body: serde_json::Value = resp.json().await?;
+            let board_id = body.get("item").and_then(|i| i.get("boardId"))
+                .and_then(|v| v.as_str()).unwrap_or("");
+
+            if !board_id.is_empty() {
+                // Fetch the board to get its lists
+                let board_url = format!("{}/boards/{board_id}", client.base_url);
+                let board_resp = client.http.get(&board_url).bearer_auth(&client.token).send().await
+                    .map_err(|e| SunbeamError::network(format!("Planka get board: {e}")))?;
+                let board_body: serde_json::Value = board_resp.json().await?;
+                let lists = board_body.get("included")
+                    .and_then(|i| i.get("lists"))
+                    .and_then(|l| l.as_array());
+
+                if let Some(lists) = lists {
+                    // Find a list named "Done", "Closed", "Complete", or similar
+                    let done_list = lists.iter().find(|l| {
+                        let name = l.get("name").and_then(|n| n.as_str()).unwrap_or("").to_lowercase();
+                        name.contains("done") || name.contains("closed") || name.contains("complete")
+                    });
+
+                    if let Some(done_list) = done_list {
+                        let list_id = done_list.get("id").and_then(|v| v.as_str()).unwrap_or("");
+                        if !list_id.is_empty() {
+                            client.update_card(&card_id, &planka::CardUpdate {
+                                list_id: Some(serde_json::json!(list_id)),
+                                ..Default::default()
+                            }).await?;
+                            output::ok(&format!("Moved p:{card_id} to Done."));
+                            return Ok(());
+                        }
+                    }
+                }
+            }
+            output::warn(&format!("Could not find a Done list for p:{card_id}. Move it manually."));
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.close_issue(&org, &repo, number).await?;
+            output::ok(&format!("Closed gitea:{org}/{repo}#{number}."));
+        }
+    }
+
+    Ok(())
+}
+
+/// Assign a user to a ticket.
+#[allow(dead_code)]
+pub async fn cmd_pm_assign(id: &str, user: &str) -> Result<()> {
+    let domain = crate::config::domain();
+    if domain.is_empty() { return Err(crate::error::SunbeamError::config("No domain configured. Run: sunbeam config set --domain sunbeam.pt")); }
+    let ticket_ref = parse_ticket_id(id)?;
+
+    match ticket_ref {
+        TicketRef::Planka(card_id) => {
+            let client = PlankaClient::new(&domain).await?;
+            client.assign_card(&card_id, user).await?;
+        }
+        TicketRef::Gitea { org, repo, number } => {
+            let client = GiteaClient::new(&domain).await?;
+            client.assign_issue(&org, &repo, number, user).await?;
+        }
+    }
+
+    output::ok(&format!("Assigned {user} to {id}."));
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // -- Ticket ID parsing --------------------------------------------------
+
+    #[test]
+    fn test_parse_planka_short() {
+        let r = parse_ticket_id("p:42").unwrap();
+        assert_eq!(r, TicketRef::Planka("42".to_string()));
+    }
+
+    #[test]
+    fn test_parse_planka_long() {
+        let r = parse_ticket_id("planka:100").unwrap();
+        assert_eq!(r, TicketRef::Planka("100".to_string()));
+    }
+
+    #[test]
+    fn test_parse_gitea_short() {
+        let r = parse_ticket_id("g:studio/cli#7").unwrap();
+        assert_eq!(
+            r,
+            TicketRef::Gitea {
+                org: "studio".to_string(),
+                repo: "cli".to_string(),
+                number: 7,
+            }
+        );
+    }
+
+    #[test]
+    fn test_parse_gitea_long() {
+        let r = parse_ticket_id("gitea:internal/infra#123").unwrap();
+        assert_eq!(
+            r,
+            TicketRef::Gitea {
+                org: "internal".to_string(),
+                repo: "infra".to_string(),
+                number: 123,
+            }
+        );
+    }
+
+    #[test]
+    fn test_parse_missing_colon() {
+        assert!(parse_ticket_id("noprefix").is_err());
+    }
+
+    #[test]
+    fn test_parse_unknown_prefix() {
+        assert!(parse_ticket_id("jira:FOO-1").is_err());
+    }
+
+    #[test]
+    fn test_parse_invalid_planka_id() {
+        // Empty ID should fail
+        assert!(parse_ticket_id("p:").is_err());
+    }
+
+    #[test]
+    fn test_parse_gitea_missing_hash() {
+        assert!(parse_ticket_id("g:studio/cli").is_err());
+    }
+
+    #[test]
+    fn test_parse_gitea_missing_slash() {
+        assert!(parse_ticket_id("g:repo#1").is_err());
+    }
+
+    #[test]
+    fn test_parse_gitea_invalid_number() {
+        assert!(parse_ticket_id("g:studio/cli#abc").is_err());
+    }
+
+    // -- Status mapping -----------------------------------------------------
+
+    #[test]
+    fn test_gitea_state_open() {
+        assert_eq!(gitea_issues::gitea_json::state_to_status("open"), Status::Open);
+    }
+
+    #[test]
+    fn test_gitea_state_closed() {
+        assert_eq!(gitea_issues::gitea_json::state_to_status("closed"), Status::Closed);
+    }
+
+    #[test]
+    fn test_gitea_state_unknown_defaults_open() {
+        assert_eq!(gitea_issues::gitea_json::state_to_status("weird"), Status::Open);
+    }
+
+    #[test]
+    fn test_status_display() {
+        assert_eq!(Status::Open.to_string(), "open");
+        assert_eq!(Status::InProgress.to_string(), "in-progress");
+        assert_eq!(Status::Done.to_string(), "done");
+        assert_eq!(Status::Closed.to_string(), "closed");
+    }
+
+    #[test]
+    fn test_source_display() {
+        assert_eq!(Source::Planka.to_string(), "planka");
+        assert_eq!(Source::Gitea.to_string(), "gitea");
+    }
+
+    // -- Display formatting -------------------------------------------------
+
+    #[test]
+    fn test_display_ticket_list_table() {
+        let tickets = vec![
+            Ticket {
+                id: "p:1".to_string(),
+                source: Source::Planka,
+                title: "Fix login".to_string(),
+                description: String::new(),
+                status: Status::Open,
+                assignees: vec!["alice".to_string()],
+                labels: vec![],
+                created_at: "2025-01-01".to_string(),
+                updated_at: "2025-01-02".to_string(),
+                url: "https://projects.example.com/cards/1".to_string(),
+            },
+            Ticket {
+                id: "g:studio/cli#7".to_string(),
+                source: Source::Gitea,
+                title: "Add tests".to_string(),
+                description: "We need more tests.".to_string(),
+                status: Status::InProgress,
+                assignees: vec!["bob".to_string(), "carol".to_string()],
+                labels: vec!["enhancement".to_string()],
+                created_at: "2025-02-01".to_string(),
+                updated_at: "2025-02-05".to_string(),
+                url: "https://src.example.com/studio/cli/issues/7".to_string(),
+            },
+        ];
+
+        let rows: Vec<Vec<String>> = tickets
+            .iter()
+            .map(|t| {
+                vec![
+                    t.id.clone(),
+                    t.status.to_string(),
+                    t.title.clone(),
+                    t.assignees.join(", "),
+                    t.source.to_string(),
+                ]
+            })
+            .collect();
+
+        let tbl = output::table(&rows, &["ID", "STATUS", "TITLE", "ASSIGNEES", "SOURCE"]);
+        assert!(tbl.contains("p:1"));
+        assert!(tbl.contains("g:studio/cli#7"));
+        assert!(tbl.contains("open"));
+        assert!(tbl.contains("in-progress"));
+        assert!(tbl.contains("Fix login"));
+        assert!(tbl.contains("Add tests"));
+        assert!(tbl.contains("alice"));
+        assert!(tbl.contains("bob, carol"));
+        assert!(tbl.contains("planka"));
+        assert!(tbl.contains("gitea"));
+    }
+
+    #[test]
+    fn test_display_ticket_list_empty() {
+        let rows: Vec<Vec<String>> = vec![];
+        let tbl = output::table(&rows, &["ID", "STATUS", "TITLE", "ASSIGNEES", "SOURCE"]);
+        // Should have header + separator but no data rows.
+        assert!(tbl.contains("ID"));
+        assert_eq!(tbl.lines().count(), 2);
+    }
+
+    #[test]
+    fn test_card_update_serialization() {
+        let update = planka::CardUpdate {
+            name: Some("New name".to_string()),
+            description: None,
+            list_id: Some(serde_json::json!(5)),
+        };
+        let json = serde_json::to_value(&update).unwrap();
+        assert_eq!(json["name"], "New name");
+        assert_eq!(json["listId"], 5);
+        assert!(json.get("description").is_none());
+    }
+
+    #[test]
+    fn test_issue_update_serialization() {
+        let update = gitea_issues::IssueUpdate {
+            title: None,
+            body: Some("Updated body".to_string()),
+            state: Some("closed".to_string()),
+        };
+        let json = serde_json::to_value(&update).unwrap();
+        assert!(json.get("title").is_none());
+        assert_eq!(json["body"], "Updated body");
+        assert_eq!(json["state"], "closed");
+    }
+
+    #[test]
+    fn test_planka_list_name_to_status() {
+        // Test via Card::to_ticket with synthetic included data.
+        use planka::planka_json::*;
+
+        let inc = BoardIncluded {
+            cards: vec![],
+            card_memberships: vec![],
+            card_labels: vec![],
+            labels: vec![],
+            lists: vec![
+                List { id: serde_json::json!(1), name: "To Do".to_string() },
+                List { id: serde_json::json!(2), name: "In Progress".to_string() },
+                List { id: serde_json::json!(3), name: "Done".to_string() },
+                List { id: serde_json::json!(4), name: "Archived / Closed".to_string() },
+            ],
+            users: vec![],
+        };
+
+        let make_card = |list_id: u64| Card {
+            id: serde_json::json!(1),
+            name: "test".to_string(),
+            description: None,
+            list_id: Some(serde_json::json!(list_id)),
+            created_at: None,
+            updated_at: None,
+        };
+
+        assert_eq!(
+            make_card(1).to_ticket("https://x/api", Some(&inc)).status,
+            Status::Open
+        );
+        assert_eq!(
+            make_card(2).to_ticket("https://x/api", Some(&inc)).status,
+            Status::InProgress
+        );
+        assert_eq!(
+            make_card(3).to_ticket("https://x/api", Some(&inc)).status,
+            Status::Done
+        );
+        assert_eq!(
+            make_card(4).to_ticket("https://x/api", Some(&inc)).status,
+            Status::Closed
+        );
+    }
+
+    #[test]
+    fn test_gitea_issue_to_ticket() {
+        let issue = gitea_issues::gitea_json::Issue {
+            number: 42,
+            title: "Bug report".to_string(),
+            body: Some("Something broke".to_string()),
+            state: "open".to_string(),
+            assignees: Some(vec![gitea_issues::gitea_json::GiteaUser {
+                login: "dev1".to_string(),
+            }]),
+            labels: Some(vec![gitea_issues::gitea_json::GiteaLabel {
+                name: "bug".to_string(),
+            }]),
+            created_at: Some("2025-03-01T00:00:00Z".to_string()),
+            updated_at: Some("2025-03-02T00:00:00Z".to_string()),
+            html_url: Some("https://src.example.com/studio/app/issues/42".to_string()),
+            repository: None,
+        };
+
+        let ticket = issue.to_ticket("https://src.example.com/api/v1", "studio", "app");
+        assert_eq!(ticket.id, "g:studio/app#42");
+        assert_eq!(ticket.source, Source::Gitea);
+        assert_eq!(ticket.title, "Bug report");
+        assert_eq!(ticket.description, "Something broke");
+        assert_eq!(ticket.status, Status::Open);
+        assert_eq!(ticket.assignees, vec!["dev1"]);
+        assert_eq!(ticket.labels, vec!["bug"]);
+        assert_eq!(
+            ticket.url,
+            "https://src.example.com/studio/app/issues/42"
+        );
+    }
+}
diff --git a/sunbeam-sdk/src/pm/planka.rs b/sunbeam-sdk/src/pm/planka.rs
new file mode 100644
index 0000000..28fb531
--- /dev/null
+++ b/sunbeam-sdk/src/pm/planka.rs
@@ -0,0 +1,546 @@
+//! Planka (kanban board) client.
+
+use serde::Serialize;
+
+use crate::error::{Result, SunbeamError};
+use super::{get_token, Ticket, Source, Status};
+
+// ---------------------------------------------------------------------------
+// CardUpdate
+// ---------------------------------------------------------------------------
+
+/// Update payload for a Planka card.
+#[derive(Debug, Default, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct CardUpdate {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub name: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub description: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub list_id: Option<serde_json::Value>,
+}
+
+// ---------------------------------------------------------------------------
+// PlankaClient
+// ---------------------------------------------------------------------------
+
+pub(super) struct PlankaClient {
+    pub(super) base_url: String,
+    pub(super) token: String,
+    pub(super) http: reqwest::Client,
+}
+
+/// Serde helpers for Planka JSON responses.
+pub(super) mod planka_json {
+    use super::*;
+    use serde::Deserialize;
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct ExchangeResponse {
+        #[serde(default)]
+        pub token: Option<String>,
+        // Planka may also return the token in `item`
+        #[serde(default)]
+        pub item: Option<String>,
+    }
+
+    #[derive(Debug, Clone, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Card {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: String,
+        #[serde(default)]
+        pub description: Option<String>,
+        #[serde(default)]
+        pub list_id: Option<serde_json::Value>,
+        #[serde(default)]
+        pub created_at: Option<String>,
+        #[serde(default)]
+        pub updated_at: Option<String>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct BoardResponse {
+        #[serde(default)]
+        pub included: Option<BoardIncluded>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct BoardIncluded {
+        #[serde(default)]
+        pub cards: Vec<Card>,
+        #[serde(default)]
+        pub card_memberships: Vec<CardMembership>,
+        #[serde(default)]
+        pub card_labels: Vec<CardLabel>,
+        #[serde(default)]
+        pub labels: Vec<Label>,
+        #[serde(default)]
+        pub lists: Vec<List>,
+        #[serde(default)]
+        pub users: Vec<User>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct CardMembership {
+        pub card_id: serde_json::Value,
+        pub user_id: serde_json::Value,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct CardLabel {
+        pub card_id: serde_json::Value,
+        pub label_id: serde_json::Value,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Label {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: Option<String>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct List {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: String,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct User {
+        pub id: serde_json::Value,
+        #[serde(default)]
+        pub name: Option<String>,
+        #[serde(default)]
+        pub username: Option<String>,
+    }
+
+    #[derive(Debug, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct CardDetailResponse {
+        pub item: Card,
+        #[serde(default)]
+        pub included: Option<BoardIncluded>,
+    }
+
+    impl Card {
+        pub fn to_ticket(self, base_url: &str, included: Option<&BoardIncluded>) -> Ticket {
+            let status = match included {
+                Some(inc) => list_name_to_status(
+                    self.list_id
+                        .and_then(|lid| inc.lists.iter().find(|l| l.id == lid))
+                        .map(|l| l.name.as_str())
+                        .unwrap_or(""),
+                ),
+                None => Status::Open,
+            };
+
+            let assignees = match included {
+                Some(inc) => inc
+                    .card_memberships
+                    .iter()
+                    .filter(|m| m.card_id == self.id)
+                    .filter_map(|m| {
+                        inc.users.iter().find(|u| u.id == m.user_id).map(|u| {
+                            u.username
+                                .clone()
+                                .or_else(|| u.name.clone())
+                                .unwrap_or_else(|| m.user_id.to_string())
+                        })
+                    })
+                    .collect(),
+                None => vec![],
+            };
+
+            let labels = match included {
+                Some(inc) => inc
+                    .card_labels
+                    .iter()
+                    .filter(|cl| cl.card_id == self.id)
+                    .filter_map(|cl| {
+                        inc.labels.iter().find(|l| l.id == cl.label_id).map(|l| {
+                            l.name
+                                .clone()
+                                .unwrap_or_else(|| cl.label_id.to_string())
+                        })
+                    })
+                    .collect(),
+                None => vec![],
+            };
+
+            // Derive web URL from API base URL (strip `/api`).
+            let web_base = base_url.trim_end_matches("/api");
+            Ticket {
+                id: format!("p:{}", self.id.as_str().unwrap_or(&self.id.to_string())),
+                source: Source::Planka,
+                title: self.name,
+                description: self.description.unwrap_or_default(),
+                status,
+                assignees,
+                labels,
+                created_at: self.created_at.unwrap_or_default(),
+                updated_at: self.updated_at.unwrap_or_default(),
+                url: format!("{web_base}/cards/{}", self.id.as_str().unwrap_or(&self.id.to_string())),
+            }
+        }
+    }
+
+    /// Map a Planka list name to a normalised status.
+    fn list_name_to_status(name: &str) -> Status {
+        let lower = name.to_lowercase();
+        if lower.contains("done") || lower.contains("complete") {
+            Status::Done
+        } else if lower.contains("progress") || lower.contains("doing") || lower.contains("active")
+        {
+            Status::InProgress
+        } else if lower.contains("closed") || lower.contains("archive") {
+            Status::Closed
+        } else {
+            Status::Open
+        }
+    }
+}
+
+impl PlankaClient {
+    /// Create a new Planka client, exchanging the Hydra token for a Planka JWT
+    /// if the direct Bearer token is rejected.
+    pub(super) async fn new(domain: &str) -> Result<Self> {
+        let base_url = format!("https://projects.{domain}/api");
+        let hydra_token = get_token().await?;
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .build()
+            .map_err(|e| SunbeamError::network(format!("Failed to build HTTP client: {e}")))?;
+
+        // Exchange the Hydra access token for a Planka JWT via our custom endpoint.
+        let exchange_url = format!("{base_url}/access-tokens/exchange-using-token");
+        let exchange_resp = http
+            .post(&exchange_url)
+            .json(&serde_json::json!({ "token": hydra_token }))
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka token exchange failed: {e}")))?;
+
+        if !exchange_resp.status().is_success() {
+            let status = exchange_resp.status();
+            let body = exchange_resp.text().await.unwrap_or_default();
+            return Err(SunbeamError::identity(format!(
+                "Planka token exchange returned {status}: {body}"
+            )));
+        }
+
+        let body: serde_json::Value = exchange_resp.json().await?;
+        let token = body
+            .get("item")
+            .and_then(|v| v.as_str())
+            .ok_or_else(|| SunbeamError::identity("Planka exchange response missing 'item' field"))?
+            .to_string();
+
+        Ok(Self {
+            base_url,
+            token,
+            http,
+        })
+    }
+
+    /// Discover all projects and boards, then fetch cards from each.
+    pub(super) async fn list_all_cards(&self) -> Result<Vec<Ticket>> {
+        // GET /api/projects returns all projects the user has access to,
+        // with included boards.
+        let url = format!("{}/projects", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .bearer_auth(&self.token)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka list projects: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka GET projects returned {}",
+                resp.status()
+            )));
+        }
+
+        let body: serde_json::Value = resp.json().await?;
+        // Extract board IDs -- Planka uses string IDs (snowflake-style)
+        let board_ids: Vec<String> = body
+            .get("included")
+            .and_then(|inc| inc.get("boards"))
+            .and_then(|b| b.as_array())
+            .map(|boards| {
+                boards
+                    .iter()
+                    .filter_map(|b| {
+                        b.get("id").and_then(|id| {
+                            id.as_str()
+                                .map(|s| s.to_string())
+                                .or_else(|| id.as_u64().map(|n| n.to_string()))
+                        })
+                    })
+                    .collect()
+            })
+            .unwrap_or_default();
+
+        if board_ids.is_empty() {
+            return Ok(vec![]);
+        }
+
+        // Fetch cards from each board
+        let mut all_tickets = Vec::new();
+        for board_id in &board_ids {
+            match self.list_cards(board_id).await {
+                Ok(tickets) => all_tickets.extend(tickets),
+                Err(e) => {
+                    crate::output::warn(&format!("Planka board {board_id}: {e}"));
+                }
+            }
+        }
+
+        Ok(all_tickets)
+    }
+
+    /// GET /api/boards/{id} and extract all cards.
+    async fn list_cards(&self, board_id: &str) -> Result<Vec<Ticket>> {
+        let url = format!("{}/boards/{board_id}", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .bearer_auth(&self.token)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka list_cards: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka GET board {board_id} returned {}",
+                resp.status()
+            )));
+        }
+
+        let body: planka_json::BoardResponse = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka board parse error: {e}")))?;
+
+        let included = body.included;
+        let tickets = included
+            .as_ref()
+            .map(|inc| {
+                inc.cards
+                    .clone()
+                    .into_iter()
+                    .map(|c: planka_json::Card| c.to_ticket(&self.base_url, Some(inc)))
+                    .collect()
+            })
+            .unwrap_or_default();
+
+        Ok(tickets)
+    }
+
+    /// GET /api/cards/{id}
+    pub(super) async fn get_card(&self, id: &str) -> Result<Ticket> {
+        let url = format!("{}/cards/{id}", self.base_url);
+        let resp = self
+            .http
+            .get(&url)
+            .bearer_auth(&self.token)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka get_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka GET card {id} returned {}",
+                resp.status()
+            )));
+        }
+
+        let body: planka_json::CardDetailResponse = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka card parse error: {e}")))?;
+
+        Ok(body
+            .item
+            .to_ticket(&self.base_url, body.included.as_ref()))
+    }
+
+    /// POST /api/lists/{list_id}/cards
+    pub(super) async fn create_card(
+        &self,
+        _board_id: &str,
+        list_id: &str,
+        name: &str,
+        description: &str,
+    ) -> Result<Ticket> {
+        let url = format!("{}/lists/{list_id}/cards", self.base_url);
+        let body = serde_json::json!({
+            "name": name,
+            "description": description,
+            "position": 65535,
+        });
+
+        let resp = self
+            .http
+            .post(&url)
+            .bearer_auth(&self.token)
+            .json(&body)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka create_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka POST card returned {}",
+                resp.status()
+            )));
+        }
+
+        let card: planka_json::CardDetailResponse = resp
+            .json()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka card create parse error: {e}")))?;
+
+        Ok(card.item.to_ticket(&self.base_url, card.included.as_ref()))
+    }
+
+    /// PATCH /api/cards/{id}
+    pub(super) async fn update_card(&self, id: &str, updates: &CardUpdate) -> Result<()> {
+        let url = format!("{}/cards/{id}", self.base_url);
+        let resp = self
+            .http
+            .patch(&url)
+            .bearer_auth(&self.token)
+            .json(updates)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka update_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka PATCH card {id} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// Move a card to a different list.
+    #[allow(dead_code)]
+    pub(super) async fn move_card(&self, id: &str, list_id: &str) -> Result<()> {
+        self.update_card(
+            id,
+            &CardUpdate {
+                list_id: Some(serde_json::json!(list_id)),
+                ..Default::default()
+            },
+        )
+        .await
+    }
+
+    /// POST /api/cards/{id}/comment-actions
+    pub(super) async fn comment_card(&self, id: &str, text: &str) -> Result<()> {
+        let url = format!("{}/cards/{id}/comment-actions", self.base_url);
+        let body = serde_json::json!({ "text": text });
+
+        let resp = self
+            .http
+            .post(&url)
+            .bearer_auth(&self.token)
+            .json(&body)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka comment_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka POST comment on card {id} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+
+    /// Search for a Planka user by name/username, return their ID.
+    async fn resolve_user_id(&self, query: &str) -> Result<String> {
+        // "me" or "self" assigns to the current user
+        if query == "me" || query == "self" {
+            // Get current user via the token (decode JWT or call /api/users/me equivalent)
+            // Planka doesn't have /api/users/me, but we can get user from any board membership
+            let projects_url = format!("{}/projects", self.base_url);
+            if let Ok(resp) = self.http.get(&projects_url).bearer_auth(&self.token).send().await {
+                if let Ok(body) = resp.json::<serde_json::Value>().await {
+                    if let Some(memberships) = body.get("included")
+                        .and_then(|i| i.get("boardMemberships"))
+                        .and_then(|b| b.as_array())
+                    {
+                        if let Some(user_id) = memberships.first()
+                            .and_then(|m| m.get("userId"))
+                            .and_then(|v| v.as_str())
+                        {
+                            return Ok(user_id.to_string());
+                        }
+                    }
+                }
+            }
+        }
+
+        // Search other users (note: Planka excludes current user from search results)
+        let url = format!("{}/users/search", self.base_url);
+        let resp = self.http.get(&url)
+            .bearer_auth(&self.token)
+            .query(&[("query", query)])
+            .send().await
+            .map_err(|e| SunbeamError::network(format!("Planka user search: {e}")))?;
+        let body: serde_json::Value = resp.json().await?;
+        let users = body.get("items").and_then(|i| i.as_array());
+        if let Some(users) = users {
+            if let Some(user) = users.first() {
+                if let Some(id) = user.get("id").and_then(|v| v.as_str()) {
+                    return Ok(id.to_string());
+                }
+            }
+        }
+        Err(SunbeamError::identity(format!(
+            "Planka user not found: {query} (use 'me' to assign to yourself)"
+        )))
+    }
+
+    /// POST /api/cards/{id}/memberships
+    pub(super) async fn assign_card(&self, id: &str, user: &str) -> Result<()> {
+        // Resolve username to user ID
+        let user_id = self.resolve_user_id(user).await?;
+        let url = format!("{}/cards/{id}/memberships", self.base_url);
+        let body = serde_json::json!({ "userId": user_id });
+
+        let resp = self
+            .http
+            .post(&url)
+            .bearer_auth(&self.token)
+            .json(&body)
+            .send()
+            .await
+            .map_err(|e| SunbeamError::network(format!("Planka assign_card: {e}")))?;
+
+        if !resp.status().is_success() {
+            return Err(SunbeamError::network(format!(
+                "Planka POST membership on card {id} returned {}",
+                resp.status()
+            )));
+        }
+        Ok(())
+    }
+}
diff --git a/sunbeam-sdk/src/secrets/db_engine.rs b/sunbeam-sdk/src/secrets/db_engine.rs
new file mode 100644
index 0000000..2aeb9a7
--- /dev/null
+++ b/sunbeam-sdk/src/secrets/db_engine.rs
@@ -0,0 +1,107 @@
+//! OpenBao database secrets engine configuration.
+
+use std::collections::HashMap;
+
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ListParams};
+
+use crate::error::{Result, ResultExt};
+use crate::kube as k;
+use crate::openbao::BaoClient;
+use crate::output::ok;
+
+use super::{rand_token, PG_USERS};
+
+/// Enable OpenBao database secrets engine and create PostgreSQL static roles.
+pub async fn configure_db_engine(bao: &BaoClient) -> Result<()> {
+    ok("Configuring OpenBao database secrets engine...");
+    let pg_rw = "postgres-rw.data.svc.cluster.local:5432";
+
+    let _ = bao.enable_secrets_engine("database", "database").await;
+
+    // ── vault PG user setup ─────────────────────────────────────────────
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+    let lp = ListParams::default().labels("cnpg.io/cluster=postgres,role=primary");
+    let pod_list = pods.list(&lp).await?;
+    let cnpg_pod = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("Could not find CNPG primary pod for vault user setup.")?
+        .to_string();
+
+    let existing_vault_pass = bao.kv_get_field("secret", "vault", "pg-password").await?;
+    let vault_pg_pass = if existing_vault_pass.is_empty() {
+        let new_pass = rand_token();
+        let mut vault_data = HashMap::new();
+        vault_data.insert("pg-password".to_string(), new_pass.clone());
+        bao.kv_put("secret", "vault", &vault_data).await?;
+        ok("vault KV entry written.");
+        new_pass
+    } else {
+        ok("vault KV entry already present -- skipping write.");
+        existing_vault_pass
+    };
+
+    let create_vault_sql = concat!(
+        "DO $$ BEGIN ",
+        "IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'vault') THEN ",
+        "CREATE USER vault WITH LOGIN CREATEROLE; ",
+        "END IF; ",
+        "END $$;"
+    );
+
+    psql_exec(&cnpg_pod, create_vault_sql).await?;
+    psql_exec(
+        &cnpg_pod,
+        &format!("ALTER USER vault WITH PASSWORD '{vault_pg_pass}';"),
+    )
+    .await?;
+
+    for user in PG_USERS {
+        psql_exec(
+            &cnpg_pod,
+            &format!("GRANT {user} TO vault WITH ADMIN OPTION;"),
+        )
+        .await?;
+    }
+    ok("vault PG user configured with ADMIN OPTION on all service roles.");
+
+    let conn_url = format!(
+        "postgresql://{{{{username}}}}:{{{{password}}}}@{pg_rw}/postgres?sslmode=disable"
+    );
+
+    bao.write_db_config(
+        "cnpg-postgres",
+        "postgresql-database-plugin",
+        &conn_url,
+        "vault",
+        &vault_pg_pass,
+        "*",
+    )
+    .await?;
+    ok("DB engine connection configured (vault user).");
+
+    let rotation_stmt = r#"ALTER USER "{{name}}" WITH PASSWORD '{{password}}';"#;
+
+    for user in PG_USERS {
+        bao.write_db_static_role(user, "cnpg-postgres", user, 86400, &[rotation_stmt])
+            .await?;
+        ok(&format!("  static-role/{user}"));
+    }
+
+    ok("Database secrets engine configured.");
+    Ok(())
+}
+
+/// Execute a psql command on the CNPG primary pod.
+async fn psql_exec(cnpg_pod: &str, sql: &str) -> Result<(i32, String)> {
+    k::kube_exec(
+        "data",
+        cnpg_pod,
+        &["psql", "-U", "postgres", "-c", sql],
+        Some("postgres"),
+    )
+    .await
+}
diff --git a/sunbeam-sdk/src/secrets/mod.rs b/sunbeam-sdk/src/secrets/mod.rs
new file mode 100644
index 0000000..faa81c3
--- /dev/null
+++ b/sunbeam-sdk/src/secrets/mod.rs
@@ -0,0 +1,1106 @@
+//! Secrets management — OpenBao KV seeding, DB engine config, VSO verification.
+//!
+//! Replaces Python's `kubectl exec openbao-0 -- bao ...` pattern with:
+//! 1. kube-rs port-forward to openbao pod on port 8200
+//! 2. `crate::openbao::BaoClient` for all HTTP API calls
+
+pub mod db_engine;
+pub mod seeding;
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ApiResource, DynamicObject, ListParams};
+use rand::RngCore;
+use rsa::pkcs8::{EncodePrivateKey, EncodePublicKey};
+use rsa::RsaPrivateKey;
+use serde::Deserialize;
+use std::collections::HashMap;
+use tokio::net::TcpListener;
+
+use crate::kube as k;
+use crate::openbao::BaoClient;
+use crate::output::{ok, step, warn};
+
+// ── Constants ───────────────────────────────────────────────────────────────
+
+const ADMIN_USERNAME: &str = "estudio-admin";
+const GITEA_ADMIN_USER: &str = "gitea_admin";
+const PG_USERS: &[&str] = &[
+    "kratos",
+    "hydra",
+    "gitea",
+    "hive",
+    "docs",
+    "meet",
+    "drive",
+    "messages",
+    "conversations",
+    "people",
+    "find",
+    "calendars",
+    "projects",
+];
+
+const SMTP_URI: &str = "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true";
+
+// ── Key generation ──────────────────────────────────────────────────────────
+
+/// Generate a Fernet-compatible key (32 random bytes, URL-safe base64).
+fn gen_fernet_key() -> String {
+    use base64::Engine;
+    let mut buf = [0u8; 32];
+    rand::thread_rng().fill_bytes(&mut buf);
+    base64::engine::general_purpose::URL_SAFE.encode(buf)
+}
+
+/// Generate an RSA 2048-bit DKIM key pair.
+/// Returns (private_pem_pkcs8, public_pem). Returns ("", "") on failure.
+fn gen_dkim_key_pair() -> (String, String) {
+    let mut rng = rand::thread_rng();
+    let bits = 2048;
+    let private_key = match RsaPrivateKey::new(&mut rng, bits) {
+        Ok(k) => k,
+        Err(e) => {
+            warn(&format!("RSA key generation failed: {e}"));
+            return (String::new(), String::new());
+        }
+    };
+
+    let private_pem = match private_key.to_pkcs8_pem(rsa::pkcs8::LineEnding::LF) {
+        Ok(p) => p.to_string(),
+        Err(e) => {
+            warn(&format!("PKCS8 encoding failed: {e}"));
+            return (String::new(), String::new());
+        }
+    };
+
+    let public_key = private_key.to_public_key();
+    let public_pem = match public_key.to_public_key_pem(rsa::pkcs8::LineEnding::LF) {
+        Ok(p) => p.to_string(),
+        Err(e) => {
+            warn(&format!("Public key PEM encoding failed: {e}"));
+            return (private_pem, String::new());
+        }
+    };
+
+    (private_pem, public_pem)
+}
+
+/// Generate a URL-safe random token (32 bytes).
+pub(crate) fn rand_token() -> String {
+    use base64::Engine;
+    let mut buf = [0u8; 32];
+    rand::thread_rng().fill_bytes(&mut buf);
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
+}
+
+/// Generate a URL-safe random token with a specific byte count.
+fn rand_token_n(n: usize) -> String {
+    use base64::Engine;
+    let mut buf = vec![0u8; n];
+    rand::thread_rng().fill_bytes(&mut buf);
+    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
+}
+
+// ── Port-forward helper ─────────────────────────────────────────────────────
+
+/// Port-forward guard — cancels the background forwarder on drop.
+struct PortForwardGuard {
+    _abort_handle: tokio::task::AbortHandle,
+    pub local_port: u16,
+}
+
+impl Drop for PortForwardGuard {
+    fn drop(&mut self) {
+        self._abort_handle.abort();
+    }
+}
+
+/// Open a kube-rs port-forward to `pod_name` in `namespace` on `remote_port`.
+/// Binds a local TCP listener and proxies connections to the pod.
+async fn port_forward(
+    namespace: &str,
+    pod_name: &str,
+    remote_port: u16,
+) -> Result<PortForwardGuard> {
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), namespace);
+
+    let listener = TcpListener::bind("127.0.0.1:0")
+        .await
+        .ctx("Failed to bind local TCP listener for port-forward")?;
+    let local_port = listener
+        .local_addr()
+        .map_err(|e| SunbeamError::Other(format!("local_addr: {e}")))?
+        .port();
+
+    let pod_name = pod_name.to_string();
+    let ns = namespace.to_string();
+    let task = tokio::spawn(async move {
+        let mut current_pod = pod_name;
+        loop {
+            let (mut client_stream, _) = match listener.accept().await {
+                Ok(s) => s,
+                Err(_) => break,
+            };
+
+            let pf_result = pods.portforward(&current_pod, &[remote_port]).await;
+            let mut pf = match pf_result {
+                Ok(pf) => pf,
+                Err(e) => {
+                    tracing::warn!("Port-forward failed, re-resolving pod: {e}");
+                    // Re-resolve the pod in case it restarted with a new name
+                    if let Ok(new_client) = k::get_client().await {
+                        let new_pods: Api<Pod> = Api::namespaced(new_client.clone(), &ns);
+                        let lp = ListParams::default();
+                        if let Ok(pod_list) = new_pods.list(&lp).await {
+                            if let Some(name) = pod_list
+                                .items
+                                .iter()
+                                .find(|p| {
+                                    p.metadata
+                                        .name
+                                        .as_deref()
+                                        .map(|n| n.starts_with(current_pod.split('-').next().unwrap_or("")))
+                                        .unwrap_or(false)
+                                })
+                                .and_then(|p| p.metadata.name.clone())
+                            {
+                                current_pod = name;
+                            }
+                        }
+                    }
+                    continue; // next accept() iteration will retry
+                }
+            };
+
+            let mut upstream = match pf.take_stream(remote_port) {
+                Some(s) => s,
+                None => continue,
+            };
+
+            tokio::spawn(async move {
+                let _ = tokio::io::copy_bidirectional(&mut client_stream, &mut upstream).await;
+            });
+        }
+    });
+
+    let abort_handle = task.abort_handle();
+    tokio::time::sleep(std::time::Duration::from_millis(100)).await;
+
+    Ok(PortForwardGuard {
+        _abort_handle: abort_handle,
+        local_port,
+    })
+}
+
+/// Port-forward to a service by finding a matching pod via label selector.
+async fn port_forward_svc(
+    namespace: &str,
+    label_selector: &str,
+    remote_port: u16,
+) -> Result<PortForwardGuard> {
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), namespace);
+    let lp = ListParams::default().labels(label_selector);
+    let pod_list = pods.list(&lp).await?;
+    let pod_name = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("No pod found matching label selector")?
+        .to_string();
+
+    port_forward(namespace, &pod_name, remote_port).await
+}
+
+// ── Kratos admin identity seeding ───────────────────────────────────────────
+
+#[derive(Debug, Deserialize)]
+struct KratosIdentity {
+    id: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct KratosRecovery {
+    #[serde(default)]
+    recovery_link: String,
+    #[serde(default)]
+    recovery_code: String,
+}
+
+/// Ensure estudio-admin@<domain> exists in Kratos and is the only admin identity.
+async fn seed_kratos_admin_identity(bao: &BaoClient) -> (String, String) {
+    let domain = match k::get_domain().await {
+        Ok(d) => d,
+        Err(e) => {
+            warn(&format!("Could not determine domain: {e}"));
+            return (String::new(), String::new());
+        }
+    };
+    let admin_email = format!("{ADMIN_USERNAME}@{domain}");
+    ok(&format!(
+        "Ensuring Kratos admin identity ({admin_email})..."
+    ));
+
+    let result: std::result::Result<(String, String), SunbeamError> = async {
+        let pf = match port_forward_svc("ory", "app.kubernetes.io/name=kratos-admin", 80).await {
+            Ok(pf) => pf,
+            Err(_) => port_forward_svc("ory", "app.kubernetes.io/name=kratos", 4434)
+                .await
+                .ctx("Could not port-forward to Kratos admin API")?,
+        };
+        let base = format!("http://127.0.0.1:{}", pf.local_port);
+        tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+
+        let http = reqwest::Client::new();
+
+        let resp = http
+            .get(format!(
+                "{base}/admin/identities?credentials_identifier={admin_email}&page_size=1"
+            ))
+            .header("Accept", "application/json")
+            .send()
+            .await?;
+
+        let identities: Vec<KratosIdentity> = resp.json().await.unwrap_or_default();
+        let identity_id = if let Some(existing) = identities.first() {
+            ok(&format!(
+                "  admin identity exists ({}...)",
+                &existing.id[..8.min(existing.id.len())]
+            ));
+            existing.id.clone()
+        } else {
+            let resp = http
+                .post(format!("{base}/admin/identities"))
+                .header("Content-Type", "application/json")
+                .header("Accept", "application/json")
+                .json(&serde_json::json!({
+                    "schema_id": "employee",
+                    "traits": {"email": admin_email},
+                    "state": "active",
+                }))
+                .send()
+                .await?;
+
+            let identity: KratosIdentity =
+                resp.json().await.map_err(|e| SunbeamError::Other(e.to_string()))?;
+            ok(&format!(
+                "  created admin identity ({}...)",
+                &identity.id[..8.min(identity.id.len())]
+            ));
+            identity.id
+        };
+
+        let resp = http
+            .post(format!("{base}/admin/recovery/code"))
+            .header("Content-Type", "application/json")
+            .header("Accept", "application/json")
+            .json(&serde_json::json!({
+                "identity_id": identity_id,
+                "expires_in": "24h",
+            }))
+            .send()
+            .await?;
+
+        let recovery: KratosRecovery = resp.json().await.unwrap_or(KratosRecovery {
+            recovery_link: String::new(),
+            recovery_code: String::new(),
+        });
+
+        let mut patch_data = HashMap::new();
+        patch_data.insert("admin-identity-ids".to_string(), admin_email.clone());
+        let _ = bao.kv_patch("secret", "kratos-admin", &patch_data).await;
+        ok(&format!("  ADMIN_IDENTITY_IDS set to {admin_email}"));
+
+        Ok((recovery.recovery_link, recovery.recovery_code))
+    }
+    .await;
+
+    match result {
+        Ok(r) => r,
+        Err(e) => {
+            warn(&format!(
+                "Could not seed Kratos admin identity (Kratos may not be ready): {e}"
+            ));
+            (String::new(), String::new())
+        }
+    }
+}
+
+// ── cmd_seed — main entry point ─────────────────────────────────────────────
+
+/// Seed OpenBao KV with crypto-random credentials, then mirror to K8s Secrets.
+/// File-based advisory lock for `cmd_seed` to prevent concurrent runs.
+struct SeedLock {
+    path: std::path::PathBuf,
+}
+
+impl SeedLock {
+    fn acquire() -> Result<Self> {
+        let lock_path = dirs::data_dir()
+            .unwrap_or_else(|| dirs::home_dir().unwrap().join(".local/share"))
+            .join("sunbeam")
+            .join("seed.lock");
+        std::fs::create_dir_all(lock_path.parent().unwrap())?;
+
+        match std::fs::OpenOptions::new()
+            .write(true)
+            .create_new(true)
+            .open(&lock_path)
+        {
+            Ok(mut f) => {
+                use std::io::Write;
+                write!(f, "{}", std::process::id())?;
+                Ok(SeedLock { path: lock_path })
+            }
+            Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {
+                // Check if the PID in the file is still alive
+                if let Ok(pid_str) = std::fs::read_to_string(&lock_path) {
+                    if let Ok(pid) = pid_str.trim().parse::<i32>() {
+                        // kill(pid, 0) checks if process exists without sending a signal
+                        let alive = is_pid_alive(pid);
+                        if alive {
+                            return Err(SunbeamError::secrets(
+                                "Another sunbeam seed is already running. Wait for it to finish.",
+                            ));
+                        }
+                    }
+                }
+                // Stale lock, remove and retry
+                std::fs::remove_file(&lock_path)?;
+                let mut f = std::fs::OpenOptions::new()
+                    .write(true)
+                    .create_new(true)
+                    .open(&lock_path)?;
+                use std::io::Write;
+                write!(f, "{}", std::process::id())?;
+                Ok(SeedLock { path: lock_path })
+            }
+            Err(e) => Err(e.into()),
+        }
+    }
+}
+
+impl Drop for SeedLock {
+    fn drop(&mut self) {
+        let _ = std::fs::remove_file(&self.path);
+    }
+}
+
+/// Check if a process with the given PID is still alive.
+fn is_pid_alive(pid: i32) -> bool {
+    std::process::Command::new("kill")
+        .args(["-0", &pid.to_string()])
+        .stdout(std::process::Stdio::null())
+        .stderr(std::process::Stdio::null())
+        .status()
+        .map(|s| s.success())
+        .unwrap_or(false)
+}
+
+pub async fn cmd_seed() -> Result<()> {
+    let _lock = SeedLock::acquire()?;
+    step("Seeding secrets...");
+
+    let seed_result = seeding::seed_openbao().await?;
+    let (creds, ob_pod, root_token) = match seed_result {
+        Some(r) => (r.creds, r.ob_pod, r.root_token),
+        None => (HashMap::new(), String::new(), String::new()),
+    };
+
+    let s3_access_key = creds.get("s3-access-key").cloned().unwrap_or_default();
+    let s3_secret_key = creds.get("s3-secret-key").cloned().unwrap_or_default();
+    let hydra_system = creds
+        .get("hydra-system-secret")
+        .cloned()
+        .unwrap_or_default();
+    let hydra_cookie = creds
+        .get("hydra-cookie-secret")
+        .cloned()
+        .unwrap_or_default();
+    let hydra_pairwise = creds
+        .get("hydra-pairwise-salt")
+        .cloned()
+        .unwrap_or_default();
+    let kratos_secrets_default = creds
+        .get("kratos-secrets-default")
+        .cloned()
+        .unwrap_or_default();
+    let kratos_secrets_cookie = creds
+        .get("kratos-secrets-cookie")
+        .cloned()
+        .unwrap_or_default();
+    let hive_oidc_id = creds
+        .get("hive-oidc-client-id")
+        .cloned()
+        .unwrap_or_else(|| "hive-local".into());
+    let hive_oidc_sec = creds
+        .get("hive-oidc-client-secret")
+        .cloned()
+        .unwrap_or_default();
+    let django_secret = creds
+        .get("people-django-secret")
+        .cloned()
+        .unwrap_or_default();
+    let gitea_admin_pass = creds
+        .get("gitea-admin-password")
+        .cloned()
+        .unwrap_or_default();
+
+    // ── Wait for Postgres ───────────────────────────────────────────────
+    ok("Waiting for postgres cluster...");
+    let mut pg_pod = String::new();
+
+    let client = k::get_client().await?;
+    let ar = ApiResource {
+        group: "postgresql.cnpg.io".into(),
+        version: "v1".into(),
+        api_version: "postgresql.cnpg.io/v1".into(),
+        kind: "Cluster".into(),
+        plural: "clusters".into(),
+    };
+    let cnpg_api: Api<DynamicObject> = Api::namespaced_with(client.clone(), "data", &ar);
+    for _ in 0..60 {
+        if let Ok(cluster) = cnpg_api.get("postgres").await {
+            let phase = cluster
+                .data
+                .get("status")
+                .and_then(|s| s.get("phase"))
+                .and_then(|p| p.as_str())
+                .unwrap_or("");
+            if phase == "Cluster in healthy state" {
+                // Cluster is healthy — find the primary pod name
+                let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+                let lp = ListParams::default().labels("cnpg.io/cluster=postgres,role=primary");
+                if let Ok(pod_list) = pods.list(&lp).await {
+                    if let Some(name) = pod_list
+                        .items
+                        .first()
+                        .and_then(|p| p.metadata.name.as_deref())
+                    {
+                        pg_pod = name.to_string();
+                        ok(&format!("Postgres ready ({pg_pod})."));
+                        break;
+                    }
+                }
+            }
+        }
+        tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+    }
+
+    if pg_pod.is_empty() {
+        warn("Postgres not ready after 5 min -- continuing anyway.");
+    }
+
+    if !pg_pod.is_empty() {
+        ok("Ensuring postgres roles and databases exist...");
+        let db_map: HashMap<&str, &str> = [
+            ("kratos", "kratos_db"),
+            ("hydra", "hydra_db"),
+            ("gitea", "gitea_db"),
+            ("hive", "hive_db"),
+            ("docs", "docs_db"),
+            ("meet", "meet_db"),
+            ("drive", "drive_db"),
+            ("messages", "messages_db"),
+            ("conversations", "conversations_db"),
+            ("people", "people_db"),
+            ("find", "find_db"),
+            ("calendars", "calendars_db"),
+            ("projects", "projects_db"),
+        ]
+        .into_iter()
+        .collect();
+
+        for user in PG_USERS {
+            let ensure_sql = format!(
+                "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='{user}') \
+                 THEN EXECUTE 'CREATE USER {user}'; END IF; END $$;"
+            );
+            let _ = k::kube_exec(
+                "data",
+                &pg_pod,
+                &["psql", "-U", "postgres", "-c", &ensure_sql],
+                Some("postgres"),
+            )
+            .await;
+
+            let db = db_map.get(user).copied().unwrap_or("unknown_db");
+            let create_db_sql = format!("CREATE DATABASE {db} OWNER {user};");
+            let _ = k::kube_exec(
+                "data",
+                &pg_pod,
+                &["psql", "-U", "postgres", "-c", &create_db_sql],
+                Some("postgres"),
+            )
+            .await;
+        }
+
+        // Configure database secrets engine via port-forward
+        if !ob_pod.is_empty() && !root_token.is_empty() {
+            match port_forward("data", &ob_pod, 8200).await {
+                Ok(pf) => {
+                    let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+                    let bao = BaoClient::with_token(&bao_url, &root_token);
+                    if let Err(e) = db_engine::configure_db_engine(&bao).await {
+                        warn(&format!("DB engine config failed: {e}"));
+                    }
+                }
+                Err(e) => warn(&format!("Port-forward to OpenBao failed: {e}")),
+            }
+        } else {
+            warn("Skipping DB engine config -- missing ob_pod or root_token.");
+        }
+    }
+
+    // ── Create K8s secrets ──────────────────────────────────────────────
+    ok("Creating K8s secrets (VSO will overwrite on next sync)...");
+
+    k::ensure_ns("ory").await?;
+    k::create_secret(
+        "ory",
+        "hydra",
+        HashMap::from([
+            ("secretsSystem".into(), hydra_system),
+            ("secretsCookie".into(), hydra_cookie),
+            ("pairwise-salt".into(), hydra_pairwise),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "ory",
+        "kratos-app-secrets",
+        HashMap::from([
+            ("secretsDefault".into(), kratos_secrets_default),
+            ("secretsCookie".into(), kratos_secrets_cookie),
+        ]),
+    )
+    .await?;
+
+    k::ensure_ns("devtools").await?;
+    k::create_secret(
+        "devtools",
+        "gitea-s3-credentials",
+        HashMap::from([
+            ("access-key".into(), s3_access_key.clone()),
+            ("secret-key".into(), s3_secret_key.clone()),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "devtools",
+        "gitea-admin-credentials",
+        HashMap::from([
+            ("username".into(), GITEA_ADMIN_USER.into()),
+            ("password".into(), gitea_admin_pass.clone()),
+        ]),
+    )
+    .await?;
+
+    // Sync Gitea admin password to Gitea's own DB
+    if !gitea_admin_pass.is_empty() {
+        let gitea_pods: Api<Pod> = Api::namespaced(client.clone(), "devtools");
+        let lp = ListParams::default().labels("app.kubernetes.io/name=gitea");
+        if let Ok(pod_list) = gitea_pods.list(&lp).await {
+            if let Some(gitea_pod) = pod_list
+                .items
+                .first()
+                .and_then(|p| p.metadata.name.as_deref())
+            {
+                match k::kube_exec(
+                    "devtools",
+                    gitea_pod,
+                    &[
+                        "gitea",
+                        "admin",
+                        "user",
+                        "change-password",
+                        "--username",
+                        GITEA_ADMIN_USER,
+                        "--password",
+                        &gitea_admin_pass,
+                        "--must-change-password=false",
+                    ],
+                    Some("gitea"),
+                )
+                .await
+                {
+                    Ok((0, _)) => ok("Gitea admin password synced to Gitea DB."),
+                    Ok((_, stderr)) => {
+                        warn(&format!("Could not sync Gitea admin password: {stderr}"))
+                    }
+                    Err(e) => warn(&format!("Could not sync Gitea admin password: {e}")),
+                }
+            } else {
+                warn("Gitea pod not found -- admin password NOT synced to Gitea DB. Run seed again after Gitea is deployed.");
+            }
+        }
+    }
+
+    k::ensure_ns("storage").await?;
+    let s3_json = format!(
+        r#"{{"identities":[{{"name":"seaweed","credentials":[{{"accessKey":"{}","secretKey":"{}"}}],"actions":["Admin","Read","Write","List","Tagging"]}}]}}"#,
+        s3_access_key, s3_secret_key
+    );
+    k::create_secret(
+        "storage",
+        "seaweedfs-s3-credentials",
+        HashMap::from([
+            ("S3_ACCESS_KEY".into(), s3_access_key.clone()),
+            ("S3_SECRET_KEY".into(), s3_secret_key.clone()),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "storage",
+        "seaweedfs-s3-json",
+        HashMap::from([("s3.json".into(), s3_json)]),
+    )
+    .await?;
+
+    k::ensure_ns("lasuite").await?;
+    k::create_secret(
+        "lasuite",
+        "seaweedfs-s3-credentials",
+        HashMap::from([
+            ("S3_ACCESS_KEY".into(), s3_access_key),
+            ("S3_SECRET_KEY".into(), s3_secret_key),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "lasuite",
+        "hive-oidc",
+        HashMap::from([
+            ("client-id".into(), hive_oidc_id),
+            ("client-secret".into(), hive_oidc_sec),
+        ]),
+    )
+    .await?;
+    k::create_secret(
+        "lasuite",
+        "people-django-secret",
+        HashMap::from([("DJANGO_SECRET_KEY".into(), django_secret)]),
+    )
+    .await?;
+
+    k::ensure_ns("matrix").await?;
+    k::ensure_ns("media").await?;
+    k::ensure_ns("monitoring").await?;
+
+    // ── Kratos admin identity ───────────────────────────────────────────
+    if !ob_pod.is_empty() && !root_token.is_empty() {
+        if let Ok(pf) = port_forward("data", &ob_pod, 8200).await {
+            let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+            let bao = BaoClient::with_token(&bao_url, &root_token);
+            let (recovery_link, recovery_code) = seed_kratos_admin_identity(&bao).await;
+            if !recovery_link.is_empty() {
+                ok("Admin recovery link (valid 24h):");
+                println!("  {recovery_link}");
+            }
+            if !recovery_code.is_empty() {
+                ok("Admin recovery code (enter on the page above):");
+                println!("  {recovery_code}");
+            }
+        }
+    }
+
+    let dkim_pub = creds
+        .get("messages-dkim-public-key")
+        .cloned()
+        .unwrap_or_default();
+    if !dkim_pub.is_empty() {
+        let b64_key: String = dkim_pub
+            .replace("-----BEGIN PUBLIC KEY-----", "")
+            .replace("-----END PUBLIC KEY-----", "")
+            .replace("-----BEGIN RSA PUBLIC KEY-----", "")
+            .replace("-----END RSA PUBLIC KEY-----", "")
+            .split_whitespace()
+            .collect();
+
+        if let Ok(domain) = k::get_domain().await {
+            ok("DKIM DNS record (add to DNS at your registrar):");
+            println!(
+                "  default._domainkey.{domain}  TXT  \"v=DKIM1; k=rsa; p={b64_key}\""
+            );
+        }
+    }
+
+    ok("All secrets seeded.");
+    Ok(())
+}
+
+// ── cmd_verify — VSO E2E verification ───────────────────────────────────────
+
+/// End-to-end test of VSO -> OpenBao integration.
+pub async fn cmd_verify() -> Result<()> {
+    step("Verifying VSO -> OpenBao integration (E2E)...");
+
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+    let lp = ListParams::default().labels("app.kubernetes.io/name=openbao,component=server");
+    let pod_list = pods.list(&lp).await?;
+
+    let ob_pod = pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+        .ctx("OpenBao pod not found -- run full bring-up first.")?
+        .to_string();
+
+    let root_token = k::kube_get_secret_field("data", "openbao-keys", "root-token")
+        .await
+        .ctx("Could not read openbao-keys secret.")?;
+
+    let pf = port_forward("data", &ob_pod, 8200).await?;
+    let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+    let bao = BaoClient::with_token(&bao_url, &root_token);
+
+    let test_value = rand_token_n(16);
+    let test_ns = "ory";
+    let test_name = "vso-verify";
+
+    let result: std::result::Result<(), SunbeamError> = async {
+        ok("Writing test sentinel to OpenBao secret/vso-test ...");
+        let mut data = HashMap::new();
+        data.insert("test-key".to_string(), test_value.clone());
+        bao.kv_put("secret", "vso-test", &data).await?;
+
+        ok(&format!("Creating VaultAuth {test_ns}/{test_name} ..."));
+        k::kube_apply(&format!(
+            r#"
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: {test_name}
+  namespace: {test_ns}
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: vso
+    serviceAccount: default
+"#
+        ))
+        .await?;
+
+        ok(&format!(
+            "Creating VaultStaticSecret {test_ns}/{test_name} ..."
+        ));
+        k::kube_apply(&format!(
+            r#"
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {test_name}
+  namespace: {test_ns}
+spec:
+  vaultAuthRef: {test_name}
+  mount: secret
+  type: kv-v2
+  path: vso-test
+  refreshAfter: 10s
+  destination:
+    name: {test_name}
+    create: true
+    overwrite: true
+"#
+        ))
+        .await?;
+
+        ok("Waiting for VSO to sync (up to 60s) ...");
+        let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(60);
+        let mut synced = false;
+
+        while tokio::time::Instant::now() < deadline {
+            let (code, mac) = kubectl_jsonpath(
+                test_ns,
+                "vaultstaticsecret",
+                test_name,
+                "{.status.secretMAC}",
+            )
+            .await;
+            if code == 0 && !mac.is_empty() && mac != "<none>" {
+                synced = true;
+                break;
+            }
+            tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+        }
+
+        if !synced {
+            let (_, msg) = kubectl_jsonpath(
+                test_ns,
+                "vaultstaticsecret",
+                test_name,
+                "{.status.conditions[0].message}",
+            )
+            .await;
+            return Err(SunbeamError::secrets(format!(
+                "VSO did not sync within 60s. Last status: {}",
+                if msg.is_empty() {
+                    "unknown".to_string()
+                } else {
+                    msg
+                }
+            )));
+        }
+
+        ok("Verifying K8s Secret contents ...");
+        let secret = k::kube_get_secret(test_ns, test_name)
+            .await?
+            .with_ctx(|| format!("K8s Secret {test_ns}/{test_name} not found."))?;
+
+        let data = secret.data.as_ref().ctx("Secret has no data")?;
+        let raw = data
+            .get("test-key")
+            .ctx("Missing key 'test-key' in secret")?;
+        let actual = String::from_utf8(raw.0.clone())
+            .map_err(|e| SunbeamError::Other(format!("UTF-8 error: {e}")))?;
+
+        if actual != test_value {
+            return Err(SunbeamError::secrets(format!(
+                "Value mismatch!\n  expected: {:?}\n  got:      {:?}",
+                test_value,
+                actual
+            )));
+        }
+
+        ok("Sentinel value matches -- VSO -> OpenBao integration is working.");
+        Ok(())
+    }
+    .await;
+
+    // Always clean up
+    ok("Cleaning up test resources...");
+    let _ = delete_crd(test_ns, "vaultstaticsecret", test_name).await;
+    let _ = delete_crd(test_ns, "vaultauth", test_name).await;
+    let _ = delete_k8s_secret(test_ns, test_name).await;
+    let _ = bao.kv_delete("secret", "vso-test").await;
+
+    match result {
+        Ok(()) => {
+            ok("VSO E2E verification passed.");
+            Ok(())
+        }
+        Err(e) => Err(SunbeamError::secrets(format!(
+            "VSO verification FAILED: {e}"
+        ))),
+    }
+}
+
+// ── Utility helpers ─────────────────────────────────────────────────────────
+
+async fn wait_pod_running(ns: &str, pod_name: &str, timeout_secs: u64) -> bool {
+    let client = match k::get_client().await {
+        Ok(c) => c,
+        Err(_) => return false,
+    };
+    let pods: Api<Pod> = Api::namespaced(client.clone(), ns);
+
+    let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(timeout_secs);
+    while tokio::time::Instant::now() < deadline {
+        if let Ok(Some(pod)) = pods.get_opt(pod_name).await {
+            if pod
+                .status
+                .as_ref()
+                .and_then(|s| s.phase.as_deref())
+                .unwrap_or("")
+                == "Running"
+            {
+                return true;
+            }
+        }
+        tokio::time::sleep(std::time::Duration::from_secs(2)).await;
+    }
+    false
+}
+
+fn scw_config(key: &str) -> String {
+    std::process::Command::new("scw")
+        .args(["config", "get", key])
+        .output()
+        .ok()
+        .filter(|o| o.status.success())
+        .map(|o| String::from_utf8_lossy(&o.stdout).trim().to_string())
+        .unwrap_or_default()
+}
+
+async fn delete_crd(ns: &str, kind: &str, name: &str) -> Result<()> {
+    let ctx = format!("--context={}", k::context());
+    let _ = tokio::process::Command::new("kubectl")
+        .args([&ctx, "-n", ns, "delete", kind, name, "--ignore-not-found"])
+        .output()
+        .await;
+    Ok(())
+}
+
+async fn delete_k8s_secret(ns: &str, name: &str) -> Result<()> {
+    let client = k::get_client().await?;
+    let api: Api<k8s_openapi::api::core::v1::Secret> = Api::namespaced(client.clone(), ns);
+    let _ = api
+        .delete(name, &kube::api::DeleteParams::default())
+        .await;
+    Ok(())
+}
+
+async fn delete_resource(ns: &str, kind: &str, name: &str) -> Result<()> {
+    let ctx = format!("--context={}", k::context());
+    let _ = tokio::process::Command::new("kubectl")
+        .args([&ctx, "-n", ns, "delete", kind, name, "--ignore-not-found"])
+        .output()
+        .await;
+    Ok(())
+}
+
+async fn kubectl_jsonpath(ns: &str, kind: &str, name: &str, jsonpath: &str) -> (i32, String) {
+    let ctx = format!("--context={}", k::context());
+    let jp = format!("-o=jsonpath={jsonpath}");
+    match tokio::process::Command::new("kubectl")
+        .args([&ctx, "-n", ns, "get", kind, name, &jp, "--ignore-not-found"])
+        .output()
+        .await
+    {
+        Ok(output) => {
+            let code = output.status.code().unwrap_or(1);
+            let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+            (code, stdout)
+        }
+        Err(_) => (1, String::new()),
+    }
+}
+
+// ── Tests ───────────────────────────────────────────────────────────────────
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_gen_fernet_key_length() {
+        use base64::Engine;
+        let key = gen_fernet_key();
+        assert_eq!(key.len(), 44);
+        let decoded = base64::engine::general_purpose::URL_SAFE
+            .decode(&key)
+            .expect("should be valid URL-safe base64");
+        assert_eq!(decoded.len(), 32);
+    }
+
+    #[test]
+    fn test_gen_fernet_key_unique() {
+        let k1 = gen_fernet_key();
+        let k2 = gen_fernet_key();
+        assert_ne!(k1, k2, "Two generated Fernet keys should differ");
+    }
+
+    #[test]
+    fn test_gen_dkim_key_pair_produces_pem() {
+        let (private_pem, public_pem) = gen_dkim_key_pair();
+        assert!(
+            private_pem.contains("BEGIN PRIVATE KEY"),
+            "Private key should be PKCS8 PEM"
+        );
+        assert!(
+            public_pem.contains("BEGIN PUBLIC KEY"),
+            "Public key should be SPKI PEM (not PKCS#1)"
+        );
+        assert!(
+            !public_pem.contains("BEGIN RSA PUBLIC KEY"),
+            "Public key should NOT be PKCS#1 format"
+        );
+        assert!(!private_pem.is_empty());
+        assert!(!public_pem.is_empty());
+    }
+
+    #[test]
+    fn test_rand_token_nonempty_and_unique() {
+        let t1 = rand_token();
+        let t2 = rand_token();
+        assert!(!t1.is_empty());
+        assert_ne!(t1, t2);
+    }
+
+    #[test]
+    fn test_rand_token_n_length() {
+        use base64::Engine;
+        let t = rand_token_n(50);
+        let decoded = base64::engine::general_purpose::URL_SAFE_NO_PAD
+            .decode(&t)
+            .expect("should be valid URL-safe base64");
+        assert_eq!(decoded.len(), 50);
+    }
+
+    #[test]
+    fn test_constants() {
+        assert_eq!(ADMIN_USERNAME, "estudio-admin");
+        assert_eq!(GITEA_ADMIN_USER, "gitea_admin");
+        assert_eq!(PG_USERS.len(), 13);
+        assert!(PG_USERS.contains(&"kratos"));
+        assert!(PG_USERS.contains(&"projects"));
+    }
+
+    #[test]
+    fn test_scw_config_returns_empty_on_missing_binary() {
+        let result = scw_config("nonexistent-key");
+        let _ = result;
+    }
+
+    #[test]
+    fn test_seed_result_structure() {
+        let mut creds = HashMap::new();
+        creds.insert(
+            "hydra-system-secret".to_string(),
+            "existingvalue".to_string(),
+        );
+        let result = seeding::SeedResult {
+            creds,
+            ob_pod: "openbao-0".to_string(),
+            root_token: "token123".to_string(),
+        };
+        assert!(result.creds.contains_key("hydra-system-secret"));
+        assert_eq!(result.creds["hydra-system-secret"], "existingvalue");
+        assert_eq!(result.ob_pod, "openbao-0");
+    }
+
+    #[test]
+    fn test_dkim_public_key_extraction() {
+        let pem = "-----BEGIN PUBLIC KEY-----\nMIIBCgKCAQ...\nbase64data\n-----END PUBLIC KEY-----";
+        let b64_key: String = pem
+            .replace("-----BEGIN PUBLIC KEY-----", "")
+            .replace("-----END PUBLIC KEY-----", "")
+            .replace("-----BEGIN RSA PUBLIC KEY-----", "")
+            .replace("-----END RSA PUBLIC KEY-----", "")
+            .split_whitespace()
+            .collect();
+        assert_eq!(b64_key, "MIIBCgKCAQ...base64data");
+    }
+
+    #[test]
+    fn test_smtp_uri() {
+        assert_eq!(
+            SMTP_URI,
+            "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true"
+        );
+    }
+
+    #[test]
+    fn test_pg_users_match_python() {
+        let expected = vec![
+            "kratos",
+            "hydra",
+            "gitea",
+            "hive",
+            "docs",
+            "meet",
+            "drive",
+            "messages",
+            "conversations",
+            "people",
+            "find",
+            "calendars",
+            "projects",
+        ];
+        assert_eq!(PG_USERS, &expected[..]);
+    }
+}
diff --git a/sunbeam-sdk/src/secrets/seeding.rs b/sunbeam-sdk/src/secrets/seeding.rs
new file mode 100644
index 0000000..0f80a00
--- /dev/null
+++ b/sunbeam-sdk/src/secrets/seeding.rs
@@ -0,0 +1,542 @@
+//! OpenBao KV seeding — init/unseal, idempotent credential generation, VSO auth.
+
+use std::collections::{HashMap, HashSet};
+
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, ListParams};
+
+use crate::error::Result;
+use crate::kube as k;
+use crate::openbao::BaoClient;
+use crate::output::{ok, warn};
+
+use super::{
+    gen_dkim_key_pair, gen_fernet_key, port_forward, rand_token, rand_token_n, scw_config,
+    wait_pod_running, delete_resource, GITEA_ADMIN_USER, SMTP_URI,
+};
+
+/// Internal result from seed_openbao, used by cmd_seed.
+pub struct SeedResult {
+    pub creds: HashMap<String, String>,
+    pub ob_pod: String,
+    pub root_token: String,
+}
+
+/// Read-or-create pattern: reads existing KV values, only generates missing ones.
+pub async fn get_or_create(
+    bao: &BaoClient,
+    path: &str,
+    fields: &[(&str, &dyn Fn() -> String)],
+    dirty_paths: &mut HashSet<String>,
+) -> Result<HashMap<String, String>> {
+    let existing = bao.kv_get("secret", path).await?.unwrap_or_default();
+    let mut result = HashMap::new();
+    for (key, default_fn) in fields {
+        let val = existing.get(*key).filter(|v| !v.is_empty()).cloned();
+        if let Some(v) = val {
+            result.insert(key.to_string(), v);
+        } else {
+            result.insert(key.to_string(), default_fn());
+            dirty_paths.insert(path.to_string());
+        }
+    }
+    Ok(result)
+}
+
+/// Initialize/unseal OpenBao, generate/read credentials idempotently, configure VSO auth.
+pub async fn seed_openbao() -> Result<Option<SeedResult>> {
+    let client = k::get_client().await?;
+    let pods: Api<Pod> = Api::namespaced(client.clone(), "data");
+    let lp = ListParams::default().labels("app.kubernetes.io/name=openbao,component=server");
+    let pod_list = pods.list(&lp).await?;
+
+    let ob_pod = match pod_list
+        .items
+        .first()
+        .and_then(|p| p.metadata.name.as_deref())
+    {
+        Some(name) => name.to_string(),
+        None => {
+            ok("OpenBao pod not found -- skipping.");
+            return Ok(None);
+        }
+    };
+
+    ok(&format!("OpenBao ({ob_pod})..."));
+    let _ = wait_pod_running("data", &ob_pod, 120).await;
+
+    let pf = port_forward("data", &ob_pod, 8200).await?;
+    let bao_url = format!("http://127.0.0.1:{}", pf.local_port);
+    let bao = BaoClient::new(&bao_url);
+
+    // ── Init / Unseal ───────────────────────────────────────────────────
+    let mut unseal_key = String::new();
+    let mut root_token = String::new();
+
+    let status = bao.seal_status().await.unwrap_or_else(|_| {
+        crate::openbao::SealStatusResponse {
+            initialized: false,
+            sealed: true,
+            progress: 0,
+            t: 0,
+            n: 0,
+        }
+    });
+
+    let mut already_initialized = status.initialized;
+    if !already_initialized {
+        if let Ok(Some(_)) = k::kube_get_secret("data", "openbao-keys").await {
+            already_initialized = true;
+        }
+    }
+
+    if !already_initialized {
+        ok("Initializing OpenBao...");
+        match bao.init(1, 1).await {
+            Ok(init) => {
+                unseal_key = init.unseal_keys_b64[0].clone();
+                root_token = init.root_token.clone();
+                let mut data = HashMap::new();
+                data.insert("key".to_string(), unseal_key.clone());
+                data.insert("root-token".to_string(), root_token.clone());
+                k::create_secret("data", "openbao-keys", data).await?;
+                ok("Initialized -- keys stored in secret/openbao-keys.");
+            }
+            Err(e) => {
+                warn(&format!(
+                    "Init failed -- resetting OpenBao storage for local dev... ({e})"
+                ));
+                let _ = delete_resource("data", "pvc", "data-openbao-0").await;
+                let _ = delete_resource("data", "pod", &ob_pod).await;
+                warn("OpenBao storage reset. Run --seed again after the pod restarts.");
+                return Ok(None);
+            }
+        }
+    } else {
+        ok("Already initialized.");
+        if let Ok(key) = k::kube_get_secret_field("data", "openbao-keys", "key").await {
+            unseal_key = key;
+        }
+        if let Ok(token) = k::kube_get_secret_field("data", "openbao-keys", "root-token").await {
+            root_token = token;
+        }
+    }
+
+    // Unseal if needed
+    let status = bao.seal_status().await.unwrap_or_else(|_| {
+        crate::openbao::SealStatusResponse {
+            initialized: true,
+            sealed: true,
+            progress: 0,
+            t: 0,
+            n: 0,
+        }
+    });
+    if status.sealed && !unseal_key.is_empty() {
+        ok("Unsealing...");
+        bao.unseal(&unseal_key).await?;
+    }
+
+    if root_token.is_empty() {
+        warn("No root token available -- skipping KV seeding.");
+        return Ok(None);
+    }
+
+    let bao = BaoClient::with_token(&bao_url, &root_token);
+
+    // ── KV seeding ──────────────────────────────────────────────────────
+    ok("Seeding KV (idempotent -- existing values preserved)...");
+    let _ = bao.enable_secrets_engine("secret", "kv").await;
+    let _ = bao
+        .write(
+            "sys/mounts/secret/tune",
+            &serde_json::json!({"options": {"version": "2"}}),
+        )
+        .await;
+
+    let mut dirty_paths: HashSet<String> = HashSet::new();
+
+    let hydra = get_or_create(
+        &bao,
+        "hydra",
+        &[
+            ("system-secret", &rand_token as &dyn Fn() -> String),
+            ("cookie-secret", &rand_token),
+            ("pairwise-salt", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let smtp_uri_fn = || SMTP_URI.to_string();
+    let kratos = get_or_create(
+        &bao,
+        "kratos",
+        &[
+            ("secrets-default", &rand_token as &dyn Fn() -> String),
+            ("secrets-cookie", &rand_token),
+            ("smtp-connection-uri", &smtp_uri_fn),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let seaweedfs = get_or_create(
+        &bao,
+        "seaweedfs",
+        &[
+            ("access-key", &rand_token as &dyn Fn() -> String),
+            ("secret-key", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let gitea_admin_user_fn = || GITEA_ADMIN_USER.to_string();
+    let gitea = get_or_create(
+        &bao,
+        "gitea",
+        &[
+            (
+                "admin-username",
+                &gitea_admin_user_fn as &dyn Fn() -> String,
+            ),
+            ("admin-password", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let hive_local_fn = || "hive-local".to_string();
+    let hive = get_or_create(
+        &bao,
+        "hive",
+        &[
+            ("oidc-client-id", &hive_local_fn as &dyn Fn() -> String),
+            ("oidc-client-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let devkey_fn = || "devkey".to_string();
+    let livekit = get_or_create(
+        &bao,
+        "livekit",
+        &[
+            ("api-key", &devkey_fn as &dyn Fn() -> String),
+            ("api-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let people = get_or_create(
+        &bao,
+        "people",
+        &[("django-secret-key", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let login_ui = get_or_create(
+        &bao,
+        "login-ui",
+        &[
+            ("cookie-secret", &rand_token as &dyn Fn() -> String),
+            ("csrf-cookie-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let sw_access = seaweedfs.get("access-key").cloned().unwrap_or_default();
+    let sw_secret = seaweedfs.get("secret-key").cloned().unwrap_or_default();
+    let empty_fn = || String::new();
+    let sw_access_fn = {
+        let v = sw_access.clone();
+        move || v.clone()
+    };
+    let sw_secret_fn = {
+        let v = sw_secret.clone();
+        move || v.clone()
+    };
+
+    let kratos_admin = get_or_create(
+        &bao,
+        "kratos-admin",
+        &[
+            ("cookie-secret", &rand_token as &dyn Fn() -> String),
+            ("csrf-cookie-secret", &rand_token),
+            ("admin-identity-ids", &empty_fn),
+            ("s3-access-key", &sw_access_fn),
+            ("s3-secret-key", &sw_secret_fn),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let docs = get_or_create(
+        &bao,
+        "docs",
+        &[
+            ("django-secret-key", &rand_token as &dyn Fn() -> String),
+            ("collaboration-secret", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let meet = get_or_create(
+        &bao,
+        "meet",
+        &[
+            ("django-secret-key", &rand_token as &dyn Fn() -> String),
+            ("application-jwt-secret-key", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let drive = get_or_create(
+        &bao,
+        "drive",
+        &[("django-secret-key", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let projects = get_or_create(
+        &bao,
+        "projects",
+        &[("secret-key", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let cal_django_fn = || rand_token_n(50);
+    let calendars = get_or_create(
+        &bao,
+        "calendars",
+        &[
+            ("django-secret-key", &cal_django_fn as &dyn Fn() -> String),
+            ("salt-key", &rand_token),
+            ("caldav-inbound-api-key", &rand_token),
+            ("caldav-outbound-api-key", &rand_token),
+            ("caldav-internal-api-key", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    // DKIM key pair — generated together since keys are coupled.
+    let existing_messages = bao.kv_get("secret", "messages").await?.unwrap_or_default();
+    let (dkim_private, dkim_public) = if existing_messages
+        .get("dkim-private-key")
+        .filter(|v| !v.is_empty())
+        .is_some()
+    {
+        (
+            existing_messages
+                .get("dkim-private-key")
+                .cloned()
+                .unwrap_or_default(),
+            existing_messages
+                .get("dkim-public-key")
+                .cloned()
+                .unwrap_or_default(),
+        )
+    } else {
+        gen_dkim_key_pair()
+    };
+
+    let dkim_priv_fn = {
+        let v = dkim_private.clone();
+        move || v.clone()
+    };
+    let dkim_pub_fn = {
+        let v = dkim_public.clone();
+        move || v.clone()
+    };
+    let socks_proxy_fn = || format!("sunbeam:{}", rand_token());
+    let sunbeam_fn = || "sunbeam".to_string();
+
+    let messages = get_or_create(
+        &bao,
+        "messages",
+        &[
+            ("django-secret-key", &rand_token as &dyn Fn() -> String),
+            ("salt-key", &rand_token),
+            ("mda-api-secret", &rand_token),
+            (
+                "oidc-refresh-token-key",
+                &gen_fernet_key as &dyn Fn() -> String,
+            ),
+            ("dkim-private-key", &dkim_priv_fn),
+            ("dkim-public-key", &dkim_pub_fn),
+            ("rspamd-password", &rand_token),
+            ("socks-proxy-users", &socks_proxy_fn),
+            ("mta-out-smtp-username", &sunbeam_fn),
+            ("mta-out-smtp-password", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let admin_fn = || "admin".to_string();
+    let collabora = get_or_create(
+        &bao,
+        "collabora",
+        &[
+            ("username", &admin_fn as &dyn Fn() -> String),
+            ("password", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let tuwunel = get_or_create(
+        &bao,
+        "tuwunel",
+        &[
+            ("oidc-client-id", &empty_fn as &dyn Fn() -> String),
+            ("oidc-client-secret", &empty_fn),
+            ("turn-secret", &empty_fn),
+            ("registration-token", &rand_token),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let grafana = get_or_create(
+        &bao,
+        "grafana",
+        &[("admin-password", &rand_token as &dyn Fn() -> String)],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    let scw_access_fn = || scw_config("access-key");
+    let scw_secret_fn = || scw_config("secret-key");
+    let scaleway_s3 = get_or_create(
+        &bao,
+        "scaleway-s3",
+        &[
+            ("access-key-id", &scw_access_fn as &dyn Fn() -> String),
+            ("secret-access-key", &scw_secret_fn),
+        ],
+        &mut dirty_paths,
+    )
+    .await?;
+
+    // ── Write dirty paths ───────────────────────────────────────────────
+    if dirty_paths.is_empty() {
+        ok("All OpenBao KV secrets already present -- skipping writes.");
+    } else {
+        let mut sorted_paths: Vec<&String> = dirty_paths.iter().collect();
+        sorted_paths.sort();
+        ok(&format!(
+            "Writing new secrets to OpenBao KV ({})...",
+            sorted_paths
+                .iter()
+                .map(|s| s.as_str())
+                .collect::<Vec<_>>()
+                .join(", ")
+        ));
+
+        let all_paths: &[(&str, &HashMap<String, String>)] = &[
+            ("hydra", &hydra),
+            ("kratos", &kratos),
+            ("seaweedfs", &seaweedfs),
+            ("gitea", &gitea),
+            ("hive", &hive),
+            ("livekit", &livekit),
+            ("people", &people),
+            ("login-ui", &login_ui),
+            ("kratos-admin", &kratos_admin),
+            ("docs", &docs),
+            ("meet", &meet),
+            ("drive", &drive),
+            ("projects", &projects),
+            ("calendars", &calendars),
+            ("messages", &messages),
+            ("collabora", &collabora),
+            ("tuwunel", &tuwunel),
+            ("grafana", &grafana),
+            ("scaleway-s3", &scaleway_s3),
+        ];
+
+        for (path, data) in all_paths {
+            if dirty_paths.contains(*path) {
+                bao.kv_patch("secret", path, data).await?;
+            }
+        }
+    }
+
+    // ── Kubernetes auth for VSO ─────────────────────────────────────────
+    ok("Configuring Kubernetes auth for VSO...");
+    let _ = bao.auth_enable("kubernetes", "kubernetes").await;
+
+    bao.write(
+        "auth/kubernetes/config",
+        &serde_json::json!({
+            "kubernetes_host": "https://kubernetes.default.svc.cluster.local"
+        }),
+    )
+    .await?;
+
+    let policy_hcl = concat!(
+        "path \"secret/data/*\" { capabilities = [\"read\"] }\n",
+        "path \"secret/metadata/*\" { capabilities = [\"read\", \"list\"] }\n",
+        "path \"database/static-creds/*\" { capabilities = [\"read\"] }\n",
+    );
+    bao.write_policy("vso-reader", policy_hcl).await?;
+
+    bao.write(
+        "auth/kubernetes/role/vso",
+        &serde_json::json!({
+            "bound_service_account_names": "default",
+            "bound_service_account_namespaces": "ory,devtools,storage,lasuite,matrix,media,data,monitoring",
+            "policies": "vso-reader",
+            "ttl": "1h"
+        }),
+    )
+    .await?;
+
+    // Build credentials map
+    let mut creds = HashMap::new();
+    let field_map: &[(&str, &str, &HashMap<String, String>)] = &[
+        ("hydra-system-secret", "system-secret", &hydra),
+        ("hydra-cookie-secret", "cookie-secret", &hydra),
+        ("hydra-pairwise-salt", "pairwise-salt", &hydra),
+        ("kratos-secrets-default", "secrets-default", &kratos),
+        ("kratos-secrets-cookie", "secrets-cookie", &kratos),
+        ("s3-access-key", "access-key", &seaweedfs),
+        ("s3-secret-key", "secret-key", &seaweedfs),
+        ("gitea-admin-password", "admin-password", &gitea),
+        ("hive-oidc-client-id", "oidc-client-id", &hive),
+        ("hive-oidc-client-secret", "oidc-client-secret", &hive),
+        ("people-django-secret", "django-secret-key", &people),
+        ("livekit-api-key", "api-key", &livekit),
+        ("livekit-api-secret", "api-secret", &livekit),
+        (
+            "kratos-admin-cookie-secret",
+            "cookie-secret",
+            &kratos_admin,
+        ),
+        ("messages-dkim-public-key", "dkim-public-key", &messages),
+    ];
+
+    for (cred_key, field_key, source) in field_map {
+        creds.insert(
+            cred_key.to_string(),
+            source.get(*field_key).cloned().unwrap_or_default(),
+        );
+    }
+
+    Ok(Some(SeedResult {
+        creds,
+        ob_pod,
+        root_token,
+    }))
+}
diff --git a/sunbeam-sdk/src/services/mod.rs b/sunbeam-sdk/src/services/mod.rs
new file mode 100644
index 0000000..1f69109
--- /dev/null
+++ b/sunbeam-sdk/src/services/mod.rs
@@ -0,0 +1,573 @@
+//! Service management — status, logs, restart.
+
+use crate::error::{Result, SunbeamError};
+use k8s_openapi::api::core::v1::Pod;
+use kube::api::{Api, DynamicObject, ListParams, LogParams};
+use kube::ResourceExt;
+use std::collections::BTreeMap;
+use crate::constants::MANAGED_NS;
+use crate::kube::{get_client, kube_rollout_restart, parse_target};
+use crate::output::{ok, step, warn};
+
+/// Services that can be rollout-restarted, as (namespace, deployment) pairs.
+pub const SERVICES_TO_RESTART: &[(&str, &str)] = &[
+    ("ory", "hydra"),
+    ("ory", "kratos"),
+    ("ory", "login-ui"),
+    ("devtools", "gitea"),
+    ("storage", "seaweedfs-filer"),
+    ("lasuite", "hive"),
+    ("lasuite", "people-backend"),
+    ("lasuite", "people-frontend"),
+    ("lasuite", "people-celery-worker"),
+    ("lasuite", "people-celery-beat"),
+    ("lasuite", "projects"),
+    ("matrix", "tuwunel"),
+    ("media", "livekit-server"),
+];
+
+// ---------------------------------------------------------------------------
+// Status helpers
+// ---------------------------------------------------------------------------
+
+/// Parsed pod row for display.
+struct PodRow {
+    ns: String,
+    name: String,
+    ready: String,
+    status: String,
+}
+
+fn icon_for_status(status: &str) -> &'static str {
+    match status {
+        "Running" | "Completed" | "Succeeded" => "\u{2713}",
+        "Pending" => "\u{25cb}",
+        "Failed" => "\u{2717}",
+        _ => "?",
+    }
+}
+
+fn is_unhealthy(pod: &Pod) -> bool {
+    let status = pod.status.as_ref();
+    let phase = status
+        .and_then(|s| s.phase.as_deref())
+        .unwrap_or("Unknown");
+
+    match phase {
+        "Running" => {
+            // Check all containers are ready.
+            let container_statuses = status
+                .and_then(|s| s.container_statuses.as_ref());
+            if let Some(cs) = container_statuses {
+                let total = cs.len();
+                let ready = cs.iter().filter(|c| c.ready).count();
+                ready != total
+            } else {
+                true
+            }
+        }
+        "Succeeded" | "Completed" => false,
+        _ => true,
+    }
+}
+
+fn pod_phase(pod: &Pod) -> String {
+    pod.status
+        .as_ref()
+        .and_then(|s| s.phase.clone())
+        .unwrap_or_else(|| "Unknown".to_string())
+}
+
+fn pod_ready_str(pod: &Pod) -> String {
+    let cs = pod
+        .status
+        .as_ref()
+        .and_then(|s| s.container_statuses.as_ref());
+    match cs {
+        Some(cs) => {
+            let total = cs.len();
+            let ready = cs.iter().filter(|c| c.ready).count();
+            format!("{ready}/{total}")
+        }
+        None => "0/0".to_string(),
+    }
+}
+
+// ---------------------------------------------------------------------------
+// VSO sync status
+// ---------------------------------------------------------------------------
+
+async fn vso_sync_status() -> Result<()> {
+    step("VSO secret sync status...");
+
+    let client = get_client().await?;
+    let mut all_ok = true;
+
+    // --- VaultStaticSecrets ---
+    {
+        let ar = kube::api::ApiResource {
+            group: "secrets.hashicorp.com".into(),
+            version: "v1beta1".into(),
+            api_version: "secrets.hashicorp.com/v1beta1".into(),
+            kind: "VaultStaticSecret".into(),
+            plural: "vaultstaticsecrets".into(),
+        };
+
+        let api: Api<DynamicObject> = Api::all_with(client.clone(), &ar);
+        let list = api.list(&ListParams::default()).await;
+
+        if let Ok(list) = list {
+            // Group by namespace and sort
+            let mut grouped: BTreeMap<String, Vec<(String, bool)>> = BTreeMap::new();
+            for obj in &list.items {
+                let ns = obj.namespace().unwrap_or_default();
+                let name = obj.name_any();
+                let mac = obj
+                    .data
+                    .get("status")
+                    .and_then(|s| s.get("secretMAC"))
+                    .and_then(|v| v.as_str())
+                    .unwrap_or("");
+                let synced = !mac.is_empty() && mac != "<none>";
+                if !synced {
+                    all_ok = false;
+                }
+                grouped.entry(ns).or_default().push((name, synced));
+            }
+            for (ns, mut items) in grouped {
+                println!("  {ns} (VSS):");
+                items.sort();
+                for (name, synced) in items {
+                    let icon = if synced { "\u{2713}" } else { "\u{2717}" };
+                    println!("    {icon} {name}");
+                }
+            }
+        }
+    }
+
+    // --- VaultDynamicSecrets ---
+    {
+        let ar = kube::api::ApiResource {
+            group: "secrets.hashicorp.com".into(),
+            version: "v1beta1".into(),
+            api_version: "secrets.hashicorp.com/v1beta1".into(),
+            kind: "VaultDynamicSecret".into(),
+            plural: "vaultdynamicsecrets".into(),
+        };
+
+        let api: Api<DynamicObject> = Api::all_with(client.clone(), &ar);
+        let list = api.list(&ListParams::default()).await;
+
+        if let Ok(list) = list {
+            let mut grouped: BTreeMap<String, Vec<(String, bool)>> = BTreeMap::new();
+            for obj in &list.items {
+                let ns = obj.namespace().unwrap_or_default();
+                let name = obj.name_any();
+                let renewed = obj
+                    .data
+                    .get("status")
+                    .and_then(|s| s.get("lastRenewalTime"))
+                    .and_then(|v| v.as_str())
+                    .unwrap_or("0");
+                let synced = !renewed.is_empty() && renewed != "0" && renewed != "<none>";
+                if !synced {
+                    all_ok = false;
+                }
+                grouped.entry(ns).or_default().push((name, synced));
+            }
+            for (ns, mut items) in grouped {
+                println!("  {ns} (VDS):");
+                items.sort();
+                for (name, synced) in items {
+                    let icon = if synced { "\u{2713}" } else { "\u{2717}" };
+                    println!("    {icon} {name}");
+                }
+            }
+        }
+    }
+
+    println!();
+    if all_ok {
+        ok("All VSO secrets synced.");
+    } else {
+        warn("Some VSO secrets are not synced.");
+    }
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Public commands
+// ---------------------------------------------------------------------------
+
+/// Show pod health, optionally filtered by namespace or namespace/service.
+pub async fn cmd_status(target: Option<&str>) -> Result<()> {
+    step("Pod health across all namespaces...");
+
+    let client = get_client().await?;
+    let (ns_filter, svc_filter) = parse_target(target)?;
+
+    let mut pods: Vec<PodRow> = Vec::new();
+
+    match (ns_filter, svc_filter) {
+        (None, _) => {
+            // All managed namespaces
+            let ns_set: std::collections::HashSet<&str> =
+                MANAGED_NS.iter().copied().collect();
+            for ns in MANAGED_NS {
+                let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+                let lp = ListParams::default();
+                if let Ok(list) = api.list(&lp).await {
+                    for pod in list.items {
+                        let pod_ns = pod.namespace().unwrap_or_default();
+                        if !ns_set.contains(pod_ns.as_str()) {
+                            continue;
+                        }
+                        pods.push(PodRow {
+                            ns: pod_ns,
+                            name: pod.name_any(),
+                            ready: pod_ready_str(&pod),
+                            status: pod_phase(&pod),
+                        });
+                    }
+                }
+            }
+        }
+        (Some(ns), None) => {
+            // All pods in a namespace
+            let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+            let lp = ListParams::default();
+            if let Ok(list) = api.list(&lp).await {
+                for pod in list.items {
+                    pods.push(PodRow {
+                        ns: ns.to_string(),
+                        name: pod.name_any(),
+                        ready: pod_ready_str(&pod),
+                        status: pod_phase(&pod),
+                    });
+                }
+            }
+        }
+        (Some(ns), Some(svc)) => {
+            // Specific service: filter by app label
+            let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+            let lp = ListParams::default().labels(&format!("app={svc}"));
+            if let Ok(list) = api.list(&lp).await {
+                for pod in list.items {
+                    pods.push(PodRow {
+                        ns: ns.to_string(),
+                        name: pod.name_any(),
+                        ready: pod_ready_str(&pod),
+                        status: pod_phase(&pod),
+                    });
+                }
+            }
+        }
+    }
+
+    if pods.is_empty() {
+        warn("No pods found in managed namespaces.");
+        return Ok(());
+    }
+
+    pods.sort_by(|a, b| (&a.ns, &a.name).cmp(&(&b.ns, &b.name)));
+
+    let mut all_ok = true;
+    let mut cur_ns: Option<&str> = None;
+    for row in &pods {
+        if cur_ns != Some(&row.ns) {
+            println!("  {}:", row.ns);
+            cur_ns = Some(&row.ns);
+        }
+        let icon = icon_for_status(&row.status);
+
+        let mut unhealthy = !matches!(
+            row.status.as_str(),
+            "Running" | "Completed" | "Succeeded"
+        );
+        // For Running pods, check ready ratio
+        if !unhealthy && row.status == "Running" && row.ready.contains('/') {
+            let parts: Vec<&str> = row.ready.split('/').collect();
+            if parts.len() == 2 && parts[0] != parts[1] {
+                unhealthy = true;
+            }
+        }
+        if unhealthy {
+            all_ok = false;
+        }
+        println!("    {icon} {:<50} {:<6} {}", row.name, row.ready, row.status);
+    }
+
+    println!();
+    if all_ok {
+        ok("All pods healthy.");
+    } else {
+        warn("Some pods are not ready.");
+    }
+
+    vso_sync_status().await?;
+    Ok(())
+}
+
+/// Stream logs for a service. Target must include service name (e.g. ory/kratos).
+pub async fn cmd_logs(target: &str, follow: bool) -> Result<()> {
+    let (ns_opt, name_opt) = parse_target(Some(target))?;
+    let ns = ns_opt.unwrap_or("");
+    let name = match name_opt {
+        Some(n) => n,
+        None => bail!("Logs require a service name, e.g. 'ory/kratos'."),
+    };
+
+    let client = get_client().await?;
+    let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+
+    // Find pods matching the app label
+    let lp = ListParams::default().labels(&format!("app={name}"));
+    let pod_list = api.list(&lp).await?;
+
+    if pod_list.items.is_empty() {
+        bail!("No pods found for {ns}/{name}");
+    }
+
+    if follow {
+        // Stream logs from the first matching pod
+        let pod_name = pod_list.items[0].name_any();
+        let mut lp = LogParams::default();
+        lp.follow = true;
+        lp.tail_lines = Some(100);
+
+        // log_stream returns a futures::AsyncBufRead — use the futures crate to read it
+        use futures::AsyncBufReadExt;
+        let stream = api.log_stream(&pod_name, &lp).await?;
+        let reader = futures::io::BufReader::new(stream);
+        let mut lines = reader.lines();
+        use futures::StreamExt;
+        while let Some(line) = lines.next().await {
+            match line {
+                Ok(line) => println!("{line}"),
+                Err(e) => {
+                    warn(&format!("Log stream error: {e}"));
+                    break;
+                }
+            }
+        }
+    } else {
+        // Print logs from all matching pods
+        for pod in &pod_list.items {
+            let pod_name = pod.name_any();
+            let mut lp = LogParams::default();
+            lp.tail_lines = Some(100);
+
+            match api.logs(&pod_name, &lp).await {
+                Ok(logs) => print!("{logs}"),
+                Err(e) => warn(&format!("Failed to get logs for {pod_name}: {e}")),
+            }
+        }
+    }
+
+    Ok(())
+}
+
+/// Print raw pod output in YAML or JSON format.
+pub async fn cmd_get(target: &str, output: &str) -> Result<()> {
+    let (ns_opt, name_opt) = parse_target(Some(target))?;
+    let ns = match ns_opt {
+        Some(n) if !n.is_empty() => n,
+        _ => bail!("get requires namespace/name, e.g. 'sunbeam get ory/kratos-abc'"),
+    };
+    let name = match name_opt {
+        Some(n) => n,
+        None => bail!("get requires namespace/name, e.g. 'sunbeam get ory/kratos-abc'"),
+    };
+
+    let client = get_client().await?;
+    let api: Api<Pod> = Api::namespaced(client.clone(), ns);
+
+    let pod = api
+        .get_opt(name)
+        .await?
+        .ok_or_else(|| SunbeamError::kube(format!("Pod {ns}/{name} not found.")))?;
+
+    let text = match output {
+        "json" => serde_json::to_string_pretty(&pod)?,
+        _ => serde_yaml::to_string(&pod)?,
+    };
+    println!("{text}");
+    Ok(())
+}
+
+/// Restart deployments. None=all, 'ory'=namespace, 'ory/kratos'=specific.
+pub async fn cmd_restart(target: Option<&str>) -> Result<()> {
+    step("Restarting services...");
+
+    let (ns_filter, svc_filter) = parse_target(target)?;
+
+    let matched: Vec<(&str, &str)> = match (ns_filter, svc_filter) {
+        (None, _) => SERVICES_TO_RESTART.to_vec(),
+        (Some(ns), None) => SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, _)| *n == ns)
+            .copied()
+            .collect(),
+        (Some(ns), Some(name)) => SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, d)| *n == ns && *d == name)
+            .copied()
+            .collect(),
+    };
+
+    if matched.is_empty() {
+        warn(&format!(
+            "No matching services for target: {}",
+            target.unwrap_or("(none)")
+        ));
+        return Ok(());
+    }
+
+    for (ns, dep) in &matched {
+        if let Err(e) = kube_rollout_restart(ns, dep).await {
+            warn(&format!("Failed to restart {ns}/{dep}: {e}"));
+        }
+    }
+    ok("Done.");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_managed_ns_contains_expected() {
+        assert!(MANAGED_NS.contains(&"ory"));
+        assert!(MANAGED_NS.contains(&"data"));
+        assert!(MANAGED_NS.contains(&"devtools"));
+        assert!(MANAGED_NS.contains(&"ingress"));
+        assert!(MANAGED_NS.contains(&"lasuite"));
+        assert!(MANAGED_NS.contains(&"matrix"));
+        assert!(MANAGED_NS.contains(&"media"));
+        assert!(MANAGED_NS.contains(&"storage"));
+        assert!(MANAGED_NS.contains(&"monitoring"));
+        assert!(MANAGED_NS.contains(&"vault-secrets-operator"));
+        assert_eq!(MANAGED_NS.len(), 10);
+    }
+
+    #[test]
+    fn test_services_to_restart_contains_expected() {
+        assert!(SERVICES_TO_RESTART.contains(&("ory", "hydra")));
+        assert!(SERVICES_TO_RESTART.contains(&("ory", "kratos")));
+        assert!(SERVICES_TO_RESTART.contains(&("ory", "login-ui")));
+        assert!(SERVICES_TO_RESTART.contains(&("devtools", "gitea")));
+        assert!(SERVICES_TO_RESTART.contains(&("storage", "seaweedfs-filer")));
+        assert!(SERVICES_TO_RESTART.contains(&("lasuite", "hive")));
+        assert!(SERVICES_TO_RESTART.contains(&("matrix", "tuwunel")));
+        assert!(SERVICES_TO_RESTART.contains(&("media", "livekit-server")));
+        assert_eq!(SERVICES_TO_RESTART.len(), 13);
+    }
+
+    #[test]
+    fn test_icon_for_status() {
+        assert_eq!(icon_for_status("Running"), "\u{2713}");
+        assert_eq!(icon_for_status("Completed"), "\u{2713}");
+        assert_eq!(icon_for_status("Succeeded"), "\u{2713}");
+        assert_eq!(icon_for_status("Pending"), "\u{25cb}");
+        assert_eq!(icon_for_status("Failed"), "\u{2717}");
+        assert_eq!(icon_for_status("Unknown"), "?");
+        assert_eq!(icon_for_status("CrashLoopBackOff"), "?");
+    }
+
+    #[test]
+    fn test_restart_filter_namespace() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, _)| *n == "ory")
+            .copied()
+            .collect();
+        assert_eq!(matched.len(), 3);
+        assert!(matched.contains(&("ory", "hydra")));
+        assert!(matched.contains(&("ory", "kratos")));
+        assert!(matched.contains(&("ory", "login-ui")));
+    }
+
+    #[test]
+    fn test_restart_filter_specific() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, d)| *n == "ory" && *d == "kratos")
+            .copied()
+            .collect();
+        assert_eq!(matched.len(), 1);
+        assert_eq!(matched[0], ("ory", "kratos"));
+    }
+
+    #[test]
+    fn test_restart_filter_no_match() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART
+            .iter()
+            .filter(|(n, d)| *n == "nonexistent" && *d == "nosuch")
+            .copied()
+            .collect();
+        assert!(matched.is_empty());
+    }
+
+    #[test]
+    fn test_restart_filter_all() {
+        let matched: Vec<(&str, &str)> = SERVICES_TO_RESTART.to_vec();
+        assert_eq!(matched.len(), 13);
+    }
+
+    #[test]
+    fn test_pod_ready_string_format() {
+        // Verify format: "N/M"
+        let ready = "2/3";
+        let parts: Vec<&str> = ready.split('/').collect();
+        assert_eq!(parts.len(), 2);
+        assert_ne!(parts[0], parts[1]); // unhealthy
+    }
+
+    #[test]
+    fn test_unhealthy_detection_by_ready_ratio() {
+        // Simulate the ready ratio check used in cmd_status
+        let ready = "1/2";
+        let status = "Running";
+        let mut unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        if !unhealthy && status == "Running" && ready.contains('/') {
+            let parts: Vec<&str> = ready.split('/').collect();
+            if parts.len() == 2 && parts[0] != parts[1] {
+                unhealthy = true;
+            }
+        }
+        assert!(unhealthy);
+    }
+
+    #[test]
+    fn test_healthy_detection_by_ready_ratio() {
+        let ready = "2/2";
+        let status = "Running";
+        let mut unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        if !unhealthy && status == "Running" && ready.contains('/') {
+            let parts: Vec<&str> = ready.split('/').collect();
+            if parts.len() == 2 && parts[0] != parts[1] {
+                unhealthy = true;
+            }
+        }
+        assert!(!unhealthy);
+    }
+
+    #[test]
+    fn test_completed_pods_are_healthy() {
+        let status = "Completed";
+        let unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        assert!(!unhealthy);
+    }
+
+    #[test]
+    fn test_pending_pods_are_unhealthy() {
+        let status = "Pending";
+        let unhealthy = !matches!(status, "Running" | "Completed" | "Succeeded");
+        assert!(unhealthy);
+    }
+}
diff --git a/sunbeam-sdk/src/update/mod.rs b/sunbeam-sdk/src/update/mod.rs
new file mode 100644
index 0000000..554d12e
--- /dev/null
+++ b/sunbeam-sdk/src/update/mod.rs
@@ -0,0 +1,443 @@
+use crate::error::{Result, ResultExt};
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use std::fs;
+use std::path::PathBuf;
+
+/// Compile-time commit SHA set by build.rs.
+pub const COMMIT: &str = env!("SUNBEAM_COMMIT");
+
+/// Compile-time build target triple set by build.rs.
+pub const TARGET: &str = env!("SUNBEAM_TARGET");
+
+/// Compile-time build date set by build.rs.
+pub const BUILD_DATE: &str = env!("SUNBEAM_BUILD_DATE");
+
+/// Artifact name prefix for this platform.
+fn artifact_name() -> String {
+    format!("sunbeam-{TARGET}")
+}
+
+/// Resolve the forge URL (Gitea instance).
+///
+/// TODO: Once kube.rs exposes `get_domain()`, derive this automatically as
+/// `https://src.{domain}`. For now we read the SUNBEAM_FORGE_URL environment
+/// variable with a sensible fallback.
+fn forge_url() -> String {
+    if let Ok(url) = std::env::var("SUNBEAM_FORGE_URL") {
+        return url.trim_end_matches('/').to_string();
+    }
+
+    // Derive from production_host domain in config
+    let config = crate::config::load_config();
+    if !config.production_host.is_empty() {
+        // production_host is like "user@server.example.com" — extract domain
+        let host = config
+            .production_host
+            .split('@')
+            .last()
+            .unwrap_or(&config.production_host);
+        // Strip any leading subdomain segments that look like a hostname to get the base domain.
+        // For a host like "admin.sunbeam.pt", the forge is "src.sunbeam.pt".
+        // Heuristic: use the last two segments as the domain.
+        let parts: Vec<&str> = host.split('.').collect();
+        if parts.len() >= 2 {
+            let domain = format!("{}.{}", parts[parts.len() - 2], parts[parts.len() - 1]);
+            return format!("https://src.{domain}");
+        }
+    }
+
+    // Hard fallback — will fail at runtime if not configured, which is fine.
+    String::new()
+}
+
+/// Cache file location for background update checks.
+fn update_cache_path() -> PathBuf {
+    dirs::data_dir()
+        .unwrap_or_else(|| dirs::home_dir().unwrap_or_else(|| PathBuf::from(".")).join(".local/share"))
+        .join("sunbeam")
+        .join("update-check.json")
+}
+
+// ---------------------------------------------------------------------------
+// Gitea API response types
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+struct BranchResponse {
+    commit: BranchCommit,
+}
+
+#[derive(Debug, Deserialize)]
+struct BranchCommit {
+    id: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct ArtifactListResponse {
+    artifacts: Vec<Artifact>,
+}
+
+#[derive(Debug, Deserialize)]
+struct Artifact {
+    name: String,
+    id: u64,
+}
+
+// ---------------------------------------------------------------------------
+// Update-check cache
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Serialize, Deserialize)]
+struct UpdateCache {
+    last_check: DateTime<Utc>,
+    latest_commit: String,
+    current_commit: String,
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/// Print version information.
+pub fn cmd_version() {
+    println!("sunbeam {COMMIT}");
+    println!("  target: {TARGET}");
+    println!("  built:  {BUILD_DATE}");
+}
+
+/// Self-update from the latest mainline commit via Gitea CI artifacts.
+pub async fn cmd_update() -> Result<()> {
+    let base = forge_url();
+    if base.is_empty() {
+        bail!(
+            "Forge URL not configured. Set SUNBEAM_FORGE_URL or configure a \
+             production host via `sunbeam config set --host`."
+        );
+    }
+
+    crate::output::step("Checking for updates...");
+
+    let client = reqwest::Client::new();
+
+    // 1. Check latest commit on mainline
+    let latest_commit = fetch_latest_commit(&client, &base).await?;
+    let short_latest = &latest_commit[..std::cmp::min(8, latest_commit.len())];
+
+    crate::output::ok(&format!("Current: {COMMIT}"));
+    crate::output::ok(&format!("Latest:  {short_latest}"));
+
+    if latest_commit.starts_with(COMMIT) || COMMIT.starts_with(&latest_commit[..std::cmp::min(COMMIT.len(), latest_commit.len())]) {
+        crate::output::ok("Already up to date.");
+        return Ok(());
+    }
+
+    // 2. Find the CI artifact for our platform
+    crate::output::step("Downloading update...");
+    let wanted = artifact_name();
+
+    let artifacts = fetch_artifacts(&client, &base).await?;
+    let binary_artifact = artifacts
+        .iter()
+        .find(|a| a.name == wanted)
+        .with_ctx(|| format!("No artifact found for platform '{wanted}'"))?;
+
+    let checksums_artifact = artifacts
+        .iter()
+        .find(|a| a.name == "checksums.txt" || a.name == "checksums");
+
+    // 3. Download the binary
+    let binary_url = format!(
+        "{base}/api/v1/repos/studio/cli/actions/artifacts/{id}",
+        id = binary_artifact.id
+    );
+    let binary_bytes = client
+        .get(&binary_url)
+        .send()
+        .await?
+        .error_for_status()
+        .ctx("Failed to download binary artifact")?
+        .bytes()
+        .await?;
+
+    crate::output::ok(&format!("Downloaded {} bytes", binary_bytes.len()));
+
+    // 4. Verify SHA256 if checksums artifact exists
+    if let Some(checksums) = checksums_artifact {
+        let checksums_url = format!(
+            "{base}/api/v1/repos/studio/cli/actions/artifacts/{id}",
+            id = checksums.id
+        );
+        let checksums_text = client
+            .get(&checksums_url)
+            .send()
+            .await?
+            .error_for_status()
+            .ctx("Failed to download checksums")?
+            .text()
+            .await?;
+
+        verify_checksum(&binary_bytes, &wanted, &checksums_text)?;
+        crate::output::ok("SHA256 checksum verified.");
+    } else {
+        crate::output::warn("No checksums artifact found; skipping verification.");
+    }
+
+    // 5. Atomic self-replace
+    crate::output::step("Installing update...");
+    let current_exe = std::env::current_exe().ctx("Failed to determine current executable path")?;
+    atomic_replace(&current_exe, &binary_bytes)?;
+
+    crate::output::ok(&format!(
+        "Updated sunbeam {COMMIT} -> {short_latest}"
+    ));
+
+    // Update the cache so background check knows we are current
+    let _ = write_cache(&UpdateCache {
+        last_check: Utc::now(),
+        latest_commit: latest_commit.clone(),
+        current_commit: latest_commit,
+    });
+
+    Ok(())
+}
+
+/// Background update check. Returns a notification message if a newer version
+/// is available, or None if up-to-date / on error / checked too recently.
+///
+/// This function never blocks for long and never returns errors — it silently
+/// returns None on any failure.
+pub async fn check_update_background() -> Option<String> {
+    // Read cache
+    let cache_path = update_cache_path();
+    if let Ok(data) = fs::read_to_string(&cache_path) {
+        if let Ok(cache) = serde_json::from_str::<UpdateCache>(&data) {
+            let age = Utc::now().signed_duration_since(cache.last_check);
+            if age.num_seconds() < 3600 {
+                // Checked recently — just compare cached values
+                if cache.latest_commit.starts_with(COMMIT)
+                    || COMMIT.starts_with(&cache.latest_commit[..std::cmp::min(COMMIT.len(), cache.latest_commit.len())])
+                {
+                    return None; // up to date
+                }
+                let short = &cache.latest_commit[..std::cmp::min(8, cache.latest_commit.len())];
+                return Some(format!(
+                    "A newer version of sunbeam is available ({short}). Run `sunbeam update` to upgrade."
+                ));
+            }
+        }
+    }
+
+    // Time to check again
+    let base = forge_url();
+    if base.is_empty() {
+        return None;
+    }
+
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(5))
+        .build()
+        .ok()?;
+
+    let latest = fetch_latest_commit(&client, &base).await.ok()?;
+
+    let cache = UpdateCache {
+        last_check: Utc::now(),
+        latest_commit: latest.clone(),
+        current_commit: COMMIT.to_string(),
+    };
+    let _ = write_cache(&cache);
+
+    if latest.starts_with(COMMIT)
+        || COMMIT.starts_with(&latest[..std::cmp::min(COMMIT.len(), latest.len())])
+    {
+        return None;
+    }
+
+    let short = &latest[..std::cmp::min(8, latest.len())];
+    Some(format!(
+        "A newer version of sunbeam is available ({short}). Run `sunbeam update` to upgrade."
+    ))
+}
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+/// Fetch the latest commit SHA on the mainline branch.
+async fn fetch_latest_commit(client: &reqwest::Client, forge_url: &str) -> Result<String> {
+    let url = format!("{forge_url}/api/v1/repos/studio/cli/branches/mainline");
+    let resp: BranchResponse = client
+        .get(&url)
+        .send()
+        .await?
+        .error_for_status()
+        .ctx("Failed to query mainline branch")?
+        .json()
+        .await?;
+    Ok(resp.commit.id)
+}
+
+/// Fetch the list of CI artifacts for the repo.
+async fn fetch_artifacts(client: &reqwest::Client, forge_url: &str) -> Result<Vec<Artifact>> {
+    let url = format!("{forge_url}/api/v1/repos/studio/cli/actions/artifacts");
+    let resp: ArtifactListResponse = client
+        .get(&url)
+        .send()
+        .await?
+        .error_for_status()
+        .ctx("Failed to query CI artifacts")?
+        .json()
+        .await?;
+    Ok(resp.artifacts)
+}
+
+/// Verify that the downloaded binary matches the expected SHA256 from checksums text.
+///
+/// Checksums file format (one per line):
+///   <hex-sha256>  <filename>
+fn verify_checksum(binary: &[u8], artifact_name: &str, checksums_text: &str) -> Result<()> {
+    let actual = {
+        let mut hasher = Sha256::new();
+        hasher.update(binary);
+        format!("{:x}", hasher.finalize())
+    };
+
+    for line in checksums_text.lines() {
+        // Split on whitespace — format is "<hash>  <name>" or "<hash> <name>"
+        let mut parts = line.split_whitespace();
+        if let (Some(expected_hash), Some(name)) = (parts.next(), parts.next()) {
+            if name == artifact_name {
+                if actual != expected_hash {
+                    bail!(
+                        "Checksum mismatch for {artifact_name}:\n  expected: {expected_hash}\n  actual:   {actual}"
+                    );
+                }
+                return Ok(());
+            }
+        }
+    }
+
+    bail!("No checksum entry found for '{artifact_name}' in checksums file");
+}
+
+/// Atomically replace the binary at `target` with `new_bytes`.
+///
+/// Writes to a temp file in the same directory, sets executable permissions,
+/// then renames over the original.
+fn atomic_replace(target: &std::path::Path, new_bytes: &[u8]) -> Result<()> {
+    let parent = target
+        .parent()
+        .ctx("Cannot determine parent directory of current executable")?;
+
+    let tmp_path = parent.join(".sunbeam-update.tmp");
+
+    // Write new binary
+    fs::write(&tmp_path, new_bytes).ctx("Failed to write temporary update file")?;
+
+    // Set executable permissions (unix)
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        fs::set_permissions(&tmp_path, fs::Permissions::from_mode(0o755))
+            .ctx("Failed to set executable permissions")?;
+    }
+
+    // Atomic rename
+    fs::rename(&tmp_path, target).ctx("Failed to replace current executable")?;
+
+    Ok(())
+}
+
+/// Write the update-check cache to disk.
+fn write_cache(cache: &UpdateCache) -> Result<()> {
+    let path = update_cache_path();
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent)?;
+    }
+    let json = serde_json::to_string_pretty(cache)?;
+    fs::write(&path, json)?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_version_consts() {
+        // COMMIT, TARGET, BUILD_DATE are set at compile time
+        assert!(!COMMIT.is_empty());
+        assert!(!TARGET.is_empty());
+        assert!(!BUILD_DATE.is_empty());
+    }
+
+    #[test]
+    fn test_artifact_name() {
+        let name = artifact_name();
+        assert!(name.starts_with("sunbeam-"));
+        assert!(name.contains(TARGET));
+    }
+
+    #[test]
+    fn test_verify_checksum_ok() {
+        let data = b"hello world";
+        let mut hasher = Sha256::new();
+        hasher.update(data);
+        let hash = format!("{:x}", hasher.finalize());
+
+        let checksums = format!("{hash}  sunbeam-test");
+        assert!(verify_checksum(data, "sunbeam-test", &checksums).is_ok());
+    }
+
+    #[test]
+    fn test_verify_checksum_mismatch() {
+        let checksums = "0000000000000000000000000000000000000000000000000000000000000000  sunbeam-test";
+        assert!(verify_checksum(b"hello", "sunbeam-test", checksums).is_err());
+    }
+
+    #[test]
+    fn test_verify_checksum_missing_entry() {
+        let checksums = "abcdef1234567890  sunbeam-other";
+        assert!(verify_checksum(b"hello", "sunbeam-test", checksums).is_err());
+    }
+
+    #[test]
+    fn test_update_cache_path() {
+        let path = update_cache_path();
+        assert!(path.to_string_lossy().contains("sunbeam"));
+        assert!(path.to_string_lossy().ends_with("update-check.json"));
+    }
+
+    #[test]
+    fn test_cache_roundtrip() {
+        let cache = UpdateCache {
+            last_check: Utc::now(),
+            latest_commit: "abc12345".to_string(),
+            current_commit: "def67890".to_string(),
+        };
+        let json = serde_json::to_string(&cache).unwrap();
+        let loaded: UpdateCache = serde_json::from_str(&json).unwrap();
+        assert_eq!(loaded.latest_commit, "abc12345");
+        assert_eq!(loaded.current_commit, "def67890");
+    }
+
+    #[tokio::test]
+    async fn test_check_update_background_returns_none_when_forge_url_empty() {
+        // When SUNBEAM_FORGE_URL is unset and there is no production_host config,
+        // forge_url() returns "" and check_update_background should return None
+        // without making any network requests.
+        // Clear the env var to ensure we hit the empty-URL path.
+        // SAFETY: This test is not run concurrently with other tests that depend on this env var.
+        unsafe { std::env::remove_var("SUNBEAM_FORGE_URL") };
+        // Note: this test assumes no production_host is configured in the test
+        // environment, which is the default for CI/dev. If forge_url() returns
+        // a non-empty string (e.g. from config), the test may still pass because
+        // the background check silently returns None on network errors.
+        let result = check_update_background().await;
+        // Either None (empty forge URL or network error) — never panics.
+        // The key property: this completes quickly without hanging.
+        drop(result);
+    }
+}
diff --git a/sunbeam-sdk/src/users/mod.rs b/sunbeam-sdk/src/users/mod.rs
new file mode 100644
index 0000000..01461e6
--- /dev/null
+++ b/sunbeam-sdk/src/users/mod.rs
@@ -0,0 +1,656 @@
+//! User management -- Kratos identity operations via port-forwarded admin API.
+
+mod provisioning;
+pub use provisioning::{cmd_user_onboard, cmd_user_offboard};
+
+use serde_json::Value;
+use std::io::Write;
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use crate::output::{ok, step, table, warn};
+
+const SMTP_LOCAL_PORT: u16 = 10025;
+
+// ---------------------------------------------------------------------------
+// Port-forward helper
+// ---------------------------------------------------------------------------
+
+/// RAII guard that terminates the port-forward on drop.
+struct PortForward {
+    child: tokio::process::Child,
+    pub base_url: String,
+}
+
+impl PortForward {
+    async fn new(ns: &str, svc: &str, local_port: u16, remote_port: u16) -> Result<Self> {
+        let ctx = crate::kube::context();
+        let child = tokio::process::Command::new("kubectl")
+            .arg(format!("--context={ctx}"))
+            .args([
+                "-n",
+                ns,
+                "port-forward",
+                &format!("svc/{svc}"),
+                &format!("{local_port}:{remote_port}"),
+            ])
+            .stdout(std::process::Stdio::piped())
+            .stderr(std::process::Stdio::piped())
+            .spawn()
+            .with_ctx(|| format!("Failed to spawn port-forward to {ns}/svc/{svc}"))?;
+
+        // Give the port-forward time to bind
+        tokio::time::sleep(std::time::Duration::from_millis(1500)).await;
+
+        Ok(Self {
+            child,
+            base_url: format!("http://localhost:{local_port}"),
+        })
+    }
+
+    /// Convenience: Kratos admin (ory/kratos-admin 80 -> 4434).
+    async fn kratos() -> Result<Self> {
+        Self::new("ory", "kratos-admin", 4434, 80).await
+    }
+}
+
+impl Drop for PortForward {
+    fn drop(&mut self) {
+        let _ = self.child.start_kill();
+    }
+}
+
+// ---------------------------------------------------------------------------
+// HTTP helpers
+// ---------------------------------------------------------------------------
+
+/// Make an HTTP request to an admin API endpoint.
+async fn api(
+    base_url: &str,
+    path: &str,
+    method: &str,
+    body: Option<&Value>,
+    prefix: &str,
+    ok_statuses: &[u16],
+) -> Result<Option<Value>> {
+    let url = format!("{base_url}{prefix}{path}");
+    let client = reqwest::Client::new();
+
+    let mut req = match method {
+        "GET" => client.get(&url),
+        "POST" => client.post(&url),
+        "PUT" => client.put(&url),
+        "PATCH" => client.patch(&url),
+        "DELETE" => client.delete(&url),
+        _ => bail!("Unsupported HTTP method: {method}"),
+    };
+
+    req = req
+        .header("Content-Type", "application/json")
+        .header("Accept", "application/json");
+
+    if let Some(b) = body {
+        req = req.json(b);
+    }
+
+    let resp = req
+        .send()
+        .await
+        .with_ctx(|| format!("HTTP {method} {url} failed"))?;
+    let status = resp.status().as_u16();
+
+    if !resp.status().is_success() {
+        if ok_statuses.contains(&status) {
+            return Ok(None);
+        }
+        let err_text = resp.text().await.unwrap_or_default();
+        bail!("API error {status}: {err_text}");
+    }
+
+    let text = resp.text().await.unwrap_or_default();
+    if text.is_empty() {
+        return Ok(None);
+    }
+    let val: Value = serde_json::from_str(&text)
+        .with_ctx(|| format!("Failed to parse API response as JSON: {text}"))?;
+    Ok(Some(val))
+}
+
+/// Shorthand: Kratos admin API call (prefix = "/admin").
+async fn kratos_api(
+    base_url: &str,
+    path: &str,
+    method: &str,
+    body: Option<&Value>,
+    ok_statuses: &[u16],
+) -> Result<Option<Value>> {
+    api(base_url, path, method, body, "/admin", ok_statuses).await
+}
+
+// ---------------------------------------------------------------------------
+// Identity helpers
+// ---------------------------------------------------------------------------
+
+/// Find identity by UUID or email search. Returns the identity JSON.
+async fn find_identity(base_url: &str, target: &str, required: bool) -> Result<Option<Value>> {
+    // Looks like a UUID?
+    if target.len() == 36 && target.chars().filter(|&c| c == '-').count() == 4 {
+        let result = kratos_api(base_url, &format!("/identities/{target}"), "GET", None, &[]).await?;
+        return Ok(result);
+    }
+
+    // Search by email
+    let result = kratos_api(
+        base_url,
+        &format!("/identities?credentials_identifier={target}&page_size=1"),
+        "GET",
+        None,
+        &[],
+    )
+    .await?;
+
+    if let Some(Value::Array(arr)) = &result {
+        if let Some(first) = arr.first() {
+            return Ok(Some(first.clone()));
+        }
+    }
+
+    if required {
+        return Err(SunbeamError::identity(format!("Identity not found: {target}")));
+    }
+    Ok(None)
+}
+
+/// Build the PUT body for updating an identity, preserving all required fields.
+fn identity_put_body(identity: &Value, state: Option<&str>, extra: Option<Value>) -> Value {
+    let mut body = serde_json::json!({
+        "schema_id": identity["schema_id"],
+        "traits": identity["traits"],
+        "state": state.unwrap_or_else(|| identity.get("state").and_then(|v| v.as_str()).unwrap_or("active")),
+        "metadata_public": identity.get("metadata_public").cloned().unwrap_or(Value::Null),
+        "metadata_admin": identity.get("metadata_admin").cloned().unwrap_or(Value::Null),
+    });
+
+    if let Some(extra_obj) = extra {
+        if let (Some(base_map), Some(extra_map)) = (body.as_object_mut(), extra_obj.as_object()) {
+            for (k, v) in extra_map {
+                base_map.insert(k.clone(), v.clone());
+            }
+        }
+    }
+
+    body
+}
+
+/// Generate a 24h recovery code. Returns (link, code).
+async fn generate_recovery(base_url: &str, identity_id: &str) -> Result<(String, String)> {
+    let body = serde_json::json!({
+        "identity_id": identity_id,
+        "expires_in": "24h",
+    });
+
+    let result = kratos_api(base_url, "/recovery/code", "POST", Some(&body), &[]).await?;
+
+    let recovery = result.unwrap_or_default();
+    let link = recovery
+        .get("recovery_link")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+    let code = recovery
+        .get("recovery_code")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+
+    Ok((link, code))
+}
+
+/// Find the next sequential employee ID by scanning all employee identities.
+///
+/// Paginates through all identities using `page` and `page_size` params to
+/// avoid missing employee IDs when there are more than 200 identities.
+async fn next_employee_id(base_url: &str) -> Result<String> {
+    let mut max_num: u64 = 0;
+    let mut page = 1;
+    loop {
+        let result = kratos_api(
+            base_url,
+            &format!("/identities?page_size=200&page={page}"),
+            "GET",
+            None,
+            &[],
+        )
+        .await?;
+
+        let identities = match result {
+            Some(Value::Array(arr)) if !arr.is_empty() => arr,
+            _ => break,
+        };
+
+        for ident in &identities {
+            if let Some(eid) = ident
+                .get("traits")
+                .and_then(|t| t.get("employee_id"))
+                .and_then(|v| v.as_str())
+            {
+                if let Ok(n) = eid.parse::<u64>() {
+                    max_num = max_num.max(n);
+                }
+            }
+        }
+
+        if identities.len() < 200 {
+            break; // last page
+        }
+        page += 1;
+    }
+
+    Ok((max_num + 1).to_string())
+}
+
+// ---------------------------------------------------------------------------
+// Display helpers
+// ---------------------------------------------------------------------------
+
+/// Extract a display name from identity traits (supports both default and employee schemas).
+fn display_name(traits: &Value) -> String {
+    let given = traits
+        .get("given_name")
+        .and_then(|v| v.as_str())
+        .unwrap_or("");
+    let family = traits
+        .get("family_name")
+        .and_then(|v| v.as_str())
+        .unwrap_or("");
+
+    if !given.is_empty() || !family.is_empty() {
+        return format!("{given} {family}").trim().to_string();
+    }
+
+    match traits.get("name") {
+        Some(Value::Object(name_map)) => {
+            let first = name_map
+                .get("first")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            let last = name_map
+                .get("last")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            format!("{first} {last}").trim().to_string()
+        }
+        Some(name) => name.as_str().unwrap_or("").to_string(),
+        None => String::new(),
+    }
+}
+
+/// Extract the short ID prefix (first 8 chars + "...").
+fn short_id(id: &str) -> String {
+    if id.len() >= 8 {
+        format!("{}...", &id[..8])
+    } else {
+        id.to_string()
+    }
+}
+
+/// Get identity ID as a string from a JSON value.
+fn identity_id(identity: &Value) -> Result<String> {
+    identity
+        .get("id")
+        .and_then(|v| v.as_str())
+        .map(|s| s.to_string())
+        .ok_or_else(|| SunbeamError::identity("Identity missing 'id' field"))
+}
+
+// ---------------------------------------------------------------------------
+// Public commands
+// ---------------------------------------------------------------------------
+
+pub async fn cmd_user_list(search: &str) -> Result<()> {
+    step("Listing identities...");
+
+    let pf = PortForward::kratos().await?;
+    let mut path = "/identities?page_size=20".to_string();
+    if !search.is_empty() {
+        path.push_str(&format!("&credentials_identifier={search}"));
+    }
+    let result = kratos_api(&pf.base_url, &path, "GET", None, &[]).await?;
+    drop(pf);
+
+    let identities = match result {
+        Some(Value::Array(arr)) => arr,
+        _ => vec![],
+    };
+
+    let rows: Vec<Vec<String>> = identities
+        .iter()
+        .map(|i| {
+            let traits = i.get("traits").cloned().unwrap_or(Value::Object(Default::default()));
+            let email = traits
+                .get("email")
+                .and_then(|v| v.as_str())
+                .unwrap_or("")
+                .to_string();
+            let name = display_name(&traits);
+            let state = i
+                .get("state")
+                .and_then(|v| v.as_str())
+                .unwrap_or("active")
+                .to_string();
+            let id = i
+                .get("id")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            vec![short_id(id), email, name, state]
+        })
+        .collect();
+
+    println!("{}", table(&rows, &["ID", "Email", "Name", "State"]));
+    Ok(())
+}
+
+pub async fn cmd_user_get(target: &str) -> Result<()> {
+    step(&format!("Getting identity: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    drop(pf);
+
+    println!("{}", serde_json::to_string_pretty(&identity)?);
+    Ok(())
+}
+
+pub async fn cmd_user_create(email: &str, name: &str, schema_id: &str) -> Result<()> {
+    step(&format!("Creating identity: {email}"));
+
+    let mut traits = serde_json::json!({ "email": email });
+    if !name.is_empty() {
+        let parts: Vec<&str> = name.splitn(2, ' ').collect();
+        traits["name"] = serde_json::json!({
+            "first": parts[0],
+            "last": if parts.len() > 1 { parts[1] } else { "" },
+        });
+    }
+
+    let body = serde_json::json!({
+        "schema_id": schema_id,
+        "traits": traits,
+        "state": "active",
+    });
+
+    let pf = PortForward::kratos().await?;
+    let identity = kratos_api(&pf.base_url, "/identities", "POST", Some(&body), &[])
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Failed to create identity"))?;
+
+    let iid = identity_id(&identity)?;
+    ok(&format!("Created identity: {iid}"));
+
+    let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+    drop(pf);
+
+    ok("Recovery link (valid 24h):");
+    println!("{link}");
+    ok("Recovery code (enter on the page above):");
+    println!("{code}");
+    Ok(())
+}
+
+pub async fn cmd_user_delete(target: &str) -> Result<()> {
+    step(&format!("Deleting identity: {target}"));
+
+    eprint!("Delete identity '{target}'? This cannot be undone. [y/N] ");
+    std::io::stderr().flush()?;
+    let mut answer = String::new();
+    std::io::stdin().read_line(&mut answer)?;
+    if answer.trim().to_lowercase() != "y" {
+        ok("Cancelled.");
+        return Ok(());
+    }
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "DELETE",
+        None,
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok("Deleted.");
+    Ok(())
+}
+
+pub async fn cmd_user_recover(target: &str) -> Result<()> {
+    step(&format!("Generating recovery link for: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+    let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+    drop(pf);
+
+    ok("Recovery link (valid 24h):");
+    println!("{link}");
+    ok("Recovery code (enter on the page above):");
+    println!("{code}");
+    Ok(())
+}
+
+pub async fn cmd_user_disable(target: &str) -> Result<()> {
+    step(&format!("Disabling identity: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    let put_body = identity_put_body(&identity, Some("inactive"), None);
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}/sessions"),
+        "DELETE",
+        None,
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok(&format!(
+        "Identity {}... disabled and all Kratos sessions revoked.",
+        &iid[..8.min(iid.len())]
+    ));
+    warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE -- currently 1h.");
+    Ok(())
+}
+
+pub async fn cmd_user_enable(target: &str) -> Result<()> {
+    step(&format!("Enabling identity: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    let put_body = identity_put_body(&identity, Some("active"), None);
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok(&format!("Identity {}... re-enabled.", short_id(&iid)));
+    Ok(())
+}
+
+pub async fn cmd_user_set_password(target: &str, password: &str) -> Result<()> {
+    step(&format!("Setting password for: {target}"));
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    let extra = serde_json::json!({
+        "credentials": {
+            "password": {
+                "config": {
+                    "password": password,
+                }
+            }
+        }
+    });
+    let put_body = identity_put_body(&identity, None, Some(extra));
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    drop(pf);
+
+    ok(&format!("Password set for {}...", short_id(&iid)));
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_display_name_employee_schema() {
+        let traits = serde_json::json!({
+            "email": "test@example.com",
+            "given_name": "Alice",
+            "family_name": "Smith",
+        });
+        assert_eq!(display_name(&traits), "Alice Smith");
+    }
+
+    #[test]
+    fn test_display_name_default_schema() {
+        let traits = serde_json::json!({
+            "email": "test@example.com",
+            "name": { "first": "Bob", "last": "Jones" },
+        });
+        assert_eq!(display_name(&traits), "Bob Jones");
+    }
+
+    #[test]
+    fn test_display_name_empty() {
+        let traits = serde_json::json!({ "email": "test@example.com" });
+        assert_eq!(display_name(&traits), "");
+    }
+
+    #[test]
+    fn test_display_name_given_only() {
+        let traits = serde_json::json!({
+            "given_name": "Alice",
+        });
+        assert_eq!(display_name(&traits), "Alice");
+    }
+
+    #[test]
+    fn test_short_id() {
+        assert_eq!(
+            short_id("12345678-abcd-1234-abcd-123456789012"),
+            "12345678..."
+        );
+    }
+
+    #[test]
+    fn test_short_id_short() {
+        assert_eq!(short_id("abc"), "abc");
+    }
+
+    #[test]
+    fn test_identity_put_body_preserves_fields() {
+        let identity = serde_json::json!({
+            "schema_id": "employee",
+            "traits": { "email": "a@b.com" },
+            "state": "active",
+            "metadata_public": null,
+            "metadata_admin": null,
+        });
+
+        let body = identity_put_body(&identity, Some("inactive"), None);
+        assert_eq!(body["state"], "inactive");
+        assert_eq!(body["schema_id"], "employee");
+        assert_eq!(body["traits"]["email"], "a@b.com");
+    }
+
+    #[test]
+    fn test_identity_put_body_with_extra() {
+        let identity = serde_json::json!({
+            "schema_id": "default",
+            "traits": { "email": "a@b.com" },
+            "state": "active",
+        });
+
+        let extra = serde_json::json!({
+            "credentials": {
+                "password": { "config": { "password": "s3cret" } }
+            }
+        });
+        let body = identity_put_body(&identity, None, Some(extra));
+        assert_eq!(body["state"], "active");
+        assert!(body["credentials"]["password"]["config"]["password"] == "s3cret");
+    }
+
+    #[test]
+    fn test_identity_put_body_default_state() {
+        let identity = serde_json::json!({
+            "schema_id": "default",
+            "traits": {},
+            "state": "inactive",
+        });
+        let body = identity_put_body(&identity, None, None);
+        assert_eq!(body["state"], "inactive");
+    }
+
+    #[test]
+    fn test_identity_id_extraction() {
+        let identity = serde_json::json!({ "id": "12345678-abcd-1234-abcd-123456789012" });
+        assert_eq!(
+            identity_id(&identity).unwrap(),
+            "12345678-abcd-1234-abcd-123456789012"
+        );
+    }
+
+    #[test]
+    fn test_identity_id_missing() {
+        let identity = serde_json::json!({});
+        assert!(identity_id(&identity).is_err());
+    }
+}
diff --git a/sunbeam-sdk/src/users/provisioning.rs b/sunbeam-sdk/src/users/provisioning.rs
new file mode 100644
index 0000000..75db5f0
--- /dev/null
+++ b/sunbeam-sdk/src/users/provisioning.rs
@@ -0,0 +1,516 @@
+//! User provisioning -- onboarding and offboarding workflows.
+
+use serde_json::Value;
+use std::io::Write;
+
+use crate::error::{Result, ResultExt, SunbeamError};
+use crate::output::{ok, step, warn};
+
+use super::{
+    api, find_identity, generate_recovery, identity_id, identity_put_body, kratos_api,
+    next_employee_id, short_id, PortForward, SMTP_LOCAL_PORT,
+};
+
+// ---------------------------------------------------------------------------
+// App-level provisioning (best-effort)
+// ---------------------------------------------------------------------------
+
+/// Resolve a deployment to the name of a running pod.
+async fn pod_for_deployment(ns: &str, deployment: &str) -> Result<String> {
+    let client = crate::kube::get_client().await?;
+    let pods: kube::Api<k8s_openapi::api::core::v1::Pod> =
+        kube::Api::namespaced(client.clone(), ns);
+
+    let label = format!("app.kubernetes.io/name={deployment}");
+    let lp = kube::api::ListParams::default().labels(&label);
+    let pod_list = pods
+        .list(&lp)
+        .await
+        .with_ctx(|| format!("Failed to list pods for deployment {deployment} in {ns}"))?;
+
+    for pod in &pod_list.items {
+        if let Some(status) = &pod.status {
+            let phase = status.phase.as_deref().unwrap_or("");
+            if phase == "Running" {
+                if let Some(name) = &pod.metadata.name {
+                    return Ok(name.clone());
+                }
+            }
+        }
+    }
+
+    // Fallback: try with app= label
+    let label2 = format!("app={deployment}");
+    let lp2 = kube::api::ListParams::default().labels(&label2);
+    let pod_list2 = match pods.list(&lp2).await {
+        Ok(list) => list,
+        Err(_) => {
+            return Err(SunbeamError::kube(format!(
+                "No running pod found for deployment {deployment} in {ns}"
+            )));
+        }
+    };
+
+    for pod in &pod_list2.items {
+        if let Some(status) = &pod.status {
+            let phase = status.phase.as_deref().unwrap_or("");
+            if phase == "Running" {
+                if let Some(name) = &pod.metadata.name {
+                    return Ok(name.clone());
+                }
+            }
+        }
+    }
+
+    Err(SunbeamError::kube(format!(
+        "No running pod found for deployment {deployment} in {ns}"
+    )))
+}
+
+/// Create a mailbox in Messages via kubectl exec into the backend.
+async fn create_mailbox(email: &str, name: &str) {
+    let parts: Vec<&str> = email.splitn(2, '@').collect();
+    if parts.len() != 2 {
+        warn(&format!("Invalid email for mailbox creation: {email}"));
+        return;
+    }
+    let local_part = parts[0];
+    let domain_part = parts[1];
+    let display_name = if name.is_empty() { local_part } else { name };
+    let _ = display_name; // used in Python for future features; kept for parity
+
+    step(&format!("Creating mailbox: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "messages-backend").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find messages-backend pod: {e}"));
+            return;
+        }
+    };
+
+    let script = format!(
+        "mb, created = Mailbox.objects.get_or_create(\n    local_part=\"{}\",\n    domain=MailDomain.objects.get(name=\"{}\"),\n)\nprint(\"created\" if created else \"exists\")\n",
+        local_part, domain_part,
+    );
+
+    let cmd: Vec<&str> = vec!["python", "manage.py", "shell", "-c", &script];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("messages-backend")).await {
+        Ok((0, output)) if output.contains("created") => {
+            ok(&format!("Mailbox {email} created."));
+        }
+        Ok((0, output)) if output.contains("exists") => {
+            ok(&format!("Mailbox {email} already exists."));
+        }
+        Ok((_, output)) => {
+            warn(&format!(
+                "Could not create mailbox (Messages backend may not be running): {output}"
+            ));
+        }
+        Err(e) => {
+            warn(&format!("Could not create mailbox: {e}"));
+        }
+    }
+}
+
+/// Delete a mailbox and associated Django user in Messages.
+async fn delete_mailbox(email: &str) {
+    let parts: Vec<&str> = email.splitn(2, '@').collect();
+    if parts.len() != 2 {
+        warn(&format!("Invalid email for mailbox deletion: {email}"));
+        return;
+    }
+    let local_part = parts[0];
+    let domain_part = parts[1];
+
+    step(&format!("Cleaning up mailbox: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "messages-backend").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find messages-backend pod: {e}"));
+            return;
+        }
+    };
+
+    let script = format!(
+        "from django.contrib.auth import get_user_model\nUser = get_user_model()\ndeleted = 0\nfor mb in Mailbox.objects.filter(local_part=\"{local_part}\", domain__name=\"{domain_part}\"):\n    mb.delete()\n    deleted += 1\ntry:\n    u = User.objects.get(email=\"{email}\")\n    u.delete()\n    deleted += 1\nexcept User.DoesNotExist:\n    pass\nprint(f\"deleted {{deleted}}\")\n",
+    );
+
+    let cmd: Vec<&str> = vec!["python", "manage.py", "shell", "-c", &script];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("messages-backend")).await {
+        Ok((0, output)) if output.contains("deleted") => {
+            ok("Mailbox and user cleaned up.");
+        }
+        Ok((_, output)) => {
+            warn(&format!("Could not clean up mailbox: {output}"));
+        }
+        Err(e) => {
+            warn(&format!("Could not clean up mailbox: {e}"));
+        }
+    }
+}
+
+/// Create a Projects (Planka) user and add them as manager of the Default project.
+async fn setup_projects_user(email: &str, name: &str) {
+    step(&format!("Setting up Projects user: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "projects").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find projects pod: {e}"));
+            return;
+        }
+    };
+
+    let js = format!(
+        "const knex = require('knex')({{client: 'pg', connection: process.env.DATABASE_URL}});\nasync function go() {{\n  let user = await knex('user_account').where({{email: '{email}'}}).first();\n  if (!user) {{\n    const id = Date.now().toString();\n    await knex('user_account').insert({{\n      id, email: '{email}', name: '{name}', password: '',\n      is_admin: true, is_sso: true, language: 'en-US',\n      created_at: new Date(), updated_at: new Date()\n    }});\n    user = {{id}};\n    console.log('user_created');\n  }} else {{\n    console.log('user_exists');\n  }}\n  const project = await knex('project').where({{name: 'Default'}}).first();\n  if (project) {{\n    const exists = await knex('project_manager').where({{project_id: project.id, user_id: user.id}}).first();\n    if (!exists) {{\n      await knex('project_manager').insert({{\n        id: (Date.now()+1).toString(), project_id: project.id,\n        user_id: user.id, created_at: new Date()\n      }});\n      console.log('manager_added');\n    }} else {{\n      console.log('manager_exists');\n    }}\n  }} else {{\n    console.log('no_default_project');\n  }}\n}}\ngo().then(() => process.exit(0)).catch(e => {{ console.error(e.message); process.exit(1); }});\n",
+    );
+
+    let cmd: Vec<&str> = vec!["node", "-e", &js];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("projects")).await {
+        Ok((0, output))
+            if output.contains("manager_added") || output.contains("manager_exists") =>
+        {
+            ok("Projects user ready.");
+        }
+        Ok((0, output)) if output.contains("no_default_project") => {
+            warn("No Default project found in Projects -- skip.");
+        }
+        Ok((_, output)) => {
+            warn(&format!("Could not set up Projects user: {output}"));
+        }
+        Err(e) => {
+            warn(&format!("Could not set up Projects user: {e}"));
+        }
+    }
+}
+
+/// Remove a user from Projects (Planka) -- delete memberships and soft-delete user.
+async fn cleanup_projects_user(email: &str) {
+    step(&format!("Cleaning up Projects user: {email}"));
+
+    let pod = match pod_for_deployment("lasuite", "projects").await {
+        Ok(p) => p,
+        Err(e) => {
+            warn(&format!("Could not find projects pod: {e}"));
+            return;
+        }
+    };
+
+    let js = format!(
+        "const knex = require('knex')({{client: 'pg', connection: process.env.DATABASE_URL}});\nasync function go() {{\n  const user = await knex('user_account').where({{email: '{email}'}}).first();\n  if (!user) {{ console.log('not_found'); return; }}\n  await knex('board_membership').where({{user_id: user.id}}).del();\n  await knex('project_manager').where({{user_id: user.id}}).del();\n  await knex('user_account').where({{id: user.id}}).update({{deleted_at: new Date()}});\n  console.log('cleaned');\n}}\ngo().then(() => process.exit(0)).catch(e => {{ console.error(e.message); process.exit(1); }});\n",
+    );
+
+    let cmd: Vec<&str> = vec!["node", "-e", &js];
+    match crate::kube::kube_exec("lasuite", &pod, &cmd, Some("projects")).await {
+        Ok((0, output)) if output.contains("cleaned") => {
+            ok("Projects user cleaned up.");
+        }
+        Ok((_, output)) => {
+            warn(&format!("Could not clean up Projects user: {output}"));
+        }
+        Err(e) => {
+            warn(&format!("Could not clean up Projects user: {e}"));
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Onboard
+// ---------------------------------------------------------------------------
+
+/// Send a welcome email via cluster Postfix (port-forward to svc/postfix in lasuite).
+async fn send_welcome_email(
+    domain: &str,
+    email: &str,
+    name: &str,
+    recovery_link: &str,
+    recovery_code: &str,
+    job_title: &str,
+    department: &str,
+) -> Result<()> {
+    let greeting = if name.is_empty() {
+        "Hi".to_string()
+    } else {
+        format!("Hi {name}")
+    };
+
+    let joining_line = if !job_title.is_empty() && !department.is_empty() {
+        format!(
+            " You're joining as {job_title} in the {department} department."
+        )
+    } else {
+        String::new()
+    };
+
+    let body_text = format!(
+        "{greeting},
+
+Welcome to Sunbeam Studios!{joining_line} Your account has been created.
+
+To set your password, open this link and enter the recovery code below:
+
+  Link: {recovery_link}
+  Code: {recovery_code}
+
+This link expires in 24 hours.
+
+Once signed in you will be prompted to set up 2FA (mandatory).
+
+After that, head to https://auth.{domain}/settings to set up your
+profile -- add your name, profile picture, and any other details.
+
+Your services:
+  Calendar:     https://cal.{domain}
+  Drive:        https://drive.{domain}
+  Mail:         https://mail.{domain}
+  Meet:         https://meet.{domain}
+  Projects:     https://projects.{domain}
+  Source Code:  https://src.{domain}
+
+Messages (Matrix):
+  Download Element from https://element.io/download
+  Open Element and sign in with a custom homeserver:
+    Homeserver: https://messages.{domain}
+  Use \"Sign in with Sunbeam Studios\" (SSO) to log in.
+
+-- With Love & Warmth, Sunbeam Studios
+"
+    );
+
+    use lettre::message::Mailbox;
+    use lettre::{Message, SmtpTransport, Transport};
+
+    let from: Mailbox = format!("Sunbeam Studios <noreply@{domain}>")
+        .parse()
+        .map_err(|e| SunbeamError::Other(format!("Invalid from address: {e}")))?;
+    let to: Mailbox = email
+        .parse()
+        .map_err(|e| SunbeamError::Other(format!("Invalid recipient address: {e}")))?;
+
+    let message = Message::builder()
+        .from(from)
+        .to(to)
+        .subject("Welcome to Sunbeam Studios -- Set Your Password")
+        .body(body_text)
+        .ctx("Failed to build email message")?;
+
+    let _pf = PortForward::new("lasuite", "postfix", SMTP_LOCAL_PORT, 25).await?;
+
+    let mailer = SmtpTransport::builder_dangerous("localhost")
+        .port(SMTP_LOCAL_PORT)
+        .build();
+
+    tokio::task::spawn_blocking(move || {
+        mailer
+            .send(&message)
+            .map_err(|e| SunbeamError::Other(format!("Failed to send welcome email via SMTP: {e}")))
+    })
+    .await
+    .map_err(|e| SunbeamError::Other(format!("Email send task panicked: {e}")))??;
+
+    ok(&format!("Welcome email sent to {email}"));
+    Ok(())
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn cmd_user_onboard(
+    email: &str,
+    name: &str,
+    schema_id: &str,
+    send_email: bool,
+    notify: &str,
+    job_title: &str,
+    department: &str,
+    office_location: &str,
+    hire_date: &str,
+    manager: &str,
+) -> Result<()> {
+    step(&format!("Onboarding: {email}"));
+
+    let pf = PortForward::kratos().await?;
+
+    let (iid, recovery_link, recovery_code, is_new) = {
+        let existing = find_identity(&pf.base_url, email, false).await?;
+
+        if let Some(existing) = existing {
+            let iid = identity_id(&existing)?;
+            warn(&format!("Identity already exists: {}...", short_id(&iid)));
+            step("Generating fresh recovery link...");
+            let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+            (iid, link, code, false)
+        } else {
+            let mut traits = serde_json::json!({ "email": email });
+            if !name.is_empty() {
+                let parts: Vec<&str> = name.splitn(2, ' ').collect();
+                traits["given_name"] = Value::String(parts[0].to_string());
+                traits["family_name"] =
+                    Value::String(if parts.len() > 1 { parts[1] } else { "" }.to_string());
+            }
+
+            let mut employee_id = String::new();
+            if schema_id == "employee" {
+                employee_id = next_employee_id(&pf.base_url).await?;
+                traits["employee_id"] = Value::String(employee_id.clone());
+                if !job_title.is_empty() {
+                    traits["job_title"] = Value::String(job_title.to_string());
+                }
+                if !department.is_empty() {
+                    traits["department"] = Value::String(department.to_string());
+                }
+                if !office_location.is_empty() {
+                    traits["office_location"] = Value::String(office_location.to_string());
+                }
+                if !hire_date.is_empty() {
+                    traits["hire_date"] = Value::String(hire_date.to_string());
+                }
+                if !manager.is_empty() {
+                    traits["manager"] = Value::String(manager.to_string());
+                }
+            }
+
+            let body = serde_json::json!({
+                "schema_id": schema_id,
+                "traits": traits,
+                "state": "active",
+                "verifiable_addresses": [{
+                    "value": email,
+                    "verified": true,
+                    "via": "email",
+                }],
+            });
+
+            let identity = kratos_api(&pf.base_url, "/identities", "POST", Some(&body), &[])
+                .await?
+                .ok_or_else(|| SunbeamError::identity("Failed to create identity"))?;
+
+            let iid = identity_id(&identity)?;
+            ok(&format!("Created identity: {iid}"));
+            if !employee_id.is_empty() {
+                ok(&format!("Employee #{employee_id}"));
+            }
+
+            // Kratos ignores verifiable_addresses on POST -- PATCH to mark verified
+            let patch_body = serde_json::json!([
+                {"op": "replace", "path": "/verifiable_addresses/0/verified", "value": true},
+                {"op": "replace", "path": "/verifiable_addresses/0/status", "value": "completed"},
+            ]);
+            kratos_api(
+                &pf.base_url,
+                &format!("/identities/{iid}"),
+                "PATCH",
+                Some(&patch_body),
+                &[],
+            )
+            .await?;
+
+            let (link, code) = generate_recovery(&pf.base_url, &iid).await?;
+            (iid, link, code, true)
+        }
+    };
+
+    drop(pf);
+
+    // Provision app-level accounts for new users
+    if is_new {
+        create_mailbox(email, name).await;
+        setup_projects_user(email, name).await;
+    }
+
+    if send_email {
+        let domain = crate::kube::get_domain().await?;
+        let recipient = if notify.is_empty() { email } else { notify };
+        send_welcome_email(
+            &domain, recipient, name, &recovery_link, &recovery_code,
+            job_title, department,
+        )
+        .await?;
+    }
+
+    ok(&format!("Identity ID: {iid}"));
+    ok("Recovery link (valid 24h):");
+    println!("{recovery_link}");
+    ok("Recovery code:");
+    println!("{recovery_code}");
+    Ok(())
+}
+
+// ---------------------------------------------------------------------------
+// Offboard
+// ---------------------------------------------------------------------------
+
+pub async fn cmd_user_offboard(target: &str) -> Result<()> {
+    step(&format!("Offboarding: {target}"));
+
+    eprint!("Offboard '{target}'? This will disable the account and revoke all sessions. [y/N] ");
+    std::io::stderr().flush()?;
+    let mut answer = String::new();
+    std::io::stdin().read_line(&mut answer)?;
+    if answer.trim().to_lowercase() != "y" {
+        ok("Cancelled.");
+        return Ok(());
+    }
+
+    let pf = PortForward::kratos().await?;
+    let identity = find_identity(&pf.base_url, target, true)
+        .await?
+        .ok_or_else(|| SunbeamError::identity("Identity not found"))?;
+    let iid = identity_id(&identity)?;
+
+    step("Disabling identity...");
+    let put_body = identity_put_body(&identity, Some("inactive"), None);
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}"),
+        "PUT",
+        Some(&put_body),
+        &[],
+    )
+    .await?;
+    ok(&format!("Identity {}... disabled.", short_id(&iid)));
+
+    step("Revoking Kratos sessions...");
+    kratos_api(
+        &pf.base_url,
+        &format!("/identities/{iid}/sessions"),
+        "DELETE",
+        None,
+        &[404],
+    )
+    .await?;
+    ok("Kratos sessions revoked.");
+
+    step("Revoking Hydra consent sessions...");
+    {
+        let hydra_pf = PortForward::new("ory", "hydra-admin", 14445, 4445).await?;
+        api(
+            &hydra_pf.base_url,
+            &format!("/oauth2/auth/sessions/consent?subject={iid}&all=true"),
+            "DELETE",
+            None,
+            "/admin",
+            &[404],
+        )
+        .await?;
+    }
+    ok("Hydra consent sessions revoked.");
+
+    drop(pf);
+
+    // Clean up Messages mailbox and Projects user
+    let email = identity
+        .get("traits")
+        .and_then(|t| t.get("email"))
+        .and_then(|v| v.as_str())
+        .unwrap_or("");
+    if !email.is_empty() {
+        delete_mailbox(email).await;
+        cleanup_projects_user(email).await;
+    }
+
+    ok(&format!("Offboarding complete for {}...", short_id(&iid)));
+    warn("Existing access tokens expire within ~1h (Hydra TTL).");
+    warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE (~1h).");
+    Ok(())
+}
diff --git a/sunbeam/Cargo.toml b/sunbeam/Cargo.toml
new file mode 100644
index 0000000..afb3265
--- /dev/null
+++ b/sunbeam/Cargo.toml
@@ -0,0 +1,18 @@
+[package]
+name = "sunbeam"
+version = "0.1.0"
+edition = "2024"
+description = "Sunbeam local dev stack manager"
+
+[[bin]]
+name = "sunbeam"
+path = "src/main.rs"
+
+[dependencies]
+sunbeam-sdk = { path = "../sunbeam-sdk", features = ["cli"] }
+tokio = { version = "1", features = ["full"] }
+clap = { version = "4", features = ["derive"] }
+chrono = "0.4"
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
+rustls = { version = "0.23", features = ["ring"] }
diff --git a/sunbeam/cli.py b/sunbeam/cli.py
index d2eddb0..c752681 100644
--- a/sunbeam/cli.py
+++ b/sunbeam/cli.py
@@ -1,8 +1,20 @@
 """CLI entry point — argparse dispatch table for all sunbeam verbs."""
 import argparse
+import datetime
 import sys
 
 
+def _date_type(value):
+    """Validate YYYY-MM-DD date format for argparse."""
+    if not value:
+        return value
+    try:
+        datetime.date.fromisoformat(value)
+    except ValueError:
+        raise argparse.ArgumentTypeError(f"Invalid date: {value!r} (expected YYYY-MM-DD)")
+    return value
+
+
 ENV_CONTEXTS = {
     "local":      "sunbeam",
     "production": "production",
@@ -48,6 +60,8 @@ def main() -> None:
     p_apply = sub.add_parser("apply", help="kustomize build + domain subst + kubectl apply")
     p_apply.add_argument("namespace", nargs="?", default="",
                          help="Limit apply to one namespace (e.g. lasuite, ingress, ory)")
+    p_apply.add_argument("--all", action="store_true", dest="apply_all",
+                         help="Apply all namespaces without confirmation")
     p_apply.add_argument("--domain", default="", help="Domain suffix (e.g. sunbeam.pt)")
     p_apply.add_argument("--email", default="", help="ACME email for cert-manager")
 
@@ -82,12 +96,15 @@ def main() -> None:
                                   "docs-frontend", "people-frontend", "people",
                                   "messages", "messages-backend", "messages-frontend",
                                   "messages-mta-in", "messages-mta-out",
-                                  "messages-mpa", "messages-socks-proxy"],
+                                  "messages-mpa", "messages-socks-proxy",
+                                  "tuwunel", "calendars", "projects", "sol"],
                          help="What to build")
     p_build.add_argument("--push", action="store_true",
                          help="Push image to registry after building")
     p_build.add_argument("--deploy", action="store_true",
                          help="Apply manifests and rollout restart after pushing (implies --push)")
+    p_build.add_argument("--no-cache", action="store_true",
+                         help="Disable buildkitd layer cache")
 
     # sunbeam check [ns[/name]]
     p_check = sub.add_parser("check", help="Functional service health checks")
@@ -104,12 +121,14 @@ def main() -> None:
     p_config = sub.add_parser("config", help="Manage sunbeam configuration")
     config_sub = p_config.add_subparsers(dest="config_action", metavar="action")
 
-    # sunbeam config set --host HOST --infra-dir DIR
+    # sunbeam config set --host HOST --infra-dir DIR --acme-email EMAIL
     p_config_set = config_sub.add_parser("set", help="Set configuration values")
     p_config_set.add_argument("--host", default="",
                            help="Production SSH host (e.g. user@server.example.com)")
     p_config_set.add_argument("--infra-dir", default="",
                            help="Infrastructure directory root")
+    p_config_set.add_argument("--acme-email", default="",
+                           help="ACME email for Let's Encrypt certificates (e.g. ops@sunbeam.pt)")
 
     # sunbeam config get
     config_sub.add_parser("get", help="Get current configuration")
@@ -158,6 +177,21 @@ def main() -> None:
     p_user_set_pw.add_argument("target", help="Email or identity ID")
     p_user_set_pw.add_argument("password", help="New password")
 
+    p_user_onboard = user_sub.add_parser("onboard", help="Onboard new user (create + welcome email)")
+    p_user_onboard.add_argument("email", help="Email address")
+    p_user_onboard.add_argument("--name", default="", help="Display name (First Last)")
+    p_user_onboard.add_argument("--schema", default="employee", help="Schema ID (default: employee)")
+    p_user_onboard.add_argument("--no-email", action="store_true", help="Skip sending welcome email")
+    p_user_onboard.add_argument("--notify", default="", help="Send welcome email to this address instead of identity email")
+    p_user_onboard.add_argument("--job-title", default="", help="Job title")
+    p_user_onboard.add_argument("--department", default="", help="Department")
+    p_user_onboard.add_argument("--office-location", default="", help="Office location")
+    p_user_onboard.add_argument("--hire-date", default="", type=_date_type, help="Hire date (YYYY-MM-DD)")
+    p_user_onboard.add_argument("--manager", default="", help="Manager name or email")
+
+    p_user_offboard = user_sub.add_parser("offboard", help="Offboard user (disable + revoke all)")
+    p_user_offboard.add_argument("target", help="Email or identity ID")
+
     args = parser.parse_args()
 
 
@@ -196,11 +230,25 @@ def main() -> None:
         cmd_status(args.target)
 
     elif args.verb == "apply":
-        from sunbeam.manifests import cmd_apply
+        from sunbeam.manifests import cmd_apply, MANAGED_NS
         # --domain/--email can appear before OR after the verb; subparser wins if both set.
         domain    = getattr(args, "domain",    "") or ""
         email     = getattr(args, "email",     "") or ""
         namespace = getattr(args, "namespace", "") or ""
+        apply_all = getattr(args, "apply_all", False)
+
+        # Full apply on production requires --all or interactive confirmation
+        if args.env == "production" and not namespace and not apply_all:
+            from sunbeam.output import warn
+            warn(f"This will apply ALL namespaces ({', '.join(MANAGED_NS)}) to production.")
+            try:
+                answer = input("  Continue? [y/N] ").strip().lower()
+            except (EOFError, KeyboardInterrupt):
+                answer = ""
+            if answer not in ("y", "yes"):
+                print("Aborted.")
+                sys.exit(0)
+
         cmd_apply(env=args.env, domain=domain, email=email, namespace=namespace)
 
     elif args.verb == "seed":
@@ -226,7 +274,7 @@ def main() -> None:
     elif args.verb == "build":
         from sunbeam.images import cmd_build
         push = args.push or args.deploy
-        cmd_build(args.what, push=push, deploy=args.deploy)
+        cmd_build(args.what, push=push, deploy=args.deploy, no_cache=args.no_cache)
 
     elif args.verb == "check":
         from sunbeam.checks import cmd_check
@@ -249,17 +297,21 @@ def main() -> None:
             p_config.print_help()
             sys.exit(0)
         elif action == "set":
-            config = SunbeamConfig(
-                production_host=args.host if args.host else "",
-                infra_directory=args.infra_dir if args.infra_dir else ""
-            )
+            config = load_config()
+            if args.host:
+                config.production_host = args.host
+            if args.infra_dir:
+                config.infra_directory = args.infra_dir
+            if args.acme_email:
+                config.acme_email = args.acme_email
             save_config(config)
         elif action == "get":
             from sunbeam.output import ok
             config = load_config()
             ok(f"Production host: {config.production_host or '(not set)'}")
             ok(f"Infrastructure directory: {config.infra_directory or '(not set)'}")
-            
+            ok(f"ACME email: {config.acme_email or '(not set)'}")
+
             # Also show effective production host (from config or env)
             effective_host = get_production_host()
             if effective_host:
@@ -287,7 +339,8 @@ def main() -> None:
         from sunbeam.users import (cmd_user_list, cmd_user_get, cmd_user_create,
                                    cmd_user_delete, cmd_user_recover,
                                    cmd_user_disable, cmd_user_enable,
-                                   cmd_user_set_password)
+                                   cmd_user_set_password,
+                                   cmd_user_onboard, cmd_user_offboard)
         action = getattr(args, "user_action", None)
         if action is None:
             p_user.print_help()
@@ -308,6 +361,14 @@ def main() -> None:
             cmd_user_enable(args.target)
         elif action == "set-password":
             cmd_user_set_password(args.target, args.password)
+        elif action == "onboard":
+            cmd_user_onboard(args.email, name=args.name, schema_id=args.schema,
+                             send_email=not args.no_email, notify=args.notify,
+                             job_title=args.job_title, department=args.department,
+                             office_location=args.office_location,
+                             hire_date=args.hire_date, manager=args.manager)
+        elif action == "offboard":
+            cmd_user_offboard(args.target)
 
     else:
         parser.print_help()
diff --git a/sunbeam/cluster.py b/sunbeam/cluster.py
index 4b9d7ed..325f39e 100644
--- a/sunbeam/cluster.py
+++ b/sunbeam/cluster.py
@@ -12,7 +12,8 @@ from sunbeam.tools import run_tool, CACHE_DIR
 from sunbeam.output import step, ok, warn, die
 
 LIMA_VM = "sunbeam"
-SECRETS_DIR = Path(__file__).parents[3] / "infrastructure" / "secrets" / "local"
+from sunbeam.config import get_infra_dir as _get_infra_dir
+SECRETS_DIR = _get_infra_dir() / "secrets" / "local"
 
 GITEA_ADMIN_USER = "gitea_admin"
 
diff --git a/sunbeam/config.py b/sunbeam/config.py
index 319c384..3dbfbb0 100644
--- a/sunbeam/config.py
+++ b/sunbeam/config.py
@@ -11,15 +11,18 @@ CONFIG_PATH = Path.home() / ".sunbeam.json"
 class SunbeamConfig:
     """Sunbeam configuration with production host and infrastructure directory."""
     
-    def __init__(self, production_host: str = "", infra_directory: str = ""):
+    def __init__(self, production_host: str = "", infra_directory: str = "",
+                 acme_email: str = ""):
         self.production_host = production_host
         self.infra_directory = infra_directory
+        self.acme_email = acme_email
 
     def to_dict(self) -> dict:
         """Convert configuration to dictionary for JSON serialization."""
         return {
             "production_host": self.production_host,
             "infra_directory": self.infra_directory,
+            "acme_email": self.acme_email,
         }
 
     @classmethod
@@ -28,6 +31,7 @@ class SunbeamConfig:
         return cls(
             production_host=data.get("production_host", ""),
             infra_directory=data.get("infra_directory", ""),
+            acme_email=data.get("acme_email", ""),
         )
 
 
@@ -71,3 +75,22 @@ def get_infra_directory() -> str:
     """Get infrastructure directory from config."""
     config = load_config()
     return config.infra_directory
+
+
+def get_infra_dir() -> "Path":
+    """Infrastructure manifests directory as a Path.
+
+    Prefers the configured infra_directory; falls back to the package-relative
+    path (works when running from the development checkout).
+    """
+    from pathlib import Path
+    configured = load_config().infra_directory
+    if configured:
+        return Path(configured)
+    # Dev fallback: cli/sunbeam/config.py → parents[0]=cli/sunbeam, [1]=cli, [2]=monorepo root
+    return Path(__file__).resolve().parents[2] / "infrastructure"
+
+
+def get_repo_root() -> "Path":
+    """Monorepo root directory (parent of the infrastructure directory)."""
+    return get_infra_dir().parent
diff --git a/sunbeam/images.py b/sunbeam/images.py
index 48a0c39..5d4cdc0 100644
--- a/sunbeam/images.py
+++ b/sunbeam/images.py
@@ -259,6 +259,7 @@ def _buildctl_build_and_push(
     *,
     target: str | None = None,
     build_args: dict[str, str] | None = None,
+    no_cache: bool = False,
 ) -> None:
     """Build and push an image via buildkitd running in k3s.
 
@@ -320,6 +321,8 @@ def _buildctl_build_and_push(
             ]
             if target:
                 cmd += ["--opt", f"target={target}"]
+            if no_cache:
+                cmd += ["--no-cache"]
             if build_args:
                 for k, v in build_args.items():
                     cmd += ["--opt", f"build-arg:{k}={v}"]
@@ -343,6 +346,7 @@ def _build_image(
     target: str | None = None,
     build_args: dict[str, str] | None = None,
     push: bool = False,
+    no_cache: bool = False,
     cleanup_paths: list[Path] | None = None,
 ) -> None:
     """Build a container image via buildkitd and push to the Gitea registry.
@@ -364,6 +368,7 @@ def _build_image(
             context_dir=context_dir,
             target=target,
             build_args=build_args,
+            no_cache=no_cache,
         )
     finally:
         for p in (cleanup_paths or []):
@@ -514,16 +519,16 @@ def cmd_mirror(domain: str = "", gitea_admin_pass: str = ""):
 # Build dispatch
 # ---------------------------------------------------------------------------
 
-def cmd_build(what: str, push: bool = False, deploy: bool = False):
+def cmd_build(what: str, push: bool = False, deploy: bool = False, no_cache: bool = False):
     """Build an image. Pass push=True to push, deploy=True to also apply + rollout."""
     try:
-        _cmd_build(what, push=push, deploy=deploy)
+        _cmd_build(what, push=push, deploy=deploy, no_cache=no_cache)
     except subprocess.CalledProcessError as exc:
         cmd_str = " ".join(str(a) for a in exc.cmd)
         die(f"Build step failed (exit {exc.returncode}): {cmd_str}")
 
 
-def _cmd_build(what: str, push: bool = False, deploy: bool = False):
+def _cmd_build(what: str, push: bool = False, deploy: bool = False, no_cache: bool = False):
     if what == "proxy":
         _build_proxy(push=push, deploy=deploy)
     elif what == "integration":
@@ -553,6 +558,12 @@ def _cmd_build(what: str, push: bool = False, deploy: bool = False):
         _build_messages(what, push=push, deploy=deploy)
     elif what == "tuwunel":
         _build_tuwunel(push=push, deploy=deploy)
+    elif what == "calendars":
+        _build_calendars(push=push, deploy=deploy)
+    elif what == "projects":
+        _build_projects(push=push, deploy=deploy)
+    elif what == "sol":
+        _build_sol(push=push, deploy=deploy)
     else:
         die(f"Unknown build target: {what}")
 
@@ -645,52 +656,11 @@ def _build_kratos_admin(push: bool = False, deploy: bool = False):
 
     step(f"Building kratos-admin-ui -> {image} ...")
 
-    if env.is_prod:
-        # Cross-compile Deno for x86_64 and package into a minimal image.
-        if not shutil.which("deno"):
-            die("deno not found — install Deno: https://deno.land/")
-        if not shutil.which("npm"):
-            die("npm not found — install Node.js")
-
-        ok("Building UI assets (npm run build)...")
-        _run(["npm", "run", "build"], cwd=str(kratos_admin_dir / "ui"))
-
-        ok("Cross-compiling Deno binary for x86_64-linux-gnu...")
-        _run([
-            "deno", "compile",
-            "--target", "x86_64-unknown-linux-gnu",
-            "--allow-net", "--allow-read", "--allow-env",
-            "--include", "ui/dist",
-            "-o", "kratos-admin-x86_64",
-            "main.ts",
-        ], cwd=str(kratos_admin_dir))
-
-        bin_path = kratos_admin_dir / "kratos-admin-x86_64"
-        if not bin_path.exists():
-            die("Deno cross-compilation produced no binary")
-
-        pkg_dir = Path(tempfile.mkdtemp(prefix="kratos-admin-pkg-"))
-        shutil.copy2(str(bin_path), str(pkg_dir / "kratos-admin"))
-        dockerfile = pkg_dir / "Dockerfile"
-        dockerfile.write_text(
-            "FROM gcr.io/distroless/cc-debian12:nonroot\n"
-            "WORKDIR /app\n"
-            "COPY kratos-admin ./\n"
-            "EXPOSE 3000\n"
-            'ENTRYPOINT ["/app/kratos-admin"]\n'
-        )
-
-        try:
-            _build_image(env, image, dockerfile, pkg_dir, push=push)
-        finally:
-            shutil.rmtree(str(pkg_dir), ignore_errors=True)
-    else:
-        # Local: buildkitd handles the full Dockerfile build
-        _build_image(
-            env, image,
-            kratos_admin_dir / "Dockerfile", kratos_admin_dir,
-            push=push,
-        )
+    _build_image(
+        env, image,
+        kratos_admin_dir / "Dockerfile", kratos_admin_dir,
+        push=push,
+    )
 
     if deploy:
         _deploy_rollout(env, ["kratos-admin-ui"], "ory", timeout="120s")
@@ -964,3 +934,116 @@ def _patch_dockerfile_uv(
     except Exception as exc:
         warn(f"Failed to stage uv binaries: {exc}")
         return (dockerfile_path, cleanup)
+
+
+def _build_projects(push: bool = False, deploy: bool = False):
+    """Build projects (Planka Kanban) image from source."""
+    env = _get_build_env()
+
+    projects_dir = _get_repo_root() / "projects"
+    if not projects_dir.is_dir():
+        die(f"projects source not found at {projects_dir}")
+
+    image = f"{env.registry}/studio/projects:latest"
+    step(f"Building projects -> {image} ...")
+
+    _build_image(env, image, projects_dir / "Dockerfile", projects_dir, push=push)
+
+    if deploy:
+        _deploy_rollout(env, ["projects"], "lasuite", timeout="180s",
+                        images=[image])
+
+
+def _build_sol(push: bool = False, deploy: bool = False):
+    """Build Sol virtual librarian image from source.
+
+    # TODO: first deploy requires registration enabled on tuwunel to create
+    # the @sol:sunbeam.pt bot account. Flow:
+    #   1. Set allow_registration = true in tuwunel-config.yaml
+    #   2. Apply + restart tuwunel
+    #   3. Register bot via POST /_matrix/client/v3/register with registration token
+    #   4. Store access_token + device_id in OpenBao at secret/sol
+    #   5. Set allow_registration = false, re-apply
+    #   6. Then build + deploy sol
+    # This should be automated as `sunbeam user create-bot <name>`.
+    """
+    env = _get_build_env()
+
+    sol_dir = _get_repo_root() / "sol"
+    if not sol_dir.is_dir():
+        die(f"Sol source not found at {sol_dir}")
+
+    image = f"{env.registry}/studio/sol:latest"
+    step(f"Building sol -> {image} ...")
+
+    _build_image(env, image, sol_dir / "Dockerfile", sol_dir, push=push)
+
+    if deploy:
+        _deploy_rollout(env, ["sol"], "matrix", timeout="120s")
+
+
+def _build_calendars(push: bool = False, deploy: bool = False):
+    env = _get_build_env()
+    cal_dir = _get_repo_root() / "calendars"
+    if not cal_dir.is_dir():
+        die(f"calendars source not found at {cal_dir}")
+
+    backend_dir = cal_dir / "src" / "backend"
+    backend_image = f"{env.registry}/studio/calendars-backend:latest"
+    step(f"Building calendars-backend -> {backend_image} ...")
+
+    # Stage translations.json into the build context so the production image
+    # has it at /data/translations.json (Docker Compose mounts it; we bake it in).
+    translations_src = (cal_dir / "src" / "frontend" / "apps" / "calendars"
+                        / "src" / "features" / "i18n" / "translations.json")
+    translations_dst = backend_dir / "_translations.json"
+    cleanup: list[Path] = []
+    dockerfile = backend_dir / "Dockerfile"
+    if translations_src.exists():
+        shutil.copy(str(translations_src), str(translations_dst))
+        cleanup.append(translations_dst)
+        # Patch Dockerfile to COPY translations into production image
+        patched = dockerfile.read_text() + (
+            "\n# Sunbeam: bake translations.json for default calendar names\n"
+            "COPY _translations.json /data/translations.json\n"
+        )
+        patched_df = backend_dir / "Dockerfile._sunbeam_patched"
+        patched_df.write_text(patched)
+        cleanup.append(patched_df)
+        dockerfile = patched_df
+
+    _build_image(env, backend_image,
+                 dockerfile,
+                 backend_dir,
+                 target="backend-production",
+                 push=push,
+                 cleanup_paths=cleanup)
+
+    caldav_image = f"{env.registry}/studio/calendars-caldav:latest"
+    step(f"Building calendars-caldav -> {caldav_image} ...")
+    _build_image(env, caldav_image,
+                 cal_dir / "src" / "caldav" / "Dockerfile",
+                 cal_dir / "src" / "caldav",
+                 push=push)
+
+    frontend_image = f"{env.registry}/studio/calendars-frontend:latest"
+    step(f"Building calendars-frontend -> {frontend_image} ...")
+    integration_base = f"https://integration.{env.domain}"
+    _build_image(env, frontend_image,
+                 cal_dir / "src" / "frontend" / "Dockerfile",
+                 cal_dir / "src" / "frontend",
+                 target="frontend-production",
+                 build_args={
+                     "VISIO_BASE_URL": f"https://meet.{env.domain}",
+                     "GAUFRE_WIDGET_PATH": f"{integration_base}/api/v2/lagaufre.js",
+                     "GAUFRE_API_URL": f"{integration_base}/api/v2/services.json",
+                     "THEME_CSS_URL": f"{integration_base}/api/v2/theme.css",
+                 },
+                 push=push)
+
+    if deploy:
+        _deploy_rollout(env,
+                        ["calendars-backend", "calendars-worker",
+                         "calendars-caldav", "calendars-frontend"],
+                        "lasuite", timeout="180s",
+                        images=[backend_image, caldav_image, frontend_image])
diff --git a/sunbeam/kube.py b/sunbeam/kube.py
index 02a0b18..f3be0ad 100644
--- a/sunbeam/kube.py
+++ b/sunbeam/kube.py
@@ -227,6 +227,7 @@ def cmd_bao(bao_args: list[str]) -> int:
 
 def kustomize_build(overlay: Path, domain: str, email: str = "") -> str:
     """Run kustomize build --enable-helm and apply domain/email substitution."""
+    import socket as _socket
     r = run_tool(
         "kustomize", "build", "--enable-helm", str(overlay),
         capture_output=True, text=True, check=True,
@@ -235,5 +236,22 @@ def kustomize_build(overlay: Path, domain: str, email: str = "") -> str:
     text = domain_replace(text, domain)
     if email:
         text = text.replace("ACME_EMAIL", email)
+    if "REGISTRY_HOST_IP" in text:
+        registry_ip = ""
+        try:
+            registry_ip = _socket.gethostbyname(f"src.{domain}")
+        except _socket.gaierror:
+            pass
+        if not registry_ip:
+            # DNS not resolvable locally (VPN, split-horizon, etc.) — derive IP from SSH host config
+            from sunbeam.config import get_production_host as _get_host
+            ssh_host = _get_host()
+            # ssh_host may be "user@host" or just "host"
+            raw = ssh_host.split("@")[-1].split(":")[0]
+            try:
+                registry_ip = _socket.gethostbyname(raw)
+            except _socket.gaierror:
+                registry_ip = raw  # raw is already an IP in typical config
+        text = text.replace("REGISTRY_HOST_IP", registry_ip)
     text = text.replace("\n      annotations: null", "")
     return text
diff --git a/sunbeam/manifests.py b/sunbeam/manifests.py
index 983940d..464ecde 100644
--- a/sunbeam/manifests.py
+++ b/sunbeam/manifests.py
@@ -5,9 +5,10 @@ from pathlib import Path
 from sunbeam.kube import kube, kube_out, kube_ok, kube_apply, kustomize_build, get_lima_ip, get_domain
 from sunbeam.output import step, ok, warn
 
-REPO_ROOT = Path(__file__).parents[2] / "infrastructure"
-MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "monitoring", "ory",
-              "storage", "vault-secrets-operator"]
+from sunbeam.config import get_infra_dir as _get_infra_dir
+REPO_ROOT = _get_infra_dir()
+MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "matrix", "media", "monitoring",
+              "ory", "storage", "vault-secrets-operator"]
 
 
 def pre_apply_cleanup(namespaces=None):
@@ -156,6 +157,219 @@ def _filter_by_namespace(manifests: str, namespace: str) -> str:
     return "---\n" + "\n---\n".join(kept) + "\n"
 
 
+def _patch_tuwunel_oauth2_redirect(domain: str):
+    """Patch the tuwunel OAuth2Client redirect URI with the actual client_id.
+
+    Hydra-maester generates the client_id when it first reconciles the
+    OAuth2Client CRD, storing it in the oidc-tuwunel Secret. We read that
+    secret and patch the CRD's redirectUris to include the correct callback
+    path that tuwunel will use.
+    """
+    import base64, json
+
+    client_id_b64 = kube_out("get", "secret", "oidc-tuwunel", "-n", "matrix",
+                             "-o=jsonpath={.data.CLIENT_ID}", "--ignore-not-found")
+    if not client_id_b64:
+        warn("oidc-tuwunel secret not yet available — skipping redirect URI patch. "
+             "Re-run 'sunbeam apply matrix' after hydra-maester has reconciled.")
+        return
+
+    client_id = base64.b64decode(client_id_b64).decode()
+    redirect_uri = f"https://messages.{domain}/_matrix/client/unstable/login/sso/callback/{client_id}"
+
+    # Check current redirect URIs to avoid unnecessary patches.
+    current = kube_out("get", "oauth2client", "tuwunel", "-n", "matrix",
+                       "-o=jsonpath={.spec.redirectUris[*]}", "--ignore-not-found")
+    if redirect_uri in current.split():
+        return
+
+    patch = json.dumps({"spec": {"redirectUris": [redirect_uri]}})
+    kube("patch", "oauth2client", "tuwunel", "-n", "matrix",
+         "--type=merge", f"-p={patch}", check=False)
+    ok(f"Patched tuwunel OAuth2Client redirect URI.")
+
+
+def _os_api(path: str, method: str = "GET", data: str | None = None) -> str:
+    """Call OpenSearch API via kubectl exec. Returns response body."""
+    cmd = ["exec", "deploy/opensearch", "-n", "data", "-c", "opensearch", "--"]
+    curl = ["curl", "-sf", f"http://localhost:9200{path}"]
+    if method != "GET":
+        curl += ["-X", method]
+    if data is not None:
+        curl += ["-H", "Content-Type: application/json", "-d", data]
+    return kube_out(*cmd, *curl)
+
+
+def _ensure_opensearch_ml():
+    """Idempotently configure OpenSearch ML Commons for neural search.
+
+    1. Sets cluster settings to allow ML on data nodes.
+    2. Registers and deploys all-mpnet-base-v2 (pre-trained, 384-dim).
+    3. Creates ingest + search pipelines for hybrid BM25+neural scoring.
+    """
+    import json, time
+
+    # Check OpenSearch is reachable.
+    if not _os_api("/_cluster/health"):
+        warn("OpenSearch not reachable — skipping ML setup.")
+        return
+
+    # 1. Ensure ML Commons cluster settings (idempotent PUT).
+    _os_api("/_cluster/settings", "PUT", json.dumps({"persistent": {
+        "plugins.ml_commons.only_run_on_ml_node": False,
+        "plugins.ml_commons.native_memory_threshold": 90,
+        "plugins.ml_commons.model_access_control_enabled": False,
+        "plugins.ml_commons.allow_registering_model_via_url": True,
+    }}))
+
+    # 2. Check if model already registered and deployed.
+    search_resp = _os_api("/_plugins/_ml/models/_search", "POST",
+                          '{"query":{"match":{"name":"huggingface/sentence-transformers/all-mpnet-base-v2"}}}')
+    if not search_resp:
+        warn("OpenSearch ML search API failed — skipping ML setup.")
+        return
+
+    resp = json.loads(search_resp)
+    hits = resp.get("hits", {}).get("hits", [])
+    model_id = None
+
+    for hit in hits:
+        state = hit.get("_source", {}).get("model_state", "")
+        if state == "DEPLOYED":
+            model_id = hit["_id"]
+            break
+        elif state in ("REGISTERED", "DEPLOYING"):
+            model_id = hit["_id"]
+
+    if model_id and any(h["_source"].get("model_state") == "DEPLOYED" for h in hits):
+        pass  # Already deployed, skip to pipelines.
+    elif model_id:
+        # Registered but not deployed — deploy it.
+        ok("Deploying OpenSearch ML model...")
+        _os_api(f"/_plugins/_ml/models/{model_id}/_deploy", "POST")
+        for _ in range(30):
+            time.sleep(5)
+            r = _os_api(f"/_plugins/_ml/models/{model_id}")
+            if r and '"DEPLOYED"' in r:
+                break
+    else:
+        # Register from pre-trained hub.
+        ok("Registering OpenSearch ML model (all-mpnet-base-v2)...")
+        reg_resp = _os_api("/_plugins/_ml/models/_register", "POST", json.dumps({
+            "name": "huggingface/sentence-transformers/all-mpnet-base-v2",
+            "version": "1.0.1",
+            "model_format": "TORCH_SCRIPT",
+        }))
+        if not reg_resp:
+            warn("Failed to register ML model — skipping.")
+            return
+        task_id = json.loads(reg_resp).get("task_id", "")
+        if not task_id:
+            warn("No task_id from model registration — skipping.")
+            return
+
+        # Wait for registration.
+        ok("Waiting for model registration...")
+        for _ in range(60):
+            time.sleep(10)
+            task_resp = _os_api(f"/_plugins/_ml/tasks/{task_id}")
+            if not task_resp:
+                continue
+            task = json.loads(task_resp)
+            state = task.get("state", "")
+            if state == "COMPLETED":
+                model_id = task.get("model_id", "")
+                break
+            if state == "FAILED":
+                warn(f"ML model registration failed: {task_resp}")
+                return
+
+        if not model_id:
+            warn("ML model registration timed out.")
+            return
+
+        # Deploy.
+        ok("Deploying ML model...")
+        _os_api(f"/_plugins/_ml/models/{model_id}/_deploy", "POST")
+        for _ in range(30):
+            time.sleep(5)
+            r = _os_api(f"/_plugins/_ml/models/{model_id}")
+            if r and '"DEPLOYED"' in r:
+                break
+
+    if not model_id:
+        warn("No ML model available — skipping pipeline setup.")
+        return
+
+    # 3. Create/update ingest pipeline (PUT is idempotent).
+    _os_api("/_ingest/pipeline/tuwunel_embedding_pipeline", "PUT", json.dumps({
+        "description": "Tuwunel message embedding pipeline",
+        "processors": [{"text_embedding": {
+            "model_id": model_id,
+            "field_map": {"body": "embedding"},
+        }}],
+    }))
+
+    # 4. Create/update search pipeline (PUT is idempotent).
+    _os_api("/_search/pipeline/tuwunel_hybrid_pipeline", "PUT", json.dumps({
+        "description": "Tuwunel hybrid BM25+neural search pipeline",
+        "phase_results_processors": [{"normalization-processor": {
+            "normalization": {"technique": "min_max"},
+            "combination": {"technique": "arithmetic_mean", "parameters": {"weights": [0.3, 0.7]}},
+        }}],
+    }))
+
+    ok(f"OpenSearch ML ready (model: {model_id}).")
+    return model_id
+
+
+def _inject_opensearch_model_id():
+    """Read deployed ML model_id from OpenSearch, write to ConfigMap in matrix ns.
+
+    The tuwunel deployment reads TUWUNEL_SEARCH_OPENSEARCH_MODEL_ID from this
+    ConfigMap. Creates or updates the ConfigMap idempotently.
+
+    Reads the model_id from the ingest pipeline (which _ensure_opensearch_ml
+    already configured with the correct model_id).
+    """
+    import json
+
+    # Read model_id from the ingest pipeline that _ensure_opensearch_ml created.
+    pipe_resp = _os_api("/_ingest/pipeline/tuwunel_embedding_pipeline")
+    if not pipe_resp:
+        warn("OpenSearch ingest pipeline not found — skipping model_id injection. "
+             "Run 'sunbeam apply data' first.")
+        return
+
+    pipe = json.loads(pipe_resp)
+    processors = (pipe.get("tuwunel_embedding_pipeline", {})
+                      .get("processors", []))
+    model_id = None
+    for proc in processors:
+        model_id = proc.get("text_embedding", {}).get("model_id")
+        if model_id:
+            break
+
+    if not model_id:
+        warn("No model_id in ingest pipeline — tuwunel hybrid search will be unavailable.")
+        return
+
+    # Check if ConfigMap already has this value.
+    current = kube_out("get", "configmap", "opensearch-ml-config", "-n", "matrix",
+                       "-o=jsonpath={.data.model_id}", "--ignore-not-found")
+    if current == model_id:
+        return
+
+    cm = json.dumps({
+        "apiVersion": "v1",
+        "kind": "ConfigMap",
+        "metadata": {"name": "opensearch-ml-config", "namespace": "matrix"},
+        "data": {"model_id": model_id},
+    })
+    kube("apply", "--server-side", "-f", "-", input=cm)
+    ok(f"Injected OpenSearch model_id ({model_id}) into matrix/opensearch-ml-config.")
+
+
 def cmd_apply(env: str = "local", domain: str = "", email: str = "", namespace: str = ""):
     """Build kustomize overlay for env, substitute domain/email, kubectl apply.
 
@@ -163,6 +377,11 @@ def cmd_apply(env: str = "local", domain: str = "", email: str = "", namespace:
     cert-manager registers a ValidatingWebhook that must be running before
     ClusterIssuer / Certificate resources can be created.
     """
+    # Fall back to config for ACME email if not provided via CLI flag.
+    if not email:
+        from sunbeam.config import load_config
+        email = load_config().acme_email
+
     if env == "production":
         if not domain:
             # Try to discover domain from running cluster
@@ -207,4 +426,12 @@ def cmd_apply(env: str = "local", domain: str = "", email: str = "", namespace:
             kube("apply", "--server-side", "--force-conflicts", "-f", "-", input=manifests2)
 
     _restart_for_changed_configmaps(before, _snapshot_configmaps())
+
+    # Post-apply hooks for namespaces that need runtime patching.
+    if not namespace or namespace == "matrix":
+        _patch_tuwunel_oauth2_redirect(domain)
+        _inject_opensearch_model_id()
+    if not namespace or namespace == "data":
+        _ensure_opensearch_ml()
+
     ok("Applied.")
diff --git a/sunbeam/secrets.py b/sunbeam/secrets.py
index 1dcea52..124ea73 100644
--- a/sunbeam/secrets.py
+++ b/sunbeam/secrets.py
@@ -15,6 +15,11 @@ from sunbeam.output import step, ok, warn, die
 ADMIN_USERNAME = "estudio-admin"
 
 
+def _gen_fernet_key() -> str:
+    """Generate a Fernet-compatible key (32 random bytes, URL-safe base64)."""
+    return base64.urlsafe_b64encode(_secrets.token_bytes(32)).decode()
+
+
 def _gen_dkim_key_pair() -> tuple[str, str]:
     """Generate an RSA 2048-bit DKIM key pair using openssl.
 
@@ -45,7 +50,7 @@ GITEA_ADMIN_USER = "gitea_admin"
 PG_USERS = [
     "kratos", "hydra", "gitea", "hive",
     "docs", "meet", "drive", "messages", "conversations",
-    "people", "find",
+    "people", "find", "calendars", "projects",
 ]
 
 
@@ -133,6 +138,9 @@ def _seed_openbao() -> dict:
         return {}
 
     # Read-or-generate helper: preserves existing KV values; only generates missing ones.
+    # Tracks which paths had new values so we only write back when necessary.
+    _dirty_paths: set = set()
+
     def get_or_create(path, **fields):
         raw = bao(
             f"BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN='{root_token}' "
@@ -145,7 +153,12 @@ def _seed_openbao() -> dict:
             pass
         result = {}
         for key, default_fn in fields.items():
-            result[key] = existing.get(key) or default_fn()
+            val = existing.get(key)
+            if val:
+                result[key] = val
+            else:
+                result[key] = default_fn()
+                _dirty_paths.add(path)
         return result
 
     def rand():
@@ -193,7 +206,9 @@ def _seed_openbao() -> dict:
     kratos_admin = get_or_create("kratos-admin",
         **{"cookie-secret":      rand,
            "csrf-cookie-secret": rand,
-           "admin-identity-ids": lambda: ""})
+           "admin-identity-ids": lambda: "",
+           "s3-access-key":      lambda: seaweedfs["access-key"],
+           "s3-secret-key":      lambda: seaweedfs["secret-key"]})
 
     docs = get_or_create("docs",
         **{"django-secret-key":      rand,
@@ -206,6 +221,16 @@ def _seed_openbao() -> dict:
     drive = get_or_create("drive",
         **{"django-secret-key": rand})
 
+    projects = get_or_create("projects",
+        **{"secret-key": rand})
+
+    calendars = get_or_create("calendars",
+        **{"django-secret-key":       lambda: _secrets.token_urlsafe(50),
+           "salt-key":                rand,
+           "caldav-inbound-api-key":  rand,
+           "caldav-outbound-api-key": rand,
+           "caldav-internal-api-key": rand})
+
     # DKIM key pair -- generated together since private and public keys are coupled.
     # Read existing keys first; only generate a new pair when absent.
     existing_messages_raw = bao(
@@ -225,15 +250,16 @@ def _seed_openbao() -> dict:
         _dkim_private, _dkim_public = _gen_dkim_key_pair()
 
     messages = get_or_create("messages",
-        **{"django-secret-key":      rand,
-           "salt-key":               rand,
-           "mda-api-secret":         rand,
-           "dkim-private-key":       lambda: _dkim_private,
-           "dkim-public-key":        lambda: _dkim_public,
-           "rspamd-password":        rand,
-           "socks-proxy-users":      lambda: f"sunbeam:{rand()}",
-           "mta-out-smtp-username":  lambda: "sunbeam",
-           "mta-out-smtp-password":  rand})
+        **{"django-secret-key":        rand,
+           "salt-key":                 rand,
+           "mda-api-secret":           rand,
+           "oidc-refresh-token-key":   _gen_fernet_key,
+           "dkim-private-key":         lambda: _dkim_private,
+           "dkim-public-key":          lambda: _dkim_public,
+           "rspamd-password":          rand,
+           "socks-proxy-users":        lambda: f"sunbeam:{rand()}",
+           "mta-out-smtp-username":    lambda: "sunbeam",
+           "mta-out-smtp-password":    rand})
 
     collabora = get_or_create("collabora",
         **{"username": lambda: "admin",
@@ -262,48 +288,100 @@ def _seed_openbao() -> dict:
         **{"access-key-id":     lambda: _scw_config("access-key"),
            "secret-access-key": lambda: _scw_config("secret-key")})
 
-    # Write all secrets to KV (idempotent -- puts same values back)
-    # messages secrets written separately first (multi-field KV, avoids line-length issues)
-    bao(f"BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN='{root_token}' sh -c '"
-        f"bao kv put secret/messages"
-        f" django-secret-key=\"{messages['django-secret-key']}\""
-        f" salt-key=\"{messages['salt-key']}\""
-        f" mda-api-secret=\"{messages['mda-api-secret']}\""
-        f" rspamd-password=\"{messages['rspamd-password']}\""
-        f" socks-proxy-users=\"{messages['socks-proxy-users']}\""
-        f" mta-out-smtp-username=\"{messages['mta-out-smtp-username']}\""
-        f" mta-out-smtp-password=\"{messages['mta-out-smtp-password']}\""
-        f"'")
-    # DKIM keys stored separately (large PEM values)
-    dkim_priv_b64 = base64.b64encode(messages['dkim-private-key'].encode()).decode()
-    dkim_pub_b64  = base64.b64encode(messages['dkim-public-key'].encode()).decode()
-    bao(f"BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN='{root_token}' sh -c '"
-        f"echo {dkim_priv_b64} | base64 -d > /tmp/dkim_priv.pem && "
-        f"echo {dkim_pub_b64}  | base64 -d > /tmp/dkim_pub.pem && "
-        f"bao kv patch secret/messages"
-        f" dkim-private-key=\"$(cat /tmp/dkim_priv.pem)\""
-        f" dkim-public-key=\"$(cat /tmp/dkim_pub.pem)\" && "
-        f"rm /tmp/dkim_priv.pem /tmp/dkim_pub.pem"
-        f"'")
+    # Only write secrets to OpenBao KV for paths that have new/missing values.
+    # This avoids unnecessary KV version bumps which trigger VSO re-syncs and
+    # rollout restarts across the cluster.
+    if not _dirty_paths:
+        ok("All OpenBao KV secrets already present -- skipping writes.")
+    else:
+        ok(f"Writing new secrets to OpenBao KV ({', '.join(sorted(_dirty_paths))})...")
 
-    bao(f"BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN='{root_token}' sh -c '"
-        f"bao kv put secret/hydra           system-secret=\"{hydra['system-secret']}\" cookie-secret=\"{hydra['cookie-secret']}\" pairwise-salt=\"{hydra['pairwise-salt']}\" && "
-        f"bao kv put secret/kratos          secrets-default=\"{kratos['secrets-default']}\" secrets-cookie=\"{kratos['secrets-cookie']}\" smtp-connection-uri=\"{kratos['smtp-connection-uri']}\" && "
-        f"bao kv put secret/gitea           admin-username=\"{gitea['admin-username']}\" admin-password=\"{gitea['admin-password']}\" && "
-        f"bao kv put secret/seaweedfs       access-key=\"{seaweedfs['access-key']}\" secret-key=\"{seaweedfs['secret-key']}\" && "
-        f"bao kv put secret/hive            oidc-client-id=\"{hive['oidc-client-id']}\" oidc-client-secret=\"{hive['oidc-client-secret']}\" && "
-        f"bao kv put secret/livekit         api-key=\"{livekit['api-key']}\" api-secret=\"{livekit['api-secret']}\" && "
-        f"bao kv put secret/people          django-secret-key=\"{people['django-secret-key']}\" && "
-        f"bao kv put secret/login-ui        cookie-secret=\"{login_ui['cookie-secret']}\" csrf-cookie-secret=\"{login_ui['csrf-cookie-secret']}\" && "
-        f"bao kv put secret/kratos-admin    cookie-secret=\"{kratos_admin['cookie-secret']}\" csrf-cookie-secret=\"{kratos_admin['csrf-cookie-secret']}\" admin-identity-ids=\"{kratos_admin['admin-identity-ids']}\" && "
-        f"bao kv put secret/docs            django-secret-key=\"{docs['django-secret-key']}\" collaboration-secret=\"{docs['collaboration-secret']}\" && "
-        f"bao kv put secret/meet            django-secret-key=\"{meet['django-secret-key']}\" application-jwt-secret-key=\"{meet['application-jwt-secret-key']}\" && "
-        f"bao kv put secret/drive           django-secret-key=\"{drive['django-secret-key']}\" && "
-        f"bao kv put secret/collabora       username=\"{collabora['username']}\" password=\"{collabora['password']}\" && "
-        f"bao kv put secret/grafana          admin-password=\"{grafana['admin-password']}\" && "
-        f"bao kv put secret/scaleway-s3     access-key-id=\"{scaleway_s3['access-key-id']}\" secret-access-key=\"{scaleway_s3['secret-access-key']}\" && "
-        f"bao kv put secret/tuwunel         oidc-client-id=\"{tuwunel['oidc-client-id']}\" oidc-client-secret=\"{tuwunel['oidc-client-secret']}\" turn-secret=\"{tuwunel['turn-secret']}\" registration-token=\"{tuwunel['registration-token']}\""
-        f"'")
+        def _kv_put(path, **kv):
+            pairs = " ".join(f'{k}="{v}"' for k, v in kv.items())
+            bao(f"BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN='{root_token}' "
+                f"bao kv put secret/{path} {pairs}")
+
+        if "messages" in _dirty_paths:
+            _kv_put("messages",
+                **{"django-secret-key":      messages["django-secret-key"],
+                   "salt-key":               messages["salt-key"],
+                   "mda-api-secret":         messages["mda-api-secret"],
+                   "oidc-refresh-token-key": messages["oidc-refresh-token-key"],
+                   "rspamd-password":        messages["rspamd-password"],
+                   "socks-proxy-users":      messages["socks-proxy-users"],
+                   "mta-out-smtp-username":  messages["mta-out-smtp-username"],
+                   "mta-out-smtp-password":  messages["mta-out-smtp-password"]})
+            # DKIM keys stored separately (large PEM values)
+            dkim_priv_b64 = base64.b64encode(messages['dkim-private-key'].encode()).decode()
+            dkim_pub_b64  = base64.b64encode(messages['dkim-public-key'].encode()).decode()
+            bao(f"BAO_ADDR=http://127.0.0.1:8200 BAO_TOKEN='{root_token}' sh -c '"
+                f"echo {dkim_priv_b64} | base64 -d > /tmp/dkim_priv.pem && "
+                f"echo {dkim_pub_b64}  | base64 -d > /tmp/dkim_pub.pem && "
+                f"bao kv patch secret/messages"
+                f" dkim-private-key=\"$(cat /tmp/dkim_priv.pem)\""
+                f" dkim-public-key=\"$(cat /tmp/dkim_pub.pem)\" && "
+                f"rm /tmp/dkim_priv.pem /tmp/dkim_pub.pem"
+                f"'")
+        if "hydra" in _dirty_paths:
+            _kv_put("hydra", **{"system-secret": hydra["system-secret"],
+                                "cookie-secret": hydra["cookie-secret"],
+                                "pairwise-salt": hydra["pairwise-salt"]})
+        if "kratos" in _dirty_paths:
+            _kv_put("kratos", **{"secrets-default": kratos["secrets-default"],
+                                 "secrets-cookie": kratos["secrets-cookie"],
+                                 "smtp-connection-uri": kratos["smtp-connection-uri"]})
+        if "gitea" in _dirty_paths:
+            _kv_put("gitea", **{"admin-username": gitea["admin-username"],
+                                "admin-password": gitea["admin-password"]})
+        if "seaweedfs" in _dirty_paths:
+            _kv_put("seaweedfs", **{"access-key": seaweedfs["access-key"],
+                                    "secret-key": seaweedfs["secret-key"]})
+        if "hive" in _dirty_paths:
+            _kv_put("hive", **{"oidc-client-id": hive["oidc-client-id"],
+                               "oidc-client-secret": hive["oidc-client-secret"]})
+        if "livekit" in _dirty_paths:
+            _kv_put("livekit", **{"api-key": livekit["api-key"],
+                                  "api-secret": livekit["api-secret"]})
+        if "people" in _dirty_paths:
+            _kv_put("people", **{"django-secret-key": people["django-secret-key"]})
+        if "login-ui" in _dirty_paths:
+            _kv_put("login-ui", **{"cookie-secret": login_ui["cookie-secret"],
+                                   "csrf-cookie-secret": login_ui["csrf-cookie-secret"]})
+        if "kratos-admin" in _dirty_paths:
+            _kv_put("kratos-admin", **{"cookie-secret": kratos_admin["cookie-secret"],
+                                       "csrf-cookie-secret": kratos_admin["csrf-cookie-secret"],
+                                       "admin-identity-ids": kratos_admin["admin-identity-ids"],
+                                       "s3-access-key": kratos_admin["s3-access-key"],
+                                       "s3-secret-key": kratos_admin["s3-secret-key"]})
+        if "docs" in _dirty_paths:
+            _kv_put("docs", **{"django-secret-key": docs["django-secret-key"],
+                               "collaboration-secret": docs["collaboration-secret"]})
+        if "meet" in _dirty_paths:
+            _kv_put("meet", **{"django-secret-key": meet["django-secret-key"],
+                               "application-jwt-secret-key": meet["application-jwt-secret-key"]})
+        if "drive" in _dirty_paths:
+            _kv_put("drive", **{"django-secret-key": drive["django-secret-key"]})
+        if "projects" in _dirty_paths:
+            _kv_put("projects", **{"secret-key": projects["secret-key"]})
+        if "calendars" in _dirty_paths:
+            _kv_put("calendars", **{"django-secret-key": calendars["django-secret-key"],
+                                    "salt-key": calendars["salt-key"],
+                                    "caldav-inbound-api-key": calendars["caldav-inbound-api-key"],
+                                    "caldav-outbound-api-key": calendars["caldav-outbound-api-key"],
+                                    "caldav-internal-api-key": calendars["caldav-internal-api-key"]})
+        if "collabora" in _dirty_paths:
+            _kv_put("collabora", **{"username": collabora["username"],
+                                    "password": collabora["password"]})
+        if "grafana" in _dirty_paths:
+            _kv_put("grafana", **{"admin-password": grafana["admin-password"]})
+        if "scaleway-s3" in _dirty_paths:
+            _kv_put("scaleway-s3", **{"access-key-id": scaleway_s3["access-key-id"],
+                                      "secret-access-key": scaleway_s3["secret-access-key"]})
+        if "tuwunel" in _dirty_paths:
+            _kv_put("tuwunel", **{"oidc-client-id": tuwunel["oidc-client-id"],
+                                  "oidc-client-secret": tuwunel["oidc-client-secret"],
+                                  "turn-secret": tuwunel["turn-secret"],
+                                  "registration-token": tuwunel["registration-token"]})
 
     # Configure Kubernetes auth method so VSO can authenticate with OpenBao
     ok("Configuring Kubernetes auth for VSO...")
@@ -519,7 +597,7 @@ def _seed_kratos_admin_identity(ob_pod: str, root_token: str) -> tuple[str, str]
                 ok(f"  admin identity exists ({identity_id[:8]}...)")
             else:
                 identity = _kratos_api(base, "/identities", method="POST", body={
-                    "schema_id": "default",
+                    "schema_id": "employee",
                     "traits": {"email": admin_email},
                     "state": "active",
                 })
@@ -600,6 +678,7 @@ def cmd_seed() -> dict:
             "drive": "drive_db", "messages": "messages_db",
             "conversations": "conversations_db",
             "people": "people_db", "find": "find_db",
+            "calendars": "calendars_db", "projects": "projects_db",
         }
         for user in PG_USERS:
             # Only CREATE if missing -- passwords are managed by OpenBao static roles.
diff --git a/sunbeam/services.py b/sunbeam/services.py
index 999eac8..60e1301 100644
--- a/sunbeam/services.py
+++ b/sunbeam/services.py
@@ -8,8 +8,8 @@ from sunbeam.kube import kube, kube_out, parse_target
 from sunbeam.tools import ensure_tool
 from sunbeam.output import step, ok, warn, die
 
-MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "ory", "storage",
-              "vault-secrets-operator"]
+MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "matrix", "media", "ory",
+              "storage", "vault-secrets-operator"]
 
 SERVICES_TO_RESTART = [
     ("ory",      "hydra"),
@@ -22,6 +22,8 @@ SERVICES_TO_RESTART = [
     ("lasuite",  "people-frontend"),
     ("lasuite",  "people-celery-worker"),
     ("lasuite",  "people-celery-beat"),
+    ("lasuite",  "projects"),
+    ("matrix",   "tuwunel"),
     ("media",    "livekit-server"),
 ]
 
@@ -186,8 +188,9 @@ def cmd_logs(target: str, follow: bool):
     if not name:
         die("Logs require a service name, e.g. 'ory/kratos'.")
 
+    _kube_mod.ensure_tunnel()
     kubectl = str(ensure_tool("kubectl"))
-    cmd = [kubectl, "--context=sunbeam", "-n", ns, "logs",
+    cmd = [kubectl, _kube_mod.context_arg(), "-n", ns, "logs",
            "-l", f"app={name}", "--tail=100"]
     if follow:
         cmd.append("--follow")
diff --git a/sunbeam/src/cli.rs b/sunbeam/src/cli.rs
new file mode 100644
index 0000000..94976ad
--- /dev/null
+++ b/sunbeam/src/cli.rs
@@ -0,0 +1,1050 @@
+use sunbeam_sdk::error::{Result, SunbeamError};
+use sunbeam_sdk::images::BuildTarget;
+use clap::{Parser, Subcommand, ValueEnum};
+
+/// Sunbeam local dev stack manager.
+#[derive(Parser, Debug)]
+#[command(name = "sunbeam", about = "Sunbeam local dev stack manager")]
+pub struct Cli {
+    /// Named context to use (overrides current-context from config).
+    #[arg(long)]
+    pub context: Option<String>,
+
+    /// Domain suffix override (e.g. sunbeam.pt).
+    #[arg(long, default_value = "")]
+    pub domain: String,
+
+    /// ACME email for cert-manager (e.g. ops@sunbeam.pt).
+    #[arg(long, default_value = "")]
+    pub email: String,
+
+    #[command(subcommand)]
+    pub verb: Option<Verb>,
+}
+
+
+#[derive(Subcommand, Debug)]
+pub enum Verb {
+    /// Full cluster bring-up.
+    Up,
+
+    /// Pod health (optionally scoped).
+    Status {
+        /// namespace or namespace/name
+        target: Option<String>,
+    },
+
+    /// kustomize build + domain subst + kubectl apply.
+    Apply {
+        /// Limit apply to one namespace.
+        namespace: Option<String>,
+        /// Apply all namespaces without confirmation.
+        #[arg(long = "all")]
+        apply_all: bool,
+        /// Domain suffix (e.g. sunbeam.pt).
+        #[arg(long, default_value = "")]
+        domain: String,
+        /// ACME email for cert-manager.
+        #[arg(long, default_value = "")]
+        email: String,
+    },
+
+    /// Generate/store all credentials in OpenBao.
+    Seed,
+
+    /// E2E VSO + OpenBao integration test.
+    Verify,
+
+    /// kubectl logs for a service.
+    Logs {
+        /// namespace/name
+        target: String,
+        /// Stream logs.
+        #[arg(short, long)]
+        follow: bool,
+    },
+
+    /// Raw kubectl get for a pod (ns/name).
+    Get {
+        /// namespace/name
+        target: String,
+        /// Output format.
+        #[arg(short, long, default_value = "yaml", value_parser = ["yaml", "json", "wide"])]
+        output: String,
+    },
+
+    /// Rolling restart of services.
+    Restart {
+        /// namespace or namespace/name
+        target: Option<String>,
+    },
+
+    /// Build an artifact.
+    Build {
+        /// What to build.
+        what: BuildTarget,
+        /// Push image to registry after building.
+        #[arg(long)]
+        push: bool,
+        /// Apply manifests and rollout restart after pushing (implies --push).
+        #[arg(long)]
+        deploy: bool,
+        /// Disable buildkitd layer cache.
+        #[arg(long)]
+        no_cache: bool,
+    },
+
+    /// Functional service health checks.
+    Check {
+        /// namespace or namespace/name
+        target: Option<String>,
+    },
+
+    /// Mirror amd64-only La Suite images.
+    Mirror,
+
+    /// Create Gitea orgs/repos; bootstrap services.
+    Bootstrap,
+
+    /// Manage sunbeam configuration.
+    Config {
+        #[command(subcommand)]
+        action: Option<ConfigAction>,
+    },
+
+    /// kubectl passthrough.
+    K8s {
+        /// arguments forwarded verbatim to kubectl
+        #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+        kubectl_args: Vec<String>,
+    },
+
+    /// bao CLI passthrough (runs inside OpenBao pod with root token).
+    Bao {
+        /// arguments forwarded verbatim to bao
+        #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+        bao_args: Vec<String>,
+    },
+
+    /// User/identity management.
+    User {
+        #[command(subcommand)]
+        action: Option<UserAction>,
+    },
+
+    /// Authenticate with Sunbeam (OAuth2 login via browser).
+    Auth {
+        #[command(subcommand)]
+        action: Option<AuthAction>,
+    },
+
+    /// Project management across Planka and Gitea.
+    Pm {
+        #[command(subcommand)]
+        action: Option<PmAction>,
+    },
+
+    /// Self-update from latest mainline commit.
+    Update,
+
+    /// Print version info.
+    Version,
+}
+
+#[derive(Subcommand, Debug)]
+pub enum AuthAction {
+    /// Log in to both SSO and Gitea.
+    Login {
+        /// Domain to authenticate against (e.g. sunbeam.pt).
+        #[arg(long)]
+        domain: Option<String>,
+    },
+    /// Log in to SSO only (Hydra OIDC — for Planka, identity management).
+    Sso {
+        /// Domain to authenticate against.
+        #[arg(long)]
+        domain: Option<String>,
+    },
+    /// Log in to Gitea only (personal access token).
+    Git {
+        /// Domain to authenticate against.
+        #[arg(long)]
+        domain: Option<String>,
+    },
+    /// Log out (remove all cached tokens).
+    Logout,
+    /// Show current authentication status.
+    Status,
+}
+
+#[derive(Subcommand, Debug)]
+pub enum PmAction {
+    /// List tickets across Planka and Gitea.
+    List {
+        /// Filter by source: planka, gitea, or all (default: all).
+        #[arg(long, default_value = "all")]
+        source: String,
+        /// Filter by state: open, closed, all (default: open).
+        #[arg(long, default_value = "open")]
+        state: String,
+    },
+    /// Show ticket details.
+    Show {
+        /// Ticket ID (e.g. p:42 for Planka, g:studio/cli#7 for Gitea).
+        id: String,
+    },
+    /// Create a new ticket.
+    Create {
+        /// Ticket title.
+        title: String,
+        /// Ticket body/description.
+        #[arg(long, default_value = "")]
+        body: String,
+        /// Source: planka or gitea.
+        #[arg(long, default_value = "gitea")]
+        source: String,
+        /// Target: board ID for Planka, or org/repo for Gitea.
+        #[arg(long, default_value = "")]
+        target: String,
+    },
+    /// Add a comment to a ticket.
+    Comment {
+        /// Ticket ID.
+        id: String,
+        /// Comment text.
+        text: String,
+    },
+    /// Close/complete a ticket.
+    Close {
+        /// Ticket ID.
+        id: String,
+    },
+    /// Assign a user to a ticket.
+    Assign {
+        /// Ticket ID.
+        id: String,
+        /// Username or email to assign.
+        user: String,
+    },
+}
+
+#[derive(Subcommand, Debug)]
+pub enum ConfigAction {
+    /// Set configuration values for the current context.
+    Set {
+        /// Domain suffix (e.g. sunbeam.pt).
+        #[arg(long, default_value = "")]
+        domain: String,
+        /// Production SSH host (e.g. user@server.example.com).
+        #[arg(long, default_value = "")]
+        host: String,
+        /// Infrastructure directory root.
+        #[arg(long, default_value = "")]
+        infra_dir: String,
+        /// ACME email for Let's Encrypt certificates.
+        #[arg(long, default_value = "")]
+        acme_email: String,
+        /// Context name to configure (default: current context).
+        #[arg(long, default_value = "")]
+        context_name: String,
+    },
+    /// Get current configuration.
+    Get,
+    /// Clear configuration.
+    Clear,
+    /// Switch the active context.
+    UseContext {
+        /// Context name to switch to.
+        name: String,
+    },
+}
+
+#[derive(Subcommand, Debug)]
+pub enum UserAction {
+    /// List identities.
+    List {
+        /// Filter by email.
+        #[arg(long, default_value = "")]
+        search: String,
+    },
+    /// Get identity by email or ID.
+    Get {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Create identity.
+    Create {
+        /// Email address.
+        email: String,
+        /// Display name.
+        #[arg(long, default_value = "")]
+        name: String,
+        /// Schema ID.
+        #[arg(long, default_value = "default")]
+        schema: String,
+    },
+    /// Delete identity.
+    Delete {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Generate recovery link.
+    Recover {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Disable identity + revoke sessions (lockout).
+    Disable {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Re-enable a disabled identity.
+    Enable {
+        /// Email or identity ID.
+        target: String,
+    },
+    /// Set password for an identity.
+    SetPassword {
+        /// Email or identity ID.
+        target: String,
+        /// New password. If omitted, reads from stdin.
+        password: Option<String>,
+    },
+    /// Onboard new user (create + welcome email).
+    Onboard {
+        /// Email address.
+        email: String,
+        /// Display name (First Last).
+        #[arg(long, default_value = "")]
+        name: String,
+        /// Schema ID.
+        #[arg(long, default_value = "employee")]
+        schema: String,
+        /// Skip sending welcome email.
+        #[arg(long)]
+        no_email: bool,
+        /// Send welcome email to this address instead.
+        #[arg(long, default_value = "")]
+        notify: String,
+        /// Job title.
+        #[arg(long, default_value = "")]
+        job_title: String,
+        /// Department.
+        #[arg(long, default_value = "")]
+        department: String,
+        /// Office location.
+        #[arg(long, default_value = "")]
+        office_location: String,
+        /// Hire date (YYYY-MM-DD).
+        #[arg(long, default_value = "", value_parser = validate_date)]
+        hire_date: String,
+        /// Manager name or email.
+        #[arg(long, default_value = "")]
+        manager: String,
+    },
+    /// Offboard user (disable + revoke all).
+    Offboard {
+        /// Email or identity ID.
+        target: String,
+    },
+}
+
+fn validate_date(s: &str) -> std::result::Result<String, String> {
+    if s.is_empty() {
+        return Ok(s.to_string());
+    }
+    chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d")
+        .map(|_| s.to_string())
+        .map_err(|_| format!("Invalid date: '{s}' (expected YYYY-MM-DD)"))
+}
+
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use clap::Parser;
+
+    fn parse(args: &[&str]) -> Cli {
+        Cli::try_parse_from(args).unwrap()
+    }
+
+    // 1. test_up
+    #[test]
+    fn test_up() {
+        let cli = parse(&["sunbeam", "up"]);
+        assert!(matches!(cli.verb, Some(Verb::Up)));
+    }
+
+    // 2. test_status_no_target
+    #[test]
+    fn test_status_no_target() {
+        let cli = parse(&["sunbeam", "status"]);
+        match cli.verb {
+            Some(Verb::Status { target }) => assert!(target.is_none()),
+            _ => panic!("expected Status"),
+        }
+    }
+
+    // 3. test_status_with_namespace
+    #[test]
+    fn test_status_with_namespace() {
+        let cli = parse(&["sunbeam", "status", "ory"]);
+        match cli.verb {
+            Some(Verb::Status { target }) => assert_eq!(target.unwrap(), "ory"),
+            _ => panic!("expected Status"),
+        }
+    }
+
+    // 4. test_logs_no_follow
+    #[test]
+    fn test_logs_no_follow() {
+        let cli = parse(&["sunbeam", "logs", "ory/kratos"]);
+        match cli.verb {
+            Some(Verb::Logs { target, follow }) => {
+                assert_eq!(target, "ory/kratos");
+                assert!(!follow);
+            }
+            _ => panic!("expected Logs"),
+        }
+    }
+
+    // 5. test_logs_follow_short
+    #[test]
+    fn test_logs_follow_short() {
+        let cli = parse(&["sunbeam", "logs", "ory/kratos", "-f"]);
+        match cli.verb {
+            Some(Verb::Logs { follow, .. }) => assert!(follow),
+            _ => panic!("expected Logs"),
+        }
+    }
+
+    // 6. test_build_proxy
+    #[test]
+    fn test_build_proxy() {
+        let cli = parse(&["sunbeam", "build", "proxy"]);
+        match cli.verb {
+            Some(Verb::Build { what, push, deploy, no_cache }) => {
+                assert!(matches!(what, BuildTarget::Proxy));
+                assert!(!push);
+                assert!(!deploy);
+                assert!(!no_cache);
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    // 7. test_build_deploy_flag
+    #[test]
+    fn test_build_deploy_flag() {
+        let cli = parse(&["sunbeam", "build", "proxy", "--deploy"]);
+        match cli.verb {
+            Some(Verb::Build { deploy, push, no_cache, .. }) => {
+                assert!(deploy);
+                // clap does not imply --push; that logic is in dispatch()
+                assert!(!push);
+                assert!(!no_cache);
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    // 8. test_build_invalid_target
+    #[test]
+    fn test_build_invalid_target() {
+        let result = Cli::try_parse_from(&["sunbeam", "build", "notavalidtarget"]);
+        assert!(result.is_err());
+    }
+
+    // 9. test_user_set_password
+    #[test]
+    fn test_user_set_password() {
+        let cli = parse(&["sunbeam", "user", "set-password", "admin@example.com", "hunter2"]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::SetPassword { target, password }) }) => {
+                assert_eq!(target, "admin@example.com");
+                assert_eq!(password, Some("hunter2".to_string()));
+            }
+            _ => panic!("expected User SetPassword"),
+        }
+    }
+
+    #[test]
+    fn test_user_set_password_no_password() {
+        let cli = parse(&["sunbeam", "user", "set-password", "admin@example.com"]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::SetPassword { target, password }) }) => {
+                assert_eq!(target, "admin@example.com");
+                assert!(password.is_none());
+            }
+            _ => panic!("expected User SetPassword"),
+        }
+    }
+
+    // 10. test_user_onboard_basic
+    #[test]
+    fn test_user_onboard_basic() {
+        let cli = parse(&["sunbeam", "user", "onboard", "a@b.com"]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::Onboard {
+                email, name, schema, no_email, notify, ..
+            }) }) => {
+                assert_eq!(email, "a@b.com");
+                assert_eq!(name, "");
+                assert_eq!(schema, "employee");
+                assert!(!no_email);
+                assert_eq!(notify, "");
+            }
+            _ => panic!("expected User Onboard"),
+        }
+    }
+
+    // 11. test_user_onboard_full
+    #[test]
+    fn test_user_onboard_full() {
+        let cli = parse(&[
+            "sunbeam", "user", "onboard", "a@b.com",
+            "--name", "A B", "--schema", "default", "--no-email",
+            "--job-title", "Engineer", "--department", "Dev",
+            "--office-location", "Paris", "--hire-date", "2026-01-15",
+            "--manager", "boss@b.com",
+        ]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::Onboard {
+                email, name, schema, no_email, job_title,
+                department, office_location, hire_date, manager, ..
+            }) }) => {
+                assert_eq!(email, "a@b.com");
+                assert_eq!(name, "A B");
+                assert_eq!(schema, "default");
+                assert!(no_email);
+                assert_eq!(job_title, "Engineer");
+                assert_eq!(department, "Dev");
+                assert_eq!(office_location, "Paris");
+                assert_eq!(hire_date, "2026-01-15");
+                assert_eq!(manager, "boss@b.com");
+            }
+            _ => panic!("expected User Onboard"),
+        }
+    }
+
+    // 12. test_apply_no_namespace
+    #[test]
+    fn test_apply_no_namespace() {
+        let cli = parse(&["sunbeam", "apply"]);
+        match cli.verb {
+            Some(Verb::Apply { namespace, .. }) => assert!(namespace.is_none()),
+            _ => panic!("expected Apply"),
+        }
+    }
+
+    // 13. test_apply_with_namespace
+    #[test]
+    fn test_apply_with_namespace() {
+        let cli = parse(&["sunbeam", "apply", "lasuite"]);
+        match cli.verb {
+            Some(Verb::Apply { namespace, .. }) => assert_eq!(namespace.unwrap(), "lasuite"),
+            _ => panic!("expected Apply"),
+        }
+    }
+
+    // 14. test_config_set
+    #[test]
+    fn test_config_set() {
+        let cli = parse(&[
+            "sunbeam", "config", "set",
+            "--host", "user@example.com",
+            "--infra-dir", "/path/to/infra",
+        ]);
+        match cli.verb {
+            Some(Verb::Config { action: Some(ConfigAction::Set { host, infra_dir, .. }) }) => {
+                assert_eq!(host, "user@example.com");
+                assert_eq!(infra_dir, "/path/to/infra");
+            }
+            _ => panic!("expected Config Set"),
+        }
+    }
+
+    // 15. test_config_get / test_config_clear
+    #[test]
+    fn test_config_get() {
+        let cli = parse(&["sunbeam", "config", "get"]);
+        match cli.verb {
+            Some(Verb::Config { action: Some(ConfigAction::Get) }) => {}
+            _ => panic!("expected Config Get"),
+        }
+    }
+
+    #[test]
+    fn test_config_clear() {
+        let cli = parse(&["sunbeam", "config", "clear"]);
+        match cli.verb {
+            Some(Verb::Config { action: Some(ConfigAction::Clear) }) => {}
+            _ => panic!("expected Config Clear"),
+        }
+    }
+
+    // 16. test_no_args_prints_help
+    #[test]
+    fn test_no_args_prints_help() {
+        let cli = parse(&["sunbeam"]);
+        assert!(cli.verb.is_none());
+    }
+
+    // 17. test_get_json_output
+    #[test]
+    fn test_get_json_output() {
+        let cli = parse(&["sunbeam", "get", "ory/kratos-abc", "-o", "json"]);
+        match cli.verb {
+            Some(Verb::Get { target, output }) => {
+                assert_eq!(target, "ory/kratos-abc");
+                assert_eq!(output, "json");
+            }
+            _ => panic!("expected Get"),
+        }
+    }
+
+    // 18. test_check_with_target
+    #[test]
+    fn test_check_with_target() {
+        let cli = parse(&["sunbeam", "check", "devtools"]);
+        match cli.verb {
+            Some(Verb::Check { target }) => assert_eq!(target.unwrap(), "devtools"),
+            _ => panic!("expected Check"),
+        }
+    }
+
+    // 19. test_build_messages_components
+    #[test]
+    fn test_build_messages_backend() {
+        let cli = parse(&["sunbeam", "build", "messages-backend"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesBackend));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_frontend() {
+        let cli = parse(&["sunbeam", "build", "messages-frontend"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesFrontend));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_mta_in() {
+        let cli = parse(&["sunbeam", "build", "messages-mta-in"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesMtaIn));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_mta_out() {
+        let cli = parse(&["sunbeam", "build", "messages-mta-out"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesMtaOut));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_mpa() {
+        let cli = parse(&["sunbeam", "build", "messages-mpa"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesMpa));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    #[test]
+    fn test_build_messages_socks_proxy() {
+        let cli = parse(&["sunbeam", "build", "messages-socks-proxy"]);
+        match cli.verb {
+            Some(Verb::Build { what, .. }) => {
+                assert!(matches!(what, BuildTarget::MessagesSocksProxy));
+            }
+            _ => panic!("expected Build"),
+        }
+    }
+
+    // 20. test_hire_date_validation
+    #[test]
+    fn test_hire_date_valid() {
+        let cli = parse(&[
+            "sunbeam", "user", "onboard", "a@b.com",
+            "--hire-date", "2026-01-15",
+        ]);
+        match cli.verb {
+            Some(Verb::User { action: Some(UserAction::Onboard { hire_date, .. }) }) => {
+                assert_eq!(hire_date, "2026-01-15");
+            }
+            _ => panic!("expected User Onboard"),
+        }
+    }
+
+    #[test]
+    fn test_hire_date_invalid() {
+        let result = Cli::try_parse_from(&[
+            "sunbeam", "user", "onboard", "a@b.com",
+            "--hire-date", "not-a-date",
+        ]);
+        assert!(result.is_err());
+    }
+}
+
+/// Main dispatch function — parse CLI args and route to subcommands.
+pub async fn dispatch() -> Result<()> {
+    let cli = Cli::parse();
+
+    // Resolve the active context from config + CLI flags (like kubectl)
+    let config = sunbeam_sdk::config::load_config();
+    let active = sunbeam_sdk::config::resolve_context(
+        &config,
+        "",
+        cli.context.as_deref(),
+        &cli.domain,
+    );
+
+    // Initialize kube context from the resolved context
+    let kube_ctx_str = if active.kube_context.is_empty() {
+        "sunbeam".to_string()
+    } else {
+        active.kube_context.clone()
+    };
+    let ssh_host_str = active.ssh_host.clone();
+    sunbeam_sdk::kube::set_context(&kube_ctx_str, &ssh_host_str);
+
+    // Store active context globally for other modules to read
+    sunbeam_sdk::config::set_active_context(active);
+
+    match cli.verb {
+        None => {
+            // Print help via clap
+            use clap::CommandFactory;
+            Cli::command().print_help()?;
+            println!();
+            Ok(())
+        }
+
+        Some(Verb::Up) => sunbeam_sdk::cluster::cmd_up().await,
+
+        Some(Verb::Status { target }) => {
+            sunbeam_sdk::services::cmd_status(target.as_deref()).await
+        }
+
+        Some(Verb::Apply {
+            namespace,
+            apply_all,
+            domain,
+            email,
+        }) => {
+            let is_production = !sunbeam_sdk::config::active_context().ssh_host.is_empty();
+            let env_str = if is_production { "production" } else { "local" };
+            let domain = if domain.is_empty() {
+                cli.domain.clone()
+            } else {
+                domain
+            };
+            let email = if email.is_empty() {
+                cli.email.clone()
+            } else {
+                email
+            };
+            let ns = namespace.unwrap_or_default();
+
+            // Production full-apply requires --all or confirmation
+            if is_production && ns.is_empty() && !apply_all {
+                sunbeam_sdk::output::warn(
+                    "This will apply ALL namespaces to production.",
+                );
+                eprint!("  Continue? [y/N] ");
+                let mut answer = String::new();
+                std::io::stdin().read_line(&mut answer)?;
+                if !matches!(answer.trim().to_lowercase().as_str(), "y" | "yes") {
+                    println!("Aborted.");
+                    return Ok(());
+                }
+            }
+
+            sunbeam_sdk::manifests::cmd_apply(&env_str, &domain, &email, &ns).await
+        }
+
+        Some(Verb::Seed) => sunbeam_sdk::secrets::cmd_seed().await,
+
+        Some(Verb::Verify) => sunbeam_sdk::secrets::cmd_verify().await,
+
+        Some(Verb::Logs { target, follow }) => {
+            sunbeam_sdk::services::cmd_logs(&target, follow).await
+        }
+
+        Some(Verb::Get { target, output }) => {
+            sunbeam_sdk::services::cmd_get(&target, &output).await
+        }
+
+        Some(Verb::Restart { target }) => {
+            sunbeam_sdk::services::cmd_restart(target.as_deref()).await
+        }
+
+        Some(Verb::Build { what, push, deploy, no_cache }) => {
+            let push = push || deploy;
+            sunbeam_sdk::images::cmd_build(&what, push, deploy, no_cache).await
+        }
+
+        Some(Verb::Check { target }) => {
+            sunbeam_sdk::checks::cmd_check(target.as_deref()).await
+        }
+
+        Some(Verb::Mirror) => sunbeam_sdk::images::cmd_mirror().await,
+
+        Some(Verb::Bootstrap) => sunbeam_sdk::gitea::cmd_bootstrap().await,
+
+        Some(Verb::Config { action }) => match action {
+            None => {
+                use clap::CommandFactory;
+                // Print config subcommand help
+                let mut cmd = Cli::command();
+                let sub = cmd
+                    .find_subcommand_mut("config")
+                    .expect("config subcommand");
+                sub.print_help()?;
+                println!();
+                Ok(())
+            }
+            Some(ConfigAction::Set {
+                domain: set_domain,
+                host,
+                infra_dir,
+                acme_email,
+                context_name,
+            }) => {
+                let mut config = sunbeam_sdk::config::load_config();
+                // Determine which context to modify
+                let ctx_name = if context_name.is_empty() {
+                    if !config.current_context.is_empty() {
+                        config.current_context.clone()
+                    } else {
+                        "production".to_string()
+                    }
+                } else {
+                    context_name
+                };
+
+                let ctx = config.contexts.entry(ctx_name.clone()).or_default();
+                if !set_domain.is_empty() {
+                    ctx.domain = set_domain;
+                }
+                if !host.is_empty() {
+                    ctx.ssh_host = host.clone();
+                    config.production_host = host; // keep legacy field in sync
+                }
+                if !infra_dir.is_empty() {
+                    ctx.infra_dir = infra_dir.clone();
+                    config.infra_directory = infra_dir;
+                }
+                if !acme_email.is_empty() {
+                    ctx.acme_email = acme_email.clone();
+                    config.acme_email = acme_email;
+                }
+                if config.current_context.is_empty() {
+                    config.current_context = ctx_name;
+                }
+                sunbeam_sdk::config::save_config(&config)
+            }
+            Some(ConfigAction::UseContext { name }) => {
+                let mut config = sunbeam_sdk::config::load_config();
+                if !config.contexts.contains_key(&name) {
+                    sunbeam_sdk::output::warn(&format!("Context '{name}' does not exist. Creating empty context."));
+                    config.contexts.insert(name.clone(), sunbeam_sdk::config::Context::default());
+                }
+                config.current_context = name.clone();
+                sunbeam_sdk::config::save_config(&config)?;
+                sunbeam_sdk::output::ok(&format!("Switched to context '{name}'."));
+                Ok(())
+            }
+            Some(ConfigAction::Get) => {
+                let config = sunbeam_sdk::config::load_config();
+                let current = if config.current_context.is_empty() {
+                    "(none)"
+                } else {
+                    &config.current_context
+                };
+                sunbeam_sdk::output::ok(&format!("Current context: {current}"));
+                println!();
+                for (name, ctx) in &config.contexts {
+                    let marker = if name == current { " *" } else { "" };
+                    sunbeam_sdk::output::ok(&format!("Context: {name}{marker}"));
+                    if !ctx.domain.is_empty() {
+                        sunbeam_sdk::output::ok(&format!("  domain:       {}", ctx.domain));
+                    }
+                    if !ctx.kube_context.is_empty() {
+                        sunbeam_sdk::output::ok(&format!("  kube-context: {}", ctx.kube_context));
+                    }
+                    if !ctx.ssh_host.is_empty() {
+                        sunbeam_sdk::output::ok(&format!("  ssh-host:     {}", ctx.ssh_host));
+                    }
+                    if !ctx.infra_dir.is_empty() {
+                        sunbeam_sdk::output::ok(&format!("  infra-dir:    {}", ctx.infra_dir));
+                    }
+                    if !ctx.acme_email.is_empty() {
+                        sunbeam_sdk::output::ok(&format!("  acme-email:   {}", ctx.acme_email));
+                    }
+                    println!();
+                }
+                Ok(())
+            }
+            Some(ConfigAction::Clear) => sunbeam_sdk::config::clear_config(),
+        },
+
+        Some(Verb::K8s { kubectl_args }) => {
+            sunbeam_sdk::kube::cmd_k8s(&kubectl_args).await
+        }
+
+        Some(Verb::Bao { bao_args }) => {
+            sunbeam_sdk::kube::cmd_bao(&bao_args).await
+        }
+
+        Some(Verb::User { action }) => match action {
+            None => {
+                use clap::CommandFactory;
+                let mut cmd = Cli::command();
+                let sub = cmd
+                    .find_subcommand_mut("user")
+                    .expect("user subcommand");
+                sub.print_help()?;
+                println!();
+                Ok(())
+            }
+            Some(UserAction::List { search }) => {
+                sunbeam_sdk::users::cmd_user_list(&search).await
+            }
+            Some(UserAction::Get { target }) => {
+                sunbeam_sdk::users::cmd_user_get(&target).await
+            }
+            Some(UserAction::Create {
+                email,
+                name,
+                schema,
+            }) => sunbeam_sdk::users::cmd_user_create(&email, &name, &schema).await,
+            Some(UserAction::Delete { target }) => {
+                sunbeam_sdk::users::cmd_user_delete(&target).await
+            }
+            Some(UserAction::Recover { target }) => {
+                sunbeam_sdk::users::cmd_user_recover(&target).await
+            }
+            Some(UserAction::Disable { target }) => {
+                sunbeam_sdk::users::cmd_user_disable(&target).await
+            }
+            Some(UserAction::Enable { target }) => {
+                sunbeam_sdk::users::cmd_user_enable(&target).await
+            }
+            Some(UserAction::SetPassword { target, password }) => {
+                let pw = match password {
+                    Some(p) => p,
+                    None => {
+                        eprint!("Password: ");
+                        let mut pw = String::new();
+                        std::io::stdin().read_line(&mut pw)?;
+                        pw.trim().to_string()
+                    }
+                };
+                sunbeam_sdk::users::cmd_user_set_password(&target, &pw).await
+            }
+            Some(UserAction::Onboard {
+                email,
+                name,
+                schema,
+                no_email,
+                notify,
+                job_title,
+                department,
+                office_location,
+                hire_date,
+                manager,
+            }) => {
+                sunbeam_sdk::users::cmd_user_onboard(
+                    &email,
+                    &name,
+                    &schema,
+                    !no_email,
+                    &notify,
+                    &job_title,
+                    &department,
+                    &office_location,
+                    &hire_date,
+                    &manager,
+                )
+                .await
+            }
+            Some(UserAction::Offboard { target }) => {
+                sunbeam_sdk::users::cmd_user_offboard(&target).await
+            }
+        },
+
+        Some(Verb::Auth { action }) => match action {
+            None => sunbeam_sdk::auth::cmd_auth_status().await,
+            Some(AuthAction::Login { domain }) => {
+                sunbeam_sdk::auth::cmd_auth_login_all(domain.as_deref()).await
+            }
+            Some(AuthAction::Sso { domain }) => {
+                sunbeam_sdk::auth::cmd_auth_sso_login(domain.as_deref()).await
+            }
+            Some(AuthAction::Git { domain }) => {
+                sunbeam_sdk::auth::cmd_auth_git_login(domain.as_deref()).await
+            }
+            Some(AuthAction::Logout) => sunbeam_sdk::auth::cmd_auth_logout().await,
+            Some(AuthAction::Status) => sunbeam_sdk::auth::cmd_auth_status().await,
+        },
+
+        Some(Verb::Pm { action }) => match action {
+            None => {
+                use clap::CommandFactory;
+                let mut cmd = Cli::command();
+                let sub = cmd
+                    .find_subcommand_mut("pm")
+                    .expect("pm subcommand");
+                sub.print_help()?;
+                println!();
+                Ok(())
+            }
+            Some(PmAction::List { source, state }) => {
+                let src = if source == "all" { None } else { Some(source.as_str()) };
+                sunbeam_sdk::pm::cmd_pm_list(src, &state).await
+            }
+            Some(PmAction::Show { id }) => {
+                sunbeam_sdk::pm::cmd_pm_show(&id).await
+            }
+            Some(PmAction::Create { title, body, source, target }) => {
+                sunbeam_sdk::pm::cmd_pm_create(&title, &body, &source, &target).await
+            }
+            Some(PmAction::Comment { id, text }) => {
+                sunbeam_sdk::pm::cmd_pm_comment(&id, &text).await
+            }
+            Some(PmAction::Close { id }) => {
+                sunbeam_sdk::pm::cmd_pm_close(&id).await
+            }
+            Some(PmAction::Assign { id, user }) => {
+                sunbeam_sdk::pm::cmd_pm_assign(&id, &user).await
+            }
+        },
+
+        Some(Verb::Update) => sunbeam_sdk::update::cmd_update().await,
+
+        Some(Verb::Version) => {
+            sunbeam_sdk::update::cmd_version();
+            Ok(())
+        }
+    }
+}
diff --git a/sunbeam/src/main.rs b/sunbeam/src/main.rs
new file mode 100644
index 0000000..826a5be
--- /dev/null
+++ b/sunbeam/src/main.rs
@@ -0,0 +1,39 @@
+mod cli;
+
+#[tokio::main]
+async fn main() {
+    // Install rustls crypto provider (ring) before any TLS operations.
+    rustls::crypto::ring::default_provider()
+        .install_default()
+        .expect("Failed to install rustls crypto provider");
+
+    // Initialize tracing subscriber.
+    // Respects RUST_LOG env var (e.g. RUST_LOG=debug, RUST_LOG=sunbeam=trace).
+    // Default: warn for dependencies, info for sunbeam + sunbeam_sdk.
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            tracing_subscriber::EnvFilter::try_from_default_env().unwrap_or_else(|_| {
+                tracing_subscriber::EnvFilter::new("sunbeam=info,sunbeam_sdk=info,warn")
+            }),
+        )
+        .with_target(false)
+        .with_writer(std::io::stderr)
+        .init();
+
+    match cli::dispatch().await {
+        Ok(()) => {}
+        Err(e) => {
+            let code = e.exit_code();
+            tracing::error!("{e}");
+
+            // Print source chain for non-trivial errors
+            let mut source = std::error::Error::source(&e);
+            while let Some(cause) = source {
+                tracing::debug!("caused by: {cause}");
+                source = std::error::Error::source(cause);
+            }
+
+            std::process::exit(code);
+        }
+    }
+}
diff --git a/sunbeam/tests/test_cli.py b/sunbeam/tests/test_cli.py
index ab4aea2..f9d2ef7 100644
--- a/sunbeam/tests/test_cli.py
+++ b/sunbeam/tests/test_cli.py
@@ -63,7 +63,20 @@ class TestArgParsing(unittest.TestCase):
         p_user_set_pw = user_sub.add_parser("set-password")
         p_user_set_pw.add_argument("target")
         p_user_set_pw.add_argument("password")
-        
+        p_user_onboard = user_sub.add_parser("onboard")
+        p_user_onboard.add_argument("email")
+        p_user_onboard.add_argument("--name", default="")
+        p_user_onboard.add_argument("--schema", default="employee")
+        p_user_onboard.add_argument("--no-email", action="store_true")
+        p_user_onboard.add_argument("--notify", default="")
+        p_user_onboard.add_argument("--job-title", default="")
+        p_user_onboard.add_argument("--department", default="")
+        p_user_onboard.add_argument("--office-location", default="")
+        p_user_onboard.add_argument("--hire-date", default="")
+        p_user_onboard.add_argument("--manager", default="")
+        p_user_offboard = user_sub.add_parser("offboard")
+        p_user_offboard.add_argument("target")
+
         # Add config subcommand for testing
         p_config = sub.add_parser("config")
         config_sub = p_config.add_subparsers(dest="config_action")
@@ -155,6 +168,42 @@ class TestArgParsing(unittest.TestCase):
         self.assertEqual(args.email, "x@example.com")
         self.assertEqual(args.name, "X Y")
 
+    def test_user_onboard_basic(self):
+        args = self._parse(["user", "onboard", "a@b.com"])
+        self.assertEqual(args.user_action, "onboard")
+        self.assertEqual(args.email, "a@b.com")
+        self.assertEqual(args.name, "")
+        self.assertEqual(args.schema, "employee")
+        self.assertFalse(args.no_email)
+        self.assertEqual(args.notify, "")
+
+    def test_user_onboard_full(self):
+        args = self._parse(["user", "onboard", "a@b.com", "--name", "A B", "--schema", "default",
+                            "--no-email", "--job-title", "Engineer", "--department", "Dev",
+                            "--office-location", "Paris", "--hire-date", "2026-01-15",
+                            "--manager", "boss@b.com"])
+        self.assertEqual(args.user_action, "onboard")
+        self.assertEqual(args.email, "a@b.com")
+        self.assertEqual(args.name, "A B")
+        self.assertEqual(args.schema, "default")
+        self.assertTrue(args.no_email)
+        self.assertEqual(args.job_title, "Engineer")
+        self.assertEqual(args.department, "Dev")
+        self.assertEqual(args.office_location, "Paris")
+        self.assertEqual(args.hire_date, "2026-01-15")
+        self.assertEqual(args.manager, "boss@b.com")
+
+    def test_user_onboard_notify(self):
+        args = self._parse(["user", "onboard", "a@work.com", "--notify", "a@personal.com"])
+        self.assertEqual(args.email, "a@work.com")
+        self.assertEqual(args.notify, "a@personal.com")
+        self.assertFalse(args.no_email)
+
+    def test_user_offboard(self):
+        args = self._parse(["user", "offboard", "a@b.com"])
+        self.assertEqual(args.user_action, "offboard")
+        self.assertEqual(args.target, "a@b.com")
+
     def test_get_with_target(self):
         args = self._parse(["get", "ory/kratos-abc"])
         self.assertEqual(args.verb, "get")
@@ -259,6 +308,16 @@ class TestArgParsing(unittest.TestCase):
 class TestCliDispatch(unittest.TestCase):
     """Test that main() dispatches to the correct command function."""
 
+    @staticmethod
+    def _mock_users(**overrides):
+        defaults = {f: MagicMock() for f in [
+            "cmd_user_list", "cmd_user_get", "cmd_user_create", "cmd_user_delete",
+            "cmd_user_recover", "cmd_user_disable", "cmd_user_enable",
+            "cmd_user_set_password", "cmd_user_onboard", "cmd_user_offboard",
+        ]}
+        defaults.update(overrides)
+        return MagicMock(**defaults)
+
     def test_no_verb_exits_0(self):
         with patch.object(sys, "argv", ["sunbeam"]):
             from sunbeam import cli
@@ -356,7 +415,7 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("proxy", push=False, deploy=False)
+        mock_build.assert_called_once_with("proxy", push=False, deploy=False, no_cache=False)
 
     def test_build_with_push_flag(self):
         mock_build = MagicMock()
@@ -368,7 +427,7 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("integration", push=True, deploy=False)
+        mock_build.assert_called_once_with("integration", push=True, deploy=False, no_cache=False)
 
     def test_build_with_deploy_flag_implies_push(self):
         mock_build = MagicMock()
@@ -380,16 +439,11 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("proxy", push=True, deploy=True)
+        mock_build.assert_called_once_with("proxy", push=True, deploy=True, no_cache=False)
 
     def test_user_set_password_dispatches(self):
         mock_set_pw = MagicMock()
-        mock_users = MagicMock(
-            cmd_user_list=MagicMock(), cmd_user_get=MagicMock(),
-            cmd_user_create=MagicMock(), cmd_user_delete=MagicMock(),
-            cmd_user_recover=MagicMock(), cmd_user_disable=MagicMock(),
-            cmd_user_enable=MagicMock(), cmd_user_set_password=mock_set_pw,
-        )
+        mock_users = self._mock_users(cmd_user_set_password=mock_set_pw)
         with patch.object(sys, "argv", ["sunbeam", "user", "set-password",
                                         "admin@sunbeam.pt", "s3cr3t"]):
             with patch.dict("sys.modules", {"sunbeam.users": mock_users}):
@@ -403,12 +457,7 @@ class TestCliDispatch(unittest.TestCase):
 
     def test_user_disable_dispatches(self):
         mock_disable = MagicMock()
-        mock_users = MagicMock(
-            cmd_user_list=MagicMock(), cmd_user_get=MagicMock(),
-            cmd_user_create=MagicMock(), cmd_user_delete=MagicMock(),
-            cmd_user_recover=MagicMock(), cmd_user_disable=mock_disable,
-            cmd_user_enable=MagicMock(), cmd_user_set_password=MagicMock(),
-        )
+        mock_users = self._mock_users(cmd_user_disable=mock_disable)
         with patch.object(sys, "argv", ["sunbeam", "user", "disable", "x@sunbeam.pt"]):
             with patch.dict("sys.modules", {"sunbeam.users": mock_users}):
                 import importlib, sunbeam.cli as cli_mod
@@ -421,12 +470,7 @@ class TestCliDispatch(unittest.TestCase):
 
     def test_user_enable_dispatches(self):
         mock_enable = MagicMock()
-        mock_users = MagicMock(
-            cmd_user_list=MagicMock(), cmd_user_get=MagicMock(),
-            cmd_user_create=MagicMock(), cmd_user_delete=MagicMock(),
-            cmd_user_recover=MagicMock(), cmd_user_disable=MagicMock(),
-            cmd_user_enable=mock_enable, cmd_user_set_password=MagicMock(),
-        )
+        mock_users = self._mock_users(cmd_user_enable=mock_enable)
         with patch.object(sys, "argv", ["sunbeam", "user", "enable", "x@sunbeam.pt"]):
             with patch.dict("sys.modules", {"sunbeam.users": mock_users}):
                 import importlib, sunbeam.cli as cli_mod
@@ -471,7 +515,7 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("people", push=False, deploy=False)
+        mock_build.assert_called_once_with("people", push=False, deploy=False, no_cache=False)
 
     def test_build_people_push_dispatches(self):
         mock_build = MagicMock()
@@ -483,7 +527,7 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("people", push=True, deploy=False)
+        mock_build.assert_called_once_with("people", push=True, deploy=False, no_cache=False)
 
     def test_build_people_deploy_implies_push(self):
         mock_build = MagicMock()
@@ -495,7 +539,7 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("people", push=True, deploy=True)
+        mock_build.assert_called_once_with("people", push=True, deploy=True, no_cache=False)
 
     def test_build_meet_dispatches(self):
         mock_build = MagicMock()
@@ -507,7 +551,7 @@ class TestCliDispatch(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        mock_build.assert_called_once_with("meet", push=False, deploy=False)
+        mock_build.assert_called_once_with("meet", push=False, deploy=False, no_cache=False)
 
     def test_check_no_target(self):
         mock_check = MagicMock()
@@ -534,6 +578,56 @@ class TestCliDispatch(unittest.TestCase):
         mock_check.assert_called_once_with("lasuite/people")
 
 
+    def test_user_onboard_dispatches(self):
+        mock_onboard = MagicMock()
+        mock_users = self._mock_users(cmd_user_onboard=mock_onboard)
+        with patch.object(sys, "argv", ["sunbeam", "user", "onboard",
+                                        "new@sunbeam.pt", "--name", "New User"]):
+            with patch.dict("sys.modules", {"sunbeam.users": mock_users}):
+                import importlib, sunbeam.cli as cli_mod
+                importlib.reload(cli_mod)
+                try:
+                    cli_mod.main()
+                except SystemExit:
+                    pass
+        mock_onboard.assert_called_once_with("new@sunbeam.pt", name="New User",
+                                             schema_id="employee", send_email=True,
+                                             notify="", job_title="", department="",
+                                             office_location="", hire_date="",
+                                             manager="")
+
+    def test_user_onboard_no_email_dispatches(self):
+        mock_onboard = MagicMock()
+        mock_users = self._mock_users(cmd_user_onboard=mock_onboard)
+        with patch.object(sys, "argv", ["sunbeam", "user", "onboard",
+                                        "new@sunbeam.pt", "--no-email"]):
+            with patch.dict("sys.modules", {"sunbeam.users": mock_users}):
+                import importlib, sunbeam.cli as cli_mod
+                importlib.reload(cli_mod)
+                try:
+                    cli_mod.main()
+                except SystemExit:
+                    pass
+        mock_onboard.assert_called_once_with("new@sunbeam.pt", name="",
+                                             schema_id="employee", send_email=False,
+                                             notify="", job_title="", department="",
+                                             office_location="", hire_date="",
+                                             manager="")
+
+    def test_user_offboard_dispatches(self):
+        mock_offboard = MagicMock()
+        mock_users = self._mock_users(cmd_user_offboard=mock_offboard)
+        with patch.object(sys, "argv", ["sunbeam", "user", "offboard", "x@sunbeam.pt"]):
+            with patch.dict("sys.modules", {"sunbeam.users": mock_users}):
+                import importlib, sunbeam.cli as cli_mod
+                importlib.reload(cli_mod)
+                try:
+                    cli_mod.main()
+                except SystemExit:
+                    pass
+        mock_offboard.assert_called_once_with("x@sunbeam.pt")
+
+
 class TestConfigCli(unittest.TestCase):
     """Test config subcommand functionality."""
 
@@ -643,14 +737,18 @@ class TestConfigCli(unittest.TestCase):
 
     def test_config_cli_set_dispatch(self):
         """Test that config set CLI dispatches correctly."""
+        mock_existing = MagicMock()
+        mock_existing.production_host = "old@example.com"
+        mock_existing.infra_directory = "/old/infra"
+        mock_existing.acme_email = ""
         mock_save = MagicMock()
         mock_config = MagicMock(
-            SunbeamConfig=MagicMock(return_value="mock_config"),
+            load_config=MagicMock(return_value=mock_existing),
             save_config=mock_save
         )
-        
-        with patch.object(sys, "argv", ["sunbeam", "config", "set", 
-                                        "--host", "cli@example.com", 
+
+        with patch.object(sys, "argv", ["sunbeam", "config", "set",
+                                        "--host", "cli@example.com",
                                         "--infra-dir", "/cli/infra"]):
             with patch.dict("sys.modules", {"sunbeam.config": mock_config}):
                 import importlib, sunbeam.cli as cli_mod
@@ -659,14 +757,12 @@ class TestConfigCli(unittest.TestCase):
                     cli_mod.main()
                 except SystemExit:
                     pass
-        
-        # Verify SunbeamConfig was called with correct args
-        mock_config.SunbeamConfig.assert_called_once_with(
-            production_host="cli@example.com",
-            infra_directory="/cli/infra"
-        )
-        # Verify save_config was called
-        mock_save.assert_called_once_with("mock_config")
+
+        # Verify existing config was loaded and updated
+        self.assertEqual(mock_existing.production_host, "cli@example.com")
+        self.assertEqual(mock_existing.infra_directory, "/cli/infra")
+        # Verify save_config was called with the updated config
+        mock_save.assert_called_once_with(mock_existing)
 
     def test_config_cli_get_dispatch(self):
         """Test that config get CLI dispatches correctly."""
diff --git a/sunbeam/tools.py b/sunbeam/tools.py
index 4030668..be2ef9c 100644
--- a/sunbeam/tools.py
+++ b/sunbeam/tools.py
@@ -1,10 +1,13 @@
-"""Binary bundler — downloads kubectl, kustomize, helm at pinned versions.
+"""Binary bundler — downloads kubectl, kustomize, helm, buildctl at pinned versions.
 
 Binaries are cached in ~/.local/share/sunbeam/bin/ and SHA256-verified.
+Platform (OS + arch) is detected at runtime so the same package works on
+darwin/arm64 (development Mac), darwin/amd64, linux/arm64, and linux/amd64.
 """
 import hashlib
 import io
 import os
+import platform
 import stat
 import subprocess
 import tarfile
@@ -13,26 +16,79 @@ from pathlib import Path
 
 CACHE_DIR = Path.home() / ".local/share/sunbeam/bin"
 
-TOOLS: dict[str, dict] = {
+# Tool specs — URL and extract templates use {version}, {os}, {arch}.
+# {os}   : darwin | linux
+# {arch} : arm64  | amd64
+_TOOL_SPECS: dict[str, dict] = {
     "kubectl": {
         "version": "v1.32.2",
-        "url": "https://dl.k8s.io/release/v1.32.2/bin/darwin/arm64/kubectl",
-        "sha256": "",  # set to actual hash; empty = skip verify
+        "url": "https://dl.k8s.io/release/{version}/bin/{os}/{arch}/kubectl",
+        # plain binary, no archive
     },
     "kustomize": {
         "version": "v5.8.1",
-        "url": "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.8.1/kustomize_v5.8.1_darwin_arm64.tar.gz",
-        "sha256": "",
+        "url": (
+            "https://github.com/kubernetes-sigs/kustomize/releases/download/"
+            "kustomize%2F{version}/kustomize_{version}_{os}_{arch}.tar.gz"
+        ),
         "extract": "kustomize",
     },
     "helm": {
         "version": "v4.1.0",
-        "url": "https://get.helm.sh/helm-v4.1.0-darwin-arm64.tar.gz",
-        "sha256": "82f7065bf4e08d4c8d7881b85c0a080581ef4968a4ae6df4e7b432f8f7a88d0c",
-        "extract": "darwin-arm64/helm",
+        "url": "https://get.helm.sh/helm-{version}-{os}-{arch}.tar.gz",
+        "extract": "{os}-{arch}/helm",
+        "sha256": {
+            "darwin_arm64": "82f7065bf4e08d4c8d7881b85c0a080581ef4968a4ae6df4e7b432f8f7a88d0c",
+        },
+    },
+    "buildctl": {
+        "version": "v0.28.0",
+        # BuildKit releases: buildkit-v0.28.0.linux.amd64.tar.gz
+        "url": (
+            "https://github.com/moby/buildkit/releases/download/{version}/"
+            "buildkit-{version}.{os}-{arch}.tar.gz"
+        ),
+        "extract": "bin/buildctl",
     },
 }
 
+# Expose as TOOLS for callers that do `if "helm" in TOOLS`.
+TOOLS = _TOOL_SPECS
+
+
+def _detect_platform() -> tuple[str, str]:
+    """Return (os_name, arch) for the current host."""
+    sys_os = platform.system().lower()
+    machine = platform.machine().lower()
+    os_name = {"darwin": "darwin", "linux": "linux"}.get(sys_os)
+    if not os_name:
+        raise RuntimeError(f"Unsupported OS: {sys_os}")
+    arch = "arm64" if machine in ("arm64", "aarch64") else "amd64"
+    return os_name, arch
+
+
+def _resolve_spec(name: str) -> dict:
+    """Return a tool spec with {os} / {arch} / {version} substituted.
+
+    Uses the module-level TOOLS dict so that tests can patch it.
+    """
+    if name not in TOOLS:
+        raise ValueError(f"Unknown tool: {name}")
+    os_name, arch = _detect_platform()
+    raw = TOOLS[name]
+    version = raw.get("version", "")
+    fmt = {"version": version, "os": os_name, "arch": arch}
+    spec = dict(raw)
+    spec["version"] = version
+    spec["url"] = raw["url"].format(**fmt)
+    if "extract" in raw:
+        spec["extract"] = raw["extract"].format(**fmt)
+    # sha256 may be a per-platform dict {"darwin_arm64": "..."} or a plain string.
+    sha256_val = raw.get("sha256", {})
+    if isinstance(sha256_val, dict):
+        spec["sha256"] = sha256_val.get(f"{os_name}_{arch}", "")
+    return spec
+
 
 def _sha256(path: Path) -> str:
     h = hashlib.sha256()
@@ -45,12 +101,10 @@ def _sha256(path: Path) -> str:
 def ensure_tool(name: str) -> Path:
     """Return path to cached binary, downloading + verifying if needed.
 
-    Re-downloads automatically when the pinned version in TOOLS changes.
+    Re-downloads automatically when the pinned version in _TOOL_SPECS changes.
     A <name>.version sidecar file records the version of the cached binary.
     """
-    if name not in TOOLS:
-        raise ValueError(f"Unknown tool: {name}")
-    spec = TOOLS[name]
+    spec = _resolve_spec(name)
     CACHE_DIR.mkdir(parents=True, exist_ok=True)
     dest = CACHE_DIR / name
     version_file = CACHE_DIR / f"{name}.version"
@@ -58,7 +112,6 @@ def ensure_tool(name: str) -> Path:
     expected_sha = spec.get("sha256", "")
     expected_version = spec.get("version", "")
 
-    # Use cached binary if version matches (or no version pinned) and SHA passes
     if dest.exists():
         version_ok = (
             not expected_version
@@ -67,18 +120,17 @@ def ensure_tool(name: str) -> Path:
         sha_ok = not expected_sha or _sha256(dest) == expected_sha
         if version_ok and sha_ok:
             return dest
+
     # Version mismatch or SHA mismatch — re-download
     if dest.exists():
         dest.unlink()
     if version_file.exists():
         version_file.unlink()
 
-    # Download
     url = spec["url"]
     with urllib.request.urlopen(url) as resp:  # noqa: S310
         data = resp.read()
 
-    # Extract from tar.gz if needed
     extract_path = spec.get("extract")
     if extract_path:
         with tarfile.open(fileobj=io.BytesIO(data)) as tf:
@@ -88,10 +140,8 @@ def ensure_tool(name: str) -> Path:
     else:
         binary_data = data
 
-    # Write to cache
     dest.write_bytes(binary_data)
 
-    # Verify SHA256 (after extraction)
     if expected_sha:
         actual = _sha256(dest)
         if actual != expected_sha:
@@ -100,9 +150,7 @@ def ensure_tool(name: str) -> Path:
                 f"SHA256 mismatch for {name}: expected {expected_sha}, got {actual}"
             )
 
-    # Make executable
     dest.chmod(dest.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
-    # Record version so future calls skip re-download when version unchanged
     version_file.write_text(expected_version)
     return dest
 
@@ -116,9 +164,8 @@ def run_tool(name: str, *args, **kwargs) -> subprocess.CompletedProcess:
     env = kwargs.pop("env", None)
     if env is None:
         env = os.environ.copy()
-    # kustomize needs helm on PATH for helm chart rendering
     if name == "kustomize":
         if "helm" in TOOLS:
-            ensure_tool("helm")  # ensure bundled helm is present before kustomize runs
+            ensure_tool("helm")
         env["PATH"] = str(CACHE_DIR) + os.pathsep + env.get("PATH", "")
     return subprocess.run([str(bin_path), *args], env=env, **kwargs)
diff --git a/sunbeam/users.py b/sunbeam/users.py
index 355052c..9464a38 100644
--- a/sunbeam/users.py
+++ b/sunbeam/users.py
@@ -1,19 +1,23 @@
 """User management — Kratos identity operations via port-forwarded admin API."""
 import json
+import smtplib
 import subprocess
 import sys
 import time
 import urllib.request
 import urllib.error
 from contextlib import contextmanager
+from email.message import EmailMessage
 
 import sunbeam.kube as _kube_mod
 from sunbeam.output import step, ok, warn, die, table
 
+_SMTP_LOCAL_PORT = 10025
+
 
 @contextmanager
 def _port_forward(ns="ory", svc="kratos-admin", local_port=4434, remote_port=80):
-    """Port-forward directly to the Kratos admin HTTP API and yield the local URL."""
+    """Port-forward to a cluster service and yield the local base URL."""
     proc = subprocess.Popen(
         ["kubectl", _kube_mod.context_arg(), "-n", ns, "port-forward",
          f"svc/{svc}", f"{local_port}:{remote_port}"],
@@ -28,23 +32,25 @@ def _port_forward(ns="ory", svc="kratos-admin", local_port=4434, remote_port=80)
         proc.wait()
 
 
-def _api(base_url, path, method="GET", body=None):
-    """Make a request to the Kratos admin API via port-forward."""
-    url = f"{base_url}/admin{path}"
+def _api(base_url, path, method="GET", body=None, prefix="/admin", ok_statuses=()):
+    """Make a request to an admin API via port-forward."""
+    url = f"{base_url}{prefix}{path}"
     data = json.dumps(body).encode() if body is not None else None
     headers = {"Content-Type": "application/json", "Accept": "application/json"}
     req = urllib.request.Request(url, data=data, headers=headers, method=method)
     try:
         with urllib.request.urlopen(req) as resp:
-            body = resp.read()
-            return json.loads(body) if body else None
+            resp_body = resp.read()
+            return json.loads(resp_body) if resp_body else None
     except urllib.error.HTTPError as e:
-        body_text = e.read().decode()
-        die(f"API error {e.code}: {body_text}")
+        if e.code in ok_statuses:
+            return None
+        err_text = e.read().decode()
+        die(f"API error {e.code}: {err_text}")
 
 
-def _find_identity(base_url, target):
-    """Find identity by email or ID. Returns identity dict."""
+def _find_identity(base_url, target, required=True):
+    """Find identity by email or ID. Returns identity dict or None if not required."""
     # Try as ID first
     if len(target) == 36 and target.count("-") == 4:
         return _api(base_url, f"/identities/{target}")
@@ -52,7 +58,31 @@ def _find_identity(base_url, target):
     result = _api(base_url, f"/identities?credentials_identifier={target}&page_size=1")
     if isinstance(result, list) and result:
         return result[0]
-    die(f"Identity not found: {target}")
+    if required:
+        die(f"Identity not found: {target}")
+    return None
+
+
+def _identity_put_body(identity, state=None, **extra):
+    """Build the PUT body for updating an identity, preserving all required fields."""
+    body = {
+        "schema_id": identity["schema_id"],
+        "traits": identity["traits"],
+        "state": state or identity.get("state", "active"),
+        "metadata_public": identity.get("metadata_public"),
+        "metadata_admin": identity.get("metadata_admin"),
+    }
+    body.update(extra)
+    return body
+
+
+def _generate_recovery(base_url, identity_id):
+    """Generate a 24h recovery code. Returns (link, code)."""
+    recovery = _api(base_url, "/recovery/code", method="POST", body={
+        "identity_id": identity_id,
+        "expires_in": "24h",
+    })
+    return recovery.get("recovery_link", ""), recovery.get("recovery_code", "")
 
 
 def cmd_user_list(search=""):
@@ -67,11 +97,17 @@ def cmd_user_list(search=""):
     for i in identities or []:
         traits = i.get("traits", {})
         email = traits.get("email", "")
-        name = traits.get("name", {})
-        if isinstance(name, dict):
-            display_name = f"{name.get('first', '')} {name.get('last', '')}".strip()
+        # Support both employee (given_name/family_name) and default (name.first/last) schemas
+        given = traits.get("given_name", "")
+        family = traits.get("family_name", "")
+        if given or family:
+            display_name = f"{given} {family}".strip()
         else:
-            display_name = str(name) if name else ""
+            name = traits.get("name", {})
+            if isinstance(name, dict):
+                display_name = f"{name.get('first', '')} {name.get('last', '')}".strip()
+            else:
+                display_name = str(name) if name else ""
         rows.append([i["id"][:8] + "...", email, display_name, i.get("state", "active")])
 
     print(table(rows, ["ID", "Email", "Name", "State"]))
@@ -100,17 +136,12 @@ def cmd_user_create(email, name="", schema_id="default"):
     with _port_forward() as base:
         identity = _api(base, "/identities", method="POST", body=body)
         ok(f"Created identity: {identity['id']}")
-
-        # Generate recovery code (link is deprecated in Kratos v1.x)
-        recovery = _api(base, "/recovery/code", method="POST", body={
-            "identity_id": identity["id"],
-            "expires_in": "24h",
-        })
+        link, code = _generate_recovery(base, identity["id"])
 
     ok("Recovery link (valid 24h):")
-    print(recovery.get("recovery_link", ""))
+    print(link)
     ok("Recovery code (enter on the page above):")
-    print(recovery.get("recovery_code", ""))
+    print(code)
 
 
 def cmd_user_delete(target):
@@ -131,14 +162,11 @@ def cmd_user_recover(target):
     step(f"Generating recovery link for: {target}")
     with _port_forward() as base:
         identity = _find_identity(base, target)
-        recovery = _api(base, "/recovery/code", method="POST", body={
-            "identity_id": identity["id"],
-            "expires_in": "24h",
-        })
+        link, code = _generate_recovery(base, identity["id"])
     ok("Recovery link (valid 24h):")
-    print(recovery.get("recovery_link", ""))
+    print(link)
     ok("Recovery code (enter on the page above):")
-    print(recovery.get("recovery_code", ""))
+    print(code)
 
 
 def cmd_user_disable(target):
@@ -153,13 +181,8 @@ def cmd_user_disable(target):
     with _port_forward() as base:
         identity = _find_identity(base, target)
         iid = identity["id"]
-        _api(base, f"/identities/{iid}", method="PUT", body={
-            "schema_id": identity["schema_id"],
-            "traits": identity["traits"],
-            "state": "inactive",
-            "metadata_public": identity.get("metadata_public"),
-            "metadata_admin": identity.get("metadata_admin"),
-        })
+        _api(base, f"/identities/{iid}", method="PUT",
+             body=_identity_put_body(identity, state="inactive"))
         _api(base, f"/identities/{iid}/sessions", method="DELETE")
     ok(f"Identity {iid[:8]}... disabled and all Kratos sessions revoked.")
     warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE — currently 1h.")
@@ -171,18 +194,10 @@ def cmd_user_set_password(target, password):
     with _port_forward() as base:
         identity = _find_identity(base, target)
         iid = identity["id"]
-        _api(base, f"/identities/{iid}", method="PUT", body={
-            "schema_id": identity["schema_id"],
-            "traits": identity["traits"],
-            "state": identity.get("state", "active"),
-            "metadata_public": identity.get("metadata_public"),
-            "metadata_admin": identity.get("metadata_admin"),
-            "credentials": {
-                "password": {
-                    "config": {"password": password},
-                },
-            },
-        })
+        _api(base, f"/identities/{iid}", method="PUT",
+             body=_identity_put_body(identity, credentials={
+                 "password": {"config": {"password": password}},
+             }))
     ok(f"Password set for {iid[:8]}...")
 
 
@@ -192,11 +207,322 @@ def cmd_user_enable(target):
     with _port_forward() as base:
         identity = _find_identity(base, target)
         iid = identity["id"]
-        _api(base, f"/identities/{iid}", method="PUT", body={
-            "schema_id": identity["schema_id"],
-            "traits": identity["traits"],
-            "state": "active",
-            "metadata_public": identity.get("metadata_public"),
-            "metadata_admin": identity.get("metadata_admin"),
-        })
+        _api(base, f"/identities/{iid}", method="PUT",
+             body=_identity_put_body(identity, state="active"))
     ok(f"Identity {iid[:8]}... re-enabled.")
+
+
+def _send_welcome_email(domain, email, name, recovery_link, recovery_code,
+                        job_title="", department=""):
+    """Send a welcome email via cluster Postfix (port-forward to svc/postfix in lasuite)."""
+    greeting = f"Hi {name}" if name else "Hi"
+    body_text = f"""{greeting},
+
+Welcome to Sunbeam Studios!{f" You're joining as {job_title} in the {department} department." if job_title and department else ""} Your account has been created.
+
+To set your password, open this link and enter the recovery code below:
+
+  Link: {recovery_link}
+  Code: {recovery_code}
+
+This link expires in 24 hours.
+
+Once signed in you will be prompted to set up 2FA (mandatory).
+
+After that, head to https://auth.{domain}/settings to set up your
+profile — add your name, profile picture, and any other details.
+
+Your services:
+  Calendar:     https://cal.{domain}
+  Drive:        https://drive.{domain}
+  Mail:         https://mail.{domain}
+  Meet:         https://meet.{domain}
+  Projects:     https://projects.{domain}
+  Source Code:  https://src.{domain}
+
+Messages (Matrix):
+  Download Element for your platform:
+    Desktop: https://element.io/download
+    iOS:     https://apps.apple.com/app/element-messenger/id1083446067
+    Android: https://play.google.com/store/apps/details?id=im.vector.app
+
+  Setup:
+    1. Open Element and tap "Sign in"
+    2. Tap "Edit" next to the homeserver field (matrix.org)
+    3. Enter: https://messages.{domain}
+    4. Tap "Continue" — you'll be redirected to Sunbeam Studios SSO
+    5. Sign in with your {domain} email and password
+
+\u2014 With Love & Warmth, Sunbeam Studios
+"""
+    msg = EmailMessage()
+    msg["Subject"] = "Welcome to Sunbeam Studios — Set Your Password"
+    msg["From"] = f"Sunbeam Studios <noreply@{domain}>"
+    msg["To"] = email
+    msg.set_content(body_text)
+
+    with _port_forward(ns="lasuite", svc="postfix", local_port=_SMTP_LOCAL_PORT, remote_port=25):
+        with smtplib.SMTP("localhost", _SMTP_LOCAL_PORT) as smtp:
+            smtp.send_message(msg)
+    ok(f"Welcome email sent to {email}")
+
+
+def _next_employee_id(base_url):
+    """Find the next sequential employee ID by scanning all employee identities."""
+    identities = _api(base_url, "/identities?page_size=200") or []
+    max_num = 0
+    for ident in identities:
+        eid = ident.get("traits", {}).get("employee_id", "")
+        if eid and eid.isdigit():
+            max_num = max(max_num, int(eid))
+    return str(max_num + 1)
+
+
+def _create_mailbox(email, name=""):
+    """Create a mailbox in Messages via kubectl exec into the backend."""
+    local_part, domain_part = email.split("@", 1)
+    display_name = name or local_part
+    step(f"Creating mailbox: {email}")
+    result = _kube_mod.kube_out(
+        "exec", "deployment/messages-backend", "-n", "lasuite",
+        "-c", "messages-backend", "--",
+        "python", "manage.py", "shell", "-c",
+        f"""
+mb, created = Mailbox.objects.get_or_create(
+    local_part="{local_part}",
+    domain=MailDomain.objects.get(name="{domain_part}"),
+)
+print("created" if created else "exists")
+""",
+    )
+    if "created" in (result or ""):
+        ok(f"Mailbox {email} created.")
+    elif "exists" in (result or ""):
+        ok(f"Mailbox {email} already exists.")
+    else:
+        warn(f"Could not create mailbox (Messages backend may not be running): {result}")
+
+
+def _delete_mailbox(email):
+    """Delete a mailbox and associated Django user in Messages."""
+    local_part, domain_part = email.split("@", 1)
+    step(f"Cleaning up mailbox: {email}")
+    result = _kube_mod.kube_out(
+        "exec", "deployment/messages-backend", "-n", "lasuite",
+        "-c", "messages-backend", "--",
+        "python", "manage.py", "shell", "-c",
+        f"""
+from django.contrib.auth import get_user_model
+User = get_user_model()
+# Delete mailbox + access + contacts
+deleted = 0
+for mb in Mailbox.objects.filter(local_part="{local_part}", domain__name="{domain_part}"):
+    mb.delete()
+    deleted += 1
+# Delete Django user
+try:
+    u = User.objects.get(email="{email}")
+    u.delete()
+    deleted += 1
+except User.DoesNotExist:
+    pass
+print(f"deleted {{deleted}}")
+""",
+    )
+    if "deleted" in (result or ""):
+        ok(f"Mailbox and user cleaned up.")
+    else:
+        warn(f"Could not clean up mailbox: {result}")
+
+
+def _setup_projects_user(email, name=""):
+    """Create a Projects (Planka) user and add them as manager of the Default project."""
+    step(f"Setting up Projects user: {email}")
+    js = f"""
+const knex = require('knex')({{client: 'pg', connection: process.env.DATABASE_URL}});
+async function go() {{
+  // Create or find user
+  let user = await knex('user_account').where({{email: '{email}'}}).first();
+  if (!user) {{
+    const id = Date.now().toString();
+    await knex('user_account').insert({{
+      id, email: '{email}', name: '{name}', password: '',
+      is_admin: true, is_sso: true, language: 'en-US',
+      created_at: new Date(), updated_at: new Date()
+    }});
+    user = {{id}};
+    console.log('user_created');
+  }} else {{
+    console.log('user_exists');
+  }}
+  // Add to Default project
+  const project = await knex('project').where({{name: 'Default'}}).first();
+  if (project) {{
+    const exists = await knex('project_manager').where({{project_id: project.id, user_id: user.id}}).first();
+    if (!exists) {{
+      await knex('project_manager').insert({{
+        id: (Date.now()+1).toString(), project_id: project.id,
+        user_id: user.id, created_at: new Date()
+      }});
+      console.log('manager_added');
+    }} else {{
+      console.log('manager_exists');
+    }}
+  }} else {{
+    console.log('no_default_project');
+  }}
+}}
+go().then(() => process.exit(0)).catch(e => {{ console.error(e.message); process.exit(1); }});
+"""
+    result = _kube_mod.kube_out(
+        "exec", "deployment/projects", "-n", "lasuite",
+        "-c", "projects", "--", "node", "-e", js,
+    )
+    if "manager_added" in (result or "") or "manager_exists" in (result or ""):
+        ok(f"Projects user ready.")
+    elif "no_default_project" in (result or ""):
+        warn("No Default project found in Projects — skip.")
+    else:
+        warn(f"Could not set up Projects user: {result}")
+
+
+def _cleanup_projects_user(email):
+    """Remove a user from Projects (Planka) — delete memberships and user record."""
+    step(f"Cleaning up Projects user: {email}")
+    js = f"""
+const knex = require('knex')({{client: 'pg', connection: process.env.DATABASE_URL}});
+async function go() {{
+  const user = await knex('user_account').where({{email: '{email}'}}).first();
+  if (!user) {{ console.log('not_found'); return; }}
+  await knex('board_membership').where({{user_id: user.id}}).del();
+  await knex('project_manager').where({{user_id: user.id}}).del();
+  await knex('user_account').where({{id: user.id}}).update({{deleted_at: new Date()}});
+  console.log('cleaned');
+}}
+go().then(() => process.exit(0)).catch(e => {{ console.error(e.message); process.exit(1); }});
+"""
+    result = _kube_mod.kube_out(
+        "exec", "deployment/projects", "-n", "lasuite",
+        "-c", "projects", "--", "node", "-e", js,
+    )
+    if "cleaned" in (result or ""):
+        ok("Projects user cleaned up.")
+    else:
+        warn(f"Could not clean up Projects user: {result}")
+
+
+def cmd_user_onboard(email, name="", schema_id="employee", send_email=True,
+                     notify="", job_title="", department="", office_location="",
+                     hire_date="", manager=""):
+    """Onboard a new user: create identity, generate recovery link, optionally send welcome email."""
+    step(f"Onboarding: {email}")
+
+    with _port_forward() as base:
+        existing = _find_identity(base, email, required=False)
+
+        if existing:
+            warn(f"Identity already exists: {existing['id'][:8]}...")
+            step("Generating fresh recovery link...")
+            iid = existing["id"]
+            recovery_link, recovery_code = _generate_recovery(base, iid)
+        else:
+            traits = {"email": email}
+            if name:
+                parts = name.split(" ", 1)
+                traits["given_name"] = parts[0]
+                traits["family_name"] = parts[1] if len(parts) > 1 else ""
+
+            # Auto-assign employee ID if not provided and using employee schema
+            employee_id = ""
+            if schema_id == "employee":
+                employee_id = _next_employee_id(base)
+                traits["employee_id"] = employee_id
+                if job_title:
+                    traits["job_title"] = job_title
+                if department:
+                    traits["department"] = department
+                if office_location:
+                    traits["office_location"] = office_location
+                if hire_date:
+                    traits["hire_date"] = hire_date
+                if manager:
+                    traits["manager"] = manager
+
+            identity = _api(base, "/identities", method="POST", body={
+                "schema_id": schema_id,
+                "traits": traits,
+                "state": "active",
+                "verifiable_addresses": [{
+                    "value": email,
+                    "verified": True,
+                    "via": "email",
+                }],
+            })
+            iid = identity["id"]
+            ok(f"Created identity: {iid}")
+            if employee_id:
+                ok(f"Employee #{employee_id}")
+
+            # Kratos ignores verifiable_addresses on POST — PATCH is required
+            _api(base, f"/identities/{iid}", method="PATCH", body=[
+                {"op": "replace", "path": "/verifiable_addresses/0/verified", "value": True},
+                {"op": "replace", "path": "/verifiable_addresses/0/status", "value": "completed"},
+            ])
+
+            recovery_link, recovery_code = _generate_recovery(base, iid)
+
+    # Provision app-level accounts
+    if not existing:
+        _create_mailbox(email, name)
+        _setup_projects_user(email, name)
+
+    if send_email:
+        domain = _kube_mod.get_domain()
+        recipient = notify or email
+        _send_welcome_email(domain, recipient, name, recovery_link, recovery_code,
+                            job_title=job_title, department=department)
+
+    ok(f"Identity ID: {iid}")
+    ok("Recovery link (valid 24h):")
+    print(recovery_link)
+    ok("Recovery code:")
+    print(recovery_code)
+
+
+def cmd_user_offboard(target):
+    """Offboard a user: disable identity, revoke all Kratos + Hydra sessions."""
+    step(f"Offboarding: {target}")
+
+    confirm = input(f"Offboard '{target}'? This will disable the account and revoke all sessions. [y/N] ").strip().lower()
+    if confirm != "y":
+        ok("Cancelled.")
+        return
+
+    with _port_forward() as base:
+        identity = _find_identity(base, target)
+        iid = identity["id"]
+
+        step("Disabling identity...")
+        _api(base, f"/identities/{iid}", method="PUT",
+             body=_identity_put_body(identity, state="inactive"))
+        ok(f"Identity {iid[:8]}... disabled.")
+
+        step("Revoking Kratos sessions...")
+        _api(base, f"/identities/{iid}/sessions", method="DELETE", ok_statuses=(404,))
+        ok("Kratos sessions revoked.")
+
+        step("Revoking Hydra consent sessions...")
+        with _port_forward(svc="hydra-admin", local_port=14445, remote_port=4445) as hydra_base:
+            _api(hydra_base, f"/oauth2/auth/sessions/consent?subject={iid}&all=true",
+                 method="DELETE", prefix="/admin", ok_statuses=(404,))
+        ok("Hydra consent sessions revoked.")
+
+    # Clean up Messages Django user and mailbox
+    email = identity.get("traits", {}).get("email", "")
+    if email:
+        _delete_mailbox(email)
+        _cleanup_projects_user(email)
+
+    ok(f"Offboarding complete for {iid[:8]}...")
+    warn("Existing access tokens expire within ~1h (Hydra TTL).")
+    warn("App sessions (docs/people) expire within SESSION_COOKIE_AGE (~1h).")