diff --git a/.codex/skills/fctl-v4-architecture/SKILL.md b/.codex/skills/fctl-v4-architecture/SKILL.md
new file mode 100644
index 00000000..58e1a03b
--- /dev/null
+++ b/.codex/skills/fctl-v4-architecture/SKILL.md
@@ -0,0 +1,65 @@
+---
+name: fctl-v4-architecture
+description: Use when working on the Formance fctl v4 CLI architecture, contexts, authentication, API version resolution, compatibility manifests, command design, or migrations from fctl v3. This skill keeps future work aligned with the repository's v4 RFC and ADRs.
+---
+
+# fctl v4 Architecture Skill
+
+Use this skill for any `fctl` v4 design or implementation work.
+
+## Required Reading
+
+Before changing v4 architecture or commands, read these repository files:
+
+- `docs/rfcs/0001-fctl-v4-architecture.md`
+- `docs/cli-v4/command-design.md`
+- `docs/cli-v4/compatibility-manifest.md`
+- `todos/01-v4-isolated-skeleton.md`
+
+Read ADRs as needed:
+
+- `docs/adr/0001-contexts-as-primary-target.md`
+- `docs/adr/0002-auth-is-decoupled-from-cloud.md`
+- `docs/adr/0003-api-version-resolution.md`
+- `docs/adr/0004-cobra-thin-runtime.md`
+- `docs/adr/0005-build-v4-in-isolated-directory.md`
+
+## Core Rules
+
+- Do not make Formance Cloud membership required for stack commands.
+- Treat contexts as the primary target selector.
+- Keep auth as a target-local strategy.
+- Use `/versions` plus the compatibility manifest to infer supported API namespaces.
+- Commands express product intent; they must not expose API versions as the primary UX.
+- Keep CLI flags canonical and product-oriented; map them to version-specific SDK request fields internally.
+- Keep Cobra thin. Runtime concerns belong in typed internal packages.
+- Build the rewrite under `v4/` until the explicit cutover goal.
+- Follow `todos/*.md` in order unless the user explicitly reprioritizes.
+- Commit after each logical step.
+
+## CLI Rendering Policy
+
+- Human `plain` output must go through shared rendering helpers instead of writing raw strings directly to `cmd.OutOrStdout()`.
+- Use `styledSuccessLine` for successful mutations, `writeStyledKeyValues` for detail views, `writeStyledRows`/`v4render.Table` for lists, `styledEmptyLine` for empty states, and `styledInfoLine` for supporting metadata such as API versions.
+- Keep scriptability intact: JSON/YAML output must stay unstyled, non-TTY plain output must remain stable, and ANSI styling must only be emitted for terminal output.
+- Direct writes to `cmd.OutOrStdout()` are allowed only for raw payloads such as archives, manifests, logs, or compatibility-preserving fallback paths that are explicitly tracked by tests.
+- When adding or touching a command renderer, remove it from the raw-output baseline in `v4/cmd/rendering_policy_test.go` and route its output through the shared helpers.
+
+## Implementation Shape
+
+Prefer this package split under `v4/` during the transition:
+
+```text
+v4/cmd/                  Cobra declarations only
+v4/internal/runtime/     target resolution, auth, versions, API selection
+v4/internal/config/      contexts, defaults, XDG paths, migrations
+v4/internal/credentials/ keyring and insecure fallback
+v4/internal/capabilities generated manifest and compatibility ranges
+v4/internal/commands/    typed product command implementations
+v4/internal/render/      table, json, yaml, markdown
+v4/internal/prompt/      optional interactive flows
+```
+
+## Validation
+
+For command behavior, prefer integration-style tests that execute real CLI commands and assert stdout, stderr, exit codes, and config files. Keep scriptability and non-interactive usage as first-class requirements.
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..6f5c7ae9
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,20 @@
+# fctl v4 Guidance
+
+Before working on the next major CLI architecture, read:
+
+- `docs/rfcs/0001-fctl-v4-architecture.md`
+- `docs/cli-v4/command-design.md`
+- `docs/cli-v4/compatibility-manifest.md`
+- `todos/01-v4-isolated-skeleton.md`
+
+Core rules:
+
+- Do not couple stack commands to Formance Cloud membership.
+- Treat context, target, auth, capabilities, API version, and rendering as separate concepts.
+- Commands express product intent; API version selection belongs in the runtime.
+- Use `/versions` plus the generated compatibility manifest to select the best supported SDK namespace.
+- Keep Cobra as a thin parser/router; keep business logic in typed internal packages.
+- Store credentials in a keyring when possible; keep config files free of long-lived secrets.
+- Build the rewrite under `v4/` until the explicit cutover goal.
+- Follow `todos/*.md` in order unless the user explicitly reprioritizes.
+- Commit after each logical step when implementing v4 work.
diff --git a/docs/adr/0001-contexts-as-primary-target.md b/docs/adr/0001-contexts-as-primary-target.md
new file mode 100644
index 00000000..4b48e7e4
--- /dev/null
+++ b/docs/adr/0001-contexts-as-primary-target.md
@@ -0,0 +1,18 @@
+# ADR 0001: Contexts Are The Primary Target Selector
+
+Status: Accepted for v4 planning
+
+## Context
+
+The current profile model is centered on Formance Cloud membership. That makes stack usage depend on Cloud identity even when the user wants to talk to a local or self-hosted stack.
+
+## Decision
+
+Use named contexts as the primary target selector. A context describes the target endpoint, authentication method, defaults, and API version policy.
+
+## Consequences
+
+- Stack commands can run without Cloud membership.
+- Cloud workflows remain possible through Cloud-specific context kinds.
+- `--context` and `FCTL_CONTEXT` can override the current context.
+- Context export/import becomes possible later.
diff --git a/docs/adr/0002-auth-is-decoupled-from-cloud.md b/docs/adr/0002-auth-is-decoupled-from-cloud.md
new file mode 100644
index 00000000..3741e0e8
--- /dev/null
+++ b/docs/adr/0002-auth-is-decoupled-from-cloud.md
@@ -0,0 +1,18 @@
+# ADR 0002: Authentication Is Decoupled From Cloud
+
+Status: Accepted for v4 planning
+
+## Context
+
+The current CLI authenticates through a membership relying party. This prevents a clean local and self-hosted user experience.
+
+## Decision
+
+Model authentication as a target-local strategy. Supported strategies should include Cloud device flow, generic OIDC, client credentials, token from stdin/env, and explicit no-auth development mode.
+
+## Consequences
+
+- Local stacks can use `client_credentials` with default development clients.
+- Self-hosted stacks can use their own OIDC issuer.
+- CI can use tokens or client credentials without browser flows.
+- Cloud membership becomes one auth strategy, not the root abstraction.
diff --git a/docs/adr/0003-api-version-resolution.md b/docs/adr/0003-api-version-resolution.md
new file mode 100644
index 00000000..71630488
--- /dev/null
+++ b/docs/adr/0003-api-version-resolution.md
@@ -0,0 +1,18 @@
+# ADR 0003: API Version Resolution Belongs In Runtime
+
+Status: Accepted for v4 planning
+
+## Context
+
+The public SDK exposes versioned namespaces such as `Ledger.V1`, `Ledger.V2`, and `Payments.V3`. The stack exposes `/versions`, but not a full capabilities endpoint.
+
+## Decision
+
+Commands declare product features and available handlers. The runtime calls `/versions`, maps component versions to supported API namespaces, intersects that with command handlers, and selects the best compatible handler.
+
+## Consequences
+
+- Commands do not hardcode the oldest API namespace.
+- New endpoints can appear as normal product commands and fail cleanly on older targets.
+- A small manual compatibility table is still required for component version ranges.
+- Most operation metadata can be generated from the OpenAPI spec.
diff --git a/docs/adr/0004-cobra-thin-runtime.md b/docs/adr/0004-cobra-thin-runtime.md
new file mode 100644
index 00000000..5d0f4de4
--- /dev/null
+++ b/docs/adr/0004-cobra-thin-runtime.md
@@ -0,0 +1,18 @@
+# ADR 0004: Keep Cobra Thin
+
+Status: Accepted for v4 planning
+
+## Context
+
+Cobra is widely used and already present in `fctl`, but current command implementations mix parsing, auth, client construction, API selection, and rendering.
+
+## Decision
+
+Keep Cobra for routing, flags, help, aliases, deprecations, and shell completions. Move target resolution, authentication, API versioning, and business logic into typed internal packages.
+
+## Consequences
+
+- Existing Cobra knowledge remains useful.
+- Command files become smaller and easier to test.
+- The runtime can be tested independently from Cobra.
+- The CLI can keep a stable user experience while API versions evolve.
diff --git a/docs/adr/0005-build-v4-in-isolated-directory.md b/docs/adr/0005-build-v4-in-isolated-directory.md
new file mode 100644
index 00000000..2964e4c6
--- /dev/null
+++ b/docs/adr/0005-build-v4-in-isolated-directory.md
@@ -0,0 +1,19 @@
+# ADR 0005: Build v4 In An Isolated Directory
+
+Status: Accepted for v4 planning
+
+## Context
+
+`fctl` v4 is intended to be a near-rewrite. The existing v3 code remains useful as a behavioral reference during implementation and review.
+
+## Decision
+
+Build the new CLI under a top-level `v4/` directory during the transition. Keep the existing root implementation intact until v4 has reached feature parity or an explicit cutover point.
+
+## Consequences
+
+- v3 remains available for comparison while v4 is built.
+- Review is easier because new code is isolated from old code.
+- The v4 module can start with a clean package layout.
+- The final cutover will delete or archive the old root implementation and move the v4 implementation to the root.
+- Build, release, and test commands must be explicit about whether they target v3 root or `v4/`.
diff --git a/docs/cli-v4/README.md b/docs/cli-v4/README.md
new file mode 100644
index 00000000..67f4192c
--- /dev/null
+++ b/docs/cli-v4/README.md
@@ -0,0 +1,21 @@
+# fctl v4 Documentation
+
+The v4 CLI is implemented under `v4/`, but its documentation lives here so it
+can be reviewed with the repository-level architecture docs.
+
+Read these in order when onboarding to v4:
+
+1. `../rfcs/0001-fctl-v4-architecture.md` for the target architecture.
+2. `../adr/` for accepted decisions.
+3. `command-design.md` for command shape and Cobra boundaries.
+4. `config-format.md` for profiles, contexts, and credential storage.
+5. `runtime-behavior.md` for current login, scopes, stack waits, rendering, and
+   debug behavior.
+6. `command-reference.md` for visible command families.
+7. `migration-v3-v4.md` and `compatibility-aliases.md` for v3 compatibility.
+8. `testing-strategy.md` for local and CI validation.
+9. `implementation-audit.md` for current implementation status and known gaps.
+10. `cutover-plan.md` for the future move out of `v4/`.
+
+Keep `command-reference.md` and `runtime-behavior.md` aligned with Cobra help and
+the manual command audit whenever commands are added, hidden, or renamed.
diff --git a/docs/cli-v4/command-design.md b/docs/cli-v4/command-design.md
new file mode 100644
index 00000000..a3d01648
--- /dev/null
+++ b/docs/cli-v4/command-design.md
@@ -0,0 +1,77 @@
+# fctl v4 Command Design
+
+Commands should express Formance product intent, not OpenAPI or SDK structure.
+
+Prefer:
+
+```bash
+fctl ledger transactions list
+fctl ledger transactions revert <id>
+fctl ledger schemas insert <version>
+```
+
+Avoid:
+
+```bash
+fctl ledger v2 transactions list
+fctl ledger transactions list-v2
+```
+
+## Canonical Inputs
+
+Each command should parse into a version-independent input model.
+
+```go
+type ListTransactionsInput struct {
+    Ledger         string
+    AccountAddress string
+    PageSize       int64
+}
+```
+
+Version-specific adapters convert that model into generated SDK request types.
+
+```go
+func toLedgerV1(input ListTransactionsInput) operations.ListTransactionsRequest
+func toLedgerV2(input ListTransactionsInput) operations.V2ListTransactionsRequest
+```
+
+## Renamed API Parameters
+
+If API v1 calls a field `account` and API v2 calls it `address`, but the CLI concept is the same, expose one canonical flag.
+
+```bash
+fctl ledger transactions list --account users:123
+```
+
+Keep aliases only for CLI compatibility, not because generated API names changed.
+
+## Version-Specific Features
+
+A command can exist even if only newer targets support it.
+
+```bash
+fctl ledger transactions explain <id>
+```
+
+If the current target only supports an older Ledger API, return:
+
+```text
+ledger transactions explain requires Ledger >= 3.0.0.
+Current target runs Ledger 2.3.4.
+```
+
+If the command requires an API operation that is not exposed by the public stack
+spec or the current SDK, keep it hidden from the visible command surface until
+the contract is explicit. `ledger transactions explain` currently follows this
+rule.
+
+## Help Text
+
+Help should be stable and product-oriented. For flags or commands requiring newer APIs, include capability notes:
+
+```text
+--include-descendants    Include child accounts (requires ledger API v2+)
+```
+
+Context-aware help can be added later, but the base help should remain useful without network calls.
diff --git a/docs/cli-v4/command-reference.md b/docs/cli-v4/command-reference.md
new file mode 100644
index 00000000..b9b6984b
--- /dev/null
+++ b/docs/cli-v4/command-reference.md
@@ -0,0 +1,302 @@
+# fctl v4 Command Reference
+
+This reference lists the current canonical v4 command families implemented under
+`v4/`. It tracks visible commands only. Hidden compatibility commands and
+temporarily disabled command families are documented separately below.
+
+The latest manual command audit covered 193 visible executable leaf commands.
+When this file changes, verify it against Cobra help before committing.
+
+## Global Flags
+
+- `--profile <name>`
+- `--context <name>` hidden deprecated alias for `--profile`
+- `--organization <organization-id>` Cloud or EE organization override
+- `--stack <stack-id>` Cloud or EE stack override
+- `--config-dir <dir>`, `-c <dir>`
+- `--credential-dir <dir>`
+- `--output plain|json|yaml`
+- `--non-interactive`
+- `--insecure-tls`
+- `--debug`, `-d`
+- `--no-color`
+
+## Target and Configuration
+
+- `fctl login`
+- `fctl login --target cloud --client-id <id> --client-secret-stdin`
+- `fctl login --target ee --membership-url <url> --client-id <id> --client-secret-stdin`
+- `fctl login --target open-source --stack-url <url>`
+- `fctl logout`
+- `fctl whoami`
+- `fctl profile create stack <name> --stack-url <url>`
+- `fctl profile create cloud <name> --cloud-url <url>`
+- `fctl profile create cloud-stack <name> --cloud-url <url> --organization <organization-id> --stack <stack-id>`
+- `fctl profile list`
+- `fctl profile show <name>`
+- `fctl profile use <name>`
+- `fctl profile rename <old-name> <new-name>`
+- `fctl profile delete <name> --confirm`
+- `fctl profile set [name] --organization <organization-id> --stack <stack-id> --default-ledger <ledger>`
+- `fctl profile unset-defaults [name] --confirm`
+- `fctl config migrate-v3`
+- `fctl setup`
+- `fctl target inspect`
+- `fctl target proxy --port 55001`
+- `fctl stack proxy --port 55001` deprecated alias for `fctl target proxy`
+
+`context` and `session` commands remain hidden implementation/compatibility
+commands for now. New user flows should use `login`, `logout`, `whoami`, and
+`profile`.
+
+## Cloud
+
+- `fctl cloud me show`
+- `fctl cloud me invitations list`
+- `fctl cloud me invitations accept <invitation-id> --confirm`
+- `fctl cloud me invitations decline <invitation-id> --confirm`
+- `fctl cloud ui --print`
+- `fctl cloud organizations create <name>`
+- `fctl cloud organizations list`
+- `fctl cloud organizations show <organization-id>`
+- `fctl cloud organizations history [organization-id] --action <action> --user-id <user-id> --data key=value`
+- `fctl cloud organizations update <organization-id> --name <name>`
+- `fctl cloud organizations delete <organization-id> --confirm`
+- `fctl cloud organizations applications list --organization <organization-id>`
+- `fctl cloud organizations applications show <application-id> --organization <organization-id>`
+- `fctl cloud organizations authentication-provider show --organization <organization-id>`
+- `fctl cloud organizations authentication-provider configure --type <type> --name <name> --client-id <client-id> --client-secret-stdin --organization <organization-id>`
+- `fctl cloud organizations authentication-provider delete --organization <organization-id> --confirm`
+- `fctl cloud organizations oauth-clients create --name <name> --organization <organization-id> --confirm`
+- `fctl cloud organizations oauth-clients list --organization <organization-id>`
+- `fctl cloud organizations oauth-clients show <client-id> --organization <organization-id>`
+- `fctl cloud organizations oauth-clients update <client-id> --name <name> --organization <organization-id> --confirm`
+- `fctl cloud organizations oauth-clients delete <client-id> --organization <organization-id> --confirm`
+- `fctl cloud organizations invitations list --organization <organization-id>`
+- `fctl cloud organizations invitations send <email> --organization <organization-id>`
+- `fctl cloud organizations invitations delete <invitation-id> --organization <organization-id> --confirm`
+- `fctl cloud organizations users list --organization <organization-id>`
+- `fctl cloud organizations users show <user-id> --organization <organization-id>`
+- `fctl cloud organizations users link <user-id> --organization <organization-id> --policy-id <policy-id>`
+- `fctl cloud organizations users unlink <user-id> --organization <organization-id> --confirm`
+- `fctl cloud organizations policies create <name> --organization <organization-id>`
+- `fctl cloud organizations policies list --organization <organization-id>`
+- `fctl cloud organizations policies show <policy-id> --organization <organization-id>`
+- `fctl cloud organizations policies update <policy-id> --organization <organization-id> --name <name>`
+- `fctl cloud organizations policies delete <policy-id> --organization <organization-id> --confirm`
+- `fctl cloud organizations policies add-scope <policy-id> <scope-id> --organization <organization-id>`
+- `fctl cloud organizations policies remove-scope <policy-id> <scope-id> --organization <organization-id> --confirm`
+- `fctl cloud regions create <name> --organization <organization-id>`
+- `fctl cloud regions list --organization <organization-id>`
+- `fctl cloud regions show <region-id> --organization <organization-id>`
+- `fctl cloud regions delete <region-id> --organization <organization-id> --confirm`
+
+Cloud commands require a `cloud` or `cloud-stack` context. They are not required
+for direct local or self-hosted stack commands. The root `ui` command is a
+hidden deprecated alias for `cloud ui`.
+
+## Cloud Stacks
+
+- `fctl cloud stacks create <name> --region <region-id>`
+- `fctl cloud stacks list --organization <organization-id>`
+- `fctl cloud stacks show <stack-id> --organization <organization-id>`
+- `fctl cloud stacks update <stack-id> --name <name>`
+- `fctl cloud stacks delete <stack-id> --confirm`
+- `fctl cloud stacks enable <stack-id>`
+- `fctl cloud stacks disable <stack-id> --confirm`
+- `fctl cloud stacks restore <stack-id> --confirm`
+- `fctl cloud stacks upgrade <stack-id> --version <version> --confirm`
+- `fctl cloud stacks history <stack-id>`
+- `fctl cloud stacks users list <stack-id>`
+- `fctl cloud stacks users link <stack-id> <user-id> --policy-id <policy-id>`
+- `fctl cloud stacks users unlink <stack-id> <user-id> --confirm`
+- `fctl cloud stacks modules list <stack-id>`
+- `fctl cloud stacks modules enable <stack-id> <module>`
+- `fctl cloud stacks modules disable <stack-id> <module> --confirm`
+
+When the active context is `cloud-stack`, `--organization` defaults to the
+context organization. `cloud_stacks`, `stack`, and `stacks` are deprecated
+aliases for `cloud stacks`, except `stack proxy`, which remains a deprecated
+alias for the data-plane `target proxy` command.
+
+`cloud stacks create` prompts for missing name, region, and version in
+interactive terminals. Region versions are sorted in descending semantic-version
+order. Unless `--no-wait` is passed, create waits for stack availability before
+printing the final styled success block.
+
+## Ledger
+
+- `fctl ledger create [name]`
+- `fctl ledger list`
+- `fctl ledger info`
+- `fctl ledger stats`
+- `fctl ledger import <ledger> --file <path>|-`
+- `fctl ledger export --ledger <ledger>`
+- `fctl ledger set-metadata <ledger> [key=value]... --metadata-file <path>|- --confirm`
+- `fctl ledger delete-metadata <ledger> <key> --confirm`
+- `fctl ledger accounts list`
+- `fctl ledger accounts show <account>`
+- `fctl ledger accounts query <query-id> --schema-version <version>`
+- `fctl ledger accounts set-metadata <account> [key=value]... --metadata-file <path>|- --confirm`
+- `fctl ledger accounts delete-metadata <account> <key> --confirm`
+- `fctl ledger schemas list`
+- `fctl ledger schemas show <version>`
+- `fctl ledger schemas insert <version>`
+- `fctl ledger transactions list`
+- `fctl ledger transactions show <transaction-id>`
+- `fctl ledger transactions send`
+- `fctl ledger transactions run-script --file <path>|-`
+- `fctl ledger transactions revert <transaction-id>`
+- `fctl ledger transactions count`
+- `fctl ledger transactions set-metadata <transaction-id> [key=value]... --metadata-file <path>|- --confirm`
+- `fctl ledger transactions delete-metadata <transaction-id> <key> --confirm`
+- `fctl ledger volumes list`
+
+Ledger commands use service-qualified internal names and adapt canonical CLI
+flags to the selected Ledger API version.
+
+## Payments
+
+- `fctl payments versions`
+- `fctl payments connectors install <connector> --file <path>|-`
+- `fctl payments connectors list`
+- `fctl payments connectors config show <connector-id>`
+- `fctl payments connectors config update <connector-id> --file <path>|-`
+- `fctl payments connectors uninstall <connector-id> --confirm`
+- `fctl payments accounts create --file <path>|-`
+- `fctl payments accounts list`
+- `fctl payments accounts show <account-id>`
+- `fctl payments accounts balances <account-id>`
+- `fctl payments bank-accounts create --file <path>|-`
+- `fctl payments bank-accounts list`
+- `fctl payments bank-accounts show <bank-account-id>`
+- `fctl payments bank-accounts forward <bank-account-id> <connector-id>`
+- `fctl payments bank-accounts set-metadata <bank-account-id> <key=value>... --confirm`
+- `fctl payments payments create --file <path>|-`
+- `fctl payments payments list`
+- `fctl payments payments show <payment-id>`
+- `fctl payments payments set-metadata <payment-id> <key=value>... --confirm`
+- `fctl payments pools create --file <path>|-`
+- `fctl payments pools list`
+- `fctl payments pools show <pool-id>`
+- `fctl payments pools delete <pool-id> --confirm`
+- `fctl payments pools add-account <pool-id> <account-id>`
+- `fctl payments pools remove-account <pool-id> <account-id> --confirm`
+- `fctl payments pools update-query <pool-id> --file <path>|- --confirm`
+- `fctl payments pools balances <pool-id> --at <time>`
+- `fctl payments pools latest-balances <pool-id>`
+- `fctl payments tasks show <task-id>`
+- `fctl payments transfer-initiation create --file <path>|-`
+- `fctl payments transfer-initiation list`
+- `fctl payments transfer-initiation show <transfer-initiation-id>`
+- `fctl payments transfer-initiation approve <transfer-initiation-id> --confirm`
+- `fctl payments transfer-initiation reject <transfer-initiation-id> --confirm`
+- `fctl payments transfer-initiation retry <transfer-initiation-id> --confirm`
+- `fctl payments transfer-initiation delete <transfer-initiation-id> --confirm`
+- `fctl payments transfer-initiation update-status <transfer-initiation-id> <status> --confirm`
+- `fctl payments transfer-initiation reverse <transfer-initiation-id> --file <path>|- --confirm`
+
+Connector configuration commands always target a connector ID.
+
+## Wallets
+
+- `fctl wallets create <name>`
+- `fctl wallets list`
+- `fctl wallets show <wallet-id>`
+- `fctl wallets update <wallet-id>`
+- `fctl wallets credit <wallet-id> --amount <amount> --asset <asset> --confirm`
+- `fctl wallets debit <wallet-id> --amount <amount> --asset <asset> --confirm`
+- `fctl wallets balances create <wallet-id> <name>`
+- `fctl wallets balances list <wallet-id>`
+- `fctl wallets balances show <wallet-id> <balance-name>`
+- `fctl wallets holds list`
+- `fctl wallets holds show <hold-id>`
+- `fctl wallets holds void <hold-id> --confirm`
+- `fctl wallets holds confirm <hold-id> --confirm`
+- `fctl wallets transactions list <wallet-id>`
+
+Wallet credit and debit require the wallet target explicitly.
+
+## Flows
+
+- `fctl flows workflows create --file <path>|-`
+- `fctl flows workflows list`
+- `fctl flows workflows show <workflow-id>`
+- `fctl flows workflows run <workflow-id>`
+- `fctl flows workflows delete <workflow-id> --confirm`
+- `fctl flows instances list`
+- `fctl flows instances show <instance-id>`
+- `fctl flows instances inspect <instance-id>`
+- `fctl flows instances send-event <instance-id> <event>`
+- `fctl flows instances stop <instance-id> --confirm`
+- `fctl flows triggers create <event> <workflow-id>`
+- `fctl flows triggers list`
+- `fctl flows triggers show <trigger-id>`
+- `fctl flows triggers delete <trigger-id> --confirm`
+- `fctl flows triggers test <trigger-id>`
+- `fctl flows triggers occurrences list <trigger-id>`
+
+`orchestration` is a deprecated alias for `flows`.
+
+## Reconciliation
+
+- `fctl reconciliation list`
+- `fctl reconciliation show <reconciliation-id>`
+- `fctl reconciliation policies create --file <path>|- --confirm`
+- `fctl reconciliation policies list`
+- `fctl reconciliation policies show <policy-id>`
+- `fctl reconciliation policies delete <policy-id> --confirm`
+- `fctl reconciliation policies reconcile <policy-id> --ledger-at <time> --payments-at <time> --confirm`
+
+## Login and Profiles
+
+`fctl login` is the primary setup flow. It creates or replaces the selected
+profile, defaulting to `default` when `--profile` is not provided.
+
+- Interactive terminal sessions use a Charmbracelet Huh wizard. Non-TTY input,
+  `--non-interactive`, and scripts keep stable flag/error behavior.
+- Formance Cloud uses `https://app.formance.cloud/api` by default.
+- Formance EE Self-Hosted asks for `--membership-url` or prompts for it.
+- Formance Open Source asks for `--stack-url` and defaults to no auth.
+- `--organization` and `--stack` select a Cloud or EE stack for commands that
+  need stack scope.
+- Browser/device login uses the Cloud/EE device authorization flow and stores
+  root tokens outside the config file. Non-interactive login can use client
+  credentials flags.
+
+`auth` remains reserved for the stack Auth service command family.
+
+## Auth
+
+- `fctl auth clients create <name>`
+- `fctl auth clients list`
+- `fctl auth clients show <client-id>`
+- `fctl auth clients update <client-id> --name <name>`
+- `fctl auth clients delete <client-id> --confirm`
+- `fctl auth clients secrets create <client-id> <secret-name>`
+- `fctl auth clients secrets delete <client-id> <secret-id> --confirm`
+- `fctl auth users list`
+- `fctl auth users show <user-id>`
+
+`auth` is the canonical service name.
+
+## Webhooks
+
+- `fctl webhooks create <endpoint> <event-type>...`
+- `fctl webhooks list`
+- `fctl webhooks activate <config-id>`
+- `fctl webhooks deactivate <config-id> --confirm`
+- `fctl webhooks delete <config-id> --confirm`
+- `fctl webhooks secret rotate <config-id> --secret-stdin`
+
+Plain output masks webhook secrets.
+
+## Hidden Or Deferred Commands
+
+- `fctl cloud apps ...` exists in code but is hidden from help because Cloud apps
+  are not part of the product surface exposed in v4 yet.
+- `fctl ledger transactions explain <transaction-id>` is hidden until the public
+  stack spec and `formance-sdk-go` expose `explainTransaction`.
+- `fctl context ...`, `fctl session ...`, and root `fctl ui` are hidden
+  compatibility or implementation commands. New user flows should use
+  `profile`, `login`, `logout`, `whoami`, `target`, and `cloud ui`.
diff --git a/docs/cli-v4/compatibility-aliases.md b/docs/cli-v4/compatibility-aliases.md
new file mode 100644
index 00000000..642f5a7b
--- /dev/null
+++ b/docs/cli-v4/compatibility-aliases.md
@@ -0,0 +1,57 @@
+# fctl v4 Compatibility Aliases
+
+Aliases in v4 are migration aids. They should be cheap to maintain, visible in
+tests, and explicit about their canonical replacement.
+
+| Alias | Canonical command | Status | Removal target |
+| --- | --- | --- | --- |
+| `--context <name>` | `--profile <name>` | Hidden deprecated warning | v4.x |
+| `context ...` | `profile ...` | Hidden compatibility command | v4.x |
+| `profiles ...` | `profile ...` | Hidden deprecated warning | v4.x |
+| `orchestration ...` | `flows ...` | Deprecated warning | v4.x or v5 |
+| `orchestration workflows create <file>\|-` | `flows workflows create --file <path>\|-` | Deprecated warning | v4.x |
+| `flows instances describe` | `flows instances inspect` | Deprecated warning | v4.x |
+| `payments connectors get-config --connector-id <id>` | `payments connectors config show <connector-id>` | Deprecated warning | v4.x |
+| `payments connectors config get` | `payments connectors config show` | Deprecated warning | v4.x |
+| `payments connectors update-config` | `payments connectors config update` | Deprecated warning | v4.x |
+| `payments transfer-initiation get` | `payments transfer-initiation show` | Deprecated warning | v4.x |
+| `payments transfer-initiation update_status` | `payments transfer-initiation update-status` | Deprecated warning | v4.x |
+| `reconciliation get` | `reconciliation show` | Deprecated warning | v4.x |
+| `reconciliation policies get` | `reconciliation policies show` | Deprecated warning | v4.x |
+| `reconciliation policies reconcile <policy-id> <at-ledger> <at-payments>` | `reconciliation policies reconcile <policy-id> --ledger-at --payments-at` | Deprecated warning | v4.x |
+| `auth clients get` | `auth clients show` | Deprecated warning | v4.x |
+| `auth users get` | `auth users show` | Deprecated warning | v4.x |
+| `auth clients users ...` | `auth users ...` | Deprecated warning | v4.x |
+| `webhooks change-secret` | `webhooks secret rotate` | Deprecated warning | v4.x |
+| `cloud me info` | `cloud me show` | Deprecated warning | v4.x |
+| `cloud organizations describe` | `cloud organizations show` | Deprecated warning | v4.x |
+| `cloud organizations authentication-provider configure <type> <name> <client-id> <client-secret>` | `cloud organizations authentication-provider configure --type --name --client-id --client-secret-stdin` | Deprecated warning | v4.x |
+| `ui` | `cloud ui` | Hidden deprecated warning | v4.x |
+| `cloud_stacks ...` | `cloud stacks ...` | Deprecated warning | v4.1, v4.2, or v5 |
+| `stack ...` | `cloud stacks ...` | Deprecated warning | v4.1, v4.2, or v5 |
+| `stack proxy` | `target proxy` | Deprecated warning | v4.1, v4.2, or v5 |
+| `stacks ...` | `cloud stacks ...` | Deprecated warning | v4.1, v4.2, or v5 |
+
+## Removed Commands
+
+| Command | Status | Reason |
+| --- | --- | --- |
+| `auth login/status/token/logout` | Removed | `auth` is reserved for stack Auth service resources; CLI authentication starts at root `login`. |
+| `search ...` | Removed | The product no longer exists. |
+| `se` | Removed | Alias for removed `search`. |
+
+## Hidden Until Product Contract
+
+| Command | Status | Reason |
+| --- | --- | --- |
+| `cloud apps ...` | Hidden | Cloud apps are not part of the visible v4 product surface yet. |
+| `ledger transactions explain` | Hidden | The public stack spec and `formance-sdk-go` do not expose `explainTransaction` yet. |
+
+## Rules
+
+- Alias warnings go to stderr.
+- Warning text must name the canonical command.
+- Aliases should not hide important v4 target arguments such as wallet IDs or
+  connector IDs.
+- Service-qualified identifiers remain service-qualified. Do not add generic
+  internal aliases such as `FCTL_TransactionList`.
diff --git a/docs/cli-v4/compatibility-manifest.md b/docs/cli-v4/compatibility-manifest.md
new file mode 100644
index 00000000..008808bd
--- /dev/null
+++ b/docs/cli-v4/compatibility-manifest.md
@@ -0,0 +1,112 @@
+# fctl v4 Compatibility Manifest
+
+The v4 CLI should derive most operation metadata from the released stack OpenAPI document.
+
+Current reference:
+
+```text
+https://github.com/formancehq/stack/releases/download/v3.2.4/generate.json
+```
+
+The spec contains versioned tags such as:
+
+- `ledger.v1`
+- `ledger.v2`
+- `payments.v1`
+- `payments.v3`
+- `orchestration.v1`
+- `orchestration.v2`
+- `auth.v1`
+- `wallets.v1`
+- `webhooks.v1`
+- `reconciliation.v1`
+
+Retired products such as `search` must be ignored even if an old stack spec still
+contains their tags.
+
+## Generated Data
+
+Generate a manifest with:
+
+- stack spec version
+- product name
+- API namespace
+- operation ID
+- HTTP method
+- path
+- tags
+
+Example shape:
+
+```json
+{
+  "specVersion": "v3.2.4",
+  "products": {
+    "ledger": {
+      "apiVersions": ["v1", "v2"],
+      "operations": {
+        "listTransactions": {
+          "v1": {
+            "operationId": "listTransactions",
+            "path": "/api/ledger/{ledger}/transactions"
+          },
+          "v2": {
+            "operationId": "v2ListTransactions",
+            "path": "/api/ledger/v2/{ledger}/transactions"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+## Manual Data
+
+The OpenAPI spec does not fully define which component binary versions support which API namespaces. Keep that as a small explicit table.
+
+Example:
+
+```go
+var ComponentCompatibility = []ComponentRange{
+    {
+        Product: "ledger",
+        Range: ">=1.0.0 <2.0.0",
+        APIVersions: []APIVersion{"v1"},
+    },
+    {
+        Product: "ledger",
+        Range: ">=2.0.0 <3.0.0",
+        APIVersions: []APIVersion{"v1", "v2"},
+    },
+}
+```
+
+## Runtime Resolution
+
+1. Call `GetVersions`.
+2. Convert component versions into supported API namespaces.
+3. Find command handlers for the requested feature.
+4. Select the highest compatible API namespace unless the user pinned one.
+5. Return a clean error if no handler can run.
+
+## Known Runtime Gap
+
+The generated manifest currently contains operation metadata by product,
+feature, and API namespace, but the runtime resolver still primarily operates at
+the product/API-namespace level. `Feature` is available in
+`VersionResolutionRequest`, but it is not yet used to query the generated
+manifest before selecting a handler.
+
+This is acceptable for the MVP only if the gap stays explicit. The next
+capabilities iteration should:
+
+- verify that the selected API namespace exposes the requested feature in the
+  generated manifest;
+- add feature-level component ranges for behavior introduced inside an existing
+  API namespace;
+- move version-dependent flag checks into declarative compatibility data where
+  possible.
+
+Until this is done, handlers may still need narrow validation for specific flags
+or fields that are only supported by newer component versions.
diff --git a/docs/cli-v4/config-format.md b/docs/cli-v4/config-format.md
new file mode 100644
index 00000000..cbe4fa89
--- /dev/null
+++ b/docs/cli-v4/config-format.md
@@ -0,0 +1,85 @@
+# fctl v4 Config Format
+
+The v4 config should be explicit, versioned, and free of long-lived secrets.
+
+## Example
+
+```yaml
+version: 4
+currentContext: local
+
+contexts:
+  local:
+    kind: stack
+    stackURL: http://localhost/api
+    auth:
+      method: client_credentials
+      issuerURL: http://localhost/api/auth
+      clientID: testing
+      secretRef: keyring://formance/local/testing
+    defaults:
+      ledger: default
+    api:
+      ledger: latest-compatible
+
+  cloud-prod:
+    kind: cloud-stack
+    cloudURL: https://app.formance.cloud/api
+    organization: org_x
+    stack: stack_y
+    auth:
+      method: cloud_device
+      account: user@example.com
+      tokenRef: keyring://formance/cloud-prod/user@example.com
+    api:
+      ledger: latest-compatible
+```
+
+## Context Kinds
+
+- `stack`: direct stack API target.
+- `cloud`: Formance Cloud control plane target.
+- `cloud-stack`: stack target discovered or authorized through Formance Cloud.
+
+## Default Login Profile
+
+When no v4 config exists yet, `fctl login` creates a default profile named
+`default` unless `--profile` selects another name. Formance Cloud defaults to
+the production membership URL:
+
+```yaml
+currentContext: default
+contexts:
+  default:
+    kind: cloud
+    cloudURL: https://app.formance.cloud/api
+    auth:
+      method: none
+```
+
+The login command then replaces `auth` with the selected method. Product stack
+commands need either a direct `stack` profile or a Cloud/EE profile plus
+`--organization` and `--stack` when the profile does not already store them.
+
+## Auth Methods
+
+- `cloud_device`
+- `oidc_device`
+- `client_credentials`
+- `token`
+- `none`
+
+`none` must be explicit and should warn unless the command is non-interactive or configured to suppress warnings.
+
+## Paths
+
+Use XDG-aware locations:
+
+- config: user config directory
+- cache: discovery and temporary API tokens
+- state: telemetry IDs and non-secret local state
+
+Keep credentials in a system keyring when available. Until the v4 keyring
+backend is wired, commands store secrets under the v4 config directory
+`credentials/` subdirectory by default, or under `--credential-dir` when
+provided. Secret values must not be written to `config.yaml`.
diff --git a/docs/cli-v4/cutover-plan.md b/docs/cli-v4/cutover-plan.md
new file mode 100644
index 00000000..3705c33b
--- /dev/null
+++ b/docs/cli-v4/cutover-plan.md
@@ -0,0 +1,143 @@
+# fctl v4 Cutover Plan
+
+Status: Draft, planning only.
+
+Do not execute this plan until v4 feature parity and release readiness are explicitly approved.
+
+## Current State
+
+- The current repository root is the v3 implementation.
+- The v4 rewrite lives under `v4/`.
+- v4 is a separate Go module: `github.com/formancehq/fctl/v4`.
+- v4 currently validates the architecture through profiles/contexts, runtime
+  resolution, auth providers, device login, capabilities, target inspection,
+  v3 migration, Cloud stack lifecycle, and product command families for Ledger,
+  Payments, Wallets, Flows, Reconciliation, Auth service, and Webhooks.
+
+## Cutover Preconditions
+
+- All required product commands have v4 equivalents or documented compatibility gaps.
+- `go test ./...` passes in `v4/`.
+- The final root module test suite passes after the move.
+- Release packaging, completions, Docker/Homebrew/GitHub Actions paths are updated.
+- Migration documentation is published.
+- A rollback branch or tag exists before deleting root v3 files.
+
+## Root Inventory
+
+Likely preserve or update:
+
+- `.github/`
+- `.codex/`
+- `AGENTS.md`
+- `README.md`
+- `docs/`
+- `todos/`
+- `openapi/`, if still useful for generated clients or historical specs
+- `flake.nix`, if updated to build v4
+- `build.Dockerfile`, if updated to build v4
+
+Likely remove or archive during cutover:
+
+- root `cmd/`
+- root `pkg/`
+- root `internal/` generated v3 membership/deploy clients, unless still needed
+- root `main.go`
+- root `go.mod`
+- root `go.sum`
+- root `completions/`, if regenerated by v4 release process
+
+Likely move from `v4/` to root:
+
+- `v4/main.go` -> `main.go`
+- `v4/cmd/` -> `cmd/`
+- `v4/internal/` -> `internal/`
+- `v4/go.mod` -> `go.mod`
+- `v4/go.sum` -> `go.sum`
+- `v4/README.md` content merged into root `README.md`
+
+## Module Path Plan
+
+Before cutover, decide whether the root module path remains:
+
+```text
+github.com/formancehq/fctl/v4
+```
+
+or whether packaging keeps the module path separate from binary versioning.
+
+If the module path changes during the move, update imports mechanically and run:
+
+```bash
+go mod tidy
+go test ./...
+```
+
+## Proposed Cutover Steps
+
+1. Create a final pre-cutover tag or branch.
+2. Ensure `feat/v4` is up to date with the target base branch.
+3. Run from `v4/`:
+
+   ```bash
+   go test ./...
+   go run . --help
+   go run . version
+   ```
+
+4. Remove root v3 implementation files listed in the inventory.
+5. Move v4 implementation files to root.
+6. Update import paths if needed.
+7. Update release/build files to target the new root module.
+8. Regenerate completions if they are committed artifacts.
+9. Run from root:
+
+   ```bash
+   go mod tidy
+   go test ./...
+   go run . --help
+   go run . version
+   ```
+
+10. Run migration and context smoke tests against temporary config directories.
+11. Review generated manifest and release packaging diffs.
+12. Commit the cutover as one explicit commit.
+
+## Validation Matrix
+
+- `context create/list/show/use` against temp config.
+- `target inspect` against fake `/versions`.
+- `ledger transactions list` against fake Ledger v2 endpoint.
+- `config migrate-v3 --dry-run` against fixture v3 config.
+- `config migrate-v3` write mode against fixture v3 config.
+- JSON output for context, target, Ledger, migration.
+- YAML output for at least context and target.
+- Non-interactive mode for setup-like commands.
+- Error paths:
+  - missing config
+  - invalid context config
+  - missing credentials
+  - unsupported pinned API version
+
+## User Compatibility Notes
+
+- v3 profiles are not silently modified.
+- Users migrate explicitly with `config migrate-v3`.
+- Stack contexts no longer require Formance Cloud membership.
+- API version selection defaults to latest compatible target/CLI intersection.
+- Product commands should avoid exposing API namespaces in command paths.
+
+## Risks
+
+- Some v3 commands may not have v4 parity at cutover.
+- Release tooling may still assume the root v3 module layout.
+- The generated capabilities manifest may need to be refreshed before release.
+- Cloud auth device flow is implemented, but it still needs release-readiness
+  validation against Cloud and EE before cutover.
+- Hidden product surfaces such as `cloud apps ...` and `ledger transactions
+  explain` must either be promoted with an explicit contract or remain hidden at
+  cutover.
+
+## Rollback
+
+Rollback should restore the pre-cutover branch or tag. Do not attempt partial rollback by mixing root v3 and moved v4 files.
diff --git a/docs/cli-v4/implementation-audit.md b/docs/cli-v4/implementation-audit.md
new file mode 100644
index 00000000..0d1e2927
--- /dev/null
+++ b/docs/cli-v4/implementation-audit.md
@@ -0,0 +1,83 @@
+# fctl v4 Implementation Audit
+
+This audit records the implementation status of `plan.md` so reviewers can
+separate completed migration work from explicit blockers and future cutover
+work.
+
+## Implemented
+
+- v4 remains isolated under `v4/`; v3 root command behavior has not been moved.
+- Profiles/contexts, credentials, auth strategies, runtime target resolution, `/versions`
+  parsing, and API version selection are implemented in v4 packages.
+- Global flags from the migration plan are implemented when actionable:
+  `--profile`, hidden deprecated `--context`, `--organization`, `--stack`,
+  `--config-dir/-c`, `--debug/-d`, `--insecure-tls`, `--non-interactive`,
+  `--no-color`, and `--output`.
+- Root `login`, `logout`, and `whoami` provide the primary user-facing
+  authentication flow. `profile` is the primary target-management command, while
+  `context` and `session` are hidden from help.
+- Interactive `login` uses Charmbracelet Huh when stdin/stderr are terminals.
+  Non-TTY runs, `--non-interactive`, and tests keep deterministic plain prompts
+  and flag errors.
+- Browser/device login is implemented for Cloud and EE. Login does not expose a
+  static-token choice in the wizard. Device credentials are stored outside the
+  config file and can be refreshed when command scopes are missing.
+- `--telemetry` and `--quiet` are intentionally not exposed as silent no-ops.
+- Cloud control-plane commands are grouped under `cloud`, with `cloud stacks`
+  as the canonical stack lifecycle command and deprecated `cloud_stacks`,
+  `stack`, and `stacks` aliases.
+- `cloud stacks create` provides interactive name, region, and version prompts,
+  sorts stack versions descending, waits for availability by default, and shows
+  styled progress and final output.
+- Stack data-plane commands do not require Formance Cloud membership.
+- Ledger commands use canonical CLI flags and runtime API resolution, including
+  v1/v2 adaptation and deprecated flag aliases.
+- Payments, wallets, flows, reconciliation, Auth service, and webhooks have v4
+  command families with migration aliases for low-cost v3 shapes.
+- Human output is styled through shared terminal helpers. JSON/YAML output stays
+  stable for scripts. `--debug/-d` emits HTTP diagnostics to stderr with
+  sensitive headers redacted.
+- The removed `search` product is not exposed in v4.
+- `v4/testdata/v3-command-inventory.json` records the v3 Cobra inventory used
+  during migration review.
+- The user-facing docs under `docs/cli-v4/` describe command reference,
+  runtime behavior, migration behavior, compatibility aliases, testing strategy,
+  config migration, versioning ownership, and cutover constraints.
+
+## Explicitly Deferred Or Blocked
+
+- `auth login/status/token/logout` are not kept as aliases. `auth` is reserved
+  for stack Auth service resources.
+- `cloud personal-tokens create` is not implemented because the v3 flow depends
+  on Cloud claims, stack access checks, and an Auth token exchange model not yet
+  present in the v4 runtime.
+- `cloud apps ...` is hidden from visible help because Cloud apps are not part
+  of the v4 product surface yet.
+- `ledger transactions explain` is hidden until the public stack spec and
+  `formance-sdk-go` expose `explainTransaction`.
+- Runtime capabilities are still coarse-grained at product/API-namespace level.
+  Feature-level manifest checks and intra-namespace capability ranges are
+  documented as follow-up work in `docs/cli-v4/versioning-and-ownership.md`.
+- Plugins are not the v4 MVP architecture. They remain a future option once
+  packaging, discovery, installation, and per-product ownership are explicit.
+- A reusable OpenAPI-backed mock server remains future work. Current v4 tests
+  use targeted `httptest` handlers that assert method, path, query, body,
+  stdout, stderr, errors, and deprecation warnings.
+- Cutover from `v4/` to the repository root remains blocked by
+  `docs/cli-v4/cutover-plan.md` and must be done in a dedicated goal.
+
+## Verification
+
+Before the latest review commits, the following gates were run repeatedly:
+
+```bash
+cd v4 && go test ./...
+git diff --check
+nix develop --impure --command just pre-commit
+```
+
+The v4 tree currently has command integration tests in `v4/cmd/root_test.go`
+and focused package tests across config, credentials, auth, capabilities,
+runtime, Ledger, Payments, Wallets, Flows, and target proxy behavior. The latest
+manual command audit covered 193 visible executable leaf commands with zero
+untested visible commands.
diff --git a/docs/cli-v4/migration-from-v3.md b/docs/cli-v4/migration-from-v3.md
new file mode 100644
index 00000000..b238a5d9
--- /dev/null
+++ b/docs/cli-v4/migration-from-v3.md
@@ -0,0 +1,49 @@
+# Migration From fctl v3
+
+The v4 CLI should import v3 configuration without deleting or rewriting it in place.
+
+## Mapping
+
+Current v3 profile fields:
+
+- `membershipURI`
+- `rootTokens`
+- `defaultOrganization`
+- `defaultStack`
+
+Suggested v4 mapping:
+
+- `membershipURI` -> `cloudURL`
+- `defaultOrganization` -> context `organization`
+- `defaultStack` -> context `stack`
+- `rootTokens` -> keyring credential, referenced by `tokenRef`
+
+## Command
+
+Provide an explicit migration command:
+
+```bash
+fctl config migrate-v3
+```
+
+By default the command reads the v3 configuration from
+`$HOME/.config/formance/fctl`. Use `--from <dir>` only when the v3 config lives
+elsewhere. The source directory must contain the v3 `config.yml` file and the
+`profiles/` directory.
+
+The command writes the v4 config to the platform user config directory as
+`config.yaml` (`$HOME/Library/Application Support/formance/fctl/config.yaml`
+on macOS, or `--config-dir <dir>/config.yaml` when provided). It does not create
+or mutate the v3 `config.yml` source file.
+
+The command should:
+
+1. Read v3 config and profiles.
+2. Show the contexts that will be created.
+3. Move secrets to keyring when possible.
+4. Write v4 config.
+5. Leave v3 files untouched.
+
+## Compatibility
+
+During early v4 releases, support a read-only fallback that can detect v3 profiles and suggest migration. Do not silently mutate v3 profile files during normal command execution.
diff --git a/docs/cli-v4/migration-v3-v4.md b/docs/cli-v4/migration-v3-v4.md
new file mode 100644
index 00000000..1782ec4e
--- /dev/null
+++ b/docs/cli-v4/migration-v3-v4.md
@@ -0,0 +1,113 @@
+# fctl v3 to v4 Migration
+
+This guide tracks the user-facing migration from the current fctl command tree to
+the isolated v4 implementation under `v4/`.
+
+## Core Changes
+
+- Profiles are the primary target selector. A command targets a local,
+  self-hosted, Cloud, or Cloud stack profile instead of assuming Formance Cloud.
+- API versions are selected by capability resolution. Commands expose product
+  intent and use the latest compatible API by default.
+- The CLI is not a complete OpenAPI projection. It exposes product workflows and
+  business features, not every generated endpoint.
+- Generated SDK namespaces remain an implementation detail. Command names and
+  environment-derived internal identifiers include the service name, for example
+  `FCTL_LedgerTransactionList`.
+- `auth` remains the canonical service name. Do not introduce `identity` in this
+  migration.
+- CLI setup and authentication starts at root `login`, with `logout` and
+  `whoami` for daily use. `session` remains hidden implementation detail, so
+  `auth` is not overloaded between CLI authentication state and the stack Auth
+  service.
+- Browser/device login is the default interactive Cloud and EE flow. Client
+  credentials remain available for non-interactive automation. Static-token
+  login is not exposed as an interactive product choice.
+- `flows` is the canonical command for the former `orchestration` product.
+- `cloud stacks` is the canonical command for Cloud stack lifecycle operations.
+  `cloud_stacks`, `stack`, and `stacks` are deprecated migration aliases with
+  warnings.
+- `cloud stacks create` restores the v3-style wizard for missing name, region,
+  and version, then waits for stack availability unless `--no-wait` is passed.
+- `search` is removed from v4 because the product no longer exists.
+
+## Command Renames
+
+| v3 command | v4 command | Migration behavior |
+| --- | --- | --- |
+| `--profile <name>` | `--profile <name>` | Primary selector. |
+| `--context <name>` | `--profile <name>` | Hidden deprecated alias with a warning. |
+| `--organization <org>` / `--stack <stack>` | `--organization <org>` / `--stack <stack>` | Global Cloud/EE target overrides for profiles that support them. |
+| `-c`, `--config-dir <dir>` | `-c`, `--config-dir <dir>` | Kept for config directory selection. |
+| `-d`, `--debug` | `-d`, `--debug` | Kept; runtime diagnostics are written to stderr. |
+| `--insecure-tls` | `--insecure-tls` | Kept as an explicit non-persistent runtime override. |
+| none | `--no-color` | New stable flag; v4 renderers are plain by default. |
+| `ui` | `cloud ui --print` or `cloud ui` | Root `ui` is a hidden deprecated alias. `--print` is non-browser/non-interactive friendly. |
+| `login --membership-uri <url>` | `login --target cloud` or `login --target ee --membership-url <url>` | Browser/device login uses the v3-style device authorization flow and stores root tokens outside config. |
+| `profiles ...` | `profile ...` | `profiles` is a hidden deprecated alias with a warning. |
+| `profiles reset <name>` | `profile unset-defaults <name> --confirm` | Deprecated alias. |
+| `profiles set-default-organization <org>` | `profile set --organization <org>` | Deprecated alias updates the current profile. |
+| `profiles set-default-stack <stack>` | `profile set --stack <stack>` | Deprecated alias updates the current profile. |
+| `orchestration ...` | `flows ...` | `orchestration` is a deprecated alias with a warning. |
+| `orchestration workflows create <file>\|-` | `flows workflows create --file <path>\|-` | Deprecated positional file form warns on stderr. |
+| `orchestration instances describe` | `flows instances inspect` | `describe` remains a deprecated alias. |
+| `payments connectors get-config --connector-id <id>` | `payments connectors config show <connector-id>` | Deprecated alias with a warning. |
+| `payments ... get` | `payments ... show` | `get` remains a deprecated alias when cheap to maintain. |
+| `reconciliation ... get` | `reconciliation ... show` | `get` remains a deprecated alias. |
+| `reconciliation policies reconcile <policy-id> <at-ledger> <at-payments>` | `reconciliation policies reconcile <policy-id> --ledger-at <time> --payments-at <time>` | Deprecated positional timestamp form warns on stderr. |
+| `auth clients get` | `auth clients show` | `get` remains a deprecated alias. |
+| `auth users get` | `auth users show` | `get` remains a deprecated alias. |
+| `auth clients users ...` | `auth users ...` | Deprecated nested alias with a warning. |
+| `webhooks change-secret` | `webhooks secret rotate` | `change-secret` remains a deprecated alias. |
+| `cloud me info` | `cloud me show` | `info` remains a deprecated alias. |
+| `cloud organizations describe` | `cloud organizations show` | `describe` remains a deprecated alias. |
+| `cloud organizations authentication-provider configure <type> <name> <client-id> <client-secret>` | `cloud organizations authentication-provider configure --type <type> --name <name> --client-id <client-id> --client-secret-stdin` | Deprecated positional form warns on stderr. |
+| `cloud_stacks ...` | `cloud stacks ...` | Deprecated alias with warnings for Cloud lifecycle commands. |
+| `stack ...` / `stacks ...` | `cloud stacks ...` | Deprecated aliases with warnings for Cloud lifecycle commands. |
+| `cloud apps ...` | none visible | Hidden until the Cloud apps product contract is part of the v4 surface. |
+| `search ...` | none | Removed. |
+
+## Argument Changes
+
+| Area | v3 shape | v4 shape |
+| --- | --- | --- |
+| Wallet credit | `wallets credit <amount> <asset>` | `wallets credit <wallet-id> --amount <amount> --asset <asset>` |
+| Wallet debit | `wallets debit <amount> <asset>` | `wallets debit <wallet-id> --amount <amount> --asset <asset>` |
+| Payment connector config update | connector type plus `--connector-id` | `payments connectors config update <connector-id> --file <path>\|-` |
+| Reconciliation run | positional timestamps | `reconciliation policies reconcile <policy-id> --ledger-at <time> --payments-at <time>` |
+| Webhook secret rotation | positional secret | `webhooks secret rotate <config-id> --secret-stdin` or `--secret` |
+
+## Secrets
+
+Secrets should not be passed positionally in new v4 commands. Prefer stdin flags
+such as `--secret-stdin` when available. Plain text output must not print clear
+secrets returned by APIs. Structured output can expose explicit response fields
+when the command is intentionally machine-readable.
+
+## Debugging And Output
+
+`-d`/`--debug` is kept for v3 debugging workflows. It writes HTTP diagnostics to
+stderr, including method, URL, status, and headers, while redacting sensitive
+headers such as `Authorization`, `Cookie`, and `Set-Cookie`.
+
+Human output should use the shared styled renderers. JSON and YAML output remain
+plain and scriptable. Prompt cancellation should not leak low-level prompt
+messages.
+
+## Deferred Items
+
+- `--telemetry` is deferred until opt-in/out behavior and stored state are
+  documented.
+- `--quiet` is deferred until each command family defines its primary quiet
+  output, so v4 does not expose a silent no-op flag.
+- `ledger transactions explain` is hidden until the public stack spec and SDK
+  expose the operation.
+- Plugin-based command isolation remains a future architecture option. The v4
+  MVP keeps one binary to reduce installation, packaging, and ownership
+  complexity while the target/auth/rendering model stabilizes.
+
+## Compatibility Warnings
+
+Deprecated aliases should write warnings to stderr and include the canonical v4
+command. They are not long-term compatibility guarantees and can be removed in a
+minor v4 release or in v5 depending on usage and maintenance cost.
diff --git a/docs/cli-v4/runtime-behavior.md b/docs/cli-v4/runtime-behavior.md
new file mode 100644
index 00000000..740cbfed
--- /dev/null
+++ b/docs/cli-v4/runtime-behavior.md
@@ -0,0 +1,146 @@
+# fctl v4 Runtime Behavior
+
+This page documents the current behavior that is not obvious from command help
+alone. It is intended as the operational companion to the architecture RFC and
+the command reference.
+
+## Target Model
+
+v4 separates target selection, authentication, API version resolution, and
+rendering.
+
+- `profile` selects the configured target.
+- `--organization` and `--stack` are Cloud or EE stack overrides.
+- Stack data-plane commands can run against a direct `stack` profile without
+  Cloud membership.
+- Cloud control-plane commands require a `cloud` or `cloud-stack` profile.
+- Product commands ask the runtime for the best supported SDK namespace instead
+  of exposing API namespaces in command paths.
+
+## Login
+
+`fctl login` is the primary user-facing authentication flow. It creates or
+replaces the selected profile, defaulting to `default`.
+
+Visible login modes:
+
+- `fctl login --target cloud`
+- `fctl login --target ee --membership-url <url>`
+- `fctl login --target open-source --stack-url <url>`
+- `fctl login --target cloud --client-id <id> --client-secret-stdin`
+- `fctl login --target ee --membership-url <url> --client-id <id> --client-secret-stdin`
+
+Interactive terminals use a Charmbracelet Huh wizard. The wizard asks only for
+fields that were not provided by flags, then prints the selected values as
+styled confirmation lines. Non-TTY execution and `--non-interactive` keep stable
+flag validation and never require interactive prompts.
+
+Browser/device login uses the Cloud or EE OIDC device authorization endpoint.
+The CLI opens the browser when possible, prints the verification URL when it
+cannot, then polls until authentication succeeds or expires.
+
+Static-token login is not exposed as a login choice. The config model can still
+represent token credentials for explicit contexts and migration compatibility,
+but users should not see a "static token" option in the login wizard.
+
+## Cloud Scopes
+
+Device login requests the full Cloud organization scope set needed by visible
+Cloud commands, including stack, region, policy, user, invitation, OAuth client,
+authentication-provider, logs, and feature scopes.
+
+Stored device credentials are validated before use. If the access token is
+expired or does not contain the scopes required by the command, the device token
+source refreshes credentials with the missing command scopes and stores the
+refreshed token set.
+
+Scope errors such as `invalid_scope` or `missing one of scopes` usually mean the
+stored credentials predate the current scope list or the Cloud authorization
+server rejected a requested scope. Re-run `fctl login` after scope list changes.
+
+## API Version Resolution
+
+Stack product commands resolve API versions at runtime:
+
+1. Fetch `<stack-url>/versions`.
+2. Read component versions and health values.
+3. Map component versions to supported API namespaces using the generated
+   compatibility data.
+4. Intersect target support with handlers compiled into the CLI.
+5. Select the highest compatible API namespace unless `--api-version` pins one.
+
+The command path stays product-oriented, for example
+`ledger transactions list`; generated SDK namespaces remain implementation
+details.
+
+The current resolver works at API-namespace granularity. It does not yet model
+every feature or parameter difference inside a namespace. See
+`docs/cli-v4/versioning-and-ownership.md` for the known gaps and the planned
+capabilities improvements.
+
+## Cloud Stack Creation Wait
+
+`cloud stacks create` waits for availability by default. Use `--no-wait` to
+return immediately after the Cloud API accepts stack creation.
+
+The wait loop uses two signals in order:
+
+1. It probes `<stack-url>/versions`. The stack is considered available only when
+   the endpoint returns HTTP 200, returns at least one version, and every
+   returned version has `health=true`.
+2. If `/versions` is unavailable or unhealthy, it falls back to the Cloud
+   membership stack status and keeps polling until the stack reaches `READY`.
+
+The wait loop polls every two seconds, has a ten-minute default timeout, and
+prints a styled spinner in interactive terminals. The spinner message includes
+the stack URL when the Cloud API has returned it.
+
+The final human output is a single styled success block containing the stack ID
+and URL. It should not print a second unstyled "created" line.
+
+## Output Rendering
+
+Human output uses the shared terminal styling helpers in `v4/cmd/terminal_ui.go`.
+Commands should not print raw key/value lines or plain success strings unless
+they are intentionally in structured output mode.
+
+Rendering rules:
+
+- Human output is styled and goes to stdout.
+- Warnings, debug traces, and deprecation messages go to stderr.
+- `--output json` and `--output yaml` bypass decorative human styling.
+- `--no-color` disables color but keeps stable spacing and labels.
+- Secrets are masked in human output. Use stdin flags such as `--secret-stdin`
+  for secret input.
+- Prompt cancellation should return a clean cancellation error without leaking
+  low-level prompt messages such as `prompt cancelled`.
+
+The rendering policy is enforced by tests that scan command implementations for
+unstyled output paths.
+
+## HTTP Debugging
+
+`-d` and `--debug` enable technical diagnostics on stderr.
+
+Debug mode prints:
+
+- selected context, target kind, and target URL;
+- outgoing HTTP method and URL;
+- request headers, with sensitive headers redacted;
+- response status and response headers, with sensitive headers redacted.
+
+Sensitive headers include `Authorization`, `Cookie`, and `Set-Cookie`.
+
+Debug output is for troubleshooting and must not change stdout rendering or
+structured output.
+
+## Hidden Product Surface
+
+Some code paths exist but are hidden until the product contract is explicit:
+
+- `cloud apps ...` is hidden from visible help and command audits.
+- `ledger transactions explain` is hidden until the public stack spec and
+  `formance-sdk-go` expose `explainTransaction`.
+
+Hidden commands can remain covered by tests, but they are not part of the user
+contract and should not be listed as visible commands in the command reference.
diff --git a/docs/cli-v4/testing-strategy.md b/docs/cli-v4/testing-strategy.md
new file mode 100644
index 00000000..b260f58b
--- /dev/null
+++ b/docs/cli-v4/testing-strategy.md
@@ -0,0 +1,79 @@
+# fctl v4 Testing Strategy
+
+The v4 CLI should remain scriptable, version-aware, and safe for local,
+self-hosted, and Cloud targets.
+
+## Unit Tests
+
+| Area | Coverage |
+| --- | --- |
+| `internal/config` | Config parsing, defaults, context validation, v3 migration idempotence. |
+| `internal/credentials` | In-memory store, insecure file fallback, delete/read errors, file modes. |
+| `internal/auth` | No-auth, token refs, stdin/env token sources, client credentials token flow. |
+| `internal/capabilities` | `/versions` parsing, semver ranges, latest compatible selection, pinned API errors. |
+| `internal/runtime` | Context resolution, auth wiring, target versions, API policy. |
+| `internal/commands/*` | Canonical inputs, version-specific SDK adapters, validation errors. |
+| `internal/render` | Plain/json/yaml behavior and stdout/stderr separation. |
+
+## CLI Integration Tests
+
+Use `httptest` servers per command family. Each test should:
+
+- create a temporary v4 config directory;
+- create or select an explicit context;
+- expose `/versions` with the product under test;
+- assert the exact API path, method, query, and request body;
+- assert stdout, stderr, and returned errors;
+- verify deprecated aliases warn on stderr;
+- verify destructive commands require `--confirm`;
+- verify plain output does not print secrets.
+- verify human output uses the shared styled renderers for success, info,
+  warnings, key/value blocks, and tables.
+- verify hidden commands stay out of visible help and visible command audits.
+
+## Mock Stack
+
+The OpenAPI stack spec is available at:
+
+```text
+https://github.com/formancehq/stack/releases/download/v3.2.4/generate.json
+```
+
+A future mock server can be generated under `v4/internal/testserver/openapi`.
+Until then, targeted `httptest` handlers are preferred because they keep each
+command migration small and reviewable.
+
+## Gates Before Commit
+
+Run from the repository root unless noted:
+
+```bash
+cd v4 && go test ./...
+git diff --check
+nix develop --impure --command just pre-commit
+```
+
+Only stage the v4 files and documentation for the current logical change. Do not
+stage unrelated v3 changes or pre-existing todo deletions.
+
+## Manual Command Audit
+
+For broad command-surface changes, build the v4 binary and audit visible leaf
+commands from Cobra help/completion. The audit should exclude hidden commands and
+the synthetic `help <command>` subtree.
+
+Each visible leaf command should be covered by one of:
+
+- a real command execution against a safe Cloud or stack target;
+- a local fake Cloud/stack server for mutating or destructive commands;
+- a documented expected error when the selected real target does not expose that
+  component, followed by local fake-server coverage for the command behavior.
+
+The audit output should record:
+
+- visible executable leaf command count;
+- `--help` routing failures;
+- covered OK commands;
+- commands unavailable on the selected real target;
+- commands intentionally hidden until supported;
+- commands not manually executed yet.
diff --git a/docs/cli-v4/versioning-and-ownership.md b/docs/cli-v4/versioning-and-ownership.md
new file mode 100644
index 00000000..a7937450
--- /dev/null
+++ b/docs/cli-v4/versioning-and-ownership.md
@@ -0,0 +1,189 @@
+# fctl v4 Versioning And Ownership
+
+This document records the current v4 position after comparing the isolated v4
+architecture with the plugin architecture proposal. It focuses on where API
+version complexity lives, who owns CLI evolution, and what must be explicit
+before cutover.
+
+## Product Surface
+
+`fctl` is not intended to be a full OpenAPI explorer. Commands should expose
+stable Formance product intent.
+
+That means:
+
+- a business feature may map to one endpoint, several endpoints, or no direct
+  one-to-one OpenAPI operation;
+- not every stack endpoint must become a visible CLI command;
+- generated SDK namespaces remain implementation details;
+- visible command names should stay stable when API paths or generated SDK names
+  change;
+- hidden commands are acceptable when code exists but the product contract is not
+  ready.
+
+This is why `cloud apps ...` and `ledger transactions explain` can exist in code
+without being part of the visible v4 command surface.
+
+## Current MVP Choice
+
+The current v4 implementation keeps product commands in the main `fctl` binary.
+This is an MVP and operational choice, not a claim that the monolithic approach
+is always structurally better than plugins.
+
+The main benefits are:
+
+- zero install friction for users;
+- one binary to distribute, debug, sign, and support;
+- one place for profile, auth, target resolution, rendering, and command tests;
+- easier migration from v3 while the team is still stabilizing ownership.
+
+The main costs are:
+
+- handlers, mappers, and tests accumulate as API versions accumulate;
+- static Cobra help can show flags that only some target versions support;
+- intra-version capability differences need explicit modeling;
+- the main binary can grow if support windows are unbounded.
+
+## Why Plugins Are Not The MVP
+
+Plugins remain a valid future architecture, but they move complexity from code
+to operations.
+
+They would require clear answers for:
+
+- plugin packaging and signing;
+- plugin registry and discovery;
+- automatic installation for Cloud stacks;
+- self-hosted and local installation flows;
+- per-product ownership and release duties;
+- version retirement policy;
+- support and debugging when the core CLI and plugin versions drift;
+- CI expectations for every product team.
+
+That operational overhead is too high for the current MVP. The team already has
+maintenance pressure on shared tools; multiplying binaries and release surfaces
+would make ownership harder before the v4 model is validated.
+
+The plugin architecture should be revisited when:
+
+- the core profile/auth/rendering model is stable;
+- product teams have explicit CLI ownership expectations;
+- plugin packaging and discovery can be made nearly invisible for Cloud users;
+- self-hosted/local users have a documented setup flow;
+- the monolithic handler surface starts creating measurable maintenance or binary
+  size problems.
+
+## Capabilities Gaps
+
+The current capabilities system is intentionally useful but incomplete.
+
+The model is intentionally close to the Console/frontend approach: discover the
+running component versions, select compatible generated SDK code, and keep the
+user-facing surface stable while stack releases move forward.
+
+It handles coarse API namespace selection:
+
+1. read `/versions`;
+2. map component semver ranges to supported API namespaces;
+3. intersect target API namespaces with command handler API namespaces;
+4. select the highest compatible namespace unless pinned.
+
+Known gaps:
+
+- the generated manifest contains per-feature operation metadata, but command
+  execution does not currently query it to prove that a selected API namespace
+  exposes the requested feature;
+- `Feature` is passed through version resolution mostly for error context;
+- capabilities do not model feature availability inside the same API namespace,
+  such as a query parameter or response field added in a minor component
+  version;
+- version-dependent flags are static Cobra flags, so `--help` can show a flag
+  that the selected target stack does not support.
+
+Required improvements:
+
+- use the generated manifest at runtime to verify feature availability for the
+  selected API namespace;
+- add feature-level compatibility ranges for intra-namespace differences;
+- centralize version-dependent flag validation instead of scattering ad hoc
+  `if` checks inside handlers;
+- annotate version-dependent flags in help text as a low-cost short-term fix,
+  for example `[ledger v2+]`;
+- decide later whether target-aware dynamic help is worth the network call to
+  `/versions`.
+
+## SDK And Release Cadence
+
+The v4 CLI may temporarily need SDK code that is ahead of the last public stack
+release, especially while a product feature, generated SDK, stack release, and
+CLI command are being developed in parallel.
+
+That is acceptable only when the drift is short-lived and explicit:
+
+- prefer generated SDK updates over hand-written request code;
+- avoid pinning long-lived commit hashes without a cleanup plan;
+- document when a custom or ahead-of-release SDK is required;
+- remove temporary SDK workarounds once the stack release and public SDK catch
+  up;
+- keep capabilities data aligned with the stack versions users can actually run.
+
+Faster SDK generation and release cadence should reduce the time between product
+feature implementation and CLI availability, but it does not remove the need for
+capability checks.
+
+## Support Window
+
+v4 must not imply unbounded support for every historical stack version forever.
+
+Before cutover, define a support policy such as:
+
+- latest stack major plus one previous supported major;
+- product-specific exceptions documented in compatibility data;
+- deprecated API handlers removed only at explicit release boundaries;
+- command tests covering every supported API namespace in the policy.
+
+Every new product API version should include a CLI impact note:
+
+- new visible command;
+- new flag on an existing command;
+- changed request or response mapping;
+- required compatibility range update;
+- tests to add or remove;
+- documentation to update.
+
+## Ownership Rule
+
+The initial v4 migration can be bootstrapped centrally, but future product
+changes must include CLI work when they affect user-facing operations.
+
+For a product PR that changes an API contract, the expected checklist is:
+
+- update or confirm the OpenAPI spec;
+- update generated SDK or custom SDK references as needed;
+- update compatibility data;
+- update the relevant `fctl` command or explicitly document why no CLI surface is
+  exposed;
+- update tests for command behavior and version compatibility;
+- update `docs/cli-v4/command-reference.md` and related docs.
+
+The CLI should not become a separate backlog owned only by a few maintainers.
+Product teams own the CLI surface for their product in the same way they own API
+and documentation changes.
+
+## RFC And Review Governance
+
+Architecture changes need a clear review window.
+
+Recommended process:
+
+- publish the RFC or PR with a concrete review deadline;
+- ask required reviewers to acknowledge with a comment or approval marker;
+- unresolved objections must be written on the PR/RFC, not only discussed in
+  Slack;
+- if no blocking comments are added before the deadline, the proposal can be
+  considered accepted for the stated scope;
+- large competing approaches, such as plugins versus monolithic handlers, should
+  be recorded as ADR/RFC tradeoffs instead of staying as informal PR comments.
+
+This keeps disagreement visible and prevents important architecture decisions
+from depending on private or ephemeral discussion.
diff --git a/docs/rfcs/0001-fctl-v4-architecture.md b/docs/rfcs/0001-fctl-v4-architecture.md
new file mode 100644
index 00000000..f3f01fdb
--- /dev/null
+++ b/docs/rfcs/0001-fctl-v4-architecture.md
@@ -0,0 +1,203 @@
+# RFC 0001: fctl v4 Architecture
+
+Status: Draft
+
+## Summary
+
+`fctl` v4 should be rebuilt around Formance targets rather than Formance Cloud membership. The CLI should work naturally against Formance Cloud, self-hosted stacks, and local development stacks. Authentication, target selection, API version selection, and rendering should be independent runtime concerns.
+
+The current CLI is Cloud-first: profiles store a membership URL and root Cloud tokens, and stack clients are created through membership-derived stack access. That makes local and self-hosted usage awkward or impossible without a Cloud membership. It also makes API version selection a command-level concern, so Ledger commands often call the oldest API namespace even when newer SDK namespaces exist.
+
+## Goals
+
+- Make local and self-hosted stack usage first-class.
+- Keep Cloud workflows supported without making Cloud the root abstraction.
+- Introduce contexts as the primary user-facing target selector.
+- Support multiple authentication methods: Cloud device flow, generic OIDC, client credentials, token, and explicit no-auth development mode.
+- Select the best compatible API namespace automatically using `/versions` and a generated manifest.
+- Keep CLI commands stable at the product language level, even when OpenAPI names change.
+- Preserve scriptability with stable JSON/YAML output, non-interactive modes, and predictable exit codes.
+
+## Non-Goals
+
+- Do not expose API namespaces directly in the primary UX, such as `fctl ledger v2 ...`.
+- Do not require a new server-side capabilities endpoint for v4 MVP.
+- Do not rewrite the public Go SDK as part of the CLI rewrite.
+- Do not make interactive TUI flows mandatory.
+
+## Current Problems
+
+- Authentication is structurally tied to Formance Cloud membership.
+- The profile model conflates identity, Cloud organization, stack selection, and token storage.
+- Stack commands must authenticate through membership before building stack clients.
+- Commands call SDK namespaces directly, for example `Ledger.V1` or `Ledger.V2`, making version policy scattered.
+- CLI flags mirror API shapes too closely, which makes API evolution leak into the user experience.
+- Secrets are stored in profile files rather than being consistently delegated to secure storage.
+
+## Target Model
+
+The v4 runtime should separate these concepts:
+
+- **Context**: named user selection, similar to Docker or Kubernetes contexts.
+- **Target**: the actual thing a command talks to, such as a Cloud control plane or a stack data plane.
+- **Auth**: how credentials are obtained for that target.
+- **Capabilities**: what the CLI infers the target can support.
+- **API version policy**: how the CLI chooses among SDK namespaces.
+- **Rendering**: how typed command results become tables, JSON, YAML, or human text.
+
+Example context:
+
+```yaml
+currentContext: local
+contexts:
+  local:
+    kind: stack
+    stackURL: http://localhost/api
+    auth:
+      method: client_credentials
+      issuerURL: http://localhost/api/auth
+      clientID: testing
+      secretRef: keyring://formance/local/testing
+    defaults:
+      ledger: default
+    api:
+      ledger: latest-compatible
+
+  cloud-prod:
+    kind: cloud-stack
+    cloudURL: https://app.formance.cloud/api
+    organization: org_x
+    stack: stack_y
+    auth:
+      method: cloud_device
+      account: user@example.com
+    api:
+      ledger: latest-compatible
+```
+
+## Command Model
+
+Commands represent product intent, not OpenAPI operations. For example:
+
+```bash
+fctl ledger transactions list
+fctl ledger transactions revert <id>
+fctl ledger schemas insert <version>
+```
+
+Each command parses a canonical input model, then delegates to a versioned handler selected by the runtime.
+
+```go
+type VersionedCommand[In any, Out any] struct {
+    Product  string
+    Feature  string
+    Handlers []VersionedHandler[In, Out]
+}
+
+type VersionedHandler[In any, Out any] struct {
+    APIVersion APIVersion
+    Run        func(context.Context, *formance.Formance, In) (Out, error)
+}
+```
+
+The Cobra command should only parse flags, construct the canonical input, and call the typed command package.
+
+## API Version Selection
+
+The server currently exposes `/versions`, not a full capabilities endpoint. That is sufficient for v4.
+
+Runtime flow:
+
+1. Call `sdk.GetVersions(ctx)`.
+2. Read component versions, such as `ledger=2.3.4`.
+3. Map component versions to supported API namespaces through a small compatibility table.
+4. Intersect server-supported API namespaces with SDK handlers available in the CLI.
+5. Choose the highest compatible version by default.
+
+Example:
+
+- CLI has handlers for `ledger.v1`, `ledger.v2`, `ledger.v3`.
+- `/versions` reports Ledger `2.3.4`.
+- Compatibility table says Ledger `>=2.0.0 <3.0.0` supports `v1` and `v2`.
+- The command uses `Ledger.V2`.
+
+Users can still force a version:
+
+```bash
+fctl ledger transactions list --api-version v1
+fctl ledger transactions list --latest
+```
+
+The default should be `latest-compatible`.
+
+## Compatibility Manifest
+
+Most operation metadata should be generated from the released OpenAPI document, for example:
+
+`https://github.com/formancehq/stack/releases/download/v3.2.4/generate.json`
+
+The OpenAPI tags already contain names like `ledger.v1`, `ledger.v2`, `payments.v1`, `payments.v3`, `orchestration.v1`, and `orchestration.v2`. The generator can produce a manifest mapping product, API namespace, operation ID, and path.
+
+The only manual compatibility data should be component-version ranges to API namespaces, such as:
+
+```go
+ledger >= 1.0.0 < 2.0.0 => v1
+ledger >= 2.0.0 < 3.0.0 => v1, v2
+ledger >= 3.0.0          => v1, v2, v3
+```
+
+## Flag and Parameter Design
+
+CLI flags should use Formance product vocabulary, not generated API field names. If an API changes `account` to `address`, but the product concept is still an account address, the CLI should expose one canonical flag and map it internally.
+
+Rules:
+
+- If only the API name changed, keep one canonical CLI flag.
+- If an old CLI flag is widely used, keep it as a deprecated alias.
+- If a flag only works on newer API versions, keep it visible and validate it against runtime capabilities.
+- If concepts diverge semantically, create separate product-level commands rather than version-suffixed commands.
+
+## Technical Stack
+
+- Keep Cobra and pflag for command routing, help, aliases, deprecations, and shell completions.
+- Keep Cobra thin; do not put target/auth/version logic in command files.
+- Use Charmbracelet Huh for optional interactive setup flows.
+- Use Lip Gloss and Glamour for terminal and Markdown rendering where useful.
+- Use a system keyring for secrets and explicit insecure fallback only when requested.
+- Use XDG-aware paths for config, cache, and state.
+- Use `testscript` style integration tests for real CLI behavior.
+- Use GoReleaser for packaging, checksums, completions, and package manager artifacts.
+- Build the rewrite under a top-level `v4/` directory during the transition. Keep the current root implementation intact until the explicit cutover.
+
+## Proposed Package Shape
+
+```text
+v4/cmd/                  Cobra declarations only
+v4/internal/runtime/     target resolution, auth, versions, API selection
+v4/internal/config/      contexts, defaults, XDG paths, migrations
+v4/internal/credentials/ keyring and insecure fallback
+v4/internal/capabilities generated manifest and compatibility ranges
+v4/internal/commands/    typed product command implementations
+v4/internal/render/      table, json, yaml, markdown
+v4/internal/prompt/      optional interactive flows
+```
+
+## Migration
+
+The v4 CLI should import v3 profiles into contexts:
+
+- A v3 Cloud profile becomes a `cloud-stack` or `cloud` context.
+- Membership tokens move out of profile files into the credential store when possible.
+- Existing default organization and stack become context defaults.
+- The v3 config should not be deleted automatically.
+
+## Open Questions
+
+- Exact naming for `context` versus `target`.
+- Whether compatibility ranges should live in the CLI repo, the SDK repo, or both.
+- How aggressively to warn when a newer API namespace is available.
+
+## Resolved Decisions
+
+- Do not create generic command aliases such as `fctl transaction list`; commands
+  stay service-qualified, for example `fctl ledger transactions list`.
diff --git a/go.mod b/go.mod
index 79ded667..83d34f5f 100644
--- a/go.mod
+++ b/go.mod
@@ -18,6 +18,7 @@ require (
 	github.com/pterm/pterm v0.12.83
 	github.com/segmentio/ksuid v1.0.4
 	github.com/spf13/cobra v1.10.2
+	github.com/spf13/pflag v1.0.10
 	github.com/zitadel/oidc/v2 v2.12.2
 	golang.org/x/mod v0.34.0
 	golang.org/x/oauth2 v0.36.0
@@ -71,7 +72,6 @@ require (
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
 	github.com/uptrace/bun v1.2.18 // indirect
diff --git a/plan.md b/plan.md
new file mode 100644
index 00000000..78bc862d
--- /dev/null
+++ b/plan.md
@@ -0,0 +1,769 @@
+# Plan de migration fctl v3 vers fctl v4
+
+Statut: brouillon de travail pour la migration complete.
+
+Source d'inventaire:
+
+- commandes v3 sous `cmd/`;
+- architecture v4 sous `docs/rfcs/0001-fctl-v4-architecture.md`;
+- ADR v4 sous `docs/adr/`;
+- design des commandes sous `docs/cli-v4/command-design.md`;
+- manifeste de compatibilite sous `docs/cli-v4/compatibility-manifest.md`;
+- migration de configuration sous `docs/cli-v4/migration-from-v3.md`.
+
+Objectif du document:
+
+- donner une vision exhaustive des commandes v3 a migrer;
+- definir le nom canonique v4, les alias de compatibilite et les changements d'arguments;
+- servir de base a la documentation utilisateur "v3 vers v4";
+- servir de checklist de review pendant l'implementation;
+- cadrer les tests unitaires, integration et end-to-end necessaires.
+
+## Principes v4
+
+### Modele utilisateur
+
+La v4 ne doit plus supposer que l'utilisateur dispose d'un compte Formance Cloud ou d'un membership.
+
+Les commandes parlent a un profil utilisateur, qui encapsule le contexte
+technique cible:
+
+- `stack`: stack locale ou self-hosted;
+- `cloud`: controle plane Formance Cloud;
+- `cloud-stack`: stack Formance Cloud selectionnee par organisation et stack.
+
+L'authentification est une propriete du profil, pas une hypothese globale du CLI.
+
+### Resolution des versions API
+
+Les commandes exposent une intention produit stable:
+
+```bash
+fctl ledger transactions list
+```
+
+Elles ne doivent pas exposer l'espace de noms SDK comme UX primaire:
+
+```bash
+# Non canonique
+fctl ledger v2 transactions list
+fctl ledger transactions list-v2
+```
+
+Le runtime v4 choisit l'API comme suit:
+
+1. appeler `/versions`;
+2. lire la version du composant, par exemple `ledger=2.3.4`;
+3. convertir la version composant en namespaces API supportes via le manifeste de compatibilite;
+4. intersecter avec les handlers disponibles dans le CLI;
+5. choisir par defaut le namespace le plus recent compatible;
+6. autoriser un override explicite avec `--api-version ledger=v1` ou `--api-version v1` dans une commande produit.
+
+### Regles de naming
+
+| Cas v3 | Regle v4 | Exemple |
+| --- | --- | --- |
+| Commandes avec `_` | kebab-case canonique, alias underscore deprecie | `transfer_initiation` -> `transfer-initiation` |
+| `get` et `describe` melanges | `show` canonique, aliases `get`/`describe` si existants | `payments payments get` -> `payments payments show` |
+| Abreviations peu claires | flag explicite canonique, alias court deprecie | `--ik` -> `--idempotency-key` |
+| Commandes produit historiques avec `_` | grouper sous le service parent quand cela clarifie l'UX | `cloud_stacks` devient `cloud stacks`, avec alias deprecie |
+| Flags API-specifiques | flag produit stable | `--account` reste `--account` meme si l'API v2 attend `address` |
+| Flags v3 tres utilises | conserver comme alias cache ou deprecie | `--src` -> `--source`, `--dst` -> `--destination` |
+| Saisie fichier | `--file <path>|-` quand l'objet principal n'est pas naturellement positionnel | `create <file>|-` peut rester alias |
+| Pagination | `--cursor`, `--page-size` | `ledger transactions list --page-size 20` |
+| Metadata | `--metadata key=value` repetable, `--metadata-file <path>|-` si utile | toutes familles |
+| Confirmation | `--confirm` pour scripts, prompt interactif seulement si TTY | commandes destructives ou mutantes |
+
+### Politique d'alias
+
+La v4 etant une version majeure, elle peut casser des commandes, mais les chemins v3 les plus courants doivent rester disponibles comme aliases de migration quand cela ne complique pas l'implementation.
+
+Regles:
+
+- alias visibles pour les raccourcis utiles (`list`, `ls`);
+- alias deprecie pour les anciens noms (`get`, `transfer_initiation`, `bank_accounts`, `update_status`);
+- alias cache seulement pour les formes tres anciennes ou incoherentes;
+- chaque alias deprecie conserve doit afficher un warning sur stderr qui indique la commande canonique a utiliser;
+- erreur claire si un ancien flag ne peut pas etre mappe sans ambiguite;
+- documentation generee a partir de cette table pour chaque suppression volontaire.
+
+### Format global des flags
+
+| v3 | v4 canonique | Compatibilite | Notes |
+| --- | --- | --- | --- |
+| `--profile` | `--profile` | canonique | Selectionne le profil cible. |
+| `--context` | `--profile` | alias cache deprecie | Reste temporairement pour compatibilite interne, avec warning. |
+| `--organization` / `--stack` | `--organization` / `--stack` | canonique | Override global pour profils Cloud/EE; invalide pour stack directe. |
+| `--config-dir`, `-c` | `--config-dir` | garder `-c` | Le short `-c` reste reserve au repertoire de config. |
+| `--debug`, `-d` | `--debug` | garder `-d` | Active logs techniques sur stderr. |
+| `--output`, `-o plain,json` | `--output`, `-o plain,json,yaml` | extension compatible | Les sorties structurees doivent etre stables. |
+| `--insecure-tls` | `--insecure-tls` dans le contexte ou flag override | garder flag | Ne pas persister implicitement sans action explicite. |
+| `--telemetry` | differe | bloque | La v4 doit documenter opt-in/opt-out avant d'exposer le flag. |
+| absent | `--non-interactive` | nouveau | Aucune question, erreurs propres. |
+| absent | `--api-version` | nouveau | Pin produit ou commande, ex: `ledger=v2`. |
+| absent | `--no-color` | nouveau | Necessaire pour CI et golden tests. |
+| absent | `--quiet` | differe | Necessite un contrat par commande pour definir la donnee principale ou l'identifiant cree. |
+
+Implementation v4:
+
+- `--profile <name>` est le selecteur public principal;
+- `--context <name>` est conserve comme alias cache deprecie de `--profile <name>`; fournir les deux produit une erreur explicite;
+- `--organization <org>` et `--stack <stack>` permettent de cibler une stack Cloud/EE depuis un profil Cloud/EE;
+- `--config-dir <dir>` conserve le short `-c`;
+- `--debug`, `-d` active des logs runtime techniques sur stderr sans modifier stdout;
+- `--insecure-tls` est conserve comme override runtime explicite et non persistant; il configure le client HTTP partage par `/versions`, les SDK stack, les SDK Cloud et les flux `client_credentials`.
+- `--no-color` est expose comme flag stable pour CI/golden tests; les renderers v4 restent sans couleur par defaut.
+
+Points bloques / differes:
+
+- `--telemetry` est differe tant que le modele opt-in/opt-out, l'emplacement d'etat et les donnees collectees ne sont pas documentes; ne pas ajouter de flag no-op silencieux.
+- `--quiet` est differe tant que le contrat de sortie principale n'est pas defini par famille de commandes; ne pas ajouter de flag no-op silencieux.
+
+## Migration configuration et session
+
+| v3 | v4 canonique | Changements | Tests critiques |
+| --- | --- | --- | --- |
+| `fctl login --membership-uri <url>` | `fctl login --target cloud` ou `fctl login --target ee --membership-url <url>` | Wizard racine; browser/device flow differe tant que le contrat n'est pas explicite. | migration de token, erreurs sans browser, non-interactif. |
+| aucun equivalent local propre | `fctl login --target open-source --stack-url <url>` | Local/dev sans auth par defaut. | config schema, no-auth explicite. |
+| aucun equivalent local propre | `fctl login --target cloud --client-id --client-secret-stdin` | Auth machine-to-machine Cloud. | secret jamais ecrit en clair dans config si keyring disponible. |
+| aucun equivalent local propre | `fctl login --target ee --membership-url --client-id --client-secret-stdin` | Auth machine-to-machine EE self-hosted. | renouvellement, expiration, erreurs OAuth. |
+| `fctl profiles list` | `fctl profile list` | `profiles` alias cache deprecie. | format table/json/yaml stable. |
+| `fctl profiles show <name>` | `fctl profile show <name>` | meme argument. | masque les secrets. |
+| `fctl profiles use <name>` | `fctl profile use <name>` | current profile. | ecriture atomique. |
+| `fctl profiles delete <name>` | `fctl profile delete <name>` | refuse si current sans `--force`. | deletion config + references credentials. |
+| `fctl profiles rename <old> <new>` | `fctl profile rename <old> <new>` | meme forme. | conserve current si necessaire. |
+| `fctl profiles reset <name>` | `fctl profile unset-defaults <name> --confirm` | Clarifie le reset comme suppression des defaults uniquement; ne supprime jamais les credentials. Alias deprecie `profiles reset`. | confirmation et non-interactif. |
+| `fctl profiles set-default-organization <org>` | `fctl profile set <name> --organization <org>` | Peut prendre current profile par defaut. | validation kind cloud/cloud-stack. |
+| `fctl profiles set-default-stack <stack>` | `fctl profile set <name> --stack <stack>` | Peut prendre current profile par defaut. | validation kind cloud-stack. |
+| aucun equivalent v3 | `fctl profile create stack <name> --stack-url <url> [--auth ...]` | Base self-hosted/local. | config schema, auth method. |
+| aucun equivalent v3 | `fctl profile create cloud <name> --cloud-url <url>` | Controle plane Cloud. | aucun stack requis. |
+| aucun equivalent v3 | `fctl profile create cloud-stack <name> --cloud-url --organization --stack` | Stack Cloud data-plane. | resolution d'URL stack. |
+| aucun equivalent v3 | `fctl target inspect` | Montre target, auth, `/versions`, API choisies. | mock `/versions`. |
+| aucun equivalent v3 | `fctl config migrate-v3` | Importe les profiles v3 sans les modifier. | fixtures v3, keyring fake, idempotence. |
+| `fctl prompt` | `fctl setup` ou `fctl login` | Garder `prompt` alias cache/deprecie. | ne jamais bloquer en `--non-interactive`. |
+| `fctl version` | `fctl version` | Ajouter build metadata v4. | stdout stable. |
+| `fctl ui` | `fctl cloud ui [--print]` | `ui` racine devient alias cache deprecie; `--print` donne une sortie scriptable sans navigateur. | detection browser/TTY. |
+
+Implementation v4:
+
+- `fctl login` cree ou remplace le profil selectionne par `--profile`, avec `default` comme nom par defaut;
+- `fctl login` utilise un wizard Charmbracelet Huh en terminal interactif, tout
+  en gardant des prompts texte deterministes hors TTY et aucune question en
+  `--non-interactive`;
+- `fctl login --target open-source` cree un profil `stack` no-auth qui parle directement a la stack;
+- `fctl login --target cloud` utilise l'URL Cloud production par defaut;
+- `fctl login --target ee` demande ou prend `--membership-url`;
+- `fctl login` implemente le browser/device flow Cloud/EE dans le style v3 et stocke tokens et secrets hors config via `<config-dir>/credentials` tant que le backend keyring v4 n'est pas branche, avec override possible par `--credential-dir`;
+- `fctl logout` supprime les credentials geres par le CLI du profil courant et repasse son auth a `none`;
+- `fctl whoami` affiche profil, cible, methode d'auth, organisation et stack sans exposer les secrets;
+- `profile unset-defaults [name] --confirm` supprime les defaults du profil sans toucher a l'auth ni aux credentials; les aliases deprecies `profiles reset`, `profiles set-default-organization` et `profiles set-default-stack` restent disponibles pour les migrations peu couteuses.
+- `cloud ui [--print]` reste disponible sur les profils `cloud`/`cloud-stack`; il lit `/_info.consoleURL`, ouvre le navigateur seulement en mode interactif, et refuse les profils `stack`; `ui` racine reste un alias cache deprecie.
+
+## Mapping commandes Cloud
+
+Les commandes Cloud restent sous `cloud`, mais elles doivent utiliser un contexte `cloud` ou `cloud-stack`. Elles ne doivent pas etre requises pour utiliser les produits stack (`ledger`, `payments`, etc.) contre une stack locale.
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `cloud generate-personal-token` | `cloud personal-tokens create` | Sortir le token en `--output json` sans decoration. | Garder ancien nom alias si simple. |
+| `cloud me info` | `cloud me show` | `info` alias. | |
+| `cloud me invitations list` | identique | pagination normalisee si disponible. | |
+| `cloud me invitations accept <id>` | identique | `--confirm` si action irreversible. | |
+| `cloud me invitations decline <id>` | identique | `--confirm` si action irreversible. | |
+| `cloud organizations create <name> --default-stack-role --default-organization-role` | identique | flags kebab-case deja OK; valider enums. | |
+| `cloud organizations list` | identique | `--cursor/--page-size` si API le supporte, sinon adapter page interne. | |
+| `cloud organizations describe <organizationId>` | `cloud organizations show <organization-id>` | alias `describe`; argument kebab dans docs. | |
+| `cloud organizations update <organizationId> --name --default-policy-id` | `cloud organizations update <organization-id>` | flags repetables documentes. | |
+| `cloud organizations delete <organization-id>` | identique | `--confirm` obligatoire en non-interactif. | |
+| `cloud organizations history` | identique | Sortie evenement structuree. | |
+| `cloud organizations applications list` | identique | | |
+| `cloud organizations applications show <application-id>` | identique | | |
+| `cloud organizations authentication-provider show` | `cloud organizations authentication-provider show` | | |
+| `cloud organizations authentication-provider configure <type> <name> <client-id> <client-secret>` | `cloud organizations authentication-provider configure --type --name --client-id --client-secret` | Eviter secret positionnel dans shell history; accepter ancien format alias. | Secret via prompt ou `--client-secret-stdin`. |
+| `cloud organizations authentication-provider delete` | identique | `--confirm`. | |
+| `cloud organizations invitations list` | identique | | |
+| `cloud organizations invitations send <email>` | identique | flags role/policy si presents dans API. | |
+| `cloud organizations invitations delete <id>` | identique | `--confirm`. | |
+| `cloud organizations oauth-clients create` | identique | preferer flags explicites ou `--file`. | |
+| `cloud organizations oauth-clients list` | identique | | |
+| `cloud organizations oauth-clients show <client_id>` | `cloud organizations oauth-clients show <client-id>` | alias underscore. | |
+| `cloud organizations oauth-clients update <clientId>` | `cloud organizations oauth-clients update <client-id>` | normaliser argument. | |
+| `cloud organizations oauth-clients delete <client_id>` | `cloud organizations oauth-clients delete <client-id>` | `--confirm`. | |
+| `cloud organizations policies create <name>` | identique | scopes via `--scope` repetable. | |
+| `cloud organizations policies list` | identique | | |
+| `cloud organizations policies show <policy-id>` | identique | | |
+| `cloud organizations policies update <policy-id>` | identique | | |
+| `cloud organizations policies delete <policy-id>` | identique | `--confirm`. | |
+| `cloud organizations policies add-scope <policy-id> <scope-id>` | identique | | |
+| `cloud organizations policies remove-scope <policy-id> <scope-id>` | identique | `--confirm` si necessaire. | |
+| `cloud organizations users list` | identique | | |
+| `cloud organizations users show <user-id>` | identique | | |
+| `cloud organizations users link <user-id>` | identique | | |
+| `cloud organizations users unlink <user-id>` | identique | `--confirm`. | |
+| `cloud regions create` | identique | payload flags ou `--file`. | |
+| `cloud regions list` | identique | | |
+| `cloud regions show` | identique | | |
+| `cloud regions delete` | identique | `--confirm`. | |
+| `cloud apps create` | identique | Clarifier si app appartient org/stack/contexte. | |
+| `cloud apps list` | identique | | |
+| `cloud apps show` | identique | | |
+| `cloud apps delete` | identique | `--confirm`. | |
+| `cloud apps deploy` | identique | Documenter source: cwd, image, manifest. | |
+| `cloud apps runs list` | identique | | |
+| `cloud apps runs show` | identique | | |
+| `cloud apps runs logs` | identique | `--follow`, `--since`, `--tail` si API. | |
+| `cloud apps versions list` | identique | | |
+| `cloud apps versions show` | identique | | |
+| `cloud apps versions show-manifest` | `cloud apps versions manifest` | alias `show-manifest`. | |
+| `cloud apps versions show-archive` | `cloud apps versions archive show` ou garder `show-archive` | Choisir selon API; documenter. | |
+| `cloud apps versions archive` | identique si existant | `--confirm`. | |
+| `cloud apps variables list` | identique | | |
+| `cloud apps variables create` | identique | Secret via stdin/prompt si sensible. | |
+| `cloud apps variables delete` | identique | `--confirm`. | |
+
+Implementation v4 initiale:
+
+- `cloud apps` est implemente sous le contexte `cloud`/`cloud-stack` et utilise un client deployserver separe du client membership;
+- `--organization` reste optionnel avec un contexte `cloud-stack` et obligatoire avec un contexte `cloud`;
+- `--deploy-url` permet de cibler un deployserver non-production sans changer l'URL membership du contexte Cloud;
+- les commandes destructives ajoutees dans cette tranche exigent `--confirm` quand le plan le demande;
+- `cloud apps variables create` accepte `--value-stdin` pour eviter d'exposer une variable sensible dans l'historique shell;
+- `cloud apps versions manifest` est le nom canonique, avec `show-manifest` alias deprecie cache.
+- `cloud apps versions archive show` est le nom canonique pour lire l'archive, avec `show-archive` alias deprecie cache.
+
+Points bloques / non applicables avec le SDK actuel:
+
+- `cloud personal-tokens create` n'est pas implemente pour l'instant: la v3 depend de claims Cloud, de `EnsureStackAccess`, puis d'un token exchange contre l'Auth de la stack. Le runtime v4 ne porte pas encore le modele d'acces Cloud stack/cache de token necessaire, et il ne faut pas recreer une dependance Cloud pour les commandes stack locales.
+- `cloud apps versions archive` comme action mutante n'est pas expose par le deployserver SDK actuel; seule la lecture de l'archive est disponible et exposee via `cloud apps versions archive show`.
+
+## Mapping Cloud stacks lifecycle
+
+Les commandes `stack` v3 sont Cloud-control-plane. En v4, elles doivent etre clairement distinguees des commandes qui parlent a une stack data-plane.
+Le chemin canonique v4 est `cloud stacks ...`, car ces operations appartiennent naturellement au controle plane Cloud.
+L'ancien chemin v4 intermediaire `cloud_stacks ...` et les anciens chemins v3 `stacks ...` et `stack ...` restent des aliases deprecies pendant la v4 quand ils sont peu couteux a maintenir, avec warning indiquant la commande `cloud stacks ...`.
+Ces aliases pourront etre supprimes en v5 ou dans une version mineure ulterieure si on decide de durcir la migration.
+
+Implementation v4:
+
+- `cloud stacks history <stack-id>` est implemente avec le meme service d'audit que `cloud organizations history`, en imposant le filtre `stackId` au niveau membership.
+- `target proxy --port <port>` est implemente pour les profils `stack` directs;
+  `stack proxy --port <port>` reste disponible comme alias deprecie vers
+  `target proxy` pour recuperer l'usage v3 historique;
+  le proxy Cloud stack reste separe tant que la resolution d'URI data-plane Cloud n'est pas dans le runtime v4.
+
+| v3 | v4 canonique | Changements | Notes |
+| --- | --- | --- | --- |
+| `stack create` | `cloud stacks create` | `cloud_stacks create`, `stack create` et `stacks create` aliases deprecies avec warning. | Ne doit pas exister pour contexte `stack` local. |
+| `stack list` | `cloud stacks list` | aliases deprecies avec warning. | |
+| `stack show` | `cloud stacks show <stack-id>` | aliases deprecies avec warning. | |
+| `stack update` | `cloud stacks update <stack-id>` | aliases deprecies avec warning. | |
+| `stack delete` | `cloud stacks delete <stack-id>` | `--confirm`; aliases deprecies avec warning. | |
+| `stack enable` | `cloud stacks enable <stack-id>` | aliases deprecies avec warning. | |
+| `stack disable` | `cloud stacks disable <stack-id>` | `--confirm`; aliases deprecies avec warning. | |
+| `stack restore` | `cloud stacks restore <stack-id>` | `--confirm`; aliases deprecies avec warning. | |
+| `stack upgrade` | `cloud stacks upgrade <stack-id>` | `--confirm`, afficher target version; aliases deprecies avec warning. | |
+| `stack history` | `cloud stacks history <stack-id>` | aliases deprecies avec warning. | |
+| `stack proxy` | `target proxy` | alias deprecie avec warning. | Proxy data-plane de la cible courante. |
+| `stack users list` | `cloud stacks users list <stack-id>` | aliases deprecies avec warning. | |
+| `stack users link <user-id>` | `cloud stacks users link <stack-id> <user-id>` | stack explicite ou contexte courant; aliases deprecies avec warning. | |
+| `stack users unlink <user-id>` | `cloud stacks users unlink <stack-id> <user-id>` | `--confirm`; aliases deprecies avec warning. | |
+| `stack modules list` | `cloud stacks modules list <stack-id>` | aliases deprecies avec warning. | |
+| `stack modules enable` | `cloud stacks modules enable <stack-id> <module>` | aliases deprecies avec warning. | |
+| `stack modules disable` | `cloud stacks modules disable <stack-id> <module>` | `--confirm`; aliases deprecies avec warning. | |
+
+## Mapping Ledger
+
+Le ledger est la premiere famille a beneficier de la resolution API automatique. Les commandes v4 doivent construire des inputs canoniques, puis laisser `internal/runtime` choisir `ledger.v1`, `ledger.v2`, `ledger.v3`, etc.
+
+Regles de flags ledger:
+
+- `--ledger` reste le selecteur produit, avec defaut depuis le contexte;
+- `--account` reste le terme CLI canonique pour une adresse de compte;
+- si une API appelle le champ `address`, l'adapter v4 fait la traduction;
+- `--src` et `--dst` deviennent aliases deprecies de `--source` et `--destination`;
+- les timestamps acceptent RFC3339 et doivent produire des erreurs explicites;
+- les commandes qui n'existent qu'en v3+ doivent etre visibles avec une note `requires ledger API v3+`.
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `ledger --ledger <name>` | `ledger --ledger <name>` | Defaut depuis `context.defaults.ledger`. | Pas de Cloud obligatoire. |
+| `ledger list` | identique | | Liste des ledgers si API exposee. |
+| `ledger create <name> --bucket --features --metadata` | identique | `--metadata` repetable, `--feature` repetable; `--confirm` si destructif non applicable. | Adapter selon API. |
+| `ledger import <ledger name> <file path> --input --resume` | `ledger import <ledger> --file <path>|-` | ancien positionnel garde; clarifier `--input` vs `--file`. | Tester reprise/resume. |
+| `ledger export --output <file>` | `ledger export --file <path>|-` | `--output` global ne doit pas entrer en conflit; utiliser `--file` pour fichier. | `--output json` reste rendu CLI. |
+| `ledger server-infos` | `ledger info` | alias `server-infos`. | |
+| `ledger stats` | identique | | |
+| `ledger send [source] <destination> <amount> <asset> --metadata --reference` | `ledger transactions send --source --destination --amount --asset` | garder `ledger send` alias; source positionnelle depreciee. | Evite ambiguite des positionnels. |
+| `ledger set-metadata <ledger-name> key=value...` | identique | ajouter `--metadata-file`. | |
+| `ledger delete-metadata <ledger-name> <key>` | identique | `--confirm` non necessaire si API idempotente, a verifier. | |
+| `ledger accounts list --address --metadata --page-size` | `ledger accounts list --account --metadata --page-size` | `--address` alias deprecie de `--account`; l'adapter traduit vers `address` si l'API l'attend. | `--account` reste le vocabulaire CLI canonique. |
+| `ledger accounts show <address>` | identique | | |
+| `ledger accounts set-metadata <address> key=value...` | identique | | |
+| `ledger accounts delete-metadata <address> <key>` | identique | | |
+| `ledger transactions list --account --dst --src --reference --metadata --page-size --start --end` | `ledger transactions list --account --destination --source --reference --metadata --page-size --start --end` | aliases `--dst`, `--src`; adapter `account/address` selon API. | Deja commence en v4, etendre avec tous filtres. |
+| aucun equivalent v3 direct | `ledger transactions count --account --destination --source --reference` | retourne le header API `Count`; aliases `--dst`, `--src`. | Commande read-only exposee par les API Ledger v1/v2. |
+| `ledger transactions show <transaction-id>` | identique | ID type string cote CLI, adapter int/uuid selon API. | |
+| `ledger transactions num -|<filename>` | `ledger transactions run-script --file <path>|-` ou `ledger transactions create --script-file <path>|-` | ne pas mapper vers `count`; garder `num` alias deprecie uniquement pour l'execution Numscript. | Nom canonique a choisir avant implementation. |
+| `ledger transactions revert <transaction-id> --at-effective-date --force` | identique | `--force` devient alias ou complement de `--confirm`; date RFC3339. | |
+| `ledger transactions set-metadata <transaction-id> key=value...` | identique | | |
+| `ledger transactions delete-metadata <transaction-id> <key>` | identique | | |
+| `ledger volumes list --pit --oot --use-insertion-date --group-by --address --metadata --cursor --page-size` | `ledger volumes list --start-time --end-time --use-insertion-date --group-by --account --metadata --cursor --page-size` | `--address` alias deprecie de `--account`, `--oot` alias de `--start-time`, `--pit` alias de `--end-time`; `--group-by` enum validee. | |
+
+Implementation v4:
+
+- le nom canonique retenu est `ledger transactions run-script --file <path>|-`;
+- `ledger transactions num <file>` est conserve comme alias deprecie avec warning;
+- la commande reutilise la resolution API Ledger et mappe vers `createTransaction` v1/v2 avec payload Numscript.
+- `ledger accounts query <query-id> --schema-version <version>` est implemente via `v2RunQuery`;
+- la commande reste product-oriented: elle force le resource template `accounts`, accepte `--var key=value`, et garde `--api-version` comme override technique uniquement.
+- `ledger set-metadata <ledger> [key=value]... --metadata-file <path>|-` accepte un objet JSON de metadata et laisse les `key=value` explicites surcharger le fichier.
+
+Commandes nouvelles possibles si l'API Ledger v3 les expose:
+
+| Nouvelle commande | Condition | Comportement si cible trop ancienne |
+| --- | --- | --- |
+| `ledger transactions explain <id>` | `ledger API v3+` | erreur `requires ledger API v3+`, avec version cible courante. |
+| `ledger schemas list/show/insert` | selon manifeste | commande visible, validation runtime. |
+| `ledger accounts query` | selon manifeste | proposer `--api-version` seulement comme override technique. |
+
+Etat d'implementation:
+
+- `ledger transactions explain <id>` est visible et preflight la resolution `ledger API v3+`.
+- La spec stack `v3.2.4` (`generate.json`) et `formance-sdk-go` courant n'exposent pas encore `explainTransaction`; sur une cible Ledger v3, la commande retourne donc une erreur explicite de gap spec/SDK au lieu d'inventer un endpoint.
+
+## Mapping Payments
+
+Regles:
+
+- utiliser kebab-case pour les resources composees;
+- conserver les anciens chemins avec underscores comme aliases deprecies;
+- les payloads JSON passent par `--file <path>|-` tout en acceptant l'ancien positionnel;
+- `get` devient `show`;
+- les connecteurs gardent leurs noms metier exacts.
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `payments versions` | `payments versions` ou `target inspect --product payments` | Garder pour compat si utile. | Le runtime centralise deja `/versions`. |
+| `payments accounts create <file>|-` | `payments accounts create --file <path>|-` | ancien positionnel alias. | Valider JSON par schema si possible. |
+| `payments accounts list` | identique | pagination et filtres normalises. | |
+| `payments accounts get <accountID>` | `payments accounts show <account-id>` | alias `get`; argument kebab dans docs. | |
+| `payments accounts balances <accountID>` | `payments accounts balances <account-id>` | | |
+| `payments bank_accounts create <file>|-` | `payments bank-accounts create --file <path>|-` | alias `bank_accounts`. | |
+| `payments bank_accounts list` | `payments bank-accounts list` | | |
+| `payments bank_accounts get <bankAccountID>` | `payments bank-accounts show <bank-account-id>` | alias `get`. | |
+| `payments bank_accounts forward <bankAccountID> <connectorID>` | `payments bank-accounts forward <bank-account-id> <connector-id>` | | |
+| `payments bank_accounts update-metadata <bankAccountID> key=value...` | `payments bank-accounts set-metadata <bank-account-id> key=value...` | `update-metadata` alias si API reste ainsi. | Harmoniser avec autres produits. |
+| `payments payments create <file>|-` | `payments payments create --file <path>|-` | ancien positionnel alias. | Nom double conserve mais documenter. |
+| `payments payments list` | identique | | |
+| `payments payments get <paymentID>` | `payments payments show <payment-id>` | alias `get`. | |
+| `payments payments set-metadata <paymentID> key=value...` | `payments payments set-metadata <payment-id> key=value...` | | |
+| `payments pools create <file>|-` | `payments pools create --file <path>|-` | | |
+| `payments pools list` | identique | | |
+| `payments pools get <poolID>` | `payments pools show <pool-id>` | alias `get`. | |
+| `payments pools delete <poolID>` | `payments pools delete <pool-id>` | `--confirm`. | |
+| `payments pools add-account <poolID> <accountID>` | `payments pools add-account <pool-id> <account-id>` | | v3 file name is `add_accounts.go` but command is singular. |
+| `payments pools remove-account <poolID> <accountID>` | `payments pools remove-account <pool-id> <account-id>` | `--confirm` if destructive. | |
+| `payments pools update-query <poolID> <file>|-` | `payments pools update-query <pool-id> --file <path>|-` | | |
+| `payments pools balances <poolID> <at>` | `payments pools balances <pool-id> --at <time>` | old positional `<at>` alias. | |
+| `payments pools latest-balances <poolID>` | identique | | |
+| `payments tasks show` | `payments tasks show <task-id>` | verifier v3 args exacts. | |
+| `payments transfer_initiation create <file>|-` | `payments transfer-initiation create --file <path>|-` | alias underscore. | |
+| `payments transfer_initiation list` | `payments transfer-initiation list` | | |
+| `payments transfer_initiation get <transferID>` | `payments transfer-initiation show <transfer-id>` | alias `get`. | |
+| `payments transfer_initiation approve <transferInitiationID>` | `payments transfer-initiation approve <transfer-initiation-id>` | | |
+| `payments transfer_initiation reject <transferInitiationID>` | `payments transfer-initiation reject <transfer-initiation-id>` | | |
+| `payments transfer_initiation retry <transferID>` | `payments transfer-initiation retry <transfer-id>` | | |
+| `payments transfer_initiation reverse <transferID> <file>|-` | `payments transfer-initiation reverse <transfer-id> --file <path>|-` | | |
+| `payments transfer_initiation delete <transferID>` | `payments transfer-initiation delete <transfer-id>` | `--confirm`. | |
+| `payments transfer_initiation update_status <transferID> <status>` | `payments transfer-initiation update-status <transfer-id> <status>` | alias underscore. | validate status enum. |
+
+### Connecteurs Payments
+
+Connecteurs v3 inventories:
+
+- `adyen`
+- `atlar`
+- `bankingcircle`
+- `coinbaseprime`
+- `column`
+- `currencycloud`
+- `fireblocks`
+- `generic`
+- `increase`
+- `mangopay`
+- `modulr`
+- `moneycorp`
+- `plaid`
+- `powens`
+- `qonto`
+- `stripe`
+- `tink`
+- `wise`
+
+| v3 | v4 canonique | Changements |
+| --- | --- | --- |
+| `payments connectors list` | identique | sortie stable, inclure type, id, status. |
+| `payments connectors uninstall` | `payments connectors uninstall <connector-id>` | `--confirm`. |
+| `payments connectors install <connector> <file>|-` | `payments connectors install <connector> --file <path>|-` | garder ancien positionnel. |
+| `payments connectors update-config <connector> <file>|- --connector-id <id>` | `payments connectors config update <connector-id> --file <path>|-` | l'identifiant cible est toujours le connector ID; le type connector v3 devient un detail d'adapter ou une option de compatibilite. |
+| `payments connectors update-config get-config --connector-id <id>` | `payments connectors config show <connector-id>` | la lecture de config cible un connector ID en v4. |
+
+Decisions d'implementation:
+
+- `install` prend un type de connecteur (`stripe`, `qonto`, etc.) et retourne un connector ID;
+- `config update` prend toujours un connector ID;
+- les anciens sous-chemins par type, comme `update-config stripe`, peuvent rester aliases deprecies quand ils aident l'autocompletion, mais ils doivent exiger `--connector-id` et afficher un warning;
+- ne pas ajouter d'alias court qui masque le connector ID cible;
+- ne pas accepter de forme qui laisse croire que le type connecteur est l'identifiant cible; l'objet modifie est toujours le connector ID;
+- eviter de multiplier les sous-commandes generees si une commande generique avec schema OpenAPI suffit;
+- garder les commandes par connecteur comme aliases pour l'autocompletion et la documentation.
+
+## Mapping Wallets
+
+Regles:
+
+- conserver `wallets`;
+- `--ik` devient `--idempotency-key`;
+- `credit` et `debit` prennent toujours un wallet cible explicite en v4;
+- commandes mutantes gardent `--confirm` si elles ont deja une confirmation v3;
+- identifiants documentes en kebab-case dans l'aide, sans changer la valeur attendue.
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `wallets create <name> --metadata --ik` | `wallets create <name> --metadata --idempotency-key` | alias `--ik`. | |
+| `wallets list` | identique | pagination/filtres si disponibles. | |
+| `wallets show` | `wallets show <wallet-id>` | verifier si v3 lit un flag implicite; rendre explicite. | |
+| `wallets update <wallet-id>` | identique | metadata/name via flags ou `--file`. | |
+| `wallets credit <amount> <asset>` | `wallets credit <wallet-id> --amount <amount> --asset <asset>` | wallet cible explicite obligatoire; ancienne forme seulement alias deprecie si elle peut etre resolue sans ambiguite. | |
+| `wallets debit <amount> <asset>` | `wallets debit <wallet-id> --amount <amount> --asset <asset>` | wallet cible explicite obligatoire; ancienne forme seulement alias deprecie si elle peut etre resolue sans ambiguite. | |
+| `wallets balances create <balance-name>` | identique | | |
+| `wallets balances list` | identique | | |
+| `wallets balances show <balance-name>` | identique | | |
+| `wallets holds list` | identique | | |
+| `wallets holds show <hold-id>` | identique | | |
+| `wallets holds void <hold-id>` | identique | `--confirm`. | |
+| `wallets holds confirm <hold-id>` | identique | `--confirm` si irreversible. | |
+| `wallets transactions list` | identique | pagination/filtres. | |
+
+## Mapping Flows
+
+L'ancien produit `orchestration` doit etre expose sous le nom canonique `flows` en v4.
+Le chemin `orchestration ...` peut rester comme alias deprecie pendant la phase de migration si cela ne complique pas le routeur Cobra.
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `orchestration workflows create <file>|-` | `flows workflows create --file <path>|-` | ancien positionnel alias; ancien prefixe `orchestration` alias deprecie. | |
+| `orchestration workflows list` | `flows workflows list` | prefixe v3 alias deprecie. | |
+| `orchestration workflows show <id>` | `flows workflows show <id>` | prefixe v3 alias deprecie. | |
+| `orchestration workflows run <id>` | `flows workflows run <id>` | payload vars via `--input`/`--file` si API; prefixe v3 alias deprecie. | |
+| `orchestration workflows delete <workflow-id>` | `flows workflows delete <workflow-id>` | `--confirm`; prefixe v3 alias deprecie. | |
+| `orchestration instances list` | `flows instances list` | prefixe v3 alias deprecie. | |
+| `orchestration instances show <instance-id>` | `flows instances show <instance-id>` | prefixe v3 alias deprecie. | |
+| `orchestration instances describe <instance-id>` | `flows instances inspect <instance-id>` | alias `describe`; prefixe v3 alias deprecie. | Choisir selon distinction show/inspect. |
+| `orchestration instances send-event <instance-id> <event>` | `flows instances send-event <instance-id> <event>` | event JSON via `--event` ou `--file` si necessaire; prefixe v3 alias deprecie. | |
+| `orchestration instances stop <instance-id>` | `flows instances stop <instance-id>` | `--confirm`; prefixe v3 alias deprecie. | |
+| `orchestration triggers create <event> <workflow-id>` | `flows triggers create <event> <workflow-id>` | flags pour conditions si API; prefixe v3 alias deprecie. | |
+| `orchestration triggers list` | `flows triggers list` | prefixe v3 alias deprecie. | |
+| `orchestration triggers show <trigger-id>` | `flows triggers show <trigger-id>` | prefixe v3 alias deprecie. | |
+| `orchestration triggers delete <trigger-id>` | `flows triggers delete <trigger-id>` | `--confirm`; prefixe v3 alias deprecie. | |
+| `orchestration triggers test <trigger-id> <event>` | `flows triggers test <trigger-id> <event>` | event JSON/file si possible; prefixe v3 alias deprecie. | |
+| `orchestration triggers occurrences list` | `flows triggers occurrences list` | prefixe v3 alias deprecie. | |
+
+## Mapping Reconciliation
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `reconciliation list` | identique | pagination/filtres normalises. | |
+| `reconciliation get <reconciliationID>` | `reconciliation show <reconciliation-id>` | alias `get`. | |
+| `reconciliation policies create <file>|-` | `reconciliation policies create --file <path>|-` | ancien positionnel alias. | |
+| `reconciliation policies list` | identique | | |
+| `reconciliation policies get <policyID>` | `reconciliation policies show <policy-id>` | alias `get`. | |
+| `reconciliation policies delete <policyID>` | `reconciliation policies delete <policy-id>` | `--confirm`. | |
+| `reconciliation policies reconcile <policyID> <atLedger> <atPayments>` | `reconciliation policies reconcile <policy-id> --ledger-at <time> --payments-at <time>` | anciens positionnels alias. | |
+
+## Mapping Auth service
+
+La v3 utilise `auth` pour le service Auth de la stack. La v4 garde `auth` comme nom canonique du service, car `identity` pourra devenir un produit Formance distinct plus tard.
+Les commandes d'authentification CLI vivent au niveau racine (`login`, `logout`,
+`whoami`) et les commandes du service restent `auth clients ...` et
+`auth users ...`.
+
+Decision:
+
+- `login/logout/whoami` = session CLI publique;
+- `session login/status/logout/token` = implementation cachee transitoire;
+- `auth clients ...` et `auth users ...` = service Auth de la stack;
+- pas d'alias `auth login/status/logout/token`, pour eviter de melanger session CLI et service Auth;
+- ne pas introduire `identity` comme alias ou nom canonique dans cette migration.
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `auth clients create <name>` | identique | flags scopes/redirects explicites. | |
+| `auth clients list` | identique | | |
+| `auth clients show <client-id>` | identique | | |
+| `auth clients update <client-id>` | identique | | |
+| `auth clients delete <client-id>` | identique | `--confirm`. | |
+| `auth clients secrets create <client-id> <secret-name>` | identique | afficher secret seulement en sortie structuree controlee. | |
+| `auth clients secrets delete <client-id> <secret-id>` | identique | `--confirm`. | |
+| `auth users list` | identique | | |
+| `auth users show <user-id>` | identique | | |
+
+## Mapping Webhooks
+
+| v3 | v4 canonique | Changements d'arguments | Notes |
+| --- | --- | --- | --- |
+| `webhooks create <endpoint> [event-type...] --secret` | identique | permettre `--secret-stdin`; secret masque. | |
+| `webhooks list` | identique | | |
+| `webhooks activate <config-id>` | identique | | |
+| `webhooks deactivate <config-id>` | identique | `--confirm` si necessaire. | |
+| `webhooks delete <config-id>` | identique | `--confirm`. | |
+| `webhooks change-secret <config-id> <secret>` | `webhooks secret rotate <config-id>` ou `webhooks change-secret` | Preferer `--secret-stdin`; garder ancien nom. | |
+
+## Commandes a retirer ou a requalifier
+
+| v3 | Decision proposee | Raison |
+| --- | --- | --- |
+| `prompt` | remplacer par `setup`/`login`, garder alias cache | Le nom ne decrit pas l'intention utilisateur. |
+| `cloud_stacks ...`, `stack ...` et `stacks ...` a la racine | deprecie vers `cloud stacks ...` avec warning | `stack` doit pouvoir signifier target data-plane; les operations lifecycle sont Cloud. |
+| `search ...` et alias `se` | supprimer | Le produit n'existe plus en v4. |
+| `payments ... get` | deprecie vers `show` | Coherence globale. |
+| commandes avec underscores | aliases deprecies avec warning | Coherence shell. |
+
+Les aliases conserves sont une aide de migration v4, pas une promesse de compatibilite long terme. Leur suppression pourra etre planifiee dans une version ulterieure (`v4.1`, `v4.2` ou `v5`) selon le cout de maintenance et l'usage observe.
+
+## Documentation a produire depuis ce plan
+
+1. `docs/cli-v4/migration-v3-v4.md`
+   - guide utilisateur;
+   - sections "ce qui change", "commandes renommees", "flags renommes";
+   - exemples avant/apres.
+
+2. `docs/cli-v4/command-reference.md`
+   - reference v4 canonique;
+   - generee en partie depuis Cobra pour eviter la derive.
+
+3. `docs/cli-v4/compatibility-aliases.md`
+   - liste des aliases v3;
+   - statut: visible, deprecie, cache, supprime;
+   - date/version cible de suppression si applicable.
+
+4. `docs/cli-v4/testing-strategy.md`
+   - strategie de tests decrite ci-dessous;
+   - comment lancer les mocks localement;
+   - comment ajouter une commande avec fixtures.
+
+## Strategie de tests
+
+### Tests unitaires critiques
+
+| Zone | Ce qu'il faut tester |
+| --- | --- |
+| `internal/config` | parsing config, defaults, validation kind/auth, ecriture atomique, migration v3 idempotente. |
+| `internal/credentials` | keyring fake, fallback insecure explicite, aucun secret en clair par defaut. |
+| `internal/auth` | token statique, client credentials, OIDC/cloud device flow mocke, expiration/refresh. |
+| `internal/capabilities` | parsing `/versions`, ranges semver, choix du namespace le plus recent, override `--api-version`, erreurs si aucune version compatible. |
+| `internal/runtime` | resolution context -> target -> auth -> versions -> SDK client; erreurs sans contexte; local no-auth. |
+| `internal/render` | plain/json/yaml, stderr vs stdout, no-color, quiet, erreurs structurees. |
+| `internal/prompt` | jamais appele en `--non-interactive`, fallback propre si pas de TTY. |
+| `internal/commands/ledger` | inputs canoniques, adapters v1/v2/v3, aliases `--src/--dst`, validation de dates. |
+| `internal/commands/payments` | payload `--file|-`, normalisation kebab/underscore, connecteurs. |
+| `internal/commands/wallets` | `--idempotency-key`/`--ik`, wallet subject resolution. |
+| `internal/commands/cloud` | contexte requis `cloud`/`cloud-stack`, erreurs propres sur contexte `stack`. |
+
+### Tests d'integration CLI
+
+Approche:
+
+- construire le binaire v4 une fois par package de tests;
+- executer de vraies commandes avec config temporaire;
+- utiliser des serveurs HTTP `httptest` pour stack, membership et auth;
+- capturer stdout, stderr, exit code;
+- comparer les sorties structurees avec golden files;
+- interdire les prompts avec `--non-interactive`;
+- verifier que les erreurs sont scriptables.
+
+Scenarios minimaux:
+
+| Scenario | Commandes |
+| --- | --- |
+| contexte local no-auth | `login --target open-source`, `target inspect`, `ledger transactions list`. |
+| contexte open-source no-auth | `login --target open-source --stack-url <url>`, `target inspect`, commande produit. |
+| contexte client credentials | `login --target ee --client-id --client-secret`, refresh token, commande produit. |
+| contexte Cloud stack | `login --target cloud --organization --stack`, `cloud organizations list`, `ledger transactions list`. |
+| migration v3 | `config migrate-v3`, puis `profile list/show/use`. |
+| aliases v3 | `profiles list`, `payments transfer_initiation list`, `payments bank_accounts list`, `ledger transactions list --src --dst`. |
+| non-interactif | commandes mutantes sans `--confirm` doivent echouer proprement. |
+| sortie stable | chaque famille avec `--output json` et `--output yaml`. |
+
+### Mock OpenAPI stack et membership
+
+Specs disponibles:
+
+- stack: `https://github.com/formancehq/stack/releases/download/v3.2.4/generate.json`;
+- SDK public: `https://github.com/formancehq/formance-sdk-go`;
+- membership/deployserver: verifier les specs locales sous `openapi/` si presentes dans le repo.
+
+Plan de mock:
+
+1. Ajouter `v4/internal/testserver/openapi`.
+2. Charger les specs OpenAPI via `github.com/getkin/kin-openapi/openapi3`.
+3. Router les requetes avec `routers/gorillamux` ou equivalent.
+4. Valider method/path/query/body quand le schema est disponible.
+5. Retourner des fixtures JSON stockees sous `v4/testdata/responses/<product>/<operation>.json`.
+6. Exposer `/versions` avec une fixture parametrable par test.
+7. Fournir un mock membership minimal pour:
+   - device flow/cloud login;
+   - organisations;
+   - stacks;
+   - tokens personnels;
+   - erreurs 401/403/404.
+8. Fournir un mock auth/OIDC minimal pour:
+   - discovery `.well-known/openid-configuration`;
+   - token endpoint;
+   - refresh;
+   - JWKS si necessaire.
+
+Le mock ne doit pas devenir une implementation complete de la stack. Il doit valider que le CLI:
+
+- appelle le bon endpoint pour la version API resolue;
+- envoie les bons parametres apres adaptation v3/v4;
+- gere correctement les erreurs API;
+- produit une sortie stable.
+
+### Tests contractuels OpenAPI
+
+Pour chaque commande v4 implementee:
+
+- declarer le produit, la feature et les operation IDs supportes;
+- verifier que les operation IDs existent dans le manifeste genere;
+- verifier que chaque handler versionne a une operation correspondante;
+- verifier que les commandes marquees `requires API vN+` echouent proprement sur des fixtures `/versions` plus anciennes.
+
+Exemples:
+
+| Commande | Contrat |
+| --- | --- |
+| `ledger transactions list` | operation list transactions existe pour chaque namespace handler. |
+| `payments transfer-initiation create` | payload fixture valide contre le schema. |
+| `cloud organizations list` | commande refuse contexte non Cloud avant tout appel reseau. |
+| `auth clients create` | operation auth service presente dans stack spec. |
+
+### E2E de bout en bout
+
+Les E2E doivent rester peu nombreux mais couvrir les chemins de valeur:
+
+1. Installer/initialiser un contexte local.
+2. Inspecter la cible.
+3. Creer/importer un ledger ou fixture equivalente.
+4. Lister les transactions avec API latest compatible.
+5. Forcer une API plus ancienne avec `--api-version`.
+6. Migrer une config v3 vers v4.
+7. Executer une commande Cloud contre membership mock.
+8. Verifier que les anciens aliases produisent soit la meme sortie, soit un warning de deprecation sur stderr.
+
+Les E2E contre une vraie stack peuvent etre ajoutes separement derriere un tag Go:
+
+```bash
+go test ./... -tags=e2e_real_stack
+```
+
+Ils ne doivent pas etre requis pour les PR ordinaires.
+
+## Strategie d'implementation
+
+### Phase 0: inventaire automatique
+
+- Ajouter un outil interne qui parcourt l'arbre Cobra v3 et ecrit `v4/testdata/v3-command-inventory.json`.
+- Capturer pour chaque commande:
+  - chemin complet;
+  - aliases;
+  - flags;
+  - args;
+  - hidden/deprecated;
+  - short/long help.
+- Utiliser ce fichier pour verifier que ce plan ne perd aucune commande.
+
+### Phase 1: fondations transverses
+
+- Finaliser contextes/auth/credentials/runtime/render.
+- Stabiliser `--profile`, `--organization`, `--stack`, `--output`, `--non-interactive`, `--api-version`.
+- Ajouter le mock OpenAPI minimal et le harness CLI.
+- Ajouter les tests de migration config.
+
+### Phase 2: Ledger complet
+
+- Migrer toutes les commandes ledger.
+- Ajouter adapters v1/v2/v3.
+- Tester les changements de parametres `account/address`, `src/source`, `dst/destination`.
+- Ajouter les commandes v3+ uniquement si elles existent dans le manifeste.
+
+### Phase 3: produits stack restants
+
+Ordre recommande:
+
+1. `payments`, car beaucoup de payloads et connecteurs;
+2. `wallets`, car sujet/wallet implicite a clarifier;
+3. `flows` pour l'ancien `orchestration`;
+4. `reconciliation`;
+5. `webhooks`;
+6. `auth` service pour `auth clients/users`.
+
+Chaque famille doit etre livree avec:
+
+- commandes canoniques;
+- aliases v3 documentes;
+- tests adapters;
+- tests CLI avec mock;
+- golden outputs.
+
+### Phase 4: Cloud control plane
+
+- Migrer `cloud ...`;
+- migrer `cloud_stacks ...`, `stack ...` et `stacks ...` vers `cloud stacks ...` avec warnings de deprecation;
+- garder aliases v3 quand non ambigus;
+- couvrir membership mock.
+
+### Phase 5: documentation et compatibilite
+
+- Generer la reference v4;
+- rediger le guide v3 -> v4;
+- ajouter warnings de deprecation;
+- verifier tous les aliases de ce plan;
+- produire une matrice "commande v3 / commande v4 / statut".
+
+### Phase 6: cutover
+
+- Quand v4 est fonctionnellement complet:
+  - executer les tests v4;
+  - executer les tests v3 encore presents pour verifier absence de regression avant suppression;
+  - deplacer v4 a la racine selon l'ADR de cutover;
+  - supprimer l'implementation v3 dans un commit dedie;
+  - mettre a jour packaging, CI, goreleaser, completions.
+
+## Checklist de review par commande
+
+Pour chaque commande migree:
+
+- [ ] le chemin v4 canonique suit ce plan;
+- [ ] les aliases v3 utiles existent ou la suppression est documentee;
+- [ ] les flags v3 renommes ont un alias deprecie si possible;
+- [ ] l'input Cobra est converti en modele canonique;
+- [ ] les adapters API versionnes sont testes;
+- [ ] la selection d'API vient du runtime, pas de la commande;
+- [ ] le contexte requis est valide avant appel reseau;
+- [ ] les prompts sont desactives en `--non-interactive`;
+- [ ] stdout contient la donnee, stderr contient logs/warnings;
+- [ ] JSON/YAML sont stables;
+- [ ] une erreur API est rendue proprement;
+- [ ] les fixtures mock couvrent au moins succes + une erreur;
+- [ ] la documentation avant/apres est mise a jour.
+
+## Decisions actees
+
+1. Le service Auth garde le nom canonique `auth`; ne pas utiliser `identity` dans cette migration.
+2. Les operations Cloud de lifecycle de stack utilisent `cloud stacks ...`; l'ancien chemin `cloud_stacks ...` et les anciens chemins `stacks ...` et `stack ...` sont des aliases deprecies avec warning.
+3. `wallets credit` et `wallets debit` prennent un wallet cible explicite en v4.
+4. `payments connectors config update` cible toujours un connector ID.
+5. Ne pas ajouter d'alias court comme `fctl transaction list`; toujours garder le nom du service, par exemple `fctl ledger transactions list`.
+6. Les aliases v3 peu couteux peuvent rester pendant la v4, mais chaque utilisation doit afficher un warning avec la commande canonique. Leur suppression pourra arriver dans une version ulterieure, potentiellement `v4.1`, `v4.2` ou `v5` selon le cout de maintenance et l'usage observe.
+7. Les noms internes, variables d'environnement et identifiants generes doivent toujours inclure le service: `FCTL_LedgerTransactionList`, jamais `FCTL_TransactionList`.
diff --git a/tools/v3-command-inventory/main.go b/tools/v3-command-inventory/main.go
new file mode 100644
index 00000000..bb0fbae0
--- /dev/null
+++ b/tools/v3-command-inventory/main.go
@@ -0,0 +1,192 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	v3cmd "github.com/formancehq/fctl/v3/cmd"
+)
+
+const schemaVersion = 1
+
+type inventory struct {
+	SchemaVersion int             `json:"schemaVersion"`
+	SourceModule  string          `json:"sourceModule"`
+	RootUse       string          `json:"rootUse"`
+	CommandCount  int             `json:"commandCount"`
+	Commands      []commandRecord `json:"commands"`
+}
+
+type commandRecord struct {
+	Path           string       `json:"path"`
+	PathParts      []string     `json:"pathParts"`
+	Use            string       `json:"use"`
+	Aliases        []string     `json:"aliases,omitempty"`
+	Short          string       `json:"short,omitempty"`
+	Long           string       `json:"long,omitempty"`
+	Hidden         bool         `json:"hidden,omitempty"`
+	Deprecated     string       `json:"deprecated,omitempty"`
+	Runnable       bool         `json:"runnable"`
+	HasSubcommands bool         `json:"hasSubcommands"`
+	Flags          []flagRecord `json:"flags,omitempty"`
+}
+
+type flagRecord struct {
+	Name        string `json:"name"`
+	Scope       string `json:"scope"`
+	Shorthand   string `json:"shorthand,omitempty"`
+	Usage       string `json:"usage,omitempty"`
+	Default     string `json:"default,omitempty"`
+	Type        string `json:"type,omitempty"`
+	NoOptDefVal string `json:"noOptDefVal,omitempty"`
+	Hidden      bool   `json:"hidden,omitempty"`
+	Deprecated  string `json:"deprecated,omitempty"`
+}
+
+func main() {
+	var output string
+	flag.StringVar(&output, "output", "", "Path to write inventory JSON, or stdout when empty")
+	flag.Parse()
+
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		exitf("resolve home directory: %v", err)
+	}
+
+	root := v3cmd.NewRootCommand()
+	root.DisableAutoGenTag = true
+
+	records := collectCommands(root, homeDir)
+	sort.Slice(records, func(i, j int) bool {
+		return records[i].Path < records[j].Path
+	})
+
+	doc := inventory{
+		SchemaVersion: schemaVersion,
+		SourceModule:  "github.com/formancehq/fctl/v3",
+		RootUse:       root.Use,
+		CommandCount:  len(records),
+		Commands:      records,
+	}
+
+	payload, err := json.MarshalIndent(doc, "", "  ")
+	if err != nil {
+		exitf("marshal inventory: %v", err)
+	}
+	payload = append(payload, '\n')
+
+	if output == "" || output == "-" {
+		if _, err := os.Stdout.Write(payload); err != nil {
+			exitf("write stdout: %v", err)
+		}
+		return
+	}
+
+	if err := os.MkdirAll(filepath.Dir(output), 0o750); err != nil {
+		exitf("create output directory: %v", err)
+	}
+	if err := os.WriteFile(output, payload, 0o600); err != nil {
+		exitf("write %s: %v", output, err)
+	}
+}
+
+func collectCommands(root *cobra.Command, homeDir string) []commandRecord {
+	var records []commandRecord
+	var walk func(*cobra.Command)
+	walk = func(cmd *cobra.Command) {
+		records = append(records, commandRecord{
+			Path:           cmd.CommandPath(),
+			PathParts:      strings.Fields(cmd.CommandPath()),
+			Use:            cmd.Use,
+			Aliases:        sortedStrings(cmd.Aliases),
+			Short:          cmd.Short,
+			Long:           cmd.Long,
+			Hidden:         cmd.Hidden,
+			Deprecated:     cmd.Deprecated,
+			Runnable:       cmd.Runnable(),
+			HasSubcommands: cmd.HasSubCommands(),
+			Flags:          collectFlags(cmd, homeDir),
+		})
+
+		children := cmd.Commands()
+		sort.Slice(children, func(i, j int) bool {
+			return children[i].Name() < children[j].Name()
+		})
+		for _, child := range children {
+			walk(child)
+		}
+	}
+	walk(root)
+	return records
+}
+
+func collectFlags(cmd *cobra.Command, homeDir string) []flagRecord {
+	var records []flagRecord
+	records = append(records, flagsFromSet("local", cmd.LocalFlags(), homeDir)...)
+	records = append(records, flagsFromSet("persistent", cmd.PersistentFlags(), homeDir)...)
+	records = append(records, flagsFromSet("inherited", cmd.InheritedFlags(), homeDir)...)
+	sort.Slice(records, func(i, j int) bool {
+		if records[i].Name == records[j].Name {
+			return records[i].Scope < records[j].Scope
+		}
+		return records[i].Name < records[j].Name
+	})
+	return records
+}
+
+func flagsFromSet(scope string, set *pflag.FlagSet, homeDir string) []flagRecord {
+	if set == nil {
+		return nil
+	}
+
+	var records []flagRecord
+	set.VisitAll(func(f *pflag.Flag) {
+		record := flagRecord{
+			Name:        f.Name,
+			Scope:       scope,
+			Shorthand:   f.Shorthand,
+			Usage:       f.Usage,
+			Default:     normalizeDefault(f.DefValue, homeDir),
+			NoOptDefVal: f.NoOptDefVal,
+			Hidden:      f.Hidden,
+			Deprecated:  f.Deprecated,
+		}
+		if f.Value != nil {
+			record.Type = f.Value.Type()
+		}
+		records = append(records, record)
+	})
+	return records
+}
+
+func normalizeDefault(value string, homeDir string) string {
+	if homeDir == "" {
+		return value
+	}
+	if value == homeDir {
+		return "$HOME"
+	}
+	return strings.ReplaceAll(value, homeDir+string(os.PathSeparator), "$HOME/")
+}
+
+func sortedStrings(values []string) []string {
+	if len(values) == 0 {
+		return nil
+	}
+	out := append([]string(nil), values...)
+	sort.Strings(out)
+	return out
+}
+
+func exitf(format string, args ...any) {
+	fmt.Fprintf(os.Stderr, format+"\n", args...)
+	os.Exit(1)
+}
diff --git a/tools/v3-command-inventory/main_test.go b/tools/v3-command-inventory/main_test.go
new file mode 100644
index 00000000..cbb27d6f
--- /dev/null
+++ b/tools/v3-command-inventory/main_test.go
@@ -0,0 +1,54 @@
+package main
+
+import (
+	"os"
+	"strings"
+	"testing"
+
+	v3cmd "github.com/formancehq/fctl/v3/cmd"
+)
+
+func TestCollectCommandsIncludesImportantV3Paths(t *testing.T) {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		t.Fatalf("resolve home directory: %v", err)
+	}
+
+	records := collectCommands(v3cmd.NewRootCommand(), homeDir)
+	byPath := map[string]commandRecord{}
+	for _, record := range records {
+		byPath[record.Path] = record
+	}
+
+	for _, path := range []string{
+		"fctl ledger transactions list",
+		"fctl payments connectors update-config stripe",
+		"fctl orchestration workflows create",
+		"fctl search",
+		"fctl stack create",
+	} {
+		if _, ok := byPath[path]; !ok {
+			t.Fatalf("expected inventory to include %q", path)
+		}
+	}
+
+	if !byPath["fctl orchestration"].Hidden {
+		t.Fatalf("expected fctl orchestration to be marked hidden")
+	}
+}
+
+func TestCollectCommandsNormalizesHomeDirectoryDefaults(t *testing.T) {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		t.Fatalf("resolve home directory: %v", err)
+	}
+
+	records := collectCommands(v3cmd.NewRootCommand(), homeDir)
+	for _, command := range records {
+		for _, flag := range command.Flags {
+			if homeDir != "" && strings.Contains(flag.Default, homeDir) {
+				t.Fatalf("flag %s on %s leaks home directory in default %q", flag.Name, command.Path, flag.Default)
+			}
+		}
+	}
+}
diff --git a/v4/README.md b/v4/README.md
new file mode 100644
index 00000000..c49d467f
--- /dev/null
+++ b/v4/README.md
@@ -0,0 +1,50 @@
+# fctl v4
+
+This directory contains the isolated fctl v4 rewrite. The existing repository
+root remains the current v3 implementation during the transition.
+
+## Run
+
+From this directory:
+
+```bash
+go run . --help
+go run . version
+```
+
+## Test
+
+From this directory:
+
+```bash
+go test ./...
+```
+
+## Documentation
+
+The v4 user and architecture documentation lives in the repository-level
+`docs/` directory:
+
+- `docs/rfcs/0001-fctl-v4-architecture.md`: target architecture and core
+  separation of context, target, auth, capabilities, API version selection, and
+  rendering.
+- `docs/adr/`: accepted design decisions for contexts, auth, API version
+  resolution, Cobra boundaries, and the isolated v4 directory.
+- `docs/cli-v4/command-reference.md`: current visible command families.
+- `docs/cli-v4/runtime-behavior.md`: operational behavior for login, scopes,
+  stack availability waits, styling, debug output, and hidden product surface.
+- `docs/cli-v4/versioning-and-ownership.md`: product-surface policy,
+  monolith-versus-plugin tradeoffs, capabilities gaps, support window, and
+  ownership expectations.
+- `docs/cli-v4/migration-v3-v4.md`: user-facing v3 to v4 command migration.
+- `docs/cli-v4/config-format.md`: v4 config shape and credential handling.
+- `docs/cli-v4/testing-strategy.md`: expected test coverage and local gates.
+- `docs/cli-v4/cutover-plan.md`: future move from `v4/` to the repository
+  root.
+
+## Boundaries
+
+- Keep new implementation code under `v4/` until the explicit cutover.
+- Do not import root v3 packages from v4 code.
+- Keep Cobra command files thin; place runtime and product behavior under
+  `v4/internal`.
diff --git a/v4/cli_integration_test.go b/v4/cli_integration_test.go
new file mode 100644
index 00000000..a3475d09
--- /dev/null
+++ b/v4/cli_integration_test.go
@@ -0,0 +1,161 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os/exec"
+	"strings"
+	"testing"
+)
+
+func TestCLIIntegrationCoreWorkflow(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+
+	result := runCLI(t,
+		"--config-dir", configDir,
+		"--non-interactive",
+		"profile", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	result.requireSuccess(t)
+	if !strings.Contains(result.stdout, "Context local created.") {
+		t.Fatalf("unexpected create output: %q", result.stdout)
+	}
+
+	result = runCLI(t, "--config-dir", configDir, "-o", "yaml", "profile", "list")
+	result.requireSuccess(t)
+	for _, expected := range []string{"currentContext: local", "- local"} {
+		if !strings.Contains(result.stdout, expected) {
+			t.Fatalf("expected YAML output to contain %q, got:\n%s", expected, result.stdout)
+		}
+	}
+
+	result = runCLI(t, "--config-dir", configDir, "-o", "json", "target", "inspect")
+	result.requireSuccess(t)
+	for _, expected := range []string{`"targetKind": "stack"`, `"name": "ledger"`, `"v2"`} {
+		if !strings.Contains(result.stdout, expected) {
+			t.Fatalf("expected inspect JSON to contain %q, got:\n%s", expected, result.stdout)
+		}
+	}
+
+	result = runCLI(t, "--config-dir", configDir, "-o", "json", "ledger", "transactions", "list")
+	result.requireSuccess(t)
+	for _, expected := range []string{`"apiVersion": "v2"`, `"transactions": []`} {
+		if !strings.Contains(result.stdout, expected) {
+			t.Fatalf("expected ledger JSON to contain %q, got:\n%s", expected, result.stdout)
+		}
+	}
+
+	result = runCLI(t, "--config-dir", configDir, "ledger", "transactions", "list", "--api-version", "v3")
+	if result.exitCode == 0 {
+		t.Fatalf("expected pinned unsupported API version to fail")
+	}
+	if !strings.Contains(result.stderr, "does not support pinned api version v3") {
+		t.Fatalf("expected unsupported api error, got stderr:\n%s", result.stderr)
+	}
+}
+
+func TestCLIIntegrationMissingConfigError(t *testing.T) {
+	result := runCLI(t, "--config-dir", t.TempDir(), "target", "inspect")
+	if result.exitCode == 0 {
+		t.Fatalf("expected missing config to fail")
+	}
+	if !strings.Contains(result.stderr, "v4 config not found") ||
+		!strings.Contains(result.stderr, "fctl login") ||
+		!strings.Contains(result.stderr, "fctl profile create stack") {
+		t.Fatalf("unexpected stderr:\n%s", result.stderr)
+	}
+}
+
+func TestCLIIntegrationInvalidConfigError(t *testing.T) {
+	result := runCLI(t,
+		"--config-dir", t.TempDir(),
+		"profile", "create", "stack", "local",
+	)
+	if result.exitCode == 0 {
+		t.Fatalf("expected invalid context creation to fail")
+	}
+	if !strings.Contains(result.stderr, "stackURL is required") {
+		t.Fatalf("unexpected stderr:\n%s", result.stderr)
+	}
+}
+
+func TestCLIIntegrationMissingAuthError(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatalf("request should not reach server without credentials")
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	result := runCLI(t,
+		"--config-dir", configDir,
+		"profile", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--auth-method", "client_credentials",
+		"--issuer-url", server.URL,
+		"--client-id", "client",
+		"--secret-ref", "missing-secret",
+	)
+	result.requireSuccess(t)
+
+	result = runCLI(t, "--config-dir", configDir, "target", "inspect")
+	if result.exitCode == 0 {
+		t.Fatalf("expected missing auth to fail")
+	}
+	if !strings.Contains(result.stderr, "credential not found") {
+		t.Fatalf("unexpected stderr:\n%s", result.stderr)
+	}
+}
+
+type cliResult struct {
+	stdout   string
+	stderr   string
+	exitCode int
+}
+
+func (r cliResult) requireSuccess(t *testing.T) {
+	t.Helper()
+	if r.exitCode != 0 {
+		t.Fatalf("expected success, got exit %d\nstdout:\n%s\nstderr:\n%s", r.exitCode, r.stdout, r.stderr)
+	}
+	if r.stderr != "" {
+		t.Fatalf("expected empty stderr, got:\n%s", r.stderr)
+	}
+}
+
+func runCLI(t *testing.T, args ...string) cliResult {
+	t.Helper()
+
+	commandArgs := append([]string{"run", "."}, args...)
+	cmd := exec.Command("go", commandArgs...)
+	stdout := bytes.Buffer{}
+	stderr := bytes.Buffer{}
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err := cmd.Run()
+	exitCode := 0
+	if err != nil {
+		exitCode = 1
+		if exitError, ok := err.(*exec.ExitError); ok {
+			exitCode = exitError.ExitCode()
+		}
+	}
+	return cliResult{stdout: stdout.String(), stderr: stderr.String(), exitCode: exitCode}
+}
diff --git a/v4/cmd/auth.go b/v4/cmd/auth.go
new file mode 100644
index 00000000..0eb16fb4
--- /dev/null
+++ b/v4/cmd/auth.go
@@ -0,0 +1,1072 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/spf13/cobra"
+
+	v4auth "github.com/formancehq/fctl/v4/internal/auth"
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	authcmd "github.com/formancehq/fctl/v4/internal/commands/auth"
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+)
+
+func newAuthCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "auth",
+		Short: "Manage Auth service resources",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return cmd.Help()
+		},
+	}
+	command.AddCommand(newAuthClientsCommand())
+	command.AddCommand(newAuthUsersCommand(false))
+	return command
+}
+
+func newSessionCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:    "session",
+		Short:  "Manage CLI authentication sessions",
+		Hidden: true,
+		Args:   cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return cmd.Help()
+		},
+	}
+	command.AddCommand(newSessionLoginCommand())
+	command.AddCommand(newSessionStatusCommand())
+	command.AddCommand(newSessionTokenCommand())
+	command.AddCommand(newSessionLogoutCommand())
+	return command
+}
+
+func newSessionLoginCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "login",
+		Short: "Configure authentication for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return cmd.Help()
+		},
+	}
+	command.AddCommand(newSessionLoginCloudCommand())
+	command.AddCommand(newSessionLoginTokenCommand())
+	command.AddCommand(newSessionLoginClientCredentialsCommand())
+	command.AddCommand(newSessionLoginOIDCCommand())
+	command.AddCommand(newSessionLoginNoneCommand())
+	return command
+}
+
+func newSessionLoginCloudCommand() *cobra.Command {
+	var cloudURL string
+
+	command := &cobra.Command{
+		Use:   "cloud",
+		Short: "Log in to Formance Cloud (deferred)",
+		Args:  cobra.NoArgs,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			return fmt.Errorf("session login cloud is deferred until the Cloud device/browser login contract is explicit; use session login token or session login client-credentials for now")
+		},
+	}
+	command.Flags().StringVar(&cloudURL, "cloud-url", "", "Formance Cloud URL")
+	return command
+}
+
+func newSessionLoginOIDCCommand() *cobra.Command {
+	var issuerURL string
+	var clientID string
+
+	command := &cobra.Command{
+		Use:   "oidc",
+		Short: "Log in with generic OIDC device flow (deferred)",
+		Args:  cobra.NoArgs,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			if issuerURL == "" {
+				return fmt.Errorf("session login oidc requires --issuer-url")
+			}
+			if clientID == "" {
+				return fmt.Errorf("session login oidc requires --client-id")
+			}
+			return fmt.Errorf("session login oidc is deferred until the generic device flow contract is specified; use session login token or session login client-credentials for now")
+		},
+	}
+	command.Flags().StringVar(&issuerURL, "issuer-url", "", "OIDC issuer URL")
+	command.Flags().StringVar(&clientID, "client-id", "", "OIDC client ID")
+	return command
+}
+
+func newSessionLoginTokenCommand() *cobra.Command {
+	var token string
+	var tokenStdin bool
+	var tokenRef string
+
+	command := &cobra.Command{
+		Use:   "token",
+		Short: "Use a static bearer token for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, path, name, context, err := selectedContextForSessionLogin(cmd)
+			if err != nil {
+				return err
+			}
+			if token != "" && tokenStdin {
+				return fmt.Errorf("--token and --token-stdin are mutually exclusive")
+			}
+			secret := token
+			if tokenStdin {
+				data, err := io.ReadAll(cmd.InOrStdin())
+				if err != nil {
+					return err
+				}
+				secret = strings.TrimSpace(string(data))
+			}
+			if secret == "" && tokenRef == "" {
+				return fmt.Errorf("session login token requires --token, --token-stdin, or --token-ref")
+			}
+			if secret != "" {
+				if tokenRef == "" {
+					tokenRef = "contexts/" + name + "/token"
+				}
+				store, err := persistentCredentialStoreFromCommand(cmd)
+				if err != nil {
+					return err
+				}
+				if err := store.Set(cmd.Context(), tokenRef, secret); err != nil {
+					return err
+				}
+			}
+			context.Auth = v4config.Auth{Method: v4config.AuthMethodToken, TokenRef: tokenRef}
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Authentication for context %s set to token.", name)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&token, "token", "", "Bearer token value")
+	command.Flags().BoolVar(&tokenStdin, "token-stdin", false, "Read bearer token from stdin")
+	command.Flags().StringVar(&tokenRef, "token-ref", "", "Existing credential reference for token auth")
+	return command
+}
+
+func newSessionLoginClientCredentialsCommand() *cobra.Command {
+	var issuerURL string
+	var clientID string
+	var clientSecret string
+	var clientSecretStdin bool
+	var secretRef string
+
+	command := &cobra.Command{
+		Use:   "client-credentials",
+		Short: "Use OAuth client credentials for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, path, name, context, err := selectedContextForSessionLogin(cmd)
+			if err != nil {
+				return err
+			}
+			if issuerURL == "" {
+				return fmt.Errorf("session login client-credentials requires --issuer-url")
+			}
+			if clientID == "" {
+				return fmt.Errorf("session login client-credentials requires --client-id")
+			}
+			if clientSecret != "" && clientSecretStdin {
+				return fmt.Errorf("--client-secret and --client-secret-stdin are mutually exclusive")
+			}
+			secret := clientSecret
+			if clientSecretStdin {
+				data, err := io.ReadAll(cmd.InOrStdin())
+				if err != nil {
+					return err
+				}
+				secret = strings.TrimSpace(string(data))
+			}
+			if secret == "" && secretRef == "" {
+				return fmt.Errorf("session login client-credentials requires --client-secret, --client-secret-stdin, or --secret-ref")
+			}
+			if secret != "" {
+				if secretRef == "" {
+					secretRef = "contexts/" + name + "/client-secret"
+				}
+				store, err := persistentCredentialStoreFromCommand(cmd)
+				if err != nil {
+					return err
+				}
+				if err := store.Set(cmd.Context(), secretRef, secret); err != nil {
+					return err
+				}
+			}
+			context.Auth = v4config.Auth{
+				Method:    v4config.AuthMethodClientCredentials,
+				IssuerURL: issuerURL,
+				ClientID:  clientID,
+				SecretRef: secretRef,
+				Scopes:    clientCredentialsScopesForContext(context),
+			}
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Authentication for context %s set to client credentials.", name)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&issuerURL, "issuer-url", "", "OIDC issuer URL")
+	command.Flags().StringVar(&clientID, "client-id", "", "OAuth client ID")
+	command.Flags().StringVar(&clientSecret, "client-secret", "", "OAuth client secret")
+	command.Flags().BoolVar(&clientSecretStdin, "client-secret-stdin", false, "Read OAuth client secret from stdin")
+	command.Flags().StringVar(&secretRef, "secret-ref", "", "Existing credential reference for client secret")
+	return command
+}
+
+func newSessionLoginNoneCommand() *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "none",
+		Short: "Disable authentication for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, path, name, context, err := selectedContextForSession(cmd)
+			if err != nil {
+				return err
+			}
+			if context.Kind != v4config.ContextKindStack && !confirm {
+				return fmt.Errorf("session login none on %s contexts requires --confirm", context.Kind)
+			}
+			context.Auth = v4config.Auth{Method: v4config.AuthMethodNone}
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Authentication for context %s disabled.", name)))
+			return err
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm disabling auth on non-stack contexts")
+	return command
+}
+
+func selectedContextForSession(cmd *cobra.Command) (v4config.Config, string, string, v4config.Context, error) {
+	cfg, path, err := loadConfig(cmd, false)
+	if err != nil {
+		return v4config.Config{}, "", "", v4config.Context{}, err
+	}
+	contextName, err := contextNameFromCommand(cmd)
+	if err != nil {
+		return v4config.Config{}, "", "", v4config.Context{}, err
+	}
+	name, context, err := v4config.ResolveCurrentContext(cfg, v4config.ContextOverride{Name: contextName})
+	if err != nil {
+		return v4config.Config{}, "", "", v4config.Context{}, err
+	}
+	return cfg, path, name, context, nil
+}
+
+func selectedContextForSessionLogin(cmd *cobra.Command) (v4config.Config, string, string, v4config.Context, error) {
+	cfg, path, err := loadConfig(cmd, true)
+	if err != nil {
+		return v4config.Config{}, "", "", v4config.Context{}, err
+	}
+	contextName, err := contextNameFromCommand(cmd)
+	if err != nil {
+		return v4config.Config{}, "", "", v4config.Context{}, err
+	}
+	if len(cfg.Contexts) == 0 && contextName == "" {
+		contextName = v4config.DefaultCloudContextName
+		cfg.Contexts = map[string]v4config.Context{
+			contextName: v4config.DefaultCloudContext(),
+		}
+		cfg.CurrentContext = contextName
+	}
+	name, context, err := v4config.ResolveCurrentContext(cfg, v4config.ContextOverride{Name: contextName})
+	if err != nil {
+		return v4config.Config{}, "", "", v4config.Context{}, err
+	}
+	return cfg, path, name, context, nil
+}
+
+func newSessionStatusCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "status",
+		Short: "Show authentication for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, _, name, context, err := selectedContextForSession(cmd)
+			if err != nil {
+				return err
+			}
+			output := authStatusOutput{Name: name, Current: name == cfg.CurrentContext, Auth: context.Auth}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			rows := []styledKeyValue{
+				{Label: "Context", Value: name},
+				{Label: "Method", Value: string(context.Auth.Method)},
+			}
+			if context.Auth.TokenRef != "" {
+				rows = append(rows, styledKeyValue{Label: "TokenRef", Value: context.Auth.TokenRef})
+			}
+			if context.Auth.SecretRef != "" {
+				rows = append(rows, styledKeyValue{Label: "SecretRef", Value: context.Auth.SecretRef})
+			}
+			if context.Auth.ClientID != "" {
+				rows = append(rows, styledKeyValue{Label: "ClientID", Value: context.Auth.ClientID})
+			}
+			if context.Auth.IssuerURL != "" {
+				rows = append(rows, styledKeyValue{Label: "IssuerURL", Value: context.Auth.IssuerURL})
+			}
+			return writeStyledKeyValues(cmd, rows...)
+		},
+	}
+}
+
+func newSessionTokenCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "token",
+		Short: "Print an access token for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, _, _, context, err := selectedContextForSession(cmd)
+			if err != nil {
+				return err
+			}
+			if context.Auth.Method == v4config.AuthMethodNone {
+				return fmt.Errorf("session token requires an authenticated context")
+			}
+			authOptions, err := authOptionsFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			store, err := credentialStoreFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			source, err := v4auth.NewTokenSource(context.Auth, store, authOptions)
+			if err != nil {
+				return err
+			}
+			if source == nil {
+				return fmt.Errorf("session token requires an authenticated context")
+			}
+			token, err := source.Token(cmd.Context())
+			if err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), token.AccessToken)
+			return err
+		},
+	}
+}
+
+func newSessionLogoutCommand() *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "logout",
+		Short: "Clear authentication for the selected context",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if !confirm {
+				return fmt.Errorf("session logout requires --confirm")
+			}
+			cfg, path, name, context, err := selectedContextForSession(cmd)
+			if err != nil {
+				return err
+			}
+			store, err := credentialStoreFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			deleteCredentialRef(cmd, store, context.Auth.TokenRef)
+			deleteCredentialRef(cmd, store, context.Auth.SecretRef)
+			context.Auth = v4config.Auth{Method: v4config.AuthMethodNone}
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Authentication for context %s cleared.", name)))
+			return err
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm clearing authentication")
+	return command
+}
+
+func deleteCredentialRef(cmd *cobra.Command, store interface {
+	Delete(context.Context, string) error
+}, ref string) {
+	if ref == "" || strings.HasPrefix(ref, "env://") || strings.HasPrefix(ref, "file://") || strings.HasPrefix(ref, "stdin://") {
+		return
+	}
+	_ = store.Delete(cmd.Context(), ref)
+}
+
+type authStatusOutput struct {
+	Name    string        `json:"name" yaml:"name"`
+	Current bool          `json:"current" yaml:"current"`
+	Auth    v4config.Auth `json:"auth" yaml:"auth"`
+}
+
+func newAuthClientsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "clients",
+		Short: "Manage Auth clients",
+	}
+	command.AddCommand(newAuthClientsCreateCommand())
+	command.AddCommand(newAuthClientsListCommand())
+	command.AddCommand(newAuthClientsShowCommand("show", []string{"sh"}, false))
+	command.AddCommand(newAuthClientsShowCommand("get", nil, true))
+	command.AddCommand(newAuthClientsUpdateCommand())
+	command.AddCommand(newAuthClientsDeleteCommand())
+	command.AddCommand(newAuthClientsSecretsCommand())
+	command.AddCommand(newAuthUsersCommand(true))
+	return command
+}
+
+func newAuthClientsSecretsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "secrets",
+		Short: "Manage Auth client secrets",
+	}
+	command.AddCommand(newAuthClientsSecretsCreateCommand())
+	command.AddCommand(newAuthClientsSecretsDeleteCommand())
+	return command
+}
+
+func newAuthClientsCreateCommand() *cobra.Command {
+	var input authClientFlags
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create <name>",
+		Short: "Create an Auth client",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			request, err := input.mutationInput(cmd, "", args[0])
+			if err != nil {
+				return err
+			}
+			service, err := newCreateAuthClientService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), request)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthClientMutated(cmd, output, "created")
+		},
+	}
+	bindAuthClientFlags(command, &input, false)
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthUsersCommand(deprecatedClientsAlias bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:     "users",
+		Aliases: []string{"u", "user"},
+		Short:   "Manage Auth users",
+		PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+			if deprecatedClientsAlias {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command auth clients users has been deprecated, use auth users")
+			}
+		},
+	}
+	if deprecatedClientsAlias {
+		command.Deprecated = "use auth users"
+	}
+	command.AddCommand(newAuthUsersListCommand())
+	command.AddCommand(newAuthUsersShowCommand("show", []string{"sh"}, false))
+	command.AddCommand(newAuthUsersShowCommand("get", nil, true))
+	return command
+}
+
+func newAuthClientsListCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Auth clients",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			service, err := newListAuthClientsService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context())
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthClients(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthClientsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <client-id>",
+		Aliases: aliases,
+		Short:   "Show an Auth client",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command auth clients get has been deprecated, use auth clients show")
+			}
+			service, err := newGetAuthClientService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), authcmd.GetClientInput{ClientID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthClient(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use auth clients show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthClientsUpdateCommand() *cobra.Command {
+	var input authClientFlags
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "update <client-id>",
+		Short: "Update an Auth client",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			request, err := input.mutationInput(cmd, args[0], input.name)
+			if err != nil {
+				return err
+			}
+			service, err := newUpdateAuthClientService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), request)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthClientMutated(cmd, output, "updated")
+		},
+	}
+	bindAuthClientFlags(command, &input, true)
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthClientsDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <client-id>",
+		Short: "Delete an Auth client",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("auth clients delete requires --confirm")
+			}
+			service, err := newDeleteAuthClientService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), authcmd.DeleteClientInput{ClientID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthClientDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm client deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthClientsSecretsCreateCommand() *cobra.Command {
+	var metadata []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create <client-id> <secret-name>",
+		Short: "Create an Auth client secret",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			service, err := newCreateAuthSecretService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), authcmd.CreateSecretInput{
+				ClientID: args[0],
+				Name:     args[1],
+				Metadata: parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthSecretCreated(cmd, output)
+		},
+	}
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Secret metadata as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthClientsSecretsDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <client-id> <secret-id>",
+		Short: "Delete an Auth client secret",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("auth clients secrets delete requires --confirm")
+			}
+			service, err := newDeleteAuthSecretService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), authcmd.DeleteSecretInput{ClientID: args[0], SecretID: args[1]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthSecretDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm secret deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthUsersListCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Auth users",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			service, err := newListAuthUsersService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context())
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthUsers(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+func newAuthUsersShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <user-id>",
+		Aliases: aliases,
+		Short:   "Show an Auth user",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command auth users get has been deprecated, use auth users show")
+			}
+			service, err := newGetAuthUserService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), authcmd.GetUserInput{UserID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderAuthUser(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use auth users show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin auth API version")
+	return command
+}
+
+type authClientFlags struct {
+	name                   string
+	description            string
+	metadata               []string
+	scopes                 []string
+	redirectURIs           []string
+	postLogoutRedirectURIs []string
+	public                 bool
+	trusted                bool
+}
+
+func bindAuthClientFlags(command *cobra.Command, input *authClientFlags, includeName bool) {
+	if includeName {
+		command.Flags().StringVar(&input.name, "name", "", "Client name")
+	}
+	command.Flags().StringVar(&input.description, "description", "", "Client description")
+	command.Flags().StringArrayVar(&input.metadata, "metadata", nil, "Client metadata as key=value")
+	command.Flags().StringArrayVar(&input.scopes, "scope", nil, "OAuth scope")
+	command.Flags().StringArrayVar(&input.redirectURIs, "redirect-uri", nil, "OAuth redirect URI")
+	command.Flags().StringArrayVar(&input.postLogoutRedirectURIs, "post-logout-redirect-uri", nil, "Post logout redirect URI")
+	command.Flags().BoolVar(&input.public, "public", false, "Mark client as public")
+	command.Flags().BoolVar(&input.trusted, "trusted", false, "Mark client as trusted")
+}
+
+func (f authClientFlags) mutationInput(cmd *cobra.Command, clientID string, name string) (authcmd.ClientMutationInput, error) {
+	metadata, err := parseMetadataFlags(f.metadata)
+	if err != nil {
+		return authcmd.ClientMutationInput{}, err
+	}
+	var description *string
+	if cmd.Flags().Changed("description") {
+		description = &f.description
+	}
+	var public *bool
+	if cmd.Flags().Changed("public") {
+		public = &f.public
+	}
+	var trusted *bool
+	if cmd.Flags().Changed("trusted") {
+		trusted = &f.trusted
+	}
+	return authcmd.ClientMutationInput{
+		ClientID:               clientID,
+		Name:                   name,
+		Description:            description,
+		Metadata:               metadata,
+		Scopes:                 f.scopes,
+		RedirectURIs:           f.redirectURIs,
+		PostLogoutRedirectURIs: f.postLogoutRedirectURIs,
+		Public:                 public,
+		Trusted:                trusted,
+	}, nil
+}
+
+func newCreateAuthClientService(cmd *cobra.Command, apiVersion string) (authcmd.CreateClientService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.CreateClientService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.CreateClientService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.CreateClientService{
+		Handlers: authcmd.SDKCreateClientHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureCreateClient, apiVersion),
+	}, nil
+}
+
+func newListAuthClientsService(cmd *cobra.Command, apiVersion string) (authcmd.ListClientsService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.ListClientsService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.ListClientsService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.ListClientsService{
+		Handlers: authcmd.SDKListClientsHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureListClients, apiVersion),
+	}, nil
+}
+
+func newGetAuthClientService(cmd *cobra.Command, apiVersion string) (authcmd.GetClientService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.GetClientService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.GetClientService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.GetClientService{
+		Handlers: authcmd.SDKGetClientHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureReadClient, apiVersion),
+	}, nil
+}
+
+func newUpdateAuthClientService(cmd *cobra.Command, apiVersion string) (authcmd.UpdateClientService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.UpdateClientService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.UpdateClientService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.UpdateClientService{
+		Handlers: authcmd.SDKUpdateClientHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureUpdateClient, apiVersion),
+	}, nil
+}
+
+func newDeleteAuthClientService(cmd *cobra.Command, apiVersion string) (authcmd.DeleteClientService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.DeleteClientService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.DeleteClientService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.DeleteClientService{
+		Handlers: authcmd.SDKDeleteClientHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureDeleteClient, apiVersion),
+	}, nil
+}
+
+func newCreateAuthSecretService(cmd *cobra.Command, apiVersion string) (authcmd.CreateSecretService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.CreateSecretService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.CreateSecretService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.CreateSecretService{
+		Handlers: authcmd.SDKCreateSecretHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureCreateSecret, apiVersion),
+	}, nil
+}
+
+func newDeleteAuthSecretService(cmd *cobra.Command, apiVersion string) (authcmd.DeleteSecretService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.DeleteSecretService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.DeleteSecretService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.DeleteSecretService{
+		Handlers: authcmd.SDKDeleteSecretHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureDeleteSecret, apiVersion),
+	}, nil
+}
+
+func newListAuthUsersService(cmd *cobra.Command, apiVersion string) (authcmd.ListUsersService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.ListUsersService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.ListUsersService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.ListUsersService{
+		Handlers: authcmd.SDKListUsersHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureListUsers, apiVersion),
+	}, nil
+}
+
+func newGetAuthUserService(cmd *cobra.Command, apiVersion string) (authcmd.GetUserService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return authcmd.GetUserService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return authcmd.GetUserService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return authcmd.GetUserService{
+		Handlers: authcmd.SDKGetUserHandlers(sdk),
+		Resolve:  authVersionResolver(rt, authcmd.FeatureReadUser, apiVersion),
+	}, nil
+}
+
+func authVersionResolver(rt interface {
+	ResolveAPIVersion(context.Context, capabilities.VersionResolutionRequest) (capabilities.APIVersion, error)
+}, feature capabilities.Feature, apiVersion string) func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+	return func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+		request := capabilities.VersionResolutionRequest{
+			Product:         authcmd.ProductAuth,
+			Feature:         feature,
+			HandlerVersions: handlerVersions,
+		}
+		if apiVersion != "" {
+			request.Policy = capabilities.VersionPolicyPinned
+			request.PinnedVersion = capabilities.APIVersion(apiVersion)
+		}
+		return rt.ResolveAPIVersion(ctx, request)
+	}
+}
+
+func renderAuthClients(cmd *cobra.Command, output authcmd.ListClientsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Clients) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Auth clients found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Clients))
+	for _, client := range output.Clients {
+		rows = append(rows, []string{client.ID, client.Name, strings.Join(client.Scopes, ",")})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Name", "Scopes"}, rows)
+}
+
+func renderAuthClient(cmd *cobra.Command, output authcmd.GetClientOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	client := output.Client
+	rows := []styledKeyValue{
+		{Label: "ID", Value: client.ID},
+		{Label: "Name", Value: client.Name},
+	}
+	if len(client.Scopes) > 0 {
+		rows = append(rows, styledKeyValue{Label: "Scopes", Value: strings.Join(client.Scopes, ",")})
+	}
+	if len(client.RedirectURIs) > 0 {
+		rows = append(rows, styledKeyValue{Label: "Redirect URIs", Value: strings.Join(client.RedirectURIs, ",")})
+	}
+	if len(client.Secrets) > 0 {
+		rows = append(rows, styledKeyValue{Label: "Secrets", Value: fmt.Sprintf("%d", len(client.Secrets))})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderAuthClientMutated(cmd *cobra.Command, output authcmd.ClientMutationOutput, action string) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Client %s %s.", output.Client.ID, action)))
+	return err
+}
+
+func renderAuthClientDeleted(cmd *cobra.Command, output authcmd.DeleteClientOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Client %s deleted.", output.ClientID)))
+	return err
+}
+
+func renderAuthSecretCreated(cmd *cobra.Command, output authcmd.CreateSecretOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.Secret.ID != "" {
+		if err := writeStyledKeyValues(cmd, styledKeyValue{Label: "Secret ID", Value: output.Secret.ID}); err != nil {
+			return err
+		}
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Secret %s created for client %s. Use -o json to retrieve the clear secret.", output.Secret.Name, output.ClientID)))
+	return err
+}
+
+func renderAuthSecretDeleted(cmd *cobra.Command, output authcmd.DeleteSecretOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Secret %s deleted for client %s.", output.SecretID, output.ClientID)))
+	return err
+}
+
+func renderAuthUsers(cmd *cobra.Command, output authcmd.ListUsersOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Users) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Auth users found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Users))
+	for _, user := range output.Users {
+		rows = append(rows, []string{user.ID, user.Email, user.Subject})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Email", "Subject"}, rows)
+}
+
+func renderAuthUser(cmd *cobra.Command, output authcmd.GetUserOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	user := output.User
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: user.ID},
+		styledKeyValue{Label: "Email", Value: user.Email},
+		styledKeyValue{Label: "Subject", Value: user.Subject},
+	)
+}
diff --git a/v4/cmd/auth_scopes.go b/v4/cmd/auth_scopes.go
new file mode 100644
index 00000000..5200d1d9
--- /dev/null
+++ b/v4/cmd/auth_scopes.go
@@ -0,0 +1,26 @@
+package cmd
+
+import (
+	v4auth "github.com/formancehq/fctl/v4/internal/auth"
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+)
+
+func clientCredentialsScopesForPlatform(platform bool) []string {
+	if !platform {
+		return nil
+	}
+	return cloneOrganizationScopes()
+}
+
+func clientCredentialsScopesForContext(context v4config.Context) []string {
+	switch context.Kind {
+	case v4config.ContextKindCloud, v4config.ContextKindCloudStack:
+		return cloneOrganizationScopes()
+	default:
+		return nil
+	}
+}
+
+func cloneOrganizationScopes() []string {
+	return append([]string(nil), v4auth.OrganizationScopes...)
+}
diff --git a/v4/cmd/cloud.go b/v4/cmd/cloud.go
new file mode 100644
index 00000000..49433066
--- /dev/null
+++ b/v4/cmd/cloud.go
@@ -0,0 +1,1887 @@
+package cmd
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	membership "github.com/formancehq/fctl/internal/membershipclient/v3"
+	"github.com/spf13/cobra"
+
+	v4auth "github.com/formancehq/fctl/v4/internal/auth"
+	cloudcmd "github.com/formancehq/fctl/v4/internal/commands/cloud"
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+	"github.com/formancehq/fctl/v4/internal/runtime"
+)
+
+func newCloudCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "cloud",
+		Short: "Manage Formance Cloud resources",
+	}
+	command.AddCommand(newCloudMeCommand())
+	command.AddCommand(newCloudOrganizationsCommand())
+	command.AddCommand(newCloudRegionsCommand())
+	command.AddCommand(newCloudStacksCommand("stacks", "cloud stacks", false))
+	command.AddCommand(newCloudAppsCommand())
+	command.AddCommand(newUICommand(false))
+	return command
+}
+
+func newCloudMeCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "me",
+		Short: "Inspect the connected Cloud user",
+	}
+	command.AddCommand(newCloudMeShowCommand("show", nil, false))
+	command.AddCommand(newCloudMeShowCommand("info", nil, true))
+	command.AddCommand(newCloudMeInvitationsCommand())
+	return command
+}
+
+func newCloudMeShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:     use,
+		Aliases: aliases,
+		Short:   "Show the connected Cloud user",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command cloud me info has been deprecated, use cloud me show")
+			}
+			client, err := membershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.MeService{Client: client}.Run(cmd.Context())
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudMe(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Hidden = true
+	}
+	return command
+}
+
+func newCloudMeInvitationsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "invitations",
+		Short: "Manage invitations for the connected Cloud user",
+	}
+	command.AddCommand(newCloudMeInvitationsListCommand())
+	command.AddCommand(newCloudMeInvitationsActionCommand("accept"))
+	command.AddCommand(newCloudMeInvitationsActionCommand("decline"))
+	return command
+}
+
+func newCloudMeInvitationsListCommand() *cobra.Command {
+	var status string
+	var organization string
+
+	command := &cobra.Command{
+		Use:   "list",
+		Short: "List invitations for the connected Cloud user",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			client, err := membershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListInvitationsService{Client: client}.Run(cmd.Context(), cloudcmd.ListInvitationsInput{
+				Status:       status,
+				Organization: organization,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudInvitations(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&status, "status", "", "Invitation status")
+	command.Flags().StringVar(&organization, "organization", "", "Organization ID")
+	return command
+}
+
+func newCloudMeInvitationsActionCommand(action string) *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   action + " <invitation-id>",
+		Short: action + " a Cloud invitation",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud me invitations %s requires --confirm", action)
+			}
+			client, err := membershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.InvitationActionService{Client: client, Action: action}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudInvitationAction(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm invitation "+action)
+	return command
+}
+
+func newCloudOrganizationsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "organizations",
+		Short: "Manage Cloud organizations",
+	}
+	command.AddCommand(newCloudOrganizationsCreateCommand())
+	command.AddCommand(newCloudOrganizationsListCommand())
+	command.AddCommand(newCloudOrganizationsShowCommand("show", nil, false))
+	command.AddCommand(newCloudOrganizationsShowCommand("describe", nil, true))
+	command.AddCommand(newCloudOrganizationsHistoryCommand())
+	command.AddCommand(newCloudOrganizationsUpdateCommand())
+	command.AddCommand(newCloudOrganizationsDeleteCommand())
+	command.AddCommand(newCloudOrganizationsApplicationsCommand())
+	command.AddCommand(newCloudOrganizationsAuthenticationProviderCommand())
+	command.AddCommand(newCloudOrganizationsInvitationsCommand())
+	command.AddCommand(newCloudOrganizationsOAuthClientsCommand())
+	command.AddCommand(newCloudOrganizationsUsersCommand())
+	command.AddCommand(newCloudOrganizationsPoliciesCommand())
+	return command
+}
+
+func newCloudOrganizationsHistoryCommand() *cobra.Command {
+	var organizationID string
+	var stackID string
+	var cursor string
+	var pageSize int64
+	var action string
+	var userID string
+	var data string
+
+	command := &cobra.Command{
+		Use:     "history [organization-id]",
+		Aliases: []string{"hist"},
+		Short:   "Query Cloud organization history",
+		Args:    cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			targetOrganizationID := organizationID
+			if len(args) == 1 {
+				targetOrganizationID = args[0]
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, targetOrganizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListLogsService{Client: client}.Run(cmd.Context(), cloudcmd.ListLogsInput{
+				OrganizationID: resolvedOrganizationID,
+				StackID:        stackID,
+				Cursor:         cursor,
+				PageSize:       pageSize,
+				Action:         action,
+				UserID:         userID,
+				Data:           data,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudLogs(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&stackID, "stack", "", "Cloud stack ID")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().Int64Var(&pageSize, "page-size", 10, "Page size")
+	command.Flags().StringVar(&action, "action", "", "Filter by action")
+	command.Flags().StringVar(&userID, "user-id", "", "Filter by user ID")
+	command.Flags().StringVar(&data, "data", "", "Filter by modified data as key=value")
+	return command
+}
+
+func newCloudOrganizationsOAuthClientsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "oauth-clients",
+		Short: "Manage Cloud organization OAuth clients",
+	}
+	command.AddCommand(newCloudOrganizationsOAuthClientsCreateCommand())
+	command.AddCommand(newCloudOrganizationsOAuthClientsListCommand())
+	command.AddCommand(newCloudOrganizationsOAuthClientsShowCommand())
+	command.AddCommand(newCloudOrganizationsOAuthClientsUpdateCommand())
+	command.AddCommand(newCloudOrganizationsOAuthClientsDeleteCommand())
+	return command
+}
+
+func newCloudOrganizationsOAuthClientsCreateCommand() *cobra.Command {
+	var organizationID string
+	var name string
+	var description string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "create",
+		Short: "Create a Cloud organization OAuth client",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations oauth-clients create requires --confirm")
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.CreateOAuthClientService{Client: client}.Run(cmd.Context(), cloudcmd.OAuthClientInput{
+				OrganizationID: resolvedOrganizationID,
+				Name:           name,
+				Description:    description,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOAuthClientCreated(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&name, "name", "", "OAuth client name")
+	command.Flags().StringVar(&description, "description", "", "OAuth client description")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm OAuth client creation")
+	return command
+}
+
+func newCloudOrganizationsOAuthClientsListCommand() *cobra.Command {
+	var organizationID string
+	var cursor string
+	var pageSize int64
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Cloud organization OAuth clients",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListOAuthClientsService{Client: client}.Run(cmd.Context(), cloudcmd.ListOAuthClientsInput{
+				OrganizationID: resolvedOrganizationID,
+				Cursor:         cursor,
+				PageSize:       pageSize,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOAuthClients(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().Int64Var(&pageSize, "page-size", 0, "Page size")
+	return command
+}
+
+func newCloudOrganizationsOAuthClientsShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show <client-id>",
+		Short: "Show a Cloud organization OAuth client",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadOAuthClientService{Client: client}.Run(cmd.Context(), cloudcmd.OAuthClientInput{
+				OrganizationID: resolvedOrganizationID,
+				ClientID:       args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOAuthClient(cmd, output, false)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsOAuthClientsUpdateCommand() *cobra.Command {
+	var organizationID string
+	var name string
+	var description string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "update <client-id>",
+		Short: "Update a Cloud organization OAuth client",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations oauth-clients update requires --confirm")
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.UpdateOAuthClientService{Client: client}.Run(cmd.Context(), cloudcmd.OAuthClientInput{
+				OrganizationID: resolvedOrganizationID,
+				ClientID:       args[0],
+				Name:           name,
+				Description:    description,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOAuthClientMutated(cmd, output, "updated")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&name, "name", "", "OAuth client name")
+	command.Flags().StringVar(&description, "description", "", "OAuth client description")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm OAuth client update")
+	return command
+}
+
+func newCloudOrganizationsOAuthClientsDeleteCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <client-id>",
+		Short: "Delete a Cloud organization OAuth client",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations oauth-clients delete requires --confirm")
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteOAuthClientService{Client: client}.Run(cmd.Context(), cloudcmd.OAuthClientInput{
+				OrganizationID: resolvedOrganizationID,
+				ClientID:       args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud OAuth client %s deleted.", output.ClientID)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm OAuth client deletion")
+	return command
+}
+
+func newCloudOrganizationsAuthenticationProviderCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "authentication-provider",
+		Short: "Manage Cloud organization authentication provider",
+	}
+	command.AddCommand(newCloudOrganizationsAuthenticationProviderShowCommand())
+	command.AddCommand(newCloudOrganizationsAuthenticationProviderConfigureCommand())
+	command.AddCommand(newCloudOrganizationsAuthenticationProviderDeleteCommand())
+	return command
+}
+
+func newCloudOrganizationsAuthenticationProviderShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show",
+		Short: "Show Cloud organization authentication provider",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadAuthenticationProviderService{Client: client}.Run(cmd.Context(), resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudAuthenticationProvider(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsAuthenticationProviderConfigureCommand() *cobra.Command {
+	var organizationID string
+	var providerType string
+	var name string
+	var clientID string
+	var clientSecret string
+	var clientSecretStdin bool
+	var oidcIssuer string
+	var oidcDiscovery string
+	var microsoftTenant string
+
+	command := &cobra.Command{
+		Use:   "configure [type name client-id client-secret]",
+		Short: "Configure Cloud organization authentication provider",
+		Args: func(_ *cobra.Command, args []string) error {
+			if len(args) == 0 || len(args) == 4 {
+				return nil
+			}
+			return fmt.Errorf("accepts either no positional args or the deprecated positional form <type> <name> <client-id> <client-secret>, received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 4 {
+				if providerType != "" || name != "" || clientID != "" || clientSecret != "" || clientSecretStdin {
+					return fmt.Errorf("deprecated positional authentication provider arguments cannot be combined with --type, --name, --client-id, --client-secret, or --client-secret-stdin")
+				}
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional authentication provider arguments have been deprecated, use --type --name --client-id and --client-secret-stdin")
+				providerType = args[0]
+				name = args[1]
+				clientID = args[2]
+				clientSecret = args[3]
+			}
+			if clientSecretStdin {
+				data, err := io.ReadAll(cmd.InOrStdin())
+				if err != nil {
+					return err
+				}
+				clientSecret = strings.TrimSpace(string(data))
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ConfigureAuthenticationProviderService{Client: client}.Run(cmd.Context(), cloudcmd.AuthenticationProviderInput{
+				OrganizationID:  resolvedOrganizationID,
+				Type:            providerType,
+				Name:            name,
+				ClientID:        clientID,
+				ClientSecret:    clientSecret,
+				OIDCIssuer:      oidcIssuer,
+				OIDCDiscovery:   oidcDiscovery,
+				MicrosoftTenant: microsoftTenant,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudAuthenticationProviderMutated(cmd, output, "configured")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&providerType, "type", "", "Authentication provider type (github, google, microsoft, oidc)")
+	command.Flags().StringVar(&name, "name", "", "Authentication provider name")
+	command.Flags().StringVar(&clientID, "client-id", "", "Authentication provider client ID")
+	command.Flags().StringVar(&clientSecret, "client-secret", "", "Authentication provider client secret")
+	command.Flags().BoolVar(&clientSecretStdin, "client-secret-stdin", false, "Read authentication provider client secret from stdin")
+	command.Flags().StringVar(&oidcIssuer, "oidc-issuer", "", "OIDC issuer URL")
+	command.Flags().StringVar(&oidcDiscovery, "oidc-discovery-path", "", "OIDC discovery path")
+	command.Flags().StringVar(&microsoftTenant, "microsoft-tenant", "", "Microsoft tenant ID")
+	return command
+}
+
+func newCloudOrganizationsAuthenticationProviderDeleteCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete",
+		Short: "Delete Cloud organization authentication provider",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations authentication-provider delete requires --confirm")
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteAuthenticationProviderService{Client: client}.Run(cmd.Context(), resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud authentication provider for organization %s deleted.", output.OrganizationID)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm authentication provider deletion")
+	return command
+}
+
+func newCloudOrganizationsApplicationsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "applications",
+		Short: "Manage Cloud organization applications",
+	}
+	command.AddCommand(newCloudOrganizationsApplicationsListCommand())
+	command.AddCommand(newCloudOrganizationsApplicationsShowCommand())
+	return command
+}
+
+func newCloudOrganizationsApplicationsListCommand() *cobra.Command {
+	var organizationID string
+	var page int64
+	var pageSize int64
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Cloud organization applications",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListApplicationsService{Client: client}.Run(cmd.Context(), cloudcmd.ListApplicationsInput{
+				OrganizationID: resolvedOrganizationID,
+				Page:           page,
+				PageSize:       pageSize,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudApplications(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().Int64Var(&page, "page", 0, "Page number")
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	return command
+}
+
+func newCloudOrganizationsApplicationsShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show <application-id>",
+		Short: "Show a Cloud organization application",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadApplicationService{Client: client}.Run(cmd.Context(), cloudcmd.ApplicationInput{
+				OrganizationID: resolvedOrganizationID,
+				ApplicationID:  args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudApplication(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudRegionsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "regions",
+		Short: "Manage Cloud regions",
+	}
+	command.AddCommand(newCloudRegionsCreateCommand())
+	command.AddCommand(newCloudRegionsListCommand())
+	command.AddCommand(newCloudRegionsShowCommand())
+	command.AddCommand(newCloudRegionsDeleteCommand())
+	return command
+}
+
+func newCloudRegionsCreateCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "create <name>",
+		Short: "Create a private Cloud region",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, _, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			resolvedOrganizationID := resolveCloudOrganizationID(rt, organizationID)
+			client, err := organizationMembershipClientFromRuntime(cmd, rt, resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.CreateRegionService{Client: client}.Run(cmd.Context(), cloudcmd.RegionInput{
+				OrganizationID: resolvedOrganizationID,
+				Name:           args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudRegionMutated(cmd, output, "created")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudRegionsListCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Cloud regions",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, _, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			resolvedOrganizationID := resolveCloudOrganizationID(rt, organizationID)
+			client, err := organizationMembershipClientFromRuntime(cmd, rt, resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListRegionsService{Client: client}.Run(cmd.Context(), resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudRegions(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudRegionsShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show <region-id>",
+		Short: "Show a Cloud region",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, _, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			resolvedOrganizationID := resolveCloudOrganizationID(rt, organizationID)
+			client, err := organizationMembershipClientFromRuntime(cmd, rt, resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadRegionService{Client: client}.Run(cmd.Context(), cloudcmd.RegionInput{
+				OrganizationID: resolvedOrganizationID,
+				RegionID:       args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudRegion(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudRegionsDeleteCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <region-id>",
+		Short: "Delete a Cloud region",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud regions delete requires --confirm")
+			}
+			rt, _, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			resolvedOrganizationID := resolveCloudOrganizationID(rt, organizationID)
+			client, err := organizationMembershipClientFromRuntime(cmd, rt, resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteRegionService{Client: client}.Run(cmd.Context(), cloudcmd.RegionInput{
+				OrganizationID: resolvedOrganizationID,
+				RegionID:       args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud region %s deleted.", output.RegionID)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud region deletion")
+	return command
+}
+
+func newCloudOrganizationsCreateCommand() *cobra.Command {
+	var domain string
+	var defaultPolicyID int64
+	var ownerID string
+
+	command := &cobra.Command{
+		Use:   "create <name>",
+		Short: "Create a Cloud organization",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := membershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.CreateOrganizationService{Client: client}.Run(cmd.Context(), cloudcmd.CreateOrganizationInput{
+				Name:            args[0],
+				Domain:          domain,
+				DefaultPolicyID: optionalInt64(defaultPolicyID),
+				OwnerID:         ownerID,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizationMutated(cmd, output, "created")
+		},
+	}
+	command.Flags().StringVar(&domain, "domain", "", "Organization domain")
+	command.Flags().Int64Var(&defaultPolicyID, "default-policy-id", 0, "Default policy ID")
+	command.Flags().StringVar(&ownerID, "owner-id", "", "Organization owner user ID")
+	return command
+}
+
+func newCloudOrganizationsInvitationsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "invitations",
+		Short: "Manage Cloud organization invitations",
+	}
+	command.AddCommand(newCloudOrganizationsInvitationsListCommand())
+	command.AddCommand(newCloudOrganizationsInvitationsSendCommand())
+	command.AddCommand(newCloudOrganizationsInvitationsDeleteCommand())
+	return command
+}
+
+func newCloudOrganizationsUsersCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "users",
+		Short: "Manage Cloud organization users",
+	}
+	command.AddCommand(newCloudOrganizationsUsersListCommand())
+	command.AddCommand(newCloudOrganizationsUsersShowCommand())
+	command.AddCommand(newCloudOrganizationsUsersLinkCommand())
+	command.AddCommand(newCloudOrganizationsUsersUnlinkCommand())
+	return command
+}
+
+func newCloudOrganizationsUsersListCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "list",
+		Short: "List Cloud organization users",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListOrganizationUsersService{Client: client}.Run(cmd.Context(), resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizationUsers(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsUsersShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show <user-id>",
+		Short: "Show a Cloud organization user",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadOrganizationUserService{Client: client}.Run(cmd.Context(), cloudcmd.OrganizationUserActionInput{
+				OrganizationID: resolvedOrganizationID,
+				UserID:         args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizationUser(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsUsersLinkCommand() *cobra.Command {
+	var organizationID string
+	var policyID int64
+
+	command := &cobra.Command{
+		Use:   "link <user-id>",
+		Short: "Link a user to a Cloud organization",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.OrganizationUserActionService{Client: client, Action: "link"}.Run(cmd.Context(), cloudcmd.OrganizationUserActionInput{
+				OrganizationID: resolvedOrganizationID,
+				UserID:         args[0],
+				PolicyID:       policyID,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizationUserAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().Int64Var(&policyID, "policy-id", 0, "Organization policy ID")
+	return command
+}
+
+func newCloudOrganizationsUsersUnlinkCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "unlink <user-id>",
+		Short: "Unlink a user from a Cloud organization",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations users unlink requires --confirm")
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.OrganizationUserActionService{Client: client, Action: "unlink"}.Run(cmd.Context(), cloudcmd.OrganizationUserActionInput{
+				OrganizationID: resolvedOrganizationID,
+				UserID:         args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizationUserAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm organization user unlink")
+	return command
+}
+
+func newCloudOrganizationsPoliciesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "policies",
+		Short: "Manage Cloud organization policies",
+	}
+	command.AddCommand(newCloudOrganizationsPoliciesCreateCommand())
+	command.AddCommand(newCloudOrganizationsPoliciesListCommand())
+	command.AddCommand(newCloudOrganizationsPoliciesShowCommand())
+	command.AddCommand(newCloudOrganizationsPoliciesUpdateCommand())
+	command.AddCommand(newCloudOrganizationsPoliciesDeleteCommand())
+	command.AddCommand(newCloudOrganizationsPoliciesScopeActionCommand("add-scope", false))
+	command.AddCommand(newCloudOrganizationsPoliciesScopeActionCommand("remove-scope", true))
+	return command
+}
+
+func newCloudOrganizationsPoliciesCreateCommand() *cobra.Command {
+	var organizationID string
+	var description string
+
+	command := &cobra.Command{
+		Use:   "create <name>",
+		Short: "Create a Cloud organization policy",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.CreatePolicyService{Client: client}.Run(cmd.Context(), cloudcmd.PolicyInput{
+				OrganizationID: resolvedOrganizationID,
+				Name:           args[0],
+				Description:    description,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudPolicyMutated(cmd, output, "created")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&description, "description", "", "Policy description")
+	return command
+}
+
+func newCloudOrganizationsPoliciesListCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "list",
+		Short: "List Cloud organization policies",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListPoliciesService{Client: client}.Run(cmd.Context(), resolvedOrganizationID)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudPolicies(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsPoliciesShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show <policy-id>",
+		Short: "Show a Cloud organization policy",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			policyID, err := parseInt64Arg("policy id", args[0])
+			if err != nil {
+				return err
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadPolicyService{Client: client}.Run(cmd.Context(), cloudcmd.PolicyInput{
+				OrganizationID: resolvedOrganizationID,
+				PolicyID:       policyID,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudPolicy(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsPoliciesUpdateCommand() *cobra.Command {
+	var organizationID string
+	var name string
+	var description string
+
+	command := &cobra.Command{
+		Use:   "update <policy-id>",
+		Short: "Update a Cloud organization policy",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			policyID, err := parseInt64Arg("policy id", args[0])
+			if err != nil {
+				return err
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.UpdatePolicyService{Client: client}.Run(cmd.Context(), cloudcmd.PolicyInput{
+				OrganizationID: resolvedOrganizationID,
+				PolicyID:       policyID,
+				Name:           name,
+				Description:    description,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudPolicyMutated(cmd, output, "updated")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&name, "name", "", "Policy name")
+	command.Flags().StringVar(&description, "description", "", "Policy description")
+	return command
+}
+
+func newCloudOrganizationsPoliciesDeleteCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <policy-id>",
+		Short: "Delete a Cloud organization policy",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations policies delete requires --confirm")
+			}
+			return runCloudPolicyAction(cmd, organizationID, args[0], 0, "delete")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm policy deletion")
+	return command
+}
+
+func newCloudOrganizationsPoliciesScopeActionCommand(action string, requiresConfirm bool) *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   action + " <policy-id> <scope-id>",
+		Short: action + " on a Cloud organization policy",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if requiresConfirm && !confirm {
+				return fmt.Errorf("cloud organizations policies %s requires --confirm", action)
+			}
+			scopeID, err := parseInt64Arg("scope id", args[1])
+			if err != nil {
+				return err
+			}
+			return runCloudPolicyAction(cmd, organizationID, args[0], scopeID, action)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	if requiresConfirm {
+		command.Flags().BoolVar(&confirm, "confirm", false, "Confirm policy scope removal")
+	}
+	return command
+}
+
+func runCloudPolicyAction(cmd *cobra.Command, organizationID string, policyIDArg string, scopeID int64, action string) error {
+	policyID, err := parseInt64Arg("policy id", policyIDArg)
+	if err != nil {
+		return err
+	}
+	_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+	if err != nil {
+		return err
+	}
+	output, err := cloudcmd.PolicyActionService{Client: client, Action: action}.Run(cmd.Context(), cloudcmd.PolicyActionInput{
+		OrganizationID: resolvedOrganizationID,
+		PolicyID:       policyID,
+		ScopeID:        scopeID,
+	})
+	if err != nil {
+		return err
+	}
+	if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+		return err
+	}
+	return renderCloudPolicyAction(cmd, output)
+}
+
+func newCloudOrganizationsInvitationsListCommand() *cobra.Command {
+	var organizationID string
+	var status string
+
+	command := &cobra.Command{
+		Use:   "list",
+		Short: "List Cloud organization invitations",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListOrganizationInvitationsService{Client: client}.Run(cmd.Context(), cloudcmd.ListOrganizationInvitationsInput{
+				OrganizationID: resolvedOrganizationID,
+				Status:         status,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudInvitations(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&status, "status", "", "Invitation status")
+	return command
+}
+
+func newCloudOrganizationsInvitationsSendCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "send <email>",
+		Short: "Send a Cloud organization invitation",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			invitation, err := cloudcmd.CreateInvitationService{Client: client}.Run(cmd.Context(), cloudcmd.CreateInvitationInput{
+				OrganizationID: resolvedOrganizationID,
+				Email:          args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, map[string]cloudcmd.InvitationSummary{"invitation": invitation}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud invitation %s sent.", invitation.ID)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudOrganizationsInvitationsDeleteCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <invitation-id>",
+		Short: "Delete a Cloud organization invitation",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations invitations delete requires --confirm")
+			}
+			_, resolvedOrganizationID, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteInvitationService{Client: client}.Run(cmd.Context(), cloudcmd.OrganizationInvitationActionInput{
+				OrganizationID: resolvedOrganizationID,
+				InvitationID:   args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud invitation %s deleted.", output.InvitationID)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm invitation deletion")
+	return command
+}
+
+func newCloudOrganizationsListCommand() *cobra.Command {
+	var expand bool
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Cloud organizations",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			client, err := membershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListOrganizationsService{Client: client}.Run(cmd.Context(), cloudcmd.ListOrganizationsInput{Expand: expand})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizations(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&expand, "expand", false, "Expand related organization data")
+	return command
+}
+
+func newCloudOrganizationsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var expand bool
+
+	command := &cobra.Command{
+		Use:     use + " <organization-id>",
+		Aliases: aliases,
+		Short:   "Show a Cloud organization",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command cloud organizations describe has been deprecated, use cloud organizations show")
+			}
+			_, _, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, args[0])
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadOrganizationService{Client: client}.Run(cmd.Context(), cloudcmd.OrganizationIDInput{
+				OrganizationID: args[0],
+				Expand:         expand,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganization(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&expand, "expand", false, "Expand related organization data")
+	if deprecated {
+		command.Hidden = true
+	}
+	return command
+}
+
+func newCloudOrganizationsUpdateCommand() *cobra.Command {
+	var name string
+	var domain string
+	var defaultPolicyID int64
+
+	command := &cobra.Command{
+		Use:   "update <organization-id>",
+		Short: "Update a Cloud organization",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, _, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, args[0])
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.UpdateOrganizationService{Client: client}.Run(cmd.Context(), cloudcmd.UpdateOrganizationInput{
+				OrganizationID:  args[0],
+				Name:            name,
+				Domain:          domain,
+				DefaultPolicyID: optionalInt64(defaultPolicyID),
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudOrganizationMutated(cmd, output, "updated")
+		},
+	}
+	command.Flags().StringVar(&name, "name", "", "Organization name")
+	command.Flags().StringVar(&domain, "domain", "", "Organization domain")
+	command.Flags().Int64Var(&defaultPolicyID, "default-policy-id", 0, "Default policy ID")
+	return command
+}
+
+func newCloudOrganizationsDeleteCommand() *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <organization-id>",
+		Short: "Delete a Cloud organization",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud organizations delete requires --confirm")
+			}
+			_, _, client, err := cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd, args[0])
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteOrganizationService{Client: client}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud organization %s deleted.", output.OrganizationID)))
+			return err
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud organization deletion")
+	return command
+}
+
+func optionalInt64(value int64) *int64 {
+	if value == 0 {
+		return nil
+	}
+	return &value
+}
+
+func parseInt64Arg(name string, value string) (int64, error) {
+	ret, err := strconv.ParseInt(value, 10, 64)
+	if err != nil || ret <= 0 {
+		return 0, fmt.Errorf("%s must be a positive integer", name)
+	}
+	return ret, nil
+}
+
+func membershipClientFromCommand(cmd *cobra.Command) (*membership.SDK, error) {
+	_, client, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+	return client, err
+}
+
+func cloudRuntimeAndMembershipClientFromCommand(cmd *cobra.Command) (*runtime.Runtime, *membership.SDK, error) {
+	rt, err := runtimeFromCommand(cmd)
+	if err != nil {
+		return nil, nil, err
+	}
+	if rt.Target.Kind != runtime.TargetKindCloud && rt.Target.Kind != runtime.TargetKindCloudStack {
+		return nil, nil, fmt.Errorf("cloud commands require a cloud or cloud-stack context")
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return nil, nil, err
+	}
+	return rt, newMembershipClient(rt.Target.URL, httpClient), nil
+}
+
+func cloudRuntimeAndOrganizationMembershipClientFromCommand(cmd *cobra.Command, organizationID string) (*runtime.Runtime, string, *membership.SDK, error) {
+	rt, _, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+	if err != nil {
+		return nil, "", nil, err
+	}
+	resolvedOrganizationID := resolveCloudOrganizationID(rt, organizationID)
+	client, err := organizationMembershipClientFromRuntime(cmd, rt, resolvedOrganizationID)
+	if err != nil {
+		return nil, "", nil, err
+	}
+	return rt, resolvedOrganizationID, client, nil
+}
+
+func organizationMembershipClientFromRuntime(cmd *cobra.Command, rt *runtime.Runtime, organizationID string) (*membership.SDK, error) {
+	if rt == nil {
+		return nil, fmt.Errorf("runtime is required")
+	}
+	if rt.Context.Auth.Method != v4config.AuthMethodCloudDevice {
+		httpClient, err := rt.HTTPClient(cmd.Context())
+		if err != nil {
+			return nil, err
+		}
+		return newMembershipClient(rt.Target.URL, httpClient), nil
+	}
+	if organizationID == "" {
+		return nil, fmt.Errorf("organization id is required")
+	}
+	scopedAuth, err := ensureCloudDeviceOrganizationAuth(cmd, rt, organizationID)
+	if err != nil {
+		return nil, err
+	}
+	httpClient, err := v4auth.NewHTTPClient(cmd.Context(), scopedAuth, rt.Credentials, rt.AuthOptions)
+	if err != nil {
+		return nil, err
+	}
+	return newMembershipClient(rt.Target.URL, httpClient), nil
+}
+
+func ensureCloudDeviceOrganizationAuth(cmd *cobra.Command, rt *runtime.Runtime, organizationID string) (v4config.Auth, error) {
+	rootAuth := rt.Context.Auth
+	scopedRef := organizationTokenRef(rootAuth.TokenRef, organizationID)
+	issuerURL := rootAuth.IssuerURL
+	if issuerURL == "" {
+		issuerURL = rt.Context.CloudURL
+	}
+	scopedAuth := v4config.Auth{
+		Method:    v4config.AuthMethodCloudDevice,
+		IssuerURL: issuerURL,
+		TokenRef:  scopedRef,
+		Scopes:    append([]string(nil), v4auth.OrganizationScopes...),
+	}
+	source, err := v4auth.NewTokenSource(scopedAuth, rt.Credentials, rt.AuthOptions)
+	if err == nil {
+		if _, tokenErr := source.Token(cmd.Context()); tokenErr == nil {
+			return scopedAuth, nil
+		} else if !isCredentialNotFound(tokenErr) {
+			return v4config.Auth{}, tokenErr
+		}
+	}
+
+	rootValue, err := rt.Credentials.Get(cmd.Context(), rootAuth.TokenRef)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	rootTokens, err := v4auth.ParseDeviceTokens(rootValue)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	authOptions, err := authOptionsFromCommand(cmd)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	tokens, err := v4auth.DeviceLogin(cmd.Context(), v4auth.DeviceLoginOptions{
+		IssuerURL:      issuerURL,
+		ClientID:       v4auth.DeviceClientID,
+		Scopes:         append([]string{"openid", "offline_access"}, v4auth.OrganizationScopes...),
+		OrganizationID: organizationID,
+		IDTokenHint:    rootTokens.IDToken,
+		HTTPClient:     authOptions.HTTPClient,
+		OpenURL:        loginOpenURL,
+		Out:            cmd.OutOrStdout(),
+	})
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	encoded, err := v4auth.MarshalDeviceTokens(tokens)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	if err := rt.Credentials.Set(cmd.Context(), scopedRef, encoded); err != nil {
+		return v4config.Auth{}, err
+	}
+	return scopedAuth, nil
+}
+
+func ensureCloudDeviceStackAuth(cmd *cobra.Command, rt *runtime.Runtime, stack cloudcmd.StackSummary) (v4config.Auth, error) {
+	if stack.ID == "" {
+		return v4config.Auth{}, fmt.Errorf("stack id is required")
+	}
+	if rt.Target.Organization == "" {
+		return v4config.Auth{}, fmt.Errorf("organization id is required")
+	}
+	rootAuth := rt.Context.Auth
+	scopedRef := stackTokenRef(rootAuth.TokenRef, rt.Target.Organization, stack.ID)
+	issuerURL := rootAuth.IssuerURL
+	if issuerURL == "" {
+		issuerURL = rt.Context.CloudURL
+	}
+	resource := v4auth.StackResource(rt.Target.Organization, stack.ID)
+	scopedAuth := v4config.Auth{
+		Method:    v4config.AuthMethodCloudDevice,
+		IssuerURL: issuerURL,
+		TokenRef:  scopedRef,
+	}
+	source, err := v4auth.NewTokenSource(scopedAuth, rt.Credentials, rt.AuthOptions)
+	if err == nil {
+		if _, tokenErr := source.Token(cmd.Context()); tokenErr == nil {
+			return scopedAuth, nil
+		} else if !isCredentialNotFound(tokenErr) {
+			return v4config.Auth{}, tokenErr
+		}
+	}
+
+	rootValue, err := rt.Credentials.Get(cmd.Context(), rootAuth.TokenRef)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	rootTokens, err := v4auth.ParseDeviceTokens(rootValue)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	authOptions, err := authOptionsFromCommand(cmd)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	tokens, err := v4auth.DeviceLogin(cmd.Context(), v4auth.DeviceLoginOptions{
+		IssuerURL:      issuerURL,
+		ClientID:       v4auth.DeviceClientID,
+		Scopes:         []string{"openid", "offline_access"},
+		Resources:      []string{resource},
+		OrganizationID: rt.Target.Organization,
+		IDTokenHint:    rootTokens.IDToken,
+		HTTPClient:     authOptions.HTTPClient,
+		OpenURL:        loginOpenURL,
+		Out:            cmd.OutOrStdout(),
+	})
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	encoded, err := v4auth.MarshalDeviceTokens(tokens)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	if err := rt.Credentials.Set(cmd.Context(), scopedRef, encoded); err != nil {
+		return v4config.Auth{}, err
+	}
+	return scopedAuth, nil
+}
+
+func organizationTokenRef(rootRef string, organizationID string) string {
+	base := strings.TrimSuffix(rootRef, "/root-tokens")
+	if base == rootRef {
+		base = strings.TrimSuffix(rootRef, "/token")
+	}
+	return base + "/organizations/" + organizationID + "/root-tokens"
+}
+
+func stackTokenRef(rootRef string, organizationID string, stackID string) string {
+	base := strings.TrimSuffix(rootRef, "/root-tokens")
+	if base == rootRef {
+		base = strings.TrimSuffix(rootRef, "/token")
+	}
+	return base + "/organizations/" + organizationID + "/stacks/" + stackID + "/root-tokens"
+}
+
+func isCredentialNotFound(err error) bool {
+	return strings.Contains(err.Error(), credentials.ErrNotFound.Error())
+}
+
+func newMembershipClient(baseURL string, httpClient *http.Client) *membership.SDK {
+	options := []membership.SDKOption{membership.WithServerURL(baseURL)}
+	if httpClient != nil {
+		options = append(options, membership.WithClient(httpClient))
+	}
+	return membership.New(options...)
+}
+
+func renderCloudMe(cmd *cobra.Command, output cloudcmd.MeOutput) error {
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: output.User.ID},
+		styledKeyValue{Label: "Email", Value: output.User.Email},
+		styledKeyValue{Label: "Role", Value: output.User.Role},
+	)
+}
+
+func renderCloudInvitations(cmd *cobra.Command, output cloudcmd.ListInvitationsOutput) error {
+	if len(output.Invitations) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No invitations found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Invitations))
+	for _, invitation := range output.Invitations {
+		rows = append(rows, []string{invitation.ID, invitation.OrganizationID, invitation.UserEmail, invitation.Status})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Organization", "Email", "Status"}, rows)
+}
+
+func renderCloudInvitationAction(cmd *cobra.Command, output cloudcmd.InvitationActionOutput) error {
+	done := "accepted"
+	if output.Action == "decline" {
+		done = "declined"
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud invitation %s %s.", output.InvitationID, done)))
+	return err
+}
+
+func renderCloudRegions(cmd *cobra.Command, output cloudcmd.ListRegionsOutput) error {
+	if len(output.Regions) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No regions found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Regions))
+	for _, region := range output.Regions {
+		rows = append(rows, []string{region.ID, region.Name, fmt.Sprint(region.Active), fmt.Sprint(region.Public)})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Name", "Active", "Public"}, rows)
+}
+
+func renderCloudRegion(cmd *cobra.Command, output cloudcmd.RegionOutput) error {
+	region := output.Region
+	rows := []styledKeyValue{
+		{Label: "ID", Value: region.ID},
+		{Label: "Name", Value: region.Name},
+		{Label: "Active", Value: fmt.Sprint(region.Active)},
+		{Label: "Public", Value: fmt.Sprint(region.Public)},
+	}
+	if region.BaseURL != "" {
+		rows = append(rows, styledKeyValue{Label: "BaseURL", Value: region.BaseURL})
+	}
+	if region.Version != "" {
+		rows = append(rows, styledKeyValue{Label: "Version", Value: region.Version})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderCloudRegionMutated(cmd *cobra.Command, output cloudcmd.RegionOutput, action string) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud region %s %s.", output.Region.ID, action)))
+	return err
+}
+
+func renderCloudOrganizations(cmd *cobra.Command, output cloudcmd.ListOrganizationsOutput) error {
+	if len(output.Organizations) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No organizations found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Organizations))
+	for _, organization := range output.Organizations {
+		rows = append(rows, []string{organization.ID, organization.Name, organization.OwnerID})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Name", "Owner"}, rows)
+}
+
+func renderCloudLogs(cmd *cobra.Command, output cloudcmd.ListLogsOutput) error {
+	if len(output.Logs) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No logs found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Logs))
+	for _, log := range output.Logs {
+		rows = append(rows, []string{log.Seq, log.OrganizationID, log.UserID, log.Action, log.Date.Format(time.RFC3339)})
+	}
+	return writeStyledRows(cmd, []string{"Seq", "Organization", "User", "Action", "Date"}, rows)
+}
+
+func renderCloudApplications(cmd *cobra.Command, output cloudcmd.ListApplicationsOutput) error {
+	if len(output.Applications) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No applications found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Applications))
+	for _, application := range output.Applications {
+		rows = append(rows, []string{application.ID, application.Name, application.Alias, application.URL})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Name", "Alias", "URL"}, rows)
+}
+
+func renderCloudApplication(cmd *cobra.Command, output cloudcmd.ApplicationOutput) error {
+	application := output.Application
+	rows := []styledKeyValue{
+		{Label: "ID", Value: application.ID},
+		{Label: "Name", Value: application.Name},
+		{Label: "Alias", Value: application.Alias},
+		{Label: "URL", Value: application.URL},
+	}
+	if application.Description != "" {
+		rows = append(rows, styledKeyValue{Label: "Description", Value: application.Description})
+	}
+	for _, scope := range application.Scopes {
+		rows = append(rows, styledKeyValue{Label: "Scope", Value: fmt.Sprintf("%d\t%s", scope.ID, scope.Label)})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderCloudAuthenticationProvider(cmd *cobra.Command, output cloudcmd.AuthenticationProviderOutput) error {
+	provider := output.Provider
+	rows := []styledKeyValue{
+		{Label: "Type", Value: provider.Type},
+		{Label: "Name", Value: provider.Name},
+		{Label: "ClientID", Value: provider.ClientID},
+	}
+	if provider.RedirectURI != "" {
+		rows = append(rows, styledKeyValue{Label: "RedirectURI", Value: provider.RedirectURI})
+	}
+	if provider.Issuer != "" {
+		rows = append(rows, styledKeyValue{Label: "Issuer", Value: provider.Issuer})
+	}
+	if provider.Tenant != "" {
+		rows = append(rows, styledKeyValue{Label: "Tenant", Value: provider.Tenant})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderCloudAuthenticationProviderMutated(cmd *cobra.Command, output cloudcmd.AuthenticationProviderOutput, action string) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud authentication provider %s %s.", output.Provider.Name, action)))
+	return err
+}
+
+func renderCloudOAuthClients(cmd *cobra.Command, output cloudcmd.ListOAuthClientsOutput) error {
+	if len(output.Clients) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No OAuth clients found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Clients))
+	for _, client := range output.Clients {
+		rows = append(rows, []string{client.ClientID, client.Name, client.SecretLastDigits, client.Description})
+	}
+	return writeStyledRows(cmd, []string{"ClientID", "Name", "SecretLastDigits", "Description"}, rows)
+}
+
+func renderCloudOAuthClient(cmd *cobra.Command, output cloudcmd.OAuthClientOutput, includeSecret bool) error {
+	client := output.Client
+	rows := []styledKeyValue{
+		{Label: "ClientID", Value: client.ClientID},
+		{Label: "Name", Value: client.Name},
+		{Label: "SecretLastDigits", Value: client.SecretLastDigits},
+		{Label: "Description", Value: client.Description},
+	}
+	if includeSecret && client.Secret != "" {
+		rows = append(rows, styledKeyValue{Label: "Secret", Value: client.Secret})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderCloudOAuthClientCreated(cmd *cobra.Command, output cloudcmd.OAuthClientOutput) error {
+	return renderCloudOAuthClient(cmd, output, true)
+}
+
+func renderCloudOAuthClientMutated(cmd *cobra.Command, output cloudcmd.OAuthClientOutput, action string) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud OAuth client %s %s.", output.Client.ClientID, action)))
+	return err
+}
+
+func renderCloudOrganizationUsers(cmd *cobra.Command, output cloudcmd.ListOrganizationUsersOutput) error {
+	if len(output.Users) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No organization users found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Users))
+	for _, user := range output.Users {
+		rows = append(rows, []string{user.ID, user.Email, fmt.Sprint(user.PolicyID)})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Email", "Policy"}, rows)
+}
+
+func renderCloudOrganizationUser(cmd *cobra.Command, output cloudcmd.OrganizationUserOutput) error {
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: output.User.ID},
+		styledKeyValue{Label: "Email", Value: output.User.Email},
+		styledKeyValue{Label: "Policy", Value: fmt.Sprint(output.User.PolicyID)},
+	)
+}
+
+func renderCloudOrganizationUserAction(cmd *cobra.Command, output cloudcmd.OrganizationUserActionOutput) error {
+	done := "linked"
+	if output.Action == "unlink" {
+		done = "unlinked"
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud organization %s user %s %s.", output.OrganizationID, output.UserID, done)))
+	return err
+}
+
+func renderCloudPolicies(cmd *cobra.Command, output cloudcmd.ListPoliciesOutput) error {
+	if len(output.Policies) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No policies found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Policies))
+	for _, policy := range output.Policies {
+		rows = append(rows, []string{fmt.Sprint(policy.ID), policy.Name, fmt.Sprint(policy.Protected)})
+	}
+	return writeStyledRows(cmd, []string{"ID", "Name", "Protected"}, rows)
+}
+
+func renderCloudPolicy(cmd *cobra.Command, output cloudcmd.PolicyOutput) error {
+	policy := output.Policy
+	rows := []styledKeyValue{
+		{Label: "ID", Value: fmt.Sprint(policy.ID)},
+		{Label: "Name", Value: policy.Name},
+		{Label: "Protected", Value: fmt.Sprint(policy.Protected)},
+	}
+	if policy.Description != "" {
+		rows = append(rows, styledKeyValue{Label: "Description", Value: policy.Description})
+	}
+	for _, scope := range policy.Scopes {
+		rows = append(rows, styledKeyValue{Label: "Scope", Value: fmt.Sprintf("%d\t%s", scope.ID, scope.Label)})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderCloudPolicyMutated(cmd *cobra.Command, output cloudcmd.PolicyOutput, action string) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud policy %d %s.", output.Policy.ID, action)))
+	return err
+}
+
+func renderCloudPolicyAction(cmd *cobra.Command, output cloudcmd.PolicyActionOutput) error {
+	switch output.Action {
+	case "delete":
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud policy %d deleted.", output.PolicyID)))
+		return err
+	case "add-scope":
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud policy %d scope %d added.", output.PolicyID, output.ScopeID)))
+		return err
+	case "remove-scope":
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud policy %d scope %d removed.", output.PolicyID, output.ScopeID)))
+		return err
+	default:
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud policy %d %s completed.", output.PolicyID, output.Action)))
+		return err
+	}
+}
+
+func renderCloudOrganization(cmd *cobra.Command, output cloudcmd.OrganizationOutput) error {
+	organization := output.Organization
+	rows := []styledKeyValue{
+		{Label: "ID", Value: organization.ID},
+		{Label: "Name", Value: organization.Name},
+		{Label: "Owner", Value: organization.OwnerID},
+	}
+	if organization.Domain != "" {
+		rows = append(rows, styledKeyValue{Label: "Domain", Value: organization.Domain})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderCloudOrganizationMutated(cmd *cobra.Command, output cloudcmd.OrganizationOutput, action string) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud organization %s %s.", output.Organization.ID, action)))
+	return err
+}
diff --git a/v4/cmd/cloud_apps.go b/v4/cmd/cloud_apps.go
new file mode 100644
index 00000000..a6d8a4c6
--- /dev/null
+++ b/v4/cmd/cloud_apps.go
@@ -0,0 +1,675 @@
+package cmd
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+
+	deployserver "github.com/formancehq/fctl/internal/deployserverclient/v3"
+	"github.com/formancehq/fctl/internal/deployserverclient/v3/models/operations"
+	"github.com/spf13/cobra"
+
+	cloudcmd "github.com/formancehq/fctl/v4/internal/commands/cloud"
+	"github.com/formancehq/fctl/v4/internal/runtime"
+)
+
+const defaultDeployURL = "https://deploy.formance.cloud"
+
+func newCloudAppsCommand() *cobra.Command {
+	var deployURL string
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:     "apps",
+		Aliases: []string{"app"},
+		Short:   "Manage Cloud apps",
+		Hidden:  true,
+	}
+	command.PersistentFlags().StringVar(&deployURL, "deploy-url", defaultDeployURL, "Cloud apps deploy server URL")
+	command.PersistentFlags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.AddCommand(newCloudAppsListCommand(&deployURL, &organizationID))
+	command.AddCommand(newCloudAppsCreateCommand(&deployURL, &organizationID))
+	command.AddCommand(newCloudAppsShowCommand(&deployURL, &organizationID))
+	command.AddCommand(newCloudAppsDeleteCommand(&deployURL, &organizationID))
+	command.AddCommand(newCloudAppsDeployCommand(&deployURL))
+	command.AddCommand(newCloudAppsRunsCommand(&deployURL))
+	command.AddCommand(newCloudAppsVersionsCommand(&deployURL))
+	command.AddCommand(newCloudAppsVariablesCommand(&deployURL))
+	return command
+}
+
+func newCloudAppsListCommand(deployURL *string, organizationID *string) *cobra.Command {
+	var page int64
+	var pageSize int64
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List Cloud apps",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListCloudAppsService{Client: client}.Run(cmd.Context(), cloudcmd.ListCloudAppsInput{
+				OrganizationID: resolveCloudOrganizationID(rt, *organizationID),
+				Page:           page,
+				PageSize:       pageSize,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudApps(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&page, "page", 1, "Page number")
+	command.Flags().Int64Var(&pageSize, "page-size", 100, "Page size")
+	return command
+}
+
+func newCloudAppsCreateCommand(deployURL *string, organizationID *string) *cobra.Command {
+	return &cobra.Command{
+		Use:   "create",
+		Short: "Create a Cloud app",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.CreateCloudAppService{Client: client}.Run(cmd.Context(), resolveCloudOrganizationID(rt, *organizationID))
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintf(cmd.OutOrStdout(), "Cloud app %s created.\n", output.App.ID)
+			return err
+		},
+	}
+}
+
+func newCloudAppsShowCommand(deployURL *string, organizationID *string) *cobra.Command {
+	return &cobra.Command{
+		Use:   "show <app-id>",
+		Short: "Show a Cloud app",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.GetCloudAppService{Client: client}.Run(cmd.Context(), cloudcmd.CloudAppInput{
+				OrganizationID: resolveCloudOrganizationID(rt, *organizationID),
+				AppID:          args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudApp(cmd, output)
+		},
+	}
+}
+
+func newCloudAppsDeleteCommand(deployURL *string, organizationID *string) *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <app-id>",
+		Short: "Delete a Cloud app",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud apps delete requires --confirm")
+			}
+			rt, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteCloudAppService{Client: client}.Run(cmd.Context(), cloudcmd.CloudAppInput{
+				OrganizationID: resolveCloudOrganizationID(rt, *organizationID),
+				AppID:          args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintf(cmd.OutOrStdout(), "Cloud app %s deleted.\n", output.AppID)
+			return err
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud app deletion")
+	return command
+}
+
+func newCloudAppsDeployCommand(deployURL *string) *cobra.Command {
+	var file string
+
+	command := &cobra.Command{
+		Use:   "deploy <app-id>",
+		Short: "Deploy a Cloud app manifest",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if file == "" {
+				return fmt.Errorf("cloud apps deploy requires --file")
+			}
+			data, err := os.ReadFile(file)
+			if err != nil {
+				return err
+			}
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeployCloudAppService{Client: client}.Run(cmd.Context(), args[0], data)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintf(cmd.OutOrStdout(), "Cloud app deployment accepted with run %s.\n", output.Run.ID)
+			return err
+		},
+	}
+	command.Flags().StringVar(&file, "file", "", "Path to manifest file")
+	command.Flags().StringVar(&file, "path", "", "Deprecated alias for --file")
+	_ = command.Flags().MarkDeprecated("path", "use --file instead")
+	return command
+}
+
+func newCloudAppsRunsCommand(deployURL *string) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "runs",
+		Short: "Manage Cloud app runs",
+	}
+	command.AddCommand(newCloudAppsRunsListCommand(deployURL))
+	command.AddCommand(newCloudAppsRunsShowCommand(deployURL))
+	command.AddCommand(newCloudAppsRunsLogsCommand(deployURL))
+	return command
+}
+
+func newCloudAppsRunsListCommand(deployURL *string) *cobra.Command {
+	var page int64
+	var pageSize int64
+
+	command := &cobra.Command{
+		Use:     "list <app-id>",
+		Aliases: []string{"ls"},
+		Short:   "List Cloud app runs",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListCloudRunsService{Client: client}.Run(cmd.Context(), args[0], page, pageSize)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudRuns(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&page, "page", 1, "Page number")
+	command.Flags().Int64Var(&pageSize, "page-size", 100, "Page size")
+	return command
+}
+
+func newCloudAppsRunsShowCommand(deployURL *string) *cobra.Command {
+	return &cobra.Command{
+		Use:   "show <run-id>",
+		Short: "Show a Cloud app run",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.GetCloudRunService{Client: client}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudRun(cmd, output)
+		},
+	}
+}
+
+func newCloudAppsRunsLogsCommand(deployURL *string) *cobra.Command {
+	return &cobra.Command{
+		Use:   "logs <run-id>",
+		Short: "Show Cloud app run logs",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.GetCloudRunLogsService{Client: client}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudRunLogs(cmd, output)
+		},
+	}
+}
+
+func newCloudAppsVersionsCommand(deployURL *string) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "versions",
+		Short: "Manage Cloud app versions",
+	}
+	command.AddCommand(newCloudAppsVersionsListCommand(deployURL))
+	command.AddCommand(newCloudAppsVersionsShowCommand(deployURL))
+	command.AddCommand(newCloudAppsVersionsManifestCommand(deployURL, "manifest"))
+	command.AddCommand(newCloudAppsVersionsManifestCommand(deployURL, "show-manifest"))
+	command.AddCommand(newCloudAppsVersionsArchiveCommand(deployURL))
+	command.AddCommand(newCloudAppsVersionsArchiveShowCommand(deployURL, "show-archive", true))
+	return command
+}
+
+func newCloudAppsVersionsListCommand(deployURL *string) *cobra.Command {
+	var page int64
+	var pageSize int64
+
+	command := &cobra.Command{
+		Use:     "list <app-id>",
+		Aliases: []string{"ls"},
+		Short:   "List Cloud app versions",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListCloudVersionsService{Client: client}.Run(cmd.Context(), args[0], page, pageSize)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudVersions(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&page, "page", 1, "Page number")
+	command.Flags().Int64Var(&pageSize, "page-size", 100, "Page size")
+	return command
+}
+
+func newCloudAppsVersionsShowCommand(deployURL *string) *cobra.Command {
+	return &cobra.Command{
+		Use:   "show <version-id>",
+		Short: "Show a Cloud app version",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.GetCloudVersionService{Client: client}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudVersion(cmd, output)
+		},
+	}
+}
+
+func newCloudAppsVersionsManifestCommand(deployURL *string, use string) *cobra.Command {
+	command := &cobra.Command{
+		Use:   use + " <version-id>",
+		Short: "Show a Cloud app version manifest",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if use == "show-manifest" {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command cloud apps versions show-manifest has been deprecated, use cloud apps versions manifest")
+			}
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.GetCloudVersionBlobService{
+				Client: client,
+				Accept: operations.AcceptHeaderEnumApplicationYaml,
+			}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			_, err = cmd.OutOrStdout().Write(output.Data)
+			return err
+		},
+	}
+	if use == "show-manifest" {
+		command.Hidden = true
+	}
+	return command
+}
+
+func newCloudAppsVersionsArchiveCommand(deployURL *string) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "archive",
+		Short: "Manage Cloud app version archives",
+	}
+	command.AddCommand(newCloudAppsVersionsArchiveShowCommand(deployURL, "show", false))
+	return command
+}
+
+func newCloudAppsVersionsArchiveShowCommand(deployURL *string, use string, deprecated bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:   use + " <version-id>",
+		Short: "Show a Cloud app version archive",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command cloud apps versions show-archive has been deprecated, use cloud apps versions archive show")
+			}
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.GetCloudVersionBlobService{
+				Client: client,
+				Accept: operations.AcceptHeaderEnumApplicationGzip,
+			}.Run(cmd.Context(), args[0])
+			if err != nil {
+				return err
+			}
+			_, err = cmd.OutOrStdout().Write(output.Data)
+			return err
+		},
+	}
+	if deprecated {
+		command.Hidden = true
+	}
+	return command
+}
+
+func newCloudAppsVariablesCommand(deployURL *string) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "variables",
+		Short: "Manage Cloud app variables",
+	}
+	command.AddCommand(newCloudAppsVariablesListCommand(deployURL))
+	command.AddCommand(newCloudAppsVariablesCreateCommand(deployURL))
+	command.AddCommand(newCloudAppsVariablesDeleteCommand(deployURL))
+	return command
+}
+
+func newCloudAppsVariablesListCommand(deployURL *string) *cobra.Command {
+	var page int64
+	var pageSize int64
+
+	command := &cobra.Command{
+		Use:     "list <app-id>",
+		Aliases: []string{"ls"},
+		Short:   "List Cloud app variables",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListCloudVariablesService{Client: client}.Run(cmd.Context(), args[0], page, pageSize)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudVariables(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&page, "page", 1, "Page number")
+	command.Flags().Int64Var(&pageSize, "page-size", 100, "Page size")
+	return command
+}
+
+func newCloudAppsVariablesCreateCommand(deployURL *string) *cobra.Command {
+	var key string
+	var value string
+	var valueStdin bool
+	var description string
+	var sensitive bool
+
+	command := &cobra.Command{
+		Use:   "create <app-id>",
+		Short: "Create a Cloud app variable",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if key == "" {
+				return fmt.Errorf("cloud apps variables create requires --key")
+			}
+			if value != "" && valueStdin {
+				return fmt.Errorf("cloud apps variables create accepts only one of --value or --value-stdin")
+			}
+			if valueStdin {
+				data, err := io.ReadAll(cmd.InOrStdin())
+				if err != nil {
+					return err
+				}
+				value = strings.TrimRight(string(data), "\r\n")
+			}
+			if value == "" {
+				return fmt.Errorf("cloud apps variables create requires --value")
+			}
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.CreateCloudVariableService{Client: client}.Run(cmd.Context(), cloudcmd.CloudVariableInput{
+				AppID:       args[0],
+				Key:         key,
+				Value:       value,
+				Description: description,
+				Sensitive:   sensitive,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudVariable(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&key, "key", "", "Variable key")
+	command.Flags().StringVar(&value, "value", "", "Variable value")
+	command.Flags().BoolVar(&valueStdin, "value-stdin", false, "Read variable value from stdin")
+	command.Flags().StringVar(&description, "description", "", "Variable description")
+	command.Flags().BoolVar(&sensitive, "sensitive", true, "Mark variable as sensitive")
+	return command
+}
+
+func newCloudAppsVariablesDeleteCommand(deployURL *string) *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <app-id> <variable-id>",
+		Short: "Delete a Cloud app variable",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud apps variables delete requires --confirm")
+			}
+			_, client, err := deployClientFromCommand(cmd, *deployURL)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteCloudVariableService{Client: client}.Run(cmd.Context(), cloudcmd.CloudVariableInput{
+				AppID:      args[0],
+				VariableID: args[1],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintf(cmd.OutOrStdout(), "Cloud app variable %s deleted.\n", output.VariableID)
+			return err
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud app variable deletion")
+	return command
+}
+
+func cloudRuntimeFromCommand(cmd *cobra.Command) (*runtime.Runtime, *http.Client, error) {
+	rt, err := runtimeFromCommand(cmd)
+	if err != nil {
+		return nil, nil, err
+	}
+	if rt.Target.Kind != runtime.TargetKindCloud && rt.Target.Kind != runtime.TargetKindCloudStack {
+		return nil, nil, fmt.Errorf("cloud commands require a cloud or cloud-stack context")
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return nil, nil, err
+	}
+	return rt, httpClient, nil
+}
+
+func deployClientFromCommand(cmd *cobra.Command, deployURL string) (*runtime.Runtime, *deployserver.DeployServer, error) {
+	rt, httpClient, err := cloudRuntimeFromCommand(cmd)
+	if err != nil {
+		return nil, nil, err
+	}
+	if deployURL == "" {
+		deployURL = defaultDeployURL
+	}
+	options := []deployserver.SDKOption{deployserver.WithServerURL(deployURL)}
+	if httpClient != nil {
+		options = append(options, deployserver.WithClient(httpClient))
+	}
+	return rt, deployserver.New(options...), nil
+}
+
+func renderCloudApps(cmd *cobra.Command, output cloudcmd.ListCloudAppsOutput) error {
+	if len(output.Apps) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud apps found."))
+		return err
+	}
+	for _, app := range output.Apps {
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\t%s\t%s\n", app.ID, app.Name, valueOrNA(app.RunStatus), valueOrNA(app.CurrentConfigurationVersionID)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func renderCloudApp(cmd *cobra.Command, output cloudcmd.CloudAppOutput) error {
+	app := output.App
+	if _, err := fmt.Fprintf(cmd.OutOrStdout(), "ID\t%s\nName\t%s\nRunStatus\t%s\nCurrentConfigurationVersionID\t%s\n", app.ID, app.Name, valueOrNA(app.RunStatus), valueOrNA(app.CurrentConfigurationVersionID)); err != nil {
+		return err
+	}
+	for key, value := range app.StateStack {
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "State\t%s\t%v\n", key, value); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func renderCloudRuns(cmd *cobra.Command, output cloudcmd.ListCloudRunsOutput) error {
+	if len(output.Runs) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud app runs found."))
+		return err
+	}
+	for _, run := range output.Runs {
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\t%s\t%s\n", run.ID, run.Status, run.ConfigurationVersionID, run.Message); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func renderCloudRun(cmd *cobra.Command, output cloudcmd.CloudRunOutput) error {
+	run := output.Run
+	_, err := fmt.Fprintf(cmd.OutOrStdout(), "ID\t%s\nStatus\t%s\nConfigurationVersionID\t%s\nMessage\t%s\nCreatedAt\t%s\n", run.ID, run.Status, run.ConfigurationVersionID, run.Message, run.CreatedAt.Format("2006-01-02T15:04:05Z07:00"))
+	return err
+}
+
+func renderCloudRunLogs(cmd *cobra.Command, output cloudcmd.CloudRunLogsOutput) error {
+	for _, log := range output.Logs {
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\t%s\t%s\n", log.Timestamp, log.Module, log.Message, log.Severity); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func renderCloudVersions(cmd *cobra.Command, output cloudcmd.ListCloudVersionsOutput) error {
+	if len(output.Versions) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud app versions found."))
+		return err
+	}
+	for _, version := range output.Versions {
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\t%t\t%s\n", version.ID, version.Status, version.AutoQueueRuns, version.ErrorMessage); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func renderCloudVersion(cmd *cobra.Command, output cloudcmd.CloudVersionOutput) error {
+	version := output.Version
+	_, err := fmt.Fprintf(cmd.OutOrStdout(), "ID\t%s\nStatus\t%s\nAutoQueueRuns\t%t\nError\t%s\nErrorMessage\t%s\n", version.ID, version.Status, version.AutoQueueRuns, version.Error, version.ErrorMessage)
+	return err
+}
+
+func renderCloudVariables(cmd *cobra.Command, output cloudcmd.ListCloudVariablesOutput) error {
+	if len(output.Variables) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud app variables found."))
+		return err
+	}
+	for _, variable := range output.Variables {
+		value := variable.Value
+		if variable.Sensitive {
+			value = "****"
+		}
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\t%s\t%s\n", variable.ID, variable.Key, value, variable.Description); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func renderCloudVariable(cmd *cobra.Command, output cloudcmd.CloudVariableOutput) error {
+	variable := output.Variable
+	value := variable.Value
+	if variable.Sensitive {
+		value = "****"
+	}
+	_, err := fmt.Fprintf(cmd.OutOrStdout(), "ID\t%s\nKey\t%s\nValue\t%s\nDescription\t%s\nSensitive\t%t\n", variable.ID, variable.Key, value, variable.Description, variable.Sensitive)
+	return err
+}
+
+func valueOrNA(value string) string {
+	if value == "" {
+		return "N/A"
+	}
+	return value
+}
diff --git a/v4/cmd/cloud_stacks.go b/v4/cmd/cloud_stacks.go
new file mode 100644
index 00000000..79e408a3
--- /dev/null
+++ b/v4/cmd/cloud_stacks.go
@@ -0,0 +1,1038 @@
+package cmd
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+
+	membership "github.com/formancehq/fctl/internal/membershipclient/v3"
+	"github.com/spf13/cobra"
+	"golang.org/x/mod/semver"
+
+	cloudcmd "github.com/formancehq/fctl/v4/internal/commands/cloud"
+	v4prompt "github.com/formancehq/fctl/v4/internal/prompt"
+	v4render "github.com/formancehq/fctl/v4/internal/render"
+	"github.com/formancehq/fctl/v4/internal/runtime"
+)
+
+func newCloudStacksCommand(use string, canonical string, deprecated bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:   use,
+		Short: "Manage Formance Cloud stacks",
+		PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+			if deprecated {
+				if use == "stack" && cmd.Name() == "proxy" {
+					fmt.Fprintln(cmd.ErrOrStderr(), "Command stack proxy has been deprecated, use target proxy")
+					return
+				}
+				fmt.Fprintf(cmd.ErrOrStderr(), "Command %s has been deprecated, use %s\n", use, canonical)
+			}
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use " + canonical
+	}
+	command.AddCommand(newCloudStacksCreateCommand())
+	command.AddCommand(newCloudStacksListCommand())
+	command.AddCommand(newCloudStacksShowCommand())
+	command.AddCommand(newCloudStacksUpdateCommand())
+	command.AddCommand(newCloudStacksDeleteCommand())
+	command.AddCommand(newCloudStacksEnableCommand())
+	command.AddCommand(newCloudStacksDisableCommand())
+	command.AddCommand(newCloudStacksRestoreCommand())
+	command.AddCommand(newCloudStacksUpgradeCommand())
+	command.AddCommand(newCloudStacksHistoryCommand())
+	command.AddCommand(newCloudStacksUsersCommand())
+	command.AddCommand(newCloudStacksModulesCommand())
+	if use == "stack" {
+		command.AddCommand(newStackProxyCommand())
+	}
+	return command
+}
+
+func newStackProxyCommand() *cobra.Command {
+	command := newTargetProxyCommand()
+	command.Short = "Deprecated alias for target proxy"
+	return command
+}
+
+func newCloudStacksCreateCommand() *cobra.Command {
+	var organizationID string
+	var regionID string
+	var version string
+	var metadata []string
+	var noWait bool
+
+	command := &cobra.Command{
+		Use:   "create [name]",
+		Short: "Create a Cloud stack",
+		Args:  cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, client, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			input, err := newCloudStackCreateInput(cmd)
+			if err != nil {
+				return err
+			}
+			organizationID, err := resolveCloudOrganizationIDOrPrompt(cmd, rt, client, organizationID)
+			if err != nil {
+				return err
+			}
+			organizationClient, err := organizationMembershipClientFromRuntime(cmd, rt, organizationID)
+			if err != nil {
+				return err
+			}
+			stackName, err := input.resolveName(cmd, args)
+			if err != nil {
+				return err
+			}
+			regionID, err := input.resolveRegion(cmd, organizationClient, organizationID, regionID)
+			if err != nil {
+				return err
+			}
+			version, err := input.resolveVersion(cmd, organizationClient, organizationID, regionID, version)
+			if err != nil {
+				return err
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			output, err := withTerminalSpinnerUpdates(cmd, !noWait, "Creating stack", "", func(update func(string)) (cloudcmd.StackOutput, error) {
+				return cloudcmd.CreateStackService{Client: organizationClient, HTTPClient: baseHTTPClient(rt.AuthOptions)}.Run(cmd.Context(), cloudcmd.CreateStackInput{
+					OrganizationID: organizationID,
+					Name:           stackName,
+					RegionID:       regionID,
+					Version:        version,
+					Metadata:       parsedMetadata,
+					Wait:           !noWait,
+					WaitProgress: func(progress cloudcmd.StackWaitProgress) {
+						if progress.StackURL != "" {
+							update("Waiting services availability at " + progress.StackURL)
+							return
+						}
+						update("Waiting services availability")
+					},
+				})
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackMutated(cmd, output, "created")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&regionID, "region", "", "Cloud region ID")
+	command.Flags().StringVar(&version, "version", "", "Stack version")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Stack metadata as key=value")
+	command.Flags().BoolVar(&noWait, "no-wait", false, "Do not wait for stack availability")
+	return command
+}
+
+type cloudStackCreateInput struct {
+	nonInteractive bool
+	wizard         v4prompt.Wizard
+	reader         *bufio.Reader
+	customInput    bool
+}
+
+func newCloudStackCreateInput(cmd *cobra.Command) (cloudStackCreateInput, error) {
+	nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag)
+	if err != nil {
+		return cloudStackCreateInput{}, err
+	}
+	in := cmd.InOrStdin()
+	_, inputIsFile := in.(*os.File)
+	return cloudStackCreateInput{
+		nonInteractive: nonInteractive,
+		wizard:         v4prompt.NewWizardWithColor(in, cmd.ErrOrStderr(), commandColorEnabled(cmd)),
+		reader:         bufio.NewReader(in),
+		customInput:    !inputIsFile,
+	}, nil
+}
+
+func (i cloudStackCreateInput) resolveName(cmd *cobra.Command, args []string) (string, error) {
+	if len(args) > 0 && strings.TrimSpace(args[0]) != "" {
+		return strings.TrimSpace(args[0]), nil
+	}
+	value, err := i.input(cmd, "Enter a name", "cloud stacks create requires a stack name in non-interactive mode")
+	if err != nil {
+		return "", err
+	}
+	if value == "" {
+		return "", fmt.Errorf("stack name is required")
+	}
+	i.report(cmd, "Name", value)
+	return value, nil
+}
+
+func (i cloudStackCreateInput) resolveRegion(cmd *cobra.Command, client cloudcmd.MembershipClient, organizationID string, explicit string) (string, error) {
+	if strings.TrimSpace(explicit) != "" {
+		return strings.TrimSpace(explicit), nil
+	}
+	if i.nonInteractive {
+		return "", fmt.Errorf("cloud stacks create requires --region in non-interactive mode")
+	}
+	output, err := cloudcmd.ListRegionsService{Client: client}.Run(cmd.Context(), organizationID)
+	if err != nil {
+		return "", fmt.Errorf("list regions for selection: %w", err)
+	}
+	if len(output.Regions) == 0 {
+		return "", fmt.Errorf("cloud stacks create requires --region and no regions are available")
+	}
+	choices := make([]v4prompt.Choice, 0, len(output.Regions))
+	for _, region := range output.Regions {
+		choices = append(choices, v4prompt.Choice{
+			Title: cloudStackRegionChoiceTitle(region),
+			Value: region.ID,
+		})
+	}
+	value, err := i.selectRequired(cmd, "Please select a region", choices, "region id is required")
+	if err != nil {
+		return "", err
+	}
+	i.report(cmd, "Region", value)
+	return value, nil
+}
+
+func (i cloudStackCreateInput) resolveVersion(cmd *cobra.Command, client cloudcmd.MembershipClient, organizationID string, regionID string, explicit string) (string, error) {
+	if strings.TrimSpace(explicit) != "" {
+		return strings.TrimSpace(explicit), nil
+	}
+	if i.nonInteractive || (!i.wizard.Available() && !i.customInput) {
+		return "", nil
+	}
+	output, err := cloudcmd.ListRegionVersionsService{Client: client}.Run(cmd.Context(), cloudcmd.RegionInput{
+		OrganizationID: organizationID,
+		RegionID:       regionID,
+	})
+	if err != nil {
+		return "", fmt.Errorf("list region versions for selection: %w", err)
+	}
+	if len(output.Versions) == 0 {
+		return "", nil
+	}
+	versions := sortedCloudStackRegionVersions(output.Versions)
+	choices := make([]v4prompt.Choice, 0, len(versions))
+	for _, version := range versions {
+		if strings.TrimSpace(version.Name) == "" {
+			continue
+		}
+		title := version.Name
+		if version.Deprecated {
+			title += " (deprecated)"
+		}
+		choices = append(choices, v4prompt.Choice{Title: title, Value: version.Name})
+	}
+	if len(choices) == 0 {
+		return "", nil
+	}
+	value, err := i.selectOptional(cmd, "Please select a version", choices)
+	if err != nil {
+		return "", err
+	}
+	i.report(cmd, "Version", value)
+	return value, nil
+}
+
+func (i cloudStackCreateInput) input(cmd *cobra.Command, label string, nonInteractiveMessage string) (string, error) {
+	if i.nonInteractive {
+		return "", errors.New(nonInteractiveMessage)
+	}
+	if i.wizard.Available() {
+		value, err := i.wizard.Input(label, "", false)
+		return strings.TrimSpace(value), err
+	}
+	if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s: ", label); err != nil {
+		return "", err
+	}
+	value, err := i.reader.ReadString('\n')
+	if err != nil && err != io.EOF {
+		return "", err
+	}
+	return strings.TrimSpace(value), nil
+}
+
+func (i cloudStackCreateInput) selectRequired(cmd *cobra.Command, title string, choices []v4prompt.Choice, emptyMessage string) (string, error) {
+	value, err := i.selectValue(cmd, title, choices)
+	if err != nil {
+		return "", err
+	}
+	if value == "" {
+		return "", errors.New(emptyMessage)
+	}
+	return value, nil
+}
+
+func (i cloudStackCreateInput) selectOptional(cmd *cobra.Command, title string, choices []v4prompt.Choice) (string, error) {
+	return i.selectValue(cmd, title, choices)
+}
+
+func (i cloudStackCreateInput) selectValue(cmd *cobra.Command, title string, choices []v4prompt.Choice) (string, error) {
+	if len(choices) == 0 {
+		return "", nil
+	}
+	if i.wizard.Available() {
+		return i.wizard.Select(title, choices)
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), title); err != nil {
+		return "", err
+	}
+	for index, choice := range choices {
+		if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%d. %s\n", index+1, choice.Title); err != nil {
+			return "", err
+		}
+	}
+	answer, err := i.input(cmd, "Choice", "interactive selection is disabled")
+	if err != nil {
+		return "", err
+	}
+	answer = strings.TrimSpace(answer)
+	if answer == "" {
+		return "", nil
+	}
+	if index, err := strconv.Atoi(answer); err == nil {
+		if index < 1 || index > len(choices) {
+			return "", fmt.Errorf("choice %d is out of range", index)
+		}
+		return choices[index-1].Value, nil
+	}
+	for _, choice := range choices {
+		if strings.EqualFold(answer, choice.Value) || strings.EqualFold(answer, choice.Title) {
+			return choice.Value, nil
+		}
+	}
+	return "", fmt.Errorf("unsupported choice %q", answer)
+}
+
+func (i cloudStackCreateInput) report(cmd *cobra.Command, label string, value string) {
+	if i.nonInteractive || strings.TrimSpace(value) == "" {
+		return
+	}
+	fmt.Fprintln(cmd.OutOrStdout(), styledKeyValueLine(cmd, label, value))
+}
+
+func cloudStackRegionChoiceTitle(region cloudcmd.RegionSummary) string {
+	visibility := "Private"
+	if region.Public {
+		visibility = "Public"
+	}
+	name := strings.TrimSpace(region.Name)
+	if name == "" {
+		name = "<noname>"
+	}
+	return fmt.Sprintf("%s | %s | %s", region.ID, visibility, name)
+}
+
+func sortedCloudStackRegionVersions(versions []cloudcmd.RegionVersionSummary) []cloudcmd.RegionVersionSummary {
+	sorted := append([]cloudcmd.RegionVersionSummary(nil), versions...)
+	sort.SliceStable(sorted, func(i, j int) bool {
+		return compareCloudStackVersionNames(sorted[i].Name, sorted[j].Name) > 0
+	})
+	return sorted
+}
+
+func compareCloudStackVersionNames(left string, right string) int {
+	left = strings.TrimSpace(left)
+	right = strings.TrimSpace(right)
+	leftComparable, leftValid := comparableCloudStackVersionName(left)
+	rightComparable, rightValid := comparableCloudStackVersionName(right)
+	if leftValid && rightValid {
+		if comparison := semver.Compare(leftComparable, rightComparable); comparison != 0 {
+			return comparison
+		}
+		return strings.Compare(left, right)
+	}
+	if leftValid {
+		return 1
+	}
+	if rightValid {
+		return -1
+	}
+	return strings.Compare(left, right)
+}
+
+func comparableCloudStackVersionName(value string) (string, bool) {
+	value = strings.TrimSpace(value)
+	if semver.IsValid(value) {
+		return value, true
+	}
+	if !strings.HasPrefix(value, "v") {
+		return "", false
+	}
+
+	core, suffix, _ := strings.Cut(value, "-")
+	if suffix != "" {
+		suffix = "-" + suffix
+	} else if before, after, ok := strings.Cut(value, "+"); ok {
+		core = before
+		suffix = "+" + after
+	}
+
+	parts := strings.Split(strings.TrimPrefix(core, "v"), ".")
+	switch len(parts) {
+	case 1:
+		value = "v" + parts[0] + ".0.0" + suffix
+	case 2:
+		value = "v" + parts[0] + "." + parts[1] + ".0" + suffix
+	default:
+		return "", false
+	}
+	if semver.IsValid(value) {
+		return value, true
+	}
+	return "", false
+}
+
+func newCloudStacksListCommand() *cobra.Command {
+	var organizationID string
+	var all bool
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List Cloud stacks",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, client, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			organizationID, err := resolveCloudOrganizationIDOrPrompt(cmd, rt, client, organizationID)
+			if err != nil {
+				return err
+			}
+			organizationClient, err := organizationMembershipClientFromRuntime(cmd, rt, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListStacksService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.ListStacksInput{
+				OrganizationID: organizationID,
+				All:            all,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStacks(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&all, "all", false, "Include deleted and disabled stacks")
+	return command
+}
+
+func newCloudStacksShowCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "show <stack-id>",
+		Short: "Show a Cloud stack",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ReadStackService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.StackIDInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStack(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudStacksUpdateCommand() *cobra.Command {
+	var organizationID string
+	var name string
+	var metadata []string
+
+	command := &cobra.Command{
+		Use:   "update <stack-id>",
+		Short: "Update a Cloud stack",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.UpdateStackService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.UpdateStackInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				Name:           name,
+				Metadata:       parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackMutated(cmd, output, "updated")
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&name, "name", "", "Stack name")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Stack metadata as key=value")
+	return command
+}
+
+func newCloudStacksDeleteCommand() *cobra.Command {
+	var organizationID string
+	var force bool
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <stack-id>",
+		Short: "Delete a Cloud stack",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud stacks delete requires --confirm")
+			}
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.DeleteStackService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.DeleteStackInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				Force:          force,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackDeleted(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&force, "force", false, "Force Cloud stack deletion")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud stack deletion")
+	return command
+}
+
+func newCloudStacksEnableCommand() *cobra.Command {
+	return newCloudStacksActionCommand("enable", false)
+}
+
+func newCloudStacksDisableCommand() *cobra.Command {
+	return newCloudStacksActionCommand("disable", true)
+}
+
+func newCloudStacksRestoreCommand() *cobra.Command {
+	return newCloudStacksActionCommand("restore", true)
+}
+
+func newCloudStacksUpgradeCommand() *cobra.Command {
+	var organizationID string
+	var version string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "upgrade <stack-id>",
+		Short: "Upgrade a Cloud stack",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud stacks upgrade requires --confirm")
+			}
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.StackActionService{Client: organizationClient, Action: "upgrade"}.Run(cmd.Context(), cloudcmd.StackActionInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				Version:        version,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&version, "version", "", "Target stack version; omit for latest")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud stack upgrade")
+	return command
+}
+
+func newCloudStacksActionCommand(action string, requiresConfirm bool) *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   action + " <stack-id>",
+		Short: fmt.Sprintf("%s a Cloud stack", action),
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if requiresConfirm && !confirm {
+				return fmt.Errorf("cloud stacks %s requires --confirm", action)
+			}
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.StackActionService{Client: organizationClient, Action: action}.Run(cmd.Context(), cloudcmd.StackActionInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	if requiresConfirm {
+		command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud stack "+action)
+	}
+	return command
+}
+
+func newCloudStacksHistoryCommand() *cobra.Command {
+	var organizationID string
+	var cursor string
+	var pageSize int64
+	var action string
+	var userID string
+	var data string
+
+	command := &cobra.Command{
+		Use:     "history <stack-id>",
+		Aliases: []string{"hist"},
+		Short:   "Query Cloud stack history",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListLogsService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.ListLogsInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				Cursor:         cursor,
+				PageSize:       pageSize,
+				Action:         action,
+				UserID:         userID,
+				Data:           data,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudLogs(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().Int64Var(&pageSize, "page-size", 10, "Page size")
+	command.Flags().StringVar(&action, "action", "", "Filter by action")
+	command.Flags().StringVar(&userID, "user-id", "", "Filter by user ID")
+	command.Flags().StringVar(&data, "data", "", "Filter by modified data as key=value")
+	return command
+}
+
+func newCloudStacksUsersCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "users",
+		Short: "Manage Cloud stack user access",
+	}
+	command.AddCommand(newCloudStacksUsersListCommand())
+	command.AddCommand(newCloudStacksUsersLinkCommand())
+	command.AddCommand(newCloudStacksUsersUnlinkCommand())
+	return command
+}
+
+func newCloudStacksUsersListCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "list <stack-id>",
+		Short: "List Cloud stack users",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListStackUsersService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.StackIDInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackUsers(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudStacksUsersLinkCommand() *cobra.Command {
+	var organizationID string
+	var policyID int64
+
+	command := &cobra.Command{
+		Use:   "link <stack-id> <user-id>",
+		Short: "Link a user to a Cloud stack",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.StackUserAccessService{Client: organizationClient, Action: "link"}.Run(cmd.Context(), cloudcmd.StackUserAccessInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				UserID:         args[1],
+				PolicyID:       policyID,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackUserAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().Int64Var(&policyID, "policy-id", 0, "Cloud stack policy ID")
+	return command
+}
+
+func newCloudStacksUsersUnlinkCommand() *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "unlink <stack-id> <user-id>",
+		Short: "Unlink a user from a Cloud stack",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("cloud stacks users unlink requires --confirm")
+			}
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.StackUserAccessService{Client: organizationClient, Action: "unlink"}.Run(cmd.Context(), cloudcmd.StackUserAccessInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				UserID:         args[1],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackUserAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud stack user unlink")
+	return command
+}
+
+func newCloudStacksModulesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "modules",
+		Short: "Manage Cloud stack modules",
+	}
+	command.AddCommand(newCloudStacksModulesListCommand())
+	command.AddCommand(newCloudStacksModulesEnableCommand())
+	command.AddCommand(newCloudStacksModulesDisableCommand())
+	return command
+}
+
+func newCloudStacksModulesListCommand() *cobra.Command {
+	var organizationID string
+
+	command := &cobra.Command{
+		Use:   "list <stack-id>",
+		Short: "List Cloud stack modules",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ListModulesService{Client: organizationClient}.Run(cmd.Context(), cloudcmd.StackIDInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackModules(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	return command
+}
+
+func newCloudStacksModulesEnableCommand() *cobra.Command {
+	return newCloudStacksModulesActionCommand("enable", false)
+}
+
+func newCloudStacksModulesDisableCommand() *cobra.Command {
+	return newCloudStacksModulesActionCommand("disable", true)
+}
+
+func newCloudStacksModulesActionCommand(action string, requiresConfirm bool) *cobra.Command {
+	var organizationID string
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   action + " <stack-id> <module>",
+		Short: fmt.Sprintf("%s a Cloud stack module", action),
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if requiresConfirm && !confirm {
+				return fmt.Errorf("cloud stacks modules %s requires --confirm", action)
+			}
+			organizationID, organizationClient, err := cloudStackOrganizationClientFromCommand(cmd, organizationID)
+			if err != nil {
+				return err
+			}
+			output, err := cloudcmd.ModuleActionService{Client: organizationClient, Action: action}.Run(cmd.Context(), cloudcmd.ModuleActionInput{
+				OrganizationID: organizationID,
+				StackID:        args[0],
+				Name:           args[1],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderCloudStackModuleAction(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&organizationID, "organization", "", "Cloud organization ID")
+	if requiresConfirm {
+		command.Flags().BoolVar(&confirm, "confirm", false, "Confirm Cloud stack module "+action)
+	}
+	return command
+}
+
+func resolveCloudOrganizationID(rt *runtime.Runtime, explicit string) string {
+	if explicit != "" {
+		return explicit
+	}
+	if rt == nil {
+		return ""
+	}
+	return rt.Target.Organization
+}
+
+func cloudStackOrganizationClientFromCommand(cmd *cobra.Command, explicit string) (string, *membership.SDK, error) {
+	rt, client, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+	if err != nil {
+		return "", nil, err
+	}
+	organizationID, err := resolveCloudOrganizationIDOrPrompt(cmd, rt, client, explicit)
+	if err != nil {
+		return "", nil, err
+	}
+	organizationClient, err := organizationMembershipClientFromRuntime(cmd, rt, organizationID)
+	if err != nil {
+		return "", nil, err
+	}
+	return organizationID, organizationClient, nil
+}
+
+func resolveCloudOrganizationIDOrPrompt(cmd *cobra.Command, rt *runtime.Runtime, client cloudcmd.MembershipClient, explicit string) (string, error) {
+	organizationID := resolveCloudOrganizationID(rt, explicit)
+	if organizationID != "" {
+		return organizationID, nil
+	}
+
+	message := "organization id is required; pass --organization or select a cloud-stack profile"
+	nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag)
+	if err != nil {
+		return "", err
+	}
+	wizard := v4prompt.NewWizardWithColor(cmd.InOrStdin(), cmd.ErrOrStderr(), commandColorEnabled(cmd))
+	if nonInteractive || !wizard.Available() {
+		return "", errors.New(message)
+	}
+
+	output, err := cloudcmd.ListOrganizationsService{Client: client}.Run(cmd.Context(), cloudcmd.ListOrganizationsInput{})
+	if err != nil {
+		return "", fmt.Errorf("list organizations for selection: %w", err)
+	}
+	if len(output.Organizations) == 0 {
+		return "", fmt.Errorf("organization id is required and no organizations are available")
+	}
+
+	choices := make([]v4prompt.Choice, 0, len(output.Organizations))
+	for _, organization := range output.Organizations {
+		title := organization.ID
+		if strings.TrimSpace(organization.Name) != "" {
+			title = fmt.Sprintf("%s (%s)", organization.Name, organization.ID)
+		}
+		choices = append(choices, v4prompt.Choice{Title: title, Value: organization.ID})
+	}
+	return wizard.Select("Organization ID is required. Select an organization:", choices)
+}
+
+func renderCloudStacks(cmd *cobra.Command, output cloudcmd.ListStacksOutput) error {
+	if len(output.Stacks) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud stacks found."))
+		return err
+	}
+	headers := []string{"ID", "Name", "Dashboard", "Region", "Status", "Audit Enabled"}
+	rows := make([][]string, 0, len(output.Stacks))
+	for _, stack := range output.Stacks {
+		rows = append(rows, []string{
+			stack.ID,
+			stack.Name,
+			stack.Dashboard,
+			stack.RegionID,
+			stack.State,
+			boolPointerLabel(stack.AuditEnabled),
+		})
+	}
+	return v4render.Table(cmd.OutOrStdout(), headers, rows)
+}
+
+func boolPointerLabel(value *bool) string {
+	if value == nil {
+		return "No"
+	}
+	if *value {
+		return "Yes"
+	}
+	return "No"
+}
+
+func renderCloudStackMutated(cmd *cobra.Command, output cloudcmd.StackOutput, action string) error {
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud stack %s %s.", output.Stack.ID, action))); err != nil {
+		return err
+	}
+	if action == "created" && output.Stack.URI != "" {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledKeyValueLine(cmd, "URL", output.Stack.URI))
+		return err
+	}
+	return nil
+}
+
+func renderCloudStackDeleted(cmd *cobra.Command, output cloudcmd.DeleteStackOutput) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud stack %s deleted.", output.StackID)))
+	return err
+}
+
+func renderCloudStackAction(cmd *cobra.Command, output cloudcmd.StackActionOutput) error {
+	if output.Action == "upgrade" {
+		version := output.Version
+		if version == "" {
+			version = "latest"
+		}
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud stack %s upgrade requested to %s.", output.StackID, version)))
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud stack %s %s requested.", output.StackID, output.Action)))
+	return err
+}
+
+func renderCloudStackUsers(cmd *cobra.Command, output cloudcmd.ListStackUsersOutput) error {
+	if len(output.Users) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud stack users found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Users))
+	for _, user := range output.Users {
+		rows = append(rows, []string{user.UserID, user.Email, user.StackID, fmt.Sprint(user.PolicyID)})
+	}
+	return writeStyledRows(cmd, []string{"User", "Email", "Stack", "Policy"}, rows)
+}
+
+func renderCloudStackUserAction(cmd *cobra.Command, output cloudcmd.StackUserAccessOutput) error {
+	done := "linked"
+	if output.Action == "unlink" {
+		done = "unlinked"
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud stack %s user %s %s.", output.StackID, output.UserID, done)))
+	return err
+}
+
+func renderCloudStackModules(cmd *cobra.Command, output cloudcmd.ListModulesOutput) error {
+	if len(output.Modules) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No Cloud stack modules found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Modules))
+	for _, module := range output.Modules {
+		rows = append(rows, []string{module.Name, module.State, module.Status})
+	}
+	return writeStyledRows(cmd, []string{"Name", "State", "Status"}, rows)
+}
+
+func renderCloudStackModuleAction(cmd *cobra.Command, output cloudcmd.ModuleActionOutput) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Cloud stack %s module %s %sd.", output.StackID, output.Name, output.Action)))
+	return err
+}
+
+func renderCloudStack(cmd *cobra.Command, output cloudcmd.StackOutput) error {
+	stack := output.Stack
+	rows := []styledKeyValue{
+		{Label: "ID", Value: stack.ID},
+		{Label: "Name", Value: stack.Name},
+		{Label: "Status", Value: stack.Status},
+		{Label: "State", Value: stack.State},
+	}
+	if stack.URI != "" {
+		rows = append(rows, styledKeyValue{Label: "URI", Value: stack.URI})
+	}
+	if stack.Version != "" {
+		rows = append(rows, styledKeyValue{Label: "Version", Value: stack.Version})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
diff --git a/v4/cmd/config.go b/v4/cmd/config.go
new file mode 100644
index 00000000..d7f97382
--- /dev/null
+++ b/v4/cmd/config.go
@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+)
+
+const configFilename = "config.yaml"
+
+func configPath(cmd *cobra.Command) (string, error) {
+	configDir, err := cmd.Root().PersistentFlags().GetString(configDirFlag)
+	if err != nil {
+		return "", err
+	}
+	if configDir == "" {
+		userConfigDir, err := os.UserConfigDir()
+		if err != nil {
+			return "", fmt.Errorf("resolve user config directory: %w", err)
+		}
+		configDir = filepath.Join(userConfigDir, "formance", "fctl")
+	}
+	return filepath.Join(configDir, configFilename), nil
+}
+
+func loadConfig(cmd *cobra.Command, allowMissing bool) (v4config.Config, string, error) {
+	path, err := configPath(cmd)
+	if err != nil {
+		return v4config.Config{}, "", err
+	}
+
+	cfg, err := v4config.LoadFile(path)
+	if err != nil {
+		if allowMissing && errors.Is(err, os.ErrNotExist) {
+			return v4config.New(), path, nil
+		}
+		if errors.Is(err, os.ErrNotExist) {
+			return v4config.Config{}, "", missingConfigError(path)
+		}
+		return v4config.Config{}, "", err
+	}
+	return cfg, path, nil
+}
+
+func missingConfigError(path string) error {
+	return fmt.Errorf("v4 config not found at %s; run `fctl login`, create a profile with `fctl profile create stack <name> --stack-url <url>`, `fctl profile create cloud <name> --cloud-url <url>`, or `fctl profile create cloud-stack <name> --cloud-url <url> --organization <org> --stack <stack>`; alternatively migrate an existing v3 config with `fctl config migrate-v3`", path)
+}
+
+func outputFormat(cmd *cobra.Command) (string, error) {
+	return cmd.Root().PersistentFlags().GetString(outputFlag)
+}
diff --git a/v4/cmd/config_command.go b/v4/cmd/config_command.go
new file mode 100644
index 00000000..350019f9
--- /dev/null
+++ b/v4/cmd/config_command.go
@@ -0,0 +1,132 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+func newConfigCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "config",
+		Short: "Manage fctl v4 configuration",
+	}
+	command.AddCommand(newConfigMigrateV3Command())
+	return command
+}
+
+func newConfigMigrateV3Command() *cobra.Command {
+	var fromDir string
+	var dryRun bool
+	var credentialDir string
+
+	command := &cobra.Command{
+		Use:   "migrate-v3",
+		Short: "Migrate fctl v3 profiles into v4 contexts",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if fromDir == "" {
+				defaultDir, err := defaultV3ConfigDir()
+				if err != nil {
+					return err
+				}
+				fromDir = defaultDir
+			}
+
+			state, err := v4config.LoadV3State(fromDir)
+			if err != nil {
+				return err
+			}
+			plan, err := v4config.PlanV3Migration(state)
+			if err != nil {
+				return err
+			}
+
+			if dryRun {
+				return renderMigrationPlan(cmd, plan)
+			}
+
+			var store credentials.Store
+			if len(plan.CredentialMoves) > 0 {
+				if credentialDir == "" {
+					return fmt.Errorf("--credential-dir is required to migrate v3 tokens without a keyring backend")
+				}
+				store = credentials.NewInsecureFileStore(credentialDir)
+			}
+			path, err := configPath(cmd)
+			if err != nil {
+				return err
+			}
+			if err := v4config.WriteMigration(cmd.Context(), path, plan, store); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, map[string]any{
+				"configPath":      path,
+				"contexts":        len(plan.Contexts),
+				"credentialMoves": len(plan.CredentialMoves),
+			}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Migrated %d context(s) to %s.", len(plan.Contexts), path)))
+			return err
+		},
+	}
+
+	command.Flags().StringVar(&fromDir, "from", "", "Path to the fctl v3 configuration directory (default $HOME/.config/formance/fctl)")
+	command.Flags().BoolVar(&dryRun, "dry-run", false, "Show the migration plan without writing v4 config")
+	command.Flags().StringVar(&credentialDir, "credential-dir", "", "Explicit insecure credential directory for migrated v3 tokens")
+
+	return command
+}
+
+func defaultV3ConfigDir() (string, error) {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", fmt.Errorf("resolve home directory for default v3 config path: %w", err)
+	}
+	return filepath.Join(homeDir, ".config", "formance", "fctl"), nil
+}
+
+func renderMigrationPlan(cmd *cobra.Command, plan v4config.MigrationPlan) error {
+	result := migrationPlanOutput{
+		CurrentContext:  plan.CurrentContext,
+		Contexts:        contextNames(plan.Contexts),
+		CredentialMoves: len(plan.CredentialMoves),
+	}
+	if handled, err := writeStructuredOutput(cmd, result); handled || err != nil {
+		return err
+	}
+
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "Current context", plan.CurrentContext)); err != nil {
+		return err
+	}
+	if err := writeStyledSectionTitle(cmd, "Contexts"); err != nil {
+		return err
+	}
+	rows := make([][]string, 0, len(plan.Contexts))
+	for _, name := range contextNames(plan.Contexts) {
+		context := plan.Contexts[name]
+		rows = append(rows, []string{name, string(context.Kind)})
+	}
+	if err := writeStyledBulletedPairRows(cmd, []string{"Profile", "Kind"}, rows); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "Credential moves", fmt.Sprintf("%d", len(plan.CredentialMoves))))
+	return err
+}
+
+type migrationPlanOutput struct {
+	CurrentContext  string   `json:"currentContext" yaml:"currentContext"`
+	Contexts        []string `json:"contexts" yaml:"contexts"`
+	CredentialMoves int      `json:"credentialMoves" yaml:"credentialMoves"`
+}
+
+func contextNames(contexts map[string]v4config.Context) []string {
+	cfg := v4config.Config{Contexts: contexts}
+	return cfg.ContextNames()
+}
diff --git a/v4/cmd/context.go b/v4/cmd/context.go
new file mode 100644
index 00000000..cf4e1168
--- /dev/null
+++ b/v4/cmd/context.go
@@ -0,0 +1,685 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+)
+
+func newContextCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:    "context",
+		Short:  "Manage fctl v4 contexts",
+		Hidden: true,
+	}
+
+	command.AddCommand(
+		newContextListCommand(),
+		newContextShowCommand(),
+		newContextUseCommand(),
+		newContextDeleteCommand(),
+		newContextRenameCommand(),
+		newContextCreateCommand(),
+		newContextSetCommand(),
+		newContextUnsetDefaultsCommand(),
+		newContextWizardCommand(),
+	)
+
+	return command
+}
+
+func newProfileCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "profile",
+		Short: "Manage profiles",
+	}
+
+	command.AddCommand(
+		newContextListCommand(),
+		newContextShowCommand(),
+		newContextUseCommand(),
+		newContextDeleteCommand(),
+		newContextRenameCommand(),
+		newContextCreateCommand(),
+		newContextSetCommand(),
+		newContextUnsetDefaultsCommand(),
+	)
+
+	return command
+}
+
+func newProfilesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:    "profiles",
+		Short:  "Deprecated alias for profile",
+		Hidden: true,
+		PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Command profiles has been deprecated, use profile")
+		},
+	}
+	command.Deprecated = "use profile"
+	command.AddCommand(
+		newContextListCommand(),
+		newContextShowCommand(),
+		newContextUseCommand(),
+		newContextDeleteCommand(),
+		newContextRenameCommand(),
+		newProfilesResetCommand(),
+		newProfilesSetDefaultOrganizationCommand(),
+		newProfilesSetDefaultStackCommand(),
+	)
+	return command
+}
+
+func newContextListCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "list",
+		Short: "List configured contexts",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, _, err := loadConfig(cmd, true)
+			if err != nil {
+				return err
+			}
+
+			names := cfg.ContextNames()
+			result := contextListOutput{
+				Current:  cfg.CurrentContext,
+				Contexts: names,
+			}
+			if handled, err := writeStructuredOutput(cmd, result); handled || err != nil {
+				return err
+			}
+			if len(names) == 0 {
+				_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No contexts found."))
+				return err
+			}
+			if terminalOutputEnabled(cmd) {
+				rows := make([][]string, 0, len(names))
+				for _, name := range names {
+					current := ""
+					if name == cfg.CurrentContext {
+						current = "yes"
+					}
+					rows = append(rows, []string{name, current})
+				}
+				return writeStyledRows(cmd, []string{"Profile", "Current"}, rows)
+			}
+			for _, name := range names {
+				prefix := " "
+				if name == cfg.CurrentContext {
+					prefix = "*"
+				}
+				if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s %s\n", prefix, name); err != nil {
+					return err
+				}
+			}
+			return nil
+		},
+	}
+}
+
+func newContextShowCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "show [name]",
+		Short: "Show a configured context",
+		Args:  cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, _, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+
+			override := v4config.ContextOverride{}
+			if len(args) == 1 {
+				override.Name = args[0]
+			}
+			name, context, err := v4config.ResolveCurrentContext(cfg, override)
+			if err != nil {
+				return err
+			}
+
+			result := contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}
+			if handled, err := writeStructuredOutput(cmd, result); handled || err != nil {
+				return err
+			}
+			return writeStyledColonKeyValues(cmd,
+				styledKeyValue{Label: "Name", Value: name},
+				styledKeyValue{Label: "Kind", Value: string(context.Kind)},
+			)
+		},
+	}
+}
+
+func newContextUseCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "use <name>",
+		Short: "Set the current context",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			name := args[0]
+			if _, ok := cfg.Contexts[name]; !ok {
+				return fmt.Errorf("context %q does not exist", name)
+			}
+			cfg.CurrentContext = name
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, map[string]string{"currentContext": name}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Current context set to %s.", name)))
+			return err
+		},
+	}
+}
+
+func newContextDeleteCommand() *cobra.Command {
+	var force bool
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "delete <name>",
+		Short: "Delete a configured context",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("context delete requires --confirm")
+			}
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			name := args[0]
+			if _, ok := cfg.Contexts[name]; !ok {
+				return fmt.Errorf("context %q does not exist", name)
+			}
+			if len(cfg.Contexts) == 1 {
+				return fmt.Errorf("cannot delete the last context")
+			}
+			if cfg.CurrentContext == name && !force {
+				return fmt.Errorf("context %q is current; pass --force to delete it", name)
+			}
+			delete(cfg.Contexts, name)
+			if cfg.CurrentContext == name {
+				cfg.CurrentContext = ""
+			}
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, map[string]string{"deleted": name}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s deleted.", name)))
+			return err
+		},
+	}
+	command.Flags().BoolVar(&force, "force", false, "Delete the current context")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm context deletion")
+	return command
+}
+
+func newContextRenameCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "rename <old-name> <new-name>",
+		Short: "Rename a configured context",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			oldName := args[0]
+			newName := args[1]
+			context, ok := cfg.Contexts[oldName]
+			if !ok {
+				return fmt.Errorf("context %q does not exist", oldName)
+			}
+			if _, exists := cfg.Contexts[newName]; exists {
+				return fmt.Errorf("context %q already exists", newName)
+			}
+			delete(cfg.Contexts, oldName)
+			cfg.Contexts[newName] = context
+			if cfg.CurrentContext == oldName {
+				cfg.CurrentContext = newName
+			}
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, map[string]string{"renamed": oldName, "name": newName}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s renamed to %s.", oldName, newName)))
+			return err
+		},
+	}
+}
+
+func newContextCreateCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "create",
+		Short: "Create contexts",
+	}
+	command.AddCommand(newContextCreateStackCommand())
+	command.AddCommand(newContextCreateCloudCommand())
+	command.AddCommand(newContextCreateCloudStackCommand())
+	return command
+}
+
+func newContextSetCommand() *cobra.Command {
+	var organization string
+	var stack string
+	var defaultLedger string
+
+	command := &cobra.Command{
+		Use:   "set [name]",
+		Short: "Update a configured context",
+		Args:  cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			name := cfg.CurrentContext
+			if len(args) == 1 {
+				name = args[0]
+			}
+			if name == "" {
+				return fmt.Errorf("no context selected")
+			}
+			context, ok := cfg.Contexts[name]
+			if !ok {
+				return fmt.Errorf("context %q does not exist", name)
+			}
+			if organization != "" {
+				if context.Kind != v4config.ContextKindCloud && context.Kind != v4config.ContextKindCloudStack {
+					return fmt.Errorf("--organization can only be set on cloud or cloud-stack contexts")
+				}
+				context.Organization = organization
+			}
+			if stack != "" {
+				if context.Kind != v4config.ContextKindCloudStack {
+					return fmt.Errorf("--stack can only be set on cloud-stack contexts")
+				}
+				context.Stack = stack
+			}
+			if defaultLedger != "" {
+				if context.Defaults == nil {
+					context.Defaults = map[string]string{}
+				}
+				context.Defaults["ledger"] = defaultLedger
+			}
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s updated.", name)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&organization, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&stack, "stack", "", "Cloud stack ID")
+	command.Flags().StringVar(&defaultLedger, "default-ledger", "", "Default ledger for this context")
+	return command
+}
+
+func newContextUnsetDefaultsCommand() *cobra.Command {
+	var confirm bool
+
+	command := &cobra.Command{
+		Use:   "unset-defaults [name]",
+		Short: "Clear defaults from a configured context",
+		Args:  cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("context unset-defaults requires --confirm")
+			}
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			name := cfg.CurrentContext
+			if len(args) == 1 {
+				name = args[0]
+			}
+			if name == "" {
+				return fmt.Errorf("no context selected")
+			}
+			context, ok := cfg.Contexts[name]
+			if !ok {
+				return fmt.Errorf("context %q does not exist", name)
+			}
+			context.Defaults = nil
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s defaults cleared.", name)))
+			return err
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm clearing context defaults")
+	return command
+}
+
+func newProfilesResetCommand() *cobra.Command {
+	command := newContextUnsetDefaultsCommand()
+	command.Use = "reset <name>"
+	command.Short = "Clear defaults from a configured context"
+	command.Args = cobra.ExactArgs(1)
+	command.PreRun = func(cmd *cobra.Command, _ []string) {
+		fmt.Fprintln(cmd.ErrOrStderr(), "Command profiles reset has been deprecated, use profile unset-defaults <name> --confirm")
+	}
+	return command
+}
+
+func newProfilesSetDefaultOrganizationCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:     "set-default-organization <organization-id>",
+		Aliases: []string{"sdo"},
+		Short:   "Set the default organization on the current context",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Command profiles set-default-organization has been deprecated, use profile set --organization <organization-id>")
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			name := cfg.CurrentContext
+			if name == "" {
+				return fmt.Errorf("no context selected")
+			}
+			context, ok := cfg.Contexts[name]
+			if !ok {
+				return fmt.Errorf("context %q does not exist", name)
+			}
+			if context.Kind != v4config.ContextKindCloud && context.Kind != v4config.ContextKindCloudStack {
+				return fmt.Errorf("--organization can only be set on cloud or cloud-stack contexts")
+			}
+			context.Organization = args[0]
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: true, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s updated.", name)))
+			return err
+		},
+	}
+	return command
+}
+
+func newProfilesSetDefaultStackCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:     "set-default-stack <stack-id>",
+		Aliases: []string{"sds"},
+		Short:   "Set the default stack on the current context",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Command profiles set-default-stack has been deprecated, use profile set --stack <stack-id>")
+			cfg, path, err := loadConfig(cmd, false)
+			if err != nil {
+				return err
+			}
+			name := cfg.CurrentContext
+			if name == "" {
+				return fmt.Errorf("no context selected")
+			}
+			context, ok := cfg.Contexts[name]
+			if !ok {
+				return fmt.Errorf("context %q does not exist", name)
+			}
+			if context.Kind != v4config.ContextKindCloudStack {
+				return fmt.Errorf("--stack can only be set on cloud-stack contexts")
+			}
+			context.Stack = args[0]
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: true, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s updated.", name)))
+			return err
+		},
+	}
+	return command
+}
+
+func newContextCreateStackCommand() *cobra.Command {
+	var stackURL string
+	var authMethod string
+	var issuerURL string
+	var clientID string
+	var secretRef string
+	var defaultLedger string
+
+	command := &cobra.Command{
+		Use:   "stack <name>",
+		Short: "Create a direct stack context",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, path, err := loadConfig(cmd, true)
+			if err != nil {
+				return err
+			}
+			if cfg.Contexts == nil {
+				cfg.Contexts = map[string]v4config.Context{}
+			}
+
+			name := args[0]
+			if _, exists := cfg.Contexts[name]; exists {
+				return fmt.Errorf("context %q already exists", name)
+			}
+
+			auth := v4config.Auth{Method: v4config.AuthMethod(authMethod)}
+			switch auth.Method {
+			case v4config.AuthMethodClientCredentials:
+				auth.IssuerURL = issuerURL
+				auth.ClientID = clientID
+				auth.SecretRef = secretRef
+			case v4config.AuthMethodNone:
+			default:
+				return fmt.Errorf("unsupported stack auth method %q", authMethod)
+			}
+
+			defaults := map[string]string{}
+			if defaultLedger != "" {
+				defaults["ledger"] = defaultLedger
+			}
+			if len(defaults) == 0 {
+				defaults = nil
+			}
+
+			cfg.Contexts[name] = v4config.Context{
+				Kind:     v4config.ContextKindStack,
+				StackURL: stackURL,
+				Auth:     auth,
+				Defaults: defaults,
+				API:      map[string]string{"ledger": string(v4config.APIPolicyLatestCompatible)},
+			}
+			if cfg.CurrentContext == "" {
+				cfg.CurrentContext = name
+			}
+
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{
+				Name:    name,
+				Current: name == cfg.CurrentContext,
+				Context: cfg.Contexts[name],
+			}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s created.", name)))
+			return err
+		},
+	}
+
+	command.Flags().StringVar(&stackURL, "stack-url", "", "Stack API URL")
+	command.Flags().StringVar(&authMethod, "auth-method", string(v4config.AuthMethodNone), "Authentication method (none, client_credentials)")
+	command.Flags().StringVar(&issuerURL, "issuer-url", "", "OIDC issuer URL for client credentials")
+	command.Flags().StringVar(&clientID, "client-id", "", "Client ID for client credentials")
+	command.Flags().StringVar(&secretRef, "secret-ref", "", "Credential reference for client secret")
+	command.Flags().StringVar(&defaultLedger, "default-ledger", "", "Default ledger for this context")
+
+	return command
+}
+
+func newContextCreateCloudCommand() *cobra.Command {
+	var cloudURL string
+	var authMethod string
+	var tokenRef string
+	var account string
+
+	command := &cobra.Command{
+		Use:   "cloud <name>",
+		Short: "Create a Formance Cloud control-plane context",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, path, err := loadConfig(cmd, true)
+			if err != nil {
+				return err
+			}
+			if cfg.Contexts == nil {
+				cfg.Contexts = map[string]v4config.Context{}
+			}
+			name := args[0]
+			if _, exists := cfg.Contexts[name]; exists {
+				return fmt.Errorf("context %q already exists", name)
+			}
+			auth, err := cloudContextAuth(authMethod, tokenRef, account)
+			if err != nil {
+				return err
+			}
+			cfg.Contexts[name] = v4config.Context{
+				Kind:     v4config.ContextKindCloud,
+				CloudURL: cloudURL,
+				Auth:     auth,
+			}
+			if cfg.CurrentContext == "" {
+				cfg.CurrentContext = name
+			}
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: cfg.Contexts[name]}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s created.", name)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&cloudURL, "cloud-url", v4config.DefaultCloudURL, "Cloud API URL")
+	command.Flags().StringVar(&authMethod, "auth-method", string(v4config.AuthMethodCloudDevice), "Authentication method (cloud_device, token, none)")
+	command.Flags().StringVar(&tokenRef, "token-ref", "", "Credential reference for token auth")
+	command.Flags().StringVar(&account, "account", "", "Cloud account label")
+	return command
+}
+
+func newContextCreateCloudStackCommand() *cobra.Command {
+	var cloudURL string
+	var organization string
+	var stack string
+	var authMethod string
+	var tokenRef string
+	var account string
+	var defaultLedger string
+
+	command := &cobra.Command{
+		Use:   "cloud-stack <name>",
+		Short: "Create a Formance Cloud stack context",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cfg, path, err := loadConfig(cmd, true)
+			if err != nil {
+				return err
+			}
+			if cfg.Contexts == nil {
+				cfg.Contexts = map[string]v4config.Context{}
+			}
+			name := args[0]
+			if _, exists := cfg.Contexts[name]; exists {
+				return fmt.Errorf("context %q already exists", name)
+			}
+			auth, err := cloudContextAuth(authMethod, tokenRef, account)
+			if err != nil {
+				return err
+			}
+			defaults := map[string]string{}
+			if defaultLedger != "" {
+				defaults["ledger"] = defaultLedger
+			}
+			if len(defaults) == 0 {
+				defaults = nil
+			}
+			cfg.Contexts[name] = v4config.Context{
+				Kind:         v4config.ContextKindCloudStack,
+				CloudURL:     cloudURL,
+				Organization: organization,
+				Stack:        stack,
+				Auth:         auth,
+				Defaults:     defaults,
+				API:          map[string]string{"ledger": string(v4config.APIPolicyLatestCompatible)},
+			}
+			if cfg.CurrentContext == "" {
+				cfg.CurrentContext = name
+			}
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: cfg.Contexts[name]}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Context %s created.", name)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&cloudURL, "cloud-url", v4config.DefaultCloudURL, "Cloud API URL")
+	command.Flags().StringVar(&organization, "organization", "", "Cloud organization ID")
+	command.Flags().StringVar(&stack, "stack", "", "Cloud stack ID")
+	command.Flags().StringVar(&authMethod, "auth-method", string(v4config.AuthMethodCloudDevice), "Authentication method (cloud_device, token, none)")
+	command.Flags().StringVar(&tokenRef, "token-ref", "", "Credential reference for token auth")
+	command.Flags().StringVar(&account, "account", "", "Cloud account label")
+	command.Flags().StringVar(&defaultLedger, "default-ledger", "", "Default ledger for this context")
+	return command
+}
+
+func cloudContextAuth(authMethod string, tokenRef string, account string) (v4config.Auth, error) {
+	auth := v4config.Auth{Method: v4config.AuthMethod(authMethod), TokenRef: tokenRef, Account: account}
+	switch auth.Method {
+	case v4config.AuthMethodCloudDevice, v4config.AuthMethodToken, v4config.AuthMethodNone:
+		return auth, nil
+	default:
+		return v4config.Auth{}, fmt.Errorf("unsupported cloud auth method %q", authMethod)
+	}
+}
+
+type contextListOutput struct {
+	Current  string   `json:"currentContext" yaml:"currentContext"`
+	Contexts []string `json:"contexts" yaml:"contexts"`
+}
+
+type contextShowOutput struct {
+	Name    string           `json:"name" yaml:"name"`
+	Current bool             `json:"current" yaml:"current"`
+	Context v4config.Context `json:"context" yaml:"context"`
+}
diff --git a/v4/cmd/flows.go b/v4/cmd/flows.go
new file mode 100644
index 00000000..81dd9093
--- /dev/null
+++ b/v4/cmd/flows.go
@@ -0,0 +1,1133 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	flowscmd "github.com/formancehq/fctl/v4/internal/commands/flows"
+)
+
+func newFlowsCommand(deprecatedAlias bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "flows",
+		Short: "Manage flows",
+		PersistentPreRun: func(cmd *cobra.Command, _ []string) {
+			if deprecatedAlias {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command orchestration has been deprecated, use flows")
+			}
+		},
+	}
+	if deprecatedAlias {
+		command.Use = "orchestration"
+		command.Deprecated = "use flows"
+	}
+	command.AddCommand(newFlowsWorkflowsCommand())
+	command.AddCommand(newFlowsInstancesCommand())
+	command.AddCommand(newFlowsTriggersCommand())
+	return command
+}
+
+func newFlowsTriggersCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "triggers",
+		Short: "Manage workflow triggers",
+	}
+	command.AddCommand(newFlowsTriggersCreateCommand())
+	command.AddCommand(newFlowsTriggersListCommand())
+	command.AddCommand(newFlowsTriggersShowCommand())
+	command.AddCommand(newFlowsTriggersDeleteCommand())
+	command.AddCommand(newFlowsTriggersTestCommand())
+	command.AddCommand(newFlowsTriggersOccurrencesCommand())
+	return command
+}
+
+func newFlowsTriggersOccurrencesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "occurrences",
+		Short: "Manage trigger occurrences",
+	}
+	command.AddCommand(newFlowsTriggersOccurrencesListCommand())
+	return command
+}
+
+func newFlowsTriggersOccurrencesListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list <trigger-id>",
+		Aliases: []string{"ls", "l"},
+		Short:   "List trigger occurrences",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.ListTriggerOccurrencesService{
+				Handlers: flowscmd.SDKListTriggerOccurrencesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureListTriggerOccurrences,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.ListTriggerOccurrencesInput{
+				TriggerID: args[0],
+				PageSize:  pageSize,
+				Cursor:    cursor,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsTriggerOccurrences(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsTriggersCreateCommand() *cobra.Command {
+	var confirm bool
+	var name string
+	var filter string
+	var version string
+	var variable []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create <event> <workflow-id>",
+		Short: "Create a workflow trigger",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("flows triggers create requires --confirm")
+			}
+			vars, err := parseAnyMapFlags(variable)
+			if err != nil {
+				return err
+			}
+			output, err := runFlowsCreateTriggerCommand(cmd, flowscmd.CreateTriggerInput{
+				Event:      args[0],
+				WorkflowID: args[1],
+				Name:       name,
+				Filter:     filter,
+				Version:    version,
+				Vars:       vars,
+			}, apiVersion)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsTriggerCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm trigger creation")
+	command.Flags().StringVar(&name, "name", "", "Trigger name")
+	command.Flags().StringVar(&filter, "filter", "", "Trigger filter expression")
+	command.Flags().StringVar(&version, "version", "", "Workflow version")
+	command.Flags().StringArrayVar(&variable, "variable", nil, "Variable as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsTriggersListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var name string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List workflow triggers",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.ListTriggersService{
+				Handlers: flowscmd.SDKListTriggersHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureListTriggers,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.ListTriggersInput{PageSize: pageSize, Cursor: cursor, Name: name})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsTriggers(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&name, "name", "", "Filter triggers by name")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsTriggersShowCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "show <trigger-id>",
+		Short: "Show a workflow trigger",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.GetTriggerService{
+				Handlers: flowscmd.SDKGetTriggerHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureReadTrigger,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.GetTriggerInput{TriggerID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsTrigger(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsTriggersDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <trigger-id>",
+		Short: "Delete a workflow trigger",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("flows triggers delete requires --confirm")
+			}
+			output, err := runFlowsDeleteTriggerCommand(cmd, args[0], apiVersion)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsTriggerDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm trigger deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsTriggersTestCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "test <trigger-id> <event-json>",
+		Short: "Test a workflow trigger",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			event := map[string]any{}
+			if err := json.Unmarshal([]byte(args[1]), &event); err != nil {
+				return fmt.Errorf("decode event json: %w", err)
+			}
+			output, err := runFlowsTestTriggerCommand(cmd, flowscmd.TestTriggerInput{TriggerID: args[0], Event: event}, apiVersion)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsTriggerTest(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsInstancesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "instances",
+		Short: "Manage workflow instances",
+	}
+	command.AddCommand(newFlowsInstancesListCommand())
+	command.AddCommand(newFlowsInstancesShowCommand("show", nil, false))
+	command.AddCommand(newFlowsInstancesShowCommand("inspect", nil, false))
+	command.AddCommand(newFlowsInstancesShowCommand("describe", nil, true))
+	command.AddCommand(newFlowsInstancesSendEventCommand())
+	command.AddCommand(newFlowsInstancesStopCommand())
+	return command
+}
+
+func newFlowsInstancesSendEventCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "send-event <instance-id> <event>",
+		Short: "Send an event to a workflow instance",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			output, err := runFlowsInstanceActionCommand(cmd, flowsInstanceActionCommandRequest{
+				Feature:    flowscmd.FeatureSendEvent,
+				Handlers:   flowscmd.SDKSendEventHandlers,
+				InstanceID: args[0],
+				Event:      args[1],
+				APIVersion: apiVersion,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsInstanceEventSent(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsInstancesStopCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "stop <instance-id>",
+		Short: "Stop a workflow instance",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("flows instances stop requires --confirm")
+			}
+			output, err := runFlowsInstanceActionCommand(cmd, flowsInstanceActionCommandRequest{
+				Feature:    flowscmd.FeatureCancelEvent,
+				Handlers:   flowscmd.SDKStopInstanceHandlers,
+				InstanceID: args[0],
+				APIVersion: apiVersion,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsInstanceStopped(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm instance stop")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+type flowsInstanceActionCommandRequest struct {
+	Feature    capabilities.Feature
+	Handlers   func(*formance.Formance) []flowscmd.InstanceActionHandler
+	InstanceID string
+	Event      string
+	APIVersion string
+}
+
+func runFlowsInstanceActionCommand(cmd *cobra.Command, request flowsInstanceActionCommandRequest) (flowscmd.InstanceActionOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return flowscmd.InstanceActionOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return flowscmd.InstanceActionOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := flowscmd.StopInstanceService{
+		Handlers: request.Handlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			versionRequest := capabilities.VersionResolutionRequest{
+				Product:         flowscmd.ProductOrchestration,
+				Feature:         request.Feature,
+				HandlerVersions: handlerVersions,
+			}
+			if request.APIVersion != "" {
+				versionRequest.Policy = capabilities.VersionPolicyPinned
+				versionRequest.PinnedVersion = capabilities.APIVersion(request.APIVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, versionRequest)
+		},
+	}
+	return service.Run(cmd.Context(), flowscmd.InstanceActionInput{InstanceID: request.InstanceID, Event: request.Event})
+}
+
+func newFlowsInstancesListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var workflowID string
+	var running bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List workflow instances",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			var runningPtr *bool
+			if cmd.Flags().Changed("running") {
+				runningPtr = &running
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.ListInstancesService{
+				Handlers: flowscmd.SDKListInstancesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureListInstances,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.ListInstancesInput{
+				PageSize:   pageSize,
+				Cursor:     cursor,
+				WorkflowID: workflowID,
+				Running:    runningPtr,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsInstances(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&workflowID, "workflow-id", "", "Filter by workflow ID")
+	command.Flags().BoolVar(&running, "running", false, "Filter running instances")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsInstancesShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <instance-id>",
+		Aliases: aliases,
+		Short:   "Show a workflow instance",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command flows instances describe has been deprecated, use flows instances inspect")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.GetInstanceService{
+				Handlers: flowscmd.SDKGetInstanceHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureGetInstance,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.GetInstanceInput{InstanceID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsInstance(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use flows instances inspect"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsWorkflowsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "workflows",
+		Short: "Manage workflows",
+	}
+	command.AddCommand(newFlowsWorkflowsListCommand())
+	command.AddCommand(newFlowsWorkflowsShowCommand())
+	command.AddCommand(newFlowsWorkflowsCreateCommand())
+	command.AddCommand(newFlowsWorkflowsDeleteCommand())
+	command.AddCommand(newFlowsWorkflowsRunCommand())
+	return command
+}
+
+func newFlowsWorkflowsCreateCommand() *cobra.Command {
+	var file string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create [file]",
+		Short: "Create a workflow",
+		Args: func(_ *cobra.Command, args []string) error {
+			if len(args) == 0 || len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 or 1 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("flows workflows create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use flows workflows create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("flows workflows create requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			var workflowRequest shared.CreateWorkflowRequest
+			if err := json.Unmarshal(data, &workflowRequest); err != nil {
+				return fmt.Errorf("decode workflow request: %w", err)
+			}
+			output, err := runFlowsCreateWorkflowCommand(cmd, workflowRequest, apiVersion)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsWorkflowCreated(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&file, "file", "", "Workflow JSON file path or - for stdin")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm workflow creation")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsWorkflowsDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <workflow-id>",
+		Short: "Delete a workflow",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("flows workflows delete requires --confirm")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.DeleteWorkflowService{
+				Handlers: flowscmd.SDKDeleteWorkflowHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureDeleteWorkflow,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.DeleteWorkflowInput{WorkflowID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsWorkflowDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm workflow deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsWorkflowsRunCommand() *cobra.Command {
+	var variable []string
+	var wait bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "run <workflow-id>",
+		Short: "Run a workflow",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			vars, err := parseMetadataFlags(variable)
+			if err != nil {
+				return err
+			}
+			var waitPtr *bool
+			if cmd.Flags().Changed("wait") {
+				waitPtr = &wait
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.RunWorkflowService{
+				Handlers: flowscmd.SDKRunWorkflowHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureRunWorkflow,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.RunWorkflowInput{
+				WorkflowID: args[0],
+				Vars:       vars,
+				Wait:       waitPtr,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsWorkflowRun(cmd, output)
+		},
+	}
+	command.Flags().StringArrayVar(&variable, "variable", nil, "Variable as key=value")
+	command.Flags().BoolVar(&wait, "wait", false, "Wait for workflow completion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func runFlowsCreateWorkflowCommand(cmd *cobra.Command, workflowRequest shared.CreateWorkflowRequest, apiVersion string) (flowscmd.CreateWorkflowOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return flowscmd.CreateWorkflowOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return flowscmd.CreateWorkflowOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := flowscmd.CreateWorkflowService{
+		Handlers: flowscmd.SDKCreateWorkflowHandlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			request := capabilities.VersionResolutionRequest{
+				Product:         flowscmd.ProductOrchestration,
+				Feature:         flowscmd.FeatureCreateWorkflow,
+				HandlerVersions: handlerVersions,
+			}
+			if apiVersion != "" {
+				request.Policy = capabilities.VersionPolicyPinned
+				request.PinnedVersion = capabilities.APIVersion(apiVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, request)
+		},
+	}
+	return service.Run(cmd.Context(), flowscmd.CreateWorkflowInput{Workflow: workflowRequest})
+}
+
+func runFlowsCreateTriggerCommand(cmd *cobra.Command, input flowscmd.CreateTriggerInput, apiVersion string) (flowscmd.CreateTriggerOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return flowscmd.CreateTriggerOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return flowscmd.CreateTriggerOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := flowscmd.CreateTriggerService{
+		Handlers: flowscmd.SDKCreateTriggerHandlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			request := capabilities.VersionResolutionRequest{
+				Product:         flowscmd.ProductOrchestration,
+				Feature:         flowscmd.FeatureCreateTrigger,
+				HandlerVersions: handlerVersions,
+			}
+			if apiVersion != "" {
+				request.Policy = capabilities.VersionPolicyPinned
+				request.PinnedVersion = capabilities.APIVersion(apiVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, request)
+		},
+	}
+	return service.Run(cmd.Context(), input)
+}
+
+func runFlowsDeleteTriggerCommand(cmd *cobra.Command, triggerID string, apiVersion string) (flowscmd.DeleteTriggerOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return flowscmd.DeleteTriggerOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return flowscmd.DeleteTriggerOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := flowscmd.DeleteTriggerService{
+		Handlers: flowscmd.SDKDeleteTriggerHandlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			request := capabilities.VersionResolutionRequest{
+				Product:         flowscmd.ProductOrchestration,
+				Feature:         flowscmd.FeatureDeleteTrigger,
+				HandlerVersions: handlerVersions,
+			}
+			if apiVersion != "" {
+				request.Policy = capabilities.VersionPolicyPinned
+				request.PinnedVersion = capabilities.APIVersion(apiVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, request)
+		},
+	}
+	return service.Run(cmd.Context(), flowscmd.DeleteTriggerInput{TriggerID: triggerID})
+}
+
+func runFlowsTestTriggerCommand(cmd *cobra.Command, input flowscmd.TestTriggerInput, apiVersion string) (flowscmd.TestTriggerOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return flowscmd.TestTriggerOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return flowscmd.TestTriggerOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := flowscmd.TestTriggerService{
+		Handlers: flowscmd.SDKTestTriggerHandlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			request := capabilities.VersionResolutionRequest{
+				Product:         flowscmd.ProductOrchestration,
+				Feature:         flowscmd.FeatureTestTrigger,
+				HandlerVersions: handlerVersions,
+			}
+			if apiVersion != "" {
+				request.Policy = capabilities.VersionPolicyPinned
+				request.PinnedVersion = capabilities.APIVersion(apiVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, request)
+		},
+	}
+	return service.Run(cmd.Context(), input)
+}
+
+func parseAnyMapFlags(values []string) (map[string]any, error) {
+	parsed, err := parseMetadataFlags(values)
+	if err != nil {
+		return nil, err
+	}
+	if parsed == nil {
+		return nil, nil
+	}
+	ret := make(map[string]any, len(parsed))
+	for key, value := range parsed {
+		ret[key] = value
+	}
+	return ret, nil
+}
+
+func newFlowsWorkflowsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List workflows",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.ListWorkflowsService{
+				Handlers: flowscmd.SDKListWorkflowsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureListWorkflows,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.ListWorkflowsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsWorkflows(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func newFlowsWorkflowsShowCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "show <workflow-id>",
+		Short: "Show a workflow",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := flowscmd.GetWorkflowService{
+				Handlers: flowscmd.SDKGetWorkflowHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         flowscmd.ProductOrchestration,
+						Feature:         flowscmd.FeatureGetWorkflow,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), flowscmd.GetWorkflowInput{WorkflowID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderFlowsWorkflow(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin flows API version")
+	return command
+}
+
+func renderFlowsWorkflows(cmd *cobra.Command, output flowscmd.ListWorkflowsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Workflows) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No workflows found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Workflows))
+	for _, workflow := range output.Workflows {
+		rows = append(rows, []string{workflow.ID, workflow.Name, workflow.CreatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Name", "Created at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderFlowsWorkflow(cmd *cobra.Command, output flowscmd.GetWorkflowOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	workflow := output.Workflow
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: workflow.ID},
+		styledKeyValue{Label: "Name", Value: workflow.Name},
+		styledKeyValue{Label: "Created at", Value: workflow.CreatedAt.Format(time.RFC3339)},
+		styledKeyValue{Label: "Updated at", Value: workflow.UpdatedAt.Format(time.RFC3339)},
+	)
+}
+
+func renderFlowsWorkflowCreated(cmd *cobra.Command, output flowscmd.CreateWorkflowOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Workflow created with ID: %s", output.Workflow.ID)))
+	return err
+}
+
+func renderFlowsWorkflowDeleted(cmd *cobra.Command, output flowscmd.DeleteWorkflowOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Workflow %s deleted.", output.WorkflowID)))
+	return err
+}
+
+func renderFlowsWorkflowRun(cmd *cobra.Command, output flowscmd.RunWorkflowOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Workflow instance created with ID: %s", output.Instance.ID)))
+	return err
+}
+
+func renderFlowsInstances(cmd *cobra.Command, output flowscmd.ListInstancesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Instances) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No workflow instances found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Instances))
+	for _, instance := range output.Instances {
+		rows = append(rows, []string{instance.ID, instance.WorkflowID, fmt.Sprintf("%t", instance.Terminated), instance.CreatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Workflow ID", "Terminated", "Created at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderFlowsInstance(cmd *cobra.Command, output flowscmd.GetInstanceOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	instance := output.Instance
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: instance.ID},
+		styledKeyValue{Label: "Workflow ID", Value: instance.WorkflowID},
+		styledKeyValue{Label: "Terminated", Value: fmt.Sprintf("%t", instance.Terminated)},
+		styledKeyValue{Label: "Created at", Value: instance.CreatedAt.Format(time.RFC3339)},
+	)
+}
+
+func renderFlowsInstanceEventSent(cmd *cobra.Command, output flowscmd.InstanceActionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Event %s sent to instance %s.", output.Event, output.InstanceID)))
+	return err
+}
+
+func renderFlowsInstanceStopped(cmd *cobra.Command, output flowscmd.InstanceActionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Workflow instance %s stopped.", output.InstanceID)))
+	return err
+}
+
+func renderFlowsTriggerCreated(cmd *cobra.Command, output flowscmd.CreateTriggerOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Trigger created with ID: %s", output.Trigger.ID)))
+	return err
+}
+
+func renderFlowsTriggers(cmd *cobra.Command, output flowscmd.ListTriggersOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Triggers) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No triggers found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Triggers))
+	for _, trigger := range output.Triggers {
+		rows = append(rows, []string{trigger.ID, trigger.Name, trigger.Event, trigger.WorkflowID})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Name", "Event", "Workflow ID"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderFlowsTrigger(cmd *cobra.Command, output flowscmd.GetTriggerOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	trigger := output.Trigger
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: trigger.ID},
+		styledKeyValue{Label: "Name", Value: trigger.Name},
+		styledKeyValue{Label: "Event", Value: trigger.Event},
+		styledKeyValue{Label: "Workflow ID", Value: trigger.WorkflowID},
+	)
+}
+
+func renderFlowsTriggerDeleted(cmd *cobra.Command, output flowscmd.DeleteTriggerOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Trigger %s deleted.", output.TriggerID)))
+	return err
+}
+
+func renderFlowsTriggerTest(cmd *cobra.Command, output flowscmd.TestTriggerOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.Matched != nil {
+		return writeStyledKeyValues(cmd, styledKeyValue{Label: "Filter match", Value: fmt.Sprintf("%t", *output.Matched)})
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Trigger %s tested.", output.TriggerID)))
+	return err
+}
+
+func renderFlowsTriggerOccurrences(cmd *cobra.Command, output flowscmd.ListTriggerOccurrencesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Occurrences) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No trigger occurrences found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Occurrences))
+	for _, occurrence := range output.Occurrences {
+		rows = append(rows, []string{occurrence.TriggerID, occurrence.WorkflowInstanceID, occurrence.Date.Format(time.RFC3339), occurrence.Error})
+	}
+	if err := writeStyledRows(cmd, []string{"Trigger ID", "Workflow instance ID", "Date", "Error"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
diff --git a/v4/cmd/http_debug.go b/v4/cmd/http_debug.go
new file mode 100644
index 00000000..fe6f8b54
--- /dev/null
+++ b/v4/cmd/http_debug.go
@@ -0,0 +1,105 @@
+package cmd
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+type debugRoundTripper struct {
+	base   http.RoundTripper
+	writer io.Writer
+}
+
+func (t debugRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	base := t.base
+	if base == nil {
+		base = http.DefaultTransport
+	}
+	writer := t.writer
+	if writer == nil {
+		writer = io.Discard
+	}
+
+	if err := dumpDebugRequest(writer, req); err != nil {
+		return nil, err
+	}
+	rsp, err := base.RoundTrip(req)
+	if err != nil {
+		fmt.Fprintf(writer, "<<< error: %v\n\n", err)
+		return nil, err
+	}
+	if err := dumpDebugResponse(writer, rsp); err != nil {
+		return nil, err
+	}
+	return rsp, nil
+}
+
+func dumpDebugRequest(writer io.Writer, req *http.Request) error {
+	fmt.Fprintf(writer, ">>> %s %s\n", req.Method, req.URL.String())
+	writeDebugHeaders(writer, req.Header)
+	if req.Body != nil {
+		body, err := io.ReadAll(req.Body)
+		if err != nil {
+			return err
+		}
+		_ = req.Body.Close()
+		req.Body = io.NopCloser(bytes.NewReader(body))
+		writeDebugBody(writer, body)
+	}
+	fmt.Fprintln(writer)
+	return nil
+}
+
+func dumpDebugResponse(writer io.Writer, rsp *http.Response) error {
+	fmt.Fprintf(writer, "<<< HTTP %s\n", rsp.Status)
+	writeDebugHeaders(writer, rsp.Header)
+	if rsp.Body != nil {
+		body, err := io.ReadAll(rsp.Body)
+		if err != nil {
+			return err
+		}
+		_ = rsp.Body.Close()
+		rsp.Body = io.NopCloser(bytes.NewReader(body))
+		writeDebugBody(writer, body)
+	}
+	fmt.Fprintln(writer)
+	return nil
+}
+
+func writeDebugHeaders(writer io.Writer, headers http.Header) {
+	for key, values := range headers {
+		for _, value := range values {
+			if debugHeaderShouldRedact(key) {
+				value = "<redacted>"
+			}
+			fmt.Fprintf(writer, "%s: %s\n", key, value)
+		}
+	}
+}
+
+func debugHeaderShouldRedact(key string) bool {
+	switch http.CanonicalHeaderKey(key) {
+	case "Authorization", "Cookie", "Set-Cookie":
+		return true
+	default:
+		return false
+	}
+}
+
+func writeDebugBody(writer io.Writer, body []byte) {
+	if len(body) == 0 {
+		return
+	}
+	var raw any
+	if err := json.Unmarshal(body, &raw); err == nil {
+		pretty, err := json.MarshalIndent(raw, "", "  ")
+		if err == nil {
+			fmt.Fprintf(writer, "%s\n", pretty)
+			return
+		}
+	}
+	fmt.Fprintf(writer, "%s\n", body)
+}
diff --git a/v4/cmd/ledger.go b/v4/cmd/ledger.go
new file mode 100644
index 00000000..1c12a548
--- /dev/null
+++ b/v4/cmd/ledger.go
@@ -0,0 +1,2620 @@
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	ledgercmd "github.com/formancehq/fctl/v4/internal/commands/ledger"
+	v4prompt "github.com/formancehq/fctl/v4/internal/prompt"
+)
+
+func newLedgerCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "ledger",
+		Short: "Manage ledgers",
+	}
+	command.AddCommand(newLedgerInfoCommand("info", nil, false))
+	command.AddCommand(newLedgerInfoCommand("server-infos", []string{"si"}, true))
+	command.AddCommand(newLedgerAccountsCommand())
+	command.AddCommand(newLedgerCreateCommand())
+	command.AddCommand(newLedgerDeleteMetadataCommand())
+	command.AddCommand(newLedgerExportCommand())
+	command.AddCommand(newLedgerImportCommand())
+	command.AddCommand(newLedgerListCommand())
+	command.AddCommand(newLedgerSchemasCommand())
+	command.AddCommand(newLedgerSetMetadataCommand())
+	command.AddCommand(newLedgerTransactionsSendCommand(true))
+	command.AddCommand(newLedgerStatsCommand())
+	command.AddCommand(newLedgerTransactionsCommand())
+	command.AddCommand(newLedgerVolumesCommand())
+	return command
+}
+
+func newLedgerAccountsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "accounts",
+		Short: "Manage ledger accounts",
+	}
+	command.AddCommand(newLedgerAccountsListCommand())
+	command.AddCommand(newLedgerAccountsDeleteMetadataCommand())
+	command.AddCommand(newLedgerAccountsQueryCommand())
+	command.AddCommand(newLedgerAccountsSetMetadataCommand())
+	command.AddCommand(newLedgerAccountsShowCommand())
+	return command
+}
+
+func newLedgerSchemasCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "schemas",
+		Short: "Manage ledger schemas",
+	}
+	command.AddCommand(newLedgerSchemasListCommand())
+	command.AddCommand(newLedgerSchemasShowCommand())
+	command.AddCommand(newLedgerSchemasInsertCommand())
+	return command
+}
+
+func newLedgerSchemasListCommand() *cobra.Command {
+	var ledger string
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "list",
+		Short: "List ledger schemas",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ListSchemasService{
+				Handlers: ledgercmd.SDKListSchemasHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureListSchemas,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ListSchemasInput{
+				Ledger:   ledger,
+				PageSize: pageSize,
+				Cursor:   cursor,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerSchemas(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerSchemasShowCommand() *cobra.Command {
+	var ledger string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "show <version>",
+		Short: "Show a ledger schema",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.GetSchemaService{
+				Handlers: ledgercmd.SDKGetSchemaHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureGetSchema,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.GetSchemaInput{
+				Ledger:  ledger,
+				Version: args[0],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerSchema(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerSchemasInsertCommand() *cobra.Command {
+	var ledger string
+	var file string
+	var confirm bool
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "insert <version>",
+		Short: "Insert a ledger schema",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger schemas insert requires --confirm")
+			}
+			if file == "" {
+				return fmt.Errorf("ledger schemas insert requires --file <path>|-")
+			}
+
+			var data []byte
+			var err error
+			if file == "-" {
+				data, err = io.ReadAll(cmd.InOrStdin())
+			} else {
+				data, err = os.ReadFile(file)
+			}
+			if err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.InsertSchemaService{
+				Handlers: ledgercmd.SDKInsertSchemaHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureInsertSchema,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.InsertSchemaInput{
+				Ledger:         ledger,
+				Version:        args[0],
+				Data:           data,
+				IdempotencyKey: idempotencyKey,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerSchemaInserted(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&file, "file", "", "Read schema JSON from file, or - for stdin")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the schema insertion")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerAccountsListCommand() *cobra.Command {
+	var ledger string
+	var pageSize int64
+	var cursor string
+	var account string
+	var metadata []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List ledger accounts",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if cmd.Flags().Changed("address") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --address has been deprecated, use --account")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ListAccountsService{
+				Handlers: ledgercmd.SDKListAccountsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureListAccounts,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ListAccountsInput{
+				Ledger:   ledger,
+				PageSize: pageSize,
+				Cursor:   cursor,
+				Account:  account,
+				Metadata: parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerAccounts(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&account, "account", "", "Filter by account address")
+	command.Flags().StringVar(&account, "address", "", "Deprecated alias for --account")
+	command.Flags().StringSliceVar(&metadata, "metadata", nil, "Filter by metadata key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	_ = command.Flags().MarkDeprecated("address", "use --account")
+
+	return command
+}
+
+func newLedgerAccountsQueryCommand() *cobra.Command {
+	var ledger string
+	var schemaVersion string
+	var pageSize int64
+	var cursor string
+	var expand string
+	var pit string
+	var reverse bool
+	var sort string
+	var variables []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "query <query-id>",
+		Short: "Run a ledger account query template",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			parsedVars, err := parseKeyValueFlags(variables, "var")
+			if err != nil {
+				return err
+			}
+			parsedPit, err := parseOptionalRFC3339(pit, "pit")
+			if err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.RunAccountQueryService{
+				Handlers: ledgercmd.SDKRunAccountQueryHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureRunQuery,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.RunAccountQueryInput{
+				Ledger:        ledger,
+				QueryID:       args[0],
+				SchemaVersion: schemaVersion,
+				PageSize:      pageSize,
+				Cursor:        cursor,
+				Expand:        expand,
+				Pit:           parsedPit,
+				Reverse:       reverse,
+				Sort:          sort,
+				Vars:          parsedVars,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerAccountQuery(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&schemaVersion, "schema-version", "", "Ledger schema version")
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&expand, "expand", "", "Expand response fields")
+	command.Flags().StringVar(&pit, "pit", "", "Point-in-time timestamp (RFC3339)")
+	command.Flags().BoolVar(&reverse, "reverse", false, "Reverse result order")
+	command.Flags().StringVar(&sort, "sort", "", "Sort results as field:asc or field:desc")
+	command.Flags().StringArrayVar(&variables, "var", nil, "Query template variable as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerAccountsShowCommand() *cobra.Command {
+	var ledger string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "show <account>",
+		Aliases: []string{"sh", "s"},
+		Short:   "Show a ledger account",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.GetAccountService{
+				Handlers: ledgercmd.SDKGetAccountHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureGetAccount,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.GetAccountInput{
+				Ledger:  ledger,
+				Account: args[0],
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerAccount(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerAccountsSetMetadataCommand() *cobra.Command {
+	var ledger string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "set-metadata <account> <key=value>...",
+		Aliases: []string{"sm", "set-meta"},
+		Short:   "Set metadata on a ledger account",
+		Args:    cobra.MinimumNArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger accounts set-metadata requires --confirm")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			metadata, err := parseMetadataFlags(args[1:])
+			if err != nil {
+				return err
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.AddAccountMetadataService{
+				Handlers: ledgercmd.SDKAddAccountMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureAddAccountMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.AddAccountMetadataInput{
+				Ledger:   ledger,
+				Account:  args[0],
+				Metadata: metadata,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerAccountMetadataSet(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the metadata update")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerAccountsDeleteMetadataCommand() *cobra.Command {
+	var ledger string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "delete-metadata <account> <key>",
+		Aliases: []string{"dm", "del-meta"},
+		Short:   "Delete metadata from a ledger account",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger accounts delete-metadata requires --confirm")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.DeleteAccountMetadataService{
+				Handlers: ledgercmd.SDKDeleteAccountMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureDeleteAccountMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.DeleteAccountMetadataInput{
+				Ledger:  ledger,
+				Account: args[0],
+				Key:     args[1],
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerAccountMetadataDeleted(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the metadata deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerExportCommand() *cobra.Command {
+	var ledger string
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "export",
+		Short: "Export ledger logs",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ExportLogsService{
+				Handlers: ledgercmd.SDKExportLogsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureExportLogs,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ExportLogsInput{
+				Ledger: ledger,
+			})
+			if err != nil {
+				return err
+			}
+
+			if file != "" && file != "-" {
+				if err := os.WriteFile(file, output.Data, 0o600); err != nil {
+					return err
+				}
+				return renderLedgerExported(cmd, output, file)
+			}
+			_, err = cmd.OutOrStdout().Write(output.Data)
+			return err
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&file, "file", "", "Write export to file, or - for stdout")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerImportCommand() *cobra.Command {
+	var file string
+	var input string
+	var resume bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "import <ledger> [file]",
+		Short: "Import ledger logs",
+		Args:  cobra.RangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if input != "" {
+				if file != "" {
+					return fmt.Errorf("--input and --file are mutually exclusive")
+				}
+				file = input
+			}
+			if len(args) == 2 {
+				if file != "" {
+					return fmt.Errorf("positional file and --file are mutually exclusive")
+				}
+				file = args[1]
+			}
+			if file == "" {
+				return fmt.Errorf("ledger import requires --file <path>|-")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ImportLogsService{
+				Handlers: ledgercmd.SDKImportLogsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureImportLogs,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+
+			importInput := ledgercmd.ImportLogsInput{
+				Ledger:            args[0],
+				FilePath:          file,
+				ResumeFromLastLog: resume,
+			}
+			if file == "-" {
+				data, err := io.ReadAll(cmd.InOrStdin())
+				if err != nil {
+					return err
+				}
+				importInput.FilePath = ""
+				importInput.Data = data
+			}
+
+			output, err := service.Run(cmd.Context(), importInput)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerImported(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&file, "file", "", "Read import from file, or - for stdin")
+	command.Flags().StringVar(&input, "input", "", "Read import from file, or - for stdin")
+	_ = command.Flags().MarkDeprecated("input", "use --file")
+	command.Flags().BoolVar(&resume, "resume-from-last-log", false, "Resume import after the latest log already present in the ledger")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerSetMetadataCommand() *cobra.Command {
+	var confirm bool
+	var metadataFile string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "set-metadata <ledger> [key=value]...",
+		Aliases: []string{"sm", "set-meta"},
+		Short:   "Set metadata on a ledger",
+		Args:    cobra.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger set-metadata requires --confirm")
+			}
+
+			metadata, err := parseMetadataFile(cmd, metadataFile)
+			if err != nil {
+				return err
+			}
+			argMetadata, err := parseMetadataFlags(args[1:])
+			if err != nil {
+				return err
+			}
+			for key, value := range argMetadata {
+				if metadata == nil {
+					metadata = map[string]string{}
+				}
+				metadata[key] = value
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.UpdateLedgerMetadataService{
+				Handlers: ledgercmd.SDKUpdateLedgerMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureUpdateLedgerMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.UpdateLedgerMetadataInput{
+				Ledger:   args[0],
+				Metadata: metadata,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerMetadataSet(cmd, output)
+		},
+	}
+
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the metadata update")
+	command.Flags().StringVar(&metadataFile, "metadata-file", "", "Read metadata JSON object from path or stdin with -")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerDeleteMetadataCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "delete-metadata <ledger> <key>",
+		Aliases: []string{"dm", "del-meta"},
+		Short:   "Delete metadata from a ledger",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger delete-metadata requires --confirm")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.DeleteLedgerMetadataService{
+				Handlers: ledgercmd.SDKDeleteLedgerMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureDeleteLedgerMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.DeleteLedgerMetadataInput{
+				Ledger: args[0],
+				Key:    args[1],
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerMetadataDeleted(cmd, output)
+		},
+	}
+
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the metadata deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerCreateCommand() *cobra.Command {
+	var bucket string
+	var features []string
+	var metadata []string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create [name]",
+		Aliases: []string{"c", "cr"},
+		Short:   "Create a ledger",
+		Args:    cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ledgerName, err := resolveLedgerCreateName(cmd, args)
+			if err != nil {
+				return err
+			}
+			if !confirm {
+				approved, err := confirmLedgerCreate(cmd, ledgerName)
+				if err != nil {
+					return err
+				}
+				if !approved {
+					return v4prompt.ErrCancelled
+				}
+			}
+
+			parsedFeatures, err := parseKeyValueFlags(features, "feature")
+			if err != nil {
+				return err
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.CreateLedgerService{
+				Handlers: ledgercmd.SDKCreateLedgerHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureCreateLedger,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.CreateLedgerInput{
+				Name:     ledgerName,
+				Bucket:   bucket,
+				Features: parsedFeatures,
+				Metadata: parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerCreated(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&bucket, "bucket", "", "Bucket in which to create the ledger")
+	command.Flags().StringSliceVar(&features, "feature", nil, "Feature key=value to enable")
+	command.Flags().StringSliceVar(&metadata, "metadata", nil, "Metadata key=value to apply")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the ledger creation")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func resolveLedgerCreateName(cmd *cobra.Command, args []string) (string, error) {
+	if len(args) > 0 && strings.TrimSpace(args[0]) != "" {
+		return strings.TrimSpace(args[0]), nil
+	}
+	nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag)
+	if err != nil {
+		return "", err
+	}
+	wizard := v4prompt.NewWizardWithColor(cmd.InOrStdin(), cmd.ErrOrStderr(), commandColorEnabled(cmd))
+	if nonInteractive || !wizard.Available() {
+		return "", fmt.Errorf("ledger create requires <name>")
+	}
+	value, err := wizard.Input("Ledger name", "default", false)
+	if err != nil {
+		return "", err
+	}
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return "", fmt.Errorf("ledger name is required")
+	}
+	fmt.Fprintln(cmd.OutOrStdout(), styledKeyValueLine(cmd, "Name", value))
+	return value, nil
+}
+
+func confirmLedgerCreate(cmd *cobra.Command, ledgerName string) (bool, error) {
+	nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag)
+	if err != nil {
+		return false, err
+	}
+	wizard := v4prompt.NewWizardWithColor(cmd.InOrStdin(), cmd.ErrOrStderr(), commandColorEnabled(cmd))
+	if nonInteractive || !wizard.Available() {
+		return false, fmt.Errorf("ledger create requires --confirm")
+	}
+	return wizard.Confirm(fmt.Sprintf("Create ledger %s?", ledgerName), "Create", "Cancel")
+}
+
+func newLedgerInfoCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use,
+		Aliases: aliases,
+		Short:   "Read ledger server info",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if deprecated {
+				fmt.Fprintf(cmd.ErrOrStderr(), "Command ledger %s has been deprecated, use ledger info\n", cmd.CalledAs())
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ReadInfoService{
+				Handlers: ledgercmd.SDKReadInfoHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureGetInfo,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context())
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerInfo(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	if deprecated {
+		command.Deprecated = "use ledger info"
+	}
+
+	return command
+}
+
+func newLedgerListCommand() *cobra.Command {
+	var pageSize int64
+	var cursor string
+	var includeDeleted bool
+	var sort string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List ledgers",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ListLedgersService{
+				Handlers: ledgercmd.SDKListLedgersHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureListLedgers,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ListLedgersInput{
+				PageSize:       pageSize,
+				Cursor:         cursor,
+				IncludeDeleted: includeDeleted,
+				Sort:           sort,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgers(cmd, output)
+		},
+	}
+
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().BoolVar(&includeDeleted, "include-deleted", false, "Include deleted ledgers")
+	command.Flags().StringVar(&sort, "sort", "", "Sort expression, formatted as <field>:<asc|desc>")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerStatsCommand() *cobra.Command {
+	var ledger string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "stats",
+		Aliases: []string{"st"},
+		Short:   "Read ledger stats",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ReadStatsService{
+				Handlers: ledgercmd.SDKReadStatsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureReadStats,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ReadStatsInput{Ledger: ledger})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerStats(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerTransactionsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "transactions",
+		Short: "Manage ledger transactions",
+	}
+	command.AddCommand(newLedgerTransactionsCountCommand())
+	command.AddCommand(newLedgerTransactionsDeleteMetadataCommand())
+	command.AddCommand(newLedgerTransactionsExplainCommand())
+	command.AddCommand(newLedgerTransactionsListCommand())
+	command.AddCommand(newLedgerTransactionsRevertCommand())
+	command.AddCommand(newLedgerTransactionsRunScriptCommand("run-script", nil, false))
+	command.AddCommand(newLedgerTransactionsRunScriptCommand("num", nil, true))
+	command.AddCommand(newLedgerTransactionsSendCommand(false))
+	command.AddCommand(newLedgerTransactionsSetMetadataCommand())
+	command.AddCommand(newLedgerTransactionsShowCommand())
+	return command
+}
+
+func newLedgerTransactionsExplainCommand() *cobra.Command {
+	var ledger string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:    "explain <transaction-id>",
+		Short:  "Explain a ledger transaction (requires ledger API v3+)",
+		Hidden: true,
+		Args:   cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			request := capabilities.VersionResolutionRequest{
+				Product:         ledgercmd.ProductLedger,
+				Feature:         ledgercmd.FeatureExplainTransaction,
+				HandlerVersions: []capabilities.APIVersion{"v3"},
+			}
+			if apiVersion != "" {
+				request.Policy = capabilities.VersionPolicyPinned
+				request.PinnedVersion = capabilities.APIVersion(apiVersion)
+			}
+			selected, err := rt.ResolveAPIVersion(cmd.Context(), request)
+			if err != nil {
+				var unsupported *capabilities.UnsupportedFeatureError
+				if errors.As(err, &unsupported) {
+					return fmt.Errorf("ledger transactions explain requires ledger API v3+; target ledger component %s supports %s",
+						unsupported.ComponentVersion,
+						strings.Join(apiVersionsToStrings(unsupported.Supported), ","),
+					)
+				}
+				return err
+			}
+			return fmt.Errorf("ledger transactions explain resolved %s for ledger %s transaction %s, but explainTransaction is not exposed by the current stack v3.2.4 spec or formance-sdk-go yet",
+				selected,
+				ledger,
+				args[0],
+			)
+		},
+	}
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	return command
+}
+
+func newLedgerTransactionsRunScriptCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var ledger string
+	var file string
+	var accountVars []string
+	var amountVars []string
+	var portionVars []string
+	var metadata []string
+	var timestamp string
+	var reference string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use,
+		Aliases: aliases,
+		Short:   "Execute a Numscript program on a ledger",
+		Args:    cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command ledger transactions num has been deprecated, use ledger transactions run-script --file <path>|-")
+			}
+			if file != "" && len(args) == 1 {
+				return fmt.Errorf("positional file and --file are mutually exclusive")
+			}
+			if file == "" && len(args) == 1 {
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use ledger transactions run-script --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("ledger transactions run-script requires --file <path>|-")
+			}
+			if !confirm {
+				return fmt.Errorf("ledger transactions run-script requires --confirm")
+			}
+
+			script, err := readLedgerCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			parsedAccountVars, err := parseKeyValueFlags(accountVars, "account-var")
+			if err != nil {
+				return err
+			}
+			parsedAmountVars, err := parseKeyValueFlags(amountVars, "amount-var")
+			if err != nil {
+				return err
+			}
+			parsedPortionVars, err := parseKeyValueFlags(portionVars, "portion-var")
+			if err != nil {
+				return err
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			parsedTimestamp, err := parseOptionalRFC3339(timestamp, "timestamp")
+			if err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.RunScriptService{
+				Handlers: ledgercmd.SDKRunScriptHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureCreateTransaction,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.RunScriptInput{
+				Ledger:      ledger,
+				Script:      string(script),
+				AccountVars: parsedAccountVars,
+				AmountVars:  parsedAmountVars,
+				PortionVars: parsedPortionVars,
+				Metadata:    parsedMetadata,
+				Reference:   reference,
+				Timestamp:   parsedTimestamp,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerSentTransaction(cmd, ledgercmd.SendTransactionOutput{
+				APIVersion:  output.APIVersion,
+				Transaction: output.Transaction,
+			})
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use ledger transactions run-script --file <path>|-"
+	}
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&file, "file", "", "Path to Numscript file or - for stdin")
+	command.Flags().StringSliceVar(&accountVars, "account-var", nil, "Numscript account variable as key=value")
+	command.Flags().StringSliceVar(&amountVars, "amount-var", nil, "Numscript amount variable as key=amount/asset")
+	command.Flags().StringSliceVar(&portionVars, "portion-var", nil, "Numscript portion variable as key=value")
+	command.Flags().StringSliceVar(&metadata, "metadata", nil, "Metadata key=value to apply")
+	command.Flags().StringVar(&timestamp, "timestamp", "", "Transaction timestamp (RFC3339)")
+	command.Flags().StringVar(&reference, "reference", "", "Transaction reference")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the transaction creation")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	return command
+}
+
+func newLedgerTransactionsSendCommand(deprecatedRootAlias bool) *cobra.Command {
+	var ledger string
+	var source string
+	var destination string
+	var amount string
+	var asset string
+	var reference string
+	var metadata []string
+	var confirm bool
+	var apiVersion string
+
+	argsValidator := cobra.NoArgs
+	if deprecatedRootAlias {
+		argsValidator = func(_ *cobra.Command, args []string) error {
+			if len(args) == 0 || len(args) == 3 || len(args) == 4 {
+				return nil
+			}
+			return fmt.Errorf("ledger send accepts either flags or [source] <destination> <amount> <asset>")
+		}
+	}
+
+	command := &cobra.Command{
+		Use:   "send",
+		Short: "Send from one ledger account to another",
+		Args:  argsValidator,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecatedRootAlias {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command ledger send has been deprecated, use ledger transactions send")
+			}
+			if deprecatedRootAlias && len(args) > 0 {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional ledger send arguments have been deprecated, use ledger transactions send with explicit flags")
+				if len(args) == 3 {
+					source = "world"
+					destination = args[0]
+					amount = args[1]
+					asset = args[2]
+				} else {
+					source = args[0]
+					destination = args[1]
+					amount = args[2]
+					asset = args[3]
+				}
+			}
+			if !confirm {
+				return fmt.Errorf("ledger transactions send requires --confirm")
+			}
+
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.SendTransactionService{
+				Handlers: ledgercmd.SDKSendTransactionHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureCreateTransaction,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.SendTransactionInput{
+				Ledger:      ledger,
+				Source:      source,
+				Destination: destination,
+				Amount:      amount,
+				Asset:       asset,
+				Reference:   reference,
+				Metadata:    parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerSentTransaction(cmd, output)
+		},
+	}
+	if deprecatedRootAlias {
+		command.Aliases = []string{"s"}
+		command.Deprecated = "use ledger transactions send"
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&source, "source", "", "Source account")
+	command.Flags().StringVar(&destination, "destination", "", "Destination account")
+	command.Flags().StringVar(&amount, "amount", "", "Amount to send")
+	command.Flags().StringVar(&asset, "asset", "", "Asset to send")
+	command.Flags().StringVar(&reference, "reference", "", "Transaction reference")
+	command.Flags().StringSliceVar(&metadata, "metadata", nil, "Metadata key=value to apply")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the transaction creation")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerVolumesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "volumes",
+		Short: "Manage ledger volumes",
+	}
+	command.AddCommand(newLedgerVolumesListCommand())
+	return command
+}
+
+func newLedgerVolumesListCommand() *cobra.Command {
+	var ledger string
+	var pageSize int64
+	var cursor string
+	var account string
+	var metadata []string
+	var startTime string
+	var endTime string
+	var useInsertionDate bool
+	var groupBy int64
+	var sort string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List ledger volumes and balances",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if cmd.Flags().Changed("address") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --address has been deprecated, use --account")
+			}
+			if cmd.Flags().Changed("oot") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --oot has been deprecated, use --start-time")
+			}
+			if cmd.Flags().Changed("pit") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --pit has been deprecated, use --end-time")
+			}
+			if cmd.Flags().Changed("insertion-date") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --insertion-date has been deprecated, use --use-insertion-date")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			parsedStartTime, err := parseOptionalRFC3339(startTime, "start-time")
+			if err != nil {
+				return err
+			}
+			parsedEndTime, err := parseOptionalRFC3339(endTime, "end-time")
+			if err != nil {
+				return err
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ListVolumesService{
+				Handlers: ledgercmd.SDKListVolumesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureGetVolumesWithBalances,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ListVolumesInput{
+				Ledger:           ledger,
+				PageSize:         pageSize,
+				Cursor:           cursor,
+				Account:          account,
+				Metadata:         parsedMetadata,
+				StartTime:        parsedStartTime,
+				EndTime:          parsedEndTime,
+				UseInsertionDate: useInsertionDate,
+				GroupBy:          groupBy,
+				Sort:             sort,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerVolumes(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().Int64Var(&pageSize, "page-size", 10, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&account, "account", "", "Filter by account address")
+	command.Flags().StringVar(&account, "address", "", "Deprecated alias for --account")
+	command.Flags().StringSliceVar(&metadata, "metadata", nil, "Filter by metadata key=value")
+	command.Flags().StringVar(&startTime, "start-time", "", "Origin of time in RFC3339 format")
+	command.Flags().StringVar(&startTime, "oot", "", "Deprecated alias for --start-time")
+	command.Flags().StringVar(&endTime, "end-time", "", "Point in time in RFC3339 format")
+	command.Flags().StringVar(&endTime, "pit", "", "Deprecated alias for --end-time")
+	command.Flags().BoolVar(&useInsertionDate, "use-insertion-date", false, "Use insertion date")
+	command.Flags().BoolVar(&useInsertionDate, "insertion-date", false, "Deprecated alias for --use-insertion-date")
+	command.Flags().Int64Var(&groupBy, "group-by", 0, "Group by address segment level")
+	command.Flags().StringVar(&sort, "sort", "", "Sort expression, formatted as <field>:<asc|desc>")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	_ = command.Flags().MarkDeprecated("address", "use --account")
+	_ = command.Flags().MarkDeprecated("oot", "use --start-time")
+	_ = command.Flags().MarkDeprecated("pit", "use --end-time")
+	_ = command.Flags().MarkDeprecated("insertion-date", "use --use-insertion-date")
+
+	return command
+}
+
+func newLedgerTransactionsShowCommand() *cobra.Command {
+	var ledger string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "show <transaction-id>",
+		Aliases: []string{"sh"},
+		Short:   "Show a ledger transaction",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.GetTransactionService{
+				Handlers: ledgercmd.SDKGetTransactionHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureGetTransaction,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.GetTransactionInput{
+				Ledger:        ledger,
+				TransactionID: args[0],
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerTransaction(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerTransactionsListCommand() *cobra.Command {
+	var ledger string
+	var pageSize int64
+	var cursor string
+	var account string
+	var source string
+	var destination string
+	var reference string
+	var metadata []string
+	var start string
+	var end string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "list",
+		Short: "List ledger transactions",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if cmd.Flags().Changed("src") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --src has been deprecated, use --source")
+			}
+			if cmd.Flags().Changed("dst") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --dst has been deprecated, use --destination")
+			}
+			if cmd.Flags().Changed("start-time") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --start-time has been deprecated, use --start")
+			}
+			if cmd.Flags().Changed("end-time") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --end-time has been deprecated, use --end")
+			}
+
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			parsedStart, err := parseOptionalRFC3339(start, "start")
+			if err != nil {
+				return err
+			}
+			parsedEnd, err := parseOptionalRFC3339(end, "end")
+			if err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.ListTransactionsService{
+				Handlers: ledgercmd.SDKListTransactionsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureListTransactions,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.ListTransactionsInput{
+				Ledger:      ledger,
+				PageSize:    pageSize,
+				Cursor:      cursor,
+				Account:     account,
+				Source:      source,
+				Destination: destination,
+				Reference:   reference,
+				Metadata:    parsedMetadata,
+				StartTime:   parsedStart,
+				EndTime:     parsedEnd,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerTransactions(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&account, "account", "", "Filter by account")
+	command.Flags().StringVar(&source, "source", "", "Filter by source account")
+	command.Flags().StringVar(&source, "src", "", "Deprecated alias for --source")
+	command.Flags().StringVar(&destination, "destination", "", "Filter by destination account")
+	command.Flags().StringVar(&destination, "dst", "", "Deprecated alias for --destination")
+	command.Flags().StringVar(&reference, "reference", "", "Filter by reference")
+	command.Flags().StringSliceVar(&metadata, "metadata", nil, "Filter by metadata key=value")
+	command.Flags().StringVar(&start, "start", "", "Filter transactions after this RFC3339 timestamp")
+	command.Flags().StringVar(&start, "start-time", "", "Deprecated alias for --start")
+	command.Flags().StringVar(&end, "end", "", "Filter transactions before this RFC3339 timestamp")
+	command.Flags().StringVar(&end, "end-time", "", "Deprecated alias for --end")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	_ = command.Flags().MarkDeprecated("src", "use --source")
+	_ = command.Flags().MarkDeprecated("dst", "use --destination")
+	_ = command.Flags().MarkDeprecated("start-time", "use --start")
+	_ = command.Flags().MarkDeprecated("end-time", "use --end")
+
+	return command
+}
+
+func newLedgerTransactionsCountCommand() *cobra.Command {
+	var ledger string
+	var account string
+	var source string
+	var destination string
+	var reference string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "count",
+		Short: "Count ledger transactions",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if cmd.Flags().Changed("src") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --src has been deprecated, use --source")
+			}
+			if cmd.Flags().Changed("dst") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --dst has been deprecated, use --destination")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.CountTransactionsService{
+				Handlers: ledgercmd.SDKCountTransactionsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureCountTransactions,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.CountTransactionsInput{
+				Ledger:      ledger,
+				Account:     account,
+				Source:      source,
+				Destination: destination,
+				Reference:   reference,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerTransactionsCount(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().StringVar(&account, "account", "", "Filter by account")
+	command.Flags().StringVar(&source, "source", "", "Filter by source account")
+	command.Flags().StringVar(&source, "src", "", "Deprecated alias for --source")
+	command.Flags().StringVar(&destination, "destination", "", "Filter by destination account")
+	command.Flags().StringVar(&destination, "dst", "", "Deprecated alias for --destination")
+	command.Flags().StringVar(&reference, "reference", "", "Filter by reference")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+	_ = command.Flags().MarkDeprecated("src", "use --source")
+	_ = command.Flags().MarkDeprecated("dst", "use --destination")
+
+	return command
+}
+
+func newLedgerTransactionsSetMetadataCommand() *cobra.Command {
+	var ledger string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "set-metadata <transaction-id> <key=value>...",
+		Aliases: []string{"sm", "set-meta"},
+		Short:   "Set metadata on a ledger transaction",
+		Args:    cobra.MinimumNArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger transactions set-metadata requires --confirm")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			metadata, err := parseMetadataFlags(args[1:])
+			if err != nil {
+				return err
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.AddTransactionMetadataService{
+				Handlers: ledgercmd.SDKAddTransactionMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureAddTransactionMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.AddTransactionMetadataInput{
+				Ledger:        ledger,
+				TransactionID: args[0],
+				Metadata:      metadata,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerTransactionMetadataSet(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the metadata update")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerTransactionsDeleteMetadataCommand() *cobra.Command {
+	var ledger string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "delete-metadata <transaction-id> <key>",
+		Aliases: []string{"dm", "del-meta"},
+		Short:   "Delete metadata from a ledger transaction",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger transactions delete-metadata requires --confirm")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.DeleteTransactionMetadataService{
+				Handlers: ledgercmd.SDKDeleteTransactionMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureDeleteTransactionMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.DeleteTransactionMetadataInput{
+				Ledger:        ledger,
+				TransactionID: args[0],
+				Key:           args[1],
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerTransactionMetadataDeleted(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the metadata deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func newLedgerTransactionsRevertCommand() *cobra.Command {
+	var ledger string
+	var atEffectiveDate bool
+	var force bool
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "revert <transaction-id>",
+		Short: "Revert a ledger transaction",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("ledger transactions revert requires --confirm")
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if ledger == "" {
+				ledger = rt.Context.Defaults["ledger"]
+			}
+			if ledger == "" {
+				ledger = "default"
+			}
+
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := ledgercmd.RevertTransactionService{
+				Handlers: ledgercmd.SDKRevertTransactionHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         ledgercmd.ProductLedger,
+						Feature:         ledgercmd.FeatureRevertTransaction,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), ledgercmd.RevertTransactionInput{
+				Ledger:          ledger,
+				TransactionID:   args[0],
+				AtEffectiveDate: atEffectiveDate,
+				Force:           force,
+			})
+			if err != nil {
+				return err
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderLedgerRevertedTransaction(cmd, output)
+		},
+	}
+
+	command.Flags().StringVar(&ledger, "ledger", "", "Ledger name")
+	command.Flags().BoolVar(&atEffectiveDate, "at-effective-date", false, "Revert at the original transaction effective date")
+	command.Flags().BoolVar(&force, "force", false, "Force revert and bypass ledger checks when supported")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm the transaction revert")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin ledger API version")
+
+	return command
+}
+
+func renderLedgers(cmd *cobra.Command, output ledgercmd.ListLedgersOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Ledgers) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No ledgers found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Ledgers))
+	for _, ledger := range output.Ledgers {
+		rows = append(rows, []string{
+			ledger.Name,
+			ledger.Bucket,
+			ledger.AddedAt.Format(time.RFC3339),
+		})
+	}
+	return writeStyledTable(cmd, []string{"Name", "Bucket", "Created at"}, rows)
+}
+
+func renderLedgerAccounts(cmd *cobra.Command, output ledgercmd.ListAccountsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Accounts) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No accounts found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Accounts))
+	for _, account := range output.Accounts {
+		rows = append(rows, []string{account.Address})
+	}
+	return writeStyledTable(cmd, []string{"Address"}, rows)
+}
+
+func renderLedgerAccount(cmd *cobra.Command, output ledgercmd.GetAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if err := writeStyledKeyValueRows(cmd, [][]string{{"Address", output.Account.Address}}); err != nil {
+		return err
+	}
+	if len(output.Account.Volumes) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No volumes."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Account.Volumes))
+	for asset, volume := range output.Account.Volumes {
+		rows = append(rows, []string{asset, volume.Input, volume.Output, volume.Balance})
+	}
+	return writeStyledTable(cmd, []string{"Asset", "Input", "Output", "Balance"}, rows)
+}
+
+func renderLedgerAccountQuery(cmd *cobra.Command, output ledgercmd.RunAccountQueryOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if err := writeStyledKeyValueRows(cmd, [][]string{{"Query", output.QueryID}}); err != nil {
+		return err
+	}
+	if len(output.Accounts) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No accounts found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Accounts))
+	for _, account := range output.Accounts {
+		rows = append(rows, []string{account.Address})
+	}
+	if err := writeStyledTable(cmd, []string{"Address"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderLedgerAccountMetadataSet(cmd *cobra.Command, output ledgercmd.AddAccountMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Metadata added."))
+	return err
+}
+
+func renderLedgerAccountMetadataDeleted(cmd *cobra.Command, output ledgercmd.DeleteAccountMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Metadata deleted."))
+	return err
+}
+
+func renderLedgerCreated(cmd *cobra.Command, output ledgercmd.CreateLedgerOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Ledger %s created.", output.Name)))
+	return err
+}
+
+func renderLedgerExported(cmd *cobra.Command, output ledgercmd.ExportLogsOutput, file string) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Ledger %s exported to %s.", output.Ledger, file)))
+	return err
+}
+
+func renderLedgerImported(cmd *cobra.Command, output ledgercmd.ImportLogsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Ledger %s imported.", output.Ledger)))
+	return err
+}
+
+func renderLedgerSchemas(cmd *cobra.Command, output ledgercmd.ListSchemasOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Schemas) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No schemas found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Schemas))
+	for _, schema := range output.Schemas {
+		rows = append(rows, []string{
+			schema.Version,
+			schema.CreatedAt.Format(time.RFC3339),
+			fmt.Sprintf("%d", schema.ChartSegments),
+			fmt.Sprintf("%d", schema.QueryTemplates),
+			fmt.Sprintf("%d", schema.TransactionModels),
+		})
+	}
+	if err := writeStyledTable(cmd, []string{"Version", "Created at", "Chart segments", "Query templates", "Transaction models"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderLedgerSchema(cmd *cobra.Command, output ledgercmd.GetSchemaOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	return writeStyledKeyValueRows(cmd, [][]string{
+		{"Version", output.Schema.Version},
+		{"Created at", output.Schema.CreatedAt.Format(time.RFC3339)},
+		{"Chart segments", fmt.Sprintf("%d", len(output.Schema.Chart))},
+		{"Query templates", fmt.Sprintf("%d", len(output.Schema.Queries))},
+		{"Transaction models", fmt.Sprintf("%d", len(output.Schema.Transactions))},
+	})
+}
+
+func renderLedgerSchemaInserted(cmd *cobra.Command, output ledgercmd.InsertSchemaOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Schema %s inserted in ledger %s.", output.Version, output.Ledger)))
+	return err
+}
+
+func renderLedgerMetadataSet(cmd *cobra.Command, output ledgercmd.UpdateLedgerMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Metadata added."))
+	return err
+}
+
+func renderLedgerMetadataDeleted(cmd *cobra.Command, output ledgercmd.DeleteLedgerMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Metadata deleted."))
+	return err
+}
+
+func renderLedgerInfo(cmd *cobra.Command, output ledgercmd.ReadInfoOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	return writeStyledKeyValueRows(cmd, [][]string{
+		{"Server", output.Server},
+		{"Version", output.Version},
+	})
+}
+
+func renderLedgerStats(cmd *cobra.Command, output ledgercmd.ReadStatsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	return writeStyledKeyValueRows(cmd, [][]string{
+		{"Transactions", output.Transactions},
+		{"Accounts", fmt.Sprintf("%d", output.Accounts)},
+	})
+}
+
+func renderLedgerTransactions(cmd *cobra.Command, output ledgercmd.ListTransactionsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Transactions) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No transactions found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Transactions))
+	for _, transaction := range output.Transactions {
+		reference := ""
+		if transaction.Reference != nil {
+			reference = *transaction.Reference
+		}
+		rows = append(rows, []string{
+			transaction.ID,
+			reference,
+			transaction.Timestamp.Format(time.RFC3339),
+		})
+	}
+	return writeStyledTable(cmd, []string{"ID", "Reference", "Timestamp"}, rows)
+}
+
+func renderLedgerTransactionsCount(cmd *cobra.Command, output ledgercmd.CountTransactionsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	return writeStyledKeyValueRows(cmd, [][]string{{"Count", fmt.Sprintf("%d", output.Count)}})
+}
+
+func renderLedgerSentTransaction(cmd *cobra.Command, output ledgercmd.SendTransactionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	reference := ""
+	if output.Transaction.Reference != nil {
+		reference = *output.Transaction.Reference
+	}
+	return renderLedgerTransactionSummary(cmd, output.Transaction.ID, reference, output.Transaction.Timestamp)
+}
+
+func renderLedgerTransactionMetadataSet(cmd *cobra.Command, output ledgercmd.AddTransactionMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Metadata added."))
+	return err
+}
+
+func renderLedgerTransactionMetadataDeleted(cmd *cobra.Command, output ledgercmd.DeleteTransactionMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Metadata deleted."))
+	return err
+}
+
+func renderLedgerTransaction(cmd *cobra.Command, output ledgercmd.GetTransactionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	reference := ""
+	if output.Transaction.Reference != nil {
+		reference = *output.Transaction.Reference
+	}
+	return renderLedgerTransactionSummary(cmd, output.Transaction.ID, reference, output.Transaction.Timestamp)
+}
+
+func renderLedgerRevertedTransaction(cmd *cobra.Command, output ledgercmd.RevertTransactionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	reference := ""
+	if output.Transaction.Reference != nil {
+		reference = *output.Transaction.Reference
+	}
+	return renderLedgerTransactionSummary(cmd, output.Transaction.ID, reference, output.Transaction.Timestamp)
+}
+
+func renderLedgerVolumes(cmd *cobra.Command, output ledgercmd.ListVolumesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Volumes) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No volumes found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Volumes))
+	for _, volume := range output.Volumes {
+		rows = append(rows, []string{volume.Account, volume.Asset, volume.Input, volume.Output, volume.Balance})
+	}
+	return writeStyledTable(cmd, []string{"Account", "Asset", "Input", "Output", "Balance"}, rows)
+}
+
+func renderLedgerTransactionSummary(cmd *cobra.Command, id string, reference string, timestamp time.Time) error {
+	return writeStyledKeyValueRows(cmd, [][]string{
+		{"ID", id},
+		{"Reference", reference},
+		{"Timestamp", timestamp.Format(time.RFC3339)},
+	})
+}
+
+func parseMetadataFlags(values []string) (map[string]string, error) {
+	return parseKeyValueFlags(values, "metadata")
+}
+
+func parseMetadataFile(cmd *cobra.Command, file string) (map[string]string, error) {
+	if file == "" {
+		return nil, nil
+	}
+	data, err := readLedgerCommandFile(cmd, file)
+	if err != nil {
+		return nil, err
+	}
+	var metadata map[string]string
+	if err := json.Unmarshal(data, &metadata); err != nil {
+		return nil, fmt.Errorf("parse metadata file: %w", err)
+	}
+	if len(metadata) == 0 {
+		return nil, nil
+	}
+	return metadata, nil
+}
+
+func readLedgerCommandFile(cmd *cobra.Command, file string) ([]byte, error) {
+	if file == "-" {
+		return io.ReadAll(cmd.InOrStdin())
+	}
+	return os.ReadFile(file)
+}
+
+func parseKeyValueFlags(values []string, name string) (map[string]string, error) {
+	if len(values) == 0 {
+		return nil, nil
+	}
+	ret := map[string]string{}
+	for _, value := range values {
+		if value == "" {
+			continue
+		}
+		key, val, ok := strings.Cut(value, "=")
+		if !ok || key == "" {
+			return nil, fmt.Errorf("%s must use key=value format", name)
+		}
+		ret[key] = val
+	}
+	if len(ret) == 0 {
+		return nil, nil
+	}
+	return ret, nil
+}
+
+func parseOptionalRFC3339(value string, name string) (*time.Time, error) {
+	if value == "" {
+		return nil, nil
+	}
+	parsed, err := time.Parse(time.RFC3339Nano, value)
+	if err != nil {
+		return nil, fmt.Errorf("parsing %s: %w", name, err)
+	}
+	return &parsed, nil
+}
diff --git a/v4/cmd/login.go b/v4/cmd/login.go
new file mode 100644
index 00000000..6f6c50df
--- /dev/null
+++ b/v4/cmd/login.go
@@ -0,0 +1,575 @@
+package cmd
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	v4auth "github.com/formancehq/fctl/v4/internal/auth"
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	v4prompt "github.com/formancehq/fctl/v4/internal/prompt"
+)
+
+const (
+	loginTargetCloud      = "cloud"
+	loginTargetEE         = "ee"
+	loginTargetOpenSource = "open-source"
+	defaultProfileName    = "default"
+)
+
+var loginOpenURL = v4auth.OpenURL
+
+func newLoginCommand() *cobra.Command {
+	var target string
+	var membershipURL string
+	var stackURL string
+	var issuerURL string
+	var clientID string
+	var clientSecret string
+	var clientSecretStdin bool
+	var defaultLedger string
+
+	command := &cobra.Command{
+		Use:   "login",
+		Short: "Connect fctl to Formance Cloud, Enterprise, or an open-source stack",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			input, err := newLoginInput(cmd)
+			if err != nil {
+				return err
+			}
+			if target == "" {
+				if nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag); err != nil {
+					return err
+				} else if nonInteractive {
+					return fmt.Errorf("login requires --target in non-interactive mode")
+				}
+				target, err = input.chooseTarget(cmd)
+				if err != nil {
+					return err
+				}
+			}
+			normalizedTarget, err := normalizeLoginTarget(target)
+			if err != nil {
+				return err
+			}
+
+			profileName, err := selectedProfileNameForLogin(cmd)
+			if err != nil {
+				return err
+			}
+			organization, stack, err := organizationAndStackFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+
+			cfg, path, err := loadConfig(cmd, true)
+			if err != nil {
+				return err
+			}
+			if cfg.Contexts == nil {
+				cfg.Contexts = map[string]v4config.Context{}
+			}
+
+			context, err := loginContextForTarget(cmd, input, loginContextInput{
+				Target:            normalizedTarget,
+				MembershipURL:     membershipURL,
+				StackURL:          stackURL,
+				Organization:      organization,
+				Stack:             stack,
+				DefaultLedger:     defaultLedger,
+				IssuerURL:         issuerURL,
+				ClientID:          clientID,
+				ClientSecret:      clientSecret,
+				ClientSecretStdin: clientSecretStdin,
+				ProfileName:       profileName,
+			})
+			if err != nil {
+				return err
+			}
+
+			cfg.Contexts[profileName] = context
+			cfg.CurrentContext = profileName
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: profileName, Current: true, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Logged in with profile %s.", profileName)))
+			return err
+		},
+	}
+	command.Flags().StringVar(&target, "target", "", "Target type (cloud, ee, open-source)")
+	command.Flags().StringVar(&membershipURL, "membership-url", "", "Cloud or Enterprise membership URL")
+	command.Flags().StringVar(&stackURL, "stack-url", "", "Open-source stack API URL")
+	command.Flags().StringVar(&issuerURL, "issuer-url", "", "OIDC issuer URL for token exchange")
+	command.Flags().StringVar(&clientID, "client-id", "", "OAuth client ID")
+	command.Flags().StringVar(&clientSecret, "client-secret", "", "OAuth client secret")
+	command.Flags().BoolVar(&clientSecretStdin, "client-secret-stdin", false, "Read OAuth client secret from stdin")
+	command.Flags().StringVar(&defaultLedger, "default-ledger", "", "Default ledger for this profile")
+	return command
+}
+
+type loginContextInput struct {
+	Target            string
+	MembershipURL     string
+	StackURL          string
+	Organization      string
+	Stack             string
+	DefaultLedger     string
+	IssuerURL         string
+	ClientID          string
+	ClientSecret      string
+	ClientSecretStdin bool
+	ProfileName       string
+}
+
+func loginContextForTarget(cmd *cobra.Command, input loginInput, options loginContextInput) (v4config.Context, error) {
+	switch options.Target {
+	case loginTargetCloud:
+		if options.MembershipURL == "" {
+			options.MembershipURL = v4config.DefaultCloudURL
+		}
+		return platformLoginContext(cmd, input, options)
+	case loginTargetEE:
+		if options.MembershipURL == "" {
+			if input.nonInteractive {
+				return v4config.Context{}, fmt.Errorf("login ee requires --membership-url")
+			}
+			membershipURL, err := input.prompt(cmd, "Membership URL")
+			if err != nil {
+				return v4config.Context{}, err
+			}
+			options.MembershipURL = membershipURL
+			input.report(cmd, "Membership URL", options.MembershipURL)
+		}
+		return platformLoginContext(cmd, input, options)
+	case loginTargetOpenSource:
+		if options.StackURL == "" {
+			if input.nonInteractive {
+				return v4config.Context{}, fmt.Errorf("login open-source requires --stack-url")
+			}
+			stackURL, err := input.prompt(cmd, "Stack URL")
+			if err != nil {
+				return v4config.Context{}, err
+			}
+			options.StackURL = stackURL
+			input.report(cmd, "Stack URL", options.StackURL)
+		}
+		if options.StackURL == "" {
+			return v4config.Context{}, fmt.Errorf("login open-source requires --stack-url")
+		}
+		auth, err := authFromLoginOptions(cmd, input, options, false)
+		if err != nil {
+			return v4config.Context{}, err
+		}
+		return v4config.Context{
+			Kind:     v4config.ContextKindStack,
+			StackURL: options.StackURL,
+			Auth:     auth,
+			Defaults: defaultsFromLogin(options.DefaultLedger),
+			API:      map[string]string{"ledger": string(v4config.APIPolicyLatestCompatible)},
+		}, nil
+	default:
+		return v4config.Context{}, fmt.Errorf("unsupported login target %q", options.Target)
+	}
+}
+
+func platformLoginContext(cmd *cobra.Command, input loginInput, options loginContextInput) (v4config.Context, error) {
+	if options.MembershipURL == "" {
+		return v4config.Context{}, fmt.Errorf("login %s requires --membership-url", options.Target)
+	}
+	auth, err := authFromLoginOptions(cmd, input, options, true)
+	if err != nil {
+		return v4config.Context{}, err
+	}
+	kind := v4config.ContextKindCloud
+	if options.Stack != "" {
+		kind = v4config.ContextKindCloudStack
+	}
+	context := v4config.Context{
+		Kind:         kind,
+		CloudURL:     options.MembershipURL,
+		Organization: options.Organization,
+		Stack:        options.Stack,
+		Auth:         auth,
+		Defaults:     defaultsFromLogin(options.DefaultLedger),
+		API:          map[string]string{"ledger": string(v4config.APIPolicyLatestCompatible)},
+	}
+	if kind == v4config.ContextKindCloudStack && context.Organization == "" {
+		return v4config.Context{}, fmt.Errorf("login with --stack requires --organization")
+	}
+	return context, nil
+}
+
+func authFromLoginOptions(cmd *cobra.Command, input loginInput, options loginContextInput, platform bool) (v4config.Auth, error) {
+	if platform && options.ClientID == "" && options.ClientSecret == "" && !options.ClientSecretStdin {
+		authMethod, err := input.choosePlatformAuth(cmd)
+		if err != nil {
+			return v4config.Auth{}, err
+		}
+		switch authMethod {
+		case "1", "browser", "browser/device login", "device":
+			return cloudDeviceAuthFromLoginOptions(cmd, options)
+		case "2", "client credentials", "client-credentials":
+			clientID, err := input.prompt(cmd, "Client ID")
+			if err != nil {
+				return v4config.Auth{}, err
+			}
+			clientSecret, err := input.secretPrompt(cmd, "Client secret")
+			if err != nil {
+				return v4config.Auth{}, err
+			}
+			options.ClientID = clientID
+			input.report(cmd, "Client ID", options.ClientID)
+			options.ClientSecret = clientSecret
+		default:
+			return v4config.Auth{}, fmt.Errorf("unsupported authentication choice %q", authMethod)
+		}
+	}
+
+	if options.ClientID != "" || options.ClientSecret != "" || options.ClientSecretStdin {
+		if options.ClientSecret != "" && options.ClientSecretStdin {
+			return v4config.Auth{}, fmt.Errorf("--client-secret and --client-secret-stdin are mutually exclusive")
+		}
+		if options.ClientID == "" {
+			return v4config.Auth{}, fmt.Errorf("login client credentials requires --client-id")
+		}
+		issuerURL := options.IssuerURL
+		if issuerURL == "" {
+			issuerURL = options.MembershipURL
+		}
+		if issuerURL == "" {
+			return v4config.Auth{}, fmt.Errorf("login client credentials requires --issuer-url")
+		}
+		secret := options.ClientSecret
+		if options.ClientSecretStdin {
+			data, err := io.ReadAll(cmd.InOrStdin())
+			if err != nil {
+				return v4config.Auth{}, err
+			}
+			secret = strings.TrimSpace(string(data))
+		}
+		if secret == "" {
+			return v4config.Auth{}, fmt.Errorf("login client credentials requires --client-secret or --client-secret-stdin")
+		}
+		ref := "contexts/" + options.ProfileName + "/client-secret"
+		store, err := persistentCredentialStoreFromCommand(cmd)
+		if err != nil {
+			return v4config.Auth{}, err
+		}
+		if err := store.Set(cmd.Context(), ref, secret); err != nil {
+			return v4config.Auth{}, err
+		}
+		return v4config.Auth{
+			Method:    v4config.AuthMethodClientCredentials,
+			IssuerURL: issuerURL,
+			ClientID:  options.ClientID,
+			SecretRef: ref,
+			Scopes:    clientCredentialsScopesForPlatform(platform),
+		}, nil
+	}
+
+	if platform {
+		return cloudDeviceAuthFromLoginOptions(cmd, options)
+	}
+	return v4config.Auth{Method: v4config.AuthMethodNone}, nil
+}
+
+func cloudDeviceAuthFromLoginOptions(cmd *cobra.Command, options loginContextInput) (v4config.Auth, error) {
+	store, err := persistentCredentialStoreFromCommand(cmd)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	authOptions, err := authOptionsFromCommand(cmd)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	tokens, err := v4auth.DeviceLogin(cmd.Context(), v4auth.DeviceLoginOptions{
+		IssuerURL:  options.MembershipURL,
+		ClientID:   v4auth.DeviceClientID,
+		Scopes:     cloudDeviceLoginScopes(),
+		Prompt:     []string{"no-org"},
+		HTTPClient: authOptions.HTTPClient,
+		OpenURL:    loginOpenURL,
+		Out:        cmd.OutOrStdout(),
+	})
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	ref := "contexts/" + options.ProfileName + "/root-tokens"
+	encoded, err := v4auth.MarshalDeviceTokens(tokens)
+	if err != nil {
+		return v4config.Auth{}, err
+	}
+	if err := store.Set(cmd.Context(), ref, encoded); err != nil {
+		return v4config.Auth{}, err
+	}
+	return v4config.Auth{
+		Method:    v4config.AuthMethodCloudDevice,
+		IssuerURL: options.MembershipURL,
+		TokenRef:  ref,
+		Account:   v4auth.EmailFromIDToken(tokens.IDToken),
+	}, nil
+}
+
+func cloudDeviceLoginScopes() []string {
+	return []string{"openid", "offline_access", "accesses", "on_behalf"}
+}
+
+func defaultsFromLogin(defaultLedger string) map[string]string {
+	if defaultLedger == "" {
+		return nil
+	}
+	return map[string]string{"ledger": defaultLedger}
+}
+
+func newLogoutCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "logout",
+		Short: "Clear authentication from the selected profile",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, path, name, context, err := selectedContextForSession(cmd)
+			if err != nil {
+				return err
+			}
+			store, err := credentialStoreFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			deleteCredentialRef(cmd, store, context.Auth.TokenRef)
+			deleteCredentialRef(cmd, store, context.Auth.SecretRef)
+			context.Auth = v4config.Auth{Method: v4config.AuthMethodNone}
+			cfg.Contexts[name] = context
+			if err := v4config.SaveFile(path, cfg); err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, contextShowOutput{Name: name, Current: true, Context: context}); handled || err != nil {
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Logged out from profile %s.", name)))
+			return err
+		},
+	}
+}
+
+func newWhoamiCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "whoami",
+		Short: "Show the selected profile and authentication state",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, _, name, context, err := selectedContextForSession(cmd)
+			if err != nil {
+				return err
+			}
+			output := contextShowOutput{Name: name, Current: name == cfg.CurrentContext, Context: context}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			rows := []styledKeyValue{
+				{Label: "Profile", Value: name},
+				{Label: "Target", Value: string(context.Kind)},
+				{Label: "Auth", Value: string(context.Auth.Method)},
+			}
+			if context.Organization != "" {
+				rows = append(rows, styledKeyValue{Label: "Organization", Value: context.Organization})
+			}
+			if context.Stack != "" {
+				rows = append(rows, styledKeyValue{Label: "Stack", Value: context.Stack})
+			}
+			return writeStyledKeyValues(cmd, rows...)
+		},
+	}
+}
+
+type loginInput struct {
+	reader         *bufio.Reader
+	wizard         v4prompt.Wizard
+	nonInteractive bool
+}
+
+func newLoginInput(cmd *cobra.Command) (loginInput, error) {
+	nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag)
+	if err != nil {
+		return loginInput{}, err
+	}
+	noColor, err := cmd.Root().PersistentFlags().GetBool(noColorFlag)
+	if err != nil {
+		return loginInput{}, err
+	}
+
+	in := cmd.InOrStdin()
+	input := loginInput{
+		reader:         bufio.NewReader(in),
+		nonInteractive: nonInteractive,
+	}
+	if !nonInteractive && !noColor {
+		input.wizard = v4prompt.NewWizardWithColor(in, cmd.ErrOrStderr(), true)
+	} else if !nonInteractive {
+		input.wizard = v4prompt.NewWizardWithColor(in, cmd.ErrOrStderr(), false)
+	}
+	return input, nil
+}
+
+func (i loginInput) chooseTarget(cmd *cobra.Command) (string, error) {
+	if i.wizard.Available() {
+		selected, err := i.wizard.Select("What do you want to connect to?", []v4prompt.Choice{
+			{Title: "Formance Cloud", Value: loginTargetCloud},
+			{Title: "Formance EE Self-Hosted", Value: loginTargetEE},
+			{Title: "Formance Open Source / local", Value: loginTargetOpenSource},
+		})
+		if err != nil {
+			return "", err
+		}
+		i.report(cmd, "Target", loginTargetLabel(selected))
+		return selected, nil
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "What do you want to connect to?"); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "1. Formance Cloud"); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "2. Formance EE Self-Hosted"); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "3. Formance Open Source / local"); err != nil {
+		return "", err
+	}
+	answer, err := i.prompt(cmd, "Choice")
+	if err != nil {
+		return "", err
+	}
+	switch strings.TrimSpace(strings.ToLower(answer)) {
+	case "1", "cloud", "formance cloud":
+		i.report(cmd, "Target", loginTargetLabel(loginTargetCloud))
+		return loginTargetCloud, nil
+	case "2", "ee", "self-hosted", "enterprise":
+		i.report(cmd, "Target", loginTargetLabel(loginTargetEE))
+		return loginTargetEE, nil
+	case "3", "open-source", "oss", "local":
+		i.report(cmd, "Target", loginTargetLabel(loginTargetOpenSource))
+		return loginTargetOpenSource, nil
+	default:
+		return "", fmt.Errorf("unsupported login choice %q", answer)
+	}
+}
+
+func (i loginInput) choosePlatformAuth(cmd *cobra.Command) (string, error) {
+	if i.nonInteractive {
+		return "", fmt.Errorf("login requires --client-id/--client-secret in non-interactive mode")
+	}
+	if i.wizard.Available() {
+		selected, err := i.wizard.Select("How do you want to authenticate?", []v4prompt.Choice{
+			{Title: "Browser/device login", Value: "browser"},
+			{Title: "Client credentials", Value: "client-credentials"},
+		})
+		if err != nil {
+			return "", err
+		}
+		i.report(cmd, "Authentication", loginAuthLabel(selected))
+		return selected, nil
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "How do you want to authenticate?"); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "1. Browser/device login"); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), "2. Client credentials"); err != nil {
+		return "", err
+	}
+	answer, err := i.prompt(cmd, "Choice")
+	if err != nil {
+		return "", err
+	}
+	normalized := strings.TrimSpace(strings.ToLower(answer))
+	i.report(cmd, "Authentication", loginAuthLabel(normalized))
+	return normalized, nil
+}
+
+func (i loginInput) prompt(cmd *cobra.Command, label string) (string, error) {
+	return i.promptValue(cmd, label, "", false)
+}
+
+func (i loginInput) secretPrompt(cmd *cobra.Command, label string) (string, error) {
+	return i.promptValue(cmd, label, "", true)
+}
+
+func (i loginInput) promptValue(cmd *cobra.Command, label string, placeholder string, secret bool) (string, error) {
+	if i.nonInteractive {
+		return "", fmt.Errorf("%s is required in non-interactive mode", label)
+	}
+	if i.wizard.Available() {
+		return i.wizard.Input(label, placeholder, secret)
+	}
+	if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s: ", label); err != nil {
+		return "", err
+	}
+	value, err := i.reader.ReadString('\n')
+	if err != nil && err != io.EOF {
+		return "", err
+	}
+	return strings.TrimSpace(value), nil
+}
+
+func (i loginInput) report(cmd *cobra.Command, label string, value string) {
+	if i.nonInteractive || strings.TrimSpace(value) == "" {
+		return
+	}
+	fmt.Fprintln(cmd.OutOrStdout(), styledKeyValueLine(cmd, label, value))
+}
+
+func loginTargetLabel(target string) string {
+	switch target {
+	case loginTargetCloud:
+		return "Formance Cloud"
+	case loginTargetEE:
+		return "Formance EE Self-Hosted"
+	case loginTargetOpenSource:
+		return "Formance Open Source / local"
+	default:
+		return target
+	}
+}
+
+func loginAuthLabel(authMethod string) string {
+	switch strings.TrimSpace(strings.ToLower(authMethod)) {
+	case "1", "browser", "browser/device login", "device":
+		return "Browser/device login"
+	case "2", "client credentials", "client-credentials":
+		return "Client credentials"
+	default:
+		return authMethod
+	}
+}
+
+func normalizeLoginTarget(value string) (string, error) {
+	switch strings.TrimSpace(strings.ToLower(value)) {
+	case "cloud", "formance-cloud", "formance cloud":
+		return loginTargetCloud, nil
+	case "ee", "enterprise", "self-hosted", "selfhosted", "formance-ee":
+		return loginTargetEE, nil
+	case "open-source", "opensource", "oss", "local", "stack":
+		return loginTargetOpenSource, nil
+	default:
+		return "", fmt.Errorf("unsupported login target %q", value)
+	}
+}
+
+func selectedProfileNameForLogin(cmd *cobra.Command) (string, error) {
+	name, err := contextNameFromCommand(cmd)
+	if err != nil {
+		return "", err
+	}
+	if name == "" {
+		name = defaultProfileName
+	}
+	return name, nil
+}
diff --git a/v4/cmd/output.go b/v4/cmd/output.go
new file mode 100644
index 00000000..595742ef
--- /dev/null
+++ b/v4/cmd/output.go
@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/render"
+)
+
+func writeStructuredOutput(cmd *cobra.Command, value any) (bool, error) {
+	format, err := outputFormat(cmd)
+	if err != nil {
+		return false, err
+	}
+	switch format {
+	case "json":
+		return true, render.JSON(cmd.OutOrStdout(), value)
+	case "yaml":
+		return true, render.YAML(cmd.OutOrStdout(), value)
+	default:
+		return false, nil
+	}
+}
diff --git a/v4/cmd/payments.go b/v4/cmd/payments.go
new file mode 100644
index 00000000..dd6af49b
--- /dev/null
+++ b/v4/cmd/payments.go
@@ -0,0 +1,3063 @@
+package cmd
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"math/big"
+	"os"
+	"strings"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	paymentscmd "github.com/formancehq/fctl/v4/internal/commands/payments"
+)
+
+func newPaymentsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "payments",
+		Short: "Manage payments",
+	}
+	command.AddCommand(newPaymentsAccountsCommand())
+	command.AddCommand(newPaymentsBankAccountsCommand("bank-accounts", nil, false))
+	command.AddCommand(newPaymentsBankAccountsCommand("bank_accounts", []string{"bacc", "ba", "bac", "baccount"}, true))
+	command.AddCommand(newPaymentsConnectorsCommand())
+	command.AddCommand(newPaymentsPaymentsCommand())
+	command.AddCommand(newPaymentsPoolsCommand())
+	command.AddCommand(newPaymentsTasksCommand())
+	command.AddCommand(newPaymentsTransferInitiationCommand("transfer-initiation", []string{"ti"}, false))
+	command.AddCommand(newPaymentsTransferInitiationCommand("transfer_initiation", nil, true))
+	command.AddCommand(newPaymentsVersionsCommand())
+	return command
+}
+
+func newPaymentsVersionsCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "versions",
+		Short: "Show payments component and API versions",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			versions, err := rt.ComponentVersions(cmd.Context())
+			if err != nil {
+				return err
+			}
+			for _, version := range versions {
+				if version.Product != paymentscmd.ProductPayments {
+					continue
+				}
+				apiVersions, _ := rt.Compatibility.APIVersionsFor(version.Product, version.Version)
+				output := paymentsVersionsOutput{
+					Name:        string(version.Product),
+					Version:     version.Version,
+					Health:      version.Health,
+					APIVersions: apiVersionsToStrings(apiVersions),
+					APIPolicy:   string(rt.APIPolicyFor(version.Product)),
+				}
+				if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+					return err
+				}
+				health := "unhealthy"
+				if output.Health {
+					health = "healthy"
+				}
+				if terminalOutputEnabled(cmd) {
+					return writeStyledKeyValues(cmd,
+						styledKeyValue{Label: "Component", Value: output.Name},
+						styledKeyValue{Label: "Version", Value: output.Version},
+						styledKeyValue{Label: "Health", Value: health},
+						styledKeyValue{Label: "API", Value: fmt.Sprintf("%v", output.APIVersions)},
+						styledKeyValue{Label: "Policy", Value: output.APIPolicy},
+					)
+				}
+				_, err := fmt.Fprintf(cmd.OutOrStdout(), "%s %s %s api=%v policy=%s\n",
+					output.Name, output.Version, health, output.APIVersions, output.APIPolicy)
+				return err
+			}
+			return fmt.Errorf("payments component not found in target versions")
+		},
+	}
+}
+
+type paymentsVersionsOutput struct {
+	Name        string   `json:"name" yaml:"name"`
+	Version     string   `json:"version" yaml:"version"`
+	Health      bool     `json:"health" yaml:"health"`
+	APIVersions []string `json:"apiVersions" yaml:"apiVersions"`
+	APIPolicy   string   `json:"apiPolicy" yaml:"apiPolicy"`
+}
+
+func newPaymentsConnectorsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:     "connectors",
+		Aliases: []string{"connector", "co"},
+		Short:   "Manage payment connectors",
+	}
+	command.AddCommand(newPaymentsConnectorsInstallCommand())
+	command.AddCommand(newPaymentsConnectorsListCommand())
+	command.AddCommand(newPaymentsConnectorsConfigCommand())
+	command.AddCommand(newPaymentsConnectorsDeprecatedGetConfigCommand())
+	command.AddCommand(newPaymentsConnectorsDeprecatedUpdateConfigCommand())
+	command.AddCommand(newPaymentsConnectorsUninstallCommand())
+	return command
+}
+
+func newPaymentsConnectorsInstallCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "install <connector>",
+		Aliases: []string{"i"},
+		Short:   "Install a payment connector",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 1 || len(args) == 2 {
+				return nil
+			}
+			return fmt.Errorf("accepts 1 or 2 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments connectors install requires --confirm")
+			}
+			if len(args) == 2 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[1]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments connectors install <connector> --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments connectors install requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.InstallConnectorService{
+				Handlers: paymentscmd.SDKInstallConnectorHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureInstallConnector,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.InstallConnectorInput{
+				Connector: args[0],
+				Config:    data,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentConnectorInstalled(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm connector installation")
+	command.Flags().StringVar(&file, "file", "", "JSON connector config file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsConnectorsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List payment connectors",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ListConnectorsService{
+				Handlers: paymentscmd.SDKListConnectorsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureListConnectors,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListConnectorsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentConnectors(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsConnectorsConfigCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "config",
+		Short: "Manage payment connector configuration",
+	}
+	command.AddCommand(newPaymentsConnectorsConfigShowCommand("show", nil, false))
+	command.AddCommand(newPaymentsConnectorsConfigShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newPaymentsConnectorsConfigUpdateCommand("update", nil, false))
+	return command
+}
+
+func newPaymentsConnectorsConfigShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var provider string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <connector-id>",
+		Aliases: aliases,
+		Short:   "Show a payment connector configuration",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments connectors config get has been deprecated, use payments connectors config show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetConnectorConfigService{
+				Handlers: paymentscmd.SDKGetConnectorConfigHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetConnectorConfig,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetConnectorConfigInput{
+				ConnectorID: args[0],
+				Provider:    provider,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentConnectorConfig(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments connectors config show"
+	}
+	command.Flags().StringVar(&provider, "provider", "", "Connector provider, required only when pinned to payments API v1")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsConnectorsDeprecatedGetConfigCommand() *cobra.Command {
+	var connectorID string
+	var provider string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:        "get-config",
+		Short:      "Show a payment connector configuration",
+		Deprecated: "use payments connectors config show",
+		Args:       cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Command payments connectors get-config has been deprecated, use payments connectors config show <connector-id>")
+			if connectorID == "" {
+				return fmt.Errorf("payments connectors get-config requires --connector-id")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetConnectorConfigService{
+				Handlers: paymentscmd.SDKGetConnectorConfigHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetConnectorConfig,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetConnectorConfigInput{
+				ConnectorID: connectorID,
+				Provider:    provider,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentConnectorConfig(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&connectorID, "connector-id", "", "Connector ID")
+	command.Flags().StringVar(&provider, "provider", "", "Connector provider, required only when pinned to payments API v1")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsConnectorsConfigUpdateCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var confirm bool
+	var file string
+	var provider string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <connector-id>",
+		Aliases: aliases,
+		Short:   "Update a payment connector configuration",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 1 || len(args) == 2 {
+				return nil
+			}
+			return fmt.Errorf("accepts 1 or 2 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments connectors update-config has been deprecated, use payments connectors config update <connector-id> --file <path>|-")
+			}
+			if !confirm {
+				return fmt.Errorf("payments connectors config update requires --confirm")
+			}
+			if len(args) == 2 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[1]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments connectors config update <connector-id> --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments connectors config update requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.UpdateConnectorConfigService{
+				Handlers: paymentscmd.SDKUpdateConnectorConfigHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureUpdateConnectorConfig,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.UpdateConnectorConfigInput{
+				ConnectorID: args[0],
+				Provider:    provider,
+				Config:      data,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentConnectorConfigUpdated(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments connectors config update"
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm connector configuration update")
+	command.Flags().StringVar(&file, "file", "", "JSON connector config file, or - for stdin")
+	command.Flags().StringVar(&provider, "provider", "", "Connector provider, required for payments API v1 and used to infer a missing provider in v3 payloads")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsConnectorsDeprecatedUpdateConfigCommand() *cobra.Command {
+	var connectorID string
+	command := newPaymentsConnectorsConfigUpdateCommand("update-config <connector>", []string{"uc"}, true)
+	command.Use = "update-config <connector>"
+	command.Args = func(cmd *cobra.Command, args []string) error {
+		if len(args) == 1 || len(args) == 2 {
+			return nil
+		}
+		return fmt.Errorf("accepts 1 or 2 arg(s), received %d", len(args))
+	}
+	originalRunE := command.RunE
+	command.RunE = func(cmd *cobra.Command, args []string) error {
+		if connectorID == "" {
+			return fmt.Errorf("payments connectors update-config requires --connector-id")
+		}
+		providerFlag := cmd.Flags().Lookup("provider")
+		if providerFlag != nil && providerFlag.Value.String() == "" {
+			if err := cmd.Flags().Set("provider", args[0]); err != nil {
+				return err
+			}
+		}
+		args[0] = connectorID
+		return originalRunE(cmd, args)
+	}
+	command.Flags().StringVar(&connectorID, "connector-id", "", "Connector ID")
+	return command
+}
+
+func newPaymentsConnectorsUninstallCommand() *cobra.Command {
+	var confirm bool
+	var provider string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "uninstall <connector-id>",
+		Aliases: []string{"un", "u"},
+		Short:   "Uninstall a payment connector",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments connectors uninstall requires --confirm")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.UninstallConnectorService{
+				Handlers: paymentscmd.SDKUninstallConnectorHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureUninstallConnector,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.UninstallConnectorInput{
+				ConnectorID: args[0],
+				Provider:    provider,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentConnectorUninstalled(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm connector uninstall")
+	command.Flags().StringVar(&provider, "provider", "", "Connector provider, required only when pinned to payments API v1")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentConnectorInstalled(cmd *cobra.Command, output paymentscmd.InstallConnectorOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.ConnectorID != "" {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Connector %s installed with ID: %s", output.Connector, output.ConnectorID)))
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Connector %s installed.", output.Connector)))
+	return err
+}
+
+func renderPaymentConnectors(cmd *cobra.Command, output paymentscmd.ListConnectorsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Connectors) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No payment connectors found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Connectors))
+	for _, connector := range output.Connectors {
+		rows = append(rows, []string{connector.Provider, connector.Name, connector.ID})
+	}
+	if err := writeStyledRows(cmd, []string{"Provider", "Name", "ID"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPaymentConnectorConfig(cmd *cobra.Command, output paymentscmd.GetConnectorConfigOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	rows := []styledKeyValue{{Label: "Connector ID", Value: output.ConnectorID}}
+	if output.Provider != "" {
+		rows = append(rows, styledKeyValue{Label: "Provider", Value: output.Provider})
+	}
+	if err := writeStyledColonKeyValues(cmd, rows...); err != nil {
+		return err
+	}
+	formatted := output.Config
+	var indented bytes.Buffer
+	if err := json.Indent(&indented, output.Config, "", "  "); err == nil {
+		formatted = indented.Bytes()
+	}
+	_, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\n", formatted)
+	return err
+}
+
+func renderPaymentConnectorConfigUpdated(cmd *cobra.Command, output paymentscmd.UpdateConnectorConfigOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Connector %s config updated.", output.ConnectorID)))
+	return err
+}
+
+func renderPaymentConnectorUninstalled(cmd *cobra.Command, output paymentscmd.UninstallConnectorOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.TaskID != "" {
+		if err := writeStyledColonKeyValues(cmd, styledKeyValue{Label: "Task ID", Value: output.TaskID}); err != nil {
+			return err
+		}
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Connector %s uninstall scheduled.", output.ConnectorID)))
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Connector %s uninstalled.", output.ConnectorID)))
+	return err
+}
+
+func newPaymentsTransferInitiationCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:     use,
+		Aliases: aliases,
+		Short:   "Manage payment transfer initiations",
+	}
+	if deprecated {
+		command.Deprecated = "use payments transfer-initiation"
+		command.PersistentPreRun = func(cmd *cobra.Command, _ []string) {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Command payments transfer_initiation has been deprecated, use payments transfer-initiation")
+		}
+	}
+	command.AddCommand(newPaymentsTransferInitiationListCommand())
+	command.AddCommand(newPaymentsTransferInitiationCreateCommand())
+	command.AddCommand(newPaymentsTransferInitiationShowCommand("show", []string{"sh", "s"}, false))
+	command.AddCommand(newPaymentsTransferInitiationShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newPaymentsTransferInitiationActionCommand("approve", []string{"a"}, "Approve a payment transfer initiation", paymentscmd.FeatureApprovePaymentInitiation, paymentscmd.SDKApprovePaymentInitiationHandlers, "approved", true))
+	command.AddCommand(newPaymentsTransferInitiationActionCommand("reject", []string{"rj"}, "Reject a payment transfer initiation", paymentscmd.FeatureRejectPaymentInitiation, paymentscmd.SDKRejectPaymentInitiationHandlers, "rejected", true))
+	command.AddCommand(newPaymentsTransferInitiationActionCommand("retry", []string{"r"}, "Retry a payment transfer initiation", paymentscmd.FeatureRetryPaymentInitiation, paymentscmd.SDKRetryPaymentInitiationHandlers, "queued for retry", true))
+	command.AddCommand(newPaymentsTransferInitiationActionCommand("delete", []string{"d"}, "Delete a payment transfer initiation", paymentscmd.FeatureDeletePaymentInitiation, paymentscmd.SDKDeletePaymentInitiationHandlers, "deleted", true))
+	command.AddCommand(newPaymentsTransferInitiationReverseCommand())
+	command.AddCommand(newPaymentsTransferInitiationUpdateStatusCommand("update-status", []string{"u"}, false))
+	command.AddCommand(newPaymentsTransferInitiationUpdateStatusCommand("update_status", nil, true))
+	return command
+}
+
+func newPaymentsTasksCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:     "tasks",
+		Aliases: []string{"t"},
+		Short:   "Manage payment tasks",
+	}
+	command.AddCommand(newPaymentsTasksShowCommand("show", []string{"sh", "s"}, false))
+	command.AddCommand(newPaymentsTasksShowCommand("get", nil, true))
+	return command
+}
+
+func newPaymentsPoolsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "pools",
+		Short: "Manage payment pools",
+	}
+	command.AddCommand(newPaymentsPoolsCreateCommand())
+	command.AddCommand(newPaymentsPoolsListCommand())
+	command.AddCommand(newPaymentsPoolsShowCommand("show", nil, false))
+	command.AddCommand(newPaymentsPoolsShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newPaymentsPoolsDeleteCommand())
+	command.AddCommand(newPaymentsPoolsAddAccountCommand())
+	command.AddCommand(newPaymentsPoolsRemoveAccountCommand())
+	command.AddCommand(newPaymentsPoolsUpdateQueryCommand())
+	command.AddCommand(newPaymentsPoolsBalancesCommand())
+	command.AddCommand(newPaymentsPoolsLatestBalancesCommand())
+	return command
+}
+
+func newPaymentsPaymentsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:     "payments",
+		Aliases: []string{"p"},
+		Short:   "Manage payments",
+	}
+	command.AddCommand(newPaymentsPaymentsCreateCommand())
+	command.AddCommand(newPaymentsPaymentsListCommand())
+	command.AddCommand(newPaymentsPaymentsShowCommand("show", nil, false))
+	command.AddCommand(newPaymentsPaymentsShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newPaymentsPaymentsSetMetadataCommand())
+	return command
+}
+
+func newPaymentsBankAccountsCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:     use,
+		Aliases: aliases,
+		Short:   "Manage payment bank accounts",
+	}
+	if deprecated {
+		command.Deprecated = "use payments bank-accounts"
+		command.PersistentPreRun = func(cmd *cobra.Command, _ []string) {
+			fmt.Fprintln(cmd.ErrOrStderr(), "Command payments bank_accounts has been deprecated, use payments bank-accounts")
+		}
+	}
+	command.AddCommand(newPaymentsBankAccountsCreateCommand())
+	command.AddCommand(newPaymentsBankAccountsListCommand())
+	command.AddCommand(newPaymentsBankAccountsShowCommand("show", nil, false))
+	command.AddCommand(newPaymentsBankAccountsShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newPaymentsBankAccountsForwardCommand())
+	command.AddCommand(newPaymentsBankAccountsSetMetadataCommand("set-metadata", nil, false))
+	command.AddCommand(newPaymentsBankAccountsSetMetadataCommand("update-metadata", []string{"update-meta"}, true))
+	return command
+}
+
+func newPaymentsBankAccountsCreateCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create",
+		Aliases: []string{"cr", "c"},
+		Short:   "Create a payment bank account",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return nil
+			}
+			if len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments bank-accounts create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments bank-accounts create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments bank-accounts create requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			request, err := parseCreatePaymentBankAccountRequest(data)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.CreateBankAccountService{
+				Handlers: paymentscmd.SDKCreateBankAccountHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureCreateBankAccount,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.CreateBankAccountInput{
+				AccountNumber: request.AccountNumber,
+				ConnectorID:   request.ConnectorID,
+				Country:       request.Country,
+				Iban:          request.Iban,
+				Metadata:      request.Metadata,
+				Name:          request.Name,
+				SwiftBicCode:  request.SwiftBicCode,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentBankAccountCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm bank account creation")
+	command.Flags().StringVar(&file, "file", "", "JSON bank account request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+type createPaymentBankAccountRequestFile struct {
+	AccountNumber string            `json:"accountNumber"`
+	ConnectorID   string            `json:"connectorID"`
+	Country       string            `json:"country"`
+	Iban          string            `json:"iban"`
+	Metadata      map[string]string `json:"metadata"`
+	Name          string            `json:"name"`
+	SwiftBicCode  string            `json:"swiftBicCode"`
+}
+
+func parseCreatePaymentBankAccountRequest(data []byte) (createPaymentBankAccountRequestFile, error) {
+	var request createPaymentBankAccountRequestFile
+	if err := json.Unmarshal(data, &request); err != nil {
+		return createPaymentBankAccountRequestFile{}, err
+	}
+	return request, nil
+}
+
+func renderPaymentBankAccountCreated(cmd *cobra.Command, output paymentscmd.CreateBankAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Bank account created with ID: %s", output.BankAccountID)))
+	return err
+}
+
+func newPaymentsBankAccountsForwardCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "forward <bank-account-id> <connector-id>",
+		Aliases: []string{"fo", "f"},
+		Short:   "Forward a payment bank account to a connector",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments bank-accounts forward requires --confirm")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ForwardBankAccountService{
+				Handlers: paymentscmd.SDKForwardBankAccountHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureForwardBankAccount,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ForwardBankAccountInput{
+				BankAccountID: args[0],
+				ConnectorID:   args[1],
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentBankAccountForwarded(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm bank account forwarding")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentBankAccountForwarded(cmd *cobra.Command, output paymentscmd.ForwardBankAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.TaskID != "" {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Bank account forwarding scheduled with task ID: %s", output.TaskID)))
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Bank account %s forwarded to connector %s.", output.BankAccountID, output.ConnectorID)))
+	return err
+}
+
+func newPaymentsBankAccountsSetMetadataCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <bank-account-id> <key=value>...",
+		Aliases: aliases,
+		Short:   "Set payment bank account metadata",
+		Args:    cobra.MinimumNArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments bank-accounts update-metadata has been deprecated, use payments bank-accounts set-metadata")
+			}
+			if !confirm {
+				return fmt.Errorf("payments bank-accounts %s requires --confirm", use)
+			}
+			metadata, err := parseMetadataFlags(args[1:])
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.SetBankAccountMetadataService{
+				Handlers: paymentscmd.SDKSetBankAccountMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureSetBankAccountMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.SetBankAccountMetadataInput{BankAccountID: args[0], Metadata: metadata})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentBankAccountMetadataSet(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments bank-accounts set-metadata"
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm bank account metadata update")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentBankAccountMetadataSet(cmd *cobra.Command, output paymentscmd.SetBankAccountMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Metadata set on bank account %s.", output.BankAccountID)))
+	return err
+}
+
+func newPaymentsAccountsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "accounts",
+		Short: "Manage payment accounts",
+	}
+	command.AddCommand(newPaymentsAccountsCreateCommand())
+	command.AddCommand(newPaymentsAccountsListCommand())
+	command.AddCommand(newPaymentsAccountsShowCommand("show", nil, false))
+	command.AddCommand(newPaymentsAccountsShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newPaymentsAccountsBalancesCommand())
+	return command
+}
+
+func newPaymentsAccountsCreateCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create",
+		Aliases: []string{"cr", "c"},
+		Short:   "Create a payment account",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return nil
+			}
+			if len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments accounts create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments accounts create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments accounts create requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			request, err := parseCreatePaymentAccountRequest(data)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.CreateAccountService{
+				Handlers: paymentscmd.SDKCreateAccountHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureCreateAccount,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.CreateAccountInput{
+				AccountName:  request.AccountName,
+				ConnectorID:  request.ConnectorID,
+				CreatedAt:    request.CreatedAt,
+				DefaultAsset: request.DefaultAsset,
+				Metadata:     request.Metadata,
+				Reference:    request.Reference,
+				Type:         request.Type,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentAccountCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm account creation")
+	command.Flags().StringVar(&file, "file", "", "JSON account request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+type createPaymentAccountRequestFile struct {
+	AccountName  string            `json:"accountName"`
+	ConnectorID  string            `json:"connectorID"`
+	CreatedAt    time.Time         `json:"createdAt"`
+	DefaultAsset string            `json:"defaultAsset"`
+	Metadata     map[string]string `json:"metadata"`
+	Reference    string            `json:"reference"`
+	Type         string            `json:"type"`
+}
+
+func parseCreatePaymentAccountRequest(data []byte) (createPaymentAccountRequestFile, error) {
+	var request createPaymentAccountRequestFile
+	if err := json.Unmarshal(data, &request); err != nil {
+		return createPaymentAccountRequestFile{}, err
+	}
+	request.Type = strings.ToUpper(request.Type)
+	return request, nil
+}
+
+func renderPaymentAccountCreated(cmd *cobra.Command, output paymentscmd.CreateAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Account created with ID: %s", output.AccountID)))
+	return err
+}
+
+func newPaymentsAccountsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List payment accounts",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := paymentscmd.ListAccountsService{
+				Handlers: paymentscmd.SDKListAccountsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureListAccounts,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListAccountsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentAccounts(cmd, output)
+		},
+	}
+
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+
+	return command
+}
+
+func newPaymentsAccountsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <account-id>",
+		Aliases: aliases,
+		Short:   "Show a payment account",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments accounts get has been deprecated, use payments accounts show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := paymentscmd.GetAccountService{
+				Handlers: paymentscmd.SDKGetAccountHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetAccount,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetAccountInput{AccountID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentAccount(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments accounts show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsAccountsBalancesCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var asset string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "balances <account-id>",
+		Short: "List payment account balances",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(
+				formance.WithServerURL(rt.Target.URL),
+				formance.WithClient(httpClient),
+			)
+			service := paymentscmd.ListAccountBalancesService{
+				Handlers: paymentscmd.SDKListAccountBalancesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetAccountBalances,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListAccountBalancesInput{
+				AccountID: args[0],
+				PageSize:  pageSize,
+				Cursor:    cursor,
+				Asset:     asset,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentAccountBalances(cmd, output)
+		},
+	}
+
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&asset, "asset", "", "Filter by asset")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+
+	return command
+}
+
+func renderPaymentAccounts(cmd *cobra.Command, output paymentscmd.ListAccountsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Accounts) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No payment accounts found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Accounts))
+	for _, account := range output.Accounts {
+		rows = append(rows, []string{account.ID, account.Reference, account.CreatedAt.Format(time.RFC3339), account.Name, account.DefaultAsset, account.ConnectorID})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Reference", "Created at", "Name", "Default asset", "Connector"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPaymentAccountBalances(cmd *cobra.Command, output paymentscmd.ListAccountBalancesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Balances) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No account balances found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Balances))
+	for _, balance := range output.Balances {
+		rows = append(rows, []string{balance.AccountID, balance.Asset, balance.Balance, balance.CreatedAt.Format(time.RFC3339), balance.LastUpdatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"Account", "Asset", "Balance", "Created at", "Updated at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPaymentAccount(cmd *cobra.Command, output paymentscmd.GetAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	account := output.Account
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: account.ID},
+		styledKeyValue{Label: "Reference", Value: account.Reference},
+		styledKeyValue{Label: "Name", Value: account.Name},
+		styledKeyValue{Label: "Created at", Value: account.CreatedAt.Format(time.RFC3339)},
+		styledKeyValue{Label: "Connector ID", Value: account.ConnectorID},
+		styledKeyValue{Label: "Default asset", Value: account.DefaultAsset},
+		styledKeyValue{Label: "Type", Value: account.Type},
+	)
+}
+
+func newPaymentsBankAccountsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List payment bank accounts",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ListBankAccountsService{
+				Handlers: paymentscmd.SDKListBankAccountsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureListBankAccounts,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListBankAccountsInput{PageSize: pageSize, Cursor: cursor})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentBankAccounts(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsBankAccountsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <bank-account-id>",
+		Aliases: aliases,
+		Short:   "Show a payment bank account",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments bank-accounts get has been deprecated, use payments bank-accounts show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetBankAccountService{
+				Handlers: paymentscmd.SDKGetBankAccountHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetBankAccount,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetBankAccountInput{BankAccountID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentBankAccount(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments bank-accounts show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentBankAccounts(cmd *cobra.Command, output paymentscmd.ListBankAccountsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.BankAccounts) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No bank accounts found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.BankAccounts))
+	for _, account := range output.BankAccounts {
+		rows = append(rows, []string{account.ID, account.Name, account.CreatedAt.Format(time.RFC3339), account.Country})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Name", "Created at", "Country"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPaymentBankAccount(cmd *cobra.Command, output paymentscmd.GetBankAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	account := output.BankAccount
+	rows := []styledKeyValue{
+		{Label: "ID", Value: account.ID},
+		{Label: "Name", Value: account.Name},
+		{Label: "Created at", Value: account.CreatedAt.Format(time.RFC3339)},
+	}
+	if account.Country != "" {
+		rows = append(rows, styledKeyValue{Label: "Country", Value: account.Country})
+	}
+	if account.Iban != "" {
+		rows = append(rows, styledKeyValue{Label: "IBAN", Value: account.Iban})
+	}
+	rows = append(rows, styledKeyValue{Label: "Swift BIC", Value: account.SwiftBicCode})
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func newPaymentsPaymentsCreateCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create",
+		Aliases: []string{"cr", "c"},
+		Short:   "Create a payment",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return nil
+			}
+			if len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments payments create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments payments create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments payments create requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			request, err := parseCreatePaymentRequest(data)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.CreatePaymentService{
+				Handlers: paymentscmd.SDKCreatePaymentHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureCreatePayment,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), request)
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm payment creation")
+	command.Flags().StringVar(&file, "file", "", "JSON payment request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func parseCreatePaymentRequest(data []byte) (paymentscmd.CreatePaymentInput, error) {
+	var v1 shared.PaymentRequest
+	if err := json.Unmarshal(data, &v1); err != nil {
+		return paymentscmd.CreatePaymentInput{}, err
+	}
+	var v3 shared.V3CreatePaymentRequest
+	if err := json.Unmarshal(data, &v3); err != nil {
+		return paymentscmd.CreatePaymentInput{}, err
+	}
+	if v3.InitialAmount == nil {
+		v3.InitialAmount = v3.Amount
+	}
+	return paymentscmd.CreatePaymentInput{V1: v1, V3: v3}, nil
+}
+
+func renderPaymentCreated(cmd *cobra.Command, output paymentscmd.CreatePaymentOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Payment created with ID: %s", output.PaymentID)))
+	return err
+}
+
+func newPaymentsPaymentsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List payments",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ListPaymentsService{
+				Handlers: paymentscmd.SDKListPaymentsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureListPayments,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListPaymentsInput{PageSize: pageSize, Cursor: cursor})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPayments(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPaymentsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <payment-id>",
+		Aliases: aliases,
+		Short:   "Show a payment",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments payments get has been deprecated, use payments payments show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetPaymentService{
+				Handlers: paymentscmd.SDKGetPaymentHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetPayment,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetPaymentInput{PaymentID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPayment(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments payments show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPaymentsSetMetadataCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "set-metadata <payment-id> <key=value>...",
+		Aliases: []string{"sm", "set-meta"},
+		Short:   "Set payment metadata",
+		Args:    cobra.MinimumNArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments payments set-metadata requires --confirm")
+			}
+			metadata, err := parseMetadataFlags(args[1:])
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.SetPaymentMetadataService{
+				Handlers: paymentscmd.SDKSetPaymentMetadataHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureSetPaymentMetadata,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.SetPaymentMetadataInput{PaymentID: args[0], Metadata: metadata})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentMetadataSet(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm payment metadata update")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentMetadataSet(cmd *cobra.Command, output paymentscmd.SetPaymentMetadataOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Metadata set on payment %s.", output.PaymentID)))
+	return err
+}
+
+func renderPayments(cmd *cobra.Command, output paymentscmd.ListPaymentsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Payments) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No payments found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Payments))
+	for _, payment := range output.Payments {
+		rows = append(rows, []string{payment.ID, payment.Type, payment.Amount, payment.Asset, payment.Status, payment.CreatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Type", "Amount", "Asset", "Status", "Created at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPayment(cmd *cobra.Command, output paymentscmd.GetPaymentOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	payment := output.Payment
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: payment.ID},
+		styledKeyValue{Label: "Reference", Value: payment.Reference},
+		styledKeyValue{Label: "Amount", Value: payment.Amount},
+		styledKeyValue{Label: "Asset", Value: payment.Asset},
+		styledKeyValue{Label: "Status", Value: payment.Status},
+		styledKeyValue{Label: "Created at", Value: payment.CreatedAt.Format(time.RFC3339)},
+	)
+}
+
+func newPaymentsPoolsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var query string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List payment pools",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ListPoolsService{
+				Handlers: paymentscmd.SDKListPoolsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureListPools,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListPoolsInput{PageSize: pageSize, Cursor: cursor, Query: query})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPools(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&query, "query", "", "Filter pools with the API query syntax")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPoolsCreateCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create",
+		Aliases: []string{"cr", "c"},
+		Short:   "Create a payment pool",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 || len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 or 1 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments pools create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments pools create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments pools create requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.CreatePoolService{
+				Handlers: paymentscmd.SDKCreatePoolHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureCreatePool,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.CreatePoolInput{Payload: data})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm pool creation")
+	command.Flags().StringVar(&file, "file", "", "JSON pool request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPoolsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <pool-id>",
+		Aliases: aliases,
+		Short:   "Show a payment pool",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments pools get has been deprecated, use payments pools show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetPoolService{
+				Handlers: paymentscmd.SDKGetPoolHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetPool,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetPoolInput{PoolID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPool(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments pools show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPoolsDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <pool-id>",
+		Short: "Delete a payment pool",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments pools delete requires --confirm")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.DeletePoolService{
+				Handlers: paymentscmd.SDKDeletePoolHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureDeletePool,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.DeletePoolInput{PoolID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm pool deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentPoolCreated(cmd *cobra.Command, output paymentscmd.CreatePoolOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Pool created with ID: %s", output.PoolID)))
+	return err
+}
+
+func renderPaymentPools(cmd *cobra.Command, output paymentscmd.ListPoolsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Pools) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No payment pools found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Pools))
+	for _, pool := range output.Pools {
+		rows = append(rows, []string{pool.ID, pool.Name, strings.Join(pool.Accounts, ",")})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Name", "Accounts"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPaymentPool(cmd *cobra.Command, output paymentscmd.GetPoolOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	pool := output.Pool
+	rows := []styledKeyValue{
+		{Label: "ID", Value: pool.ID},
+		{Label: "Name", Value: pool.Name},
+		{Label: "Accounts", Value: strings.Join(pool.Accounts, ",")},
+	}
+	if pool.Type != "" {
+		rows = append(rows, styledKeyValue{Label: "Type", Value: pool.Type})
+	}
+	if !pool.CreatedAt.IsZero() {
+		rows = append(rows, styledKeyValue{Label: "Created at", Value: pool.CreatedAt.Format(time.RFC3339)})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderPaymentPoolDeleted(cmd *cobra.Command, output paymentscmd.DeletePoolOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Pool %s deleted.", output.PoolID)))
+	return err
+}
+
+func newPaymentsPoolsAddAccountCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "add-account <pool-id> <account-id>",
+		Aliases: []string{"add", "a"},
+		Short:   "Add an account to a payment pool",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.AddAccountToPoolService{
+				Handlers: paymentscmd.SDKAddAccountToPoolHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureAddAccountToPool,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.PoolAccountInput{PoolID: args[0], AccountID: args[1]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolAccountAdded(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPoolsRemoveAccountCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "remove-account <pool-id> <account-id>",
+		Aliases: []string{"remove", "rm"},
+		Short:   "Remove an account from a payment pool",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments pools remove-account requires --confirm")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.RemoveAccountFromPoolService{
+				Handlers: paymentscmd.SDKRemoveAccountFromPoolHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureRemoveAccountFromPool,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.PoolAccountInput{PoolID: args[0], AccountID: args[1]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolAccountRemoved(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm account removal")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentPoolAccountAdded(cmd *cobra.Command, output paymentscmd.PoolAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Account %s added to pool %s.", output.AccountID, output.PoolID)))
+	return err
+}
+
+func renderPaymentPoolAccountRemoved(cmd *cobra.Command, output paymentscmd.PoolAccountOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Account %s removed from pool %s.", output.AccountID, output.PoolID)))
+	return err
+}
+
+func newPaymentsPoolsUpdateQueryCommand() *cobra.Command {
+	var file string
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "update-query <pool-id> [file]",
+		Aliases: []string{"uq"},
+		Short:   "Update a payment pool query",
+		Args:    cobra.RangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments pools update-query requires --confirm")
+			}
+			if len(args) == 2 {
+				if file != "" {
+					return fmt.Errorf("positional file and --file are mutually exclusive")
+				}
+				file = args[1]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments pools update-query <pool-id> --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments pools update-query requires --file <path>|-")
+			}
+
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			var request struct {
+				Query map[string]any `json:"query"`
+			}
+			if err := json.Unmarshal(data, &request); err != nil {
+				return err
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.UpdatePoolQueryService{
+				Handlers: paymentscmd.SDKUpdatePoolQueryHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureUpdatePoolQuery,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.UpdatePoolQueryInput{PoolID: args[0], Query: request.Query})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolQueryUpdated(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&file, "file", "", "Read query payload from path or stdin with -")
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm pool query update")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPoolsBalancesCommand() *cobra.Command {
+	var at string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "balances <pool-id> [at]",
+		Short: "List payment pool balances at a time",
+		Args:  cobra.RangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 2 {
+				if at != "" {
+					return fmt.Errorf("positional at and --at are mutually exclusive")
+				}
+				at = args[1]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional <at> has been deprecated, use payments pools balances <pool-id> --at <time>")
+			}
+			if at == "" {
+				return fmt.Errorf("payments pools balances requires --at <time>")
+			}
+			parsedAt, err := time.Parse(time.RFC3339, at)
+			if err != nil {
+				return fmt.Errorf("parse --at as RFC3339: %w", err)
+			}
+
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetPoolBalancesService{
+				Handlers: paymentscmd.SDKGetPoolBalancesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetPoolBalances,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetPoolBalancesInput{PoolID: args[0], At: parsedAt})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolBalances(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&at, "at", "", "RFC3339 timestamp")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsPoolsLatestBalancesCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "latest-balances <pool-id>",
+		Short: "List latest payment pool balances",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetPoolBalancesService{
+				Handlers: paymentscmd.SDKGetPoolBalancesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetPoolBalancesLatest,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetPoolBalancesInput{PoolID: args[0], Latest: true})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentPoolBalances(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func readPaymentCommandFile(cmd *cobra.Command, file string) ([]byte, error) {
+	if file == "-" {
+		return io.ReadAll(cmd.InOrStdin())
+	}
+	return os.ReadFile(file)
+}
+
+func renderPaymentPoolQueryUpdated(cmd *cobra.Command, output paymentscmd.UpdatePoolQueryOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Query updated for pool %s.", output.PoolID)))
+	return err
+}
+
+func renderPaymentPoolBalances(cmd *cobra.Command, output paymentscmd.GetPoolBalancesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Balances) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No pool balances found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Balances))
+	for _, balance := range output.Balances {
+		rows = append(rows, []string{balance.Asset, balance.Amount, strings.Join(balance.RelatedAccounts, ",")})
+	}
+	return writeStyledRows(cmd, []string{"Asset", "Amount", "Related accounts"}, rows)
+}
+
+func newPaymentsTasksShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <task-id>",
+		Aliases: aliases,
+		Short:   "Show a payment task",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments tasks get has been deprecated, use payments tasks show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetTaskService{
+				Handlers: paymentscmd.SDKGetTaskHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetTask,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetTaskInput{TaskID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTask(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments tasks show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentTask(cmd *cobra.Command, output paymentscmd.GetTaskOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	task := output.Task
+	rows := []styledKeyValue{{Label: "ID", Value: task.ID}}
+	if task.ConnectorID != "" {
+		rows = append(rows, styledKeyValue{Label: "Connector ID", Value: task.ConnectorID})
+	}
+	if task.CreatedObjectID != "" {
+		rows = append(rows, styledKeyValue{Label: "Created object ID", Value: task.CreatedObjectID})
+	}
+	rows = append(rows, styledKeyValue{Label: "Status", Value: task.Status})
+	if task.Error != "" {
+		rows = append(rows, styledKeyValue{Label: "Error", Value: task.Error})
+	}
+	rows = append(rows,
+		styledKeyValue{Label: "Created at", Value: task.CreatedAt.Format(time.RFC3339)},
+		styledKeyValue{Label: "Updated at", Value: task.UpdatedAt.Format(time.RFC3339)},
+	)
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func newPaymentsTransferInitiationListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var query string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List payment transfer initiations",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ListTransferInitiationsService{
+				Handlers: paymentscmd.SDKListTransferInitiationsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureListTransferInitiation,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ListTransferInitiationsInput{PageSize: pageSize, Cursor: cursor, Query: query})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTransferInitiations(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&query, "query", "", "Filter transfer initiations with the API query syntax")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func newPaymentsTransferInitiationCreateCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create",
+		Aliases: []string{"cr", "c"},
+		Short:   "Create a payment transfer initiation",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return nil
+			}
+			if len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments transfer-initiation create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments transfer-initiation create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments transfer-initiation create requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			request, err := parseCreateTransferInitiationRequest(data)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.CreateTransferInitiationService{
+				Handlers: paymentscmd.SDKCreateTransferInitiationHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureCreateTransferInitiation,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.CreateTransferInitiationInput{
+				Amount:               request.Amount,
+				Asset:                request.Asset,
+				ConnectorID:          request.ConnectorID,
+				Description:          request.Description,
+				DestinationAccountID: request.DestinationAccountID,
+				Metadata:             request.Metadata,
+				Reference:            request.Reference,
+				ScheduledAt:          request.ScheduledAt,
+				SourceAccountID:      request.SourceAccountID,
+				Type:                 request.Type,
+				Validated:            request.Validated,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTransferInitiationCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm transfer initiation creation")
+	command.Flags().StringVar(&file, "file", "", "JSON transfer initiation request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+type createTransferInitiationRequestFile struct {
+	Amount               *big.Int          `json:"amount"`
+	Asset                string            `json:"asset"`
+	ConnectorID          string            `json:"connectorID"`
+	Description          string            `json:"description"`
+	DestinationAccountID string            `json:"destinationAccountID"`
+	Metadata             map[string]string `json:"metadata"`
+	Reference            string            `json:"reference"`
+	ScheduledAt          time.Time         `json:"scheduledAt"`
+	SourceAccountID      string            `json:"sourceAccountID"`
+	Type                 string            `json:"type"`
+	Validated            bool              `json:"validated"`
+}
+
+func parseCreateTransferInitiationRequest(data []byte) (createTransferInitiationRequestFile, error) {
+	var raw struct {
+		Amount               json.RawMessage   `json:"amount"`
+		Asset                string            `json:"asset"`
+		ConnectorID          string            `json:"connectorID"`
+		Description          string            `json:"description"`
+		DestinationAccountID string            `json:"destinationAccountID"`
+		Metadata             map[string]string `json:"metadata"`
+		Reference            string            `json:"reference"`
+		ScheduledAt          time.Time         `json:"scheduledAt"`
+		SourceAccountID      string            `json:"sourceAccountID"`
+		Type                 string            `json:"type"`
+		Validated            bool              `json:"validated"`
+	}
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return createTransferInitiationRequestFile{}, err
+	}
+	if len(raw.Amount) == 0 {
+		return createTransferInitiationRequestFile{}, fmt.Errorf("transfer initiation amount is required")
+	}
+	amount, err := parseBigIntJSON(raw.Amount)
+	if err != nil {
+		return createTransferInitiationRequestFile{}, fmt.Errorf("invalid transfer initiation amount: %w", err)
+	}
+	return createTransferInitiationRequestFile{
+		Amount:               amount,
+		Asset:                raw.Asset,
+		ConnectorID:          raw.ConnectorID,
+		Description:          raw.Description,
+		DestinationAccountID: raw.DestinationAccountID,
+		Metadata:             raw.Metadata,
+		Reference:            raw.Reference,
+		ScheduledAt:          raw.ScheduledAt,
+		SourceAccountID:      raw.SourceAccountID,
+		Type:                 strings.ToUpper(raw.Type),
+		Validated:            raw.Validated,
+	}, nil
+}
+
+func renderPaymentTransferInitiationCreated(cmd *cobra.Command, output paymentscmd.CreateTransferInitiationOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.TaskID != "" {
+		if err := writeStyledColonKeyValues(cmd, styledKeyValue{Label: "Task ID", Value: output.TaskID}); err != nil {
+			return err
+		}
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Transfer initiation created with ID: %s", output.TransferInitiationID)))
+	return err
+}
+
+func newPaymentsTransferInitiationShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <transfer-initiation-id>",
+		Aliases: aliases,
+		Short:   "Show a payment transfer initiation",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments transfer-initiation get has been deprecated, use payments transfer-initiation show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.GetTransferInitiationService{
+				Handlers: paymentscmd.SDKGetTransferInitiationHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureGetTransferInitiation,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.GetTransferInitiationInput{TransferInitiationID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTransferInitiation(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments transfer-initiation show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentTransferInitiations(cmd *cobra.Command, output paymentscmd.ListTransferInitiationsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.TransferInitiations) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No transfer initiations found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.TransferInitiations))
+	for _, transfer := range output.TransferInitiations {
+		rows = append(rows, []string{transfer.ID, transfer.Type, transfer.Amount, transfer.Asset, transfer.Status, transfer.CreatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Type", "Amount", "Asset", "Status", "Created at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderPaymentTransferInitiation(cmd *cobra.Command, output paymentscmd.GetTransferInitiationOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	transfer := output.TransferInitiation
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: transfer.ID},
+		styledKeyValue{Label: "Reference", Value: transfer.Reference},
+		styledKeyValue{Label: "Amount", Value: transfer.Amount},
+		styledKeyValue{Label: "Asset", Value: transfer.Asset},
+		styledKeyValue{Label: "Status", Value: transfer.Status},
+		styledKeyValue{Label: "Connector ID", Value: transfer.ConnectorID},
+		styledKeyValue{Label: "Created at", Value: transfer.CreatedAt.Format(time.RFC3339)},
+	)
+}
+
+func newPaymentsTransferInitiationActionCommand(
+	use string,
+	aliases []string,
+	short string,
+	feature capabilities.Feature,
+	handlers func(*formance.Formance) []paymentscmd.TransferInitiationActionHandler,
+	done string,
+	requiresConfirm bool,
+) *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <transfer-initiation-id>",
+		Aliases: aliases,
+		Short:   short,
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if requiresConfirm && !confirm {
+				return fmt.Errorf("payments transfer-initiation %s requires --confirm", use)
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.TransferInitiationActionService{
+				Handlers: handlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         feature,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.TransferInitiationActionInput{TransferInitiationID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTransferInitiationAction(cmd, output, done)
+		},
+	}
+	if requiresConfirm {
+		command.Flags().BoolVar(&confirm, "confirm", false, "Confirm transfer initiation action")
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentTransferInitiationAction(cmd *cobra.Command, output paymentscmd.TransferInitiationActionOutput, done string) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.TaskID != "" {
+		if err := writeStyledColonKeyValues(cmd, styledKeyValue{Label: "Task ID", Value: output.TaskID}); err != nil {
+			return err
+		}
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Transfer initiation %s %s.", output.TransferInitiationID, done)))
+	return err
+}
+
+func newPaymentsTransferInitiationUpdateStatusCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <transfer-initiation-id> <status>",
+		Aliases: aliases,
+		Short:   "Update a payment transfer initiation status",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command payments transfer-initiation update_status has been deprecated, use payments transfer-initiation update-status")
+			}
+			if !confirm {
+				return fmt.Errorf("payments transfer-initiation %s requires --confirm", use)
+			}
+			status := strings.ToUpper(args[1])
+			if status != "REJECTED" && status != "VALIDATED" {
+				return fmt.Errorf("unsupported transfer initiation status %q: expected REJECTED or VALIDATED", args[1])
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.UpdateTransferInitiationStatusService{
+				Handlers: paymentscmd.SDKUpdateTransferInitiationStatusHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureUpdateTransferInitiationStatus,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.UpdateTransferInitiationStatusInput{TransferInitiationID: args[0], Status: status})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTransferInitiationStatusUpdated(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use payments transfer-initiation update-status"
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm transfer initiation status update")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+func renderPaymentTransferInitiationStatusUpdated(cmd *cobra.Command, output paymentscmd.UpdateTransferInitiationStatusOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Transfer initiation %s status updated to %s.", output.TransferInitiationID, output.Status)))
+	return err
+}
+
+func newPaymentsTransferInitiationReverseCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "reverse <transfer-initiation-id>",
+		Aliases: []string{"re"},
+		Short:   "Reverse a payment transfer initiation",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 1 {
+				return nil
+			}
+			if len(args) == 2 {
+				return nil
+			}
+			return fmt.Errorf("accepts 1 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("payments transfer-initiation reverse requires --confirm")
+			}
+			if len(args) == 2 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[1]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use payments transfer-initiation reverse <transfer-initiation-id> --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("payments transfer-initiation reverse requires --file <path>|-")
+			}
+			data, err := readPaymentCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			request, err := parseReverseTransferInitiationRequest(data)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := paymentscmd.ReverseTransferInitiationService{
+				Handlers: paymentscmd.SDKReverseTransferInitiationHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         paymentscmd.ProductPayments,
+						Feature:         paymentscmd.FeatureReversePaymentInitiation,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), paymentscmd.ReverseTransferInitiationInput{
+				TransferInitiationID: args[0],
+				Amount:               request.Amount,
+				Asset:                request.Asset,
+				Description:          request.Description,
+				Metadata:             request.Metadata,
+				Reference:            request.Reference,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderPaymentTransferInitiationReversed(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm transfer initiation reversal")
+	command.Flags().StringVar(&file, "file", "", "JSON reverse request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin payments API version")
+	return command
+}
+
+type reverseTransferInitiationRequestFile struct {
+	Amount      *big.Int          `json:"amount"`
+	Asset       string            `json:"asset"`
+	Description string            `json:"description"`
+	Metadata    map[string]string `json:"metadata"`
+	Reference   string            `json:"reference"`
+}
+
+func parseReverseTransferInitiationRequest(data []byte) (reverseTransferInitiationRequestFile, error) {
+	var raw struct {
+		Amount      json.RawMessage   `json:"amount"`
+		Asset       string            `json:"asset"`
+		Description string            `json:"description"`
+		Metadata    map[string]string `json:"metadata"`
+		Reference   string            `json:"reference"`
+	}
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return reverseTransferInitiationRequestFile{}, err
+	}
+	if len(raw.Amount) == 0 {
+		return reverseTransferInitiationRequestFile{}, fmt.Errorf("reverse transfer initiation amount is required")
+	}
+	amount, err := parseBigIntJSON(raw.Amount)
+	if err != nil {
+		return reverseTransferInitiationRequestFile{}, fmt.Errorf("invalid reverse transfer initiation amount: %w", err)
+	}
+	return reverseTransferInitiationRequestFile{
+		Amount:      amount,
+		Asset:       raw.Asset,
+		Description: raw.Description,
+		Metadata:    raw.Metadata,
+		Reference:   raw.Reference,
+	}, nil
+}
+
+func parseBigIntJSON(data []byte) (*big.Int, error) {
+	value := strings.TrimSpace(string(data))
+	value = strings.Trim(value, `"`)
+	if value == "" {
+		return nil, fmt.Errorf("empty integer")
+	}
+	amount, ok := new(big.Int).SetString(value, 10)
+	if !ok {
+		return nil, fmt.Errorf("expected integer")
+	}
+	return amount, nil
+}
+
+func renderPaymentTransferInitiationReversed(cmd *cobra.Command, output paymentscmd.ReverseTransferInitiationOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.TaskID != "" {
+		if err := writeStyledColonKeyValues(cmd, styledKeyValue{Label: "Task ID", Value: output.TaskID}); err != nil {
+			return err
+		}
+	}
+	if output.ReversalID != "" {
+		if err := writeStyledColonKeyValues(cmd, styledKeyValue{Label: "Reversal ID", Value: output.ReversalID}); err != nil {
+			return err
+		}
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Transfer initiation %s reversed.", output.TransferInitiationID)))
+	return err
+}
diff --git a/v4/cmd/reconciliation.go b/v4/cmd/reconciliation.go
new file mode 100644
index 00000000..5cf74d45
--- /dev/null
+++ b/v4/cmd/reconciliation.go
@@ -0,0 +1,621 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	reconciliationcmd "github.com/formancehq/fctl/v4/internal/commands/reconciliation"
+)
+
+func newReconciliationCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "reconciliation",
+		Short: "Manage reconciliation policies and runs",
+	}
+	command.AddCommand(newReconciliationListCommand())
+	command.AddCommand(newReconciliationShowCommand("show", []string{"sh"}, false))
+	command.AddCommand(newReconciliationShowCommand("get", nil, true))
+	command.AddCommand(newReconciliationPoliciesCommand())
+	return command
+}
+
+func newReconciliationPoliciesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "policies",
+		Short: "Manage reconciliation policies",
+	}
+	command.AddCommand(newReconciliationPoliciesListCommand())
+	command.AddCommand(newReconciliationPoliciesCreateCommand())
+	command.AddCommand(newReconciliationPoliciesShowCommand("show", []string{"sh"}, false))
+	command.AddCommand(newReconciliationPoliciesShowCommand("get", nil, true))
+	command.AddCommand(newReconciliationPoliciesDeleteCommand())
+	command.AddCommand(newReconciliationPoliciesReconcileCommand())
+	return command
+}
+
+func newReconciliationListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var policyID string
+	var status string
+	var query []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List reconciliations",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			queryMap, err := parseReconciliationQueryFlags(query, map[string]string{
+				"policyID": policyID,
+				"status":   status,
+			})
+			if err != nil {
+				return err
+			}
+			service, err := newListReconciliationsService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.ListReconciliationsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+				Query:    queryMap,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliations(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&policyID, "policy-id", "", "Filter by policy ID")
+	command.Flags().StringVar(&status, "status", "", "Filter by status")
+	command.Flags().StringArrayVar(&query, "query", nil, "Query filter as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newReconciliationShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <reconciliation-id>",
+		Aliases: aliases,
+		Short:   "Show a reconciliation",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command reconciliation get has been deprecated, use reconciliation show")
+			}
+			service, err := newGetReconciliationService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.GetReconciliationInput{ReconciliationID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliation(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use reconciliation show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newReconciliationPoliciesListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var name string
+	var ledger string
+	var paymentsPoolID string
+	var query []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List reconciliation policies",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			queryMap, err := parseReconciliationQueryFlags(query, map[string]string{
+				"name":           name,
+				"ledgerName":     ledger,
+				"paymentsPoolID": paymentsPoolID,
+			})
+			if err != nil {
+				return err
+			}
+			service, err := newListPoliciesService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.ListPoliciesInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+				Query:    queryMap,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliationPolicies(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&name, "name", "", "Filter by policy name")
+	command.Flags().StringVar(&ledger, "ledger", "", "Filter by ledger name")
+	command.Flags().StringVar(&paymentsPoolID, "payments-pool-id", "", "Filter by payments pool ID")
+	command.Flags().StringArrayVar(&query, "query", nil, "Query filter as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newReconciliationPoliciesCreateCommand() *cobra.Command {
+	var confirm bool
+	var file string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create",
+		Short: "Create a reconciliation policy",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return nil
+			}
+			if len(args) == 1 {
+				return nil
+			}
+			return fmt.Errorf("accepts 0 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("reconciliation policies create requires --confirm")
+			}
+			if len(args) == 1 {
+				if file != "" {
+					return fmt.Errorf("use either --file or positional file, not both")
+				}
+				file = args[0]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional file has been deprecated, use reconciliation policies create --file <path>|-")
+			}
+			if file == "" {
+				return fmt.Errorf("reconciliation policies create requires --file <path>|-")
+			}
+			payload, err := readReconciliationCommandFile(cmd, file)
+			if err != nil {
+				return err
+			}
+			service, err := newCreatePolicyService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.CreatePolicyInput{Payload: payload})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliationPolicyCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm policy creation")
+	command.Flags().StringVar(&file, "file", "", "JSON policy request file, or - for stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newReconciliationPoliciesShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <policy-id>",
+		Aliases: aliases,
+		Short:   "Show a reconciliation policy",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command reconciliation policies get has been deprecated, use reconciliation policies show")
+			}
+			service, err := newGetPolicyService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.GetPolicyInput{PolicyID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliationPolicy(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use reconciliation policies show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newReconciliationPoliciesDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <policy-id>",
+		Short: "Delete a reconciliation policy",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("reconciliation policies delete requires --confirm")
+			}
+			service, err := newDeletePolicyService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.DeletePolicyInput{PolicyID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliationPolicyDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm policy deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newReconciliationPoliciesReconcileCommand() *cobra.Command {
+	var confirm bool
+	var ledgerAt string
+	var paymentsAt string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "reconcile <policy-id> [ledger-at payments-at]",
+		Short: "Run reconciliation for a policy",
+		Args: func(_ *cobra.Command, args []string) error {
+			if len(args) == 1 || len(args) == 3 {
+				return nil
+			}
+			return fmt.Errorf("accepts either <policy-id> or deprecated <policy-id> <ledger-at> <payments-at>, received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("reconciliation policies reconcile requires --confirm")
+			}
+			if len(args) == 3 {
+				if ledgerAt != "" || paymentsAt != "" {
+					return fmt.Errorf("deprecated positional reconciliation timestamps cannot be combined with --ledger-at or --payments-at")
+				}
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional reconciliation timestamps have been deprecated, use --ledger-at and --payments-at")
+				ledgerAt = args[1]
+				paymentsAt = args[2]
+			}
+			parsedLedgerAt, err := parseOptionalRFC3339(ledgerAt, "ledger-at")
+			if err != nil {
+				return err
+			}
+			if parsedLedgerAt == nil {
+				return fmt.Errorf("reconciliation policies reconcile requires --ledger-at")
+			}
+			parsedPaymentsAt, err := parseOptionalRFC3339(paymentsAt, "payments-at")
+			if err != nil {
+				return err
+			}
+			if parsedPaymentsAt == nil {
+				return fmt.Errorf("reconciliation policies reconcile requires --payments-at")
+			}
+			service, err := newReconcileService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), reconciliationcmd.ReconcileInput{
+				PolicyID:             args[0],
+				ReconciledAtLedger:   *parsedLedgerAt,
+				ReconciledAtPayments: *parsedPaymentsAt,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderReconciliationStarted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm reconciliation run")
+	command.Flags().StringVar(&ledgerAt, "ledger-at", "", "Ledger reconciliation timestamp (RFC3339)")
+	command.Flags().StringVar(&paymentsAt, "payments-at", "", "Payments reconciliation timestamp (RFC3339)")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin reconciliation API version")
+	return command
+}
+
+func newCreatePolicyService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.CreatePolicyService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.CreatePolicyService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.CreatePolicyService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.CreatePolicyService{
+		Handlers: reconciliationcmd.SDKCreatePolicyHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureCreatePolicy, apiVersion),
+	}, nil
+}
+
+func newListPoliciesService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.ListPoliciesService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.ListPoliciesService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.ListPoliciesService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.ListPoliciesService{
+		Handlers: reconciliationcmd.SDKListPoliciesHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureListPolicies, apiVersion),
+	}, nil
+}
+
+func newGetPolicyService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.GetPolicyService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.GetPolicyService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.GetPolicyService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.GetPolicyService{
+		Handlers: reconciliationcmd.SDKGetPolicyHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureGetPolicy, apiVersion),
+	}, nil
+}
+
+func newDeletePolicyService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.DeletePolicyService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.DeletePolicyService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.DeletePolicyService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.DeletePolicyService{
+		Handlers: reconciliationcmd.SDKDeletePolicyHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureDeletePolicy, apiVersion),
+	}, nil
+}
+
+func newListReconciliationsService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.ListReconciliationsService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.ListReconciliationsService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.ListReconciliationsService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.ListReconciliationsService{
+		Handlers: reconciliationcmd.SDKListReconciliationsHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureListReconciliations, apiVersion),
+	}, nil
+}
+
+func newGetReconciliationService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.GetReconciliationService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.GetReconciliationService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.GetReconciliationService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.GetReconciliationService{
+		Handlers: reconciliationcmd.SDKGetReconciliationHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureGetReconciliation, apiVersion),
+	}, nil
+}
+
+func newReconcileService(cmd *cobra.Command, apiVersion string) (reconciliationcmd.ReconcileService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return reconciliationcmd.ReconcileService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return reconciliationcmd.ReconcileService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return reconciliationcmd.ReconcileService{
+		Handlers: reconciliationcmd.SDKReconcileHandlers(sdk),
+		Resolve:  reconciliationVersionResolver(rt, reconciliationcmd.FeatureReconcile, apiVersion),
+	}, nil
+}
+
+func reconciliationVersionResolver(rt interface {
+	ResolveAPIVersion(context.Context, capabilities.VersionResolutionRequest) (capabilities.APIVersion, error)
+}, feature capabilities.Feature, apiVersion string) func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+	return func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+		request := capabilities.VersionResolutionRequest{
+			Product:         reconciliationcmd.ProductReconciliation,
+			Feature:         feature,
+			HandlerVersions: handlerVersions,
+		}
+		if apiVersion != "" {
+			request.Policy = capabilities.VersionPolicyPinned
+			request.PinnedVersion = capabilities.APIVersion(apiVersion)
+		}
+		return rt.ResolveAPIVersion(ctx, request)
+	}
+}
+
+func readReconciliationCommandFile(cmd *cobra.Command, file string) ([]byte, error) {
+	if file == "-" {
+		return io.ReadAll(cmd.InOrStdin())
+	}
+	return os.ReadFile(file)
+}
+
+func parseReconciliationQueryFlags(values []string, filters map[string]string) (map[string]any, error) {
+	query, err := parseAnyMapFlags(values)
+	if err != nil {
+		return nil, err
+	}
+	if len(query) == 0 {
+		query = map[string]any{}
+	}
+	for key, value := range filters {
+		if value != "" {
+			query[key] = value
+		}
+	}
+	if len(query) == 0 {
+		return nil, nil
+	}
+	return query, nil
+}
+
+func renderReconciliationPolicyCreated(cmd *cobra.Command, output reconciliationcmd.CreatePolicyOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Policy created with ID: %s", output.Policy.ID)))
+	return err
+}
+
+func renderReconciliationPolicies(cmd *cobra.Command, output reconciliationcmd.ListPoliciesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Policies) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No reconciliation policies found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Policies))
+	for _, policy := range output.Policies {
+		rows = append(rows, []string{policy.ID, policy.Name, policy.LedgerName, policy.PaymentsPoolID})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Name", "Ledger", "Payments pool ID"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderReconciliationPolicy(cmd *cobra.Command, output reconciliationcmd.GetPolicyOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	policy := output.Policy
+	rows := []styledKeyValue{
+		{Label: "ID", Value: policy.ID},
+		{Label: "Name", Value: policy.Name},
+		{Label: "Ledger", Value: policy.LedgerName},
+		{Label: "Payments pool ID", Value: policy.PaymentsPoolID},
+	}
+	if !policy.CreatedAt.IsZero() {
+		rows = append(rows, styledKeyValue{Label: "Created at", Value: policy.CreatedAt.Format(time.RFC3339)})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderReconciliationPolicyDeleted(cmd *cobra.Command, output reconciliationcmd.DeletePolicyOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Policy %s deleted.", output.PolicyID)))
+	return err
+}
+
+func renderReconciliationStarted(cmd *cobra.Command, output reconciliationcmd.ReconcileOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Reconciliation started with ID: %s", output.Reconciliation.ID)))
+	return err
+}
+
+func renderReconciliations(cmd *cobra.Command, output reconciliationcmd.ListReconciliationsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Reconciliations) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No reconciliations found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Reconciliations))
+	for _, reconciliation := range output.Reconciliations {
+		rows = append(rows, []string{reconciliation.ID, reconciliation.PolicyID, reconciliation.Status, reconciliation.CreatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Policy ID", "Status", "Created at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderReconciliation(cmd *cobra.Command, output reconciliationcmd.GetReconciliationOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	reconciliation := output.Reconciliation
+	rows := []styledKeyValue{
+		{Label: "ID", Value: reconciliation.ID},
+		{Label: "Policy ID", Value: reconciliation.PolicyID},
+		{Label: "Status", Value: reconciliation.Status},
+	}
+	if reconciliation.Error != "" {
+		rows = append(rows, styledKeyValue{Label: "Error", Value: reconciliation.Error})
+	}
+	if !reconciliation.ReconciledAtLedger.IsZero() {
+		rows = append(rows, styledKeyValue{Label: "Reconciled at ledger", Value: reconciliation.ReconciledAtLedger.Format(time.RFC3339)})
+	}
+	if !reconciliation.ReconciledAtPayments.IsZero() {
+		rows = append(rows, styledKeyValue{Label: "Reconciled at payments", Value: reconciliation.ReconciledAtPayments.Format(time.RFC3339)})
+	}
+	if !reconciliation.CreatedAt.IsZero() {
+		rows = append(rows, styledKeyValue{Label: "Created at", Value: reconciliation.CreatedAt.Format(time.RFC3339)})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
diff --git a/v4/cmd/rendering_policy_test.go b/v4/cmd/rendering_policy_test.go
new file mode 100644
index 00000000..141aab72
--- /dev/null
+++ b/v4/cmd/rendering_policy_test.go
@@ -0,0 +1,151 @@
+package cmd
+
+import (
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"testing"
+)
+
+func TestHumanOutputUsesStyledRendering(t *testing.T) {
+	allowedRawOutputFunctions := map[string]bool{
+		"choosePlatformAuth":                                       true,
+		"chooseTarget":                                             true,
+		"input":                                                    true,
+		"newCloudAppsCreateCommand":                                true,
+		"newCloudAppsDeleteCommand":                                true,
+		"newCloudAppsDeployCommand":                                true,
+		"newCloudAppsVariablesDeleteCommand":                       true,
+		"newCloudAppsVersionsArchiveShowCommand":                   true,
+		"newCloudAppsVersionsManifestCommand":                      true,
+		"newCloudOrganizationsAuthenticationProviderDeleteCommand": true,
+		"newCloudOrganizationsDeleteCommand":                       true,
+		"newCloudOrganizationsInvitationsDeleteCommand":            true,
+		"newCloudOrganizationsInvitationsSendCommand":              true,
+		"newCloudOrganizationsOAuthClientsDeleteCommand":           true,
+		"newCloudRegionsDeleteCommand":                             true,
+		"newConfigMigrateV3Command":                                true,
+		"newContextListCommand":                                    true,
+		"newLedgerExportCommand":                                   true,
+		"newPaymentsVersionsCommand":                               true,
+		"newSessionLoginClientCredentialsCommand":                  true,
+		"newSessionLoginNoneCommand":                               true,
+		"newSessionLoginTokenCommand":                              true,
+		"newSessionLogoutCommand":                                  true,
+		"newSessionStatusCommand":                                  true,
+		"newSessionTokenCommand":                                   true,
+		"newTargetInspectCommand":                                  true,
+		"newVersionCommand":                                        true,
+		"promptValue":                                              true,
+		"renderCloudApp":                                           true,
+		"renderCloudApps":                                          true,
+		"renderCloudRun":                                           true,
+		"renderCloudRunLogs":                                       true,
+		"renderCloudRuns":                                          true,
+		"renderCloudVariable":                                      true,
+		"renderCloudVariables":                                     true,
+		"renderCloudVersion":                                       true,
+		"renderCloudVersions":                                      true,
+		"renderPaymentConnectorConfig":                             true,
+		"renderSetupGuidance":                                      true,
+		"selectValue":                                              true,
+	}
+
+	fset := token.NewFileSet()
+	files, err := filepath.Glob("*.go")
+	if err != nil {
+		t.Fatalf("list cmd files: %v", err)
+	}
+
+	var violations []string
+	for _, file := range files {
+		if strings.HasSuffix(file, "_test.go") || file == "terminal_ui.go" || file == "output.go" {
+			continue
+		}
+		source, err := os.ReadFile(file)
+		if err != nil {
+			t.Fatalf("read %s: %v", file, err)
+		}
+		parsed, err := parser.ParseFile(fset, file, source, 0)
+		if err != nil {
+			t.Fatalf("parse %s: %v", file, err)
+		}
+		ast.Inspect(parsed, func(node ast.Node) bool {
+			fn, ok := node.(*ast.FuncDecl)
+			if !ok {
+				return true
+			}
+			ast.Inspect(fn.Body, func(inner ast.Node) bool {
+				call, ok := inner.(*ast.CallExpr)
+				if !ok || !isRawCommandOutputCall(call) || allowedRawOutputFunctions[fn.Name.Name] {
+					return true
+				}
+				pos := fset.Position(call.Pos())
+				violations = append(violations, fmt.Sprintf("%s:%d in %s", pos.Filename, pos.Line, fn.Name.Name))
+				return true
+			})
+			return false
+		})
+	}
+
+	sort.Strings(violations)
+	if len(violations) > 0 {
+		t.Fatalf("human plain output must use styled rendering helpers; found raw cmd.OutOrStdout writes:\n%s", strings.Join(violations, "\n"))
+	}
+}
+
+func isRawCommandOutputCall(call *ast.CallExpr) bool {
+	selector, ok := call.Fun.(*ast.SelectorExpr)
+	if !ok {
+		return false
+	}
+	if isFmtPrintSelector(selector) {
+		return len(call.Args) > 0 && isCommandOutputCall(call.Args[0]) && !usesStyledOutputHelper(call.Args[1:])
+	}
+	return selector.Sel.Name == "Write" && isCommandOutputCall(selector.X)
+}
+
+func isFmtPrintSelector(selector *ast.SelectorExpr) bool {
+	pkg, ok := selector.X.(*ast.Ident)
+	if !ok || pkg.Name != "fmt" {
+		return false
+	}
+	switch selector.Sel.Name {
+	case "Fprint", "Fprintf", "Fprintln":
+		return true
+	default:
+		return false
+	}
+}
+
+func isCommandOutputCall(expr ast.Expr) bool {
+	call, ok := expr.(*ast.CallExpr)
+	if !ok {
+		return false
+	}
+	selector, ok := call.Fun.(*ast.SelectorExpr)
+	return ok && selector.Sel.Name == "OutOrStdout"
+}
+
+func usesStyledOutputHelper(args []ast.Expr) bool {
+	for _, arg := range args {
+		call, ok := arg.(*ast.CallExpr)
+		if !ok {
+			continue
+		}
+		ident, ok := call.Fun.(*ast.Ident)
+		if !ok {
+			continue
+		}
+		switch ident.Name {
+		case "styledEmptyLine", "styledInfoLine", "styledKeyValueLine", "styledSuccessLine":
+			return true
+		}
+	}
+	return false
+}
diff --git a/v4/cmd/root.go b/v4/cmd/root.go
new file mode 100644
index 00000000..f09b2edc
--- /dev/null
+++ b/v4/cmd/root.go
@@ -0,0 +1,116 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	v4prompt "github.com/formancehq/fctl/v4/internal/prompt"
+)
+
+const (
+	contextFlag        = "context"
+	profileFlag        = "profile"
+	organizationFlag   = "organization"
+	stackFlag          = "stack"
+	configDirFlag      = "config-dir"
+	credentialDirFlag  = "credential-dir"
+	outputFlag         = "output"
+	nonInteractiveFlag = "non-interactive"
+	insecureTLSFlag    = "insecure-tls"
+	debugFlag          = "debug"
+	noColorFlag        = "no-color"
+)
+
+// NewRootCommand builds the v4 command tree. Keep this package focused on
+// parsing and dispatch; runtime work belongs under internal packages.
+func NewRootCommand(version string) *cobra.Command {
+	if version == "" {
+		version = "dev"
+	}
+
+	root := &cobra.Command{
+		Use:           "fctl",
+		Short:         "Formance Control CLI v4",
+		Long:          "Formance Control CLI v4 targets Cloud, self-hosted, and local Formance stacks through explicit profiles.",
+		Version:       version,
+		SilenceErrors: true,
+		SilenceUsage:  true,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return cmd.Help()
+		},
+	}
+
+	root.SetVersionTemplate("fctl v4 {{.Version}}\n")
+	root.PersistentFlags().String(profileFlag, "", "Profile to use")
+	root.PersistentFlags().String(contextFlag, "", "Deprecated alias for --profile")
+	root.PersistentFlags().String(organizationFlag, "", "Cloud or EE organization to target")
+	root.PersistentFlags().String(stackFlag, "", "Cloud or EE stack to target")
+	root.PersistentFlags().StringP(configDirFlag, "c", "", "Path to the v4 configuration directory")
+	root.PersistentFlags().String(credentialDirFlag, "", "Credential directory (defaults to the v4 config directory credentials subdirectory)")
+	root.PersistentFlags().StringP(outputFlag, "o", "plain", "Output format (plain, json, yaml)")
+	root.PersistentFlags().Bool(nonInteractiveFlag, false, "Disable interactive prompts")
+	root.PersistentFlags().Bool(insecureTLSFlag, false, "Skip TLS certificate verification")
+	root.PersistentFlags().BoolP(debugFlag, "d", false, "Enable technical debug logs on stderr")
+	root.PersistentFlags().Bool(noColorFlag, false, "Disable colored output")
+	_ = root.PersistentFlags().MarkDeprecated(contextFlag, "use --profile")
+	_ = root.PersistentFlags().MarkHidden(contextFlag)
+
+	root.AddCommand(newVersionCommand())
+	root.AddCommand(newLoginCommand())
+	root.AddCommand(newLogoutCommand())
+	root.AddCommand(newWhoamiCommand())
+	root.AddCommand(newProfileCommand())
+	root.AddCommand(newContextCommand())
+	root.AddCommand(newProfilesCommand())
+	root.AddCommand(newConfigCommand())
+	root.AddCommand(newSetupCommand(false))
+	root.AddCommand(newSetupCommand(true))
+	root.AddCommand(newSessionCommand())
+	root.AddCommand(newUICommand(true))
+	root.AddCommand(newTargetCommand())
+	root.AddCommand(newCloudCommand())
+	root.AddCommand(newCloudStacksCommand("cloud_stacks", "cloud stacks", true))
+	root.AddCommand(newCloudStacksCommand("stack", "cloud stacks", true))
+	root.AddCommand(newCloudStacksCommand("stacks", "cloud stacks", true))
+	root.AddCommand(newLedgerCommand())
+	root.AddCommand(newPaymentsCommand())
+	root.AddCommand(newWalletsCommand())
+	root.AddCommand(newFlowsCommand(false))
+	root.AddCommand(newFlowsCommand(true))
+	root.AddCommand(newReconciliationCommand())
+	root.AddCommand(newAuthCommand())
+	root.AddCommand(newWebhooksCommand())
+
+	return root
+}
+
+func newVersionCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "Print the fctl v4 version",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("fctl v4 %s", cmd.Root().Version)))
+			return err
+		},
+	}
+}
+
+// Execute runs the v4 command tree.
+func Execute(version string) {
+	root := NewRootCommand(version)
+	if err := root.Execute(); err != nil {
+		if isSilentExitError(err) {
+			return
+		}
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+func isSilentExitError(err error) bool {
+	return errors.Is(err, v4prompt.ErrCancelled)
+}
diff --git a/v4/cmd/root_test.go b/v4/cmd/root_test.go
new file mode 100644
index 00000000..05ac48ba
--- /dev/null
+++ b/v4/cmd/root_test.go
@@ -0,0 +1,10860 @@
+package cmd
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	v4prompt "github.com/formancehq/fctl/v4/internal/prompt"
+)
+
+func executeCommand(t *testing.T, args ...string) (string, string, error) {
+	t.Helper()
+
+	return executeCommandWithInput(t, "", args...)
+}
+
+func executeCommandWithInput(t *testing.T, input string, args ...string) (string, string, error) {
+	t.Helper()
+
+	command := NewRootCommand("test-version")
+	stdout := bytes.Buffer{}
+	stderr := bytes.Buffer{}
+	command.SetOut(&stdout)
+	command.SetErr(&stderr)
+	if input != "" {
+		command.SetIn(strings.NewReader(input))
+	}
+	command.SetArgs(args)
+
+	err := command.Execute()
+	return stdout.String(), stderr.String(), err
+}
+
+func readRequestBody(t *testing.T, r *http.Request) string {
+	t.Helper()
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		t.Fatalf("read request body: %v", err)
+	}
+	return string(body)
+}
+
+type roundTripFunc func(req *http.Request) (*http.Response, error)
+
+func (fn roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return fn(req)
+}
+
+func TestRootHelp(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "--help")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	for _, expected := range []string{
+		"Formance Control CLI v4",
+		"--profile",
+		"--organization",
+		"--stack",
+		"--config-dir",
+		"-c, --config-dir",
+		"-d, --debug",
+		"--insecure-tls",
+		"--no-color",
+		"--non-interactive",
+		"login",
+		"logout",
+		"profile",
+		"version",
+		"whoami",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected help output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+	for _, hidden := range []string{"--context", "session", " context "} {
+		if strings.Contains(stdout, hidden) {
+			t.Fatalf("expected help output not to contain hidden %q, got:\n%s", hidden, stdout)
+		}
+	}
+}
+
+func TestCloudHelpHidesApps(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "cloud", "--help")
+	if err != nil {
+		t.Fatalf("cloud help: %v stderr=%s", err, stderr)
+	}
+	if strings.Contains(stdout, "apps") || strings.Contains(stdout, "app ") {
+		t.Fatalf("cloud help should not expose apps commands, got:\n%s", stdout)
+	}
+	if !strings.Contains(stdout, "stacks") {
+		t.Fatalf("expected cloud help to keep visible stack commands, got:\n%s", stdout)
+	}
+}
+
+func TestVisibleLeafCommandHelpIsRoutable(t *testing.T) {
+	leaves := visibleLeafCommandPaths(NewRootCommand("test-version"))
+	if len(leaves) == 0 {
+		t.Fatal("expected visible leaf commands")
+	}
+	for _, leaf := range leaves {
+		leaf := leaf
+		t.Run(strings.Join(leaf, "_"), func(t *testing.T) {
+			args := append(append([]string{}, leaf...), "--help")
+			stdout, stderr, err := executeCommand(t, args...)
+			if err != nil {
+				t.Fatalf("%s --help failed: %v stderr=%s", strings.Join(leaf, " "), err, stderr)
+			}
+			if stdout == "" {
+				t.Fatalf("%s --help returned empty stdout", strings.Join(leaf, " "))
+			}
+		})
+	}
+}
+
+func visibleLeafCommandPaths(root *cobra.Command) [][]string {
+	paths := [][]string{}
+	var walk func(command *cobra.Command, path []string)
+	walk = func(command *cobra.Command, path []string) {
+		children := visibleRunnableSubcommands(command)
+		if len(children) == 0 {
+			if len(path) > 0 {
+				paths = append(paths, append([]string{}, path...))
+			}
+			return
+		}
+		for _, child := range children {
+			walk(child, append(path, child.Name()))
+		}
+	}
+	walk(root, nil)
+	paths = append(paths, []string{"help"})
+	return paths
+}
+
+func visibleRunnableSubcommands(command *cobra.Command) []*cobra.Command {
+	children := []*cobra.Command{}
+	for _, child := range command.Commands() {
+		if child.Hidden || child.Name() == "help" {
+			continue
+		}
+		children = append(children, child)
+	}
+	return children
+}
+
+func TestPromptCancelledIsSilentExit(t *testing.T) {
+	if !isSilentExitError(v4prompt.ErrCancelled) {
+		t.Fatal("expected prompt cancellation to be a silent exit")
+	}
+	if !isSilentExitError(fmt.Errorf("wrapped: %w", v4prompt.ErrCancelled)) {
+		t.Fatal("expected wrapped prompt cancellation to be a silent exit")
+	}
+	if isSilentExitError(errors.New("other error")) {
+		t.Fatal("unexpected silent exit for unrelated error")
+	}
+}
+
+func TestLoginOpenSourceWizardCreatesDefaultProfile(t *testing.T) {
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommandWithInput(t,
+		"3\nhttp://localhost:8080\n",
+		"--config-dir", configDir,
+		"login",
+	)
+	if err != nil {
+		t.Fatalf("login wizard open-source: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Logged in with profile default.") {
+		t.Fatalf("unexpected login output:\n%s", stdout)
+	}
+	for _, expected := range []string{
+		"Target\tFormance Open Source / local\n",
+		"Stack URL\thttp://localhost:8080\n",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected login output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load login config: %v", err)
+	}
+	profile := cfg.Contexts["default"]
+	if cfg.CurrentContext != "default" ||
+		profile.Kind != v4config.ContextKindStack ||
+		profile.StackURL != "http://localhost:8080" ||
+		profile.Auth.Method != v4config.AuthMethodNone {
+		t.Fatalf("unexpected default profile: current=%q profile=%#v", cfg.CurrentContext, profile)
+	}
+}
+
+func TestLoginBrowserDeviceFlowCreatesCloudAndEEProfiles(t *testing.T) {
+	for _, tc := range []struct {
+		name       string
+		target     string
+		input      string
+		wantKind   v4config.ContextKind
+		extraFlags []string
+		wantOutput []string
+	}{
+		{
+			name:     "cloud",
+			input:    "1\n1\n",
+			wantKind: v4config.ContextKindCloud,
+			wantOutput: []string{
+				"Target\tFormance Cloud\n",
+				"Authentication\tBrowser/device login\n",
+			},
+		},
+		{
+			name:     "ee",
+			target:   "ee",
+			input:    "1\n",
+			wantKind: v4config.ContextKindCloudStack,
+			extraFlags: []string{
+				"--organization", "org_1",
+				"--stack", "stack_1",
+			},
+			wantOutput: []string{
+				"Authentication\tBrowser/device login\n",
+			},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			configDir := t.TempDir()
+			openedURL := ""
+			previousOpenURL := loginOpenURL
+			loginOpenURL = func(url string) error {
+				openedURL = url
+				return nil
+			}
+			t.Cleanup(func() {
+				loginOpenURL = previousOpenURL
+			})
+
+			server := newDeviceLoginOIDCServer(t)
+			defer server.Close()
+
+			args := []string{"--config-dir", configDir}
+			args = append(args, tc.extraFlags...)
+			args = append(args,
+				"login",
+				"--membership-url", server.URL,
+			)
+			if tc.target != "" {
+				args = append(args, "--target", tc.target)
+			}
+
+			stdout, stderr, err := executeCommandWithInput(t,
+				tc.input,
+				args...,
+			)
+			if err != nil {
+				t.Fatalf("login browser/device: %v stderr=%s", err, stderr)
+			}
+			if stderr != "" {
+				t.Fatalf("expected empty stderr, got %q", stderr)
+			}
+			if strings.Contains(stdout, "Static token") {
+				t.Fatalf("login prompt must not offer static token auth, got:\n%s", stdout)
+			}
+			if !strings.Contains(stdout, "A browser window has been opened on https://verify.example?user_code=USER-CODE") ||
+				!strings.Contains(stdout, "Waiting for authentication...") ||
+				!strings.Contains(stdout, "Logged in with profile default.") {
+				t.Fatalf("unexpected login output:\n%s", stdout)
+			}
+			for _, expected := range tc.wantOutput {
+				if !strings.Contains(stdout, expected) {
+					t.Fatalf("expected login output to contain %q, got:\n%s", expected, stdout)
+				}
+			}
+			if openedURL != "https://verify.example?user_code=USER-CODE" {
+				t.Fatalf("unexpected opened URL %q", openedURL)
+			}
+
+			cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+			if err != nil {
+				t.Fatalf("load login config: %v", err)
+			}
+			profile := cfg.Contexts["default"]
+			if cfg.CurrentContext != "default" ||
+				profile.Kind != tc.wantKind ||
+				profile.CloudURL != server.URL ||
+				profile.Auth.Method != v4config.AuthMethodCloudDevice ||
+				profile.Auth.IssuerURL != server.URL ||
+				profile.Auth.TokenRef != "contexts/default/root-tokens" ||
+				profile.Auth.Account != "user@example.com" {
+				t.Fatalf("unexpected device login profile: current=%q profile=%#v", cfg.CurrentContext, profile)
+			}
+			if tc.wantKind == v4config.ContextKindCloudStack &&
+				(profile.Organization != "org_1" || profile.Stack != "stack_1") {
+				t.Fatalf("unexpected cloud-stack selection: %#v", profile)
+			}
+			storedTokens, err := os.ReadFile(filepath.Join(configDir, "credentials", "contexts", "default", "root-tokens"))
+			if err != nil {
+				t.Fatalf("expected stored root tokens: %v", err)
+			}
+			if !strings.Contains(string(storedTokens), "access-token") ||
+				!strings.Contains(string(storedTokens), "refresh-token") {
+				t.Fatalf("unexpected stored root tokens: %s", string(storedTokens))
+			}
+		})
+	}
+}
+
+func newDeviceLoginOIDCServer(t *testing.T) *httptest.Server {
+	t.Helper()
+
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/_info":
+			fmt.Fprint(w, `{"version":"v1.0.0","consoleURL":"https://portal.example"}`)
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"device_authorization_endpoint":%q,"token_endpoint":%q}`, server.URL+"/device", server.URL+"/token")
+		case "/device":
+			clientID, clientSecret, ok := r.BasicAuth()
+			if !ok || clientID != "fctl" || clientSecret != "" {
+				t.Fatalf("unexpected device basic auth: %q %q %v", clientID, clientSecret, ok)
+			}
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse device form: %v", err)
+			}
+			if r.Form.Get("scope") != "openid offline_access accesses on_behalf" {
+				t.Fatalf("unexpected device scope %q", r.Form.Get("scope"))
+			}
+			if r.Form.Get("prompt") != "no-org" {
+				t.Fatalf("unexpected device prompt %q", r.Form.Get("prompt"))
+			}
+			fmt.Fprint(w, `{"device_code":"device-code","user_code":"USER-CODE","verification_uri":"https://verify.example","interval":1}`)
+		case "/token":
+			clientID, clientSecret, ok := r.BasicAuth()
+			if !ok || clientID != "fctl" || clientSecret != "" {
+				t.Fatalf("unexpected token basic auth: %q %q %v", clientID, clientSecret, ok)
+			}
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse token form: %v", err)
+			}
+			if r.Form.Get("grant_type") != "urn:ietf:params:oauth:grant-type:device_code" ||
+				r.Form.Get("device_code") != "device-code" {
+				t.Fatalf("unexpected token form: %s", r.Form.Encode())
+			}
+			fmt.Fprintf(w, `{"access_token":"access-token","token_type":"Bearer","refresh_token":"refresh-token","id_token":%q,"expires_in":3600}`,
+				testJWT(t, map[string]any{"email": "user@example.com"}))
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	return server
+}
+
+func testJWT(t *testing.T, claims map[string]any) string {
+	t.Helper()
+
+	header, err := json.Marshal(map[string]string{"alg": "none"})
+	if err != nil {
+		t.Fatalf("marshal jwt header: %v", err)
+	}
+	payload, err := json.Marshal(claims)
+	if err != nil {
+		t.Fatalf("marshal jwt payload: %v", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
+}
+
+func TestLoginDoesNotExposeStaticTokenAuth(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "login", "--help")
+	if err != nil {
+		t.Fatalf("login help: %v stderr=%s", err, stderr)
+	}
+	for _, hidden := range []string{"Static token", "--token", "--token-stdin"} {
+		if strings.Contains(stdout, hidden) {
+			t.Fatalf("login help must not expose %q, got:\n%s", hidden, stdout)
+		}
+	}
+
+	_, stderr, err = executeCommand(t, "login", "--target", "cloud", "--token", "secret")
+	if err == nil {
+		t.Fatal("expected --token to be rejected by login")
+	}
+	if !strings.Contains(err.Error(), "unknown flag: --token") {
+		t.Fatalf("unexpected --token error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestLoginCloudClientCredentialsAndLogout(t *testing.T) {
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--profile", "production",
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"login",
+		"--target", "cloud",
+		"--client-id", "client",
+		"--client-secret", "super-secret",
+	)
+	if err != nil {
+		t.Fatalf("login cloud client credentials: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Logged in with profile production.\n" {
+		t.Fatalf("unexpected login output: %q", stdout)
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load login config: %v", err)
+	}
+	profile := cfg.Contexts["production"]
+	if cfg.CurrentContext != "production" ||
+		profile.Kind != v4config.ContextKindCloudStack ||
+		profile.CloudURL != v4config.DefaultCloudURL ||
+		profile.Organization != "org_1" ||
+		profile.Stack != "stack_1" ||
+		profile.Auth.Method != v4config.AuthMethodClientCredentials ||
+		profile.Auth.ClientID != "client" ||
+		profile.Auth.SecretRef != "contexts/production/client-secret" {
+		t.Fatalf("unexpected production profile: current=%q profile=%#v", cfg.CurrentContext, profile)
+	}
+	if !stringSliceContains(profile.Auth.Scopes, "organization:ListStacks") {
+		t.Fatalf("expected cloud client credentials to include organization scopes, got %#v", profile.Auth.Scopes)
+	}
+	if strings.Contains(fmt.Sprintf("%#v", profile), "super-secret") {
+		t.Fatalf("profile must not contain clear client secret: %#v", profile)
+	}
+	if _, err := os.Stat(filepath.Join(configDir, "credentials", "contexts", "production", "client-secret")); err != nil {
+		t.Fatalf("expected stored client secret: %v", err)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"whoami",
+	)
+	if err != nil {
+		t.Fatalf("whoami: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"Profile\tproduction\n",
+		"Target\tcloud-stack\n",
+		"Auth\tclient_credentials\n",
+		"Organization\torg_1\n",
+		"Stack\tstack_1\n",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected whoami output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"logout",
+	)
+	if err != nil {
+		t.Fatalf("logout: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Logged out from profile production.\n" {
+		t.Fatalf("unexpected logout output: %q", stdout)
+	}
+	cfg, err = v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load logout config: %v", err)
+	}
+	if cfg.Contexts["production"].Auth.Method != v4config.AuthMethodNone {
+		t.Fatalf("expected logout to clear auth: %#v", cfg.Contexts["production"].Auth)
+	}
+}
+
+func TestLoginNonInteractiveDoesNotPrompt(t *testing.T) {
+	configDir := t.TempDir()
+
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--non-interactive",
+		"login",
+	)
+	if err == nil {
+		t.Fatal("expected missing target to fail in non-interactive mode")
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "login requires --target in non-interactive mode") {
+		t.Fatalf("unexpected missing target error: %v", err)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--non-interactive",
+		"login",
+		"--target", "open-source",
+	)
+	if err == nil {
+		t.Fatal("expected missing stack URL to fail in non-interactive mode")
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "login open-source requires --stack-url") {
+		t.Fatalf("unexpected missing stack URL error: %v", err)
+	}
+}
+
+func TestInsecureTLSFlagAllowsSelfSignedStackTarget(t *testing.T) {
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "tls-local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create TLS context: %v stderr=%s", err, stderr)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "target", "inspect")
+	if err == nil {
+		t.Fatal("expected self-signed TLS target to fail without --insecure-tls")
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "--insecure-tls", "target", "inspect")
+	if err != nil {
+		t.Fatalf("inspect target with --insecure-tls: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Context: tls-local") || !strings.Contains(stdout, "ledger 2.3.4 healthy") {
+		t.Fatalf("unexpected inspect output:\n%s", stdout)
+	}
+}
+
+func TestConfigDirShortFlag(t *testing.T) {
+	configDir := t.TempDir()
+	stdout, stderr, err := executeCommand(t,
+		"-c", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost/api",
+	)
+	if err != nil {
+		t.Fatalf("create context with -c: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context local created.\n" {
+		t.Fatalf("unexpected create output: %q", stdout)
+	}
+	if _, err := os.Stat(filepath.Join(configDir, "config.yaml")); err != nil {
+		t.Fatalf("expected config written through -c: %v", err)
+	}
+}
+
+func TestVersionCommand(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "version")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if stdout != "fctl v4 test-version\n" {
+		t.Fatalf("unexpected version output: %q", stdout)
+	}
+}
+
+func TestSetupAndPromptAlias(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "setup")
+	if err != nil {
+		t.Fatalf("setup: %v stderr=%s", err, stderr)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(stdout, "fctl login") ||
+		!strings.Contains(stdout, "fctl profile create stack <name> --stack-url <url>") {
+		t.Fatalf("unexpected setup output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "prompt")
+	if err != nil {
+		t.Fatalf("prompt alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command prompt has been deprecated, use setup or login") {
+		t.Fatalf("expected prompt warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "fctl login") ||
+		!strings.Contains(stdout, "fctl profile create stack <name> --stack-url <url>") {
+		t.Fatalf("unexpected prompt output:\n%s", stdout)
+	}
+}
+
+func TestUIPrintsCloudConsoleURL(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/_info" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"version":"test","consoleURL":"https://console.example"}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "ui", "--print")
+	if err != nil {
+		t.Fatalf("cloud ui print: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Console URL: https://console.example\n" {
+		t.Fatalf("unexpected cloud ui output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "ui", "--print")
+	if err != nil {
+		t.Fatalf("root ui alias print: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command ui has been deprecated, use cloud ui") {
+		t.Fatalf("expected root ui deprecation warning, got:\n%s", stderr)
+	}
+	if stdout != "Console URL: https://console.example\n" {
+		t.Fatalf("unexpected root ui alias output: %q", stdout)
+	}
+}
+
+func TestUIPrintsDefaultConsoleURLWhenCloudInfoOmitsIt(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/_info" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"version":"test"}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "ui", "--print")
+	if err != nil {
+		t.Fatalf("cloud ui print: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Console URL: https://portal.formance.cloud\n" {
+		t.Fatalf("unexpected cloud ui fallback output: %q", stdout)
+	}
+}
+
+func TestUIRejectsStackContext(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost/api",
+	)
+	if err != nil {
+		t.Fatalf("create stack context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "ui", "--print")
+	if err == nil {
+		t.Fatal("expected cloud ui to reject stack contexts")
+	}
+	if !strings.Contains(err.Error(), "cloud commands require a cloud or cloud-stack context") {
+		t.Fatalf("unexpected ui error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestContextCreateListShowUse(t *testing.T) {
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost/api",
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context local created.\n" {
+		t.Fatalf("unexpected create output: %q", stdout)
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+	if cfg.CurrentContext != "local" {
+		t.Fatalf("expected current context local, got %q", cfg.CurrentContext)
+	}
+	if cfg.Contexts["local"].Defaults["ledger"] != "default" {
+		t.Fatalf("expected default ledger to be persisted")
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "context", "list")
+	if err != nil {
+		t.Fatalf("list contexts: %v stderr=%s", err, stderr)
+	}
+	if stdout != "* local\n" {
+		t.Fatalf("unexpected list output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "context", "show", "local")
+	if err != nil {
+		t.Fatalf("show context: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Name: local") || !strings.Contains(stdout, "Kind: stack") {
+		t.Fatalf("unexpected show output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "other",
+		"--stack-url", "http://other/api",
+	)
+	if err != nil {
+		t.Fatalf("create second context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context other created.\n" {
+		t.Fatalf("unexpected second create output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "context", "use", "other")
+	if err != nil {
+		t.Fatalf("use context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Current context set to other.\n" {
+		t.Fatalf("unexpected use output: %q", stdout)
+	}
+
+	cfg, err = v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config after use: %v", err)
+	}
+	if cfg.CurrentContext != "other" {
+		t.Fatalf("expected current context other, got %q", cfg.CurrentContext)
+	}
+}
+
+func TestContextCreateCloudAndCloudStack(t *testing.T) {
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", "https://cloud.example/api",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context cloud created.\n" {
+		t.Fatalf("unexpected cloud create output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", "https://cloud.example/api",
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context prod created.\n" {
+		t.Fatalf("unexpected cloud-stack create output: %q", stdout)
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+	if cfg.Contexts["cloud"].Kind != v4config.ContextKindCloud {
+		t.Fatalf("expected cloud context kind, got %q", cfg.Contexts["cloud"].Kind)
+	}
+	prod := cfg.Contexts["prod"]
+	if prod.Kind != v4config.ContextKindCloudStack || prod.Organization != "org_1" || prod.Stack != "stack_1" {
+		t.Fatalf("unexpected cloud-stack context: %#v", prod)
+	}
+	if prod.Defaults["ledger"] != "default" {
+		t.Fatalf("expected default ledger")
+	}
+}
+
+func TestGlobalOrganizationStackOverride(t *testing.T) {
+	stackServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"3.2.4","health":true}]}`)
+	}))
+	defer stackServer.Close()
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/organizations/org_1/stacks/stack_1" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprintf(w, `{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`, stackServer.URL)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"profile", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud profile: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"target", "inspect",
+	)
+	if err != nil {
+		t.Fatalf("inspect cloud-stack override: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Target: "+stackServer.URL+" (cloud-stack)") ||
+		!strings.Contains(stdout, "ledger 3.2.4 healthy") {
+		t.Fatalf("unexpected target inspect output:\n%s", stdout)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--stack", "stack_1",
+		"target", "inspect",
+	)
+	if err == nil {
+		t.Fatal("expected stack override without organization to fail")
+	}
+	if !strings.Contains(err.Error(), "organization is required for cloud-stack targets") {
+		t.Fatalf("unexpected missing organization error: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"profile", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create stack profile: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--profile", "local",
+		"--organization", "org_1",
+		"target", "inspect",
+	)
+	if err == nil {
+		t.Fatal("expected organization override on stack profile to fail")
+	}
+	if !strings.Contains(err.Error(), "--organization and --stack can only be used with Cloud or EE profiles") {
+		t.Fatalf("unexpected stack profile override error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestContextSetUpdatesCloudStack(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", "https://cloud.example/api",
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "set", "prod",
+		"--organization", "org_2",
+		"--stack", "stack_2",
+		"--default-ledger", "ledger_2",
+	)
+	if err != nil {
+		t.Fatalf("set context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context prod updated.\n" {
+		t.Fatalf("unexpected set output: %q", stdout)
+	}
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+	prod := cfg.Contexts["prod"]
+	if prod.Organization != "org_2" || prod.Stack != "stack_2" || prod.Defaults["ledger"] != "ledger_2" {
+		t.Fatalf("unexpected updated context: %#v", prod)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "context", "unset-defaults", "prod")
+	if err == nil {
+		t.Fatal("expected context unset-defaults to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "context", "unset-defaults", "prod", "--confirm")
+	if err != nil {
+		t.Fatalf("unset context defaults: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context prod defaults cleared.\n" {
+		t.Fatalf("unexpected unset-defaults output: %q", stdout)
+	}
+	cfg, err = v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config after unset defaults: %v", err)
+	}
+	if cfg.Contexts["prod"].Defaults != nil {
+		t.Fatalf("expected defaults to be cleared, got %#v", cfg.Contexts["prod"].Defaults)
+	}
+}
+
+func TestProfilesDefaultAliases(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", "https://cloud.example/api",
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "profiles", "set-default-organization", "org_2")
+	if err != nil {
+		t.Fatalf("profiles set-default-organization: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context prod updated.\n" {
+		t.Fatalf("unexpected set-default-organization output: %q", stdout)
+	}
+	if !strings.Contains(stderr, "Command profiles has been deprecated, use profile") ||
+		!strings.Contains(stderr, "use profile set --organization <organization-id>") {
+		t.Fatalf("expected profiles organization deprecation warnings, got:\n%s", stderr)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "profiles", "set-default-stack", "stack_2")
+	if err != nil {
+		t.Fatalf("profiles set-default-stack: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context prod updated.\n" {
+		t.Fatalf("unexpected set-default-stack output: %q", stdout)
+	}
+	if !strings.Contains(stderr, "Command profiles has been deprecated, use profile") ||
+		!strings.Contains(stderr, "use profile set --stack <stack-id>") {
+		t.Fatalf("expected profiles stack deprecation warnings, got:\n%s", stderr)
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+	if cfg.Contexts["prod"].Organization != "org_2" || cfg.Contexts["prod"].Stack != "stack_2" {
+		t.Fatalf("expected profile aliases to update cloud-stack defaults: %#v", cfg.Contexts["prod"])
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "profiles", "reset", "prod", "--confirm")
+	if err != nil {
+		t.Fatalf("profiles reset: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context prod defaults cleared.\n" {
+		t.Fatalf("unexpected profiles reset output: %q", stdout)
+	}
+	if !strings.Contains(stderr, "Command profiles has been deprecated, use profile") ||
+		!strings.Contains(stderr, "use profile unset-defaults <name> --confirm") {
+		t.Fatalf("expected profiles reset deprecation warnings, got:\n%s", stderr)
+	}
+	cfg, err = v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config after reset: %v", err)
+	}
+	if cfg.Contexts["prod"].Defaults != nil {
+		t.Fatalf("expected profile reset alias to clear defaults, got %#v", cfg.Contexts["prod"].Defaults)
+	}
+}
+
+func TestContextRenameAndDelete(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost/api",
+	)
+	if err != nil {
+		t.Fatalf("create local context: %v stderr=%s", err, stderr)
+	}
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "other",
+		"--stack-url", "http://other/api",
+	)
+	if err != nil {
+		t.Fatalf("create other context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "rename", "local", "renamed")
+	if err != nil {
+		t.Fatalf("rename context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context local renamed to renamed.\n" {
+		t.Fatalf("unexpected rename output: %q", stdout)
+	}
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+	if cfg.CurrentContext != "renamed" {
+		t.Fatalf("expected current context renamed, got %q", cfg.CurrentContext)
+	}
+	if _, ok := cfg.Contexts["local"]; ok {
+		t.Fatalf("old context name still exists")
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "context", "delete", "renamed")
+	if err == nil {
+		t.Fatal("expected context delete to require --confirm")
+	}
+	_, _, err = executeCommand(t, "--config-dir", configDir, "context", "delete", "renamed", "--confirm")
+	if err == nil {
+		t.Fatal("expected current context delete to require --force")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "context", "delete", "renamed", "--confirm", "--force")
+	if err != nil {
+		t.Fatalf("delete context: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Context renamed deleted.\n" {
+		t.Fatalf("unexpected delete output: %q", stdout)
+	}
+	cfg, err = v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load config after delete: %v", err)
+	}
+	if _, ok := cfg.Contexts["renamed"]; ok {
+		t.Fatalf("deleted context still exists")
+	}
+	if cfg.CurrentContext != "" {
+		t.Fatalf("expected current context to be cleared, got %q", cfg.CurrentContext)
+	}
+}
+
+func TestProfilesDeprecatedAlias(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost/api",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "profiles", "list")
+	if err != nil {
+		t.Fatalf("profiles list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command profiles has been deprecated, use profile") {
+		t.Fatalf("expected profiles warning, got:\n%s", stderr)
+	}
+	if stdout != "* local\n" {
+		t.Fatalf("unexpected profiles list output: %q", stdout)
+	}
+}
+
+func TestCloudMeShow(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/me" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"data":{"id":"user_1","email":"user@example.com","role":"USER"}}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "me", "show")
+	if err != nil {
+		t.Fatalf("cloud me show: %v stderr=%s", err, stderr)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	for _, expected := range []string{"ID\tuser_1", "Email\tuser@example.com", "Role\tUSER"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected cloud me output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestCloudMeInvitations(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/me/invitations":
+			if got := r.URL.Query().Get("status"); got != "PENDING" {
+				t.Fatalf("expected status PENDING, got %q", got)
+			}
+			if got := r.URL.Query().Get("organization"); got != "org_1" {
+				t.Fatalf("expected organization org_1, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":"inv_1","organizationId":"org_1","userEmail":"user@example.com","status":"PENDING","creationDate":"2026-01-01T00:00:00Z"}]}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/me/invitations/inv_1/accept":
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodPost && r.URL.Path == "/me/invitations/inv_1/reject":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "me", "invitations", "list", "--status", "PENDING", "--organization", "org_1")
+	if err != nil {
+		t.Fatalf("cloud me invitations list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "inv_1\torg_1\tuser@example.com\tPENDING") {
+		t.Fatalf("unexpected invitations list output:\n%s", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "me", "invitations", "accept", "inv_1")
+	if err == nil {
+		t.Fatal("expected invitation accept to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "me", "invitations", "accept", "inv_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud me invitations accept: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud invitation inv_1 accepted.\n" {
+		t.Fatalf("unexpected accept output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "me", "invitations", "decline", "inv_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud me invitations decline: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud invitation inv_1 declined.\n" {
+		t.Fatalf("unexpected decline output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationsListAndShow(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/organizations":
+			fmt.Fprint(w, `{"data":[{"id":"org_1","name":"Acme","ownerId":"user_1","domain":"acme.test","totalStacks":2,"totalUsers":3}]}`)
+		case "/organizations/org_1":
+			fmt.Fprint(w, `{"data":{"id":"org_1","name":"Acme","ownerId":"user_1","domain":"acme.test","totalStacks":2,"totalUsers":3}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "list")
+	if err != nil {
+		t.Fatalf("cloud organizations list: %v stderr=%s", err, stderr)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(stdout, "org_1\tAcme\tuser_1") {
+		t.Fatalf("unexpected organizations list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "describe", "org_1")
+	if err != nil {
+		t.Fatalf("cloud organizations describe: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command cloud organizations describe has been deprecated, use cloud organizations show") {
+		t.Fatalf("expected describe deprecation warning, got:\n%s", stderr)
+	}
+	for _, expected := range []string{"ID\torg_1", "Name\tAcme", "Owner\tuser_1", "Domain\tacme.test"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected organization output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestCloudDeviceUsesRootTokenForMembershipAndOrganizationTokenForStacks(t *testing.T) {
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/_info":
+			fmt.Fprint(w, `{"version":"v1.0.0","consoleURL":"https://portal.example"}`)
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"device_authorization_endpoint":%q,"token_endpoint":%q}`, server.URL+"/device", server.URL+"/token")
+		case "/organizations":
+			if got := r.Header.Get("Authorization"); got != "Bearer root-token" {
+				t.Fatalf("expected root token for organizations list, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":"org_1","name":"Acme","ownerId":"user_1","domain":"acme.test","totalStacks":1,"totalUsers":3}]}`)
+		case "/organizations/org_1":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token for organization show, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":{"id":"org_1","name":"Acme","ownerId":"user_1","domain":"acme.test","totalStacks":1,"totalUsers":3}}`)
+		case "/organizations/org_1/users":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token for organization users list, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":"user_1","email":"user@example.com","policyId":8}]}`)
+		case "/organizations/org_1/policies":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token for organization policies list, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":8,"name":"OrganizationAdmin","description":"Admin policy","organizationId":"org_1","protected":true,"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}]}`)
+		case "/device":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse device form: %v", err)
+			}
+			if r.Form.Get("organization_id") != "org_1" {
+				t.Fatalf("unexpected organization_id %q", r.Form.Get("organization_id"))
+			}
+			if r.Form.Get("id_token_hint") != "root-id-token" {
+				t.Fatalf("unexpected id_token_hint %q", r.Form.Get("id_token_hint"))
+			}
+			if !strings.Contains(r.Form.Get("scope"), "openid offline_access") ||
+				!strings.Contains(r.Form.Get("scope"), "organization:ListStacks") ||
+				!strings.Contains(r.Form.Get("scope"), "organization:ListRegions") {
+				t.Fatalf("unexpected organization device scope %q", r.Form.Get("scope"))
+			}
+			fmt.Fprint(w, `{"device_code":"org-device-code","user_code":"ORG-CODE","verification_uri":"https://verify.example","interval":1}`)
+		case "/token":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse token form: %v", err)
+			}
+			if r.Form.Get("grant_type") != "urn:ietf:params:oauth:grant-type:device_code" ||
+				r.Form.Get("device_code") != "org-device-code" {
+				t.Fatalf("unexpected token form: %s", r.Form.Encode())
+			}
+			fmt.Fprint(w, `{"access_token":"org-token","token_type":"Bearer","refresh_token":"org-refresh-token","expires_in":3600}`)
+		case "/organizations/org_1/stacks":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token for stacks list, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack.example/api","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"auditEnabled":false,"synchronised":true,"modules":[]}]}`)
+		case "/organizations/org_1/regions":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token for regions list, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":"eu-west-1","name":"EU West","baseUrl":"https://region.example","createdAt":"2026-01-01T00:00:00Z","active":true,"public":true,"agentID":"agent_1","outdated":false,"version":"v1"}]}`)
+		case "/organizations/org_1/stacks/stack_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("unexpected method %s for stack endpoint", r.Method)
+			}
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token for stack delete, got %q", got)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	openedURL := ""
+	previousOpenURL := loginOpenURL
+	loginOpenURL = func(url string) error {
+		openedURL = url
+		return nil
+	}
+	t.Cleanup(func() {
+		loginOpenURL = previousOpenURL
+	})
+
+	configDir := t.TempDir()
+	cfg := v4config.Config{
+		Version:        v4config.Version,
+		CurrentContext: "cloud",
+		Contexts: map[string]v4config.Context{
+			"cloud": {
+				Kind:     v4config.ContextKindCloud,
+				CloudURL: server.URL,
+				Auth: v4config.Auth{
+					Method:    v4config.AuthMethodCloudDevice,
+					IssuerURL: server.URL,
+					TokenRef:  "contexts/cloud/root-tokens",
+					Scopes:    []string{"organization:ListStacks"},
+				},
+			},
+		},
+	}
+	if err := v4config.SaveFile(filepath.Join(configDir, "config.yaml"), cfg); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+	tokenPath := filepath.Join(configDir, "credentials", "contexts", "cloud", "root-tokens")
+	if err := os.MkdirAll(filepath.Dir(tokenPath), 0o700); err != nil {
+		t.Fatalf("create credential dir: %v", err)
+	}
+	if err := os.WriteFile(tokenPath, []byte(`{"accessToken":{"token":"root-token","tokenType":"Bearer","refreshToken":"root-refresh"},"idToken":"root-id-token","refreshToken":"root-refresh"}`), 0o600); err != nil {
+		t.Fatalf("write root token: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "list")
+	if err != nil {
+		t.Fatalf("cloud organizations list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "org_1\tAcme\tuser_1") {
+		t.Fatalf("unexpected organizations output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "show", "org_1")
+	if err != nil {
+		t.Fatalf("cloud organizations show: %v stderr=%s", err, stderr)
+	}
+	if openedURL != "https://verify.example?user_code=ORG-CODE" {
+		t.Fatalf("unexpected organization auth URL %q", openedURL)
+	}
+	if !strings.Contains(stdout, "ID\torg_1") {
+		t.Fatalf("unexpected organization show output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "users", "list", "--organization", "org_1")
+	if err != nil {
+		t.Fatalf("cloud organizations users list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "user_1\tuser@example.com\t8") {
+		t.Fatalf("unexpected organization users output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "list", "--organization", "org_1")
+	if err != nil {
+		t.Fatalf("cloud organizations policies list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "8\tOrganizationAdmin\ttrue") {
+		t.Fatalf("unexpected organization policies output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "list", "--organization", "org_1")
+	if err != nil {
+		t.Fatalf("cloud stacks list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "stack_1") {
+		t.Fatalf("unexpected stacks output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "regions", "list", "--organization", "org_1")
+	if err != nil {
+		t.Fatalf("cloud regions list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "eu-west-1") {
+		t.Fatalf("unexpected regions output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "delete", "stack_1", "--organization", "org_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud stacks delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 deleted.\n" {
+		t.Fatalf("unexpected delete output: %q", stdout)
+	}
+}
+
+func TestLedgerInfoCloudDeviceScopesOrganizationAndStackTokens(t *testing.T) {
+	var stackServer *httptest.Server
+	stackServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/api/auth/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, stackServer.URL+"/api/auth/token")
+		case "/api/auth/token":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse stack token form: %v", err)
+			}
+			if r.Form.Get("assertion") != "stack-assertion" {
+				t.Fatalf("unexpected stack assertion %q", r.Form.Get("assertion"))
+			}
+			fmt.Fprint(w, `{"access_token":"stack-token","token_type":"Bearer","expires_in":3600}`)
+		case "/versions":
+			if got := r.Header.Get("Authorization"); got != "Bearer stack-token" {
+				t.Fatalf("expected stack token on versions, got %q", got)
+			}
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"1.9.0","health":true},{"name":"payments","version":"3.2.0","health":true}]}`)
+		case "/api/ledger/_info":
+			if got := r.Header.Get("Authorization"); got != "Bearer stack-token" {
+				t.Fatalf("expected stack token on ledger info, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":{"server":"ledger","version":"1.9.0","config":{}}}`)
+		default:
+			t.Fatalf("unexpected stack path %s", r.URL.Path)
+		}
+	}))
+	defer stackServer.Close()
+
+	var membershipServer *httptest.Server
+	membershipServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"device_authorization_endpoint":%q,"token_endpoint":%q}`, membershipServer.URL+"/device", membershipServer.URL+"/token")
+		case "/device":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse device form: %v", err)
+			}
+			if r.Form.Get("organization_id") != "org_1" {
+				t.Fatalf("unexpected organization_id %q", r.Form.Get("organization_id"))
+			}
+			if r.Form.Get("id_token_hint") != "root-id-token" {
+				t.Fatalf("unexpected id_token_hint %q", r.Form.Get("id_token_hint"))
+			}
+			switch {
+			case r.Form.Get("resource") == "":
+				if !strings.Contains(r.Form.Get("scope"), "organization:ReadStack") {
+					t.Fatalf("expected organization scopes, got %q", r.Form.Get("scope"))
+				}
+				fmt.Fprint(w, `{"device_code":"org-device-code","user_code":"ORG-CODE","verification_uri":"https://verify.example","interval":1}`)
+			case r.Form.Get("resource") == "stack://org_1/stack_1|stack:Read stack:Write":
+				if r.Form.Get("scope") != "openid offline_access" {
+					t.Fatalf("unexpected stack scope %q", r.Form.Get("scope"))
+				}
+				fmt.Fprint(w, `{"device_code":"stack-device-code","user_code":"STACK-CODE","verification_uri":"https://verify.example","interval":1}`)
+			default:
+				t.Fatalf("unexpected resource %q", r.Form.Get("resource"))
+			}
+		case "/token":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse token form: %v", err)
+			}
+			switch r.Form.Get("device_code") {
+			case "org-device-code":
+				fmt.Fprint(w, `{"access_token":"org-token","token_type":"Bearer","refresh_token":"org-refresh-token","expires_in":3600}`)
+			case "stack-device-code":
+				if r.Form.Get("resource") != "stack://org_1/stack_1|stack:Read stack:Write" {
+					t.Fatalf("unexpected token resource %q", r.Form.Get("resource"))
+				}
+				fmt.Fprint(w, `{"access_token":"stack-assertion","token_type":"Bearer","refresh_token":"stack-refresh-token","expires_in":3600}`)
+			default:
+				t.Fatalf("unexpected device_code %q", r.Form.Get("device_code"))
+			}
+		case "/organizations/org_1/stacks/stack_1":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected organization token on stack lookup, got %q", got)
+			}
+			fmt.Fprintf(w, `{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`, stackServer.URL)
+		default:
+			t.Fatalf("unexpected membership path %s", r.URL.Path)
+		}
+	}))
+	defer membershipServer.Close()
+
+	openedURLs := []string{}
+	previousOpenURL := loginOpenURL
+	loginOpenURL = func(url string) error {
+		openedURLs = append(openedURLs, url)
+		return nil
+	}
+	t.Cleanup(func() {
+		loginOpenURL = previousOpenURL
+	})
+
+	configDir := t.TempDir()
+	cfg := v4config.Config{
+		Version:        v4config.Version,
+		CurrentContext: "cloud",
+		Contexts: map[string]v4config.Context{
+			"cloud": {
+				Kind:     v4config.ContextKindCloud,
+				CloudURL: membershipServer.URL,
+				Auth: v4config.Auth{
+					Method:    v4config.AuthMethodCloudDevice,
+					IssuerURL: membershipServer.URL,
+					TokenRef:  "contexts/cloud/root-tokens",
+				},
+			},
+		},
+	}
+	if err := v4config.SaveFile(filepath.Join(configDir, "config.yaml"), cfg); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+	tokenPath := filepath.Join(configDir, "credentials", "contexts", "cloud", "root-tokens")
+	if err := os.MkdirAll(filepath.Dir(tokenPath), 0o700); err != nil {
+		t.Fatalf("create credential dir: %v", err)
+	}
+	if err := os.WriteFile(tokenPath, []byte(`{"accessToken":{"token":"root-token","tokenType":"Bearer","refreshToken":"root-refresh"},"idToken":"root-id-token","refreshToken":"root-refresh"}`), 0o600); err != nil {
+		t.Fatalf("write root token: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"ledger", "info",
+	)
+	if err != nil {
+		t.Fatalf("ledger info cloud device: %v stderr=%s", err, stderr)
+	}
+	if len(openedURLs) != 2 ||
+		openedURLs[0] != "https://verify.example?user_code=ORG-CODE" ||
+		openedURLs[1] != "https://verify.example?user_code=STACK-CODE" {
+		t.Fatalf("unexpected opened URLs: %#v", openedURLs)
+	}
+	for _, expected := range []string{"API version: v1", "Server", "ledger", "Version", "1.9.0"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected ledger info output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"payments", "versions",
+	)
+	if err != nil {
+		t.Fatalf("payments versions cloud device: %v stderr=%s", err, stderr)
+	}
+	if len(openedURLs) != 2 {
+		t.Fatalf("expected cached stack auth after ledger info, got opened URLs: %#v", openedURLs)
+	}
+	if !strings.Contains(stdout, "payments 3.2.0 healthy api=[v1 v3] policy=latest-compatible") {
+		t.Fatalf("unexpected payments versions output:\n%s", stdout)
+	}
+}
+
+func TestCloudOrganizationsHistory(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if r.Method != http.MethodGet || r.URL.Path != "/organizations/org_1/logs" {
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+		if got := r.URL.Query().Get("pageSize"); got != "10" {
+			t.Fatalf("expected pageSize 10, got %q", got)
+		}
+		if got := r.URL.Query().Get("action"); got != "regions.created" {
+			t.Fatalf("expected action regions.created, got %q", got)
+		}
+		if got := r.URL.Query().Get("userId"); got != "user_1" {
+			t.Fatalf("expected userId user_1, got %q", got)
+		}
+		if got := r.URL.Query().Get("key"); got != "region.id" {
+			t.Fatalf("expected key region.id, got %q", got)
+		}
+		if got := r.URL.Query().Get("value"); got != "reg_1" {
+			t.Fatalf("expected value reg_1, got %q", got)
+		}
+		fmt.Fprint(w, `{"data":{"pageSize":10,"hasMore":false,"data":[{"seq":"1","organizationId":"org_1","userId":"user_1","action":"regions.created","date":"2026-01-01T00:00:00Z","data":{}}]}}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "history", "--action", "regions.created", "--user-id", "user_1", "--data", "region.id=reg_1")
+	if err != nil {
+		t.Fatalf("cloud organizations history: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "1\torg_1\tuser_1\tregions.created\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected history output:\n%s", stdout)
+	}
+}
+
+func TestCloudOrganizationsMutations(t *testing.T) {
+	orgBody := `{"data":{"id":"org_1","name":"Acme","ownerId":"user_1","domain":"acme.test","defaultPolicyID":42}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Acme"`, `"domain":"acme.test"`, `"defaultPolicyID":42`, `"ownerID":"user_1"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create organization body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, orgBody)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Acme Updated"`, `"domain":"acme.test"`, `"defaultPolicyID":42`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected update organization body to contain %s, got %s", expected, body)
+				}
+			}
+			fmt.Fprint(w, orgBody)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "organizations", "create", "Acme",
+		"--domain", "acme.test",
+		"--default-policy-id", "42",
+		"--owner-id", "user_1",
+	)
+	if err != nil {
+		t.Fatalf("cloud organizations create: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud organization org_1 created.\n" {
+		t.Fatalf("unexpected create output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "organizations", "update", "org_1",
+		"--name", "Acme Updated",
+		"--domain", "acme.test",
+		"--default-policy-id", "42",
+	)
+	if err != nil {
+		t.Fatalf("cloud organizations update: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud organization org_1 updated.\n" {
+		t.Fatalf("unexpected update output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "delete", "org_1")
+	if err == nil {
+		t.Fatal("expected organization delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "delete", "org_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud organization org_1 deleted.\n" {
+		t.Fatalf("unexpected delete output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationApplications(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/applications":
+			if got := r.URL.Query().Get("page"); got != "0" {
+				t.Fatalf("expected page 0, got %q", got)
+			}
+			if got := r.URL.Query().Get("pageSize"); got != "15" {
+				t.Fatalf("expected pageSize 15, got %q", got)
+			}
+			fmt.Fprint(w, `{"cursor":{"pageSize":15,"hasMore":false,"data":[{"id":"app_1","name":"Console","alias":"console","url":"https://console.example","description":"Cloud console","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}]}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/applications/app_1":
+			fmt.Fprint(w, `{"data":{"id":"app_1","name":"Console","alias":"console","url":"https://console.example","description":"Cloud console","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z","scopes":[{"id":7,"label":"ledger:read","protected":false,"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}]}}`)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "applications", "list")
+	if err != nil {
+		t.Fatalf("cloud organizations applications list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "app_1\tConsole\tconsole\thttps://console.example") {
+		t.Fatalf("unexpected applications list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "applications", "show", "app_1")
+	if err != nil {
+		t.Fatalf("cloud organizations applications show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ID\tapp_1", "Name\tConsole", "Alias\tconsole", "URL\thttps://console.example", "Description\tCloud console", "Scope\t7\tledger:read"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected application output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestCloudOrganizationAuthenticationProvider(t *testing.T) {
+	providerBody := `{"data":{"type":"oidc","name":"Acme OIDC","clientID":"client_1","clientSecret":"secret","config":{"issuer":"https://issuer.example"},"organizationID":"org_1","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z","redirectURI":"https://cloud.example/callback"}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/authentication-provider":
+			fmt.Fprint(w, providerBody)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/authentication-provider":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"type":"oidc"`, `"name":"Acme OIDC"`, `"clientID":"client_1"`, `"clientSecret":"secret"`, `"issuer":"https://issuer.example"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected authentication provider body to contain %s, got %s", expected, body)
+				}
+			}
+			fmt.Fprint(w, providerBody)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/authentication-provider":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "authentication-provider", "show")
+	if err != nil {
+		t.Fatalf("cloud organizations authentication-provider show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"Type\toidc", "Name\tAcme OIDC", "ClientID\tclient_1", "RedirectURI\thttps://cloud.example/callback", "Issuer\thttps://issuer.example"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected provider output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "organizations", "authentication-provider", "configure",
+		"--type", "oidc",
+		"--name", "Acme OIDC",
+		"--client-id", "client_1",
+		"--client-secret", "secret",
+		"--oidc-issuer", "https://issuer.example",
+	)
+	if err != nil {
+		t.Fatalf("cloud organizations authentication-provider configure: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud authentication provider Acme OIDC configured.\n" {
+		t.Fatalf("unexpected configure output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "authentication-provider", "delete")
+	if err == nil {
+		t.Fatal("expected authentication provider delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "authentication-provider", "delete", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations authentication-provider delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud authentication provider for organization org_1 deleted.\n" {
+		t.Fatalf("unexpected delete output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationAuthenticationProviderConfigureDeprecatedPositionalArgs(t *testing.T) {
+	providerBody := `{"data":{"type":"github","name":"GitHub","clientID":"client_1","clientSecret":"secret","config":{},"organizationID":"org_1","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/authentication-provider":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"type":"github"`, `"name":"GitHub"`, `"clientID":"client_1"`, `"clientSecret":"secret"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected authentication provider body to contain %s, got %s", expected, body)
+				}
+			}
+			fmt.Fprint(w, providerBody)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "organizations", "authentication-provider", "configure",
+		"github", "GitHub", "client_1", "secret",
+	)
+	if err != nil {
+		t.Fatalf("cloud organizations authentication-provider configure positional: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Positional authentication provider arguments have been deprecated") {
+		t.Fatalf("expected positional deprecation warning, got:\n%s", stderr)
+	}
+	if stdout != "Cloud authentication provider GitHub configured.\n" {
+		t.Fatalf("unexpected configure output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationOAuthClients(t *testing.T) {
+	clientBody := `{"data":{"id":"client_1","name":"Robot","description":"CI client","secret":{"lastDigits":"1234"},"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}}`
+	createdClientBody := `{"data":{"id":"client_1","name":"Robot","description":"CI client","secret":{"lastDigits":"1234","clear":"clear-secret"},"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/clients":
+			fmt.Fprint(w, `{"data":{"pageSize":15,"hasMore":false,"data":[{"id":"client_1","name":"Robot","description":"CI client","secret":{"lastDigits":"1234"},"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}]}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/clients/client_1":
+			fmt.Fprint(w, clientBody)
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/clients":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Robot"`, `"description":"CI client"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected OAuth client create body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, createdClientBody)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/clients/client_1":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Robot Updated"`, `"description":"Updated client"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected OAuth client update body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/clients/client_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "list")
+	if err != nil {
+		t.Fatalf("cloud organizations oauth-clients list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "organization_client_1\tRobot\t1234\tCI client") {
+		t.Fatalf("unexpected oauth clients list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "show", "organization_client_1")
+	if err != nil {
+		t.Fatalf("cloud organizations oauth-clients show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ClientID\torganization_client_1", "Name\tRobot", "SecretLastDigits\t1234", "Description\tCI client"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected oauth client output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "create", "--name", "Robot", "--description", "CI client")
+	if err == nil {
+		t.Fatal("expected oauth client create to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "create", "--name", "Robot", "--description", "CI client", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations oauth-clients create: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ClientID\torganization_client_1", "Secret\tclear-secret"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected create output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "update", "organization_client_1", "--name", "Robot Updated", "--description", "Updated client")
+	if err == nil {
+		t.Fatal("expected oauth client update to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "update", "organization_client_1", "--name", "Robot Updated", "--description", "Updated client", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations oauth-clients update: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud OAuth client organization_client_1 updated.\n" {
+		t.Fatalf("unexpected update output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "delete", "organization_client_1")
+	if err == nil {
+		t.Fatal("expected oauth client delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "oauth-clients", "delete", "organization_client_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations oauth-clients delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud OAuth client organization_client_1 deleted.\n" {
+		t.Fatalf("unexpected delete output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationInvitations(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/invitations":
+			if got := r.URL.Query().Get("status"); got != "PENDING" {
+				t.Fatalf("expected status PENDING, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":[{"id":"inv_1","organizationId":"org_1","userEmail":"user@example.com","status":"PENDING","creationDate":"2026-01-01T00:00:00Z"}]}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/invitations":
+			if got := r.URL.Query().Get("email"); got != "user@example.com" {
+				t.Fatalf("expected email query, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":{"id":"inv_1","organizationId":"org_1","userEmail":"user@example.com","status":"PENDING","creationDate":"2026-01-01T00:00:00Z"}}`)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/invitations/inv_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "invitations", "list", "--status", "PENDING")
+	if err != nil {
+		t.Fatalf("cloud organizations invitations list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "inv_1\torg_1\tuser@example.com\tPENDING") {
+		t.Fatalf("unexpected invitations list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "invitations", "send", "user@example.com")
+	if err != nil {
+		t.Fatalf("cloud organizations invitations send: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud invitation inv_1 sent.\n" {
+		t.Fatalf("unexpected invitation send output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "invitations", "delete", "inv_1")
+	if err == nil {
+		t.Fatal("expected invitation delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "invitations", "delete", "inv_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations invitations delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud invitation inv_1 deleted.\n" {
+		t.Fatalf("unexpected invitation delete output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationUsers(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/users":
+			fmt.Fprint(w, `{"data":[{"id":"user_1","email":"user@example.com","policyId":42}]}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/users/user_1":
+			fmt.Fprint(w, `{"data":{"id":"user_1","email":"user@example.com","policyId":42}}`)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/users/user_1":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"policyId":42`) {
+				t.Fatalf("expected policy id body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/users/user_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "users", "list")
+	if err != nil {
+		t.Fatalf("cloud organizations users list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "user_1\tuser@example.com\t42") {
+		t.Fatalf("unexpected users list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "users", "show", "user_1")
+	if err != nil {
+		t.Fatalf("cloud organizations users show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ID\tuser_1", "Email\tuser@example.com", "Policy\t42"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected user output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "users", "link", "user_1", "--policy-id", "42")
+	if err != nil {
+		t.Fatalf("cloud organizations users link: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud organization org_1 user user_1 linked.\n" {
+		t.Fatalf("unexpected link output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "users", "unlink", "user_1")
+	if err == nil {
+		t.Fatal("expected users unlink to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "users", "unlink", "user_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations users unlink: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud organization org_1 user user_1 unlinked.\n" {
+		t.Fatalf("unexpected unlink output: %q", stdout)
+	}
+}
+
+func TestCloudOrganizationPolicies(t *testing.T) {
+	policyBody := `{"data":{"id":42,"name":"Admin","description":"Admin policy","organizationId":"org_1","protected":false,"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z","scopes":[{"id":7,"label":"ledger:read","protected":false,"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}]}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/policies":
+			fmt.Fprint(w, `{"data":[{"id":42,"name":"Admin","description":"Admin policy","organizationId":"org_1","protected":false,"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}]}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/policies/42":
+			fmt.Fprint(w, policyBody)
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/policies":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Admin"`, `"description":"Admin policy"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create policy body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, policyBody)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/policies/42":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"name":"Admin updated"`) {
+				t.Fatalf("expected update policy body, got %s", body)
+			}
+			fmt.Fprint(w, policyBody)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/policies/42":
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/policies/42/scopes/7":
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/policies/42/scopes/7":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "list")
+	if err != nil {
+		t.Fatalf("cloud organizations policies list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "42\tAdmin\tfalse") {
+		t.Fatalf("unexpected policies list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "show", "42")
+	if err != nil {
+		t.Fatalf("cloud organizations policies show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ID\t42", "Name\tAdmin", "Scope\t7\tledger:read"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected policy output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "create", "Admin", "--description", "Admin policy")
+	if err != nil {
+		t.Fatalf("cloud organizations policies create: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud policy 42 created.\n" {
+		t.Fatalf("unexpected policy create output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "update", "42", "--name", "Admin updated")
+	if err != nil {
+		t.Fatalf("cloud organizations policies update: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud policy 42 updated.\n" {
+		t.Fatalf("unexpected policy update output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "add-scope", "42", "7")
+	if err != nil {
+		t.Fatalf("cloud organizations policies add-scope: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud policy 42 scope 7 added.\n" {
+		t.Fatalf("unexpected add-scope output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "remove-scope", "42", "7")
+	if err == nil {
+		t.Fatal("expected remove-scope to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "remove-scope", "42", "7", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations policies remove-scope: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud policy 42 scope 7 removed.\n" {
+		t.Fatalf("unexpected remove-scope output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "delete", "42")
+	if err == nil {
+		t.Fatal("expected policy delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "organizations", "policies", "delete", "42", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud organizations policies delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud policy 42 deleted.\n" {
+		t.Fatalf("unexpected policy delete output: %q", stdout)
+	}
+}
+
+func TestCloudRegions(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/regions":
+			fmt.Fprint(w, `{"data":[{"id":"reg_1","name":"EU","baseUrl":"https://region.example","createdAt":"2026-01-01T00:00:00Z","active":true,"public":false,"agentID":"agent_1","outdated":false,"version":"v1"}]}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/regions/reg_1":
+			fmt.Fprint(w, `{"data":{"id":"reg_1","name":"EU","baseUrl":"https://region.example","createdAt":"2026-01-01T00:00:00Z","active":true,"public":false,"agentID":"agent_1","outdated":false,"version":"v1"}}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/regions":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"name":"EU Private"`) {
+				t.Fatalf("expected region create body, got %s", body)
+			}
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"reg_2","name":"EU Private","baseUrl":"https://private.example","createdAt":"2026-01-01T00:00:00Z","active":true,"agentID":"agent_2","outdated":false,"organizationID":"org_1","version":"v1"}}`)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/regions/reg_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "regions", "list")
+	if err != nil {
+		t.Fatalf("cloud regions list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "reg_1\tEU\ttrue\tfalse") {
+		t.Fatalf("unexpected regions list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "regions", "show", "reg_1")
+	if err != nil {
+		t.Fatalf("cloud regions show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ID\treg_1", "Name\tEU", "Active\ttrue", "Public\tfalse", "BaseURL\thttps://region.example", "Version\tv1"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected region output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "regions", "create", "EU Private")
+	if err != nil {
+		t.Fatalf("cloud regions create: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud region reg_2 created.\n" {
+		t.Fatalf("unexpected region create output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "regions", "delete", "reg_1")
+	if err == nil {
+		t.Fatal("expected region delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "regions", "delete", "reg_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud regions delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud region reg_1 deleted.\n" {
+		t.Fatalf("unexpected region delete output: %q", stdout)
+	}
+}
+
+func TestCloudAppsLifecycle(t *testing.T) {
+	manifestFile := filepath.Join(t.TempDir(), "manifest.yaml")
+	if err := os.WriteFile(manifestFile, []byte("stack:\n  name: prod\n"), 0o600); err != nil {
+		t.Fatalf("write manifest: %v", err)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/apps":
+			if got := r.URL.Query().Get("organizationId"); got != "org_1" {
+				t.Fatalf("expected organization org_1, got %q", got)
+			}
+			if got := r.URL.Query().Get("pageNumber"); got != "1" {
+				t.Fatalf("expected pageNumber 1, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":{"currentPage":1,"totalCount":1,"items":[{"id":"app_1","name":"prod","currentRun":{"id":"run_1","createdAt":"2026-01-01T00:00:00Z","status":"applied","message":"ok"},"currentConfigurationVersion":{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}}]}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/apps/app_1":
+			fmt.Fprint(w, `{"data":{"id":"app_1","name":"prod","currentRun":{"id":"run_1","createdAt":"2026-01-01T00:00:00Z","status":"applied","message":"ok"},"currentConfigurationVersion":{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/apps/app_1/current-state-version":
+			fmt.Fprint(w, `{"data":{"stack":{"id":"stack_1","region_id":"reg_1"}}}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/apps":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"organizationId":"org_1"`) {
+				t.Fatalf("expected create app body to contain organization, got %s", body)
+			}
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"app_1","name":"prod"}}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/apps/app_1/deploy":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, "stack:") {
+				t.Fatalf("expected manifest body, got %s", body)
+			}
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"id":"run_1","createdAt":"2026-01-01T00:00:00Z","status":"planned","message":"queued","configurationVersion":{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}}}`)
+		case r.Method == http.MethodDelete && r.URL.Path == "/apps/app_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "list")
+	if err != nil {
+		t.Fatalf("cloud apps list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "app_1\tprod\tapplied\tver_1") {
+		t.Fatalf("unexpected cloud apps list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "show", "app_1")
+	if err != nil {
+		t.Fatalf("cloud apps show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ID\tapp_1", "Name\tprod", "RunStatus\tapplied", "State\tid\tstack_1"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected cloud app output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "create")
+	if err != nil {
+		t.Fatalf("cloud apps create: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud app app_1 created.\n" {
+		t.Fatalf("unexpected cloud apps create output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "deploy", "app_1", "--file", manifestFile)
+	if err != nil {
+		t.Fatalf("cloud apps deploy: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud app deployment accepted with run run_1.\n" {
+		t.Fatalf("unexpected cloud apps deploy output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "delete", "app_1")
+	if err == nil {
+		t.Fatal("expected cloud apps delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "delete", "app_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud apps delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud app app_1 deleted.\n" {
+		t.Fatalf("unexpected cloud apps delete output: %q", stdout)
+	}
+}
+
+func TestCloudAppsRunsVersionsAndVariables(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/apps/app_1/runs":
+			if got := r.URL.Query().Get("pageSize"); got != "25" {
+				t.Fatalf("expected pageSize 25, got %q", got)
+			}
+			fmt.Fprint(w, `{"data":{"items":[{"id":"run_1","createdAt":"2026-01-01T00:00:00Z","status":"applied","message":"ok","configurationVersion":{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}}]}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/runs/run_1":
+			fmt.Fprint(w, `{"data":{"id":"run_1","createdAt":"2026-01-01T00:00:00Z","status":"applied","message":"ok","configurationVersion":{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/runs/run_1/logs":
+			fmt.Fprint(w, `{"data":[{"timestamp":"2026-01-01T00:00:00Z","module":"terraform","message":"done","diagnostic":{"severity":"info","summary":"ok","detail":"done"}}]}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/apps/app_1/versions":
+			fmt.Fprint(w, `{"data":{"items":[{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}]}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/versions/ver_1" && strings.Contains(r.Header.Get("Accept"), "application/json"):
+			fmt.Fprint(w, `{"data":{"id":"ver_1","autoQueueRuns":true,"status":"uploaded"}}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/versions/ver_1" && r.Header.Get("Accept") == "application/yaml":
+			w.Header().Set("Content-Type", "application/yaml")
+			fmt.Fprint(w, "stack:\n  name: prod\n")
+		case r.Method == http.MethodGet && r.URL.Path == "/versions/ver_1" && r.Header.Get("Accept") == "application/gzip":
+			w.Header().Set("Content-Type", "application/gzip")
+			fmt.Fprint(w, "archive")
+		case r.Method == http.MethodGet && r.URL.Path == "/apps/app_1/variables":
+			fmt.Fprint(w, `{"data":{"items":[{"id":"var_1","key":"TOKEN","value":"secret","sensitive":true},{"id":"var_2","key":"ENV","value":"prod","description":"Environment","sensitive":false}]}}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/apps/app_1/variables":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"key":"TOKEN"`, `"value":"secret"`, `"sensitive":true`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected variable body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"var_1","key":"TOKEN","value":"secret","sensitive":true}}`)
+		case r.Method == http.MethodDelete && r.URL.Path == "/apps/app_1/variables/var_1":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected request %s %s accept=%s", r.Method, r.URL.String(), r.Header.Get("Accept"))
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "runs", "list", "app_1", "--page-size", "25")
+	if err != nil {
+		t.Fatalf("cloud apps runs list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "run_1\tapplied\tver_1\tok") {
+		t.Fatalf("unexpected runs list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "runs", "show", "run_1")
+	if err != nil {
+		t.Fatalf("cloud apps runs show: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Status\tapplied") || !strings.Contains(stdout, "ConfigurationVersionID\tver_1") {
+		t.Fatalf("unexpected run show output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "runs", "logs", "run_1")
+	if err != nil {
+		t.Fatalf("cloud apps runs logs: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "2026-01-01T00:00:00Z\tterraform\tdone\tinfo") {
+		t.Fatalf("unexpected run logs output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "versions", "list", "app_1")
+	if err != nil {
+		t.Fatalf("cloud apps versions list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "ver_1\tuploaded\ttrue") {
+		t.Fatalf("unexpected versions list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "versions", "show", "ver_1")
+	if err != nil {
+		t.Fatalf("cloud apps versions show: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "ID\tver_1") || !strings.Contains(stdout, "Status\tuploaded") {
+		t.Fatalf("unexpected version show output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "versions", "manifest", "ver_1")
+	if err != nil {
+		t.Fatalf("cloud apps versions manifest: %v stderr=%s", err, stderr)
+	}
+	if stdout != "stack:\n  name: prod\n" {
+		t.Fatalf("unexpected manifest output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "versions", "archive", "show", "ver_1")
+	if err != nil {
+		t.Fatalf("cloud apps versions archive show: %v stderr=%s", err, stderr)
+	}
+	if stdout != "archive" {
+		t.Fatalf("unexpected archive output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "versions", "show-archive", "ver_1")
+	if err != nil {
+		t.Fatalf("cloud apps versions show-archive: %v stderr=%s", err, stderr)
+	}
+	if stdout != "archive" {
+		t.Fatalf("unexpected deprecated archive output: %q", stdout)
+	}
+	if !strings.Contains(stderr, "Command cloud apps versions show-archive has been deprecated, use cloud apps versions archive show") {
+		t.Fatalf("expected show-archive deprecation warning, got:\n%s", stderr)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "variables", "list", "app_1")
+	if err != nil {
+		t.Fatalf("cloud apps variables list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "var_1\tTOKEN\t****") || !strings.Contains(stdout, "var_2\tENV\tprod\tEnvironment") {
+		t.Fatalf("unexpected variables list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "variables", "create", "app_1", "--key", "TOKEN", "--value", "secret")
+	if err != nil {
+		t.Fatalf("cloud apps variables create: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "ID\tvar_1") || !strings.Contains(stdout, "Value\t****") {
+		t.Fatalf("unexpected variable create output:\n%s", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "variables", "delete", "app_1", "var_1")
+	if err == nil {
+		t.Fatal("expected cloud apps variables delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "apps", "--deploy-url", server.URL, "variables", "delete", "app_1", "var_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud apps variables delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud app variable var_1 deleted.\n" {
+		t.Fatalf("unexpected variable delete output: %q", stdout)
+	}
+}
+
+func TestCloudCommandsRejectStackContext(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatalf("cloud command must reject stack contexts before network calls")
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create stack context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "me", "show")
+	if err == nil {
+		t.Fatal("expected cloud command to reject stack context")
+	}
+	if !strings.Contains(err.Error(), "cloud commands require a cloud or cloud-stack context") {
+		t.Fatalf("unexpected error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestCloudStacksListShowAndDeprecatedAliases(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/_info":
+			fmt.Fprint(w, `{"version":"v1.0.0","consoleURL":"https://portal.example"}`)
+		case "/organizations/org_1/stacks":
+			fmt.Fprint(w, `{"data":[{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack.example/api","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"auditEnabled":false,"synchronised":true,"modules":[]}]}`)
+		case "/organizations/org_1/stacks/stack_1":
+			fmt.Fprint(w, `{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack.example/api","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "list")
+	if err != nil {
+		t.Fatalf("cloud stacks list: %v stderr=%s", err, stderr)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	for _, expected := range []string{"ID", "Dashboard", "Audit Enabled", "stack_1", "Production", "https://portal.example", "eu-west-1", "ACTIVE", "No"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected cloud stacks list output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "show", "stack_1")
+	if err != nil {
+		t.Fatalf("cloud stacks show: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"ID\tstack_1", "Name\tProduction", "Status\tREADY", "URI\thttps://stack.example/api", "Version\tv3.2.4"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected stack output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "stacks", "list")
+	if err != nil {
+		t.Fatalf("stacks alias list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command stacks has been deprecated, use cloud stacks") {
+		t.Fatalf("expected stacks deprecation warning, got:\n%s", stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud_stacks", "list")
+	if err != nil {
+		t.Fatalf("cloud_stacks alias list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command cloud_stacks has been deprecated, use cloud stacks") {
+		t.Fatalf("expected cloud_stacks deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestCloudStacksListMissingOrganizationIsActionable(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatalf("cloud stacks list without organization must not call membership in non-interactive tests")
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "prod",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "list")
+	if err == nil {
+		t.Fatal("expected cloud stacks list to require an organization")
+	}
+	if !strings.Contains(err.Error(), "organization id is required; pass --organization or select a cloud-stack profile") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestCloudStacksMutations(t *testing.T) {
+	stackBody := `{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack.example/api","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/stacks":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Production"`, `"regionID":"eu-west-1"`, `"version":"v3.2.4"`, `"metadata":{"env":"prod"}`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, stackBody)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/stacks/stack_1":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Renamed"`, `"metadata":{"env":"prod"}`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected update body to contain %s, got %s", expected, body)
+				}
+			}
+			fmt.Fprint(w, stackBody)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/stacks/stack_1":
+			if got := r.URL.Query().Get("force"); got != "true" {
+				t.Fatalf("expected force=true, got %q", got)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/stacks/stack_1/enable":
+			w.WriteHeader(http.StatusAccepted)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/stacks/stack_1/disable":
+			w.WriteHeader(http.StatusAccepted)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/stacks/stack_1/restore":
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, stackBody)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/stacks/stack_1/upgrade":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"version":"v3.2.5"`) {
+				t.Fatalf("expected upgrade body to contain version, got %s", body)
+			}
+			w.WriteHeader(http.StatusAccepted)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "stacks", "create", "Production",
+		"--region", "eu-west-1",
+		"--version", "v3.2.4",
+		"--metadata", "env=prod",
+	)
+	if err != nil {
+		t.Fatalf("cloud stacks create: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 created.\nURL	https://stack.example/api\n" {
+		t.Fatalf("unexpected create output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "stacks", "update", "stack_1",
+		"--name", "Renamed",
+		"--metadata", "env=prod",
+	)
+	if err != nil {
+		t.Fatalf("cloud stacks update: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 updated.\n" {
+		t.Fatalf("unexpected update output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "delete", "stack_1")
+	if err == nil {
+		t.Fatal("expected delete to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "delete", "stack_1", "--force", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud stacks delete: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 deleted.\n" {
+		t.Fatalf("unexpected delete output: %q", stdout)
+	}
+
+	for _, args := range [][]string{
+		{"enable", "stack_1"},
+		{"disable", "stack_1", "--confirm"},
+		{"restore", "stack_1", "--confirm"},
+		{"upgrade", "stack_1", "--version", "v3.2.5", "--confirm"},
+	} {
+		stdout, stderr, err = executeCommand(t, append([]string{"--config-dir", configDir, "cloud", "stacks"}, args...)...)
+		if err != nil {
+			t.Fatalf("cloud stacks %v: %v stderr=%s", args, err, stderr)
+		}
+		if !strings.Contains(stdout, "Cloud stack stack_1") {
+			t.Fatalf("unexpected action output for %v: %q", args, stdout)
+		}
+	}
+}
+
+func TestCloudStacksCreatePromptsForNameRegionAndVersion(t *testing.T) {
+	stackBody := `{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack.example/api","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/regions":
+			fmt.Fprint(w, `{"data":[{"id":"eu-west-1","name":"Europe","active":true,"public":true},{"id":"private-1","name":"Private region","active":true,"public":false}]}`)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/regions/eu-west-1/versions":
+			fmt.Fprint(w, `{"data":[{"name":"v2.2","regionID":"eu-west-1"},{"name":"v3.2-rc","regionID":"eu-west-1"},{"name":"v3.1","regionID":"eu-west-1"},{"name":"v3.2","regionID":"eu-west-1"}]}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/stacks":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Production"`, `"regionID":"eu-west-1"`, `"version":"v3.2"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create body to contain %s, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, stackBody)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "prod",
+		"--cloud-url", server.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommandWithInput(t,
+		"Production\n1\n1\n",
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"cloud", "stacks", "create",
+	)
+	if err != nil {
+		t.Fatalf("cloud stacks create wizard: %v stderr=%s stdout=%s", err, stderr, stdout)
+	}
+	for _, expected := range []string{
+		"Enter a name:",
+		"Name\tProduction",
+		"Please select a region",
+		"1. eu-west-1 | Public | Europe",
+		"Region\teu-west-1",
+		"Please select a version",
+		"1. v3.2",
+		"2. v3.2-rc",
+		"3. v3.1",
+		"4. v2.2",
+		"Version\tv3.2",
+		"Cloud stack stack_1 created.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected wizard output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestCloudStacksCreateWaitsUntilReady(t *testing.T) {
+	stackVersionsCalls := 0
+	stackServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet || r.URL.Path != "/versions" {
+			t.Fatalf("unexpected stack request %s %s", r.Method, r.URL.String())
+		}
+		stackVersionsCalls++
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"v2.0.0","health":false}]}`)
+	}))
+	defer stackServer.Close()
+
+	progressingBody := fmt.Sprintf(`{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2","status":"PROGRESSING","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":false,"stargateEnabled":true,"synchronised":false,"modules":[]}}`, stackServer.URL)
+	readyBody := fmt.Sprintf(`{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`, stackServer.URL)
+	getStackCalls := 0
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/stacks":
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, progressingBody)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/stacks/stack_1":
+			getStackCalls++
+			fmt.Fprint(w, readyBody)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "stacks", "create", "Production",
+		"--region", "eu-west-1",
+		"--version", "v3.2",
+	)
+	if err != nil {
+		t.Fatalf("cloud stacks create waits: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 created.\nURL	"+stackServer.URL+"\n" {
+		t.Fatalf("unexpected create output: %q", stdout)
+	}
+	if getStackCalls != 1 {
+		t.Fatalf("expected one readiness poll, got %d", getStackCalls)
+	}
+	if stackVersionsCalls != 1 {
+		t.Fatalf("expected one stack /versions fallback attempt, got %d", stackVersionsCalls)
+	}
+}
+
+func TestCloudStacksCreateAvailabilityUsesStackVersionsFirst(t *testing.T) {
+	stackVersionsCalls := 0
+	stackServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet || r.URL.Path != "/versions" {
+			t.Fatalf("unexpected stack request %s %s", r.Method, r.URL.String())
+		}
+		stackVersionsCalls++
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"v2.0.0","health":true}]}`)
+	}))
+	defer stackServer.Close()
+
+	progressingBody := fmt.Sprintf(`{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2","status":"PROGRESSING","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":false,"stargateEnabled":true,"synchronised":false,"modules":[]}}`, stackServer.URL)
+	getStackCalls := 0
+	membershipServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/stacks":
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, progressingBody)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/stacks/stack_1":
+			getStackCalls++
+			t.Fatalf("membership readiness fallback should not be used after stack /versions succeeds")
+		default:
+			t.Fatalf("unexpected membership request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer membershipServer.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", membershipServer.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"cloud", "stacks", "create", "Production",
+		"--region", "eu-west-1",
+		"--version", "v3.2",
+	)
+	if err != nil {
+		t.Fatalf("cloud stacks create direct availability: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 created.\nURL	"+stackServer.URL+"\n" {
+		t.Fatalf("unexpected create output: %q", stdout)
+	}
+	if stackVersionsCalls != 1 {
+		t.Fatalf("expected one stack /versions check, got %d", stackVersionsCalls)
+	}
+	if getStackCalls != 0 {
+		t.Fatalf("expected no membership fallback calls, got %d", getStackCalls)
+	}
+}
+
+func TestCloudStacksHistory(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if r.Method != http.MethodGet || r.URL.Path != "/organizations/org_1/logs" {
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+		if got := r.URL.Query().Get("stackId"); got != "stack_1" {
+			t.Fatalf("expected stackId stack_1, got %q", got)
+		}
+		if got := r.URL.Query().Get("pageSize"); got != "10" {
+			t.Fatalf("expected pageSize 10, got %q", got)
+		}
+		if got := r.URL.Query().Get("action"); got != "stacks.updated" {
+			t.Fatalf("expected action stacks.updated, got %q", got)
+		}
+		fmt.Fprint(w, `{"data":{"pageSize":10,"hasMore":false,"data":[{"seq":"1","organizationId":"org_1","userId":"user_1","action":"stacks.updated","date":"2026-01-01T00:00:00Z","data":{}}]}}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "history", "stack_1", "--action", "stacks.updated")
+	if err != nil {
+		t.Fatalf("cloud stacks history: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "1\torg_1\tuser_1\tstacks.updated\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected stack history output:\n%s", stdout)
+	}
+}
+
+func TestCloudStacksUsersAndModules(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch {
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/stacks/stack_1/users":
+			fmt.Fprint(w, `{"data":[{"stackId":"stack_1","userId":"user_1","email":"user@example.com","policyId":42}]}`)
+		case r.Method == http.MethodPut && r.URL.Path == "/organizations/org_1/stacks/stack_1/users/user_1":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"policyId":42`) {
+				t.Fatalf("expected policy id body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/stacks/stack_1/users/user_1":
+			w.WriteHeader(http.StatusNoContent)
+		case r.Method == http.MethodGet && r.URL.Path == "/organizations/org_1/stacks/stack_1/modules":
+			fmt.Fprint(w, `{"data":[{"name":"ledger","state":"ENABLED","status":"READY","lastStatusUpdate":"2026-01-01T00:00:00Z","lastStateUpdate":"2026-01-01T00:00:00Z"}]}`)
+		case r.Method == http.MethodPost && r.URL.Path == "/organizations/org_1/stacks/stack_1/modules":
+			if got := r.URL.Query().Get("name"); got != "ledger" {
+				t.Fatalf("expected module name ledger, got %q", got)
+			}
+			w.WriteHeader(http.StatusAccepted)
+		case r.Method == http.MethodDelete && r.URL.Path == "/organizations/org_1/stacks/stack_1/modules":
+			if got := r.URL.Query().Get("name"); got != "ledger" {
+				t.Fatalf("expected module name ledger, got %q", got)
+			}
+			w.WriteHeader(http.StatusAccepted)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud-stack", "prod",
+		"--cloud-url", server.URL,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud-stack context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "users", "list", "stack_1")
+	if err != nil {
+		t.Fatalf("cloud stacks users list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "user_1\tuser@example.com\tstack_1\t42") {
+		t.Fatalf("unexpected users list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "users", "link", "stack_1", "user_1", "--policy-id", "42")
+	if err != nil {
+		t.Fatalf("cloud stacks users link: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 user user_1 linked.\n" {
+		t.Fatalf("unexpected user link output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "users", "unlink", "stack_1", "user_1")
+	if err == nil {
+		t.Fatal("expected users unlink to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "users", "unlink", "stack_1", "user_1", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud stacks users unlink: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 user user_1 unlinked.\n" {
+		t.Fatalf("unexpected user unlink output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "modules", "list", "stack_1")
+	if err != nil {
+		t.Fatalf("cloud stacks modules list: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "ledger\tENABLED\tREADY") {
+		t.Fatalf("unexpected modules list output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "modules", "enable", "stack_1", "ledger")
+	if err != nil {
+		t.Fatalf("cloud stacks modules enable: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 module ledger enabled.\n" {
+		t.Fatalf("unexpected module enable output: %q", stdout)
+	}
+
+	_, _, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "modules", "disable", "stack_1", "ledger")
+	if err == nil {
+		t.Fatal("expected modules disable to require --confirm")
+	}
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "modules", "disable", "stack_1", "ledger", "--confirm")
+	if err != nil {
+		t.Fatalf("cloud stacks modules disable: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Cloud stack stack_1 module ledger disabled.\n" {
+		t.Fatalf("unexpected module disable output: %q", stdout)
+	}
+}
+
+func TestCloudStacksRejectStackContext(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatalf("cloud stacks command must reject stack contexts before network calls")
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create stack context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "cloud", "stacks", "list", "--organization", "org_1")
+	if err == nil {
+		t.Fatal("expected cloud stacks command to reject stack context")
+	}
+	if !strings.Contains(err.Error(), "cloud commands require a cloud or cloud-stack context") {
+		t.Fatalf("unexpected error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestContextCommandsJSON(t *testing.T) {
+	configDir := t.TempDir()
+
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost/api",
+		"--auth-method", "client_credentials",
+		"--issuer-url", "http://localhost/api/auth",
+		"--client-id", "testing",
+		"--secret-ref", "keyring://local/testing",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "-o", "json", "context", "list")
+	if err != nil {
+		t.Fatalf("list contexts json: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{`"currentContext": "local"`, `"contexts": [`, `"local"`} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected JSON output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestTargetInspect(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL+"/api",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "target", "inspect")
+	if err != nil {
+		t.Fatalf("inspect target: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"Context: local",
+		"Target: " + server.URL + "/api (stack)",
+		"- ledger 2.3.4 healthy api=[v1 v2] policy=latest-compatible",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected inspect output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "--debug", "target", "inspect")
+	if err != nil {
+		t.Fatalf("inspect target with debug: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Context: local") {
+		t.Fatalf("expected inspect stdout, got:\n%s", stdout)
+	}
+	if !strings.Contains(stderr, "debug: context=local target=stack url="+server.URL+"/api") {
+		t.Fatalf("expected debug stderr, got:\n%s", stderr)
+	}
+	if !strings.Contains(stderr, ">>> GET "+server.URL+"/api/versions") ||
+		!strings.Contains(stderr, "<<< HTTP 200 OK") ||
+		!strings.Contains(stderr, `"name": "ledger"`) {
+		t.Fatalf("expected HTTP debug trace, got:\n%s", stderr)
+	}
+}
+
+func TestDebugHTTPTraceRedactsSensitiveHeaders(t *testing.T) {
+	transport := debugRoundTripper{
+		base: roundTripFunc(func(req *http.Request) (*http.Response, error) {
+			if got := req.Header.Get("Authorization"); got != "Bearer secret-token" {
+				t.Fatalf("expected original authorization header to reach base transport, got %q", got)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Status:     "200 OK",
+				Header:     http.Header{"Set-Cookie": []string{"session=secret"}},
+				Body:       io.NopCloser(strings.NewReader(`{"ok":true}`)),
+				Request:    req,
+			}, nil
+		}),
+		writer: &bytes.Buffer{},
+	}
+	writer := transport.writer.(*bytes.Buffer)
+	req, err := http.NewRequest(http.MethodPost, "https://api.example.test/resource", strings.NewReader(`{"secret":"value"}`))
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+	req.Header.Set("Authorization", "Bearer secret-token")
+	req.Header.Set("Content-Type", "application/json")
+
+	rsp, err := transport.RoundTrip(req)
+	if err != nil {
+		t.Fatalf("round trip: %v", err)
+	}
+	_, _ = io.ReadAll(rsp.Body)
+	trace := writer.String()
+	for _, expected := range []string{
+		">>> POST https://api.example.test/resource",
+		"Authorization: <redacted>",
+		"Content-Type: application/json",
+		`"secret": "value"`,
+		"<<< HTTP 200 OK",
+		"Set-Cookie: <redacted>",
+		`"ok": true`,
+	} {
+		if !strings.Contains(trace, expected) {
+			t.Fatalf("expected debug trace to contain %q, got:\n%s", expected, trace)
+		}
+	}
+	if strings.Contains(trace, "Bearer secret-token") || strings.Contains(trace, "session=secret") {
+		t.Fatalf("debug trace leaked sensitive header:\n%s", trace)
+	}
+}
+
+func TestSpinnerMessageWithElapsed(t *testing.T) {
+	if got := spinnerMessageWithElapsed("Waiting services availability at https://stack.example", 6*time.Second); got != "Waiting services availability at https://stack.example (6s)" {
+		t.Fatalf("unexpected spinner message %q", got)
+	}
+}
+
+func TestTargetInspectJSON(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL+"/api",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "-o", "json", "target", "inspect")
+	if err != nil {
+		t.Fatalf("inspect target json: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		`"context": "local"`,
+		`"targetKind": "stack"`,
+		`"name": "ledger"`,
+		`"apiVersions": [`,
+		`"v2"`,
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected JSON inspect output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestDeferredCloudAndOIDCLoginCommandsReturnActionableErrors(t *testing.T) {
+	_, stderr, err := executeCommand(t, "session", "login", "cloud", "--cloud-url", "https://cloud.example")
+	if err == nil {
+		t.Fatal("expected session login cloud to be deferred")
+	}
+	if !strings.Contains(err.Error(), "session login cloud is deferred") {
+		t.Fatalf("unexpected cloud login error: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "login")
+	if err == nil {
+		t.Fatal("expected interactive root login without input to fail")
+	}
+	if !strings.Contains(err.Error(), "unsupported login choice") {
+		t.Fatalf("unexpected root login error: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "auth", "login")
+	if err == nil {
+		t.Fatal("expected auth login alias to be removed")
+	}
+	if !strings.Contains(err.Error(), `unknown command "login"`) {
+		t.Fatalf("unexpected auth login error: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "session", "login", "oidc", "--issuer-url", "https://issuer.example", "--client-id", "client")
+	if err == nil {
+		t.Fatal("expected session login oidc to be deferred")
+	}
+	if !strings.Contains(err.Error(), "session login oidc is deferred") {
+		t.Fatalf("unexpected oidc login error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestSessionLoginTokenStoresCredentialAndUpdatesContext(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("Authorization") != "Bearer stack-token" {
+			t.Fatalf("expected bearer token, got %q", r.Header.Get("Authorization"))
+		}
+		if r.URL.Path != "/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	credentialDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommandWithInput(t,
+		"stack-token\n",
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"session", "login", "token",
+		"--token-stdin",
+	)
+	if err != nil {
+		t.Fatalf("session login token: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Authentication for context local set to token.\n" {
+		t.Fatalf("unexpected session login output: %q", stdout)
+	}
+
+	configData, err := os.ReadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("read config: %v", err)
+	}
+	if strings.Contains(string(configData), "stack-token") {
+		t.Fatalf("config should not contain clear token:\n%s", string(configData))
+	}
+	if !strings.Contains(string(configData), "tokenRef: contexts/local/token") {
+		t.Fatalf("expected token ref in config:\n%s", string(configData))
+	}
+	credentialPath := filepath.Join(credentialDir, "contexts", "local", "token")
+	credentialData, err := os.ReadFile(credentialPath)
+	if err != nil {
+		t.Fatalf("read stored token: %v", err)
+	}
+	if string(credentialData) != "stack-token" {
+		t.Fatalf("unexpected stored token %q", credentialData)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"session", "status",
+	)
+	if err != nil {
+		t.Fatalf("session status: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"Context\tlocal\n",
+		"Method\ttoken\n",
+		"TokenRef\tcontexts/local/token\n",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected session status output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"session", "token",
+	)
+	if err != nil {
+		t.Fatalf("session token: %v stderr=%s", err, stderr)
+	}
+	if stdout != "stack-token\n" {
+		t.Fatalf("unexpected session token output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"target", "inspect",
+	)
+	if err != nil {
+		t.Fatalf("target inspect with stored token: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Context: local") {
+		t.Fatalf("unexpected inspect output:\n%s", stdout)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"session", "logout",
+	)
+	if err == nil {
+		t.Fatal("expected session logout to require confirmation")
+	}
+	if !strings.Contains(err.Error(), "session logout requires --confirm") {
+		t.Fatalf("unexpected logout error: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"session", "logout",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("session logout: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Authentication for context local cleared.\n" {
+		t.Fatalf("unexpected session logout output: %q", stdout)
+	}
+	if _, err := os.Stat(credentialPath); !os.IsNotExist(err) {
+		t.Fatalf("expected stored token to be deleted, got %v", err)
+	}
+	configData, err = os.ReadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("read config after logout: %v", err)
+	}
+	if !strings.Contains(string(configData), "method: none") || strings.Contains(string(configData), "tokenRef") {
+		t.Fatalf("expected session logout to clear token auth:\n%s", string(configData))
+	}
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"session", "token",
+	)
+	if err == nil {
+		t.Fatal("expected session token to require an authenticated context")
+	}
+	if !strings.Contains(err.Error(), "session token requires an authenticated context") {
+		t.Fatalf("unexpected session token error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestSessionLoginTokenUsesDefaultCredentialDir(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"session", "login", "token",
+		"--token", "stack-token",
+	)
+	if err != nil {
+		t.Fatalf("session login token with default credential dir: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"session", "token",
+	)
+	if err != nil {
+		t.Fatalf("session token with default credential dir: %v stderr=%s", err, stderr)
+	}
+	if stdout != "stack-token\n" {
+		t.Fatalf("unexpected session token output: %q", stdout)
+	}
+	if _, err := os.Stat(filepath.Join(configDir, "credentials", "contexts", "local", "token")); err != nil {
+		t.Fatalf("expected token in default credential dir: %v", err)
+	}
+}
+
+func TestSessionLoginClientCredentialsStoresSecret(t *testing.T) {
+	configDir := t.TempDir()
+	credentialDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommandWithInput(t,
+		"super-secret\n",
+		"--config-dir", configDir,
+		"--credential-dir", credentialDir,
+		"session", "login", "client-credentials",
+		"--issuer-url", "http://issuer",
+		"--client-id", "client",
+		"--client-secret-stdin",
+	)
+	if err != nil {
+		t.Fatalf("session login client-credentials: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Authentication for context local set to client credentials.\n" {
+		t.Fatalf("unexpected session login output: %q", stdout)
+	}
+
+	configData, err := os.ReadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("read config: %v", err)
+	}
+	if strings.Contains(string(configData), "super-secret") {
+		t.Fatalf("config should not contain clear client secret:\n%s", string(configData))
+	}
+	if !strings.Contains(string(configData), "method: client_credentials") ||
+		!strings.Contains(string(configData), "secretRef: contexts/local/client-secret") {
+		t.Fatalf("expected client credentials config:\n%s", string(configData))
+	}
+	secretData, err := os.ReadFile(filepath.Join(credentialDir, "contexts", "local", "client-secret"))
+	if err != nil {
+		t.Fatalf("read stored secret: %v", err)
+	}
+	if string(secretData) != "super-secret" {
+		t.Fatalf("unexpected stored secret %q", secretData)
+	}
+}
+
+func TestSessionLoginClientCredentialsBootstrapsDefaultCloudContext(t *testing.T) {
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"session", "login", "client-credentials",
+		"--issuer-url", "https://app.formance.cloud/api",
+		"--client-id", "client",
+		"--client-secret", "super-secret",
+	)
+	if err != nil {
+		t.Fatalf("session login client-credentials bootstrap: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Authentication for context formance-cloud set to client credentials.\n" {
+		t.Fatalf("unexpected session login output: %q", stdout)
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load bootstrapped config: %v", err)
+	}
+	context := cfg.Contexts[v4config.DefaultCloudContextName]
+	if cfg.CurrentContext != v4config.DefaultCloudContextName ||
+		context.Kind != v4config.ContextKindCloud ||
+		context.CloudURL != v4config.DefaultCloudURL ||
+		context.Auth.Method != v4config.AuthMethodClientCredentials ||
+		context.Auth.ClientID != "client" ||
+		context.Auth.SecretRef != "contexts/formance-cloud/client-secret" {
+		t.Fatalf("unexpected bootstrapped context: current=%q context=%#v", cfg.CurrentContext, context)
+	}
+	if !stringSliceContains(context.Auth.Scopes, "organization:ListStacks") {
+		t.Fatalf("expected cloud client credentials to include organization scopes, got %#v", context.Auth.Scopes)
+	}
+	secretData, err := os.ReadFile(filepath.Join(configDir, "credentials", "contexts", "formance-cloud", "client-secret"))
+	if err != nil {
+		t.Fatalf("read stored secret: %v", err)
+	}
+	if string(secretData) != "super-secret" {
+		t.Fatalf("unexpected stored secret %q", secretData)
+	}
+}
+
+func TestSessionLoginClientCredentialsUsesDefaultFctlConfigDir(t *testing.T) {
+	homeDir := t.TempDir()
+	t.Setenv("HOME", homeDir)
+	t.Setenv("XDG_CONFIG_HOME", filepath.Join(homeDir, ".config"))
+
+	stdout, stderr, err := executeCommand(t,
+		"session", "login", "client-credentials",
+		"--issuer-url", "https://app.formance.cloud/api",
+		"--client-id", "client",
+		"--client-secret", "super-secret",
+	)
+	if err != nil {
+		t.Fatalf("session login client-credentials with default config dir: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Authentication for context formance-cloud set to client credentials.\n" {
+		t.Fatalf("unexpected session login output: %q", stdout)
+	}
+
+	userConfigDir, err := os.UserConfigDir()
+	if err != nil {
+		t.Fatalf("resolve user config dir: %v", err)
+	}
+	expectedDir := filepath.Join(userConfigDir, "formance", "fctl")
+	if _, err := os.Stat(filepath.Join(expectedDir, "config.yaml")); err != nil {
+		t.Fatalf("expected config in default fctl dir: %v", err)
+	}
+	if _, err := os.Stat(filepath.Join(expectedDir, "credentials", "contexts", "formance-cloud", "client-secret")); err != nil {
+		t.Fatalf("expected credentials in default fctl dir: %v", err)
+	}
+	if _, err := os.Stat(filepath.Join(userConfigDir, "formance", "fctl-v4", "config.yaml")); !os.IsNotExist(err) {
+		t.Fatalf("did not expect config in fctl-v4 dir, got %v", err)
+	}
+}
+
+func TestSessionLoginNoneRequiresConfirmForCloudContext(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", "http://localhost",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "session", "login", "none")
+	if err == nil {
+		t.Fatal("expected session login none to require confirmation on cloud contexts")
+	}
+	if !strings.Contains(err.Error(), "session login none on cloud contexts requires --confirm") {
+		t.Fatalf("unexpected error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestProfileFlagSelectsContext(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL+"/api",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "--profile", "local", "target", "inspect")
+	if err != nil {
+		t.Fatalf("inspect target with profile: %v stderr=%s", err, stderr)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr for primary profile flag, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "Context: local") {
+		t.Fatalf("unexpected inspect output:\n%s", stdout)
+	}
+}
+
+func TestContextFlagSelectsProfileWithDeprecationWarning(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL+"/api",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "--context", "local", "target", "inspect")
+	if err != nil {
+		t.Fatalf("inspect target with context alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Flag --context has been deprecated, use --profile") {
+		t.Fatalf("expected context deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "Context: local") {
+		t.Fatalf("unexpected inspect output:\n%s", stdout)
+	}
+}
+
+func TestProfileAndContextFlagsAreMutuallyExclusive(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "--context", "local", "--profile", "local", "target", "inspect")
+	if err == nil {
+		t.Fatal("expected mutually exclusive context/profile error")
+	}
+	if !strings.Contains(err.Error(), "--profile and --context are mutually exclusive") {
+		t.Fatalf("unexpected error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestTargetProxyRejectsCloudContext(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "cloud", "cloud",
+		"--cloud-url", "http://localhost",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "target", "proxy")
+	if err == nil {
+		t.Fatal("expected target proxy to reject cloud context")
+	}
+	if !strings.Contains(err.Error(), "stack target commands on Cloud profiles require --organization and --stack") {
+		t.Fatalf("unexpected proxy error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestStackProxyAliasRoutesToTargetProxy(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"profile", "create", "cloud", "cloud",
+		"--cloud-url", "http://localhost:8080",
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud profile: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"stack", "proxy",
+	)
+	if err == nil {
+		t.Fatal("expected stack proxy alias to reach target proxy and reject cloud profile")
+	}
+	if !strings.Contains(stderr, "Command stack proxy has been deprecated, use target proxy") {
+		t.Fatalf("expected stack proxy deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(err.Error(), "stack target commands on Cloud profiles require --organization and --stack") {
+		t.Fatalf("unexpected stack proxy error: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestLedgerListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			if got := r.URL.Query().Get("includeDeleted"); got != "true" {
+				t.Fatalf("expected includeDeleted true, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"name":"default","bucket":"bucket","addedAt":"2026-01-01T00:00:00Z","metadata":{"env":"dev"}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "list",
+		"--page-size", "10",
+		"--include-deleted",
+	)
+	if err != nil {
+		t.Fatalf("list ledgers: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Name",
+		"Bucket",
+		"Created at",
+		"default",
+		"bucket",
+		"2026-01-01T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected ledger list output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerListCloudStackExchangesStackToken(t *testing.T) {
+	var stackServer *httptest.Server
+	stackServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/api/auth/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, stackServer.URL+"/api/auth/oauth/token")
+		case "/api/auth/oauth/token":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse stack token form: %v", err)
+			}
+			if r.Form.Get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer" ||
+				r.Form.Get("assertion") != "stack-assertion" ||
+				r.Form.Get("scope") != "openid email" {
+				t.Fatalf("unexpected stack token form: %v", r.Form)
+			}
+			fmt.Fprint(w, `{"access_token":"stack-token","token_type":"Bearer"}`)
+		case "/versions":
+			if got := r.Header.Get("Authorization"); got != "Bearer stack-token" {
+				t.Fatalf("expected stack token on versions, got %q", got)
+			}
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2":
+			if got := r.Header.Get("Authorization"); got != "Bearer stack-token" {
+				t.Fatalf("expected stack token on ledger list, got %q", got)
+			}
+			fmt.Fprint(w, `{"cursor":{"data":[{"name":"default","bucket":"bucket","addedAt":"2026-01-01T00:00:00Z"}],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected stack path %s", r.URL.Path)
+		}
+	}))
+	defer stackServer.Close()
+
+	membershipTokenRequests := 0
+	var membershipServer *httptest.Server
+	membershipServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, membershipServer.URL+"/token")
+		case "/token":
+			clientID, clientSecret, ok := r.BasicAuth()
+			if !ok || clientID != "client" || clientSecret != "secret" {
+				t.Fatalf("unexpected basic auth: %q %q %v", clientID, clientSecret, ok)
+			}
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse membership token form: %v", err)
+			}
+			membershipTokenRequests++
+			switch membershipTokenRequests {
+			case 1:
+				if !strings.Contains(r.Form.Get("scope"), "organization:ReadStack") {
+					t.Fatalf("expected organization scopes, got %q", r.Form.Get("scope"))
+				}
+				fmt.Fprint(w, `{"access_token":"org-token","token_type":"Bearer"}`)
+			case 2:
+				if r.Form.Get("resource") != "stack://org_1/stack_1|stack:Read stack:Write" {
+					t.Fatalf("unexpected stack resource: %q", r.Form.Get("resource"))
+				}
+				if r.Form.Get("scope") != "openid offline_access" {
+					t.Fatalf("unexpected stack assertion scope: %q", r.Form.Get("scope"))
+				}
+				fmt.Fprint(w, `{"access_token":"stack-assertion","token_type":"Bearer"}`)
+			default:
+				t.Fatalf("unexpected membership token request %d", membershipTokenRequests)
+			}
+		case "/organizations/org_1/stacks/stack_1":
+			if got := r.Header.Get("Authorization"); got != "Bearer org-token" {
+				t.Fatalf("expected org token on stack lookup, got %q", got)
+			}
+			fmt.Fprintf(w, `{"data":{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}}`, stackServer.URL)
+		default:
+			t.Fatalf("unexpected membership path %s", r.URL.Path)
+		}
+	}))
+	defer membershipServer.Close()
+
+	configDir := t.TempDir()
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"--stack", "stack_1",
+		"login",
+		"--target", "cloud",
+		"--membership-url", membershipServer.URL,
+		"--client-id", "client",
+		"--client-secret", "secret",
+	)
+	if err != nil {
+		t.Fatalf("login cloud client credentials: %v stderr=%s", err, stderr)
+	}
+	if stdout != "Logged in with profile default.\n" {
+		t.Fatalf("unexpected login output: %q", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "list",
+	)
+	if err != nil {
+		t.Fatalf("ledger list cloud-stack: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v2", "Name", "Bucket", "default", "bucket"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected cloud-stack ledger list output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerCloudOrganizationAutoSelectsSingleStack(t *testing.T) {
+	stackServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/versions":
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"1.9.0","health":true}]}`)
+		case "/api/ledger/_info":
+			fmt.Fprint(w, `{"data":{"server":"ledger","version":"1.9.0","config":{}}}`)
+		default:
+			t.Fatalf("unexpected stack path %s", r.URL.Path)
+		}
+	}))
+	defer stackServer.Close()
+
+	membershipServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/_info":
+			fmt.Fprint(w, `{"version":"v1.0.0","consoleURL":"https://portal.example"}`)
+		case "/organizations/org_1/stacks":
+			fmt.Fprintf(w, `{"data":[{"id":"stack_1","name":"Production","organizationId":"org_1","uri":%q,"regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}]}`, stackServer.URL)
+		default:
+			t.Fatalf("unexpected membership path %s", r.URL.Path)
+		}
+	}))
+	defer membershipServer.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"profile", "create", "cloud", "cloud",
+		"--cloud-url", membershipServer.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud profile: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"ledger", "info",
+	)
+	if err != nil {
+		t.Fatalf("ledger info with single cloud stack: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "Server", "ledger", "Version", "1.9.0"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected ledger info output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerCloudOrganizationRequiresStackWhenMultipleStacks(t *testing.T) {
+	membershipServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/_info":
+			fmt.Fprint(w, `{"version":"v1.0.0","consoleURL":"https://portal.example"}`)
+		case "/organizations/org_1/stacks":
+			fmt.Fprint(w, `{"data":[{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack1.example","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]},{"id":"stack_2","name":"Staging","organizationId":"org_1","uri":"https://stack2.example","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}]}`)
+		default:
+			t.Fatalf("unexpected membership path %s", r.URL.Path)
+		}
+	}))
+	defer membershipServer.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"profile", "create", "cloud", "cloud",
+		"--cloud-url", membershipServer.URL,
+		"--auth-method", "none",
+	)
+	if err != nil {
+		t.Fatalf("create cloud profile: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"ledger", "info",
+	)
+	if err == nil {
+		t.Fatal("expected multiple stacks to require --stack")
+	}
+	for _, expected := range []string{
+		`--stack is required when organization "org_1" has multiple stacks`,
+		"available stacks: stack_1 (Production), stack_2 (Staging)",
+	} {
+		if !strings.Contains(err.Error(), expected) {
+			t.Fatalf("expected error to contain %q, got err=%v stderr=%s", expected, err, stderr)
+		}
+	}
+}
+
+func TestLedgerCloudStackMissingStackSuggestsAvailableStacks(t *testing.T) {
+	membershipTokenRequests := 0
+	var membershipServer *httptest.Server
+	membershipServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, membershipServer.URL+"/token")
+		case "/token":
+			membershipTokenRequests++
+			fmt.Fprint(w, `{"access_token":"org-token","token_type":"Bearer"}`)
+		case "/organizations/org_1/stacks/missing":
+			w.WriteHeader(http.StatusInternalServerError)
+			fmt.Fprint(w, `{"errorCode":"INTERNAL","errorMessage":"not found"}`)
+		case "/_info":
+			fmt.Fprint(w, `{"version":"v1.0.0","consoleURL":"https://portal.example"}`)
+		case "/organizations/org_1/stacks":
+			fmt.Fprint(w, `{"data":[{"id":"stack_1","name":"Production","organizationId":"org_1","uri":"https://stack.example/api","regionID":"eu-west-1","version":"v3.2.4","status":"READY","state":"ACTIVE","expectedStatus":"READY","lastStateUpdate":"2026-01-01T00:00:00Z","lastExpectedStatusUpdate":"2026-01-01T00:00:00Z","lastStatusUpdate":"2026-01-01T00:00:00Z","reachable":true,"stargateEnabled":true,"synchronised":true,"modules":[]}]}`)
+		default:
+			t.Fatalf("unexpected membership path %s", r.URL.Path)
+		}
+	}))
+	defer membershipServer.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"--organization", "org_1",
+		"--stack", "missing",
+		"login",
+		"--target", "cloud",
+		"--membership-url", membershipServer.URL,
+		"--client-id", "client",
+		"--client-secret", "secret",
+	)
+	if err != nil {
+		t.Fatalf("login cloud client credentials: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "ledger", "info")
+	if err == nil {
+		t.Fatal("expected missing stack to fail")
+	}
+	for _, expected := range []string{
+		`stack "missing" was not found in organization "org_1"`,
+		"available stacks: stack_1 (Production)",
+	} {
+		if !strings.Contains(err.Error(), expected) {
+			t.Fatalf("expected error to contain %q, got err=%v stderr=%s", expected, err, stderr)
+		}
+	}
+	if membershipTokenRequests == 0 {
+		t.Fatal("expected membership token request")
+	}
+}
+
+func TestLedgerInfoUsesCanonicalCommand(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"1.9.0","health":true}]}`)
+		case "/api/ledger/_info":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"server":"ledger","version":"1.9.0","config":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "ledger", "info")
+	if err != nil {
+		t.Fatalf("read ledger info: %v stderr=%s", err, stderr)
+	}
+	if stderr != "" {
+		t.Fatalf("expected canonical command to keep stderr empty, got:\n%s", stderr)
+	}
+	for _, expected := range []string{
+		"API version: v1",
+		"Server",
+		"ledger",
+		"Version",
+		"1.9.0",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected info output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerServerInfosDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"1.9.0","health":true}]}`)
+		case "/api/ledger/_info":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"server":"ledger","version":"1.9.0","config":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "ledger", "server-infos")
+	if err != nil {
+		t.Fatalf("read ledger info through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use ledger info") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestLedgerCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "ledger", "create", "default")
+	if err == nil {
+		t.Fatal("expected ledger create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "ledger create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestLedgerCreateRequiresNameWhenNonInteractive(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "ledger", "create")
+	if err == nil {
+		t.Fatal("expected ledger create to require a name without an interactive prompt")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "ledger create requires <name>") {
+		t.Fatalf("expected missing name error, got: %v", err)
+	}
+	if strings.Contains(err.Error(), "accepts") {
+		t.Fatalf("expected ledger create to own missing-name validation, got: %v", err)
+	}
+}
+
+func TestLedgerCreateSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"bucket":"bucket-a"`,
+				`"features":{"hash":"true"}`,
+				`"metadata":{"tier":"gold"}`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected body to contain %q, got %s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "create", "default",
+		"--bucket", "bucket-a",
+		"--feature", "hash=true",
+		"--metadata", "tier=gold",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create ledger: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Ledger default created.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerSetMetadataSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/metadata":
+			if r.Method != http.MethodPut {
+				t.Fatalf("expected PUT, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"tier":"gold"`) {
+				t.Fatalf("expected metadata body, got %s", body)
+			}
+			if !strings.Contains(body, `"team":"finance"`) {
+				t.Fatalf("expected metadata file body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	metadataPath := filepath.Join(t.TempDir(), "metadata.json")
+	if err := os.WriteFile(metadataPath, []byte(`{"team":"finance","tier":"silver"}`), 0o600); err != nil {
+		t.Fatalf("write metadata fixture: %v", err)
+	}
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "set-metadata", "default", "tier=gold",
+		"--metadata-file", metadataPath,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("set ledger metadata: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Metadata added.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerDeleteMetadataSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/metadata/tier":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "delete-metadata", "default", "tier",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("delete ledger metadata: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Metadata deleted.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerExportSelectsV2ToFile(t *testing.T) {
+	export := "log-entry-1\nlog-entry-2\n"
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/logs/export":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/octet-stream")
+			fmt.Fprint(w, export)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	outputPath := filepath.Join(t.TempDir(), "export.jsonl")
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "export",
+		"--file", outputPath,
+	)
+	if err != nil {
+		t.Fatalf("export ledger: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Ledger default exported to " + outputPath + ".",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+	data, err := os.ReadFile(outputPath)
+	if err != nil {
+		t.Fatalf("read export: %v", err)
+	}
+	if string(data) != export {
+		t.Fatalf("unexpected export data: %q", string(data))
+	}
+}
+
+func TestLedgerExportSelectsV2ToStdout(t *testing.T) {
+	export := "log-entry-1\nlog-entry-2\n"
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/logs/export":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/octet-stream")
+			fmt.Fprint(w, export)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "export",
+		"--file", "-",
+	)
+	if err != nil {
+		t.Fatalf("export ledger: %v stderr=%s", err, stderr)
+	}
+	if stdout != export {
+		t.Fatalf("unexpected stdout export: %q", stdout)
+	}
+}
+
+func TestLedgerImportSelectsV2FromFile(t *testing.T) {
+	input := "{\"id\":1}\n{\"id\":2}\n"
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/logs/import":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if body != input {
+				t.Fatalf("unexpected import body: %q", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	inputPath := filepath.Join(t.TempDir(), "import.jsonl")
+	if err := os.WriteFile(inputPath, []byte(input), 0o600); err != nil {
+		t.Fatalf("write import file: %v", err)
+	}
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "import", "default",
+		"--file", inputPath,
+	)
+	if err != nil {
+		t.Fatalf("import ledger: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Ledger default imported.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerImportAcceptsDeprecatedPositionalFile(t *testing.T) {
+	input := "{\"id\":1}\n"
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/logs/import":
+			if body := readRequestBody(t, r); body != input {
+				t.Fatalf("unexpected import body: %q", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	inputPath := filepath.Join(t.TempDir(), "import.jsonl")
+	if err := os.WriteFile(inputPath, []byte(input), 0o600); err != nil {
+		t.Fatalf("write import file: %v", err)
+	}
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "import", "default", inputPath,
+	)
+	if err != nil {
+		t.Fatalf("import ledger: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Ledger default imported.") {
+		t.Fatalf("unexpected output:\n%s", stdout)
+	}
+}
+
+func TestLedgerSchemasListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/schemas":
+			if got := r.URL.Query().Get("pageSize"); got != "15" {
+				t.Fatalf("expected pageSize 15, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"version":"v1","createdAt":"2026-01-01T00:00:00Z","chart":{}}],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "ledger", "schemas", "list")
+	if err != nil {
+		t.Fatalf("list schemas: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v2", "Version", "Created at", "Chart segments", "v1", "2026-01-01T00:00:00Z"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected schemas output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerSchemasShowSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/schemas/v1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"version":"v1","createdAt":"2026-01-01T00:00:00Z","chart":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "ledger", "schemas", "show", "v1")
+	if err != nil {
+		t.Fatalf("show schema: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Version",
+		"v1",
+		"Created at",
+		"2026-01-01T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerSchemasInsertSelectsV2(t *testing.T) {
+	schema := `{"chart":{}}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/schemas/v1":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.Header.Get("Idempotency-Key"); got != "schema-key" {
+				t.Fatalf("expected idempotency key, got %q", got)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"chart":{}`) {
+				t.Fatalf("expected schema body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	schemaPath := filepath.Join(t.TempDir(), "schema.json")
+	if err := os.WriteFile(schemaPath, []byte(schema), 0o600); err != nil {
+		t.Fatalf("write schema file: %v", err)
+	}
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "schemas", "insert", "v1",
+		"--file", schemaPath,
+		"--idempotency-key", "schema-key",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("insert schema: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Schema v1 inserted in ledger default.") {
+		t.Fatalf("unexpected output:\n%s", stdout)
+	}
+}
+
+func TestLedgerAccountsListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/accounts":
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, `"address":"users:123"`) {
+				t.Fatalf("expected query to contain account address, got %q", query)
+			}
+			if !strings.Contains(query, `"metadata[tier]":"gold"`) {
+				t.Fatalf("expected query to contain metadata filter, got %q", query)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"address":"users:123","metadata":{"tier":"gold"}}],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "accounts", "list",
+		"--account", "users:123",
+		"--metadata", "tier=gold",
+	)
+	if err != nil {
+		t.Fatalf("list accounts: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "users:123") {
+		t.Fatalf("unexpected accounts output:\n%s", stdout)
+	}
+}
+
+func TestLedgerAccountsListDeprecatedAddressAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/accounts":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "accounts", "list",
+		"--address", "users:123",
+	)
+	if err != nil {
+		t.Fatalf("list accounts with deprecated alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Flag --address has been deprecated, use --account") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestLedgerAccountsQuerySelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/queries/active_accounts/run":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("schemaVersion"); got != "v1" {
+				t.Fatalf("expected schemaVersion v1, got %q", got)
+			}
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			if got := r.URL.Query().Get("sort"); got != "address:asc" {
+				t.Fatalf("expected sort address:asc, got %q", got)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"resource":"accounts"`) {
+				t.Fatalf("expected account query params, got %s", body)
+			}
+			if !strings.Contains(body, `"segment":"vip"`) {
+				t.Fatalf("expected query variable, got %s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"address":"users:123","metadata":{"segment":"vip"}}],"hasMore":true,"pageSize":10,"next":"next"},"resource":"accounts"}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "accounts", "query", "active_accounts",
+		"--schema-version", "v1",
+		"--page-size", "10",
+		"--sort", "address:asc",
+		"--var", "segment=vip",
+	)
+	if err != nil {
+		t.Fatalf("run account query: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Query",
+		"active_accounts",
+		"Address",
+		"users:123",
+		"Next: next",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected account query output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerAccountsQueryRequiresSchemaVersion(t *testing.T) {
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", "http://localhost",
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "accounts", "query", "active_accounts",
+	)
+	if err == nil {
+		t.Fatal("expected account query without schema version to fail")
+	}
+	if !strings.Contains(err.Error(), "schema version is required") {
+		t.Fatalf("expected schema version error, got err=%v stderr=%s", err, stderr)
+	}
+}
+
+func TestLedgerAccountsShowSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/accounts/users:123":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"address":"users:123","metadata":{"tier":"gold"},"volumes":{"USD/2":{"input":100,"output":40,"balance":60}}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "ledger", "accounts", "show", "users:123")
+	if err != nil {
+		t.Fatalf("show account: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Address",
+		"users:123",
+		"Asset",
+		"Input",
+		"Output",
+		"Balance",
+		"USD/2",
+		"100",
+		"40",
+		"60",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected account output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerAccountsSetMetadataSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/accounts/users:123/metadata":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"foo":"bar"`) {
+				t.Fatalf("expected metadata body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "accounts", "set-metadata", "users:123", "foo=bar",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("set account metadata: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Metadata added.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerAccountsDeleteMetadataSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/accounts/users:123/metadata/foo":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "accounts", "delete-metadata", "users:123", "foo",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("delete account metadata: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Metadata deleted.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerStatsSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/stats":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"accounts":2,"transactions":42}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "ledger", "stats")
+	if err != nil {
+		t.Fatalf("read stats: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Transactions",
+		"42",
+		"Accounts",
+		"2",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected stats output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			if got := r.URL.Query().Get("pageSize"); got != "15" {
+				t.Fatalf("expected pageSize 15, got %q", got)
+			}
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, `"source":"world"`) {
+				t.Fatalf("expected query to contain source world, got %q", query)
+			}
+			if !strings.Contains(query, `"destination":"users:123"`) {
+				t.Fatalf("expected query to contain destination users:123, got %q", query)
+			}
+			if !strings.Contains(query, `"metadata[tier]":"gold"`) {
+				t.Fatalf("expected query to contain metadata tier, got %q", query)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":1,"metadata":{"foo":"bar"},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z","reference":"ref"}],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "list",
+		"--source", "world",
+		"--destination", "users:123",
+		"--metadata", "tier=gold",
+	)
+	if err != nil {
+		t.Fatalf("list transactions: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"ID",
+		"Reference",
+		"Timestamp",
+		"1",
+		"ref",
+		"2026-01-01T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected ledger output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsListTimeFiltersSelectV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/default/transactions":
+			if got := r.URL.Query().Get("startTime"); got != "2026-01-01T00:00:00Z" {
+				t.Fatalf("expected startTime, got %q", got)
+			}
+			if got := r.URL.Query().Get("endTime"); got != "2026-01-02T00:00:00Z" {
+				t.Fatalf("expected endTime, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"txid":1,"metadata":{"foo":"bar"},"postings":[],"timestamp":"2026-01-01T00:00:00Z","reference":"ref"}],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "list",
+		"--start", "2026-01-01T00:00:00Z",
+		"--end", "2026-01-02T00:00:00Z",
+	)
+	if err != nil {
+		t.Fatalf("list transactions: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") {
+		t.Fatalf("expected v1 output, got:\n%s", stdout)
+	}
+}
+
+func TestLedgerTransactionsCountSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			if r.Method != http.MethodHead {
+				t.Fatalf("expected HEAD, got %s", r.Method)
+			}
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, `"source":"world"`) {
+				t.Fatalf("expected query to contain source world, got %q", query)
+			}
+			if !strings.Contains(query, `"destination":"users:123"`) {
+				t.Fatalf("expected query to contain destination users:123, got %q", query)
+			}
+			w.Header().Set("Count", "42")
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "count",
+		"--source", "world",
+		"--destination", "users:123",
+	)
+	if err != nil {
+		t.Fatalf("count transactions: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Count",
+		"42",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected ledger output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsExplainRequiresV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, _, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "explain", "42",
+	)
+	if err == nil {
+		t.Fatal("expected ledger transactions explain to require ledger API v3")
+	}
+	for _, expected := range []string{
+		"ledger transactions explain requires ledger API v3+",
+		"target ledger component 2.3.4 supports v1,v2",
+	} {
+		if !strings.Contains(err.Error(), expected) {
+			t.Fatalf("expected error to contain %q, got %v", expected, err)
+		}
+	}
+}
+
+func TestLedgerTransactionsExplainHiddenUntilSDKSupport(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "ledger", "transactions", "--help")
+	if err != nil {
+		t.Fatalf("show ledger transactions help: %v stderr=%s", err, stderr)
+	}
+	if strings.Contains(stdout, "explain") {
+		t.Fatalf("ledger transactions explain must stay hidden until SDK/spec support is available, got:\n%s", stdout)
+	}
+}
+
+func TestLedgerTransactionsExplainDocumentsCurrentSDKGapOnV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"3.2.4","health":true}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, _, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "explain", "42",
+	)
+	if err == nil {
+		t.Fatal("expected ledger transactions explain to report the current SDK/spec gap")
+	}
+	for _, expected := range []string{
+		"ledger transactions explain resolved v3",
+		"explainTransaction is not exposed by the current stack v3.2.4 spec or formance-sdk-go yet",
+	} {
+		if !strings.Contains(err.Error(), expected) {
+			t.Fatalf("expected error to contain %q, got %v", expected, err)
+		}
+	}
+}
+
+func TestLedgerTransactionsSendSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"amount":100`,
+				`"asset":"USD/2"`,
+				`"source":"world"`,
+				`"destination":"users:123"`,
+				`"metadata":{"foo":"bar"}`,
+				`"reference":"ref"`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":42,"metadata":{"foo":"bar"},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z","reference":"ref"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "send",
+		"--source", "world",
+		"--destination", "users:123",
+		"--amount", "100",
+		"--asset", "USD/2",
+		"--metadata", "foo=bar",
+		"--reference", "ref",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("send transaction: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"ID",
+		"42",
+		"Reference",
+		"ref",
+		"Timestamp",
+		"2026-01-01T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsRunScriptSelectsV2(t *testing.T) {
+	scriptFile := filepath.Join(t.TempDir(), "script.num")
+	if err := os.WriteFile(scriptFile, []byte("send [COIN 100] (\n  source = @world\n  destination = @user\n)\n"), 0o600); err != nil {
+		t.Fatalf("write script: %v", err)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"metadata":{"foo":"bar"}`,
+				`"reference":"ref"`,
+				`"timestamp":"2026-01-01T00:00:00Z"`,
+				`"script":`,
+				`"plain":"send [COIN 100]`,
+				`"vars":{"amount":"100/USD/2","destination":"users:123","portion":"1/2"}`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":43,"metadata":{"foo":"bar"},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z","reference":"ref"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, _, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "run-script",
+		"--file", scriptFile,
+	)
+	if err == nil {
+		t.Fatal("expected run-script to require --confirm")
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "run-script",
+		"--file", scriptFile,
+		"--account-var", "destination=users:123",
+		"--amount-var", "amount=100/USD/2",
+		"--portion-var", "portion=1/2",
+		"--metadata", "foo=bar",
+		"--reference", "ref",
+		"--timestamp", "2026-01-01T00:00:00Z",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("run script: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"ID",
+		"43",
+		"Reference",
+		"ref",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsNumDeprecatedAlias(t *testing.T) {
+	scriptFile := filepath.Join(t.TempDir(), "script.num")
+	if err := os.WriteFile(scriptFile, []byte("send [COIN 100] (\n  source = @world\n  destination = @user\n)\n"), 0o600); err != nil {
+		t.Fatalf("write script: %v", err)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"script":`) {
+				t.Fatalf("expected script body, got %s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":43,"metadata":{},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "num",
+		scriptFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("run script through deprecated num alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command ledger transactions num has been deprecated, use ledger transactions run-script --file <path>|-") {
+		t.Fatalf("expected num deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stderr, "Positional file has been deprecated") {
+		t.Fatalf("expected positional deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestLedgerSendDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"source":"world"`,
+				`"destination":"users:123"`,
+				`"amount":100`,
+				`"asset":"USD/2"`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":42,"metadata":{},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "send",
+		"users:123", "100", "USD/2",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("send through deprecated alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use ledger transactions send") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stderr, "Positional ledger send arguments have been deprecated") {
+		t.Fatalf("expected positional deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestLedgerTransactionsShowSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions/42":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":42,"metadata":{"foo":"bar"},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z","reference":"ref"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "ledger", "transactions", "show", "42")
+	if err != nil {
+		t.Fatalf("show transaction: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"ID",
+		"42",
+		"Reference",
+		"ref",
+		"Timestamp",
+		"2026-01-01T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected transaction output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsRevertRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "ledger", "transactions", "revert", "42")
+	if err == nil {
+		t.Fatal("expected revert to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "ledger transactions revert requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestLedgerTransactionsRevertSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions/42/revert":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("atEffectiveDate"); got != "true" {
+				t.Fatalf("expected atEffectiveDate true, got %q", got)
+			}
+			if got := r.URL.Query().Get("force"); got != "true" {
+				t.Fatalf("expected force true, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":43,"metadata":{"foo":"bar"},"postings":[],"reverted":false,"timestamp":"2026-01-01T00:00:00Z","reference":"revert-ref"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "revert", "42",
+		"--at-effective-date",
+		"--force",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("revert transaction: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"ID",
+		"43",
+		"Reference",
+		"revert-ref",
+		"Timestamp",
+		"2026-01-01T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected transaction output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsSetMetadataSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions/42/metadata":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"foo":"bar"`) {
+				t.Fatalf("expected metadata body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "set-metadata", "42", "foo=bar",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("set transaction metadata: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Metadata added.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerTransactionsDeleteMetadataSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions/42/metadata/foo":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "delete-metadata", "42", "foo",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("delete transaction metadata: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Metadata deleted.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerVolumesListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/volumes":
+			if got := r.URL.Query().Get("startTime"); got != "2026-01-01T00:00:00Z" {
+				t.Fatalf("expected startTime, got %q", got)
+			}
+			if got := r.URL.Query().Get("endTime"); got != "2026-01-02T00:00:00Z" {
+				t.Fatalf("expected endTime, got %q", got)
+			}
+			if got := r.URL.Query().Get("insertionDate"); got != "true" {
+				t.Fatalf("expected insertionDate true, got %q", got)
+			}
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, `"account":"users:123"`) {
+				t.Fatalf("expected query to contain account, got %q", query)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"account":"users:123","asset":"USD/2","input":100,"output":40,"balance":60}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "volumes", "list",
+		"--account", "users:123",
+		"--start-time", "2026-01-01T00:00:00Z",
+		"--end-time", "2026-01-02T00:00:00Z",
+		"--use-insertion-date",
+	)
+	if err != nil {
+		t.Fatalf("list volumes: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v2",
+		"Account",
+		"Asset",
+		"Input",
+		"Output",
+		"Balance",
+		"users:123",
+		"USD/2",
+		"100",
+		"40",
+		"60",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected volumes output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestLedgerVolumesListDeprecatedAliases(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/volumes":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "volumes", "list",
+		"--address", "users:123",
+		"--oot", "2026-01-01T00:00:00Z",
+		"--pit", "2026-01-02T00:00:00Z",
+		"--insertion-date",
+	)
+	if err != nil {
+		t.Fatalf("list volumes with deprecated aliases: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"Flag --address has been deprecated, use --account",
+		"Flag --oot has been deprecated, use --start-time",
+		"Flag --pit has been deprecated, use --end-time",
+		"Flag --insertion-date has been deprecated, use --use-insertion-date",
+	} {
+		if !strings.Contains(stderr, expected) {
+			t.Fatalf("expected stderr to contain %q, got:\n%s", expected, stderr)
+		}
+	}
+}
+
+func TestLedgerTransactionsListDeprecatedSourceDestinationAliases(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			query := r.URL.Query().Get("query")
+			if !strings.Contains(query, `"source":"world"`) {
+				t.Fatalf("expected query to contain source world, got %q", query)
+			}
+			if !strings.Contains(query, `"destination":"users:123"`) {
+				t.Fatalf("expected query to contain destination users:123, got %q", query)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+		"--default-ledger", "default",
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"ledger", "transactions", "list",
+		"--src", "world",
+		"--dst", "users:123",
+	)
+	if err != nil {
+		t.Fatalf("list transactions with deprecated aliases: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"Flag --src has been deprecated, use --source",
+		"Flag --dst has been deprecated, use --destination",
+	} {
+		if !strings.Contains(stderr, expected) {
+			t.Fatalf("expected stderr to contain %q, got:\n%s", expected, stderr)
+		}
+	}
+}
+
+func TestLedgerTransactionsListJSON(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+		case "/api/ledger/v2/default/transactions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "-o", "json", "ledger", "transactions", "list")
+	if err != nil {
+		t.Fatalf("list transactions json: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		`"apiVersion": "v2"`,
+		`"transactions": []`,
+		`"pageSize": 15`,
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected ledger JSON output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsAccountsListSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/accounts":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"acc_1","reference":"ref","createdAt":"2026-01-01T00:00:00Z","connectorID":"conn_1","defaultAsset":"USD/2","provider":"stripe","type":"INTERNAL","metadata":{"env":"dev"},"raw":{},"name":"Main"}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "accounts", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list payment accounts: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"acc_1\tref\t2026-01-01T00:00:00Z\tMain\tUSD/2\tconn_1",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payments accounts output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsVersionsShowsPaymentsComponent(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true},{"name":"ledger","version":"2.3.4","health":true}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "payments", "versions")
+	if err != nil {
+		t.Fatalf("show payments versions: %v stderr=%s", err, stderr)
+	}
+	expected := "payments 3.1.0 healthy api=[v1 v3] policy=latest-compatible"
+	if !strings.Contains(stdout, expected) {
+		t.Fatalf("expected payments versions output to contain %q, got:\n%s", expected, stdout)
+	}
+}
+
+func TestPaymentsAccountsCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "accounts", "create", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments accounts create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments accounts create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsAccountsCreateSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/accounts":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"accountName":"Main"`,
+				`"connectorID":"conn_1"`,
+				`"defaultAsset":"USD/2"`,
+				`"type":"INTERNAL"`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create account body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"acc_1","reference":"ref","createdAt":"2026-01-01T00:00:00Z","connectorID":"conn_1","defaultAsset":"USD/2","provider":"stripe","type":"INTERNAL","metadata":{"env":"dev"},"raw":{},"name":"Main"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "account.json")
+	if err := os.WriteFile(requestFile, []byte(`{"accountName":"Main","connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","defaultAsset":"USD/2","metadata":{"env":"dev"},"reference":"ref","type":"internal"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "accounts", "create",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment account: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Account created with ID: acc_1") {
+		t.Fatalf("unexpected create account output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsAccountsCreateDeprecatedPositionalFile(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/accounts":
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"acc_1","reference":"ref","createdAt":"2026-01-01T00:00:00Z","connectorID":"conn_1","defaultAsset":"USD/2","provider":"stripe","type":"INTERNAL","metadata":{},"raw":{},"name":"Main"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "account.json")
+	if err := os.WriteFile(requestFile, []byte(`{"accountName":"Main","connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","type":"INTERNAL"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "accounts", "create", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment account with positional file: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments accounts create --file <path>|-") {
+		t.Fatalf("expected positional file deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsAccountsShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/accounts/acc_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"acc_1","reference":"ref","createdAt":"2026-01-01T00:00:00Z","connectorID":"conn_1","defaultAsset":"USD/2","provider":"stripe","type":"INTERNAL","metadata":{"env":"dev"},"raw":{},"name":"Main"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "accounts", "show", "acc_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment account: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"ID\tacc_1",
+		"Reference\tref",
+		"Name\tMain",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment account output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsAccountsGetDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/accounts/acc_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"acc_1","reference":"ref","createdAt":"2026-01-01T00:00:00Z","connectorID":"conn_1","defaultAsset":"USD/2","provider":"stripe","type":"INTERNAL","metadata":{},"raw":{},"name":"Main"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "accounts", "get", "acc_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment account through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments accounts show") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsAccountsBalancesSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/accounts/acc_1/balances":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			if got := r.URL.Query().Get("asset"); got != "USD/2" {
+				t.Fatalf("expected asset USD/2, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"accountID":"acc_1","asset":"USD/2","balance":100,"createdAt":"2026-01-01T00:00:00Z","lastUpdatedAt":"2026-01-02T00:00:00Z"}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "accounts", "balances", "acc_1",
+		"--asset", "USD/2",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list account balances: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"acc_1\tUSD/2\t100\t2026-01-01T00:00:00Z\t2026-01-02T00:00:00Z",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected account balances output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsBankAccountsCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "bank-accounts", "create", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments bank-accounts create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments bank-accounts create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsBankAccountsCreateSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"name":"Main"`,
+				`"country":"FR"`,
+				`"iban":"FR7630006000011234567890189"`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create bank account body to contain %q, got %s", expected, body)
+				}
+			}
+			if strings.Contains(body, "connectorID") {
+				t.Fatalf("v3 bank account create body must not contain connectorID, got %s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":"ba_1"}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "bank-account.json")
+	if err := os.WriteFile(requestFile, []byte(`{"accountNumber":"123","connectorID":"conn_1","country":"FR","iban":"FR7630006000011234567890189","metadata":{"env":"dev"},"name":"Main","swiftBicCode":"AGRIFRPP"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank-accounts", "create",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment bank account: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Bank account created with ID: ba_1") {
+		t.Fatalf("unexpected create bank account output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsBankAccountsCreateDeprecatedAliases(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts":
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":"ba_1"}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "bank-account.json")
+	if err := os.WriteFile(requestFile, []byte(`{"country":"FR","name":"Main"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank_accounts", "create", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment bank account with aliases: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments bank-accounts") || !strings.Contains(stderr, "use payments bank-accounts create --file <path>|-") {
+		t.Fatalf("expected bank account deprecation warnings, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsBankAccountsForwardSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts/ba_1/forward":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"connectorID":"conn_1"`) {
+				t.Fatalf("expected connector body, got %s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"taskID":"task_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "create", "stack", "local", "--stack-url", server.URL)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank-accounts", "forward", "ba_1", "conn_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("forward payment bank account: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Bank account forwarding scheduled with task ID: task_1") {
+		t.Fatalf("unexpected forward bank account output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsBankAccountsForwardRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "bank-accounts", "forward", "ba_1", "conn_1")
+	if err == nil {
+		t.Fatal("expected payments bank-accounts forward to require confirmation")
+	}
+	if stdout != "" || stderr != "" {
+		t.Fatalf("expected empty output, got stdout=%q stderr=%q", stdout, stderr)
+	}
+	if !strings.Contains(err.Error(), "payments bank-accounts forward requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsBankAccountsSetMetadataSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts/ba_1/metadata":
+			if r.Method != http.MethodPatch {
+				t.Fatalf("expected PATCH, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"metadata":{"env":"dev"}`) {
+				t.Fatalf("expected metadata body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "create", "stack", "local", "--stack-url", server.URL)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank-accounts", "set-metadata", "ba_1", "env=dev",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("set payment bank account metadata: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Metadata set on bank account ba_1.") {
+		t.Fatalf("unexpected set bank account metadata output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsBankAccountsUpdateMetadataDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts/ba_1/metadata":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "create", "stack", "local", "--stack-url", server.URL)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank-accounts", "update-metadata", "ba_1", "env=dev",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("set payment bank account metadata through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments bank-accounts set-metadata") {
+		t.Fatalf("expected update-metadata deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsBankAccountsListSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"ba_1","name":"Main","createdAt":"2026-01-01T00:00:00Z","country":"FR","metadata":{}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank-accounts", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list bank accounts: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "ba_1\tMain\t2026-01-01T00:00:00Z\tFR") {
+		t.Fatalf("unexpected bank accounts output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsBankAccountsShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts/ba_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"ba_1","name":"Main","createdAt":"2026-01-01T00:00:00Z","country":"FR","iban":"FR7630006000011234567890189","swiftBicCode":"BNPAFRPP","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank-accounts", "show", "ba_1",
+	)
+	if err != nil {
+		t.Fatalf("show bank account: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"ID\tba_1",
+		"Country\tFR",
+		"IBAN\tFR7630006000011234567890189",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected bank account output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsBankAccountsDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/bank-accounts":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "bank_accounts", "list",
+	)
+	if err != nil {
+		t.Fatalf("list bank accounts through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments bank-accounts") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsPaymentsListSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payments":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"pay_1","reference":"ref","type":"PAYOUT","status":"SUCCEEDED","scheme":"visa","asset":"USD/2","amount":100,"initialAmount":100,"connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","provider":"stripe","metadata":{}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "payments", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list payments: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "pay_1\tPAYOUT\t100\tUSD/2\tSUCCEEDED\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected payments output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsPaymentsCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "payments", "create", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments payments create to require confirmation")
+	}
+	if stdout != "" || stderr != "" {
+		t.Fatalf("expected empty output, got stdout=%q stderr=%q", stdout, stderr)
+	}
+	if !strings.Contains(err.Error(), "payments payments create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsPaymentsCreateSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payments":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"amount":100`,
+				`"initialAmount":100`,
+				`"asset":"USD/2"`,
+				`"connectorID":"conn_1"`,
+				`"type":"PAYOUT"`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create payment body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"pay_1","reference":"ref","type":"PAYOUT","status":"SUCCEEDED","scheme":"visa","asset":"USD/2","amount":100,"initialAmount":100,"connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","provider":"stripe","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "create", "stack", "local", "--stack-url", server.URL)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "payment.json")
+	if err := os.WriteFile(requestFile, []byte(`{"amount":100,"asset":"USD/2","connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","metadata":{"env":"dev"},"reference":"ref","scheme":"visa","type":"PAYOUT","status":"SUCCEEDED"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "payments", "create",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Payment created with ID: pay_1") {
+		t.Fatalf("unexpected create payment output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsPaymentsCreateDeprecatedPositionalFile(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payments":
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"pay_1","reference":"ref","type":"PAYOUT","status":"SUCCEEDED","scheme":"visa","asset":"USD/2","amount":100,"initialAmount":100,"connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","provider":"stripe","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "create", "stack", "local", "--stack-url", server.URL)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "payment.json")
+	if err := os.WriteFile(requestFile, []byte(`{"amount":100,"asset":"USD/2","connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","reference":"ref","scheme":"visa","type":"PAYOUT","status":"SUCCEEDED"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "payments", "create", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment with positional file: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments payments create --file <path>|-") {
+		t.Fatalf("expected positional file deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsPaymentsShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payments/pay_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"pay_1","reference":"ref","type":"PAYOUT","status":"SUCCEEDED","scheme":"visa","asset":"USD/2","amount":100,"initialAmount":100,"connectorID":"conn_1","createdAt":"2026-01-01T00:00:00Z","provider":"stripe","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "payments", "show", "pay_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"ID\tpay_1",
+		"Reference\tref",
+		"Amount\t100",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPaymentsSetMetadataSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payments/pay_1/metadata":
+			if r.Method != http.MethodPatch {
+				t.Fatalf("expected PATCH, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"metadata":{"env":"dev"}`) {
+				t.Fatalf("expected metadata body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t, "--config-dir", configDir, "context", "create", "stack", "local", "--stack-url", server.URL)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "payments", "set-metadata", "pay_1", "env=dev",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("set payment metadata: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Metadata set on payment pay_1.") {
+		t.Fatalf("unexpected set payment metadata output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsPaymentsSetMetadataRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "payments", "set-metadata", "pay_1", "env=dev")
+	if err == nil {
+		t.Fatal("expected payments payments set-metadata to require confirmation")
+	}
+	if stdout != "" || stderr != "" {
+		t.Fatalf("expected empty output, got stdout=%q stderr=%q", stdout, stderr)
+	}
+	if !strings.Contains(err.Error(), "payments payments set-metadata requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsPoolsCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "pools", "create", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments pools create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments pools create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsPoolsCreateSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Main"`, `"accountIDs":["acc_1"]`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create pool body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":"pool_1"}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+	requestFile := filepath.Join(t.TempDir(), "pool.json")
+	if err := os.WriteFile(requestFile, []byte(`{"name":"Main","accountIDs":["acc_1"]}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "create",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create payment pool: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Pool created with ID: pool_1",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment pool create output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPoolsListSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"pool_1","name":"Main","poolAccounts":["acc_1"],"createdAt":"2026-01-01T00:00:00Z","type":"STATIC","query":{}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list payment pools: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "pool_1\tMain\tacc_1") {
+		t.Fatalf("unexpected payment pools output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsPoolsShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"pool_1","name":"Main","poolAccounts":["acc_1","acc_2"],"createdAt":"2026-01-01T00:00:00Z","type":"STATIC","query":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "show", "pool_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment pool: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"ID\tpool_1",
+		"Name\tMain",
+		"Accounts\tacc_1,acc_2",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment pool output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPoolsGetDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"pool_1","name":"Main","poolAccounts":["acc_1"],"createdAt":"2026-01-01T00:00:00Z","type":"STATIC","query":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "get", "pool_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment pool through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments pools show") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsPoolsDeleteRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "pools", "delete", "pool_1")
+	if err == nil {
+		t.Fatal("expected payments pools delete to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments pools delete requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsPoolsDeleteSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "delete", "pool_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("delete payment pool: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Pool pool_1 deleted.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment pool delete output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPoolsAddAccountSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1/accounts/acc_1":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "add-account", "pool_1", "acc_1",
+	)
+	if err != nil {
+		t.Fatalf("add account to payment pool: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Account acc_1 added to pool pool_1.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment pool add-account output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPoolsRemoveAccountRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "pools", "remove-account", "pool_1", "acc_1")
+	if err == nil {
+		t.Fatal("expected payments pools remove-account to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments pools remove-account requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsPoolsRemoveAccountSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1/accounts/acc_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "remove-account", "pool_1", "acc_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("remove account from payment pool: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Account acc_1 removed from pool pool_1.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment pool remove-account output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPoolsUpdateQuerySelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1/query":
+			if r.Method != http.MethodPatch {
+				t.Fatalf("expected PATCH, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"query":{"accountID":"acc_1"}`) {
+				t.Fatalf("expected query body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	queryPath := filepath.Join(t.TempDir(), "query.json")
+	if err := os.WriteFile(queryPath, []byte(`{"query":{"accountID":"acc_1"}}`), 0o600); err != nil {
+		t.Fatalf("write query fixture: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "update-query", "pool_1",
+		"--file", queryPath,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("update pool query: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Query updated for pool pool_1.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment pool update-query output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsPoolsBalancesSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1/balances":
+			if got := r.URL.Query().Get("at"); got == "" {
+				t.Fatal("expected at query parameter")
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":[{"asset":"USD/2","amount":100,"relatedAccounts":["acc_1"]}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "balances", "pool_1",
+		"--at", "2026-01-01T00:00:00Z",
+	)
+	if err != nil {
+		t.Fatalf("list pool balances: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "USD/2\t100\tacc_1") {
+		t.Fatalf("unexpected pool balances output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsPoolsLatestBalancesSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/pools/pool_1/balances/latest":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":[{"asset":"USD/2","amount":100,"relatedAccounts":["acc_1"]}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "pools", "latest-balances", "pool_1",
+	)
+	if err != nil {
+		t.Fatalf("list latest pool balances: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "USD/2\t100\tacc_1") {
+		t.Fatalf("unexpected latest pool balances output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsTasksShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/tasks/task_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"task_1","connectorID":"conn_1","createdObjectID":"pay_1","status":"SUCCEEDED","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:01:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "tasks", "show", "task_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment task: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"ID\ttask_1",
+		"Connector ID\tconn_1",
+		"Status\tSUCCEEDED",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment task output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsTasksGetDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/tasks/task_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"task_1","status":"SUCCEEDED","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:01:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "tasks", "get", "task_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment task through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments tasks show") {
+		t.Fatalf("expected deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsTransferInitiationListSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"ti_1","reference":"ref","type":"TRANSFER","status":"PROCESSED","asset":"USD/2","amount":100,"connectorID":"conn_1","provider":"stripe","createdAt":"2026-01-01T00:00:00Z","scheduledAt":"2026-01-02T00:00:00Z","description":"desc","metadata":{}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list transfer initiations: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "ti_1\tTRANSFER\t100\tUSD/2\tPROCESSED\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected transfer initiation output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsTransferInitiationCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "transfer-initiation", "create", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments transfer-initiation create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments transfer-initiation create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsTransferInitiationCreateSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("noValidation"); got != "true" {
+				t.Fatalf("expected noValidation=true, got %q", got)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{
+				`"amount":100`,
+				`"asset":"USD/2"`,
+				`"connectorID":"conn_1"`,
+				`"sourceAccountID":"acc_src"`,
+				`"destinationAccountID":"acc_dst"`,
+				`"type":"TRANSFER"`,
+			} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"paymentInitiationID":"ti_1","taskID":"task_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "create.json")
+	if err := os.WriteFile(requestFile, []byte(`{"amount":100,"asset":"USD/2","connectorID":"conn_1","description":"desc","destinationAccountID":"acc_dst","metadata":{"env":"dev"},"reference":"ref","scheduledAt":"2026-01-02T00:00:00Z","sourceAccountID":"acc_src","type":"transfer","validated":true}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "create",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create transfer initiation: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Task ID: task_1",
+		"Transfer initiation created with ID: ti_1",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected create output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsTransferInitiationCreateDeprecatedPositionalFile(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations":
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"paymentInitiationID":"ti_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "create.json")
+	if err := os.WriteFile(requestFile, []byte(`{"amount":"100","asset":"USD/2","connectorID":"conn_1","reference":"ref","scheduledAt":"2026-01-02T00:00:00Z","type":"PAYOUT"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "create", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create transfer initiation with positional file: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments transfer-initiation create --file <path>|-") {
+		t.Fatalf("expected positional file deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsTransferInitiationShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations/ti_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"ti_1","reference":"ref","type":"TRANSFER","status":"PROCESSED","asset":"USD/2","amount":100,"connectorID":"conn_1","provider":"stripe","createdAt":"2026-01-01T00:00:00Z","scheduledAt":"2026-01-02T00:00:00Z","description":"desc","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "show", "ti_1",
+	)
+	if err != nil {
+		t.Fatalf("show transfer initiation: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"ID\tti_1",
+		"Reference\tref",
+		"Amount\t100",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected transfer initiation output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsTransferInitiationDeprecatedAliases(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		case "/api/payments/v3/payment-initiations/ti_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"ti_1","reference":"ref","type":"TRANSFER","status":"PROCESSED","asset":"USD/2","amount":100,"connectorID":"conn_1","provider":"stripe","createdAt":"2026-01-01T00:00:00Z","scheduledAt":"2026-01-02T00:00:00Z","description":"desc","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer_initiation", "list",
+	)
+	if err != nil {
+		t.Fatalf("list transfer initiations through prefix alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments transfer-initiation") {
+		t.Fatalf("expected prefix deprecation warning, got:\n%s", stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "get", "ti_1",
+	)
+	if err != nil {
+		t.Fatalf("show transfer initiation through get alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments transfer-initiation show") {
+		t.Fatalf("expected get deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsTransferInitiationApproveSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations/ti_1/approve":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"taskID":"task_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "approve", "ti_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("approve transfer initiation: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Task ID: task_1",
+		"Transfer initiation ti_1 approved.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected approve output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsTransferInitiationRejectRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "transfer-initiation", "reject", "ti_1")
+	if err == nil {
+		t.Fatal("expected payments transfer-initiation reject to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments transfer-initiation reject requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsTransferInitiationRetrySelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations/ti_1/retry":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"taskID":"task_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "retry", "ti_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("retry transfer initiation: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Transfer initiation ti_1 queued for retry.") {
+		t.Fatalf("unexpected retry output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsTransferInitiationDeleteSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations/ti_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "delete", "ti_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("delete transfer initiation: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Transfer initiation ti_1 deleted.") {
+		t.Fatalf("unexpected delete output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsTransferInitiationReverseRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "transfer-initiation", "reverse", "ti_1", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments transfer-initiation reverse to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments transfer-initiation reverse requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsTransferInitiationReverseSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations/ti_1/reverse":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"amount":100`, `"asset":"USD/2"`, `"reference":"ref"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected reverse body to contain %q, got %s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"taskID":"task_1","paymentInitiationReversalID":"rev_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "reverse.json")
+	if err := os.WriteFile(requestFile, []byte(`{"amount":100,"asset":"USD/2","description":"desc","metadata":{"env":"dev"},"reference":"ref"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "reverse", "ti_1",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("reverse transfer initiation: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Task ID: task_1",
+		"Reversal ID: rev_1",
+		"Transfer initiation ti_1 reversed.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected reverse output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsTransferInitiationReverseDeprecatedPositionalFile(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/payment-initiations/ti_1/reverse":
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"taskID":"task_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	requestFile := filepath.Join(t.TempDir(), "reverse.json")
+	if err := os.WriteFile(requestFile, []byte(`{"amount":"100","asset":"USD/2","reference":"ref"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "reverse", "ti_1", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("reverse transfer initiation with positional file: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments transfer-initiation reverse <transfer-initiation-id> --file <path>|-") {
+		t.Fatalf("expected positional file deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsTransferInitiationUpdateStatusRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "transfer-initiation", "update-status", "ti_1", "VALIDATED")
+	if err == nil {
+		t.Fatal("expected payments transfer-initiation update-status to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments transfer-initiation update-status requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsTransferInitiationUpdateStatusSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/transfer-initiations/ti_1/status":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"status":"VALIDATED"`) {
+				t.Fatalf("expected status body, got %s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "update-status", "ti_1", "validated",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("update transfer initiation status: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Transfer initiation ti_1 status updated to VALIDATED.") {
+		t.Fatalf("unexpected update-status output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsTransferInitiationUpdateStatusDeprecatedAlias(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/transfer-initiations/ti_1/status":
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "transfer-initiation", "update_status", "ti_1", "REJECTED",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("update transfer initiation status through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "use payments transfer-initiation update-status") {
+		t.Fatalf("expected update_status deprecation warning, got:\n%s", stderr)
+	}
+}
+
+func TestPaymentsConnectorsListSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/connectors":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"conn_1","name":"Stripe EU","provider":"stripe","reference":"ref","createdAt":"2026-01-01T00:00:00Z","scheduledForDeletion":false,"config":{}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list payment connectors: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"stripe\tStripe EU\tconn_1",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment connectors output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsConnectorsUninstallRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "connectors", "uninstall", "conn_1")
+	if err == nil {
+		t.Fatal("expected payments connectors uninstall to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments connectors uninstall requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsConnectorsUninstallSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/connectors/conn_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":{"taskID":"task_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "uninstall", "conn_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("uninstall payment connector: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Task ID: task_1",
+		"Connector conn_1 uninstall scheduled.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment connector uninstall output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsConnectorsUninstallPinnedV1RequiresProvider(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"1.9.0","health":true}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "uninstall", "conn_1",
+		"--api-version", "v1",
+		"--confirm",
+	)
+	if err == nil {
+		t.Fatal("expected v1 uninstall without provider to fail")
+	}
+	if !strings.Contains(err.Error(), "provider is required") {
+		t.Fatalf("expected provider error, got: %v stderr=%s", err, stderr)
+	}
+}
+
+func TestPaymentsConnectorsInstallRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "payments", "connectors", "install", "stripe", "--file", "request.json")
+	if err == nil {
+		t.Fatal("expected payments connectors install to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "payments connectors install requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestPaymentsConnectorsInstallSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/connectors/install/stripe":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"apiKey":"sk_test"`, `"name":"Stripe EU"`, `"provider":"Stripe"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected install body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusAccepted)
+			fmt.Fprint(w, `{"data":"conn_1"}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+	requestFile := filepath.Join(t.TempDir(), "stripe.json")
+	if err := os.WriteFile(requestFile, []byte(`{"apiKey":"sk_test","name":"Stripe EU"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "install", "stripe",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("install payment connector: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Connector stripe installed with ID: conn_1",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment connector install output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestPaymentsConnectorsConfigShowSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/connectors/conn_1/config":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"apiKey":"sk_test","name":"Stripe EU","provider":"Stripe"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "config", "show", "conn_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment connector config: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Connector ID: conn_1",
+		"Provider: stripe",
+		`"name": "Stripe EU"`,
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment connector config output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "get-config",
+		"--connector-id", "conn_1",
+	)
+	if err != nil {
+		t.Fatalf("show payment connector config through deprecated get-config: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command payments connectors get-config has been deprecated, use payments connectors config show <connector-id>") {
+		t.Fatalf("expected get-config deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "API version: v3") || !strings.Contains(stdout, "Connector ID: conn_1") {
+		t.Fatalf("unexpected deprecated get-config output:\n%s", stdout)
+	}
+}
+
+func TestPaymentsConnectorsConfigUpdateSelectsV3(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"payments","version":"3.1.0","health":true}]}`)
+		case "/api/payments/v3/connectors/conn_1/config":
+			if r.Method != http.MethodPatch {
+				t.Fatalf("expected PATCH, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"apiKey":"sk_test"`, `"name":"Stripe EU"`, `"provider":"Stripe"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected update body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+	requestFile := filepath.Join(t.TempDir(), "stripe.json")
+	if err := os.WriteFile(requestFile, []byte(`{"apiKey":"sk_test","name":"Stripe EU"}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"payments", "connectors", "config", "update", "conn_1",
+		"--provider", "stripe",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("update payment connector config: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"API version: v3",
+		"Connector conn_1 config updated.",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected payment connector update output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestWalletsCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "wallets", "create", "Main")
+	if err == nil {
+		t.Fatal("expected wallets create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "wallets create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestWalletsCreateSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.Header.Get("Idempotency-Key"); got != "ik_1" {
+				t.Fatalf("expected idempotency key ik_1, got %q", got)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"Main"`, `"env":"dev"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create wallet body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"wallet_1","name":"Main","ledger":"default","createdAt":"2026-01-01T00:00:00Z","metadata":{"env":"dev"}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "create", "Main",
+		"--metadata", "env=dev",
+		"--idempotency-key", "ik_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create wallet: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Wallet created with ID: wallet_1") {
+		t.Fatalf("unexpected create wallet output:\n%s", stdout)
+	}
+}
+
+func TestWalletsListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"wallet_1","name":"Main","ledger":"default","createdAt":"2026-01-01T00:00:00Z","metadata":{"env":"dev"}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list wallets: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "wallet_1\tMain\tdefault\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected wallets list output:\n%s", stdout)
+	}
+}
+
+func TestWalletsShowSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"wallet_1","name":"Main","ledger":"default","createdAt":"2026-01-01T00:00:00Z","metadata":{"env":"dev"},"balances":{"main":{"assets":{}}}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "wallets", "show", "wallet_1")
+	if err != nil {
+		t.Fatalf("show wallet: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "ID\twallet_1", "Name\tMain", "Ledger\tdefault"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected wallet output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestWalletsUpdateSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1":
+			if r.Method != http.MethodPatch {
+				t.Fatalf("expected PATCH, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"env":"prod"`) {
+				t.Fatalf("expected update wallet body to contain metadata, got:\n%s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "update", "wallet_1",
+		"--metadata", "env=prod",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("update wallet: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Wallet wallet_1 updated.") {
+		t.Fatalf("unexpected update wallet output:\n%s", stdout)
+	}
+}
+
+func TestWalletsCreditRequiresExplicitWalletID(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "wallets", "credit", "--amount", "100", "--asset", "USD/2", "--confirm")
+	if err == nil {
+		t.Fatal("expected wallets credit to require wallet id")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "accepts 1 arg") {
+		t.Fatalf("expected explicit wallet id error, got: %v", err)
+	}
+}
+
+func TestWalletsCreditSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1/credit":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"amount":100`, `"asset":"USD/2"`, `"balance":"main"`, `"env":"dev"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected credit body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "credit", "wallet_1",
+		"--amount", "100",
+		"--asset", "USD/2",
+		"--balance", "main",
+		"--metadata", "env=dev",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("credit wallet: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Wallet wallet_1 credited.") {
+		t.Fatalf("unexpected credit wallet output:\n%s", stdout)
+	}
+}
+
+func TestWalletsDebitSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1/debit":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"amount":100`, `"asset":"USD/2"`, `"balances":["main"]`, `"pending":true`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected debit body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"hold_1","walletID":"wallet_1","asset":"USD/2","description":"test","metadata":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "debit", "wallet_1",
+		"--amount", "100",
+		"--asset", "USD/2",
+		"--balance", "main",
+		"--pending",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("debit wallet: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "Hold ID: hold_1", "Wallet wallet_1 debited."} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected debit wallet output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestWalletsBalancesCreateRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "wallets", "balances", "create", "wallet_1", "main")
+	if err == nil {
+		t.Fatal("expected wallets balances create to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "wallets balances create requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestWalletsBalancesCreateSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1/balances":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.Header.Get("Idempotency-Key"); got != "ik_1" {
+				t.Fatalf("expected idempotency key ik_1, got %q", got)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"name":"main"`, `"priority":10`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected create balance body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"name":"main","priority":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "balances", "create", "wallet_1", "main",
+		"--priority", "10",
+		"--idempotency-key", "ik_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create wallet balance: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Balance main created on wallet wallet_1.") {
+		t.Fatalf("unexpected create wallet balance output:\n%s", stdout)
+	}
+}
+
+func TestWalletsBalancesListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1/balances":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"name":"main","priority":10}],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "wallets", "balances", "list", "wallet_1")
+	if err != nil {
+		t.Fatalf("list wallet balances: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "main\t10") {
+		t.Fatalf("unexpected list wallet balances output:\n%s", stdout)
+	}
+}
+
+func TestWalletsBalancesShowSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/wallets/wallet_1/balances/main":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"name":"main","priority":10,"assets":{"USD/2":100}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "wallets", "balances", "show", "wallet_1", "main")
+	if err != nil {
+		t.Fatalf("show wallet balance: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "Name\tmain", "Priority\t10", "Asset\tUSD/2\t100"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected wallet balance output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestWalletsHoldsListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/holds":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("walletID"); got != "wallet_1" {
+				t.Fatalf("expected walletID wallet_1, got %q", got)
+			}
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"hold_1","walletID":"wallet_1","asset":"USD/2","description":"test","metadata":{"env":"dev"}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "holds", "list",
+		"--wallet-id", "wallet_1",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list wallet holds: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "hold_1\twallet_1\tUSD/2") {
+		t.Fatalf("unexpected list wallet holds output:\n%s", stdout)
+	}
+}
+
+func TestWalletsHoldsShowSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/holds/hold_1":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"hold_1","walletID":"wallet_1","asset":"USD/2","description":"test","originalAmount":100,"remaining":40,"metadata":{"env":"dev"}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "wallets", "holds", "show", "hold_1")
+	if err != nil {
+		t.Fatalf("show wallet hold: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "ID\thold_1", "Wallet ID\twallet_1", "Asset\tUSD/2", "Remaining\t40"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected wallet hold output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestWalletsHoldsVoidRequiresConfirm(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "wallets", "holds", "void", "hold_1")
+	if err == nil {
+		t.Fatal("expected wallets holds void to require confirmation")
+	}
+	if stdout != "" {
+		t.Fatalf("expected empty stdout, got %q", stdout)
+	}
+	if stderr != "" {
+		t.Fatalf("expected empty stderr, got %q", stderr)
+	}
+	if !strings.Contains(err.Error(), "wallets holds void requires --confirm") {
+		t.Fatalf("expected confirmation error, got: %v", err)
+	}
+}
+
+func TestWalletsHoldsVoidSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/holds/hold_1/void":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.Header.Get("Idempotency-Key"); got != "ik_1" {
+				t.Fatalf("expected idempotency key ik_1, got %q", got)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "holds", "void", "hold_1",
+		"--idempotency-key", "ik_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("void wallet hold: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Hold hold_1 voided.") {
+		t.Fatalf("unexpected void wallet hold output:\n%s", stdout)
+	}
+}
+
+func TestWalletsHoldsConfirmSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/holds/hold_1/confirm":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"amount":40`, `"final":true`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected confirm hold body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "holds", "confirm", "hold_1",
+		"--amount", "40",
+		"--final",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("confirm wallet hold: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Hold hold_1 confirmed.") {
+		t.Fatalf("unexpected confirm wallet hold output:\n%s", stdout)
+	}
+}
+
+func TestWalletsTransactionsListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"wallets","version":"1.2.0","health":true}]}`)
+		case "/api/wallets/transactions":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("walletID"); got != "wallet_1" {
+				t.Fatalf("expected walletID wallet_1, got %q", got)
+			}
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":42,"ledger":"default","reference":"ref_1","timestamp":"2026-01-01T00:00:00Z","postings":[],"metadata":{"env":"dev"}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"wallets", "transactions", "list",
+		"--wallet-id", "wallet_1",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list wallet transactions: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "42\t2026-01-01T00:00:00Z\tdefault\tref_1") {
+		t.Fatalf("unexpected list wallet transactions output:\n%s", stdout)
+	}
+}
+
+func TestFlowsWorkflowsListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/workflows":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"workflow_1","config":{"name":"Payout","stages":[]},"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "workflows", "list",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list workflows: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "workflow_1\tPayout\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected workflows list output:\n%s", stdout)
+	}
+}
+
+func TestFlowsWorkflowsShowSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"1.5.0","health":true}]}`)
+		case "/api/orchestration/workflows/workflow_1":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"workflow_1","config":{"name":"Payout","stages":[]},"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-02T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "workflows", "show", "workflow_1")
+	if err != nil {
+		t.Fatalf("show workflow: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "ID\tworkflow_1", "Name\tPayout", "Updated at\t2026-01-02T00:00:00Z"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected workflow output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestFlowsWorkflowsCreateSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/workflows":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"name":"Payout"`) {
+				t.Fatalf("expected create workflow body to contain name, got:\n%s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"workflow_1","config":{"name":"Payout","stages":[]},"createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	requestFile := filepath.Join(t.TempDir(), "workflow.json")
+	if err := os.WriteFile(requestFile, []byte(`{"name":"Payout","stages":[]}`), 0o600); err != nil {
+		t.Fatalf("write workflow request: %v", err)
+	}
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "workflows", "create",
+		"--file", requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create workflow: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Workflow created with ID: workflow_1") {
+		t.Fatalf("unexpected workflow create output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "workflows", "create",
+		requestFile,
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create workflow with deprecated positional file: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Positional file has been deprecated, use flows workflows create --file <path>|-") {
+		t.Fatalf("expected positional file warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Workflow created with ID: workflow_1") {
+		t.Fatalf("unexpected deprecated workflow create output:\n%s", stdout)
+	}
+}
+
+func TestFlowsWorkflowsDeleteSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/workflows/workflow_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "workflows", "delete", "workflow_1",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("delete workflow: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Workflow workflow_1 deleted.") {
+		t.Fatalf("unexpected workflow delete output:\n%s", stdout)
+	}
+}
+
+func TestFlowsWorkflowsRunSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/workflows/workflow_1/instances":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("wait"); got != "true" {
+				t.Fatalf("expected wait=true, got %q", got)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"env":"dev"`) {
+				t.Fatalf("expected workflow run body to contain vars, got:\n%s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"instance_1","workflowID":"workflow_1","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z","terminated":false,"status":[]}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "workflows", "run", "workflow_1",
+		"--variable", "env=dev",
+		"--wait",
+	)
+	if err != nil {
+		t.Fatalf("run workflow: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Workflow instance created with ID: instance_1") {
+		t.Fatalf("unexpected workflow run output:\n%s", stdout)
+	}
+}
+
+func TestFlowsInstancesListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/instances":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("workflowID"); got != "workflow_1" {
+				t.Fatalf("expected workflowID workflow_1, got %q", got)
+			}
+			if got := r.URL.Query().Get("running"); got != "true" {
+				t.Fatalf("expected running true, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"instance_1","workflowID":"workflow_1","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z","terminated":false,"status":[]}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "instances", "list",
+		"--workflow-id", "workflow_1",
+		"--running",
+		"--page-size", "10",
+	)
+	if err != nil {
+		t.Fatalf("list flow instances: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "instance_1\tworkflow_1\tfalse\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected flow instances output:\n%s", stdout)
+	}
+}
+
+func TestFlowsInstancesShowSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"1.5.0","health":true}]}`)
+		case "/api/orchestration/instances/instance_1":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"instance_1","workflowID":"workflow_1","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z","terminated":false,"status":[]}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "instances", "show", "instance_1")
+	if err != nil {
+		t.Fatalf("show flow instance: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "ID\tinstance_1", "Workflow ID\tworkflow_1", "Terminated\tfalse"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected instance output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestFlowsInstancesSendEventSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/instances/instance_1/events":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"name":"approved"`) {
+				t.Fatalf("expected send event body to contain event name, got:\n%s", body)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "instances", "send-event", "instance_1", "approved")
+	if err != nil {
+		t.Fatalf("send flow instance event: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Event approved sent to instance instance_1.") {
+		t.Fatalf("unexpected send event output:\n%s", stdout)
+	}
+}
+
+func TestFlowsInstancesStopSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/instances/instance_1/abort":
+			if r.Method != http.MethodPut {
+				t.Fatalf("expected PUT, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "instances", "stop", "instance_1", "--confirm")
+	if err != nil {
+		t.Fatalf("stop flow instance: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Workflow instance instance_1 stopped.") {
+		t.Fatalf("unexpected stop instance output:\n%s", stdout)
+	}
+}
+
+func TestFlowsTriggersCreateSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/triggers":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			for _, expected := range []string{`"event":"approved"`, `"workflowID":"workflow_1"`, `"name":"Payout"`} {
+				if !strings.Contains(body, expected) {
+					t.Fatalf("expected trigger create body to contain %q, got:\n%s", expected, body)
+				}
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"trigger_1","name":"Payout","event":"approved","workflowID":"workflow_1","createdAt":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"flows", "triggers", "create", "approved", "workflow_1",
+		"--name", "Payout",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("create flow trigger: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Trigger created with ID: trigger_1") {
+		t.Fatalf("unexpected create trigger output:\n%s", stdout)
+	}
+}
+
+func TestFlowsTriggersListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/triggers":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("name"); got != "Payout" {
+				t.Fatalf("expected name Payout, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"trigger_1","name":"Payout","event":"approved","workflowID":"workflow_1","createdAt":"2026-01-01T00:00:00Z"}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "triggers", "list", "--name", "Payout")
+	if err != nil {
+		t.Fatalf("list flow triggers: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "trigger_1\tPayout\tapproved\tworkflow_1") {
+		t.Fatalf("unexpected list triggers output:\n%s", stdout)
+	}
+}
+
+func TestFlowsTriggersShowSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"1.5.0","health":true}]}`)
+		case "/api/orchestration/triggers/trigger_1":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"trigger_1","name":"Payout","event":"approved","workflowID":"workflow_1","createdAt":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "triggers", "show", "trigger_1")
+	if err != nil {
+		t.Fatalf("show flow trigger: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{"API version: v1", "ID\ttrigger_1", "Name\tPayout", "Event\tapproved"} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected trigger output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestFlowsTriggersDeleteSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/triggers/trigger_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "triggers", "delete", "trigger_1", "--confirm")
+	if err != nil {
+		t.Fatalf("delete flow trigger: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Trigger trigger_1 deleted.") {
+		t.Fatalf("unexpected delete trigger output:\n%s", stdout)
+	}
+}
+
+func TestFlowsTriggersTestSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/triggers/trigger_1/test":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			body := readRequestBody(t, r)
+			if !strings.Contains(body, `"name":"approved"`) {
+				t.Fatalf("expected trigger test body to contain event name, got:\n%s", body)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"filter":{"match":true},"variables":{}}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "triggers", "test", "trigger_1", `{"name":"approved"}`)
+	if err != nil {
+		t.Fatalf("test flow trigger: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "Filter match\ttrue") {
+		t.Fatalf("unexpected trigger test output:\n%s", stdout)
+	}
+}
+
+func TestFlowsTriggersOccurrencesListSelectsV2(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/triggers/trigger_1/occurrences":
+			if r.Method != http.MethodGet {
+				t.Fatalf("expected GET, got %s", r.Method)
+			}
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"triggerID":"trigger_1","workflowInstanceID":"instance_1","date":"2026-01-01T00:00:00Z","event":{"name":"approved"}}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "flows", "triggers", "occurrences", "list", "trigger_1", "--page-size", "10")
+	if err != nil {
+		t.Fatalf("list trigger occurrences: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v2") || !strings.Contains(stdout, "trigger_1\tinstance_1\t2026-01-01T00:00:00Z") {
+		t.Fatalf("unexpected trigger occurrences output:\n%s", stdout)
+	}
+}
+
+func TestOrchestrationAliasWarns(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"orchestration","version":"2.1.0","health":true}]}`)
+		case "/api/orchestration/v2/workflows":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[],"hasMore":false,"pageSize":15}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	_, stderr, err = executeCommand(t, "--config-dir", configDir, "orchestration", "workflows", "list")
+	if err != nil {
+		t.Fatalf("list workflows through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command orchestration has been deprecated, use flows") {
+		t.Fatalf("expected orchestration alias warning, got:\n%s", stderr)
+	}
+}
+
+func TestFlowsHelpUsesCanonicalProductName(t *testing.T) {
+	stdout, stderr, err := executeCommand(t, "flows", "workflows", "create", "--help")
+	if err != nil {
+		t.Fatalf("flows workflows create help: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Pin flows API version") {
+		t.Fatalf("expected flows API version help, got:\n%s", stdout)
+	}
+	if strings.Contains(stdout, "Pin orchestration API version") {
+		t.Fatalf("help should not expose orchestration as the canonical product name:\n%s", stdout)
+	}
+}
+
+func TestReconciliationListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/reconciliations":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			if got := r.URL.Query().Get("query"); !strings.Contains(got, "policy_1") || !strings.Contains(got, "COMPLETED") {
+				t.Fatalf("expected policy and status query filters, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"rec_1","policyID":"policy_1","status":"COMPLETED","ledgerBalances":{},"paymentsBalances":{},"driftBalances":{},"reconciledAtLedger":"2026-01-01T00:00:00Z","reconciledAtPayments":"2026-01-01T00:00:00Z","createdAt":"2026-01-01T00:01:00Z"}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "reconciliation", "list", "--page-size", "10", "--policy-id", "policy_1", "--status", "COMPLETED")
+	if err != nil {
+		t.Fatalf("list reconciliations: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "rec_1\tpolicy_1\tCOMPLETED\t2026-01-01T00:01:00Z") {
+		t.Fatalf("unexpected reconciliations output:\n%s", stdout)
+	}
+}
+
+func TestReconciliationShowGetWarns(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/reconciliations/rec_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"rec_1","policyID":"policy_1","status":"FAILED","error":"drift detected","ledgerBalances":{},"paymentsBalances":{},"driftBalances":{},"reconciledAtLedger":"2026-01-01T00:00:00Z","reconciledAtPayments":"2026-01-01T00:00:00Z","createdAt":"2026-01-01T00:01:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "reconciliation", "get", "rec_1")
+	if err != nil {
+		t.Fatalf("show reconciliation through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command reconciliation get has been deprecated, use reconciliation show") {
+		t.Fatalf("expected get deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "Status\tFAILED") || !strings.Contains(stdout, "Error\tdrift detected") {
+		t.Fatalf("unexpected reconciliation output:\n%s", stdout)
+	}
+}
+
+func TestReconciliationPoliciesListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/policies":
+			if got := r.URL.Query().Get("pageSize"); got != "10" {
+				t.Fatalf("expected pageSize 10, got %q", got)
+			}
+			if got := r.URL.Query().Get("query"); !strings.Contains(got, "default") || !strings.Contains(got, "pool_1") {
+				t.Fatalf("expected ledger and pool query filters, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"policy_1","name":"daily","ledgerName":"default","paymentsPoolID":"pool_1","ledgerQuery":{},"createdAt":"2026-01-01T00:00:00Z"}],"hasMore":false,"pageSize":10}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "reconciliation", "policies", "list", "--page-size", "10", "--ledger", "default", "--payments-pool-id", "pool_1")
+	if err != nil {
+		t.Fatalf("list policies: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "policy_1\tdaily\tdefault\tpool_1") {
+		t.Fatalf("unexpected policies output:\n%s", stdout)
+	}
+}
+
+func TestReconciliationPoliciesShowGetWarns(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/policies/policy_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"policy_1","name":"daily","ledgerName":"default","paymentsPoolID":"pool_1","ledgerQuery":{},"createdAt":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "reconciliation", "policies", "get", "policy_1")
+	if err != nil {
+		t.Fatalf("show policy through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command reconciliation policies get has been deprecated, use reconciliation policies show") {
+		t.Fatalf("expected get deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "ID\tpolicy_1") || !strings.Contains(stdout, "Payments pool ID\tpool_1") {
+		t.Fatalf("unexpected policy output:\n%s", stdout)
+	}
+}
+
+func TestReconciliationPoliciesCreateSelectsV1(t *testing.T) {
+	var requestBody string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/policies":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			requestBody = readRequestBody(t, r)
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"policy_1","name":"daily","ledgerName":"default","paymentsPoolID":"pool_1","ledgerQuery":{},"createdAt":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	requestFile := filepath.Join(t.TempDir(), "policy.json")
+	if err := os.WriteFile(requestFile, []byte(`{"name":"daily","ledgerName":"default","paymentsPoolID":"pool_1","ledgerQuery":{}}`), 0o600); err != nil {
+		t.Fatalf("write request file: %v", err)
+	}
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "reconciliation", "policies", "create", "--file", requestFile, "--confirm")
+	if err != nil {
+		t.Fatalf("create policy: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(requestBody, `"ledgerName":"default"`) || !strings.Contains(requestBody, `"paymentsPoolID":"pool_1"`) {
+		t.Fatalf("unexpected policy request body: %s", requestBody)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Policy created with ID: policy_1") {
+		t.Fatalf("unexpected create policy output:\n%s", stdout)
+	}
+}
+
+func TestReconciliationPoliciesDeleteRequiresConfirm(t *testing.T) {
+	_, _, err := executeCommand(t, "reconciliation", "policies", "delete", "policy_1")
+	if err == nil || !strings.Contains(err.Error(), "requires --confirm") {
+		t.Fatalf("expected confirm error, got %v", err)
+	}
+}
+
+func TestReconciliationPoliciesDeleteSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/policies/policy_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "reconciliation", "policies", "delete", "policy_1", "--confirm")
+	if err != nil {
+		t.Fatalf("delete policy: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Policy policy_1 deleted.") {
+		t.Fatalf("unexpected delete policy output:\n%s", stdout)
+	}
+}
+
+func TestReconciliationPoliciesReconcileSelectsV1(t *testing.T) {
+	var requestBody string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"reconciliation","version":"1.0.0","health":true}]}`)
+		case "/api/reconciliation/policies/policy_1/reconciliation":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			requestBody = readRequestBody(t, r)
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"rec_1","policyID":"policy_1","status":"PENDING","ledgerBalances":{},"paymentsBalances":{},"driftBalances":{},"reconciledAtLedger":"2026-01-01T00:00:00Z","reconciledAtPayments":"2026-01-01T00:05:00Z","createdAt":"2026-01-01T00:06:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"reconciliation", "policies", "reconcile", "policy_1",
+		"--ledger-at", "2026-01-01T00:00:00Z",
+		"--payments-at", "2026-01-01T00:05:00Z",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("reconcile policy: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(requestBody, `"reconciledAtLedger":"2026-01-01T00:00:00Z"`) || !strings.Contains(requestBody, `"reconciledAtPayments":"2026-01-01T00:05:00Z"`) {
+		t.Fatalf("unexpected reconcile request body: %s", requestBody)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Reconciliation started with ID: rec_1") {
+		t.Fatalf("unexpected reconcile output:\n%s", stdout)
+	}
+
+	requestBody = ""
+	stdout, stderr, err = executeCommand(t,
+		"--config-dir", configDir,
+		"reconciliation", "policies", "reconcile", "policy_1",
+		"2026-01-01T00:00:00Z",
+		"2026-01-01T00:05:00Z",
+		"--confirm",
+	)
+	if err != nil {
+		t.Fatalf("reconcile policy with deprecated positionals: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Positional reconciliation timestamps have been deprecated, use --ledger-at and --payments-at") {
+		t.Fatalf("expected positional timestamp deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(requestBody, `"reconciledAtLedger":"2026-01-01T00:00:00Z"`) || !strings.Contains(requestBody, `"reconciledAtPayments":"2026-01-01T00:05:00Z"`) {
+		t.Fatalf("unexpected deprecated reconcile request body: %s", requestBody)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Reconciliation started with ID: rec_1") {
+		t.Fatalf("unexpected deprecated reconcile output:\n%s", stdout)
+	}
+}
+
+func TestAuthClientsListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"auth","version":"1.0.0","health":true}]}`)
+		case "/api/auth/clients":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":[{"id":"client_1","name":"backend","scopes":["ledger:read"],"redirectUris":["http://localhost/callback"],"secrets":[{"id":"secret_1","name":"default","lastDigits":"1234"}]}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "auth", "clients", "list")
+	if err != nil {
+		t.Fatalf("list auth clients: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "client_1\tbackend\tledger:read") {
+		t.Fatalf("unexpected auth clients output:\n%s", stdout)
+	}
+}
+
+func TestAuthClientsShowGetWarns(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"auth","version":"1.0.0","health":true}]}`)
+		case "/api/auth/clients/client_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"client_1","name":"backend","scopes":["ledger:read"],"redirectUris":["http://localhost/callback"],"secrets":[{"id":"secret_1","name":"default","lastDigits":"1234"}]}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "auth", "clients", "get", "client_1")
+	if err != nil {
+		t.Fatalf("show auth client through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command auth clients get has been deprecated, use auth clients show") {
+		t.Fatalf("expected get deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "ID\tclient_1") || !strings.Contains(stdout, "Secrets\t1") {
+		t.Fatalf("unexpected auth client output:\n%s", stdout)
+	}
+}
+
+func TestAuthUsersListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"auth","version":"1.0.0","health":true}]}`)
+		case "/api/auth/users":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":[{"id":"user_1","email":"user@example.com","subject":"sub_1"}]}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "auth", "users", "list")
+	if err != nil {
+		t.Fatalf("list auth users: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "user_1\tuser@example.com\tsub_1") {
+		t.Fatalf("unexpected auth users output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "auth", "clients", "users", "list")
+	if err != nil {
+		t.Fatalf("list auth users through clients alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command auth clients users has been deprecated, use auth users") {
+		t.Fatalf("expected auth clients users deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "user_1\tuser@example.com\tsub_1") {
+		t.Fatalf("unexpected auth clients users output:\n%s", stdout)
+	}
+}
+
+func TestAuthUsersShowGetWarns(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"auth","version":"1.0.0","health":true}]}`)
+		case "/api/auth/users/user_1":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"user_1","email":"user@example.com","subject":"sub_1"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "auth", "users", "get", "user_1")
+	if err != nil {
+		t.Fatalf("show auth user through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command auth users get has been deprecated, use auth users show") {
+		t.Fatalf("expected get deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(stdout, "ID\tuser_1") || !strings.Contains(stdout, "Email\tuser@example.com") {
+		t.Fatalf("unexpected auth user output:\n%s", stdout)
+	}
+}
+
+func TestAuthClientsCreateSelectsV1(t *testing.T) {
+	var requestBody string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"auth","version":"1.0.0","health":true}]}`)
+		case "/api/auth/clients":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			requestBody = readRequestBody(t, r)
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			fmt.Fprint(w, `{"data":{"id":"client_1","name":"backend","scopes":["ledger:read"],"redirectUris":["http://localhost/callback"],"trusted":true}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"auth", "clients", "create", "backend",
+		"--scope", "ledger:read",
+		"--redirect-uri", "http://localhost/callback",
+		"--trusted",
+	)
+	if err != nil {
+		t.Fatalf("create auth client: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{`"name":"backend"`, `"scopes":["ledger:read"]`, `"redirectUris":["http://localhost/callback"]`, `"trusted":true`} {
+		if !strings.Contains(requestBody, expected) {
+			t.Fatalf("expected request body to contain %s, got %s", expected, requestBody)
+		}
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "Client client_1 created.") {
+		t.Fatalf("unexpected create auth client output:\n%s", stdout)
+	}
+}
+
+func TestAuthClientsDeleteRequiresConfirm(t *testing.T) {
+	_, _, err := executeCommand(t, "auth", "clients", "delete", "client_1")
+	if err == nil || !strings.Contains(err.Error(), "requires --confirm") {
+		t.Fatalf("expected confirm error, got %v", err)
+	}
+}
+
+func TestAuthClientsSecretsCreateDoesNotPrintClearSecretInPlainOutput(t *testing.T) {
+	var requestBody string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"auth","version":"1.0.0","health":true}]}`)
+		case "/api/auth/clients/client_1/secrets":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			requestBody = readRequestBody(t, r)
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"secret_1","name":"default","lastDigits":"1234","clear":"super-secret"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "auth", "clients", "secrets", "create", "client_1", "default")
+	if err != nil {
+		t.Fatalf("create auth secret: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(requestBody, `"name":"default"`) {
+		t.Fatalf("unexpected secret request body: %s", requestBody)
+	}
+	if strings.Contains(stdout, "super-secret") {
+		t.Fatalf("plain output must not include clear secret:\n%s", stdout)
+	}
+	if !strings.Contains(stdout, "Secret default created for client client_1") {
+		t.Fatalf("unexpected create secret output:\n%s", stdout)
+	}
+}
+
+func TestWebhooksListSelectsV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"webhooks","version":"1.0.0","health":true}]}`)
+		case "/api/webhooks/configs":
+			if got := r.URL.Query().Get("endpoint"); got != "https://example.com/webhook" {
+				t.Fatalf("expected endpoint filter, got %q", got)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"cursor":{"data":[{"id":"wh_1","endpoint":"https://example.com/webhook","eventTypes":["ledger.transaction.created"],"active":true,"secret":"super-secret","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}],"hasMore":false}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "webhooks", "list", "--endpoint", "https://example.com/webhook")
+	if err != nil {
+		t.Fatalf("list webhooks: %v stderr=%s", err, stderr)
+	}
+	if strings.Contains(stdout, "super-secret") {
+		t.Fatalf("plain output must not include webhook secret:\n%s", stdout)
+	}
+	if !strings.Contains(stdout, "API version: v1") || !strings.Contains(stdout, "wh_1\thttps://example.com/webhook\ttrue\tledger.transaction.created") {
+		t.Fatalf("unexpected webhooks output:\n%s", stdout)
+	}
+}
+
+func TestWebhooksCreateSelectsV1AndMasksSecret(t *testing.T) {
+	var requestBody string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"webhooks","version":"1.0.0","health":true}]}`)
+		case "/api/webhooks/configs":
+			if r.Method != http.MethodPost {
+				t.Fatalf("expected POST, got %s", r.Method)
+			}
+			requestBody = readRequestBody(t, r)
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"wh_1","endpoint":"https://example.com/webhook","eventTypes":["ledger.transaction.created"],"active":false,"secret":"super-secret","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:00:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"webhooks", "create", "https://example.com/webhook", "ledger.transaction.created",
+		"--secret", "super-secret",
+	)
+	if err != nil {
+		t.Fatalf("create webhook: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{`"endpoint":"https://example.com/webhook"`, `"eventTypes":["ledger.transaction.created"]`, `"secret":"super-secret"`} {
+		if !strings.Contains(requestBody, expected) {
+			t.Fatalf("expected request body to contain %s, got %s", expected, requestBody)
+		}
+	}
+	if strings.Contains(stdout, "super-secret") {
+		t.Fatalf("plain output must not include webhook secret:\n%s", stdout)
+	}
+	if !strings.Contains(stdout, "Webhook config wh_1 created.") {
+		t.Fatalf("unexpected create webhook output:\n%s", stdout)
+	}
+}
+
+func TestWebhooksDeleteRequiresConfirm(t *testing.T) {
+	_, _, err := executeCommand(t, "webhooks", "delete", "wh_1")
+	if err == nil || !strings.Contains(err.Error(), "requires --confirm") {
+		t.Fatalf("expected confirm error, got %v", err)
+	}
+}
+
+func TestWebhooksActionsSelectV1(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"webhooks","version":"1.0.0","health":true}]}`)
+		case "/api/webhooks/configs/wh_1/activate":
+			if r.Method != http.MethodPut {
+				t.Fatalf("expected PUT activate, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"wh_1","endpoint":"https://example.com/webhook","eventTypes":["ledger.transaction.created"],"active":true,"secret":"secret","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:01:00Z"}}`)
+		case "/api/webhooks/configs/wh_1/deactivate":
+			if r.Method != http.MethodPut {
+				t.Fatalf("expected PUT deactivate, got %s", r.Method)
+			}
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"wh_1","endpoint":"https://example.com/webhook","eventTypes":["ledger.transaction.created"],"active":false,"secret":"secret","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:02:00Z"}}`)
+		case "/api/webhooks/configs/wh_1":
+			if r.Method != http.MethodDelete {
+				t.Fatalf("expected DELETE, got %s", r.Method)
+			}
+			w.WriteHeader(http.StatusOK)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "webhooks", "activate", "wh_1")
+	if err != nil {
+		t.Fatalf("activate webhook: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Webhook config wh_1 activated.") {
+		t.Fatalf("unexpected activate output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "webhooks", "deactivate", "wh_1", "--confirm")
+	if err != nil {
+		t.Fatalf("deactivate webhook: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Webhook config wh_1 deactivated.") {
+		t.Fatalf("unexpected deactivate output:\n%s", stdout)
+	}
+
+	stdout, stderr, err = executeCommand(t, "--config-dir", configDir, "webhooks", "delete", "wh_1", "--confirm")
+	if err != nil {
+		t.Fatalf("delete webhook: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Webhook config wh_1 deleted.") {
+		t.Fatalf("unexpected delete output:\n%s", stdout)
+	}
+}
+
+func TestWebhooksChangeSecretAliasWarns(t *testing.T) {
+	var requestBody string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/versions":
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"versions":[{"name":"webhooks","version":"1.0.0","health":true}]}`)
+		case "/api/webhooks/configs/wh_1/secret/change":
+			if r.Method != http.MethodPut {
+				t.Fatalf("expected PUT, got %s", r.Method)
+			}
+			requestBody = readRequestBody(t, r)
+			w.Header().Set("Content-Type", "application/json")
+			fmt.Fprint(w, `{"data":{"id":"wh_1","endpoint":"https://example.com/webhook","eventTypes":["ledger.transaction.created"],"active":true,"secret":"rotated-secret","createdAt":"2026-01-01T00:00:00Z","updatedAt":"2026-01-01T00:01:00Z"}}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	configDir := t.TempDir()
+	_, stderr, err := executeCommand(t,
+		"--config-dir", configDir,
+		"context", "create", "stack", "local",
+		"--stack-url", server.URL,
+	)
+	if err != nil {
+		t.Fatalf("create context: %v stderr=%s", err, stderr)
+	}
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "webhooks", "change-secret", "wh_1", "--secret", "rotated-secret")
+	if err != nil {
+		t.Fatalf("rotate webhook secret through alias: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stderr, "Command webhooks change-secret has been deprecated, use webhooks secret rotate") {
+		t.Fatalf("expected change-secret deprecation warning, got:\n%s", stderr)
+	}
+	if !strings.Contains(requestBody, `"secret":"rotated-secret"`) {
+		t.Fatalf("unexpected change secret request body: %s", requestBody)
+	}
+	if strings.Contains(stdout, "rotated-secret") {
+		t.Fatalf("plain output must not include webhook secret:\n%s", stdout)
+	}
+	if !strings.Contains(stdout, "Webhook config wh_1 secret rotated.") {
+		t.Fatalf("unexpected change secret output:\n%s", stdout)
+	}
+}
+
+func TestConfigMigrateV3DryRun(t *testing.T) {
+	v3Dir := writeV3CommandFixture(t, true)
+
+	stdout, stderr, err := executeCommand(t, "config", "migrate-v3", "--from", v3Dir, "--dry-run")
+	if err != nil {
+		t.Fatalf("migrate dry-run: %v stderr=%s", err, stderr)
+	}
+	for _, expected := range []string{
+		"Current context: default",
+		"- default (cloud-stack)",
+		"Credential moves: 1",
+	} {
+		if !strings.Contains(stdout, expected) {
+			t.Fatalf("expected migration output to contain %q, got:\n%s", expected, stdout)
+		}
+	}
+}
+
+func TestConfigMigrateV3Write(t *testing.T) {
+	v3Dir := writeV3CommandFixture(t, false)
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "config", "migrate-v3", "--from", v3Dir)
+	if err != nil {
+		t.Fatalf("migrate write: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Migrated 1 context(s)") {
+		t.Fatalf("unexpected migration output: %q", stdout)
+	}
+
+	cfg, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml"))
+	if err != nil {
+		t.Fatalf("load migrated config: %v", err)
+	}
+	if cfg.CurrentContext != "default" || cfg.Contexts["default"].Kind != v4config.ContextKindCloudStack {
+		t.Fatalf("unexpected migrated config: %#v", cfg)
+	}
+}
+
+func TestConfigMigrateV3UsesDefaultSourceDir(t *testing.T) {
+	homeDir := t.TempDir()
+	t.Setenv("HOME", homeDir)
+
+	v3Dir := filepath.Join(homeDir, ".config", "formance", "fctl")
+	writeV3CommandFixtureInDir(t, v3Dir, false)
+	configDir := t.TempDir()
+
+	stdout, stderr, err := executeCommand(t, "--config-dir", configDir, "config", "migrate-v3")
+	if err != nil {
+		t.Fatalf("migrate write from default v3 dir: %v stderr=%s", err, stderr)
+	}
+	if !strings.Contains(stdout, "Migrated 1 context(s)") {
+		t.Fatalf("unexpected migration output: %q", stdout)
+	}
+	if _, err := v4config.LoadFile(filepath.Join(configDir, "config.yaml")); err != nil {
+		t.Fatalf("load migrated config: %v", err)
+	}
+}
+
+func TestMissingConfigErrorsAreActionable(t *testing.T) {
+	configDir := filepath.Join(t.TempDir(), "missing")
+
+	for _, tc := range []struct {
+		name string
+		args []string
+	}{
+		{name: "session", args: []string{"session", "status"}},
+		{name: "runtime", args: []string{"target", "inspect"}},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			_, stderr, err := executeCommand(t, append([]string{"--config-dir", configDir}, tc.args...)...)
+			if err == nil {
+				t.Fatal("expected missing config error")
+			}
+			for _, expected := range []string{
+				"v4 config not found",
+				filepath.Join(configDir, "config.yaml"),
+				"fctl login",
+				"fctl profile create stack",
+				"fctl profile create cloud",
+				"fctl profile create cloud-stack",
+				"fctl config migrate-v3",
+			} {
+				if !strings.Contains(err.Error(), expected) {
+					t.Fatalf("expected missing config error to contain %q, got %v stderr=%s", expected, err, stderr)
+				}
+			}
+		})
+	}
+}
+
+func writeV3CommandFixture(t *testing.T, withTokens bool) string {
+	t.Helper()
+	dir := t.TempDir()
+	writeV3CommandFixtureInDir(t, dir, withTokens)
+	return dir
+}
+
+func stringSliceContains(values []string, expected string) bool {
+	for _, value := range values {
+		if value == expected {
+			return true
+		}
+	}
+	return false
+}
+
+func writeV3CommandFixtureInDir(t *testing.T, dir string, withTokens bool) {
+	t.Helper()
+	if err := os.MkdirAll(filepath.Join(dir, "profiles", "default"), 0o700); err != nil {
+		t.Fatalf("create v3 fixture dirs: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "config.yml"), []byte(`{"currentProfile":"default"}`), 0o600); err != nil {
+		t.Fatalf("write v3 config: %v", err)
+	}
+	rootTokens := "null"
+	if withTokens {
+		rootTokens = `{"access":{"token":"access-token"},"id":{"token":"id-token"}}`
+	}
+	profile := `{
+	  "membershipURI": "https://app.formance.cloud/api",
+	  "rootTokens": ` + rootTokens + `,
+	  "defaultOrganization": "org_123",
+	  "defaultStack": "stack_123"
+	}`
+	if err := os.WriteFile(filepath.Join(dir, "profiles", "default", "profile.json"), []byte(profile), 0o600); err != nil {
+		t.Fatalf("write v3 profile: %v", err)
+	}
+}
diff --git a/v4/cmd/runtime.go b/v4/cmd/runtime.go
new file mode 100644
index 00000000..ad9574f1
--- /dev/null
+++ b/v4/cmd/runtime.go
@@ -0,0 +1,313 @@
+package cmd
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	v4auth "github.com/formancehq/fctl/v4/internal/auth"
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	cloudcmd "github.com/formancehq/fctl/v4/internal/commands/cloud"
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+	"github.com/formancehq/fctl/v4/internal/runtime"
+)
+
+func runtimeFromCommand(cmd *cobra.Command) (*runtime.Runtime, error) {
+	path, err := configPath(cmd)
+	if err != nil {
+		return nil, err
+	}
+	contextName, err := contextNameFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+	organization, stack, err := organizationAndStackFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+
+	store, err := credentialStoreFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+	authOptions, err := authOptionsFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+
+	rt, err := runtime.New(cmd.Context(), runtime.Options{
+		ConfigPath:      path,
+		ContextOverride: v4config.ContextOverride{Name: contextName, Organization: organization, Stack: stack},
+		Credentials:     store,
+		Auth:            authOptions,
+		Manifest:        capabilities.GeneratedManifest,
+		Compatibility:   capabilities.DefaultComponentCompatibility,
+	})
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, missingConfigError(path)
+		}
+		return nil, err
+	}
+	if debug, err := cmd.Root().PersistentFlags().GetBool(debugFlag); err != nil {
+		return nil, err
+	} else if debug {
+		fmt.Fprintf(cmd.ErrOrStderr(), "debug: context=%s target=%s url=%s\n", rt.ContextName, rt.Target.Kind, rt.Target.URL)
+	}
+	return rt, nil
+}
+
+func stackRuntimeFromCommand(cmd *cobra.Command) (*runtime.Runtime, error) {
+	rt, err := runtimeFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+	switch rt.Target.Kind {
+	case runtime.TargetKindStack:
+		return rt, nil
+	case runtime.TargetKindCloud:
+		return resolveCloudProfileStackRuntime(cmd, rt)
+	case runtime.TargetKindCloudStack:
+		return resolveExplicitCloudStackRuntime(cmd, rt)
+	default:
+		return rt, nil
+	}
+}
+
+func resolveCloudProfileStackRuntime(cmd *cobra.Command, rt *runtime.Runtime) (*runtime.Runtime, error) {
+	if rt.Context.CloudURL == "" {
+		return nil, fmt.Errorf("cloud profiles require a cloud URL")
+	}
+	if rt.Target.Organization == "" {
+		return nil, fmt.Errorf("stack target commands on Cloud profiles require --organization and --stack, or a cloud-stack profile")
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return nil, err
+	}
+	client, err := organizationMembershipClientFromRuntime(cmd, rt, rt.Target.Organization)
+	if err != nil {
+		return nil, err
+	}
+	output, err := cloudcmd.ListStacksService{Client: client}.Run(cmd.Context(), cloudcmd.ListStacksInput{
+		OrganizationID: rt.Target.Organization,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("resolve cloud stack target: %w", err)
+	}
+	if len(output.Stacks) == 0 {
+		return nil, fmt.Errorf("resolve cloud stack target: no stacks found in organization %q", rt.Target.Organization)
+	}
+	if len(output.Stacks) > 1 {
+		return nil, fmt.Errorf("resolve cloud stack target: --stack is required when organization %q has multiple stacks; available stacks: %s", rt.Target.Organization, stackLabels(output.Stacks))
+	}
+	return useCloudStackRuntime(cmd, rt, httpClient, output.Stacks[0])
+}
+
+func resolveExplicitCloudStackRuntime(cmd *cobra.Command, rt *runtime.Runtime) (*runtime.Runtime, error) {
+	if rt.Context.CloudURL == "" {
+		return nil, fmt.Errorf("cloud-stack profiles require a cloud URL")
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return nil, err
+	}
+	client, err := organizationMembershipClientFromRuntime(cmd, rt, rt.Target.Organization)
+	if err != nil {
+		return nil, err
+	}
+	output, err := cloudcmd.ReadStackService{Client: client}.Run(cmd.Context(), cloudcmd.StackIDInput{
+		OrganizationID: rt.Target.Organization,
+		StackID:        rt.Target.Stack,
+	})
+	if err != nil {
+		if notFoundErr := cloudStackNotFoundError(cmd, rt, client); notFoundErr != nil {
+			return nil, notFoundErr
+		}
+		return nil, fmt.Errorf("resolve cloud stack target: %w", err)
+	}
+	return useCloudStackRuntime(cmd, rt, httpClient, output.Stack)
+}
+
+func useCloudStackRuntime(cmd *cobra.Command, rt *runtime.Runtime, httpClient *http.Client, stack cloudcmd.StackSummary) (*runtime.Runtime, error) {
+	if stack.ID == "" {
+		return nil, fmt.Errorf("resolve cloud stack target: stack id is empty")
+	}
+	if stack.URI == "" {
+		return nil, fmt.Errorf("resolve cloud stack target: stack %s has no URI", stack.ID)
+	}
+	rt.Target.Kind = runtime.TargetKindCloudStack
+	rt.Target.Stack = stack.ID
+	rt.Context.Kind = v4config.ContextKindCloudStack
+	rt.Context.Stack = stack.ID
+	rt.Target.URL = stack.URI
+	rt.Context.StackURL = stack.URI
+	assertionAuth := rt.Context.Auth
+	if assertionAuth.Method == v4config.AuthMethodClientCredentials {
+		assertionAuth.Scopes = []string{"openid", "offline_access"}
+		assertionAuth.Resources = []string{v4auth.StackResource(rt.Target.Organization, rt.Target.Stack)}
+	} else if assertionAuth.Method == v4config.AuthMethodCloudDevice {
+		var err error
+		assertionAuth, err = ensureCloudDeviceStackAuth(cmd, rt, stack)
+		if err != nil {
+			return nil, err
+		}
+	}
+	source, err := v4auth.NewTokenSource(assertionAuth, rt.Credentials, rt.AuthOptions)
+	if err != nil {
+		return nil, err
+	}
+	if source == nil {
+		return rt, nil
+	}
+	assertion, err := source.Token(cmd.Context())
+	if err != nil {
+		return nil, fmt.Errorf("resolve cloud stack target token: %w", err)
+	}
+	stackToken, err := v4auth.ExchangeStackToken(cmd.Context(), baseHTTPClient(rt.AuthOptions), stack.URI, assertion.AccessToken)
+	if err != nil {
+		return nil, fmt.Errorf("resolve cloud stack target token: %w", err)
+	}
+	store := credentials.NewMemoryStore()
+	const tokenRef = "runtime/cloud-stack-token"
+	if err := store.Set(cmd.Context(), tokenRef, stackToken.AccessToken); err != nil {
+		return nil, err
+	}
+	rt.Credentials = store
+	rt.Context.Auth = v4config.Auth{Method: v4config.AuthMethodToken, TokenRef: tokenRef}
+	return rt, nil
+}
+
+func cloudStackNotFoundError(cmd *cobra.Command, rt *runtime.Runtime, client cloudcmd.StackClient) error {
+	output, err := cloudcmd.ListStacksService{Client: client}.Run(cmd.Context(), cloudcmd.ListStacksInput{
+		OrganizationID: rt.Target.Organization,
+	})
+	if err != nil {
+		return nil
+	}
+	for _, stack := range output.Stacks {
+		if stack.ID == rt.Target.Stack {
+			return nil
+		}
+	}
+	if len(output.Stacks) == 0 {
+		return fmt.Errorf("resolve cloud stack target: stack %q was not found in organization %q", rt.Target.Stack, rt.Target.Organization)
+	}
+	return fmt.Errorf("resolve cloud stack target: stack %q was not found in organization %q; available stacks: %s", rt.Target.Stack, rt.Target.Organization, stackLabels(output.Stacks))
+}
+
+func stackLabels(stacks []cloudcmd.StackSummary) string {
+	available := make([]string, 0, len(stacks))
+	for _, stack := range stacks {
+		label := stack.ID
+		if stack.Name != "" {
+			label += " (" + stack.Name + ")"
+		}
+		available = append(available, label)
+	}
+	return strings.Join(available, ", ")
+}
+
+func baseHTTPClient(options v4auth.Options) *http.Client {
+	if options.HTTPClient != nil {
+		return options.HTTPClient
+	}
+	return http.DefaultClient
+}
+
+func contextNameFromCommand(cmd *cobra.Command) (string, error) {
+	flags := cmd.Root().PersistentFlags()
+	profileName, err := flags.GetString(profileFlag)
+	if err != nil {
+		return "", err
+	}
+	contextName, err := flags.GetString(contextFlag)
+	if err != nil {
+		return "", err
+	}
+	if contextName != "" && profileName != "" {
+		return "", fmt.Errorf("--profile and --context are mutually exclusive")
+	}
+	if contextName != "" {
+		fmt.Fprintln(cmd.ErrOrStderr(), "Flag --context has been deprecated, use --profile")
+		return contextName, nil
+	}
+	return profileName, nil
+}
+
+func organizationAndStackFromCommand(cmd *cobra.Command) (string, string, error) {
+	flags := cmd.Root().PersistentFlags()
+	organization, err := flags.GetString(organizationFlag)
+	if err != nil {
+		return "", "", err
+	}
+	stack, err := flags.GetString(stackFlag)
+	if err != nil {
+		return "", "", err
+	}
+	return organization, stack, nil
+}
+
+func credentialStoreFromCommand(cmd *cobra.Command) (credentials.Store, error) {
+	dir, err := credentialDirFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+	return credentials.NewInsecureFileStore(dir), nil
+}
+
+func persistentCredentialStoreFromCommand(cmd *cobra.Command) (credentials.Store, error) {
+	dir, err := credentialDirFromCommand(cmd)
+	if err != nil {
+		return nil, err
+	}
+	return credentials.NewInsecureFileStore(dir), nil
+}
+
+func credentialDirFromCommand(cmd *cobra.Command) (string, error) {
+	dir, err := cmd.Root().PersistentFlags().GetString(credentialDirFlag)
+	if err != nil {
+		return "", err
+	}
+	if dir != "" {
+		return dir, nil
+	}
+	path, err := configPath(cmd)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(filepath.Dir(path), "credentials"), nil
+}
+
+func authOptionsFromCommand(cmd *cobra.Command) (v4auth.Options, error) {
+	insecureTLS, err := cmd.Root().PersistentFlags().GetBool(insecureTLSFlag)
+	if err != nil {
+		return v4auth.Options{}, err
+	}
+	debug, err := cmd.Root().PersistentFlags().GetBool(debugFlag)
+	if err != nil {
+		return v4auth.Options{}, err
+	}
+	if !insecureTLS && !debug {
+		return v4auth.Options{}, nil
+	}
+
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	if insecureTLS {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec // Explicit user opt-in via --insecure-tls.
+	}
+	var roundTripper http.RoundTripper = transport
+	if debug {
+		roundTripper = debugRoundTripper{base: roundTripper, writer: cmd.ErrOrStderr()}
+	}
+	return v4auth.Options{
+		HTTPClient: &http.Client{Transport: roundTripper},
+	}, nil
+}
diff --git a/v4/cmd/setup.go b/v4/cmd/setup.go
new file mode 100644
index 00000000..9beda47d
--- /dev/null
+++ b/v4/cmd/setup.go
@@ -0,0 +1,66 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+)
+
+type setupOutput struct {
+	Commands []string `json:"commands" yaml:"commands"`
+}
+
+func newSetupCommand(deprecatedPromptAlias bool) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "setup",
+		Short: "Show setup commands",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if deprecatedPromptAlias {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command prompt has been deprecated, use setup or login")
+			}
+			return renderSetupGuidance(cmd)
+		},
+	}
+	if deprecatedPromptAlias {
+		command.Use = "prompt"
+		command.Hidden = true
+		command.Deprecated = "use setup or login"
+	}
+	return command
+}
+
+func newContextWizardCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "wizard",
+		Short: "Show context setup commands",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return renderSetupGuidance(cmd)
+		},
+	}
+}
+
+func renderSetupGuidance(cmd *cobra.Command) error {
+	output := setupOutput{
+		Commands: []string{
+			"fctl login",
+			"fctl profile create stack <name> --stack-url <url>",
+			"fctl profile use <name>",
+			"fctl config migrate-v3",
+		},
+	}
+	if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+		return err
+	}
+	for _, command := range output.Commands {
+		line := command
+		if terminalOutputEnabled(cmd) {
+			line = styledInfoLine(cmd, "Run", command)
+		}
+		if _, err := fmt.Fprintln(cmd.OutOrStdout(), line); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/v4/cmd/target.go b/v4/cmd/target.go
new file mode 100644
index 00000000..d0e94966
--- /dev/null
+++ b/v4/cmd/target.go
@@ -0,0 +1,219 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	targetcmd "github.com/formancehq/fctl/v4/internal/commands/target"
+	"github.com/formancehq/fctl/v4/internal/runtime"
+)
+
+func newTargetCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "target",
+		Short: "Inspect the active fctl v4 target",
+	}
+	command.AddCommand(newTargetInspectCommand())
+	command.AddCommand(newTargetProxyCommand())
+	return command
+}
+
+func newTargetInspectCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "inspect",
+		Short: "Inspect the current target and inferred capabilities",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			versions, err := rt.ComponentVersions(cmd.Context())
+			if err != nil {
+				return err
+			}
+
+			components := make([]targetInspectComponent, 0, len(versions))
+			for _, version := range versions {
+				apiVersions, _ := rt.Compatibility.APIVersionsFor(version.Product, version.Version)
+				components = append(components, targetInspectComponent{
+					Name:        string(version.Product),
+					Version:     version.Version,
+					Health:      version.Health,
+					APIVersions: apiVersionsToStrings(apiVersions),
+					APIPolicy:   string(rt.APIPolicyFor(version.Product)),
+				})
+			}
+			output := targetInspectOutput{
+				Context:    rt.ContextName,
+				TargetURL:  rt.Target.URL,
+				TargetKind: string(rt.Target.Kind),
+				Components: components,
+			}
+
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+
+			if !terminalOutputEnabled(cmd) {
+				if _, err := fmt.Fprintf(cmd.OutOrStdout(), "Context: %s\nTarget: %s (%s)\n", output.Context, output.TargetURL, output.TargetKind); err != nil {
+					return err
+				}
+				if len(output.Components) == 0 {
+					_, err := fmt.Fprintln(cmd.OutOrStdout(), "Components: none")
+					return err
+				}
+				if _, err := fmt.Fprintln(cmd.OutOrStdout(), "Components:"); err != nil {
+					return err
+				}
+				for _, component := range output.Components {
+					health := "unhealthy"
+					if component.Health {
+						health = "healthy"
+					}
+					apiVersions := "<none>"
+					if len(component.APIVersions) > 0 {
+						apiVersions = fmt.Sprintf("%v", component.APIVersions)
+					}
+					if _, err := fmt.Fprintf(cmd.OutOrStdout(), "- %s %s %s api=%s policy=%s\n",
+						component.Name, component.Version, health, apiVersions, component.APIPolicy); err != nil {
+						return err
+					}
+				}
+				return nil
+			}
+			if err := writeStyledKeyValues(cmd,
+				styledKeyValue{Label: "Context", Value: output.Context},
+				styledKeyValue{Label: "Target", Value: output.TargetURL},
+				styledKeyValue{Label: "Kind", Value: output.TargetKind},
+			); err != nil {
+				return err
+			}
+			if len(output.Components) == 0 {
+				_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No components found."))
+				return err
+			}
+			rows := make([][]string, 0, len(output.Components))
+			for _, component := range output.Components {
+				health := "unhealthy"
+				if component.Health {
+					health = "healthy"
+				}
+				apiVersions := "<none>"
+				if len(component.APIVersions) > 0 {
+					apiVersions = fmt.Sprintf("%v", component.APIVersions)
+				}
+				rows = append(rows, []string{component.Name, component.Version, health, apiVersions, component.APIPolicy})
+			}
+			return writeStyledRows(cmd, []string{"Component", "Version", "Health", "API", "Policy"}, rows)
+		},
+	}
+}
+
+func newTargetProxyCommand() *cobra.Command {
+	var port int
+	var allowedOrigins []string
+
+	command := &cobra.Command{
+		Use:   "proxy",
+		Short: "Start a local proxy for the current stack target",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			if rt.Target.Kind != runtime.TargetKindStack && rt.Target.Kind != runtime.TargetKindCloudStack {
+				return fmt.Errorf("target proxy requires a stack context")
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			transport := http.DefaultTransport
+			if httpClient.Transport != nil {
+				transport = httpClient.Transport
+			}
+			handler, err := targetcmd.NewProxyHandler(targetcmd.ProxyInput{
+				TargetURL:      rt.Target.URL,
+				Transport:      transport,
+				AllowedOrigins: allowedOrigins,
+				LogWriter:      cmd.OutOrStdout(),
+				ErrorWriter:    cmd.ErrOrStderr(),
+			})
+			if err != nil {
+				return err
+			}
+			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+			if err != nil {
+				return fmt.Errorf("listen on port %d: %w", port, err)
+			}
+			defer listener.Close()
+
+			server := &http.Server{
+				Handler:           handler,
+				ReadHeaderTimeout: 10 * time.Second,
+			}
+			serverErrors := make(chan error, 1)
+			go func() {
+				if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
+					serverErrors <- err
+				}
+			}()
+
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "Proxy", fmt.Sprintf("http://%s -> %s", listener.Addr().String(), rt.Target.URL)))
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "Press Ctrl+C to stop the server"))
+
+			ctx, stop := signal.NotifyContext(cmd.Context(), os.Interrupt, syscall.SIGTERM)
+			defer stop()
+			select {
+			case err := <-serverErrors:
+				return err
+			case <-ctx.Done():
+			}
+
+			shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+			if err := server.Shutdown(shutdownCtx); err != nil {
+				return fmt.Errorf("shutdown proxy: %w", err)
+			}
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, "Server stopped successfully."))
+			return nil
+		},
+	}
+	command.Flags().IntVar(&port, "port", 55001, "Local proxy port")
+	command.Flags().StringSliceVar(&allowedOrigins, "allowed-origins", nil, "Allowed CORS origins; CORS is disabled when empty")
+	return command
+}
+
+type targetInspectOutput struct {
+	Context    string                   `json:"context" yaml:"context"`
+	TargetURL  string                   `json:"targetUrl" yaml:"targetUrl"`
+	TargetKind string                   `json:"targetKind" yaml:"targetKind"`
+	Components []targetInspectComponent `json:"components" yaml:"components"`
+}
+
+type targetInspectComponent struct {
+	Name        string   `json:"name" yaml:"name"`
+	Version     string   `json:"version" yaml:"version"`
+	Health      bool     `json:"health" yaml:"health"`
+	APIVersions []string `json:"apiVersions" yaml:"apiVersions"`
+	APIPolicy   string   `json:"apiPolicy" yaml:"apiPolicy"`
+}
+
+func apiVersionsToStrings(versions []capabilities.APIVersion) []string {
+	ret := make([]string, len(versions))
+	for i, version := range versions {
+		ret[i] = string(version)
+	}
+	return ret
+}
diff --git a/v4/cmd/terminal_ui.go b/v4/cmd/terminal_ui.go
new file mode 100644
index 00000000..d26f4015
--- /dev/null
+++ b/v4/cmd/terminal_ui.go
@@ -0,0 +1,327 @@
+package cmd
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/charmbracelet/bubbles/spinner"
+	"github.com/charmbracelet/lipgloss"
+	"github.com/mattn/go-isatty"
+	"github.com/spf13/cobra"
+
+	v4render "github.com/formancehq/fctl/v4/internal/render"
+)
+
+func withTerminalSpinner[T any](cmd *cobra.Command, enabled bool, message string, doneMessage string, fn func() (T, error)) (T, error) {
+	return withTerminalSpinnerUpdates(cmd, enabled, message, doneMessage, func(func(string)) (T, error) {
+		return fn()
+	})
+}
+
+func withTerminalSpinnerUpdates[T any](cmd *cobra.Command, enabled bool, message string, doneMessage string, fn func(update func(string)) (T, error)) (T, error) {
+	if !enabled || !terminalSpinnerEnabled(cmd) {
+		return fn(func(string) {})
+	}
+
+	spinner := startTerminalSpinner(cmd.ErrOrStderr(), message, doneMessage, commandColorEnabled(cmd))
+	output, err := fn(spinner.Update)
+	spinner.Stop(err == nil)
+	return output, err
+}
+
+type terminalSpinner struct {
+	update  chan string
+	done    chan bool
+	stopped chan struct{}
+}
+
+func startTerminalSpinner(writer io.Writer, message string, doneMessage string, color bool) *terminalSpinner {
+	model := spinner.MiniDot
+	spinnerStyle := lipgloss.NewStyle()
+	messageStyle := lipgloss.NewStyle()
+	doneStyle := lipgloss.NewStyle()
+	if color {
+		spinnerStyle = spinnerStyle.Foreground(v4render.FormancePalette.Mint)
+		messageStyle = messageStyle.Foreground(v4render.FormancePalette.Text)
+		doneStyle = doneStyle.Foreground(v4render.FormancePalette.Success).Bold(true)
+	}
+
+	update := make(chan string, 1)
+	done := make(chan bool)
+	stopped := make(chan struct{})
+	go func() {
+		defer close(stopped)
+		frame := 0
+		currentMessage := message
+		startedAt := time.Now()
+		render := func() {
+			fmt.Fprintf(writer, "\r\033[2K%s %s", spinnerStyle.Render(model.Frames[frame]), messageStyle.Render(spinnerMessageWithElapsed(currentMessage, time.Since(startedAt))))
+		}
+		render()
+		ticker := time.NewTicker(model.FPS)
+		defer ticker.Stop()
+		for {
+			select {
+			case success := <-done:
+				fmt.Fprint(writer, "\r\033[2K")
+				if success && strings.TrimSpace(doneMessage) != "" {
+					fmt.Fprintf(writer, "%s %s\n", doneStyle.Render("OK"), doneMessage)
+				}
+				return
+			case nextMessage := <-update:
+				if strings.TrimSpace(nextMessage) != "" {
+					currentMessage = nextMessage
+				}
+				render()
+			case <-ticker.C:
+				frame = (frame + 1) % len(model.Frames)
+				render()
+			}
+		}
+	}()
+	return &terminalSpinner{update: update, done: done, stopped: stopped}
+}
+
+func (s *terminalSpinner) Update(message string) {
+	select {
+	case s.update <- message:
+	default:
+		select {
+		case <-s.update:
+		default:
+		}
+		s.update <- message
+	}
+}
+
+func (s *terminalSpinner) Stop(success bool) {
+	s.done <- success
+	<-s.stopped
+}
+
+func spinnerMessageWithElapsed(message string, elapsed time.Duration) string {
+	return fmt.Sprintf("%s (%ds)", message, int(elapsed.Seconds()))
+}
+
+func terminalSpinnerEnabled(cmd *cobra.Command) bool {
+	if nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag); err != nil || nonInteractive {
+		return false
+	}
+	format, err := outputFormat(cmd)
+	if err != nil || format != "plain" {
+		return false
+	}
+	return terminalWriter(cmd.ErrOrStderr())
+}
+
+func terminalOutputEnabled(cmd *cobra.Command) bool {
+	format, err := outputFormat(cmd)
+	if err != nil || format != "plain" {
+		return false
+	}
+	return terminalWriter(cmd.OutOrStdout())
+}
+
+func terminalWriter(writer io.Writer) bool {
+	file, ok := writer.(*os.File)
+	return ok && isatty.IsTerminal(file.Fd())
+}
+
+func commandColorEnabled(cmd *cobra.Command) bool {
+	noColor, err := cmd.Root().PersistentFlags().GetBool(noColorFlag)
+	return err == nil && !noColor
+}
+
+func styledKeyValueLine(cmd *cobra.Command, label string, value string) string {
+	return styledKeyValueLineWithWidth(cmd, label, value, 8)
+}
+
+type styledKeyValue struct {
+	Label string
+	Value string
+}
+
+func writeStyledKeyValues(cmd *cobra.Command, rows ...styledKeyValue) error {
+	if !terminalOutputEnabled(cmd) {
+		for _, row := range rows {
+			if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\n", row.Label, row.Value); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	width := 8
+	for _, row := range rows {
+		if len(row.Label) > width {
+			width = len(row.Label)
+		}
+	}
+	for _, row := range rows {
+		if _, err := fmt.Fprintln(cmd.OutOrStdout(), styledKeyValueLineWithWidth(cmd, row.Label, row.Value, width)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func writeStyledKeyValueRows(cmd *cobra.Command, rows [][]string) error {
+	values := make([]styledKeyValue, 0, len(rows))
+	for _, row := range rows {
+		if len(row) < 2 {
+			continue
+		}
+		values = append(values, styledKeyValue{Label: row[0], Value: row[1]})
+	}
+	return writeStyledKeyValues(cmd, values...)
+}
+
+func writeStyledNamedKeyValueRows(cmd *cobra.Command, label string, rows [][]string) error {
+	if !terminalOutputEnabled(cmd) {
+		for _, row := range rows {
+			if len(row) < 2 {
+				continue
+			}
+			if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s\t%s\t%s\n", label, row[0], row[1]); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	values := make([]styledKeyValue, 0, len(rows))
+	for _, row := range rows {
+		if len(row) < 2 {
+			continue
+		}
+		values = append(values, styledKeyValue{Label: label + " " + row[0], Value: row[1]})
+	}
+	return writeStyledKeyValues(cmd, values...)
+}
+
+func writeStyledColonKeyValues(cmd *cobra.Command, rows ...styledKeyValue) error {
+	if !terminalOutputEnabled(cmd) {
+		for _, row := range rows {
+			if _, err := fmt.Fprintf(cmd.OutOrStdout(), "%s: %s\n", row.Label, row.Value); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func writeStyledSectionTitle(cmd *cobra.Command, title string) error {
+	if !terminalOutputEnabled(cmd) {
+		_, err := fmt.Fprintf(cmd.OutOrStdout(), "%s:\n", title)
+		return err
+	}
+	style := lipgloss.NewStyle().Bold(true)
+	if commandColorEnabled(cmd) {
+		style = style.Foreground(v4render.FormancePalette.Muted)
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), style.Render(title))
+	return err
+}
+
+func writeStyledBulletedPairRows(cmd *cobra.Command, headers []string, rows [][]string) error {
+	if !terminalOutputEnabled(cmd) {
+		for _, row := range rows {
+			if len(row) < 2 {
+				continue
+			}
+			if _, err := fmt.Fprintf(cmd.OutOrStdout(), "- %s (%s)\n", row[0], row[1]); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return writeStyledRows(cmd, headers, rows)
+}
+
+func writeStyledRows(cmd *cobra.Command, headers []string, rows [][]string) error {
+	if !terminalOutputEnabled(cmd) {
+		for _, row := range rows {
+			if _, err := fmt.Fprintln(cmd.OutOrStdout(), strings.Join(row, "\t")); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return v4render.Table(cmd.OutOrStdout(), headers, rows)
+}
+
+func writeStyledTable(cmd *cobra.Command, headers []string, rows [][]string) error {
+	if !terminalOutputEnabled(cmd) {
+		return v4render.Table(cmd.OutOrStdout(), headers, rows)
+	}
+	return writeStyledRows(cmd, headers, rows)
+}
+
+func styledKeyValueLineWithWidth(cmd *cobra.Command, label string, value string, width int) string {
+	if !terminalOutputEnabled(cmd) {
+		return fmt.Sprintf("%s\t%s", label, value)
+	}
+
+	labelStyle := lipgloss.NewStyle().Width(width + 1)
+	valueStyle := lipgloss.NewStyle().Bold(true)
+	prefixStyle := lipgloss.NewStyle()
+	if commandColorEnabled(cmd) {
+		labelStyle = labelStyle.Foreground(v4render.FormancePalette.Muted)
+		valueStyle = valueStyle.Foreground(v4render.FormancePalette.Text)
+		prefixStyle = prefixStyle.Foreground(v4render.FormancePalette.Success).Bold(true)
+	}
+	return fmt.Sprintf("%s %s %s", prefixStyle.Render("OK"), labelStyle.Render(label), valueStyle.Render(value))
+}
+
+func styledEmptyLine(cmd *cobra.Command, message string) string {
+	if !terminalOutputEnabled(cmd) {
+		return message
+	}
+
+	style := lipgloss.NewStyle()
+	if commandColorEnabled(cmd) {
+		style = style.Foreground(v4render.FormancePalette.Muted)
+	}
+	return style.Render(message)
+}
+
+func styledInfoLine(cmd *cobra.Command, label string, value string) string {
+	if !terminalOutputEnabled(cmd) {
+		return fmt.Sprintf("%s: %s", label, value)
+	}
+
+	labelStyle := lipgloss.NewStyle()
+	valueStyle := lipgloss.NewStyle().Bold(true)
+	if commandColorEnabled(cmd) {
+		labelStyle = labelStyle.Foreground(v4render.FormancePalette.Muted)
+		valueStyle = valueStyle.Foreground(v4render.FormancePalette.Text)
+	}
+	return fmt.Sprintf("%s %s", labelStyle.Render(label), valueStyle.Render(value))
+}
+
+func writeStyledAPIVersion(cmd *cobra.Command, version any) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "API version", fmt.Sprint(version)))
+	return err
+}
+
+func writeStyledNext(cmd *cobra.Command, next string) error {
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "Next", next))
+	return err
+}
+
+func styledSuccessLine(cmd *cobra.Command, message string) string {
+	if !terminalOutputEnabled(cmd) {
+		return message
+	}
+
+	prefixStyle := lipgloss.NewStyle()
+	messageStyle := lipgloss.NewStyle().Bold(true)
+	if commandColorEnabled(cmd) {
+		prefixStyle = prefixStyle.Foreground(v4render.FormancePalette.Success).Bold(true)
+		messageStyle = messageStyle.Foreground(v4render.FormancePalette.Text)
+	}
+	return fmt.Sprintf("%s %s", prefixStyle.Render("OK"), messageStyle.Render(message))
+}
diff --git a/v4/cmd/ui.go b/v4/cmd/ui.go
new file mode 100644
index 00000000..f4c928d6
--- /dev/null
+++ b/v4/cmd/ui.go
@@ -0,0 +1,91 @@
+package cmd
+
+import (
+	"fmt"
+	"net/url"
+	"os/exec"
+	goruntime "runtime"
+
+	"github.com/spf13/cobra"
+
+	cloudcmd "github.com/formancehq/fctl/v4/internal/commands/cloud"
+)
+
+var openBrowserURL = openURL
+
+func newUICommand(deprecatedRootAlias bool) *cobra.Command {
+	var printOnly bool
+
+	command := &cobra.Command{
+		Use:   "ui",
+		Short: "Open the Formance Cloud console",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			if deprecatedRootAlias {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command ui has been deprecated, use cloud ui")
+			}
+			_, client, err := cloudRuntimeAndMembershipClientFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			response, err := client.GetServerInfo(cmd.Context())
+			if err != nil {
+				return err
+			}
+			consoleURL := cloudcmd.ConsoleURL(response)
+
+			nonInteractive, err := cmd.Root().PersistentFlags().GetBool(nonInteractiveFlag)
+			if err != nil {
+				return err
+			}
+			opened := false
+			if !printOnly && !nonInteractive {
+				if err := openBrowserURL(consoleURL); err != nil {
+					return err
+				}
+				opened = true
+			}
+
+			output := uiOutput{URL: consoleURL, Opened: opened}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			if opened {
+				_, err = fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "Opening console", consoleURL))
+				return err
+			}
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "Console URL", consoleURL))
+			return err
+		},
+	}
+	if deprecatedRootAlias {
+		command.Hidden = true
+	}
+	command.Flags().BoolVar(&printOnly, "print", false, "Print the console URL without opening a browser")
+	return command
+}
+
+func openURL(rawURL string) error {
+	if _, err := url.ParseRequestURI(rawURL); err != nil {
+		return fmt.Errorf("invalid URL: %s", rawURL)
+	}
+
+	var command string
+	var args []string
+	switch goruntime.GOOS {
+	case "windows":
+		command = "cmd"
+		args = []string{"/c", "start"}
+	case "darwin":
+		command = "open"
+	default:
+		command = "xdg-open"
+	}
+	args = append(args, rawURL)
+	return exec.Command(command, args...).Start() //nolint:gosec // URL opener is selected by OS and URL is parsed above.
+}
+
+type uiOutput struct {
+	URL    string `json:"url" yaml:"url"`
+	Opened bool   `json:"opened" yaml:"opened"`
+}
diff --git a/v4/cmd/wallets.go b/v4/cmd/wallets.go
new file mode 100644
index 00000000..b1bb2cae
--- /dev/null
+++ b/v4/cmd/wallets.go
@@ -0,0 +1,1200 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"math/big"
+	"sort"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	walletscmd "github.com/formancehq/fctl/v4/internal/commands/wallets"
+)
+
+func newWalletsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "wallets",
+		Short: "Manage wallets",
+	}
+	command.AddCommand(newWalletsCreateCommand())
+	command.AddCommand(newWalletsCreditCommand())
+	command.AddCommand(newWalletsDebitCommand())
+	command.AddCommand(newWalletsBalancesCommand())
+	command.AddCommand(newWalletsHoldsCommand())
+	command.AddCommand(newWalletsTransactionsCommand())
+	command.AddCommand(newWalletsListCommand())
+	command.AddCommand(newWalletsShowCommand("show", nil, false))
+	command.AddCommand(newWalletsShowCommand("get", []string{"g"}, true))
+	command.AddCommand(newWalletsUpdateCommand())
+	return command
+}
+
+func newWalletsTransactionsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "transactions",
+		Short: "Manage wallet transactions",
+	}
+	command.AddCommand(newWalletsTransactionsListCommand())
+	return command
+}
+
+func newWalletsTransactionsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var walletID string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List wallet transactions",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.ListTransactionsService{
+				Handlers: walletscmd.SDKListTransactionsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureListTransactions,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.ListTransactionsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+				WalletID: walletID,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletTransactions(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&walletID, "wallet-id", "", "Filter transactions by wallet ID")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsHoldsCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "holds",
+		Short: "Manage wallet holds",
+	}
+	command.AddCommand(newWalletsHoldsListCommand())
+	command.AddCommand(newWalletsHoldsShowCommand())
+	command.AddCommand(newWalletsHoldsVoidCommand())
+	command.AddCommand(newWalletsHoldsConfirmCommand())
+	return command
+}
+
+func newWalletsHoldsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var walletID string
+	var metadata []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List wallet holds",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.ListHoldsService{
+				Handlers: walletscmd.SDKListHoldsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureListHolds,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.ListHoldsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+				WalletID: walletID,
+				Metadata: parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletHolds(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&walletID, "wallet-id", "", "Filter holds by wallet ID")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Metadata filter as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsHoldsShowCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "show <hold-id>",
+		Short: "Show a wallet hold",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.GetHoldService{
+				Handlers: walletscmd.SDKGetHoldHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureGetHold,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.GetHoldInput{HoldID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletHold(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsHoldsVoidCommand() *cobra.Command {
+	var confirm bool
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "void <hold-id>",
+		Short: "Void a wallet hold",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets holds void requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			output, err := runWalletHoldActionCommand(cmd, walletHoldActionCommandRequest{
+				Feature:        walletscmd.FeatureVoidHold,
+				Handlers:       walletscmd.SDKVoidHoldHandlers,
+				HoldID:         args[0],
+				IdempotencyKey: idempotencyKey,
+				APIVersion:     apiVersion,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletHoldVoided(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm hold void")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsHoldsConfirmCommand() *cobra.Command {
+	var confirm bool
+	var amount string
+	var final bool
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "confirm <hold-id>",
+		Short: "Confirm a wallet hold",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets holds confirm requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			parsedAmount, err := parseOptionalBigInt(amount, "amount")
+			if err != nil {
+				return err
+			}
+			var finalPtr *bool
+			if cmd.Flags().Changed("final") {
+				finalPtr = &final
+			}
+			output, err := runWalletHoldActionCommand(cmd, walletHoldActionCommandRequest{
+				Feature:        walletscmd.FeatureConfirmHold,
+				Handlers:       walletscmd.SDKConfirmHoldHandlers,
+				HoldID:         args[0],
+				Amount:         parsedAmount,
+				Final:          finalPtr,
+				IdempotencyKey: idempotencyKey,
+				APIVersion:     apiVersion,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletHoldConfirmed(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm hold confirmation")
+	command.Flags().StringVar(&amount, "amount", "", "Amount to confirm")
+	command.Flags().BoolVar(&final, "final", false, "Finalize the hold confirmation")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+type walletHoldActionCommandRequest struct {
+	Feature        capabilities.Feature
+	Handlers       func(*formance.Formance) []walletscmd.HoldActionHandler
+	HoldID         string
+	Amount         *big.Int
+	Final          *bool
+	IdempotencyKey string
+	APIVersion     string
+}
+
+func runWalletHoldActionCommand(cmd *cobra.Command, request walletHoldActionCommandRequest) (walletscmd.HoldActionOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return walletscmd.HoldActionOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return walletscmd.HoldActionOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := walletscmd.VoidHoldService{
+		Handlers: request.Handlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			versionRequest := capabilities.VersionResolutionRequest{
+				Product:         walletscmd.ProductWallets,
+				Feature:         request.Feature,
+				HandlerVersions: handlerVersions,
+			}
+			if request.APIVersion != "" {
+				versionRequest.Policy = capabilities.VersionPolicyPinned
+				versionRequest.PinnedVersion = capabilities.APIVersion(request.APIVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, versionRequest)
+		},
+	}
+	return service.Run(cmd.Context(), walletscmd.HoldActionInput{
+		HoldID:         request.HoldID,
+		Amount:         request.Amount,
+		Final:          request.Final,
+		IdempotencyKey: request.IdempotencyKey,
+	})
+}
+
+func newWalletsBalancesCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "balances",
+		Short: "Manage wallet balances",
+	}
+	command.AddCommand(newWalletsBalancesCreateCommand())
+	command.AddCommand(newWalletsBalancesListCommand())
+	command.AddCommand(newWalletsBalancesShowCommand())
+	return command
+}
+
+func newWalletsBalancesCreateCommand() *cobra.Command {
+	var confirm bool
+	var expiresAt string
+	var priority string
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create <wallet-id> <balance-name>",
+		Short: "Create a wallet balance",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets balances create requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			parsedPriority, err := parseOptionalBigInt(priority, "priority")
+			if err != nil {
+				return err
+			}
+			parsedExpiresAt, err := parseOptionalRFC3339(expiresAt, "expires-at")
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.CreateBalanceService{
+				Handlers: walletscmd.SDKCreateBalanceHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureCreateBalance,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.CreateBalanceInput{
+				WalletID:       args[0],
+				Name:           args[1],
+				Priority:       parsedPriority,
+				ExpiresAt:      parsedExpiresAt,
+				IdempotencyKey: idempotencyKey,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletBalanceCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm balance creation")
+	command.Flags().StringVar(&expiresAt, "expires-at", "", "Balance expiration time as RFC3339")
+	command.Flags().StringVar(&priority, "priority", "", "Balance priority")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsBalancesListCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list <wallet-id>",
+		Aliases: []string{"ls", "l"},
+		Short:   "List wallet balances",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.ListBalancesService{
+				Handlers: walletscmd.SDKListBalancesHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureListBalances,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.ListBalancesInput{WalletID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletBalances(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsBalancesShowCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "show <wallet-id> <balance-name>",
+		Aliases: []string{"get"},
+		Short:   "Show a wallet balance",
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.GetBalanceService{
+				Handlers: walletscmd.SDKGetBalanceHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureGetBalance,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.GetBalanceInput{WalletID: args[0], BalanceName: args[1]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletBalance(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsCreditCommand() *cobra.Command {
+	var confirm bool
+	var amount string
+	var asset string
+	var balance string
+	var metadata []string
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "credit <wallet-id>",
+		Aliases: []string{"cr"},
+		Short:   "Credit a wallet",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets credit requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			parsedAmount, err := parseBigAmount(amount)
+			if err != nil {
+				return err
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			output, err := runWalletMovementCommand(cmd, walletMovementCommandRequest{
+				Feature:        walletscmd.FeatureCreditWallet,
+				Handlers:       walletscmd.SDKCreditWalletHandlers,
+				WalletID:       args[0],
+				Amount:         parsedAmount,
+				Asset:          asset,
+				Balance:        balance,
+				Metadata:       parsedMetadata,
+				IdempotencyKey: idempotencyKey,
+				APIVersion:     apiVersion,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletCredited(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm wallet credit")
+	command.Flags().StringVar(&amount, "amount", "", "Amount to credit")
+	command.Flags().StringVar(&asset, "asset", "", "Asset to credit")
+	command.Flags().StringVar(&balance, "balance", "", "Balance to credit")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Metadata as key=value")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsDebitCommand() *cobra.Command {
+	var confirm bool
+	var amount string
+	var asset string
+	var balance string
+	var description string
+	var metadata []string
+	var pending bool
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "debit <wallet-id>",
+		Aliases: []string{"deb"},
+		Short:   "Debit a wallet",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets debit requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			parsedAmount, err := parseBigAmount(amount)
+			if err != nil {
+				return err
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			output, err := runWalletMovementCommand(cmd, walletMovementCommandRequest{
+				Feature:        walletscmd.FeatureDebitWallet,
+				Handlers:       walletscmd.SDKDebitWalletHandlers,
+				WalletID:       args[0],
+				Amount:         parsedAmount,
+				Asset:          asset,
+				Balance:        balance,
+				Description:    description,
+				Metadata:       parsedMetadata,
+				Pending:        pending,
+				IdempotencyKey: idempotencyKey,
+				APIVersion:     apiVersion,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletDebited(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm wallet debit")
+	command.Flags().StringVar(&amount, "amount", "", "Amount to debit")
+	command.Flags().StringVar(&asset, "asset", "", "Asset to debit")
+	command.Flags().StringVar(&balance, "balance", "", "Balance to debit")
+	command.Flags().StringVar(&description, "description", "", "Debit description")
+	command.Flags().BoolVar(&pending, "pending", false, "Create a pending hold")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Metadata as key=value")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+type walletMovementCommandRequest struct {
+	Feature        capabilities.Feature
+	Handlers       func(*formance.Formance) []walletscmd.WalletMovementHandler
+	WalletID       string
+	Amount         *big.Int
+	Asset          string
+	Balance        string
+	Description    string
+	Metadata       map[string]string
+	Pending        bool
+	IdempotencyKey string
+	APIVersion     string
+}
+
+func runWalletMovementCommand(cmd *cobra.Command, request walletMovementCommandRequest) (walletscmd.WalletMovementOutput, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return walletscmd.WalletMovementOutput{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return walletscmd.WalletMovementOutput{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	service := walletscmd.CreditWalletService{
+		Handlers: request.Handlers(sdk),
+		Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			versionRequest := capabilities.VersionResolutionRequest{
+				Product:         walletscmd.ProductWallets,
+				Feature:         request.Feature,
+				HandlerVersions: handlerVersions,
+			}
+			if request.APIVersion != "" {
+				versionRequest.Policy = capabilities.VersionPolicyPinned
+				versionRequest.PinnedVersion = capabilities.APIVersion(request.APIVersion)
+			}
+			return rt.ResolveAPIVersion(ctx, versionRequest)
+		},
+	}
+	return service.Run(cmd.Context(), walletscmd.WalletMovementInput{
+		WalletID:       request.WalletID,
+		Amount:         request.Amount,
+		Asset:          request.Asset,
+		Balance:        request.Balance,
+		Description:    request.Description,
+		Metadata:       request.Metadata,
+		Pending:        request.Pending,
+		IdempotencyKey: request.IdempotencyKey,
+	})
+}
+
+func newWalletsCreateCommand() *cobra.Command {
+	var confirm bool
+	var metadata []string
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "create <name>",
+		Aliases: []string{"cr"},
+		Short:   "Create a wallet",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets create requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.CreateWalletService{
+				Handlers: walletscmd.SDKCreateWalletHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureCreateWallet,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.CreateWalletInput{
+				Name:           args[0],
+				Metadata:       parsedMetadata,
+				IdempotencyKey: idempotencyKey,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletCreated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm wallet creation")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Metadata as key=value")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsListCommand() *cobra.Command {
+	var pageSize int64 = 15
+	var cursor string
+	var name string
+	var metadata []string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List wallets",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.ListWalletsService{
+				Handlers: walletscmd.SDKListWalletsHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureListWallets,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.ListWalletsInput{
+				PageSize: pageSize,
+				Cursor:   cursor,
+				Name:     name,
+				Metadata: parsedMetadata,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWallets(cmd, output)
+		},
+	}
+	command.Flags().Int64Var(&pageSize, "page-size", 15, "Page size")
+	command.Flags().StringVar(&cursor, "cursor", "", "Pagination cursor")
+	command.Flags().StringVar(&name, "name", "", "Filter wallets by name")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Metadata filter as key=value")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsShowCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <wallet-id>",
+		Aliases: aliases,
+		Short:   "Show a wallet",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command wallets get has been deprecated, use wallets show")
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.GetWalletService{
+				Handlers: walletscmd.SDKGetWalletHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureGetWallet,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.GetWalletInput{WalletID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWallet(cmd, output)
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use wallets show"
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func newWalletsUpdateCommand() *cobra.Command {
+	var confirm bool
+	var metadata []string
+	var idempotencyKey string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "update <wallet-id>",
+		Aliases: []string{"up"},
+		Short:   "Update a wallet",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("wallets update requires --confirm")
+			}
+			if cmd.Flags().Changed("ik") {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Flag --ik has been deprecated, use --idempotency-key")
+			}
+			parsedMetadata, err := parseMetadataFlags(metadata)
+			if err != nil {
+				return err
+			}
+			rt, err := stackRuntimeFromCommand(cmd)
+			if err != nil {
+				return err
+			}
+			httpClient, err := rt.HTTPClient(cmd.Context())
+			if err != nil {
+				return err
+			}
+			sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+			service := walletscmd.UpdateWalletService{
+				Handlers: walletscmd.SDKUpdateWalletHandlers(sdk),
+				Resolve: func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+					request := capabilities.VersionResolutionRequest{
+						Product:         walletscmd.ProductWallets,
+						Feature:         walletscmd.FeatureUpdateWallet,
+						HandlerVersions: handlerVersions,
+					}
+					if apiVersion != "" {
+						request.Policy = capabilities.VersionPolicyPinned
+						request.PinnedVersion = capabilities.APIVersion(apiVersion)
+					}
+					return rt.ResolveAPIVersion(ctx, request)
+				},
+			}
+			output, err := service.Run(cmd.Context(), walletscmd.UpdateWalletInput{
+				WalletID:       args[0],
+				Metadata:       parsedMetadata,
+				IdempotencyKey: idempotencyKey,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWalletUpdated(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm wallet update")
+	command.Flags().StringArrayVar(&metadata, "metadata", nil, "Metadata as key=value")
+	command.Flags().StringVar(&idempotencyKey, "idempotency-key", "", "Idempotency key")
+	command.Flags().StringVar(&idempotencyKey, "ik", "", "Deprecated alias for --idempotency-key")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin wallets API version")
+	return command
+}
+
+func parseBigAmount(value string) (*big.Int, error) {
+	if value == "" {
+		return nil, fmt.Errorf("amount is required")
+	}
+	amount, ok := big.NewInt(0).SetString(value, 10)
+	if !ok {
+		return nil, fmt.Errorf("amount must be an integer")
+	}
+	return amount, nil
+}
+
+func parseOptionalBigInt(value string, name string) (*big.Int, error) {
+	if value == "" {
+		return nil, nil
+	}
+	parsed, ok := big.NewInt(0).SetString(value, 10)
+	if !ok {
+		return nil, fmt.Errorf("%s must be an integer", name)
+	}
+	return parsed, nil
+}
+
+func renderWalletCreated(cmd *cobra.Command, output walletscmd.CreateWalletOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Wallet created with ID: %s", output.WalletID)))
+	return err
+}
+
+func renderWalletBalanceCreated(cmd *cobra.Command, output walletscmd.CreateBalanceOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Balance %s created on wallet %s.", output.BalanceName, output.WalletID)))
+	return err
+}
+
+func renderWalletBalances(cmd *cobra.Command, output walletscmd.ListBalancesOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Balances) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No balances found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Balances))
+	for _, balance := range output.Balances {
+		rows = append(rows, []string{balance.Name, balance.Priority})
+	}
+	if err := writeStyledRows(cmd, []string{"Name", "Priority"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderWalletBalance(cmd *cobra.Command, output walletscmd.GetBalanceOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	balance := output.Balance
+	rows := []styledKeyValue{{Label: "Name", Value: balance.Name}}
+	if balance.Priority != "" {
+		rows = append(rows, styledKeyValue{Label: "Priority", Value: balance.Priority})
+	}
+	if balance.ExpiresAt != nil {
+		rows = append(rows, styledKeyValue{Label: "Expires at", Value: balance.ExpiresAt.Format(time.RFC3339)})
+	}
+	if len(balance.Assets) > 0 {
+		assets := make([]string, 0, len(balance.Assets))
+		for asset := range balance.Assets {
+			assets = append(assets, asset)
+		}
+		sort.Strings(assets)
+		if err := writeStyledKeyValues(cmd, rows...); err != nil {
+			return err
+		}
+		assetRows := make([][]string, 0, len(assets))
+		for _, asset := range assets {
+			assetRows = append(assetRows, []string{asset, balance.Assets[asset].String()})
+		}
+		return writeStyledNamedKeyValueRows(cmd, "Asset", assetRows)
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderWalletHolds(cmd *cobra.Command, output walletscmd.ListHoldsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Holds) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No holds found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Holds))
+	for _, hold := range output.Holds {
+		rows = append(rows, []string{hold.ID, hold.WalletID, hold.Asset})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Wallet ID", "Asset"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderWalletHold(cmd *cobra.Command, output walletscmd.GetHoldOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	hold := output.Hold
+	rows := []styledKeyValue{
+		{Label: "ID", Value: hold.ID},
+		{Label: "Wallet ID", Value: hold.WalletID},
+		{Label: "Asset", Value: hold.Asset},
+	}
+	if hold.OriginalAmount != "" {
+		rows = append(rows, styledKeyValue{Label: "Original amount", Value: hold.OriginalAmount})
+	}
+	if hold.Remaining != "" {
+		rows = append(rows, styledKeyValue{Label: "Remaining", Value: hold.Remaining})
+	}
+	return writeStyledKeyValues(cmd, rows...)
+}
+
+func renderWalletHoldVoided(cmd *cobra.Command, output walletscmd.HoldActionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Hold %s voided.", output.HoldID)))
+	return err
+}
+
+func renderWalletHoldConfirmed(cmd *cobra.Command, output walletscmd.HoldActionOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Hold %s confirmed.", output.HoldID)))
+	return err
+}
+
+func renderWalletTransactions(cmd *cobra.Command, output walletscmd.ListTransactionsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Transactions) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No transactions found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Transactions))
+	for _, transaction := range output.Transactions {
+		rows = append(rows, []string{
+			fmt.Sprintf("%d", transaction.ID),
+			transaction.Timestamp.Format(time.RFC3339),
+			transaction.Ledger,
+			transaction.Reference,
+		})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Timestamp", "Ledger", "Reference"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderWalletCredited(cmd *cobra.Command, output walletscmd.WalletMovementOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Wallet %s credited.", output.WalletID)))
+	return err
+}
+
+func renderWalletDebited(cmd *cobra.Command, output walletscmd.WalletMovementOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if output.HoldID != "" {
+		if err := writeStyledColonKeyValues(cmd, styledKeyValue{Label: "Hold ID", Value: output.HoldID}); err != nil {
+			return err
+		}
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Wallet %s debited.", output.WalletID)))
+	return err
+}
+
+func renderWallets(cmd *cobra.Command, output walletscmd.ListWalletsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Wallets) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No wallets found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Wallets))
+	for _, wallet := range output.Wallets {
+		rows = append(rows, []string{wallet.ID, wallet.Name, wallet.Ledger, wallet.CreatedAt.Format(time.RFC3339)})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Name", "Ledger", "Created at"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore && output.Next != nil {
+		return writeStyledNext(cmd, *output.Next)
+	}
+	return nil
+}
+
+func renderWallet(cmd *cobra.Command, output walletscmd.GetWalletOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	wallet := output.Wallet
+	return writeStyledKeyValues(cmd,
+		styledKeyValue{Label: "ID", Value: wallet.ID},
+		styledKeyValue{Label: "Name", Value: wallet.Name},
+		styledKeyValue{Label: "Ledger", Value: wallet.Ledger},
+		styledKeyValue{Label: "Created at", Value: wallet.CreatedAt.Format(time.RFC3339)},
+	)
+}
+
+func renderWalletUpdated(cmd *cobra.Command, output walletscmd.UpdateWalletOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Wallet %s updated.", output.WalletID)))
+	return err
+}
diff --git a/v4/cmd/webhooks.go b/v4/cmd/webhooks.go
new file mode 100644
index 00000000..7f3265e4
--- /dev/null
+++ b/v4/cmd/webhooks.go
@@ -0,0 +1,451 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/spf13/cobra"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	webhookscmd "github.com/formancehq/fctl/v4/internal/commands/webhooks"
+)
+
+func newWebhooksCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "webhooks",
+		Short: "Manage webhooks",
+	}
+	command.AddCommand(newWebhooksCreateCommand())
+	command.AddCommand(newWebhooksListCommand())
+	command.AddCommand(newWebhooksActivateCommand())
+	command.AddCommand(newWebhooksDeactivateCommand())
+	command.AddCommand(newWebhooksDeleteCommand())
+	command.AddCommand(newWebhooksSecretCommand())
+	command.AddCommand(newWebhooksChangeSecretCommand())
+	return command
+}
+
+func newWebhooksSecretCommand() *cobra.Command {
+	command := &cobra.Command{
+		Use:   "secret",
+		Short: "Manage webhook secrets",
+	}
+	command.AddCommand(newWebhooksSecretRotateCommand("rotate", nil, false))
+	return command
+}
+
+func newWebhooksCreateCommand() *cobra.Command {
+	var name string
+	var secret string
+	var secretStdin bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "create <endpoint> <event-type>...",
+		Short: "Create a webhook config",
+		Args:  cobra.MinimumNArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			secretValue, err := webhookSecretValue(cmd, secret, secretStdin, false)
+			if err != nil {
+				return err
+			}
+			var namePtr *string
+			if name != "" {
+				namePtr = &name
+			}
+			var secretPtr *string
+			if secretValue != "" {
+				secretPtr = &secretValue
+			}
+			service, err := newInsertWebhookConfigService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), webhookscmd.ConfigInput{
+				Endpoint:   args[0],
+				EventTypes: args[1:],
+				Name:       namePtr,
+				Secret:     secretPtr,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWebhookConfigMutated(cmd, output, "created")
+		},
+	}
+	command.Flags().StringVar(&name, "name", "", "Webhook config name")
+	command.Flags().StringVar(&secret, "secret", "", "Webhook signing secret")
+	command.Flags().BoolVar(&secretStdin, "secret-stdin", false, "Read webhook signing secret from stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin webhooks API version")
+	return command
+}
+
+func newWebhooksListCommand() *cobra.Command {
+	var configID string
+	var endpoint string
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls", "l"},
+		Short:   "List webhook configs",
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			service, err := newListWebhookConfigsService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), webhookscmd.ListConfigsInput{
+				ConfigID: configID,
+				Endpoint: endpoint,
+			})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWebhookConfigs(cmd, output)
+		},
+	}
+	command.Flags().StringVar(&configID, "id", "", "Filter by config ID")
+	command.Flags().StringVar(&endpoint, "endpoint", "", "Filter by endpoint URL")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin webhooks API version")
+	return command
+}
+
+func newWebhooksActivateCommand() *cobra.Command {
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "activate <config-id>",
+		Short: "Activate a webhook config",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			service, err := newActivateWebhookConfigService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), webhookscmd.ConfigIDInput{ConfigID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWebhookConfigMutated(cmd, output, "activated")
+		},
+	}
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin webhooks API version")
+	return command
+}
+
+func newWebhooksDeactivateCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "deactivate <config-id>",
+		Short: "Deactivate a webhook config",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("webhooks deactivate requires --confirm")
+			}
+			service, err := newDeactivateWebhookConfigService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), webhookscmd.ConfigIDInput{ConfigID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWebhookConfigMutated(cmd, output, "deactivated")
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm webhook deactivation")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin webhooks API version")
+	return command
+}
+
+func newWebhooksDeleteCommand() *cobra.Command {
+	var confirm bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:   "delete <config-id>",
+		Short: "Delete a webhook config",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if !confirm {
+				return fmt.Errorf("webhooks delete requires --confirm")
+			}
+			service, err := newDeleteWebhookConfigService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), webhookscmd.ConfigIDInput{ConfigID: args[0]})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWebhookConfigDeleted(cmd, output)
+		},
+	}
+	command.Flags().BoolVar(&confirm, "confirm", false, "Confirm webhook deletion")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin webhooks API version")
+	return command
+}
+
+func newWebhooksSecretRotateCommand(use string, aliases []string, deprecated bool) *cobra.Command {
+	var secret string
+	var secretStdin bool
+	var apiVersion string
+
+	command := &cobra.Command{
+		Use:     use + " <config-id>",
+		Aliases: aliases,
+		Short:   "Rotate a webhook signing secret",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 1 || len(args) == 2 {
+				return nil
+			}
+			return fmt.Errorf("accepts 1 arg(s), received %d", len(args))
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if deprecated {
+				fmt.Fprintln(cmd.ErrOrStderr(), "Command webhooks change-secret has been deprecated, use webhooks secret rotate <config-id> --secret-stdin")
+			}
+			positionalSecret := ""
+			if len(args) == 2 {
+				positionalSecret = args[1]
+				fmt.Fprintln(cmd.ErrOrStderr(), "Positional secret has been deprecated, use --secret or --secret-stdin")
+			}
+			secretValue, err := webhookSecretValue(cmd, firstNonEmpty(secret, positionalSecret), secretStdin, true)
+			if err != nil {
+				return err
+			}
+			service, err := newChangeWebhookSecretService(cmd, apiVersion)
+			if err != nil {
+				return err
+			}
+			output, err := service.Run(cmd.Context(), webhookscmd.ChangeSecretInput{ConfigID: args[0], Secret: secretValue})
+			if err != nil {
+				return err
+			}
+			if handled, err := writeStructuredOutput(cmd, output); handled || err != nil {
+				return err
+			}
+			return renderWebhookConfigMutated(cmd, output, "secret rotated")
+		},
+	}
+	if deprecated {
+		command.Deprecated = "use webhooks secret rotate"
+	}
+	command.Flags().StringVar(&secret, "secret", "", "Webhook signing secret")
+	command.Flags().BoolVar(&secretStdin, "secret-stdin", false, "Read webhook signing secret from stdin")
+	command.Flags().StringVar(&apiVersion, "api-version", "", "Pin webhooks API version")
+	return command
+}
+
+func newWebhooksChangeSecretCommand() *cobra.Command {
+	command := newWebhooksSecretRotateCommand("change-secret", nil, true)
+	command.Use = "change-secret <config-id>"
+	return command
+}
+
+func newListWebhookConfigsService(cmd *cobra.Command, apiVersion string) (webhookscmd.ListConfigsService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return webhookscmd.ListConfigsService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return webhookscmd.ListConfigsService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return webhookscmd.ListConfigsService{
+		Handlers: webhookscmd.SDKListConfigsHandlers(sdk),
+		Resolve:  webhooksVersionResolver(rt, webhookscmd.FeatureGetManyConfigs, apiVersion),
+	}, nil
+}
+
+func newInsertWebhookConfigService(cmd *cobra.Command, apiVersion string) (webhookscmd.InsertConfigService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return webhookscmd.InsertConfigService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return webhookscmd.InsertConfigService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return webhookscmd.InsertConfigService{
+		Handlers: webhookscmd.SDKInsertConfigHandlers(sdk),
+		Resolve:  webhooksVersionResolver(rt, webhookscmd.FeatureInsertConfig, apiVersion),
+	}, nil
+}
+
+func newActivateWebhookConfigService(cmd *cobra.Command, apiVersion string) (webhookscmd.ActivateConfigService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return webhookscmd.ActivateConfigService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return webhookscmd.ActivateConfigService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return webhookscmd.ActivateConfigService{
+		Handlers: webhookscmd.SDKActivateConfigHandlers(sdk),
+		Resolve:  webhooksVersionResolver(rt, webhookscmd.FeatureActivateConfig, apiVersion),
+	}, nil
+}
+
+func newDeactivateWebhookConfigService(cmd *cobra.Command, apiVersion string) (webhookscmd.DeactivateConfigService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return webhookscmd.DeactivateConfigService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return webhookscmd.DeactivateConfigService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return webhookscmd.DeactivateConfigService{
+		Handlers: webhookscmd.SDKDeactivateConfigHandlers(sdk),
+		Resolve:  webhooksVersionResolver(rt, webhookscmd.FeatureDeactivateConfig, apiVersion),
+	}, nil
+}
+
+func newDeleteWebhookConfigService(cmd *cobra.Command, apiVersion string) (webhookscmd.DeleteConfigService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return webhookscmd.DeleteConfigService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return webhookscmd.DeleteConfigService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return webhookscmd.DeleteConfigService{
+		Handlers: webhookscmd.SDKDeleteConfigHandlers(sdk),
+		Resolve:  webhooksVersionResolver(rt, webhookscmd.FeatureDeleteConfig, apiVersion),
+	}, nil
+}
+
+func newChangeWebhookSecretService(cmd *cobra.Command, apiVersion string) (webhookscmd.ChangeSecretService, error) {
+	rt, err := stackRuntimeFromCommand(cmd)
+	if err != nil {
+		return webhookscmd.ChangeSecretService{}, err
+	}
+	httpClient, err := rt.HTTPClient(cmd.Context())
+	if err != nil {
+		return webhookscmd.ChangeSecretService{}, err
+	}
+	sdk := formance.New(formance.WithServerURL(rt.Target.URL), formance.WithClient(httpClient))
+	return webhookscmd.ChangeSecretService{
+		Handlers: webhookscmd.SDKChangeSecretHandlers(sdk),
+		Resolve:  webhooksVersionResolver(rt, webhookscmd.FeatureChangeConfigSecret, apiVersion),
+	}, nil
+}
+
+func webhooksVersionResolver(rt interface {
+	ResolveAPIVersion(context.Context, capabilities.VersionResolutionRequest) (capabilities.APIVersion, error)
+}, feature capabilities.Feature, apiVersion string) func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+	return func(ctx context.Context, handlerVersions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+		request := capabilities.VersionResolutionRequest{
+			Product:         webhookscmd.ProductWebhooks,
+			Feature:         feature,
+			HandlerVersions: handlerVersions,
+		}
+		if apiVersion != "" {
+			request.Policy = capabilities.VersionPolicyPinned
+			request.PinnedVersion = capabilities.APIVersion(apiVersion)
+		}
+		return rt.ResolveAPIVersion(ctx, request)
+	}
+}
+
+func webhookSecretValue(cmd *cobra.Command, secret string, secretStdin bool, required bool) (string, error) {
+	if secret != "" && secretStdin {
+		return "", fmt.Errorf("use either --secret or --secret-stdin, not both")
+	}
+	if secretStdin {
+		data, err := io.ReadAll(cmd.InOrStdin())
+		if err != nil {
+			return "", fmt.Errorf("read secret from stdin: %w", err)
+		}
+		secret = strings.TrimSpace(string(data))
+	}
+	if required && secret == "" {
+		return "", fmt.Errorf("webhook secret is required")
+	}
+	return secret, nil
+}
+
+func renderWebhookConfigs(cmd *cobra.Command, output webhookscmd.ListConfigsOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	if len(output.Configs) == 0 {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledEmptyLine(cmd, "No webhook configs found."))
+		return err
+	}
+	rows := make([][]string, 0, len(output.Configs))
+	for _, config := range output.Configs {
+		rows = append(rows, []string{config.ID, config.Endpoint, fmt.Sprintf("%t", config.Active), strings.Join(config.EventTypes, ",")})
+	}
+	if err := writeStyledRows(cmd, []string{"ID", "Endpoint", "Active", "Event types"}, rows); err != nil {
+		return err
+	}
+	if output.HasMore {
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), styledInfoLine(cmd, "More", "webhook configs are available"))
+		return err
+	}
+	return nil
+}
+
+func renderWebhookConfigMutated(cmd *cobra.Command, output webhookscmd.ConfigOutput, action string) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Webhook config %s %s.", output.Config.ID, action)))
+	return err
+}
+
+func renderWebhookConfigDeleted(cmd *cobra.Command, output webhookscmd.DeleteConfigOutput) error {
+	if err := writeStyledAPIVersion(cmd, output.APIVersion); err != nil {
+		return err
+	}
+	_, err := fmt.Fprintln(cmd.OutOrStdout(), styledSuccessLine(cmd, fmt.Sprintf("Webhook config %s deleted.", output.ConfigID)))
+	return err
+}
+
+func firstNonEmpty(values ...string) string {
+	for _, value := range values {
+		if value != "" {
+			return value
+		}
+	}
+	return ""
+}
+
+func formatWebhookTime(value time.Time) string {
+	if value.IsZero() {
+		return ""
+	}
+	return value.Format(time.RFC3339)
+}
diff --git a/v4/go.mod b/v4/go.mod
new file mode 100644
index 00000000..75fa0802
--- /dev/null
+++ b/v4/go.mod
@@ -0,0 +1,56 @@
+module github.com/formancehq/fctl/v4
+
+go 1.25.0
+
+toolchain go1.25.7
+
+require (
+	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7
+	github.com/charmbracelet/huh v1.0.0
+	github.com/charmbracelet/lipgloss v1.1.0
+	github.com/formancehq/formance-sdk-go/v3 v3.8.1
+	github.com/mattn/go-isatty v0.0.20
+	github.com/spf13/cobra v1.10.2
+	golang.org/x/mod v0.36.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/catppuccin/go v0.3.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.6 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/charmbracelet/x/ansi v0.9.3 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/kr/pretty v0.1.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.20 // indirect
+	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+)
+
+require (
+	github.com/formancehq/fctl/internal/deployserverclient/v3 v3.1.1
+	github.com/formancehq/fctl/internal/membershipclient/v3 v3.1.1
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+)
+
+replace github.com/formancehq/fctl/internal/membershipclient/v3 => ../internal/membershipclient
+
+replace github.com/formancehq/fctl/internal/deployserverclient/v3 => ../internal/deployserverclient
diff --git a/v4/go.sum b/v4/go.sum
new file mode 100644
index 00000000..b13a86a9
--- /dev/null
+++ b/v4/go.sum
@@ -0,0 +1,105 @@
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
+github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
+github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
+github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
+github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 h1:JFgG/xnwFfbezlUnFMJy0nusZvytYysV4SCS2cYbvws=
+github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7/go.mod h1:ISC1gtLcVilLOf23wvTfoQuYbW2q0JevFxPfUzZ9Ybw=
+github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
+github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
+github.com/charmbracelet/huh v1.0.0 h1:wOnedH8G4qzJbmhftTqrpppyqHakl/zbbNdXIWJyIxw=
+github.com/charmbracelet/huh v1.0.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
+github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
+github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
+github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
+github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
+github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
+github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
+github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U=
+github.com/charmbracelet/x/conpty v0.1.0/go.mod h1:rMFsDJoDwVmiYM10aD4bH2XiRgwI7NYJtQgl5yskjEQ=
+github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA=
+github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86/go.mod h1:2P0UgXMEa6TsToMSuFqKFQR+fZTO9CNGUNokkPatT/0=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
+github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 h1:qko3AQ4gK1MTS/de7F5hPGx6/k1u0w4TeYmBFwzYVP4=
+github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0/go.mod h1:pBhA0ybfXv6hDjQUZ7hk1lVxBiUbupdw5R31yPUViVQ=
+github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
+github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY=
+github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=
+github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI=
+github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/formancehq/formance-sdk-go/v3 v3.8.1 h1:nKWcpZT70vegEUV+/Xl/wekiI1PsCFVe7mvGgwaA9fk=
+github.com/formancehq/formance-sdk-go/v3 v3.8.1/go.mod h1:2Kb2Z4bN8/I4MQQnuSilvThqeaUtuLaTdmMGIb3nMJY=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
+github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
+github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=
+github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
+github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
+github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
+github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
+github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/v4/internal/auth/auth.go b/v4/internal/auth/auth.go
new file mode 100644
index 00000000..9a2a5b0b
--- /dev/null
+++ b/v4/internal/auth/auth.go
@@ -0,0 +1,373 @@
+// Package auth resolves v4 target-local authentication into HTTP clients.
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"sync"
+
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+type Options struct {
+	HTTPClient *http.Client
+	Env        func(string) string
+	Stdin      io.Reader
+}
+
+type Token struct {
+	AccessToken string
+	TokenType   string
+}
+
+type TokenSource interface {
+	Token(ctx context.Context) (Token, error)
+}
+
+func NewHTTPClient(ctx context.Context, authConfig v4config.Auth, store credentials.Store, options Options) (*http.Client, error) {
+	base := options.HTTPClient
+	if base == nil {
+		base = http.DefaultClient
+	}
+
+	source, err := NewTokenSource(authConfig, store, options)
+	if err != nil {
+		return nil, err
+	}
+	if source == nil {
+		return base, nil
+	}
+
+	transport := base.Transport
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+	return &http.Client{
+		Transport:     &bearerTransport{source: source, base: transport},
+		CheckRedirect: base.CheckRedirect,
+		Jar:           base.Jar,
+		Timeout:       base.Timeout,
+	}, nil
+}
+
+func NewTokenSource(authConfig v4config.Auth, store credentials.Store, options Options) (TokenSource, error) {
+	switch authConfig.Method {
+	case v4config.AuthMethodNone:
+		return nil, nil
+	case v4config.AuthMethodToken:
+		return tokenSourceForRef(authConfig.TokenRef, store, options)
+	case v4config.AuthMethodClientCredentials:
+		if store == nil {
+			return nil, errors.New("credential store is required for client_credentials auth")
+		}
+		httpClient := options.HTTPClient
+		if httpClient == nil {
+			httpClient = http.DefaultClient
+		}
+		return &ClientCredentialsSource{
+			IssuerURL:  authConfig.IssuerURL,
+			ClientID:   authConfig.ClientID,
+			SecretRef:  authConfig.SecretRef,
+			Scopes:     authConfig.Scopes,
+			Resources:  authConfig.Resources,
+			Store:      store,
+			HTTPClient: httpClient,
+		}, nil
+	case v4config.AuthMethodCloudDevice, v4config.AuthMethodOIDCDevice:
+		if store == nil {
+			return nil, errors.New("credential store is required for device auth")
+		}
+		httpClient := options.HTTPClient
+		if httpClient == nil {
+			httpClient = http.DefaultClient
+		}
+		return &DeviceTokenSource{
+			IssuerURL:  authConfig.IssuerURL,
+			TokenRef:   authConfig.TokenRef,
+			Scopes:     authConfig.Scopes,
+			Store:      store,
+			HTTPClient: httpClient,
+			ClientID:   DeviceClientID,
+		}, nil
+	default:
+		return nil, fmt.Errorf("unsupported auth method %q", authConfig.Method)
+	}
+}
+
+type StaticTokenSource struct {
+	TokenValue Token
+}
+
+func (s StaticTokenSource) Token(context.Context) (Token, error) {
+	return normalizeToken(s.TokenValue), nil
+}
+
+type CredentialTokenSource struct {
+	Ref   string
+	Store credentials.Store
+}
+
+func (s CredentialTokenSource) Token(ctx context.Context) (Token, error) {
+	if s.Store == nil {
+		return Token{}, errors.New("credential store is required")
+	}
+	value, err := s.Store.Get(ctx, s.Ref)
+	if err != nil {
+		return Token{}, err
+	}
+	return normalizeToken(Token{AccessToken: value, TokenType: "Bearer"}), nil
+}
+
+type ClientCredentialsSource struct {
+	IssuerURL  string
+	ClientID   string
+	SecretRef  string
+	Scopes     []string
+	Resources  []string
+	Store      credentials.Store
+	HTTPClient *http.Client
+
+	mu          sync.Mutex
+	cachedToken *Token
+	tokenURL    string
+}
+
+func (s *ClientCredentialsSource) Token(ctx context.Context) (Token, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.cachedToken != nil {
+		return *s.cachedToken, nil
+	}
+	if s.HTTPClient == nil {
+		s.HTTPClient = http.DefaultClient
+	}
+	if s.Store == nil {
+		return Token{}, errors.New("credential store is required")
+	}
+	if s.IssuerURL == "" {
+		return Token{}, errors.New("issuer URL is required")
+	}
+	if s.ClientID == "" {
+		return Token{}, errors.New("client ID is required")
+	}
+
+	secret, err := s.Store.Get(ctx, s.SecretRef)
+	if err != nil {
+		return Token{}, err
+	}
+	tokenURL, err := s.resolveTokenURL(ctx)
+	if err != nil {
+		return Token{}, err
+	}
+
+	form := url.Values{}
+	form.Set("grant_type", "client_credentials")
+	if len(s.Scopes) > 0 {
+		form.Set("scope", strings.Join(s.Scopes, " "))
+	}
+	for _, resource := range s.Resources {
+		form.Add("resource", resource)
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
+	if err != nil {
+		return Token{}, err
+	}
+	req.SetBasicAuth(s.ClientID, secret)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	rsp, err := s.HTTPClient.Do(req)
+	if err != nil {
+		return Token{}, err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+		return Token{}, fmt.Errorf("client credentials token request failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+
+	var tokenResponse struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+	}
+	if err := json.NewDecoder(rsp.Body).Decode(&tokenResponse); err != nil {
+		return Token{}, fmt.Errorf("decode token response: %w", err)
+	}
+	token := normalizeToken(Token{
+		AccessToken: tokenResponse.AccessToken,
+		TokenType:   tokenResponse.TokenType,
+	})
+	if token.AccessToken == "" {
+		return Token{}, errors.New("token response did not include access_token")
+	}
+	s.cachedToken = &token
+	return token, nil
+}
+
+func StackResource(organizationID string, stackID string) string {
+	return "stack://" + organizationID + "/" + stackID + "|" + strings.Join(StackScopes, " ")
+}
+
+func ExchangeStackToken(ctx context.Context, httpClient *http.Client, stackURL string, assertion string) (Token, error) {
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+	if stackURL == "" {
+		return Token{}, errors.New("stack URL is required")
+	}
+	if assertion == "" {
+		return Token{}, errors.New("assertion token is required")
+	}
+
+	discoveryURL := strings.TrimRight(stackURL, "/") + "/api/auth/.well-known/openid-configuration"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, discoveryURL, nil)
+	if err != nil {
+		return Token{}, err
+	}
+	rsp, err := httpClient.Do(req)
+	if err != nil {
+		return Token{}, err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+		return Token{}, fmt.Errorf("stack oidc discovery failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+
+	var discovery struct {
+		TokenEndpoint string `json:"token_endpoint"`
+	}
+	if err := json.NewDecoder(rsp.Body).Decode(&discovery); err != nil {
+		return Token{}, fmt.Errorf("decode stack oidc discovery: %w", err)
+	}
+	if discovery.TokenEndpoint == "" {
+		return Token{}, errors.New("stack oidc discovery did not include token_endpoint")
+	}
+
+	form := url.Values{}
+	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
+	form.Set("assertion", assertion)
+	form.Set("scope", "openid email")
+	req, err = http.NewRequestWithContext(ctx, http.MethodPost, discovery.TokenEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return Token{}, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	rsp, err = httpClient.Do(req)
+	if err != nil {
+		return Token{}, err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+		return Token{}, fmt.Errorf("stack token exchange failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+
+	var tokenResponse struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+	}
+	if err := json.NewDecoder(rsp.Body).Decode(&tokenResponse); err != nil {
+		return Token{}, fmt.Errorf("decode stack token response: %w", err)
+	}
+	token := normalizeToken(Token{AccessToken: tokenResponse.AccessToken, TokenType: tokenResponse.TokenType})
+	if token.AccessToken == "" {
+		return Token{}, errors.New("stack token response did not include access_token")
+	}
+	return token, nil
+}
+
+func (s *ClientCredentialsSource) resolveTokenURL(ctx context.Context) (string, error) {
+	if s.tokenURL != "" {
+		return s.tokenURL, nil
+	}
+
+	discoveryURL := strings.TrimRight(s.IssuerURL, "/") + "/.well-known/openid-configuration"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, discoveryURL, nil)
+	if err != nil {
+		return "", err
+	}
+	rsp, err := s.HTTPClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+		return "", fmt.Errorf("oidc discovery failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+
+	var discovery struct {
+		TokenEndpoint string `json:"token_endpoint"`
+	}
+	if err := json.NewDecoder(rsp.Body).Decode(&discovery); err != nil {
+		return "", fmt.Errorf("decode oidc discovery: %w", err)
+	}
+	if discovery.TokenEndpoint == "" {
+		return "", errors.New("oidc discovery did not include token_endpoint")
+	}
+	s.tokenURL = discovery.TokenEndpoint
+	return s.tokenURL, nil
+}
+
+type bearerTransport struct {
+	source TokenSource
+	base   http.RoundTripper
+}
+
+func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	token, err := t.source.Token(req.Context())
+	if err != nil {
+		return nil, err
+	}
+
+	cloned := req.Clone(req.Context())
+	cloned.Header = req.Header.Clone()
+	cloned.Header.Set("Authorization", token.TokenType+" "+token.AccessToken)
+	return t.base.RoundTrip(cloned)
+}
+
+func tokenSourceForRef(ref string, store credentials.Store, options Options) (TokenSource, error) {
+	switch {
+	case ref == "stdin://":
+		if options.Stdin == nil {
+			return nil, errors.New("stdin token source requires stdin")
+		}
+		data, err := io.ReadAll(options.Stdin)
+		if err != nil {
+			return nil, fmt.Errorf("read token from stdin: %w", err)
+		}
+		return StaticTokenSource{TokenValue: Token{AccessToken: strings.TrimSpace(string(data)), TokenType: "Bearer"}}, nil
+	case strings.HasPrefix(ref, "env://"):
+		getenv := options.Env
+		if getenv == nil {
+			getenv = os.Getenv
+		}
+		name := strings.TrimPrefix(ref, "env://")
+		value := strings.TrimSpace(getenv(name))
+		if value == "" {
+			return nil, fmt.Errorf("environment variable %s is empty", name)
+		}
+		return StaticTokenSource{TokenValue: Token{AccessToken: value, TokenType: "Bearer"}}, nil
+	default:
+		return CredentialTokenSource{Ref: ref, Store: store}, nil
+	}
+}
+
+func normalizeToken(token Token) Token {
+	token.AccessToken = strings.TrimSpace(token.AccessToken)
+	token.TokenType = strings.TrimSpace(token.TokenType)
+	if token.TokenType == "" {
+		token.TokenType = "Bearer"
+	}
+	return token
+}
diff --git a/v4/internal/auth/auth_test.go b/v4/internal/auth/auth_test.go
new file mode 100644
index 00000000..bb9fba95
--- /dev/null
+++ b/v4/internal/auth/auth_test.go
@@ -0,0 +1,356 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	v4config "github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+func TestNoneAuthDoesNotSetAuthorization(t *testing.T) {
+	server := authHeaderServer(t, "")
+	defer server.Close()
+
+	client, err := NewHTTPClient(context.Background(), v4config.Auth{Method: v4config.AuthMethodNone}, nil, Options{})
+	if err != nil {
+		t.Fatalf("new http client: %v", err)
+	}
+	if _, err := client.Get(server.URL); err != nil {
+		t.Fatalf("request: %v", err)
+	}
+}
+
+func TestTokenAuthFromCredentialRef(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	if err := store.Set(ctx, "token-ref", "abc123"); err != nil {
+		t.Fatalf("set token: %v", err)
+	}
+	server := authHeaderServer(t, "Bearer abc123")
+	defer server.Close()
+
+	client, err := NewHTTPClient(ctx, v4config.Auth{
+		Method:   v4config.AuthMethodToken,
+		TokenRef: "token-ref",
+	}, store, Options{})
+	if err != nil {
+		t.Fatalf("new http client: %v", err)
+	}
+	if _, err := client.Get(server.URL); err != nil {
+		t.Fatalf("request: %v", err)
+	}
+}
+
+func TestTokenAuthFromEnvRef(t *testing.T) {
+	source, err := NewTokenSource(v4config.Auth{
+		Method:   v4config.AuthMethodToken,
+		TokenRef: "env://FCTL_TOKEN",
+	}, nil, Options{Env: func(key string) string {
+		if key != "FCTL_TOKEN" {
+			t.Fatalf("unexpected env key %q", key)
+		}
+		return "from-env"
+	}})
+	if err != nil {
+		t.Fatalf("new token source: %v", err)
+	}
+	token, err := source.Token(context.Background())
+	if err != nil {
+		t.Fatalf("get token: %v", err)
+	}
+	if token.AccessToken != "from-env" || token.TokenType != "Bearer" {
+		t.Fatalf("unexpected token: %#v", token)
+	}
+}
+
+func TestCloudDeviceAuthFromCredentialRef(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	encoded, err := MarshalDeviceTokens(DeviceTokens{
+		AccessToken: StoredAccessToken{
+			Token:     "device-token",
+			TokenType: "Bearer",
+		},
+	})
+	if err != nil {
+		t.Fatalf("marshal device tokens: %v", err)
+	}
+	if err := store.Set(ctx, "root-token-ref", encoded); err != nil {
+		t.Fatalf("set device tokens: %v", err)
+	}
+	server := authHeaderServer(t, "Bearer device-token")
+	defer server.Close()
+
+	client, err := NewHTTPClient(ctx, v4config.Auth{
+		Method:   v4config.AuthMethodCloudDevice,
+		TokenRef: "root-token-ref",
+	}, store, Options{})
+	if err != nil {
+		t.Fatalf("new http client: %v", err)
+	}
+	if _, err := client.Get(server.URL); err != nil {
+		t.Fatalf("request: %v", err)
+	}
+}
+
+func TestCloudDeviceAuthReadsMigratedV3RootTokens(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	if err := store.Set(ctx, "root-token-ref", `{"access":{"token":"migrated-token"},"id":{"token":"id-token"}}`); err != nil {
+		t.Fatalf("set migrated tokens: %v", err)
+	}
+
+	source, err := NewTokenSource(v4config.Auth{
+		Method:   v4config.AuthMethodCloudDevice,
+		TokenRef: "root-token-ref",
+	}, store, Options{})
+	if err != nil {
+		t.Fatalf("new token source: %v", err)
+	}
+	token, err := source.Token(ctx)
+	if err != nil {
+		t.Fatalf("get token: %v", err)
+	}
+	if token.AccessToken != "migrated-token" || token.TokenType != "Bearer" {
+		t.Fatalf("unexpected token: %#v", token)
+	}
+}
+
+func TestCloudDeviceAuthRefreshesWhenScopesAreMissing(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	encoded, err := MarshalDeviceTokens(DeviceTokens{
+		AccessToken: StoredAccessToken{
+			Token:        authTestJWT(t, map[string]any{"scope": "openid", "exp": time.Now().Add(time.Hour).Unix()}),
+			TokenType:    "Bearer",
+			RefreshToken: "refresh-token",
+		},
+		RefreshToken: "refresh-token",
+	})
+	if err != nil {
+		t.Fatalf("marshal device tokens: %v", err)
+	}
+	if err := store.Set(ctx, "root-token-ref", encoded); err != nil {
+		t.Fatalf("set device tokens: %v", err)
+	}
+
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, server.URL+"/token")
+		case "/token":
+			clientID, clientSecret, ok := r.BasicAuth()
+			if !ok || clientID != DeviceClientID || clientSecret != "" {
+				t.Fatalf("unexpected basic auth: %q %q %v", clientID, clientSecret, ok)
+			}
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse form: %v", err)
+			}
+			if r.Form.Get("grant_type") != "refresh_token" {
+				t.Fatalf("unexpected grant_type %q", r.Form.Get("grant_type"))
+			}
+			if r.Form.Get("refresh_token") != "refresh-token" {
+				t.Fatalf("unexpected refresh_token %q", r.Form.Get("refresh_token"))
+			}
+			if r.Form.Get("scope") != "organization:ListStacks" {
+				t.Fatalf("unexpected scope %q", r.Form.Get("scope"))
+			}
+			fmt.Fprint(w, `{"access_token":"scoped-token","token_type":"Bearer","refresh_token":"next-refresh-token","expires_in":3600}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	source, err := NewTokenSource(v4config.Auth{
+		Method:    v4config.AuthMethodCloudDevice,
+		IssuerURL: server.URL,
+		TokenRef:  "root-token-ref",
+		Scopes:    []string{"organization:ListStacks"},
+	}, store, Options{})
+	if err != nil {
+		t.Fatalf("new token source: %v", err)
+	}
+	token, err := source.Token(ctx)
+	if err != nil {
+		t.Fatalf("get token: %v", err)
+	}
+	if token.AccessToken != "scoped-token" {
+		t.Fatalf("unexpected token: %#v", token)
+	}
+	stored, err := store.Get(ctx, "root-token-ref")
+	if err != nil {
+		t.Fatalf("get stored refreshed token: %v", err)
+	}
+	if !strings.Contains(stored, "next-refresh-token") {
+		t.Fatalf("expected refreshed token to be stored, got %s", stored)
+	}
+	if !strings.Contains(stored, "organization:ListStacks") {
+		t.Fatalf("expected refreshed token scopes to be stored, got %s", stored)
+	}
+}
+
+func TestCloudDeviceAuthRefreshesOpaqueTokenWithoutStoredScopes(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	encoded, err := MarshalDeviceTokens(DeviceTokens{
+		AccessToken: StoredAccessToken{
+			Token:        "opaque-token",
+			TokenType:    "Bearer",
+			RefreshToken: "refresh-token",
+			Expiry:       time.Now().Add(time.Hour),
+		},
+		RefreshToken: "refresh-token",
+	})
+	if err != nil {
+		t.Fatalf("marshal device tokens: %v", err)
+	}
+	if err := store.Set(ctx, "root-token-ref", encoded); err != nil {
+		t.Fatalf("set device tokens: %v", err)
+	}
+
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, server.URL+"/token")
+		case "/token":
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse form: %v", err)
+			}
+			if r.Form.Get("scope") != "organization:ListRegions organization:ListStacks" {
+				t.Fatalf("unexpected scope %q", r.Form.Get("scope"))
+			}
+			fmt.Fprint(w, `{"access_token":"refreshed-token","token_type":"Bearer","refresh_token":"next-refresh-token","expires_in":3600}`)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	source, err := NewTokenSource(v4config.Auth{
+		Method:    v4config.AuthMethodCloudDevice,
+		IssuerURL: server.URL,
+		TokenRef:  "root-token-ref",
+		Scopes:    []string{"organization:ListRegions", "organization:ListStacks"},
+	}, store, Options{})
+	if err != nil {
+		t.Fatalf("new token source: %v", err)
+	}
+	token, err := source.Token(ctx)
+	if err != nil {
+		t.Fatalf("get token: %v", err)
+	}
+	if token.AccessToken != "refreshed-token" {
+		t.Fatalf("unexpected token: %#v", token)
+	}
+}
+
+func TestClientCredentialsAuth(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	if err := store.Set(ctx, "secret-ref", "secret"); err != nil {
+		t.Fatalf("set secret: %v", err)
+	}
+
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			fmt.Fprintf(w, `{"token_endpoint":%q}`, server.URL+"/token")
+		case "/token":
+			clientID, clientSecret, ok := r.BasicAuth()
+			if !ok || clientID != "client" || clientSecret != "secret" {
+				t.Fatalf("unexpected basic auth: %q %q %v", clientID, clientSecret, ok)
+			}
+			if err := r.ParseForm(); err != nil {
+				t.Fatalf("parse form: %v", err)
+			}
+			if r.Form.Get("grant_type") != "client_credentials" {
+				t.Fatalf("unexpected grant_type %q", r.Form.Get("grant_type"))
+			}
+			if r.Form.Get("scope") != "organization:Read organization:ListStacks" {
+				t.Fatalf("unexpected scope %q", r.Form.Get("scope"))
+			}
+			fmt.Fprint(w, `{"access_token":"cc-token","token_type":"Bearer"}`)
+		case "/resource":
+			if got := r.Header.Get("Authorization"); got != "Bearer cc-token" {
+				t.Fatalf("unexpected authorization header %q", got)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		default:
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+	}))
+	defer server.Close()
+
+	client, err := NewHTTPClient(ctx, v4config.Auth{
+		Method:    v4config.AuthMethodClientCredentials,
+		IssuerURL: server.URL,
+		ClientID:  "client",
+		SecretRef: "secret-ref",
+		Scopes:    []string{"organization:Read", "organization:ListStacks"},
+	}, store, Options{})
+	if err != nil {
+		t.Fatalf("new http client: %v", err)
+	}
+	rsp, err := client.Get(server.URL + "/resource")
+	if err != nil {
+		t.Fatalf("request: %v", err)
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode != http.StatusNoContent {
+		t.Fatalf("expected status 204, got %d", rsp.StatusCode)
+	}
+}
+
+func authHeaderServer(t *testing.T, expected string) *httptest.Server {
+	t.Helper()
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		got := r.Header.Get("Authorization")
+		if got != expected {
+			t.Fatalf("expected authorization header %q, got %q", expected, got)
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}))
+}
+
+func TestTokenAuthFromStdinRef(t *testing.T) {
+	source, err := NewTokenSource(v4config.Auth{
+		Method:   v4config.AuthMethodToken,
+		TokenRef: "stdin://",
+	}, nil, Options{Stdin: strings.NewReader("from-stdin\n")})
+	if err != nil {
+		t.Fatalf("new token source: %v", err)
+	}
+	token, err := source.Token(context.Background())
+	if err != nil {
+		t.Fatalf("get token: %v", err)
+	}
+	if token.AccessToken != "from-stdin" {
+		t.Fatalf("unexpected token: %#v", token)
+	}
+}
+
+func authTestJWT(t *testing.T, claims map[string]any) string {
+	t.Helper()
+
+	header, err := json.Marshal(map[string]string{"alg": "none"})
+	if err != nil {
+		t.Fatalf("marshal jwt header: %v", err)
+	}
+	payload, err := json.Marshal(claims)
+	if err != nil {
+		t.Fatalf("marshal jwt payload: %v", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
+}
diff --git a/v4/internal/auth/device.go b/v4/internal/auth/device.go
new file mode 100644
index 00000000..751909f6
--- /dev/null
+++ b/v4/internal/auth/device.go
@@ -0,0 +1,599 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+const DeviceClientID = "fctl"
+
+var ErrOpeningBrowser = errors.New("opening browser")
+
+type DeviceLoginOptions struct {
+	IssuerURL      string
+	ClientID       string
+	Scopes         []string
+	Resources      []string
+	Prompt         []string
+	OrganizationID string
+	IDTokenHint    string
+	HTTPClient     *http.Client
+	OpenURL        func(string) error
+	Out            io.Writer
+}
+
+type DeviceTokens struct {
+	AccessToken  StoredAccessToken `json:"accessToken"`
+	IDToken      string            `json:"idToken,omitempty"`
+	RefreshToken string            `json:"refreshToken,omitempty"`
+	Scopes       []string          `json:"scopes,omitempty"`
+}
+
+type StoredAccessToken struct {
+	Token        string    `json:"token"`
+	TokenType    string    `json:"tokenType,omitempty"`
+	RefreshToken string    `json:"refreshToken,omitempty"`
+	Expiry       time.Time `json:"expiry,omitempty"`
+}
+
+func MarshalDeviceTokens(tokens DeviceTokens) (string, error) {
+	encoded, err := json.Marshal(tokens)
+	if err != nil {
+		return "", err
+	}
+	return string(encoded), nil
+}
+
+func ParseDeviceTokens(value string) (DeviceTokens, error) {
+	return parseStoredDeviceTokens(value)
+}
+
+func DeviceLogin(ctx context.Context, options DeviceLoginOptions) (DeviceTokens, error) {
+	if options.IssuerURL == "" {
+		return DeviceTokens{}, errors.New("issuer URL is required")
+	}
+	clientID := options.ClientID
+	if clientID == "" {
+		clientID = DeviceClientID
+	}
+	httpClient := options.HTTPClient
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+
+	discovery, err := discoverOIDC(ctx, httpClient, options.IssuerURL)
+	if err != nil {
+		return DeviceTokens{}, err
+	}
+	if discovery.DeviceAuthorizationEndpoint == "" {
+		return DeviceTokens{}, errors.New("oidc discovery did not include device_authorization_endpoint")
+	}
+
+	deviceCode, err := initiateDeviceAuthorization(ctx, httpClient, discovery.DeviceAuthorizationEndpoint, clientID, options)
+	if err != nil {
+		return DeviceTokens{}, fmt.Errorf("failed to initiate device authorization flow: %w", err)
+	}
+
+	verificationURL := deviceVerificationURL(deviceCode)
+	openURL := options.OpenURL
+	if openURL == nil {
+		openURL = OpenURL
+	}
+	if err := openURL(verificationURL); err != nil {
+		if !errors.Is(err, ErrOpeningBrowser) {
+			return DeviceTokens{}, err
+		}
+		writeDeviceMessage(options.Out, "No browser detected")
+		writeDeviceMessage(options.Out, "Please open the following URL in your browser: "+verificationURL)
+	} else {
+		writeDeviceMessage(options.Out, "A browser window has been opened on "+verificationURL)
+	}
+	writeDeviceMessage(options.Out, "Waiting for authentication...")
+
+	token, err := pollDeviceToken(ctx, httpClient, discovery.TokenEndpoint, clientID, deviceCode)
+	if err != nil {
+		return DeviceTokens{}, fmt.Errorf("failed to get access token: %w", err)
+	}
+	token.Scopes = append([]string(nil), options.Scopes...)
+	return token, nil
+}
+
+func OpenURL(urlString string) error {
+	var cmd string
+	var args []string
+
+	if _, err := url.Parse(urlString); err != nil {
+		return fmt.Errorf("invalid URL: %s", urlString)
+	}
+
+	switch runtime.GOOS {
+	case "windows":
+		cmd = "cmd"
+		args = []string{"/c", "start"}
+	case "darwin":
+		cmd = "open"
+	default:
+		cmd = "xdg-open"
+	}
+
+	if _, err := exec.LookPath(cmd); err == nil {
+		args = append(args, urlString)
+		return exec.Command(cmd, args...).Start() //nolint:gosec
+	}
+	return ErrOpeningBrowser
+}
+
+type DeviceTokenSource struct {
+	IssuerURL  string
+	TokenRef   string
+	Scopes     []string
+	Store      credentials.Store
+	HTTPClient *http.Client
+	ClientID   string
+	now        func() time.Time
+}
+
+func (s *DeviceTokenSource) Token(ctx context.Context) (Token, error) {
+	if s.Store == nil {
+		return Token{}, errors.New("credential store is required")
+	}
+	if s.TokenRef == "" {
+		return Token{}, errors.New("tokenRef is required for device auth")
+	}
+	value, err := s.Store.Get(ctx, s.TokenRef)
+	if err != nil {
+		return Token{}, err
+	}
+	tokens, err := parseStoredDeviceTokens(value)
+	if err != nil {
+		return Token{}, err
+	}
+	if tokens.AccessToken.Token == "" {
+		return Token{}, errors.New("stored device credentials do not include an access token")
+	}
+	if !s.tokenExpired(tokens.AccessToken) && s.tokensHaveScopes(tokens) {
+		return normalizeToken(Token{AccessToken: tokens.AccessToken.Token, TokenType: tokens.AccessToken.TokenType}), nil
+	}
+	if tokens.AccessToken.RefreshToken == "" && tokens.RefreshToken == "" {
+		return Token{}, errors.New("device access token is expired or missing required scopes; run `fctl login` again")
+	}
+	refreshed, err := s.refresh(ctx, tokens)
+	if err != nil {
+		return Token{}, err
+	}
+	encoded, err := json.Marshal(refreshed)
+	if err != nil {
+		return Token{}, err
+	}
+	if err := s.Store.Set(ctx, s.TokenRef, string(encoded)); err != nil {
+		return Token{}, err
+	}
+	return normalizeToken(Token{AccessToken: refreshed.AccessToken.Token, TokenType: refreshed.AccessToken.TokenType}), nil
+}
+
+func (s *DeviceTokenSource) tokenExpired(token StoredAccessToken) bool {
+	if token.Expiry.IsZero() {
+		if expiry, ok := tokenExpiry(token.Token); ok {
+			return !expiry.After(s.currentTime().Add(30 * time.Second))
+		}
+		return false
+	}
+	return !token.Expiry.After(s.currentTime().Add(30 * time.Second))
+}
+
+func (s *DeviceTokenSource) tokensHaveScopes(tokens DeviceTokens) bool {
+	if len(s.Scopes) == 0 {
+		return true
+	}
+	token := tokens.AccessToken
+	claims, ok := jwtClaims(token.Token)
+	if ok {
+		available := map[string]struct{}{}
+		switch value := claims["scope"].(type) {
+		case string:
+			for _, scope := range strings.Fields(value) {
+				available[scope] = struct{}{}
+			}
+		case []any:
+			for _, scope := range value {
+				if text, ok := scope.(string); ok {
+					available[text] = struct{}{}
+				}
+			}
+		}
+		return containsAllScopes(available, s.Scopes)
+	}
+
+	available := map[string]struct{}{}
+	for _, scope := range tokens.Scopes {
+		available[scope] = struct{}{}
+	}
+	return containsAllScopes(available, s.Scopes)
+}
+
+func containsAllScopes(available map[string]struct{}, required []string) bool {
+	for _, scope := range required {
+		if _, ok := available[scope]; !ok {
+			return false
+		}
+	}
+	return true
+}
+
+func (s *DeviceTokenSource) currentTime() time.Time {
+	if s.now != nil {
+		return s.now()
+	}
+	return time.Now()
+}
+
+func (s *DeviceTokenSource) refresh(ctx context.Context, tokens DeviceTokens) (DeviceTokens, error) {
+	if s.IssuerURL == "" {
+		return DeviceTokens{}, errors.New("issuer URL is required to refresh device auth")
+	}
+	httpClient := s.HTTPClient
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+	clientID := s.ClientID
+	if clientID == "" {
+		clientID = DeviceClientID
+	}
+	discovery, err := discoverOIDC(ctx, httpClient, s.IssuerURL)
+	if err != nil {
+		return DeviceTokens{}, err
+	}
+	refreshToken := tokens.AccessToken.RefreshToken
+	if refreshToken == "" {
+		refreshToken = tokens.RefreshToken
+	}
+	next, err := refreshDeviceToken(ctx, httpClient, discovery.TokenEndpoint, clientID, refreshToken, s.Scopes)
+	if err != nil {
+		return DeviceTokens{}, err
+	}
+	if next.AccessToken.RefreshToken == "" {
+		next.AccessToken.RefreshToken = refreshToken
+	}
+	if next.RefreshToken == "" {
+		next.RefreshToken = next.AccessToken.RefreshToken
+	}
+	if next.IDToken == "" {
+		next.IDToken = tokens.IDToken
+	}
+	next.Scopes = append([]string(nil), s.Scopes...)
+	return next, nil
+}
+
+type oidcDiscovery struct {
+	TokenEndpoint               string `json:"token_endpoint"`
+	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
+}
+
+func discoverOIDC(ctx context.Context, httpClient *http.Client, issuerURL string) (oidcDiscovery, error) {
+	discoveryURL := strings.TrimRight(issuerURL, "/") + "/.well-known/openid-configuration"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, discoveryURL, nil)
+	if err != nil {
+		return oidcDiscovery{}, err
+	}
+	rsp, err := httpClient.Do(req)
+	if err != nil {
+		return oidcDiscovery{}, err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+		return oidcDiscovery{}, fmt.Errorf("oidc discovery failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+	var discovery oidcDiscovery
+	if err := json.NewDecoder(rsp.Body).Decode(&discovery); err != nil {
+		return oidcDiscovery{}, fmt.Errorf("decode oidc discovery: %w", err)
+	}
+	if discovery.TokenEndpoint == "" {
+		return oidcDiscovery{}, errors.New("oidc discovery did not include token_endpoint")
+	}
+	return discovery, nil
+}
+
+type deviceAuthorizationResponse struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	Interval                int    `json:"interval"`
+	ExpiresIn               int    `json:"expires_in"`
+	Resources               []string
+}
+
+func initiateDeviceAuthorization(ctx context.Context, httpClient *http.Client, endpoint string, clientID string, options DeviceLoginOptions) (deviceAuthorizationResponse, error) {
+	form := url.Values{}
+	if len(options.Scopes) > 0 {
+		form.Set("scope", strings.Join(options.Scopes, " "))
+	}
+	if len(options.Prompt) > 0 {
+		form.Set("prompt", strings.Join(options.Prompt, " "))
+	}
+	if options.OrganizationID != "" {
+		form.Set("organization_id", options.OrganizationID)
+	}
+	if options.IDTokenHint != "" {
+		form.Set("id_token_hint", options.IDTokenHint)
+	}
+	for _, resource := range options.Resources {
+		form.Add("resource", resource)
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return deviceAuthorizationResponse{}, err
+	}
+	req.SetBasicAuth(clientID, "")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	rsp, err := httpClient.Do(req)
+	if err != nil {
+		return deviceAuthorizationResponse{}, err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+		return deviceAuthorizationResponse{}, fmt.Errorf("device authorization request failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+	var output deviceAuthorizationResponse
+	if err := json.NewDecoder(rsp.Body).Decode(&output); err != nil {
+		return deviceAuthorizationResponse{}, fmt.Errorf("decode device authorization response: %w", err)
+	}
+	if output.DeviceCode == "" {
+		return deviceAuthorizationResponse{}, errors.New("device authorization response did not include device_code")
+	}
+	output.Resources = append([]string(nil), options.Resources...)
+	return output, nil
+}
+
+func deviceVerificationURL(deviceCode deviceAuthorizationResponse) string {
+	if deviceCode.VerificationURI == "" {
+		return deviceCode.VerificationURIComplete
+	}
+	uri, err := url.Parse(deviceCode.VerificationURI)
+	if err != nil {
+		return deviceCode.VerificationURI
+	}
+	query := uri.Query()
+	query.Set("user_code", deviceCode.UserCode)
+	uri.RawQuery = query.Encode()
+	return uri.String()
+}
+
+func pollDeviceToken(ctx context.Context, httpClient *http.Client, endpoint string, clientID string, deviceCode deviceAuthorizationResponse) (DeviceTokens, error) {
+	interval := time.Duration(deviceCode.Interval) * time.Second
+	if interval <= 0 {
+		interval = 5 * time.Second
+	}
+	deadline := time.Time{}
+	if deviceCode.ExpiresIn > 0 {
+		deadline = time.Now().Add(time.Duration(deviceCode.ExpiresIn) * time.Second)
+	}
+	for {
+		form := url.Values{
+			"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
+			"device_code": {deviceCode.DeviceCode},
+		}
+		for _, resource := range deviceCode.Resources {
+			form.Add("resource", resource)
+		}
+		tokens, retry, nextInterval, err := requestDeviceToken(ctx, httpClient, endpoint, clientID, form, interval)
+		if err == nil {
+			return tokens, nil
+		}
+		if !retry {
+			return DeviceTokens{}, err
+		}
+		interval = nextInterval
+		if !deadline.IsZero() && time.Now().Add(interval).After(deadline) {
+			return DeviceTokens{}, errors.New("device authorization expired")
+		}
+		timer := time.NewTimer(interval)
+		select {
+		case <-ctx.Done():
+			timer.Stop()
+			return DeviceTokens{}, ctx.Err()
+		case <-timer.C:
+		}
+	}
+}
+
+func refreshDeviceToken(ctx context.Context, httpClient *http.Client, endpoint string, clientID string, refreshToken string, scopes []string) (DeviceTokens, error) {
+	if refreshToken == "" {
+		return DeviceTokens{}, errors.New("refresh token is required")
+	}
+	form := url.Values{
+		"grant_type":    {"refresh_token"},
+		"refresh_token": {refreshToken},
+	}
+	if len(scopes) > 0 {
+		form.Set("scope", strings.Join(scopes, " "))
+	}
+	tokens, _, _, err := requestDeviceToken(ctx, httpClient, endpoint, clientID, form, 0)
+	return tokens, err
+}
+
+func requestDeviceToken(ctx context.Context, httpClient *http.Client, endpoint string, clientID string, form url.Values, interval time.Duration) (DeviceTokens, bool, time.Duration, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return DeviceTokens{}, false, interval, err
+	}
+	req.SetBasicAuth(clientID, "")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	rsp, err := httpClient.Do(req)
+	if err != nil {
+		return DeviceTokens{}, false, interval, err
+	}
+	defer rsp.Body.Close()
+
+	if rsp.StatusCode >= 200 && rsp.StatusCode < 300 {
+		var tokenResponse struct {
+			AccessToken  string `json:"access_token"`
+			TokenType    string `json:"token_type"`
+			RefreshToken string `json:"refresh_token"`
+			IDToken      string `json:"id_token"`
+			ExpiresIn    int64  `json:"expires_in"`
+		}
+		if err := json.NewDecoder(rsp.Body).Decode(&tokenResponse); err != nil {
+			return DeviceTokens{}, false, interval, fmt.Errorf("decode token response: %w", err)
+		}
+		if tokenResponse.AccessToken == "" {
+			return DeviceTokens{}, false, interval, errors.New("token response did not include access_token")
+		}
+		expiry := time.Time{}
+		if tokenResponse.ExpiresIn > 0 {
+			expiry = time.Now().Add(time.Duration(tokenResponse.ExpiresIn) * time.Second)
+		} else if jwtExpiry, ok := tokenExpiry(tokenResponse.AccessToken); ok {
+			expiry = jwtExpiry
+		}
+		return DeviceTokens{
+			AccessToken: StoredAccessToken{
+				Token:        tokenResponse.AccessToken,
+				TokenType:    tokenResponse.TokenType,
+				RefreshToken: tokenResponse.RefreshToken,
+				Expiry:       expiry,
+			},
+			IDToken:      tokenResponse.IDToken,
+			RefreshToken: tokenResponse.RefreshToken,
+		}, false, interval, nil
+	}
+
+	var tokenError struct {
+		Error            string `json:"error"`
+		ErrorDescription string `json:"error_description"`
+	}
+	body, _ := io.ReadAll(io.LimitReader(rsp.Body, 4096))
+	_ = json.Unmarshal(body, &tokenError)
+	switch tokenError.Error {
+	case "authorization_pending":
+		return DeviceTokens{}, true, interval, errors.New(tokenError.Error)
+	case "slow_down":
+		return DeviceTokens{}, true, interval + 5*time.Second, errors.New(tokenError.Error)
+	case "access_denied", "expired_token":
+		if tokenError.ErrorDescription != "" {
+			return DeviceTokens{}, false, interval, fmt.Errorf("%s: %s", tokenError.Error, tokenError.ErrorDescription)
+		}
+		return DeviceTokens{}, false, interval, errors.New(tokenError.Error)
+	default:
+		if tokenError.Error != "" {
+			if tokenError.ErrorDescription != "" {
+				return DeviceTokens{}, false, interval, fmt.Errorf("%s: %s", tokenError.Error, tokenError.ErrorDescription)
+			}
+			return DeviceTokens{}, false, interval, errors.New(tokenError.Error)
+		}
+		return DeviceTokens{}, false, interval, fmt.Errorf("token request failed: status %d: %s", rsp.StatusCode, string(body))
+	}
+}
+
+func parseStoredDeviceTokens(value string) (DeviceTokens, error) {
+	var tokens DeviceTokens
+	if err := json.Unmarshal([]byte(value), &tokens); err == nil && tokens.AccessToken.Token != "" {
+		return tokens, nil
+	}
+
+	var raw map[string]any
+	if err := json.Unmarshal([]byte(value), &raw); err != nil {
+		return DeviceTokens{AccessToken: StoredAccessToken{Token: strings.TrimSpace(value), TokenType: "Bearer"}}, nil
+	}
+	access := objectValue(raw, "accessToken")
+	if len(access) == 0 {
+		access = objectValue(raw, "access")
+	}
+	id := objectValue(raw, "idToken")
+	if len(id) == 0 {
+		id = objectValue(raw, "id")
+	}
+
+	tokens.AccessToken.Token = stringValue(access, "token")
+	tokens.AccessToken.TokenType = stringValue(access, "tokenType")
+	tokens.AccessToken.RefreshToken = stringValue(access, "refreshToken")
+	tokens.RefreshToken = tokens.AccessToken.RefreshToken
+	tokens.IDToken = stringValue(id, "token")
+	if expiry, ok := tokenExpiry(tokens.AccessToken.Token); ok {
+		tokens.AccessToken.Expiry = expiry
+	}
+	if tokens.AccessToken.Token == "" {
+		return DeviceTokens{}, errors.New("stored device credentials do not include an access token")
+	}
+	return tokens, nil
+}
+
+func objectValue(values map[string]any, key string) map[string]any {
+	value, _ := values[key].(map[string]any)
+	return value
+}
+
+func stringValue(values map[string]any, key string) string {
+	value, _ := values[key].(string)
+	return value
+}
+
+func tokenExpiry(token string) (time.Time, bool) {
+	claims, ok := jwtClaims(token)
+	if !ok {
+		return time.Time{}, false
+	}
+	exp, ok := claims["exp"]
+	if !ok {
+		return time.Time{}, false
+	}
+	switch value := exp.(type) {
+	case float64:
+		return time.Unix(int64(value), 0), true
+	case json.Number:
+		seconds, err := strconv.ParseInt(value.String(), 10, 64)
+		return time.Unix(seconds, 0), err == nil
+	default:
+		return time.Time{}, false
+	}
+}
+
+func EmailFromIDToken(token string) string {
+	claims, ok := jwtClaims(token)
+	if !ok {
+		return ""
+	}
+	email, _ := claims["email"].(string)
+	return email
+}
+
+func jwtClaims(token string) (map[string]any, bool) {
+	parts := strings.Split(token, ".")
+	if len(parts) < 2 {
+		return nil, false
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, false
+	}
+	var claims map[string]any
+	decoder := json.NewDecoder(strings.NewReader(string(payload)))
+	decoder.UseNumber()
+	if err := decoder.Decode(&claims); err != nil {
+		return nil, false
+	}
+	return claims, true
+}
+
+func writeDeviceMessage(out io.Writer, message string) {
+	if out == nil {
+		return
+	}
+	fmt.Fprintln(out, message)
+}
diff --git a/v4/internal/auth/scopes.go b/v4/internal/auth/scopes.go
new file mode 100644
index 00000000..e8268daa
--- /dev/null
+++ b/v4/internal/auth/scopes.go
@@ -0,0 +1,63 @@
+package auth
+
+var OrganizationScopes = []string{
+	"organization:Read",
+	"organization:Create",
+	"organization:Update",
+	"organization:Delete",
+	"organization:ListUsers",
+	"organization:ReadUser",
+	"organization:CreateUser",
+	"organization:UpdateUser",
+	"organization:DeleteUser",
+	"organization:ListPolicies",
+	"organization:ReadPolicy",
+	"organization:CreatePolicy",
+	"organization:UpdatePolicy",
+	"organization:DeletePolicy",
+	"organization:ListInvitations",
+	"organization:ReadInvitation",
+	"organization:CreateInvitation",
+	"organization:UpdateInvitation",
+	"organization:AcceptInvitation",
+	"organization:RejectInvitation",
+	"organization:DeleteInvitation",
+	"organization:ListRegions",
+	"organization:ReadRegion",
+	"organization:CreateRegion",
+	"organization:UpdateRegion",
+	"organization:DeleteRegion",
+	"organization:ListStacks",
+	"organization:ReadStack",
+	"organization:CreateStack",
+	"organization:UpdateStack",
+	"organization:DeleteStack",
+	"organization:EnableStack",
+	"organization:DisableStack",
+	"organization:RestoreStack",
+	"organization:UpgradeStack",
+	"organization:ListStackUsers",
+	"organization:ReadStackUser",
+	"organization:CreateStackUser",
+	"organization:UpdateStackUser",
+	"organization:DeleteStackUser",
+	"organization:ListStackModules",
+	"organization:EnableStackModule",
+	"organization:DisableStackModule",
+	"organization:ListClients",
+	"organization:ReadClient",
+	"organization:CreateClient",
+	"organization:UpdateClient",
+	"organization:DeleteClient",
+	"organization:ReadAuthProvider",
+	"organization:UpdateAuthProvider",
+	"organization:DeleteAuthProvider",
+	"organization:ReadLogs",
+	"organization:ListFeatures",
+	"organization:ReadFeature",
+}
+
+var StackScopes = []string{
+	"stack:Read",
+	"stack:Write",
+}
diff --git a/v4/internal/capabilities/README.md b/v4/internal/capabilities/README.md
new file mode 100644
index 00000000..4913d042
--- /dev/null
+++ b/v4/internal/capabilities/README.md
@@ -0,0 +1,15 @@
+# Capabilities Manifest
+
+`manifest_generated.go` is generated from the stack OpenAPI document.
+
+Regenerate it from the v4 module directory:
+
+```bash
+curl -L https://github.com/formancehq/stack/releases/download/v3.2.4/generate.json -o /tmp/formance-stack-generate.json
+go run ./internal/capabilities/genmanifest \
+  -input /tmp/formance-stack-generate.json \
+  -output internal/capabilities/manifest_generated.go
+go test ./internal/capabilities ./internal/capabilities/genmanifest
+```
+
+The manual component-version compatibility ranges live in `compatibility.go`.
diff --git a/v4/internal/capabilities/capabilities.go b/v4/internal/capabilities/capabilities.go
new file mode 100644
index 00000000..79ae87f5
--- /dev/null
+++ b/v4/internal/capabilities/capabilities.go
@@ -0,0 +1,178 @@
+// Package capabilities models stack component versions, API namespaces, and
+// generated operation metadata used by the v4 runtime resolver.
+package capabilities
+
+import (
+	"errors"
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
+	"golang.org/x/mod/semver"
+)
+
+type Product string
+type Feature string
+type APIVersion string
+
+type Manifest struct {
+	SpecVersion string                      `json:"specVersion"`
+	Products    map[Product]ProductManifest `json:"products"`
+}
+
+type ProductManifest struct {
+	APIVersions []APIVersion                         `json:"apiVersions"`
+	Operations  map[Feature]map[APIVersion]Operation `json:"operations"`
+}
+
+type Operation struct {
+	OperationID string   `json:"operationId"`
+	Method      string   `json:"method"`
+	Path        string   `json:"path"`
+	Tags        []string `json:"tags,omitempty"`
+}
+
+type ComponentVersion struct {
+	Product Product
+	Version string
+	Health  bool
+}
+
+type ComponentRange struct {
+	Product     Product
+	Range       string
+	APIVersions []APIVersion
+}
+
+type ComponentCompatibility []ComponentRange
+
+func (c ComponentCompatibility) APIVersionsFor(product Product, componentVersion string) ([]APIVersion, error) {
+	var matches []APIVersion
+	for _, candidate := range c {
+		if candidate.Product != product {
+			continue
+		}
+		ok, err := MatchVersionRange(componentVersion, candidate.Range)
+		if err != nil {
+			return nil, fmt.Errorf("match %s range %q: %w", product, candidate.Range, err)
+		}
+		if ok {
+			matches = append(matches, candidate.APIVersions...)
+		}
+	}
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("no api versions for %s component version %q", product, componentVersion)
+	}
+	return UniqueSortedAPIVersions(matches), nil
+}
+
+func MatchVersionRange(version string, versionRange string) (bool, error) {
+	normalizedVersion, err := normalizeSemver(version)
+	if err != nil {
+		return false, err
+	}
+	if strings.TrimSpace(versionRange) == "" {
+		return false, errors.New("range cannot be empty")
+	}
+
+	for _, constraint := range strings.Fields(versionRange) {
+		if constraint == "" {
+			continue
+		}
+		if ok, err := matchConstraint(normalizedVersion, constraint); err != nil || !ok {
+			return ok, err
+		}
+	}
+	return true, nil
+}
+
+func matchConstraint(version string, constraint string) (bool, error) {
+	for _, operator := range []string{">=", "<=", ">", "<", "="} {
+		if strings.HasPrefix(constraint, operator) {
+			target, err := normalizeSemver(strings.TrimPrefix(constraint, operator))
+			if err != nil {
+				return false, err
+			}
+			cmp := semver.Compare(version, target)
+			switch operator {
+			case ">=":
+				return cmp >= 0, nil
+			case "<=":
+				return cmp <= 0, nil
+			case ">":
+				return cmp > 0, nil
+			case "<":
+				return cmp < 0, nil
+			case "=":
+				return cmp == 0, nil
+			}
+		}
+	}
+
+	target, err := normalizeSemver(constraint)
+	if err != nil {
+		return false, err
+	}
+	return semver.Compare(version, target) == 0, nil
+}
+
+func normalizeSemver(version string) (string, error) {
+	version = strings.TrimSpace(version)
+	if version == "" {
+		return "", errors.New("version cannot be empty")
+	}
+	if !strings.HasPrefix(version, "v") {
+		version = "v" + version
+	}
+	if !semver.IsValid(version) {
+		return "", fmt.Errorf("invalid semver %q", version)
+	}
+	return version, nil
+}
+
+func UniqueSortedAPIVersions(versions []APIVersion) []APIVersion {
+	seen := map[APIVersion]struct{}{}
+	ret := make([]APIVersion, 0, len(versions))
+	for _, version := range versions {
+		if _, ok := seen[version]; ok {
+			continue
+		}
+		seen[version] = struct{}{}
+		ret = append(ret, version)
+	}
+	sort.Slice(ret, func(i, j int) bool {
+		return compareAPIVersion(ret[i], ret[j]) < 0
+	})
+	return ret
+}
+
+func HighestAPIVersion(versions []APIVersion) (APIVersion, bool) {
+	versions = UniqueSortedAPIVersions(versions)
+	if len(versions) == 0 {
+		return "", false
+	}
+	return versions[len(versions)-1], true
+}
+
+func compareAPIVersion(a, b APIVersion) int {
+	an := apiVersionNumber(a)
+	bn := apiVersionNumber(b)
+	switch {
+	case an < bn:
+		return -1
+	case an > bn:
+		return 1
+	default:
+		return strings.Compare(string(a), string(b))
+	}
+}
+
+func apiVersionNumber(version APIVersion) int {
+	raw := strings.TrimPrefix(string(version), "v")
+	n, err := strconv.Atoi(raw)
+	if err != nil {
+		return 0
+	}
+	return n
+}
diff --git a/v4/internal/capabilities/capabilities_test.go b/v4/internal/capabilities/capabilities_test.go
new file mode 100644
index 00000000..f227cb31
--- /dev/null
+++ b/v4/internal/capabilities/capabilities_test.go
@@ -0,0 +1,71 @@
+package capabilities
+
+import "testing"
+
+func TestMatchVersionRange(t *testing.T) {
+	tests := []struct {
+		name      string
+		rangeExpr string
+		version   string
+		want      bool
+	}{
+		{name: "inside lower inclusive upper exclusive", rangeExpr: ">=2.0.0 <3.0.0", version: "2.3.4", want: true},
+		{name: "below lower", rangeExpr: ">=2.0.0 <3.0.0", version: "1.9.9", want: false},
+		{name: "at upper exclusive", rangeExpr: ">=2.0.0 <3.0.0", version: "3.0.0", want: false},
+		{name: "accepts v prefix", rangeExpr: ">=v2.0.0 <v3.0.0", version: "v2.0.0", want: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := MatchVersionRange(tt.version, tt.rangeExpr)
+			if err != nil {
+				t.Fatalf("expected no error, got %v", err)
+			}
+			if got != tt.want {
+				t.Fatalf("expected %v, got %v", tt.want, got)
+			}
+		})
+	}
+}
+
+func TestAPIVersionsFor(t *testing.T) {
+	compatibility := ComponentCompatibility{
+		{Product: "ledger", Range: ">=1.0.0 <2.0.0", APIVersions: []APIVersion{"v1"}},
+		{Product: "ledger", Range: ">=2.0.0 <3.0.0", APIVersions: []APIVersion{"v1", "v2"}},
+		{Product: "payments", Range: ">=3.0.0", APIVersions: []APIVersion{"v1", "v3"}},
+	}
+
+	versions, err := compatibility.APIVersionsFor("ledger", "2.3.4")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	assertAPIVersions(t, versions, []APIVersion{"v1", "v2"})
+
+	versions, err = compatibility.APIVersionsFor("payments", "3.1.0")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	assertAPIVersions(t, versions, []APIVersion{"v1", "v3"})
+}
+
+func TestHighestAPIVersion(t *testing.T) {
+	highest, ok := HighestAPIVersion([]APIVersion{"v1", "v3", "v2"})
+	if !ok {
+		t.Fatal("expected highest api version")
+	}
+	if highest != "v3" {
+		t.Fatalf("expected v3, got %q", highest)
+	}
+}
+
+func assertAPIVersions(t *testing.T, got []APIVersion, want []APIVersion) {
+	t.Helper()
+	if len(got) != len(want) {
+		t.Fatalf("expected %v, got %v", want, got)
+	}
+	for i := range want {
+		if got[i] != want[i] {
+			t.Fatalf("expected %v, got %v", want, got)
+		}
+	}
+}
diff --git a/v4/internal/capabilities/compatibility.go b/v4/internal/capabilities/compatibility.go
new file mode 100644
index 00000000..356be93a
--- /dev/null
+++ b/v4/internal/capabilities/compatibility.go
@@ -0,0 +1,15 @@
+package capabilities
+
+var DefaultComponentCompatibility = ComponentCompatibility{
+	{Product: "ledger", Range: ">=1.0.0 <2.0.0", APIVersions: []APIVersion{"v1"}},
+	{Product: "ledger", Range: ">=2.0.0 <3.0.0", APIVersions: []APIVersion{"v1", "v2"}},
+	{Product: "ledger", Range: ">=3.0.0", APIVersions: []APIVersion{"v1", "v2", "v3"}},
+	{Product: "payments", Range: ">=1.0.0 <3.0.0", APIVersions: []APIVersion{"v1"}},
+	{Product: "payments", Range: ">=3.0.0", APIVersions: []APIVersion{"v1", "v3"}},
+	{Product: "orchestration", Range: ">=1.0.0 <2.0.0", APIVersions: []APIVersion{"v1"}},
+	{Product: "orchestration", Range: ">=2.0.0", APIVersions: []APIVersion{"v1", "v2"}},
+	{Product: "auth", Range: ">=0.0.0", APIVersions: []APIVersion{"v1"}},
+	{Product: "wallets", Range: ">=0.0.0", APIVersions: []APIVersion{"v1"}},
+	{Product: "webhooks", Range: ">=0.0.0", APIVersions: []APIVersion{"v1"}},
+	{Product: "reconciliation", Range: ">=0.0.0", APIVersions: []APIVersion{"v1"}},
+}
diff --git a/v4/internal/capabilities/genmanifest/main.go b/v4/internal/capabilities/genmanifest/main.go
new file mode 100644
index 00000000..abefb5d5
--- /dev/null
+++ b/v4/internal/capabilities/genmanifest/main.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"go/format"
+	"os"
+	"sort"
+	"strconv"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func main() {
+	input := flag.String("input", "", "Path to OpenAPI JSON document")
+	output := flag.String("output", "", "Path to generated Go manifest")
+	flag.Parse()
+
+	if *input == "" || *output == "" {
+		fmt.Fprintln(os.Stderr, "usage: genmanifest -input generate.json -output manifest_generated.go")
+		os.Exit(2)
+	}
+
+	file, err := os.Open(*input)
+	if err != nil {
+		fail("open input", err)
+	}
+	defer file.Close()
+
+	manifest, err := capabilities.ParseOpenAPIManifest(file)
+	if err != nil {
+		fail("parse openapi", err)
+	}
+
+	data, err := renderGo(manifest)
+	if err != nil {
+		fail("render go", err)
+	}
+	if err := os.WriteFile(*output, data, 0o644); err != nil {
+		fail("write output", err)
+	}
+}
+
+func renderGo(manifest capabilities.Manifest) ([]byte, error) {
+	buffer := bytes.Buffer{}
+	buffer.WriteString("// Code generated by genmanifest; DO NOT EDIT.\n\n")
+	buffer.WriteString("package capabilities\n\n")
+	buffer.WriteString("var GeneratedManifest = Manifest{\n")
+	fmt.Fprintf(&buffer, "\tSpecVersion: %s,\n", strconv.Quote(manifest.SpecVersion))
+	buffer.WriteString("\tProducts: map[Product]ProductManifest{\n")
+
+	products := make([]string, 0, len(manifest.Products))
+	for product := range manifest.Products {
+		products = append(products, string(product))
+	}
+	sort.Strings(products)
+
+	for _, product := range products {
+		productManifest := manifest.Products[capabilities.Product(product)]
+		fmt.Fprintf(&buffer, "\t\tProduct(%s): {\n", strconv.Quote(product))
+		buffer.WriteString("\t\t\tAPIVersions: []APIVersion{")
+		for i, apiVersion := range productManifest.APIVersions {
+			if i > 0 {
+				buffer.WriteString(", ")
+			}
+			fmt.Fprintf(&buffer, "APIVersion(%s)", strconv.Quote(string(apiVersion)))
+		}
+		buffer.WriteString("},\n")
+		buffer.WriteString("\t\t\tOperations: map[Feature]map[APIVersion]Operation{\n")
+
+		features := make([]string, 0, len(productManifest.Operations))
+		for feature := range productManifest.Operations {
+			features = append(features, string(feature))
+		}
+		sort.Strings(features)
+
+		for _, feature := range features {
+			fmt.Fprintf(&buffer, "\t\t\t\tFeature(%s): {\n", strconv.Quote(feature))
+			operations := productManifest.Operations[capabilities.Feature(feature)]
+			apiVersions := make([]string, 0, len(operations))
+			for apiVersion := range operations {
+				apiVersions = append(apiVersions, string(apiVersion))
+			}
+			sort.Strings(apiVersions)
+			for _, apiVersion := range apiVersions {
+				operation := operations[capabilities.APIVersion(apiVersion)]
+				fmt.Fprintf(&buffer, "\t\t\t\t\tAPIVersion(%s): {OperationID: %s, Method: %s, Path: %s",
+					strconv.Quote(apiVersion),
+					strconv.Quote(operation.OperationID),
+					strconv.Quote(operation.Method),
+					strconv.Quote(operation.Path),
+				)
+				if len(operation.Tags) > 0 {
+					buffer.WriteString(", Tags: []string{")
+					for i, tag := range operation.Tags {
+						if i > 0 {
+							buffer.WriteString(", ")
+						}
+						buffer.WriteString(strconv.Quote(tag))
+					}
+					buffer.WriteString("}")
+				}
+				buffer.WriteString("},\n")
+			}
+			buffer.WriteString("\t\t\t\t},\n")
+		}
+
+		buffer.WriteString("\t\t\t},\n")
+		buffer.WriteString("\t\t},\n")
+	}
+
+	buffer.WriteString("\t},\n")
+	buffer.WriteString("}\n")
+
+	return format.Source(buffer.Bytes())
+}
+
+func fail(message string, err error) {
+	fmt.Fprintf(os.Stderr, "%s: %v\n", message, err)
+	os.Exit(1)
+}
diff --git a/v4/internal/capabilities/manifest_generated.go b/v4/internal/capabilities/manifest_generated.go
new file mode 100644
index 00000000..ac93a98e
--- /dev/null
+++ b/v4/internal/capabilities/manifest_generated.go
@@ -0,0 +1,676 @@
+// Code generated by genmanifest; DO NOT EDIT.
+
+package capabilities
+
+var GeneratedManifest = Manifest{
+	SpecVersion: "v3.2.4",
+	Products: map[Product]ProductManifest{
+		Product("auth"): {
+			APIVersions: []APIVersion{APIVersion("v1")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("createClient"): {
+					APIVersion("v1"): {OperationID: "createClient", Method: "POST", Path: "/api/auth/clients", Tags: []string{"auth.v1"}},
+				},
+				Feature("createSecret"): {
+					APIVersion("v1"): {OperationID: "createSecret", Method: "POST", Path: "/api/auth/clients/{clientId}/secrets", Tags: []string{"auth.v1"}},
+				},
+				Feature("deleteClient"): {
+					APIVersion("v1"): {OperationID: "deleteClient", Method: "DELETE", Path: "/api/auth/clients/{clientId}", Tags: []string{"auth.v1"}},
+				},
+				Feature("deleteSecret"): {
+					APIVersion("v1"): {OperationID: "deleteSecret", Method: "DELETE", Path: "/api/auth/clients/{clientId}/secrets/{secretId}", Tags: []string{"auth.v1"}},
+				},
+				Feature("getOIDCWellKnowns"): {
+					APIVersion("v1"): {OperationID: "getOIDCWellKnowns", Method: "GET", Path: "/api/auth/.well-known/openid-configuration", Tags: []string{"auth.v1"}},
+				},
+				Feature("getServerInfo_auth"): {
+					APIVersion("v1"): {OperationID: "getServerInfo_auth", Method: "GET", Path: "/api/auth/_info", Tags: []string{"auth.v1"}},
+				},
+				Feature("listClients"): {
+					APIVersion("v1"): {OperationID: "listClients", Method: "GET", Path: "/api/auth/clients", Tags: []string{"auth.v1"}},
+				},
+				Feature("listUsers"): {
+					APIVersion("v1"): {OperationID: "listUsers", Method: "GET", Path: "/api/auth/users", Tags: []string{"auth.v1"}},
+				},
+				Feature("readClient"): {
+					APIVersion("v1"): {OperationID: "readClient", Method: "GET", Path: "/api/auth/clients/{clientId}", Tags: []string{"auth.v1"}},
+				},
+				Feature("readUser"): {
+					APIVersion("v1"): {OperationID: "readUser", Method: "GET", Path: "/api/auth/users/{userId}", Tags: []string{"auth.v1"}},
+				},
+				Feature("updateClient"): {
+					APIVersion("v1"): {OperationID: "updateClient", Method: "PUT", Path: "/api/auth/clients/{clientId}", Tags: []string{"auth.v1"}},
+				},
+			},
+		},
+		Product("ledger"): {
+			APIVersions: []APIVersion{APIVersion("v1"), APIVersion("v2")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("addMetadataOnTransaction"): {
+					APIVersion("v1"): {OperationID: "addMetadataOnTransaction", Method: "POST", Path: "/api/ledger/{ledger}/transactions/{txid}/metadata", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2AddMetadataOnTransaction", Method: "POST", Path: "/api/ledger/v2/{ledger}/transactions/{id}/metadata", Tags: []string{"ledger.v2"}},
+				},
+				Feature("addMetadataToAccount"): {
+					APIVersion("v1"): {OperationID: "addMetadataToAccount", Method: "POST", Path: "/api/ledger/{ledger}/accounts/{address}/metadata", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2AddMetadataToAccount", Method: "POST", Path: "/api/ledger/v2/{ledger}/accounts/{address}/metadata", Tags: []string{"ledger.v2"}},
+				},
+				Feature("countAccounts"): {
+					APIVersion("v1"): {OperationID: "countAccounts", Method: "HEAD", Path: "/api/ledger/{ledger}/accounts", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2CountAccounts", Method: "HEAD", Path: "/api/ledger/v2/{ledger}/accounts", Tags: []string{"ledger.v2"}},
+				},
+				Feature("countTransactions"): {
+					APIVersion("v1"): {OperationID: "countTransactions", Method: "HEAD", Path: "/api/ledger/{ledger}/transactions", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2CountTransactions", Method: "HEAD", Path: "/api/ledger/v2/{ledger}/transactions", Tags: []string{"ledger.v2"}},
+				},
+				Feature("createBulk"): {
+					APIVersion("v2"): {OperationID: "v2CreateBulk", Method: "POST", Path: "/api/ledger/v2/{ledger}/_bulk", Tags: []string{"ledger.v2"}},
+				},
+				Feature("createExporter"): {
+					APIVersion("v2"): {OperationID: "v2CreateExporter", Method: "POST", Path: "/api/ledger/v2/_/exporters", Tags: []string{"ledger.v2"}},
+				},
+				Feature("createLedger"): {
+					APIVersion("v2"): {OperationID: "v2CreateLedger", Method: "POST", Path: "/api/ledger/v2/{ledger}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("createPipeline"): {
+					APIVersion("v2"): {OperationID: "v2CreatePipeline", Method: "POST", Path: "/api/ledger/v2/{ledger}/pipelines", Tags: []string{"ledger.v2"}},
+				},
+				Feature("createTransaction"): {
+					APIVersion("v1"): {OperationID: "createTransaction", Method: "POST", Path: "/api/ledger/{ledger}/transactions", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2CreateTransaction", Method: "POST", Path: "/api/ledger/v2/{ledger}/transactions", Tags: []string{"ledger.v2"}},
+				},
+				Feature("createTransactions"): {
+					APIVersion("v1"): {OperationID: "CreateTransactions", Method: "POST", Path: "/api/ledger/{ledger}/transactions/batch", Tags: []string{"ledger.v1"}},
+				},
+				Feature("deleteAccountMetadata"): {
+					APIVersion("v2"): {OperationID: "v2DeleteAccountMetadata", Method: "DELETE", Path: "/api/ledger/v2/{ledger}/accounts/{address}/metadata/{key}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("deleteBucket"): {
+					APIVersion("v2"): {OperationID: "v2DeleteBucket", Method: "DELETE", Path: "/api/ledger/v2/_/buckets/{bucket}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("deleteExporter"): {
+					APIVersion("v2"): {OperationID: "v2DeleteExporter", Method: "DELETE", Path: "/api/ledger/v2/_/exporters/{exporterID}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("deleteLedgerMetadata"): {
+					APIVersion("v2"): {OperationID: "v2DeleteLedgerMetadata", Method: "DELETE", Path: "/api/ledger/v2/{ledger}/metadata/{key}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("deletePipeline"): {
+					APIVersion("v2"): {OperationID: "v2DeletePipeline", Method: "DELETE", Path: "/api/ledger/v2/{ledger}/pipelines/{pipelineID}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("deleteTransactionMetadata"): {
+					APIVersion("v2"): {OperationID: "v2DeleteTransactionMetadata", Method: "DELETE", Path: "/api/ledger/v2/{ledger}/transactions/{id}/metadata/{key}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("exportLogs"): {
+					APIVersion("v2"): {OperationID: "v2ExportLogs", Method: "POST", Path: "/api/ledger/v2/{ledger}/logs/export", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getAccount"): {
+					APIVersion("v2"): {OperationID: "v2GetAccount", Method: "GET", Path: "/api/ledger/v2/{ledger}/accounts/{address}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getAccount_ledger"): {
+					APIVersion("v1"): {OperationID: "getAccount_ledger", Method: "GET", Path: "/api/ledger/{ledger}/accounts/{address}", Tags: []string{"ledger.v1"}},
+				},
+				Feature("getBalances"): {
+					APIVersion("v1"): {OperationID: "getBalances", Method: "GET", Path: "/api/ledger/{ledger}/balances", Tags: []string{"ledger.v1"}},
+				},
+				Feature("getBalancesAggregated"): {
+					APIVersion("v1"): {OperationID: "getBalancesAggregated", Method: "GET", Path: "/api/ledger/{ledger}/aggregate/balances", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetBalancesAggregated", Method: "GET", Path: "/api/ledger/v2/{ledger}/aggregate/balances", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getExporterState"): {
+					APIVersion("v2"): {OperationID: "v2GetExporterState", Method: "GET", Path: "/api/ledger/v2/_/exporters/{exporterID}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getInfo"): {
+					APIVersion("v1"): {OperationID: "getInfo", Method: "GET", Path: "/api/ledger/_info", Tags: []string{"ledger.v1"}},
+				},
+				Feature("getLedger"): {
+					APIVersion("v2"): {OperationID: "v2GetLedger", Method: "GET", Path: "/api/ledger/v2/{ledger}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getLedgerInfo"): {
+					APIVersion("v1"): {OperationID: "getLedgerInfo", Method: "GET", Path: "/api/ledger/{ledger}/_info", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetLedgerInfo", Method: "GET", Path: "/api/ledger/v2/{ledger}/_info", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getMapping"): {
+					APIVersion("v1"): {OperationID: "getMapping", Method: "GET", Path: "/api/ledger/{ledger}/mapping", Tags: []string{"ledger.v1"}},
+				},
+				Feature("getPipelineState"): {
+					APIVersion("v2"): {OperationID: "v2GetPipelineState", Method: "GET", Path: "/api/ledger/v2/{ledger}/pipelines/{pipelineID}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getSchema"): {
+					APIVersion("v2"): {OperationID: "v2GetSchema", Method: "GET", Path: "/api/ledger/v2/{ledger}/schemas/{version}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getTransaction"): {
+					APIVersion("v1"): {OperationID: "getTransaction", Method: "GET", Path: "/api/ledger/{ledger}/transactions/{txid}", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetTransaction", Method: "GET", Path: "/api/ledger/v2/{ledger}/transactions/{id}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("getVolumesWithBalances"): {
+					APIVersion("v2"): {OperationID: "v2GetVolumesWithBalances", Method: "GET", Path: "/api/ledger/v2/{ledger}/volumes", Tags: []string{"ledger.v2"}},
+				},
+				Feature("importLogs"): {
+					APIVersion("v2"): {OperationID: "v2ImportLogs", Method: "POST", Path: "/api/ledger/v2/{ledger}/logs/import", Tags: []string{"ledger.v2"}},
+				},
+				Feature("insertSchema"): {
+					APIVersion("v2"): {OperationID: "v2InsertSchema", Method: "POST", Path: "/api/ledger/v2/{ledger}/schemas/{version}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listAccounts"): {
+					APIVersion("v2"): {OperationID: "v2ListAccounts", Method: "GET", Path: "/api/ledger/v2/{ledger}/accounts", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listAccounts_ledger"): {
+					APIVersion("v1"): {OperationID: "listAccounts_ledger", Method: "GET", Path: "/api/ledger/{ledger}/accounts", Tags: []string{"ledger.v1"}},
+				},
+				Feature("listExporters"): {
+					APIVersion("v2"): {OperationID: "v2ListExporters", Method: "GET", Path: "/api/ledger/v2/_/exporters", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listLedgers"): {
+					APIVersion("v2"): {OperationID: "v2ListLedgers", Method: "GET", Path: "/api/ledger/v2", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listLogs"): {
+					APIVersion("v1"): {OperationID: "listLogs", Method: "GET", Path: "/api/ledger/{ledger}/logs", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2ListLogs", Method: "GET", Path: "/api/ledger/v2/{ledger}/logs", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listPipelines"): {
+					APIVersion("v2"): {OperationID: "v2ListPipelines", Method: "GET", Path: "/api/ledger/v2/{ledger}/pipelines", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listSchemas"): {
+					APIVersion("v2"): {OperationID: "v2ListSchemas", Method: "GET", Path: "/api/ledger/v2/{ledger}/schemas", Tags: []string{"ledger.v2"}},
+				},
+				Feature("listTransactions"): {
+					APIVersion("v1"): {OperationID: "listTransactions", Method: "GET", Path: "/api/ledger/{ledger}/transactions", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2ListTransactions", Method: "GET", Path: "/api/ledger/v2/{ledger}/transactions", Tags: []string{"ledger.v2"}},
+				},
+				Feature("readStats"): {
+					APIVersion("v1"): {OperationID: "readStats", Method: "GET", Path: "/api/ledger/{ledger}/stats", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2ReadStats", Method: "GET", Path: "/api/ledger/v2/{ledger}/stats", Tags: []string{"ledger.v2"}},
+				},
+				Feature("resetPipeline"): {
+					APIVersion("v2"): {OperationID: "v2ResetPipeline", Method: "POST", Path: "/api/ledger/v2/{ledger}/pipelines/{pipelineID}/reset", Tags: []string{"ledger.v2"}},
+				},
+				Feature("restoreBucket"): {
+					APIVersion("v2"): {OperationID: "v2RestoreBucket", Method: "POST", Path: "/api/ledger/v2/_/buckets/{bucket}/restore", Tags: []string{"ledger.v2"}},
+				},
+				Feature("revertTransaction"): {
+					APIVersion("v1"): {OperationID: "revertTransaction", Method: "POST", Path: "/api/ledger/{ledger}/transactions/{txid}/revert", Tags: []string{"ledger.v1"}},
+					APIVersion("v2"): {OperationID: "v2RevertTransaction", Method: "POST", Path: "/api/ledger/v2/{ledger}/transactions/{id}/revert", Tags: []string{"ledger.v2"}},
+				},
+				Feature("runQuery"): {
+					APIVersion("v2"): {OperationID: "v2RunQuery", Method: "POST", Path: "/api/ledger/v2/{ledger}/queries/{id}/run", Tags: []string{"ledger.v2"}},
+				},
+				Feature("runScript"): {
+					APIVersion("v1"): {OperationID: "runScript", Method: "POST", Path: "/api/ledger/{ledger}/script", Tags: []string{"ledger.v1"}},
+				},
+				Feature("startPipeline"): {
+					APIVersion("v2"): {OperationID: "v2StartPipeline", Method: "POST", Path: "/api/ledger/v2/{ledger}/pipelines/{pipelineID}/start", Tags: []string{"ledger.v2"}},
+				},
+				Feature("stopPipeline"): {
+					APIVersion("v2"): {OperationID: "v2StopPipeline", Method: "POST", Path: "/api/ledger/v2/{ledger}/pipelines/{pipelineID}/stop", Tags: []string{"ledger.v2"}},
+				},
+				Feature("updateExporter"): {
+					APIVersion("v2"): {OperationID: "v2UpdateExporter", Method: "PUT", Path: "/api/ledger/v2/_/exporters/{exporterID}", Tags: []string{"ledger.v2"}},
+				},
+				Feature("updateLedgerMetadata"): {
+					APIVersion("v2"): {OperationID: "v2UpdateLedgerMetadata", Method: "PUT", Path: "/api/ledger/v2/{ledger}/metadata", Tags: []string{"ledger.v2"}},
+				},
+				Feature("updateMapping"): {
+					APIVersion("v1"): {OperationID: "updateMapping", Method: "PUT", Path: "/api/ledger/{ledger}/mapping", Tags: []string{"ledger.v1"}},
+				},
+			},
+		},
+		Product("orchestration"): {
+			APIVersions: []APIVersion{APIVersion("v1"), APIVersion("v2")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("cancelEvent"): {
+					APIVersion("v1"): {OperationID: "cancelEvent", Method: "PUT", Path: "/api/orchestration/instances/{instanceID}/abort", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2CancelEvent", Method: "PUT", Path: "/api/orchestration/v2/instances/{instanceID}/abort", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("createTrigger"): {
+					APIVersion("v1"): {OperationID: "createTrigger", Method: "POST", Path: "/api/orchestration/triggers", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2CreateTrigger", Method: "POST", Path: "/api/orchestration/v2/triggers", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("createWorkflow"): {
+					APIVersion("v1"): {OperationID: "createWorkflow", Method: "POST", Path: "/api/orchestration/workflows", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2CreateWorkflow", Method: "POST", Path: "/api/orchestration/v2/workflows", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("deleteTrigger"): {
+					APIVersion("v1"): {OperationID: "deleteTrigger", Method: "DELETE", Path: "/api/orchestration/triggers/{triggerID}", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2DeleteTrigger", Method: "DELETE", Path: "/api/orchestration/v2/triggers/{triggerID}", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("deleteWorkflow"): {
+					APIVersion("v1"): {OperationID: "deleteWorkflow", Method: "DELETE", Path: "/api/orchestration/workflows/{flowId}", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2DeleteWorkflow", Method: "DELETE", Path: "/api/orchestration/v2/workflows/{flowId}", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("getInstance"): {
+					APIVersion("v1"): {OperationID: "getInstance", Method: "GET", Path: "/api/orchestration/instances/{instanceID}", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetInstance", Method: "GET", Path: "/api/orchestration/v2/instances/{instanceID}", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("getInstanceHistory"): {
+					APIVersion("v1"): {OperationID: "getInstanceHistory", Method: "GET", Path: "/api/orchestration/instances/{instanceID}/history", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetInstanceHistory", Method: "GET", Path: "/api/orchestration/v2/instances/{instanceID}/history", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("getInstanceStageHistory"): {
+					APIVersion("v1"): {OperationID: "getInstanceStageHistory", Method: "GET", Path: "/api/orchestration/instances/{instanceID}/stages/{number}/history", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetInstanceStageHistory", Method: "GET", Path: "/api/orchestration/v2/instances/{instanceID}/stages/{number}/history", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("getServerInfo"): {
+					APIVersion("v2"): {OperationID: "v2GetServerInfo", Method: "GET", Path: "/api/orchestration/v2/_info", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("getServerInfo_orchestration"): {
+					APIVersion("v1"): {OperationID: "getServerInfo_orchestration", Method: "GET", Path: "/api/orchestration/_info", Tags: []string{"orchestration.v1"}},
+				},
+				Feature("getWorkflow"): {
+					APIVersion("v1"): {OperationID: "getWorkflow", Method: "GET", Path: "/api/orchestration/workflows/{flowId}", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2GetWorkflow", Method: "GET", Path: "/api/orchestration/v2/workflows/{flowId}", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("listInstances"): {
+					APIVersion("v1"): {OperationID: "listInstances", Method: "GET", Path: "/api/orchestration/instances", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2ListInstances", Method: "GET", Path: "/api/orchestration/v2/instances", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("listTriggers"): {
+					APIVersion("v1"): {OperationID: "listTriggers", Method: "GET", Path: "/api/orchestration/triggers", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2ListTriggers", Method: "GET", Path: "/api/orchestration/v2/triggers", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("listTriggersOccurrences"): {
+					APIVersion("v1"): {OperationID: "listTriggersOccurrences", Method: "GET", Path: "/api/orchestration/triggers/{triggerID}/occurrences", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2ListTriggersOccurrences", Method: "GET", Path: "/api/orchestration/v2/triggers/{triggerID}/occurrences", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("listWorkflows"): {
+					APIVersion("v1"): {OperationID: "listWorkflows", Method: "GET", Path: "/api/orchestration/workflows", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2ListWorkflows", Method: "GET", Path: "/api/orchestration/v2/workflows", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("readTrigger"): {
+					APIVersion("v1"): {OperationID: "readTrigger", Method: "GET", Path: "/api/orchestration/triggers/{triggerID}", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2ReadTrigger", Method: "GET", Path: "/api/orchestration/v2/triggers/{triggerID}", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("runWorkflow"): {
+					APIVersion("v1"): {OperationID: "runWorkflow", Method: "POST", Path: "/api/orchestration/workflows/{workflowID}/instances", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2RunWorkflow", Method: "POST", Path: "/api/orchestration/v2/workflows/{workflowID}/instances", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("sendEvent"): {
+					APIVersion("v1"): {OperationID: "sendEvent", Method: "POST", Path: "/api/orchestration/instances/{instanceID}/events", Tags: []string{"orchestration.v1"}},
+					APIVersion("v2"): {OperationID: "v2SendEvent", Method: "POST", Path: "/api/orchestration/v2/instances/{instanceID}/events", Tags: []string{"orchestration.v2"}},
+				},
+				Feature("testTrigger"): {
+					APIVersion("v2"): {OperationID: "testTrigger", Method: "POST", Path: "/api/orchestration/v2/triggers/{triggerID}/test", Tags: []string{"orchestration.v2"}},
+				},
+			},
+		},
+		Product("payments"): {
+			APIVersions: []APIVersion{APIVersion("v1"), APIVersion("v3")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("addAccountToPool"): {
+					APIVersion("v1"): {OperationID: "addAccountToPool", Method: "POST", Path: "/api/payments/pools/{poolId}/accounts", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3AddAccountToPool", Method: "POST", Path: "/api/payments/v3/pools/{poolID}/accounts/{accountID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("addBankAccountToPaymentServiceUser"): {
+					APIVersion("v3"): {OperationID: "v3AddBankAccountToPaymentServiceUser", Method: "POST", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/bank-accounts/{bankAccountID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("approvePaymentInitiation"): {
+					APIVersion("v3"): {OperationID: "v3ApprovePaymentInitiation", Method: "POST", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}/approve", Tags: []string{"payments.v3"}},
+				},
+				Feature("connectorsTransfer"): {
+					APIVersion("v1"): {OperationID: "connectorsTransfer", Method: "POST", Path: "/api/payments/connectors/{connector}/transfers", Tags: []string{"payments.v1"}},
+				},
+				Feature("createAccount"): {
+					APIVersion("v1"): {OperationID: "createAccount", Method: "POST", Path: "/api/payments/accounts", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3CreateAccount", Method: "POST", Path: "/api/payments/v3/accounts", Tags: []string{"payments.v3"}},
+				},
+				Feature("createBankAccount"): {
+					APIVersion("v1"): {OperationID: "createBankAccount", Method: "POST", Path: "/api/payments/bank-accounts", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3CreateBankAccount", Method: "POST", Path: "/api/payments/v3/bank-accounts", Tags: []string{"payments.v3"}},
+				},
+				Feature("createLinkForPaymentServiceUser"): {
+					APIVersion("v3"): {OperationID: "v3CreateLinkForPaymentServiceUser", Method: "POST", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/create-link", Tags: []string{"payments.v3"}},
+				},
+				Feature("createPayment"): {
+					APIVersion("v1"): {OperationID: "createPayment", Method: "POST", Path: "/api/payments/payments", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3CreatePayment", Method: "POST", Path: "/api/payments/v3/payments", Tags: []string{"payments.v3"}},
+				},
+				Feature("createPaymentServiceUser"): {
+					APIVersion("v3"): {OperationID: "v3CreatePaymentServiceUser", Method: "POST", Path: "/api/payments/v3/payment-service-users", Tags: []string{"payments.v3"}},
+				},
+				Feature("createPool"): {
+					APIVersion("v1"): {OperationID: "createPool", Method: "POST", Path: "/api/payments/pools", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3CreatePool", Method: "POST", Path: "/api/payments/v3/pools", Tags: []string{"payments.v3"}},
+				},
+				Feature("createTransferInitiation"): {
+					APIVersion("v1"): {OperationID: "createTransferInitiation", Method: "POST", Path: "/api/payments/transfer-initiations", Tags: []string{"payments.v1"}},
+				},
+				Feature("deletePaymentInitiation"): {
+					APIVersion("v3"): {OperationID: "v3DeletePaymentInitiation", Method: "DELETE", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("deletePaymentServiceUser"): {
+					APIVersion("v3"): {OperationID: "v3DeletePaymentServiceUser", Method: "DELETE", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("deletePaymentServiceUserConnectionFromConnectorID"): {
+					APIVersion("v3"): {OperationID: "v3DeletePaymentServiceUserConnectionFromConnectorID", Method: "DELETE", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/connections/{connectionID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("deletePaymentServiceUserConnector"): {
+					APIVersion("v3"): {OperationID: "v3DeletePaymentServiceUserConnector", Method: "DELETE", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("deletePool"): {
+					APIVersion("v1"): {OperationID: "deletePool", Method: "DELETE", Path: "/api/payments/pools/{poolId}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3DeletePool", Method: "DELETE", Path: "/api/payments/v3/pools/{poolID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("deleteTransferInitiation"): {
+					APIVersion("v1"): {OperationID: "deleteTransferInitiation", Method: "DELETE", Path: "/api/payments/transfer-initiations/{transferId}", Tags: []string{"payments.v1"}},
+				},
+				Feature("forwardBankAccount"): {
+					APIVersion("v1"): {OperationID: "forwardBankAccount", Method: "POST", Path: "/api/payments/bank-accounts/{bankAccountId}/forward", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3ForwardBankAccount", Method: "POST", Path: "/api/payments/v3/bank-accounts/{bankAccountID}/forward", Tags: []string{"payments.v3"}},
+				},
+				Feature("forwardPaymentServiceUserBankAccount"): {
+					APIVersion("v3"): {OperationID: "v3ForwardPaymentServiceUserBankAccount", Method: "POST", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/bank-accounts/{bankAccountID}/forward", Tags: []string{"payments.v3"}},
+				},
+				Feature("forwardPaymentServiceUserToProvider"): {
+					APIVersion("v3"): {OperationID: "v3ForwardPaymentServiceUserToProvider", Method: "POST", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/forward", Tags: []string{"payments.v3"}},
+				},
+				Feature("getAccount"): {
+					APIVersion("v3"): {OperationID: "v3GetAccount", Method: "GET", Path: "/api/payments/v3/accounts/{accountID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getAccountBalances"): {
+					APIVersion("v1"): {OperationID: "getAccountBalances", Method: "GET", Path: "/api/payments/accounts/{accountId}/balances", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3GetAccountBalances", Method: "GET", Path: "/api/payments/v3/accounts/{accountID}/balances", Tags: []string{"payments.v3"}},
+				},
+				Feature("getAccount_payments"): {
+					APIVersion("v1"): {OperationID: "getAccount_payments", Method: "GET", Path: "/api/payments/accounts/{accountId}", Tags: []string{"payments.v1"}},
+				},
+				Feature("getBankAccount"): {
+					APIVersion("v1"): {OperationID: "getBankAccount", Method: "GET", Path: "/api/payments/bank-accounts/{bankAccountId}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3GetBankAccount", Method: "GET", Path: "/api/payments/v3/bank-accounts/{bankAccountID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getConnectorConfig"): {
+					APIVersion("v3"): {OperationID: "v3GetConnectorConfig", Method: "GET", Path: "/api/payments/v3/connectors/{connectorID}/config", Tags: []string{"payments.v3"}},
+				},
+				Feature("getConnectorSchedule"): {
+					APIVersion("v3"): {OperationID: "v3GetConnectorSchedule", Method: "GET", Path: "/api/payments/v3/connectors/{connectorID}/schedules/{scheduleID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getConnectorTask"): {
+					APIVersion("v1"): {OperationID: "getConnectorTask", Method: "GET", Path: "/api/payments/connectors/{connector}/tasks/{taskId}", Tags: []string{"payments.v1"}},
+				},
+				Feature("getConnectorTaskV1"): {
+					APIVersion("v1"): {OperationID: "getConnectorTaskV1", Method: "GET", Path: "/api/payments/connectors/{connector}/{connectorId}/tasks/{taskId}", Tags: []string{"payments.v1"}},
+				},
+				Feature("getPayment"): {
+					APIVersion("v1"): {OperationID: "getPayment", Method: "GET", Path: "/api/payments/payments/{paymentId}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3GetPayment", Method: "GET", Path: "/api/payments/v3/payments/{paymentID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getPaymentInitiation"): {
+					APIVersion("v3"): {OperationID: "v3GetPaymentInitiation", Method: "GET", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getPaymentServiceUser"): {
+					APIVersion("v3"): {OperationID: "v3GetPaymentServiceUser", Method: "GET", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getPaymentServiceUserLinkAttemptFromConnectorID"): {
+					APIVersion("v3"): {OperationID: "v3GetPaymentServiceUserLinkAttemptFromConnectorID", Method: "GET", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/link-attempts/{attemptID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getPool"): {
+					APIVersion("v1"): {OperationID: "getPool", Method: "GET", Path: "/api/payments/pools/{poolId}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3GetPool", Method: "GET", Path: "/api/payments/v3/pools/{poolID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getPoolBalances"): {
+					APIVersion("v1"): {OperationID: "getPoolBalances", Method: "GET", Path: "/api/payments/pools/{poolId}/balances", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3GetPoolBalances", Method: "GET", Path: "/api/payments/v3/pools/{poolID}/balances", Tags: []string{"payments.v3"}},
+				},
+				Feature("getPoolBalancesLatest"): {
+					APIVersion("v1"): {OperationID: "getPoolBalancesLatest", Method: "GET", Path: "/api/payments/pools/{poolId}/balances/latest", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3GetPoolBalancesLatest", Method: "GET", Path: "/api/payments/v3/pools/{poolID}/balances/latest", Tags: []string{"payments.v3"}},
+				},
+				Feature("getServerInfo_payments"): {
+					APIVersion("v1"): {OperationID: "getServerInfo_payments", Method: "GET", Path: "/api/payments/_info", Tags: []string{"payments.v1"}},
+				},
+				Feature("getTask"): {
+					APIVersion("v3"): {OperationID: "v3GetTask", Method: "GET", Path: "/api/payments/v3/tasks/{taskID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("getTransferInitiation"): {
+					APIVersion("v1"): {OperationID: "getTransferInitiation", Method: "GET", Path: "/api/payments/transfer-initiations/{transferId}", Tags: []string{"payments.v1"}},
+				},
+				Feature("initiatePayment"): {
+					APIVersion("v3"): {OperationID: "v3InitiatePayment", Method: "POST", Path: "/api/payments/v3/payment-initiations", Tags: []string{"payments.v3"}},
+				},
+				Feature("installConnector"): {
+					APIVersion("v1"): {OperationID: "installConnector", Method: "POST", Path: "/api/payments/connectors/{connector}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3InstallConnector", Method: "POST", Path: "/api/payments/v3/connectors/install/{connector}", Tags: []string{"payments.v3"}},
+				},
+				Feature("listAccounts"): {
+					APIVersion("v3"): {OperationID: "v3ListAccounts", Method: "GET", Path: "/api/payments/v3/accounts", Tags: []string{"payments.v3"}},
+				},
+				Feature("listAccounts_payments"): {
+					APIVersion("v1"): {OperationID: "listAccounts_payments", Method: "GET", Path: "/api/payments/accounts", Tags: []string{"payments.v1"}},
+				},
+				Feature("listAllConnectors"): {
+					APIVersion("v1"): {OperationID: "listAllConnectors", Method: "GET", Path: "/api/payments/connectors", Tags: []string{"payments.v1"}},
+				},
+				Feature("listBankAccounts"): {
+					APIVersion("v1"): {OperationID: "listBankAccounts", Method: "GET", Path: "/api/payments/bank-accounts", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3ListBankAccounts", Method: "GET", Path: "/api/payments/v3/bank-accounts", Tags: []string{"payments.v3"}},
+				},
+				Feature("listConfigsAvailableConnectors"): {
+					APIVersion("v1"): {OperationID: "listConfigsAvailableConnectors", Method: "GET", Path: "/api/payments/connectors/configs", Tags: []string{"payments.v1"}},
+				},
+				Feature("listConnectorConfigs"): {
+					APIVersion("v3"): {OperationID: "v3ListConnectorConfigs", Method: "GET", Path: "/api/payments/v3/connectors/configs", Tags: []string{"payments.v3"}},
+				},
+				Feature("listConnectorScheduleInstances"): {
+					APIVersion("v3"): {OperationID: "v3ListConnectorScheduleInstances", Method: "GET", Path: "/api/payments/v3/connectors/{connectorID}/schedules/{scheduleID}/instances", Tags: []string{"payments.v3"}},
+				},
+				Feature("listConnectorSchedules"): {
+					APIVersion("v3"): {OperationID: "v3ListConnectorSchedules", Method: "GET", Path: "/api/payments/v3/connectors/{connectorID}/schedules", Tags: []string{"payments.v3"}},
+				},
+				Feature("listConnectorTasks"): {
+					APIVersion("v1"): {OperationID: "listConnectorTasks", Method: "GET", Path: "/api/payments/connectors/{connector}/tasks", Tags: []string{"payments.v1"}},
+				},
+				Feature("listConnectorTasksV1"): {
+					APIVersion("v1"): {OperationID: "listConnectorTasksV1", Method: "GET", Path: "/api/payments/connectors/{connector}/{connectorId}/tasks", Tags: []string{"payments.v1"}},
+				},
+				Feature("listConnectors"): {
+					APIVersion("v3"): {OperationID: "v3ListConnectors", Method: "GET", Path: "/api/payments/v3/connectors", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentInitiationAdjustments"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentInitiationAdjustments", Method: "GET", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}/adjustments", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentInitiationRelatedPayments"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentInitiationRelatedPayments", Method: "GET", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}/payments", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentInitiations"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentInitiations", Method: "GET", Path: "/api/payments/v3/payment-initiations", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentServiceUserConnections"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentServiceUserConnections", Method: "GET", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connections", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentServiceUserConnectionsFromConnectorID"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentServiceUserConnectionsFromConnectorID", Method: "GET", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/connections", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentServiceUserLinkAttemptsFromConnectorID"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentServiceUserLinkAttemptsFromConnectorID", Method: "GET", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/link-attempts", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPaymentServiceUsers"): {
+					APIVersion("v3"): {OperationID: "v3ListPaymentServiceUsers", Method: "GET", Path: "/api/payments/v3/payment-service-users", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPayments"): {
+					APIVersion("v1"): {OperationID: "listPayments", Method: "GET", Path: "/api/payments/payments", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3ListPayments", Method: "GET", Path: "/api/payments/v3/payments", Tags: []string{"payments.v3"}},
+				},
+				Feature("listPools"): {
+					APIVersion("v1"): {OperationID: "listPools", Method: "GET", Path: "/api/payments/pools", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3ListPools", Method: "GET", Path: "/api/payments/v3/pools", Tags: []string{"payments.v3"}},
+				},
+				Feature("listTransferInitiations"): {
+					APIVersion("v1"): {OperationID: "listTransferInitiations", Method: "GET", Path: "/api/payments/transfer-initiations", Tags: []string{"payments.v1"}},
+				},
+				Feature("readConnectorConfig"): {
+					APIVersion("v1"): {OperationID: "readConnectorConfig", Method: "GET", Path: "/api/payments/connectors/{connector}/config", Tags: []string{"payments.v1"}},
+				},
+				Feature("readConnectorConfigV1"): {
+					APIVersion("v1"): {OperationID: "readConnectorConfigV1", Method: "GET", Path: "/api/payments/connectors/{connector}/{connectorId}/config", Tags: []string{"payments.v1"}},
+				},
+				Feature("rejectPaymentInitiation"): {
+					APIVersion("v3"): {OperationID: "v3RejectPaymentInitiation", Method: "POST", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}/reject", Tags: []string{"payments.v3"}},
+				},
+				Feature("removeAccountFromPool"): {
+					APIVersion("v1"): {OperationID: "removeAccountFromPool", Method: "DELETE", Path: "/api/payments/pools/{poolId}/accounts/{accountId}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3RemoveAccountFromPool", Method: "DELETE", Path: "/api/payments/v3/pools/{poolID}/accounts/{accountID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("resetConnector"): {
+					APIVersion("v1"): {OperationID: "resetConnector", Method: "POST", Path: "/api/payments/connectors/{connector}/reset", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3ResetConnector", Method: "POST", Path: "/api/payments/v3/connectors/{connectorID}/reset", Tags: []string{"payments.v3"}},
+				},
+				Feature("resetConnectorV1"): {
+					APIVersion("v1"): {OperationID: "resetConnectorV1", Method: "POST", Path: "/api/payments/connectors/{connector}/{connectorId}/reset", Tags: []string{"payments.v1"}},
+				},
+				Feature("retryPaymentInitiation"): {
+					APIVersion("v3"): {OperationID: "v3RetryPaymentInitiation", Method: "POST", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}/retry", Tags: []string{"payments.v3"}},
+				},
+				Feature("retryTransferInitiation"): {
+					APIVersion("v1"): {OperationID: "retryTransferInitiation", Method: "POST", Path: "/api/payments/transfer-initiations/{transferId}/retry", Tags: []string{"payments.v1"}},
+				},
+				Feature("reversePaymentInitiation"): {
+					APIVersion("v3"): {OperationID: "v3ReversePaymentInitiation", Method: "POST", Path: "/api/payments/v3/payment-initiations/{paymentInitiationID}/reverse", Tags: []string{"payments.v3"}},
+				},
+				Feature("reverseTransferInitiation"): {
+					APIVersion("v1"): {OperationID: "reverseTransferInitiation", Method: "POST", Path: "/api/payments/transfer-initiations/{transferId}/reverse", Tags: []string{"payments.v1"}},
+				},
+				Feature("uninstallConnector"): {
+					APIVersion("v1"): {OperationID: "uninstallConnector", Method: "DELETE", Path: "/api/payments/connectors/{connector}", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3UninstallConnector", Method: "DELETE", Path: "/api/payments/v3/connectors/{connectorID}", Tags: []string{"payments.v3"}},
+				},
+				Feature("uninstallConnectorV1"): {
+					APIVersion("v1"): {OperationID: "uninstallConnectorV1", Method: "DELETE", Path: "/api/payments/connectors/{connector}/{connectorId}", Tags: []string{"payments.v1"}},
+				},
+				Feature("updateBankAccountMetadata"): {
+					APIVersion("v1"): {OperationID: "updateBankAccountMetadata", Method: "PATCH", Path: "/api/payments/bank-accounts/{bankAccountId}/metadata", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3UpdateBankAccountMetadata", Method: "PATCH", Path: "/api/payments/v3/bank-accounts/{bankAccountID}/metadata", Tags: []string{"payments.v3"}},
+				},
+				Feature("updateConnectorConfig"): {
+					APIVersion("v3"): {OperationID: "v3UpdateConnectorConfig", Method: "PATCH", Path: "/api/payments/v3/connectors/{connectorID}/config", Tags: []string{"payments.v3"}},
+				},
+				Feature("updateConnectorConfigV1"): {
+					APIVersion("v1"): {OperationID: "updateConnectorConfigV1", Method: "POST", Path: "/api/payments/connectors/{connector}/{connectorId}/config", Tags: []string{"payments.v1"}},
+				},
+				Feature("updateLinkForPaymentServiceUserOnConnector"): {
+					APIVersion("v3"): {OperationID: "v3UpdateLinkForPaymentServiceUserOnConnector", Method: "POST", Path: "/api/payments/v3/payment-service-users/{paymentServiceUserID}/connectors/{connectorID}/connections/{connectionID}/update-link", Tags: []string{"payments.v3"}},
+				},
+				Feature("updateMetadata"): {
+					APIVersion("v1"): {OperationID: "updateMetadata", Method: "PATCH", Path: "/api/payments/payments/{paymentId}/metadata", Tags: []string{"payments.v1"}},
+				},
+				Feature("updatePaymentMetadata"): {
+					APIVersion("v3"): {OperationID: "v3UpdatePaymentMetadata", Method: "PATCH", Path: "/api/payments/v3/payments/{paymentID}/metadata", Tags: []string{"payments.v3"}},
+				},
+				Feature("updatePoolQuery"): {
+					APIVersion("v1"): {OperationID: "updatePoolQuery", Method: "PATCH", Path: "/api/payments/pools/{poolId}/query", Tags: []string{"payments.v1"}},
+					APIVersion("v3"): {OperationID: "v3UpdatePoolQuery", Method: "PATCH", Path: "/api/payments/v3/pools/{poolID}/query", Tags: []string{"payments.v3"}},
+				},
+				Feature("updateTransferInitiationStatus"): {
+					APIVersion("v1"): {OperationID: "updateTransferInitiationStatus", Method: "POST", Path: "/api/payments/transfer-initiations/{transferId}/status", Tags: []string{"payments.v1"}},
+				},
+			},
+		},
+		Product("reconciliation"): {
+			APIVersions: []APIVersion{APIVersion("v1")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("createPolicy"): {
+					APIVersion("v1"): {OperationID: "createPolicy", Method: "POST", Path: "/api/reconciliation/policies", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("deletePolicy"): {
+					APIVersion("v1"): {OperationID: "deletePolicy", Method: "DELETE", Path: "/api/reconciliation/policies/{policyID}", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("getPolicy"): {
+					APIVersion("v1"): {OperationID: "getPolicy", Method: "GET", Path: "/api/reconciliation/policies/{policyID}", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("getReconciliation"): {
+					APIVersion("v1"): {OperationID: "getReconciliation", Method: "GET", Path: "/api/reconciliation/reconciliations/{reconciliationID}", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("getServerInfo_reconciliation"): {
+					APIVersion("v1"): {OperationID: "getServerInfo_reconciliation", Method: "GET", Path: "/api/reconciliation/_info", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("listPolicies"): {
+					APIVersion("v1"): {OperationID: "listPolicies", Method: "GET", Path: "/api/reconciliation/policies", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("listReconciliations"): {
+					APIVersion("v1"): {OperationID: "listReconciliations", Method: "GET", Path: "/api/reconciliation/reconciliations", Tags: []string{"reconciliation.v1"}},
+				},
+				Feature("reconcile"): {
+					APIVersion("v1"): {OperationID: "reconcile", Method: "POST", Path: "/api/reconciliation/policies/{policyID}/reconciliation", Tags: []string{"reconciliation.v1"}},
+				},
+			},
+		},
+		Product("wallets"): {
+			APIVersions: []APIVersion{APIVersion("v1")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("confirmHold"): {
+					APIVersion("v1"): {OperationID: "confirmHold", Method: "POST", Path: "/api/wallets/holds/{hold_id}/confirm", Tags: []string{"wallets.v1"}},
+				},
+				Feature("createBalance"): {
+					APIVersion("v1"): {OperationID: "createBalance", Method: "POST", Path: "/api/wallets/wallets/{id}/balances", Tags: []string{"wallets.v1"}},
+				},
+				Feature("createWallet"): {
+					APIVersion("v1"): {OperationID: "createWallet", Method: "POST", Path: "/api/wallets/wallets", Tags: []string{"wallets.v1"}},
+				},
+				Feature("creditWallet"): {
+					APIVersion("v1"): {OperationID: "creditWallet", Method: "POST", Path: "/api/wallets/wallets/{id}/credit", Tags: []string{"wallets.v1"}},
+				},
+				Feature("debitWallet"): {
+					APIVersion("v1"): {OperationID: "debitWallet", Method: "POST", Path: "/api/wallets/wallets/{id}/debit", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getBalance"): {
+					APIVersion("v1"): {OperationID: "getBalance", Method: "GET", Path: "/api/wallets/wallets/{id}/balances/{balanceName}", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getHold"): {
+					APIVersion("v1"): {OperationID: "getHold", Method: "GET", Path: "/api/wallets/holds/{holdID}", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getHolds"): {
+					APIVersion("v1"): {OperationID: "getHolds", Method: "GET", Path: "/api/wallets/holds", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getServerInfo_wallets"): {
+					APIVersion("v1"): {OperationID: "getServerInfo_wallets", Method: "GET", Path: "/api/wallets/_info", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getTransactions"): {
+					APIVersion("v1"): {OperationID: "getTransactions", Method: "GET", Path: "/api/wallets/transactions", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getWallet"): {
+					APIVersion("v1"): {OperationID: "getWallet", Method: "GET", Path: "/api/wallets/wallets/{id}", Tags: []string{"wallets.v1"}},
+				},
+				Feature("getWalletSummary"): {
+					APIVersion("v1"): {OperationID: "getWalletSummary", Method: "GET", Path: "/api/wallets/wallets/{id}/summary", Tags: []string{"wallets.v1"}},
+				},
+				Feature("listBalances"): {
+					APIVersion("v1"): {OperationID: "listBalances", Method: "GET", Path: "/api/wallets/wallets/{id}/balances", Tags: []string{"wallets.v1"}},
+				},
+				Feature("listWallets"): {
+					APIVersion("v1"): {OperationID: "listWallets", Method: "GET", Path: "/api/wallets/wallets", Tags: []string{"wallets.v1"}},
+				},
+				Feature("updateWallet"): {
+					APIVersion("v1"): {OperationID: "updateWallet", Method: "PATCH", Path: "/api/wallets/wallets/{id}", Tags: []string{"wallets.v1"}},
+				},
+				Feature("voidHold"): {
+					APIVersion("v1"): {OperationID: "voidHold", Method: "POST", Path: "/api/wallets/holds/{hold_id}/void", Tags: []string{"wallets.v1"}},
+				},
+			},
+		},
+		Product("webhooks"): {
+			APIVersions: []APIVersion{APIVersion("v1")},
+			Operations: map[Feature]map[APIVersion]Operation{
+				Feature("activateConfig"): {
+					APIVersion("v1"): {OperationID: "activateConfig", Method: "PUT", Path: "/api/webhooks/configs/{id}/activate", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("changeConfigSecret"): {
+					APIVersion("v1"): {OperationID: "changeConfigSecret", Method: "PUT", Path: "/api/webhooks/configs/{id}/secret/change", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("deactivateConfig"): {
+					APIVersion("v1"): {OperationID: "deactivateConfig", Method: "PUT", Path: "/api/webhooks/configs/{id}/deactivate", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("deleteConfig"): {
+					APIVersion("v1"): {OperationID: "deleteConfig", Method: "DELETE", Path: "/api/webhooks/configs/{id}", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("getManyConfigs"): {
+					APIVersion("v1"): {OperationID: "getManyConfigs", Method: "GET", Path: "/api/webhooks/configs", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("insertConfig"): {
+					APIVersion("v1"): {OperationID: "insertConfig", Method: "POST", Path: "/api/webhooks/configs", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("testConfig"): {
+					APIVersion("v1"): {OperationID: "testConfig", Method: "GET", Path: "/api/webhooks/configs/{id}/test", Tags: []string{"webhooks.v1"}},
+				},
+				Feature("updateConfig"): {
+					APIVersion("v1"): {OperationID: "updateConfig", Method: "PUT", Path: "/api/webhooks/configs/{id}", Tags: []string{"webhooks.v1"}},
+				},
+			},
+		},
+	},
+}
diff --git a/v4/internal/capabilities/openapi.go b/v4/internal/capabilities/openapi.go
new file mode 100644
index 00000000..ff28a835
--- /dev/null
+++ b/v4/internal/capabilities/openapi.go
@@ -0,0 +1,155 @@
+package capabilities
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"regexp"
+	"sort"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+var versionedTagPattern = regexp.MustCompile(`^([A-Za-z0-9_-]+)\.(v[0-9]+)$`)
+var pathVersionPattern = regexp.MustCompile(`^/api/([^/]+)/((?:v)[0-9]+)(?:/|$)`)
+var retiredProducts = map[Product]struct{}{
+	"search": {},
+}
+
+func ParseOpenAPIManifest(reader io.Reader) (Manifest, error) {
+	var document openAPIDocument
+	if err := json.NewDecoder(reader).Decode(&document); err != nil {
+		return Manifest{}, fmt.Errorf("decode openapi document: %w", err)
+	}
+
+	manifest := Manifest{
+		SpecVersion: document.Info.Version,
+		Products:    map[Product]ProductManifest{},
+	}
+
+	paths := make([]string, 0, len(document.Paths))
+	for path := range document.Paths {
+		paths = append(paths, path)
+	}
+	sort.Strings(paths)
+
+	for _, path := range paths {
+		pathItem := document.Paths[path]
+		methods := make([]string, 0, len(pathItem))
+		for method := range pathItem {
+			methods = append(methods, method)
+		}
+		sort.Strings(methods)
+
+		for _, method := range methods {
+			if !isHTTPMethod(method) {
+				continue
+			}
+			var operation openAPIOperation
+			if err := json.Unmarshal(pathItem[method], &operation); err != nil {
+				return Manifest{}, fmt.Errorf("decode operation %s %s: %w", method, path, err)
+			}
+			if operation.OperationID == "" {
+				continue
+			}
+
+			product, apiVersion, ok := operationProductVersion(path, operation.Tags)
+			if !ok {
+				continue
+			}
+			if _, retired := retiredProducts[product]; retired {
+				continue
+			}
+
+			productManifest := manifest.Products[product]
+			if productManifest.Operations == nil {
+				productManifest.Operations = map[Feature]map[APIVersion]Operation{}
+			}
+			productManifest.APIVersions = append(productManifest.APIVersions, apiVersion)
+
+			feature := Feature(canonicalFeature(operation.OperationID))
+			if productManifest.Operations[feature] == nil {
+				productManifest.Operations[feature] = map[APIVersion]Operation{}
+			}
+			productManifest.Operations[feature][apiVersion] = Operation{
+				OperationID: operation.OperationID,
+				Method:      strings.ToUpper(method),
+				Path:        path,
+				Tags:        append([]string(nil), operation.Tags...),
+			}
+			manifest.Products[product] = productManifest
+		}
+	}
+
+	for product, productManifest := range manifest.Products {
+		productManifest.APIVersions = UniqueSortedAPIVersions(productManifest.APIVersions)
+		manifest.Products[product] = productManifest
+	}
+
+	return manifest, nil
+}
+
+func operationProductVersion(path string, tags []string) (Product, APIVersion, bool) {
+	for _, tag := range tags {
+		matches := versionedTagPattern.FindStringSubmatch(tag)
+		if len(matches) == 3 {
+			return Product(matches[1]), APIVersion(matches[2]), true
+		}
+	}
+
+	matches := pathVersionPattern.FindStringSubmatch(path)
+	if len(matches) == 3 {
+		return Product(matches[1]), APIVersion(matches[2]), true
+	}
+
+	return "", "", false
+}
+
+func canonicalFeature(operationID string) string {
+	for {
+		if len(operationID) < 3 || operationID[0] != 'v' {
+			break
+		}
+		i := 1
+		for i < len(operationID) && operationID[i] >= '0' && operationID[i] <= '9' {
+			i++
+		}
+		if i == 1 || i >= len(operationID) {
+			break
+		}
+		operationID = operationID[i:]
+		break
+	}
+	if operationID == "" {
+		return operationID
+	}
+	r, size := utf8.DecodeRuneInString(operationID)
+	if r == utf8.RuneError {
+		return operationID
+	}
+	return string(unicode.ToLower(r)) + operationID[size:]
+}
+
+type openAPIDocument struct {
+	Info  openAPIInfo                           `json:"info"`
+	Paths map[string]map[string]json.RawMessage `json:"paths"`
+}
+
+type openAPIInfo struct {
+	Version string `json:"version"`
+}
+
+type openAPIOperation struct {
+	OperationID string   `json:"operationId"`
+	Tags        []string `json:"tags"`
+}
+
+func isHTTPMethod(method string) bool {
+	switch strings.ToLower(method) {
+	case "get", "put", "post", "delete", "options", "head", "patch", "trace":
+		return true
+	default:
+		return false
+	}
+}
diff --git a/v4/internal/capabilities/openapi_test.go b/v4/internal/capabilities/openapi_test.go
new file mode 100644
index 00000000..a1eecfc5
--- /dev/null
+++ b/v4/internal/capabilities/openapi_test.go
@@ -0,0 +1,71 @@
+package capabilities
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestParseOpenAPIManifest(t *testing.T) {
+	const document = `{
+	  "info": {"version": "v-test"},
+	  "paths": {
+	    "/api/ledger/{ledger}/transactions": {
+	      "get": {"operationId": "listTransactions", "tags": ["ledger.v1"]}
+	    },
+	    "/api/ledger/v2/{ledger}/transactions": {
+	      "get": {"operationId": "v2ListTransactions", "tags": ["ledger.v2"]}
+	    },
+	    "/api/payments/v3/payments": {
+	      "get": {"operationId": "v3ListPayments", "tags": ["payments.v3"]}
+	    },
+	    "/api/search/": {
+	      "post": {"operationId": "search", "tags": ["search.v1"]}
+	    },
+	    "/versions": {
+	      "get": {"operationId": "getVersions", "tags": []}
+	    }
+	  }
+	}`
+
+	manifest, err := ParseOpenAPIManifest(strings.NewReader(document))
+	if err != nil {
+		t.Fatalf("parse manifest: %v", err)
+	}
+	if manifest.SpecVersion != "v-test" {
+		t.Fatalf("expected spec version v-test, got %q", manifest.SpecVersion)
+	}
+
+	ledger := manifest.Products["ledger"]
+	assertAPIVersions(t, ledger.APIVersions, []APIVersion{"v1", "v2"})
+	if ledger.Operations["listTransactions"]["v1"].OperationID != "listTransactions" {
+		t.Fatalf("missing ledger v1 listTransactions operation")
+	}
+	if ledger.Operations["listTransactions"]["v2"].OperationID != "v2ListTransactions" {
+		t.Fatalf("missing ledger v2 listTransactions operation")
+	}
+
+	payments := manifest.Products["payments"]
+	assertAPIVersions(t, payments.APIVersions, []APIVersion{"v3"})
+	if payments.Operations["listPayments"]["v3"].Path != "/api/payments/v3/payments" {
+		t.Fatalf("missing payments v3 listPayments operation")
+	}
+	if _, ok := manifest.Products["versions"]; ok {
+		t.Fatalf("/versions should not be included as a product")
+	}
+	if _, ok := manifest.Products["search"]; ok {
+		t.Fatalf("retired search product should not be included")
+	}
+}
+
+func TestCanonicalFeature(t *testing.T) {
+	tests := map[string]string{
+		"listTransactions":   "listTransactions",
+		"v2ListTransactions": "listTransactions",
+		"CreateTransactions": "createTransactions",
+	}
+	for input, expected := range tests {
+		if got := canonicalFeature(input); got != expected {
+			t.Fatalf("expected %s -> %s, got %s", input, expected, got)
+		}
+	}
+}
diff --git a/v4/internal/capabilities/resolver.go b/v4/internal/capabilities/resolver.go
new file mode 100644
index 00000000..f73ec619
--- /dev/null
+++ b/v4/internal/capabilities/resolver.go
@@ -0,0 +1,128 @@
+package capabilities
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+type VersionPolicy string
+
+const (
+	VersionPolicyLatestCompatible VersionPolicy = "latest-compatible"
+	VersionPolicyPinned           VersionPolicy = "pinned"
+	VersionPolicyLatest           VersionPolicy = "latest"
+)
+
+type VersionResolutionRequest struct {
+	Product          Product
+	Feature          Feature
+	ComponentVersion string
+	Compatibility    ComponentCompatibility
+	HandlerVersions  []APIVersion
+	Policy           VersionPolicy
+	PinnedVersion    APIVersion
+}
+
+type UnsupportedFeatureError struct {
+	Product          Product
+	Feature          Feature
+	ComponentVersion string
+	Supported        []APIVersion
+	Handlers         []APIVersion
+	PinnedVersion    APIVersion
+}
+
+func (e *UnsupportedFeatureError) Error() string {
+	if e.PinnedVersion != "" {
+		return fmt.Sprintf("%s.%s does not support pinned api version %s; target supports %s and command supports %s",
+			e.Product, e.Feature, e.PinnedVersion, joinAPIVersions(e.Supported), joinAPIVersions(e.Handlers))
+	}
+	return fmt.Sprintf("%s.%s is not supported by component version %s; target supports %s and command supports %s",
+		e.Product, e.Feature, e.ComponentVersion, joinAPIVersions(e.Supported), joinAPIVersions(e.Handlers))
+}
+
+func ResolveAPIVersion(request VersionResolutionRequest) (APIVersion, error) {
+	if request.Policy == "" {
+		request.Policy = VersionPolicyLatestCompatible
+	}
+	if request.Product == "" {
+		return "", errors.New("product is required")
+	}
+	if request.ComponentVersion == "" {
+		return "", errors.New("component version is required")
+	}
+	if len(request.HandlerVersions) == 0 {
+		return "", errors.New("handler versions are required")
+	}
+
+	supported, err := request.Compatibility.APIVersionsFor(request.Product, request.ComponentVersion)
+	if err != nil {
+		return "", err
+	}
+	handlers := UniqueSortedAPIVersions(request.HandlerVersions)
+
+	if request.Policy == VersionPolicyPinned {
+		if request.PinnedVersion == "" {
+			return "", errors.New("pinned api version is required")
+		}
+		if containsAPIVersion(supported, request.PinnedVersion) && containsAPIVersion(handlers, request.PinnedVersion) {
+			return request.PinnedVersion, nil
+		}
+		return "", &UnsupportedFeatureError{
+			Product:          request.Product,
+			Feature:          request.Feature,
+			ComponentVersion: request.ComponentVersion,
+			Supported:        supported,
+			Handlers:         handlers,
+			PinnedVersion:    request.PinnedVersion,
+		}
+	}
+
+	intersection := intersectAPIVersions(supported, handlers)
+	if selected, ok := HighestAPIVersion(intersection); ok {
+		return selected, nil
+	}
+	return "", &UnsupportedFeatureError{
+		Product:          request.Product,
+		Feature:          request.Feature,
+		ComponentVersion: request.ComponentVersion,
+		Supported:        supported,
+		Handlers:         handlers,
+	}
+}
+
+func intersectAPIVersions(a, b []APIVersion) []APIVersion {
+	seen := map[APIVersion]struct{}{}
+	for _, version := range a {
+		seen[version] = struct{}{}
+	}
+	var ret []APIVersion
+	for _, version := range b {
+		if _, ok := seen[version]; ok {
+			ret = append(ret, version)
+		}
+	}
+	return UniqueSortedAPIVersions(ret)
+}
+
+func containsAPIVersion(versions []APIVersion, version APIVersion) bool {
+	for _, candidate := range versions {
+		if candidate == version {
+			return true
+		}
+	}
+	return false
+}
+
+func joinAPIVersions(versions []APIVersion) string {
+	versions = UniqueSortedAPIVersions(versions)
+	if len(versions) == 0 {
+		return "<none>"
+	}
+	parts := make([]string, len(versions))
+	for i, version := range versions {
+		parts[i] = string(version)
+	}
+	return strings.Join(parts, ",")
+}
diff --git a/v4/internal/capabilities/resolver_test.go b/v4/internal/capabilities/resolver_test.go
new file mode 100644
index 00000000..e753236c
--- /dev/null
+++ b/v4/internal/capabilities/resolver_test.go
@@ -0,0 +1,65 @@
+package capabilities
+
+import (
+	"errors"
+	"testing"
+)
+
+func TestResolveAPIVersionSelectsHighestCompatible(t *testing.T) {
+	selected, err := ResolveAPIVersion(VersionResolutionRequest{
+		Product:          "ledger",
+		Feature:          "listTransactions",
+		ComponentVersion: "2.3.4",
+		Compatibility: ComponentCompatibility{
+			{Product: "ledger", Range: ">=2.0.0 <3.0.0", APIVersions: []APIVersion{"v1", "v2"}},
+		},
+		HandlerVersions: []APIVersion{"v1", "v2", "v3"},
+		Policy:          VersionPolicyLatestCompatible,
+	})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if selected != "v2" {
+		t.Fatalf("expected v2, got %q", selected)
+	}
+}
+
+func TestResolveAPIVersionHonorsPinned(t *testing.T) {
+	selected, err := ResolveAPIVersion(VersionResolutionRequest{
+		Product:          "ledger",
+		Feature:          "listTransactions",
+		ComponentVersion: "2.3.4",
+		Compatibility: ComponentCompatibility{
+			{Product: "ledger", Range: ">=2.0.0 <3.0.0", APIVersions: []APIVersion{"v1", "v2"}},
+		},
+		HandlerVersions: []APIVersion{"v1", "v2"},
+		Policy:          VersionPolicyPinned,
+		PinnedVersion:   "v1",
+	})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if selected != "v1" {
+		t.Fatalf("expected v1, got %q", selected)
+	}
+}
+
+func TestResolveAPIVersionReturnsUnsupportedFeatureError(t *testing.T) {
+	_, err := ResolveAPIVersion(VersionResolutionRequest{
+		Product:          "ledger",
+		Feature:          "explainTransaction",
+		ComponentVersion: "2.3.4",
+		Compatibility: ComponentCompatibility{
+			{Product: "ledger", Range: ">=2.0.0 <3.0.0", APIVersions: []APIVersion{"v1", "v2"}},
+		},
+		HandlerVersions: []APIVersion{"v3"},
+		Policy:          VersionPolicyLatestCompatible,
+	})
+	if err == nil {
+		t.Fatal("expected unsupported feature error")
+	}
+	var unsupported *UnsupportedFeatureError
+	if !errors.As(err, &unsupported) {
+		t.Fatalf("expected UnsupportedFeatureError, got %T %v", err, err)
+	}
+}
diff --git a/v4/internal/commands/auth/auth.go b/v4/internal/commands/auth/auth.go
new file mode 100644
index 00000000..a5f54d69
--- /dev/null
+++ b/v4/internal/commands/auth/auth.go
@@ -0,0 +1,653 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductAuth capabilities.Product = "auth"
+
+	FeatureCreateClient capabilities.Feature = "createClient"
+	FeatureCreateSecret capabilities.Feature = "createSecret"
+	FeatureDeleteClient capabilities.Feature = "deleteClient"
+	FeatureDeleteSecret capabilities.Feature = "deleteSecret"
+	FeatureListClients  capabilities.Feature = "listClients"
+	FeatureReadClient   capabilities.Feature = "readClient"
+	FeatureListUsers    capabilities.Feature = "listUsers"
+	FeatureReadUser     capabilities.Feature = "readUser"
+	FeatureUpdateClient capabilities.Feature = "updateClient"
+)
+
+type ClientSecretSummary struct {
+	ID         string            `json:"id" yaml:"id"`
+	Name       string            `json:"name" yaml:"name"`
+	LastDigits string            `json:"lastDigits" yaml:"lastDigits"`
+	Metadata   map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type ClientSummary struct {
+	ID                     string                `json:"id" yaml:"id"`
+	Name                   string                `json:"name" yaml:"name"`
+	Description            string                `json:"description,omitempty" yaml:"description,omitempty"`
+	Metadata               map[string]string     `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Scopes                 []string              `json:"scopes,omitempty" yaml:"scopes,omitempty"`
+	RedirectURIs           []string              `json:"redirectUris,omitempty" yaml:"redirectUris,omitempty"`
+	PostLogoutRedirectURIs []string              `json:"postLogoutRedirectUris,omitempty" yaml:"postLogoutRedirectUris,omitempty"`
+	Public                 *bool                 `json:"public,omitempty" yaml:"public,omitempty"`
+	Trusted                *bool                 `json:"trusted,omitempty" yaml:"trusted,omitempty"`
+	Secrets                []ClientSecretSummary `json:"secrets,omitempty" yaml:"secrets,omitempty"`
+}
+
+type UserSummary struct {
+	ID      string `json:"id,omitempty" yaml:"id,omitempty"`
+	Email   string `json:"email,omitempty" yaml:"email,omitempty"`
+	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
+}
+
+type ListClientsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Clients    []ClientSummary         `json:"clients" yaml:"clients"`
+}
+
+type ClientMutationInput struct {
+	ClientID               string
+	Name                   string
+	Description            *string
+	Metadata               map[string]string
+	Scopes                 []string
+	RedirectURIs           []string
+	PostLogoutRedirectURIs []string
+	Public                 *bool
+	Trusted                *bool
+}
+
+type ClientMutationOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Client     ClientSummary           `json:"client" yaml:"client"`
+}
+
+type GetClientInput struct {
+	ClientID string
+}
+
+type GetClientOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Client     ClientSummary           `json:"client" yaml:"client"`
+}
+
+type DeleteClientInput struct {
+	ClientID string
+}
+
+type DeleteClientOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ClientID   string                  `json:"clientID" yaml:"clientID"`
+}
+
+type CreateSecretInput struct {
+	ClientID string
+	Name     string
+	Metadata map[string]string
+}
+
+type SecretSummary struct {
+	ID         string            `json:"id" yaml:"id"`
+	Name       string            `json:"name" yaml:"name"`
+	LastDigits string            `json:"lastDigits" yaml:"lastDigits"`
+	Clear      string            `json:"clear,omitempty" yaml:"clear,omitempty"`
+	Metadata   map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type CreateSecretOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ClientID   string                  `json:"clientID" yaml:"clientID"`
+	Secret     SecretSummary           `json:"secret" yaml:"secret"`
+}
+
+type DeleteSecretInput struct {
+	ClientID string
+	SecretID string
+}
+
+type DeleteSecretOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ClientID   string                  `json:"clientID" yaml:"clientID"`
+	SecretID   string                  `json:"secretID" yaml:"secretID"`
+}
+
+type ListUsersOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Users      []UserSummary           `json:"users" yaml:"users"`
+}
+
+type GetUserInput struct {
+	UserID string
+}
+
+type GetUserOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	User       UserSummary             `json:"user" yaml:"user"`
+}
+
+type ListClientsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context) (ListClientsOutput, error)
+}
+
+type ClientMutationHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ClientMutationInput) (ClientMutationOutput, error)
+}
+
+type GetClientHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetClientInput) (GetClientOutput, error)
+}
+
+type DeleteClientHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteClientInput) (DeleteClientOutput, error)
+}
+
+type CreateSecretHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateSecretInput) (CreateSecretOutput, error)
+}
+
+type DeleteSecretHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteSecretInput) (DeleteSecretOutput, error)
+}
+
+type ListUsersHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context) (ListUsersOutput, error)
+}
+
+type GetUserHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetUserInput) (GetUserOutput, error)
+}
+
+type ListClientsService struct {
+	Handlers []ListClientsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateClientService struct {
+	Handlers []ClientMutationHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetClientService struct {
+	Handlers []GetClientHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type UpdateClientService struct {
+	Handlers []ClientMutationHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteClientService struct {
+	Handlers []DeleteClientHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateSecretService struct {
+	Handlers []CreateSecretHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteSecretService struct {
+	Handlers []DeleteSecretHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListUsersService struct {
+	Handlers []ListUsersHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetUserService struct {
+	Handlers []GetUserHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListClientsService) Run(ctx context.Context) (ListClientsOutput, error) {
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ListClientsHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ListClientsOutput{}, err
+	}
+	output, err := handler.Run(ctx)
+	if err != nil {
+		return ListClientsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateClientService) Run(ctx context.Context, input ClientMutationInput) (ClientMutationOutput, error) {
+	if input.Name == "" {
+		return ClientMutationOutput{}, fmt.Errorf("client name is required")
+	}
+	return runClientMutationService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s GetClientService) Run(ctx context.Context, input GetClientInput) (GetClientOutput, error) {
+	if input.ClientID == "" {
+		return GetClientOutput{}, fmt.Errorf("client id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler GetClientHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return GetClientOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetClientOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s UpdateClientService) Run(ctx context.Context, input ClientMutationInput) (ClientMutationOutput, error) {
+	if input.ClientID == "" {
+		return ClientMutationOutput{}, fmt.Errorf("client id is required")
+	}
+	if input.Name == "" {
+		return ClientMutationOutput{}, fmt.Errorf("client name is required")
+	}
+	return runClientMutationService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s DeleteClientService) Run(ctx context.Context, input DeleteClientInput) (DeleteClientOutput, error) {
+	if input.ClientID == "" {
+		return DeleteClientOutput{}, fmt.Errorf("client id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler DeleteClientHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return DeleteClientOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteClientOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateSecretService) Run(ctx context.Context, input CreateSecretInput) (CreateSecretOutput, error) {
+	if input.ClientID == "" {
+		return CreateSecretOutput{}, fmt.Errorf("client id is required")
+	}
+	if input.Name == "" {
+		return CreateSecretOutput{}, fmt.Errorf("secret name is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler CreateSecretHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return CreateSecretOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateSecretOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s DeleteSecretService) Run(ctx context.Context, input DeleteSecretInput) (DeleteSecretOutput, error) {
+	if input.ClientID == "" {
+		return DeleteSecretOutput{}, fmt.Errorf("client id is required")
+	}
+	if input.SecretID == "" {
+		return DeleteSecretOutput{}, fmt.Errorf("secret id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler DeleteSecretHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return DeleteSecretOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteSecretOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ListUsersService) Run(ctx context.Context) (ListUsersOutput, error) {
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ListUsersHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ListUsersOutput{}, err
+	}
+	output, err := handler.Run(ctx)
+	if err != nil {
+		return ListUsersOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetUserService) Run(ctx context.Context, input GetUserInput) (GetUserOutput, error) {
+	if input.UserID == "" {
+		return GetUserOutput{}, fmt.Errorf("user id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler GetUserHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return GetUserOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetUserOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func runClientMutationService(
+	ctx context.Context,
+	input ClientMutationInput,
+	serviceHandlers []ClientMutationHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (ClientMutationOutput, error) {
+	handler, selected, err := resolveHandler(ctx, serviceHandlers, resolve, func(handler ClientMutationHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ClientMutationOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ClientMutationOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func resolveHandler[H any](
+	ctx context.Context,
+	serviceHandlers []H,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+	versionOf func(H) capabilities.APIVersion,
+) (H, capabilities.APIVersion, error) {
+	var zero H
+	handlerVersions := make([]capabilities.APIVersion, 0, len(serviceHandlers))
+	handlers := map[capabilities.APIVersion]H{}
+	for _, handler := range serviceHandlers {
+		version := versionOf(handler)
+		handlerVersions = append(handlerVersions, version)
+		handlers[version] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return zero, "", err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return zero, "", fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	return handler, selected, nil
+}
+
+func SDKCreateClientHandlers(sdk *formance.Formance) []ClientMutationHandler {
+	return []ClientMutationHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ClientMutationInput) (ClientMutationOutput, error) {
+				response, err := sdk.Auth.V1.CreateClient(ctx, clientRequest(input))
+				if err != nil {
+					return ClientMutationOutput{}, err
+				}
+				if response.CreateClientResponse == nil || response.CreateClientResponse.Data == nil {
+					return ClientMutationOutput{}, fmt.Errorf("auth v1 create client returned no data")
+				}
+				return ClientMutationOutput{Client: fromClient(*response.CreateClientResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKListClientsHandlers(sdk *formance.Formance) []ListClientsHandler {
+	return []ListClientsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context) (ListClientsOutput, error) {
+				response, err := sdk.Auth.V1.ListClients(ctx)
+				if err != nil {
+					return ListClientsOutput{}, err
+				}
+				if response.ListClientsResponse == nil {
+					return ListClientsOutput{}, fmt.Errorf("auth v1 list clients returned no data")
+				}
+				clients := make([]ClientSummary, 0, len(response.ListClientsResponse.Data))
+				for _, client := range response.ListClientsResponse.Data {
+					clients = append(clients, fromClient(client))
+				}
+				return ListClientsOutput{Clients: clients}, nil
+			},
+		},
+	}
+}
+
+func SDKGetClientHandlers(sdk *formance.Formance) []GetClientHandler {
+	return []GetClientHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetClientInput) (GetClientOutput, error) {
+				response, err := sdk.Auth.V1.ReadClient(ctx, operations.ReadClientRequest{ClientID: input.ClientID})
+				if err != nil {
+					return GetClientOutput{}, err
+				}
+				if response.ReadClientResponse == nil || response.ReadClientResponse.Data == nil {
+					return GetClientOutput{}, fmt.Errorf("auth v1 read client returned no data")
+				}
+				return GetClientOutput{Client: fromClient(*response.ReadClientResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKUpdateClientHandlers(sdk *formance.Formance) []ClientMutationHandler {
+	return []ClientMutationHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ClientMutationInput) (ClientMutationOutput, error) {
+				response, err := sdk.Auth.V1.UpdateClient(ctx, operations.UpdateClientRequest{
+					ClientID:            input.ClientID,
+					CreateClientRequest: clientRequest(input),
+				})
+				if err != nil {
+					return ClientMutationOutput{}, err
+				}
+				if response.UpdateClientResponse == nil || response.UpdateClientResponse.Data == nil {
+					return ClientMutationOutput{}, fmt.Errorf("auth v1 update client returned no data")
+				}
+				return ClientMutationOutput{Client: fromClient(*response.UpdateClientResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeleteClientHandlers(sdk *formance.Formance) []DeleteClientHandler {
+	return []DeleteClientHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input DeleteClientInput) (DeleteClientOutput, error) {
+				if _, err := sdk.Auth.V1.DeleteClient(ctx, operations.DeleteClientRequest{ClientID: input.ClientID}); err != nil {
+					return DeleteClientOutput{}, err
+				}
+				return DeleteClientOutput{ClientID: input.ClientID}, nil
+			},
+		},
+	}
+}
+
+func SDKCreateSecretHandlers(sdk *formance.Formance) []CreateSecretHandler {
+	return []CreateSecretHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateSecretInput) (CreateSecretOutput, error) {
+				response, err := sdk.Auth.V1.CreateSecret(ctx, operations.CreateSecretRequest{
+					ClientID: input.ClientID,
+					CreateSecretRequest: &shared.CreateSecretRequest{
+						Name:     input.Name,
+						Metadata: input.Metadata,
+					},
+				})
+				if err != nil {
+					return CreateSecretOutput{}, err
+				}
+				if response.CreateSecretResponse == nil || response.CreateSecretResponse.Data == nil {
+					return CreateSecretOutput{}, fmt.Errorf("auth v1 create secret returned no data")
+				}
+				return CreateSecretOutput{
+					ClientID: input.ClientID,
+					Secret:   fromSecret(*response.CreateSecretResponse.Data),
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKDeleteSecretHandlers(sdk *formance.Formance) []DeleteSecretHandler {
+	return []DeleteSecretHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input DeleteSecretInput) (DeleteSecretOutput, error) {
+				if _, err := sdk.Auth.V1.DeleteSecret(ctx, operations.DeleteSecretRequest{
+					ClientID: input.ClientID,
+					SecretID: input.SecretID,
+				}); err != nil {
+					return DeleteSecretOutput{}, err
+				}
+				return DeleteSecretOutput{ClientID: input.ClientID, SecretID: input.SecretID}, nil
+			},
+		},
+	}
+}
+
+func SDKListUsersHandlers(sdk *formance.Formance) []ListUsersHandler {
+	return []ListUsersHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context) (ListUsersOutput, error) {
+				response, err := sdk.Auth.V1.ListUsers(ctx)
+				if err != nil {
+					return ListUsersOutput{}, err
+				}
+				if response.ListUsersResponse == nil {
+					return ListUsersOutput{}, fmt.Errorf("auth v1 list users returned no data")
+				}
+				users := make([]UserSummary, 0, len(response.ListUsersResponse.Data))
+				for _, user := range response.ListUsersResponse.Data {
+					users = append(users, fromUser(user))
+				}
+				return ListUsersOutput{Users: users}, nil
+			},
+		},
+	}
+}
+
+func SDKGetUserHandlers(sdk *formance.Formance) []GetUserHandler {
+	return []GetUserHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetUserInput) (GetUserOutput, error) {
+				response, err := sdk.Auth.V1.ReadUser(ctx, operations.ReadUserRequest{UserID: input.UserID})
+				if err != nil {
+					return GetUserOutput{}, err
+				}
+				if response.ReadUserResponse == nil || response.ReadUserResponse.Data == nil {
+					return GetUserOutput{}, fmt.Errorf("auth v1 read user returned no data")
+				}
+				return GetUserOutput{User: fromUser(*response.ReadUserResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func clientRequest(input ClientMutationInput) *shared.CreateClientRequest {
+	return &shared.CreateClientRequest{
+		Description:            input.Description,
+		Metadata:               input.Metadata,
+		Name:                   input.Name,
+		PostLogoutRedirectUris: input.PostLogoutRedirectURIs,
+		Public:                 input.Public,
+		RedirectUris:           input.RedirectURIs,
+		Scopes:                 input.Scopes,
+		Trusted:                input.Trusted,
+	}
+}
+
+func fromClient(client shared.Client) ClientSummary {
+	description := ""
+	if client.Description != nil {
+		description = *client.Description
+	}
+	secrets := make([]ClientSecretSummary, 0, len(client.Secrets))
+	for _, secret := range client.Secrets {
+		secrets = append(secrets, ClientSecretSummary{
+			ID:         secret.ID,
+			Name:       secret.Name,
+			LastDigits: secret.LastDigits,
+			Metadata:   secret.Metadata,
+		})
+	}
+	return ClientSummary{
+		ID:                     client.ID,
+		Name:                   client.Name,
+		Description:            description,
+		Metadata:               client.Metadata,
+		Scopes:                 client.Scopes,
+		RedirectURIs:           client.RedirectUris,
+		PostLogoutRedirectURIs: client.PostLogoutRedirectUris,
+		Public:                 client.Public,
+		Trusted:                client.Trusted,
+		Secrets:                secrets,
+	}
+}
+
+func fromSecret(secret shared.Secret) SecretSummary {
+	return SecretSummary{
+		ID:         secret.ID,
+		Name:       secret.Name,
+		LastDigits: secret.LastDigits,
+		Clear:      secret.Clear,
+		Metadata:   secret.Metadata,
+	}
+}
+
+func fromUser(user shared.User) UserSummary {
+	return UserSummary{
+		ID:      stringValue(user.ID),
+		Email:   stringValue(user.Email),
+		Subject: stringValue(user.Subject),
+	}
+}
+
+func stringValue(value *string) string {
+	if value == nil {
+		return ""
+	}
+	return *value
+}
diff --git a/v4/internal/commands/cloud/apps.go b/v4/internal/commands/cloud/apps.go
new file mode 100644
index 00000000..5b336bb0
--- /dev/null
+++ b/v4/internal/commands/cloud/apps.go
@@ -0,0 +1,548 @@
+package cloud
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/formancehq/fctl/internal/deployserverclient/v3/models/components"
+	"github.com/formancehq/fctl/internal/deployserverclient/v3/models/operations"
+)
+
+type DeployClient interface {
+	ListApps(context.Context, string, *int64, *int64, ...operations.Option) (*operations.ListAppsResponse, error)
+	CreateApp(context.Context, components.CreateAppRequest, ...operations.Option) (*operations.CreateAppResponse, error)
+	ReadApp(context.Context, string, ...operations.Option) (*operations.ReadAppResponse, error)
+	DeleteApp(context.Context, string, ...operations.Option) (*operations.DeleteAppResponse, error)
+	DeployAppConfigurationRaw(context.Context, string, any, ...operations.Option) (*operations.DeployAppConfigurationRawResponse, error)
+	ReadAppCurrentStateVersion(context.Context, string, ...operations.Option) (*operations.ReadAppCurrentStateVersionResponse, error)
+	ReadAppRuns(context.Context, string, *int64, *int64, ...operations.Option) (*operations.ReadAppRunsResponse, error)
+	ReadRun(context.Context, string, ...operations.Option) (*operations.ReadRunResponse, error)
+	ReadRunLogs(context.Context, string, ...operations.Option) (*operations.ReadRunLogsResponse, error)
+	ReadAppVersions(context.Context, string, *int64, *int64, ...operations.Option) (*operations.ReadAppVersionsResponse, error)
+	ReadVersion(context.Context, string, ...operations.Option) (*operations.ReadVersionResponse, error)
+	ReadAppVariables(context.Context, string, *int64, *int64, ...operations.Option) (*operations.ReadAppVariablesResponse, error)
+	CreateAppVariable(context.Context, string, components.CreateVariableRequest, ...operations.Option) (*operations.CreateAppVariableResponse, error)
+	DeleteAppVariable(context.Context, string, string, ...operations.Option) (*operations.DeleteAppVariableResponse, error)
+}
+
+type CloudAppSummary struct {
+	ID                            string         `json:"id" yaml:"id"`
+	Name                          string         `json:"name" yaml:"name"`
+	RunStatus                     string         `json:"runStatus,omitempty" yaml:"runStatus,omitempty"`
+	CurrentConfigurationVersionID string         `json:"currentConfigurationVersionID,omitempty" yaml:"currentConfigurationVersionID,omitempty"`
+	CurrentRunID                  string         `json:"currentRunID,omitempty" yaml:"currentRunID,omitempty"`
+	StateStack                    map[string]any `json:"stateStack,omitempty" yaml:"stateStack,omitempty"`
+}
+
+type ListCloudAppsInput struct {
+	OrganizationID string
+	Page           int64
+	PageSize       int64
+}
+
+type ListCloudAppsOutput struct {
+	OrganizationID string            `json:"organizationID" yaml:"organizationID"`
+	Apps           []CloudAppSummary `json:"apps" yaml:"apps"`
+	CurrentPage    *int64            `json:"currentPage,omitempty" yaml:"currentPage,omitempty"`
+	NextPage       *int64            `json:"nextPage,omitempty" yaml:"nextPage,omitempty"`
+	PreviousPage   *int64            `json:"previousPage,omitempty" yaml:"previousPage,omitempty"`
+	TotalPages     *int64            `json:"totalPages,omitempty" yaml:"totalPages,omitempty"`
+	TotalCount     *int64            `json:"totalCount,omitempty" yaml:"totalCount,omitempty"`
+}
+
+type CloudAppInput struct {
+	OrganizationID string
+	AppID          string
+}
+
+type CloudAppOutput struct {
+	OrganizationID string          `json:"organizationID" yaml:"organizationID"`
+	App            CloudAppSummary `json:"app" yaml:"app"`
+}
+
+type CloudAppActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	AppID          string `json:"appID" yaml:"appID"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type CloudRunSummary struct {
+	ID                     string    `json:"id" yaml:"id"`
+	CreatedAt              time.Time `json:"createdAt" yaml:"createdAt"`
+	Status                 string    `json:"status" yaml:"status"`
+	Message                string    `json:"message,omitempty" yaml:"message,omitempty"`
+	ConfigurationVersionID string    `json:"configurationVersionID,omitempty" yaml:"configurationVersionID,omitempty"`
+	AutoApply              bool      `json:"autoApply" yaml:"autoApply"`
+	HasChanges             bool      `json:"hasChanges" yaml:"hasChanges"`
+	IsDestroy              bool      `json:"isDestroy" yaml:"isDestroy"`
+}
+
+type ListCloudRunsOutput struct {
+	AppID        string            `json:"appID" yaml:"appID"`
+	Runs         []CloudRunSummary `json:"runs" yaml:"runs"`
+	CurrentPage  *int64            `json:"currentPage,omitempty" yaml:"currentPage,omitempty"`
+	NextPage     *int64            `json:"nextPage,omitempty" yaml:"nextPage,omitempty"`
+	PreviousPage *int64            `json:"previousPage,omitempty" yaml:"previousPage,omitempty"`
+	TotalPages   *int64            `json:"totalPages,omitempty" yaml:"totalPages,omitempty"`
+	TotalCount   *int64            `json:"totalCount,omitempty" yaml:"totalCount,omitempty"`
+}
+
+type CloudRunOutput struct {
+	Run CloudRunSummary `json:"run" yaml:"run"`
+}
+
+type CloudLogSummary struct {
+	Timestamp string `json:"timestamp" yaml:"timestamp"`
+	Module    string `json:"module,omitempty" yaml:"module,omitempty"`
+	Message   string `json:"message" yaml:"message"`
+	Severity  string `json:"severity,omitempty" yaml:"severity,omitempty"`
+	Summary   string `json:"summary,omitempty" yaml:"summary,omitempty"`
+	Detail    string `json:"detail,omitempty" yaml:"detail,omitempty"`
+}
+
+type CloudRunLogsOutput struct {
+	RunID string            `json:"runID" yaml:"runID"`
+	Logs  []CloudLogSummary `json:"logs" yaml:"logs"`
+}
+
+type CloudVersionSummary struct {
+	ID            string `json:"id" yaml:"id"`
+	AutoQueueRuns bool   `json:"autoQueueRuns" yaml:"autoQueueRuns"`
+	Status        string `json:"status" yaml:"status"`
+	Error         string `json:"error,omitempty" yaml:"error,omitempty"`
+	ErrorMessage  string `json:"errorMessage,omitempty" yaml:"errorMessage,omitempty"`
+}
+
+type ListCloudVersionsOutput struct {
+	AppID        string                `json:"appID" yaml:"appID"`
+	Versions     []CloudVersionSummary `json:"versions" yaml:"versions"`
+	CurrentPage  *int64                `json:"currentPage,omitempty" yaml:"currentPage,omitempty"`
+	NextPage     *int64                `json:"nextPage,omitempty" yaml:"nextPage,omitempty"`
+	PreviousPage *int64                `json:"previousPage,omitempty" yaml:"previousPage,omitempty"`
+	TotalPages   *int64                `json:"totalPages,omitempty" yaml:"totalPages,omitempty"`
+	TotalCount   *int64                `json:"totalCount,omitempty" yaml:"totalCount,omitempty"`
+}
+
+type CloudVersionOutput struct {
+	Version CloudVersionSummary `json:"version" yaml:"version"`
+}
+
+type CloudVersionBlobOutput struct {
+	VersionID string `json:"versionID" yaml:"versionID"`
+	Data      []byte `json:"data" yaml:"data"`
+}
+
+type CloudVariableSummary struct {
+	ID          string `json:"id" yaml:"id"`
+	Key         string `json:"key" yaml:"key"`
+	Value       string `json:"value,omitempty" yaml:"value,omitempty"`
+	Description string `json:"description,omitempty" yaml:"description,omitempty"`
+	Sensitive   bool   `json:"sensitive" yaml:"sensitive"`
+}
+
+type ListCloudVariablesOutput struct {
+	AppID        string                 `json:"appID" yaml:"appID"`
+	Variables    []CloudVariableSummary `json:"variables" yaml:"variables"`
+	CurrentPage  *int64                 `json:"currentPage,omitempty" yaml:"currentPage,omitempty"`
+	NextPage     *int64                 `json:"nextPage,omitempty" yaml:"nextPage,omitempty"`
+	PreviousPage *int64                 `json:"previousPage,omitempty" yaml:"previousPage,omitempty"`
+	TotalPages   *int64                 `json:"totalPages,omitempty" yaml:"totalPages,omitempty"`
+	TotalCount   *int64                 `json:"totalCount,omitempty" yaml:"totalCount,omitempty"`
+}
+
+type CloudVariableInput struct {
+	AppID       string
+	VariableID  string
+	Key         string
+	Value       string
+	Description string
+	Sensitive   bool
+}
+
+type CloudVariableOutput struct {
+	AppID    string               `json:"appID" yaml:"appID"`
+	Variable CloudVariableSummary `json:"variable" yaml:"variable"`
+}
+
+type CloudVariableActionOutput struct {
+	AppID      string `json:"appID" yaml:"appID"`
+	VariableID string `json:"variableID" yaml:"variableID"`
+	Action     string `json:"action" yaml:"action"`
+}
+
+type ListCloudAppsService struct {
+	Client DeployClient
+}
+
+func (s ListCloudAppsService) Run(ctx context.Context, input ListCloudAppsInput) (ListCloudAppsOutput, error) {
+	if s.Client == nil {
+		return ListCloudAppsOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ListApps(ctx, input.OrganizationID, &input.Page, &input.PageSize)
+	if err != nil {
+		return ListCloudAppsOutput{}, err
+	}
+	if response.ListAppsResponse == nil {
+		return ListCloudAppsOutput{}, fmt.Errorf("cloud apps list returned no data")
+	}
+	data := response.ListAppsResponse.Data
+	apps := make([]CloudAppSummary, 0, len(data.Items))
+	for _, app := range data.Items {
+		apps = append(apps, cloudAppSummary(app, nil))
+	}
+	return ListCloudAppsOutput{
+		OrganizationID: input.OrganizationID,
+		Apps:           apps,
+		CurrentPage:    data.CurrentPage,
+		NextPage:       data.NextPage,
+		PreviousPage:   data.PreviousPage,
+		TotalPages:     data.TotalPages,
+		TotalCount:     data.TotalCount,
+	}, nil
+}
+
+type CreateCloudAppService struct {
+	Client DeployClient
+}
+
+func (s CreateCloudAppService) Run(ctx context.Context, organizationID string) (CloudAppOutput, error) {
+	if s.Client == nil {
+		return CloudAppOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.CreateApp(ctx, components.CreateAppRequest{OrganizationID: organizationID})
+	if err != nil {
+		return CloudAppOutput{}, err
+	}
+	if response.AppResponse == nil {
+		return CloudAppOutput{}, fmt.Errorf("cloud apps create returned no data")
+	}
+	return CloudAppOutput{OrganizationID: organizationID, App: cloudAppSummary(response.AppResponse.Data, nil)}, nil
+}
+
+type GetCloudAppService struct {
+	Client DeployClient
+}
+
+func (s GetCloudAppService) Run(ctx context.Context, input CloudAppInput) (CloudAppOutput, error) {
+	if s.Client == nil {
+		return CloudAppOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadApp(ctx, input.AppID)
+	if err != nil {
+		return CloudAppOutput{}, err
+	}
+	if response.AppResponse == nil {
+		return CloudAppOutput{}, fmt.Errorf("cloud apps show returned no data")
+	}
+	var stack map[string]any
+	if stateResponse, err := s.Client.ReadAppCurrentStateVersion(ctx, input.AppID); err == nil && stateResponse.ReadStateResponse != nil {
+		stack = stateResponse.ReadStateResponse.Data.Stack
+	}
+	return CloudAppOutput{OrganizationID: input.OrganizationID, App: cloudAppSummary(response.AppResponse.Data, stack)}, nil
+}
+
+type DeleteCloudAppService struct {
+	Client DeployClient
+}
+
+func (s DeleteCloudAppService) Run(ctx context.Context, input CloudAppInput) (CloudAppActionOutput, error) {
+	if s.Client == nil {
+		return CloudAppActionOutput{}, fmt.Errorf("deploy client is required")
+	}
+	if _, err := s.Client.DeleteApp(ctx, input.AppID); err != nil {
+		return CloudAppActionOutput{}, err
+	}
+	return CloudAppActionOutput{OrganizationID: input.OrganizationID, AppID: input.AppID, Action: "deleted"}, nil
+}
+
+type DeployCloudAppService struct {
+	Client DeployClient
+}
+
+func (s DeployCloudAppService) Run(ctx context.Context, appID string, data []byte) (CloudRunOutput, error) {
+	if s.Client == nil {
+		return CloudRunOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.DeployAppConfigurationRaw(ctx, appID, data)
+	if err != nil {
+		return CloudRunOutput{}, err
+	}
+	if response.RunResponse == nil {
+		return CloudRunOutput{}, fmt.Errorf("cloud apps deploy returned no run")
+	}
+	return CloudRunOutput{Run: cloudRunSummary(response.RunResponse.Data)}, nil
+}
+
+type ListCloudRunsService struct {
+	Client DeployClient
+}
+
+func (s ListCloudRunsService) Run(ctx context.Context, appID string, page int64, pageSize int64) (ListCloudRunsOutput, error) {
+	if s.Client == nil {
+		return ListCloudRunsOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadAppRuns(ctx, appID, &page, &pageSize)
+	if err != nil {
+		return ListCloudRunsOutput{}, err
+	}
+	if response.ListRunsResponse == nil {
+		return ListCloudRunsOutput{}, fmt.Errorf("cloud apps runs list returned no data")
+	}
+	data := response.ListRunsResponse.Data
+	runs := make([]CloudRunSummary, 0, len(data.Items))
+	for _, run := range data.Items {
+		runs = append(runs, cloudRunSummary(run))
+	}
+	return ListCloudRunsOutput{AppID: appID, Runs: runs, CurrentPage: data.CurrentPage, NextPage: data.NextPage, PreviousPage: data.PreviousPage, TotalPages: data.TotalPages, TotalCount: data.TotalCount}, nil
+}
+
+type GetCloudRunService struct {
+	Client DeployClient
+}
+
+func (s GetCloudRunService) Run(ctx context.Context, runID string) (CloudRunOutput, error) {
+	if s.Client == nil {
+		return CloudRunOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadRun(ctx, runID)
+	if err != nil {
+		return CloudRunOutput{}, err
+	}
+	if response.RunResponse == nil {
+		return CloudRunOutput{}, fmt.Errorf("cloud apps runs show returned no data")
+	}
+	return CloudRunOutput{Run: cloudRunSummary(response.RunResponse.Data)}, nil
+}
+
+type GetCloudRunLogsService struct {
+	Client DeployClient
+}
+
+func (s GetCloudRunLogsService) Run(ctx context.Context, runID string) (CloudRunLogsOutput, error) {
+	if s.Client == nil {
+		return CloudRunLogsOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadRunLogs(ctx, runID)
+	if err != nil {
+		return CloudRunLogsOutput{}, err
+	}
+	if response.ReadLogsResponse == nil {
+		return CloudRunLogsOutput{}, fmt.Errorf("cloud apps runs logs returned no data")
+	}
+	logs := make([]CloudLogSummary, 0, len(response.ReadLogsResponse.Data))
+	for _, log := range response.ReadLogsResponse.Data {
+		logs = append(logs, cloudLogSummary(log))
+	}
+	return CloudRunLogsOutput{RunID: runID, Logs: logs}, nil
+}
+
+type ListCloudVersionsService struct {
+	Client DeployClient
+}
+
+func (s ListCloudVersionsService) Run(ctx context.Context, appID string, page int64, pageSize int64) (ListCloudVersionsOutput, error) {
+	if s.Client == nil {
+		return ListCloudVersionsOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadAppVersions(ctx, appID, &page, &pageSize)
+	if err != nil {
+		return ListCloudVersionsOutput{}, err
+	}
+	if response.ListVersionsResponse == nil {
+		return ListCloudVersionsOutput{}, fmt.Errorf("cloud apps versions list returned no data")
+	}
+	data := response.ListVersionsResponse.Data
+	versions := make([]CloudVersionSummary, 0, len(data.Items))
+	for _, version := range data.Items {
+		versions = append(versions, cloudVersionSummary(version))
+	}
+	return ListCloudVersionsOutput{AppID: appID, Versions: versions, CurrentPage: data.CurrentPage, NextPage: data.NextPage, PreviousPage: data.PreviousPage, TotalPages: data.TotalPages, TotalCount: data.TotalCount}, nil
+}
+
+type GetCloudVersionService struct {
+	Client DeployClient
+}
+
+func (s GetCloudVersionService) Run(ctx context.Context, versionID string) (CloudVersionOutput, error) {
+	if s.Client == nil {
+		return CloudVersionOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadVersion(ctx, versionID)
+	if err != nil {
+		return CloudVersionOutput{}, err
+	}
+	if response.AppVersionResponse == nil {
+		return CloudVersionOutput{}, fmt.Errorf("cloud apps versions show returned no data")
+	}
+	return CloudVersionOutput{Version: cloudVersionSummary(response.AppVersionResponse.Data)}, nil
+}
+
+type GetCloudVersionBlobService struct {
+	Client DeployClient
+	Accept operations.AcceptHeaderEnum
+}
+
+func (s GetCloudVersionBlobService) Run(ctx context.Context, versionID string) (CloudVersionBlobOutput, error) {
+	if s.Client == nil {
+		return CloudVersionBlobOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadVersion(ctx, versionID, operations.WithAcceptHeaderOverride(s.Accept))
+	if err != nil {
+		return CloudVersionBlobOutput{}, err
+	}
+	var stream io.ReadCloser
+	switch s.Accept {
+	case operations.AcceptHeaderEnumApplicationYaml:
+		stream = response.TwoHundredApplicationYamlResponseStream
+	case operations.AcceptHeaderEnumApplicationGzip:
+		stream = response.TwoHundredApplicationGzipResponseStream
+	}
+	if stream == nil {
+		return CloudVersionBlobOutput{}, fmt.Errorf("cloud apps versions returned no stream")
+	}
+	defer stream.Close()
+	data, err := io.ReadAll(stream)
+	if err != nil {
+		return CloudVersionBlobOutput{}, err
+	}
+	return CloudVersionBlobOutput{VersionID: versionID, Data: data}, nil
+}
+
+type ListCloudVariablesService struct {
+	Client DeployClient
+}
+
+func (s ListCloudVariablesService) Run(ctx context.Context, appID string, page int64, pageSize int64) (ListCloudVariablesOutput, error) {
+	if s.Client == nil {
+		return ListCloudVariablesOutput{}, fmt.Errorf("deploy client is required")
+	}
+	response, err := s.Client.ReadAppVariables(ctx, appID, &page, &pageSize)
+	if err != nil {
+		return ListCloudVariablesOutput{}, err
+	}
+	if response.ReadVariablesResponse == nil {
+		return ListCloudVariablesOutput{}, fmt.Errorf("cloud apps variables list returned no data")
+	}
+	data := response.ReadVariablesResponse.Data
+	variables := make([]CloudVariableSummary, 0, len(data.Items))
+	for _, variable := range data.Items {
+		variables = append(variables, cloudVariableSummary(variable))
+	}
+	return ListCloudVariablesOutput{AppID: appID, Variables: variables, CurrentPage: data.CurrentPage, NextPage: data.NextPage, PreviousPage: data.PreviousPage, TotalPages: data.TotalPages, TotalCount: data.TotalCount}, nil
+}
+
+type CreateCloudVariableService struct {
+	Client DeployClient
+}
+
+func (s CreateCloudVariableService) Run(ctx context.Context, input CloudVariableInput) (CloudVariableOutput, error) {
+	if s.Client == nil {
+		return CloudVariableOutput{}, fmt.Errorf("deploy client is required")
+	}
+	var description *string
+	if input.Description != "" {
+		description = &input.Description
+	}
+	response, err := s.Client.CreateAppVariable(ctx, input.AppID, components.CreateVariableRequest{
+		Variable: components.VariableData{
+			Key:         input.Key,
+			Value:       input.Value,
+			Description: description,
+			Sensitive:   input.Sensitive,
+		},
+	})
+	if err != nil {
+		return CloudVariableOutput{}, err
+	}
+	if response.CreateVariableResponse == nil {
+		return CloudVariableOutput{}, fmt.Errorf("cloud apps variables create returned no data")
+	}
+	return CloudVariableOutput{AppID: input.AppID, Variable: cloudVariableSummary(response.CreateVariableResponse.Data)}, nil
+}
+
+type DeleteCloudVariableService struct {
+	Client DeployClient
+}
+
+func (s DeleteCloudVariableService) Run(ctx context.Context, input CloudVariableInput) (CloudVariableActionOutput, error) {
+	if s.Client == nil {
+		return CloudVariableActionOutput{}, fmt.Errorf("deploy client is required")
+	}
+	if _, err := s.Client.DeleteAppVariable(ctx, input.AppID, input.VariableID); err != nil {
+		return CloudVariableActionOutput{}, err
+	}
+	return CloudVariableActionOutput{AppID: input.AppID, VariableID: input.VariableID, Action: "deleted"}, nil
+}
+
+func cloudAppSummary(app components.App, stateStack map[string]any) CloudAppSummary {
+	summary := CloudAppSummary{ID: app.ID, Name: app.Name, StateStack: stateStack}
+	if app.CurrentRun != nil {
+		summary.CurrentRunID = app.CurrentRun.ID
+		summary.RunStatus = app.CurrentRun.Status
+	}
+	if app.CurrentConfigurationVersion != nil {
+		summary.CurrentConfigurationVersionID = app.CurrentConfigurationVersion.ID
+	}
+	return summary
+}
+
+func cloudRunSummary(run components.Run) CloudRunSummary {
+	versionID := ""
+	if run.ConfigurationVersion != nil {
+		versionID = run.ConfigurationVersion.ID
+	}
+	return CloudRunSummary{
+		ID:                     run.ID,
+		CreatedAt:              run.CreatedAt,
+		Status:                 run.Status,
+		Message:                run.Message,
+		ConfigurationVersionID: versionID,
+		AutoApply:              run.AutoApply,
+		HasChanges:             run.HasChanges,
+		IsDestroy:              run.IsDestroy,
+	}
+}
+
+func cloudLogSummary(log components.Log) CloudLogSummary {
+	summary := CloudLogSummary{
+		Timestamp: log.Timestamp.Format(time.RFC3339),
+		Module:    log.Module,
+		Message:   log.Message,
+	}
+	if log.Diagnostic != nil {
+		summary.Severity = log.Diagnostic.Severity
+		summary.Summary = log.Diagnostic.Summary
+		summary.Detail = log.Diagnostic.Detail
+	}
+	return summary
+}
+
+func cloudVersionSummary(version components.ConfigurationVersion) CloudVersionSummary {
+	return CloudVersionSummary{
+		ID:            version.ID,
+		AutoQueueRuns: version.AutoQueueRuns,
+		Status:        string(version.Status),
+		Error:         version.Error,
+		ErrorMessage:  version.ErrorMessage,
+	}
+}
+
+func cloudVariableSummary(variable components.Variable) CloudVariableSummary {
+	value := variable.Value
+	if variable.Sensitive {
+		value = ""
+	}
+	description := ""
+	if variable.Description != nil {
+		description = *variable.Description
+	}
+	return CloudVariableSummary{
+		ID:          variable.ID,
+		Key:         variable.Key,
+		Value:       value,
+		Description: description,
+		Sensitive:   variable.Sensitive,
+	}
+}
diff --git a/v4/internal/commands/cloud/cloud.go b/v4/internal/commands/cloud/cloud.go
new file mode 100644
index 00000000..56168aef
--- /dev/null
+++ b/v4/internal/commands/cloud/cloud.go
@@ -0,0 +1,1776 @@
+package cloud
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/formancehq/fctl/internal/membershipclient/v3/models/components"
+	"github.com/formancehq/fctl/internal/membershipclient/v3/models/operations"
+)
+
+type MembershipClient interface {
+	ReadConnectedUser(context.Context, ...operations.Option) (*operations.ReadConnectedUserResponse, error)
+	ListOrganizations(context.Context, operations.ListOrganizationsRequest, ...operations.Option) (*operations.ListOrganizationsResponse, error)
+	ReadOrganization(context.Context, operations.ReadOrganizationRequest, ...operations.Option) (*operations.ReadOrganizationResponse, error)
+	CreateOrganization(context.Context, *components.CreateOrganizationRequest, ...operations.Option) (*operations.CreateOrganizationResponse, error)
+	UpdateOrganization(context.Context, operations.UpdateOrganizationRequest, ...operations.Option) (*operations.UpdateOrganizationResponse, error)
+	DeleteOrganization(context.Context, operations.DeleteOrganizationRequest, ...operations.Option) (*operations.DeleteOrganizationResponse, error)
+	ListInvitations(context.Context, operations.ListInvitationsRequest, ...operations.Option) (*operations.ListInvitationsResponse, error)
+	AcceptInvitation(context.Context, operations.AcceptInvitationRequest, ...operations.Option) (*operations.AcceptInvitationResponse, error)
+	DeclineInvitation(context.Context, operations.DeclineInvitationRequest, ...operations.Option) (*operations.DeclineInvitationResponse, error)
+	ListOrganizationInvitations(context.Context, operations.ListOrganizationInvitationsRequest, ...operations.Option) (*operations.ListOrganizationInvitationsResponse, error)
+	CreateInvitation(context.Context, operations.CreateInvitationRequest, ...operations.Option) (*operations.CreateInvitationResponse, error)
+	DeleteInvitation(context.Context, operations.DeleteInvitationRequest, ...operations.Option) (*operations.DeleteInvitationResponse, error)
+	ListUsersOfOrganization(context.Context, operations.ListUsersOfOrganizationRequest, ...operations.Option) (*operations.ListUsersOfOrganizationResponse, error)
+	ReadUserOfOrganization(context.Context, operations.ReadUserOfOrganizationRequest, ...operations.Option) (*operations.ReadUserOfOrganizationResponse, error)
+	UpsertOrganizationUser(context.Context, operations.UpsertOrganizationUserRequest, ...operations.Option) (*operations.UpsertOrganizationUserResponse, error)
+	DeleteUserFromOrganization(context.Context, operations.DeleteUserFromOrganizationRequest, ...operations.Option) (*operations.DeleteUserFromOrganizationResponse, error)
+	ListPolicies(context.Context, operations.ListPoliciesRequest, ...operations.Option) (*operations.ListPoliciesResponse, error)
+	CreatePolicy(context.Context, operations.CreatePolicyRequest, ...operations.Option) (*operations.CreatePolicyResponse, error)
+	ReadPolicy(context.Context, operations.ReadPolicyRequest, ...operations.Option) (*operations.ReadPolicyResponse, error)
+	UpdatePolicy(context.Context, operations.UpdatePolicyRequest, ...operations.Option) (*operations.UpdatePolicyResponse, error)
+	DeletePolicy(context.Context, operations.DeletePolicyRequest, ...operations.Option) (*operations.DeletePolicyResponse, error)
+	AddScopeToPolicy(context.Context, operations.AddScopeToPolicyRequest, ...operations.Option) (*operations.AddScopeToPolicyResponse, error)
+	RemoveScopeFromPolicy(context.Context, operations.RemoveScopeFromPolicyRequest, ...operations.Option) (*operations.RemoveScopeFromPolicyResponse, error)
+	ListRegions(context.Context, operations.ListRegionsRequest, ...operations.Option) (*operations.ListRegionsResponse, error)
+	GetRegion(context.Context, operations.GetRegionRequest, ...operations.Option) (*operations.GetRegionResponse, error)
+	CreatePrivateRegion(context.Context, operations.CreatePrivateRegionRequest, ...operations.Option) (*operations.CreatePrivateRegionResponse, error)
+	DeleteRegion(context.Context, operations.DeleteRegionRequest, ...operations.Option) (*operations.DeleteRegionResponse, error)
+	GetRegionVersions(context.Context, operations.GetRegionVersionsRequest, ...operations.Option) (*operations.GetRegionVersionsResponse, error)
+	ListOrganizationApplications(context.Context, operations.ListOrganizationApplicationsRequest, ...operations.Option) (*operations.ListOrganizationApplicationsResponse, error)
+	GetOrganizationApplication(context.Context, operations.GetOrganizationApplicationRequest, ...operations.Option) (*operations.GetOrganizationApplicationResponse, error)
+	ReadAuthenticationProvider(context.Context, operations.ReadAuthenticationProviderRequest, ...operations.Option) (*operations.ReadAuthenticationProviderResponse, error)
+	UpsertAuthenticationProvider(context.Context, operations.UpsertAuthenticationProviderRequest, ...operations.Option) (*operations.UpsertAuthenticationProviderResponse, error)
+	DeleteAuthenticationProvider(context.Context, operations.DeleteAuthenticationProviderRequest, ...operations.Option) (*operations.DeleteAuthenticationProviderResponse, error)
+	OrganizationClientsRead(context.Context, operations.OrganizationClientsReadRequest, ...operations.Option) (*operations.OrganizationClientsReadResponse, error)
+	OrganizationClientRead(context.Context, operations.OrganizationClientReadRequest, ...operations.Option) (*operations.OrganizationClientReadResponse, error)
+	OrganizationClientCreate(context.Context, operations.OrganizationClientCreateRequest, ...operations.Option) (*operations.OrganizationClientCreateResponse, error)
+	OrganizationClientUpdate(context.Context, operations.OrganizationClientUpdateRequest, ...operations.Option) (*operations.OrganizationClientUpdateResponse, error)
+	OrganizationClientDelete(context.Context, operations.OrganizationClientDeleteRequest, ...operations.Option) (*operations.OrganizationClientDeleteResponse, error)
+	ListLogs(context.Context, operations.ListLogsRequest, ...operations.Option) (*operations.ListLogsResponse, error)
+}
+
+type UserSummary struct {
+	ID    string `json:"id" yaml:"id"`
+	Email string `json:"email" yaml:"email"`
+	Role  string `json:"role,omitempty" yaml:"role,omitempty"`
+}
+
+type OrganizationSummary struct {
+	ID                 string       `json:"id" yaml:"id"`
+	Name               string       `json:"name" yaml:"name"`
+	OwnerID            string       `json:"ownerID,omitempty" yaml:"ownerID,omitempty"`
+	Domain             string       `json:"domain,omitempty" yaml:"domain,omitempty"`
+	DefaultPolicyID    *int64       `json:"defaultPolicyID,omitempty" yaml:"defaultPolicyID,omitempty"`
+	AvailableStacks    *int64       `json:"availableStacks,omitempty" yaml:"availableStacks,omitempty"`
+	AvailableSandboxes *int64       `json:"availableSandboxes,omitempty" yaml:"availableSandboxes,omitempty"`
+	TotalStacks        *int64       `json:"totalStacks,omitempty" yaml:"totalStacks,omitempty"`
+	TotalUsers         *int64       `json:"totalUsers,omitempty" yaml:"totalUsers,omitempty"`
+	CreatedAt          *time.Time   `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	UpdatedAt          *time.Time   `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
+	Owner              *UserSummary `json:"owner,omitempty" yaml:"owner,omitempty"`
+}
+
+type MeOutput struct {
+	User UserSummary `json:"user" yaml:"user"`
+}
+
+type ListOrganizationsInput struct {
+	Expand bool
+}
+
+type ListOrganizationsOutput struct {
+	Organizations []OrganizationSummary `json:"organizations" yaml:"organizations"`
+}
+
+type OrganizationIDInput struct {
+	OrganizationID string
+	Expand         bool
+}
+
+type OrganizationOutput struct {
+	Organization OrganizationSummary `json:"organization" yaml:"organization"`
+}
+
+type CreateOrganizationInput struct {
+	Name            string
+	Domain          string
+	DefaultPolicyID *int64
+	OwnerID         string
+}
+
+type UpdateOrganizationInput struct {
+	OrganizationID  string
+	Name            string
+	Domain          string
+	DefaultPolicyID *int64
+}
+
+type DeleteOrganizationOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+}
+
+type InvitationSummary struct {
+	ID             string     `json:"id" yaml:"id"`
+	OrganizationID string     `json:"organizationID" yaml:"organizationID"`
+	UserEmail      string     `json:"userEmail" yaml:"userEmail"`
+	Status         string     `json:"status" yaml:"status"`
+	CreationDate   time.Time  `json:"creationDate" yaml:"creationDate"`
+	ExpiresAt      *time.Time `json:"expiresAt,omitempty" yaml:"expiresAt,omitempty"`
+	UserID         string     `json:"userID,omitempty" yaml:"userID,omitempty"`
+	CreatorID      string     `json:"creatorID,omitempty" yaml:"creatorID,omitempty"`
+}
+
+type ListInvitationsInput struct {
+	Status       string
+	Organization string
+}
+
+type ListInvitationsOutput struct {
+	Invitations []InvitationSummary `json:"invitations" yaml:"invitations"`
+}
+
+type InvitationActionOutput struct {
+	InvitationID string `json:"invitationID" yaml:"invitationID"`
+	Action       string `json:"action" yaml:"action"`
+}
+
+type ListOrganizationInvitationsInput struct {
+	OrganizationID string
+	Status         string
+}
+
+type CreateInvitationInput struct {
+	OrganizationID string
+	Email          string
+}
+
+type OrganizationInvitationActionInput struct {
+	OrganizationID string
+	InvitationID   string
+}
+
+type OrganizationInvitationActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	InvitationID   string `json:"invitationID" yaml:"invitationID"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type OrganizationUserSummary struct {
+	ID       string `json:"id" yaml:"id"`
+	Email    string `json:"email" yaml:"email"`
+	PolicyID int64  `json:"policyID" yaml:"policyID"`
+}
+
+type ListOrganizationUsersOutput struct {
+	OrganizationID string                    `json:"organizationID" yaml:"organizationID"`
+	Users          []OrganizationUserSummary `json:"users" yaml:"users"`
+}
+
+type OrganizationUserOutput struct {
+	OrganizationID string                  `json:"organizationID" yaml:"organizationID"`
+	User           OrganizationUserSummary `json:"user" yaml:"user"`
+}
+
+type OrganizationUserActionInput struct {
+	OrganizationID string
+	UserID         string
+	PolicyID       int64
+}
+
+type OrganizationUserActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	UserID         string `json:"userID" yaml:"userID"`
+	Action         string `json:"action" yaml:"action"`
+	PolicyID       int64  `json:"policyID,omitempty" yaml:"policyID,omitempty"`
+}
+
+type ScopeSummary struct {
+	ID            int64  `json:"id" yaml:"id"`
+	Label         string `json:"label" yaml:"label"`
+	Description   string `json:"description,omitempty" yaml:"description,omitempty"`
+	ApplicationID string `json:"applicationID,omitempty" yaml:"applicationID,omitempty"`
+	Protected     *bool  `json:"protected,omitempty" yaml:"protected,omitempty"`
+}
+
+type PolicySummary struct {
+	ID             int64          `json:"id" yaml:"id"`
+	Name           string         `json:"name" yaml:"name"`
+	Description    string         `json:"description,omitempty" yaml:"description,omitempty"`
+	OrganizationID string         `json:"organizationID,omitempty" yaml:"organizationID,omitempty"`
+	Protected      bool           `json:"protected" yaml:"protected"`
+	Scopes         []ScopeSummary `json:"scopes,omitempty" yaml:"scopes,omitempty"`
+	CreatedAt      time.Time      `json:"createdAt" yaml:"createdAt"`
+	UpdatedAt      time.Time      `json:"updatedAt" yaml:"updatedAt"`
+}
+
+type ListPoliciesOutput struct {
+	OrganizationID string          `json:"organizationID" yaml:"organizationID"`
+	Policies       []PolicySummary `json:"policies" yaml:"policies"`
+}
+
+type PolicyOutput struct {
+	OrganizationID string        `json:"organizationID" yaml:"organizationID"`
+	Policy         PolicySummary `json:"policy" yaml:"policy"`
+}
+
+type PolicyInput struct {
+	OrganizationID string
+	PolicyID       int64
+	Name           string
+	Description    string
+}
+
+type PolicyActionInput struct {
+	OrganizationID string
+	PolicyID       int64
+	ScopeID        int64
+}
+
+type PolicyActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	PolicyID       int64  `json:"policyID" yaml:"policyID"`
+	ScopeID        int64  `json:"scopeID,omitempty" yaml:"scopeID,omitempty"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type RegionSummary struct {
+	ID             string `json:"id" yaml:"id"`
+	Name           string `json:"name" yaml:"name"`
+	BaseURL        string `json:"baseURL,omitempty" yaml:"baseURL,omitempty"`
+	Active         bool   `json:"active" yaml:"active"`
+	Public         bool   `json:"public" yaml:"public"`
+	Version        string `json:"version,omitempty" yaml:"version,omitempty"`
+	OrganizationID string `json:"organizationID,omitempty" yaml:"organizationID,omitempty"`
+}
+
+type ListRegionsOutput struct {
+	OrganizationID string          `json:"organizationID" yaml:"organizationID"`
+	Regions        []RegionSummary `json:"regions" yaml:"regions"`
+}
+
+type RegionVersionSummary struct {
+	Name       string `json:"name" yaml:"name"`
+	RegionID   string `json:"regionID,omitempty" yaml:"regionID,omitempty"`
+	Deprecated bool   `json:"deprecated,omitempty" yaml:"deprecated,omitempty"`
+}
+
+type ListRegionVersionsOutput struct {
+	OrganizationID string                 `json:"organizationID" yaml:"organizationID"`
+	RegionID       string                 `json:"regionID" yaml:"regionID"`
+	Versions       []RegionVersionSummary `json:"versions" yaml:"versions"`
+}
+
+type RegionInput struct {
+	OrganizationID string
+	RegionID       string
+	Name           string
+}
+
+type RegionOutput struct {
+	OrganizationID string        `json:"organizationID" yaml:"organizationID"`
+	Region         RegionSummary `json:"region" yaml:"region"`
+}
+
+type RegionActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	RegionID       string `json:"regionID" yaml:"regionID"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type ApplicationSummary struct {
+	ID          string         `json:"id" yaml:"id"`
+	Name        string         `json:"name" yaml:"name"`
+	Alias       string         `json:"alias" yaml:"alias"`
+	URL         string         `json:"url" yaml:"url"`
+	Description string         `json:"description,omitempty" yaml:"description,omitempty"`
+	Scopes      []ScopeSummary `json:"scopes,omitempty" yaml:"scopes,omitempty"`
+	CreatedAt   time.Time      `json:"createdAt" yaml:"createdAt"`
+	UpdatedAt   time.Time      `json:"updatedAt" yaml:"updatedAt"`
+}
+
+type ListApplicationsInput struct {
+	OrganizationID string
+	Page           int64
+	PageSize       int64
+}
+
+type ListApplicationsOutput struct {
+	OrganizationID string               `json:"organizationID" yaml:"organizationID"`
+	Applications   []ApplicationSummary `json:"applications" yaml:"applications"`
+	HasMore        bool                 `json:"hasMore" yaml:"hasMore"`
+	PageSize       int64                `json:"pageSize" yaml:"pageSize"`
+	Next           string               `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous       string               `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type ApplicationInput struct {
+	OrganizationID string
+	ApplicationID  string
+}
+
+type ApplicationOutput struct {
+	OrganizationID string             `json:"organizationID" yaml:"organizationID"`
+	Application    ApplicationSummary `json:"application" yaml:"application"`
+}
+
+type AuthenticationProviderSummary struct {
+	Type         string    `json:"type" yaml:"type"`
+	Name         string    `json:"name" yaml:"name"`
+	ClientID     string    `json:"clientID" yaml:"clientID"`
+	RedirectURI  string    `json:"redirectURI,omitempty" yaml:"redirectURI,omitempty"`
+	Issuer       string    `json:"issuer,omitempty" yaml:"issuer,omitempty"`
+	Tenant       string    `json:"tenant,omitempty" yaml:"tenant,omitempty"`
+	CreatedAt    time.Time `json:"createdAt" yaml:"createdAt"`
+	UpdatedAt    time.Time `json:"updatedAt" yaml:"updatedAt"`
+	Organization string    `json:"organizationID,omitempty" yaml:"organizationID,omitempty"`
+}
+
+type AuthenticationProviderInput struct {
+	OrganizationID  string
+	Type            string
+	Name            string
+	ClientID        string
+	ClientSecret    string
+	OIDCIssuer      string
+	OIDCDiscovery   string
+	MicrosoftTenant string
+}
+
+type AuthenticationProviderOutput struct {
+	OrganizationID string                        `json:"organizationID" yaml:"organizationID"`
+	Provider       AuthenticationProviderSummary `json:"provider" yaml:"provider"`
+}
+
+type AuthenticationProviderActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type OAuthClientSummary struct {
+	ID               string    `json:"id" yaml:"id"`
+	ClientID         string    `json:"clientID" yaml:"clientID"`
+	Name             string    `json:"name" yaml:"name"`
+	Description      string    `json:"description,omitempty" yaml:"description,omitempty"`
+	SecretLastDigits string    `json:"secretLastDigits,omitempty" yaml:"secretLastDigits,omitempty"`
+	Secret           string    `json:"secret,omitempty" yaml:"secret,omitempty"`
+	CreatedAt        time.Time `json:"createdAt" yaml:"createdAt"`
+	UpdatedAt        time.Time `json:"updatedAt" yaml:"updatedAt"`
+}
+
+type ListOAuthClientsInput struct {
+	OrganizationID string
+	Cursor         string
+	PageSize       int64
+}
+
+type ListOAuthClientsOutput struct {
+	OrganizationID string               `json:"organizationID" yaml:"organizationID"`
+	Clients        []OAuthClientSummary `json:"clients" yaml:"clients"`
+	HasMore        bool                 `json:"hasMore" yaml:"hasMore"`
+	PageSize       int64                `json:"pageSize" yaml:"pageSize"`
+	Next           string               `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous       string               `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type OAuthClientInput struct {
+	OrganizationID string
+	ClientID       string
+	Name           string
+	Description    string
+}
+
+type OAuthClientOutput struct {
+	OrganizationID string             `json:"organizationID" yaml:"organizationID"`
+	Client         OAuthClientSummary `json:"client" yaml:"client"`
+}
+
+type OAuthClientActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	ClientID       string `json:"clientID" yaml:"clientID"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type LogSummary struct {
+	Seq            string    `json:"seq" yaml:"seq"`
+	OrganizationID string    `json:"organizationID" yaml:"organizationID"`
+	UserID         string    `json:"userID" yaml:"userID"`
+	Action         string    `json:"action" yaml:"action"`
+	Date           time.Time `json:"date" yaml:"date"`
+}
+
+type ListLogsInput struct {
+	OrganizationID string
+	StackID        string
+	Cursor         string
+	PageSize       int64
+	Action         string
+	UserID         string
+	Data           string
+}
+
+type ListLogsOutput struct {
+	OrganizationID string       `json:"organizationID" yaml:"organizationID"`
+	Logs           []LogSummary `json:"logs" yaml:"logs"`
+	HasMore        bool         `json:"hasMore" yaml:"hasMore"`
+	PageSize       int64        `json:"pageSize" yaml:"pageSize"`
+	Next           string       `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous       string       `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type MeService struct {
+	Client MembershipClient
+}
+
+func (s MeService) Run(ctx context.Context) (MeOutput, error) {
+	if s.Client == nil {
+		return MeOutput{}, fmt.Errorf("membership client is required")
+	}
+	response, err := s.Client.ReadConnectedUser(ctx)
+	if err != nil {
+		return MeOutput{}, err
+	}
+	if response.GetReadUserResponse().GetData() == nil {
+		return MeOutput{}, fmt.Errorf("cloud me show returned no user")
+	}
+	return MeOutput{User: userSummary(response.GetReadUserResponse().GetData())}, nil
+}
+
+type ListOrganizationsService struct {
+	Client MembershipClient
+}
+
+func (s ListOrganizationsService) Run(ctx context.Context, input ListOrganizationsInput) (ListOrganizationsOutput, error) {
+	if s.Client == nil {
+		return ListOrganizationsOutput{}, fmt.Errorf("membership client is required")
+	}
+	response, err := s.Client.ListOrganizations(ctx, operations.ListOrganizationsRequest{Expand: &input.Expand})
+	if err != nil {
+		return ListOrganizationsOutput{}, err
+	}
+	data := response.GetListOrganizationExpandedResponse().GetData()
+	organizations := make([]OrganizationSummary, 0, len(data))
+	for i := range data {
+		organizations = append(organizations, organizationSummary(&data[i]))
+	}
+	return ListOrganizationsOutput{Organizations: organizations}, nil
+}
+
+type ReadOrganizationService struct {
+	Client MembershipClient
+}
+
+func (s ReadOrganizationService) Run(ctx context.Context, input OrganizationIDInput) (OrganizationOutput, error) {
+	if s.Client == nil {
+		return OrganizationOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return OrganizationOutput{}, fmt.Errorf("organization id is required")
+	}
+	response, err := s.Client.ReadOrganization(ctx, operations.ReadOrganizationRequest{
+		OrganizationID: input.OrganizationID,
+		Expand:         &input.Expand,
+	})
+	if err != nil {
+		return OrganizationOutput{}, err
+	}
+	if response.GetReadOrganizationResponse().GetData() == nil {
+		return OrganizationOutput{}, fmt.Errorf("cloud organizations show returned no organization")
+	}
+	return OrganizationOutput{Organization: organizationSummary(response.GetReadOrganizationResponse().GetData())}, nil
+}
+
+type CreateOrganizationService struct {
+	Client MembershipClient
+}
+
+func (s CreateOrganizationService) Run(ctx context.Context, input CreateOrganizationInput) (OrganizationOutput, error) {
+	if s.Client == nil {
+		return OrganizationOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.Name == "" {
+		return OrganizationOutput{}, fmt.Errorf("organization name is required")
+	}
+	body := &components.CreateOrganizationRequest{
+		Name:            input.Name,
+		DefaultPolicyID: input.DefaultPolicyID,
+	}
+	if input.Domain != "" {
+		body.Domain = &input.Domain
+	}
+	if input.OwnerID != "" {
+		body.OwnerID = &input.OwnerID
+	}
+	response, err := s.Client.CreateOrganization(ctx, body)
+	if err != nil {
+		return OrganizationOutput{}, err
+	}
+	if response.GetCreateOrganizationResponse().GetData() == nil {
+		return OrganizationOutput{}, fmt.Errorf("cloud organizations create returned no organization")
+	}
+	return OrganizationOutput{Organization: organizationSummary(response.GetCreateOrganizationResponse().GetData())}, nil
+}
+
+type UpdateOrganizationService struct {
+	Client MembershipClient
+}
+
+func (s UpdateOrganizationService) Run(ctx context.Context, input UpdateOrganizationInput) (OrganizationOutput, error) {
+	if s.Client == nil {
+		return OrganizationOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return OrganizationOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.Name == "" {
+		return OrganizationOutput{}, fmt.Errorf("organization name is required")
+	}
+	body := &components.OrganizationData{
+		Name:            input.Name,
+		DefaultPolicyID: input.DefaultPolicyID,
+	}
+	if input.Domain != "" {
+		body.Domain = &input.Domain
+	}
+	response, err := s.Client.UpdateOrganization(ctx, operations.UpdateOrganizationRequest{
+		OrganizationID: input.OrganizationID,
+		Body:           body,
+	})
+	if err != nil {
+		return OrganizationOutput{}, err
+	}
+	if response.GetReadOrganizationResponse().GetData() == nil {
+		return OrganizationOutput{}, fmt.Errorf("cloud organizations update returned no organization")
+	}
+	return OrganizationOutput{Organization: organizationSummary(response.GetReadOrganizationResponse().GetData())}, nil
+}
+
+type DeleteOrganizationService struct {
+	Client MembershipClient
+}
+
+func (s DeleteOrganizationService) Run(ctx context.Context, organizationID string) (DeleteOrganizationOutput, error) {
+	if s.Client == nil {
+		return DeleteOrganizationOutput{}, fmt.Errorf("membership client is required")
+	}
+	if organizationID == "" {
+		return DeleteOrganizationOutput{}, fmt.Errorf("organization id is required")
+	}
+	_, err := s.Client.DeleteOrganization(ctx, operations.DeleteOrganizationRequest{OrganizationID: organizationID})
+	if err != nil {
+		return DeleteOrganizationOutput{}, err
+	}
+	return DeleteOrganizationOutput{OrganizationID: organizationID}, nil
+}
+
+type ListInvitationsService struct {
+	Client MembershipClient
+}
+
+func (s ListInvitationsService) Run(ctx context.Context, input ListInvitationsInput) (ListInvitationsOutput, error) {
+	if s.Client == nil {
+		return ListInvitationsOutput{}, fmt.Errorf("membership client is required")
+	}
+	request := operations.ListInvitationsRequest{}
+	if input.Status != "" {
+		request.Status = &input.Status
+	}
+	if input.Organization != "" {
+		request.Organization = &input.Organization
+	}
+	response, err := s.Client.ListInvitations(ctx, request)
+	if err != nil {
+		return ListInvitationsOutput{}, err
+	}
+	data := response.GetListInvitationsResponse().GetData()
+	invitations := make([]InvitationSummary, 0, len(data))
+	for i := range data {
+		invitations = append(invitations, invitationSummary(&data[i]))
+	}
+	return ListInvitationsOutput{Invitations: invitations}, nil
+}
+
+type InvitationActionService struct {
+	Client MembershipClient
+	Action string
+}
+
+func (s InvitationActionService) Run(ctx context.Context, invitationID string) (InvitationActionOutput, error) {
+	if s.Client == nil {
+		return InvitationActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if invitationID == "" {
+		return InvitationActionOutput{}, fmt.Errorf("invitation id is required")
+	}
+	switch s.Action {
+	case "accept":
+		_, err := s.Client.AcceptInvitation(ctx, operations.AcceptInvitationRequest{InvitationID: invitationID})
+		return InvitationActionOutput{InvitationID: invitationID, Action: s.Action}, err
+	case "decline":
+		_, err := s.Client.DeclineInvitation(ctx, operations.DeclineInvitationRequest{InvitationID: invitationID})
+		return InvitationActionOutput{InvitationID: invitationID, Action: s.Action}, err
+	default:
+		return InvitationActionOutput{}, fmt.Errorf("unsupported invitation action %q", s.Action)
+	}
+}
+
+type ListOrganizationInvitationsService struct {
+	Client MembershipClient
+}
+
+func (s ListOrganizationInvitationsService) Run(ctx context.Context, input ListOrganizationInvitationsInput) (ListInvitationsOutput, error) {
+	if s.Client == nil {
+		return ListInvitationsOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ListInvitationsOutput{}, fmt.Errorf("organization id is required")
+	}
+	request := operations.ListOrganizationInvitationsRequest{OrganizationID: input.OrganizationID}
+	if input.Status != "" {
+		request.Status = &input.Status
+	}
+	response, err := s.Client.ListOrganizationInvitations(ctx, request)
+	if err != nil {
+		return ListInvitationsOutput{}, err
+	}
+	data := response.GetListInvitationsResponse().GetData()
+	invitations := make([]InvitationSummary, 0, len(data))
+	for i := range data {
+		invitations = append(invitations, invitationSummary(&data[i]))
+	}
+	return ListInvitationsOutput{Invitations: invitations}, nil
+}
+
+type CreateInvitationService struct {
+	Client MembershipClient
+}
+
+func (s CreateInvitationService) Run(ctx context.Context, input CreateInvitationInput) (InvitationSummary, error) {
+	if s.Client == nil {
+		return InvitationSummary{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return InvitationSummary{}, fmt.Errorf("organization id is required")
+	}
+	if input.Email == "" {
+		return InvitationSummary{}, fmt.Errorf("invitation email is required")
+	}
+	response, err := s.Client.CreateInvitation(ctx, operations.CreateInvitationRequest{
+		OrganizationID: input.OrganizationID,
+		Email:          input.Email,
+	})
+	if err != nil {
+		return InvitationSummary{}, err
+	}
+	if response.GetCreateInvitationResponse().GetData() == nil {
+		return InvitationSummary{}, fmt.Errorf("cloud organizations invitations send returned no invitation")
+	}
+	return invitationSummary(response.GetCreateInvitationResponse().GetData()), nil
+}
+
+type DeleteInvitationService struct {
+	Client MembershipClient
+}
+
+func (s DeleteInvitationService) Run(ctx context.Context, input OrganizationInvitationActionInput) (OrganizationInvitationActionOutput, error) {
+	if s.Client == nil {
+		return OrganizationInvitationActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return OrganizationInvitationActionOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.InvitationID == "" {
+		return OrganizationInvitationActionOutput{}, fmt.Errorf("invitation id is required")
+	}
+	_, err := s.Client.DeleteInvitation(ctx, operations.DeleteInvitationRequest{
+		OrganizationID: input.OrganizationID,
+		InvitationID:   input.InvitationID,
+	})
+	if err != nil {
+		return OrganizationInvitationActionOutput{}, err
+	}
+	return OrganizationInvitationActionOutput{OrganizationID: input.OrganizationID, InvitationID: input.InvitationID, Action: "delete"}, nil
+}
+
+type ListOrganizationUsersService struct {
+	Client MembershipClient
+}
+
+func (s ListOrganizationUsersService) Run(ctx context.Context, organizationID string) (ListOrganizationUsersOutput, error) {
+	if s.Client == nil {
+		return ListOrganizationUsersOutput{}, fmt.Errorf("membership client is required")
+	}
+	if organizationID == "" {
+		return ListOrganizationUsersOutput{}, fmt.Errorf("organization id is required")
+	}
+	response, err := s.Client.ListUsersOfOrganization(ctx, operations.ListUsersOfOrganizationRequest{OrganizationID: organizationID})
+	if err != nil {
+		return ListOrganizationUsersOutput{}, err
+	}
+	data := response.GetListUsersResponse().GetData()
+	users := make([]OrganizationUserSummary, 0, len(data))
+	for _, user := range data {
+		users = append(users, OrganizationUserSummary{
+			ID:       user.ID,
+			Email:    user.Email,
+			PolicyID: user.PolicyID,
+		})
+	}
+	return ListOrganizationUsersOutput{OrganizationID: organizationID, Users: users}, nil
+}
+
+type ReadOrganizationUserService struct {
+	Client MembershipClient
+}
+
+func (s ReadOrganizationUserService) Run(ctx context.Context, input OrganizationUserActionInput) (OrganizationUserOutput, error) {
+	if s.Client == nil {
+		return OrganizationUserOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return OrganizationUserOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.UserID == "" {
+		return OrganizationUserOutput{}, fmt.Errorf("user id is required")
+	}
+	response, err := s.Client.ReadUserOfOrganization(ctx, operations.ReadUserOfOrganizationRequest{OrganizationID: input.OrganizationID, UserID: input.UserID})
+	if err != nil {
+		return OrganizationUserOutput{}, err
+	}
+	data := response.GetReadOrganizationUserResponse().GetData()
+	if data == nil {
+		return OrganizationUserOutput{}, fmt.Errorf("cloud organizations users show returned no user")
+	}
+	return OrganizationUserOutput{OrganizationID: input.OrganizationID, User: OrganizationUserSummary{ID: data.ID, Email: data.Email, PolicyID: data.PolicyID}}, nil
+}
+
+type OrganizationUserActionService struct {
+	Client MembershipClient
+	Action string
+}
+
+func (s OrganizationUserActionService) Run(ctx context.Context, input OrganizationUserActionInput) (OrganizationUserActionOutput, error) {
+	if s.Client == nil {
+		return OrganizationUserActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return OrganizationUserActionOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.UserID == "" {
+		return OrganizationUserActionOutput{}, fmt.Errorf("user id is required")
+	}
+	output := OrganizationUserActionOutput{OrganizationID: input.OrganizationID, UserID: input.UserID, Action: s.Action, PolicyID: input.PolicyID}
+	switch s.Action {
+	case "link":
+		body := &components.UpdateOrganizationUserRequest{}
+		if input.PolicyID != 0 {
+			body.PolicyID = &input.PolicyID
+		}
+		_, err := s.Client.UpsertOrganizationUser(ctx, operations.UpsertOrganizationUserRequest{OrganizationID: input.OrganizationID, UserID: input.UserID, Body: body})
+		return output, err
+	case "unlink":
+		_, err := s.Client.DeleteUserFromOrganization(ctx, operations.DeleteUserFromOrganizationRequest{OrganizationID: input.OrganizationID, UserID: input.UserID})
+		return output, err
+	default:
+		return OrganizationUserActionOutput{}, fmt.Errorf("unsupported organization user action %q", s.Action)
+	}
+}
+
+type ListPoliciesService struct {
+	Client MembershipClient
+}
+
+func (s ListPoliciesService) Run(ctx context.Context, organizationID string) (ListPoliciesOutput, error) {
+	if s.Client == nil {
+		return ListPoliciesOutput{}, fmt.Errorf("membership client is required")
+	}
+	if organizationID == "" {
+		return ListPoliciesOutput{}, fmt.Errorf("organization id is required")
+	}
+	response, err := s.Client.ListPolicies(ctx, operations.ListPoliciesRequest{OrganizationID: organizationID})
+	if err != nil {
+		return ListPoliciesOutput{}, err
+	}
+	data := response.GetListPoliciesResponse().GetData()
+	policies := make([]PolicySummary, 0, len(data))
+	for i := range data {
+		policies = append(policies, policySummary(&data[i]))
+	}
+	return ListPoliciesOutput{OrganizationID: organizationID, Policies: policies}, nil
+}
+
+type CreatePolicyService struct {
+	Client MembershipClient
+}
+
+func (s CreatePolicyService) Run(ctx context.Context, input PolicyInput) (PolicyOutput, error) {
+	if s.Client == nil {
+		return PolicyOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return PolicyOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.Name == "" {
+		return PolicyOutput{}, fmt.Errorf("policy name is required")
+	}
+	body := &components.CreatePolicyRequest{Name: input.Name}
+	if input.Description != "" {
+		body.Description = &input.Description
+	}
+	response, err := s.Client.CreatePolicy(ctx, operations.CreatePolicyRequest{OrganizationID: input.OrganizationID, Body: body})
+	if err != nil {
+		return PolicyOutput{}, err
+	}
+	if response.GetCreatePolicyResponse().GetData() == nil {
+		return PolicyOutput{}, fmt.Errorf("cloud organizations policies create returned no policy")
+	}
+	return PolicyOutput{OrganizationID: input.OrganizationID, Policy: policySummary(response.GetCreatePolicyResponse().GetData())}, nil
+}
+
+type ReadPolicyService struct {
+	Client MembershipClient
+}
+
+func (s ReadPolicyService) Run(ctx context.Context, input PolicyInput) (PolicyOutput, error) {
+	if err := validatePolicyTarget(input.OrganizationID, input.PolicyID); err != nil {
+		return PolicyOutput{}, err
+	}
+	response, err := s.Client.ReadPolicy(ctx, operations.ReadPolicyRequest{OrganizationID: input.OrganizationID, PolicyID: input.PolicyID})
+	if err != nil {
+		return PolicyOutput{}, err
+	}
+	if response.GetReadPolicyResponse().GetData() == nil {
+		return PolicyOutput{}, fmt.Errorf("cloud organizations policies show returned no policy")
+	}
+	return PolicyOutput{OrganizationID: input.OrganizationID, Policy: policySummary(response.GetReadPolicyResponse().GetData())}, nil
+}
+
+type UpdatePolicyService struct {
+	Client MembershipClient
+}
+
+func (s UpdatePolicyService) Run(ctx context.Context, input PolicyInput) (PolicyOutput, error) {
+	if err := validatePolicyTarget(input.OrganizationID, input.PolicyID); err != nil {
+		return PolicyOutput{}, err
+	}
+	if input.Name == "" {
+		return PolicyOutput{}, fmt.Errorf("policy name is required")
+	}
+	body := &components.CreatePolicyRequest{Name: input.Name}
+	if input.Description != "" {
+		body.Description = &input.Description
+	}
+	response, err := s.Client.UpdatePolicy(ctx, operations.UpdatePolicyRequest{OrganizationID: input.OrganizationID, PolicyID: input.PolicyID, Body: body})
+	if err != nil {
+		return PolicyOutput{}, err
+	}
+	if response.GetUpdatePolicyResponse().GetData() == nil {
+		return PolicyOutput{}, fmt.Errorf("cloud organizations policies update returned no policy")
+	}
+	return PolicyOutput{OrganizationID: input.OrganizationID, Policy: policySummary(response.GetUpdatePolicyResponse().GetData())}, nil
+}
+
+type PolicyActionService struct {
+	Client MembershipClient
+	Action string
+}
+
+func (s PolicyActionService) Run(ctx context.Context, input PolicyActionInput) (PolicyActionOutput, error) {
+	if err := validatePolicyTarget(input.OrganizationID, input.PolicyID); err != nil {
+		return PolicyActionOutput{}, err
+	}
+	output := PolicyActionOutput{OrganizationID: input.OrganizationID, PolicyID: input.PolicyID, ScopeID: input.ScopeID, Action: s.Action}
+	switch s.Action {
+	case "delete":
+		_, err := s.Client.DeletePolicy(ctx, operations.DeletePolicyRequest{OrganizationID: input.OrganizationID, PolicyID: input.PolicyID})
+		return output, err
+	case "add-scope":
+		if input.ScopeID == 0 {
+			return PolicyActionOutput{}, fmt.Errorf("scope id is required")
+		}
+		_, err := s.Client.AddScopeToPolicy(ctx, operations.AddScopeToPolicyRequest{OrganizationID: input.OrganizationID, PolicyID: input.PolicyID, ScopeID: input.ScopeID})
+		return output, err
+	case "remove-scope":
+		if input.ScopeID == 0 {
+			return PolicyActionOutput{}, fmt.Errorf("scope id is required")
+		}
+		_, err := s.Client.RemoveScopeFromPolicy(ctx, operations.RemoveScopeFromPolicyRequest{OrganizationID: input.OrganizationID, PolicyID: input.PolicyID, ScopeID: input.ScopeID})
+		return output, err
+	default:
+		return PolicyActionOutput{}, fmt.Errorf("unsupported policy action %q", s.Action)
+	}
+}
+
+type ListRegionsService struct {
+	Client MembershipClient
+}
+
+func (s ListRegionsService) Run(ctx context.Context, organizationID string) (ListRegionsOutput, error) {
+	if s.Client == nil {
+		return ListRegionsOutput{}, fmt.Errorf("membership client is required")
+	}
+	if organizationID == "" {
+		return ListRegionsOutput{}, fmt.Errorf("organization id is required")
+	}
+	response, err := s.Client.ListRegions(ctx, operations.ListRegionsRequest{OrganizationID: organizationID})
+	if err != nil {
+		return ListRegionsOutput{}, err
+	}
+	if response.GetListRegionsResponse() == nil {
+		return ListRegionsOutput{}, fmt.Errorf("cloud regions list returned no regions")
+	}
+	data := response.GetListRegionsResponse().GetData()
+	regions := make([]RegionSummary, 0, len(data))
+	for i := range data {
+		regions = append(regions, regionSummaryFromAny(&data[i]))
+	}
+	return ListRegionsOutput{OrganizationID: organizationID, Regions: regions}, nil
+}
+
+type ListRegionVersionsService struct {
+	Client MembershipClient
+}
+
+func (s ListRegionVersionsService) Run(ctx context.Context, input RegionInput) (ListRegionVersionsOutput, error) {
+	if s.Client == nil {
+		return ListRegionVersionsOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ListRegionVersionsOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.RegionID == "" {
+		return ListRegionVersionsOutput{}, fmt.Errorf("region id is required")
+	}
+	response, err := s.Client.GetRegionVersions(ctx, operations.GetRegionVersionsRequest{
+		OrganizationID: input.OrganizationID,
+		RegionID:       input.RegionID,
+	})
+	if err != nil {
+		return ListRegionVersionsOutput{}, err
+	}
+	if response.GetGetRegionVersionsResponse() == nil {
+		return ListRegionVersionsOutput{}, fmt.Errorf("cloud region versions list returned no versions")
+	}
+	data := response.GetGetRegionVersionsResponse().GetData()
+	versions := make([]RegionVersionSummary, 0, len(data))
+	for i := range data {
+		deprecated := false
+		if data[i].Deprecated != nil {
+			deprecated = *data[i].Deprecated
+		}
+		versions = append(versions, RegionVersionSummary{
+			Name:       data[i].Name,
+			RegionID:   data[i].RegionID,
+			Deprecated: deprecated,
+		})
+	}
+	return ListRegionVersionsOutput{OrganizationID: input.OrganizationID, RegionID: input.RegionID, Versions: versions}, nil
+}
+
+type ReadRegionService struct {
+	Client MembershipClient
+}
+
+func (s ReadRegionService) Run(ctx context.Context, input RegionInput) (RegionOutput, error) {
+	if s.Client == nil {
+		return RegionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if err := validateRegionTarget(input.OrganizationID, input.RegionID); err != nil {
+		return RegionOutput{}, err
+	}
+	response, err := s.Client.GetRegion(ctx, operations.GetRegionRequest{
+		OrganizationID: input.OrganizationID,
+		RegionID:       input.RegionID,
+	})
+	if err != nil {
+		return RegionOutput{}, err
+	}
+	if response.GetGetRegionResponse() == nil {
+		return RegionOutput{}, fmt.Errorf("cloud regions show returned no region")
+	}
+	region := response.GetGetRegionResponse().GetData()
+	return RegionOutput{OrganizationID: input.OrganizationID, Region: regionSummaryFromAny(&region)}, nil
+}
+
+type CreateRegionService struct {
+	Client MembershipClient
+}
+
+func (s CreateRegionService) Run(ctx context.Context, input RegionInput) (RegionOutput, error) {
+	if s.Client == nil {
+		return RegionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return RegionOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.Name == "" {
+		return RegionOutput{}, fmt.Errorf("region name is required")
+	}
+	response, err := s.Client.CreatePrivateRegion(ctx, operations.CreatePrivateRegionRequest{
+		OrganizationID: input.OrganizationID,
+		Body:           &components.CreatePrivateRegionRequest{Name: input.Name},
+	})
+	if err != nil {
+		return RegionOutput{}, err
+	}
+	if response.GetCreatedPrivateRegionResponse() == nil {
+		return RegionOutput{}, fmt.Errorf("cloud regions create returned no region")
+	}
+	region := response.GetCreatedPrivateRegionResponse().GetData()
+	return RegionOutput{OrganizationID: input.OrganizationID, Region: regionSummaryFromPrivate(&region)}, nil
+}
+
+type DeleteRegionService struct {
+	Client MembershipClient
+}
+
+func (s DeleteRegionService) Run(ctx context.Context, input RegionInput) (RegionActionOutput, error) {
+	if s.Client == nil {
+		return RegionActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if err := validateRegionTarget(input.OrganizationID, input.RegionID); err != nil {
+		return RegionActionOutput{}, err
+	}
+	_, err := s.Client.DeleteRegion(ctx, operations.DeleteRegionRequest{
+		OrganizationID: input.OrganizationID,
+		RegionID:       input.RegionID,
+	})
+	if err != nil {
+		return RegionActionOutput{}, err
+	}
+	return RegionActionOutput{OrganizationID: input.OrganizationID, RegionID: input.RegionID, Action: "delete"}, nil
+}
+
+type ListApplicationsService struct {
+	Client MembershipClient
+}
+
+func (s ListApplicationsService) Run(ctx context.Context, input ListApplicationsInput) (ListApplicationsOutput, error) {
+	if s.Client == nil {
+		return ListApplicationsOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ListApplicationsOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.Page < 0 {
+		return ListApplicationsOutput{}, fmt.Errorf("page must be zero or greater")
+	}
+	if input.PageSize <= 0 {
+		return ListApplicationsOutput{}, fmt.Errorf("page-size must be a positive integer")
+	}
+	response, err := s.Client.ListOrganizationApplications(ctx, operations.ListOrganizationApplicationsRequest{
+		OrganizationID: input.OrganizationID,
+		Page:           &input.Page,
+		PageSize:       &input.PageSize,
+	})
+	if err != nil {
+		return ListApplicationsOutput{}, err
+	}
+	if response.GetListApplicationsResponse() == nil || response.GetListApplicationsResponse().GetCursor() == nil {
+		return ListApplicationsOutput{}, fmt.Errorf("cloud organizations applications list returned no applications")
+	}
+	cursor := response.GetListApplicationsResponse().GetCursor()
+	data := cursor.GetData()
+	applications := make([]ApplicationSummary, 0, len(data))
+	for i := range data {
+		applications = append(applications, applicationSummary(&data[i]))
+	}
+	output := ListApplicationsOutput{
+		OrganizationID: input.OrganizationID,
+		Applications:   applications,
+		HasMore:        cursor.GetHasMore(),
+		PageSize:       cursor.GetPageSize(),
+	}
+	if cursor.GetNext() != nil {
+		output.Next = *cursor.GetNext()
+	}
+	if cursor.GetPrevious() != nil {
+		output.Previous = *cursor.GetPrevious()
+	}
+	return output, nil
+}
+
+type ReadApplicationService struct {
+	Client MembershipClient
+}
+
+func (s ReadApplicationService) Run(ctx context.Context, input ApplicationInput) (ApplicationOutput, error) {
+	if s.Client == nil {
+		return ApplicationOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ApplicationOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.ApplicationID == "" {
+		return ApplicationOutput{}, fmt.Errorf("application id is required")
+	}
+	response, err := s.Client.GetOrganizationApplication(ctx, operations.GetOrganizationApplicationRequest{
+		OrganizationID: input.OrganizationID,
+		ApplicationID:  input.ApplicationID,
+	})
+	if err != nil {
+		return ApplicationOutput{}, err
+	}
+	if response.GetGetApplicationResponse() == nil || response.GetGetApplicationResponse().GetData() == nil {
+		return ApplicationOutput{}, fmt.Errorf("cloud organizations applications show returned no application")
+	}
+	return ApplicationOutput{OrganizationID: input.OrganizationID, Application: applicationSummaryWithScopes(response.GetGetApplicationResponse().GetData())}, nil
+}
+
+type ReadAuthenticationProviderService struct {
+	Client MembershipClient
+}
+
+func (s ReadAuthenticationProviderService) Run(ctx context.Context, organizationID string) (AuthenticationProviderOutput, error) {
+	if s.Client == nil {
+		return AuthenticationProviderOutput{}, fmt.Errorf("membership client is required")
+	}
+	if organizationID == "" {
+		return AuthenticationProviderOutput{}, fmt.Errorf("organization id is required")
+	}
+	response, err := s.Client.ReadAuthenticationProvider(ctx, operations.ReadAuthenticationProviderRequest{OrganizationID: organizationID})
+	if err != nil {
+		return AuthenticationProviderOutput{}, err
+	}
+	if response.GetAuthenticationProviderResponse() == nil || response.GetAuthenticationProviderResponse().GetData() == nil {
+		return AuthenticationProviderOutput{}, fmt.Errorf("cloud organizations authentication-provider show returned no provider")
+	}
+	return AuthenticationProviderOutput{OrganizationID: organizationID, Provider: authenticationProviderSummary(response.GetAuthenticationProviderResponse().GetData())}, nil
+}
+
+type ConfigureAuthenticationProviderService struct {
+	Client MembershipClient
+}
+
+func (s ConfigureAuthenticationProviderService) Run(ctx context.Context, input AuthenticationProviderInput) (AuthenticationProviderOutput, error) {
+	if s.Client == nil {
+		return AuthenticationProviderOutput{}, fmt.Errorf("membership client is required")
+	}
+	body, err := authenticationProviderRequest(input)
+	if err != nil {
+		return AuthenticationProviderOutput{}, err
+	}
+	response, err := s.Client.UpsertAuthenticationProvider(ctx, operations.UpsertAuthenticationProviderRequest{
+		OrganizationID: input.OrganizationID,
+		Body:           &body,
+	})
+	if err != nil {
+		return AuthenticationProviderOutput{}, err
+	}
+	if response.GetAuthenticationProviderResponse() == nil || response.GetAuthenticationProviderResponse().GetData() == nil {
+		return AuthenticationProviderOutput{}, fmt.Errorf("cloud organizations authentication-provider configure returned no provider")
+	}
+	return AuthenticationProviderOutput{OrganizationID: input.OrganizationID, Provider: authenticationProviderSummary(response.GetAuthenticationProviderResponse().GetData())}, nil
+}
+
+type DeleteAuthenticationProviderService struct {
+	Client MembershipClient
+}
+
+func (s DeleteAuthenticationProviderService) Run(ctx context.Context, organizationID string) (AuthenticationProviderActionOutput, error) {
+	if s.Client == nil {
+		return AuthenticationProviderActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if organizationID == "" {
+		return AuthenticationProviderActionOutput{}, fmt.Errorf("organization id is required")
+	}
+	_, err := s.Client.DeleteAuthenticationProvider(ctx, operations.DeleteAuthenticationProviderRequest{OrganizationID: organizationID})
+	if err != nil {
+		return AuthenticationProviderActionOutput{}, err
+	}
+	return AuthenticationProviderActionOutput{OrganizationID: organizationID, Action: "delete"}, nil
+}
+
+type ListOAuthClientsService struct {
+	Client MembershipClient
+}
+
+func (s ListOAuthClientsService) Run(ctx context.Context, input ListOAuthClientsInput) (ListOAuthClientsOutput, error) {
+	if s.Client == nil {
+		return ListOAuthClientsOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ListOAuthClientsOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.PageSize < 0 {
+		return ListOAuthClientsOutput{}, fmt.Errorf("page-size must be zero or greater")
+	}
+	request := operations.OrganizationClientsReadRequest{OrganizationID: input.OrganizationID}
+	if input.Cursor != "" {
+		request.Cursor = &input.Cursor
+	}
+	if input.PageSize > 0 {
+		request.PageSize = &input.PageSize
+	}
+	response, err := s.Client.OrganizationClientsRead(ctx, request)
+	if err != nil {
+		return ListOAuthClientsOutput{}, err
+	}
+	if response.GetReadOrganizationClientsResponse() == nil {
+		return ListOAuthClientsOutput{}, fmt.Errorf("cloud organizations oauth-clients list returned no clients")
+	}
+	cursor := response.GetReadOrganizationClientsResponse().GetData()
+	data := cursor.GetData()
+	clients := make([]OAuthClientSummary, 0, len(data))
+	for i := range data {
+		clients = append(clients, oauthClientSummary(&data[i], false))
+	}
+	output := ListOAuthClientsOutput{OrganizationID: input.OrganizationID, Clients: clients, HasMore: cursor.GetHasMore(), PageSize: cursor.GetPageSize()}
+	if cursor.GetNext() != nil {
+		output.Next = *cursor.GetNext()
+	}
+	if cursor.GetPrevious() != nil {
+		output.Previous = *cursor.GetPrevious()
+	}
+	return output, nil
+}
+
+type ReadOAuthClientService struct {
+	Client MembershipClient
+}
+
+func (s ReadOAuthClientService) Run(ctx context.Context, input OAuthClientInput) (OAuthClientOutput, error) {
+	if s.Client == nil {
+		return OAuthClientOutput{}, fmt.Errorf("membership client is required")
+	}
+	clientID, err := validateOAuthClientTarget(input.OrganizationID, input.ClientID)
+	if err != nil {
+		return OAuthClientOutput{}, err
+	}
+	response, err := s.Client.OrganizationClientRead(ctx, operations.OrganizationClientReadRequest{OrganizationID: input.OrganizationID, ClientID: clientID})
+	if err != nil {
+		return OAuthClientOutput{}, err
+	}
+	if response.GetReadOrganizationClientResponse() == nil {
+		return OAuthClientOutput{}, fmt.Errorf("cloud organizations oauth-clients show returned no client")
+	}
+	client := response.GetReadOrganizationClientResponse().GetData()
+	return OAuthClientOutput{OrganizationID: input.OrganizationID, Client: oauthClientSummary(&client, false)}, nil
+}
+
+type CreateOAuthClientService struct {
+	Client MembershipClient
+}
+
+func (s CreateOAuthClientService) Run(ctx context.Context, input OAuthClientInput) (OAuthClientOutput, error) {
+	if s.Client == nil {
+		return OAuthClientOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return OAuthClientOutput{}, fmt.Errorf("organization id is required")
+	}
+	body := &components.CreateOrganizationClientRequest{}
+	if input.Name != "" {
+		body.Name = &input.Name
+	}
+	if input.Description != "" {
+		body.Description = &input.Description
+	}
+	response, err := s.Client.OrganizationClientCreate(ctx, operations.OrganizationClientCreateRequest{OrganizationID: input.OrganizationID, Body: body})
+	if err != nil {
+		return OAuthClientOutput{}, err
+	}
+	if response.GetCreateOrganizationClientResponse() == nil {
+		return OAuthClientOutput{}, fmt.Errorf("cloud organizations oauth-clients create returned no client")
+	}
+	client := response.GetCreateOrganizationClientResponse().GetData()
+	return OAuthClientOutput{OrganizationID: input.OrganizationID, Client: oauthClientSummary(&client, true)}, nil
+}
+
+type UpdateOAuthClientService struct {
+	Client MembershipClient
+}
+
+func (s UpdateOAuthClientService) Run(ctx context.Context, input OAuthClientInput) (OAuthClientOutput, error) {
+	if s.Client == nil {
+		return OAuthClientOutput{}, fmt.Errorf("membership client is required")
+	}
+	clientID, err := validateOAuthClientTarget(input.OrganizationID, input.ClientID)
+	if err != nil {
+		return OAuthClientOutput{}, err
+	}
+	if input.Name == "" {
+		return OAuthClientOutput{}, fmt.Errorf("oauth client name is required")
+	}
+	body := &components.UpdateOrganizationClientRequest{Name: input.Name}
+	if input.Description != "" {
+		body.Description = &input.Description
+	}
+	if _, err := s.Client.OrganizationClientUpdate(ctx, operations.OrganizationClientUpdateRequest{OrganizationID: input.OrganizationID, ClientID: clientID, Body: body}); err != nil {
+		return OAuthClientOutput{}, err
+	}
+	response, err := s.Client.OrganizationClientRead(ctx, operations.OrganizationClientReadRequest{OrganizationID: input.OrganizationID, ClientID: clientID})
+	if err != nil {
+		return OAuthClientOutput{}, err
+	}
+	if response.GetReadOrganizationClientResponse() == nil {
+		return OAuthClientOutput{}, fmt.Errorf("cloud organizations oauth-clients update returned no client")
+	}
+	client := response.GetReadOrganizationClientResponse().GetData()
+	return OAuthClientOutput{OrganizationID: input.OrganizationID, Client: oauthClientSummary(&client, false)}, nil
+}
+
+type DeleteOAuthClientService struct {
+	Client MembershipClient
+}
+
+func (s DeleteOAuthClientService) Run(ctx context.Context, input OAuthClientInput) (OAuthClientActionOutput, error) {
+	if s.Client == nil {
+		return OAuthClientActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	clientID, err := validateOAuthClientTarget(input.OrganizationID, input.ClientID)
+	if err != nil {
+		return OAuthClientActionOutput{}, err
+	}
+	_, err = s.Client.OrganizationClientDelete(ctx, operations.OrganizationClientDeleteRequest{OrganizationID: input.OrganizationID, ClientID: clientID})
+	if err != nil {
+		return OAuthClientActionOutput{}, err
+	}
+	return OAuthClientActionOutput{OrganizationID: input.OrganizationID, ClientID: oauthClientDisplayID(clientID), Action: "delete"}, nil
+}
+
+type ListLogsService struct {
+	Client MembershipClient
+}
+
+func (s ListLogsService) Run(ctx context.Context, input ListLogsInput) (ListLogsOutput, error) {
+	if s.Client == nil {
+		return ListLogsOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ListLogsOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.PageSize <= 0 {
+		return ListLogsOutput{}, fmt.Errorf("page-size must be a positive integer")
+	}
+	if input.Cursor != "" && (input.UserID != "" || input.Action != "" || input.Data != "" || input.StackID != "") {
+		return ListLogsOutput{}, fmt.Errorf("cursor cannot be used with other filters")
+	}
+	request := operations.ListLogsRequest{OrganizationID: input.OrganizationID, PageSize: &input.PageSize}
+	if input.Cursor != "" {
+		request.Cursor = &input.Cursor
+	}
+	if input.StackID != "" {
+		request.StackID = &input.StackID
+	}
+	if input.UserID != "" {
+		request.UserID = &input.UserID
+	}
+	if input.Action != "" {
+		action := components.Action(input.Action)
+		request.Action = &action
+	}
+	if input.Data != "" {
+		key, value, ok := strings.Cut(input.Data, "=")
+		if !ok || key == "" {
+			return ListLogsOutput{}, fmt.Errorf("data filter must be in the form key=value")
+		}
+		request.Key = &key
+		request.Value = &value
+	}
+	response, err := s.Client.ListLogs(ctx, request)
+	if err != nil {
+		return ListLogsOutput{}, err
+	}
+	if response.GetLogCursor() == nil {
+		return ListLogsOutput{}, fmt.Errorf("cloud organizations history returned no logs")
+	}
+	cursor := response.GetLogCursor().GetData()
+	data := cursor.GetData()
+	logs := make([]LogSummary, 0, len(data))
+	for i := range data {
+		logs = append(logs, logSummary(&data[i]))
+	}
+	output := ListLogsOutput{OrganizationID: input.OrganizationID, Logs: logs, HasMore: cursor.GetHasMore(), PageSize: cursor.GetPageSize()}
+	if cursor.GetNext() != nil {
+		output.Next = *cursor.GetNext()
+	}
+	if cursor.GetPrevious() != nil {
+		output.Previous = *cursor.GetPrevious()
+	}
+	return output, nil
+}
+
+func authenticationProviderRequest(input AuthenticationProviderInput) (components.UpsertAuthenticationProviderRequest, error) {
+	if input.OrganizationID == "" {
+		return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("organization id is required")
+	}
+	if input.Type == "" {
+		return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("authentication provider type is required")
+	}
+	if input.Name == "" {
+		return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("authentication provider name is required")
+	}
+	if input.ClientID == "" {
+		return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("authentication provider client id is required")
+	}
+	if input.ClientSecret == "" {
+		return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("authentication provider client secret is required")
+	}
+	switch input.Type {
+	case "github":
+		return components.CreateUpsertAuthenticationProviderRequestUpsertAuthenticationProviderRequestGithubIDPConfig(components.UpsertAuthenticationProviderRequestGithubIDPConfig{
+			Type:         components.UpsertAuthenticationProviderRequestGithubIDPConfigTypeGithub,
+			Name:         input.Name,
+			ClientID:     input.ClientID,
+			ClientSecret: input.ClientSecret,
+			Config:       components.UpsertAuthenticationProviderRequestGithubIDPConfigConfig{},
+		}), nil
+	case "google":
+		return components.CreateUpsertAuthenticationProviderRequestUpsertAuthenticationProviderRequestGoogleIDPConfig(components.UpsertAuthenticationProviderRequestGoogleIDPConfig{
+			Type:         components.UpsertAuthenticationProviderRequestGoogleIDPConfigTypeGoogle,
+			Name:         input.Name,
+			ClientID:     input.ClientID,
+			ClientSecret: input.ClientSecret,
+			Config:       components.UpsertAuthenticationProviderRequestGoogleIDPConfigConfig{},
+		}), nil
+	case "microsoft":
+		tenant := input.MicrosoftTenant
+		return components.CreateUpsertAuthenticationProviderRequestUpsertAuthenticationProviderRequestMicrosoftIDPConfig(components.UpsertAuthenticationProviderRequestMicrosoftIDPConfig{
+			Type:         components.UpsertAuthenticationProviderRequestMicrosoftIDPConfigTypeMicrosoft,
+			Name:         input.Name,
+			ClientID:     input.ClientID,
+			ClientSecret: input.ClientSecret,
+			Config:       components.UpsertAuthenticationProviderRequestMicrosoftIDPConfigConfig{Tenant: &tenant},
+		}), nil
+	case "oidc":
+		if input.OIDCIssuer == "" {
+			return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("oidc issuer is required")
+		}
+		config := components.UpsertAuthenticationProviderRequestOIDCConfigConfig{Issuer: input.OIDCIssuer}
+		if input.OIDCDiscovery != "" {
+			config.DiscoveryPath = &input.OIDCDiscovery
+		}
+		return components.CreateUpsertAuthenticationProviderRequestUpsertAuthenticationProviderRequestOIDCConfig(components.UpsertAuthenticationProviderRequestOIDCConfig{
+			Type:         components.UpsertAuthenticationProviderRequestOIDCConfigTypeOidc,
+			Name:         input.Name,
+			ClientID:     input.ClientID,
+			ClientSecret: input.ClientSecret,
+			Config:       config,
+		}), nil
+	default:
+		return components.UpsertAuthenticationProviderRequest{}, fmt.Errorf("unsupported authentication provider type %q", input.Type)
+	}
+}
+
+func validateRegionTarget(organizationID string, regionID string) error {
+	if organizationID == "" {
+		return fmt.Errorf("organization id is required")
+	}
+	if regionID == "" {
+		return fmt.Errorf("region id is required")
+	}
+	return nil
+}
+
+func validateOAuthClientTarget(organizationID string, clientID string) (string, error) {
+	if organizationID == "" {
+		return "", fmt.Errorf("organization id is required")
+	}
+	clientID = normalizeOAuthClientID(clientID)
+	if clientID == "" {
+		return "", fmt.Errorf("oauth client id is required")
+	}
+	return clientID, nil
+}
+
+func validatePolicyTarget(organizationID string, policyID int64) error {
+	if organizationID == "" {
+		return fmt.Errorf("organization id is required")
+	}
+	if policyID == 0 {
+		return fmt.Errorf("policy id is required")
+	}
+	return nil
+}
+
+func organizationSummary(organization *components.OrganizationExpanded) OrganizationSummary {
+	if organization == nil {
+		return OrganizationSummary{}
+	}
+	summary := OrganizationSummary{
+		ID:                 organization.ID,
+		Name:               organization.Name,
+		OwnerID:            organization.OwnerID,
+		DefaultPolicyID:    organization.DefaultPolicyID,
+		AvailableStacks:    organization.AvailableStacks,
+		AvailableSandboxes: organization.AvailableSandboxes,
+		TotalStacks:        organization.TotalStacks,
+		TotalUsers:         organization.TotalUsers,
+		CreatedAt:          organization.CreatedAt,
+		UpdatedAt:          organization.UpdatedAt,
+	}
+	if organization.Domain != nil {
+		summary.Domain = *organization.Domain
+	}
+	if organization.Owner != nil {
+		owner := userSummary(organization.Owner)
+		summary.Owner = &owner
+	}
+	return summary
+}
+
+func policySummary(policy *components.Policy) PolicySummary {
+	if policy == nil {
+		return PolicySummary{}
+	}
+	summary := PolicySummary{
+		ID:        policy.ID,
+		Name:      policy.Name,
+		Protected: policy.Protected,
+		CreatedAt: policy.CreatedAt,
+		UpdatedAt: policy.UpdatedAt,
+	}
+	if policy.Description != nil {
+		summary.Description = *policy.Description
+	}
+	if policy.OrganizationID != nil {
+		summary.OrganizationID = *policy.OrganizationID
+	}
+	if len(policy.Scopes) > 0 {
+		summary.Scopes = make([]ScopeSummary, 0, len(policy.Scopes))
+		for i := range policy.Scopes {
+			summary.Scopes = append(summary.Scopes, scopeSummary(&policy.Scopes[i]))
+		}
+	}
+	return summary
+}
+
+func scopeSummary(scope *components.Scope) ScopeSummary {
+	if scope == nil {
+		return ScopeSummary{}
+	}
+	summary := ScopeSummary{ID: scope.ID, Label: scope.Label, Protected: scope.Protected}
+	if scope.Description != nil {
+		summary.Description = *scope.Description
+	}
+	if scope.ApplicationID != nil {
+		summary.ApplicationID = *scope.ApplicationID
+	}
+	return summary
+}
+
+func regionSummaryFromAny(region *components.AnyRegion) RegionSummary {
+	if region == nil {
+		return RegionSummary{}
+	}
+	summary := RegionSummary{
+		ID:      region.ID,
+		Name:    region.Name,
+		BaseURL: region.BaseURL,
+		Active:  region.Active,
+		Public:  region.Public,
+	}
+	if region.Version != nil {
+		summary.Version = *region.Version
+	}
+	if region.OrganizationID != nil {
+		summary.OrganizationID = *region.OrganizationID
+	}
+	return summary
+}
+
+func regionSummaryFromPrivate(region *components.PrivateRegion) RegionSummary {
+	if region == nil {
+		return RegionSummary{}
+	}
+	summary := RegionSummary{
+		ID:             region.ID,
+		Name:           region.Name,
+		BaseURL:        region.BaseURL,
+		Active:         region.Active,
+		OrganizationID: region.OrganizationID,
+	}
+	if region.Version != nil {
+		summary.Version = *region.Version
+	}
+	return summary
+}
+
+func applicationSummary(application *components.Application) ApplicationSummary {
+	if application == nil {
+		return ApplicationSummary{}
+	}
+	summary := ApplicationSummary{
+		ID:        application.ID,
+		Name:      application.Name,
+		Alias:     application.Alias,
+		URL:       application.URL,
+		CreatedAt: application.CreatedAt,
+		UpdatedAt: application.UpdatedAt,
+	}
+	if application.Description != nil {
+		summary.Description = *application.Description
+	}
+	return summary
+}
+
+func applicationSummaryWithScopes(application *components.ApplicationWithScope) ApplicationSummary {
+	if application == nil {
+		return ApplicationSummary{}
+	}
+	summary := ApplicationSummary{
+		ID:        application.ID,
+		Name:      application.Name,
+		Alias:     application.Alias,
+		URL:       application.URL,
+		CreatedAt: application.CreatedAt,
+		UpdatedAt: application.UpdatedAt,
+	}
+	if application.Description != nil {
+		summary.Description = *application.Description
+	}
+	if len(application.Scopes) > 0 {
+		summary.Scopes = make([]ScopeSummary, 0, len(application.Scopes))
+		for i := range application.Scopes {
+			summary.Scopes = append(summary.Scopes, scopeSummary(&application.Scopes[i]))
+		}
+	}
+	return summary
+}
+
+func authenticationProviderSummary(provider *components.Data) AuthenticationProviderSummary {
+	if provider == nil {
+		return AuthenticationProviderSummary{}
+	}
+	switch provider.Type {
+	case components.DataTypeAuthenticationProviderResponseGithubIDPConfig:
+		if p := provider.AuthenticationProviderResponseGithubIDPConfig; p != nil {
+			return AuthenticationProviderSummary{
+				Type:         string(p.GetType()),
+				Name:         p.GetName(),
+				ClientID:     p.GetClientID(),
+				RedirectURI:  p.GetRedirectURI(),
+				CreatedAt:    p.GetCreatedAt(),
+				UpdatedAt:    p.GetUpdatedAt(),
+				Organization: p.GetOrganizationID(),
+			}
+		}
+	case components.DataTypeAuthenticationProviderResponseGoogleIDPConfig:
+		if p := provider.AuthenticationProviderResponseGoogleIDPConfig; p != nil {
+			return AuthenticationProviderSummary{
+				Type:         string(p.GetType()),
+				Name:         p.GetName(),
+				ClientID:     p.GetClientID(),
+				RedirectURI:  p.GetRedirectURI(),
+				CreatedAt:    p.GetCreatedAt(),
+				UpdatedAt:    p.GetUpdatedAt(),
+				Organization: p.GetOrganizationID(),
+			}
+		}
+	case components.DataTypeAuthenticationProviderResponseMicrosoftIDPConfig:
+		if p := provider.AuthenticationProviderResponseMicrosoftIDPConfig; p != nil {
+			summary := AuthenticationProviderSummary{
+				Type:         string(p.GetType()),
+				Name:         p.GetName(),
+				ClientID:     p.GetClientID(),
+				RedirectURI:  p.GetRedirectURI(),
+				CreatedAt:    p.GetCreatedAt(),
+				UpdatedAt:    p.GetUpdatedAt(),
+				Organization: p.GetOrganizationID(),
+			}
+			config := p.GetConfig()
+			if config.GetTenant() != nil {
+				summary.Tenant = *config.GetTenant()
+			}
+			return summary
+		}
+	case components.DataTypeAuthenticationProviderResponseOIDCConfig:
+		if p := provider.AuthenticationProviderResponseOIDCConfig; p != nil {
+			config := p.GetConfig()
+			return AuthenticationProviderSummary{
+				Type:         string(p.GetType()),
+				Name:         p.GetName(),
+				ClientID:     p.GetClientID(),
+				RedirectURI:  p.GetRedirectURI(),
+				Issuer:       config.GetIssuer(),
+				CreatedAt:    p.GetCreatedAt(),
+				UpdatedAt:    p.GetUpdatedAt(),
+				Organization: p.GetOrganizationID(),
+			}
+		}
+	}
+	return AuthenticationProviderSummary{}
+}
+
+func oauthClientSummary(client *components.OrganizationClient, includeSecret bool) OAuthClientSummary {
+	if client == nil {
+		return OAuthClientSummary{}
+	}
+	secret := client.GetSecret()
+	summary := OAuthClientSummary{
+		ID:               client.GetID(),
+		ClientID:         oauthClientDisplayID(client.GetID()),
+		Name:             client.GetName(),
+		Description:      client.GetDescription(),
+		SecretLastDigits: secret.GetLastDigits(),
+		CreatedAt:        client.GetCreatedAt(),
+		UpdatedAt:        client.GetUpdatedAt(),
+	}
+	if includeSecret && secret.GetClear() != nil {
+		summary.Secret = *secret.GetClear()
+	}
+	return summary
+}
+
+func normalizeOAuthClientID(clientID string) string {
+	return strings.TrimPrefix(clientID, "organization_")
+}
+
+func oauthClientDisplayID(clientID string) string {
+	clientID = normalizeOAuthClientID(clientID)
+	if clientID == "" {
+		return ""
+	}
+	return "organization_" + clientID
+}
+
+func logSummary(log *components.Log) LogSummary {
+	if log == nil {
+		return LogSummary{}
+	}
+	return LogSummary{
+		Seq:            log.Seq,
+		OrganizationID: log.OrganizationID,
+		UserID:         log.UserID,
+		Action:         log.Action,
+		Date:           log.Date,
+	}
+}
+
+func invitationSummary(invitation *components.Invitation) InvitationSummary {
+	if invitation == nil {
+		return InvitationSummary{}
+	}
+	summary := InvitationSummary{
+		ID:             invitation.ID,
+		OrganizationID: invitation.OrganizationID,
+		UserEmail:      invitation.UserEmail,
+		Status:         string(invitation.Status),
+		CreationDate:   invitation.CreationDate,
+		ExpiresAt:      invitation.ExpiresAt,
+	}
+	if invitation.UserID != nil {
+		summary.UserID = *invitation.UserID
+	}
+	if invitation.CreatorID != nil {
+		summary.CreatorID = *invitation.CreatorID
+	}
+	return summary
+}
+
+func userSummary(user *components.User) UserSummary {
+	if user == nil {
+		return UserSummary{}
+	}
+	summary := UserSummary{
+		ID:    user.ID,
+		Email: user.Email,
+	}
+	if user.Role != nil {
+		summary.Role = string(*user.Role)
+	}
+	return summary
+}
diff --git a/v4/internal/commands/cloud/stacks.go b/v4/internal/commands/cloud/stacks.go
new file mode 100644
index 00000000..02b0e960
--- /dev/null
+++ b/v4/internal/commands/cloud/stacks.go
@@ -0,0 +1,718 @@
+package cloud
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/formancehq/fctl/internal/membershipclient/v3/models/components"
+	"github.com/formancehq/fctl/internal/membershipclient/v3/models/operations"
+)
+
+type StackClient interface {
+	GetServerInfo(context.Context, ...operations.Option) (*operations.GetServerInfoResponse, error)
+	ListStacks(context.Context, operations.ListStacksRequest, ...operations.Option) (*operations.ListStacksResponse, error)
+	GetStack(context.Context, operations.GetStackRequest, ...operations.Option) (*operations.GetStackResponse, error)
+	CreateStack(context.Context, operations.CreateStackRequest, ...operations.Option) (*operations.CreateStackResponse, error)
+	UpdateStack(context.Context, operations.UpdateStackRequest, ...operations.Option) (*operations.UpdateStackResponse, error)
+	DeleteStack(context.Context, operations.DeleteStackRequest, ...operations.Option) (*operations.DeleteStackResponse, error)
+	EnableStack(context.Context, operations.EnableStackRequest, ...operations.Option) (*operations.EnableStackResponse, error)
+	DisableStack(context.Context, operations.DisableStackRequest, ...operations.Option) (*operations.DisableStackResponse, error)
+	RestoreStack(context.Context, operations.RestoreStackRequest, ...operations.Option) (*operations.RestoreStackResponse, error)
+	UpgradeStack(context.Context, operations.UpgradeStackRequest, ...operations.Option) (*operations.UpgradeStackResponse, error)
+	ListModules(context.Context, operations.ListModulesRequest, ...operations.Option) (*operations.ListModulesResponse, error)
+	EnableModule(context.Context, operations.EnableModuleRequest, ...operations.Option) (*operations.EnableModuleResponse, error)
+	DisableModule(context.Context, operations.DisableModuleRequest, ...operations.Option) (*operations.DisableModuleResponse, error)
+	ListStackUsersAccesses(context.Context, operations.ListStackUsersAccessesRequest, ...operations.Option) (*operations.ListStackUsersAccessesResponse, error)
+	UpsertStackUserAccess(context.Context, operations.UpsertStackUserAccessRequest, ...operations.Option) (*operations.UpsertStackUserAccessResponse, error)
+	DeleteStackUserAccess(context.Context, operations.DeleteStackUserAccessRequest, ...operations.Option) (*operations.DeleteStackUserAccessResponse, error)
+}
+
+type StackSummary struct {
+	ID              string            `json:"id" yaml:"id"`
+	Name            string            `json:"name" yaml:"name"`
+	OrganizationID  string            `json:"organizationID" yaml:"organizationID"`
+	Dashboard       string            `json:"dashboard,omitempty" yaml:"dashboard,omitempty"`
+	URI             string            `json:"uri,omitempty" yaml:"uri,omitempty"`
+	RegionID        string            `json:"regionID,omitempty" yaml:"regionID,omitempty"`
+	Version         string            `json:"version,omitempty" yaml:"version,omitempty"`
+	Status          string            `json:"status" yaml:"status"`
+	State           string            `json:"state" yaml:"state"`
+	ExpectedStatus  string            `json:"expectedStatus" yaml:"expectedStatus"`
+	Reachable       bool              `json:"reachable" yaml:"reachable"`
+	StargateEnabled bool              `json:"stargateEnabled" yaml:"stargateEnabled"`
+	AuditEnabled    *bool             `json:"auditEnabled,omitempty" yaml:"auditEnabled,omitempty"`
+	Metadata        map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	CreatedAt       *time.Time        `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	UpdatedAt       *time.Time        `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
+	DeletedAt       *time.Time        `json:"deletedAt,omitempty" yaml:"deletedAt,omitempty"`
+	DisabledAt      *time.Time        `json:"disabledAt,omitempty" yaml:"disabledAt,omitempty"`
+}
+
+type ListStacksInput struct {
+	OrganizationID string
+	All            bool
+}
+
+type ListStacksOutput struct {
+	OrganizationID string         `json:"organizationID" yaml:"organizationID"`
+	Stacks         []StackSummary `json:"stacks" yaml:"stacks"`
+}
+
+type StackIDInput struct {
+	OrganizationID string
+	StackID        string
+}
+
+type StackOutput struct {
+	OrganizationID string       `json:"organizationID" yaml:"organizationID"`
+	Stack          StackSummary `json:"stack" yaml:"stack"`
+}
+
+type CreateStackInput struct {
+	OrganizationID string
+	Name           string
+	RegionID       string
+	Version        string
+	Metadata       map[string]string
+	Wait           bool
+	WaitProgress   func(StackWaitProgress)
+}
+
+type UpdateStackInput struct {
+	OrganizationID string
+	StackID        string
+	Name           string
+	Metadata       map[string]string
+}
+
+type DeleteStackInput struct {
+	OrganizationID string
+	StackID        string
+	Force          bool
+}
+
+type StackActionInput struct {
+	OrganizationID string
+	StackID        string
+	Version        string
+}
+
+type WaitStackReadyInput struct {
+	OrganizationID string
+	StackID        string
+	StackURL       string
+	InitialStack   StackSummary
+	PollInterval   time.Duration
+	Timeout        time.Duration
+	Progress       func(StackWaitProgress)
+}
+
+type StackWaitProgress struct {
+	StackURL string
+}
+
+type DeleteStackOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	StackID        string `json:"stackID" yaml:"stackID"`
+}
+
+type StackActionOutput struct {
+	OrganizationID string        `json:"organizationID" yaml:"organizationID"`
+	StackID        string        `json:"stackID" yaml:"stackID"`
+	Action         string        `json:"action" yaml:"action"`
+	Version        string        `json:"version,omitempty" yaml:"version,omitempty"`
+	Stack          *StackSummary `json:"stack,omitempty" yaml:"stack,omitempty"`
+}
+
+type ModuleSummary struct {
+	Name             string    `json:"name" yaml:"name"`
+	State            string    `json:"state" yaml:"state"`
+	Status           string    `json:"status" yaml:"status"`
+	LastStatusUpdate time.Time `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
+	LastStateUpdate  time.Time `json:"lastStateUpdate" yaml:"lastStateUpdate"`
+}
+
+type ListModulesOutput struct {
+	OrganizationID string          `json:"organizationID" yaml:"organizationID"`
+	StackID        string          `json:"stackID" yaml:"stackID"`
+	Modules        []ModuleSummary `json:"modules" yaml:"modules"`
+}
+
+type ModuleActionInput struct {
+	OrganizationID string
+	StackID        string
+	Name           string
+}
+
+type ModuleActionOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	StackID        string `json:"stackID" yaml:"stackID"`
+	Name           string `json:"name" yaml:"name"`
+	Action         string `json:"action" yaml:"action"`
+}
+
+type StackUserAccessSummary struct {
+	StackID  string `json:"stackID" yaml:"stackID"`
+	UserID   string `json:"userID" yaml:"userID"`
+	Email    string `json:"email" yaml:"email"`
+	PolicyID int64  `json:"policyID" yaml:"policyID"`
+}
+
+type ListStackUsersOutput struct {
+	OrganizationID string                   `json:"organizationID" yaml:"organizationID"`
+	StackID        string                   `json:"stackID" yaml:"stackID"`
+	Users          []StackUserAccessSummary `json:"users" yaml:"users"`
+}
+
+type StackUserAccessInput struct {
+	OrganizationID string
+	StackID        string
+	UserID         string
+	PolicyID       int64
+}
+
+type StackUserAccessOutput struct {
+	OrganizationID string `json:"organizationID" yaml:"organizationID"`
+	StackID        string `json:"stackID" yaml:"stackID"`
+	UserID         string `json:"userID" yaml:"userID"`
+	Action         string `json:"action" yaml:"action"`
+	PolicyID       int64  `json:"policyID,omitempty" yaml:"policyID,omitempty"`
+}
+
+type ListStacksService struct {
+	Client StackClient
+}
+
+func (s ListStacksService) Run(ctx context.Context, input ListStacksInput) (ListStacksOutput, error) {
+	if s.Client == nil {
+		return ListStacksOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return ListStacksOutput{}, fmt.Errorf("organization id is required")
+	}
+	response, err := s.Client.ListStacks(ctx, operations.ListStacksRequest{
+		OrganizationID: input.OrganizationID,
+		All:            &input.All,
+	})
+	if err != nil {
+		return ListStacksOutput{}, err
+	}
+	data := response.GetListStacksResponse().GetData()
+	dashboard, err := stackDashboardURL(ctx, s.Client)
+	if err != nil {
+		return ListStacksOutput{}, err
+	}
+	stacks := make([]StackSummary, 0, len(data))
+	for i := range data {
+		stacks = append(stacks, stackSummary(&data[i], dashboard))
+	}
+	return ListStacksOutput{OrganizationID: input.OrganizationID, Stacks: stacks}, nil
+}
+
+type ReadStackService struct {
+	Client StackClient
+}
+
+func (s ReadStackService) Run(ctx context.Context, input StackIDInput) (StackOutput, error) {
+	if s.Client == nil {
+		return StackOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return StackOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.StackID == "" {
+		return StackOutput{}, fmt.Errorf("stack id is required")
+	}
+	response, err := s.Client.GetStack(ctx, operations.GetStackRequest{
+		OrganizationID: input.OrganizationID,
+		StackID:        input.StackID,
+	})
+	if err != nil {
+		return StackOutput{}, err
+	}
+	if response.GetReadStackResponse().GetData() == nil {
+		return StackOutput{}, fmt.Errorf("cloud stacks show returned no stack")
+	}
+	return StackOutput{
+		OrganizationID: input.OrganizationID,
+		Stack:          stackSummary(response.GetReadStackResponse().GetData(), DefaultConsoleURL),
+	}, nil
+}
+
+type CreateStackService struct {
+	Client     StackClient
+	HTTPClient *http.Client
+}
+
+func (s CreateStackService) Run(ctx context.Context, input CreateStackInput) (StackOutput, error) {
+	if s.Client == nil {
+		return StackOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return StackOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.Name == "" {
+		return StackOutput{}, fmt.Errorf("stack name is required")
+	}
+	if input.RegionID == "" {
+		return StackOutput{}, fmt.Errorf("region id is required")
+	}
+	body := &components.CreateStackRequest{
+		Name:     input.Name,
+		RegionID: input.RegionID,
+		Metadata: input.Metadata,
+	}
+	if input.Version != "" {
+		body.Version = &input.Version
+	}
+	response, err := s.Client.CreateStack(ctx, operations.CreateStackRequest{
+		OrganizationID: input.OrganizationID,
+		Body:           body,
+	})
+	if err != nil {
+		return StackOutput{}, err
+	}
+	if response.GetReadStackResponse().GetData() == nil {
+		return StackOutput{}, fmt.Errorf("cloud stacks create returned no stack")
+	}
+	output := StackOutput{OrganizationID: input.OrganizationID, Stack: stackSummary(response.GetReadStackResponse().GetData(), DefaultConsoleURL)}
+	if input.Wait && output.Stack.Status != string(components.StackStatusReady) {
+		return WaitStackReadyService{Client: s.Client, HTTPClient: s.HTTPClient}.Run(ctx, WaitStackReadyInput{
+			OrganizationID: input.OrganizationID,
+			StackID:        output.Stack.ID,
+			StackURL:       output.Stack.URI,
+			InitialStack:   output.Stack,
+			Progress:       input.WaitProgress,
+		})
+	}
+	return output, nil
+}
+
+type WaitStackReadyService struct {
+	Client     StackClient
+	HTTPClient *http.Client
+}
+
+func (s WaitStackReadyService) Run(ctx context.Context, input WaitStackReadyInput) (StackOutput, error) {
+	if s.Client == nil {
+		return StackOutput{}, fmt.Errorf("membership client is required")
+	}
+	if err := validateStackTarget(input.OrganizationID, input.StackID); err != nil {
+		return StackOutput{}, err
+	}
+	pollInterval := input.PollInterval
+	if pollInterval <= 0 {
+		pollInterval = 2 * time.Second
+	}
+	timeout := input.Timeout
+	if timeout <= 0 {
+		timeout = 10 * time.Minute
+	}
+
+	timeoutTimer := time.NewTimer(timeout)
+	defer timeoutTimer.Stop()
+
+	last := StackOutput{OrganizationID: input.OrganizationID, Stack: input.InitialStack}
+	stackURL := input.StackURL
+	if stackURL == "" {
+		stackURL = input.InitialStack.URI
+	}
+	reportStackWaitProgress(input.Progress, stackURL)
+	for attempt := 0; ; attempt++ {
+		if attempt > 0 {
+			waitTimer := time.NewTimer(pollInterval)
+			select {
+			case <-ctx.Done():
+				waitTimer.Stop()
+				return StackOutput{}, ctx.Err()
+			case <-timeoutTimer.C:
+				waitTimer.Stop()
+				return last, stackReadyTimeoutError(input.OrganizationID, input.StackID, timeout, last.Stack.Status)
+			case <-waitTimer.C:
+			}
+		}
+
+		if stackVersionsEndpointReady(ctx, s.HTTPClient, stackURL) {
+			if last.Stack.ID == "" {
+				last.Stack.ID = input.StackID
+			}
+			if last.Stack.OrganizationID == "" {
+				last.Stack.OrganizationID = input.OrganizationID
+			}
+			if last.Stack.URI == "" {
+				last.Stack.URI = stackURL
+			}
+			last.Stack.Status = string(components.StackStatusReady)
+			last.Stack.Reachable = true
+			return last, nil
+		}
+
+		output, err := ReadStackService{Client: s.Client}.Run(ctx, StackIDInput{
+			OrganizationID: input.OrganizationID,
+			StackID:        input.StackID,
+		})
+		if err != nil {
+			return StackOutput{}, err
+		}
+		last = output
+		if stackURL == "" {
+			stackURL = output.Stack.URI
+			reportStackWaitProgress(input.Progress, stackURL)
+		}
+		if output.Stack.Status == string(components.StackStatusReady) {
+			return output, nil
+		}
+	}
+}
+
+func reportStackWaitProgress(progress func(StackWaitProgress), stackURL string) {
+	if progress == nil {
+		return
+	}
+	progress(StackWaitProgress{StackURL: stackURL})
+}
+
+func stackVersionsEndpointReady(ctx context.Context, client *http.Client, stackURL string) bool {
+	if stackURL == "" {
+		return false
+	}
+	if client == nil {
+		client = http.DefaultClient
+	}
+	requestCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
+	defer cancel()
+	request, err := http.NewRequestWithContext(requestCtx, http.MethodGet, stackVersionsURL(stackURL), nil)
+	if err != nil {
+		return false
+	}
+	response, err := client.Do(request)
+	if err != nil {
+		return false
+	}
+	defer response.Body.Close()
+	if response.StatusCode != http.StatusOK {
+		return false
+	}
+	var versions stackVersionsResponse
+	if err := json.NewDecoder(response.Body).Decode(&versions); err != nil {
+		return false
+	}
+	if len(versions.Versions) == 0 {
+		return false
+	}
+	for _, version := range versions.Versions {
+		if !version.Health {
+			return false
+		}
+	}
+	return true
+}
+
+type stackVersionsResponse struct {
+	Versions []stackVersionHealth `json:"versions"`
+}
+
+type stackVersionHealth struct {
+	Health bool `json:"health"`
+}
+
+func stackVersionsURL(stackURL string) string {
+	for len(stackURL) > 0 && stackURL[len(stackURL)-1] == '/' {
+		stackURL = stackURL[:len(stackURL)-1]
+	}
+	return stackURL + "/versions"
+}
+
+func stackReadyTimeoutError(organizationID string, stackID string, timeout time.Duration, lastStatus string) error {
+	if lastStatus == "" {
+		lastStatus = "unknown"
+	}
+	return fmt.Errorf("stack %s did not become READY after %s (last status: %s); check stack status with: fctl cloud stacks show %s --organization %s", stackID, timeout, lastStatus, stackID, organizationID)
+}
+
+type UpdateStackService struct {
+	Client StackClient
+}
+
+func (s UpdateStackService) Run(ctx context.Context, input UpdateStackInput) (StackOutput, error) {
+	if s.Client == nil {
+		return StackOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return StackOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.StackID == "" {
+		return StackOutput{}, fmt.Errorf("stack id is required")
+	}
+	if input.Name == "" {
+		return StackOutput{}, fmt.Errorf("stack name is required")
+	}
+	response, err := s.Client.UpdateStack(ctx, operations.UpdateStackRequest{
+		OrganizationID: input.OrganizationID,
+		StackID:        input.StackID,
+		Body: &components.StackData{
+			Name:     input.Name,
+			Metadata: input.Metadata,
+		},
+	})
+	if err != nil {
+		return StackOutput{}, err
+	}
+	if response.GetReadStackResponse().GetData() == nil {
+		return StackOutput{}, fmt.Errorf("cloud stacks update returned no stack")
+	}
+	return StackOutput{OrganizationID: input.OrganizationID, Stack: stackSummary(response.GetReadStackResponse().GetData(), DefaultConsoleURL)}, nil
+}
+
+type DeleteStackService struct {
+	Client StackClient
+}
+
+func (s DeleteStackService) Run(ctx context.Context, input DeleteStackInput) (DeleteStackOutput, error) {
+	if s.Client == nil {
+		return DeleteStackOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return DeleteStackOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.StackID == "" {
+		return DeleteStackOutput{}, fmt.Errorf("stack id is required")
+	}
+	_, err := s.Client.DeleteStack(ctx, operations.DeleteStackRequest{
+		OrganizationID: input.OrganizationID,
+		StackID:        input.StackID,
+		Force:          &input.Force,
+	})
+	if err != nil {
+		return DeleteStackOutput{}, err
+	}
+	return DeleteStackOutput{OrganizationID: input.OrganizationID, StackID: input.StackID}, nil
+}
+
+type StackActionService struct {
+	Client StackClient
+	Action string
+}
+
+func (s StackActionService) Run(ctx context.Context, input StackActionInput) (StackActionOutput, error) {
+	if s.Client == nil {
+		return StackActionOutput{}, fmt.Errorf("membership client is required")
+	}
+	if input.OrganizationID == "" {
+		return StackActionOutput{}, fmt.Errorf("organization id is required")
+	}
+	if input.StackID == "" {
+		return StackActionOutput{}, fmt.Errorf("stack id is required")
+	}
+	output := StackActionOutput{
+		OrganizationID: input.OrganizationID,
+		StackID:        input.StackID,
+		Action:         s.Action,
+	}
+	switch s.Action {
+	case "enable":
+		_, err := s.Client.EnableStack(ctx, operations.EnableStackRequest{OrganizationID: input.OrganizationID, StackID: input.StackID})
+		return output, err
+	case "disable":
+		_, err := s.Client.DisableStack(ctx, operations.DisableStackRequest{OrganizationID: input.OrganizationID, StackID: input.StackID})
+		return output, err
+	case "restore":
+		response, err := s.Client.RestoreStack(ctx, operations.RestoreStackRequest{OrganizationID: input.OrganizationID, StackID: input.StackID})
+		if err != nil {
+			return StackActionOutput{}, err
+		}
+		if response.GetReadStackResponse().GetData() != nil {
+			stack := stackSummary(response.GetReadStackResponse().GetData(), DefaultConsoleURL)
+			output.Stack = &stack
+		}
+		return output, nil
+	case "upgrade":
+		body := &components.StackVersion{}
+		if input.Version != "" {
+			body.Version = &input.Version
+			output.Version = input.Version
+		}
+		_, err := s.Client.UpgradeStack(ctx, operations.UpgradeStackRequest{
+			OrganizationID: input.OrganizationID,
+			StackID:        input.StackID,
+			Body:           body,
+		})
+		return output, err
+	default:
+		return StackActionOutput{}, fmt.Errorf("unsupported stack action %q", s.Action)
+	}
+}
+
+type ListModulesService struct {
+	Client StackClient
+}
+
+func (s ListModulesService) Run(ctx context.Context, input StackIDInput) (ListModulesOutput, error) {
+	if err := validateStackTarget(input.OrganizationID, input.StackID); err != nil {
+		return ListModulesOutput{}, err
+	}
+	response, err := s.Client.ListModules(ctx, operations.ListModulesRequest{OrganizationID: input.OrganizationID, StackID: input.StackID})
+	if err != nil {
+		return ListModulesOutput{}, err
+	}
+	data := response.GetListModulesResponse().GetData()
+	modules := make([]ModuleSummary, 0, len(data))
+	for _, module := range data {
+		modules = append(modules, ModuleSummary{
+			Name:             module.Name,
+			State:            string(module.State),
+			Status:           string(module.Status),
+			LastStatusUpdate: module.LastStatusUpdate,
+			LastStateUpdate:  module.LastStateUpdate,
+		})
+	}
+	return ListModulesOutput{OrganizationID: input.OrganizationID, StackID: input.StackID, Modules: modules}, nil
+}
+
+type ModuleActionService struct {
+	Client StackClient
+	Action string
+}
+
+func (s ModuleActionService) Run(ctx context.Context, input ModuleActionInput) (ModuleActionOutput, error) {
+	if err := validateStackTarget(input.OrganizationID, input.StackID); err != nil {
+		return ModuleActionOutput{}, err
+	}
+	if input.Name == "" {
+		return ModuleActionOutput{}, fmt.Errorf("module name is required")
+	}
+	output := ModuleActionOutput{OrganizationID: input.OrganizationID, StackID: input.StackID, Name: input.Name, Action: s.Action}
+	switch s.Action {
+	case "enable":
+		_, err := s.Client.EnableModule(ctx, operations.EnableModuleRequest{OrganizationID: input.OrganizationID, StackID: input.StackID, Name: input.Name})
+		return output, err
+	case "disable":
+		_, err := s.Client.DisableModule(ctx, operations.DisableModuleRequest{OrganizationID: input.OrganizationID, StackID: input.StackID, Name: input.Name})
+		return output, err
+	default:
+		return ModuleActionOutput{}, fmt.Errorf("unsupported module action %q", s.Action)
+	}
+}
+
+type ListStackUsersService struct {
+	Client StackClient
+}
+
+func (s ListStackUsersService) Run(ctx context.Context, input StackIDInput) (ListStackUsersOutput, error) {
+	if err := validateStackTarget(input.OrganizationID, input.StackID); err != nil {
+		return ListStackUsersOutput{}, err
+	}
+	response, err := s.Client.ListStackUsersAccesses(ctx, operations.ListStackUsersAccessesRequest{OrganizationID: input.OrganizationID, StackID: input.StackID})
+	if err != nil {
+		return ListStackUsersOutput{}, err
+	}
+	data := response.GetStackUserAccessResponse().GetData()
+	users := make([]StackUserAccessSummary, 0, len(data))
+	for _, user := range data {
+		users = append(users, StackUserAccessSummary{
+			StackID:  user.StackID,
+			UserID:   user.UserID,
+			Email:    user.Email,
+			PolicyID: user.PolicyID,
+		})
+	}
+	return ListStackUsersOutput{OrganizationID: input.OrganizationID, StackID: input.StackID, Users: users}, nil
+}
+
+type StackUserAccessService struct {
+	Client StackClient
+	Action string
+}
+
+func (s StackUserAccessService) Run(ctx context.Context, input StackUserAccessInput) (StackUserAccessOutput, error) {
+	if err := validateStackTarget(input.OrganizationID, input.StackID); err != nil {
+		return StackUserAccessOutput{}, err
+	}
+	if input.UserID == "" {
+		return StackUserAccessOutput{}, fmt.Errorf("user id is required")
+	}
+	output := StackUserAccessOutput{OrganizationID: input.OrganizationID, StackID: input.StackID, UserID: input.UserID, Action: s.Action, PolicyID: input.PolicyID}
+	switch s.Action {
+	case "link":
+		if input.PolicyID == 0 {
+			return StackUserAccessOutput{}, fmt.Errorf("policy id is required")
+		}
+		_, err := s.Client.UpsertStackUserAccess(ctx, operations.UpsertStackUserAccessRequest{
+			OrganizationID: input.OrganizationID,
+			StackID:        input.StackID,
+			UserID:         input.UserID,
+			Body:           &components.UpdateStackUserRequest{PolicyID: input.PolicyID},
+		})
+		return output, err
+	case "unlink":
+		_, err := s.Client.DeleteStackUserAccess(ctx, operations.DeleteStackUserAccessRequest{OrganizationID: input.OrganizationID, StackID: input.StackID, UserID: input.UserID})
+		return output, err
+	default:
+		return StackUserAccessOutput{}, fmt.Errorf("unsupported stack user action %q", s.Action)
+	}
+}
+
+func validateStackTarget(organizationID string, stackID string) error {
+	if organizationID == "" {
+		return fmt.Errorf("organization id is required")
+	}
+	if stackID == "" {
+		return fmt.Errorf("stack id is required")
+	}
+	return nil
+}
+
+const DefaultConsoleURL = "https://portal.formance.cloud"
+
+func stackDashboardURL(ctx context.Context, client StackClient) (string, error) {
+	response, err := client.GetServerInfo(ctx)
+	if err != nil {
+		return "", err
+	}
+	return ConsoleURL(response), nil
+}
+
+func ConsoleURL(response *operations.GetServerInfoResponse) string {
+	if response != nil {
+		info := response.GetServerInfo()
+		if info != nil && info.GetConsoleURL() != nil {
+			if consoleURL := strings.TrimSpace(*info.GetConsoleURL()); consoleURL != "" {
+				return consoleURL
+			}
+		}
+	}
+	return DefaultConsoleURL
+}
+
+func stackSummary(stack *components.Stack, dashboard string) StackSummary {
+	if stack == nil {
+		return StackSummary{}
+	}
+	summary := StackSummary{
+		ID:              stack.ID,
+		Name:            stack.Name,
+		OrganizationID:  stack.OrganizationID,
+		Dashboard:       dashboard,
+		URI:             stack.URI,
+		RegionID:        stack.RegionID,
+		Status:          string(stack.Status),
+		State:           string(stack.State),
+		ExpectedStatus:  string(stack.ExpectedStatus),
+		Reachable:       stack.Reachable,
+		StargateEnabled: stack.StargateEnabled,
+		AuditEnabled:    stack.AuditEnabled,
+		Metadata:        stack.Metadata,
+		CreatedAt:       stack.CreatedAt,
+		UpdatedAt:       stack.UpdatedAt,
+		DeletedAt:       stack.DeletedAt,
+		DisabledAt:      stack.DisabledAt,
+	}
+	if stack.Version != nil {
+		summary.Version = *stack.Version
+	}
+	return summary
+}
diff --git a/v4/internal/commands/doc.go b/v4/internal/commands/doc.go
new file mode 100644
index 00000000..bc1bdef7
--- /dev/null
+++ b/v4/internal/commands/doc.go
@@ -0,0 +1,4 @@
+// Package commands contains typed product-level command implementations.
+// Cobra command files should call into this package instead of embedding
+// business logic directly.
+package commands
diff --git a/v4/internal/commands/flows/flows.go b/v4/internal/commands/flows/flows.go
new file mode 100644
index 00000000..e75957de
--- /dev/null
+++ b/v4/internal/commands/flows/flows.go
@@ -0,0 +1,1465 @@
+package flows
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductOrchestration          capabilities.Product = "orchestration"
+	FeatureCancelEvent            capabilities.Feature = "cancelEvent"
+	FeatureCreateTrigger          capabilities.Feature = "createTrigger"
+	FeatureCreateWorkflow         capabilities.Feature = "createWorkflow"
+	FeatureDeleteTrigger          capabilities.Feature = "deleteTrigger"
+	FeatureDeleteWorkflow         capabilities.Feature = "deleteWorkflow"
+	FeatureGetInstance            capabilities.Feature = "getInstance"
+	FeatureGetWorkflow            capabilities.Feature = "getWorkflow"
+	FeatureListInstances          capabilities.Feature = "listInstances"
+	FeatureListTriggers           capabilities.Feature = "listTriggers"
+	FeatureListTriggerOccurrences capabilities.Feature = "listTriggersOccurrences"
+	FeatureListWorkflows          capabilities.Feature = "listWorkflows"
+	FeatureReadTrigger            capabilities.Feature = "readTrigger"
+	FeatureRunWorkflow            capabilities.Feature = "runWorkflow"
+	FeatureSendEvent              capabilities.Feature = "sendEvent"
+	FeatureTestTrigger            capabilities.Feature = "testTrigger"
+)
+
+type WorkflowSummary struct {
+	ID        string    `json:"id" yaml:"id"`
+	Name      string    `json:"name,omitempty" yaml:"name,omitempty"`
+	CreatedAt time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	UpdatedAt time.Time `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
+}
+
+type InstanceSummary struct {
+	ID           string     `json:"id" yaml:"id"`
+	WorkflowID   string     `json:"workflowID" yaml:"workflowID"`
+	CreatedAt    time.Time  `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	UpdatedAt    time.Time  `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
+	Terminated   bool       `json:"terminated" yaml:"terminated"`
+	TerminatedAt *time.Time `json:"terminatedAt,omitempty" yaml:"terminatedAt,omitempty"`
+}
+
+type TriggerSummary struct {
+	ID         string    `json:"id" yaml:"id"`
+	Name       string    `json:"name,omitempty" yaml:"name,omitempty"`
+	Event      string    `json:"event" yaml:"event"`
+	WorkflowID string    `json:"workflowID" yaml:"workflowID"`
+	CreatedAt  time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	Version    string    `json:"version,omitempty" yaml:"version,omitempty"`
+}
+
+type TriggerOccurrenceSummary struct {
+	TriggerID          string    `json:"triggerID" yaml:"triggerID"`
+	WorkflowInstanceID string    `json:"workflowInstanceID,omitempty" yaml:"workflowInstanceID,omitempty"`
+	Date               time.Time `json:"date" yaml:"date"`
+	Error              string    `json:"error,omitempty" yaml:"error,omitempty"`
+}
+
+type ListWorkflowsInput struct {
+	PageSize int64
+	Cursor   string
+}
+
+type ListWorkflowsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Workflows  []WorkflowSummary       `json:"workflows" yaml:"workflows"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetWorkflowInput struct {
+	WorkflowID string
+}
+
+type GetWorkflowOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Workflow   WorkflowSummary         `json:"workflow" yaml:"workflow"`
+}
+
+type CreateWorkflowInput struct {
+	Workflow shared.CreateWorkflowRequest
+}
+
+type CreateWorkflowOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Workflow   WorkflowSummary         `json:"workflow" yaml:"workflow"`
+}
+
+type DeleteWorkflowInput struct {
+	WorkflowID string
+}
+
+type DeleteWorkflowOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WorkflowID string                  `json:"workflowID" yaml:"workflowID"`
+}
+
+type RunWorkflowInput struct {
+	WorkflowID string
+	Vars       map[string]string
+	Wait       *bool
+}
+
+type RunWorkflowOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Instance   InstanceSummary         `json:"instance" yaml:"instance"`
+}
+
+type ListInstancesInput struct {
+	PageSize   int64
+	Cursor     string
+	WorkflowID string
+	Running    *bool
+}
+
+type ListInstancesOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Instances  []InstanceSummary       `json:"instances" yaml:"instances"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetInstanceInput struct {
+	InstanceID string
+}
+
+type GetInstanceOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Instance   InstanceSummary         `json:"instance" yaml:"instance"`
+}
+
+type InstanceActionInput struct {
+	InstanceID string
+	Event      string
+}
+
+type InstanceActionOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	InstanceID string                  `json:"instanceID" yaml:"instanceID"`
+	Event      string                  `json:"event,omitempty" yaml:"event,omitempty"`
+}
+
+type ListTriggersInput struct {
+	PageSize int64
+	Cursor   string
+	Name     string
+}
+
+type ListTriggersOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Triggers   []TriggerSummary        `json:"triggers" yaml:"triggers"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetTriggerInput struct {
+	TriggerID string
+}
+
+type GetTriggerOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Trigger    TriggerSummary          `json:"trigger" yaml:"trigger"`
+}
+
+type CreateTriggerInput struct {
+	Event      string
+	WorkflowID string
+	Name       string
+	Filter     string
+	Version    string
+	Vars       map[string]any
+}
+
+type CreateTriggerOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Trigger    TriggerSummary          `json:"trigger" yaml:"trigger"`
+}
+
+type DeleteTriggerInput struct {
+	TriggerID string
+}
+
+type DeleteTriggerOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	TriggerID  string                  `json:"triggerID" yaml:"triggerID"`
+}
+
+type TestTriggerInput struct {
+	TriggerID string
+	Event     map[string]any
+}
+
+type TestTriggerOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	TriggerID  string                  `json:"triggerID" yaml:"triggerID"`
+	Matched    *bool                   `json:"matched,omitempty" yaml:"matched,omitempty"`
+}
+
+type ListTriggerOccurrencesInput struct {
+	TriggerID string
+	PageSize  int64
+	Cursor    string
+}
+
+type ListTriggerOccurrencesOutput struct {
+	APIVersion  capabilities.APIVersion    `json:"apiVersion" yaml:"apiVersion"`
+	Occurrences []TriggerOccurrenceSummary `json:"occurrences" yaml:"occurrences"`
+	HasMore     bool                       `json:"hasMore" yaml:"hasMore"`
+	PageSize    int64                      `json:"pageSize" yaml:"pageSize"`
+	Next        *string                    `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous    *string                    `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type ListWorkflowsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListWorkflowsInput) (ListWorkflowsOutput, error)
+}
+
+type GetWorkflowHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetWorkflowInput) (GetWorkflowOutput, error)
+}
+
+type CreateWorkflowHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateWorkflowInput) (CreateWorkflowOutput, error)
+}
+
+type DeleteWorkflowHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteWorkflowInput) (DeleteWorkflowOutput, error)
+}
+
+type RunWorkflowHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, RunWorkflowInput) (RunWorkflowOutput, error)
+}
+
+type ListInstancesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListInstancesInput) (ListInstancesOutput, error)
+}
+
+type GetInstanceHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetInstanceInput) (GetInstanceOutput, error)
+}
+
+type InstanceActionHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, InstanceActionInput) (InstanceActionOutput, error)
+}
+
+type ListTriggersHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListTriggersInput) (ListTriggersOutput, error)
+}
+
+type GetTriggerHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetTriggerInput) (GetTriggerOutput, error)
+}
+
+type CreateTriggerHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateTriggerInput) (CreateTriggerOutput, error)
+}
+
+type DeleteTriggerHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteTriggerInput) (DeleteTriggerOutput, error)
+}
+
+type TestTriggerHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, TestTriggerInput) (TestTriggerOutput, error)
+}
+
+type ListTriggerOccurrencesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListTriggerOccurrencesInput) (ListTriggerOccurrencesOutput, error)
+}
+
+type ListWorkflowsService struct {
+	Handlers []ListWorkflowsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetWorkflowService struct {
+	Handlers []GetWorkflowHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateWorkflowService struct {
+	Handlers []CreateWorkflowHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteWorkflowService struct {
+	Handlers []DeleteWorkflowHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type RunWorkflowService struct {
+	Handlers []RunWorkflowHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListInstancesService struct {
+	Handlers []ListInstancesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetInstanceService struct {
+	Handlers []GetInstanceHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type SendEventService struct {
+	Handlers []InstanceActionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type StopInstanceService struct {
+	Handlers []InstanceActionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListTriggersService struct {
+	Handlers []ListTriggersHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetTriggerService struct {
+	Handlers []GetTriggerHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateTriggerService struct {
+	Handlers []CreateTriggerHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteTriggerService struct {
+	Handlers []DeleteTriggerHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type TestTriggerService struct {
+	Handlers []TestTriggerHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListTriggerOccurrencesService struct {
+	Handlers []ListTriggerOccurrencesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListWorkflowsService) Run(ctx context.Context, input ListWorkflowsInput) (ListWorkflowsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListWorkflowsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListWorkflowsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListWorkflowsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListWorkflowsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetWorkflowService) Run(ctx context.Context, input GetWorkflowInput) (GetWorkflowOutput, error) {
+	if input.WorkflowID == "" {
+		return GetWorkflowOutput{}, fmt.Errorf("workflow id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetWorkflowHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetWorkflowOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetWorkflowOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetWorkflowOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateWorkflowService) Run(ctx context.Context, input CreateWorkflowInput) (CreateWorkflowOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateWorkflowHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateWorkflowOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateWorkflowOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateWorkflowOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s DeleteWorkflowService) Run(ctx context.Context, input DeleteWorkflowInput) (DeleteWorkflowOutput, error) {
+	if input.WorkflowID == "" {
+		return DeleteWorkflowOutput{}, fmt.Errorf("workflow id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]DeleteWorkflowHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return DeleteWorkflowOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return DeleteWorkflowOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteWorkflowOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.WorkflowID == "" {
+		output.WorkflowID = input.WorkflowID
+	}
+	return output, nil
+}
+
+func (s RunWorkflowService) Run(ctx context.Context, input RunWorkflowInput) (RunWorkflowOutput, error) {
+	if input.WorkflowID == "" {
+		return RunWorkflowOutput{}, fmt.Errorf("workflow id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]RunWorkflowHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return RunWorkflowOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return RunWorkflowOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return RunWorkflowOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ListInstancesService) Run(ctx context.Context, input ListInstancesInput) (ListInstancesOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListInstancesHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListInstancesOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListInstancesOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListInstancesOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetInstanceService) Run(ctx context.Context, input GetInstanceInput) (GetInstanceOutput, error) {
+	if input.InstanceID == "" {
+		return GetInstanceOutput{}, fmt.Errorf("instance id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetInstanceHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetInstanceOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetInstanceOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetInstanceOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s SendEventService) Run(ctx context.Context, input InstanceActionInput) (InstanceActionOutput, error) {
+	if input.Event == "" {
+		return InstanceActionOutput{}, fmt.Errorf("event is required")
+	}
+	return runInstanceActionService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s StopInstanceService) Run(ctx context.Context, input InstanceActionInput) (InstanceActionOutput, error) {
+	return runInstanceActionService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func runInstanceActionService(
+	ctx context.Context,
+	input InstanceActionInput,
+	handlers []InstanceActionHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (InstanceActionOutput, error) {
+	if input.InstanceID == "" {
+		return InstanceActionOutput{}, fmt.Errorf("instance id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(handlers))
+	handlersByVersion := map[capabilities.APIVersion]InstanceActionHandler{}
+	for _, handler := range handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlersByVersion[handler.APIVersion] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return InstanceActionOutput{}, err
+	}
+	handler, ok := handlersByVersion[selected]
+	if !ok {
+		return InstanceActionOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return InstanceActionOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.InstanceID == "" {
+		output.InstanceID = input.InstanceID
+	}
+	if output.Event == "" {
+		output.Event = input.Event
+	}
+	return output, nil
+}
+
+func (s ListTriggersService) Run(ctx context.Context, input ListTriggersInput) (ListTriggersOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListTriggersHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListTriggersOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListTriggersOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListTriggersOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetTriggerService) Run(ctx context.Context, input GetTriggerInput) (GetTriggerOutput, error) {
+	if input.TriggerID == "" {
+		return GetTriggerOutput{}, fmt.Errorf("trigger id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetTriggerHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetTriggerOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetTriggerOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetTriggerOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateTriggerService) Run(ctx context.Context, input CreateTriggerInput) (CreateTriggerOutput, error) {
+	if input.Event == "" {
+		return CreateTriggerOutput{}, fmt.Errorf("event is required")
+	}
+	if input.WorkflowID == "" {
+		return CreateTriggerOutput{}, fmt.Errorf("workflow id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateTriggerHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateTriggerOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateTriggerOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateTriggerOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s DeleteTriggerService) Run(ctx context.Context, input DeleteTriggerInput) (DeleteTriggerOutput, error) {
+	if input.TriggerID == "" {
+		return DeleteTriggerOutput{}, fmt.Errorf("trigger id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]DeleteTriggerHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return DeleteTriggerOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return DeleteTriggerOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteTriggerOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.TriggerID == "" {
+		output.TriggerID = input.TriggerID
+	}
+	return output, nil
+}
+
+func (s TestTriggerService) Run(ctx context.Context, input TestTriggerInput) (TestTriggerOutput, error) {
+	if input.TriggerID == "" {
+		return TestTriggerOutput{}, fmt.Errorf("trigger id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]TestTriggerHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return TestTriggerOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return TestTriggerOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return TestTriggerOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.TriggerID == "" {
+		output.TriggerID = input.TriggerID
+	}
+	return output, nil
+}
+
+func (s ListTriggerOccurrencesService) Run(ctx context.Context, input ListTriggerOccurrencesInput) (ListTriggerOccurrencesOutput, error) {
+	if input.TriggerID == "" {
+		return ListTriggerOccurrencesOutput{}, fmt.Errorf("trigger id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListTriggerOccurrencesHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListTriggerOccurrencesOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListTriggerOccurrencesOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListTriggerOccurrencesOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListWorkflowsHandlers(sdk *formance.Formance) []ListWorkflowsHandler {
+	return []ListWorkflowsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, _ ListWorkflowsInput) (ListWorkflowsOutput, error) {
+				response, err := sdk.Orchestration.V1.ListWorkflows(ctx)
+				if err != nil {
+					return ListWorkflowsOutput{}, err
+				}
+				if response.ListWorkflowsResponse == nil {
+					return ListWorkflowsOutput{}, fmt.Errorf("orchestration v1 list workflows returned no data")
+				}
+				return fromV1Workflows(response.ListWorkflowsResponse.Data), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListWorkflowsInput) (ListWorkflowsOutput, error) {
+				response, err := sdk.Orchestration.V2.ListWorkflows(ctx, operations.V2ListWorkflowsRequest{
+					PageSize: optionalInt64(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListWorkflowsOutput{}, err
+				}
+				if response.V2ListWorkflowsResponse == nil {
+					return ListWorkflowsOutput{}, fmt.Errorf("orchestration v2 list workflows returned no cursor")
+				}
+				return fromV2WorkflowsCursor(response.V2ListWorkflowsResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetWorkflowHandlers(sdk *formance.Formance) []GetWorkflowHandler {
+	return []GetWorkflowHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetWorkflowInput) (GetWorkflowOutput, error) {
+				response, err := sdk.Orchestration.V1.GetWorkflow(ctx, operations.GetWorkflowRequest{FlowID: input.WorkflowID})
+				if err != nil {
+					return GetWorkflowOutput{}, err
+				}
+				if response.GetWorkflowResponse == nil {
+					return GetWorkflowOutput{}, fmt.Errorf("orchestration v1 get workflow returned no data")
+				}
+				return GetWorkflowOutput{Workflow: fromV1Workflow(response.GetWorkflowResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input GetWorkflowInput) (GetWorkflowOutput, error) {
+				response, err := sdk.Orchestration.V2.GetWorkflow(ctx, operations.V2GetWorkflowRequest{FlowID: input.WorkflowID})
+				if err != nil {
+					return GetWorkflowOutput{}, err
+				}
+				if response.V2GetWorkflowResponse == nil {
+					return GetWorkflowOutput{}, fmt.Errorf("orchestration v2 get workflow returned no data")
+				}
+				return GetWorkflowOutput{Workflow: fromV2Workflow(response.V2GetWorkflowResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKCreateWorkflowHandlers(sdk *formance.Formance) []CreateWorkflowHandler {
+	return []CreateWorkflowHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateWorkflowInput) (CreateWorkflowOutput, error) {
+				response, err := sdk.Orchestration.V1.CreateWorkflow(ctx, &input.Workflow)
+				if err != nil {
+					return CreateWorkflowOutput{}, err
+				}
+				if response.CreateWorkflowResponse == nil {
+					return CreateWorkflowOutput{}, fmt.Errorf("orchestration v1 create workflow returned no data")
+				}
+				return CreateWorkflowOutput{Workflow: fromV1Workflow(response.CreateWorkflowResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input CreateWorkflowInput) (CreateWorkflowOutput, error) {
+				request := shared.V2CreateWorkflowRequest{
+					Name:   input.Workflow.Name,
+					Stages: input.Workflow.Stages,
+				}
+				response, err := sdk.Orchestration.V2.CreateWorkflow(ctx, &request)
+				if err != nil {
+					return CreateWorkflowOutput{}, err
+				}
+				if response.V2CreateWorkflowResponse == nil {
+					return CreateWorkflowOutput{}, fmt.Errorf("orchestration v2 create workflow returned no data")
+				}
+				return CreateWorkflowOutput{Workflow: fromV2Workflow(response.V2CreateWorkflowResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeleteWorkflowHandlers(sdk *formance.Formance) []DeleteWorkflowHandler {
+	return []DeleteWorkflowHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input DeleteWorkflowInput) (DeleteWorkflowOutput, error) {
+				_, err := sdk.Orchestration.V1.DeleteWorkflow(ctx, operations.DeleteWorkflowRequest{FlowID: input.WorkflowID})
+				if err != nil {
+					return DeleteWorkflowOutput{}, err
+				}
+				return DeleteWorkflowOutput{WorkflowID: input.WorkflowID}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input DeleteWorkflowInput) (DeleteWorkflowOutput, error) {
+				_, err := sdk.Orchestration.V2.DeleteWorkflow(ctx, operations.V2DeleteWorkflowRequest{FlowID: input.WorkflowID})
+				if err != nil {
+					return DeleteWorkflowOutput{}, err
+				}
+				return DeleteWorkflowOutput{WorkflowID: input.WorkflowID}, nil
+			},
+		},
+	}
+}
+
+func SDKRunWorkflowHandlers(sdk *formance.Formance) []RunWorkflowHandler {
+	return []RunWorkflowHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input RunWorkflowInput) (RunWorkflowOutput, error) {
+				response, err := sdk.Orchestration.V1.RunWorkflow(ctx, operations.RunWorkflowRequest{
+					WorkflowID:  input.WorkflowID,
+					RequestBody: input.Vars,
+					Wait:        input.Wait,
+				})
+				if err != nil {
+					return RunWorkflowOutput{}, err
+				}
+				if response.RunWorkflowResponse == nil {
+					return RunWorkflowOutput{}, fmt.Errorf("orchestration v1 run workflow returned no data")
+				}
+				return RunWorkflowOutput{Instance: fromV1Instance(response.RunWorkflowResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input RunWorkflowInput) (RunWorkflowOutput, error) {
+				response, err := sdk.Orchestration.V2.RunWorkflow(ctx, operations.V2RunWorkflowRequest{
+					WorkflowID:  input.WorkflowID,
+					RequestBody: input.Vars,
+					Wait:        input.Wait,
+				})
+				if err != nil {
+					return RunWorkflowOutput{}, err
+				}
+				if response.V2RunWorkflowResponse == nil {
+					return RunWorkflowOutput{}, fmt.Errorf("orchestration v2 run workflow returned no data")
+				}
+				return RunWorkflowOutput{Instance: fromV2Instance(response.V2RunWorkflowResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKListInstancesHandlers(sdk *formance.Formance) []ListInstancesHandler {
+	return []ListInstancesHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListInstancesInput) (ListInstancesOutput, error) {
+				response, err := sdk.Orchestration.V1.ListInstances(ctx, operations.ListInstancesRequest{
+					WorkflowID: optionalString(input.WorkflowID),
+					Running:    input.Running,
+				})
+				if err != nil {
+					return ListInstancesOutput{}, err
+				}
+				if response.ListRunsResponse == nil {
+					return ListInstancesOutput{}, fmt.Errorf("orchestration v1 list instances returned no data")
+				}
+				return fromV1Instances(response.ListRunsResponse.Data), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListInstancesInput) (ListInstancesOutput, error) {
+				response, err := sdk.Orchestration.V2.ListInstances(ctx, operations.V2ListInstancesRequest{
+					PageSize:   optionalInt64(input.PageSize),
+					Cursor:     optionalString(input.Cursor),
+					WorkflowID: optionalString(input.WorkflowID),
+					Running:    input.Running,
+				})
+				if err != nil {
+					return ListInstancesOutput{}, err
+				}
+				if response.V2ListRunsResponse == nil {
+					return ListInstancesOutput{}, fmt.Errorf("orchestration v2 list instances returned no cursor")
+				}
+				return fromV2InstancesCursor(response.V2ListRunsResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetInstanceHandlers(sdk *formance.Formance) []GetInstanceHandler {
+	return []GetInstanceHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetInstanceInput) (GetInstanceOutput, error) {
+				response, err := sdk.Orchestration.V1.GetInstance(ctx, operations.GetInstanceRequest{InstanceID: input.InstanceID})
+				if err != nil {
+					return GetInstanceOutput{}, err
+				}
+				if response.GetWorkflowInstanceResponse == nil {
+					return GetInstanceOutput{}, fmt.Errorf("orchestration v1 get instance returned no data")
+				}
+				return GetInstanceOutput{Instance: fromV1Instance(response.GetWorkflowInstanceResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input GetInstanceInput) (GetInstanceOutput, error) {
+				response, err := sdk.Orchestration.V2.GetInstance(ctx, operations.V2GetInstanceRequest{InstanceID: input.InstanceID})
+				if err != nil {
+					return GetInstanceOutput{}, err
+				}
+				if response.V2GetWorkflowInstanceResponse == nil {
+					return GetInstanceOutput{}, fmt.Errorf("orchestration v2 get instance returned no data")
+				}
+				return GetInstanceOutput{Instance: fromV2Instance(response.V2GetWorkflowInstanceResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKSendEventHandlers(sdk *formance.Formance) []InstanceActionHandler {
+	return []InstanceActionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input InstanceActionInput) (InstanceActionOutput, error) {
+				_, err := sdk.Orchestration.V1.SendEvent(ctx, operations.SendEventRequest{
+					InstanceID: input.InstanceID,
+					RequestBody: &operations.SendEventRequestBody{
+						Name: input.Event,
+					},
+				})
+				if err != nil {
+					return InstanceActionOutput{}, err
+				}
+				return InstanceActionOutput{InstanceID: input.InstanceID, Event: input.Event}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input InstanceActionInput) (InstanceActionOutput, error) {
+				_, err := sdk.Orchestration.V2.SendEvent(ctx, operations.V2SendEventRequest{
+					InstanceID: input.InstanceID,
+					RequestBody: &operations.V2SendEventRequestBody{
+						Name: input.Event,
+					},
+				})
+				if err != nil {
+					return InstanceActionOutput{}, err
+				}
+				return InstanceActionOutput{InstanceID: input.InstanceID, Event: input.Event}, nil
+			},
+		},
+	}
+}
+
+func SDKStopInstanceHandlers(sdk *formance.Formance) []InstanceActionHandler {
+	return []InstanceActionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input InstanceActionInput) (InstanceActionOutput, error) {
+				_, err := sdk.Orchestration.V1.CancelEvent(ctx, operations.CancelEventRequest{InstanceID: input.InstanceID})
+				if err != nil {
+					return InstanceActionOutput{}, err
+				}
+				return InstanceActionOutput{InstanceID: input.InstanceID}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input InstanceActionInput) (InstanceActionOutput, error) {
+				_, err := sdk.Orchestration.V2.CancelEvent(ctx, operations.V2CancelEventRequest{InstanceID: input.InstanceID})
+				if err != nil {
+					return InstanceActionOutput{}, err
+				}
+				return InstanceActionOutput{InstanceID: input.InstanceID}, nil
+			},
+		},
+	}
+}
+
+func SDKListTriggersHandlers(sdk *formance.Formance) []ListTriggersHandler {
+	return []ListTriggersHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListTriggersInput) (ListTriggersOutput, error) {
+				response, err := sdk.Orchestration.V1.ListTriggers(ctx, operations.ListTriggersRequest{Name: optionalString(input.Name)})
+				if err != nil {
+					return ListTriggersOutput{}, err
+				}
+				if response.ListTriggersResponse == nil {
+					return ListTriggersOutput{}, fmt.Errorf("orchestration v1 list triggers returned no data")
+				}
+				return fromV1Triggers(response.ListTriggersResponse.Data), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListTriggersInput) (ListTriggersOutput, error) {
+				response, err := sdk.Orchestration.V2.ListTriggers(ctx, operations.V2ListTriggersRequest{
+					PageSize: optionalInt64(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					Name:     optionalString(input.Name),
+				})
+				if err != nil {
+					return ListTriggersOutput{}, err
+				}
+				if response.V2ListTriggersResponse == nil {
+					return ListTriggersOutput{}, fmt.Errorf("orchestration v2 list triggers returned no cursor")
+				}
+				return fromV2TriggersCursor(response.V2ListTriggersResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetTriggerHandlers(sdk *formance.Formance) []GetTriggerHandler {
+	return []GetTriggerHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetTriggerInput) (GetTriggerOutput, error) {
+				response, err := sdk.Orchestration.V1.ReadTrigger(ctx, operations.ReadTriggerRequest{TriggerID: input.TriggerID})
+				if err != nil {
+					return GetTriggerOutput{}, err
+				}
+				if response.ReadTriggerResponse == nil {
+					return GetTriggerOutput{}, fmt.Errorf("orchestration v1 read trigger returned no data")
+				}
+				return GetTriggerOutput{Trigger: fromV1Trigger(response.ReadTriggerResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input GetTriggerInput) (GetTriggerOutput, error) {
+				response, err := sdk.Orchestration.V2.ReadTrigger(ctx, operations.V2ReadTriggerRequest{TriggerID: input.TriggerID})
+				if err != nil {
+					return GetTriggerOutput{}, err
+				}
+				if response.V2ReadTriggerResponse == nil {
+					return GetTriggerOutput{}, fmt.Errorf("orchestration v2 read trigger returned no data")
+				}
+				return GetTriggerOutput{Trigger: fromV2Trigger(response.V2ReadTriggerResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKCreateTriggerHandlers(sdk *formance.Formance) []CreateTriggerHandler {
+	return []CreateTriggerHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateTriggerInput) (CreateTriggerOutput, error) {
+				response, err := sdk.Orchestration.V1.CreateTrigger(ctx, &shared.TriggerData{
+					Event:      input.Event,
+					WorkflowID: input.WorkflowID,
+					Name:       optionalString(input.Name),
+					Filter:     optionalString(input.Filter),
+					Version:    optionalString(input.Version),
+					Vars:       input.Vars,
+				})
+				if err != nil {
+					return CreateTriggerOutput{}, err
+				}
+				if response.CreateTriggerResponse == nil {
+					return CreateTriggerOutput{}, fmt.Errorf("orchestration v1 create trigger returned no data")
+				}
+				return CreateTriggerOutput{Trigger: fromV1Trigger(response.CreateTriggerResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input CreateTriggerInput) (CreateTriggerOutput, error) {
+				response, err := sdk.Orchestration.V2.CreateTrigger(ctx, &shared.V2TriggerData{
+					Event:      input.Event,
+					WorkflowID: input.WorkflowID,
+					Name:       optionalString(input.Name),
+					Filter:     optionalString(input.Filter),
+					Version:    optionalString(input.Version),
+					Vars:       input.Vars,
+				})
+				if err != nil {
+					return CreateTriggerOutput{}, err
+				}
+				if response.V2CreateTriggerResponse == nil {
+					return CreateTriggerOutput{}, fmt.Errorf("orchestration v2 create trigger returned no data")
+				}
+				return CreateTriggerOutput{Trigger: fromV2Trigger(response.V2CreateTriggerResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeleteTriggerHandlers(sdk *formance.Formance) []DeleteTriggerHandler {
+	return []DeleteTriggerHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input DeleteTriggerInput) (DeleteTriggerOutput, error) {
+				_, err := sdk.Orchestration.V1.DeleteTrigger(ctx, operations.DeleteTriggerRequest{TriggerID: input.TriggerID})
+				if err != nil {
+					return DeleteTriggerOutput{}, err
+				}
+				return DeleteTriggerOutput{TriggerID: input.TriggerID}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input DeleteTriggerInput) (DeleteTriggerOutput, error) {
+				_, err := sdk.Orchestration.V2.DeleteTrigger(ctx, operations.V2DeleteTriggerRequest{TriggerID: input.TriggerID})
+				if err != nil {
+					return DeleteTriggerOutput{}, err
+				}
+				return DeleteTriggerOutput{TriggerID: input.TriggerID}, nil
+			},
+		},
+	}
+}
+
+func SDKTestTriggerHandlers(sdk *formance.Formance) []TestTriggerHandler {
+	return []TestTriggerHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input TestTriggerInput) (TestTriggerOutput, error) {
+				response, err := sdk.Orchestration.V2.TestTrigger(ctx, operations.TestTriggerRequest{
+					TriggerID:   input.TriggerID,
+					RequestBody: input.Event,
+				})
+				if err != nil {
+					return TestTriggerOutput{}, err
+				}
+				output := TestTriggerOutput{TriggerID: input.TriggerID}
+				if response.V2TestTriggerResponse != nil && response.V2TestTriggerResponse.Data.Filter != nil {
+					output.Matched = response.V2TestTriggerResponse.Data.Filter.Match
+				}
+				return output, nil
+			},
+		},
+	}
+}
+
+func SDKListTriggerOccurrencesHandlers(sdk *formance.Formance) []ListTriggerOccurrencesHandler {
+	return []ListTriggerOccurrencesHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListTriggerOccurrencesInput) (ListTriggerOccurrencesOutput, error) {
+				response, err := sdk.Orchestration.V1.ListTriggersOccurrences(ctx, operations.ListTriggersOccurrencesRequest{TriggerID: input.TriggerID})
+				if err != nil {
+					return ListTriggerOccurrencesOutput{}, err
+				}
+				if response.ListTriggersOccurrencesResponse == nil {
+					return ListTriggerOccurrencesOutput{}, fmt.Errorf("orchestration v1 list trigger occurrences returned no data")
+				}
+				return fromV1TriggerOccurrences(response.ListTriggersOccurrencesResponse.Data), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListTriggerOccurrencesInput) (ListTriggerOccurrencesOutput, error) {
+				response, err := sdk.Orchestration.V2.ListTriggersOccurrences(ctx, operations.V2ListTriggersOccurrencesRequest{
+					TriggerID: input.TriggerID,
+					PageSize:  optionalInt64(input.PageSize),
+					Cursor:    optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListTriggerOccurrencesOutput{}, err
+				}
+				if response.V2ListTriggersOccurrencesResponse == nil {
+					return ListTriggerOccurrencesOutput{}, fmt.Errorf("orchestration v2 list trigger occurrences returned no cursor")
+				}
+				return fromV2TriggerOccurrencesCursor(response.V2ListTriggersOccurrencesResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func fromV1Workflows(workflows []shared.Workflow) ListWorkflowsOutput {
+	ret := make([]WorkflowSummary, 0, len(workflows))
+	for _, workflow := range workflows {
+		ret = append(ret, fromV1Workflow(workflow))
+	}
+	return ListWorkflowsOutput{Workflows: ret, PageSize: int64(len(ret))}
+}
+
+func fromV2WorkflowsCursor(cursor shared.V2ListWorkflowsResponseCursor) ListWorkflowsOutput {
+	workflows := make([]WorkflowSummary, 0, len(cursor.Data))
+	for _, workflow := range cursor.Data {
+		workflows = append(workflows, fromV2Workflow(workflow))
+	}
+	return ListWorkflowsOutput{
+		Workflows: workflows,
+		HasMore:   cursor.HasMore,
+		PageSize:  cursor.PageSize,
+		Next:      cursor.Next,
+		Previous:  cursor.Previous,
+	}
+}
+
+func fromV1Workflow(workflow shared.Workflow) WorkflowSummary {
+	name := ""
+	if workflow.Config.Name != nil {
+		name = *workflow.Config.Name
+	}
+	return WorkflowSummary{
+		ID:        workflow.ID,
+		Name:      name,
+		CreatedAt: workflow.CreatedAt,
+		UpdatedAt: workflow.UpdatedAt,
+	}
+}
+
+func fromV2Workflow(workflow shared.V2Workflow) WorkflowSummary {
+	name := ""
+	if workflow.Config.Name != nil {
+		name = *workflow.Config.Name
+	}
+	return WorkflowSummary{
+		ID:        workflow.ID,
+		Name:      name,
+		CreatedAt: workflow.CreatedAt,
+		UpdatedAt: workflow.UpdatedAt,
+	}
+}
+
+func fromV1Triggers(triggers []shared.Trigger) ListTriggersOutput {
+	ret := make([]TriggerSummary, 0, len(triggers))
+	for _, trigger := range triggers {
+		ret = append(ret, fromV1Trigger(trigger))
+	}
+	return ListTriggersOutput{Triggers: ret, PageSize: int64(len(ret))}
+}
+
+func fromV2TriggersCursor(cursor shared.V2ListTriggersResponseCursor) ListTriggersOutput {
+	triggers := make([]TriggerSummary, 0, len(cursor.Data))
+	for _, trigger := range cursor.Data {
+		triggers = append(triggers, fromV2Trigger(trigger))
+	}
+	return ListTriggersOutput{
+		Triggers: triggers,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV1Trigger(trigger shared.Trigger) TriggerSummary {
+	name := ""
+	if trigger.Name != nil {
+		name = *trigger.Name
+	}
+	version := ""
+	if trigger.Version != nil {
+		version = *trigger.Version
+	}
+	return TriggerSummary{
+		ID:         trigger.ID,
+		Name:       name,
+		Event:      trigger.Event,
+		WorkflowID: trigger.WorkflowID,
+		CreatedAt:  trigger.CreatedAt,
+		Version:    version,
+	}
+}
+
+func fromV2Trigger(trigger shared.V2Trigger) TriggerSummary {
+	name := ""
+	if trigger.Name != nil {
+		name = *trigger.Name
+	}
+	version := ""
+	if trigger.Version != nil {
+		version = *trigger.Version
+	}
+	return TriggerSummary{
+		ID:         trigger.ID,
+		Name:       name,
+		Event:      trigger.Event,
+		WorkflowID: trigger.WorkflowID,
+		CreatedAt:  trigger.CreatedAt,
+		Version:    version,
+	}
+}
+
+func fromV1TriggerOccurrences(occurrences []shared.TriggerOccurrence) ListTriggerOccurrencesOutput {
+	ret := make([]TriggerOccurrenceSummary, 0, len(occurrences))
+	for _, occurrence := range occurrences {
+		ret = append(ret, fromV1TriggerOccurrence(occurrence))
+	}
+	return ListTriggerOccurrencesOutput{Occurrences: ret, PageSize: int64(len(ret))}
+}
+
+func fromV2TriggerOccurrencesCursor(cursor shared.V2ListTriggersOccurrencesResponseCursor) ListTriggerOccurrencesOutput {
+	occurrences := make([]TriggerOccurrenceSummary, 0, len(cursor.Data))
+	for _, occurrence := range cursor.Data {
+		occurrences = append(occurrences, fromV2TriggerOccurrence(occurrence))
+	}
+	return ListTriggerOccurrencesOutput{
+		Occurrences: occurrences,
+		HasMore:     cursor.HasMore,
+		PageSize:    cursor.PageSize,
+		Next:        cursor.Next,
+		Previous:    cursor.Previous,
+	}
+}
+
+func fromV1TriggerOccurrence(occurrence shared.TriggerOccurrence) TriggerOccurrenceSummary {
+	instanceID := ""
+	if occurrence.WorkflowInstanceID != nil {
+		instanceID = *occurrence.WorkflowInstanceID
+	}
+	errText := ""
+	if occurrence.Error != nil {
+		errText = *occurrence.Error
+	}
+	return TriggerOccurrenceSummary{
+		TriggerID:          occurrence.TriggerID,
+		WorkflowInstanceID: instanceID,
+		Date:               occurrence.Date,
+		Error:              errText,
+	}
+}
+
+func fromV2TriggerOccurrence(occurrence shared.V2TriggerOccurrence) TriggerOccurrenceSummary {
+	instanceID := ""
+	if occurrence.WorkflowInstanceID != nil {
+		instanceID = *occurrence.WorkflowInstanceID
+	}
+	errText := ""
+	if occurrence.Error != nil {
+		errText = *occurrence.Error
+	}
+	return TriggerOccurrenceSummary{
+		TriggerID:          occurrence.TriggerID,
+		WorkflowInstanceID: instanceID,
+		Date:               occurrence.Date,
+		Error:              errText,
+	}
+}
+
+func fromV1Instances(instances []shared.WorkflowInstance) ListInstancesOutput {
+	ret := make([]InstanceSummary, 0, len(instances))
+	for _, instance := range instances {
+		ret = append(ret, fromV1Instance(instance))
+	}
+	return ListInstancesOutput{Instances: ret, PageSize: int64(len(ret))}
+}
+
+func fromV2InstancesCursor(cursor shared.V2ListRunsResponseCursor) ListInstancesOutput {
+	instances := make([]InstanceSummary, 0, len(cursor.Data))
+	for _, instance := range cursor.Data {
+		instances = append(instances, fromV2Instance(instance))
+	}
+	return ListInstancesOutput{
+		Instances: instances,
+		HasMore:   cursor.HasMore,
+		PageSize:  cursor.PageSize,
+		Next:      cursor.Next,
+		Previous:  cursor.Previous,
+	}
+}
+
+func fromV1Instance(instance shared.WorkflowInstance) InstanceSummary {
+	return InstanceSummary{
+		ID:           instance.ID,
+		WorkflowID:   instance.WorkflowID,
+		CreatedAt:    instance.CreatedAt,
+		UpdatedAt:    instance.UpdatedAt,
+		Terminated:   instance.Terminated,
+		TerminatedAt: instance.TerminatedAt,
+	}
+}
+
+func fromV2Instance(instance shared.V2WorkflowInstance) InstanceSummary {
+	return InstanceSummary{
+		ID:           instance.ID,
+		WorkflowID:   instance.WorkflowID,
+		CreatedAt:    instance.CreatedAt,
+		UpdatedAt:    instance.UpdatedAt,
+		Terminated:   instance.Terminated,
+		TerminatedAt: instance.TerminatedAt,
+	}
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
+
+func optionalInt64(value int64) *int64 {
+	if value == 0 {
+		return nil
+	}
+	return &value
+}
diff --git a/v4/internal/commands/flows/flows_test.go b/v4/internal/commands/flows/flows_test.go
new file mode 100644
index 00000000..3d57e346
--- /dev/null
+++ b/v4/internal/commands/flows/flows_test.go
@@ -0,0 +1,274 @@
+package flows
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListWorkflowsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListWorkflowsService{
+		Handlers: []ListWorkflowsHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListWorkflowsInput) (ListWorkflowsOutput, error) {
+					if input.PageSize != 10 || input.Cursor != "cursor" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListWorkflowsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListWorkflowsInput{PageSize: 10, Cursor: "cursor"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestGetWorkflowServiceRequiresWorkflowID(t *testing.T) {
+	service := GetWorkflowService{
+		Handlers: []GetWorkflowHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetWorkflowInput{}); err == nil {
+		t.Fatal("expected workflow id validation error")
+	}
+}
+
+func TestDeleteWorkflowServiceRequiresWorkflowID(t *testing.T) {
+	service := DeleteWorkflowService{
+		Handlers: []DeleteWorkflowHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), DeleteWorkflowInput{}); err == nil {
+		t.Fatal("expected workflow id validation error")
+	}
+}
+
+func TestRunWorkflowServiceSelectsResolvedHandler(t *testing.T) {
+	service := RunWorkflowService{
+		Handlers: []RunWorkflowHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input RunWorkflowInput) (RunWorkflowOutput, error) {
+					if input.WorkflowID != "workflow_1" || input.Vars["env"] != "dev" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return RunWorkflowOutput{Instance: InstanceSummary{ID: "instance_1"}}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), RunWorkflowInput{WorkflowID: "workflow_1", Vars: map[string]string{"env": "dev"}})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Instance.ID != "instance_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestListInstancesServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListInstancesService{
+		Handlers: []ListInstancesHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListInstancesInput) (ListInstancesOutput, error) {
+					if input.PageSize != 10 || input.WorkflowID != "workflow_1" || input.Running == nil || !*input.Running {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListInstancesOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	running := true
+	output, err := service.Run(context.Background(), ListInstancesInput{PageSize: 10, WorkflowID: "workflow_1", Running: &running})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestGetInstanceServiceRequiresInstanceID(t *testing.T) {
+	service := GetInstanceService{
+		Handlers: []GetInstanceHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetInstanceInput{}); err == nil {
+		t.Fatal("expected instance id validation error")
+	}
+}
+
+func TestSendEventServiceRequiresEvent(t *testing.T) {
+	service := SendEventService{
+		Handlers: []InstanceActionHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), InstanceActionInput{InstanceID: "instance_1"}); err == nil {
+		t.Fatal("expected event validation error")
+	}
+}
+
+func TestStopInstanceServiceRequiresInstanceID(t *testing.T) {
+	service := StopInstanceService{
+		Handlers: []InstanceActionHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), InstanceActionInput{}); err == nil {
+		t.Fatal("expected instance id validation error")
+	}
+}
+
+func TestCreateTriggerServiceRequiresWorkflowID(t *testing.T) {
+	service := CreateTriggerService{
+		Handlers: []CreateTriggerHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateTriggerInput{Event: "approved"}); err == nil {
+		t.Fatal("expected workflow id validation error")
+	}
+}
+
+func TestListTriggersServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListTriggersService{
+		Handlers: []ListTriggersHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListTriggersInput) (ListTriggersOutput, error) {
+					if input.PageSize != 10 || input.Name != "Payout" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListTriggersOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListTriggersInput{PageSize: 10, Name: "Payout"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestDeleteTriggerServiceRequiresTriggerID(t *testing.T) {
+	service := DeleteTriggerService{
+		Handlers: []DeleteTriggerHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), DeleteTriggerInput{}); err == nil {
+		t.Fatal("expected trigger id validation error")
+	}
+}
+
+func TestTestTriggerServiceSelectsV2Handler(t *testing.T) {
+	service := TestTriggerService{
+		Handlers: []TestTriggerHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input TestTriggerInput) (TestTriggerOutput, error) {
+					if input.TriggerID != "trigger_1" || input.Event["name"] != "approved" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					matched := true
+					return TestTriggerOutput{TriggerID: input.TriggerID, Matched: &matched}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), TestTriggerInput{TriggerID: "trigger_1", Event: map[string]any{"name": "approved"}})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Matched == nil || !*output.Matched {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestListTriggerOccurrencesServiceRequiresTriggerID(t *testing.T) {
+	service := ListTriggerOccurrencesService{
+		Handlers: []ListTriggerOccurrencesHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), ListTriggerOccurrencesInput{}); err == nil {
+		t.Fatal("expected trigger id validation error")
+	}
+}
+
+func assertAPIVersions(t *testing.T, got []capabilities.APIVersion, want []capabilities.APIVersion) {
+	t.Helper()
+	if len(got) != len(want) {
+		t.Fatalf("expected versions %v, got %v", want, got)
+	}
+	for i := range got {
+		if got[i] != want[i] {
+			t.Fatalf("expected versions %v, got %v", want, got)
+		}
+	}
+}
diff --git a/v4/internal/commands/ledger/account_metadata.go b/v4/internal/commands/ledger/account_metadata.go
new file mode 100644
index 00000000..b295d128
--- /dev/null
+++ b/v4/internal/commands/ledger/account_metadata.go
@@ -0,0 +1,175 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type AddAccountMetadataInput struct {
+	Ledger   string
+	Account  string
+	Metadata map[string]string
+}
+
+type AddAccountMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Updated    bool                    `json:"updated" yaml:"updated"`
+}
+
+type DeleteAccountMetadataInput struct {
+	Ledger  string
+	Account string
+	Key     string
+}
+
+type DeleteAccountMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Deleted    bool                    `json:"deleted" yaml:"deleted"`
+}
+
+type AddAccountMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, AddAccountMetadataInput) (AddAccountMetadataOutput, error)
+}
+
+type AddAccountMetadataService struct {
+	Handlers []AddAccountMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteAccountMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteAccountMetadataInput) (DeleteAccountMetadataOutput, error)
+}
+
+type DeleteAccountMetadataService struct {
+	Handlers []DeleteAccountMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s AddAccountMetadataService) Run(ctx context.Context, input AddAccountMetadataInput) (AddAccountMetadataOutput, error) {
+	if input.Ledger == "" {
+		return AddAccountMetadataOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Account == "" {
+		return AddAccountMetadataOutput{}, fmt.Errorf("account is required")
+	}
+	if len(input.Metadata) == 0 {
+		return AddAccountMetadataOutput{}, fmt.Errorf("metadata is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]AddAccountMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return AddAccountMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return AddAccountMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return AddAccountMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKAddAccountMetadataHandlers(sdk *formance.Formance) []AddAccountMetadataHandler {
+	return []AddAccountMetadataHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input AddAccountMetadataInput) (AddAccountMetadataOutput, error) {
+				response, err := sdk.Ledger.V1.AddMetadataToAccount(ctx, operations.AddMetadataToAccountRequest{
+					Ledger:      input.Ledger,
+					Address:     input.Account,
+					RequestBody: stringMapToAny(input.Metadata),
+				})
+				if err != nil {
+					return AddAccountMetadataOutput{}, err
+				}
+				return AddAccountMetadataOutput{Updated: response.StatusCode == 204}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input AddAccountMetadataInput) (AddAccountMetadataOutput, error) {
+				response, err := sdk.Ledger.V2.AddMetadataToAccount(ctx, operations.V2AddMetadataToAccountRequest{
+					Ledger:      input.Ledger,
+					Address:     input.Account,
+					RequestBody: input.Metadata,
+				})
+				if err != nil {
+					return AddAccountMetadataOutput{}, err
+				}
+				return AddAccountMetadataOutput{Updated: response.StatusCode == 204}, nil
+			},
+		},
+	}
+}
+
+func (s DeleteAccountMetadataService) Run(ctx context.Context, input DeleteAccountMetadataInput) (DeleteAccountMetadataOutput, error) {
+	if input.Ledger == "" {
+		return DeleteAccountMetadataOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Account == "" {
+		return DeleteAccountMetadataOutput{}, fmt.Errorf("account is required")
+	}
+	if input.Key == "" {
+		return DeleteAccountMetadataOutput{}, fmt.Errorf("metadata key is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]DeleteAccountMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return DeleteAccountMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return DeleteAccountMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteAccountMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKDeleteAccountMetadataHandlers(sdk *formance.Formance) []DeleteAccountMetadataHandler {
+	return []DeleteAccountMetadataHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input DeleteAccountMetadataInput) (DeleteAccountMetadataOutput, error) {
+				response, err := sdk.Ledger.V2.DeleteAccountMetadata(ctx, operations.V2DeleteAccountMetadataRequest{
+					Ledger:  input.Ledger,
+					Address: input.Account,
+					Key:     input.Key,
+				})
+				if err != nil {
+					return DeleteAccountMetadataOutput{}, err
+				}
+				return DeleteAccountMetadataOutput{Deleted: response.StatusCode == 204}, nil
+			},
+		},
+	}
+}
diff --git a/v4/internal/commands/ledger/account_metadata_test.go b/v4/internal/commands/ledger/account_metadata_test.go
new file mode 100644
index 00000000..3800a5d7
--- /dev/null
+++ b/v4/internal/commands/ledger/account_metadata_test.go
@@ -0,0 +1,99 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestAddAccountMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := AddAccountMetadataService{
+		Handlers: []AddAccountMetadataHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, AddAccountMetadataInput) (AddAccountMetadataOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return AddAccountMetadataOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input AddAccountMetadataInput) (AddAccountMetadataOutput, error) {
+					if input.Ledger != "default" || input.Account != "users:123" || input.Metadata["foo"] != "bar" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return AddAccountMetadataOutput{Updated: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), AddAccountMetadataInput{
+		Ledger:   "default",
+		Account:  "users:123",
+		Metadata: map[string]string{"foo": "bar"},
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || !output.Updated {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestAddAccountMetadataServiceRequiresInput(t *testing.T) {
+	service := AddAccountMetadataService{
+		Handlers: []AddAccountMetadataHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), AddAccountMetadataInput{Account: "users:123", Metadata: map[string]string{"foo": "bar"}}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+	if _, err := service.Run(context.Background(), AddAccountMetadataInput{Ledger: "default", Metadata: map[string]string{"foo": "bar"}}); err == nil {
+		t.Fatal("expected account validation error")
+	}
+	if _, err := service.Run(context.Background(), AddAccountMetadataInput{Ledger: "default", Account: "users:123"}); err == nil {
+		t.Fatal("expected metadata validation error")
+	}
+}
+
+func TestDeleteAccountMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := DeleteAccountMetadataService{
+		Handlers: []DeleteAccountMetadataHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input DeleteAccountMetadataInput) (DeleteAccountMetadataOutput, error) {
+					if input.Ledger != "default" || input.Account != "users:123" || input.Key != "foo" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return DeleteAccountMetadataOutput{Deleted: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), DeleteAccountMetadataInput{
+		Ledger:  "default",
+		Account: "users:123",
+		Key:     "foo",
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || !output.Deleted {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
diff --git a/v4/internal/commands/ledger/account_query.go b/v4/internal/commands/ledger/account_query.go
new file mode 100644
index 00000000..d40521ba
--- /dev/null
+++ b/v4/internal/commands/ledger/account_query.go
@@ -0,0 +1,162 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const FeatureRunQuery capabilities.Feature = "runQuery"
+
+type RunAccountQueryInput struct {
+	Ledger        string
+	QueryID       string
+	SchemaVersion string
+	PageSize      int64
+	Cursor        string
+	Expand        string
+	Pit           *time.Time
+	Reverse       bool
+	Sort          string
+	Vars          map[string]string
+}
+
+type RunAccountQueryOutput struct {
+	APIVersion    capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	QueryID       string                  `json:"queryId" yaml:"queryId"`
+	SchemaVersion string                  `json:"schemaVersion" yaml:"schemaVersion"`
+	Accounts      []AccountSummary        `json:"accounts" yaml:"accounts"`
+	HasMore       bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize      int64                   `json:"pageSize" yaml:"pageSize"`
+	Next          *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous      *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type RunAccountQueryHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, RunAccountQueryInput) (RunAccountQueryOutput, error)
+}
+
+type RunAccountQueryService struct {
+	Handlers []RunAccountQueryHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s RunAccountQueryService) Run(ctx context.Context, input RunAccountQueryInput) (RunAccountQueryOutput, error) {
+	if input.Ledger == "" {
+		return RunAccountQueryOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.QueryID == "" {
+		return RunAccountQueryOutput{}, fmt.Errorf("query id is required")
+	}
+	if input.SchemaVersion == "" {
+		return RunAccountQueryOutput{}, fmt.Errorf("schema version is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]RunAccountQueryHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return RunAccountQueryOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return RunAccountQueryOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return RunAccountQueryOutput{}, err
+	}
+	output.APIVersion = selected
+	output.QueryID = input.QueryID
+	output.SchemaVersion = input.SchemaVersion
+	return output, nil
+}
+
+func SDKRunAccountQueryHandlers(sdk *formance.Formance) []RunAccountQueryHandler {
+	return []RunAccountQueryHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input RunAccountQueryInput) (RunAccountQueryOutput, error) {
+				response, err := sdk.Ledger.V2.RunQuery(ctx, toV2RunAccountQueryRequest(input))
+				if err != nil {
+					return RunAccountQueryOutput{}, err
+				}
+				if response.OneOf == nil || response.OneOf.V2AccountsCursorResponse == nil {
+					return RunAccountQueryOutput{}, fmt.Errorf("ledger v2 run query returned no accounts cursor")
+				}
+				return fromV2RunAccountQuery(response.OneOf.V2AccountsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func toV2RunAccountQueryRequest(input RunAccountQueryInput) operations.V2RunQueryRequest {
+	params := shared.QueryTemplateAccountParams{
+		Resource: shared.V2QueryParamsResourceAccounts.ToPointer(),
+	}
+	request := operations.V2RunQueryRequest{
+		ID:            input.QueryID,
+		Ledger:        input.Ledger,
+		SchemaVersion: input.SchemaVersion,
+		RequestBody: operations.V2RunQueryRequestBody{
+			Params: pointer(shared.CreateV2QueryParamsQueryTemplateAccountParams(params)),
+			Vars:   input.Vars,
+		},
+	}
+	if input.PageSize > 0 {
+		request.PageSize = pointer(input.PageSize)
+		params.PageSize = pointer(input.PageSize)
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+		request.RequestBody.Cursor = pointer(input.Cursor)
+		params.Cursor = pointer(input.Cursor)
+	}
+	if input.Expand != "" {
+		request.Expand = pointer(input.Expand)
+		params.Expand = pointer(input.Expand)
+	}
+	if input.Pit != nil {
+		request.Pit = input.Pit
+		params.Pit = input.Pit
+	}
+	if input.Reverse {
+		request.Reverse = pointer(input.Reverse)
+	}
+	if input.Sort != "" {
+		request.Sort = pointer(input.Sort)
+		params.Sort = pointer(input.Sort)
+	}
+	request.RequestBody.Params = pointer(shared.CreateV2QueryParamsQueryTemplateAccountParams(params))
+	return request
+}
+
+func fromV2RunAccountQuery(cursor shared.V2AccountsCursorResponseCursor) RunAccountQueryOutput {
+	accounts := make([]AccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, AccountSummary{
+			Address:  account.Address,
+			Metadata: stringMapToAny(account.Metadata),
+		})
+	}
+	return RunAccountQueryOutput{
+		Accounts: accounts,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
diff --git a/v4/internal/commands/ledger/account_query_test.go b/v4/internal/commands/ledger/account_query_test.go
new file mode 100644
index 00000000..290d71d6
--- /dev/null
+++ b/v4/internal/commands/ledger/account_query_test.go
@@ -0,0 +1,140 @@
+package ledger
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+)
+
+func TestRunAccountQueryServiceSelectsResolvedHandler(t *testing.T) {
+	service := RunAccountQueryService{
+		Handlers: []RunAccountQueryHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input RunAccountQueryInput) (RunAccountQueryOutput, error) {
+					if input.Ledger != "default" || input.QueryID != "active_accounts" || input.SchemaVersion != "v1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return RunAccountQueryOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), RunAccountQueryInput{
+		Ledger:        "default",
+		QueryID:       "active_accounts",
+		SchemaVersion: "v1",
+		PageSize:      10,
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.QueryID != "active_accounts" || output.SchemaVersion != "v1" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestRunAccountQueryServiceRequiresInputs(t *testing.T) {
+	service := RunAccountQueryService{
+		Handlers: []RunAccountQueryHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), RunAccountQueryInput{}); err == nil || err.Error() != "ledger is required" {
+		t.Fatalf("expected ledger required error, got %v", err)
+	}
+	if _, err := service.Run(context.Background(), RunAccountQueryInput{Ledger: "default"}); err == nil || err.Error() != "query id is required" {
+		t.Fatalf("expected query id required error, got %v", err)
+	}
+	if _, err := service.Run(context.Background(), RunAccountQueryInput{Ledger: "default", QueryID: "q"}); err == nil || err.Error() != "schema version is required" {
+		t.Fatalf("expected schema version required error, got %v", err)
+	}
+}
+
+func TestRunAccountQueryServiceReturnsResolverError(t *testing.T) {
+	expected := errors.New("requires ledger API v2")
+	service := RunAccountQueryService{
+		Handlers: []RunAccountQueryHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			return "", expected
+		},
+	}
+
+	_, err := service.Run(context.Background(), RunAccountQueryInput{
+		Ledger:        "default",
+		QueryID:       "active_accounts",
+		SchemaVersion: "v1",
+	})
+	if !errors.Is(err, expected) {
+		t.Fatalf("expected resolver error, got %v", err)
+	}
+}
+
+func TestRunAccountQueryRequestMapsCanonicalInput(t *testing.T) {
+	pit := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
+	request := toV2RunAccountQueryRequest(RunAccountQueryInput{
+		Ledger:        "default",
+		QueryID:       "active_accounts",
+		SchemaVersion: "v1",
+		PageSize:      10,
+		Cursor:        "cursor",
+		Expand:        "metadata",
+		Pit:           &pit,
+		Reverse:       true,
+		Sort:          "address:asc",
+		Vars:          map[string]string{"segment": "vip"},
+	})
+
+	if request.Ledger != "default" || request.ID != "active_accounts" || request.SchemaVersion != "v1" {
+		t.Fatalf("unexpected request identity: %#v", request)
+	}
+	if request.PageSize == nil || *request.PageSize != 10 || request.Cursor == nil || *request.Cursor != "cursor" {
+		t.Fatalf("unexpected pagination mapping: %#v", request)
+	}
+	if request.Reverse == nil || !*request.Reverse || request.Sort == nil || *request.Sort != "address:asc" {
+		t.Fatalf("unexpected order mapping: %#v", request)
+	}
+	if request.RequestBody.Vars["segment"] != "vip" {
+		t.Fatalf("unexpected vars mapping: %#v", request.RequestBody.Vars)
+	}
+	if request.RequestBody.Params == nil || request.RequestBody.Params.QueryTemplateAccountParams == nil {
+		t.Fatalf("expected account query params, got %#v", request.RequestBody.Params)
+	}
+	params := request.RequestBody.Params.QueryTemplateAccountParams
+	if params.Resource == nil || *params.Resource != shared.V2QueryParamsResourceAccounts {
+		t.Fatalf("expected account resource, got %#v", params.Resource)
+	}
+	if params.Pit == nil || !params.Pit.Equal(pit) || params.Expand == nil || *params.Expand != "metadata" {
+		t.Fatalf("unexpected params mapping: %#v", params)
+	}
+}
+
+func TestRunAccountQueryMapping(t *testing.T) {
+	next := "next"
+	output := fromV2RunAccountQuery(shared.V2AccountsCursorResponseCursor{
+		Data: []shared.V2Account{
+			{Address: "users:123", Metadata: map[string]string{"tier": "gold"}},
+		},
+		HasMore:  true,
+		Next:     &next,
+		PageSize: 10,
+	})
+	if len(output.Accounts) != 1 || output.Accounts[0].Address != "users:123" || output.Accounts[0].Metadata["tier"] != "gold" {
+		t.Fatalf("unexpected accounts: %#v", output.Accounts)
+	}
+	if !output.HasMore || output.Next == nil || *output.Next != "next" || output.PageSize != 10 {
+		t.Fatalf("unexpected cursor mapping: %#v", output)
+	}
+}
diff --git a/v4/internal/commands/ledger/accounts.go b/v4/internal/commands/ledger/accounts.go
new file mode 100644
index 00000000..b09301ba
--- /dev/null
+++ b/v4/internal/commands/ledger/accounts.go
@@ -0,0 +1,337 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureAddAccountMetadata    capabilities.Feature = "addMetadataToAccount"
+	FeatureDeleteAccountMetadata capabilities.Feature = "deleteAccountMetadata"
+	FeatureListAccounts          capabilities.Feature = "listAccounts"
+	FeatureGetAccount            capabilities.Feature = "getAccount"
+)
+
+type ListAccountsInput struct {
+	Ledger   string
+	PageSize int64
+	Cursor   string
+	Account  string
+	Metadata map[string]string
+}
+
+type ListAccountsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Accounts   []AccountSummary        `json:"accounts" yaml:"accounts"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type AccountSummary struct {
+	Address  string         `json:"address" yaml:"address"`
+	Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type GetAccountInput struct {
+	Ledger  string
+	Account string
+}
+
+type GetAccountOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Account    AccountDetail           `json:"account" yaml:"account"`
+}
+
+type AccountDetail struct {
+	Address  string              `json:"address" yaml:"address"`
+	Metadata map[string]any      `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Volumes  map[string]VolumeIO `json:"volumes,omitempty" yaml:"volumes,omitempty"`
+}
+
+type VolumeIO struct {
+	Input   string `json:"input" yaml:"input"`
+	Output  string `json:"output" yaml:"output"`
+	Balance string `json:"balance,omitempty" yaml:"balance,omitempty"`
+}
+
+type ListAccountsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListAccountsInput) (ListAccountsOutput, error)
+}
+
+type ListAccountsService struct {
+	Handlers []ListAccountsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListAccountsService) Run(ctx context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+	if input.Ledger == "" {
+		return ListAccountsOutput{}, fmt.Errorf("ledger is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListAccountsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListAccountsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListAccountsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListAccountsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+type GetAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetAccountInput) (GetAccountOutput, error)
+}
+
+type GetAccountService struct {
+	Handlers []GetAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s GetAccountService) Run(ctx context.Context, input GetAccountInput) (GetAccountOutput, error) {
+	if input.Ledger == "" {
+		return GetAccountOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Account == "" {
+		return GetAccountOutput{}, fmt.Errorf("account is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetAccountHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListAccountsHandlers(sdk *formance.Formance) []ListAccountsHandler {
+	return []ListAccountsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+				response, err := sdk.Ledger.V1.ListAccounts(ctx, toV1ListAccountsRequest(input))
+				if err != nil {
+					return ListAccountsOutput{}, err
+				}
+				if response.AccountsCursorResponse == nil {
+					return ListAccountsOutput{}, fmt.Errorf("ledger v1 list accounts returned no cursor")
+				}
+				return fromV1ListAccounts(response.AccountsCursorResponse.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+				response, err := sdk.Ledger.V2.ListAccounts(ctx, toV2ListAccountsRequest(input))
+				if err != nil {
+					return ListAccountsOutput{}, err
+				}
+				if response.V2AccountsCursorResponse == nil {
+					return ListAccountsOutput{}, fmt.Errorf("ledger v2 list accounts returned no cursor")
+				}
+				return fromV2ListAccounts(response.V2AccountsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetAccountHandlers(sdk *formance.Formance) []GetAccountHandler {
+	return []GetAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetAccountInput) (GetAccountOutput, error) {
+				response, err := sdk.Ledger.V1.GetAccount(ctx, operations.GetAccountRequest{
+					Ledger:  input.Ledger,
+					Address: input.Account,
+				})
+				if err != nil {
+					return GetAccountOutput{}, err
+				}
+				if response.AccountResponse == nil {
+					return GetAccountOutput{}, fmt.Errorf("ledger v1 get account returned no data")
+				}
+				return GetAccountOutput{Account: fromV1AccountDetail(response.AccountResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input GetAccountInput) (GetAccountOutput, error) {
+				response, err := sdk.Ledger.V2.GetAccount(ctx, operations.V2GetAccountRequest{
+					Ledger:  input.Ledger,
+					Address: input.Account,
+				})
+				if err != nil {
+					return GetAccountOutput{}, err
+				}
+				if response.V2AccountResponse == nil {
+					return GetAccountOutput{}, fmt.Errorf("ledger v2 get account returned no data")
+				}
+				return GetAccountOutput{Account: fromV2AccountDetail(response.V2AccountResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func toV1ListAccountsRequest(input ListAccountsInput) operations.ListAccountsRequest {
+	request := operations.ListAccountsRequest{
+		Ledger:   input.Ledger,
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	if input.Account != "" {
+		request.Address = pointer(input.Account)
+	}
+	if len(input.Metadata) > 0 {
+		request.Metadata = stringMapToAny(input.Metadata)
+	}
+	return request
+}
+
+func toV2ListAccountsRequest(input ListAccountsInput) operations.V2ListAccountsRequest {
+	request := operations.V2ListAccountsRequest{
+		Ledger:   input.Ledger,
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	queryParts := make([]map[string]any, 0, len(input.Metadata)+1)
+	if input.Account != "" {
+		queryParts = append(queryParts, map[string]any{
+			"$match": map[string]any{"address": input.Account},
+		})
+	}
+	for key, value := range input.Metadata {
+		queryParts = append(queryParts, map[string]any{
+			"$match": map[string]any{"metadata[" + key + "]": value},
+		})
+	}
+	if len(queryParts) == 1 {
+		request.Query = queryParts[0]
+	}
+	if len(queryParts) > 1 {
+		request.Query = map[string]any{"$and": queryParts}
+	}
+	return request
+}
+
+func fromV1ListAccounts(cursor shared.AccountsCursorResponseCursor) ListAccountsOutput {
+	accounts := make([]AccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, AccountSummary{
+			Address:  account.Address,
+			Metadata: account.Metadata,
+		})
+	}
+	return ListAccountsOutput{
+		Accounts: accounts,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV2ListAccounts(cursor shared.V2AccountsCursorResponseCursor) ListAccountsOutput {
+	accounts := make([]AccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, AccountSummary{
+			Address:  account.Address,
+			Metadata: stringMapToAny(account.Metadata),
+		})
+	}
+	return ListAccountsOutput{
+		Accounts: accounts,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV1AccountDetail(account shared.AccountWithVolumesAndBalances) AccountDetail {
+	return AccountDetail{
+		Address:  account.Address,
+		Metadata: account.Metadata,
+		Volumes:  fromV1Volumes(account.Volumes),
+	}
+}
+
+func fromV2AccountDetail(account shared.V2Account) AccountDetail {
+	return AccountDetail{
+		Address:  account.Address,
+		Metadata: stringMapToAny(account.Metadata),
+		Volumes:  fromV2Volumes(account.Volumes),
+	}
+}
+
+func fromV1Volumes(volumes map[string]shared.Volume) map[string]VolumeIO {
+	if len(volumes) == 0 {
+		return nil
+	}
+	ret := make(map[string]VolumeIO, len(volumes))
+	for asset, volume := range volumes {
+		ret[asset] = VolumeIO{
+			Input:   bigIntString(volume.Input),
+			Output:  bigIntString(volume.Output),
+			Balance: bigIntString(volume.Balance),
+		}
+	}
+	return ret
+}
+
+func fromV2Volumes(volumes map[string]shared.V2Volume) map[string]VolumeIO {
+	if len(volumes) == 0 {
+		return nil
+	}
+	ret := make(map[string]VolumeIO, len(volumes))
+	for asset, volume := range volumes {
+		ret[asset] = VolumeIO{
+			Input:   bigIntString(volume.Input),
+			Output:  bigIntString(volume.Output),
+			Balance: bigIntString(volume.Balance),
+		}
+	}
+	return ret
+}
diff --git a/v4/internal/commands/ledger/accounts_test.go b/v4/internal/commands/ledger/accounts_test.go
new file mode 100644
index 00000000..da63690a
--- /dev/null
+++ b/v4/internal/commands/ledger/accounts_test.go
@@ -0,0 +1,106 @@
+package ledger
+
+import (
+	"context"
+	"math/big"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+)
+
+func TestListAccountsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListAccountsService{
+		Handlers: []ListAccountsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListAccountsInput) (ListAccountsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListAccountsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+					if input.Ledger != "default" || input.Account != "users:123" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListAccountsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListAccountsInput{Ledger: "default", Account: "users:123", PageSize: 15})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 15 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestToListAccountsRequestsMapCanonicalInput(t *testing.T) {
+	input := ListAccountsInput{
+		Ledger:   "default",
+		PageSize: 15,
+		Cursor:   "cursor",
+		Account:  "users:123",
+		Metadata: map[string]string{"tier": "gold"},
+	}
+
+	v1 := toV1ListAccountsRequest(input)
+	if v1.Ledger != "default" || *v1.PageSize != 15 || *v1.Cursor != "cursor" || *v1.Address != "users:123" {
+		t.Fatalf("unexpected v1 request: %#v", v1)
+	}
+	if v1.Metadata["tier"] != "gold" {
+		t.Fatalf("unexpected v1 metadata: %#v", v1.Metadata)
+	}
+
+	v2 := toV2ListAccountsRequest(input)
+	if v2.Ledger != "default" || *v2.PageSize != 15 || *v2.Cursor != "cursor" {
+		t.Fatalf("unexpected v2 request: %#v", v2)
+	}
+	andParts, ok := v2.Query["$and"].([]map[string]any)
+	if !ok || len(andParts) != 2 {
+		t.Fatalf("unexpected v2 query: %#v", v2.Query)
+	}
+}
+
+func TestGetAccountServiceRequiresInputs(t *testing.T) {
+	service := GetAccountService{}
+	if _, err := service.Run(context.Background(), GetAccountInput{}); err == nil || err.Error() != "ledger is required" {
+		t.Fatalf("expected ledger required error, got %v", err)
+	}
+	if _, err := service.Run(context.Background(), GetAccountInput{Ledger: "default"}); err == nil || err.Error() != "account is required" {
+		t.Fatalf("expected account required error, got %v", err)
+	}
+}
+
+func TestAccountMapping(t *testing.T) {
+	v1 := fromV1AccountDetail(shared.AccountWithVolumesAndBalances{
+		Address:  "users:123",
+		Metadata: map[string]any{"tier": "gold"},
+		Volumes: map[string]shared.Volume{
+			"USD/2": {Input: big.NewInt(100), Output: big.NewInt(40), Balance: big.NewInt(60)},
+		},
+	})
+	if v1.Address != "users:123" || v1.Metadata["tier"] != "gold" || v1.Volumes["USD/2"].Balance != "60" {
+		t.Fatalf("unexpected v1 detail: %#v", v1)
+	}
+
+	v2 := fromV2AccountDetail(shared.V2Account{
+		Address:  "users:123",
+		Metadata: map[string]string{"tier": "gold"},
+		Volumes: map[string]shared.V2Volume{
+			"USD/2": {Input: big.NewInt(100), Output: big.NewInt(40), Balance: big.NewInt(60)},
+		},
+	})
+	if v2.Address != "users:123" || v2.Metadata["tier"] != "gold" || v2.Volumes["USD/2"].Input != "100" {
+		t.Fatalf("unexpected v2 detail: %#v", v2)
+	}
+}
diff --git a/v4/internal/commands/ledger/export_logs.go b/v4/internal/commands/ledger/export_logs.go
new file mode 100644
index 00000000..40257a37
--- /dev/null
+++ b/v4/internal/commands/ledger/export_logs.go
@@ -0,0 +1,97 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type ExportLogsInput struct {
+	Ledger string
+}
+
+type ExportLogsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Ledger     string                  `json:"ledger" yaml:"ledger"`
+	Data       []byte                  `json:"-" yaml:"-"`
+}
+
+type ExportLogsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ExportLogsInput) (ExportLogsOutput, error)
+}
+
+type ExportLogsService struct {
+	Handlers []ExportLogsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ExportLogsService) Run(ctx context.Context, input ExportLogsInput) (ExportLogsOutput, error) {
+	if input.Ledger == "" {
+		return ExportLogsOutput{}, fmt.Errorf("ledger is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ExportLogsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ExportLogsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ExportLogsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ExportLogsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKExportLogsHandlers(sdk *formance.Formance) []ExportLogsHandler {
+	return []ExportLogsHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ExportLogsInput) (ExportLogsOutput, error) {
+				file, err := os.CreateTemp("", "fctl-ledger-export-*.jsonl")
+				if err != nil {
+					return ExportLogsOutput{}, err
+				}
+				path := file.Name()
+				if err := file.Close(); err != nil {
+					return ExportLogsOutput{}, err
+				}
+				defer os.Remove(path)
+
+				ctx = context.WithValue(ctx, "path", path)
+				response, err := sdk.Ledger.V2.ExportLogs(ctx, operations.V2ExportLogsRequest{
+					Ledger: input.Ledger,
+				})
+				if err != nil {
+					return ExportLogsOutput{}, err
+				}
+				if response.RawResponse == nil {
+					return ExportLogsOutput{}, fmt.Errorf("ledger v2 export logs returned no response")
+				}
+
+				data, err := os.ReadFile(path)
+				if err != nil {
+					return ExportLogsOutput{}, err
+				}
+				return ExportLogsOutput{Ledger: input.Ledger, Data: data}, nil
+			},
+		},
+	}
+}
diff --git a/v4/internal/commands/ledger/export_logs_test.go b/v4/internal/commands/ledger/export_logs_test.go
new file mode 100644
index 00000000..14ae6111
--- /dev/null
+++ b/v4/internal/commands/ledger/export_logs_test.go
@@ -0,0 +1,50 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestExportLogsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ExportLogsService{
+		Handlers: []ExportLogsHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ExportLogsInput) (ExportLogsOutput, error) {
+					if input.Ledger != "default" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ExportLogsOutput{Ledger: input.Ledger, Data: []byte("entry\n")}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ExportLogsInput{Ledger: "default"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Ledger != "default" || string(output.Data) != "entry\n" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestExportLogsServiceRequiresLedger(t *testing.T) {
+	service := ExportLogsService{
+		Handlers: []ExportLogsHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), ExportLogsInput{}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+}
diff --git a/v4/internal/commands/ledger/import_logs.go b/v4/internal/commands/ledger/import_logs.go
new file mode 100644
index 00000000..8a89d38e
--- /dev/null
+++ b/v4/internal/commands/ledger/import_logs.go
@@ -0,0 +1,184 @@
+package ledger
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"os"
+	"path/filepath"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type ImportLogsInput struct {
+	Ledger            string
+	FilePath          string
+	Data              []byte
+	ResumeFromLastLog bool
+}
+
+type ImportLogsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Ledger     string                  `json:"ledger" yaml:"ledger"`
+	Imported   bool                    `json:"imported" yaml:"imported"`
+}
+
+type ImportLogsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ImportLogsInput) (ImportLogsOutput, error)
+}
+
+type ImportLogsService struct {
+	Handlers []ImportLogsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ImportLogsService) Run(ctx context.Context, input ImportLogsInput) (ImportLogsOutput, error) {
+	if input.Ledger == "" {
+		return ImportLogsOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.FilePath == "" && len(input.Data) == 0 {
+		return ImportLogsOutput{}, fmt.Errorf("file is required")
+	}
+	if input.FilePath != "" && len(input.Data) > 0 {
+		return ImportLogsOutput{}, fmt.Errorf("file and data are mutually exclusive")
+	}
+	if input.ResumeFromLastLog && (input.FilePath == "" || input.FilePath == "-") {
+		return ImportLogsOutput{}, fmt.Errorf("resume requires a file path")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ImportLogsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ImportLogsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ImportLogsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ImportLogsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKImportLogsHandlers(sdk *formance.Formance) []ImportLogsHandler {
+	return []ImportLogsHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ImportLogsInput) (ImportLogsOutput, error) {
+				body, closeBody, err := v2ImportLogsBody(ctx, sdk, input)
+				if err != nil {
+					return ImportLogsOutput{}, err
+				}
+				if closeBody != nil {
+					defer closeBody()
+				}
+
+				_, err = sdk.Ledger.V2.ImportLogs(ctx, operations.V2ImportLogsRequest{
+					Ledger:              input.Ledger,
+					V2ImportLogsRequest: body,
+				})
+				if err != nil {
+					return ImportLogsOutput{}, err
+				}
+				return ImportLogsOutput{Ledger: input.Ledger, Imported: true}, nil
+			},
+		},
+	}
+}
+
+func v2ImportLogsBody(ctx context.Context, sdk *formance.Formance, input ImportLogsInput) (any, func(), error) {
+	if input.ResumeFromLastLog {
+		file, err := openImportFileAfterLastLog(ctx, sdk, input)
+		if err != nil {
+			return nil, nil, err
+		}
+		return file, func() { _ = file.Close() }, nil
+	}
+	if input.FilePath != "" {
+		return []byte("file:" + filepath.Clean(input.FilePath)), nil, nil
+	}
+	return bytes.NewReader(input.Data), nil, nil
+}
+
+func openImportFileAfterLastLog(ctx context.Context, sdk *formance.Formance, input ImportLogsInput) (*os.File, error) {
+	pageSize := int64(1)
+	response, err := sdk.Ledger.V2.ListLogs(ctx, operations.V2ListLogsRequest{
+		Ledger:   input.Ledger,
+		PageSize: &pageSize,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if response.V2LogsCursorResponse == nil || len(response.V2LogsCursorResponse.Cursor.Data) == 0 {
+		return os.Open(filepath.Clean(input.FilePath))
+	}
+	lastID := response.V2LogsCursorResponse.Cursor.Data[0].ID
+	if lastID == nil {
+		return nil, fmt.Errorf("last ledger log has no id")
+	}
+	return openImportFileAfterLogID(input.FilePath, lastID)
+}
+
+func openImportFileAfterLogID(filePath string, id *big.Int) (*os.File, error) {
+	file, err := os.Open(filepath.Clean(filePath))
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	offset, err := importOffsetAfterLogID(file, id)
+	if err != nil {
+		return nil, err
+	}
+
+	resumed, err := os.Open(filepath.Clean(filePath))
+	if err != nil {
+		return nil, err
+	}
+	if _, err := resumed.Seek(offset, 0); err != nil {
+		_ = resumed.Close()
+		return nil, err
+	}
+	return resumed, nil
+}
+
+func importOffsetAfterLogID(file *os.File, id *big.Int) (int64, error) {
+	scanner := bufio.NewScanner(file)
+	scanner.Buffer(make([]byte, 64*1024), 10*1024*1024)
+
+	var offset int64
+	for scanner.Scan() {
+		line := scanner.Bytes()
+		var log struct {
+			ID *big.Int `json:"id"`
+		}
+		if err := json.Unmarshal(line, &log); err != nil {
+			return 0, err
+		}
+		offset += int64(len(line) + 1)
+		if log.ID != nil && log.ID.Cmp(id) == 0 {
+			return offset, nil
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return 0, err
+	}
+	return 0, fmt.Errorf("log id %s was not found in import file", id.String())
+}
diff --git a/v4/internal/commands/ledger/import_logs_test.go b/v4/internal/commands/ledger/import_logs_test.go
new file mode 100644
index 00000000..99fd7ddc
--- /dev/null
+++ b/v4/internal/commands/ledger/import_logs_test.go
@@ -0,0 +1,90 @@
+package ledger
+
+import (
+	"context"
+	"math/big"
+	"os"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestImportLogsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ImportLogsService{
+		Handlers: []ImportLogsHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ImportLogsInput) (ImportLogsOutput, error) {
+					if input.Ledger != "default" || string(input.Data) != "entry\n" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ImportLogsOutput{Ledger: input.Ledger, Imported: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ImportLogsInput{Ledger: "default", Data: []byte("entry\n")})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Ledger != "default" || !output.Imported {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestImportLogsServiceRequiresLedger(t *testing.T) {
+	service := ImportLogsService{
+		Handlers: []ImportLogsHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), ImportLogsInput{Data: []byte("entry\n")}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+}
+
+func TestImportLogsServiceRequiresFileOrData(t *testing.T) {
+	service := ImportLogsService{
+		Handlers: []ImportLogsHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), ImportLogsInput{Ledger: "default"}); err == nil {
+		t.Fatal("expected file validation error")
+	}
+}
+
+func TestImportOffsetAfterLogID(t *testing.T) {
+	file, err := os.CreateTemp(t.TempDir(), "logs-*.jsonl")
+	if err != nil {
+		t.Fatalf("create temp file: %v", err)
+	}
+	defer file.Close()
+
+	_, err = file.WriteString("{\"id\":1}\n{\"id\":2}\n{\"id\":3}\n")
+	if err != nil {
+		t.Fatalf("write temp file: %v", err)
+	}
+	if _, err := file.Seek(0, 0); err != nil {
+		t.Fatalf("seek temp file: %v", err)
+	}
+
+	offset, err := importOffsetAfterLogID(file, big.NewInt(2))
+	if err != nil {
+		t.Fatalf("find offset: %v", err)
+	}
+	if offset != int64(len("{\"id\":1}\n{\"id\":2}\n")) {
+		t.Fatalf("unexpected offset: %d", offset)
+	}
+}
diff --git a/v4/internal/commands/ledger/ledger_metadata.go b/v4/internal/commands/ledger/ledger_metadata.go
new file mode 100644
index 00000000..8b20b9df
--- /dev/null
+++ b/v4/internal/commands/ledger/ledger_metadata.go
@@ -0,0 +1,151 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type UpdateLedgerMetadataInput struct {
+	Ledger   string
+	Metadata map[string]string
+}
+
+type UpdateLedgerMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Updated    bool                    `json:"updated" yaml:"updated"`
+}
+
+type DeleteLedgerMetadataInput struct {
+	Ledger string
+	Key    string
+}
+
+type DeleteLedgerMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Deleted    bool                    `json:"deleted" yaml:"deleted"`
+}
+
+type UpdateLedgerMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, UpdateLedgerMetadataInput) (UpdateLedgerMetadataOutput, error)
+}
+
+type UpdateLedgerMetadataService struct {
+	Handlers []UpdateLedgerMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteLedgerMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteLedgerMetadataInput) (DeleteLedgerMetadataOutput, error)
+}
+
+type DeleteLedgerMetadataService struct {
+	Handlers []DeleteLedgerMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s UpdateLedgerMetadataService) Run(ctx context.Context, input UpdateLedgerMetadataInput) (UpdateLedgerMetadataOutput, error) {
+	if input.Ledger == "" {
+		return UpdateLedgerMetadataOutput{}, fmt.Errorf("ledger is required")
+	}
+	if len(input.Metadata) == 0 {
+		return UpdateLedgerMetadataOutput{}, fmt.Errorf("metadata is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]UpdateLedgerMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return UpdateLedgerMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return UpdateLedgerMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return UpdateLedgerMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKUpdateLedgerMetadataHandlers(sdk *formance.Formance) []UpdateLedgerMetadataHandler {
+	return []UpdateLedgerMetadataHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input UpdateLedgerMetadataInput) (UpdateLedgerMetadataOutput, error) {
+				response, err := sdk.Ledger.V2.UpdateLedgerMetadata(ctx, operations.V2UpdateLedgerMetadataRequest{
+					Ledger:      input.Ledger,
+					RequestBody: input.Metadata,
+				})
+				if err != nil {
+					return UpdateLedgerMetadataOutput{}, err
+				}
+				return UpdateLedgerMetadataOutput{Updated: response.StatusCode == 204}, nil
+			},
+		},
+	}
+}
+
+func (s DeleteLedgerMetadataService) Run(ctx context.Context, input DeleteLedgerMetadataInput) (DeleteLedgerMetadataOutput, error) {
+	if input.Ledger == "" {
+		return DeleteLedgerMetadataOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Key == "" {
+		return DeleteLedgerMetadataOutput{}, fmt.Errorf("metadata key is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]DeleteLedgerMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return DeleteLedgerMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return DeleteLedgerMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteLedgerMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKDeleteLedgerMetadataHandlers(sdk *formance.Formance) []DeleteLedgerMetadataHandler {
+	return []DeleteLedgerMetadataHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input DeleteLedgerMetadataInput) (DeleteLedgerMetadataOutput, error) {
+				response, err := sdk.Ledger.V2.DeleteLedgerMetadata(ctx, operations.V2DeleteLedgerMetadataRequest{
+					Ledger: input.Ledger,
+					Key:    input.Key,
+				})
+				if err != nil {
+					return DeleteLedgerMetadataOutput{}, err
+				}
+				return DeleteLedgerMetadataOutput{Deleted: response.StatusCode == 204}, nil
+			},
+		},
+	}
+}
diff --git a/v4/internal/commands/ledger/ledger_metadata_test.go b/v4/internal/commands/ledger/ledger_metadata_test.go
new file mode 100644
index 00000000..c982f9db
--- /dev/null
+++ b/v4/internal/commands/ledger/ledger_metadata_test.go
@@ -0,0 +1,87 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestUpdateLedgerMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := UpdateLedgerMetadataService{
+		Handlers: []UpdateLedgerMetadataHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input UpdateLedgerMetadataInput) (UpdateLedgerMetadataOutput, error) {
+					if input.Ledger != "default" || input.Metadata["tier"] != "gold" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return UpdateLedgerMetadataOutput{Updated: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), UpdateLedgerMetadataInput{
+		Ledger:   "default",
+		Metadata: map[string]string{"tier": "gold"},
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || !output.Updated {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestUpdateLedgerMetadataServiceRequiresInput(t *testing.T) {
+	service := UpdateLedgerMetadataService{
+		Handlers: []UpdateLedgerMetadataHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), UpdateLedgerMetadataInput{Metadata: map[string]string{"tier": "gold"}}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+	if _, err := service.Run(context.Background(), UpdateLedgerMetadataInput{Ledger: "default"}); err == nil {
+		t.Fatal("expected metadata validation error")
+	}
+}
+
+func TestDeleteLedgerMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := DeleteLedgerMetadataService{
+		Handlers: []DeleteLedgerMetadataHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input DeleteLedgerMetadataInput) (DeleteLedgerMetadataOutput, error) {
+					if input.Ledger != "default" || input.Key != "tier" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return DeleteLedgerMetadataOutput{Deleted: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), DeleteLedgerMetadataInput{
+		Ledger: "default",
+		Key:    "tier",
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || !output.Deleted {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
diff --git a/v4/internal/commands/ledger/list_ledgers.go b/v4/internal/commands/ledger/list_ledgers.go
new file mode 100644
index 00000000..9bbf2f62
--- /dev/null
+++ b/v4/internal/commands/ledger/list_ledgers.go
@@ -0,0 +1,213 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureCreateLedger         capabilities.Feature = "createLedger"
+	FeatureDeleteLedgerMetadata capabilities.Feature = "deleteLedgerMetadata"
+	FeatureExportLogs           capabilities.Feature = "exportLogs"
+	FeatureImportLogs           capabilities.Feature = "importLogs"
+	FeatureListLedgers          capabilities.Feature = "listLedgers"
+	FeatureUpdateLedgerMetadata capabilities.Feature = "updateLedgerMetadata"
+)
+
+type ListLedgersInput struct {
+	PageSize       int64
+	Cursor         string
+	IncludeDeleted bool
+	Sort           string
+}
+
+type CreateLedgerInput struct {
+	Name     string
+	Bucket   string
+	Features map[string]string
+	Metadata map[string]string
+}
+
+type CreateLedgerOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Name       string                  `json:"name" yaml:"name"`
+	Created    bool                    `json:"created" yaml:"created"`
+}
+
+type ListLedgersOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Ledgers    []LedgerSummary         `json:"ledgers" yaml:"ledgers"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type LedgerSummary struct {
+	Name      string            `json:"name" yaml:"name"`
+	Bucket    string            `json:"bucket" yaml:"bucket"`
+	AddedAt   time.Time         `json:"addedAt" yaml:"addedAt"`
+	DeletedAt *time.Time        `json:"deletedAt,omitempty" yaml:"deletedAt,omitempty"`
+	Metadata  map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type ListLedgersHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListLedgersInput) (ListLedgersOutput, error)
+}
+
+type ListLedgersService struct {
+	Handlers []ListLedgersHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateLedgerHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateLedgerInput) (CreateLedgerOutput, error)
+}
+
+type CreateLedgerService struct {
+	Handlers []CreateLedgerHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListLedgersService) Run(ctx context.Context, input ListLedgersInput) (ListLedgersOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListLedgersHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListLedgersOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListLedgersOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListLedgersOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateLedgerService) Run(ctx context.Context, input CreateLedgerInput) (CreateLedgerOutput, error) {
+	if input.Name == "" {
+		return CreateLedgerOutput{}, fmt.Errorf("ledger name is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateLedgerHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateLedgerOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateLedgerOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateLedgerOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListLedgersHandlers(sdk *formance.Formance) []ListLedgersHandler {
+	return []ListLedgersHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListLedgersInput) (ListLedgersOutput, error) {
+				response, err := sdk.Ledger.V2.ListLedgers(ctx, toV2ListLedgersRequest(input))
+				if err != nil {
+					return ListLedgersOutput{}, err
+				}
+				if response.V2LedgerListResponse == nil {
+					return ListLedgersOutput{}, fmt.Errorf("ledger v2 list ledgers returned no cursor")
+				}
+				return fromV2ListLedgers(response.V2LedgerListResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKCreateLedgerHandlers(sdk *formance.Formance) []CreateLedgerHandler {
+	return []CreateLedgerHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input CreateLedgerInput) (CreateLedgerOutput, error) {
+				request := operations.V2CreateLedgerRequest{
+					Ledger: input.Name,
+					V2CreateLedgerRequest: shared.V2CreateLedgerRequest{
+						Features: input.Features,
+						Metadata: input.Metadata,
+					},
+				}
+				if input.Bucket != "" {
+					request.V2CreateLedgerRequest.Bucket = pointer(input.Bucket)
+				}
+				response, err := sdk.Ledger.V2.CreateLedger(ctx, request)
+				if err != nil {
+					return CreateLedgerOutput{}, err
+				}
+				return CreateLedgerOutput{
+					Name:    input.Name,
+					Created: response.StatusCode == 204,
+				}, nil
+			},
+		},
+	}
+}
+
+func toV2ListLedgersRequest(input ListLedgersInput) operations.V2ListLedgersRequest {
+	request := operations.V2ListLedgersRequest{
+		PageSize:       pointer(input.PageSize),
+		IncludeDeleted: pointer(input.IncludeDeleted),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	if input.Sort != "" {
+		request.Sort = pointer(input.Sort)
+	}
+	return request
+}
+
+func fromV2ListLedgers(cursor shared.V2LedgerListResponseCursor) ListLedgersOutput {
+	ledgers := make([]LedgerSummary, 0, len(cursor.Data))
+	for _, ledger := range cursor.Data {
+		ledgers = append(ledgers, LedgerSummary{
+			Name:      ledger.Name,
+			Bucket:    ledger.Bucket,
+			AddedAt:   ledger.AddedAt,
+			DeletedAt: ledger.DeletedAt,
+			Metadata:  ledger.Metadata,
+		})
+	}
+	return ListLedgersOutput{
+		Ledgers:  ledgers,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
diff --git a/v4/internal/commands/ledger/list_ledgers_test.go b/v4/internal/commands/ledger/list_ledgers_test.go
new file mode 100644
index 00000000..e39a4314
--- /dev/null
+++ b/v4/internal/commands/ledger/list_ledgers_test.go
@@ -0,0 +1,135 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListLedgersServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListLedgersService{
+		Handlers: []ListLedgersHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListLedgersInput) (ListLedgersOutput, error) {
+					if input.PageSize != 10 || !input.IncludeDeleted {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListLedgersOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListLedgersInput{PageSize: 10, IncludeDeleted: true})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateLedgerServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreateLedgerService{
+		Handlers: []CreateLedgerHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input CreateLedgerInput) (CreateLedgerOutput, error) {
+					if input.Name != "default" || input.Bucket != "bucket" || input.Features["hash"] != "true" || input.Metadata["tier"] != "gold" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreateLedgerOutput{Name: input.Name, Created: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreateLedgerInput{
+		Name:     "default",
+		Bucket:   "bucket",
+		Features: map[string]string{"hash": "true"},
+		Metadata: map[string]string{"tier": "gold"},
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Name != "default" || !output.Created {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateLedgerServiceRequiresName(t *testing.T) {
+	service := CreateLedgerService{
+		Handlers: []CreateLedgerHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateLedgerInput{}); err == nil {
+		t.Fatal("expected ledger name validation error")
+	}
+}
+
+func TestToV2ListLedgersRequestMapsCanonicalInput(t *testing.T) {
+	request := toV2ListLedgersRequest(ListLedgersInput{
+		PageSize:       10,
+		Cursor:         "cursor",
+		IncludeDeleted: true,
+		Sort:           "name:asc",
+	})
+
+	if request.PageSize == nil || *request.PageSize != 10 {
+		t.Fatalf("unexpected page size: %#v", request.PageSize)
+	}
+	if request.Cursor == nil || *request.Cursor != "cursor" {
+		t.Fatalf("unexpected cursor: %#v", request.Cursor)
+	}
+	if request.IncludeDeleted == nil || !*request.IncludeDeleted {
+		t.Fatalf("unexpected include deleted: %#v", request.IncludeDeleted)
+	}
+	if request.Sort == nil || *request.Sort != "name:asc" {
+		t.Fatalf("unexpected sort: %#v", request.Sort)
+	}
+}
+
+func TestFromV2ListLedgersMapsCursor(t *testing.T) {
+	addedAt := time.Date(2026, 1, 2, 3, 4, 5, 0, time.UTC)
+	output := fromV2ListLedgers(shared.V2LedgerListResponseCursor{
+		Data: []shared.V2Ledger{
+			{
+				Name:    "default",
+				Bucket:  "bucket",
+				AddedAt: addedAt,
+			},
+		},
+		PageSize: 15,
+	})
+
+	if len(output.Ledgers) != 1 {
+		t.Fatalf("expected one ledger, got %#v", output.Ledgers)
+	}
+	if output.Ledgers[0].Name != "default" || output.Ledgers[0].Bucket != "bucket" {
+		t.Fatalf("unexpected ledger: %#v", output.Ledgers[0])
+	}
+	if !output.Ledgers[0].AddedAt.Equal(addedAt) {
+		t.Fatalf("unexpected addedAt: %s", output.Ledgers[0].AddedAt)
+	}
+	if output.PageSize != 15 || output.HasMore {
+		t.Fatalf("unexpected cursor fields: %#v", output)
+	}
+}
diff --git a/v4/internal/commands/ledger/list_transactions.go b/v4/internal/commands/ledger/list_transactions.go
new file mode 100644
index 00000000..0a39b3a8
--- /dev/null
+++ b/v4/internal/commands/ledger/list_transactions.go
@@ -0,0 +1,745 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"math/big"
+	"strconv"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductLedger                    capabilities.Product = "ledger"
+	FeatureAddTransactionMetadata    capabilities.Feature = "addMetadataOnTransaction"
+	FeatureCountTransactions         capabilities.Feature = "countTransactions"
+	FeatureCreateTransaction         capabilities.Feature = "createTransaction"
+	FeatureDeleteTransactionMetadata capabilities.Feature = "deleteTransactionMetadata"
+	FeatureExplainTransaction        capabilities.Feature = "explainTransaction"
+	FeatureListTransactions          capabilities.Feature = "listTransactions"
+	FeatureGetTransaction            capabilities.Feature = "getTransaction"
+	FeatureRevertTransaction         capabilities.Feature = "revertTransaction"
+)
+
+type ListTransactionsInput struct {
+	Ledger      string
+	PageSize    int64
+	Cursor      string
+	Account     string
+	Source      string
+	Destination string
+	Reference   string
+	Metadata    map[string]string
+	StartTime   *time.Time
+	EndTime     *time.Time
+}
+
+type ListTransactionsOutput struct {
+	APIVersion   capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Transactions []TransactionSummary    `json:"transactions" yaml:"transactions"`
+	HasMore      bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize     int64                   `json:"pageSize" yaml:"pageSize"`
+	Next         *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous     *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type CountTransactionsInput struct {
+	Ledger      string
+	Account     string
+	Source      string
+	Destination string
+	Reference   string
+}
+
+type CountTransactionsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Count      int64                   `json:"count" yaml:"count"`
+}
+
+type SendTransactionInput struct {
+	Ledger      string
+	Source      string
+	Destination string
+	Amount      string
+	Asset       string
+	Reference   string
+	Metadata    map[string]string
+}
+
+type SendTransactionOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Transaction TransactionSummary      `json:"transaction" yaml:"transaction"`
+}
+
+type TransactionSummary struct {
+	ID        string         `json:"id" yaml:"id"`
+	Reference *string        `json:"reference,omitempty" yaml:"reference,omitempty"`
+	Timestamp time.Time      `json:"timestamp" yaml:"timestamp"`
+	Metadata  map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type GetTransactionInput struct {
+	Ledger        string
+	TransactionID string
+}
+
+type GetTransactionOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Transaction TransactionSummary      `json:"transaction" yaml:"transaction"`
+}
+
+type RevertTransactionInput struct {
+	Ledger          string
+	TransactionID   string
+	AtEffectiveDate bool
+	Force           bool
+}
+
+type RevertTransactionOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Transaction TransactionSummary      `json:"transaction" yaml:"transaction"`
+}
+
+type ListTransactionsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListTransactionsInput) (ListTransactionsOutput, error)
+}
+
+type ListTransactionsService struct {
+	Handlers []ListTransactionsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CountTransactionsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CountTransactionsInput) (CountTransactionsOutput, error)
+}
+
+type CountTransactionsService struct {
+	Handlers []CountTransactionsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type SendTransactionHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, SendTransactionInput) (SendTransactionOutput, error)
+}
+
+type SendTransactionService struct {
+	Handlers []SendTransactionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetTransactionHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetTransactionInput) (GetTransactionOutput, error)
+}
+
+type GetTransactionService struct {
+	Handlers []GetTransactionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type RevertTransactionHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, RevertTransactionInput) (RevertTransactionOutput, error)
+}
+
+type RevertTransactionService struct {
+	Handlers []RevertTransactionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListTransactionsService) Run(ctx context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+	if input.Ledger == "" {
+		return ListTransactionsOutput{}, fmt.Errorf("ledger is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListTransactionsHandler{}
+	for _, handler := range s.Handlers {
+		if (input.StartTime != nil || input.EndTime != nil) && handler.APIVersion != "v1" {
+			continue
+		}
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListTransactionsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListTransactionsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListTransactionsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CountTransactionsService) Run(ctx context.Context, input CountTransactionsInput) (CountTransactionsOutput, error) {
+	if input.Ledger == "" {
+		return CountTransactionsOutput{}, fmt.Errorf("ledger is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CountTransactionsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CountTransactionsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CountTransactionsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CountTransactionsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListTransactionsHandlers(sdk *formance.Formance) []ListTransactionsHandler {
+	return []ListTransactionsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+				response, err := sdk.Ledger.V1.ListTransactions(ctx, toV1ListTransactionsRequest(input))
+				if err != nil {
+					return ListTransactionsOutput{}, err
+				}
+				if response.TransactionsCursorResponse == nil {
+					return ListTransactionsOutput{}, fmt.Errorf("ledger v1 list transactions returned no cursor")
+				}
+				return fromV1ListTransactions(response.TransactionsCursorResponse.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+				response, err := sdk.Ledger.V2.ListTransactions(ctx, toV2ListTransactionsRequest(input))
+				if err != nil {
+					return ListTransactionsOutput{}, err
+				}
+				if response.V2TransactionsCursorResponse == nil {
+					return ListTransactionsOutput{}, fmt.Errorf("ledger v2 list transactions returned no cursor")
+				}
+				return fromV2ListTransactions(response.V2TransactionsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKCountTransactionsHandlers(sdk *formance.Formance) []CountTransactionsHandler {
+	return []CountTransactionsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CountTransactionsInput) (CountTransactionsOutput, error) {
+				response, err := sdk.Ledger.V1.CountTransactions(ctx, toV1CountTransactionsRequest(input))
+				if err != nil {
+					return CountTransactionsOutput{}, err
+				}
+				count, err := countHeader(response.Headers)
+				if err != nil {
+					return CountTransactionsOutput{}, err
+				}
+				return CountTransactionsOutput{Count: count}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input CountTransactionsInput) (CountTransactionsOutput, error) {
+				response, err := sdk.Ledger.V2.CountTransactions(ctx, toV2CountTransactionsRequest(input))
+				if err != nil {
+					return CountTransactionsOutput{}, err
+				}
+				count, err := countHeader(response.Headers)
+				if err != nil {
+					return CountTransactionsOutput{}, err
+				}
+				return CountTransactionsOutput{Count: count}, nil
+			},
+		},
+	}
+}
+
+func (s SendTransactionService) Run(ctx context.Context, input SendTransactionInput) (SendTransactionOutput, error) {
+	if input.Ledger == "" {
+		return SendTransactionOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Source == "" {
+		return SendTransactionOutput{}, fmt.Errorf("source is required")
+	}
+	if input.Destination == "" {
+		return SendTransactionOutput{}, fmt.Errorf("destination is required")
+	}
+	if input.Amount == "" {
+		return SendTransactionOutput{}, fmt.Errorf("amount is required")
+	}
+	if input.Asset == "" {
+		return SendTransactionOutput{}, fmt.Errorf("asset is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]SendTransactionHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return SendTransactionOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return SendTransactionOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return SendTransactionOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKSendTransactionHandlers(sdk *formance.Formance) []SendTransactionHandler {
+	return []SendTransactionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input SendTransactionInput) (SendTransactionOutput, error) {
+				amount, err := parseAmount(input.Amount)
+				if err != nil {
+					return SendTransactionOutput{}, err
+				}
+				response, err := sdk.Ledger.V1.CreateTransaction(ctx, operations.CreateTransactionRequest{
+					Ledger: input.Ledger,
+					PostTransaction: shared.PostTransaction{
+						Metadata: stringMapToAny(input.Metadata),
+						Postings: []shared.Posting{{
+							Amount:      amount,
+							Asset:       input.Asset,
+							Destination: input.Destination,
+							Source:      input.Source,
+						}},
+						Reference: optionalString(input.Reference),
+					},
+				})
+				if err != nil {
+					return SendTransactionOutput{}, err
+				}
+				if response.TransactionsResponse == nil || len(response.TransactionsResponse.Data) == 0 {
+					return SendTransactionOutput{}, fmt.Errorf("ledger v1 create transaction returned no data")
+				}
+				return SendTransactionOutput{Transaction: fromV1Transaction(response.TransactionsResponse.Data[0])}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input SendTransactionInput) (SendTransactionOutput, error) {
+				amount, err := parseAmount(input.Amount)
+				if err != nil {
+					return SendTransactionOutput{}, err
+				}
+				response, err := sdk.Ledger.V2.CreateTransaction(ctx, operations.V2CreateTransactionRequest{
+					Ledger: input.Ledger,
+					V2PostTransaction: shared.V2PostTransaction{
+						Metadata: input.Metadata,
+						Postings: []shared.V2Posting{{
+							Amount:      amount,
+							Asset:       input.Asset,
+							Destination: input.Destination,
+							Source:      input.Source,
+						}},
+						Reference: optionalString(input.Reference),
+					},
+				})
+				if err != nil {
+					return SendTransactionOutput{}, err
+				}
+				if response.V2CreateTransactionResponse == nil {
+					return SendTransactionOutput{}, fmt.Errorf("ledger v2 create transaction returned no data")
+				}
+				return SendTransactionOutput{Transaction: fromV2Transaction(response.V2CreateTransactionResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func (s GetTransactionService) Run(ctx context.Context, input GetTransactionInput) (GetTransactionOutput, error) {
+	if input.Ledger == "" {
+		return GetTransactionOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.TransactionID == "" {
+		return GetTransactionOutput{}, fmt.Errorf("transaction id is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetTransactionHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetTransactionOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetTransactionOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetTransactionOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKGetTransactionHandlers(sdk *formance.Formance) []GetTransactionHandler {
+	return []GetTransactionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetTransactionInput) (GetTransactionOutput, error) {
+				txid, ok := new(big.Int).SetString(input.TransactionID, 10)
+				if !ok {
+					return GetTransactionOutput{}, fmt.Errorf("transaction id must be an integer")
+				}
+				response, err := sdk.Ledger.V1.GetTransaction(ctx, operations.GetTransactionRequest{
+					Ledger: input.Ledger,
+					Txid:   txid,
+				})
+				if err != nil {
+					return GetTransactionOutput{}, err
+				}
+				if response.TransactionResponse == nil {
+					return GetTransactionOutput{}, fmt.Errorf("ledger v1 get transaction returned no data")
+				}
+				return GetTransactionOutput{Transaction: fromV1Transaction(response.TransactionResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input GetTransactionInput) (GetTransactionOutput, error) {
+				txid, ok := new(big.Int).SetString(input.TransactionID, 10)
+				if !ok {
+					return GetTransactionOutput{}, fmt.Errorf("transaction id must be an integer")
+				}
+				response, err := sdk.Ledger.V2.GetTransaction(ctx, operations.V2GetTransactionRequest{
+					Ledger: input.Ledger,
+					ID:     txid,
+				})
+				if err != nil {
+					return GetTransactionOutput{}, err
+				}
+				if response.V2GetTransactionResponse == nil {
+					return GetTransactionOutput{}, fmt.Errorf("ledger v2 get transaction returned no data")
+				}
+				return GetTransactionOutput{Transaction: fromV2Transaction(response.V2GetTransactionResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func (s RevertTransactionService) Run(ctx context.Context, input RevertTransactionInput) (RevertTransactionOutput, error) {
+	if input.Ledger == "" {
+		return RevertTransactionOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.TransactionID == "" {
+		return RevertTransactionOutput{}, fmt.Errorf("transaction id is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]RevertTransactionHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return RevertTransactionOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return RevertTransactionOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return RevertTransactionOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKRevertTransactionHandlers(sdk *formance.Formance) []RevertTransactionHandler {
+	return []RevertTransactionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input RevertTransactionInput) (RevertTransactionOutput, error) {
+				if input.AtEffectiveDate {
+					return RevertTransactionOutput{}, fmt.Errorf("--at-effective-date requires ledger API v2+")
+				}
+				txid, ok := new(big.Int).SetString(input.TransactionID, 10)
+				if !ok {
+					return RevertTransactionOutput{}, fmt.Errorf("transaction id must be an integer")
+				}
+				response, err := sdk.Ledger.V1.RevertTransaction(ctx, operations.RevertTransactionRequest{
+					Ledger:        input.Ledger,
+					Txid:          txid,
+					DisableChecks: pointer(input.Force),
+				})
+				if err != nil {
+					return RevertTransactionOutput{}, err
+				}
+				if response.TransactionResponse == nil {
+					return RevertTransactionOutput{}, fmt.Errorf("ledger v1 revert transaction returned no data")
+				}
+				return RevertTransactionOutput{Transaction: fromV1Transaction(response.TransactionResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input RevertTransactionInput) (RevertTransactionOutput, error) {
+				txid, ok := new(big.Int).SetString(input.TransactionID, 10)
+				if !ok {
+					return RevertTransactionOutput{}, fmt.Errorf("transaction id must be an integer")
+				}
+				response, err := sdk.Ledger.V2.RevertTransaction(ctx, operations.V2RevertTransactionRequest{
+					Ledger:                     input.Ledger,
+					ID:                         txid,
+					AtEffectiveDate:            pointer(input.AtEffectiveDate),
+					Force:                      pointer(input.Force),
+					V2RevertTransactionRequest: &shared.V2RevertTransactionRequest{},
+				})
+				if err != nil {
+					return RevertTransactionOutput{}, err
+				}
+				if response.V2RevertTransactionResponse == nil {
+					return RevertTransactionOutput{}, fmt.Errorf("ledger v2 revert transaction returned no data")
+				}
+				return RevertTransactionOutput{Transaction: fromV2Transaction(response.V2RevertTransactionResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func toV1ListTransactionsRequest(input ListTransactionsInput) operations.ListTransactionsRequest {
+	request := operations.ListTransactionsRequest{
+		Ledger:   input.Ledger,
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	if input.Account != "" {
+		request.Account = pointer(input.Account)
+	}
+	if input.Source != "" {
+		request.Source = pointer(input.Source)
+	}
+	if input.Destination != "" {
+		request.Destination = pointer(input.Destination)
+	}
+	if input.Reference != "" {
+		request.Reference = pointer(input.Reference)
+	}
+	if len(input.Metadata) > 0 {
+		request.Metadata = stringMapToAny(input.Metadata)
+	}
+	if input.StartTime != nil {
+		request.StartTime = input.StartTime
+	}
+	if input.EndTime != nil {
+		request.EndTime = input.EndTime
+	}
+	return request
+}
+
+func toV2ListTransactionsRequest(input ListTransactionsInput) operations.V2ListTransactionsRequest {
+	request := operations.V2ListTransactionsRequest{
+		Ledger:   input.Ledger,
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	query := map[string]any{}
+	if input.Account != "" {
+		query["account"] = input.Account
+	}
+	if input.Source != "" {
+		query["source"] = input.Source
+	}
+	if input.Destination != "" {
+		query["destination"] = input.Destination
+	}
+	if input.Reference != "" {
+		query["reference"] = input.Reference
+	}
+	for key, value := range input.Metadata {
+		query["metadata["+key+"]"] = value
+	}
+	if len(query) > 0 {
+		request.Query = query
+	}
+	return request
+}
+
+func toV1CountTransactionsRequest(input CountTransactionsInput) operations.CountTransactionsRequest {
+	request := operations.CountTransactionsRequest{
+		Ledger: input.Ledger,
+	}
+	if input.Account != "" {
+		request.Account = pointer(input.Account)
+	}
+	if input.Source != "" {
+		request.Source = pointer(input.Source)
+	}
+	if input.Destination != "" {
+		request.Destination = pointer(input.Destination)
+	}
+	if input.Reference != "" {
+		request.Reference = pointer(input.Reference)
+	}
+	return request
+}
+
+func toV2CountTransactionsRequest(input CountTransactionsInput) operations.V2CountTransactionsRequest {
+	request := operations.V2CountTransactionsRequest{
+		Ledger: input.Ledger,
+	}
+	query := map[string]any{}
+	if input.Account != "" {
+		query["account"] = input.Account
+	}
+	if input.Source != "" {
+		query["source"] = input.Source
+	}
+	if input.Destination != "" {
+		query["destination"] = input.Destination
+	}
+	if input.Reference != "" {
+		query["reference"] = input.Reference
+	}
+	if len(query) > 0 {
+		request.Query = query
+	}
+	return request
+}
+
+func fromV1ListTransactions(cursor shared.TransactionsCursorResponseCursor) ListTransactionsOutput {
+	transactions := make([]TransactionSummary, 0, len(cursor.Data))
+	for _, transaction := range cursor.Data {
+		transactions = append(transactions, fromV1Transaction(transaction))
+	}
+	return ListTransactionsOutput{
+		Transactions: transactions,
+		HasMore:      cursor.HasMore,
+		PageSize:     cursor.PageSize,
+		Next:         cursor.Next,
+		Previous:     cursor.Previous,
+	}
+}
+
+func fromV2ListTransactions(cursor shared.V2TransactionsCursorResponseCursor) ListTransactionsOutput {
+	transactions := make([]TransactionSummary, 0, len(cursor.Data))
+	for _, transaction := range cursor.Data {
+		transactions = append(transactions, fromV2Transaction(transaction))
+	}
+	return ListTransactionsOutput{
+		Transactions: transactions,
+		HasMore:      cursor.HasMore,
+		PageSize:     cursor.PageSize,
+		Next:         cursor.Next,
+		Previous:     cursor.Previous,
+	}
+}
+
+func fromV1Transaction(transaction shared.Transaction) TransactionSummary {
+	return TransactionSummary{
+		ID:        bigIntString(transaction.Txid),
+		Reference: transaction.Reference,
+		Timestamp: transaction.Timestamp,
+		Metadata:  transaction.Metadata,
+	}
+}
+
+func fromV2Transaction(transaction shared.V2Transaction) TransactionSummary {
+	return TransactionSummary{
+		ID:        bigIntString(transaction.ID),
+		Reference: transaction.Reference,
+		Timestamp: transaction.Timestamp,
+		Metadata:  stringMapToAny(transaction.Metadata),
+	}
+}
+
+func pointer[T any](value T) *T {
+	return &value
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
+
+func parseAmount(value string) (*big.Int, error) {
+	amount, ok := new(big.Int).SetString(value, 10)
+	if !ok {
+		return nil, fmt.Errorf("amount must be an integer")
+	}
+	return amount, nil
+}
+
+func bigIntString(value *big.Int) string {
+	if value == nil {
+		return ""
+	}
+	return value.String()
+}
+
+func stringMapToAny(values map[string]string) map[string]any {
+	if len(values) == 0 {
+		return nil
+	}
+	ret := make(map[string]any, len(values))
+	for key, value := range values {
+		ret[key] = value
+	}
+	return ret
+}
+
+func countHeader(headers map[string][]string) (int64, error) {
+	values := headers["Count"]
+	if len(values) == 0 || values[0] == "" {
+		return 0, fmt.Errorf("count response missing Count header")
+	}
+	count, err := strconv.ParseInt(values[0], 10, 64)
+	if err != nil {
+		return 0, fmt.Errorf("invalid Count header %q: %w", values[0], err)
+	}
+	return count, nil
+}
diff --git a/v4/internal/commands/ledger/list_transactions_test.go b/v4/internal/commands/ledger/list_transactions_test.go
new file mode 100644
index 00000000..1c62962d
--- /dev/null
+++ b/v4/internal/commands/ledger/list_transactions_test.go
@@ -0,0 +1,419 @@
+package ledger
+
+import (
+	"context"
+	"errors"
+	"math/big"
+	"testing"
+	"time"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+)
+
+func TestListTransactionsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListTransactionsService{
+		Handlers: []ListTransactionsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListTransactionsInput) (ListTransactionsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListTransactionsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+					if input.Ledger != "default" {
+						t.Fatalf("unexpected ledger %q", input.Ledger)
+					}
+					return ListTransactionsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListTransactionsInput{Ledger: "default", PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestListTransactionsServiceReturnsResolverError(t *testing.T) {
+	expected := errors.New("unsupported")
+	service := ListTransactionsService{
+		Handlers: []ListTransactionsHandler{{APIVersion: "v3", Run: nil}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			return "", expected
+		},
+	}
+
+	_, err := service.Run(context.Background(), ListTransactionsInput{Ledger: "default"})
+	if !errors.Is(err, expected) {
+		t.Fatalf("expected resolver error, got %v", err)
+	}
+}
+
+func TestCountTransactionsServiceSelectsResolvedHandler(t *testing.T) {
+	service := CountTransactionsService{
+		Handlers: []CountTransactionsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, CountTransactionsInput) (CountTransactionsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return CountTransactionsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input CountTransactionsInput) (CountTransactionsOutput, error) {
+					if input.Ledger != "default" || input.Source != "world" || input.Destination != "users:123" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CountTransactionsOutput{Count: 42}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CountTransactionsInput{
+		Ledger:      "default",
+		Source:      "world",
+		Destination: "users:123",
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Count != 42 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCountTransactionsRequestMapsCanonicalFilters(t *testing.T) {
+	input := CountTransactionsInput{
+		Ledger:      "default",
+		Account:     "users:123",
+		Source:      "world",
+		Destination: "users:123",
+		Reference:   "ref",
+	}
+
+	v1 := toV1CountTransactionsRequest(input)
+	if v1.Ledger != "default" || *v1.Account != "users:123" || *v1.Source != "world" ||
+		*v1.Destination != "users:123" || *v1.Reference != "ref" {
+		t.Fatalf("unexpected v1 request: %#v", v1)
+	}
+
+	v2 := toV2CountTransactionsRequest(input)
+	if v2.Ledger != "default" || v2.Query["account"] != "users:123" || v2.Query["source"] != "world" ||
+		v2.Query["destination"] != "users:123" || v2.Query["reference"] != "ref" {
+		t.Fatalf("unexpected v2 request: %#v", v2)
+	}
+}
+
+func TestCountHeader(t *testing.T) {
+	count, err := countHeader(map[string][]string{"Count": {"42"}})
+	if err != nil {
+		t.Fatalf("parse count header: %v", err)
+	}
+	if count != 42 {
+		t.Fatalf("expected count 42, got %d", count)
+	}
+
+	if _, err := countHeader(map[string][]string{}); err == nil {
+		t.Fatal("expected missing Count header error")
+	}
+	if _, err := countHeader(map[string][]string{"Count": {"wat"}}); err == nil {
+		t.Fatal("expected invalid Count header error")
+	}
+}
+
+func TestSendTransactionServiceSelectsResolvedHandler(t *testing.T) {
+	service := SendTransactionService{
+		Handlers: []SendTransactionHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, SendTransactionInput) (SendTransactionOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return SendTransactionOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input SendTransactionInput) (SendTransactionOutput, error) {
+					if input.Ledger != "default" || input.Source != "world" || input.Destination != "users:123" ||
+						input.Amount != "100" || input.Asset != "USD/2" || input.Metadata["foo"] != "bar" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return SendTransactionOutput{Transaction: TransactionSummary{ID: "42"}}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), SendTransactionInput{
+		Ledger:      "default",
+		Source:      "world",
+		Destination: "users:123",
+		Amount:      "100",
+		Asset:       "USD/2",
+		Metadata:    map[string]string{"foo": "bar"},
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Transaction.ID != "42" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestSendTransactionServiceRequiresInput(t *testing.T) {
+	service := SendTransactionService{
+		Handlers: []SendTransactionHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), SendTransactionInput{}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+	if _, err := service.Run(context.Background(), SendTransactionInput{Ledger: "default"}); err == nil {
+		t.Fatal("expected source validation error")
+	}
+}
+
+func TestParseAmount(t *testing.T) {
+	amount, err := parseAmount("100")
+	if err != nil {
+		t.Fatalf("parse amount: %v", err)
+	}
+	if amount.String() != "100" {
+		t.Fatalf("expected amount 100, got %s", amount)
+	}
+
+	if _, err := parseAmount("not-an-int"); err == nil {
+		t.Fatal("expected invalid amount error")
+	}
+}
+
+func TestToV2ListTransactionsRequestMapsCanonicalFilters(t *testing.T) {
+	request := toV2ListTransactionsRequest(ListTransactionsInput{
+		Ledger:      "default",
+		PageSize:    10,
+		Account:     "users:123",
+		Source:      "world",
+		Destination: "users:123",
+		Reference:   "ref",
+		Metadata:    map[string]string{"tier": "gold"},
+	})
+
+	if request.Ledger != "default" || *request.PageSize != 10 {
+		t.Fatalf("unexpected base request: %#v", request)
+	}
+	if request.Query["account"] != "users:123" || request.Query["source"] != "world" ||
+		request.Query["destination"] != "users:123" || request.Query["reference"] != "ref" ||
+		request.Query["metadata[tier]"] != "gold" {
+		t.Fatalf("unexpected query mapping: %#v", request.Query)
+	}
+}
+
+func TestToV1ListTransactionsRequestMapsTimeAndMetadataFilters(t *testing.T) {
+	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
+	end := time.Date(2026, 1, 2, 0, 0, 0, 0, time.UTC)
+	request := toV1ListTransactionsRequest(ListTransactionsInput{
+		Ledger:    "default",
+		PageSize:  10,
+		Metadata:  map[string]string{"tier": "gold"},
+		StartTime: &start,
+		EndTime:   &end,
+	})
+
+	if request.StartTime == nil || !request.StartTime.Equal(start) {
+		t.Fatalf("unexpected start time: %#v", request.StartTime)
+	}
+	if request.EndTime == nil || !request.EndTime.Equal(end) {
+		t.Fatalf("unexpected end time: %#v", request.EndTime)
+	}
+	if request.Metadata["tier"] != "gold" {
+		t.Fatalf("unexpected metadata: %#v", request.Metadata)
+	}
+}
+
+func TestListTransactionsServiceUsesV1ForTimeFilters(t *testing.T) {
+	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
+	service := ListTransactionsService{
+		Handlers: []ListTransactionsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListTransactionsInput) (ListTransactionsOutput, error) {
+					return ListTransactionsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(context.Context, ListTransactionsInput) (ListTransactionsOutput, error) {
+					t.Fatal("v2 handler should not run for time filters")
+					return ListTransactionsOutput{}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListTransactionsInput{Ledger: "default", StartTime: &start})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" {
+		t.Fatalf("unexpected API version: %s", output.APIVersion)
+	}
+}
+
+func TestGetTransactionServiceSelectsResolvedHandler(t *testing.T) {
+	service := GetTransactionService{
+		Handlers: []GetTransactionHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, GetTransactionInput) (GetTransactionOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return GetTransactionOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input GetTransactionInput) (GetTransactionOutput, error) {
+					if input.Ledger != "default" || input.TransactionID != "42" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return GetTransactionOutput{Transaction: TransactionSummary{ID: input.TransactionID}}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), GetTransactionInput{Ledger: "default", TransactionID: "42"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Transaction.ID != "42" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestRevertTransactionServiceSelectsResolvedHandler(t *testing.T) {
+	service := RevertTransactionService{
+		Handlers: []RevertTransactionHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, RevertTransactionInput) (RevertTransactionOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return RevertTransactionOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input RevertTransactionInput) (RevertTransactionOutput, error) {
+					if input.Ledger != "default" || input.TransactionID != "42" || !input.AtEffectiveDate || !input.Force {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return RevertTransactionOutput{Transaction: TransactionSummary{ID: input.TransactionID}}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), RevertTransactionInput{
+		Ledger:          "default",
+		TransactionID:   "42",
+		AtEffectiveDate: true,
+		Force:           true,
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Transaction.ID != "42" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestRevertTransactionServiceRequiresInput(t *testing.T) {
+	service := RevertTransactionService{
+		Handlers: []RevertTransactionHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), RevertTransactionInput{TransactionID: "42"}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+	if _, err := service.Run(context.Background(), RevertTransactionInput{Ledger: "default"}); err == nil {
+		t.Fatal("expected transaction id validation error")
+	}
+}
+
+func TestTransactionMapping(t *testing.T) {
+	timestamp := time.Date(2026, 1, 2, 3, 4, 5, 0, time.UTC)
+	reference := "ref"
+
+	v1 := fromV1Transaction(shared.Transaction{
+		Txid:      big.NewInt(42),
+		Reference: &reference,
+		Timestamp: timestamp,
+		Metadata:  map[string]any{"foo": "bar"},
+	})
+	if v1.ID != "42" || *v1.Reference != "ref" || !v1.Timestamp.Equal(timestamp) || v1.Metadata["foo"] != "bar" {
+		t.Fatalf("unexpected v1 transaction: %#v", v1)
+	}
+
+	v2 := fromV2Transaction(shared.V2Transaction{
+		ID:        big.NewInt(43),
+		Reference: &reference,
+		Timestamp: timestamp,
+		Metadata:  map[string]string{"foo": "bar"},
+	})
+	if v2.ID != "43" || *v2.Reference != "ref" || !v2.Timestamp.Equal(timestamp) || v2.Metadata["foo"] != "bar" {
+		t.Fatalf("unexpected v2 transaction: %#v", v2)
+	}
+}
+
+func assertAPIVersions(t *testing.T, got []capabilities.APIVersion, want []capabilities.APIVersion) {
+	t.Helper()
+	if len(got) != len(want) {
+		t.Fatalf("expected versions %v, got %v", want, got)
+	}
+	for i := range want {
+		if got[i] != want[i] {
+			t.Fatalf("expected versions %v, got %v", want, got)
+		}
+	}
+}
diff --git a/v4/internal/commands/ledger/list_volumes.go b/v4/internal/commands/ledger/list_volumes.go
new file mode 100644
index 00000000..2f04936c
--- /dev/null
+++ b/v4/internal/commands/ledger/list_volumes.go
@@ -0,0 +1,165 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const FeatureGetVolumesWithBalances capabilities.Feature = "getVolumesWithBalances"
+
+type ListVolumesInput struct {
+	Ledger           string
+	PageSize         int64
+	Cursor           string
+	Account          string
+	Metadata         map[string]string
+	StartTime        *time.Time
+	EndTime          *time.Time
+	UseInsertionDate bool
+	GroupBy          int64
+	Sort             string
+}
+
+type ListVolumesOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Volumes    []VolumeBalance         `json:"volumes" yaml:"volumes"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type VolumeBalance struct {
+	Account string `json:"account" yaml:"account"`
+	Asset   string `json:"asset" yaml:"asset"`
+	Input   string `json:"input" yaml:"input"`
+	Output  string `json:"output" yaml:"output"`
+	Balance string `json:"balance" yaml:"balance"`
+}
+
+type ListVolumesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListVolumesInput) (ListVolumesOutput, error)
+}
+
+type ListVolumesService struct {
+	Handlers []ListVolumesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListVolumesService) Run(ctx context.Context, input ListVolumesInput) (ListVolumesOutput, error) {
+	if input.Ledger == "" {
+		return ListVolumesOutput{}, fmt.Errorf("ledger is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListVolumesHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListVolumesOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListVolumesOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListVolumesOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListVolumesHandlers(sdk *formance.Formance) []ListVolumesHandler {
+	return []ListVolumesHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListVolumesInput) (ListVolumesOutput, error) {
+				response, err := sdk.Ledger.V2.GetVolumesWithBalances(ctx, toV2ListVolumesRequest(input))
+				if err != nil {
+					return ListVolumesOutput{}, err
+				}
+				if response.V2VolumesWithBalanceCursorResponse == nil {
+					return ListVolumesOutput{}, fmt.Errorf("ledger v2 list volumes returned no cursor")
+				}
+				return fromV2ListVolumes(response.V2VolumesWithBalanceCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func toV2ListVolumesRequest(input ListVolumesInput) operations.V2GetVolumesWithBalancesRequest {
+	request := operations.V2GetVolumesWithBalancesRequest{
+		Ledger:        input.Ledger,
+		PageSize:      pointer(input.PageSize),
+		InsertionDate: pointer(input.UseInsertionDate),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	if input.StartTime != nil {
+		request.StartTime = input.StartTime
+	}
+	if input.EndTime != nil {
+		request.EndTime = input.EndTime
+	}
+	if input.GroupBy > 0 {
+		request.GroupBy = pointer(input.GroupBy)
+	}
+	if input.Sort != "" {
+		request.Sort = pointer(input.Sort)
+	}
+
+	queryParts := make([]map[string]any, 0, len(input.Metadata)+1)
+	if input.Account != "" {
+		queryParts = append(queryParts, map[string]any{
+			"$match": map[string]any{"account": input.Account},
+		})
+	}
+	for key, value := range input.Metadata {
+		queryParts = append(queryParts, map[string]any{
+			"$match": map[string]any{"metadata[" + key + "]": value},
+		})
+	}
+	if len(queryParts) == 1 {
+		request.Query = queryParts[0]
+	}
+	if len(queryParts) > 1 {
+		request.Query = map[string]any{"$and": queryParts}
+	}
+
+	return request
+}
+
+func fromV2ListVolumes(cursor shared.V2VolumesWithBalanceCursorResponseCursor) ListVolumesOutput {
+	volumes := make([]VolumeBalance, 0, len(cursor.Data))
+	for _, volume := range cursor.Data {
+		volumes = append(volumes, VolumeBalance{
+			Account: volume.Account,
+			Asset:   volume.Asset,
+			Input:   bigIntString(volume.Input),
+			Output:  bigIntString(volume.Output),
+			Balance: bigIntString(volume.Balance),
+		})
+	}
+	return ListVolumesOutput{
+		Volumes:  volumes,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
diff --git a/v4/internal/commands/ledger/list_volumes_test.go b/v4/internal/commands/ledger/list_volumes_test.go
new file mode 100644
index 00000000..bdba6709
--- /dev/null
+++ b/v4/internal/commands/ledger/list_volumes_test.go
@@ -0,0 +1,92 @@
+package ledger
+
+import (
+	"context"
+	"math/big"
+	"testing"
+	"time"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+)
+
+func TestListVolumesServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListVolumesService{
+		Handlers: []ListVolumesHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListVolumesInput) (ListVolumesOutput, error) {
+					if input.Ledger != "default" || input.Account != "users:123" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListVolumesOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListVolumesInput{Ledger: "default", Account: "users:123", PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestToV2ListVolumesRequestMapsCanonicalInput(t *testing.T) {
+	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
+	end := time.Date(2026, 1, 2, 0, 0, 0, 0, time.UTC)
+	request := toV2ListVolumesRequest(ListVolumesInput{
+		Ledger:           "default",
+		PageSize:         10,
+		Cursor:           "cursor",
+		Account:          "users:123",
+		Metadata:         map[string]string{"tier": "gold"},
+		StartTime:        &start,
+		EndTime:          &end,
+		UseInsertionDate: true,
+		GroupBy:          1,
+		Sort:             "account:asc",
+	})
+
+	if request.Ledger != "default" || *request.PageSize != 10 || *request.Cursor != "cursor" {
+		t.Fatalf("unexpected request: %#v", request)
+	}
+	if request.StartTime == nil || !request.StartTime.Equal(start) || request.EndTime == nil || !request.EndTime.Equal(end) {
+		t.Fatalf("unexpected times: %#v", request)
+	}
+	if request.InsertionDate == nil || !*request.InsertionDate || request.GroupBy == nil || *request.GroupBy != 1 {
+		t.Fatalf("unexpected grouping fields: %#v", request)
+	}
+	andParts, ok := request.Query["$and"].([]map[string]any)
+	if !ok || len(andParts) != 2 {
+		t.Fatalf("unexpected query: %#v", request.Query)
+	}
+}
+
+func TestFromV2ListVolumesMapsCursor(t *testing.T) {
+	output := fromV2ListVolumes(shared.V2VolumesWithBalanceCursorResponseCursor{
+		Data: []shared.V2VolumesWithBalance{
+			{
+				Account: "users:123",
+				Asset:   "USD/2",
+				Input:   big.NewInt(100),
+				Output:  big.NewInt(40),
+				Balance: big.NewInt(60),
+			},
+		},
+		PageSize: 10,
+	})
+
+	if len(output.Volumes) != 1 {
+		t.Fatalf("expected one volume, got %#v", output.Volumes)
+	}
+	if output.Volumes[0].Account != "users:123" || output.Volumes[0].Balance != "60" {
+		t.Fatalf("unexpected volume: %#v", output.Volumes[0])
+	}
+}
diff --git a/v4/internal/commands/ledger/read_info.go b/v4/internal/commands/ledger/read_info.go
new file mode 100644
index 00000000..43263329
--- /dev/null
+++ b/v4/internal/commands/ledger/read_info.go
@@ -0,0 +1,79 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const FeatureGetInfo capabilities.Feature = "getInfo"
+
+type ReadInfoOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Server     string                  `json:"server" yaml:"server"`
+	Version    string                  `json:"version" yaml:"version"`
+}
+
+type ReadInfoHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context) (ReadInfoOutput, error)
+}
+
+type ReadInfoService struct {
+	Handlers []ReadInfoHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ReadInfoService) Run(ctx context.Context) (ReadInfoOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ReadInfoHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ReadInfoOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ReadInfoOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx)
+	if err != nil {
+		return ReadInfoOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKReadInfoHandlers(sdk *formance.Formance) []ReadInfoHandler {
+	return []ReadInfoHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context) (ReadInfoOutput, error) {
+				response, err := sdk.Ledger.V1.GetInfo(ctx)
+				if err != nil {
+					return ReadInfoOutput{}, err
+				}
+				if response.ConfigInfoResponse == nil {
+					return ReadInfoOutput{}, fmt.Errorf("ledger v1 info returned no data")
+				}
+				return fromV1Info(response.ConfigInfoResponse.Data), nil
+			},
+		},
+	}
+}
+
+func fromV1Info(info shared.ConfigInfo) ReadInfoOutput {
+	return ReadInfoOutput{
+		Server:  info.Server,
+		Version: info.Version,
+	}
+}
diff --git a/v4/internal/commands/ledger/read_info_test.go b/v4/internal/commands/ledger/read_info_test.go
new file mode 100644
index 00000000..9e44cd33
--- /dev/null
+++ b/v4/internal/commands/ledger/read_info_test.go
@@ -0,0 +1,41 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+)
+
+func TestReadInfoServiceSelectsResolvedHandler(t *testing.T) {
+	service := ReadInfoService{
+		Handlers: []ReadInfoHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context) (ReadInfoOutput, error) {
+					return ReadInfoOutput{Server: "ledger", Version: "1.0.0"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background())
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.Server != "ledger" || output.Version != "1.0.0" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestFromV1Info(t *testing.T) {
+	output := fromV1Info(shared.ConfigInfo{Server: "ledger", Version: "1.2.3"})
+	if output.Server != "ledger" || output.Version != "1.2.3" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
diff --git a/v4/internal/commands/ledger/read_stats.go b/v4/internal/commands/ledger/read_stats.go
new file mode 100644
index 00000000..7ad17522
--- /dev/null
+++ b/v4/internal/commands/ledger/read_stats.go
@@ -0,0 +1,108 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const FeatureReadStats capabilities.Feature = "readStats"
+
+type ReadStatsInput struct {
+	Ledger string
+}
+
+type ReadStatsOutput struct {
+	APIVersion   capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Accounts     int64                   `json:"accounts" yaml:"accounts"`
+	Transactions string                  `json:"transactions" yaml:"transactions"`
+}
+
+type ReadStatsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ReadStatsInput) (ReadStatsOutput, error)
+}
+
+type ReadStatsService struct {
+	Handlers []ReadStatsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ReadStatsService) Run(ctx context.Context, input ReadStatsInput) (ReadStatsOutput, error) {
+	if input.Ledger == "" {
+		return ReadStatsOutput{}, fmt.Errorf("ledger is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ReadStatsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ReadStatsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ReadStatsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ReadStatsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKReadStatsHandlers(sdk *formance.Formance) []ReadStatsHandler {
+	return []ReadStatsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ReadStatsInput) (ReadStatsOutput, error) {
+				response, err := sdk.Ledger.V1.ReadStats(ctx, operations.ReadStatsRequest{Ledger: input.Ledger})
+				if err != nil {
+					return ReadStatsOutput{}, err
+				}
+				if response.StatsResponse == nil {
+					return ReadStatsOutput{}, fmt.Errorf("ledger v1 read stats returned no data")
+				}
+				return fromV1Stats(response.StatsResponse.Data), nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ReadStatsInput) (ReadStatsOutput, error) {
+				response, err := sdk.Ledger.V2.ReadStats(ctx, operations.V2ReadStatsRequest{Ledger: input.Ledger})
+				if err != nil {
+					return ReadStatsOutput{}, err
+				}
+				if response.V2StatsResponse == nil {
+					return ReadStatsOutput{}, fmt.Errorf("ledger v2 read stats returned no data")
+				}
+				return fromV2Stats(response.V2StatsResponse.Data), nil
+			},
+		},
+	}
+}
+
+func fromV1Stats(stats shared.Stats) ReadStatsOutput {
+	return ReadStatsOutput{
+		Accounts:     stats.Accounts,
+		Transactions: fmt.Sprintf("%d", stats.Transactions),
+	}
+}
+
+func fromV2Stats(stats shared.V2Stats) ReadStatsOutput {
+	return ReadStatsOutput{
+		Accounts:     stats.Accounts,
+		Transactions: bigIntString(stats.Transactions),
+	}
+}
diff --git a/v4/internal/commands/ledger/read_stats_test.go b/v4/internal/commands/ledger/read_stats_test.go
new file mode 100644
index 00000000..c6cdf33f
--- /dev/null
+++ b/v4/internal/commands/ledger/read_stats_test.go
@@ -0,0 +1,81 @@
+package ledger
+
+import (
+	"context"
+	"errors"
+	"math/big"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+)
+
+func TestReadStatsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ReadStatsService{
+		Handlers: []ReadStatsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ReadStatsInput) (ReadStatsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ReadStatsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ReadStatsInput) (ReadStatsOutput, error) {
+					if input.Ledger != "default" {
+						t.Fatalf("unexpected ledger %q", input.Ledger)
+					}
+					return ReadStatsOutput{Accounts: 2, Transactions: "42"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ReadStatsInput{Ledger: "default"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.Accounts != 2 || output.Transactions != "42" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestReadStatsServiceReturnsResolverError(t *testing.T) {
+	expected := errors.New("unsupported")
+	service := ReadStatsService{
+		Handlers: []ReadStatsHandler{{APIVersion: "v1", Run: nil}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			return "", expected
+		},
+	}
+
+	_, err := service.Run(context.Background(), ReadStatsInput{Ledger: "default"})
+	if !errors.Is(err, expected) {
+		t.Fatalf("expected resolver error, got %v", err)
+	}
+}
+
+func TestReadStatsServiceRequiresLedger(t *testing.T) {
+	service := ReadStatsService{}
+	_, err := service.Run(context.Background(), ReadStatsInput{})
+	if err == nil || err.Error() != "ledger is required" {
+		t.Fatalf("expected ledger required error, got %v", err)
+	}
+}
+
+func TestStatsMapping(t *testing.T) {
+	v1 := fromV1Stats(shared.Stats{Accounts: 2, Transactions: 42})
+	if v1.Accounts != 2 || v1.Transactions != "42" {
+		t.Fatalf("unexpected v1 stats: %#v", v1)
+	}
+
+	v2 := fromV2Stats(shared.V2Stats{Accounts: 3, Transactions: big.NewInt(420000000000)})
+	if v2.Accounts != 3 || v2.Transactions != "420000000000" {
+		t.Fatalf("unexpected v2 stats: %#v", v2)
+	}
+}
diff --git a/v4/internal/commands/ledger/run_script.go b/v4/internal/commands/ledger/run_script.go
new file mode 100644
index 00000000..e19f83f1
--- /dev/null
+++ b/v4/internal/commands/ledger/run_script.go
@@ -0,0 +1,188 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type RunScriptInput struct {
+	Ledger      string
+	Script      string
+	AccountVars map[string]string
+	AmountVars  map[string]string
+	PortionVars map[string]string
+	Metadata    map[string]string
+	Reference   string
+	Timestamp   *time.Time
+}
+
+type RunScriptOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Transaction TransactionSummary      `json:"transaction" yaml:"transaction"`
+}
+
+type RunScriptHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, RunScriptInput) (RunScriptOutput, error)
+}
+
+type RunScriptService struct {
+	Handlers []RunScriptHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s RunScriptService) Run(ctx context.Context, input RunScriptInput) (RunScriptOutput, error) {
+	if input.Ledger == "" {
+		return RunScriptOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Script == "" {
+		return RunScriptOutput{}, fmt.Errorf("script is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]RunScriptHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return RunScriptOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return RunScriptOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return RunScriptOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKRunScriptHandlers(sdk *formance.Formance) []RunScriptHandler {
+	return []RunScriptHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input RunScriptInput) (RunScriptOutput, error) {
+				vars, err := toV1ScriptVars(input)
+				if err != nil {
+					return RunScriptOutput{}, err
+				}
+				response, err := sdk.Ledger.V1.CreateTransaction(ctx, operations.CreateTransactionRequest{
+					Ledger: input.Ledger,
+					PostTransaction: shared.PostTransaction{
+						Metadata:  stringMapToAny(input.Metadata),
+						Reference: optionalString(input.Reference),
+						Script: &shared.PostTransactionScript{
+							Plain: input.Script,
+							Vars:  vars,
+						},
+						Timestamp: input.Timestamp,
+					},
+				})
+				if err != nil {
+					return RunScriptOutput{}, err
+				}
+				if response.TransactionsResponse == nil || len(response.TransactionsResponse.Data) == 0 {
+					return RunScriptOutput{}, fmt.Errorf("ledger v1 run script returned no data")
+				}
+				return RunScriptOutput{Transaction: fromV1Transaction(response.TransactionsResponse.Data[0])}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input RunScriptInput) (RunScriptOutput, error) {
+				vars := toV2ScriptVars(input)
+				response, err := sdk.Ledger.V2.CreateTransaction(ctx, operations.V2CreateTransactionRequest{
+					Ledger: input.Ledger,
+					V2PostTransaction: shared.V2PostTransaction{
+						Metadata:  input.Metadata,
+						Reference: optionalString(input.Reference),
+						Script: &shared.V2PostTransactionScript{
+							Plain: &input.Script,
+							Vars:  vars,
+						},
+						Timestamp: input.Timestamp,
+					},
+				})
+				if err != nil {
+					return RunScriptOutput{}, err
+				}
+				if response.V2CreateTransactionResponse == nil {
+					return RunScriptOutput{}, fmt.Errorf("ledger v2 run script returned no data")
+				}
+				return RunScriptOutput{Transaction: fromV2Transaction(response.V2CreateTransactionResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func toV1ScriptVars(input RunScriptInput) (map[string]any, error) {
+	vars := map[string]any{}
+	for key, value := range input.AccountVars {
+		vars[key] = value
+	}
+	for key, value := range input.PortionVars {
+		vars[key] = value
+	}
+	for key, value := range input.AmountVars {
+		amount, asset, err := splitAmountAsset(value)
+		if err != nil {
+			return nil, fmt.Errorf("amount var %s: %w", key, err)
+		}
+		vars[key] = map[string]any{"amount": amount, "asset": asset}
+	}
+	if len(vars) == 0 {
+		return nil, nil
+	}
+	return vars, nil
+}
+
+func toV2ScriptVars(input RunScriptInput) map[string]string {
+	vars := map[string]string{}
+	for key, value := range input.AccountVars {
+		vars[key] = value
+	}
+	for key, value := range input.PortionVars {
+		vars[key] = value
+	}
+	for key, value := range input.AmountVars {
+		vars[key] = value
+	}
+	if len(vars) == 0 {
+		return nil
+	}
+	return vars
+}
+
+func splitAmountAsset(value string) (any, string, error) {
+	amount, asset, ok := stringsCut(value, "/")
+	if !ok || amount == "" || asset == "" {
+		return nil, "", fmt.Errorf("must use amount/asset format")
+	}
+	parsed, err := parseAmount(amount)
+	if err != nil {
+		return nil, "", err
+	}
+	return parsed, asset, nil
+}
+
+func stringsCut(value string, sep string) (string, string, bool) {
+	for i := 0; i+len(sep) <= len(value); i++ {
+		if value[i:i+len(sep)] == sep {
+			return value[:i], value[i+len(sep):], true
+		}
+	}
+	return value, "", false
+}
diff --git a/v4/internal/commands/ledger/schemas.go b/v4/internal/commands/ledger/schemas.go
new file mode 100644
index 00000000..ad1fb23e
--- /dev/null
+++ b/v4/internal/commands/ledger/schemas.go
@@ -0,0 +1,292 @@
+package ledger
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureGetSchema    capabilities.Feature = "getSchema"
+	FeatureInsertSchema capabilities.Feature = "insertSchema"
+	FeatureListSchemas  capabilities.Feature = "listSchemas"
+)
+
+type ListSchemasInput struct {
+	Ledger   string
+	PageSize int64
+	Cursor   string
+}
+
+type ListSchemasOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Schemas    []SchemaSummary         `json:"schemas" yaml:"schemas"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type SchemaSummary struct {
+	Version           string    `json:"version" yaml:"version"`
+	CreatedAt         time.Time `json:"createdAt" yaml:"createdAt"`
+	ChartSegments     int       `json:"chartSegments" yaml:"chartSegments"`
+	QueryTemplates    int       `json:"queryTemplates" yaml:"queryTemplates"`
+	TransactionModels int       `json:"transactionModels" yaml:"transactionModels"`
+}
+
+type GetSchemaInput struct {
+	Ledger  string
+	Version string
+}
+
+type GetSchemaOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Schema     shared.V2Schema         `json:"schema" yaml:"schema"`
+}
+
+type InsertSchemaInput struct {
+	Ledger         string
+	Version        string
+	Data           []byte
+	IdempotencyKey string
+}
+
+type InsertSchemaOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Ledger     string                  `json:"ledger" yaml:"ledger"`
+	Version    string                  `json:"version" yaml:"version"`
+	Inserted   bool                    `json:"inserted" yaml:"inserted"`
+}
+
+type ListSchemasHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListSchemasInput) (ListSchemasOutput, error)
+}
+
+type GetSchemaHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetSchemaInput) (GetSchemaOutput, error)
+}
+
+type InsertSchemaHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, InsertSchemaInput) (InsertSchemaOutput, error)
+}
+
+type ListSchemasService struct {
+	Handlers []ListSchemasHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetSchemaService struct {
+	Handlers []GetSchemaHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type InsertSchemaService struct {
+	Handlers []InsertSchemaHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListSchemasService) Run(ctx context.Context, input ListSchemasInput) (ListSchemasOutput, error) {
+	if input.Ledger == "" {
+		return ListSchemasOutput{}, fmt.Errorf("ledger is required")
+	}
+	return runListSchemas(ctx, s, input)
+}
+
+func (s GetSchemaService) Run(ctx context.Context, input GetSchemaInput) (GetSchemaOutput, error) {
+	if input.Ledger == "" {
+		return GetSchemaOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Version == "" {
+		return GetSchemaOutput{}, fmt.Errorf("schema version is required")
+	}
+	return runGetSchema(ctx, s, input)
+}
+
+func (s InsertSchemaService) Run(ctx context.Context, input InsertSchemaInput) (InsertSchemaOutput, error) {
+	if input.Ledger == "" {
+		return InsertSchemaOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.Version == "" {
+		return InsertSchemaOutput{}, fmt.Errorf("schema version is required")
+	}
+	if len(input.Data) == 0 {
+		return InsertSchemaOutput{}, fmt.Errorf("schema data is required")
+	}
+	return runInsertSchema(ctx, s, input)
+}
+
+func SDKListSchemasHandlers(sdk *formance.Formance) []ListSchemasHandler {
+	return []ListSchemasHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input ListSchemasInput) (ListSchemasOutput, error) {
+				request := operations.V2ListSchemasRequest{
+					Ledger:   input.Ledger,
+					PageSize: pointer(input.PageSize),
+				}
+				if input.Cursor != "" {
+					request.Cursor = pointer(input.Cursor)
+				}
+				response, err := sdk.Ledger.V2.ListSchemas(ctx, request)
+				if err != nil {
+					return ListSchemasOutput{}, err
+				}
+				if response.V2SchemasCursorResponse == nil {
+					return ListSchemasOutput{}, fmt.Errorf("ledger v2 list schemas returned no cursor")
+				}
+				return fromV2SchemasCursor(response.V2SchemasCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetSchemaHandlers(sdk *formance.Formance) []GetSchemaHandler {
+	return []GetSchemaHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input GetSchemaInput) (GetSchemaOutput, error) {
+				response, err := sdk.Ledger.V2.GetSchema(ctx, operations.V2GetSchemaRequest{
+					Ledger:  input.Ledger,
+					Version: input.Version,
+				})
+				if err != nil {
+					return GetSchemaOutput{}, err
+				}
+				if response.V2SchemaResponse == nil {
+					return GetSchemaOutput{}, fmt.Errorf("ledger v2 get schema returned no schema")
+				}
+				return GetSchemaOutput{Schema: response.V2SchemaResponse.Data}, nil
+			},
+		},
+	}
+}
+
+func SDKInsertSchemaHandlers(sdk *formance.Formance) []InsertSchemaHandler {
+	return []InsertSchemaHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input InsertSchemaInput) (InsertSchemaOutput, error) {
+				var data shared.V2SchemaData
+				if err := json.Unmarshal(input.Data, &data); err != nil {
+					return InsertSchemaOutput{}, err
+				}
+				request := operations.V2InsertSchemaRequest{
+					V2SchemaData: data,
+					Ledger:       input.Ledger,
+					Version:      input.Version,
+				}
+				if input.IdempotencyKey != "" {
+					request.IdempotencyKey = pointer(input.IdempotencyKey)
+				}
+				if _, err := sdk.Ledger.V2.InsertSchema(ctx, request); err != nil {
+					return InsertSchemaOutput{}, err
+				}
+				return InsertSchemaOutput{Ledger: input.Ledger, Version: input.Version, Inserted: true}, nil
+			},
+		},
+	}
+}
+
+func runListSchemas(ctx context.Context, service ListSchemasService, input ListSchemasInput) (ListSchemasOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(service.Handlers))
+	handlers := map[capabilities.APIVersion]ListSchemasHandler{}
+	for _, handler := range service.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := service.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListSchemasOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListSchemasOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListSchemasOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func runGetSchema(ctx context.Context, service GetSchemaService, input GetSchemaInput) (GetSchemaOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(service.Handlers))
+	handlers := map[capabilities.APIVersion]GetSchemaHandler{}
+	for _, handler := range service.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := service.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetSchemaOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetSchemaOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetSchemaOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func runInsertSchema(ctx context.Context, service InsertSchemaService, input InsertSchemaInput) (InsertSchemaOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(service.Handlers))
+	handlers := map[capabilities.APIVersion]InsertSchemaHandler{}
+	for _, handler := range service.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := service.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return InsertSchemaOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return InsertSchemaOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return InsertSchemaOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func fromV2SchemasCursor(cursor shared.V2SchemasCursor) ListSchemasOutput {
+	schemas := make([]SchemaSummary, 0, len(cursor.Data))
+	for _, schema := range cursor.Data {
+		schemas = append(schemas, fromV2SchemaSummary(schema))
+	}
+	return ListSchemasOutput{
+		Schemas:  schemas,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV2SchemaSummary(schema shared.V2Schema) SchemaSummary {
+	return SchemaSummary{
+		Version:           schema.Version,
+		CreatedAt:         schema.CreatedAt,
+		ChartSegments:     len(schema.Chart),
+		QueryTemplates:    len(schema.Queries),
+		TransactionModels: len(schema.Transactions),
+	}
+}
diff --git a/v4/internal/commands/ledger/schemas_test.go b/v4/internal/commands/ledger/schemas_test.go
new file mode 100644
index 00000000..8b2db2c0
--- /dev/null
+++ b/v4/internal/commands/ledger/schemas_test.go
@@ -0,0 +1,64 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListSchemasServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListSchemasService{
+		Handlers: []ListSchemasHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input ListSchemasInput) (ListSchemasOutput, error) {
+					if input.Ledger != "default" || input.PageSize != 15 {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListSchemasOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListSchemasInput{Ledger: "default", PageSize: 15})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || output.PageSize != 15 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestGetSchemaServiceRequiresVersion(t *testing.T) {
+	service := GetSchemaService{
+		Handlers: []GetSchemaHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetSchemaInput{Ledger: "default"}); err == nil {
+		t.Fatal("expected schema version validation error")
+	}
+}
+
+func TestInsertSchemaServiceRequiresData(t *testing.T) {
+	service := InsertSchemaService{
+		Handlers: []InsertSchemaHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), InsertSchemaInput{Ledger: "default", Version: "v1"}); err == nil {
+		t.Fatal("expected schema data validation error")
+	}
+}
diff --git a/v4/internal/commands/ledger/transaction_metadata.go b/v4/internal/commands/ledger/transaction_metadata.go
new file mode 100644
index 00000000..26b7bfec
--- /dev/null
+++ b/v4/internal/commands/ledger/transaction_metadata.go
@@ -0,0 +1,196 @@
+package ledger
+
+import (
+	"context"
+	"fmt"
+	"math/big"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type AddTransactionMetadataInput struct {
+	Ledger        string
+	TransactionID string
+	Metadata      map[string]string
+}
+
+type AddTransactionMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Updated    bool                    `json:"updated" yaml:"updated"`
+}
+
+type DeleteTransactionMetadataInput struct {
+	Ledger        string
+	TransactionID string
+	Key           string
+}
+
+type DeleteTransactionMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Deleted    bool                    `json:"deleted" yaml:"deleted"`
+}
+
+type AddTransactionMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, AddTransactionMetadataInput) (AddTransactionMetadataOutput, error)
+}
+
+type AddTransactionMetadataService struct {
+	Handlers []AddTransactionMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteTransactionMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeleteTransactionMetadataInput) (DeleteTransactionMetadataOutput, error)
+}
+
+type DeleteTransactionMetadataService struct {
+	Handlers []DeleteTransactionMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s AddTransactionMetadataService) Run(ctx context.Context, input AddTransactionMetadataInput) (AddTransactionMetadataOutput, error) {
+	if input.Ledger == "" {
+		return AddTransactionMetadataOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.TransactionID == "" {
+		return AddTransactionMetadataOutput{}, fmt.Errorf("transaction id is required")
+	}
+	if len(input.Metadata) == 0 {
+		return AddTransactionMetadataOutput{}, fmt.Errorf("metadata is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]AddTransactionMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return AddTransactionMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return AddTransactionMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return AddTransactionMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKAddTransactionMetadataHandlers(sdk *formance.Formance) []AddTransactionMetadataHandler {
+	return []AddTransactionMetadataHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input AddTransactionMetadataInput) (AddTransactionMetadataOutput, error) {
+				txid, err := parseTransactionID(input.TransactionID)
+				if err != nil {
+					return AddTransactionMetadataOutput{}, err
+				}
+				response, err := sdk.Ledger.V1.AddMetadataOnTransaction(ctx, operations.AddMetadataOnTransactionRequest{
+					Ledger:      input.Ledger,
+					Txid:        txid,
+					RequestBody: stringMapToAny(input.Metadata),
+				})
+				if err != nil {
+					return AddTransactionMetadataOutput{}, err
+				}
+				return AddTransactionMetadataOutput{Updated: response.StatusCode == 204}, nil
+			},
+		},
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input AddTransactionMetadataInput) (AddTransactionMetadataOutput, error) {
+				txid, err := parseTransactionID(input.TransactionID)
+				if err != nil {
+					return AddTransactionMetadataOutput{}, err
+				}
+				response, err := sdk.Ledger.V2.AddMetadataOnTransaction(ctx, operations.V2AddMetadataOnTransactionRequest{
+					Ledger:      input.Ledger,
+					ID:          txid,
+					RequestBody: input.Metadata,
+				})
+				if err != nil {
+					return AddTransactionMetadataOutput{}, err
+				}
+				return AddTransactionMetadataOutput{Updated: response.StatusCode == 204}, nil
+			},
+		},
+	}
+}
+
+func (s DeleteTransactionMetadataService) Run(ctx context.Context, input DeleteTransactionMetadataInput) (DeleteTransactionMetadataOutput, error) {
+	if input.Ledger == "" {
+		return DeleteTransactionMetadataOutput{}, fmt.Errorf("ledger is required")
+	}
+	if input.TransactionID == "" {
+		return DeleteTransactionMetadataOutput{}, fmt.Errorf("transaction id is required")
+	}
+	if input.Key == "" {
+		return DeleteTransactionMetadataOutput{}, fmt.Errorf("metadata key is required")
+	}
+
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]DeleteTransactionMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return DeleteTransactionMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return DeleteTransactionMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteTransactionMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKDeleteTransactionMetadataHandlers(sdk *formance.Formance) []DeleteTransactionMetadataHandler {
+	return []DeleteTransactionMetadataHandler{
+		{
+			APIVersion: "v2",
+			Run: func(ctx context.Context, input DeleteTransactionMetadataInput) (DeleteTransactionMetadataOutput, error) {
+				txid, err := parseTransactionID(input.TransactionID)
+				if err != nil {
+					return DeleteTransactionMetadataOutput{}, err
+				}
+				response, err := sdk.Ledger.V2.DeleteTransactionMetadata(ctx, operations.V2DeleteTransactionMetadataRequest{
+					Ledger: input.Ledger,
+					ID:     txid,
+					Key:    input.Key,
+				})
+				if err != nil {
+					return DeleteTransactionMetadataOutput{}, err
+				}
+				return DeleteTransactionMetadataOutput{Deleted: response.StatusCode == 204}, nil
+			},
+		},
+	}
+}
+
+func parseTransactionID(value string) (*big.Int, error) {
+	txid, ok := new(big.Int).SetString(value, 10)
+	if !ok {
+		return nil, fmt.Errorf("transaction id must be an integer")
+	}
+	return txid, nil
+}
diff --git a/v4/internal/commands/ledger/transaction_metadata_test.go b/v4/internal/commands/ledger/transaction_metadata_test.go
new file mode 100644
index 00000000..a9273f9c
--- /dev/null
+++ b/v4/internal/commands/ledger/transaction_metadata_test.go
@@ -0,0 +1,113 @@
+package ledger
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestAddTransactionMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := AddTransactionMetadataService{
+		Handlers: []AddTransactionMetadataHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, AddTransactionMetadataInput) (AddTransactionMetadataOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return AddTransactionMetadataOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input AddTransactionMetadataInput) (AddTransactionMetadataOutput, error) {
+					if input.Ledger != "default" || input.TransactionID != "42" || input.Metadata["foo"] != "bar" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return AddTransactionMetadataOutput{Updated: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), AddTransactionMetadataInput{
+		Ledger:        "default",
+		TransactionID: "42",
+		Metadata:      map[string]string{"foo": "bar"},
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || !output.Updated {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestAddTransactionMetadataServiceRequiresInput(t *testing.T) {
+	service := AddTransactionMetadataService{
+		Handlers: []AddTransactionMetadataHandler{{APIVersion: "v2"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), AddTransactionMetadataInput{TransactionID: "42", Metadata: map[string]string{"foo": "bar"}}); err == nil {
+		t.Fatal("expected ledger validation error")
+	}
+	if _, err := service.Run(context.Background(), AddTransactionMetadataInput{Ledger: "default", Metadata: map[string]string{"foo": "bar"}}); err == nil {
+		t.Fatal("expected transaction id validation error")
+	}
+	if _, err := service.Run(context.Background(), AddTransactionMetadataInput{Ledger: "default", TransactionID: "42"}); err == nil {
+		t.Fatal("expected metadata validation error")
+	}
+}
+
+func TestDeleteTransactionMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := DeleteTransactionMetadataService{
+		Handlers: []DeleteTransactionMetadataHandler{
+			{
+				APIVersion: "v2",
+				Run: func(_ context.Context, input DeleteTransactionMetadataInput) (DeleteTransactionMetadataOutput, error) {
+					if input.Ledger != "default" || input.TransactionID != "42" || input.Key != "foo" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return DeleteTransactionMetadataOutput{Deleted: true}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v2"})
+			return "v2", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), DeleteTransactionMetadataInput{
+		Ledger:        "default",
+		TransactionID: "42",
+		Key:           "foo",
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v2" || !output.Deleted {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestParseTransactionID(t *testing.T) {
+	txid, err := parseTransactionID("42")
+	if err != nil {
+		t.Fatalf("parse transaction id: %v", err)
+	}
+	if txid.String() != "42" {
+		t.Fatalf("expected transaction id 42, got %s", txid)
+	}
+
+	if _, err := parseTransactionID("not-an-int"); err == nil {
+		t.Fatal("expected invalid transaction id error")
+	}
+}
diff --git a/v4/internal/commands/payments/accounts.go b/v4/internal/commands/payments/accounts.go
new file mode 100644
index 00000000..4b79d517
--- /dev/null
+++ b/v4/internal/commands/payments/accounts.go
@@ -0,0 +1,561 @@
+package payments
+
+import (
+	"context"
+	"fmt"
+	"math/big"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductPayments           capabilities.Product = "payments"
+	FeatureCreateAccount      capabilities.Feature = "createAccount"
+	FeatureGetAccount         capabilities.Feature = "getAccount"
+	FeatureGetAccountBalances capabilities.Feature = "getAccountBalances"
+	FeatureListAccounts       capabilities.Feature = "listAccounts"
+)
+
+type CreateAccountInput struct {
+	AccountName  string
+	ConnectorID  string
+	CreatedAt    time.Time
+	DefaultAsset string
+	Metadata     map[string]string
+	Reference    string
+	Type         string
+}
+
+type CreateAccountOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	AccountID  string                  `json:"accountID" yaml:"accountID"`
+}
+
+type ListAccountsInput struct {
+	PageSize int64
+	Cursor   string
+}
+
+type AccountSummary struct {
+	ID              string            `json:"id" yaml:"id"`
+	Reference       string            `json:"reference" yaml:"reference"`
+	Name            string            `json:"name" yaml:"name"`
+	CreatedAt       time.Time         `json:"createdAt" yaml:"createdAt"`
+	ConnectorID     string            `json:"connectorID" yaml:"connectorID"`
+	DefaultAsset    string            `json:"defaultAsset,omitempty" yaml:"defaultAsset,omitempty"`
+	DefaultCurrency string            `json:"defaultCurrency,omitempty" yaml:"defaultCurrency,omitempty"`
+	Provider        string            `json:"provider,omitempty" yaml:"provider,omitempty"`
+	Type            string            `json:"type" yaml:"type"`
+	Metadata        map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type ListAccountsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Accounts   []AccountSummary        `json:"accounts" yaml:"accounts"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetAccountInput struct {
+	AccountID string
+}
+
+type GetAccountOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Account    AccountSummary          `json:"account" yaml:"account"`
+}
+
+type ListAccountBalancesInput struct {
+	AccountID string
+	PageSize  int64
+	Cursor    string
+	Asset     string
+}
+
+type AccountBalance struct {
+	AccountID     string    `json:"accountID" yaml:"accountID"`
+	Asset         string    `json:"asset" yaml:"asset"`
+	Balance       string    `json:"balance" yaml:"balance"`
+	CreatedAt     time.Time `json:"createdAt" yaml:"createdAt"`
+	LastUpdatedAt time.Time `json:"lastUpdatedAt" yaml:"lastUpdatedAt"`
+}
+
+type ListAccountBalancesOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Balances   []AccountBalance        `json:"balances" yaml:"balances"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type ListAccountsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListAccountsInput) (ListAccountsOutput, error)
+}
+
+type CreateAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateAccountInput) (CreateAccountOutput, error)
+}
+
+type GetAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetAccountInput) (GetAccountOutput, error)
+}
+
+type ListAccountBalancesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListAccountBalancesInput) (ListAccountBalancesOutput, error)
+}
+
+type ListAccountsService struct {
+	Handlers []ListAccountsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateAccountService struct {
+	Handlers []CreateAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetAccountService struct {
+	Handlers []GetAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListAccountBalancesService struct {
+	Handlers []ListAccountBalancesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListAccountsService) Run(ctx context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListAccountsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListAccountsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListAccountsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListAccountsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateAccountService) Run(ctx context.Context, input CreateAccountInput) (CreateAccountOutput, error) {
+	if input.ConnectorID == "" {
+		return CreateAccountOutput{}, fmt.Errorf("connector id is required")
+	}
+	if input.Type != "INTERNAL" && input.Type != "EXTERNAL" && input.Type != "UNKNOWN" {
+		return CreateAccountOutput{}, fmt.Errorf("unsupported account type %q: expected INTERNAL, EXTERNAL, or UNKNOWN", input.Type)
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateAccountHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetAccountService) Run(ctx context.Context, input GetAccountInput) (GetAccountOutput, error) {
+	if input.AccountID == "" {
+		return GetAccountOutput{}, fmt.Errorf("account id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetAccountHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ListAccountBalancesService) Run(ctx context.Context, input ListAccountBalancesInput) (ListAccountBalancesOutput, error) {
+	if input.AccountID == "" {
+		return ListAccountBalancesOutput{}, fmt.Errorf("account id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListAccountBalancesHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListAccountBalancesOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListAccountBalancesOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListAccountBalancesOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKCreateAccountHandlers(sdk *formance.Formance) []CreateAccountHandler {
+	return []CreateAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateAccountInput) (CreateAccountOutput, error) {
+				response, err := sdk.Payments.V1.CreateAccount(ctx, shared.AccountRequest{
+					AccountName:  optionalString(input.AccountName),
+					ConnectorID:  input.ConnectorID,
+					CreatedAt:    input.CreatedAt,
+					DefaultAsset: optionalString(input.DefaultAsset),
+					Metadata:     input.Metadata,
+					Reference:    input.Reference,
+					Type:         shared.AccountType(input.Type),
+				})
+				if err != nil {
+					return CreateAccountOutput{}, err
+				}
+				if response.PaymentsAccountResponse == nil {
+					return CreateAccountOutput{}, fmt.Errorf("payments v1 create account returned no data")
+				}
+				return CreateAccountOutput{AccountID: response.PaymentsAccountResponse.Data.ID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input CreateAccountInput) (CreateAccountOutput, error) {
+				response, err := sdk.Payments.V3.CreateAccount(ctx, &shared.V3CreateAccountRequest{
+					AccountName:  input.AccountName,
+					ConnectorID:  input.ConnectorID,
+					CreatedAt:    input.CreatedAt,
+					DefaultAsset: optionalString(input.DefaultAsset),
+					Metadata:     input.Metadata,
+					Reference:    input.Reference,
+					Type:         shared.V3AccountTypeEnum(input.Type),
+				})
+				if err != nil {
+					return CreateAccountOutput{}, err
+				}
+				if response.V3CreateAccountResponse == nil {
+					return CreateAccountOutput{}, fmt.Errorf("payments v3 create account returned no data")
+				}
+				return CreateAccountOutput{AccountID: response.V3CreateAccountResponse.Data.ID}, nil
+			},
+		},
+	}
+}
+
+func SDKListAccountsHandlers(sdk *formance.Formance) []ListAccountsHandler {
+	return []ListAccountsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+				response, err := sdk.Payments.V1.PaymentslistAccounts(ctx, toV1ListAccountsRequest(input))
+				if err != nil {
+					return ListAccountsOutput{}, err
+				}
+				if response.AccountsCursor == nil {
+					return ListAccountsOutput{}, fmt.Errorf("payments v1 list accounts returned no cursor")
+				}
+				return fromV1AccountsCursor(response.AccountsCursor.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+				response, err := sdk.Payments.V3.ListAccounts(ctx, toV3ListAccountsRequest(input))
+				if err != nil {
+					return ListAccountsOutput{}, err
+				}
+				if response.V3AccountsCursorResponse == nil {
+					return ListAccountsOutput{}, fmt.Errorf("payments v3 list accounts returned no cursor")
+				}
+				return fromV3AccountsCursor(response.V3AccountsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetAccountHandlers(sdk *formance.Formance) []GetAccountHandler {
+	return []GetAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetAccountInput) (GetAccountOutput, error) {
+				response, err := sdk.Payments.V1.PaymentsgetAccount(ctx, operations.PaymentsgetAccountRequest{
+					AccountID: input.AccountID,
+				})
+				if err != nil {
+					return GetAccountOutput{}, err
+				}
+				if response.PaymentsAccountResponse == nil {
+					return GetAccountOutput{}, fmt.Errorf("payments v1 get account returned no data")
+				}
+				return GetAccountOutput{Account: fromV1Account(response.PaymentsAccountResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetAccountInput) (GetAccountOutput, error) {
+				response, err := sdk.Payments.V3.GetAccount(ctx, operations.V3GetAccountRequest{
+					AccountID: input.AccountID,
+				})
+				if err != nil {
+					return GetAccountOutput{}, err
+				}
+				if response.V3GetAccountResponse == nil {
+					return GetAccountOutput{}, fmt.Errorf("payments v3 get account returned no data")
+				}
+				return GetAccountOutput{Account: fromV3Account(response.V3GetAccountResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKListAccountBalancesHandlers(sdk *formance.Formance) []ListAccountBalancesHandler {
+	return []ListAccountBalancesHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListAccountBalancesInput) (ListAccountBalancesOutput, error) {
+				response, err := sdk.Payments.V1.GetAccountBalances(ctx, toV1ListAccountBalancesRequest(input))
+				if err != nil {
+					return ListAccountBalancesOutput{}, err
+				}
+				if response.BalancesCursor == nil {
+					return ListAccountBalancesOutput{}, fmt.Errorf("payments v1 account balances returned no cursor")
+				}
+				return fromV1BalancesCursor(response.BalancesCursor.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListAccountBalancesInput) (ListAccountBalancesOutput, error) {
+				response, err := sdk.Payments.V3.GetAccountBalances(ctx, toV3ListAccountBalancesRequest(input))
+				if err != nil {
+					return ListAccountBalancesOutput{}, err
+				}
+				if response.V3BalancesCursorResponse == nil {
+					return ListAccountBalancesOutput{}, fmt.Errorf("payments v3 account balances returned no cursor")
+				}
+				return fromV3BalancesCursor(response.V3BalancesCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func toV1ListAccountsRequest(input ListAccountsInput) operations.PaymentslistAccountsRequest {
+	request := operations.PaymentslistAccountsRequest{
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	return request
+}
+
+func toV3ListAccountsRequest(input ListAccountsInput) operations.V3ListAccountsRequest {
+	request := operations.V3ListAccountsRequest{
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	return request
+}
+
+func toV1ListAccountBalancesRequest(input ListAccountBalancesInput) operations.GetAccountBalancesRequest {
+	request := operations.GetAccountBalancesRequest{
+		AccountID: input.AccountID,
+		PageSize:  pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	if input.Asset != "" {
+		request.Asset = pointer(input.Asset)
+	}
+	return request
+}
+
+func toV3ListAccountBalancesRequest(input ListAccountBalancesInput) operations.V3GetAccountBalancesRequest {
+	request := operations.V3GetAccountBalancesRequest{
+		AccountID: input.AccountID,
+		PageSize:  pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	if input.Asset != "" {
+		request.Asset = pointer(input.Asset)
+	}
+	return request
+}
+
+func fromV1AccountsCursor(cursor shared.Cursor) ListAccountsOutput {
+	accounts := make([]AccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, fromV1Account(account))
+	}
+	return ListAccountsOutput{
+		Accounts: accounts,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV3AccountsCursor(cursor shared.V3AccountsCursorResponseCursor) ListAccountsOutput {
+	accounts := make([]AccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, fromV3Account(account))
+	}
+	return ListAccountsOutput{
+		Accounts: accounts,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV1BalancesCursor(cursor shared.BalancesCursorCursor) ListAccountBalancesOutput {
+	balances := make([]AccountBalance, 0, len(cursor.Data))
+	for _, balance := range cursor.Data {
+		balances = append(balances, fromV1Balance(balance))
+	}
+	return ListAccountBalancesOutput{
+		Balances: balances,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV3BalancesCursor(cursor shared.V3BalancesCursorResponseCursor) ListAccountBalancesOutput {
+	balances := make([]AccountBalance, 0, len(cursor.Data))
+	for _, balance := range cursor.Data {
+		balances = append(balances, fromV3Balance(balance))
+	}
+	return ListAccountBalancesOutput{
+		Balances: balances,
+		HasMore:  cursor.HasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromV1Account(account shared.PaymentsAccount) AccountSummary {
+	provider := ""
+	if account.Provider != nil {
+		provider = *account.Provider
+	}
+	return AccountSummary{
+		ID:              account.ID,
+		Reference:       account.Reference,
+		Name:            account.AccountName,
+		CreatedAt:       account.CreatedAt,
+		ConnectorID:     account.ConnectorID,
+		DefaultAsset:    account.DefaultAsset,
+		DefaultCurrency: account.DefaultCurrency,
+		Provider:        provider,
+		Type:            string(account.Type),
+		Metadata:        account.Metadata,
+	}
+}
+
+func fromV3Account(account shared.V3Account) AccountSummary {
+	name := ""
+	if account.Name != nil {
+		name = *account.Name
+	}
+	defaultAsset := ""
+	if account.DefaultAsset != nil {
+		defaultAsset = *account.DefaultAsset
+	}
+	return AccountSummary{
+		ID:           account.ID,
+		Reference:    account.Reference,
+		Name:         name,
+		CreatedAt:    account.CreatedAt,
+		ConnectorID:  account.ConnectorID,
+		DefaultAsset: defaultAsset,
+		Provider:     account.Provider,
+		Type:         string(account.Type),
+		Metadata:     account.Metadata,
+	}
+}
+
+func fromV1Balance(balance shared.AccountBalance) AccountBalance {
+	return AccountBalance{
+		AccountID:     balance.AccountID,
+		Asset:         balance.Asset,
+		Balance:       bigIntString(balance.Balance),
+		CreatedAt:     balance.CreatedAt,
+		LastUpdatedAt: balance.LastUpdatedAt,
+	}
+}
+
+func fromV3Balance(balance shared.V3Balance) AccountBalance {
+	return AccountBalance{
+		AccountID:     balance.AccountID,
+		Asset:         balance.Asset,
+		Balance:       bigIntString(balance.Balance),
+		CreatedAt:     balance.CreatedAt,
+		LastUpdatedAt: balance.LastUpdatedAt,
+	}
+}
+
+func bigIntString(value *big.Int) string {
+	if value == nil {
+		return "0"
+	}
+	return value.String()
+}
+
+func pointer[T any](value T) *T {
+	return &value
+}
diff --git a/v4/internal/commands/payments/accounts_test.go b/v4/internal/commands/payments/accounts_test.go
new file mode 100644
index 00000000..3484ea91
--- /dev/null
+++ b/v4/internal/commands/payments/accounts_test.go
@@ -0,0 +1,159 @@
+package payments
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListAccountsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListAccountsService{
+		Handlers: []ListAccountsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListAccountsInput) (ListAccountsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListAccountsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListAccountsInput) (ListAccountsOutput, error) {
+					if input.PageSize != 10 || input.Cursor != "cursor" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListAccountsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListAccountsInput{PageSize: 10, Cursor: "cursor"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateAccountServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreateAccountService{
+		Handlers: []CreateAccountHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, CreateAccountInput) (CreateAccountOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return CreateAccountOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input CreateAccountInput) (CreateAccountOutput, error) {
+					if input.ConnectorID != "conn_1" || input.Type != "INTERNAL" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreateAccountOutput{AccountID: "acc_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreateAccountInput{
+		AccountName: "Main",
+		ConnectorID: "conn_1",
+		CreatedAt:   time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
+		Type:        "INTERNAL",
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.AccountID != "acc_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateAccountServiceRequiresConnectorID(t *testing.T) {
+	service := CreateAccountService{
+		Handlers: []CreateAccountHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateAccountInput{Type: "INTERNAL"}); err == nil {
+		t.Fatal("expected connector id validation error")
+	}
+}
+
+func TestGetAccountServiceRequiresAccountID(t *testing.T) {
+	service := GetAccountService{
+		Handlers: []GetAccountHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetAccountInput{}); err == nil {
+		t.Fatal("expected account id validation error")
+	}
+}
+
+func TestListAccountBalancesServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListAccountBalancesService{
+		Handlers: []ListAccountBalancesHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListAccountBalancesInput) (ListAccountBalancesOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListAccountBalancesOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListAccountBalancesInput) (ListAccountBalancesOutput, error) {
+					if input.AccountID != "acc_1" || input.Asset != "USD/2" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListAccountBalancesOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListAccountBalancesInput{AccountID: "acc_1", Asset: "USD/2", PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func assertAPIVersions(t *testing.T, got []capabilities.APIVersion, want []capabilities.APIVersion) {
+	t.Helper()
+	if len(got) != len(want) {
+		t.Fatalf("expected versions %v, got %v", want, got)
+	}
+	for i := range want {
+		if got[i] != want[i] {
+			t.Fatalf("expected versions %v, got %v", want, got)
+		}
+	}
+}
diff --git a/v4/internal/commands/payments/bank_accounts.go b/v4/internal/commands/payments/bank_accounts.go
new file mode 100644
index 00000000..ee815c7e
--- /dev/null
+++ b/v4/internal/commands/payments/bank_accounts.go
@@ -0,0 +1,531 @@
+package payments
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureCreateBankAccount      capabilities.Feature = "createBankAccount"
+	FeatureForwardBankAccount     capabilities.Feature = "forwardBankAccount"
+	FeatureGetBankAccount         capabilities.Feature = "getBankAccount"
+	FeatureListBankAccounts       capabilities.Feature = "listBankAccounts"
+	FeatureSetBankAccountMetadata capabilities.Feature = "updateBankAccountMetadata"
+)
+
+type CreateBankAccountInput struct {
+	AccountNumber string
+	ConnectorID   string
+	Country       string
+	Iban          string
+	Metadata      map[string]string
+	Name          string
+	SwiftBicCode  string
+}
+
+type CreateBankAccountOutput struct {
+	APIVersion    capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	BankAccountID string                  `json:"bankAccountID" yaml:"bankAccountID"`
+}
+
+type ForwardBankAccountInput struct {
+	BankAccountID string
+	ConnectorID   string
+}
+
+type ForwardBankAccountOutput struct {
+	APIVersion    capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	BankAccountID string                  `json:"bankAccountID" yaml:"bankAccountID"`
+	ConnectorID   string                  `json:"connectorID" yaml:"connectorID"`
+	TaskID        string                  `json:"taskID,omitempty" yaml:"taskID,omitempty"`
+}
+
+type SetBankAccountMetadataInput struct {
+	BankAccountID string
+	Metadata      map[string]string
+}
+
+type SetBankAccountMetadataOutput struct {
+	APIVersion    capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	BankAccountID string                  `json:"bankAccountID" yaml:"bankAccountID"`
+}
+
+type BankAccountSummary struct {
+	ID            string            `json:"id" yaml:"id"`
+	Name          string            `json:"name" yaml:"name"`
+	CreatedAt     time.Time         `json:"createdAt" yaml:"createdAt"`
+	Country       string            `json:"country,omitempty" yaml:"country,omitempty"`
+	AccountNumber string            `json:"accountNumber,omitempty" yaml:"accountNumber,omitempty"`
+	Iban          string            `json:"iban,omitempty" yaml:"iban,omitempty"`
+	SwiftBicCode  string            `json:"swiftBicCode,omitempty" yaml:"swiftBicCode,omitempty"`
+	Metadata      map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type ListBankAccountsInput struct {
+	PageSize int64
+	Cursor   string
+}
+
+type ListBankAccountsOutput struct {
+	APIVersion   capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	BankAccounts []BankAccountSummary    `json:"bankAccounts" yaml:"bankAccounts"`
+	HasMore      bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize     int64                   `json:"pageSize" yaml:"pageSize"`
+	Next         *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous     *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetBankAccountInput struct {
+	BankAccountID string
+}
+
+type GetBankAccountOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	BankAccount BankAccountSummary      `json:"bankAccount" yaml:"bankAccount"`
+}
+
+type ListBankAccountsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListBankAccountsInput) (ListBankAccountsOutput, error)
+}
+
+type CreateBankAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateBankAccountInput) (CreateBankAccountOutput, error)
+}
+
+type ForwardBankAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ForwardBankAccountInput) (ForwardBankAccountOutput, error)
+}
+
+type SetBankAccountMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, SetBankAccountMetadataInput) (SetBankAccountMetadataOutput, error)
+}
+
+type GetBankAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetBankAccountInput) (GetBankAccountOutput, error)
+}
+
+type ListBankAccountsService struct {
+	Handlers []ListBankAccountsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateBankAccountService struct {
+	Handlers []CreateBankAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ForwardBankAccountService struct {
+	Handlers []ForwardBankAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type SetBankAccountMetadataService struct {
+	Handlers []SetBankAccountMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetBankAccountService struct {
+	Handlers []GetBankAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListBankAccountsService) Run(ctx context.Context, input ListBankAccountsInput) (ListBankAccountsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListBankAccountsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListBankAccountsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListBankAccountsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListBankAccountsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateBankAccountService) Run(ctx context.Context, input CreateBankAccountInput) (CreateBankAccountOutput, error) {
+	if input.Name == "" {
+		return CreateBankAccountOutput{}, fmt.Errorf("bank account name is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateBankAccountHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateBankAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateBankAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateBankAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ForwardBankAccountService) Run(ctx context.Context, input ForwardBankAccountInput) (ForwardBankAccountOutput, error) {
+	if input.BankAccountID == "" {
+		return ForwardBankAccountOutput{}, fmt.Errorf("bank account id is required")
+	}
+	if input.ConnectorID == "" {
+		return ForwardBankAccountOutput{}, fmt.Errorf("connector id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ForwardBankAccountHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ForwardBankAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ForwardBankAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ForwardBankAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s SetBankAccountMetadataService) Run(ctx context.Context, input SetBankAccountMetadataInput) (SetBankAccountMetadataOutput, error) {
+	if input.BankAccountID == "" {
+		return SetBankAccountMetadataOutput{}, fmt.Errorf("bank account id is required")
+	}
+	if len(input.Metadata) == 0 {
+		return SetBankAccountMetadataOutput{}, fmt.Errorf("bank account metadata is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]SetBankAccountMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return SetBankAccountMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return SetBankAccountMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return SetBankAccountMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetBankAccountService) Run(ctx context.Context, input GetBankAccountInput) (GetBankAccountOutput, error) {
+	if input.BankAccountID == "" {
+		return GetBankAccountOutput{}, fmt.Errorf("bank account id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetBankAccountHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetBankAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetBankAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetBankAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKCreateBankAccountHandlers(sdk *formance.Formance) []CreateBankAccountHandler {
+	return []CreateBankAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateBankAccountInput) (CreateBankAccountOutput, error) {
+				response, err := sdk.Payments.V1.CreateBankAccount(ctx, shared.BankAccountRequest{
+					AccountNumber: optionalString(input.AccountNumber),
+					ConnectorID:   optionalString(input.ConnectorID),
+					Country:       input.Country,
+					Iban:          optionalString(input.Iban),
+					Metadata:      input.Metadata,
+					Name:          input.Name,
+					SwiftBicCode:  optionalString(input.SwiftBicCode),
+				})
+				if err != nil {
+					return CreateBankAccountOutput{}, err
+				}
+				if response.BankAccountResponse == nil {
+					return CreateBankAccountOutput{}, fmt.Errorf("payments v1 create bank account returned no data")
+				}
+				return CreateBankAccountOutput{BankAccountID: response.BankAccountResponse.Data.ID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input CreateBankAccountInput) (CreateBankAccountOutput, error) {
+				response, err := sdk.Payments.V3.CreateBankAccount(ctx, &shared.V3CreateBankAccountRequest{
+					AccountNumber: optionalString(input.AccountNumber),
+					Country:       optionalString(input.Country),
+					Iban:          optionalString(input.Iban),
+					Metadata:      input.Metadata,
+					Name:          input.Name,
+					SwiftBicCode:  optionalString(input.SwiftBicCode),
+				})
+				if err != nil {
+					return CreateBankAccountOutput{}, err
+				}
+				if response.V3CreateBankAccountResponse == nil {
+					return CreateBankAccountOutput{}, fmt.Errorf("payments v3 create bank account returned no data")
+				}
+				return CreateBankAccountOutput{BankAccountID: response.V3CreateBankAccountResponse.Data}, nil
+			},
+		},
+	}
+}
+
+func SDKForwardBankAccountHandlers(sdk *formance.Formance) []ForwardBankAccountHandler {
+	return []ForwardBankAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ForwardBankAccountInput) (ForwardBankAccountOutput, error) {
+				response, err := sdk.Payments.V1.ForwardBankAccount(ctx, operations.ForwardBankAccountRequest{
+					BankAccountID: input.BankAccountID,
+					ForwardBankAccountRequest: shared.ForwardBankAccountRequest{
+						ConnectorID: input.ConnectorID,
+					},
+				})
+				if err != nil {
+					return ForwardBankAccountOutput{}, err
+				}
+				if response.BankAccountResponse == nil {
+					return ForwardBankAccountOutput{}, fmt.Errorf("payments v1 forward bank account returned no data")
+				}
+				bankAccount := response.BankAccountResponse.Data
+				return ForwardBankAccountOutput{
+					BankAccountID: bankAccount.ID,
+					ConnectorID:   stringValue(bankAccount.ConnectorID),
+				}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ForwardBankAccountInput) (ForwardBankAccountOutput, error) {
+				response, err := sdk.Payments.V3.ForwardBankAccount(ctx, operations.V3ForwardBankAccountRequest{
+					BankAccountID: input.BankAccountID,
+					V3ForwardBankAccountRequest: &shared.V3ForwardBankAccountRequest{
+						ConnectorID: input.ConnectorID,
+					},
+				})
+				if err != nil {
+					return ForwardBankAccountOutput{}, err
+				}
+				if response.V3ForwardBankAccountResponse == nil {
+					return ForwardBankAccountOutput{}, fmt.Errorf("payments v3 forward bank account returned no data")
+				}
+				return ForwardBankAccountOutput{
+					BankAccountID: input.BankAccountID,
+					ConnectorID:   input.ConnectorID,
+					TaskID:        response.V3ForwardBankAccountResponse.Data.TaskID,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKSetBankAccountMetadataHandlers(sdk *formance.Formance) []SetBankAccountMetadataHandler {
+	return []SetBankAccountMetadataHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input SetBankAccountMetadataInput) (SetBankAccountMetadataOutput, error) {
+				if _, err := sdk.Payments.V1.UpdateBankAccountMetadata(ctx, operations.UpdateBankAccountMetadataRequest{
+					BankAccountID: input.BankAccountID,
+					UpdateBankAccountMetadataRequest: shared.UpdateBankAccountMetadataRequest{
+						Metadata: input.Metadata,
+					},
+				}); err != nil {
+					return SetBankAccountMetadataOutput{}, err
+				}
+				return SetBankAccountMetadataOutput{BankAccountID: input.BankAccountID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input SetBankAccountMetadataInput) (SetBankAccountMetadataOutput, error) {
+				if _, err := sdk.Payments.V3.UpdateBankAccountMetadata(ctx, operations.V3UpdateBankAccountMetadataRequest{
+					BankAccountID: input.BankAccountID,
+					V3UpdateBankAccountMetadataRequest: &shared.V3UpdateBankAccountMetadataRequest{
+						Metadata: input.Metadata,
+					},
+				}); err != nil {
+					return SetBankAccountMetadataOutput{}, err
+				}
+				return SetBankAccountMetadataOutput{BankAccountID: input.BankAccountID}, nil
+			},
+		},
+	}
+}
+
+func SDKListBankAccountsHandlers(sdk *formance.Formance) []ListBankAccountsHandler {
+	return []ListBankAccountsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListBankAccountsInput) (ListBankAccountsOutput, error) {
+				response, err := sdk.Payments.V1.ListBankAccounts(ctx, operations.ListBankAccountsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListBankAccountsOutput{}, err
+				}
+				if response.BankAccountsCursor == nil {
+					return ListBankAccountsOutput{}, fmt.Errorf("payments v1 list bank accounts returned no cursor")
+				}
+				return fromV1BankAccountsCursor(response.BankAccountsCursor.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListBankAccountsInput) (ListBankAccountsOutput, error) {
+				response, err := sdk.Payments.V3.ListBankAccounts(ctx, operations.V3ListBankAccountsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListBankAccountsOutput{}, err
+				}
+				if response.V3BankAccountsCursorResponse == nil {
+					return ListBankAccountsOutput{}, fmt.Errorf("payments v3 list bank accounts returned no cursor")
+				}
+				return fromV3BankAccountsCursor(response.V3BankAccountsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetBankAccountHandlers(sdk *formance.Formance) []GetBankAccountHandler {
+	return []GetBankAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetBankAccountInput) (GetBankAccountOutput, error) {
+				response, err := sdk.Payments.V1.GetBankAccount(ctx, operations.GetBankAccountRequest{
+					BankAccountID: input.BankAccountID,
+				})
+				if err != nil {
+					return GetBankAccountOutput{}, err
+				}
+				if response.BankAccountResponse == nil {
+					return GetBankAccountOutput{}, fmt.Errorf("payments v1 get bank account returned no data")
+				}
+				return GetBankAccountOutput{BankAccount: fromV1BankAccount(response.BankAccountResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetBankAccountInput) (GetBankAccountOutput, error) {
+				response, err := sdk.Payments.V3.GetBankAccount(ctx, operations.V3GetBankAccountRequest{
+					BankAccountID: input.BankAccountID,
+				})
+				if err != nil {
+					return GetBankAccountOutput{}, err
+				}
+				if response.V3GetBankAccountResponse == nil {
+					return GetBankAccountOutput{}, fmt.Errorf("payments v3 get bank account returned no data")
+				}
+				return GetBankAccountOutput{BankAccount: fromV3BankAccount(response.V3GetBankAccountResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func fromV1BankAccountsCursor(cursor shared.BankAccountsCursorCursor) ListBankAccountsOutput {
+	accounts := make([]BankAccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, fromV1BankAccount(account))
+	}
+	return ListBankAccountsOutput{BankAccounts: accounts, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV3BankAccountsCursor(cursor shared.V3BankAccountsCursorResponseCursor) ListBankAccountsOutput {
+	accounts := make([]BankAccountSummary, 0, len(cursor.Data))
+	for _, account := range cursor.Data {
+		accounts = append(accounts, fromV3BankAccount(account))
+	}
+	return ListBankAccountsOutput{BankAccounts: accounts, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV1BankAccount(account shared.BankAccount) BankAccountSummary {
+	return BankAccountSummary{
+		ID:            account.ID,
+		Name:          account.Name,
+		CreatedAt:     account.CreatedAt,
+		Country:       account.Country,
+		AccountNumber: stringValue(account.AccountNumber),
+		Iban:          stringValue(account.Iban),
+		SwiftBicCode:  stringValue(account.SwiftBicCode),
+		Metadata:      account.Metadata,
+	}
+}
+
+func fromV3BankAccount(account shared.V3BankAccount) BankAccountSummary {
+	return BankAccountSummary{
+		ID:            account.ID,
+		Name:          account.Name,
+		CreatedAt:     account.CreatedAt,
+		Country:       stringValue(account.Country),
+		AccountNumber: stringValue(account.AccountNumber),
+		Iban:          stringValue(account.Iban),
+		SwiftBicCode:  stringValue(account.SwiftBicCode),
+		Metadata:      account.Metadata,
+	}
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
+
+func stringValue(value *string) string {
+	if value == nil {
+		return ""
+	}
+	return *value
+}
diff --git a/v4/internal/commands/payments/bank_accounts_test.go b/v4/internal/commands/payments/bank_accounts_test.go
new file mode 100644
index 00000000..61146703
--- /dev/null
+++ b/v4/internal/commands/payments/bank_accounts_test.go
@@ -0,0 +1,155 @@
+package payments
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListBankAccountsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListBankAccountsService{
+		Handlers: []ListBankAccountsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListBankAccountsInput) (ListBankAccountsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListBankAccountsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListBankAccountsInput) (ListBankAccountsOutput, error) {
+					if input.PageSize != 10 {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListBankAccountsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListBankAccountsInput{PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateBankAccountServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreateBankAccountService{
+		Handlers: []CreateBankAccountHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, CreateBankAccountInput) (CreateBankAccountOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return CreateBankAccountOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input CreateBankAccountInput) (CreateBankAccountOutput, error) {
+					if input.Name != "Main" || input.Country != "FR" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreateBankAccountOutput{BankAccountID: "ba_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreateBankAccountInput{Name: "Main", Country: "FR"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.BankAccountID != "ba_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateBankAccountServiceRequiresName(t *testing.T) {
+	service := CreateBankAccountService{
+		Handlers: []CreateBankAccountHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateBankAccountInput{}); err == nil {
+		t.Fatal("expected bank account name validation error")
+	}
+}
+
+func TestForwardBankAccountServiceSelectsResolvedHandler(t *testing.T) {
+	service := ForwardBankAccountService{
+		Handlers: []ForwardBankAccountHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ForwardBankAccountInput) (ForwardBankAccountOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ForwardBankAccountOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ForwardBankAccountInput) (ForwardBankAccountOutput, error) {
+					if input.BankAccountID != "ba_1" || input.ConnectorID != "conn_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ForwardBankAccountOutput{BankAccountID: input.BankAccountID, ConnectorID: input.ConnectorID, TaskID: "task_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ForwardBankAccountInput{BankAccountID: "ba_1", ConnectorID: "conn_1"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.TaskID != "task_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestSetBankAccountMetadataServiceRequiresMetadata(t *testing.T) {
+	service := SetBankAccountMetadataService{
+		Handlers: []SetBankAccountMetadataHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), SetBankAccountMetadataInput{BankAccountID: "ba_1"}); err == nil {
+		t.Fatal("expected bank account metadata validation error")
+	}
+}
+
+func TestGetBankAccountServiceRequiresID(t *testing.T) {
+	service := GetBankAccountService{
+		Handlers: []GetBankAccountHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetBankAccountInput{}); err == nil {
+		t.Fatal("expected bank account id validation error")
+	}
+}
diff --git a/v4/internal/commands/payments/connectors.go b/v4/internal/commands/payments/connectors.go
new file mode 100644
index 00000000..e8062451
--- /dev/null
+++ b/v4/internal/commands/payments/connectors.go
@@ -0,0 +1,634 @@
+package payments
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureListConnectors        capabilities.Feature = "listConnectors"
+	FeatureUninstallConnector    capabilities.Feature = "uninstallConnector"
+	FeatureInstallConnector      capabilities.Feature = "installConnector"
+	FeatureGetConnectorConfig    capabilities.Feature = "getConnectorConfig"
+	FeatureUpdateConnectorConfig capabilities.Feature = "updateConnectorConfig"
+)
+
+type ListConnectorsInput struct {
+	PageSize int64
+	Cursor   string
+}
+
+type ConnectorSummary struct {
+	ID                   string    `json:"id" yaml:"id"`
+	Name                 string    `json:"name" yaml:"name"`
+	Provider             string    `json:"provider" yaml:"provider"`
+	Reference            string    `json:"reference,omitempty" yaml:"reference,omitempty"`
+	CreatedAt            time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	ScheduledForDeletion bool      `json:"scheduledForDeletion,omitempty" yaml:"scheduledForDeletion,omitempty"`
+}
+
+type ListConnectorsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Connectors []ConnectorSummary      `json:"connectors" yaml:"connectors"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type UninstallConnectorInput struct {
+	ConnectorID string
+	Provider    string
+}
+
+type UninstallConnectorOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ConnectorID string                  `json:"connectorID" yaml:"connectorID"`
+	TaskID      string                  `json:"taskID,omitempty" yaml:"taskID,omitempty"`
+}
+
+type InstallConnectorInput struct {
+	Connector string
+	Config    []byte
+}
+
+type InstallConnectorOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Connector   string                  `json:"connector" yaml:"connector"`
+	ConnectorID string                  `json:"connectorID,omitempty" yaml:"connectorID,omitempty"`
+}
+
+type GetConnectorConfigInput struct {
+	ConnectorID string
+	Provider    string
+}
+
+type GetConnectorConfigOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ConnectorID string                  `json:"connectorID" yaml:"connectorID"`
+	Provider    string                  `json:"provider,omitempty" yaml:"provider,omitempty"`
+	Config      json.RawMessage         `json:"config" yaml:"config"`
+}
+
+type UpdateConnectorConfigInput struct {
+	ConnectorID string
+	Provider    string
+	Config      []byte
+}
+
+type UpdateConnectorConfigOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ConnectorID string                  `json:"connectorID" yaml:"connectorID"`
+}
+
+type ListConnectorsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListConnectorsInput) (ListConnectorsOutput, error)
+}
+
+type UninstallConnectorHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, UninstallConnectorInput) (UninstallConnectorOutput, error)
+}
+
+type InstallConnectorHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, InstallConnectorInput) (InstallConnectorOutput, error)
+}
+
+type GetConnectorConfigHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetConnectorConfigInput) (GetConnectorConfigOutput, error)
+}
+
+type UpdateConnectorConfigHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, UpdateConnectorConfigInput) (UpdateConnectorConfigOutput, error)
+}
+
+type ListConnectorsService struct {
+	Handlers []ListConnectorsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type UninstallConnectorService struct {
+	Handlers []UninstallConnectorHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type InstallConnectorService struct {
+	Handlers []InstallConnectorHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetConnectorConfigService struct {
+	Handlers []GetConnectorConfigHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type UpdateConnectorConfigService struct {
+	Handlers []UpdateConnectorConfigHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListConnectorsService) Run(ctx context.Context, input ListConnectorsInput) (ListConnectorsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListConnectorsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListConnectorsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListConnectorsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListConnectorsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s UninstallConnectorService) Run(ctx context.Context, input UninstallConnectorInput) (UninstallConnectorOutput, error) {
+	if input.ConnectorID == "" {
+		return UninstallConnectorOutput{}, fmt.Errorf("connector id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]UninstallConnectorHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return UninstallConnectorOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return UninstallConnectorOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return UninstallConnectorOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.ConnectorID == "" {
+		output.ConnectorID = input.ConnectorID
+	}
+	return output, nil
+}
+
+func (s InstallConnectorService) Run(ctx context.Context, input InstallConnectorInput) (InstallConnectorOutput, error) {
+	if input.Connector == "" {
+		return InstallConnectorOutput{}, fmt.Errorf("connector is required")
+	}
+	if len(input.Config) == 0 {
+		return InstallConnectorOutput{}, fmt.Errorf("connector config is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]InstallConnectorHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return InstallConnectorOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return InstallConnectorOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return InstallConnectorOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.Connector == "" {
+		output.Connector = input.Connector
+	}
+	return output, nil
+}
+
+func (s GetConnectorConfigService) Run(ctx context.Context, input GetConnectorConfigInput) (GetConnectorConfigOutput, error) {
+	if input.ConnectorID == "" {
+		return GetConnectorConfigOutput{}, fmt.Errorf("connector id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetConnectorConfigHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetConnectorConfigOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetConnectorConfigOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetConnectorConfigOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.ConnectorID == "" {
+		output.ConnectorID = input.ConnectorID
+	}
+	return output, nil
+}
+
+func (s UpdateConnectorConfigService) Run(ctx context.Context, input UpdateConnectorConfigInput) (UpdateConnectorConfigOutput, error) {
+	if input.ConnectorID == "" {
+		return UpdateConnectorConfigOutput{}, fmt.Errorf("connector id is required")
+	}
+	if len(input.Config) == 0 {
+		return UpdateConnectorConfigOutput{}, fmt.Errorf("connector config is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]UpdateConnectorConfigHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return UpdateConnectorConfigOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return UpdateConnectorConfigOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return UpdateConnectorConfigOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.ConnectorID == "" {
+		output.ConnectorID = input.ConnectorID
+	}
+	return output, nil
+}
+
+func SDKListConnectorsHandlers(sdk *formance.Formance) []ListConnectorsHandler {
+	return []ListConnectorsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListConnectorsInput) (ListConnectorsOutput, error) {
+				response, err := sdk.Payments.V1.ListAllConnectors(ctx)
+				if err != nil {
+					return ListConnectorsOutput{}, err
+				}
+				if response.ConnectorsResponse == nil {
+					return ListConnectorsOutput{}, fmt.Errorf("payments v1 list connectors returned no data")
+				}
+				return fromV1Connectors(response.ConnectorsResponse.Data, input.PageSize), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListConnectorsInput) (ListConnectorsOutput, error) {
+				response, err := sdk.Payments.V3.ListConnectors(ctx, toV3ListConnectorsRequest(input))
+				if err != nil {
+					return ListConnectorsOutput{}, err
+				}
+				if response.V3ConnectorsCursorResponse == nil {
+					return ListConnectorsOutput{}, fmt.Errorf("payments v3 list connectors returned no cursor")
+				}
+				return fromV3ConnectorsCursor(response.V3ConnectorsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKUninstallConnectorHandlers(sdk *formance.Formance) []UninstallConnectorHandler {
+	return []UninstallConnectorHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input UninstallConnectorInput) (UninstallConnectorOutput, error) {
+				if input.Provider == "" {
+					return UninstallConnectorOutput{}, fmt.Errorf("provider is required when uninstalling a connector through payments API v1")
+				}
+				_, err := sdk.Payments.V1.UninstallConnectorV1(ctx, operations.UninstallConnectorV1Request{
+					Connector:   shared.Connector(input.Provider),
+					ConnectorID: input.ConnectorID,
+				})
+				if err != nil {
+					return UninstallConnectorOutput{}, err
+				}
+				return UninstallConnectorOutput{ConnectorID: input.ConnectorID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input UninstallConnectorInput) (UninstallConnectorOutput, error) {
+				response, err := sdk.Payments.V3.UninstallConnector(ctx, operations.V3UninstallConnectorRequest{
+					ConnectorID: input.ConnectorID,
+				})
+				if err != nil {
+					return UninstallConnectorOutput{}, err
+				}
+				if response.V3UninstallConnectorResponse == nil {
+					return UninstallConnectorOutput{}, fmt.Errorf("payments v3 uninstall connector returned no data")
+				}
+				return UninstallConnectorOutput{
+					ConnectorID: input.ConnectorID,
+					TaskID:      response.V3UninstallConnectorResponse.Data.TaskID,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKInstallConnectorHandlers(sdk *formance.Formance) []InstallConnectorHandler {
+	return []InstallConnectorHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input InstallConnectorInput) (InstallConnectorOutput, error) {
+				config, err := parseV1ConnectorConfig(input.Connector, input.Config)
+				if err != nil {
+					return InstallConnectorOutput{}, err
+				}
+				response, err := sdk.Payments.V1.InstallConnector(ctx, operations.InstallConnectorRequest{
+					Connector:       shared.Connector(toV1ConnectorPath(input.Connector)),
+					ConnectorConfig: config,
+				})
+				if err != nil {
+					return InstallConnectorOutput{}, err
+				}
+				output := InstallConnectorOutput{Connector: input.Connector}
+				if response.ConnectorResponse != nil {
+					output.ConnectorID = response.ConnectorResponse.Data.ConnectorID
+				}
+				return output, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input InstallConnectorInput) (InstallConnectorOutput, error) {
+				config, err := parseV3ConnectorConfig(input.Connector, input.Config)
+				if err != nil {
+					return InstallConnectorOutput{}, err
+				}
+				response, err := sdk.Payments.V3.InstallConnector(ctx, operations.V3InstallConnectorRequest{
+					Connector:                 normalizeConnectorName(input.Connector),
+					V3InstallConnectorRequest: &config,
+				})
+				if err != nil {
+					return InstallConnectorOutput{}, err
+				}
+				if response.V3InstallConnectorResponse == nil {
+					return InstallConnectorOutput{}, fmt.Errorf("payments v3 install connector returned no data")
+				}
+				return InstallConnectorOutput{
+					Connector:   input.Connector,
+					ConnectorID: response.V3InstallConnectorResponse.Data,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKGetConnectorConfigHandlers(sdk *formance.Formance) []GetConnectorConfigHandler {
+	return []GetConnectorConfigHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetConnectorConfigInput) (GetConnectorConfigOutput, error) {
+				if input.Provider == "" {
+					return GetConnectorConfigOutput{}, fmt.Errorf("provider is required when reading a connector config through payments API v1")
+				}
+				response, err := sdk.Payments.V1.ReadConnectorConfigV1(ctx, operations.ReadConnectorConfigV1Request{
+					Connector:   shared.Connector(toV1ConnectorPath(input.Provider)),
+					ConnectorID: input.ConnectorID,
+				})
+				if err != nil {
+					return GetConnectorConfigOutput{}, err
+				}
+				if response.ConnectorConfigResponse == nil {
+					return GetConnectorConfigOutput{}, fmt.Errorf("payments v1 get connector config returned no data")
+				}
+				config, err := json.Marshal(response.ConnectorConfigResponse.Data)
+				if err != nil {
+					return GetConnectorConfigOutput{}, err
+				}
+				return GetConnectorConfigOutput{
+					ConnectorID: input.ConnectorID,
+					Provider:    strings.ToLower(input.Provider),
+					Config:      config,
+				}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetConnectorConfigInput) (GetConnectorConfigOutput, error) {
+				response, err := sdk.Payments.V3.GetConnectorConfig(ctx, operations.V3GetConnectorConfigRequest{
+					ConnectorID: input.ConnectorID,
+				})
+				if err != nil {
+					return GetConnectorConfigOutput{}, err
+				}
+				if response.V3GetConnectorConfigResponse == nil {
+					return GetConnectorConfigOutput{}, fmt.Errorf("payments v3 get connector config returned no data")
+				}
+				config, err := json.Marshal(response.V3GetConnectorConfigResponse.Data)
+				if err != nil {
+					return GetConnectorConfigOutput{}, err
+				}
+				return GetConnectorConfigOutput{
+					ConnectorID: input.ConnectorID,
+					Provider:    strings.ToLower(string(response.V3GetConnectorConfigResponse.Data.Type)),
+					Config:      config,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKUpdateConnectorConfigHandlers(sdk *formance.Formance) []UpdateConnectorConfigHandler {
+	return []UpdateConnectorConfigHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input UpdateConnectorConfigInput) (UpdateConnectorConfigOutput, error) {
+				if input.Provider == "" {
+					return UpdateConnectorConfigOutput{}, fmt.Errorf("provider is required when updating a connector config through payments API v1")
+				}
+				config, err := parseV1ConnectorConfig(input.Provider, input.Config)
+				if err != nil {
+					return UpdateConnectorConfigOutput{}, err
+				}
+				_, err = sdk.Payments.V1.UpdateConnectorConfigV1(ctx, operations.UpdateConnectorConfigV1Request{
+					Connector:       shared.Connector(toV1ConnectorPath(input.Provider)),
+					ConnectorID:     input.ConnectorID,
+					ConnectorConfig: config,
+				})
+				if err != nil {
+					return UpdateConnectorConfigOutput{}, err
+				}
+				return UpdateConnectorConfigOutput{ConnectorID: input.ConnectorID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input UpdateConnectorConfigInput) (UpdateConnectorConfigOutput, error) {
+				config, err := parseV3ConnectorConfig(input.Provider, input.Config)
+				if err != nil {
+					return UpdateConnectorConfigOutput{}, err
+				}
+				_, err = sdk.Payments.V3.V3UpdateConnectorConfig(ctx, operations.V3UpdateConnectorConfigRequest{
+					ConnectorID:               input.ConnectorID,
+					V3InstallConnectorRequest: &config,
+				})
+				if err != nil {
+					return UpdateConnectorConfigOutput{}, err
+				}
+				return UpdateConnectorConfigOutput{ConnectorID: input.ConnectorID}, nil
+			},
+		},
+	}
+}
+
+func toV3ListConnectorsRequest(input ListConnectorsInput) operations.V3ListConnectorsRequest {
+	request := operations.V3ListConnectorsRequest{
+		PageSize: pointer(input.PageSize),
+	}
+	if input.Cursor != "" {
+		request.Cursor = pointer(input.Cursor)
+	}
+	return request
+}
+
+func fromV1Connectors(data []shared.ConnectorsResponseData, pageSize int64) ListConnectorsOutput {
+	if pageSize > 0 && int64(len(data)) > pageSize {
+		data = data[:pageSize]
+	}
+	connectors := make([]ConnectorSummary, 0, len(data))
+	for _, connector := range data {
+		connectors = append(connectors, ConnectorSummary{
+			ID:       connector.ConnectorID,
+			Name:     connector.Name,
+			Provider: string(connector.Provider),
+		})
+	}
+	return ListConnectorsOutput{
+		Connectors: connectors,
+		PageSize:   pageSize,
+	}
+}
+
+func fromV3ConnectorsCursor(cursor shared.V3ConnectorsCursorResponseCursor) ListConnectorsOutput {
+	connectors := make([]ConnectorSummary, 0, len(cursor.Data))
+	for _, connector := range cursor.Data {
+		connectors = append(connectors, ConnectorSummary{
+			ID:                   connector.ID,
+			Name:                 connector.Name,
+			Provider:             connector.Provider,
+			Reference:            connector.Reference,
+			CreatedAt:            connector.CreatedAt,
+			ScheduledForDeletion: connector.ScheduledForDeletion,
+		})
+	}
+	return ListConnectorsOutput{
+		Connectors: connectors,
+		HasMore:    cursor.HasMore,
+		PageSize:   cursor.PageSize,
+		Next:       cursor.Next,
+		Previous:   cursor.Previous,
+	}
+}
+
+func parseV1ConnectorConfig(connector string, data []byte) (shared.ConnectorConfig, error) {
+	data, err := ensureConnectorProvider(data, connector)
+	if err != nil {
+		return shared.ConnectorConfig{}, err
+	}
+	var config shared.ConnectorConfig
+	if err := json.Unmarshal(data, &config); err != nil {
+		return shared.ConnectorConfig{}, err
+	}
+	return config, nil
+}
+
+func parseV3ConnectorConfig(connector string, data []byte) (shared.V3InstallConnectorRequest, error) {
+	data, err := ensureConnectorProvider(data, connector)
+	if err != nil {
+		return shared.V3InstallConnectorRequest{}, err
+	}
+	var config shared.V3InstallConnectorRequest
+	if err := json.Unmarshal(data, &config); err != nil {
+		return shared.V3InstallConnectorRequest{}, err
+	}
+	return config, nil
+}
+
+func ensureConnectorProvider(data []byte, connector string) ([]byte, error) {
+	if connector == "" {
+		return data, nil
+	}
+	var payload map[string]any
+	if err := json.Unmarshal(data, &payload); err != nil {
+		return nil, err
+	}
+	if _, ok := payload["provider"]; !ok {
+		payload["provider"] = connectorProviderDiscriminator(connector)
+	}
+	return json.Marshal(payload)
+}
+
+func connectorProviderDiscriminator(connector string) string {
+	switch normalizeConnectorName(connector) {
+	case "bankingcircle", "banking-circle":
+		return "Bankingcircle"
+	case "coinbaseprime", "coinbase-prime":
+		return "Coinbaseprime"
+	case "currencycloud", "currency-cloud":
+		return "Currencycloud"
+	case "dummy-pay", "dummypay":
+		return "Dummypay"
+	case "fireblocks":
+		return "Fireblocks"
+	case "generic":
+		return "Generic"
+	case "mangopay", "mango-pay":
+		return "Mangopay"
+	case "moneycorp":
+		return "Moneycorp"
+	default:
+		normalized := normalizeConnectorName(connector)
+		if normalized == "" {
+			return ""
+		}
+		return strings.ToUpper(normalized[:1]) + normalized[1:]
+	}
+}
+
+func normalizeConnectorName(connector string) string {
+	return strings.ToLower(strings.TrimSpace(connector))
+}
+
+func toV1ConnectorPath(connector string) string {
+	switch normalizeConnectorName(connector) {
+	case "bankingcircle", "banking-circle":
+		return string(shared.ConnectorBankingCircle)
+	case "currencycloud", "currency-cloud":
+		return string(shared.ConnectorCurrencyCloud)
+	case "dummy-pay", "dummypay":
+		return string(shared.ConnectorDummyPay)
+	default:
+		return strings.ToUpper(normalizeConnectorName(connector))
+	}
+}
diff --git a/v4/internal/commands/payments/connectors_test.go b/v4/internal/commands/payments/connectors_test.go
new file mode 100644
index 00000000..55f9b03d
--- /dev/null
+++ b/v4/internal/commands/payments/connectors_test.go
@@ -0,0 +1,109 @@
+package payments
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListConnectorsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListConnectorsService{
+		Handlers: []ListConnectorsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListConnectorsInput) (ListConnectorsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListConnectorsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListConnectorsInput) (ListConnectorsOutput, error) {
+					if input.PageSize != 10 || input.Cursor != "cursor" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListConnectorsOutput{
+						PageSize: input.PageSize,
+						Connectors: []ConnectorSummary{
+							{ID: "conn_1", Name: "Stripe", Provider: "stripe"},
+						},
+					}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListConnectorsInput{PageSize: 10, Cursor: "cursor"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 || output.Connectors[0].ID != "conn_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestUninstallConnectorServiceSelectsResolvedHandler(t *testing.T) {
+	service := UninstallConnectorService{
+		Handlers: []UninstallConnectorHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, UninstallConnectorInput) (UninstallConnectorOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return UninstallConnectorOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input UninstallConnectorInput) (UninstallConnectorOutput, error) {
+					if input.ConnectorID != "conn_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return UninstallConnectorOutput{ConnectorID: input.ConnectorID, TaskID: "task_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), UninstallConnectorInput{ConnectorID: "conn_1"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.ConnectorID != "conn_1" || output.TaskID != "task_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestUninstallConnectorServiceRequiresConnectorID(t *testing.T) {
+	service := UninstallConnectorService{
+		Handlers: []UninstallConnectorHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), UninstallConnectorInput{}); err == nil {
+		t.Fatal("expected connector id validation error")
+	}
+}
+
+func TestUninstallConnectorV1HandlerRequiresProvider(t *testing.T) {
+	handler := SDKUninstallConnectorHandlers(nil)[0]
+	_, err := handler.Run(context.Background(), UninstallConnectorInput{ConnectorID: "conn_1"})
+	if err == nil {
+		t.Fatal("expected provider validation error")
+	}
+	if !strings.Contains(err.Error(), "provider is required") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
diff --git a/v4/internal/commands/payments/payments.go b/v4/internal/commands/payments/payments.go
new file mode 100644
index 00000000..b9650e7d
--- /dev/null
+++ b/v4/internal/commands/payments/payments.go
@@ -0,0 +1,411 @@
+package payments
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureCreatePayment      capabilities.Feature = "createPayment"
+	FeatureGetPayment         capabilities.Feature = "getPayment"
+	FeatureListPayments       capabilities.Feature = "listPayments"
+	FeatureSetPaymentMetadata capabilities.Feature = "updatePaymentMetadata"
+)
+
+type CreatePaymentInput struct {
+	V1 shared.PaymentRequest
+	V3 shared.V3CreatePaymentRequest
+}
+
+type CreatePaymentOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PaymentID  string                  `json:"paymentID" yaml:"paymentID"`
+}
+
+type PaymentSummary struct {
+	ID                   string            `json:"id" yaml:"id"`
+	Reference            string            `json:"reference" yaml:"reference"`
+	Type                 string            `json:"type" yaml:"type"`
+	Status               string            `json:"status" yaml:"status"`
+	Scheme               string            `json:"scheme" yaml:"scheme"`
+	Asset                string            `json:"asset" yaml:"asset"`
+	Amount               string            `json:"amount" yaml:"amount"`
+	InitialAmount        string            `json:"initialAmount" yaml:"initialAmount"`
+	ConnectorID          string            `json:"connectorID" yaml:"connectorID"`
+	SourceAccountID      string            `json:"sourceAccountID,omitempty" yaml:"sourceAccountID,omitempty"`
+	DestinationAccountID string            `json:"destinationAccountID,omitempty" yaml:"destinationAccountID,omitempty"`
+	CreatedAt            time.Time         `json:"createdAt" yaml:"createdAt"`
+	Metadata             map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type ListPaymentsInput struct {
+	PageSize int64
+	Cursor   string
+}
+
+type ListPaymentsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Payments   []PaymentSummary        `json:"payments" yaml:"payments"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetPaymentInput struct {
+	PaymentID string
+}
+
+type GetPaymentOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Payment    PaymentSummary          `json:"payment" yaml:"payment"`
+}
+
+type SetPaymentMetadataInput struct {
+	PaymentID string
+	Metadata  map[string]string
+}
+
+type SetPaymentMetadataOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PaymentID  string                  `json:"paymentID" yaml:"paymentID"`
+}
+
+type ListPaymentsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListPaymentsInput) (ListPaymentsOutput, error)
+}
+
+type CreatePaymentHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreatePaymentInput) (CreatePaymentOutput, error)
+}
+
+type SetPaymentMetadataHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, SetPaymentMetadataInput) (SetPaymentMetadataOutput, error)
+}
+
+type GetPaymentHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetPaymentInput) (GetPaymentOutput, error)
+}
+
+type ListPaymentsService struct {
+	Handlers []ListPaymentsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreatePaymentService struct {
+	Handlers []CreatePaymentHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type SetPaymentMetadataService struct {
+	Handlers []SetPaymentMetadataHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetPaymentService struct {
+	Handlers []GetPaymentHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListPaymentsService) Run(ctx context.Context, input ListPaymentsInput) (ListPaymentsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListPaymentsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListPaymentsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListPaymentsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListPaymentsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreatePaymentService) Run(ctx context.Context, input CreatePaymentInput) (CreatePaymentOutput, error) {
+	if input.V3.Amount == nil {
+		return CreatePaymentOutput{}, fmt.Errorf("payment amount is required")
+	}
+	if input.V3.Asset == "" {
+		return CreatePaymentOutput{}, fmt.Errorf("payment asset is required")
+	}
+	if input.V3.ConnectorID == "" {
+		return CreatePaymentOutput{}, fmt.Errorf("connector id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreatePaymentHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreatePaymentOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreatePaymentOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreatePaymentOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetPaymentService) Run(ctx context.Context, input GetPaymentInput) (GetPaymentOutput, error) {
+	if input.PaymentID == "" {
+		return GetPaymentOutput{}, fmt.Errorf("payment id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetPaymentHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetPaymentOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetPaymentOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetPaymentOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s SetPaymentMetadataService) Run(ctx context.Context, input SetPaymentMetadataInput) (SetPaymentMetadataOutput, error) {
+	if input.PaymentID == "" {
+		return SetPaymentMetadataOutput{}, fmt.Errorf("payment id is required")
+	}
+	if len(input.Metadata) == 0 {
+		return SetPaymentMetadataOutput{}, fmt.Errorf("payment metadata is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]SetPaymentMetadataHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return SetPaymentMetadataOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return SetPaymentMetadataOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return SetPaymentMetadataOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKCreatePaymentHandlers(sdk *formance.Formance) []CreatePaymentHandler {
+	return []CreatePaymentHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreatePaymentInput) (CreatePaymentOutput, error) {
+				response, err := sdk.Payments.V1.CreatePayment(ctx, input.V1)
+				if err != nil {
+					return CreatePaymentOutput{}, err
+				}
+				if response.PaymentResponse == nil {
+					return CreatePaymentOutput{}, fmt.Errorf("payments v1 create payment returned no data")
+				}
+				return CreatePaymentOutput{PaymentID: response.PaymentResponse.Data.ID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input CreatePaymentInput) (CreatePaymentOutput, error) {
+				response, err := sdk.Payments.V3.CreatePayment(ctx, &input.V3)
+				if err != nil {
+					return CreatePaymentOutput{}, err
+				}
+				if response.V3CreatePaymentResponse == nil {
+					return CreatePaymentOutput{}, fmt.Errorf("payments v3 create payment returned no data")
+				}
+				return CreatePaymentOutput{PaymentID: response.V3CreatePaymentResponse.Data.ID}, nil
+			},
+		},
+	}
+}
+
+func SDKListPaymentsHandlers(sdk *formance.Formance) []ListPaymentsHandler {
+	return []ListPaymentsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListPaymentsInput) (ListPaymentsOutput, error) {
+				response, err := sdk.Payments.V1.ListPayments(ctx, operations.ListPaymentsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListPaymentsOutput{}, err
+				}
+				if response.PaymentsCursor == nil {
+					return ListPaymentsOutput{}, fmt.Errorf("payments v1 list payments returned no cursor")
+				}
+				return fromV1PaymentsCursor(response.PaymentsCursor.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListPaymentsInput) (ListPaymentsOutput, error) {
+				response, err := sdk.Payments.V3.ListPayments(ctx, operations.V3ListPaymentsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListPaymentsOutput{}, err
+				}
+				if response.V3PaymentsCursorResponse == nil {
+					return ListPaymentsOutput{}, fmt.Errorf("payments v3 list payments returned no cursor")
+				}
+				return fromV3PaymentsCursor(response.V3PaymentsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKSetPaymentMetadataHandlers(sdk *formance.Formance) []SetPaymentMetadataHandler {
+	return []SetPaymentMetadataHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input SetPaymentMetadataInput) (SetPaymentMetadataOutput, error) {
+				if _, err := sdk.Payments.V1.UpdateMetadata(ctx, operations.UpdateMetadataRequest{
+					PaymentID:   input.PaymentID,
+					RequestBody: input.Metadata,
+				}); err != nil {
+					return SetPaymentMetadataOutput{}, err
+				}
+				return SetPaymentMetadataOutput{PaymentID: input.PaymentID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input SetPaymentMetadataInput) (SetPaymentMetadataOutput, error) {
+				if _, err := sdk.Payments.V3.UpdatePaymentMetadata(ctx, operations.V3UpdatePaymentMetadataRequest{
+					PaymentID: input.PaymentID,
+					V3UpdatePaymentMetadataRequest: &shared.V3UpdatePaymentMetadataRequest{
+						Metadata: input.Metadata,
+					},
+				}); err != nil {
+					return SetPaymentMetadataOutput{}, err
+				}
+				return SetPaymentMetadataOutput{PaymentID: input.PaymentID}, nil
+			},
+		},
+	}
+}
+
+func SDKGetPaymentHandlers(sdk *formance.Formance) []GetPaymentHandler {
+	return []GetPaymentHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetPaymentInput) (GetPaymentOutput, error) {
+				response, err := sdk.Payments.V1.GetPayment(ctx, operations.GetPaymentRequest{PaymentID: input.PaymentID})
+				if err != nil {
+					return GetPaymentOutput{}, err
+				}
+				if response.PaymentResponse == nil {
+					return GetPaymentOutput{}, fmt.Errorf("payments v1 get payment returned no data")
+				}
+				return GetPaymentOutput{Payment: fromV1Payment(response.PaymentResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetPaymentInput) (GetPaymentOutput, error) {
+				response, err := sdk.Payments.V3.GetPayment(ctx, operations.V3GetPaymentRequest{PaymentID: input.PaymentID})
+				if err != nil {
+					return GetPaymentOutput{}, err
+				}
+				if response.V3GetPaymentResponse == nil {
+					return GetPaymentOutput{}, fmt.Errorf("payments v3 get payment returned no data")
+				}
+				return GetPaymentOutput{Payment: fromV3Payment(response.V3GetPaymentResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func fromV1PaymentsCursor(cursor shared.PaymentsCursorCursor) ListPaymentsOutput {
+	payments := make([]PaymentSummary, 0, len(cursor.Data))
+	for _, payment := range cursor.Data {
+		payments = append(payments, fromV1Payment(payment))
+	}
+	return ListPaymentsOutput{Payments: payments, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV3PaymentsCursor(cursor shared.V3PaymentsCursorResponseCursor) ListPaymentsOutput {
+	payments := make([]PaymentSummary, 0, len(cursor.Data))
+	for _, payment := range cursor.Data {
+		payments = append(payments, fromV3Payment(payment))
+	}
+	return ListPaymentsOutput{Payments: payments, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV1Payment(payment shared.Payment) PaymentSummary {
+	return PaymentSummary{
+		ID:                   payment.ID,
+		Reference:            payment.Reference,
+		Type:                 string(payment.Type),
+		Status:               string(payment.Status),
+		Scheme:               string(payment.Scheme),
+		Asset:                payment.Asset,
+		Amount:               bigIntString(payment.Amount),
+		InitialAmount:        bigIntString(payment.InitialAmount),
+		ConnectorID:          payment.ConnectorID,
+		SourceAccountID:      payment.SourceAccountID,
+		DestinationAccountID: payment.DestinationAccountID,
+		CreatedAt:            payment.CreatedAt,
+		Metadata:             payment.Metadata,
+	}
+}
+
+func fromV3Payment(payment shared.V3Payment) PaymentSummary {
+	return PaymentSummary{
+		ID:                   payment.ID,
+		Reference:            payment.Reference,
+		Type:                 string(payment.Type),
+		Status:               string(payment.Status),
+		Scheme:               payment.Scheme,
+		Asset:                payment.Asset,
+		Amount:               bigIntString(payment.Amount),
+		InitialAmount:        bigIntString(payment.InitialAmount),
+		ConnectorID:          payment.ConnectorID,
+		SourceAccountID:      stringValue(payment.SourceAccountID),
+		DestinationAccountID: stringValue(payment.DestinationAccountID),
+		CreatedAt:            payment.CreatedAt,
+		Metadata:             payment.Metadata,
+	}
+}
diff --git a/v4/internal/commands/payments/payments_test.go b/v4/internal/commands/payments/payments_test.go
new file mode 100644
index 00000000..655d1f0a
--- /dev/null
+++ b/v4/internal/commands/payments/payments_test.go
@@ -0,0 +1,172 @@
+package payments
+
+import (
+	"context"
+	"math/big"
+	"testing"
+
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListPaymentsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListPaymentsService{
+		Handlers: []ListPaymentsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListPaymentsInput) (ListPaymentsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListPaymentsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListPaymentsInput) (ListPaymentsOutput, error) {
+					if input.PageSize != 10 {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListPaymentsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListPaymentsInput{PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreatePaymentServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreatePaymentService{
+		Handlers: []CreatePaymentHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, CreatePaymentInput) (CreatePaymentOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return CreatePaymentOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input CreatePaymentInput) (CreatePaymentOutput, error) {
+					if input.V3.Amount.String() != "100" || input.V3.Asset != "USD/2" || input.V3.ConnectorID != "conn_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreatePaymentOutput{PaymentID: "pay_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreatePaymentInput{
+		V3: newTestCreatePaymentRequest(),
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PaymentID != "pay_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreatePaymentServiceRequiresAmount(t *testing.T) {
+	service := CreatePaymentService{
+		Handlers: []CreatePaymentHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	request := newTestCreatePaymentRequest()
+	request.Amount = nil
+	if _, err := service.Run(context.Background(), CreatePaymentInput{V3: request}); err == nil {
+		t.Fatal("expected payment amount validation error")
+	}
+}
+
+func TestGetPaymentServiceRequiresID(t *testing.T) {
+	service := GetPaymentService{
+		Handlers: []GetPaymentHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetPaymentInput{}); err == nil {
+		t.Fatal("expected payment id validation error")
+	}
+}
+
+func newTestCreatePaymentRequest() shared.V3CreatePaymentRequest {
+	return shared.V3CreatePaymentRequest{
+		Amount:        big.NewInt(100),
+		InitialAmount: big.NewInt(100),
+		Asset:         "USD/2",
+		ConnectorID:   "conn_1",
+		Type:          shared.V3PaymentTypeEnumPayout,
+	}
+}
+
+func TestSetPaymentMetadataServiceSelectsResolvedHandler(t *testing.T) {
+	service := SetPaymentMetadataService{
+		Handlers: []SetPaymentMetadataHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, SetPaymentMetadataInput) (SetPaymentMetadataOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return SetPaymentMetadataOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input SetPaymentMetadataInput) (SetPaymentMetadataOutput, error) {
+					if input.PaymentID != "pay_1" || input.Metadata["env"] != "dev" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return SetPaymentMetadataOutput{PaymentID: input.PaymentID}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), SetPaymentMetadataInput{PaymentID: "pay_1", Metadata: map[string]string{"env": "dev"}})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PaymentID != "pay_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestSetPaymentMetadataServiceRequiresMetadata(t *testing.T) {
+	service := SetPaymentMetadataService{
+		Handlers: []SetPaymentMetadataHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), SetPaymentMetadataInput{PaymentID: "pay_1"}); err == nil {
+		t.Fatal("expected payment metadata validation error")
+	}
+}
diff --git a/v4/internal/commands/payments/pools.go b/v4/internal/commands/payments/pools.go
new file mode 100644
index 00000000..50e1b550
--- /dev/null
+++ b/v4/internal/commands/payments/pools.go
@@ -0,0 +1,740 @@
+package payments
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureAddAccountToPool      capabilities.Feature = "addAccountToPool"
+	FeatureCreatePool            capabilities.Feature = "createPool"
+	FeatureDeletePool            capabilities.Feature = "deletePool"
+	FeatureGetPool               capabilities.Feature = "getPool"
+	FeatureGetPoolBalances       capabilities.Feature = "getPoolBalances"
+	FeatureGetPoolBalancesLatest capabilities.Feature = "getPoolBalancesLatest"
+	FeatureListPools             capabilities.Feature = "listPools"
+	FeatureRemoveAccountFromPool capabilities.Feature = "removeAccountFromPool"
+	FeatureUpdatePoolQuery       capabilities.Feature = "updatePoolQuery"
+)
+
+type PoolSummary struct {
+	ID        string         `json:"id" yaml:"id"`
+	Name      string         `json:"name" yaml:"name"`
+	Accounts  []string       `json:"accounts" yaml:"accounts"`
+	CreatedAt time.Time      `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	Type      string         `json:"type,omitempty" yaml:"type,omitempty"`
+	Query     map[string]any `json:"query,omitempty" yaml:"query,omitempty"`
+}
+
+type ListPoolsInput struct {
+	PageSize int64
+	Cursor   string
+	Query    string
+}
+
+type ListPoolsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Pools      []PoolSummary           `json:"pools" yaml:"pools"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type CreatePoolInput struct {
+	Payload []byte
+}
+
+type CreatePoolOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PoolID     string                  `json:"poolID" yaml:"poolID"`
+}
+
+type GetPoolInput struct {
+	PoolID string
+}
+
+type GetPoolOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Pool       PoolSummary             `json:"pool" yaml:"pool"`
+}
+
+type DeletePoolInput struct {
+	PoolID string
+}
+
+type DeletePoolOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PoolID     string                  `json:"poolID" yaml:"poolID"`
+}
+
+type PoolAccountInput struct {
+	PoolID    string
+	AccountID string
+}
+
+type PoolAccountOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PoolID     string                  `json:"poolID" yaml:"poolID"`
+	AccountID  string                  `json:"accountID" yaml:"accountID"`
+}
+
+type UpdatePoolQueryInput struct {
+	PoolID string
+	Query  map[string]any
+}
+
+type UpdatePoolQueryOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PoolID     string                  `json:"poolID" yaml:"poolID"`
+}
+
+type PoolBalanceSummary struct {
+	Asset           string   `json:"asset" yaml:"asset"`
+	Amount          string   `json:"amount" yaml:"amount"`
+	RelatedAccounts []string `json:"relatedAccounts,omitempty" yaml:"relatedAccounts,omitempty"`
+}
+
+type GetPoolBalancesInput struct {
+	PoolID string
+	At     time.Time
+	Latest bool
+}
+
+type GetPoolBalancesOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PoolID     string                  `json:"poolID" yaml:"poolID"`
+	Balances   []PoolBalanceSummary    `json:"balances" yaml:"balances"`
+}
+
+type ListPoolsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListPoolsInput) (ListPoolsOutput, error)
+}
+
+type CreatePoolHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreatePoolInput) (CreatePoolOutput, error)
+}
+
+type GetPoolHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetPoolInput) (GetPoolOutput, error)
+}
+
+type DeletePoolHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeletePoolInput) (DeletePoolOutput, error)
+}
+
+type PoolAccountHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, PoolAccountInput) (PoolAccountOutput, error)
+}
+
+type UpdatePoolQueryHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, UpdatePoolQueryInput) (UpdatePoolQueryOutput, error)
+}
+
+type GetPoolBalancesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetPoolBalancesInput) (GetPoolBalancesOutput, error)
+}
+
+type ListPoolsService struct {
+	Handlers []ListPoolsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreatePoolService struct {
+	Handlers []CreatePoolHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetPoolService struct {
+	Handlers []GetPoolHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeletePoolService struct {
+	Handlers []DeletePoolHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type AddAccountToPoolService struct {
+	Handlers []PoolAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type RemoveAccountFromPoolService struct {
+	Handlers []PoolAccountHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type UpdatePoolQueryService struct {
+	Handlers []UpdatePoolQueryHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetPoolBalancesService struct {
+	Handlers []GetPoolBalancesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListPoolsService) Run(ctx context.Context, input ListPoolsInput) (ListPoolsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListPoolsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListPoolsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListPoolsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListPoolsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreatePoolService) Run(ctx context.Context, input CreatePoolInput) (CreatePoolOutput, error) {
+	if len(input.Payload) == 0 {
+		return CreatePoolOutput{}, fmt.Errorf("pool request is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreatePoolHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreatePoolOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreatePoolOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreatePoolOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetPoolService) Run(ctx context.Context, input GetPoolInput) (GetPoolOutput, error) {
+	if input.PoolID == "" {
+		return GetPoolOutput{}, fmt.Errorf("pool id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetPoolHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetPoolOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetPoolOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetPoolOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s DeletePoolService) Run(ctx context.Context, input DeletePoolInput) (DeletePoolOutput, error) {
+	if input.PoolID == "" {
+		return DeletePoolOutput{}, fmt.Errorf("pool id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]DeletePoolHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return DeletePoolOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return DeletePoolOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeletePoolOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s AddAccountToPoolService) Run(ctx context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+	return runPoolAccountService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s RemoveAccountFromPoolService) Run(ctx context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+	return runPoolAccountService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s UpdatePoolQueryService) Run(ctx context.Context, input UpdatePoolQueryInput) (UpdatePoolQueryOutput, error) {
+	if input.PoolID == "" {
+		return UpdatePoolQueryOutput{}, fmt.Errorf("pool id is required")
+	}
+	if input.Query == nil {
+		return UpdatePoolQueryOutput{}, fmt.Errorf("pool query is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]UpdatePoolQueryHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return UpdatePoolQueryOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return UpdatePoolQueryOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return UpdatePoolQueryOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetPoolBalancesService) Run(ctx context.Context, input GetPoolBalancesInput) (GetPoolBalancesOutput, error) {
+	if input.PoolID == "" {
+		return GetPoolBalancesOutput{}, fmt.Errorf("pool id is required")
+	}
+	if !input.Latest && input.At.IsZero() {
+		return GetPoolBalancesOutput{}, fmt.Errorf("pool balances at time is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetPoolBalancesHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetPoolBalancesOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetPoolBalancesOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetPoolBalancesOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func runPoolAccountService(
+	ctx context.Context,
+	input PoolAccountInput,
+	serviceHandlers []PoolAccountHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (PoolAccountOutput, error) {
+	if input.PoolID == "" {
+		return PoolAccountOutput{}, fmt.Errorf("pool id is required")
+	}
+	if input.AccountID == "" {
+		return PoolAccountOutput{}, fmt.Errorf("account id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(serviceHandlers))
+	handlers := map[capabilities.APIVersion]PoolAccountHandler{}
+	for _, handler := range serviceHandlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return PoolAccountOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return PoolAccountOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return PoolAccountOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListPoolsHandlers(sdk *formance.Formance) []ListPoolsHandler {
+	return []ListPoolsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListPoolsInput) (ListPoolsOutput, error) {
+				response, err := sdk.Payments.V1.ListPools(ctx, operations.ListPoolsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					Query:    optionalString(input.Query),
+				})
+				if err != nil {
+					return ListPoolsOutput{}, err
+				}
+				if response.PoolsCursor == nil {
+					return ListPoolsOutput{}, fmt.Errorf("payments v1 list pools returned no cursor")
+				}
+				return fromV1PoolsCursor(response.PoolsCursor.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListPoolsInput) (ListPoolsOutput, error) {
+				response, err := sdk.Payments.V3.ListPools(ctx, operations.V3ListPoolsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListPoolsOutput{}, err
+				}
+				if response.V3PoolsCursorResponse == nil {
+					return ListPoolsOutput{}, fmt.Errorf("payments v3 list pools returned no cursor")
+				}
+				return fromV3PoolsCursor(response.V3PoolsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKCreatePoolHandlers(sdk *formance.Formance) []CreatePoolHandler {
+	return []CreatePoolHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreatePoolInput) (CreatePoolOutput, error) {
+				var request shared.PoolRequest
+				if err := json.Unmarshal(input.Payload, &request); err != nil {
+					return CreatePoolOutput{}, err
+				}
+				response, err := sdk.Payments.V1.CreatePool(ctx, request)
+				if err != nil {
+					return CreatePoolOutput{}, err
+				}
+				if response.PoolResponse == nil {
+					return CreatePoolOutput{}, fmt.Errorf("payments v1 create pool returned no data")
+				}
+				return CreatePoolOutput{PoolID: response.PoolResponse.Data.ID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input CreatePoolInput) (CreatePoolOutput, error) {
+				var request shared.V3CreatePoolRequest
+				if err := json.Unmarshal(input.Payload, &request); err != nil {
+					return CreatePoolOutput{}, err
+				}
+				response, err := sdk.Payments.V3.CreatePool(ctx, &request)
+				if err != nil {
+					return CreatePoolOutput{}, err
+				}
+				if response.V3CreatePoolResponse == nil {
+					return CreatePoolOutput{}, fmt.Errorf("payments v3 create pool returned no data")
+				}
+				return CreatePoolOutput{PoolID: response.V3CreatePoolResponse.Data}, nil
+			},
+		},
+	}
+}
+
+func SDKGetPoolHandlers(sdk *formance.Formance) []GetPoolHandler {
+	return []GetPoolHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetPoolInput) (GetPoolOutput, error) {
+				response, err := sdk.Payments.V1.GetPool(ctx, operations.GetPoolRequest{PoolID: input.PoolID})
+				if err != nil {
+					return GetPoolOutput{}, err
+				}
+				if response.PoolResponse == nil {
+					return GetPoolOutput{}, fmt.Errorf("payments v1 get pool returned no data")
+				}
+				return GetPoolOutput{Pool: fromV1Pool(response.PoolResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetPoolInput) (GetPoolOutput, error) {
+				response, err := sdk.Payments.V3.GetPool(ctx, operations.V3GetPoolRequest{PoolID: input.PoolID})
+				if err != nil {
+					return GetPoolOutput{}, err
+				}
+				if response.V3GetPoolResponse == nil {
+					return GetPoolOutput{}, fmt.Errorf("payments v3 get pool returned no data")
+				}
+				return GetPoolOutput{Pool: fromV3Pool(response.V3GetPoolResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeletePoolHandlers(sdk *formance.Formance) []DeletePoolHandler {
+	return []DeletePoolHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input DeletePoolInput) (DeletePoolOutput, error) {
+				if _, err := sdk.Payments.V1.DeletePool(ctx, operations.DeletePoolRequest{PoolID: input.PoolID}); err != nil {
+					return DeletePoolOutput{}, err
+				}
+				return DeletePoolOutput{PoolID: input.PoolID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input DeletePoolInput) (DeletePoolOutput, error) {
+				if _, err := sdk.Payments.V3.DeletePool(ctx, operations.V3DeletePoolRequest{PoolID: input.PoolID}); err != nil {
+					return DeletePoolOutput{}, err
+				}
+				return DeletePoolOutput{PoolID: input.PoolID}, nil
+			},
+		},
+	}
+}
+
+func SDKAddAccountToPoolHandlers(sdk *formance.Formance) []PoolAccountHandler {
+	return []PoolAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+				if _, err := sdk.Payments.V1.AddAccountToPool(ctx, operations.AddAccountToPoolRequest{
+					PoolID: input.PoolID,
+					AddAccountToPoolRequest: shared.AddAccountToPoolRequest{
+						AccountID: input.AccountID,
+					},
+				}); err != nil {
+					return PoolAccountOutput{}, err
+				}
+				return PoolAccountOutput{PoolID: input.PoolID, AccountID: input.AccountID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+				if _, err := sdk.Payments.V3.AddAccountToPool(ctx, operations.V3AddAccountToPoolRequest{
+					PoolID:    input.PoolID,
+					AccountID: input.AccountID,
+				}); err != nil {
+					return PoolAccountOutput{}, err
+				}
+				return PoolAccountOutput{PoolID: input.PoolID, AccountID: input.AccountID}, nil
+			},
+		},
+	}
+}
+
+func SDKRemoveAccountFromPoolHandlers(sdk *formance.Formance) []PoolAccountHandler {
+	return []PoolAccountHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+				if _, err := sdk.Payments.V1.RemoveAccountFromPool(ctx, operations.RemoveAccountFromPoolRequest{
+					PoolID:    input.PoolID,
+					AccountID: input.AccountID,
+				}); err != nil {
+					return PoolAccountOutput{}, err
+				}
+				return PoolAccountOutput{PoolID: input.PoolID, AccountID: input.AccountID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+				if _, err := sdk.Payments.V3.RemoveAccountFromPool(ctx, operations.V3RemoveAccountFromPoolRequest{
+					PoolID:    input.PoolID,
+					AccountID: input.AccountID,
+				}); err != nil {
+					return PoolAccountOutput{}, err
+				}
+				return PoolAccountOutput{PoolID: input.PoolID, AccountID: input.AccountID}, nil
+			},
+		},
+	}
+}
+
+func SDKUpdatePoolQueryHandlers(sdk *formance.Formance) []UpdatePoolQueryHandler {
+	return []UpdatePoolQueryHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input UpdatePoolQueryInput) (UpdatePoolQueryOutput, error) {
+				if _, err := sdk.Payments.V1.UpdatePoolQuery(ctx, operations.UpdatePoolQueryRequest{
+					PoolID: input.PoolID,
+					UpdatePoolQueryRequest: shared.UpdatePoolQueryRequest{
+						Query: input.Query,
+					},
+				}); err != nil {
+					return UpdatePoolQueryOutput{}, err
+				}
+				return UpdatePoolQueryOutput{PoolID: input.PoolID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input UpdatePoolQueryInput) (UpdatePoolQueryOutput, error) {
+				if _, err := sdk.Payments.V3.UpdatePoolQuery(ctx, operations.V3UpdatePoolQueryRequest{
+					PoolID: input.PoolID,
+					V3UpdatePoolQueryRequest: &shared.V3UpdatePoolQueryRequest{
+						Query: input.Query,
+					},
+				}); err != nil {
+					return UpdatePoolQueryOutput{}, err
+				}
+				return UpdatePoolQueryOutput{PoolID: input.PoolID}, nil
+			},
+		},
+	}
+}
+
+func SDKGetPoolBalancesHandlers(sdk *formance.Formance) []GetPoolBalancesHandler {
+	return []GetPoolBalancesHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetPoolBalancesInput) (GetPoolBalancesOutput, error) {
+				if input.Latest {
+					response, err := sdk.Payments.V1.GetPoolBalancesLatest(ctx, operations.GetPoolBalancesLatestRequest{PoolID: input.PoolID})
+					if err != nil {
+						return GetPoolBalancesOutput{}, err
+					}
+					if response.PoolBalancesLatestResponse == nil {
+						return GetPoolBalancesOutput{}, fmt.Errorf("payments v1 get latest pool balances returned no data")
+					}
+					return GetPoolBalancesOutput{PoolID: input.PoolID, Balances: fromV1PoolBalances(response.PoolBalancesLatestResponse.Data)}, nil
+				}
+				response, err := sdk.Payments.V1.GetPoolBalances(ctx, operations.GetPoolBalancesRequest{
+					PoolID: input.PoolID,
+					At:     input.At,
+				})
+				if err != nil {
+					return GetPoolBalancesOutput{}, err
+				}
+				if response.PoolBalancesResponse == nil {
+					return GetPoolBalancesOutput{}, fmt.Errorf("payments v1 get pool balances returned no data")
+				}
+				return GetPoolBalancesOutput{PoolID: input.PoolID, Balances: fromV1PoolBalances(response.PoolBalancesResponse.Data.Balances)}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetPoolBalancesInput) (GetPoolBalancesOutput, error) {
+				if input.Latest {
+					response, err := sdk.Payments.V3.GetPoolBalancesLatest(ctx, operations.V3GetPoolBalancesLatestRequest{PoolID: input.PoolID})
+					if err != nil {
+						return GetPoolBalancesOutput{}, err
+					}
+					if response.V3PoolBalancesResponse == nil {
+						return GetPoolBalancesOutput{}, fmt.Errorf("payments v3 get latest pool balances returned no data")
+					}
+					return GetPoolBalancesOutput{PoolID: input.PoolID, Balances: fromV3PoolBalances(response.V3PoolBalancesResponse.Data)}, nil
+				}
+				response, err := sdk.Payments.V3.GetPoolBalances(ctx, operations.V3GetPoolBalancesRequest{
+					PoolID: input.PoolID,
+					At:     &input.At,
+				})
+				if err != nil {
+					return GetPoolBalancesOutput{}, err
+				}
+				if response.V3PoolBalancesResponse == nil {
+					return GetPoolBalancesOutput{}, fmt.Errorf("payments v3 get pool balances returned no data")
+				}
+				return GetPoolBalancesOutput{PoolID: input.PoolID, Balances: fromV3PoolBalances(response.V3PoolBalancesResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func fromV1PoolsCursor(cursor shared.PoolsCursorCursor) ListPoolsOutput {
+	pools := make([]PoolSummary, 0, len(cursor.Data))
+	for _, pool := range cursor.Data {
+		pools = append(pools, fromV1Pool(pool))
+	}
+	return ListPoolsOutput{Pools: pools, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV3PoolsCursor(cursor shared.V3PoolsCursorResponseCursor) ListPoolsOutput {
+	pools := make([]PoolSummary, 0, len(cursor.Data))
+	for _, pool := range cursor.Data {
+		pools = append(pools, fromV3Pool(pool))
+	}
+	return ListPoolsOutput{Pools: pools, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV1Pool(pool shared.Pool) PoolSummary {
+	summary := PoolSummary{
+		ID:       pool.ID,
+		Name:     pool.Name,
+		Accounts: pool.Accounts,
+		Query:    pool.Query,
+	}
+	if pool.Type != nil {
+		summary.Type = string(*pool.Type)
+	}
+	return summary
+}
+
+func fromV3Pool(pool shared.V3Pool) PoolSummary {
+	summary := PoolSummary{
+		ID:        pool.ID,
+		Name:      pool.Name,
+		Accounts:  pool.PoolAccounts,
+		CreatedAt: pool.CreatedAt,
+		Query:     pool.Query,
+	}
+	if pool.Type != nil {
+		summary.Type = string(*pool.Type)
+	}
+	return summary
+}
+
+func fromV1PoolBalances(balances []shared.PoolBalance) []PoolBalanceSummary {
+	summaries := make([]PoolBalanceSummary, 0, len(balances))
+	for _, balance := range balances {
+		summaries = append(summaries, PoolBalanceSummary{
+			Asset:           balance.Asset,
+			Amount:          bigIntString(balance.Amount),
+			RelatedAccounts: balance.RelatedAccounts,
+		})
+	}
+	return summaries
+}
+
+func fromV3PoolBalances(balances []shared.V3PoolBalance) []PoolBalanceSummary {
+	summaries := make([]PoolBalanceSummary, 0, len(balances))
+	for _, balance := range balances {
+		summaries = append(summaries, PoolBalanceSummary{
+			Asset:           balance.Asset,
+			Amount:          bigIntString(balance.Amount),
+			RelatedAccounts: balance.RelatedAccounts,
+		})
+	}
+	return summaries
+}
diff --git a/v4/internal/commands/payments/pools_test.go b/v4/internal/commands/payments/pools_test.go
new file mode 100644
index 00000000..b2474e22
--- /dev/null
+++ b/v4/internal/commands/payments/pools_test.go
@@ -0,0 +1,197 @@
+package payments
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListPoolsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListPoolsService{
+		Handlers: []ListPoolsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListPoolsInput) (ListPoolsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListPoolsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListPoolsInput) (ListPoolsOutput, error) {
+					if input.PageSize != 10 {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListPoolsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListPoolsInput{PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreatePoolServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreatePoolService{
+		Handlers: []CreatePoolHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, CreatePoolInput) (CreatePoolOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return CreatePoolOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input CreatePoolInput) (CreatePoolOutput, error) {
+					if string(input.Payload) != `{"name":"Pool"}` {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreatePoolOutput{PoolID: "pool_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreatePoolInput{Payload: []byte(`{"name":"Pool"}`)})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PoolID != "pool_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreatePoolServiceRequiresPayload(t *testing.T) {
+	service := CreatePoolService{
+		Handlers: []CreatePoolHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreatePoolInput{}); err == nil {
+		t.Fatal("expected pool request validation error")
+	}
+}
+
+func TestGetPoolServiceRequiresID(t *testing.T) {
+	service := GetPoolService{
+		Handlers: []GetPoolHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetPoolInput{}); err == nil {
+		t.Fatal("expected pool id validation error")
+	}
+}
+
+func TestDeletePoolServiceRequiresID(t *testing.T) {
+	service := DeletePoolService{
+		Handlers: []DeletePoolHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), DeletePoolInput{}); err == nil {
+		t.Fatal("expected pool id validation error")
+	}
+}
+
+func TestAddAccountToPoolServiceSelectsResolvedHandler(t *testing.T) {
+	service := AddAccountToPoolService{
+		Handlers: []PoolAccountHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, PoolAccountInput) (PoolAccountOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return PoolAccountOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input PoolAccountInput) (PoolAccountOutput, error) {
+					if input.PoolID != "pool_1" || input.AccountID != "acc_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return PoolAccountOutput{PoolID: input.PoolID, AccountID: input.AccountID}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), PoolAccountInput{PoolID: "pool_1", AccountID: "acc_1"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PoolID != "pool_1" || output.AccountID != "acc_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestRemoveAccountFromPoolServiceRequiresAccountID(t *testing.T) {
+	service := RemoveAccountFromPoolService{
+		Handlers: []PoolAccountHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), PoolAccountInput{PoolID: "pool_1"}); err == nil {
+		t.Fatal("expected account id validation error")
+	}
+}
+
+func TestUpdatePoolQueryServiceRequiresQuery(t *testing.T) {
+	service := UpdatePoolQueryService{
+		Handlers: []UpdatePoolQueryHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), UpdatePoolQueryInput{PoolID: "pool_1"}); err == nil {
+		t.Fatal("expected pool query validation error")
+	}
+}
+
+func TestGetPoolBalancesServiceRequiresAtForHistoricalBalances(t *testing.T) {
+	service := GetPoolBalancesService{
+		Handlers: []GetPoolBalancesHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetPoolBalancesInput{PoolID: "pool_1"}); err == nil {
+		t.Fatal("expected at validation error")
+	}
+}
diff --git a/v4/internal/commands/payments/tasks.go b/v4/internal/commands/payments/tasks.go
new file mode 100644
index 00000000..e3328dc4
--- /dev/null
+++ b/v4/internal/commands/payments/tasks.go
@@ -0,0 +1,100 @@
+package payments
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const FeatureGetTask capabilities.Feature = "getTask"
+
+type TaskSummary struct {
+	ID              string    `json:"id" yaml:"id"`
+	ConnectorID     string    `json:"connectorID,omitempty" yaml:"connectorID,omitempty"`
+	CreatedObjectID string    `json:"createdObjectID,omitempty" yaml:"createdObjectID,omitempty"`
+	Status          string    `json:"status" yaml:"status"`
+	Error           string    `json:"error,omitempty" yaml:"error,omitempty"`
+	CreatedAt       time.Time `json:"createdAt" yaml:"createdAt"`
+	UpdatedAt       time.Time `json:"updatedAt" yaml:"updatedAt"`
+}
+
+type GetTaskInput struct {
+	TaskID string
+}
+
+type GetTaskOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Task       TaskSummary             `json:"task" yaml:"task"`
+}
+
+type GetTaskHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetTaskInput) (GetTaskOutput, error)
+}
+
+type GetTaskService struct {
+	Handlers []GetTaskHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s GetTaskService) Run(ctx context.Context, input GetTaskInput) (GetTaskOutput, error) {
+	if input.TaskID == "" {
+		return GetTaskOutput{}, fmt.Errorf("task id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetTaskHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetTaskOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetTaskOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetTaskOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKGetTaskHandlers(sdk *formance.Formance) []GetTaskHandler {
+	return []GetTaskHandler{
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetTaskInput) (GetTaskOutput, error) {
+				response, err := sdk.Payments.V3.GetTask(ctx, operations.V3GetTaskRequest{TaskID: input.TaskID})
+				if err != nil {
+					return GetTaskOutput{}, err
+				}
+				if response.V3GetTaskResponse == nil {
+					return GetTaskOutput{}, fmt.Errorf("payments v3 get task returned no data")
+				}
+				return GetTaskOutput{Task: fromV3Task(response.V3GetTaskResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func fromV3Task(task shared.V3Task) TaskSummary {
+	return TaskSummary{
+		ID:              task.ID,
+		ConnectorID:     stringValue(task.ConnectorID),
+		CreatedObjectID: stringValue(task.CreatedObjectID),
+		Status:          string(task.Status),
+		Error:           stringValue(task.Error),
+		CreatedAt:       task.CreatedAt,
+		UpdatedAt:       task.UpdatedAt,
+	}
+}
diff --git a/v4/internal/commands/payments/tasks_test.go b/v4/internal/commands/payments/tasks_test.go
new file mode 100644
index 00000000..bd5b6af0
--- /dev/null
+++ b/v4/internal/commands/payments/tasks_test.go
@@ -0,0 +1,50 @@
+package payments
+
+import (
+	"context"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestGetTaskServiceSelectsResolvedHandler(t *testing.T) {
+	service := GetTaskService{
+		Handlers: []GetTaskHandler{
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input GetTaskInput) (GetTaskOutput, error) {
+					if input.TaskID != "task_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return GetTaskOutput{Task: TaskSummary{ID: input.TaskID}}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), GetTaskInput{TaskID: "task_1"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.Task.ID != "task_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestGetTaskServiceRequiresID(t *testing.T) {
+	service := GetTaskService{
+		Handlers: []GetTaskHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetTaskInput{}); err == nil {
+		t.Fatal("expected task id validation error")
+	}
+}
diff --git a/v4/internal/commands/payments/transfer_initiations.go b/v4/internal/commands/payments/transfer_initiations.go
new file mode 100644
index 00000000..d2b5a363
--- /dev/null
+++ b/v4/internal/commands/payments/transfer_initiations.go
@@ -0,0 +1,713 @@
+package payments
+
+import (
+	"context"
+	"fmt"
+	"math/big"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	FeatureApprovePaymentInitiation       capabilities.Feature = "approvePaymentInitiation"
+	FeatureCreateTransferInitiation       capabilities.Feature = "createTransferInitiation"
+	FeatureDeletePaymentInitiation        capabilities.Feature = "deletePaymentInitiation"
+	FeatureGetTransferInitiation          capabilities.Feature = "getTransferInitiation"
+	FeatureListTransferInitiation         capabilities.Feature = "listTransferInitiations"
+	FeatureRejectPaymentInitiation        capabilities.Feature = "rejectPaymentInitiation"
+	FeatureRetryPaymentInitiation         capabilities.Feature = "retryPaymentInitiation"
+	FeatureReversePaymentInitiation       capabilities.Feature = "reversePaymentInitiation"
+	FeatureUpdateTransferInitiationStatus capabilities.Feature = "updateTransferInitiationStatus"
+)
+
+type TransferInitiationSummary struct {
+	ID                   string            `json:"id" yaml:"id"`
+	Reference            string            `json:"reference" yaml:"reference"`
+	Type                 string            `json:"type" yaml:"type"`
+	Status               string            `json:"status" yaml:"status"`
+	Asset                string            `json:"asset" yaml:"asset"`
+	Amount               string            `json:"amount" yaml:"amount"`
+	InitialAmount        string            `json:"initialAmount,omitempty" yaml:"initialAmount,omitempty"`
+	ConnectorID          string            `json:"connectorID" yaml:"connectorID"`
+	Provider             string            `json:"provider,omitempty" yaml:"provider,omitempty"`
+	SourceAccountID      string            `json:"sourceAccountID,omitempty" yaml:"sourceAccountID,omitempty"`
+	DestinationAccountID string            `json:"destinationAccountID,omitempty" yaml:"destinationAccountID,omitempty"`
+	Description          string            `json:"description,omitempty" yaml:"description,omitempty"`
+	Error                string            `json:"error,omitempty" yaml:"error,omitempty"`
+	CreatedAt            time.Time         `json:"createdAt" yaml:"createdAt"`
+	ScheduledAt          time.Time         `json:"scheduledAt" yaml:"scheduledAt"`
+	Metadata             map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type ListTransferInitiationsInput struct {
+	PageSize int64
+	Cursor   string
+	Query    string
+}
+
+type CreateTransferInitiationInput struct {
+	Amount               *big.Int
+	Asset                string
+	ConnectorID          string
+	Description          string
+	DestinationAccountID string
+	Metadata             map[string]string
+	Reference            string
+	ScheduledAt          time.Time
+	SourceAccountID      string
+	Type                 string
+	Validated            bool
+}
+
+type CreateTransferInitiationOutput struct {
+	APIVersion           capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	TransferInitiationID string                  `json:"transferInitiationID" yaml:"transferInitiationID"`
+	TaskID               string                  `json:"taskID,omitempty" yaml:"taskID,omitempty"`
+}
+
+type ListTransferInitiationsOutput struct {
+	APIVersion          capabilities.APIVersion     `json:"apiVersion" yaml:"apiVersion"`
+	TransferInitiations []TransferInitiationSummary `json:"transferInitiations" yaml:"transferInitiations"`
+	HasMore             bool                        `json:"hasMore" yaml:"hasMore"`
+	PageSize            int64                       `json:"pageSize" yaml:"pageSize"`
+	Next                *string                     `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous            *string                     `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetTransferInitiationInput struct {
+	TransferInitiationID string
+}
+
+type GetTransferInitiationOutput struct {
+	APIVersion         capabilities.APIVersion   `json:"apiVersion" yaml:"apiVersion"`
+	TransferInitiation TransferInitiationSummary `json:"transferInitiation" yaml:"transferInitiation"`
+}
+
+type TransferInitiationActionInput struct {
+	TransferInitiationID string
+}
+
+type TransferInitiationActionOutput struct {
+	APIVersion           capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	TransferInitiationID string                  `json:"transferInitiationID" yaml:"transferInitiationID"`
+	TaskID               string                  `json:"taskID,omitempty" yaml:"taskID,omitempty"`
+}
+
+type UpdateTransferInitiationStatusInput struct {
+	TransferInitiationID string
+	Status               string
+}
+
+type UpdateTransferInitiationStatusOutput struct {
+	APIVersion           capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	TransferInitiationID string                  `json:"transferInitiationID" yaml:"transferInitiationID"`
+	Status               string                  `json:"status" yaml:"status"`
+}
+
+type ReverseTransferInitiationInput struct {
+	TransferInitiationID string
+	Amount               *big.Int
+	Asset                string
+	Description          string
+	Metadata             map[string]string
+	Reference            string
+}
+
+type ReverseTransferInitiationOutput struct {
+	APIVersion           capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	TransferInitiationID string                  `json:"transferInitiationID" yaml:"transferInitiationID"`
+	TaskID               string                  `json:"taskID,omitempty" yaml:"taskID,omitempty"`
+	ReversalID           string                  `json:"reversalID,omitempty" yaml:"reversalID,omitempty"`
+}
+
+type ListTransferInitiationsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListTransferInitiationsInput) (ListTransferInitiationsOutput, error)
+}
+
+type CreateTransferInitiationHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateTransferInitiationInput) (CreateTransferInitiationOutput, error)
+}
+
+type GetTransferInitiationHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetTransferInitiationInput) (GetTransferInitiationOutput, error)
+}
+
+type TransferInitiationActionHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, TransferInitiationActionInput) (TransferInitiationActionOutput, error)
+}
+
+type UpdateTransferInitiationStatusHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, UpdateTransferInitiationStatusInput) (UpdateTransferInitiationStatusOutput, error)
+}
+
+type ReverseTransferInitiationHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ReverseTransferInitiationInput) (ReverseTransferInitiationOutput, error)
+}
+
+type ListTransferInitiationsService struct {
+	Handlers []ListTransferInitiationsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateTransferInitiationService struct {
+	Handlers []CreateTransferInitiationHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetTransferInitiationService struct {
+	Handlers []GetTransferInitiationHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type TransferInitiationActionService struct {
+	Handlers []TransferInitiationActionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type UpdateTransferInitiationStatusService struct {
+	Handlers []UpdateTransferInitiationStatusHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ReverseTransferInitiationService struct {
+	Handlers []ReverseTransferInitiationHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListTransferInitiationsService) Run(ctx context.Context, input ListTransferInitiationsInput) (ListTransferInitiationsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListTransferInitiationsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListTransferInitiationsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListTransferInitiationsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListTransferInitiationsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreateTransferInitiationService) Run(ctx context.Context, input CreateTransferInitiationInput) (CreateTransferInitiationOutput, error) {
+	if input.Amount == nil {
+		return CreateTransferInitiationOutput{}, fmt.Errorf("transfer initiation amount is required")
+	}
+	if input.Asset == "" {
+		return CreateTransferInitiationOutput{}, fmt.Errorf("transfer initiation asset is required")
+	}
+	if input.Type != "TRANSFER" && input.Type != "PAYOUT" {
+		return CreateTransferInitiationOutput{}, fmt.Errorf("unsupported transfer initiation type %q: expected TRANSFER or PAYOUT", input.Type)
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateTransferInitiationHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateTransferInitiationOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateTransferInitiationOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateTransferInitiationOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetTransferInitiationService) Run(ctx context.Context, input GetTransferInitiationInput) (GetTransferInitiationOutput, error) {
+	if input.TransferInitiationID == "" {
+		return GetTransferInitiationOutput{}, fmt.Errorf("transfer initiation id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetTransferInitiationHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetTransferInitiationOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetTransferInitiationOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetTransferInitiationOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s TransferInitiationActionService) Run(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+	if input.TransferInitiationID == "" {
+		return TransferInitiationActionOutput{}, fmt.Errorf("transfer initiation id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]TransferInitiationActionHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return TransferInitiationActionOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return TransferInitiationActionOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return TransferInitiationActionOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s UpdateTransferInitiationStatusService) Run(ctx context.Context, input UpdateTransferInitiationStatusInput) (UpdateTransferInitiationStatusOutput, error) {
+	if input.TransferInitiationID == "" {
+		return UpdateTransferInitiationStatusOutput{}, fmt.Errorf("transfer initiation id is required")
+	}
+	if input.Status == "" {
+		return UpdateTransferInitiationStatusOutput{}, fmt.Errorf("transfer initiation status is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]UpdateTransferInitiationStatusHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return UpdateTransferInitiationStatusOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return UpdateTransferInitiationStatusOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return UpdateTransferInitiationStatusOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ReverseTransferInitiationService) Run(ctx context.Context, input ReverseTransferInitiationInput) (ReverseTransferInitiationOutput, error) {
+	if input.TransferInitiationID == "" {
+		return ReverseTransferInitiationOutput{}, fmt.Errorf("transfer initiation id is required")
+	}
+	if input.Amount == nil {
+		return ReverseTransferInitiationOutput{}, fmt.Errorf("reverse transfer initiation amount is required")
+	}
+	if input.Asset == "" {
+		return ReverseTransferInitiationOutput{}, fmt.Errorf("reverse transfer initiation asset is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ReverseTransferInitiationHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ReverseTransferInitiationOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ReverseTransferInitiationOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ReverseTransferInitiationOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKListTransferInitiationsHandlers(sdk *formance.Formance) []ListTransferInitiationsHandler {
+	return []ListTransferInitiationsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListTransferInitiationsInput) (ListTransferInitiationsOutput, error) {
+				response, err := sdk.Payments.V1.ListTransferInitiations(ctx, operations.ListTransferInitiationsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					Query:    optionalString(input.Query),
+				})
+				if err != nil {
+					return ListTransferInitiationsOutput{}, err
+				}
+				if response.TransferInitiationsCursor == nil {
+					return ListTransferInitiationsOutput{}, fmt.Errorf("payments v1 list transfer initiations returned no cursor")
+				}
+				return fromV1TransferInitiationsCursor(response.TransferInitiationsCursor.Cursor), nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ListTransferInitiationsInput) (ListTransferInitiationsOutput, error) {
+				response, err := sdk.Payments.V3.ListPaymentInitiations(ctx, operations.V3ListPaymentInitiationsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+				})
+				if err != nil {
+					return ListTransferInitiationsOutput{}, err
+				}
+				if response.V3PaymentInitiationsCursorResponse == nil {
+					return ListTransferInitiationsOutput{}, fmt.Errorf("payments v3 list payment initiations returned no cursor")
+				}
+				return fromV3PaymentInitiationsCursor(response.V3PaymentInitiationsCursorResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKCreateTransferInitiationHandlers(sdk *formance.Formance) []CreateTransferInitiationHandler {
+	return []CreateTransferInitiationHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateTransferInitiationInput) (CreateTransferInitiationOutput, error) {
+				response, err := sdk.Payments.V1.CreateTransferInitiation(ctx, shared.TransferInitiationRequest{
+					Amount:               input.Amount,
+					Asset:                input.Asset,
+					ConnectorID:          optionalString(input.ConnectorID),
+					Description:          input.Description,
+					DestinationAccountID: input.DestinationAccountID,
+					Metadata:             input.Metadata,
+					Reference:            input.Reference,
+					ScheduledAt:          input.ScheduledAt,
+					SourceAccountID:      input.SourceAccountID,
+					Type:                 shared.TransferInitiationRequestType(input.Type),
+					Validated:            input.Validated,
+				})
+				if err != nil {
+					return CreateTransferInitiationOutput{}, err
+				}
+				if response.TransferInitiationResponse == nil {
+					return CreateTransferInitiationOutput{}, fmt.Errorf("payments v1 create transfer initiation returned no data")
+				}
+				return CreateTransferInitiationOutput{TransferInitiationID: response.TransferInitiationResponse.Data.ID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input CreateTransferInitiationInput) (CreateTransferInitiationOutput, error) {
+				response, err := sdk.Payments.V3.InitiatePayment(ctx, operations.V3InitiatePaymentRequest{
+					NoValidation: pointer(input.Validated),
+					V3InitiatePaymentRequest: &shared.V3InitiatePaymentRequest{
+						Amount:               input.Amount,
+						Asset:                input.Asset,
+						ConnectorID:          input.ConnectorID,
+						Description:          input.Description,
+						DestinationAccountID: optionalString(input.DestinationAccountID),
+						Metadata:             input.Metadata,
+						Reference:            input.Reference,
+						ScheduledAt:          input.ScheduledAt,
+						SourceAccountID:      optionalString(input.SourceAccountID),
+						Type:                 shared.V3PaymentInitiationTypeEnum(input.Type),
+					},
+				})
+				if err != nil {
+					return CreateTransferInitiationOutput{}, err
+				}
+				if response.V3InitiatePaymentResponse == nil {
+					return CreateTransferInitiationOutput{}, fmt.Errorf("payments v3 initiate payment returned no data")
+				}
+				data := response.V3InitiatePaymentResponse.Data
+				return CreateTransferInitiationOutput{
+					TransferInitiationID: stringValue(data.PaymentInitiationID),
+					TaskID:               stringValue(data.TaskID),
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKGetTransferInitiationHandlers(sdk *formance.Formance) []GetTransferInitiationHandler {
+	return []GetTransferInitiationHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetTransferInitiationInput) (GetTransferInitiationOutput, error) {
+				response, err := sdk.Payments.V1.GetTransferInitiation(ctx, operations.GetTransferInitiationRequest{TransferID: input.TransferInitiationID})
+				if err != nil {
+					return GetTransferInitiationOutput{}, err
+				}
+				if response.TransferInitiationResponse == nil {
+					return GetTransferInitiationOutput{}, fmt.Errorf("payments v1 get transfer initiation returned no data")
+				}
+				return GetTransferInitiationOutput{TransferInitiation: fromV1TransferInitiation(response.TransferInitiationResponse.Data)}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input GetTransferInitiationInput) (GetTransferInitiationOutput, error) {
+				response, err := sdk.Payments.V3.GetPaymentInitiation(ctx, operations.V3GetPaymentInitiationRequest{PaymentInitiationID: input.TransferInitiationID})
+				if err != nil {
+					return GetTransferInitiationOutput{}, err
+				}
+				if response.V3GetPaymentInitiationResponse == nil {
+					return GetTransferInitiationOutput{}, fmt.Errorf("payments v3 get payment initiation returned no data")
+				}
+				return GetTransferInitiationOutput{TransferInitiation: fromV3PaymentInitiation(response.V3GetPaymentInitiationResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKApprovePaymentInitiationHandlers(sdk *formance.Formance) []TransferInitiationActionHandler {
+	return []TransferInitiationActionHandler{
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+				response, err := sdk.Payments.V3.ApprovePaymentInitiation(ctx, operations.V3ApprovePaymentInitiationRequest{
+					PaymentInitiationID: input.TransferInitiationID,
+				})
+				if err != nil {
+					return TransferInitiationActionOutput{}, err
+				}
+				if response.V3ApprovePaymentInitiationResponse == nil {
+					return TransferInitiationActionOutput{}, fmt.Errorf("payments v3 approve payment initiation returned no data")
+				}
+				return TransferInitiationActionOutput{
+					TransferInitiationID: input.TransferInitiationID,
+					TaskID:               response.V3ApprovePaymentInitiationResponse.Data.TaskID,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKRejectPaymentInitiationHandlers(sdk *formance.Formance) []TransferInitiationActionHandler {
+	return []TransferInitiationActionHandler{
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+				if _, err := sdk.Payments.V3.RejectPaymentInitiation(ctx, operations.V3RejectPaymentInitiationRequest{
+					PaymentInitiationID: input.TransferInitiationID,
+				}); err != nil {
+					return TransferInitiationActionOutput{}, err
+				}
+				return TransferInitiationActionOutput{TransferInitiationID: input.TransferInitiationID}, nil
+			},
+		},
+	}
+}
+
+func SDKRetryPaymentInitiationHandlers(sdk *formance.Formance) []TransferInitiationActionHandler {
+	return []TransferInitiationActionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+				if _, err := sdk.Payments.V1.RetryTransferInitiation(ctx, operations.RetryTransferInitiationRequest{
+					TransferID: input.TransferInitiationID,
+				}); err != nil {
+					return TransferInitiationActionOutput{}, err
+				}
+				return TransferInitiationActionOutput{TransferInitiationID: input.TransferInitiationID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+				response, err := sdk.Payments.V3.RetryPaymentInitiation(ctx, operations.V3RetryPaymentInitiationRequest{
+					PaymentInitiationID: input.TransferInitiationID,
+				})
+				if err != nil {
+					return TransferInitiationActionOutput{}, err
+				}
+				if response.V3RetryPaymentInitiationResponse == nil {
+					return TransferInitiationActionOutput{}, fmt.Errorf("payments v3 retry payment initiation returned no data")
+				}
+				return TransferInitiationActionOutput{
+					TransferInitiationID: input.TransferInitiationID,
+					TaskID:               response.V3RetryPaymentInitiationResponse.Data.TaskID,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKDeletePaymentInitiationHandlers(sdk *formance.Formance) []TransferInitiationActionHandler {
+	return []TransferInitiationActionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+				if _, err := sdk.Payments.V1.DeleteTransferInitiation(ctx, operations.DeleteTransferInitiationRequest{
+					TransferID: input.TransferInitiationID,
+				}); err != nil {
+					return TransferInitiationActionOutput{}, err
+				}
+				return TransferInitiationActionOutput{TransferInitiationID: input.TransferInitiationID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+				if _, err := sdk.Payments.V3.DeletePaymentInitiation(ctx, operations.V3DeletePaymentInitiationRequest{
+					PaymentInitiationID: input.TransferInitiationID,
+				}); err != nil {
+					return TransferInitiationActionOutput{}, err
+				}
+				return TransferInitiationActionOutput{TransferInitiationID: input.TransferInitiationID}, nil
+			},
+		},
+	}
+}
+
+func SDKUpdateTransferInitiationStatusHandlers(sdk *formance.Formance) []UpdateTransferInitiationStatusHandler {
+	return []UpdateTransferInitiationStatusHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input UpdateTransferInitiationStatusInput) (UpdateTransferInitiationStatusOutput, error) {
+				if _, err := sdk.Payments.V1.UpdateTransferInitiationStatus(ctx, operations.UpdateTransferInitiationStatusRequest{
+					TransferID: input.TransferInitiationID,
+					UpdateTransferInitiationStatusRequest: shared.UpdateTransferInitiationStatusRequest{
+						Status: shared.Status(input.Status),
+					},
+				}); err != nil {
+					return UpdateTransferInitiationStatusOutput{}, err
+				}
+				return UpdateTransferInitiationStatusOutput{
+					TransferInitiationID: input.TransferInitiationID,
+					Status:               input.Status,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKReverseTransferInitiationHandlers(sdk *formance.Formance) []ReverseTransferInitiationHandler {
+	return []ReverseTransferInitiationHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ReverseTransferInitiationInput) (ReverseTransferInitiationOutput, error) {
+				if _, err := sdk.Payments.V1.ReverseTransferInitiation(ctx, operations.ReverseTransferInitiationRequest{
+					TransferID: input.TransferInitiationID,
+					ReverseTransferInitiationRequest: shared.ReverseTransferInitiationRequest{
+						Amount:      input.Amount,
+						Asset:       input.Asset,
+						Description: input.Description,
+						Metadata:    input.Metadata,
+						Reference:   input.Reference,
+					},
+				}); err != nil {
+					return ReverseTransferInitiationOutput{}, err
+				}
+				return ReverseTransferInitiationOutput{TransferInitiationID: input.TransferInitiationID}, nil
+			},
+		},
+		{
+			APIVersion: "v3",
+			Run: func(ctx context.Context, input ReverseTransferInitiationInput) (ReverseTransferInitiationOutput, error) {
+				response, err := sdk.Payments.V3.ReversePaymentInitiation(ctx, operations.V3ReversePaymentInitiationRequest{
+					PaymentInitiationID: input.TransferInitiationID,
+					V3ReversePaymentInitiationRequest: &shared.V3ReversePaymentInitiationRequest{
+						Amount:      input.Amount,
+						Asset:       input.Asset,
+						Description: input.Description,
+						Metadata:    input.Metadata,
+						Reference:   input.Reference,
+					},
+				})
+				if err != nil {
+					return ReverseTransferInitiationOutput{}, err
+				}
+				if response.V3ReversePaymentInitiationResponse == nil {
+					return ReverseTransferInitiationOutput{}, fmt.Errorf("payments v3 reverse payment initiation returned no data")
+				}
+				data := response.V3ReversePaymentInitiationResponse.Data
+				return ReverseTransferInitiationOutput{
+					TransferInitiationID: input.TransferInitiationID,
+					TaskID:               stringValue(data.TaskID),
+					ReversalID:           stringValue(data.PaymentInitiationReversalID),
+				}, nil
+			},
+		},
+	}
+}
+
+func fromV1TransferInitiationsCursor(cursor shared.TransferInitiationsCursorCursor) ListTransferInitiationsOutput {
+	transfers := make([]TransferInitiationSummary, 0, len(cursor.Data))
+	for _, transfer := range cursor.Data {
+		transfers = append(transfers, fromV1TransferInitiation(transfer))
+	}
+	return ListTransferInitiationsOutput{TransferInitiations: transfers, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV3PaymentInitiationsCursor(cursor shared.V3PaymentInitiationsCursorResponseCursor) ListTransferInitiationsOutput {
+	transfers := make([]TransferInitiationSummary, 0, len(cursor.Data))
+	for _, transfer := range cursor.Data {
+		transfers = append(transfers, fromV3PaymentInitiation(transfer))
+	}
+	return ListTransferInitiationsOutput{TransferInitiations: transfers, HasMore: cursor.HasMore, PageSize: cursor.PageSize, Next: cursor.Next, Previous: cursor.Previous}
+}
+
+func fromV1TransferInitiation(transfer shared.TransferInitiation) TransferInitiationSummary {
+	return TransferInitiationSummary{
+		ID:                   transfer.ID,
+		Reference:            transfer.Reference,
+		Type:                 string(transfer.Type),
+		Status:               string(transfer.Status),
+		Asset:                transfer.Asset,
+		Amount:               bigIntString(transfer.Amount),
+		InitialAmount:        bigIntString(transfer.InitialAmount),
+		ConnectorID:          transfer.ConnectorID,
+		Provider:             stringValue(transfer.Provider),
+		SourceAccountID:      transfer.SourceAccountID,
+		DestinationAccountID: transfer.DestinationAccountID,
+		Description:          transfer.Description,
+		Error:                stringValue(transfer.Error),
+		CreatedAt:            transfer.CreatedAt,
+		ScheduledAt:          transfer.ScheduledAt,
+		Metadata:             transfer.Metadata,
+	}
+}
+
+func fromV3PaymentInitiation(transfer shared.V3PaymentInitiation) TransferInitiationSummary {
+	return TransferInitiationSummary{
+		ID:                   transfer.ID,
+		Reference:            transfer.Reference,
+		Type:                 string(transfer.Type),
+		Status:               string(transfer.Status),
+		Asset:                transfer.Asset,
+		Amount:               bigIntString(transfer.Amount),
+		ConnectorID:          transfer.ConnectorID,
+		Provider:             transfer.Provider,
+		SourceAccountID:      stringValue(transfer.SourceAccountID),
+		DestinationAccountID: stringValue(transfer.DestinationAccountID),
+		Description:          transfer.Description,
+		Error:                stringValue(transfer.Error),
+		CreatedAt:            transfer.CreatedAt,
+		ScheduledAt:          transfer.ScheduledAt,
+		Metadata:             transfer.Metadata,
+	}
+}
diff --git a/v4/internal/commands/payments/transfer_initiations_test.go b/v4/internal/commands/payments/transfer_initiations_test.go
new file mode 100644
index 00000000..18a2e11c
--- /dev/null
+++ b/v4/internal/commands/payments/transfer_initiations_test.go
@@ -0,0 +1,229 @@
+package payments
+
+import (
+	"context"
+	"math/big"
+	"testing"
+	"time"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestListTransferInitiationsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListTransferInitiationsService{
+		Handlers: []ListTransferInitiationsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ListTransferInitiationsInput) (ListTransferInitiationsOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ListTransferInitiationsOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ListTransferInitiationsInput) (ListTransferInitiationsOutput, error) {
+					if input.PageSize != 10 {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListTransferInitiationsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListTransferInitiationsInput{PageSize: 10})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateTransferInitiationServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreateTransferInitiationService{
+		Handlers: []CreateTransferInitiationHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, CreateTransferInitiationInput) (CreateTransferInitiationOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return CreateTransferInitiationOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input CreateTransferInitiationInput) (CreateTransferInitiationOutput, error) {
+					if input.Amount.String() != "100" || input.Asset != "USD/2" || input.Type != "TRANSFER" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreateTransferInitiationOutput{TransferInitiationID: "ti_1", TaskID: "task_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreateTransferInitiationInput{
+		Amount:      big.NewInt(100),
+		Asset:       "USD/2",
+		Type:        "TRANSFER",
+		ScheduledAt: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.TransferInitiationID != "ti_1" || output.TaskID != "task_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateTransferInitiationServiceRequiresSupportedType(t *testing.T) {
+	service := CreateTransferInitiationService{
+		Handlers: []CreateTransferInitiationHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateTransferInitiationInput{Amount: big.NewInt(100), Asset: "USD/2", Type: "UNKNOWN"}); err == nil {
+		t.Fatal("expected transfer initiation type validation error")
+	}
+}
+
+func TestGetTransferInitiationServiceRequiresID(t *testing.T) {
+	service := GetTransferInitiationService{
+		Handlers: []GetTransferInitiationHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetTransferInitiationInput{}); err == nil {
+		t.Fatal("expected transfer initiation id validation error")
+	}
+}
+
+func TestTransferInitiationActionServiceSelectsResolvedHandler(t *testing.T) {
+	service := TransferInitiationActionService{
+		Handlers: []TransferInitiationActionHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return TransferInitiationActionOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input TransferInitiationActionInput) (TransferInitiationActionOutput, error) {
+					if input.TransferInitiationID != "ti_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return TransferInitiationActionOutput{TransferInitiationID: input.TransferInitiationID}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), TransferInitiationActionInput{TransferInitiationID: "ti_1"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.TransferInitiationID != "ti_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestTransferInitiationActionServiceRequiresID(t *testing.T) {
+	service := TransferInitiationActionService{
+		Handlers: []TransferInitiationActionHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), TransferInitiationActionInput{}); err == nil {
+		t.Fatal("expected transfer initiation id validation error")
+	}
+}
+
+func TestUpdateTransferInitiationStatusServiceRequiresStatus(t *testing.T) {
+	service := UpdateTransferInitiationStatusService{
+		Handlers: []UpdateTransferInitiationStatusHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), UpdateTransferInitiationStatusInput{TransferInitiationID: "ti_1"}); err == nil {
+		t.Fatal("expected transfer initiation status validation error")
+	}
+}
+
+func TestReverseTransferInitiationServiceSelectsResolvedHandler(t *testing.T) {
+	service := ReverseTransferInitiationService{
+		Handlers: []ReverseTransferInitiationHandler{
+			{
+				APIVersion: "v1",
+				Run: func(context.Context, ReverseTransferInitiationInput) (ReverseTransferInitiationOutput, error) {
+					t.Fatal("v1 handler should not run")
+					return ReverseTransferInitiationOutput{}, nil
+				},
+			},
+			{
+				APIVersion: "v3",
+				Run: func(_ context.Context, input ReverseTransferInitiationInput) (ReverseTransferInitiationOutput, error) {
+					if input.TransferInitiationID != "ti_1" || input.Amount.String() != "100" || input.Asset != "USD/2" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ReverseTransferInitiationOutput{TransferInitiationID: input.TransferInitiationID, TaskID: "task_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1", "v3"})
+			return "v3", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ReverseTransferInitiationInput{
+		TransferInitiationID: "ti_1",
+		Amount:               big.NewInt(100),
+		Asset:                "USD/2",
+	})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v3" || output.TaskID != "task_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestReverseTransferInitiationServiceRequiresAmount(t *testing.T) {
+	service := ReverseTransferInitiationService{
+		Handlers: []ReverseTransferInitiationHandler{{APIVersion: "v3"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), ReverseTransferInitiationInput{TransferInitiationID: "ti_1", Asset: "USD/2"}); err == nil {
+		t.Fatal("expected reverse transfer initiation amount validation error")
+	}
+}
diff --git a/v4/internal/commands/reconciliation/reconciliation.go b/v4/internal/commands/reconciliation/reconciliation.go
new file mode 100644
index 00000000..4314a9d4
--- /dev/null
+++ b/v4/internal/commands/reconciliation/reconciliation.go
@@ -0,0 +1,550 @@
+package reconciliation
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductReconciliation capabilities.Product = "reconciliation"
+
+	FeatureCreatePolicy        capabilities.Feature = "createPolicy"
+	FeatureDeletePolicy        capabilities.Feature = "deletePolicy"
+	FeatureGetPolicy           capabilities.Feature = "getPolicy"
+	FeatureGetReconciliation   capabilities.Feature = "getReconciliation"
+	FeatureListPolicies        capabilities.Feature = "listPolicies"
+	FeatureListReconciliations capabilities.Feature = "listReconciliations"
+	FeatureReconcile           capabilities.Feature = "reconcile"
+)
+
+type PolicySummary struct {
+	ID             string         `json:"id" yaml:"id"`
+	Name           string         `json:"name" yaml:"name"`
+	LedgerName     string         `json:"ledgerName" yaml:"ledgerName"`
+	PaymentsPoolID string         `json:"paymentsPoolID" yaml:"paymentsPoolID"`
+	LedgerQuery    map[string]any `json:"ledgerQuery,omitempty" yaml:"ledgerQuery,omitempty"`
+	CreatedAt      time.Time      `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+}
+
+type ReconciliationSummary struct {
+	ID                   string              `json:"id" yaml:"id"`
+	PolicyID             string              `json:"policyID" yaml:"policyID"`
+	Status               string              `json:"status" yaml:"status"`
+	Error                string              `json:"error,omitempty" yaml:"error,omitempty"`
+	LedgerBalances       map[string]*big.Int `json:"ledgerBalances,omitempty" yaml:"ledgerBalances,omitempty"`
+	PaymentsBalances     map[string]*big.Int `json:"paymentsBalances,omitempty" yaml:"paymentsBalances,omitempty"`
+	DriftBalances        map[string]*big.Int `json:"driftBalances,omitempty" yaml:"driftBalances,omitempty"`
+	ReconciledAtLedger   time.Time           `json:"reconciledAtLedger,omitempty" yaml:"reconciledAtLedger,omitempty"`
+	ReconciledAtPayments time.Time           `json:"reconciledAtPayments,omitempty" yaml:"reconciledAtPayments,omitempty"`
+	CreatedAt            time.Time           `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+}
+
+type ListPoliciesInput struct {
+	PageSize int64
+	Cursor   string
+	Query    map[string]any
+}
+
+type ListPoliciesOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Policies   []PolicySummary         `json:"policies" yaml:"policies"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type CreatePolicyInput struct {
+	Payload []byte
+}
+
+type CreatePolicyOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Policy     PolicySummary           `json:"policy" yaml:"policy"`
+}
+
+type GetPolicyInput struct {
+	PolicyID string
+}
+
+type GetPolicyOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Policy     PolicySummary           `json:"policy" yaml:"policy"`
+}
+
+type DeletePolicyInput struct {
+	PolicyID string
+}
+
+type DeletePolicyOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	PolicyID   string                  `json:"policyID" yaml:"policyID"`
+}
+
+type ListReconciliationsInput struct {
+	PageSize int64
+	Cursor   string
+	Query    map[string]any
+}
+
+type ListReconciliationsOutput struct {
+	APIVersion      capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Reconciliations []ReconciliationSummary `json:"reconciliations" yaml:"reconciliations"`
+	HasMore         bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize        int64                   `json:"pageSize" yaml:"pageSize"`
+	Next            *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous        *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetReconciliationInput struct {
+	ReconciliationID string
+}
+
+type GetReconciliationOutput struct {
+	APIVersion     capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Reconciliation ReconciliationSummary   `json:"reconciliation" yaml:"reconciliation"`
+}
+
+type ReconcileInput struct {
+	PolicyID             string
+	ReconciledAtLedger   time.Time
+	ReconciledAtPayments time.Time
+}
+
+type ReconcileOutput struct {
+	APIVersion     capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Reconciliation ReconciliationSummary   `json:"reconciliation" yaml:"reconciliation"`
+}
+
+type ListPoliciesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListPoliciesInput) (ListPoliciesOutput, error)
+}
+
+type CreatePolicyHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreatePolicyInput) (CreatePolicyOutput, error)
+}
+
+type GetPolicyHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetPolicyInput) (GetPolicyOutput, error)
+}
+
+type DeletePolicyHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, DeletePolicyInput) (DeletePolicyOutput, error)
+}
+
+type ListReconciliationsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListReconciliationsInput) (ListReconciliationsOutput, error)
+}
+
+type GetReconciliationHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetReconciliationInput) (GetReconciliationOutput, error)
+}
+
+type ReconcileHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ReconcileInput) (ReconcileOutput, error)
+}
+
+type ListPoliciesService struct {
+	Handlers []ListPoliciesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreatePolicyService struct {
+	Handlers []CreatePolicyHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetPolicyService struct {
+	Handlers []GetPolicyHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeletePolicyService struct {
+	Handlers []DeletePolicyHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListReconciliationsService struct {
+	Handlers []ListReconciliationsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetReconciliationService struct {
+	Handlers []GetReconciliationHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ReconcileService struct {
+	Handlers []ReconcileHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListPoliciesService) Run(ctx context.Context, input ListPoliciesInput) (ListPoliciesOutput, error) {
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ListPoliciesHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ListPoliciesOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListPoliciesOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s CreatePolicyService) Run(ctx context.Context, input CreatePolicyInput) (CreatePolicyOutput, error) {
+	if len(input.Payload) == 0 {
+		return CreatePolicyOutput{}, fmt.Errorf("policy request is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler CreatePolicyHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return CreatePolicyOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreatePolicyOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetPolicyService) Run(ctx context.Context, input GetPolicyInput) (GetPolicyOutput, error) {
+	if input.PolicyID == "" {
+		return GetPolicyOutput{}, fmt.Errorf("policy id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler GetPolicyHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return GetPolicyOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetPolicyOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s DeletePolicyService) Run(ctx context.Context, input DeletePolicyInput) (DeletePolicyOutput, error) {
+	if input.PolicyID == "" {
+		return DeletePolicyOutput{}, fmt.Errorf("policy id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler DeletePolicyHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return DeletePolicyOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeletePolicyOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ListReconciliationsService) Run(ctx context.Context, input ListReconciliationsInput) (ListReconciliationsOutput, error) {
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ListReconciliationsHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ListReconciliationsOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListReconciliationsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetReconciliationService) Run(ctx context.Context, input GetReconciliationInput) (GetReconciliationOutput, error) {
+	if input.ReconciliationID == "" {
+		return GetReconciliationOutput{}, fmt.Errorf("reconciliation id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler GetReconciliationHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return GetReconciliationOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetReconciliationOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ReconcileService) Run(ctx context.Context, input ReconcileInput) (ReconcileOutput, error) {
+	if input.PolicyID == "" {
+		return ReconcileOutput{}, fmt.Errorf("policy id is required")
+	}
+	if input.ReconciledAtLedger.IsZero() {
+		return ReconcileOutput{}, fmt.Errorf("ledger reconciliation time is required")
+	}
+	if input.ReconciledAtPayments.IsZero() {
+		return ReconcileOutput{}, fmt.Errorf("payments reconciliation time is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ReconcileHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ReconcileOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ReconcileOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func resolveHandler[H any](
+	ctx context.Context,
+	serviceHandlers []H,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+	versionOf func(H) capabilities.APIVersion,
+) (H, capabilities.APIVersion, error) {
+	var zero H
+	handlerVersions := make([]capabilities.APIVersion, 0, len(serviceHandlers))
+	handlers := map[capabilities.APIVersion]H{}
+	for _, handler := range serviceHandlers {
+		version := versionOf(handler)
+		handlerVersions = append(handlerVersions, version)
+		handlers[version] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return zero, "", err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return zero, "", fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	return handler, selected, nil
+}
+
+func SDKListPoliciesHandlers(sdk *formance.Formance) []ListPoliciesHandler {
+	return []ListPoliciesHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListPoliciesInput) (ListPoliciesOutput, error) {
+				response, err := sdk.Reconciliation.V1.ListPolicies(ctx, operations.ListPoliciesRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					Query:    input.Query,
+				})
+				if err != nil {
+					return ListPoliciesOutput{}, err
+				}
+				if response.PoliciesCursorResponse == nil {
+					return ListPoliciesOutput{}, fmt.Errorf("reconciliation v1 list policies returned no cursor")
+				}
+				cursor := response.PoliciesCursorResponse.Cursor
+				policies := make([]PolicySummary, 0, len(cursor.Data))
+				for _, policy := range cursor.Data {
+					policies = append(policies, fromPolicy(policy))
+				}
+				return ListPoliciesOutput{
+					Policies: policies,
+					HasMore:  cursor.HasMore,
+					PageSize: cursor.PageSize,
+					Next:     cursor.Next,
+					Previous: cursor.Previous,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKCreatePolicyHandlers(sdk *formance.Formance) []CreatePolicyHandler {
+	return []CreatePolicyHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreatePolicyInput) (CreatePolicyOutput, error) {
+				var request shared.PolicyRequest
+				if err := json.Unmarshal(input.Payload, &request); err != nil {
+					return CreatePolicyOutput{}, err
+				}
+				response, err := sdk.Reconciliation.V1.CreatePolicy(ctx, request)
+				if err != nil {
+					return CreatePolicyOutput{}, err
+				}
+				if response.PolicyResponse == nil {
+					return CreatePolicyOutput{}, fmt.Errorf("reconciliation v1 create policy returned no data")
+				}
+				return CreatePolicyOutput{Policy: fromPolicy(response.PolicyResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKGetPolicyHandlers(sdk *formance.Formance) []GetPolicyHandler {
+	return []GetPolicyHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetPolicyInput) (GetPolicyOutput, error) {
+				response, err := sdk.Reconciliation.V1.GetPolicy(ctx, operations.GetPolicyRequest{PolicyID: input.PolicyID})
+				if err != nil {
+					return GetPolicyOutput{}, err
+				}
+				if response.PolicyResponse == nil {
+					return GetPolicyOutput{}, fmt.Errorf("reconciliation v1 get policy returned no data")
+				}
+				return GetPolicyOutput{Policy: fromPolicy(response.PolicyResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeletePolicyHandlers(sdk *formance.Formance) []DeletePolicyHandler {
+	return []DeletePolicyHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input DeletePolicyInput) (DeletePolicyOutput, error) {
+				if _, err := sdk.Reconciliation.V1.DeletePolicy(ctx, operations.DeletePolicyRequest{PolicyID: input.PolicyID}); err != nil {
+					return DeletePolicyOutput{}, err
+				}
+				return DeletePolicyOutput{PolicyID: input.PolicyID}, nil
+			},
+		},
+	}
+}
+
+func SDKListReconciliationsHandlers(sdk *formance.Formance) []ListReconciliationsHandler {
+	return []ListReconciliationsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListReconciliationsInput) (ListReconciliationsOutput, error) {
+				response, err := sdk.Reconciliation.V1.ListReconciliations(ctx, operations.ListReconciliationsRequest{
+					PageSize: pointer(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					Query:    input.Query,
+				})
+				if err != nil {
+					return ListReconciliationsOutput{}, err
+				}
+				if response.ReconciliationsCursorResponse == nil {
+					return ListReconciliationsOutput{}, fmt.Errorf("reconciliation v1 list reconciliations returned no cursor")
+				}
+				cursor := response.ReconciliationsCursorResponse.Cursor
+				reconciliations := make([]ReconciliationSummary, 0, len(cursor.Data))
+				for _, reconciliation := range cursor.Data {
+					reconciliations = append(reconciliations, fromReconciliation(reconciliation))
+				}
+				return ListReconciliationsOutput{
+					Reconciliations: reconciliations,
+					HasMore:         cursor.HasMore,
+					PageSize:        cursor.PageSize,
+					Next:            cursor.Next,
+					Previous:        cursor.Previous,
+				}, nil
+			},
+		},
+	}
+}
+
+func SDKGetReconciliationHandlers(sdk *formance.Formance) []GetReconciliationHandler {
+	return []GetReconciliationHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetReconciliationInput) (GetReconciliationOutput, error) {
+				response, err := sdk.Reconciliation.V1.GetReconciliation(ctx, operations.GetReconciliationRequest{ReconciliationID: input.ReconciliationID})
+				if err != nil {
+					return GetReconciliationOutput{}, err
+				}
+				if response.ReconciliationResponse == nil {
+					return GetReconciliationOutput{}, fmt.Errorf("reconciliation v1 get reconciliation returned no data")
+				}
+				return GetReconciliationOutput{Reconciliation: fromReconciliation(response.ReconciliationResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKReconcileHandlers(sdk *formance.Formance) []ReconcileHandler {
+	return []ReconcileHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ReconcileInput) (ReconcileOutput, error) {
+				response, err := sdk.Reconciliation.V1.Reconcile(ctx, operations.ReconcileRequest{
+					PolicyID: input.PolicyID,
+					ReconciliationRequest: shared.ReconciliationRequest{
+						ReconciledAtLedger:   input.ReconciledAtLedger,
+						ReconciledAtPayments: input.ReconciledAtPayments,
+					},
+				})
+				if err != nil {
+					return ReconcileOutput{}, err
+				}
+				if response.ReconciliationResponse == nil {
+					return ReconcileOutput{}, fmt.Errorf("reconciliation v1 reconcile returned no data")
+				}
+				return ReconcileOutput{Reconciliation: fromReconciliation(response.ReconciliationResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func fromPolicy(policy shared.Policy) PolicySummary {
+	return PolicySummary{
+		ID:             policy.ID,
+		Name:           policy.Name,
+		LedgerName:     policy.LedgerName,
+		PaymentsPoolID: policy.PaymentsPoolID,
+		LedgerQuery:    policy.LedgerQuery,
+		CreatedAt:      policy.CreatedAt,
+	}
+}
+
+func fromReconciliation(reconciliation shared.Reconciliation) ReconciliationSummary {
+	errorMessage := ""
+	if reconciliation.Error != nil {
+		errorMessage = *reconciliation.Error
+	}
+	return ReconciliationSummary{
+		ID:                   reconciliation.ID,
+		PolicyID:             reconciliation.PolicyID,
+		Status:               reconciliation.Status,
+		Error:                errorMessage,
+		LedgerBalances:       reconciliation.LedgerBalances,
+		PaymentsBalances:     reconciliation.PaymentsBalances,
+		DriftBalances:        reconciliation.DriftBalances,
+		ReconciledAtLedger:   reconciliation.ReconciledAtLedger,
+		ReconciledAtPayments: reconciliation.ReconciledAtPayments,
+		CreatedAt:            reconciliation.CreatedAt,
+	}
+}
+
+func pointer[T any](value T) *T {
+	return &value
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
diff --git a/v4/internal/commands/target/proxy.go b/v4/internal/commands/target/proxy.go
new file mode 100644
index 00000000..1ca2d5ac
--- /dev/null
+++ b/v4/internal/commands/target/proxy.go
@@ -0,0 +1,118 @@
+package target
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+	"time"
+)
+
+type ProxyInput struct {
+	TargetURL      string
+	Transport      http.RoundTripper
+	AllowedOrigins []string
+	LogWriter      io.Writer
+	ErrorWriter    io.Writer
+}
+
+func NewProxyHandler(input ProxyInput) (http.Handler, error) {
+	targetURL, err := url.Parse(input.TargetURL)
+	if err != nil {
+		return nil, fmt.Errorf("parse target URL: %w", err)
+	}
+	if targetURL.Scheme == "" || targetURL.Host == "" {
+		return nil, fmt.Errorf("target URL must include scheme and host")
+	}
+	proxy := httputil.NewSingleHostReverseProxy(targetURL)
+	if input.Transport != nil {
+		proxy.Transport = input.Transport
+	} else {
+		proxy.Transport = http.DefaultTransport
+	}
+
+	originalDirector := proxy.Director
+	proxy.Director = func(req *http.Request) {
+		originalDirector(req)
+		req.Host = targetURL.Host
+		if input.LogWriter != nil {
+			_, _ = fmt.Fprintf(input.LogWriter, "[%s] Proxying %s %s\n", time.Now().Format(time.RFC3339), req.Method, req.URL.String())
+		}
+	}
+	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
+		if input.ErrorWriter != nil {
+			_, _ = fmt.Fprintf(input.ErrorWriter, "[%s] ERROR proxying %s: %v\n", time.Now().Format(time.RFC3339), r.URL.String(), err)
+		}
+		w.Header().Set("Content-Type", "text/plain")
+		w.WriteHeader(http.StatusBadGateway)
+		_, _ = fmt.Fprintf(w, "Proxy Error: %v\n", err)
+	}
+	proxy.ModifyResponse = func(resp *http.Response) error {
+		clearCORSHeaders(resp.Header)
+		return nil
+	}
+
+	var handler http.Handler = proxy
+	if len(input.AllowedOrigins) > 0 {
+		handler = CORSMiddleware(input.AllowedOrigins, proxy)
+	}
+	return handler, nil
+}
+
+func CORSMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := r.Header.Get("Origin")
+		if originAllowed(origin, allowedOrigins) {
+			if allowsWildcard(allowedOrigins) {
+				w.Header().Set("Access-Control-Allow-Origin", "*")
+			} else if origin != "" {
+				w.Header().Set("Access-Control-Allow-Origin", origin)
+			}
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
+			w.Header().Set("Access-Control-Expose-Headers", "Count")
+			w.Header().Set("Access-Control-Allow-Headers", "Accept, Authorization, Content-Type, X-CSRF-Token, X-Requested-With")
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+			w.Header().Set("Access-Control-Max-Age", "86400")
+		}
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func originAllowed(origin string, allowedOrigins []string) bool {
+	if len(allowedOrigins) == 0 {
+		return false
+	}
+	for _, allowedOrigin := range allowedOrigins {
+		allowedOrigin = strings.TrimSpace(allowedOrigin)
+		if allowedOrigin == "*" || allowedOrigin == origin {
+			return true
+		}
+	}
+	return false
+}
+
+func allowsWildcard(allowedOrigins []string) bool {
+	for _, allowedOrigin := range allowedOrigins {
+		if strings.TrimSpace(allowedOrigin) == "*" {
+			return true
+		}
+	}
+	return false
+}
+
+func clearCORSHeaders(header http.Header) {
+	header.Del("Access-Control-Allow-Origin")
+	header.Del("Access-Control-Allow-Methods")
+	header.Del("Access-Control-Allow-Headers")
+	header.Del("Access-Control-Allow-Credentials")
+	header.Del("Access-Control-Max-Age")
+	header.Del("Access-Control-Expose-Headers")
+	header.Del("Access-Control-Request-Method")
+	header.Del("Access-Control-Request-Headers")
+}
diff --git a/v4/internal/commands/target/proxy_test.go b/v4/internal/commands/target/proxy_test.go
new file mode 100644
index 00000000..c4c3aabf
--- /dev/null
+++ b/v4/internal/commands/target/proxy_test.go
@@ -0,0 +1,59 @@
+package target
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestNewProxyHandlerForwardsRequests(t *testing.T) {
+	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/ledger" {
+			t.Fatalf("unexpected upstream path %s", r.URL.Path)
+		}
+		w.Header().Set("Access-Control-Allow-Origin", "https://upstream.example")
+		_, _ = w.Write([]byte("ok"))
+	}))
+	defer upstream.Close()
+
+	handler, err := NewProxyHandler(ProxyInput{TargetURL: upstream.URL + "/api"})
+	if err != nil {
+		t.Fatalf("new proxy handler: %v", err)
+	}
+
+	request := httptest.NewRequest(http.MethodGet, "http://proxy.test/ledger", nil)
+	response := httptest.NewRecorder()
+	handler.ServeHTTP(response, request)
+
+	if response.Code != http.StatusOK {
+		t.Fatalf("unexpected response code %d", response.Code)
+	}
+	if body := strings.TrimSpace(response.Body.String()); body != "ok" {
+		t.Fatalf("unexpected body %q", body)
+	}
+	if got := response.Header().Get("Access-Control-Allow-Origin"); got != "" {
+		t.Fatalf("expected upstream CORS header to be cleared, got %q", got)
+	}
+}
+
+func TestCORSMiddlewareAllowsConfiguredOrigin(t *testing.T) {
+	handler := CORSMiddleware([]string{"https://app.example"}, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write([]byte("ok"))
+	}))
+
+	request := httptest.NewRequest(http.MethodOptions, "http://proxy.test/ledger", nil)
+	request.Header.Set("Origin", "https://app.example")
+	response := httptest.NewRecorder()
+	handler.ServeHTTP(response, request)
+
+	if response.Code != http.StatusOK {
+		t.Fatalf("unexpected response code %d", response.Code)
+	}
+	if got := response.Header().Get("Access-Control-Allow-Origin"); got != "https://app.example" {
+		t.Fatalf("unexpected allow origin %q", got)
+	}
+	if got := response.Header().Get("Access-Control-Expose-Headers"); got != "Count" {
+		t.Fatalf("unexpected exposed headers %q", got)
+	}
+}
diff --git a/v4/internal/commands/wallets/wallets.go b/v4/internal/commands/wallets/wallets.go
new file mode 100644
index 00000000..ce8c2c7b
--- /dev/null
+++ b/v4/internal/commands/wallets/wallets.go
@@ -0,0 +1,1208 @@
+package wallets
+
+import (
+	"context"
+	"fmt"
+	"math/big"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductWallets          capabilities.Product = "wallets"
+	FeatureCreateWallet     capabilities.Feature = "createWallet"
+	FeatureCreateBalance    capabilities.Feature = "createBalance"
+	FeatureCreditWallet     capabilities.Feature = "creditWallet"
+	FeatureDebitWallet      capabilities.Feature = "debitWallet"
+	FeatureConfirmHold      capabilities.Feature = "confirmHold"
+	FeatureGetBalance       capabilities.Feature = "getBalance"
+	FeatureGetHold          capabilities.Feature = "getHold"
+	FeatureGetWallet        capabilities.Feature = "getWallet"
+	FeatureListBalances     capabilities.Feature = "listBalances"
+	FeatureListHolds        capabilities.Feature = "listHolds"
+	FeatureListTransactions capabilities.Feature = "listTransactions"
+	FeatureListWallets      capabilities.Feature = "listWallets"
+	FeatureUpdateWallet     capabilities.Feature = "updateWallet"
+	FeatureVoidHold         capabilities.Feature = "voidHold"
+)
+
+type WalletSummary struct {
+	ID        string            `json:"id" yaml:"id"`
+	Name      string            `json:"name" yaml:"name"`
+	Ledger    string            `json:"ledger" yaml:"ledger"`
+	CreatedAt time.Time         `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	Metadata  map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type BalanceSummary struct {
+	Name      string              `json:"name" yaml:"name"`
+	Priority  string              `json:"priority,omitempty" yaml:"priority,omitempty"`
+	ExpiresAt *time.Time          `json:"expiresAt,omitempty" yaml:"expiresAt,omitempty"`
+	Assets    map[string]*big.Int `json:"assets,omitempty" yaml:"assets,omitempty"`
+}
+
+type HoldSummary struct {
+	ID             string            `json:"id" yaml:"id"`
+	WalletID       string            `json:"walletID" yaml:"walletID"`
+	Asset          string            `json:"asset" yaml:"asset"`
+	Description    string            `json:"description,omitempty" yaml:"description,omitempty"`
+	OriginalAmount string            `json:"originalAmount,omitempty" yaml:"originalAmount,omitempty"`
+	Remaining      string            `json:"remaining,omitempty" yaml:"remaining,omitempty"`
+	Metadata       map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type TransactionSummary struct {
+	ID        int64             `json:"id" yaml:"id"`
+	Ledger    string            `json:"ledger,omitempty" yaml:"ledger,omitempty"`
+	Reference string            `json:"reference,omitempty" yaml:"reference,omitempty"`
+	Timestamp time.Time         `json:"timestamp" yaml:"timestamp"`
+	Metadata  map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+type CreateWalletInput struct {
+	Name           string
+	Metadata       map[string]string
+	IdempotencyKey string
+}
+
+type CreateWalletOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WalletID   string                  `json:"walletID" yaml:"walletID"`
+}
+
+type ListWalletsInput struct {
+	PageSize int64
+	Cursor   string
+	Name     string
+	Metadata map[string]string
+}
+
+type ListWalletsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Wallets    []WalletSummary         `json:"wallets" yaml:"wallets"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetWalletInput struct {
+	WalletID string
+}
+
+type GetWalletOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Wallet     WalletSummary           `json:"wallet" yaml:"wallet"`
+}
+
+type UpdateWalletInput struct {
+	WalletID       string
+	Metadata       map[string]string
+	IdempotencyKey string
+}
+
+type UpdateWalletOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WalletID   string                  `json:"walletID" yaml:"walletID"`
+}
+
+type WalletMovementInput struct {
+	WalletID       string
+	Amount         *big.Int
+	Asset          string
+	Balance        string
+	Metadata       map[string]string
+	IdempotencyKey string
+	Description    string
+	Pending        bool
+}
+
+type WalletMovementOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WalletID   string                  `json:"walletID" yaml:"walletID"`
+	HoldID     string                  `json:"holdID,omitempty" yaml:"holdID,omitempty"`
+}
+
+type CreateBalanceInput struct {
+	WalletID       string
+	Name           string
+	Priority       *big.Int
+	ExpiresAt      *time.Time
+	IdempotencyKey string
+}
+
+type CreateBalanceOutput struct {
+	APIVersion  capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WalletID    string                  `json:"walletID" yaml:"walletID"`
+	BalanceName string                  `json:"balanceName" yaml:"balanceName"`
+}
+
+type ListBalancesInput struct {
+	WalletID string
+}
+
+type ListBalancesOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WalletID   string                  `json:"walletID" yaml:"walletID"`
+	Balances   []BalanceSummary        `json:"balances" yaml:"balances"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetBalanceInput struct {
+	WalletID    string
+	BalanceName string
+}
+
+type GetBalanceOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	WalletID   string                  `json:"walletID" yaml:"walletID"`
+	Balance    BalanceSummary          `json:"balance" yaml:"balance"`
+}
+
+type ListHoldsInput struct {
+	PageSize int64
+	Cursor   string
+	WalletID string
+	Metadata map[string]string
+}
+
+type ListHoldsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Holds      []HoldSummary           `json:"holds" yaml:"holds"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize   int64                   `json:"pageSize" yaml:"pageSize"`
+	Next       *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous   *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type GetHoldInput struct {
+	HoldID string
+}
+
+type GetHoldOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Hold       HoldSummary             `json:"hold" yaml:"hold"`
+}
+
+type HoldActionInput struct {
+	HoldID         string
+	Amount         *big.Int
+	Final          *bool
+	IdempotencyKey string
+}
+
+type HoldActionOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	HoldID     string                  `json:"holdID" yaml:"holdID"`
+}
+
+type ListTransactionsInput struct {
+	PageSize int64
+	Cursor   string
+	WalletID string
+}
+
+type ListTransactionsOutput struct {
+	APIVersion   capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Transactions []TransactionSummary    `json:"transactions" yaml:"transactions"`
+	HasMore      bool                    `json:"hasMore" yaml:"hasMore"`
+	PageSize     int64                   `json:"pageSize" yaml:"pageSize"`
+	Next         *string                 `json:"next,omitempty" yaml:"next,omitempty"`
+	Previous     *string                 `json:"previous,omitempty" yaml:"previous,omitempty"`
+}
+
+type CreateWalletHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateWalletInput) (CreateWalletOutput, error)
+}
+
+type ListWalletsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListWalletsInput) (ListWalletsOutput, error)
+}
+
+type GetWalletHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetWalletInput) (GetWalletOutput, error)
+}
+
+type UpdateWalletHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, UpdateWalletInput) (UpdateWalletOutput, error)
+}
+
+type WalletMovementHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, WalletMovementInput) (WalletMovementOutput, error)
+}
+
+type CreateBalanceHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, CreateBalanceInput) (CreateBalanceOutput, error)
+}
+
+type ListBalancesHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListBalancesInput) (ListBalancesOutput, error)
+}
+
+type GetBalanceHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetBalanceInput) (GetBalanceOutput, error)
+}
+
+type ListHoldsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListHoldsInput) (ListHoldsOutput, error)
+}
+
+type GetHoldHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, GetHoldInput) (GetHoldOutput, error)
+}
+
+type HoldActionHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, HoldActionInput) (HoldActionOutput, error)
+}
+
+type ListTransactionsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListTransactionsInput) (ListTransactionsOutput, error)
+}
+
+type CreateWalletService struct {
+	Handlers []CreateWalletHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListWalletsService struct {
+	Handlers []ListWalletsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetWalletService struct {
+	Handlers []GetWalletHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type UpdateWalletService struct {
+	Handlers []UpdateWalletHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreditWalletService struct {
+	Handlers []WalletMovementHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DebitWalletService struct {
+	Handlers []WalletMovementHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type CreateBalanceService struct {
+	Handlers []CreateBalanceHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListBalancesService struct {
+	Handlers []ListBalancesHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetBalanceService struct {
+	Handlers []GetBalanceHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListHoldsService struct {
+	Handlers []ListHoldsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type GetHoldService struct {
+	Handlers []GetHoldHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type VoidHoldService struct {
+	Handlers []HoldActionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ConfirmHoldService struct {
+	Handlers []HoldActionHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ListTransactionsService struct {
+	Handlers []ListTransactionsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s CreateWalletService) Run(ctx context.Context, input CreateWalletInput) (CreateWalletOutput, error) {
+	if input.Name == "" {
+		return CreateWalletOutput{}, fmt.Errorf("wallet name is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateWalletHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateWalletOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateWalletOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateWalletOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ListWalletsService) Run(ctx context.Context, input ListWalletsInput) (ListWalletsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListWalletsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListWalletsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListWalletsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListWalletsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetWalletService) Run(ctx context.Context, input GetWalletInput) (GetWalletOutput, error) {
+	if input.WalletID == "" {
+		return GetWalletOutput{}, fmt.Errorf("wallet id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetWalletHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetWalletOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetWalletOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetWalletOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s UpdateWalletService) Run(ctx context.Context, input UpdateWalletInput) (UpdateWalletOutput, error) {
+	if input.WalletID == "" {
+		return UpdateWalletOutput{}, fmt.Errorf("wallet id is required")
+	}
+	if input.Metadata == nil {
+		return UpdateWalletOutput{}, fmt.Errorf("wallet metadata is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]UpdateWalletHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return UpdateWalletOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return UpdateWalletOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return UpdateWalletOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.WalletID == "" {
+		output.WalletID = input.WalletID
+	}
+	return output, nil
+}
+
+func (s CreditWalletService) Run(ctx context.Context, input WalletMovementInput) (WalletMovementOutput, error) {
+	return runWalletMovementService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s DebitWalletService) Run(ctx context.Context, input WalletMovementInput) (WalletMovementOutput, error) {
+	return runWalletMovementService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func runWalletMovementService(
+	ctx context.Context,
+	input WalletMovementInput,
+	handlers []WalletMovementHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (WalletMovementOutput, error) {
+	if input.WalletID == "" {
+		return WalletMovementOutput{}, fmt.Errorf("wallet id is required")
+	}
+	if input.Amount == nil {
+		return WalletMovementOutput{}, fmt.Errorf("amount is required")
+	}
+	if input.Asset == "" {
+		return WalletMovementOutput{}, fmt.Errorf("asset is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(handlers))
+	handlersByVersion := map[capabilities.APIVersion]WalletMovementHandler{}
+	for _, handler := range handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlersByVersion[handler.APIVersion] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return WalletMovementOutput{}, err
+	}
+	handler, ok := handlersByVersion[selected]
+	if !ok {
+		return WalletMovementOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return WalletMovementOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.WalletID == "" {
+		output.WalletID = input.WalletID
+	}
+	return output, nil
+}
+
+func (s CreateBalanceService) Run(ctx context.Context, input CreateBalanceInput) (CreateBalanceOutput, error) {
+	if input.WalletID == "" {
+		return CreateBalanceOutput{}, fmt.Errorf("wallet id is required")
+	}
+	if input.Name == "" {
+		return CreateBalanceOutput{}, fmt.Errorf("balance name is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]CreateBalanceHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return CreateBalanceOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return CreateBalanceOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return CreateBalanceOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.WalletID == "" {
+		output.WalletID = input.WalletID
+	}
+	return output, nil
+}
+
+func (s ListBalancesService) Run(ctx context.Context, input ListBalancesInput) (ListBalancesOutput, error) {
+	if input.WalletID == "" {
+		return ListBalancesOutput{}, fmt.Errorf("wallet id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListBalancesHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListBalancesOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListBalancesOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListBalancesOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.WalletID == "" {
+		output.WalletID = input.WalletID
+	}
+	return output, nil
+}
+
+func (s GetBalanceService) Run(ctx context.Context, input GetBalanceInput) (GetBalanceOutput, error) {
+	if input.WalletID == "" {
+		return GetBalanceOutput{}, fmt.Errorf("wallet id is required")
+	}
+	if input.BalanceName == "" {
+		return GetBalanceOutput{}, fmt.Errorf("balance name is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetBalanceHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetBalanceOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetBalanceOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetBalanceOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.WalletID == "" {
+		output.WalletID = input.WalletID
+	}
+	return output, nil
+}
+
+func (s ListHoldsService) Run(ctx context.Context, input ListHoldsInput) (ListHoldsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListHoldsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListHoldsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListHoldsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListHoldsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s GetHoldService) Run(ctx context.Context, input GetHoldInput) (GetHoldOutput, error) {
+	if input.HoldID == "" {
+		return GetHoldOutput{}, fmt.Errorf("hold id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]GetHoldHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return GetHoldOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return GetHoldOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return GetHoldOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s VoidHoldService) Run(ctx context.Context, input HoldActionInput) (HoldActionOutput, error) {
+	return runHoldActionService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s ConfirmHoldService) Run(ctx context.Context, input HoldActionInput) (HoldActionOutput, error) {
+	return runHoldActionService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func runHoldActionService(
+	ctx context.Context,
+	input HoldActionInput,
+	handlers []HoldActionHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (HoldActionOutput, error) {
+	if input.HoldID == "" {
+		return HoldActionOutput{}, fmt.Errorf("hold id is required")
+	}
+	handlerVersions := make([]capabilities.APIVersion, 0, len(handlers))
+	handlersByVersion := map[capabilities.APIVersion]HoldActionHandler{}
+	for _, handler := range handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlersByVersion[handler.APIVersion] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return HoldActionOutput{}, err
+	}
+	handler, ok := handlersByVersion[selected]
+	if !ok {
+		return HoldActionOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return HoldActionOutput{}, err
+	}
+	output.APIVersion = selected
+	if output.HoldID == "" {
+		output.HoldID = input.HoldID
+	}
+	return output, nil
+}
+
+func (s ListTransactionsService) Run(ctx context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+	handlerVersions := make([]capabilities.APIVersion, 0, len(s.Handlers))
+	handlers := map[capabilities.APIVersion]ListTransactionsHandler{}
+	for _, handler := range s.Handlers {
+		handlerVersions = append(handlerVersions, handler.APIVersion)
+		handlers[handler.APIVersion] = handler
+	}
+	selected, err := s.Resolve(ctx, handlerVersions)
+	if err != nil {
+		return ListTransactionsOutput{}, err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return ListTransactionsOutput{}, fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListTransactionsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func SDKCreateWalletHandlers(sdk *formance.Formance) []CreateWalletHandler {
+	return []CreateWalletHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateWalletInput) (CreateWalletOutput, error) {
+				response, err := sdk.Wallets.V1.CreateWallet(ctx, operations.CreateWalletRequest{
+					CreateWalletRequest: &shared.CreateWalletRequest{
+						Name:     input.Name,
+						Metadata: input.Metadata,
+					},
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+				})
+				if err != nil {
+					return CreateWalletOutput{}, err
+				}
+				if response.CreateWalletResponse == nil {
+					return CreateWalletOutput{}, fmt.Errorf("wallets v1 create wallet returned no data")
+				}
+				return CreateWalletOutput{WalletID: response.CreateWalletResponse.Data.ID}, nil
+			},
+		},
+	}
+}
+
+func SDKListWalletsHandlers(sdk *formance.Formance) []ListWalletsHandler {
+	return []ListWalletsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListWalletsInput) (ListWalletsOutput, error) {
+				response, err := sdk.Wallets.V1.ListWallets(ctx, operations.ListWalletsRequest{
+					PageSize: optionalInt64(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					Name:     optionalString(input.Name),
+					Metadata: input.Metadata,
+				})
+				if err != nil {
+					return ListWalletsOutput{}, err
+				}
+				if response.ListWalletsResponse == nil {
+					return ListWalletsOutput{}, fmt.Errorf("wallets v1 list wallets returned no cursor")
+				}
+				return fromWalletsCursor(response.ListWalletsResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetWalletHandlers(sdk *formance.Formance) []GetWalletHandler {
+	return []GetWalletHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetWalletInput) (GetWalletOutput, error) {
+				response, err := sdk.Wallets.V1.GetWallet(ctx, operations.GetWalletRequest{ID: input.WalletID})
+				if err != nil {
+					return GetWalletOutput{}, err
+				}
+				if response.GetWalletResponse == nil {
+					return GetWalletOutput{}, fmt.Errorf("wallets v1 get wallet returned no data")
+				}
+				return GetWalletOutput{Wallet: fromWalletWithBalances(response.GetWalletResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKUpdateWalletHandlers(sdk *formance.Formance) []UpdateWalletHandler {
+	return []UpdateWalletHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input UpdateWalletInput) (UpdateWalletOutput, error) {
+				_, err := sdk.Wallets.V1.UpdateWallet(ctx, operations.UpdateWalletRequest{
+					ID:             input.WalletID,
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+					RequestBody: &operations.UpdateWalletRequestBody{
+						Metadata: input.Metadata,
+					},
+				})
+				if err != nil {
+					return UpdateWalletOutput{}, err
+				}
+				return UpdateWalletOutput{WalletID: input.WalletID}, nil
+			},
+		},
+	}
+}
+
+func SDKCreditWalletHandlers(sdk *formance.Formance) []WalletMovementHandler {
+	return []WalletMovementHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input WalletMovementInput) (WalletMovementOutput, error) {
+				_, err := sdk.Wallets.V1.CreditWallet(ctx, operations.CreditWalletRequest{
+					ID:             input.WalletID,
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+					CreditWalletRequest: &shared.CreditWalletRequest{
+						Amount: shared.Monetary{
+							Amount: input.Amount,
+							Asset:  input.Asset,
+						},
+						Balance:  optionalString(input.Balance),
+						Metadata: input.Metadata,
+					},
+				})
+				if err != nil {
+					return WalletMovementOutput{}, err
+				}
+				return WalletMovementOutput{WalletID: input.WalletID}, nil
+			},
+		},
+	}
+}
+
+func SDKDebitWalletHandlers(sdk *formance.Formance) []WalletMovementHandler {
+	return []WalletMovementHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input WalletMovementInput) (WalletMovementOutput, error) {
+				response, err := sdk.Wallets.V1.DebitWallet(ctx, operations.DebitWalletRequest{
+					ID:             input.WalletID,
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+					DebitWalletRequest: &shared.DebitWalletRequest{
+						Amount: shared.Monetary{
+							Amount: input.Amount,
+							Asset:  input.Asset,
+						},
+						Balances:    optionalStringSlice(input.Balance),
+						Description: optionalString(input.Description),
+						Metadata:    input.Metadata,
+						Pending:     &input.Pending,
+					},
+				})
+				if err != nil {
+					return WalletMovementOutput{}, err
+				}
+				output := WalletMovementOutput{WalletID: input.WalletID}
+				if response.DebitWalletResponse != nil {
+					output.HoldID = response.DebitWalletResponse.Data.ID
+				}
+				return output, nil
+			},
+		},
+	}
+}
+
+func SDKCreateBalanceHandlers(sdk *formance.Formance) []CreateBalanceHandler {
+	return []CreateBalanceHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input CreateBalanceInput) (CreateBalanceOutput, error) {
+				response, err := sdk.Wallets.V1.CreateBalance(ctx, operations.CreateBalanceRequest{
+					ID:             input.WalletID,
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+					CreateBalanceRequest: &shared.CreateBalanceRequest{
+						Name:      input.Name,
+						Priority:  input.Priority,
+						ExpiresAt: input.ExpiresAt,
+					},
+				})
+				if err != nil {
+					return CreateBalanceOutput{}, err
+				}
+				if response.CreateBalanceResponse == nil {
+					return CreateBalanceOutput{}, fmt.Errorf("wallets v1 create balance returned no data")
+				}
+				return CreateBalanceOutput{WalletID: input.WalletID, BalanceName: response.CreateBalanceResponse.Data.Name}, nil
+			},
+		},
+	}
+}
+
+func SDKListBalancesHandlers(sdk *formance.Formance) []ListBalancesHandler {
+	return []ListBalancesHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListBalancesInput) (ListBalancesOutput, error) {
+				response, err := sdk.Wallets.V1.ListBalances(ctx, operations.ListBalancesRequest{ID: input.WalletID})
+				if err != nil {
+					return ListBalancesOutput{}, err
+				}
+				if response.ListBalancesResponse == nil {
+					return ListBalancesOutput{}, fmt.Errorf("wallets v1 list balances returned no cursor")
+				}
+				return fromBalancesCursor(input.WalletID, response.ListBalancesResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetBalanceHandlers(sdk *formance.Formance) []GetBalanceHandler {
+	return []GetBalanceHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetBalanceInput) (GetBalanceOutput, error) {
+				response, err := sdk.Wallets.V1.GetBalance(ctx, operations.GetBalanceRequest{ID: input.WalletID, BalanceName: input.BalanceName})
+				if err != nil {
+					return GetBalanceOutput{}, err
+				}
+				if response.GetBalanceResponse == nil {
+					return GetBalanceOutput{}, fmt.Errorf("wallets v1 get balance returned no data")
+				}
+				return GetBalanceOutput{WalletID: input.WalletID, Balance: fromBalanceWithAssets(response.GetBalanceResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKListHoldsHandlers(sdk *formance.Formance) []ListHoldsHandler {
+	return []ListHoldsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListHoldsInput) (ListHoldsOutput, error) {
+				response, err := sdk.Wallets.V1.GetHolds(ctx, operations.GetHoldsRequest{
+					PageSize: optionalInt64(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					WalletID: optionalString(input.WalletID),
+					Metadata: input.Metadata,
+				})
+				if err != nil {
+					return ListHoldsOutput{}, err
+				}
+				if response.GetHoldsResponse == nil {
+					return ListHoldsOutput{}, fmt.Errorf("wallets v1 list holds returned no cursor")
+				}
+				return fromHoldsCursor(response.GetHoldsResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func SDKGetHoldHandlers(sdk *formance.Formance) []GetHoldHandler {
+	return []GetHoldHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input GetHoldInput) (GetHoldOutput, error) {
+				response, err := sdk.Wallets.V1.GetHold(ctx, operations.GetHoldRequest{HoldID: input.HoldID})
+				if err != nil {
+					return GetHoldOutput{}, err
+				}
+				if response.GetHoldResponse == nil {
+					return GetHoldOutput{}, fmt.Errorf("wallets v1 get hold returned no data")
+				}
+				return GetHoldOutput{Hold: fromExpandedHold(response.GetHoldResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKVoidHoldHandlers(sdk *formance.Formance) []HoldActionHandler {
+	return []HoldActionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input HoldActionInput) (HoldActionOutput, error) {
+				_, err := sdk.Wallets.V1.VoidHold(ctx, operations.VoidHoldRequest{
+					HoldID:         input.HoldID,
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+				})
+				if err != nil {
+					return HoldActionOutput{}, err
+				}
+				return HoldActionOutput{HoldID: input.HoldID}, nil
+			},
+		},
+	}
+}
+
+func SDKConfirmHoldHandlers(sdk *formance.Formance) []HoldActionHandler {
+	return []HoldActionHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input HoldActionInput) (HoldActionOutput, error) {
+				_, err := sdk.Wallets.V1.ConfirmHold(ctx, operations.ConfirmHoldRequest{
+					HoldID:         input.HoldID,
+					IdempotencyKey: optionalString(input.IdempotencyKey),
+					ConfirmHoldRequest: &shared.ConfirmHoldRequest{
+						Amount: input.Amount,
+						Final:  input.Final,
+					},
+				})
+				if err != nil {
+					return HoldActionOutput{}, err
+				}
+				return HoldActionOutput{HoldID: input.HoldID}, nil
+			},
+		},
+	}
+}
+
+func SDKListTransactionsHandlers(sdk *formance.Formance) []ListTransactionsHandler {
+	return []ListTransactionsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+				response, err := sdk.Wallets.V1.GetTransactions(ctx, operations.GetTransactionsRequest{
+					PageSize: optionalInt64(input.PageSize),
+					Cursor:   optionalString(input.Cursor),
+					WalletID: optionalString(input.WalletID),
+				})
+				if err != nil {
+					return ListTransactionsOutput{}, err
+				}
+				if response.GetTransactionsResponse == nil {
+					return ListTransactionsOutput{}, fmt.Errorf("wallets v1 list transactions returned no cursor")
+				}
+				return fromTransactionsCursor(response.GetTransactionsResponse.Cursor), nil
+			},
+		},
+	}
+}
+
+func fromWalletsCursor(cursor shared.ListWalletsResponseCursor) ListWalletsOutput {
+	wallets := make([]WalletSummary, 0, len(cursor.Data))
+	for _, wallet := range cursor.Data {
+		wallets = append(wallets, fromWallet(wallet))
+	}
+	hasMore := false
+	if cursor.HasMore != nil {
+		hasMore = *cursor.HasMore
+	}
+	return ListWalletsOutput{
+		Wallets:  wallets,
+		HasMore:  hasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromBalancesCursor(walletID string, cursor shared.ListBalancesResponseCursor) ListBalancesOutput {
+	balances := make([]BalanceSummary, 0, len(cursor.Data))
+	for _, balance := range cursor.Data {
+		balances = append(balances, fromBalance(balance))
+	}
+	hasMore := false
+	if cursor.HasMore != nil {
+		hasMore = *cursor.HasMore
+	}
+	return ListBalancesOutput{
+		WalletID: walletID,
+		Balances: balances,
+		HasMore:  hasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromHoldsCursor(cursor shared.GetHoldsResponseCursor) ListHoldsOutput {
+	holds := make([]HoldSummary, 0, len(cursor.Data))
+	for _, hold := range cursor.Data {
+		holds = append(holds, fromHold(hold))
+	}
+	hasMore := false
+	if cursor.HasMore != nil {
+		hasMore = *cursor.HasMore
+	}
+	return ListHoldsOutput{
+		Holds:    holds,
+		HasMore:  hasMore,
+		PageSize: cursor.PageSize,
+		Next:     cursor.Next,
+		Previous: cursor.Previous,
+	}
+}
+
+func fromHold(hold shared.Hold) HoldSummary {
+	return HoldSummary{
+		ID:          hold.ID,
+		WalletID:    hold.WalletID,
+		Asset:       hold.Asset,
+		Description: hold.Description,
+		Metadata:    hold.Metadata,
+	}
+}
+
+func fromExpandedHold(hold shared.ExpandedDebitHold) HoldSummary {
+	originalAmount := ""
+	if hold.OriginalAmount != nil {
+		originalAmount = hold.OriginalAmount.String()
+	}
+	remaining := ""
+	if hold.Remaining != nil {
+		remaining = hold.Remaining.String()
+	}
+	return HoldSummary{
+		ID:             hold.ID,
+		WalletID:       hold.WalletID,
+		Asset:          hold.Asset,
+		Description:    hold.Description,
+		OriginalAmount: originalAmount,
+		Remaining:      remaining,
+		Metadata:       hold.Metadata,
+	}
+}
+
+func fromTransactionsCursor(cursor shared.GetTransactionsResponseCursor) ListTransactionsOutput {
+	transactions := make([]TransactionSummary, 0, len(cursor.Data))
+	for _, transaction := range cursor.Data {
+		transactions = append(transactions, fromWalletTransaction(transaction))
+	}
+	hasMore := false
+	if cursor.HasMore != nil {
+		hasMore = *cursor.HasMore
+	}
+	return ListTransactionsOutput{
+		Transactions: transactions,
+		HasMore:      hasMore,
+		PageSize:     cursor.PageSize,
+		Next:         cursor.Next,
+		Previous:     cursor.Previous,
+	}
+}
+
+func fromWalletTransaction(transaction shared.WalletsTransaction) TransactionSummary {
+	ledger := ""
+	if transaction.Ledger != nil {
+		ledger = *transaction.Ledger
+	}
+	reference := ""
+	if transaction.Reference != nil {
+		reference = *transaction.Reference
+	}
+	return TransactionSummary{
+		ID:        transaction.ID,
+		Ledger:    ledger,
+		Reference: reference,
+		Timestamp: transaction.Timestamp,
+		Metadata:  transaction.Metadata,
+	}
+}
+
+func fromBalance(balance shared.Balance) BalanceSummary {
+	priority := ""
+	if balance.Priority != nil {
+		priority = balance.Priority.String()
+	}
+	return BalanceSummary{
+		Name:      balance.Name,
+		Priority:  priority,
+		ExpiresAt: balance.ExpiresAt,
+	}
+}
+
+func fromBalanceWithAssets(balance shared.BalanceWithAssets) BalanceSummary {
+	priority := ""
+	if balance.Priority != nil {
+		priority = balance.Priority.String()
+	}
+	return BalanceSummary{
+		Name:      balance.Name,
+		Priority:  priority,
+		ExpiresAt: balance.ExpiresAt,
+		Assets:    balance.Assets,
+	}
+}
+
+func fromWallet(wallet shared.Wallet) WalletSummary {
+	return WalletSummary{
+		ID:        wallet.ID,
+		Name:      wallet.Name,
+		Ledger:    wallet.Ledger,
+		CreatedAt: wallet.CreatedAt,
+		Metadata:  wallet.Metadata,
+	}
+}
+
+func fromWalletWithBalances(wallet shared.WalletWithBalances) WalletSummary {
+	return WalletSummary{
+		ID:        wallet.ID,
+		Name:      wallet.Name,
+		Ledger:    wallet.Ledger,
+		CreatedAt: wallet.CreatedAt,
+		Metadata:  wallet.Metadata,
+	}
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
+
+func optionalInt64(value int64) *int64 {
+	if value == 0 {
+		return nil
+	}
+	return &value
+}
+
+func optionalStringSlice(value string) []string {
+	if value == "" {
+		return nil
+	}
+	return []string{value}
+}
diff --git a/v4/internal/commands/wallets/wallets_test.go b/v4/internal/commands/wallets/wallets_test.go
new file mode 100644
index 00000000..2365f7fe
--- /dev/null
+++ b/v4/internal/commands/wallets/wallets_test.go
@@ -0,0 +1,344 @@
+package wallets
+
+import (
+	"context"
+	"math/big"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+func TestCreateWalletServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreateWalletService{
+		Handlers: []CreateWalletHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input CreateWalletInput) (CreateWalletOutput, error) {
+					if input.Name != "Main" || input.Metadata["env"] != "dev" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreateWalletOutput{WalletID: "wallet_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreateWalletInput{Name: "Main", Metadata: map[string]string{"env": "dev"}})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.WalletID != "wallet_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateWalletServiceRequiresName(t *testing.T) {
+	service := CreateWalletService{
+		Handlers: []CreateWalletHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateWalletInput{}); err == nil {
+		t.Fatal("expected wallet name validation error")
+	}
+}
+
+func TestListWalletsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListWalletsService{
+		Handlers: []ListWalletsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input ListWalletsInput) (ListWalletsOutput, error) {
+					if input.PageSize != 10 || input.Cursor != "cursor" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListWalletsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListWalletsInput{PageSize: 10, Cursor: "cursor"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestGetWalletServiceRequiresID(t *testing.T) {
+	service := GetWalletService{
+		Handlers: []GetWalletHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetWalletInput{}); err == nil {
+		t.Fatal("expected wallet id validation error")
+	}
+}
+
+func TestUpdateWalletServiceRequiresMetadata(t *testing.T) {
+	service := UpdateWalletService{
+		Handlers: []UpdateWalletHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), UpdateWalletInput{WalletID: "wallet_1"}); err == nil {
+		t.Fatal("expected metadata validation error")
+	}
+}
+
+func TestCreditWalletServiceRequiresExplicitWalletID(t *testing.T) {
+	service := CreditWalletService{
+		Handlers: []WalletMovementHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), WalletMovementInput{Amount: big.NewInt(100), Asset: "USD/2"}); err == nil {
+		t.Fatal("expected wallet id validation error")
+	}
+}
+
+func TestDebitWalletServiceSelectsResolvedHandler(t *testing.T) {
+	service := DebitWalletService{
+		Handlers: []WalletMovementHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input WalletMovementInput) (WalletMovementOutput, error) {
+					if input.WalletID != "wallet_1" || input.Amount.String() != "100" || input.Asset != "USD/2" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return WalletMovementOutput{WalletID: input.WalletID, HoldID: "hold_1"}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), WalletMovementInput{WalletID: "wallet_1", Amount: big.NewInt(100), Asset: "USD/2"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.HoldID != "hold_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateBalanceServiceSelectsResolvedHandler(t *testing.T) {
+	service := CreateBalanceService{
+		Handlers: []CreateBalanceHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input CreateBalanceInput) (CreateBalanceOutput, error) {
+					if input.WalletID != "wallet_1" || input.Name != "main" || input.Priority.String() != "10" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return CreateBalanceOutput{BalanceName: input.Name}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), CreateBalanceInput{WalletID: "wallet_1", Name: "main", Priority: big.NewInt(10)})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.WalletID != "wallet_1" || output.BalanceName != "main" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestCreateBalanceServiceRequiresExplicitWalletID(t *testing.T) {
+	service := CreateBalanceService{
+		Handlers: []CreateBalanceHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), CreateBalanceInput{Name: "main"}); err == nil {
+		t.Fatal("expected wallet id validation error")
+	}
+}
+
+func TestListBalancesServiceRequiresExplicitWalletID(t *testing.T) {
+	service := ListBalancesService{
+		Handlers: []ListBalancesHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), ListBalancesInput{}); err == nil {
+		t.Fatal("expected wallet id validation error")
+	}
+}
+
+func TestGetBalanceServiceRequiresBalanceName(t *testing.T) {
+	service := GetBalanceService{
+		Handlers: []GetBalanceHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetBalanceInput{WalletID: "wallet_1"}); err == nil {
+		t.Fatal("expected balance name validation error")
+	}
+}
+
+func TestListHoldsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListHoldsService{
+		Handlers: []ListHoldsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input ListHoldsInput) (ListHoldsOutput, error) {
+					if input.PageSize != 10 || input.WalletID != "wallet_1" || input.Metadata["env"] != "dev" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListHoldsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListHoldsInput{PageSize: 10, WalletID: "wallet_1", Metadata: map[string]string{"env": "dev"}})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestGetHoldServiceRequiresHoldID(t *testing.T) {
+	service := GetHoldService{
+		Handlers: []GetHoldHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), GetHoldInput{}); err == nil {
+		t.Fatal("expected hold id validation error")
+	}
+}
+
+func TestConfirmHoldServiceSelectsResolvedHandler(t *testing.T) {
+	service := ConfirmHoldService{
+		Handlers: []HoldActionHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input HoldActionInput) (HoldActionOutput, error) {
+					if input.HoldID != "hold_1" || input.Amount.String() != "100" || input.Final == nil || !*input.Final {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return HoldActionOutput{HoldID: input.HoldID}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	final := true
+	output, err := service.Run(context.Background(), HoldActionInput{HoldID: "hold_1", Amount: big.NewInt(100), Final: &final})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.HoldID != "hold_1" {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func TestVoidHoldServiceRequiresHoldID(t *testing.T) {
+	service := VoidHoldService{
+		Handlers: []HoldActionHandler{{APIVersion: "v1"}},
+		Resolve: func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			t.Fatal("resolver should not run")
+			return "", nil
+		},
+	}
+
+	if _, err := service.Run(context.Background(), HoldActionInput{}); err == nil {
+		t.Fatal("expected hold id validation error")
+	}
+}
+
+func TestListTransactionsServiceSelectsResolvedHandler(t *testing.T) {
+	service := ListTransactionsService{
+		Handlers: []ListTransactionsHandler{
+			{
+				APIVersion: "v1",
+				Run: func(_ context.Context, input ListTransactionsInput) (ListTransactionsOutput, error) {
+					if input.PageSize != 10 || input.WalletID != "wallet_1" {
+						t.Fatalf("unexpected input: %#v", input)
+					}
+					return ListTransactionsOutput{PageSize: input.PageSize}, nil
+				},
+			},
+		},
+		Resolve: func(_ context.Context, versions []capabilities.APIVersion) (capabilities.APIVersion, error) {
+			assertAPIVersions(t, versions, []capabilities.APIVersion{"v1"})
+			return "v1", nil
+		},
+	}
+
+	output, err := service.Run(context.Background(), ListTransactionsInput{PageSize: 10, WalletID: "wallet_1"})
+	if err != nil {
+		t.Fatalf("run service: %v", err)
+	}
+	if output.APIVersion != "v1" || output.PageSize != 10 {
+		t.Fatalf("unexpected output: %#v", output)
+	}
+}
+
+func assertAPIVersions(t *testing.T, got []capabilities.APIVersion, want []capabilities.APIVersion) {
+	t.Helper()
+	if len(got) != len(want) {
+		t.Fatalf("expected versions %v, got %v", want, got)
+	}
+	for i := range got {
+		if got[i] != want[i] {
+			t.Fatalf("expected versions %v, got %v", want, got)
+		}
+	}
+}
diff --git a/v4/internal/commands/webhooks/webhooks.go b/v4/internal/commands/webhooks/webhooks.go
new file mode 100644
index 00000000..de935a63
--- /dev/null
+++ b/v4/internal/commands/webhooks/webhooks.go
@@ -0,0 +1,408 @@
+package webhooks
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	formance "github.com/formancehq/formance-sdk-go/v3"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/operations"
+	"github.com/formancehq/formance-sdk-go/v3/pkg/models/shared"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+const (
+	ProductWebhooks capabilities.Product = "webhooks"
+
+	FeatureActivateConfig     capabilities.Feature = "activateConfig"
+	FeatureChangeConfigSecret capabilities.Feature = "changeConfigSecret"
+	FeatureDeactivateConfig   capabilities.Feature = "deactivateConfig"
+	FeatureDeleteConfig       capabilities.Feature = "deleteConfig"
+	FeatureGetManyConfigs     capabilities.Feature = "getManyConfigs"
+	FeatureInsertConfig       capabilities.Feature = "insertConfig"
+)
+
+type ConfigSummary struct {
+	ID         string    `json:"id" yaml:"id"`
+	Endpoint   string    `json:"endpoint" yaml:"endpoint"`
+	EventTypes []string  `json:"eventTypes" yaml:"eventTypes"`
+	Active     bool      `json:"active" yaml:"active"`
+	CreatedAt  time.Time `json:"createdAt,omitempty" yaml:"createdAt,omitempty"`
+	UpdatedAt  time.Time `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty"`
+}
+
+type ConfigInput struct {
+	ConfigID   string
+	Endpoint   string
+	EventTypes []string
+	Name       *string
+	Secret     *string
+}
+
+type ListConfigsInput struct {
+	ConfigID string
+	Endpoint string
+}
+
+type ListConfigsOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Configs    []ConfigSummary         `json:"configs" yaml:"configs"`
+	HasMore    bool                    `json:"hasMore" yaml:"hasMore"`
+}
+
+type ConfigOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	Config     ConfigSummary           `json:"config" yaml:"config"`
+}
+
+type ConfigIDInput struct {
+	ConfigID string
+}
+
+type DeleteConfigOutput struct {
+	APIVersion capabilities.APIVersion `json:"apiVersion" yaml:"apiVersion"`
+	ConfigID   string                  `json:"configID" yaml:"configID"`
+}
+
+type ChangeSecretInput struct {
+	ConfigID string
+	Secret   string
+}
+
+type ListConfigsHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ListConfigsInput) (ListConfigsOutput, error)
+}
+
+type ConfigHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ConfigInput) (ConfigOutput, error)
+}
+
+type ConfigIDHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ConfigIDInput) (ConfigOutput, error)
+}
+
+type DeleteConfigHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ConfigIDInput) (DeleteConfigOutput, error)
+}
+
+type ChangeSecretHandler struct {
+	APIVersion capabilities.APIVersion
+	Run        func(context.Context, ChangeSecretInput) (ConfigOutput, error)
+}
+
+type ListConfigsService struct {
+	Handlers []ListConfigsHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type InsertConfigService struct {
+	Handlers []ConfigHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ActivateConfigService struct {
+	Handlers []ConfigIDHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeactivateConfigService struct {
+	Handlers []ConfigIDHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type DeleteConfigService struct {
+	Handlers []DeleteConfigHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+type ChangeSecretService struct {
+	Handlers []ChangeSecretHandler
+	Resolve  func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error)
+}
+
+func (s ListConfigsService) Run(ctx context.Context, input ListConfigsInput) (ListConfigsOutput, error) {
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ListConfigsHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ListConfigsOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ListConfigsOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s InsertConfigService) Run(ctx context.Context, input ConfigInput) (ConfigOutput, error) {
+	if input.Endpoint == "" {
+		return ConfigOutput{}, fmt.Errorf("webhook endpoint is required")
+	}
+	if len(input.EventTypes) == 0 {
+		return ConfigOutput{}, fmt.Errorf("at least one event type is required")
+	}
+	return runConfigService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s ActivateConfigService) Run(ctx context.Context, input ConfigIDInput) (ConfigOutput, error) {
+	return runConfigIDService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s DeactivateConfigService) Run(ctx context.Context, input ConfigIDInput) (ConfigOutput, error) {
+	return runConfigIDService(ctx, input, s.Handlers, s.Resolve)
+}
+
+func (s DeleteConfigService) Run(ctx context.Context, input ConfigIDInput) (DeleteConfigOutput, error) {
+	if input.ConfigID == "" {
+		return DeleteConfigOutput{}, fmt.Errorf("config id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler DeleteConfigHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return DeleteConfigOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return DeleteConfigOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func (s ChangeSecretService) Run(ctx context.Context, input ChangeSecretInput) (ConfigOutput, error) {
+	if input.ConfigID == "" {
+		return ConfigOutput{}, fmt.Errorf("config id is required")
+	}
+	if input.Secret == "" {
+		return ConfigOutput{}, fmt.Errorf("webhook secret is required")
+	}
+	handler, selected, err := resolveHandler(ctx, s.Handlers, s.Resolve, func(handler ChangeSecretHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ConfigOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ConfigOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func runConfigService(
+	ctx context.Context,
+	input ConfigInput,
+	serviceHandlers []ConfigHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (ConfigOutput, error) {
+	handler, selected, err := resolveHandler(ctx, serviceHandlers, resolve, func(handler ConfigHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ConfigOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ConfigOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func runConfigIDService(
+	ctx context.Context,
+	input ConfigIDInput,
+	serviceHandlers []ConfigIDHandler,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+) (ConfigOutput, error) {
+	if input.ConfigID == "" {
+		return ConfigOutput{}, fmt.Errorf("config id is required")
+	}
+	handler, selected, err := resolveHandler(ctx, serviceHandlers, resolve, func(handler ConfigIDHandler) capabilities.APIVersion {
+		return handler.APIVersion
+	})
+	if err != nil {
+		return ConfigOutput{}, err
+	}
+	output, err := handler.Run(ctx, input)
+	if err != nil {
+		return ConfigOutput{}, err
+	}
+	output.APIVersion = selected
+	return output, nil
+}
+
+func resolveHandler[H any](
+	ctx context.Context,
+	serviceHandlers []H,
+	resolve func(context.Context, []capabilities.APIVersion) (capabilities.APIVersion, error),
+	versionOf func(H) capabilities.APIVersion,
+) (H, capabilities.APIVersion, error) {
+	var zero H
+	handlerVersions := make([]capabilities.APIVersion, 0, len(serviceHandlers))
+	handlers := map[capabilities.APIVersion]H{}
+	for _, handler := range serviceHandlers {
+		version := versionOf(handler)
+		handlerVersions = append(handlerVersions, version)
+		handlers[version] = handler
+	}
+	selected, err := resolve(ctx, handlerVersions)
+	if err != nil {
+		return zero, "", err
+	}
+	handler, ok := handlers[selected]
+	if !ok {
+		return zero, "", fmt.Errorf("resolved api version %s has no handler", selected)
+	}
+	return handler, selected, nil
+}
+
+func SDKListConfigsHandlers(sdk *formance.Formance) []ListConfigsHandler {
+	return []ListConfigsHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ListConfigsInput) (ListConfigsOutput, error) {
+				response, err := sdk.Webhooks.V1.GetManyConfigs(ctx, operations.GetManyConfigsRequest{
+					ID:       optionalString(input.ConfigID),
+					Endpoint: optionalString(input.Endpoint),
+				})
+				if err != nil {
+					return ListConfigsOutput{}, err
+				}
+				if response.ConfigsResponse == nil {
+					return ListConfigsOutput{}, fmt.Errorf("webhooks v1 list configs returned no data")
+				}
+				cursor := response.ConfigsResponse.Cursor
+				configs := make([]ConfigSummary, 0, len(cursor.Data))
+				for _, config := range cursor.Data {
+					configs = append(configs, fromConfig(config))
+				}
+				return ListConfigsOutput{Configs: configs, HasMore: cursor.HasMore}, nil
+			},
+		},
+	}
+}
+
+func SDKInsertConfigHandlers(sdk *formance.Formance) []ConfigHandler {
+	return []ConfigHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ConfigInput) (ConfigOutput, error) {
+				response, err := sdk.Webhooks.V1.InsertConfig(ctx, configUser(input))
+				if err != nil {
+					return ConfigOutput{}, err
+				}
+				if response.ConfigResponse == nil {
+					return ConfigOutput{}, fmt.Errorf("webhooks v1 insert config returned no data")
+				}
+				return ConfigOutput{Config: fromConfig(response.ConfigResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKActivateConfigHandlers(sdk *formance.Formance) []ConfigIDHandler {
+	return []ConfigIDHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ConfigIDInput) (ConfigOutput, error) {
+				response, err := sdk.Webhooks.V1.ActivateConfig(ctx, operations.ActivateConfigRequest{ID: input.ConfigID})
+				if err != nil {
+					return ConfigOutput{}, err
+				}
+				if response.ConfigResponse == nil {
+					return ConfigOutput{}, fmt.Errorf("webhooks v1 activate config returned no data")
+				}
+				return ConfigOutput{Config: fromConfig(response.ConfigResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeactivateConfigHandlers(sdk *formance.Formance) []ConfigIDHandler {
+	return []ConfigIDHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ConfigIDInput) (ConfigOutput, error) {
+				response, err := sdk.Webhooks.V1.DeactivateConfig(ctx, operations.DeactivateConfigRequest{ID: input.ConfigID})
+				if err != nil {
+					return ConfigOutput{}, err
+				}
+				if response.ConfigResponse == nil {
+					return ConfigOutput{}, fmt.Errorf("webhooks v1 deactivate config returned no data")
+				}
+				return ConfigOutput{Config: fromConfig(response.ConfigResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func SDKDeleteConfigHandlers(sdk *formance.Formance) []DeleteConfigHandler {
+	return []DeleteConfigHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ConfigIDInput) (DeleteConfigOutput, error) {
+				if _, err := sdk.Webhooks.V1.DeleteConfig(ctx, operations.DeleteConfigRequest{ID: input.ConfigID}); err != nil {
+					return DeleteConfigOutput{}, err
+				}
+				return DeleteConfigOutput{ConfigID: input.ConfigID}, nil
+			},
+		},
+	}
+}
+
+func SDKChangeSecretHandlers(sdk *formance.Formance) []ChangeSecretHandler {
+	return []ChangeSecretHandler{
+		{
+			APIVersion: "v1",
+			Run: func(ctx context.Context, input ChangeSecretInput) (ConfigOutput, error) {
+				response, err := sdk.Webhooks.V1.ChangeConfigSecret(ctx, operations.ChangeConfigSecretRequest{
+					ID:                 input.ConfigID,
+					ConfigChangeSecret: &shared.ConfigChangeSecret{Secret: input.Secret},
+				})
+				if err != nil {
+					return ConfigOutput{}, err
+				}
+				if response.ConfigResponse == nil {
+					return ConfigOutput{}, fmt.Errorf("webhooks v1 change config secret returned no data")
+				}
+				return ConfigOutput{Config: fromConfig(response.ConfigResponse.Data)}, nil
+			},
+		},
+	}
+}
+
+func configUser(input ConfigInput) shared.ConfigUser {
+	return shared.ConfigUser{
+		Endpoint:   input.Endpoint,
+		EventTypes: input.EventTypes,
+		Name:       input.Name,
+		Secret:     input.Secret,
+	}
+}
+
+func fromConfig(config shared.WebhooksConfig) ConfigSummary {
+	return ConfigSummary{
+		ID:         config.ID,
+		Endpoint:   config.Endpoint,
+		EventTypes: config.EventTypes,
+		Active:     config.Active,
+		CreatedAt:  config.CreatedAt,
+		UpdatedAt:  config.UpdatedAt,
+	}
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
diff --git a/v4/internal/config/config.go b/v4/internal/config/config.go
new file mode 100644
index 00000000..d588b609
--- /dev/null
+++ b/v4/internal/config/config.go
@@ -0,0 +1,283 @@
+// Package config owns the fctl v4 context configuration format, validation,
+// persistence, and migration-facing types.
+package config
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	Version = 4
+
+	EnvContext              = "FCTL_CONTEXT"
+	DefaultCloudContextName = "formance-cloud"
+	DefaultCloudURL         = "https://app.formance.cloud/api"
+)
+
+type ContextKind string
+
+const (
+	ContextKindStack      ContextKind = "stack"
+	ContextKindCloud      ContextKind = "cloud"
+	ContextKindCloudStack ContextKind = "cloud-stack"
+)
+
+type AuthMethod string
+
+const (
+	AuthMethodCloudDevice       AuthMethod = "cloud_device"
+	AuthMethodOIDCDevice        AuthMethod = "oidc_device"
+	AuthMethodClientCredentials AuthMethod = "client_credentials"
+	AuthMethodToken             AuthMethod = "token"
+	AuthMethodNone              AuthMethod = "none"
+)
+
+type APIPolicy string
+
+const (
+	APIPolicyLatestCompatible APIPolicy = "latest-compatible"
+	APIPolicyPinned           APIPolicy = "pinned"
+	APIPolicyLatest           APIPolicy = "latest"
+)
+
+type Config struct {
+	Version        int                `json:"version" yaml:"version"`
+	CurrentContext string             `json:"currentContext,omitempty" yaml:"currentContext,omitempty"`
+	Contexts       map[string]Context `json:"contexts,omitempty" yaml:"contexts,omitempty"`
+}
+
+type Context struct {
+	Kind         ContextKind       `json:"kind" yaml:"kind"`
+	StackURL     string            `json:"stackURL,omitempty" yaml:"stackURL,omitempty"`
+	CloudURL     string            `json:"cloudURL,omitempty" yaml:"cloudURL,omitempty"`
+	Organization string            `json:"organization,omitempty" yaml:"organization,omitempty"`
+	Stack        string            `json:"stack,omitempty" yaml:"stack,omitempty"`
+	Auth         Auth              `json:"auth" yaml:"auth"`
+	Defaults     map[string]string `json:"defaults,omitempty" yaml:"defaults,omitempty"`
+	API          map[string]string `json:"api,omitempty" yaml:"api,omitempty"`
+}
+
+type Auth struct {
+	Method    AuthMethod `json:"method" yaml:"method"`
+	IssuerURL string     `json:"issuerURL,omitempty" yaml:"issuerURL,omitempty"`
+	ClientID  string     `json:"clientID,omitempty" yaml:"clientID,omitempty"`
+	SecretRef string     `json:"secretRef,omitempty" yaml:"secretRef,omitempty"`
+	TokenRef  string     `json:"tokenRef,omitempty" yaml:"tokenRef,omitempty"`
+	Account   string     `json:"account,omitempty" yaml:"account,omitempty"`
+	Scopes    []string   `json:"scopes,omitempty" yaml:"scopes,omitempty"`
+	Resources []string   `json:"resources,omitempty" yaml:"resources,omitempty"`
+}
+
+type ContextOverride struct {
+	Name         string
+	Organization string
+	Stack        string
+}
+
+func New() Config {
+	return Config{
+		Version:  Version,
+		Contexts: map[string]Context{},
+	}
+}
+
+func DefaultCloudContext() Context {
+	return Context{
+		Kind:     ContextKindCloud,
+		CloudURL: DefaultCloudURL,
+		Auth:     Auth{Method: AuthMethodNone},
+	}
+}
+
+func LoadFile(path string) (Config, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return Config{}, err
+	}
+
+	var cfg Config
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return Config{}, fmt.Errorf("parse config: %w", err)
+	}
+	if err := cfg.Validate(); err != nil {
+		return Config{}, err
+	}
+	return cfg, nil
+}
+
+func SaveFile(path string, cfg Config) error {
+	if err := cfg.Validate(); err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return fmt.Errorf("create config directory: %w", err)
+	}
+
+	data, err := yaml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("marshal config: %w", err)
+	}
+	if err := os.WriteFile(path, data, 0o600); err != nil {
+		return fmt.Errorf("write config: %w", err)
+	}
+	return nil
+}
+
+func (c Config) Validate() error {
+	var errs []error
+
+	if c.Version != Version {
+		errs = append(errs, fmt.Errorf("unsupported config version %d", c.Version))
+	}
+	if len(c.Contexts) == 0 {
+		errs = append(errs, errors.New("at least one context is required"))
+	}
+	if c.CurrentContext != "" {
+		if _, ok := c.Contexts[c.CurrentContext]; !ok {
+			errs = append(errs, fmt.Errorf("current context %q does not exist", c.CurrentContext))
+		}
+	}
+
+	for name, context := range c.Contexts {
+		if strings.TrimSpace(name) == "" {
+			errs = append(errs, errors.New("context name cannot be empty"))
+			continue
+		}
+		if err := context.Validate(); err != nil {
+			errs = append(errs, fmt.Errorf("context %q: %w", name, err))
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
+func (c Context) Validate() error {
+	var errs []error
+
+	switch c.Kind {
+	case ContextKindStack:
+		if c.StackURL == "" {
+			errs = append(errs, errors.New("stackURL is required for stack contexts"))
+		}
+	case ContextKindCloud:
+		if c.CloudURL == "" {
+			errs = append(errs, errors.New("cloudURL is required for cloud contexts"))
+		}
+	case ContextKindCloudStack:
+		if c.CloudURL == "" {
+			errs = append(errs, errors.New("cloudURL is required for cloud-stack contexts"))
+		}
+		if c.Organization == "" {
+			errs = append(errs, errors.New("organization is required for cloud-stack contexts"))
+		}
+		if c.Stack == "" {
+			errs = append(errs, errors.New("stack is required for cloud-stack contexts"))
+		}
+	default:
+		errs = append(errs, fmt.Errorf("unsupported kind %q", c.Kind))
+	}
+
+	if err := c.Auth.Validate(); err != nil {
+		errs = append(errs, err)
+	}
+	for product, policy := range c.API {
+		if strings.TrimSpace(product) == "" {
+			errs = append(errs, errors.New("api product cannot be empty"))
+			continue
+		}
+		if err := ValidateAPIPolicy(policy); err != nil {
+			errs = append(errs, fmt.Errorf("api policy for %q: %w", product, err))
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
+func (a Auth) Validate() error {
+	switch a.Method {
+	case AuthMethodCloudDevice:
+		return nil
+	case AuthMethodOIDCDevice:
+		if a.IssuerURL == "" {
+			return errors.New("issuerURL is required for oidc_device auth")
+		}
+	case AuthMethodClientCredentials:
+		var errs []error
+		if a.IssuerURL == "" {
+			errs = append(errs, errors.New("issuerURL is required for client_credentials auth"))
+		}
+		if a.ClientID == "" {
+			errs = append(errs, errors.New("clientID is required for client_credentials auth"))
+		}
+		if a.SecretRef == "" {
+			errs = append(errs, errors.New("secretRef is required for client_credentials auth"))
+		}
+		return errors.Join(errs...)
+	case AuthMethodToken:
+		if a.TokenRef == "" {
+			return errors.New("tokenRef is required for token auth")
+		}
+	case AuthMethodNone:
+		return nil
+	default:
+		return fmt.Errorf("unsupported auth method %q", a.Method)
+	}
+	return nil
+}
+
+func ValidateAPIPolicy(policy string) error {
+	switch APIPolicy(policy) {
+	case APIPolicyLatestCompatible, APIPolicyPinned, APIPolicyLatest:
+		return nil
+	default:
+		return fmt.Errorf("unsupported api policy %q", policy)
+	}
+}
+
+func ResolveCurrentContext(cfg Config, override ContextOverride) (string, Context, error) {
+	name := override.Name
+	if name == "" {
+		name = cfg.CurrentContext
+	}
+	if name == "" {
+		switch len(cfg.Contexts) {
+		case 0:
+			return "", Context{}, errors.New("no contexts configured")
+		case 1:
+			for only := range cfg.Contexts {
+				name = only
+			}
+		default:
+			return "", Context{}, fmt.Errorf("no current context configured; available contexts: %s", strings.Join(cfg.ContextNames(), ", "))
+		}
+	}
+
+	context, ok := cfg.Contexts[name]
+	if !ok {
+		return "", Context{}, fmt.Errorf("context %q does not exist", name)
+	}
+	return name, context, nil
+}
+
+func ContextOverrideFromEnv(getenv func(string) string) ContextOverride {
+	if getenv == nil {
+		getenv = os.Getenv
+	}
+	return ContextOverride{Name: getenv(EnvContext)}
+}
+
+func (c Config) ContextNames() []string {
+	names := make([]string, 0, len(c.Contexts))
+	for name := range c.Contexts {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	return names
+}
diff --git a/v4/internal/config/config_test.go b/v4/internal/config/config_test.go
new file mode 100644
index 00000000..bb045b80
--- /dev/null
+++ b/v4/internal/config/config_test.go
@@ -0,0 +1,133 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func validConfig() Config {
+	return Config{
+		Version:        Version,
+		CurrentContext: "local",
+		Contexts: map[string]Context{
+			"local": {
+				Kind:     ContextKindStack,
+				StackURL: "http://localhost/api",
+				Auth: Auth{
+					Method:    AuthMethodClientCredentials,
+					IssuerURL: "http://localhost/api/auth",
+					ClientID:  "testing",
+					SecretRef: "keyring://formance/local/testing",
+				},
+				Defaults: map[string]string{"ledger": "default"},
+				API:      map[string]string{"ledger": string(APIPolicyLatestCompatible)},
+			},
+		},
+	}
+}
+
+func TestValidateAcceptsStackContext(t *testing.T) {
+	if err := validConfig().Validate(); err != nil {
+		t.Fatalf("expected valid config, got %v", err)
+	}
+}
+
+func TestValidateRejectsMissingCurrentContext(t *testing.T) {
+	cfg := validConfig()
+	cfg.CurrentContext = "missing"
+
+	err := cfg.Validate()
+	if err == nil || !strings.Contains(err.Error(), `current context "missing" does not exist`) {
+		t.Fatalf("expected missing current context error, got %v", err)
+	}
+}
+
+func TestValidateRejectsSecretInlineByRequiringReference(t *testing.T) {
+	cfg := validConfig()
+	cfg.Contexts["local"] = Context{
+		Kind:     ContextKindStack,
+		StackURL: "http://localhost/api",
+		Auth: Auth{
+			Method:    AuthMethodClientCredentials,
+			IssuerURL: "http://localhost/api/auth",
+			ClientID:  "testing",
+		},
+	}
+
+	err := cfg.Validate()
+	if err == nil || !strings.Contains(err.Error(), "secretRef is required") {
+		t.Fatalf("expected secretRef validation error, got %v", err)
+	}
+}
+
+func TestResolveCurrentContextUsesOverride(t *testing.T) {
+	cfg := validConfig()
+	cfg.Contexts["other"] = Context{
+		Kind:     ContextKindStack,
+		StackURL: "http://other/api",
+		Auth:     Auth{Method: AuthMethodNone},
+	}
+
+	name, context, err := ResolveCurrentContext(cfg, ContextOverride{Name: "other"})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if name != "other" || context.StackURL != "http://other/api" {
+		t.Fatalf("unexpected context resolution: %s %#v", name, context)
+	}
+}
+
+func TestResolveCurrentContextUsesSingleContextWhenCurrentUnset(t *testing.T) {
+	cfg := validConfig()
+	cfg.CurrentContext = ""
+
+	name, _, err := ResolveCurrentContext(cfg, ContextOverride{})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if name != "local" {
+		t.Fatalf("expected local context, got %q", name)
+	}
+}
+
+func TestContextOverrideFromEnv(t *testing.T) {
+	override := ContextOverrideFromEnv(func(key string) string {
+		if key != EnvContext {
+			t.Fatalf("unexpected env key %q", key)
+		}
+		return "local"
+	})
+	if override.Name != "local" {
+		t.Fatalf("expected local override, got %q", override.Name)
+	}
+}
+
+func TestLoadSaveFileRoundTrip(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "nested", "config.yaml")
+	cfg := validConfig()
+
+	if err := SaveFile(path, cfg); err != nil {
+		t.Fatalf("save config: %v", err)
+	}
+
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("stat config: %v", err)
+	}
+	if mode := info.Mode().Perm(); mode != 0o600 {
+		t.Fatalf("expected config mode 0600, got %o", mode)
+	}
+
+	loaded, err := LoadFile(path)
+	if err != nil {
+		t.Fatalf("load config: %v", err)
+	}
+	if loaded.CurrentContext != cfg.CurrentContext {
+		t.Fatalf("expected current context %q, got %q", cfg.CurrentContext, loaded.CurrentContext)
+	}
+	if loaded.Contexts["local"].Auth.SecretRef != cfg.Contexts["local"].Auth.SecretRef {
+		t.Fatalf("expected secret ref to round trip")
+	}
+}
diff --git a/v4/internal/config/v3migration.go b/v4/internal/config/v3migration.go
new file mode 100644
index 00000000..bc0216a5
--- /dev/null
+++ b/v4/internal/config/v3migration.go
@@ -0,0 +1,163 @@
+package config
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+type V3State struct {
+	Config   V3Config
+	Profiles map[string]V3Profile
+}
+
+type V3Config struct {
+	CurrentProfile string `json:"currentProfile" yaml:"currentProfile"`
+}
+
+type V3Profile struct {
+	MembershipURI       string          `json:"membershipURI" yaml:"membershipURI"`
+	RootTokens          json.RawMessage `json:"rootTokens" yaml:"rootTokens"`
+	DefaultOrganization string          `json:"defaultOrganization" yaml:"defaultOrganization"`
+	DefaultStack        string          `json:"defaultStack" yaml:"defaultStack"`
+}
+
+type MigrationPlan struct {
+	CurrentContext  string
+	Contexts        map[string]Context
+	CredentialMoves []CredentialMove
+}
+
+type CredentialMove struct {
+	Profile string
+	Ref     string
+	Value   string
+}
+
+func LoadV3State(dir string) (V3State, error) {
+	if dir == "" {
+		return V3State{}, errors.New("v3 config directory is required")
+	}
+
+	configBytes, err := os.ReadFile(filepath.Join(dir, "config.yml"))
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return V3State{}, fmt.Errorf("read v3 config: %w; --from must point to the fctl v3 config directory containing config.yml and profiles/", err)
+		}
+		return V3State{}, fmt.Errorf("read v3 config: %w", err)
+	}
+	var v3Config V3Config
+	if err := yaml.Unmarshal(configBytes, &v3Config); err != nil {
+		return V3State{}, fmt.Errorf("parse v3 config: %w", err)
+	}
+
+	profilesDir := filepath.Join(dir, "profiles")
+	entries, err := os.ReadDir(profilesDir)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return V3State{}, fmt.Errorf("read v3 profiles: %w; --from must point to the fctl v3 config directory containing config.yml and profiles/", err)
+		}
+		return V3State{}, fmt.Errorf("read v3 profiles: %w", err)
+	}
+
+	profiles := map[string]V3Profile{}
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+		name := entry.Name()
+		profileBytes, err := os.ReadFile(filepath.Join(profilesDir, name, "profile.json"))
+		if err != nil {
+			return V3State{}, fmt.Errorf("read v3 profile %q: %w", name, err)
+		}
+		var profile V3Profile
+		if err := json.Unmarshal(profileBytes, &profile); err != nil {
+			return V3State{}, fmt.Errorf("parse v3 profile %q: %w", name, err)
+		}
+		profiles[name] = profile
+	}
+
+	return V3State{Config: v3Config, Profiles: profiles}, nil
+}
+
+func PlanV3Migration(state V3State) (MigrationPlan, error) {
+	if len(state.Profiles) == 0 {
+		return MigrationPlan{}, errors.New("no v3 profiles found")
+	}
+
+	plan := MigrationPlan{
+		CurrentContext: state.Config.CurrentProfile,
+		Contexts:       map[string]Context{},
+	}
+	for name, profile := range state.Profiles {
+		cloudURL := profile.MembershipURI
+		if cloudURL == "" {
+			cloudURL = DefaultCloudURL
+		}
+
+		kind := ContextKindCloud
+		if profile.DefaultOrganization != "" && profile.DefaultStack != "" {
+			kind = ContextKindCloudStack
+		}
+
+		auth := Auth{Method: AuthMethodCloudDevice}
+		if len(profile.RootTokens) > 0 && string(profile.RootTokens) != "null" {
+			ref := "keyring://formance/fctl/" + name + "/rootTokens"
+			auth.TokenRef = ref
+			plan.CredentialMoves = append(plan.CredentialMoves, CredentialMove{
+				Profile: name,
+				Ref:     ref,
+				Value:   string(profile.RootTokens),
+			})
+		}
+
+		plan.Contexts[name] = Context{
+			Kind:         kind,
+			CloudURL:     cloudURL,
+			Organization: profile.DefaultOrganization,
+			Stack:        profile.DefaultStack,
+			Auth:         auth,
+			API: map[string]string{
+				"ledger": string(APIPolicyLatestCompatible),
+			},
+		}
+	}
+	if plan.CurrentContext == "" {
+		if _, ok := plan.Contexts["default"]; ok {
+			plan.CurrentContext = "default"
+		}
+	}
+	if plan.CurrentContext != "" {
+		if _, ok := plan.Contexts[plan.CurrentContext]; !ok {
+			return MigrationPlan{}, fmt.Errorf("current v3 profile %q has no matching profile", plan.CurrentContext)
+		}
+	}
+	return plan, nil
+}
+
+func (p MigrationPlan) Config() Config {
+	return Config{
+		Version:        Version,
+		CurrentContext: p.CurrentContext,
+		Contexts:       p.Contexts,
+	}
+}
+
+func WriteMigration(ctx context.Context, path string, plan MigrationPlan, store credentials.Store) error {
+	if len(plan.CredentialMoves) > 0 && store == nil {
+		return errors.New("credential store is required to migrate v3 tokens")
+	}
+	for _, move := range plan.CredentialMoves {
+		if err := store.Set(ctx, move.Ref, move.Value); err != nil {
+			return fmt.Errorf("store credential for profile %q: %w", move.Profile, err)
+		}
+	}
+	return SaveFile(path, plan.Config())
+}
diff --git a/v4/internal/config/v3migration_test.go b/v4/internal/config/v3migration_test.go
new file mode 100644
index 00000000..748cc232
--- /dev/null
+++ b/v4/internal/config/v3migration_test.go
@@ -0,0 +1,117 @@
+package config
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+func TestLoadAndPlanV3Migration(t *testing.T) {
+	dir := writeV3Fixture(t, true)
+
+	state, err := LoadV3State(dir)
+	if err != nil {
+		t.Fatalf("load v3 state: %v", err)
+	}
+	plan, err := PlanV3Migration(state)
+	if err != nil {
+		t.Fatalf("plan migration: %v", err)
+	}
+
+	if plan.CurrentContext != "default" {
+		t.Fatalf("expected current context default, got %q", plan.CurrentContext)
+	}
+	context := plan.Contexts["default"]
+	if context.Kind != ContextKindCloudStack {
+		t.Fatalf("expected cloud-stack context, got %q", context.Kind)
+	}
+	if context.CloudURL != "https://app.formance.cloud/api" ||
+		context.Organization != "org_123" ||
+		context.Stack != "stack_123" {
+		t.Fatalf("unexpected migrated context: %#v", context)
+	}
+	if len(plan.CredentialMoves) != 1 {
+		t.Fatalf("expected one credential move, got %d", len(plan.CredentialMoves))
+	}
+	if plan.CredentialMoves[0].Ref != context.Auth.TokenRef {
+		t.Fatalf("expected auth token ref to match credential move")
+	}
+	if err := plan.Config().Validate(); err != nil {
+		t.Fatalf("expected valid v4 config, got %v", err)
+	}
+}
+
+func TestWriteMigrationStoresCredentials(t *testing.T) {
+	dir := writeV3Fixture(t, true)
+	state, err := LoadV3State(dir)
+	if err != nil {
+		t.Fatalf("load v3 state: %v", err)
+	}
+	plan, err := PlanV3Migration(state)
+	if err != nil {
+		t.Fatalf("plan migration: %v", err)
+	}
+
+	store := credentials.NewMemoryStore()
+	output := filepath.Join(t.TempDir(), "config.yaml")
+	if err := WriteMigration(context.Background(), output, plan, store); err != nil {
+		t.Fatalf("write migration: %v", err)
+	}
+
+	loaded, err := LoadFile(output)
+	if err != nil {
+		t.Fatalf("load migrated config: %v", err)
+	}
+	if loaded.CurrentContext != "default" {
+		t.Fatalf("expected default current context, got %q", loaded.CurrentContext)
+	}
+
+	value, err := store.Get(context.Background(), plan.CredentialMoves[0].Ref)
+	if err != nil {
+		t.Fatalf("get migrated credential: %v", err)
+	}
+	if value == "" {
+		t.Fatalf("expected migrated credential value")
+	}
+}
+
+func TestLoadV3StateExplainsMissingConfigDirectory(t *testing.T) {
+	_, err := LoadV3State(t.TempDir())
+	if err == nil {
+		t.Fatal("expected missing v3 config error")
+	}
+	for _, expected := range []string{"read v3 config", "config.yml", "profiles/"} {
+		if !strings.Contains(err.Error(), expected) {
+			t.Fatalf("expected error to contain %q, got %v", expected, err)
+		}
+	}
+}
+
+func writeV3Fixture(t *testing.T, withTokens bool) string {
+	t.Helper()
+	dir := t.TempDir()
+	if err := os.MkdirAll(filepath.Join(dir, "profiles", "default"), 0o700); err != nil {
+		t.Fatalf("create fixture dirs: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "config.yml"), []byte(`{"currentProfile":"default"}`), 0o600); err != nil {
+		t.Fatalf("write v3 config: %v", err)
+	}
+	rootTokens := "null"
+	if withTokens {
+		rootTokens = `{"access":{"token":"access-token"},"id":{"token":"id-token"}}`
+	}
+	profile := `{
+	  "membershipURI": "https://app.formance.cloud/api",
+	  "rootTokens": ` + rootTokens + `,
+	  "defaultOrganization": "org_123",
+	  "defaultStack": "stack_123"
+	}`
+	if err := os.WriteFile(filepath.Join(dir, "profiles", "default", "profile.json"), []byte(profile), 0o600); err != nil {
+		t.Fatalf("write v3 profile: %v", err)
+	}
+	return dir
+}
diff --git a/v4/internal/credentials/store.go b/v4/internal/credentials/store.go
new file mode 100644
index 00000000..ff93fd87
--- /dev/null
+++ b/v4/internal/credentials/store.go
@@ -0,0 +1,133 @@
+// Package credentials abstracts secure and explicit-insecure secret storage for
+// authentication providers.
+package credentials
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+)
+
+var ErrNotFound = errors.New("credential not found")
+
+type Store interface {
+	Get(ctx context.Context, ref string) (string, error)
+	Set(ctx context.Context, ref string, value string) error
+	Delete(ctx context.Context, ref string) error
+}
+
+type MemoryStore struct {
+	mu      sync.RWMutex
+	secrets map[string]string
+}
+
+func NewMemoryStore() *MemoryStore {
+	return &MemoryStore{secrets: map[string]string{}}
+}
+
+func (s *MemoryStore) Get(_ context.Context, ref string) (string, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	value, ok := s.secrets[ref]
+	if !ok {
+		return "", fmt.Errorf("%w: %s", ErrNotFound, ref)
+	}
+	return value, nil
+}
+
+func (s *MemoryStore) Set(_ context.Context, ref string, value string) error {
+	if ref == "" {
+		return errors.New("credential ref cannot be empty")
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.secrets[ref] = value
+	return nil
+}
+
+func (s *MemoryStore) Delete(_ context.Context, ref string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.secrets, ref)
+	return nil
+}
+
+// InsecureFileStore stores secrets in plain text files. It is intended for
+// development and tests only, and must be selected explicitly by callers.
+type InsecureFileStore struct {
+	dir string
+}
+
+func NewInsecureFileStore(dir string) *InsecureFileStore {
+	return &InsecureFileStore{dir: dir}
+}
+
+func (s *InsecureFileStore) Get(_ context.Context, ref string) (string, error) {
+	path, err := s.path(ref)
+	if err != nil {
+		return "", err
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return "", fmt.Errorf("%w: %s", ErrNotFound, ref)
+		}
+		return "", fmt.Errorf("read credential: %w", err)
+	}
+	return string(data), nil
+}
+
+func (s *InsecureFileStore) Set(_ context.Context, ref string, value string) error {
+	path, err := s.path(ref)
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return fmt.Errorf("create credential directory: %w", err)
+	}
+	if err := os.WriteFile(path, []byte(value), 0o600); err != nil {
+		return fmt.Errorf("write credential: %w", err)
+	}
+	return nil
+}
+
+func (s *InsecureFileStore) Delete(_ context.Context, ref string) error {
+	path, err := s.path(ref)
+	if err != nil {
+		return err
+	}
+	if err := os.Remove(path); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return fmt.Errorf("delete credential: %w", err)
+	}
+	return nil
+}
+
+func (s *InsecureFileStore) path(ref string) (string, error) {
+	if s.dir == "" {
+		return "", errors.New("credential directory cannot be empty")
+	}
+	if ref == "" {
+		return "", errors.New("credential ref cannot be empty")
+	}
+	clean := filepath.Clean(ref)
+	if filepath.IsAbs(clean) || clean == "." || clean == ".." || hasPathTraversal(clean) {
+		return "", fmt.Errorf("invalid credential ref %q", ref)
+	}
+	return filepath.Join(s.dir, clean), nil
+}
+
+func hasPathTraversal(path string) bool {
+	for _, part := range strings.Split(filepath.ToSlash(path), "/") {
+		if part == ".." {
+			return true
+		}
+	}
+	return false
+}
diff --git a/v4/internal/credentials/store_test.go b/v4/internal/credentials/store_test.go
new file mode 100644
index 00000000..612a9f4f
--- /dev/null
+++ b/v4/internal/credentials/store_test.go
@@ -0,0 +1,74 @@
+package credentials
+
+import (
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestMemoryStoreRoundTrip(t *testing.T) {
+	ctx := context.Background()
+	store := NewMemoryStore()
+
+	if err := store.Set(ctx, "keyring://local/testing", "secret"); err != nil {
+		t.Fatalf("set credential: %v", err)
+	}
+
+	value, err := store.Get(ctx, "keyring://local/testing")
+	if err != nil {
+		t.Fatalf("get credential: %v", err)
+	}
+	if value != "secret" {
+		t.Fatalf("expected secret, got %q", value)
+	}
+
+	if err := store.Delete(ctx, "keyring://local/testing"); err != nil {
+		t.Fatalf("delete credential: %v", err)
+	}
+	if _, err := store.Get(ctx, "keyring://local/testing"); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("expected ErrNotFound, got %v", err)
+	}
+}
+
+func TestInsecureFileStoreRoundTrip(t *testing.T) {
+	ctx := context.Background()
+	dir := t.TempDir()
+	store := NewInsecureFileStore(dir)
+
+	if err := store.Set(ctx, "local/testing", "secret"); err != nil {
+		t.Fatalf("set credential: %v", err)
+	}
+
+	path := filepath.Join(dir, "local", "testing")
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("stat credential: %v", err)
+	}
+	if mode := info.Mode().Perm(); mode != 0o600 {
+		t.Fatalf("expected credential mode 0600, got %o", mode)
+	}
+
+	value, err := store.Get(ctx, "local/testing")
+	if err != nil {
+		t.Fatalf("get credential: %v", err)
+	}
+	if value != "secret" {
+		t.Fatalf("expected secret, got %q", value)
+	}
+
+	if err := store.Delete(ctx, "local/testing"); err != nil {
+		t.Fatalf("delete credential: %v", err)
+	}
+	if _, err := store.Get(ctx, "local/testing"); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("expected ErrNotFound, got %v", err)
+	}
+}
+
+func TestInsecureFileStoreRejectsTraversal(t *testing.T) {
+	store := NewInsecureFileStore(t.TempDir())
+	if err := store.Set(context.Background(), "../secret", "secret"); err == nil {
+		t.Fatal("expected traversal error")
+	}
+}
diff --git a/v4/internal/prompt/doc.go b/v4/internal/prompt/doc.go
new file mode 100644
index 00000000..eff46783
--- /dev/null
+++ b/v4/internal/prompt/doc.go
@@ -0,0 +1,3 @@
+// Package prompt contains optional interactive flows. Commands must remain
+// usable in non-interactive mode.
+package prompt
diff --git a/v4/internal/prompt/wizard.go b/v4/internal/prompt/wizard.go
new file mode 100644
index 00000000..a995c108
--- /dev/null
+++ b/v4/internal/prompt/wizard.go
@@ -0,0 +1,206 @@
+package prompt
+
+import (
+	"errors"
+	"io"
+	"os"
+
+	"github.com/charmbracelet/huh"
+	"github.com/charmbracelet/lipgloss"
+	"github.com/mattn/go-isatty"
+
+	v4render "github.com/formancehq/fctl/v4/internal/render"
+)
+
+type Choice struct {
+	Title string
+	Value string
+}
+
+var ErrCancelled = errors.New("prompt cancelled")
+
+type Wizard struct {
+	in          io.Reader
+	out         io.Writer
+	interactive bool
+	color       bool
+}
+
+func NewWizard(in io.Reader, out io.Writer) Wizard {
+	return NewWizardWithColor(in, out, true)
+}
+
+func NewWizardWithColor(in io.Reader, out io.Writer, color bool) Wizard {
+	return Wizard{
+		in:          in,
+		out:         out,
+		interactive: isTerminal(in) && isTerminal(out),
+		color:       color,
+	}
+}
+
+func (w Wizard) Available() bool {
+	return w.interactive
+}
+
+func (w Wizard) Select(title string, choices []Choice) (string, error) {
+	if !w.Available() {
+		return "", errors.New("interactive prompt is not available")
+	}
+	if len(choices) == 0 {
+		return "", errors.New("select prompt requires at least one choice")
+	}
+
+	value := choices[0].Value
+	options := make([]huh.Option[string], len(choices))
+	for i, choice := range choices {
+		options[i] = huh.NewOption(choice.Title, choice.Value)
+	}
+
+	err := w.run(
+		huh.NewSelect[string]().
+			Title(title).
+			Options(options...).
+			Value(&value).
+			Height(len(options) + 1),
+	)
+	if err != nil {
+		return "", err
+	}
+	return value, nil
+}
+
+func (w Wizard) Input(title string, placeholder string, secret bool) (string, error) {
+	if !w.Available() {
+		return "", errors.New("interactive prompt is not available")
+	}
+
+	value := ""
+	input := huh.NewInput().
+		Title(title).
+		Value(&value)
+	if placeholder != "" {
+		input.Placeholder(placeholder)
+	}
+	if secret {
+		input.EchoMode(huh.EchoModePassword)
+	}
+
+	if err := w.run(input); err != nil {
+		return "", err
+	}
+	return value, nil
+}
+
+func (w Wizard) Confirm(title string, affirmative string, negative string) (bool, error) {
+	if !w.Available() {
+		return false, errors.New("interactive prompt is not available")
+	}
+
+	value := true
+	confirm := huh.NewConfirm().
+		Title(title).
+		Value(&value)
+	if affirmative != "" {
+		confirm.Affirmative(affirmative)
+	}
+	if negative != "" {
+		confirm.Negative(negative)
+	}
+	if err := w.run(confirm); err != nil {
+		return false, err
+	}
+	return value, nil
+}
+
+func (w Wizard) run(field huh.Field) error {
+	form := huh.NewForm(huh.NewGroup(field)).
+		WithInput(w.in).
+		WithOutput(w.out).
+		WithTheme(w.theme()).
+		WithShowHelp(false)
+	if err := form.Run(); err != nil {
+		if errors.Is(err, huh.ErrUserAborted) {
+			return ErrCancelled
+		}
+		return err
+	}
+	return nil
+}
+
+func (w Wizard) theme() *huh.Theme {
+	if !w.color {
+		return huh.ThemeBase()
+	}
+
+	theme := huh.ThemeBase()
+	text := v4render.FormancePalette.Text
+	muted := v4render.FormancePalette.Muted
+	accent := v4render.FormancePalette.Mint
+	warning := v4render.FormancePalette.Gold
+	errorColor := v4render.FormancePalette.Error
+
+	theme.Focused.Base = theme.Focused.Base.
+		BorderForeground(accent).
+		PaddingLeft(1)
+	theme.Focused.Card = theme.Focused.Base
+	theme.Focused.Title = theme.Focused.Title.
+		Foreground(accent).
+		Bold(true)
+	theme.Focused.NoteTitle = theme.Focused.NoteTitle.
+		Foreground(accent).
+		Bold(true)
+	theme.Focused.Description = theme.Focused.Description.Foreground(muted)
+	theme.Focused.ErrorIndicator = theme.Focused.ErrorIndicator.Foreground(errorColor)
+	theme.Focused.ErrorMessage = theme.Focused.ErrorMessage.Foreground(errorColor)
+	theme.Focused.SelectSelector = lipgloss.NewStyle().
+		Foreground(accent).
+		Bold(true).
+		SetString("› ")
+	theme.Focused.Option = theme.Focused.Option.Foreground(text)
+	theme.Focused.NextIndicator = theme.Focused.NextIndicator.Foreground(warning)
+	theme.Focused.PrevIndicator = theme.Focused.PrevIndicator.Foreground(warning)
+	theme.Focused.MultiSelectSelector = theme.Focused.MultiSelectSelector.Foreground(accent)
+	theme.Focused.SelectedOption = theme.Focused.SelectedOption.Foreground(accent).Bold(true)
+	theme.Focused.SelectedPrefix = lipgloss.NewStyle().
+		Foreground(accent).
+		Bold(true).
+		SetString("✓ ")
+	theme.Focused.UnselectedOption = theme.Focused.UnselectedOption.Foreground(text)
+	theme.Focused.UnselectedPrefix = lipgloss.NewStyle().
+		Foreground(muted).
+		SetString("• ")
+	theme.Focused.TextInput.Cursor = theme.Focused.TextInput.Cursor.Foreground(accent)
+	theme.Focused.TextInput.CursorText = theme.Focused.TextInput.CursorText.Foreground(text)
+	theme.Focused.TextInput.Placeholder = theme.Focused.TextInput.Placeholder.Foreground(muted)
+	theme.Focused.TextInput.Prompt = lipgloss.NewStyle().
+		Foreground(accent).
+		Bold(true).
+		SetString("› ")
+	theme.Focused.FocusedButton = theme.Focused.FocusedButton.
+		Foreground(lipgloss.Color("#081A16")).
+		Background(accent).
+		Bold(true)
+	theme.Focused.BlurredButton = theme.Focused.BlurredButton.
+		Foreground(text).
+		Background(v4render.FormancePalette.Slate)
+	theme.Focused.Next = theme.Focused.FocusedButton
+
+	theme.Blurred = theme.Focused
+	theme.Blurred.Base = theme.Blurred.Base.BorderStyle(lipgloss.HiddenBorder())
+	theme.Blurred.Card = theme.Blurred.Base
+	theme.Blurred.Title = theme.Blurred.Title.Foreground(muted).Bold(false)
+	theme.Blurred.TextInput.Prompt = theme.Blurred.TextInput.Prompt.Foreground(muted).Bold(false)
+	theme.Blurred.SelectSelector = lipgloss.NewStyle().SetString("  ")
+	theme.Blurred.NextIndicator = lipgloss.NewStyle()
+	theme.Blurred.PrevIndicator = lipgloss.NewStyle()
+
+	theme.Group.Title = theme.Focused.Title
+	theme.Group.Description = theme.Focused.Description
+	return theme
+}
+
+func isTerminal(value any) bool {
+	file, ok := value.(*os.File)
+	return ok && isatty.IsTerminal(file.Fd())
+}
diff --git a/v4/internal/render/doc.go b/v4/internal/render/doc.go
new file mode 100644
index 00000000..6477efe1
--- /dev/null
+++ b/v4/internal/render/doc.go
@@ -0,0 +1,3 @@
+// Package render converts typed command results into human and machine-readable
+// output formats.
+package render
diff --git a/v4/internal/render/json.go b/v4/internal/render/json.go
new file mode 100644
index 00000000..1e9dcc8d
--- /dev/null
+++ b/v4/internal/render/json.go
@@ -0,0 +1,12 @@
+package render
+
+import (
+	"encoding/json"
+	"io"
+)
+
+func JSON(w io.Writer, value any) error {
+	encoder := json.NewEncoder(w)
+	encoder.SetIndent("", "  ")
+	return encoder.Encode(value)
+}
diff --git a/v4/internal/render/table.go b/v4/internal/render/table.go
new file mode 100644
index 00000000..1ce523db
--- /dev/null
+++ b/v4/internal/render/table.go
@@ -0,0 +1,50 @@
+package render
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/charmbracelet/lipgloss"
+	"github.com/charmbracelet/lipgloss/table"
+)
+
+func Table(writer io.Writer, headers []string, rows [][]string) error {
+	rendered := table.New().
+		Border(lipgloss.NormalBorder()).
+		BorderTop(false).
+		BorderBottom(false).
+		BorderLeft(false).
+		BorderRight(false).
+		BorderHeader(false).
+		Headers(headers...).
+		Rows(rows...).
+		StyleFunc(func(row, _ int) lipgloss.Style {
+			if row == table.HeaderRow {
+				return Styles.TableHeader
+			}
+			return Styles.TableCell
+		}).
+		String()
+	_, err := fmt.Fprintln(writer, rendered)
+	return err
+}
+
+func KeyValues(writer io.Writer, rows [][]string) error {
+	width := 0
+	for _, row := range rows {
+		if len(row) > 0 && len(row[0]) > width {
+			width = len(row[0])
+		}
+	}
+	for _, row := range rows {
+		if len(row) < 2 {
+			continue
+		}
+		key := row[0] + strings.Repeat(" ", width-len(row[0]))
+		if _, err := fmt.Fprintf(writer, "%s │ %s\n", Styles.TableHeader.Render(key), row[1]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/v4/internal/render/theme.go b/v4/internal/render/theme.go
new file mode 100644
index 00000000..f0ebac8a
--- /dev/null
+++ b/v4/internal/render/theme.go
@@ -0,0 +1,49 @@
+package render
+
+import "github.com/charmbracelet/lipgloss"
+
+type Palette struct {
+	Emerald lipgloss.Color
+	Slate   lipgloss.Color
+	Gold    lipgloss.Color
+	Lilac   lipgloss.Color
+	Cobalt  lipgloss.Color
+	Mint    lipgloss.Color
+
+	Text    lipgloss.Color
+	Muted   lipgloss.Color
+	Success lipgloss.Color
+	Warning lipgloss.Color
+	Error   lipgloss.Color
+}
+
+var FormancePalette = Palette{
+	Emerald: lipgloss.Color("#007A5E"),
+	Slate:   lipgloss.Color("#416266"),
+	Gold:    lipgloss.Color("#D6A84F"),
+	Lilac:   lipgloss.Color("#B9A7FF"),
+	Cobalt:  lipgloss.Color("#3366FF"),
+	Mint:    lipgloss.Color("#7FE7C4"),
+
+	Text:    lipgloss.Color("#EAF2EF"),
+	Muted:   lipgloss.Color("#7A8A8D"),
+	Success: lipgloss.Color("#7FE7C4"),
+	Warning: lipgloss.Color("#D6A84F"),
+	Error:   lipgloss.Color("#FF6B6B"),
+}
+
+var Styles = struct {
+	TableHeader lipgloss.Style
+	TableCell   lipgloss.Style
+	Muted       lipgloss.Style
+	Success     lipgloss.Style
+	Warning     lipgloss.Style
+	Error       lipgloss.Style
+}{
+	TableHeader: lipgloss.NewStyle().Foreground(FormancePalette.Mint).PaddingRight(1),
+	TableCell:   lipgloss.NewStyle().PaddingRight(1),
+	Muted:       lipgloss.NewStyle().Foreground(FormancePalette.Muted),
+	Success:     lipgloss.NewStyle().Foreground(FormancePalette.Success),
+	Warning:     lipgloss.NewStyle().Foreground(FormancePalette.Warning),
+	Error:       lipgloss.NewStyle().Foreground(FormancePalette.Error),
+}
diff --git a/v4/internal/render/yaml.go b/v4/internal/render/yaml.go
new file mode 100644
index 00000000..705acf18
--- /dev/null
+++ b/v4/internal/render/yaml.go
@@ -0,0 +1,14 @@
+package render
+
+import (
+	"io"
+
+	"gopkg.in/yaml.v3"
+)
+
+func YAML(w io.Writer, value any) error {
+	encoder := yaml.NewEncoder(w)
+	encoder.SetIndent(2)
+	defer encoder.Close()
+	return encoder.Encode(value)
+}
diff --git a/v4/internal/runtime/runtime.go b/v4/internal/runtime/runtime.go
new file mode 100644
index 00000000..c51ba57a
--- /dev/null
+++ b/v4/internal/runtime/runtime.go
@@ -0,0 +1,214 @@
+// Package runtime resolves contexts, targets, authentication, component
+// versions, and API version policy for v4 commands.
+package runtime
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/formancehq/fctl/v4/internal/auth"
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+type TargetKind string
+
+const (
+	TargetKindStack      TargetKind = "stack"
+	TargetKindCloud      TargetKind = "cloud"
+	TargetKindCloudStack TargetKind = "cloud-stack"
+)
+
+type Options struct {
+	ConfigPath      string
+	ContextOverride config.ContextOverride
+	Credentials     credentials.Store
+	Auth            auth.Options
+	VersionsClient  VersionsClient
+	Manifest        capabilities.Manifest
+	Compatibility   capabilities.ComponentCompatibility
+}
+
+type Runtime struct {
+	Config      config.Config
+	ContextName string
+	Context     config.Context
+	Target      Target
+
+	Credentials    credentials.Store
+	AuthOptions    auth.Options
+	VersionsClient VersionsClient
+	Manifest       capabilities.Manifest
+	Compatibility  capabilities.ComponentCompatibility
+}
+
+type Target struct {
+	Kind         TargetKind
+	URL          string
+	Organization string
+	Stack        string
+}
+
+func New(ctx context.Context, options Options) (*Runtime, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	if options.ConfigPath == "" {
+		return nil, errors.New("config path is required")
+	}
+
+	cfg, err := config.LoadFile(options.ConfigPath)
+	if err != nil {
+		return nil, err
+	}
+
+	contextName, selectedContext, err := config.ResolveCurrentContext(cfg, options.ContextOverride)
+	if err != nil {
+		return nil, err
+	}
+	selectedContext, err = applyTargetOverrides(selectedContext, options.ContextOverride)
+	if err != nil {
+		return nil, err
+	}
+
+	target, err := TargetFromContext(selectedContext)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Runtime{
+		Config:         cfg,
+		ContextName:    contextName,
+		Context:        selectedContext,
+		Target:         target,
+		Credentials:    options.Credentials,
+		AuthOptions:    options.Auth,
+		VersionsClient: options.VersionsClient,
+		Manifest:       options.Manifest,
+		Compatibility:  options.Compatibility,
+	}, nil
+}
+
+func applyTargetOverrides(selectedContext config.Context, override config.ContextOverride) (config.Context, error) {
+	if override.Organization == "" && override.Stack == "" {
+		return selectedContext, nil
+	}
+	if selectedContext.Kind == config.ContextKindStack {
+		return config.Context{}, fmt.Errorf("--organization and --stack can only be used with Cloud or EE profiles")
+	}
+	if override.Organization != "" {
+		selectedContext.Organization = override.Organization
+	}
+	if override.Stack != "" {
+		selectedContext.Stack = override.Stack
+		if selectedContext.Kind == config.ContextKindCloud {
+			selectedContext.Kind = config.ContextKindCloudStack
+		}
+	}
+	return selectedContext, nil
+}
+
+func TargetFromContext(context config.Context) (Target, error) {
+	switch context.Kind {
+	case config.ContextKindStack:
+		return Target{
+			Kind: TargetKindStack,
+			URL:  context.StackURL,
+		}, nil
+	case config.ContextKindCloud:
+		return Target{
+			Kind:         TargetKindCloud,
+			URL:          context.CloudURL,
+			Organization: context.Organization,
+			Stack:        context.Stack,
+		}, nil
+	case config.ContextKindCloudStack:
+		if context.Organization == "" {
+			return Target{}, fmt.Errorf("organization is required for cloud-stack targets")
+		}
+		if context.Stack == "" {
+			return Target{}, fmt.Errorf("stack is required for cloud-stack targets")
+		}
+		return Target{
+			Kind:         TargetKindCloudStack,
+			URL:          context.CloudURL,
+			Organization: context.Organization,
+			Stack:        context.Stack,
+		}, nil
+	default:
+		return Target{}, fmt.Errorf("unsupported context kind %q", context.Kind)
+	}
+}
+
+func (r *Runtime) APIPolicyFor(product capabilities.Product) config.APIPolicy {
+	if r == nil {
+		return config.APIPolicyLatestCompatible
+	}
+	if policy := r.Context.API[string(product)]; policy != "" {
+		return config.APIPolicy(policy)
+	}
+	return config.APIPolicyLatestCompatible
+}
+
+func (r *Runtime) HTTPClient(ctx context.Context) (*http.Client, error) {
+	if r == nil {
+		return nil, errors.New("runtime is nil")
+	}
+	return auth.NewHTTPClient(ctx, r.authForTarget(), r.Credentials, r.AuthOptions)
+}
+
+func (r *Runtime) authForTarget() config.Auth {
+	authConfig := r.Context.Auth
+	if authConfig.Method == config.AuthMethodCloudDevice {
+		authConfig.Scopes = nil
+	}
+	if authConfig.Method == config.AuthMethodClientCredentials && len(authConfig.Scopes) == 0 {
+		switch r.Target.Kind {
+		case TargetKindCloud, TargetKindCloudStack:
+			authConfig.Scopes = append([]string(nil), auth.OrganizationScopes...)
+		}
+	}
+	return authConfig
+}
+
+func (r *Runtime) ComponentVersions(ctx context.Context) ([]capabilities.ComponentVersion, error) {
+	client := r.VersionsClient
+	if client == nil {
+		httpClient, err := r.HTTPClient(ctx)
+		if err != nil {
+			return nil, err
+		}
+		client = HTTPVersionsClient{
+			BaseURL:    r.Target.URL,
+			HTTPClient: httpClient,
+		}
+	}
+	return client.GetVersions(ctx)
+}
+
+func (r *Runtime) ResolveAPIVersion(ctx context.Context, request capabilities.VersionResolutionRequest) (capabilities.APIVersion, error) {
+	if request.Compatibility == nil {
+		request.Compatibility = r.Compatibility
+	}
+	if request.Compatibility == nil {
+		request.Compatibility = capabilities.DefaultComponentCompatibility
+	}
+	if request.Policy == "" {
+		request.Policy = capabilities.VersionPolicy(r.APIPolicyFor(request.Product))
+	}
+	if request.ComponentVersion == "" {
+		versions, err := r.ComponentVersions(ctx)
+		if err != nil {
+			return "", err
+		}
+		componentVersion, ok := componentVersionFor(versions, request.Product)
+		if !ok {
+			return "", fmt.Errorf("component version for %s not found", request.Product)
+		}
+		request.ComponentVersion = componentVersion.Version
+	}
+	return capabilities.ResolveAPIVersion(request)
+}
diff --git a/v4/internal/runtime/runtime_test.go b/v4/internal/runtime/runtime_test.go
new file mode 100644
index 00000000..1c278a09
--- /dev/null
+++ b/v4/internal/runtime/runtime_test.go
@@ -0,0 +1,284 @@
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"testing"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+	"github.com/formancehq/fctl/v4/internal/config"
+	"github.com/formancehq/fctl/v4/internal/credentials"
+)
+
+func TestNewResolvesCurrentStackContext(t *testing.T) {
+	configPath := writeRuntimeConfig(t, config.Config{
+		Version:        config.Version,
+		CurrentContext: "local",
+		Contexts: map[string]config.Context{
+			"local": {
+				Kind:     config.ContextKindStack,
+				StackURL: "http://localhost/api",
+				Auth:     config.Auth{Method: config.AuthMethodNone},
+				API:      map[string]string{"ledger": string(config.APIPolicyPinned)},
+			},
+		},
+	})
+
+	rt, err := New(context.Background(), Options{
+		ConfigPath:      configPath,
+		Credentials:     credentials.NewMemoryStore(),
+		Manifest:        capabilities.Manifest{SpecVersion: "test"},
+		Compatibility:   capabilities.ComponentCompatibility{},
+		ContextOverride: config.ContextOverride{},
+	})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+
+	if rt.ContextName != "local" {
+		t.Fatalf("expected local context, got %q", rt.ContextName)
+	}
+	if rt.Target.Kind != TargetKindStack || rt.Target.URL != "http://localhost/api" {
+		t.Fatalf("unexpected target: %#v", rt.Target)
+	}
+	if policy := rt.APIPolicyFor("ledger"); policy != config.APIPolicyPinned {
+		t.Fatalf("expected pinned policy, got %q", policy)
+	}
+	if policy := rt.APIPolicyFor("payments"); policy != config.APIPolicyLatestCompatible {
+		t.Fatalf("expected default latest-compatible policy, got %q", policy)
+	}
+}
+
+func TestNewUsesContextOverride(t *testing.T) {
+	configPath := writeRuntimeConfig(t, config.Config{
+		Version:        config.Version,
+		CurrentContext: "local",
+		Contexts: map[string]config.Context{
+			"local": {
+				Kind:     config.ContextKindStack,
+				StackURL: "http://localhost/api",
+				Auth:     config.Auth{Method: config.AuthMethodNone},
+			},
+			"cloud": {
+				Kind:     config.ContextKindCloud,
+				CloudURL: "https://app.formance.cloud/api",
+				Auth:     config.Auth{Method: config.AuthMethodCloudDevice},
+			},
+		},
+	})
+
+	rt, err := New(context.Background(), Options{
+		ConfigPath:      configPath,
+		ContextOverride: config.ContextOverride{Name: "cloud"},
+	})
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if rt.ContextName != "cloud" {
+		t.Fatalf("expected cloud context, got %q", rt.ContextName)
+	}
+	if rt.Target.Kind != TargetKindCloud || rt.Target.URL != "https://app.formance.cloud/api" {
+		t.Fatalf("unexpected target: %#v", rt.Target)
+	}
+}
+
+func TestNewRequiresConfigPath(t *testing.T) {
+	_, err := New(context.Background(), Options{})
+	if err == nil {
+		t.Fatal("expected config path error")
+	}
+}
+
+func TestHTTPClientUsesContextAuth(t *testing.T) {
+	ctx := context.Background()
+	store := credentials.NewMemoryStore()
+	if err := store.Set(ctx, "token-ref", "runtime-token"); err != nil {
+		t.Fatalf("set token: %v", err)
+	}
+
+	configPath := writeRuntimeConfig(t, config.Config{
+		Version:        config.Version,
+		CurrentContext: "local",
+		Contexts: map[string]config.Context{
+			"local": {
+				Kind:     config.ContextKindStack,
+				StackURL: "http://localhost/api",
+				Auth: config.Auth{
+					Method:   config.AuthMethodToken,
+					TokenRef: "token-ref",
+				},
+			},
+		},
+	})
+
+	rt, err := New(ctx, Options{ConfigPath: configPath, Credentials: store})
+	if err != nil {
+		t.Fatalf("new runtime: %v", err)
+	}
+	client, err := rt.HTTPClient(ctx)
+	if err != nil {
+		t.Fatalf("runtime http client: %v", err)
+	}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "Bearer runtime-token" {
+			t.Fatalf("unexpected authorization header %q", got)
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	rsp, err := client.Get(server.URL)
+	if err != nil {
+		t.Fatalf("request: %v", err)
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode != http.StatusNoContent {
+		t.Fatalf("expected 204, got %d", rsp.StatusCode)
+	}
+}
+
+func TestCloudClientCredentialsDefaultOrganizationScopes(t *testing.T) {
+	rt := &Runtime{
+		Context: config.Context{
+			Kind: config.ContextKindCloud,
+			Auth: config.Auth{
+				Method:    config.AuthMethodClientCredentials,
+				IssuerURL: "https://app.formance.cloud/api",
+				ClientID:  "client",
+				SecretRef: "secret-ref",
+			},
+		},
+		Target: Target{Kind: TargetKindCloud},
+	}
+
+	authConfig := rt.authForTarget()
+	if !containsString(authConfig.Scopes, "organization:ListStacks") {
+		t.Fatalf("expected default organization scopes, got %#v", authConfig.Scopes)
+	}
+}
+
+func TestCloudDeviceClearsStoredOrganizationScopesForMembershipClient(t *testing.T) {
+	rt := &Runtime{
+		Context: config.Context{
+			Kind: config.ContextKindCloud,
+			Auth: config.Auth{
+				Method: config.AuthMethodCloudDevice,
+				Scopes: []string{
+					"organization:ListStacks",
+				},
+			},
+		},
+		Target: Target{Kind: TargetKindCloud},
+	}
+
+	authConfig := rt.authForTarget()
+	if len(authConfig.Scopes) != 0 {
+		t.Fatalf("expected root cloud_device auth to clear organization scopes, got %#v", authConfig.Scopes)
+	}
+}
+
+func TestStackClientCredentialsDoNotDefaultOrganizationScopes(t *testing.T) {
+	rt := &Runtime{
+		Context: config.Context{
+			Kind: config.ContextKindStack,
+			Auth: config.Auth{
+				Method:    config.AuthMethodClientCredentials,
+				IssuerURL: "https://auth.example",
+				ClientID:  "client",
+				SecretRef: "secret-ref",
+			},
+		},
+		Target: Target{Kind: TargetKindStack},
+	}
+
+	authConfig := rt.authForTarget()
+	if len(authConfig.Scopes) != 0 {
+		t.Fatalf("expected no default scopes for stack targets, got %#v", authConfig.Scopes)
+	}
+}
+
+func TestHTTPVersionsClientParsesVersions(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/versions" {
+			t.Fatalf("unexpected path %s", r.URL.Path)
+		}
+		fmt.Fprint(w, `{"versions":[{"name":"ledger","version":"2.3.4","health":true}]}`)
+	}))
+	defer server.Close()
+
+	versions, err := HTTPVersionsClient{BaseURL: server.URL + "/api"}.GetVersions(context.Background())
+	if err != nil {
+		t.Fatalf("get versions: %v", err)
+	}
+	if len(versions) != 1 || versions[0].Product != "ledger" || versions[0].Version != "2.3.4" || !versions[0].Health {
+		t.Fatalf("unexpected versions: %#v", versions)
+	}
+}
+
+func TestResolveAPIVersionFetchesComponentVersion(t *testing.T) {
+	configPath := writeRuntimeConfig(t, config.Config{
+		Version:        config.Version,
+		CurrentContext: "local",
+		Contexts: map[string]config.Context{
+			"local": {
+				Kind:     config.ContextKindStack,
+				StackURL: "http://localhost/api",
+				Auth:     config.Auth{Method: config.AuthMethodNone},
+			},
+		},
+	})
+	rt, err := New(context.Background(), Options{
+		ConfigPath: configPath,
+		VersionsClient: staticVersionsClient{versions: []capabilities.ComponentVersion{
+			{Product: "ledger", Version: "2.3.4", Health: true},
+		}},
+		Compatibility: capabilities.ComponentCompatibility{
+			{Product: "ledger", Range: ">=2.0.0 <3.0.0", APIVersions: []capabilities.APIVersion{"v1", "v2"}},
+		},
+	})
+	if err != nil {
+		t.Fatalf("new runtime: %v", err)
+	}
+
+	selected, err := rt.ResolveAPIVersion(context.Background(), capabilities.VersionResolutionRequest{
+		Product:         "ledger",
+		Feature:         "listTransactions",
+		HandlerVersions: []capabilities.APIVersion{"v1", "v2", "v3"},
+	})
+	if err != nil {
+		t.Fatalf("resolve api version: %v", err)
+	}
+	if selected != "v2" {
+		t.Fatalf("expected v2, got %q", selected)
+	}
+}
+
+type staticVersionsClient struct {
+	versions []capabilities.ComponentVersion
+}
+
+func (c staticVersionsClient) GetVersions(context.Context) ([]capabilities.ComponentVersion, error) {
+	return c.versions, nil
+}
+
+func containsString(values []string, expected string) bool {
+	for _, value := range values {
+		if value == expected {
+			return true
+		}
+	}
+	return false
+}
+
+func writeRuntimeConfig(t *testing.T, cfg config.Config) string {
+	t.Helper()
+	path := filepath.Join(t.TempDir(), "config.yaml")
+	if err := config.SaveFile(path, cfg); err != nil {
+		t.Fatalf("save runtime config: %v", err)
+	}
+	return path
+}
diff --git a/v4/internal/runtime/versions.go b/v4/internal/runtime/versions.go
new file mode 100644
index 00000000..72907295
--- /dev/null
+++ b/v4/internal/runtime/versions.go
@@ -0,0 +1,75 @@
+package runtime
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/formancehq/fctl/v4/internal/capabilities"
+)
+
+type VersionsClient interface {
+	GetVersions(ctx context.Context) ([]capabilities.ComponentVersion, error)
+}
+
+type HTTPVersionsClient struct {
+	BaseURL    string
+	HTTPClient *http.Client
+}
+
+func (c HTTPVersionsClient) GetVersions(ctx context.Context) ([]capabilities.ComponentVersion, error) {
+	httpClient := c.HTTPClient
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+	endpoint, err := url.JoinPath(c.BaseURL, "versions")
+	if err != nil {
+		return nil, fmt.Errorf("build versions url: %w", err)
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+	rsp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer rsp.Body.Close()
+	if rsp.StatusCode < 200 || rsp.StatusCode >= 300 {
+		return nil, fmt.Errorf("get versions failed: status %d", rsp.StatusCode)
+	}
+
+	var response versionsResponse
+	if err := json.NewDecoder(rsp.Body).Decode(&response); err != nil {
+		return nil, fmt.Errorf("decode versions response: %w", err)
+	}
+
+	versions := make([]capabilities.ComponentVersion, 0, len(response.Versions))
+	for _, version := range response.Versions {
+		versions = append(versions, capabilities.ComponentVersion{
+			Product: capabilities.Product(version.Name),
+			Version: version.Version,
+			Health:  version.Health,
+		})
+	}
+	return versions, nil
+}
+
+type versionsResponse struct {
+	Versions []struct {
+		Name    string `json:"name"`
+		Version string `json:"version"`
+		Health  bool   `json:"health"`
+	} `json:"versions"`
+}
+
+func componentVersionFor(versions []capabilities.ComponentVersion, product capabilities.Product) (capabilities.ComponentVersion, bool) {
+	for _, version := range versions {
+		if version.Product == product {
+			return version, true
+		}
+	}
+	return capabilities.ComponentVersion{}, false
+}
diff --git a/v4/main.go b/v4/main.go
new file mode 100644
index 00000000..5098d0b2
--- /dev/null
+++ b/v4/main.go
@@ -0,0 +1,9 @@
+package main
+
+import "github.com/formancehq/fctl/v4/cmd"
+
+var version = "dev"
+
+func main() {
+	cmd.Execute(version)
+}
diff --git a/v4/testdata/v3-command-inventory.json b/v4/testdata/v3-command-inventory.json
new file mode 100644
index 00000000..d2109665
--- /dev/null
+++ b/v4/testdata/v3-command-inventory.json
@@ -0,0 +1,23980 @@
+{
+  "schemaVersion": 1,
+  "sourceModule": "github.com/formancehq/fctl/v3",
+  "rootUse": "fctl",
+  "commandCount": 279,
+  "commands": [
+    {
+      "path": "fctl",
+      "pathParts": [
+        "fctl"
+      ],
+      "use": "fctl",
+      "short": "Formance Control CLI",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "local",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "persistent",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "local",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "persistent",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "local",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "persistent",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "local",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "persistent",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "local",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "persistent",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "local",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "telemetry",
+          "scope": "persistent",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth",
+      "pathParts": [
+        "fctl",
+        "auth"
+      ],
+      "use": "auth",
+      "short": "Manage the auth server",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients"
+      ],
+      "use": "clients",
+      "aliases": [
+        "c",
+        "client"
+      ],
+      "short": "Manage clients",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients create",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "create"
+      ],
+      "use": "create \u003cname\u003e",
+      "aliases": [
+        "c"
+      ],
+      "short": "Create a client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Client description",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "post-logout-redirect-uri",
+          "scope": "local",
+          "usage": "Post logout redirect uris",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "public",
+          "scope": "local",
+          "usage": "Mark the client as public",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "redirect-uri",
+          "scope": "local",
+          "usage": "Redirect URIS",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "scopes",
+          "scope": "local",
+          "usage": "Scopes",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "trusted",
+          "scope": "local",
+          "usage": "Mark the client as trusted",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients delete",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "delete"
+      ],
+      "use": "delete \u003cclient-id\u003e",
+      "aliases": [
+        "d",
+        "del"
+      ],
+      "short": "Delete a client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients list",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List clients",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients secrets",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "secrets"
+      ],
+      "use": "secrets",
+      "aliases": [
+        "sec"
+      ],
+      "short": "Manage secrets",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients secrets create",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "secrets",
+        "create"
+      ],
+      "use": "create \u003cclient-id\u003e \u003csecret-name\u003e",
+      "aliases": [
+        "c"
+      ],
+      "short": "Create a secret",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients secrets delete",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "secrets",
+        "delete"
+      ],
+      "use": "delete \u003cclient-id\u003e \u003csecret-id\u003e",
+      "aliases": [
+        "d"
+      ],
+      "short": "Delete a secret",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients show",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "show"
+      ],
+      "use": "show \u003cclient-id\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Show a client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients update",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "update"
+      ],
+      "use": "update \u003cclient-id\u003e",
+      "aliases": [
+        "u",
+        "upd"
+      ],
+      "short": "Update a client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Client description",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "post-logout-redirect-uri",
+          "scope": "local",
+          "usage": "Post logout redirect uris",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "public",
+          "scope": "local",
+          "usage": "Mark the client as public",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "redirect-uri",
+          "scope": "local",
+          "usage": "Redirect URIS",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "scopes",
+          "scope": "local",
+          "usage": "Scopes",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "trusted",
+          "scope": "local",
+          "usage": "Mark the client as trusted",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients users",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "users"
+      ],
+      "use": "users",
+      "aliases": [
+        "u",
+        "user"
+      ],
+      "short": "Manage users",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients users list",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "users",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List users",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth clients users show",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "clients",
+        "users",
+        "show"
+      ],
+      "use": "show \u003cuser-id\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Show a user",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth users",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "users"
+      ],
+      "use": "users",
+      "aliases": [
+        "u",
+        "user"
+      ],
+      "short": "Manage users",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth users list",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "users",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List users",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl auth users show",
+      "pathParts": [
+        "fctl",
+        "auth",
+        "users",
+        "show"
+      ],
+      "use": "show \u003cuser-id\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Show a user",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud",
+      "pathParts": [
+        "fctl",
+        "cloud"
+      ],
+      "use": "cloud",
+      "aliases": [
+        "c"
+      ],
+      "short": "Cloud management",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps"
+      ],
+      "use": "apps",
+      "aliases": [
+        "app"
+      ],
+      "short": "Manage app manifests",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "local",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "persistent",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "local",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "persistent",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps create",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "create"
+      ],
+      "use": "create",
+      "short": "Create an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "delete"
+      ],
+      "use": "delete",
+      "short": "Delete an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps deploy",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "deploy"
+      ],
+      "use": "deploy",
+      "short": "Deploy an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "path",
+          "scope": "local",
+          "usage": "Path to the manifest file",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "wait",
+          "scope": "local",
+          "usage": "Wait for the deployment to complete",
+          "default": "true",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "ls"
+      ],
+      "short": "List apps",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page",
+          "scope": "local",
+          "usage": "Page number",
+          "default": "1",
+          "type": "int"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "100",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps runs",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "runs"
+      ],
+      "use": "runs",
+      "short": "Manage app runs",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps runs list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "runs",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "ls"
+      ],
+      "short": "List runs for an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page",
+          "scope": "local",
+          "usage": "Page number",
+          "default": "1",
+          "type": "int"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "100",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps runs logs",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "runs",
+        "logs"
+      ],
+      "use": "logs",
+      "aliases": [
+        "ls"
+      ],
+      "short": "Read logs related to an app run",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Run ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps runs show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "runs",
+        "show"
+      ],
+      "use": "show",
+      "short": "Show a run",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Run ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "show"
+      ],
+      "use": "show",
+      "short": "Show an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps variables",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "variables"
+      ],
+      "use": "variables",
+      "aliases": [
+        "var",
+        "vars"
+      ],
+      "short": "Manage app variables",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps variables create",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "variables",
+        "create"
+      ],
+      "use": "create",
+      "short": "Create a new variable for an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "category",
+          "scope": "local",
+          "usage": "Variable category (env or terraform)",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Variable description",
+          "type": "string"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "key",
+          "scope": "local",
+          "usage": "Variable key",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "sensitive",
+          "scope": "local",
+          "usage": "Mark the variable as sensitive",
+          "default": "true",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "value",
+          "scope": "local",
+          "usage": "Variable value",
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps variables delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "variables",
+        "delete"
+      ],
+      "use": "delete",
+      "short": "Delete a variable",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "app-id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Variable ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps variables list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "variables",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "ls"
+      ],
+      "short": "List variables for an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page",
+          "scope": "local",
+          "usage": "Page number",
+          "default": "1",
+          "type": "int"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "100",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps versions",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "versions"
+      ],
+      "use": "versions",
+      "short": "Manage app versions",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps versions list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "versions",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "ls"
+      ],
+      "short": "List versions for an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page",
+          "scope": "local",
+          "usage": "Page number",
+          "default": "1",
+          "type": "int"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "100",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps versions show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "versions",
+        "show"
+      ],
+      "use": "show",
+      "short": "Show a version",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Version ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps versions show-archive",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "versions",
+        "show-archive"
+      ],
+      "use": "show-archive",
+      "short": "Archive versions for an app",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud apps versions show-manifest",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "apps",
+        "versions",
+        "show-manifest"
+      ],
+      "use": "show-manifest",
+      "short": "Show the manifest for an app version",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "experimental",
+          "scope": "inherited",
+          "usage": "Enable experimental commands",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "framework-uri",
+          "scope": "inherited",
+          "usage": "Framework URI",
+          "default": "https://deploy.formance.cloud",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "App ID",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud generate-personal-token",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "generate-personal-token"
+      ],
+      "use": "generate-personal-token",
+      "aliases": [
+        "gpt"
+      ],
+      "short": "Generate a personal bearer token",
+      "long": "Generate a personal bearer token",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud me",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "me"
+      ],
+      "use": "me",
+      "short": "Manage current user settings",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud me info",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "me",
+        "info"
+      ],
+      "use": "info",
+      "aliases": [
+        "i",
+        "in"
+      ],
+      "short": "Display user information",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud me invitations",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "me",
+        "invitations"
+      ],
+      "use": "invitations",
+      "aliases": [
+        "i",
+        "inv",
+        "invit"
+      ],
+      "short": "Manage invitations",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud me invitations accept",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "me",
+        "invitations",
+        "accept"
+      ],
+      "use": "accept \u003cinvitation-id\u003e",
+      "aliases": [
+        "a"
+      ],
+      "short": "Accept an invitation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud me invitations decline",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "me",
+        "invitations",
+        "decline"
+      ],
+      "use": "decline \u003cinvitation-id\u003e",
+      "aliases": [
+        "d",
+        "dec"
+      ],
+      "short": "Decline an invitation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud me invitations list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "me",
+        "invitations",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List invitations",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Filter invitations by organization",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "status",
+          "scope": "local",
+          "usage": "Filter invitations by status",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations"
+      ],
+      "use": "organizations",
+      "aliases": [
+        "o",
+        "org",
+        "organization"
+      ],
+      "short": "Manage organizations",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations applications",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "applications"
+      ],
+      "use": "applications",
+      "aliases": [
+        "app",
+        "apps"
+      ],
+      "short": "Manage applications",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations applications list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "applications",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List applications available for the organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page",
+          "scope": "local",
+          "usage": "Page number",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "15",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations applications show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "applications",
+        "show"
+      ],
+      "use": "show \u003capplication-id\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Show application details",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations authentication-provider",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "authentication-provider"
+      ],
+      "use": "authentication-provider",
+      "short": "Manage the authentication provider",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations authentication-provider configure",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "authentication-provider",
+        "configure"
+      ],
+      "use": "configure \u003ctype\u003e \u003cname\u003e \u003cclient-id\u003e \u003cclient-secret\u003e",
+      "short": "Configure the authorization provider for the organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "microsoft-tenant",
+          "scope": "local",
+          "usage": "Microsoft tenant ID (used when type is 'microsoft')",
+          "default": "tenant",
+          "type": "string"
+        },
+        {
+          "name": "oidc-issuer",
+          "scope": "local",
+          "usage": "OIDC issuer URL (used when type is 'oidc')",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations authentication-provider delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "authentication-provider",
+        "delete"
+      ],
+      "use": "delete",
+      "short": "Delete the authorization provider for the organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations authentication-provider show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "authentication-provider",
+        "show"
+      ],
+      "use": "show",
+      "short": "Show the authorization provider for the organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations create",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "create"
+      ],
+      "use": "create \u003cname\u003e --default-stack-role \"ADMIN\" --default-organization-role \"ADMIN\"",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create an organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "default-policy-id",
+          "scope": "local",
+          "usage": "Default policy ID",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "domain",
+          "scope": "local",
+          "usage": "Organization domain",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "delete"
+      ],
+      "use": "delete \u003corganization-id\u003e",
+      "aliases": [
+        "d",
+        "del"
+      ],
+      "short": "Delete an organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations describe",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "describe"
+      ],
+      "use": "describe \u003corganizationId\u003e",
+      "short": "Describe an organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "expand",
+          "scope": "local",
+          "usage": "Expand the organization",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations history",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "history"
+      ],
+      "use": "history [organization-id]",
+      "aliases": [
+        "hist"
+      ],
+      "short": "Query organization history",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "action",
+          "scope": "local",
+          "usage": "Filter by action",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "data",
+          "scope": "local",
+          "usage": "Filter by modified data (format: key=value, key is a JSONB text path)",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "display-data",
+          "scope": "local",
+          "usage": "Display data",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "10",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "user-id",
+          "scope": "local",
+          "usage": "Filter by user ID (use SYSTEM for system logs)",
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations invitations",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "invitations"
+      ],
+      "use": "invitations",
+      "aliases": [
+        "i",
+        "inv",
+        "invit",
+        "invitation"
+      ],
+      "short": "Manage invitations",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations invitations delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "invitations",
+        "delete"
+      ],
+      "use": "delete \u003cid\u003e",
+      "aliases": [
+        "del"
+      ],
+      "short": "Delete an invitation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations invitations list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "invitations",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "s"
+      ],
+      "short": "List invitations",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "status",
+          "scope": "local",
+          "usage": "Filter invitations by status",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations invitations send",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "invitations",
+        "send"
+      ],
+      "use": "send \u003cemail\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Invite a user by email",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List organizations",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "expand",
+          "scope": "local",
+          "usage": "Expand the organization",
+          "default": "true",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations oauth-clients",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "oauth-clients"
+      ],
+      "use": "oauth-clients",
+      "short": "Manage OAuth clients",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations oauth-clients create",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "oauth-clients",
+        "create"
+      ],
+      "use": "create",
+      "short": "Create an organization OAuth client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Description of the OAuth client usage",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Name of the OAuth client",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations oauth-clients delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "oauth-clients",
+        "delete"
+      ],
+      "use": "delete \u003cclient_id\u003e",
+      "short": "Delete an organization OAuth client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations oauth-clients list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "oauth-clients",
+        "list"
+      ],
+      "use": "list",
+      "short": "List organization OAuth clients",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Cursor for pagination",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Number of items per page",
+          "default": "15",
+          "type": "int32"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations oauth-clients show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "oauth-clients",
+        "show"
+      ],
+      "use": "show \u003cclient_id\u003e",
+      "short": "Show an organization OAuth client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations oauth-clients update",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "oauth-clients",
+        "update"
+      ],
+      "use": "update \u003cclientId\u003e",
+      "short": "Update an organization OAuth client",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Description of the OAuth client usage",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Name of the OAuth client",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies"
+      ],
+      "use": "policies",
+      "short": "Manage policies",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies add-scope",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "add-scope"
+      ],
+      "use": "add-scope \u003cpolicy-id\u003e \u003cscope-id\u003e",
+      "aliases": [
+        "a",
+        "add"
+      ],
+      "short": "Add a scope to a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies create",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "create"
+      ],
+      "use": "create \u003cname\u003e",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Policy description",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "delete"
+      ],
+      "use": "delete \u003cpolicy-id\u003e",
+      "aliases": [
+        "d",
+        "del"
+      ],
+      "short": "Delete a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List organization policies",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies remove-scope",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "remove-scope"
+      ],
+      "use": "remove-scope \u003cpolicy-id\u003e \u003cscope-id\u003e",
+      "aliases": [
+        "r",
+        "remove",
+        "rm"
+      ],
+      "short": "Remove a scope from a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "show"
+      ],
+      "use": "show \u003cpolicy-id\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Show policy details",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations policies update",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "policies",
+        "update"
+      ],
+      "use": "update \u003cpolicy-id\u003e",
+      "aliases": [
+        "u",
+        "up"
+      ],
+      "short": "Update a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Policy description",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Policy name",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations update",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "update"
+      ],
+      "use": "update \u003corganizationId\u003e --name \u003cname\u003e --default-policy-id \u003cdefaultPolicyID...\u003e",
+      "aliases": [
+        "update"
+      ],
+      "short": "Update an organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "default-policy-id",
+          "scope": "local",
+          "usage": "Default policy ID",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "domain",
+          "scope": "local",
+          "usage": "Organization domain",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Organization name",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations users",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "users"
+      ],
+      "use": "users",
+      "aliases": [
+        "u",
+        "user"
+      ],
+      "short": "Manage users",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations users link",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "users",
+        "link"
+      ],
+      "use": "link \u003cuser-id\u003e",
+      "short": "Link user to an organization with properties",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "policy-id",
+          "scope": "local",
+          "usage": "Policy ID",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations users list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "users",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List users",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations users show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "users",
+        "show"
+      ],
+      "use": "show \u003cuser-id\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Show a user by ID",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud organizations users unlink",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "organizations",
+        "users",
+        "unlink"
+      ],
+      "use": "unlink \u003cuser-id\u003e",
+      "aliases": [
+        "u",
+        "un"
+      ],
+      "short": "Unlink a user from the organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud regions",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "regions"
+      ],
+      "use": "regions",
+      "aliases": [
+        "reg",
+        "region"
+      ],
+      "short": "Manage regions",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud regions create",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "regions",
+        "create"
+      ],
+      "use": "create [name]",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Create a region",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud regions delete",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "regions",
+        "delete"
+      ],
+      "use": "delete \u003cregion-id\u003e",
+      "aliases": [
+        "d",
+        "del"
+      ],
+      "short": "Delete a private region",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud regions list",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "regions",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List regions",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl cloud regions show",
+      "pathParts": [
+        "fctl",
+        "cloud",
+        "regions",
+        "show"
+      ],
+      "use": "show \u003cregion-id\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Show region details",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger",
+      "pathParts": [
+        "fctl",
+        "ledger"
+      ],
+      "use": "ledger",
+      "aliases": [
+        "l"
+      ],
+      "short": "Manage ledgers",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "local",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "ledger",
+          "scope": "persistent",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger accounts",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "accounts"
+      ],
+      "use": "accounts",
+      "aliases": [
+        "a",
+        "ac",
+        "acc",
+        "account"
+      ],
+      "short": "Manage accounts",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger accounts delete-metadata",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "accounts",
+        "delete-metadata"
+      ],
+      "use": "delete-metadata \u003caddress\u003e \u003ckey\u003e",
+      "aliases": [
+        "del-meta",
+        "dm"
+      ],
+      "short": "Delete metadata from an account (requires ledger v2 or later)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger accounts list",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "accounts",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List accounts",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Filter accounts with metadata",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger accounts set-metadata",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "accounts",
+        "set-metadata"
+      ],
+      "use": "set-metadata \u003caddress\u003e [\u003ckey\u003e=\u003cvalue\u003e...]",
+      "aliases": [
+        "set-meta",
+        "sm"
+      ],
+      "short": "Set metadata on an account",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger accounts show",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "accounts",
+        "show"
+      ],
+      "use": "show \u003caddress\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Show an account",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger create",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "create"
+      ],
+      "use": "create \u003cname\u003e",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a new ledger (requires ledger v2 or later)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "bucket",
+          "scope": "local",
+          "usage": "Bucket in which to install the new ledger",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "features",
+          "scope": "local",
+          "usage": "Experimental! Features to enable on the newly created ledger (default: all)\nStarting from ledger v2.2",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to apply on the newly created ledger",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger delete-metadata",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "delete-metadata"
+      ],
+      "use": "delete-metadata \u003cledger-name\u003e \u003ckey\u003e",
+      "aliases": [
+        "del-meta",
+        "dm"
+      ],
+      "short": "Delete metadata from a ledger (requires ledger v2 or later)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger export",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "export"
+      ],
+      "use": "export",
+      "short": "Export a ledger",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "file",
+          "scope": "local",
+          "usage": "Export to file",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger import",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "import"
+      ],
+      "use": "import \u003cledger name\u003e \u003cfile path\u003e",
+      "short": "Import a ledger",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "file",
+          "scope": "local",
+          "usage": "Import from stdin or file",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "resume-from-last-log",
+          "scope": "local",
+          "usage": "Recover interrupted import",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger list",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List ledgers (requires ledger v2 or later)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger send",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "send"
+      ],
+      "use": "send [\u003csource\u003e] \u003cdestination\u003e \u003camount\u003e \u003casset\u003e",
+      "aliases": [
+        "s",
+        "se"
+      ],
+      "short": "Send from one account to another",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "reference",
+          "scope": "local",
+          "usage": "Reference to add to the generated transaction",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger server-infos",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "server-infos"
+      ],
+      "use": "server-infos",
+      "aliases": [
+        "si"
+      ],
+      "short": "Read server info",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger set-metadata",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "set-metadata"
+      ],
+      "use": "set-metadata \u003cledger-name\u003e [\u003ckey\u003e=\u003cvalue\u003e...]",
+      "aliases": [
+        "set-meta",
+        "sm"
+      ],
+      "short": "Set metadata on a ledger (requires ledger v2 or later)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger stats",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "stats"
+      ],
+      "use": "stats",
+      "aliases": [
+        "st"
+      ],
+      "short": "Read ledger stats",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions"
+      ],
+      "use": "transactions",
+      "aliases": [
+        "t",
+        "tx",
+        "txs"
+      ],
+      "short": "Manage transactions",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions delete-metadata",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions",
+        "delete-metadata"
+      ],
+      "use": "delete-metadata \u003ctransaction-id\u003e \u003ckey\u003e",
+      "aliases": [
+        "del-meta",
+        "dm"
+      ],
+      "short": "Delete metadata from a transaction (requires ledger v2 or later)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions list",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List transactions",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "account",
+          "scope": "local",
+          "usage": "Filter by account",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "dst",
+          "scope": "local",
+          "usage": "Filter by destination account",
+          "type": "string"
+        },
+        {
+          "name": "end",
+          "scope": "local",
+          "usage": "Include only transactions before this date",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Filter transactions with metadata",
+          "default": "[]",
+          "type": "stringSlice",
+          "hidden": true
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "5",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "reference",
+          "scope": "local",
+          "usage": "Filter by reference",
+          "type": "string"
+        },
+        {
+          "name": "src",
+          "scope": "local",
+          "usage": "Filter by source account",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "start",
+          "scope": "local",
+          "usage": "Include only transactions after this date",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions num",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions",
+        "num"
+      ],
+      "use": "num -|\u003cfilename\u003e",
+      "short": "Execute a Numscript program on a ledger",
+      "long": "More help on variables can be found here: https://docs.formance.com/oss/ledger/reference/numscript/variables",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "account-var",
+          "scope": "local",
+          "usage": "Pass a variable of type 'account'",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "amount-var",
+          "scope": "local",
+          "usage": "Pass a variable of type 'amount'",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "portion-var",
+          "scope": "local",
+          "usage": "Pass a variable of type 'portion'",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "reference",
+          "scope": "local",
+          "usage": "Reference to add to the generated transaction",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "timestamp",
+          "scope": "local",
+          "usage": "Timestamp to use (format RFC3339)",
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions revert",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions",
+        "revert"
+      ],
+      "use": "revert \u003ctransaction-id\u003e",
+      "short": "Revert a transaction",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "at-effective-date",
+          "scope": "local",
+          "usage": "Use the original transaction's timestamp",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "force",
+          "scope": "local",
+          "usage": "Force the revert even if the account does not have enough funds",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions set-metadata",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions",
+        "set-metadata"
+      ],
+      "use": "set-metadata \u003ctransaction-id\u003e [\u003ckey\u003e=\u003cvalue\u003e...]",
+      "aliases": [
+        "set-meta",
+        "sm"
+      ],
+      "short": "Set metadata on a transaction",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger transactions show",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "transactions",
+        "show"
+      ],
+      "use": "show \u003ctransaction-id\u003e",
+      "aliases": [
+        "sh"
+      ],
+      "short": "Show a transaction",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger volumes",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "volumes"
+      ],
+      "use": "volumes",
+      "aliases": [
+        "vlm",
+        "vol",
+        "vols",
+        "volume"
+      ],
+      "short": "Get volumes and balances for accounts",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ledger volumes list",
+      "pathParts": [
+        "fctl",
+        "ledger",
+        "volumes",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List volumes and balances for a time period (OOT–PIT)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "address",
+          "scope": "local",
+          "usage": "Filter accounts by address",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "end-time",
+          "scope": "local",
+          "usage": "PIT (Point in Time)",
+          "type": "string"
+        },
+        {
+          "name": "group-by",
+          "scope": "local",
+          "usage": "Group by address segment level",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insertion-date",
+          "scope": "local",
+          "usage": "Use insertion date",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ledger",
+          "scope": "inherited",
+          "usage": "Specific ledger",
+          "default": "default",
+          "type": "string"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Filter accounts with metadata",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "10",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "start-time",
+          "scope": "local",
+          "usage": "OOT (Origin of Time)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl login",
+      "pathParts": [
+        "fctl",
+        "login"
+      ],
+      "use": "login",
+      "short": "Login",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "membership-uri",
+          "scope": "local",
+          "usage": "service url",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration",
+      "pathParts": [
+        "fctl",
+        "orchestration"
+      ],
+      "use": "orchestration",
+      "aliases": [
+        "or",
+        "orch"
+      ],
+      "short": "Orchestration",
+      "hidden": true,
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration instances",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "instances"
+      ],
+      "use": "instances",
+      "aliases": [
+        "i",
+        "ins"
+      ],
+      "short": "Manage instances",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration instances describe",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "instances",
+        "describe"
+      ],
+      "use": "describe \u003cinstance-id\u003e",
+      "short": "Describe a specific workflow instance",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration instances list",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "instances",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all workflow instances",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "running",
+          "scope": "local",
+          "usage": "Show only running instances",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "workflow",
+          "scope": "local",
+          "usage": "Filter by workflow ID",
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration instances send-event",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "instances",
+        "send-event"
+      ],
+      "use": "send-event \u003cinstance-id\u003e \u003cevent\u003e",
+      "short": "Send an event to an instance",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration instances show",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "instances",
+        "show"
+      ],
+      "use": "show \u003cinstance-id\u003e",
+      "short": "Show a specific workflow instance",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration instances stop",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "instances",
+        "stop"
+      ],
+      "use": "stop \u003cinstance-id\u003e",
+      "short": "Stop a specific workflow instance",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers"
+      ],
+      "use": "triggers",
+      "aliases": [
+        "t",
+        "trig"
+      ],
+      "short": "Manage triggers",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers create",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "create"
+      ],
+      "use": "create \u003cevent\u003e \u003cworkflow-id\u003e",
+      "short": "Create a trigger",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "filter",
+          "scope": "local",
+          "usage": "Filter events",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Trigger name",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "vars",
+          "scope": "local",
+          "usage": "Variables to pass to the workflow",
+          "default": "[]",
+          "type": "stringSlice"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers delete",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "delete"
+      ],
+      "use": "delete \u003ctrigger-id\u003e",
+      "short": "Delete a specific workflow trigger",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers list",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all workflow triggers",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "",
+          "scope": "local",
+          "usage": "Search by name",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers occurrences",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "occurrences"
+      ],
+      "use": "occurrences",
+      "aliases": [
+        "o",
+        "oc"
+      ],
+      "short": "Manage trigger occurrences",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers occurrences list",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "occurrences",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all workflow occurrences",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers show",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "show"
+      ],
+      "use": "show \u003ctrigger-id\u003e",
+      "short": "Show a specific workflow trigger",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration triggers test",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "triggers",
+        "test"
+      ],
+      "use": "test \u003ctrigger-id\u003e \u003cevent\u003e",
+      "short": "Test a specific workflow trigger",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration workflows",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "workflows"
+      ],
+      "use": "workflows",
+      "aliases": [
+        "w",
+        "work"
+      ],
+      "short": "Manage workflows",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration workflows create",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "workflows",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a workflow",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration workflows delete",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "workflows",
+        "delete"
+      ],
+      "use": "delete \u003cworkflow-id\u003e",
+      "aliases": [
+        "d",
+        "del"
+      ],
+      "short": "Soft delete a workflow",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration workflows list",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "workflows",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all workflows",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration workflows run",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "workflows",
+        "run"
+      ],
+      "use": "run \u003cid\u003e",
+      "aliases": [
+        "r"
+      ],
+      "short": "Run a workflow",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "variable",
+          "scope": "local",
+          "usage": "Variable to pass to the workflow",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "wait",
+          "scope": "local",
+          "usage": "Wait for the run to complete",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl orchestration workflows show",
+      "pathParts": [
+        "fctl",
+        "orchestration",
+        "workflows",
+        "show"
+      ],
+      "use": "show \u003cid\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Show a workflow",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments",
+      "pathParts": [
+        "fctl",
+        "payments"
+      ],
+      "use": "payments",
+      "short": "Manage payments",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments accounts",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "accounts"
+      ],
+      "use": "accounts",
+      "aliases": [
+        "a",
+        "ac",
+        "acc",
+        "account"
+      ],
+      "short": "Manage accounts",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments accounts balances",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "accounts",
+        "balances"
+      ],
+      "use": "balances \u003caccountID\u003e",
+      "short": "List account balances",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments accounts create",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "accounts",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create an account on the Formance platform",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments accounts get",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "accounts",
+        "get"
+      ],
+      "use": "get \u003caccountID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get an account",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments accounts list",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "accounts",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List connector accounts",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments bank_accounts",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "bank_accounts"
+      ],
+      "use": "bank_accounts",
+      "aliases": [
+        "ba",
+        "bac",
+        "bacc",
+        "baccount"
+      ],
+      "short": "Manage bank accounts",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments bank_accounts create",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "bank_accounts",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a bank account",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments bank_accounts forward",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "bank_accounts",
+        "forward"
+      ],
+      "use": "forward \u003cbankAccountID\u003e \u003cconnectorID\u003e",
+      "aliases": [
+        "f",
+        "fo"
+      ],
+      "short": "Forward a bank account to a connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments bank_accounts get",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "bank_accounts",
+        "get"
+      ],
+      "use": "get \u003cbankAccountID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a bank account",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments bank_accounts list",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "bank_accounts",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List bank accounts",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments bank_accounts update-metadata",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "bank_accounts",
+        "update-metadata"
+      ],
+      "use": "update-metadata \u003cbankAccountID\u003e [\u003ckey\u003e=\u003cvalue\u003e...]",
+      "aliases": [
+        "um",
+        "update-meta"
+      ],
+      "short": "Set metadata on a bank account",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors"
+      ],
+      "use": "connectors",
+      "aliases": [
+        "c",
+        "co",
+        "con"
+      ],
+      "short": "Manage connectors",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors get-config",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "get-config"
+      ],
+      "use": "get-config",
+      "aliases": [
+        "g",
+        "gc",
+        "get",
+        "getconf",
+        "getconfig"
+      ],
+      "short": "Read a connector config (Connectors available: [adyen atlar bankingcircle currencycloud modulr stripe wise mangopay moneycorp generic qonto column fireblocks coinbaseprime increase powens tink plaid])",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "provider",
+          "scope": "local",
+          "usage": "Provider name (only used for v0, v1 or v2)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install"
+      ],
+      "use": "install",
+      "aliases": [
+        "i"
+      ],
+      "short": "Install a connector (Connectors available: [adyen atlar bankingcircle currencycloud modulr stripe wise mangopay moneycorp generic qonto column fireblocks coinbaseprime increase powens tink plaid])",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install adyen",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "adyen"
+      ],
+      "use": "adyen \u003cfile\u003e|-",
+      "short": "Install an Adyen connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install atlar",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "atlar"
+      ],
+      "use": "atlar \u003cfile\u003e|-",
+      "short": "Install an Atlar connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install bankingcircle",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "bankingcircle"
+      ],
+      "use": "bankingcircle \u003cfile\u003e|-",
+      "short": "Install a Banking Circle connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install coinbaseprime",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "coinbaseprime"
+      ],
+      "use": "coinbaseprime \u003cfile\u003e|-",
+      "short": "Install a Coinbase Prime connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install column",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "column"
+      ],
+      "use": "column \u003cfile\u003e|-",
+      "short": "Install a Column connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install currencycloud",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "currencycloud"
+      ],
+      "use": "currencycloud \u003cfile\u003e|-",
+      "short": "Install a Currency Cloud connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install fireblocks",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "fireblocks"
+      ],
+      "use": "fireblocks \u003cfile\u003e|-",
+      "short": "Install a Fireblocks connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install generic",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "generic"
+      ],
+      "use": "generic \u003cfile\u003e|-",
+      "short": "Install a generic connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install increase",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "increase"
+      ],
+      "use": "increase \u003cfile\u003e|-",
+      "short": "Install an Increase connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install mangopay",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "mangopay"
+      ],
+      "use": "mangopay \u003cfile\u003e|-",
+      "short": "Install a MangoPay connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install modulr",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "modulr"
+      ],
+      "use": "modulr \u003cfile\u003e|-",
+      "short": "Install a Modulr connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install moneycorp",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "moneycorp"
+      ],
+      "use": "moneycorp \u003cfile\u003e|-",
+      "short": "Install a Moneycorp connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install plaid",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "plaid"
+      ],
+      "use": "plaid \u003cfile\u003e|-",
+      "short": "Install a Plaid connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install powens",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "powens"
+      ],
+      "use": "powens \u003cfile\u003e|-",
+      "short": "Install a Powens connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install qonto",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "qonto"
+      ],
+      "use": "qonto \u003cfile\u003e|-",
+      "short": "Install a Qonto connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install stripe",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "stripe"
+      ],
+      "use": "stripe \u003cfile\u003e|-",
+      "short": "Install a Stripe connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install tink",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "tink"
+      ],
+      "use": "tink \u003cfile\u003e|-",
+      "short": "Install a Tink connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors install wise",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "install",
+        "wise"
+      ],
+      "use": "wise \u003cfile\u003e|-",
+      "short": "Install a Wise connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors list",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all enabled connectors",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "10",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors uninstall",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "uninstall"
+      ],
+      "use": "uninstall",
+      "aliases": [
+        "u",
+        "un",
+        "uninstall"
+      ],
+      "short": "Uninstall a connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "provider",
+          "scope": "local",
+          "usage": "Provider name",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config"
+      ],
+      "use": "update-config",
+      "aliases": [
+        "uc"
+      ],
+      "short": "Update the config of a connector (Connectors available: [adyen atlar bankingcircle currencycloud modulr stripe wise mangopay moneycorp generic qonto column fireblocks coinbaseprime increase powens tink plaid])",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config adyen",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "adyen"
+      ],
+      "use": "adyen \u003cfile\u003e|-",
+      "short": "Update the config of an Adyen connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config atlar",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "atlar"
+      ],
+      "use": "atlar \u003cfile\u003e|-",
+      "short": "Update the config of an Atlar connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config bankingcircle",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "bankingcircle"
+      ],
+      "use": "bankingcircle \u003cfile\u003e|-",
+      "short": "Update the config of a Banking Circle connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config coinbaseprime",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "coinbaseprime"
+      ],
+      "use": "coinbaseprime \u003cfile\u003e|-",
+      "short": "Update the config of a Coinbase Prime connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config column",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "column"
+      ],
+      "use": "column \u003cfile\u003e|-",
+      "short": "Update the config of a Column connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config currencycloud",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "currencycloud"
+      ],
+      "use": "currencycloud \u003cfile\u003e|-",
+      "short": "Update the config of a CurrencyCloud connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config fireblocks",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "fireblocks"
+      ],
+      "use": "fireblocks \u003cfile\u003e|-",
+      "short": "Update the config of a Fireblocks connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config increase",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "increase"
+      ],
+      "use": "increase \u003cfile\u003e|-",
+      "short": "Update the config of an Increase connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config mangopay",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "mangopay"
+      ],
+      "use": "mangopay \u003cfile\u003e|-",
+      "short": "Update the config of a Mangopay connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config modulr",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "modulr"
+      ],
+      "use": "modulr \u003cfile\u003e|-",
+      "short": "Update the config of a Modulr connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config moneycorp",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "moneycorp"
+      ],
+      "use": "moneycorp \u003cfile\u003e|-",
+      "short": "Update the config of a Moneycorp connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config plaid",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "plaid"
+      ],
+      "use": "plaid \u003cfile\u003e|-",
+      "short": "Update the config of a Plaid connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config powens",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "powens"
+      ],
+      "use": "powens \u003cfile\u003e|-",
+      "short": "Update the config of a Powens connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config qonto",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "qonto"
+      ],
+      "use": "qonto \u003cfile\u003e|-",
+      "short": "Update the config of a Qonto connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config stripe",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "stripe"
+      ],
+      "use": "stripe \u003cfile\u003e|-",
+      "short": "Update the config of a Stripe connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config tink",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "tink"
+      ],
+      "use": "tink \u003cfile\u003e|-",
+      "short": "Update the config of a Tink connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments connectors update-config wise",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "connectors",
+        "update-config",
+        "wise"
+      ],
+      "use": "wise \u003cfile\u003e|-",
+      "short": "Update the config of a Wise connector",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "connector-id",
+          "scope": "local",
+          "usage": "Connector ID",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments payments",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "payments"
+      ],
+      "use": "payments",
+      "aliases": [
+        "p"
+      ],
+      "short": "Manage payments",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments payments create",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "payments",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a payment on the Formance platform",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments payments get",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "payments",
+        "get"
+      ],
+      "use": "get \u003cpaymentID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a payment",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments payments list",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "payments",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "ls"
+      ],
+      "short": "List payments",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments payments set-metadata",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "payments",
+        "set-metadata"
+      ],
+      "use": "set-metadata \u003cpaymentID\u003e [\u003ckey\u003e=\u003cvalue\u003e...]",
+      "aliases": [
+        "set-meta",
+        "sm"
+      ],
+      "short": "Set metadata on a payment",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools"
+      ],
+      "use": "pools",
+      "aliases": [
+        "p"
+      ],
+      "short": "Manage pools",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools add-account",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "add-account"
+      ],
+      "use": "add-account \u003cpoolID\u003e \u003caccountID\u003e",
+      "aliases": [
+        "a",
+        "add"
+      ],
+      "short": "Add an account to a pool",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools balances",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "balances"
+      ],
+      "use": "balances \u003cpoolID\u003e \u003cat\u003e",
+      "short": "List pool balances",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools create",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a pool",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools delete",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "delete"
+      ],
+      "use": "delete \u003cpoolID\u003e",
+      "aliases": [
+        "d"
+      ],
+      "short": "Delete a pool",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools get",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "get"
+      ],
+      "use": "get \u003cpoolID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a pool",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools latest-balances",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "latest-balances"
+      ],
+      "use": "latest-balances \u003cpoolID\u003e",
+      "short": "List pool latest balances",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools list",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List pools",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools remove-account",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "remove-account"
+      ],
+      "use": "remove-account \u003cpoolID\u003e \u003caccountID\u003e",
+      "aliases": [
+        "remove",
+        "rm"
+      ],
+      "short": "Remove an account from a pool",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments pools update-query",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "pools",
+        "update-query"
+      ],
+      "use": "update-query \u003cpoolID\u003e \u003cfile\u003e|-",
+      "aliases": [
+        "uq"
+      ],
+      "short": "Update the query of a dynamic pool",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments tasks",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "tasks"
+      ],
+      "use": "tasks",
+      "aliases": [
+        "t"
+      ],
+      "short": "Manage tasks",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments tasks get",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "tasks",
+        "get"
+      ],
+      "use": "get \u003ctaskID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a task",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation"
+      ],
+      "use": "transfer_initiation",
+      "aliases": [
+        "ti"
+      ],
+      "short": "Manage transfer initiations",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation approve",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "approve"
+      ],
+      "use": "approve \u003ctransferInitiationID\u003e",
+      "aliases": [
+        "a"
+      ],
+      "short": "Approve a transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation create",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation delete",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "delete"
+      ],
+      "use": "delete \u003ctransferID\u003e",
+      "aliases": [
+        "d"
+      ],
+      "short": "Delete a transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation get",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "get"
+      ],
+      "use": "get \u003ctransferID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation list",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List transfer initiations",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation reject",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "reject"
+      ],
+      "use": "reject \u003ctransferInitiationID\u003e",
+      "aliases": [
+        "rj"
+      ],
+      "short": "Reject a transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation retry",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "retry"
+      ],
+      "use": "retry \u003ctransferID\u003e",
+      "aliases": [
+        "r"
+      ],
+      "short": "Retry a failed transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation reverse",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "reverse"
+      ],
+      "use": "reverse \u003ctransferID\u003e \u003cfile\u003e|-",
+      "aliases": [
+        "r",
+        "re"
+      ],
+      "short": "Reverse a transfer initiation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl payments transfer_initiation update_status",
+      "pathParts": [
+        "fctl",
+        "payments",
+        "transfer_initiation",
+        "update_status"
+      ],
+      "use": "update_status \u003ctransferID\u003e \u003cstatus\u003e",
+      "aliases": [
+        "u"
+      ],
+      "short": "Update the status of a transfer initiation (deprecated in \u003e= v3.0.0)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles",
+      "pathParts": [
+        "fctl",
+        "profiles"
+      ],
+      "use": "profiles",
+      "aliases": [
+        "p",
+        "prof",
+        "profile"
+      ],
+      "short": "Manage profiles",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles delete",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "delete"
+      ],
+      "use": "delete \u003cname\u003e",
+      "short": "Delete a profile",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles list",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l"
+      ],
+      "short": "List profiles",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles rename",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "rename"
+      ],
+      "use": "rename \u003cold-name\u003e \u003cnew-name\u003e",
+      "short": "Rename a profile",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles reset",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "reset"
+      ],
+      "use": "reset \u003cname\u003e",
+      "short": "Reset a profile keeping the environment",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles set-default-organization",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "set-default-organization"
+      ],
+      "use": "set-default-organization \u003corganization-id\u003e",
+      "aliases": [
+        "sdo"
+      ],
+      "short": "Set default organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles set-default-stack",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "set-default-stack"
+      ],
+      "use": "set-default-stack \u003cstack-id\u003e",
+      "aliases": [
+        "sds"
+      ],
+      "short": "Set default stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles show",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "show"
+      ],
+      "use": "show \u003cname\u003e",
+      "aliases": [
+        "s"
+      ],
+      "short": "Show a profile",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl profiles use",
+      "pathParts": [
+        "fctl",
+        "profiles",
+        "use"
+      ],
+      "use": "use \u003cname\u003e",
+      "aliases": [
+        "u"
+      ],
+      "short": "Use profile",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl prompt",
+      "pathParts": [
+        "fctl",
+        "prompt"
+      ],
+      "use": "prompt",
+      "short": "Start a prompt",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation",
+      "pathParts": [
+        "fctl",
+        "reconciliation"
+      ],
+      "use": "reconciliation",
+      "short": "Manage reconciliation",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation get",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "get"
+      ],
+      "use": "get \u003creconciliationID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a reconciliation",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation list",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List reconciliations",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation policies",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "policies"
+      ],
+      "use": "policies",
+      "aliases": [
+        "p"
+      ],
+      "short": "Manage policies",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation policies create",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "policies",
+        "create"
+      ],
+      "use": "create \u003cfile\u003e|-",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation policies delete",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "policies",
+        "delete"
+      ],
+      "use": "delete \u003cpolicyID\u003e",
+      "aliases": [
+        "d"
+      ],
+      "short": "Delete a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation policies get",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "policies",
+        "get"
+      ],
+      "use": "get \u003cpolicyID\u003e",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Get a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation policies list",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "policies",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List policies",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl reconciliation policies reconcile",
+      "pathParts": [
+        "fctl",
+        "reconciliation",
+        "policies",
+        "reconcile"
+      ],
+      "use": "reconcile \u003cpolicyID\u003e \u003catLedger\u003e \u003catPayments\u003e",
+      "aliases": [
+        "r"
+      ],
+      "short": "Launch a reconciliation from a policy",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl search",
+      "pathParts": [
+        "fctl",
+        "search"
+      ],
+      "use": "search \u003cobject-type\u003e \u003cterms\u003e...",
+      "aliases": [
+        "se"
+      ],
+      "short": "Search in all services (Default: ANY), or in a specific service (ACCOUNT, TRANSACTION, ASSET, PAYMENT)",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "size",
+          "scope": "local",
+          "usage": "Number of items to fetch",
+          "default": "5",
+          "type": "int"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack",
+      "pathParts": [
+        "fctl",
+        "stack"
+      ],
+      "use": "stack",
+      "aliases": [
+        "st",
+        "stack",
+        "stacks"
+      ],
+      "short": "Manage your stack",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack create",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "create"
+      ],
+      "use": "create [name]",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a new stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "no-wait",
+          "scope": "local",
+          "usage": "Not wait stack availability",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "region",
+          "scope": "local",
+          "usage": "Region on which deploy the stack",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "version",
+          "scope": "local",
+          "usage": "Version of the stack",
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack delete",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "delete"
+      ],
+      "use": "delete (\u003cstack-id\u003e | --name=\u003cstack-name\u003e)",
+      "aliases": [
+        "d",
+        "del"
+      ],
+      "short": "Delete a stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "force",
+          "scope": "local",
+          "usage": "Force to delete a stack without retention policy",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Stack to delete",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack disable",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "disable"
+      ],
+      "use": "disable (\u003cstack-id\u003e | --name=\u003cstack-name\u003e)",
+      "short": "Disable a stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Stack to disable",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack enable",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "enable"
+      ],
+      "use": "enable (\u003cstack-id\u003e | --name=\u003cstack-name\u003e)",
+      "short": "Enable a stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Stack to enable",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack history",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "history"
+      ],
+      "use": "history [id]",
+      "aliases": [
+        "hist"
+      ],
+      "short": "Query stack history",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "action",
+          "scope": "local",
+          "usage": "Filter by action",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "cursor",
+          "scope": "local",
+          "usage": "Pagination cursor",
+          "type": "string"
+        },
+        {
+          "name": "data",
+          "scope": "local",
+          "usage": "Filter by modified data (format: key=value, key is a JSONB text path)",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "display-data",
+          "scope": "local",
+          "usage": "Display data",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "page-size",
+          "scope": "local",
+          "usage": "Page size",
+          "default": "10",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "user-id",
+          "scope": "local",
+          "usage": "Filter by user ID (use SYSTEM to filter by system logs)",
+          "type": "string"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack list",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List stacks",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "all",
+          "scope": "local",
+          "usage": "Display deleted stacks",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "deleted",
+          "scope": "local",
+          "usage": "Display deleted stacks",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true",
+          "hidden": true,
+          "deprecated": "Use --all instead"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack modules",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "modules"
+      ],
+      "use": "modules",
+      "aliases": [
+        "mod",
+        "module"
+      ],
+      "short": "Manage your modules",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack modules disable",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "modules",
+        "disable"
+      ],
+      "use": "disable \u003cmodule-name\u003e",
+      "aliases": [
+        "d",
+        "dis"
+      ],
+      "short": "Disable a module",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack modules enable",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "modules",
+        "enable"
+      ],
+      "use": "enable \u003cmodule-name\u003e",
+      "short": "Enable a module",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack modules list",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "modules",
+        "list"
+      ],
+      "use": "list --stack=\u003cstack-id\u003e",
+      "aliases": [
+        "ls"
+      ],
+      "short": "List modules in a stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack proxy",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "proxy"
+      ],
+      "use": "proxy",
+      "short": "Start a local proxy server to access the stack with authentication",
+      "long": "Start a local proxy server that adds authentication headers to requests to the stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "allowed-origins",
+          "scope": "local",
+          "usage": "Allowed origins for CORS (comma-separated). If not specified, CORS is disabled.",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "port",
+          "scope": "local",
+          "usage": "Port to use for the local proxy server",
+          "default": "55001",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack restore",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "restore"
+      ],
+      "use": "restore \u003cstack-id\u003e",
+      "short": "Restore a deleted stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack show",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "show"
+      ],
+      "use": "show (\u003cstack-id\u003e | --name=\u003cstack-name\u003e)",
+      "aliases": [
+        "s",
+        "sh"
+      ],
+      "short": "Show a stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack update",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "update"
+      ],
+      "use": "update \u003cstack-id\u003e",
+      "short": "Update a created stack, name, or metadata",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Name of the stack",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack upgrade",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "upgrade"
+      ],
+      "use": "upgrade \u003cstack-id\u003e \u003cversion\u003e",
+      "short": "Upgrade a stack to specified version",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "no-wait",
+          "scope": "local",
+          "usage": "Wait stack availability",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack users",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "users"
+      ],
+      "use": "users",
+      "aliases": [
+        "u",
+        "user"
+      ],
+      "short": "Manage stack users within an organization",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack users link",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "users",
+        "link"
+      ],
+      "use": "link \u003cuser-id\u003e",
+      "short": "Link a stack user to the current stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "policy-id",
+          "scope": "local",
+          "usage": "Policy ID",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack users list",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "users",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l"
+      ],
+      "short": "List stack access roles within an organization",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl stack users unlink",
+      "pathParts": [
+        "fctl",
+        "stack",
+        "users",
+        "unlink"
+      ],
+      "use": "unlink \u003cuser-id\u003e",
+      "short": "Unlink a stack user from the current stack",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl ui",
+      "pathParts": [
+        "fctl",
+        "ui"
+      ],
+      "use": "ui",
+      "short": "Open UI",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl version",
+      "pathParts": [
+        "fctl",
+        "version"
+      ],
+      "use": "version",
+      "short": "Get version",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets",
+      "pathParts": [
+        "fctl",
+        "wallets"
+      ],
+      "use": "wallets",
+      "aliases": [
+        "wa",
+        "wal",
+        "wallet"
+      ],
+      "short": "Manage wallets",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets balances",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "balances"
+      ],
+      "use": "balances",
+      "aliases": [
+        "bal",
+        "balance",
+        "bls"
+      ],
+      "short": "Wallet balances",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets balances create",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "balances",
+        "create"
+      ],
+      "use": "create \u003cbalance-name\u003e",
+      "aliases": [
+        "c",
+        "cr"
+      ],
+      "short": "Create a new balance",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "expires-at",
+          "scope": "local",
+          "usage": "Balance expiration date",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "priority",
+          "scope": "local",
+          "usage": "Balance priority",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets balances list",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "balances",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List balances",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets balances show",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "balances",
+        "show"
+      ],
+      "use": "show \u003cbalance-name\u003e",
+      "aliases": [
+        "sh"
+      ],
+      "short": "Show a balance",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets create",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "create"
+      ],
+      "use": "create \u003cname\u003e",
+      "aliases": [
+        "cr"
+      ],
+      "short": "Create a new wallet",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ik",
+          "scope": "local",
+          "usage": "Idempotency key",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets credit",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "credit"
+      ],
+      "use": "credit \u003camount\u003e \u003casset\u003e",
+      "aliases": [
+        "cr"
+      ],
+      "short": "Credit a wallet",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "balance",
+          "scope": "local",
+          "usage": "Balance to credit",
+          "type": "string"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "ik",
+          "scope": "local",
+          "usage": "Idempotency Key",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "source",
+          "scope": "local",
+          "usage": "Use --source account=\u003caccount\u003e | --source wallet=id:\u003cwallet-id\u003e[/\u003cbalance\u003e] | --source wallet=name:\u003cwallet-name\u003e[/\u003cbalance\u003e]",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets debit",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "debit"
+      ],
+      "use": "debit \u003camount\u003e \u003casset\u003e",
+      "aliases": [
+        "deb"
+      ],
+      "short": "Debit a wallet",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "balance",
+          "scope": "local",
+          "usage": "Balance to debit",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "description",
+          "scope": "local",
+          "usage": "Debit description",
+          "type": "string"
+        },
+        {
+          "name": "destination",
+          "scope": "local",
+          "usage": "Use --destination account=\u003caccount\u003e | --destination wallet=id:\u003cwallet-id\u003e[/\u003cbalance\u003e] | --destination wallet=name:\u003cwallet-name\u003e[/\u003cbalance\u003e]",
+          "type": "string"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "ik",
+          "scope": "local",
+          "usage": "Idempotency Key",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "pending",
+          "scope": "local",
+          "usage": "Create a pending debit",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets holds",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "holds"
+      ],
+      "use": "holds",
+      "aliases": [
+        "h",
+        "hold"
+      ],
+      "short": "Manage wallet holds",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets holds confirm",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "holds",
+        "confirm"
+      ],
+      "use": "confirm \u003chold-id\u003e",
+      "aliases": [
+        "c",
+        "conf"
+      ],
+      "short": "Confirm a hold",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "amount",
+          "scope": "local",
+          "usage": "Amount to confirm",
+          "default": "0",
+          "type": "int"
+        },
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "final",
+          "scope": "local",
+          "usage": "Is final debit (close hold)",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ik",
+          "scope": "local",
+          "usage": "Idempotency Key",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets holds list",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "holds",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List holds of a wallet",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets holds show",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "holds",
+        "show"
+      ],
+      "use": "show \u003chold-id\u003e",
+      "aliases": [
+        "sh"
+      ],
+      "short": "Show a hold",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets holds void",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "holds",
+        "void"
+      ],
+      "use": "void \u003chold-id\u003e",
+      "aliases": [
+        "v"
+      ],
+      "short": "Void a hold",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ik",
+          "scope": "local",
+          "usage": "Idempotency Key",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets list",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all wallets",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets show",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "show"
+      ],
+      "use": "show",
+      "aliases": [
+        "sh"
+      ],
+      "short": "Show a wallet",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets transactions",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "transactions"
+      ],
+      "use": "transactions",
+      "aliases": [
+        "transaction",
+        "tx",
+        "txs"
+      ],
+      "short": "Wallet transactions",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets transactions list",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "transactions",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List transactions",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "id",
+          "scope": "local",
+          "usage": "Wallet ID to use",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "name",
+          "scope": "local",
+          "usage": "Wallet name to use",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl wallets update",
+      "pathParts": [
+        "fctl",
+        "wallets",
+        "update"
+      ],
+      "use": "update \u003cwallet-id\u003e",
+      "aliases": [
+        "up"
+      ],
+      "short": "Update a wallet",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "ik",
+          "scope": "local",
+          "usage": "Idempotency Key",
+          "type": "string"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "metadata",
+          "scope": "local",
+          "usage": "Metadata to use",
+          "default": "[]",
+          "type": "stringSlice"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks",
+      "pathParts": [
+        "fctl",
+        "webhooks"
+      ],
+      "use": "webhooks",
+      "aliases": [
+        "web",
+        "wh"
+      ],
+      "short": "Manage webhooks",
+      "runnable": false,
+      "hasSubcommands": true,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "local",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "organization",
+          "scope": "persistent",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "local",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "persistent",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks activate",
+      "pathParts": [
+        "fctl",
+        "webhooks",
+        "activate"
+      ],
+      "use": "activate \u003cconfig-id\u003e",
+      "aliases": [
+        "a",
+        "ac"
+      ],
+      "short": "Activate a config",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks change-secret",
+      "pathParts": [
+        "fctl",
+        "webhooks",
+        "change-secret"
+      ],
+      "use": "change-secret \u003cconfig-id\u003e \u003csecret\u003e",
+      "aliases": [
+        "cs"
+      ],
+      "short": "Change the signing secret of a webhook config. Optionally provide your own secret; if omitted, one is generated automatically (24-byte, base64-encoded string).",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks create",
+      "pathParts": [
+        "fctl",
+        "webhooks",
+        "create"
+      ],
+      "use": "create \u003cendpoint\u003e [\u003cevent-type\u003e...]",
+      "aliases": [
+        "cr"
+      ],
+      "short": "Create a new config. At least one event type is required.",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "secret",
+          "scope": "local",
+          "usage": "Bring your own webhooks signing secret. If not passed or empty, a secret is automatically generated. The format is a string of bytes of size 24, base64 encoded. (larger size after encoding)",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks deactivate",
+      "pathParts": [
+        "fctl",
+        "webhooks",
+        "deactivate"
+      ],
+      "use": "deactivate \u003cconfig-id\u003e",
+      "aliases": [
+        "deac"
+      ],
+      "short": "Deactivate a config",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks delete",
+      "pathParts": [
+        "fctl",
+        "webhooks",
+        "delete"
+      ],
+      "use": "delete \u003cconfig-id\u003e",
+      "aliases": [
+        "del"
+      ],
+      "short": "Delete a config",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "confirm",
+          "scope": "local",
+          "usage": "Confirm action",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    },
+    {
+      "path": "fctl webhooks list",
+      "pathParts": [
+        "fctl",
+        "webhooks",
+        "list"
+      ],
+      "use": "list",
+      "aliases": [
+        "l",
+        "ls"
+      ],
+      "short": "List all configs",
+      "runnable": true,
+      "hasSubcommands": false,
+      "flags": [
+        {
+          "name": "config-dir",
+          "scope": "inherited",
+          "shorthand": "c",
+          "usage": "Path to configuration dir",
+          "default": "$HOME/.config/formance/fctl",
+          "type": "string"
+        },
+        {
+          "name": "debug",
+          "scope": "inherited",
+          "shorthand": "d",
+          "usage": "Enable debug mode",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "insecure-tls",
+          "scope": "inherited",
+          "usage": "Allow insecure TLS connections",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        },
+        {
+          "name": "organization",
+          "scope": "inherited",
+          "usage": "Selected organization (not required if only one organization is present)",
+          "type": "string"
+        },
+        {
+          "name": "output",
+          "scope": "inherited",
+          "shorthand": "o",
+          "usage": "Output format (plain, json)",
+          "default": "plain",
+          "type": "string"
+        },
+        {
+          "name": "profile",
+          "scope": "inherited",
+          "shorthand": "p",
+          "usage": "Configuration profile to use",
+          "type": "string"
+        },
+        {
+          "name": "stack",
+          "scope": "inherited",
+          "usage": "Specific stack (not required if only one stack is present)",
+          "type": "string"
+        },
+        {
+          "name": "telemetry",
+          "scope": "inherited",
+          "usage": "Enable telemetry",
+          "default": "false",
+          "type": "bool",
+          "noOptDefVal": "true"
+        }
+      ]
+    }
+  ]
+}
diff --git a/v4/todos/01-v4-isolated-skeleton.md b/v4/todos/01-v4-isolated-skeleton.md
new file mode 100644
index 00000000..a86009c7
--- /dev/null
+++ b/v4/todos/01-v4-isolated-skeleton.md
@@ -0,0 +1,36 @@
+# Goal 01 - v4 isolated skeleton
+
+```text
+/goal
+Create the isolated fctl v4 skeleton under the top-level v4/ directory.
+
+Read first:
+- AGENTS.md
+- docs/rfcs/0001-fctl-v4-architecture.md
+- docs/adr/0005-build-v4-in-isolated-directory.md
+- docs/cli-v4/config-format.md
+
+Deliverables:
+- v4 Go module or buildable v4 application skeleton.
+- v4/cmd root command with Cobra wired as a thin parser/router.
+- v4/internal package directories for config, credentials, capabilities, runtime, commands, render, and prompt.
+- minimal v4 main entrypoint that can print version/help.
+- documentation note explaining how to build/run v4 without touching v3.
+
+Constraints:
+- stay on branch feat/v4.
+- do not modify or delete existing v3 command behavior.
+- do not move root files yet.
+- keep new code isolated under v4/.
+- commit each logical step separately.
+- run git diff --check before each commit.
+
+Tests:
+- run go test for the v4 module/package if a module is created.
+- run the v4 binary help/version command if buildable.
+
+Done when:
+- v4 can be built or at least tested independently.
+- v3 root remains untouched except documentation/build notes if needed.
+- all changes are committed in small reviewable commits.
+```
diff --git a/v4/todos/02-v4-foundation-packages.md b/v4/todos/02-v4-foundation-packages.md
new file mode 100644
index 00000000..b3985c42
--- /dev/null
+++ b/v4/todos/02-v4-foundation-packages.md
@@ -0,0 +1,37 @@
+# Goal 02 - v4 foundation packages
+
+```text
+/goal
+Implement the v4 foundation packages without migrating product commands.
+
+Read first:
+- docs/rfcs/0001-fctl-v4-architecture.md
+- docs/cli-v4/config-format.md
+- docs/cli-v4/compatibility-manifest.md
+- docs/adr/0001-contexts-as-primary-target.md
+- docs/adr/0002-auth-is-decoupled-from-cloud.md
+- docs/adr/0003-api-version-resolution.md
+
+Deliverables:
+- v4/internal/config for versioned context config structs, load, save, validate, current context resolution, and env/flag override hooks.
+- v4/internal/credentials with interfaces for secret get/set/delete and an explicit insecure file implementation for development tests.
+- v4/internal/capabilities with APIVersion, Product, Feature, Manifest, ComponentCompatibility, and resolver data types.
+- v4/internal/runtime with a typed Runtime shell that resolves config, context, target, and API policy.
+- unit tests for config validation, context selection, and compatibility range resolution.
+
+Constraints:
+- do not add real auth flows yet.
+- do not migrate existing v3 commands.
+- do not store long-lived secrets in config structs except secret references.
+- commit after each package or cohesive test set.
+- run git diff --check before each commit.
+
+Tests:
+- go test ./... in v4.
+- targeted unit tests for each new package.
+
+Done when:
+- the foundation packages compile and are tested.
+- no v3 behavior changes.
+- commits are small and reviewable.
+```
diff --git a/v4/todos/03-context-commands.md b/v4/todos/03-context-commands.md
new file mode 100644
index 00000000..6fdc2f5d
--- /dev/null
+++ b/v4/todos/03-context-commands.md
@@ -0,0 +1,35 @@
+# Goal 03 - v4 context commands
+
+```text
+/goal
+Add the first v4 context management commands.
+
+Read first:
+- docs/cli-v4/config-format.md
+- docs/adr/0001-contexts-as-primary-target.md
+- v4/internal/config and v4/internal/runtime from prior goals.
+
+Deliverables:
+- fctl v4 context list.
+- fctl v4 context show [name].
+- fctl v4 context use <name>.
+- fctl v4 context create stack <name> --stack-url ... with minimal auth reference support.
+- JSON output support for these commands.
+- tests for config mutation and command output.
+
+Constraints:
+- commands must be non-destructive.
+- no Cloud membership dependency.
+- support non-interactive usage.
+- keep Cobra command files thin.
+- commit after each command group or test group.
+- run git diff --check before each commit.
+
+Tests:
+- go test ./... in v4.
+- command-level tests for list/show/use/create.
+
+Done when:
+- contexts can be created, listed, inspected, and selected in v4 config.
+- command output is stable enough for scripts.
+```
diff --git a/v4/todos/04-auth-providers.md b/v4/todos/04-auth-providers.md
new file mode 100644
index 00000000..83c0e397
--- /dev/null
+++ b/v4/todos/04-auth-providers.md
@@ -0,0 +1,35 @@
+# Goal 04 - v4 auth providers
+
+```text
+/goal
+Implement initial v4 authentication providers for stack targets.
+
+Read first:
+- docs/adr/0002-auth-is-decoupled-from-cloud.md
+- docs/cli-v4/config-format.md
+- v4/internal/credentials from prior goals.
+
+Deliverables:
+- auth provider interface in v4/internal/runtime or v4/internal/auth if the split is warranted.
+- client_credentials provider using issuer URL, client ID, and secret reference.
+- token provider using token from env, stdin, or credential reference.
+- explicit none provider for local development targets.
+- credential storage through the credentials interface.
+- clear errors for missing credentials.
+
+Constraints:
+- do not implement Cloud device flow yet unless it is needed for tests.
+- do not store secrets directly in config.
+- none auth must be explicit.
+- keep CI/non-interactive behavior deterministic.
+- commit each provider separately when practical.
+- run git diff --check before each commit.
+
+Tests:
+- unit tests for provider selection.
+- unit tests with fake HTTP token endpoint for client_credentials.
+- no tests should require real Formance Cloud.
+
+Done when:
+- stack contexts can resolve an HTTP client/token source for client_credentials, token, and none.
+```
diff --git a/v4/todos/05-capabilities-manifest-generator.md b/v4/todos/05-capabilities-manifest-generator.md
new file mode 100644
index 00000000..f007a4b3
--- /dev/null
+++ b/v4/todos/05-capabilities-manifest-generator.md
@@ -0,0 +1,35 @@
+# Goal 05 - capabilities manifest generator
+
+```text
+/goal
+Generate the v4 compatibility manifest from the stack OpenAPI spec.
+
+Read first:
+- docs/cli-v4/compatibility-manifest.md
+- docs/adr/0003-api-version-resolution.md
+
+Reference spec:
+- https://github.com/formancehq/stack/releases/download/v3.2.4/generate.json
+
+Deliverables:
+- generator script or Go tool that reads generate.json.
+- generated v4/internal/capabilities manifest containing spec version, products, API namespaces, operation IDs, HTTP methods, paths, and tags.
+- manual component version compatibility table kept separate from generated data.
+- test fixture based on a reduced OpenAPI sample.
+- documentation for regenerating the manifest.
+
+Constraints:
+- generated files must be deterministic.
+- do not require network in normal tests.
+- keep manual compatibility ranges small and explicit.
+- commit generator and generated output separately if useful for review.
+- run git diff --check before each commit.
+
+Tests:
+- unit tests for generator parsing.
+- go test ./... in v4.
+- optional check that generated output is up to date.
+
+Done when:
+- v4 has generated operation metadata from OpenAPI and manual component compatibility ranges.
+```
diff --git a/v4/todos/06-runtime-version-resolver.md b/v4/todos/06-runtime-version-resolver.md
new file mode 100644
index 00000000..aa6f469d
--- /dev/null
+++ b/v4/todos/06-runtime-version-resolver.md
@@ -0,0 +1,35 @@
+# Goal 06 - runtime API version resolver
+
+```text
+/goal
+Implement runtime API version resolution using /versions and the compatibility manifest.
+
+Read first:
+- docs/cli-v4/compatibility-manifest.md
+- docs/adr/0003-api-version-resolution.md
+- v4/internal/capabilities from prior goals.
+
+Deliverables:
+- Runtime support for calling SDK GetVersions or an abstract versions client.
+- parser for /versions response into component versions.
+- resolver that maps component version -> supported API namespaces.
+- resolver that selects the highest compatible command handler unless pinned by policy.
+- support for policies: latest-compatible, pinned, latest if feasible.
+- clean unsupported-feature errors.
+
+Constraints:
+- make resolver testable without network.
+- do not add Ledger command migration yet.
+- avoid probing endpoints as a substitute for /versions.
+- commit resolver model, implementation, and tests in small chunks.
+- run git diff --check before each commit.
+
+Tests:
+- unit tests for component version mapping.
+- unit tests for handler selection.
+- unit tests for pinned version errors.
+- go test ./... in v4.
+
+Done when:
+- a command can ask runtime for the correct API handler based on target versions and policy.
+```
diff --git a/v4/todos/07-stack-inspection-command.md b/v4/todos/07-stack-inspection-command.md
new file mode 100644
index 00000000..48a5c5f6
--- /dev/null
+++ b/v4/todos/07-stack-inspection-command.md
@@ -0,0 +1,32 @@
+# Goal 07 - first stack inspection command
+
+```text
+/goal
+Add a first non-destructive v4 stack inspection command to validate runtime resolution.
+
+Read first:
+- docs/rfcs/0001-fctl-v4-architecture.md
+- docs/cli-v4/compatibility-manifest.md
+- v4/internal/runtime from prior goals.
+
+Deliverables:
+- fctl v4 target inspect or fctl v4 capabilities inspect.
+- command calls /versions for the current stack target.
+- output includes target URL, component versions, health, inferred API namespaces, and API policy.
+- JSON output support.
+- command-level tests with fake versions response.
+
+Constraints:
+- no Cloud membership requirement.
+- no mutation of remote state.
+- command must work against local/self-hosted contexts.
+- commit command, renderers, and tests in reviewable chunks.
+- run git diff --check before each commit.
+
+Tests:
+- go test ./... in v4.
+- command-level tests for table and JSON output.
+
+Done when:
+- v4 can inspect a configured stack and show inferred capabilities without touching Ledger data.
+```
diff --git a/v4/todos/08-first-ledger-versioned-command.md b/v4/todos/08-first-ledger-versioned-command.md
new file mode 100644
index 00000000..68977930
--- /dev/null
+++ b/v4/todos/08-first-ledger-versioned-command.md
@@ -0,0 +1,39 @@
+# Goal 08 - first Ledger versioned command
+
+```text
+/goal
+Implement the first Ledger command using versioned handlers.
+
+Read first:
+- docs/cli-v4/command-design.md
+- docs/cli-v4/compatibility-manifest.md
+- docs/adr/0003-api-version-resolution.md
+
+Suggested command:
+- fctl v4 ledger transactions list
+
+Deliverables:
+- canonical input model for listing Ledger transactions.
+- versioned handlers for the SDK namespaces available in the public SDK.
+- adapters from canonical input to generated SDK request types.
+- runtime selection of the best compatible handler.
+- JSON and table rendering.
+- clear error when no compatible API version exists.
+
+Constraints:
+- do not migrate all Ledger commands.
+- avoid exposing v1/v2 in the primary command path.
+- support --api-version for pinning if the runtime already supports it.
+- keep Cobra thin.
+- commit adapters, runtime wiring, and command tests separately where practical.
+- run git diff --check before each commit.
+
+Tests:
+- unit tests for canonical input parsing.
+- unit tests for handler selection.
+- command-level tests using fake SDK/runtime boundaries.
+- go test ./... in v4.
+
+Done when:
+- one Ledger command proves the versioned command pattern end to end.
+```
diff --git a/v4/todos/09-v3-config-migration.md b/v4/todos/09-v3-config-migration.md
new file mode 100644
index 00000000..49c4fbc3
--- /dev/null
+++ b/v4/todos/09-v3-config-migration.md
@@ -0,0 +1,35 @@
+# Goal 09 - v3 config migration
+
+```text
+/goal
+Implement explicit v3 to v4 configuration migration.
+
+Read first:
+- docs/cli-v4/migration-from-v3.md
+- docs/cli-v4/config-format.md
+- docs/adr/0001-contexts-as-primary-target.md
+
+Deliverables:
+- fctl v4 config migrate-v3 command.
+- read-only parser for existing v3 config/profile files.
+- migration planner that shows contexts and credential moves before writing.
+- migration writer that creates v4 config and stores credentials through the credentials interface when possible.
+- dry-run mode.
+- tests with fixture v3 configs.
+
+Constraints:
+- do not delete or mutate v3 files.
+- do not silently migrate during normal command execution.
+- never print secrets in logs or normal output.
+- commit parser, planner, writer, and command in separate reviewable commits.
+- run git diff --check before each commit.
+
+Tests:
+- unit tests for v3 fixture parsing.
+- unit tests for migration plan output.
+- command-level tests for dry-run and write mode.
+- go test ./... in v4.
+
+Done when:
+- users can explicitly migrate v3 profiles to v4 contexts without losing v3 data.
+```
diff --git a/v4/todos/10-integration-tests-and-ux-hardening.md b/v4/todos/10-integration-tests-and-ux-hardening.md
new file mode 100644
index 00000000..4d2fbc32
--- /dev/null
+++ b/v4/todos/10-integration-tests-and-ux-hardening.md
@@ -0,0 +1,32 @@
+# Goal 10 - integration tests and UX hardening
+
+```text
+/goal
+Harden v4 CLI behavior with integration-style tests and user-facing error/output polish.
+
+Read first:
+- docs/rfcs/0001-fctl-v4-architecture.md
+- docs/cli-v4/command-design.md
+- all prior todos that have been completed.
+
+Deliverables:
+- testscript-style integration tests or equivalent command execution harness.
+- stable stdout/stderr assertions for context, inspect, auth, and first Ledger command.
+- consistent error types and exit codes for unsupported target, missing auth, unsupported API, and invalid config.
+- JSON/YAML output checks.
+- non-interactive mode checks.
+
+Constraints:
+- do not require real Formance Cloud.
+- prefer fake local HTTP servers or fixtures.
+- do not add broad refactors unrelated to UX/test hardening.
+- commit test harness first, then behavior changes in small commits.
+- run git diff --check before each commit.
+
+Tests:
+- go test ./... in v4.
+- integration harness runs in CI-friendly mode.
+
+Done when:
+- core v4 workflows are covered as real CLI usage, not only unit tests.
+```
diff --git a/v4/todos/11-cutover-plan.md b/v4/todos/11-cutover-plan.md
new file mode 100644
index 00000000..c231d2aa
--- /dev/null
+++ b/v4/todos/11-cutover-plan.md
@@ -0,0 +1,32 @@
+# Goal 11 - v4 cutover plan
+
+```text
+/goal
+Prepare the final cutover plan for moving the completed v4 implementation from v4/ to the repository root.
+
+Read first:
+- docs/adr/0005-build-v4-in-isolated-directory.md
+- docs/rfcs/0001-fctl-v4-architecture.md
+- all completed todos.
+
+Deliverables:
+- written cutover checklist.
+- inventory of root files to delete, move, or preserve.
+- module path and import path plan.
+- release and packaging plan.
+- compatibility notes for users and contributors.
+- final validation matrix before the cutover commit.
+
+Constraints:
+- this goal is planning only unless the user explicitly asks to execute cutover.
+- do not delete v3 root files during this goal.
+- do not move v4 to root yet.
+- commit the cutover plan as documentation.
+- run git diff --check before commit.
+
+Tests:
+- documentation-only unless build metadata is touched.
+
+Done when:
+- the team has an explicit, reviewable checklist for the final root replacement.
+```
diff --git a/v4/todos/STATUS.md b/v4/todos/STATUS.md
new file mode 100644
index 00000000..9669145d
--- /dev/null
+++ b/v4/todos/STATUS.md
@@ -0,0 +1,15 @@
+# v4 Todo Status
+
+- [x] 01 - v4 isolated skeleton
+- [x] 02 - v4 foundation packages
+- [x] 03 - context commands
+- [x] 04 - auth providers
+- [x] 05 - capabilities manifest generator
+- [x] 06 - runtime API version resolver
+- [x] 07 - first stack inspection command
+- [x] 08 - first Ledger versioned command
+- [x] 09 - v3 config migration
+- [x] 10 - integration tests and UX hardening
+- [x] 11 - v4 cutover plan
+
+Update this file after each completed todo. Keep implementation commits separate from status-only commits when practical.