npm - @base44-preview/cli - Versions diffs - 0.0.51-pr.503.a910f3e → 0.0.51-pr.516.5cdf28c - Mend

@base44-preview/cli 0.0.51-pr.503.a910f3e → 0.0.51-pr.516.5cdf28c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -8935,8 +8935,8 @@ var require_ejs = __commonJS((exports) => {
   exports.resolveInclude = function(name2, filename, isDir) {
     var dirname6 = path11.dirname;
     var extname = path11.extname;
-    var resolve2 = path11.resolve;
-    var includePath = resolve2(isDir ? filename : dirname6(filename), name2);
+    var resolve = path11.resolve;
+    var includePath = resolve(isDir ? filename : dirname6(filename), name2);
     var ext = extname(name2);
     if (!ext) {
       includePath += ".ejs";
@@ -9011,10 +9011,10 @@ var require_ejs = __commonJS((exports) => {
     var result;
     if (!cb) {
       if (typeof exports.promiseImpl == "function") {
-        return new exports.promiseImpl(function(resolve2, reject) {
+        return new exports.promiseImpl(function(resolve, reject) {
           try {
             result = handleCache(options)(data);
-            resolve2(result);
+            resolve(result);
           } catch (err) {
             reject(err);
           }
@@ -12452,12 +12452,12 @@ var require_isexe = __commonJS((exports, module) => {
       if (typeof Promise !== "function") {
         throw new TypeError("callback not provided");
       }
-      return new Promise(function(resolve3, reject) {
+      return new Promise(function(resolve2, reject) {
         isexe(path11, options || {}, function(er, is) {
           if (er) {
             reject(er);
           } else {
-            resolve3(is);
+            resolve2(is);
           }
         });
       });
@@ -12519,27 +12519,27 @@ var require_which = __commonJS((exports, module) => {
       opt = {};
     const { pathEnv, pathExt, pathExtExe } = getPathInfo(cmd, opt);
     const found = [];
-    const step = (i) => new Promise((resolve3, reject) => {
+    const step = (i) => new Promise((resolve2, reject) => {
       if (i === pathEnv.length)
-        return opt.all && found.length ? resolve3(found) : reject(getNotFoundError(cmd));
+        return opt.all && found.length ? resolve2(found) : reject(getNotFoundError(cmd));
       const ppRaw = pathEnv[i];
       const pathPart = /^".*"$/.test(ppRaw) ? ppRaw.slice(1, -1) : ppRaw;
       const pCmd = path11.join(pathPart, cmd);
       const p = !pathPart && /^\.[\\\/]/.test(cmd) ? cmd.slice(0, 2) + pCmd : pCmd;
-      resolve3(subStep(p, i, 0));
+      resolve2(subStep(p, i, 0));
     });
-    const subStep = (p, i, ii) => new Promise((resolve3, reject) => {
+    const subStep = (p, i, ii) => new Promise((resolve2, reject) => {
       if (ii === pathExt.length)
-        return resolve3(step(i + 1));
+        return resolve2(step(i + 1));
       const ext = pathExt[ii];
       isexe(p + ext, { pathExt: pathExtExe }, (er, is) => {
         if (!er && is) {
           if (opt.all)
             found.push(p + ext);
           else
-            return resolve3(p + ext);
+            return resolve2(p + ext);
         }
-        return resolve3(subStep(p, i, ii + 1));
+        return resolve2(subStep(p, i, ii + 1));
       });
     });
     return cb ? step(0).then((res) => cb(null, res), cb) : step(0);
@@ -27503,7 +27503,7 @@ function cleanDoc(doc2) {
   return mapDoc(doc2, (currentDoc) => cleanDocFn(currentDoc));
 }
 function replaceEndOfLine(doc2, replacement = literalline) {
-  return mapDoc(doc2, (currentDoc) => typeof currentDoc === "string" ? join19(replacement, currentDoc.split(`
+  return mapDoc(doc2, (currentDoc) => typeof currentDoc === "string" ? join20(replacement, currentDoc.split(`
 `)) : currentDoc);
 }
 function canBreakFn(doc2) {
@@ -27583,7 +27583,7 @@ function indentIfBreak(contents, options) {
     negate: options.negate
   };
 }
-function join19(separator, docs) {
+function join20(separator, docs) {
   assertDoc(separator);
   assertDocArray(docs);
   const parts = [];
@@ -28294,7 +28294,7 @@ var init_doc = __esm(() => {
   MODE_FLAT = Symbol("MODE_FLAT");
   DOC_FILL_PRINTED_LENGTH = Symbol("DOC_FILL_PRINTED_LENGTH");
   builders = {
-    join: join19,
+    join: join20,
     line,
     softline,
     hardline,
@@ -115559,7 +115559,7 @@ import { fileURLToPath as fileURLToPath22 } from "url";
 import v8 from "v8";
 import assert22 from "assert";
 import { format as format2, inspect as inspect3 } from "util";
-import { createRequire as createRequire3 } from "module";
+import { createRequire as createRequire2 } from "module";
 import { equal, ok, strictEqual } from "assert";
 import path112 from "path";
 import { fileURLToPath as fileURLToPath52 } from "url";
@@ -118133,7 +118133,7 @@ function importFromFile(specifier, parent) {
   return import(url3);
 }
 function requireFromFile(id2, parent) {
-  const require22 = createRequire3(parent);
+  const require22 = createRequire2(parent);
   return require22(id2);
 }
 async function loadExternalConfig(externalConfig, configFile) {
@@ -124338,7 +124338,7 @@ var init_prettier = __esm(() => {
         const absolute = [];
         const relative22 = [];
         for (const pattern of patterns) {
-          if (isAbsolute3(pattern)) {
+          if (isAbsolute2(pattern)) {
             absolute.push(pattern);
           } else {
             relative22.push(pattern);
@@ -124347,10 +124347,10 @@ var init_prettier = __esm(() => {
         return [absolute, relative22];
       }
       exports.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-      function isAbsolute3(pattern) {
+      function isAbsolute2(pattern) {
         return path152.isAbsolute(pattern);
       }
-      exports.isAbsolute = isAbsolute3;
+      exports.isAbsolute = isAbsolute2;
     }
   });
   require_merge22 = __commonJS2({
@@ -133208,7 +133208,7 @@ Expected it to be ${EXPECTED_TYPE_VALUES}.`;
       return mapDoc2(doc2, (currentDoc) => cleanDocFn2(currentDoc));
     }
     function replaceEndOfLine2(doc2, replacement = literalline2) {
-      return mapDoc2(doc2, (currentDoc) => typeof currentDoc === "string" ? join21(replacement, currentDoc.split(`
+      return mapDoc2(doc2, (currentDoc) => typeof currentDoc === "string" ? join22(replacement, currentDoc.split(`
 `)) : currentDoc);
     }
     function canBreakFn2(doc2) {
@@ -133294,7 +133294,7 @@ Expected it to be ${EXPECTED_TYPE_VALUES}.`;
         negate: options8.negate
       };
     }
-    function join21(separator, docs) {
+    function join22(separator, docs) {
       assertDoc2(separator);
       assertDocArray2(docs);
       const parts = [];
@@ -133959,7 +133959,7 @@ Expected it to be ${EXPECTED_TYPE_VALUES}.`;
       }
     }
     var builders2 = {
-      join: join21,
+      join: join22,
       line: line3,
       softline: softline2,
       hardline: hardline4,
@@ -160399,10 +160399,10 @@ var require_view = __commonJS((exports, module) => {
   var debug = require_src4()("express:view");
   var path18 = __require("node:path");
   var fs28 = __require("node:fs");
-  var dirname15 = path18.dirname;
+  var dirname16 = path18.dirname;
   var basename4 = path18.basename;
   var extname2 = path18.extname;
-  var join22 = path18.join;
+  var join23 = path18.join;
   var resolve8 = path18.resolve;
   module.exports = View;
   function View(name2, options8) {
@@ -160438,7 +160438,7 @@ var require_view = __commonJS((exports, module) => {
     for (var i5 = 0;i5 < roots.length && !path19; i5++) {
       var root2 = roots[i5];
       var loc = resolve8(root2, name2);
-      var dir = dirname15(loc);
+      var dir = dirname16(loc);
       var file2 = basename4(loc);
       path19 = this.resolve(dir, file2);
     }
@@ -160464,12 +160464,12 @@ var require_view = __commonJS((exports, module) => {
   };
   View.prototype.resolve = function resolve9(dir, file2) {
     var ext = this.ext;
-    var path19 = join22(dir, file2);
+    var path19 = join23(dir, file2);
     var stat2 = tryStat(path19);
     if (stat2 && stat2.isFile()) {
       return path19;
     }
-    path19 = join22(dir, basename4(file2, ext), "index" + ext);
+    path19 = join23(dir, basename4(file2, ext), "index" + ext);
     stat2 = tryStat(path19);
     if (stat2 && stat2.isFile()) {
       return path19;
@@ -164164,7 +164164,7 @@ var require_send = __commonJS((exports, module) => {
   var Stream2 = __require("stream");
   var util2 = __require("util");
   var extname2 = path18.extname;
-  var join22 = path18.join;
+  var join23 = path18.join;
   var normalize2 = path18.normalize;
   var resolve8 = path18.resolve;
   var sep = path18.sep;
@@ -164336,7 +164336,7 @@ var require_send = __commonJS((exports, module) => {
         return res;
       }
       parts = path19.split(sep);
-      path19 = normalize2(join22(root2, path19));
+      path19 = normalize2(join23(root2, path19));
     } else {
       if (UP_PATH_REGEXP.test(path19)) {
         debug('malicious path "%s"', path19);
@@ -164476,7 +164476,7 @@ var require_send = __commonJS((exports, module) => {
           return self2.onStatError(err);
         return self2.error(404);
       }
-      var p4 = join22(path19, self2._index[i5]);
+      var p4 = join23(path19, self2._index[i5]);
       debug('stat "%s"', p4);
       fs28.stat(p4, function(err2, stat2) {
         if (err2)
@@ -214616,7 +214616,7 @@ var require_buffer_list = __commonJS((exports, module) => {
       }
     }, {
       key: "join",
-      value: function join22(s5) {
+      value: function join23(s5) {
         if (this.length === 0)
           return "";
         var p4 = this.head;
@@ -218270,7 +218270,7 @@ var require_dist5 = __commonJS((exports, module) => {
 });
 // src/cli/index.ts
-import { dirname as dirname19, join as join25 } from "node:path";
+import { dirname as dirname20, join as join26 } from "node:path";
 import { fileURLToPath as fileURLToPath6 } from "node:url";
 // ../../node_modules/@clack/core/dist/index.mjs
@@ -234632,8 +234632,7 @@ var ProjectConfigSchema = exports_external.object({
   functionsDir: exports_external.string().optional().default("functions"),
   agentsDir: exports_external.string().optional().default("agents"),
   connectorsDir: exports_external.string().optional().default("connectors"),
-  authDir: exports_external.string().optional().default("auth"),
-  plugins: exports_external.array(exports_external.string()).optional().default([])
+  authDir: exports_external.string().optional().default("auth")
 });
 var AppConfigSchema = exports_external.object({
   id: exports_external.string().min(1, "id cannot be empty")
@@ -241580,8 +241579,7 @@ var generateGlobTasks = normalizeArguments(generateTasks);
 var generateGlobTasksSync = normalizeArgumentsSync(generateTasksSync);
 // src/core/project/config.ts
-import { createRequire as createRequire2 } from "node:module";
-import { dirname as dirname5, isAbsolute as isAbsolute2, join as join8, resolve } from "node:path";
+import { dirname as dirname5, join as join8 } from "node:path";
 // src/core/resources/agent/schema.ts
 var EntityOperationSchema = exports_external.enum(["create", "update", "delete", "read"]);
@@ -241976,7 +241974,11 @@ async function updateSocialLoginConfig(authDir, provider, enable, customOAuth) {
   const current = await readAuthConfig(authDir) ?? DEFAULT_AUTH_CONFIG;
   const merged = {
     ...current,
-    [providerInfo.field]: enable
+    [providerInfo.field]: enable,
+    ...enable && {
+      enableSSOLogin: false,
+      ssoProviderName: null
+    }
   };
   if (providerInfo.customOAuth) {
     const oauth = providerInfo.customOAuth;
@@ -242000,6 +242002,192 @@ async function pushCustomOAuthSecret(provider, clientSecret) {
     [providerInfo.customOAuth.secretKey]: clientSecret
   });
 }
+// src/core/resources/auth-config/sso/secret-keys.ts
+var SSOSecretKey;
+((SSOSecretKey2) => {
+  SSOSecretKey2["Name"] = "sso_name";
+  SSOSecretKey2["ClientId"] = "sso_client_id";
+  SSOSecretKey2["ClientSecret"] = "sso_client_secret";
+  SSOSecretKey2["Scope"] = "sso_scope";
+  SSOSecretKey2["DiscoveryUrl"] = "sso_discovery_url";
+  SSOSecretKey2["TenantId"] = "sso_tenant_id";
+  SSOSecretKey2["AuthEndpoint"] = "sso_auth_endpoint";
+  SSOSecretKey2["TokenEndpoint"] = "sso_token_endpoint";
+  SSOSecretKey2["UserinfoEndpoint"] = "sso_userinfo_endpoint";
+  SSOSecretKey2["OktaDomain"] = "sso_okta_domain";
+  SSOSecretKey2["JwksUri"] = "sso_jwks_uri";
+})(SSOSecretKey ||= {});
+var ALL_SSO_SECRET_KEYS = Object.values(SSOSecretKey);
+var DEFAULT_OIDC_SCOPE = "openid email profile";
+var DEFAULT_GITHUB_SCOPE = "user:email";
+// src/core/resources/auth-config/sso/providers/custom.ts
+var customProvider = {
+  requiredKeys: [
+    "sso_auth_endpoint" /* AuthEndpoint */,
+    "sso_token_endpoint" /* TokenEndpoint */,
+    "sso_userinfo_endpoint" /* UserinfoEndpoint */,
+    "sso_jwks_uri" /* JwksUri */
+  ],
+  defaults: {
+    ["sso_scope" /* Scope */]: DEFAULT_OIDC_SCOPE
+  }
+};
+// src/core/resources/auth-config/sso/providers/github.ts
+var githubProvider = {
+  requiredKeys: [],
+  defaults: {
+    ["sso_scope" /* Scope */]: DEFAULT_GITHUB_SCOPE,
+    ["sso_auth_endpoint" /* AuthEndpoint */]: "https://github.com/login/oauth/authorize",
+    ["sso_token_endpoint" /* TokenEndpoint */]: "https://github.com/login/oauth/access_token",
+    ["sso_userinfo_endpoint" /* UserinfoEndpoint */]: "https://api.github.com/user"
+  }
+};
+// src/core/resources/auth-config/sso/providers/google.ts
+var googleProvider = {
+  requiredKeys: [],
+  defaults: {
+    ["sso_scope" /* Scope */]: DEFAULT_OIDC_SCOPE,
+    ["sso_discovery_url" /* DiscoveryUrl */]: "https://accounts.google.com/.well-known/openid-configuration"
+  }
+};
+// src/core/resources/auth-config/sso/providers/microsoft.ts
+var microsoftProvider = {
+  requiredKeys: ["sso_tenant_id" /* TenantId */],
+  defaults: {
+    ["sso_scope" /* Scope */]: DEFAULT_OIDC_SCOPE
+  },
+  deriveDefaults: (secrets) => {
+    const tenantId = secrets["sso_tenant_id" /* TenantId */];
+    if (tenantId) {
+      return {
+        ["sso_discovery_url" /* DiscoveryUrl */]: `https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration`
+      };
+    }
+    return {};
+  }
+};
+// src/core/resources/auth-config/sso/providers/okta.ts
+var oktaProvider = {
+  requiredKeys: ["sso_okta_domain" /* OktaDomain */],
+  defaults: {
+    ["sso_scope" /* Scope */]: DEFAULT_OIDC_SCOPE
+  },
+  deriveDefaults: (secrets) => {
+    const domain2 = secrets["sso_okta_domain" /* OktaDomain */];
+    if (domain2) {
+      return {
+        ["sso_discovery_url" /* DiscoveryUrl */]: `https://${domain2}/.well-known/openid-configuration`
+      };
+    }
+    return {};
+  }
+};
+// src/core/resources/auth-config/sso/providers/index.ts
+var SSO_PROVIDER_SCHEMAS = {
+  google: googleProvider,
+  microsoft: microsoftProvider,
+  github: githubProvider,
+  okta: oktaProvider,
+  custom: customProvider
+};
+// src/core/resources/auth-config/sso/types.ts
+var KNOWN_SSO_PROVIDERS = {
+  google: "google",
+  microsoft: "microsoft",
+  github: "github",
+  okta: "okta",
+  custom: "custom"
+};
+// src/core/resources/auth-config/sso/operations.ts
+var OPTION_TO_SECRET_KEY = {
+  scope: "sso_scope" /* Scope */,
+  discoveryUrl: "sso_discovery_url" /* DiscoveryUrl */,
+  tenantId: "sso_tenant_id" /* TenantId */,
+  oktaDomain: "sso_okta_domain" /* OktaDomain */,
+  authEndpoint: "sso_auth_endpoint" /* AuthEndpoint */,
+  tokenEndpoint: "sso_token_endpoint" /* TokenEndpoint */,
+  userinfoEndpoint: "sso_userinfo_endpoint" /* UserinfoEndpoint */,
+  jwksUri: "sso_jwks_uri" /* JwksUri */
+};
+async function updateSSOConfig(authDir, provider, enable) {
+  const current = await readAuthConfig(authDir) ?? DEFAULT_AUTH_CONFIG;
+  const merged = {
+    ...current,
+    enableSSOLogin: enable,
+    ssoProviderName: enable && provider ? provider : null,
+    ...enable && {
+      enableGoogleLogin: false,
+      enableMicrosoftLogin: false,
+      enableFacebookLogin: false,
+      enableAppleLogin: false
+    }
+  };
+  await writeAuthConfig(authDir, merged);
+  return merged;
+}
+class MissingSSOFieldsError extends InvalidInputError {
+  missingKeys;
+  provider;
+  constructor(provider, missingKeys) {
+    super(`Missing required fields for ${provider}: ${missingKeys.join(", ")}`);
+    this.provider = provider;
+    this.missingKeys = missingKeys;
+  }
+}
+function buildSSOSecrets(provider, options) {
+  const schema3 = SSO_PROVIDER_SCHEMAS[provider];
+  const secrets = {};
+  secrets["sso_name" /* Name */] = options.ssoName ?? provider;
+  secrets["sso_client_id" /* ClientId */] = options.clientId;
+  secrets["sso_client_secret" /* ClientSecret */] = options.clientSecret;
+  for (const [optionKey, secretKey] of Object.entries(OPTION_TO_SECRET_KEY)) {
+    const value = options[optionKey];
+    if (typeof value === "string" && value.length > 0) {
+      secrets[secretKey] = value;
+    }
+  }
+  if (schema3.deriveDefaults) {
+    const derived = schema3.deriveDefaults(secrets);
+    for (const [key, val] of Object.entries(derived)) {
+      if (!secrets[key]) {
+        secrets[key] = val;
+      }
+    }
+  }
+  for (const [key, val] of Object.entries(schema3.defaults)) {
+    if (!secrets[key]) {
+      secrets[key] = val;
+    }
+  }
+  const missing = [];
+  for (const key of schema3.requiredKeys) {
+    if (!secrets[key]) {
+      missing.push(key);
+    }
+  }
+  if (provider === KNOWN_SSO_PROVIDERS.custom && !options.ssoName) {
+    missing.push("sso_name" /* Name */);
+  }
+  if (missing.length > 0) {
+    throw new MissingSSOFieldsError(provider, missing);
+  }
+  return Object.fromEntries(Object.entries(secrets).filter(([, v]) => v.length > 0));
+}
+async function pushSSOSecrets(secrets) {
+  await setSecrets(secrets);
+}
+async function deleteSSOSecrets() {
+  await Promise.allSettled(ALL_SSO_SECRET_KEYS.map((key) => deleteSecret(key)));
+}
 // src/core/resources/connector/schema.ts
 var GoogleCalendarConnectorSchema = exports_external.object({
   type: exports_external.literal("googlecalendar"),
@@ -242657,55 +242845,6 @@ var SyncEntitiesResponseSchema = exports_external.object({
   deleted: exports_external.array(exports_external.string())
 });
-// src/core/resources/entity/config.ts
-async function readEntityFile(entityPath) {
-  const parsed = await readJsonFile(entityPath);
-  const result = EntitySchema.safeParse(parsed);
-  if (!result.success) {
-    throw new SchemaValidationError("Invalid entity file", result.error, entityPath);
-  }
-  return result.data;
-}
-async function readAllEntities(entitiesDir) {
-  if (!await pathExists(entitiesDir)) {
-    return [];
-  }
-  const files = await globby(`*.${CONFIG_FILE_EXTENSION_GLOB}`, {
-    cwd: entitiesDir,
-    absolute: true
-  });
-  const entities = await Promise.all(files.map((filePath) => readEntityFile(filePath)));
-  return entities;
-}
-function mergeEntities(appEntities, pluginEntities) {
-  const appEntitiesByName = new Map(appEntities.map((entity) => [entity.name, entity]));
-  let mergedEntities = [];
-  pluginEntities.forEach((pluginEntity) => {
-    const appEntityToMerge = appEntitiesByName.get(pluginEntity.name);
-    if (appEntityToMerge) {
-      const appEntityProperties = Object.keys(appEntityToMerge.properties);
-      const pluginEntityProperties = Object.keys(pluginEntity.properties);
-      const collidingProperties = appEntityProperties.filter((prop) => pluginEntityProperties.includes(prop));
-      if (collidingProperties.length) {
-        const collidingPropertiesNames = collidingProperties.map((name2) => `"${name2}"`).join(", ");
-        throw new ConfigInvalidError(`Entity "${appEntityToMerge.name}" cannot override plugin-defined properties: ${collidingPropertiesNames}.
-        Plugin properties are protected — remove or rename them in your local entity.`);
-      }
-      mergedEntities.push({
-        ...pluginEntity,
-        properties: {
-          ...pluginEntity.properties,
-          ...appEntityToMerge.properties
-        }
-      });
-      appEntitiesByName.delete(appEntityToMerge.name);
-    } else {
-      mergedEntities.push(pluginEntity);
-    }
-  });
-  return [...mergedEntities, ...appEntitiesByName.values()];
-}
 // src/core/resources/entity/api.ts
 async function syncEntities(entities) {
   const appClient = getAppClient();
@@ -242727,6 +242866,26 @@ async function syncEntities(entities) {
   }
   return result.data;
 }
+// src/core/resources/entity/config.ts
+async function readEntityFile(entityPath) {
+  const parsed = await readJsonFile(entityPath);
+  const result = EntitySchema.safeParse(parsed);
+  if (!result.success) {
+    throw new SchemaValidationError("Invalid entity file", result.error, entityPath);
+  }
+  return result.data;
+}
+async function readAllEntities(entitiesDir) {
+  if (!await pathExists(entitiesDir)) {
+    return [];
+  }
+  const files = await globby(`*.${CONFIG_FILE_EXTENSION_GLOB}`, {
+    cwd: entitiesDir,
+    absolute: true
+  });
+  const entities = await Promise.all(files.map((filePath) => readEntityFile(filePath)));
+  return entities;
+}
 // src/core/resources/entity/deploy.ts
 async function pushEntities(entities) {
   if (entities.length === 0) {
@@ -243152,13 +243311,6 @@ var functionResource = {
   push: (functions) => deployFunctionsSequentially(functions)
 };
 // src/core/project/config.ts
-function resolvePluginRoot(pluginRef, fromRoot) {
-  if (pluginRef.startsWith(".") || isAbsolute2(pluginRef)) {
-    return resolve(fromRoot, pluginRef);
-  }
-  const req = createRequire2(join8(fromRoot, "package.json"));
-  return dirname5(req.resolve(`${pluginRef}/package.json`));
-}
 async function findConfigInDir(dir) {
   const files = await globby(PROJECT_CONFIG_PATTERNS, {
     cwd: dir,
@@ -243196,20 +243348,13 @@ async function readProjectConfig(projectRoot) {
   }
   const project = result.data;
   const configDir = dirname5(configPath);
-  const [appEntities, functions, agents, connectors, authConfig] = await Promise.all([
+  const [entities, functions, agents, connectors, authConfig] = await Promise.all([
     entityResource.readAll(join8(configDir, project.entitiesDir)),
     functionResource.readAll(join8(configDir, project.functionsDir)),
     agentResource.readAll(join8(configDir, project.agentsDir)),
     connectorResource.readAll(join8(configDir, project.connectorsDir)),
     authConfigResource.readAll(join8(configDir, project.authDir))
   ]);
-  let entities = appEntities;
-  for (const pluginRef of project.plugins) {
-    const plugin = await readProjectConfig(resolvePluginRoot(pluginRef, root));
-    entities = mergeEntities(appEntities, plugin.entities);
-    functions.push(...plugin.functions);
-    agents.push(...plugin.agents);
-  }
   return {
     project: { ...project, root, configPath },
     entities,
@@ -243586,7 +243731,7 @@ async function createProjectFilesForExistingProject(options) {
   };
 }
 // src/core/project/deploy.ts
-import { resolve as resolve2 } from "node:path";
+import { resolve } from "node:path";
 // src/core/site/api.ts
 async function uploadSite(archivePath) {
@@ -243675,7 +243820,7 @@ async function deployAll(projectData, options) {
   await authConfigResource.push(authConfig);
   const { results: connectorResults } = await pushConnectors(connectors);
   if (project.site?.outputDirectory) {
-    const outputDir = resolve2(project.root, project.site.outputDirectory);
+    const outputDir = resolve(project.root, project.site.outputDirectory);
     const { appUrl } = await deploySite(outputDir);
     return { appUrl, connectorResults };
   }
@@ -245490,8 +245635,8 @@ var disconnect = (anyProcess) => {
 // ../../node_modules/execa/lib/utils/deferred.js
 var createDeferred = () => {
   const methods = {};
-  const promise2 = new Promise((resolve3, reject) => {
-    Object.assign(methods, { resolve: resolve3, reject });
+  const promise2 = new Promise((resolve2, reject) => {
+    Object.assign(methods, { resolve: resolve2, reject });
   });
   return Object.assign(promise2, methods);
 };
@@ -249855,11 +250000,11 @@ var addConcurrentStream = (concurrentStreams, stream, waitName) => {
   const promises = weakMap.get(stream);
   const promise2 = createDeferred();
   promises.push(promise2);
-  const resolve3 = promise2.resolve.bind(promise2);
-  return { resolve: resolve3, promises };
+  const resolve2 = promise2.resolve.bind(promise2);
+  return { resolve: resolve2, promises };
 };
-var waitForConcurrentStreams = async ({ resolve: resolve3, promises }, subprocess) => {
-  resolve3();
+var waitForConcurrentStreams = async ({ resolve: resolve2, promises }, subprocess) => {
+  resolve2();
   const [isSubprocessExit] = await Promise.race([
     Promise.allSettled([true, subprocess]),
     Promise.all([false, ...promises])
@@ -250986,7 +251131,7 @@ function getAuthPushCommand() {
 }
 // src/cli/commands/auth/social-login.ts
-import { dirname as dirname10, join as join15, resolve as resolve3 } from "node:path";
+import { dirname as dirname10, join as join15, resolve as resolve2 } from "node:path";
 var PROVIDER_LABELS = {
   google: "Google",
   microsoft: "Microsoft",
@@ -251026,7 +251171,7 @@ async function socialLoginAction({ log, isNonInteractive, runTask: runTask2 }, p
   let clientSecret;
   if (useCustomOAuth && oauth && oauthCli && hasSecretOptions(options)) {
     if (options.envFile) {
-      const secrets = await parseEnvFile(resolve3(options.envFile));
+      const secrets = await parseEnvFile(resolve2(options.envFile));
       const value = secrets[oauthCli.envVar];
       if (!value) {
         throw new InvalidInputError(`Key "${oauthCli.envVar}" not found in ${options.envFile}.`);
@@ -251081,9 +251226,213 @@ function getSocialLoginCommand() {
   ])).option("--client-id <id>", "custom OAuth client ID (Google only)").option("--client-secret <secret>", "custom OAuth client secret (Google only)").option("--client-secret-stdin", "read client secret from stdin (Google only)").option("--env-file <path>", "read client secret from a .env file (Google only)").action(socialLoginAction);
 }
+// src/cli/commands/auth/sso.ts
+import { dirname as dirname11, join as join16, resolve as resolve3 } from "node:path";
+var SSOConfigFileSchema = exports_external.object({
+  provider: exports_external.enum(Object.values(KNOWN_SSO_PROVIDERS)),
+  clientId: exports_external.string(),
+  clientSecret: exports_external.string(),
+  scope: exports_external.string().optional(),
+  discoveryUrl: exports_external.string().optional(),
+  tenantId: exports_external.string().optional(),
+  oktaDomain: exports_external.string().optional(),
+  authEndpoint: exports_external.string().optional(),
+  tokenEndpoint: exports_external.string().optional(),
+  userinfoEndpoint: exports_external.string().optional(),
+  jwksUri: exports_external.string().optional(),
+  ssoName: exports_external.string().optional()
+});
+async function loadSSOConfigFile(filePath) {
+  const resolved = resolve3(filePath);
+  const raw2 = await readJsonFile(resolved);
+  const result = SSOConfigFileSchema.safeParse(raw2);
+  if (!result.success) {
+    throw new SchemaValidationError("Invalid SSO config file", result.error, filePath);
+  }
+  return result.data;
+}
+function mergeFileWithFlags(fileConfig, options) {
+  return {
+    provider: options.provider ?? fileConfig.provider,
+    clientId: options.clientId ?? fileConfig.clientId,
+    clientSecret: options.clientSecret ?? fileConfig.clientSecret,
+    clientSecretStdin: options.clientSecretStdin,
+    envFile: options.envFile,
+    scope: options.scope ?? fileConfig.scope,
+    discoveryUrl: options.discoveryUrl ?? fileConfig.discoveryUrl,
+    tenantId: options.tenantId ?? fileConfig.tenantId,
+    oktaDomain: options.oktaDomain ?? fileConfig.oktaDomain,
+    authEndpoint: options.authEndpoint ?? fileConfig.authEndpoint,
+    tokenEndpoint: options.tokenEndpoint ?? fileConfig.tokenEndpoint,
+    userinfoEndpoint: options.userinfoEndpoint ?? fileConfig.userinfoEndpoint,
+    jwksUri: options.jwksUri ?? fileConfig.jwksUri,
+    ssoName: options.ssoName ?? fileConfig.ssoName
+  };
+}
+var providerNames = Object.keys(KNOWN_SSO_PROVIDERS);
+var SECRET_KEY_TO_FLAG = {
+  ["sso_name" /* Name */]: "--sso-name",
+  ["sso_client_id" /* ClientId */]: "--client-id",
+  ["sso_client_secret" /* ClientSecret */]: "--client-secret",
+  ["sso_scope" /* Scope */]: "--scope",
+  ["sso_discovery_url" /* DiscoveryUrl */]: "--discovery-url",
+  ["sso_tenant_id" /* TenantId */]: "--tenant-id",
+  ["sso_auth_endpoint" /* AuthEndpoint */]: "--auth-endpoint",
+  ["sso_token_endpoint" /* TokenEndpoint */]: "--token-endpoint",
+  ["sso_userinfo_endpoint" /* UserinfoEndpoint */]: "--userinfo-endpoint",
+  ["sso_okta_domain" /* OktaDomain */]: "--okta-domain",
+  ["sso_jwks_uri" /* JwksUri */]: "--jwks-uri"
+};
+function secretKeyToFlag(key) {
+  return SECRET_KEY_TO_FLAG[key];
+}
+function exampleCommand(provider) {
+  let cmd = `base44 auth sso enable --provider ${provider} --client-id <id> --client-secret <secret>`;
+  if (provider === KNOWN_SSO_PROVIDERS.microsoft)
+    cmd += " --tenant-id <id>";
+  if (provider === KNOWN_SSO_PROVIDERS.okta)
+    cmd += " --okta-domain <domain>";
+  if (provider === KNOWN_SSO_PROVIDERS.custom)
+    cmd += " --sso-name <name> --auth-endpoint <url> --token-endpoint <url> --userinfo-endpoint <url> --jwks-uri <url>";
+  return cmd;
+}
+function validateProvider(provider) {
+  if (!provider) {
+    throw new InvalidInputError("Missing --provider.", {
+      hints: [
+        {
+          message: `Valid providers: ${providerNames.join(", ")}`,
+          command: "base44 auth sso enable --provider <provider> --client-id <id> --client-secret <secret>"
+        }
+      ]
+    });
+  }
+  return provider;
+}
+async function ssoEnableAction({ isNonInteractive, runTask: runTask2 }, options) {
+  if (options.file && options.envFile) {
+    throw new InvalidInputError("--file and --env-file cannot be used together. Provide the client secret either inside --file or via --env-file.");
+  }
+  let merged = options;
+  if (options.file) {
+    const fileConfig = await loadSSOConfigFile(options.file);
+    merged = mergeFileWithFlags(fileConfig, options);
+  }
+  const provider = validateProvider(merged.provider);
+  if (!merged.clientId) {
+    throw new InvalidInputError("Missing --client-id.", {
+      hints: [
+        {
+          message: `Example: base44 auth sso enable --provider ${provider} --client-id <id> --client-secret <secret>`,
+          command: `base44 auth sso enable --provider ${provider} --client-id <id> --client-secret <secret>`
+        }
+      ]
+    });
+  }
+  let clientSecret;
+  if (merged.envFile && !merged.clientSecret) {
+    const secrets2 = await parseEnvFile(resolve3(merged.envFile));
+    const value = secrets2.sso_client_secret;
+    if (!value) {
+      throw new InvalidInputError(`Key "sso_client_secret" not found in ${merged.envFile}.`);
+    }
+    clientSecret = value;
+  } else {
+    clientSecret = await resolveSecret({
+      flagValue: merged.clientSecret,
+      fromStdin: merged.clientSecretStdin,
+      envVar: "sso_client_secret",
+      promptMessage: "Enter SSO client secret",
+      isNonInteractive,
+      name: "client secret",
+      hints: [
+        {
+          message: `Provide via flag:   base44 auth sso enable --provider ${provider} --client-id <id> --client-secret <secret>`,
+          command: `base44 auth sso enable --provider ${provider} --client-id <id> --client-secret <secret>`
+        },
+        {
+          message: `Provide via stdin:  echo <secret> | base44 auth sso enable --provider ${provider} --client-id <id> --client-secret-stdin`
+        },
+        {
+          message: `Provide via env:    sso_client_secret=<secret> base44 auth sso enable --provider ${provider} --client-id <id>`
+        }
+      ]
+    });
+  }
+  const secretOptions = {
+    clientId: merged.clientId,
+    clientSecret,
+    scope: merged.scope,
+    discoveryUrl: merged.discoveryUrl,
+    tenantId: merged.tenantId,
+    oktaDomain: merged.oktaDomain,
+    authEndpoint: merged.authEndpoint,
+    tokenEndpoint: merged.tokenEndpoint,
+    userinfoEndpoint: merged.userinfoEndpoint,
+    jwksUri: merged.jwksUri,
+    ssoName: merged.ssoName
+  };
+  let secrets;
+  try {
+    secrets = buildSSOSecrets(provider, secretOptions);
+  } catch (error48) {
+    if (error48 instanceof MissingSSOFieldsError) {
+      const flagNames = error48.missingKeys.map(secretKeyToFlag);
+      throw new InvalidInputError(`Missing required fields for ${error48.provider}: ${flagNames.join(", ")}`, {
+        hints: [
+          {
+            message: `Example: ${exampleCommand(provider)}`,
+            command: exampleCommand(provider)
+          }
+        ]
+      });
+    }
+    throw error48;
+  }
+  const { project: project2 } = await readProjectConfig();
+  const configDir = dirname11(project2.configPath);
+  const authDir = join16(configDir, project2.authDir);
+  await runTask2("Updating local auth config", async () => updateSSOConfig(authDir, provider, true));
+  await runTask2("Saving SSO credentials", async () => pushSSOSecrets(secrets));
+  return {
+    outroMessage: `SSO configured with ${provider} in local config. Run \`base44 auth push\` or \`base44 deploy\` to apply.`
+  };
+}
+function hasEnableOnlyOptions(options) {
+  return Boolean(options.provider || options.clientId || options.clientSecret || options.clientSecretStdin || options.envFile || options.file || options.scope || options.discoveryUrl || options.tenantId || options.oktaDomain || options.authEndpoint || options.tokenEndpoint || options.userinfoEndpoint || options.jwksUri || options.ssoName);
+}
+async function ssoDisableAction({ log, runTask: runTask2 }, options) {
+  if (hasEnableOnlyOptions(options)) {
+    throw new InvalidInputError("Configuration options cannot be used with disable. To disable SSO: base44 auth sso disable");
+  }
+  const { project: project2 } = await readProjectConfig();
+  const configDir = dirname11(project2.configPath);
+  const authDir = join16(configDir, project2.authDir);
+  const updated = await runTask2("Updating local auth config", async () => updateSSOConfig(authDir, null, false));
+  await runTask2("Removing SSO credentials", async () => deleteSSOSecrets());
+  if (!hasAnyLoginMethod(updated)) {
+    log.warn("Disabling SSO will leave no login methods enabled. Users will be locked out.");
+  }
+  return {
+    outroMessage: "SSO disabled in local config and credentials removed. Run `base44 auth push` or `base44 deploy` to apply."
+  };
+}
+async function ssoAction(context, action, options) {
+  if (action === "disable") {
+    return ssoDisableAction(context, options);
+  }
+  return ssoEnableAction(context, options);
+}
+function getSSOCommand() {
+  return new Base44Command("sso").description("Configure SSO identity provider (google, microsoft, github, okta, custom). SSO and social login are mutually exclusive — enabling one disables the other in the local auth config.").addArgument(new Argument("<action>", "enable or disable SSO").choices([
+    "enable",
+    "disable"
+  ])).addOption(new Option("--provider <provider>", "SSO provider").choices(Object.values(KNOWN_SSO_PROVIDERS))).option("--client-id <id>", "OAuth client ID").option("--client-secret <secret>", "OAuth client secret").option("--client-secret-stdin", "Read client secret from stdin").option("--env-file <path>", "Read client secret from a .env file (key: sso_client_secret)").option("--file <path>", "JSON config file with all SSO settings").option("--scope <scope>", "OAuth scope (defaults per provider)").option("--discovery-url <url>", "OIDC discovery URL").option("--tenant-id <id>", "Microsoft tenant ID (required for microsoft)").option("--okta-domain <domain>", "Okta domain (required for okta)").option("--auth-endpoint <url>", "Authorization endpoint (required for custom)").option("--token-endpoint <url>", "Token endpoint (required for custom)").option("--userinfo-endpoint <url>", "Userinfo endpoint (required for custom)").option("--jwks-uri <url>", "JWKS URI (required for custom)").option("--sso-name <name>", "Provider display name (required for custom)").action(ssoAction);
+}
 // src/cli/commands/auth/index.ts
 function getAuthCommand() {
-  return new Command("auth").description("Manage app authentication settings").addCommand(getPasswordLoginCommand()).addCommand(getSocialLoginCommand()).addCommand(getAuthPullCommand()).addCommand(getAuthPushCommand());
+  return new Command("auth").description("Manage app authentication settings").addCommand(getPasswordLoginCommand()).addCommand(getSocialLoginCommand()).addCommand(getSSOCommand()).addCommand(getAuthPullCommand()).addCommand(getAuthPushCommand());
 }
 // src/cli/commands/auth/login.ts
@@ -251145,14 +251494,14 @@ function getConnectorsListAvailableCommand() {
 }
 // src/cli/commands/connectors/pull.ts
-import { dirname as dirname11, join as join16 } from "node:path";
+import { dirname as dirname12, join as join17 } from "node:path";
 async function pullConnectorsAction({
   log,
   runTask: runTask2
 }) {
   const { project: project2 } = await readProjectConfig();
-  const configDir = dirname11(project2.configPath);
-  const connectorsDir = join16(configDir, project2.connectorsDir);
+  const configDir = dirname12(project2.configPath);
+  const connectorsDir = join17(configDir, project2.connectorsDir);
   const remoteConnectors = await runTask2("Fetching connectors from Base44", async () => {
     return await pullAllConnectors();
   }, {
@@ -252156,6 +252505,11 @@ async function deployFunctionsAction({ log }, names, options) {
       formatDeployResult(result, log);
     }
   });
+  const hasFailures = results.some((r) => r.status === "error");
+  if (hasFailures) {
+    log.message(buildDeploySummary(results));
+    throw new CLIExitError(1);
+  }
   if (options.force) {
     const allLocalNames = functions.map((f) => f.name);
     let pruneCompleted = 0;
@@ -252207,11 +252561,11 @@ function getListCommand() {
 }
 // src/cli/commands/functions/pull.ts
-import { dirname as dirname12, join as join17 } from "node:path";
+import { dirname as dirname13, join as join18 } from "node:path";
 async function pullFunctionsAction({ log, runTask: runTask2 }, name2) {
   const { project: project2 } = await readProjectConfig();
-  const configDir = dirname12(project2.configPath);
-  const functionsDir = join17(configDir, project2.functionsDir);
+  const configDir = dirname13(project2.configPath);
+  const functionsDir = join18(configDir, project2.functionsDir);
   const remoteFunctions = await runTask2("Fetching functions from Base44", async () => {
     const { functions } = await listDeployedFunctions();
     return functions;
@@ -252254,7 +252608,7 @@ function getFunctionsCommand() {
 }
 // src/cli/commands/project/create.ts
-import { basename as basename3, join as join18, resolve as resolve4 } from "node:path";
+import { basename as basename3, join as join19, resolve as resolve4 } from "node:path";
 var import_kebabCase = __toESM(require_kebabCase(), 1);
 var DEFAULT_TEMPLATE_ID = "backend-only";
 async function getTemplateById(templateId) {
@@ -252391,7 +252745,7 @@ async function executeCreate({
         updateMessage("Building project...");
         await execa({ cwd: resolvedPath, shell: true })`${buildCommand}`;
         updateMessage("Deploying site...");
-        return await deploySite(join18(resolvedPath, outputDirectory));
+        return await deploySite(join19(resolvedPath, outputDirectory));
       }, {
         successMessage: theme.colors.base44Orange("Site deployed successfully"),
         errorMessage: "Failed to deploy site"
@@ -253057,10 +253411,10 @@ function toPascalCase(name2) {
   return name2.split(/[-_\s]+/).map((w8) => w8.charAt(0).toUpperCase() + w8.slice(1)).join("");
 }
 // src/core/types/update-project.ts
-import { join as join21 } from "node:path";
+import { join as join22 } from "node:path";
 var TYPES_INCLUDE_PATH = `${PROJECT_SUBDIR}/${TYPES_OUTPUT_SUBDIR}/*.d.ts`;
 async function updateProjectConfig(projectRoot) {
-  const tsconfigPath = join21(projectRoot, "tsconfig.json");
+  const tsconfigPath = join22(projectRoot, "tsconfig.json");
   if (!await pathExists(tsconfigPath)) {
     return false;
   }
@@ -253108,7 +253462,7 @@ import process21 from "node:process";
 // src/cli/dev/dev-server/main.ts
 var import_cors = __toESM(require_lib4(), 1);
 var import_express6 = __toESM(require_express(), 1);
-import { dirname as dirname17, join as join24 } from "node:path";
+import { dirname as dirname18, join as join25 } from "node:path";
 // ../../node_modules/get-port/index.js
 import net from "node:net";
@@ -253450,9 +253804,7 @@ function createFunctionRouter(manager, logger2) {
         if (xAppId) {
           proxyReq.setHeader("Base44-App-Id", xAppId);
         }
-        if (authorization) {
-          proxyReq.setHeader("Base44-Service-Authorization", authorization);
-        }
+        proxyReq.setHeader("Base44-Service-Authorization", authorization ?? "Bearer base44-dev-service-token");
         proxyReq.setHeader("Base44-Api-Url", `${req.protocol}://${req.headers.host}`);
       },
       error: (err, _req, res) => {
@@ -255346,9 +255698,9 @@ class NodeFsHandler {
     if (this.fsw.closed) {
       return;
     }
-    const dirname16 = sp2.dirname(file2);
+    const dirname17 = sp2.dirname(file2);
     const basename5 = sp2.basename(file2);
-    const parent = this.fsw._getWatchedDir(dirname16);
+    const parent = this.fsw._getWatchedDir(dirname17);
     let prevStats = stats;
     if (parent.has(basename5))
       return;
@@ -255375,7 +255727,7 @@ class NodeFsHandler {
             prevStats = newStats2;
           }
         } catch (error48) {
-          this.fsw._remove(dirname16, basename5);
+          this.fsw._remove(dirname17, basename5);
         }
       } else if (parent.has(basename5)) {
         const at13 = newStats.atimeMs;
@@ -256402,8 +256754,8 @@ async function createDevServer(options8) {
     broadcastEntityEvent(io6, appId, entityName, event);
   };
   const base44ConfigWatcher = new WatchBase44({
-    functions: join24(dirname17(project2.configPath), project2.functionsDir),
-    entities: join24(dirname17(project2.configPath), project2.entitiesDir)
+    functions: join25(dirname18(project2.configPath), project2.functionsDir),
+    entities: join25(dirname18(project2.configPath), project2.entitiesDir)
   }, devLogger);
   base44ConfigWatcher.on("change", async (name2) => {
     try {
@@ -256692,7 +257044,7 @@ var import_detect_agent = __toESM(require_dist5(), 1);
 import { release, type } from "node:os";
 // ../../node_modules/posthog-node/dist/extensions/error-tracking/modifiers/module.node.mjs
-import { dirname as dirname18, posix, sep } from "path";
+import { dirname as dirname19, posix, sep } from "path";
 function createModulerModifier() {
   const getModuleFromFileName = createGetModuleFromFilename();
   return async (frames) => {
@@ -256701,7 +257053,7 @@ function createModulerModifier() {
     return frames;
   };
 }
-function createGetModuleFromFilename(basePath = process.argv[1] ? dirname18(process.argv[1]) : process.cwd(), isWindows5 = sep === "\\") {
+function createGetModuleFromFilename(basePath = process.argv[1] ? dirname19(process.argv[1]) : process.cwd(), isWindows5 = sep === "\\") {
   const normalizedBase = isWindows5 ? normalizeWindowsPath2(basePath) : basePath;
   return (filename) => {
     if (!filename)
@@ -260890,9 +261242,9 @@ function addCommandInfoToErrorReporter(program2, errorReporter) {
   });
 }
 // src/cli/index.ts
-var __dirname4 = dirname19(fileURLToPath6(import.meta.url));
+var __dirname4 = dirname20(fileURLToPath6(import.meta.url));
 async function runCLI(options8) {
-  ensureNpmAssets(join25(__dirname4, "../assets"));
+  ensureNpmAssets(join26(__dirname4, "../assets"));
   const errorReporter = new ErrorReporter;
   errorReporter.registerProcessErrorHandlers();
   const isNonInteractive = !process.stdin.isTTY || !process.stdout.isTTY;
@@ -260929,4 +261281,4 @@ export {
   CLIExitError
 };
-//# debugId=9C297F3E77E38E4B64756E2164756E21
+//# debugId=1A2210510CD4F25D64756E2164756E21