@capawesome/cli 4.12.0 → 4.14.0

package/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [4.14.0](https://github.com/capawesome-team/cli/compare/v4.13.0...v4.14.0) (2026-06-22)
+
+
+### Features
+
+* hint that failure summary can take up to a minute ([9e75e4f](https://github.com/capawesome-team/cli/commit/9e75e4f211aedae075a9509059a8fd2c7fb5c1f5))
+* store authentication token in OS secure storage ([#175](https://github.com/capawesome-team/cli/issues/175)) ([337213d](https://github.com/capawesome-team/cli/commit/337213d4de900fef6ac52b9c0ae0166cdeded630))
+* **telemetry:** add crash report notice and opt-out ([#173](https://github.com/capawesome-team/cli/issues/173)) ([0027ff2](https://github.com/capawesome-team/cli/commit/0027ff258ef18a293646330fd3d46b29e7b0c324))
+* **telemetry:** attach user ID to crash reports ([#174](https://github.com/capawesome-team/cli/issues/174)) ([eeef34a](https://github.com/capawesome-team/cli/commit/eeef34a1aadbdd2a9b8f013e765155cdb1ea9b44))
+
+## [4.13.0](https://github.com/capawesome-team/cli/compare/v4.12.0...v4.13.0) (2026-06-09)
+
+
+### Features
+
+* **cli:** add `--json` output to create and register commands ([#171](https://github.com/capawesome-team/cli/issues/171)) ([aa84e81](https://github.com/capawesome-team/cli/commit/aa84e81b9dcf564f9196af3c2b2d72ab7ccd755c))
+* **deployments:** include app build data in `list` and `get` JSON output ([#170](https://github.com/capawesome-team/cli/issues/170)) ([d257dd4](https://github.com/capawesome-team/cli/commit/d257dd4bf87260bd703e7d26fb33509ef71227a5))
+* **environments:** include variable and secret keys in get and list output ([#172](https://github.com/capawesome-team/cli/issues/172)) ([b75098b](https://github.com/capawesome-team/cli/commit/b75098b1f206e4896be1c225b0d04551f37cd35b))
+* **liveupdates:** add `--json` output to `upload` and align JSON keys in `create` ([#169](https://github.com/capawesome-team/cli/issues/169)) ([e671294](https://github.com/capawesome-team/cli/commit/e671294770495aab06792cac354663f70c92a7b9))
+
 ## [4.12.0](https://github.com/capawesome-team/cli/compare/v4.11.0...v4.12.0) (2026-06-08)
 
 

package/README.md

@@ -32,6 +32,18 @@ The Capawesome Cloud CLI ships with command documentation that is accessible wit
 npx @capawesome/cli --help
 ```
 
+## Telemetry
+
+The Capawesome Cloud CLI sends crash reports to help us identify and fix bugs. No usage analytics are collected.
+
+To opt out, set the following environment variable:
+
+```bash
+export CAPAWESOME_TELEMETRY_DISABLED=1
+```
+
+Learn more in the [Telemetry documentation](https://capawesome.io/docs/cloud/cli/telemetry/).
+
 ## Development
 
 ### Getting Started

package/dist/commands/apps/certificates/create.js

@@ -15,6 +15,7 @@ export default defineCommand({
     options: defineOptions(z.object({
         appId: z.string().optional().describe('ID of the app.'),
         file: z.string().optional().describe('Path to the certificate file.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
         keyAlias: z.string().optional().describe('Key alias for the certificate.'),
         keyPassword: z.string().optional().describe('Key password for the certificate.'),
         name: z.string().optional().describe('Name of the certificate.'),
@@ -34,7 +35,7 @@ export default defineCommand({
         yes: z.boolean().optional().describe('Skip confirmation prompts.'),
     }), { y: 'yes' }),
     action: withAuth(async (options, args) => {
-        let { appId, file, keyAlias, keyPassword, name, password, platform, provisioningProfile, type } = options;
+        let { appId, file, json, keyAlias, keyPassword, name, password, platform, provisioningProfile, type } = options;
         // 1. Select organization and app
         if (!appId) {
             if (!isInteractive()) {
@@ -183,7 +184,12 @@ export default defineCommand({
                 appCertificateId: certificate.id,
             });
         }
-        consola.info(`Certificate ID: ${certificate.id}`);
-        consola.success('Certificate created successfully.');
+        if (json) {
+            console.log(JSON.stringify({ id: certificate.id }, null, 2));
+        }
+        else {
+            consola.info(`Certificate ID: ${certificate.id}`);
+            consola.success('Certificate created successfully.');
+        }
     }),
 });

package/dist/commands/apps/channels/create.js

@@ -20,11 +20,12 @@ export default defineCommand({
             .optional()
             .describe('The number of days until the channel is automatically deleted.'),
         ignoreErrors: z.boolean().optional().describe('Whether to ignore errors or not.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
         name: z.string().optional().describe('Name of the channel.'),
         protected: z.boolean().optional().describe('Whether to protect the channel or not. Default is `false`.'),
     })),
     action: withAuth(async (options, args) => {
-        let { appId, expiresInDays, ignoreErrors, name, protected: _protected } = options;
+        let { appId, expiresInDays, ignoreErrors, json, name, protected: _protected } = options;
         if (expiresInDays) {
             consola.warn('The `--expires-in-days` option is deprecated and will be removed in a future version. Channel expiration is now managed by the data retention policy of your organization billing plan.');
         }
@@ -51,8 +52,13 @@ export default defineCommand({
                 protected: _protected,
                 name,
             });
-            consola.info(`Channel ID: ${response.id}`);
-            consola.success('Channel created successfully.');
+            if (json) {
+                console.log(JSON.stringify({ id: response.id }, null, 2));
+            }
+            else {
+                consola.info(`Channel ID: ${response.id}`);
+                consola.success('Channel created successfully.');
+            }
         }
         catch (error) {
             if (ignoreErrors) {

package/dist/commands/apps/channels/create.test.js

@@ -54,6 +54,26 @@ describe('apps-channels-create', () => {
         expect(mockConsola.success).toHaveBeenCalledWith('Channel created successfully.');
         expect(mockConsola.info).toHaveBeenCalledWith(`Channel ID: ${channelId}`);
     });
+    it('should output JSON when json flag is set', async () => {
+        const appId = 'app-123';
+        const channelName = 'production';
+        const channelId = 'channel-456';
+        const testToken = 'test-token';
+        const options = { appId, json: true, name: channelName };
+        const logSpy = vi.spyOn(console, 'log').mockImplementation(() => { });
+        const scope = nock(DEFAULT_API_BASE_URL)
+            .post(`/v1/apps/${appId}/channels`, {
+            appId,
+            name: channelName,
+            protected: undefined,
+        })
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(201, { id: channelId, name: channelName });
+        await createChannelCommand.action(options, undefined);
+        expect(scope.isDone()).toBe(true);
+        expect(logSpy).toHaveBeenCalledWith(JSON.stringify({ id: channelId }, null, 2));
+        expect(mockConsola.info).not.toHaveBeenCalled();
+    });
     it('should prompt for app when not provided', async () => {
         const channelName = 'staging';
         const orgId = 'org-1';

package/dist/commands/apps/deployments/create.js

@@ -36,9 +36,10 @@ export default defineCommand({
             .boolean()
             .optional()
             .describe('Request an AI-powered failure summary (Capawesome Cloud Assist) if the deployment fails.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
     })),
     action: withAuth(async (options) => {
-        let { appId, buildId, buildNumber, channel, destination } = options;
+        let { appId, buildId, buildNumber, channel, destination, json } = options;
         // Prompt for app ID if not provided
         if (!appId) {
             if (!isInteractive()) {
@@ -172,7 +173,9 @@ export default defineCommand({
                 }),
             });
             consola.success('Deployment completed successfully.');
-            process.exit(0);
+        }
+        if (json) {
+            console.log(JSON.stringify({ id: response.id }, null, 2));
         }
     }),
 });

package/dist/commands/apps/deployments/get.js

@@ -23,7 +23,7 @@ export default defineCommand({
         const deployment = await appDeploymentsService.findOne({
             appId,
             appDeploymentId: deploymentId,
-            relations: json ? 'job' : undefined,
+            relations: json ? 'appBuild,job' : undefined,
         });
         if (json) {
             console.log(JSON.stringify(deployment, null, 2));

package/dist/commands/apps/deployments/list.js

@@ -33,7 +33,7 @@ export default defineCommand({
             appDestinationId: destinationId,
             limit,
             offset,
-            relations: json ? 'job' : undefined,
+            relations: json ? 'appBuild,job' : undefined,
         });
         if (json) {
             console.log(JSON.stringify(foundDeployments, null, 2));

package/dist/commands/apps/destinations/create.js

@@ -15,6 +15,7 @@ export default defineCommand({
     description: 'Create a new app destination.',
     options: defineOptions(z.object({
         appId: z.string().optional().describe('ID of the app.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
         name: z.string().optional().describe('Name of the destination.'),
         platform: z.enum(['android', 'ios']).optional().describe('Platform of the destination (android, ios).'),
         appleId: z.string().optional().describe('Apple ID for the destination.'),
@@ -33,7 +34,7 @@ export default defineCommand({
         googlePlayTrack: z.string().optional().describe('Google Play track for the destination.'),
     })),
     action: withAuth(async (options, args) => {
-        let { appId, name, platform, appleId, appleAppId, appleTeamId, appleAppPassword, appleApiKeyFile, appleIssuerId, androidPackageName, androidBuildArtifactType, androidReleaseStatus, googleServiceAccountKeyFile, googlePlayTrack, } = options;
+        let { appId, json, name, platform, appleId, appleAppId, appleTeamId, appleAppPassword, appleApiKeyFile, appleIssuerId, androidPackageName, androidBuildArtifactType, androidReleaseStatus, googleServiceAccountKeyFile, googlePlayTrack, } = options;
         let appleApiKeyId;
         let appAppleApiKeyId;
         let appGoogleServiceAccountKeyId;
@@ -325,7 +326,12 @@ export default defineCommand({
             appGoogleServiceAccountKeyId,
             googlePlayTrack,
         });
-        consola.info(`Destination ID: ${response.id}`);
-        consola.success('Destination created successfully.');
+        if (json) {
+            console.log(JSON.stringify({ id: response.id }, null, 2));
+        }
+        else {
+            consola.info(`Destination ID: ${response.id}`);
+            consola.success('Destination created successfully.');
+        }
     }),
 });

package/dist/commands/apps/environments/create.js

@@ -9,10 +9,11 @@ export default defineCommand({
     description: 'Create a new environment.',
     options: defineOptions(z.object({
         appId: z.string().optional().describe('ID of the app.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
         name: z.string().optional().describe('Name of the environment.'),
     })),
     action: withAuth(async (options, args) => {
-        let { appId, name } = options;
+        let { appId, json, name } = options;
         if (!appId) {
             if (!isInteractive()) {
                 consola.error('You must provide an app ID when running in non-interactive environment.');
@@ -32,7 +33,12 @@ export default defineCommand({
             appId,
             name,
         });
-        consola.info(`Environment ID: ${response.id}`);
-        consola.success('Environment created successfully.');
+        if (json) {
+            console.log(JSON.stringify({ id: response.id }, null, 2));
+        }
+        else {
+            consola.info(`Environment ID: ${response.id}`);
+            consola.success('Environment created successfully.');
+        }
     }),
 });

package/dist/commands/apps/environments/get.js

@@ -39,12 +39,13 @@ export default defineCommand({
                 options: environments.map((env) => ({ label: env.name, value: env.id })),
             });
         }
+        const relations = 'appEnvironmentVariables,appEnvironmentSecrets';
         let environment;
         if (environmentId) {
-            environment = await appEnvironmentsService.findOneById({ appId, id: environmentId });
+            environment = await appEnvironmentsService.findOneById({ appId, id: environmentId, relations });
         }
         else if (name) {
-            const environments = await appEnvironmentsService.findAll({ appId, name });
+            const environments = await appEnvironmentsService.findAll({ appId, name, relations });
             environment = environments[0];
         }
         if (!environment) {
@@ -55,7 +56,14 @@ export default defineCommand({
             console.log(JSON.stringify(environment, null, 2));
         }
         else {
-            console.table(environment);
+            const { appEnvironmentVariables, appEnvironmentSecrets, ...rest } = environment;
+            console.table(rest);
+            if (appEnvironmentVariables?.length) {
+                console.table(appEnvironmentVariables.map(({ id, key, value }) => ({ id, key, value })));
+            }
+            if (appEnvironmentSecrets?.length) {
+                console.table(appEnvironmentSecrets.map(({ id, key }) => ({ id, key })));
+            }
             consola.success('Environment retrieved successfully.');
         }
     }),

package/dist/commands/apps/environments/list.js

@@ -25,6 +25,7 @@ export default defineCommand({
         }
         const environments = await appEnvironmentsService.findAll({
             appId,
+            relations: json ? 'appEnvironmentVariables,appEnvironmentSecrets' : undefined,
             limit,
             offset,
         });
@@ -33,6 +34,7 @@ export default defineCommand({
         }
         else {
             console.table(environments);
+            consola.info('Run with --json to include variable keys/values and secret keys.');
             consola.success('Environments retrieved successfully.');
         }
     }),

package/dist/commands/apps/liveupdates/create.js

@@ -273,7 +273,7 @@ export default defineCommand({
         }
         // Deploy to channels
         const rolloutPercentage = (options.rolloutPercentage ?? 100) / 100;
-        const deploymentIds = [];
+        const appDeploymentIds = [];
         for (const channelName of channel) {
             consola.start(`Creating deployment for channel "${channelName}"...`);
             const deployment = await appDeploymentsService.create({
@@ -282,7 +282,7 @@ export default defineCommand({
                 appChannelName: channelName,
                 rolloutPercentage,
             });
-            deploymentIds.push(deployment.id);
+            appDeploymentIds.push(deployment.id);
             consola.info(`Deployment ID: ${deployment.id}`);
             consola.info(`Deployment URL: ${DEFAULT_CONSOLE_BASE_URL}/apps/${appId}/deployments/${deployment.id}`);
             consola.success('Deployment created successfully.');
@@ -290,9 +290,12 @@ export default defineCommand({
         // Output JSON if json flag is set
         if (json) {
             console.log(JSON.stringify({
-                buildId: response.id,
-                buildNumberAsString: response.numberAsString,
-                deploymentIds,
+                appBuildId: response.id,
+                appBuildNumberAsString: response.numberAsString,
+                appDeploymentIds,
+                buildId: response.id, // Deprecated, use appBuildId instead
+                buildNumberAsString: response.numberAsString, // Deprecated, use appBuildNumberAsString instead
+                deploymentIds: appDeploymentIds, // Deprecated, use appDeploymentIds instead
             }, null, 2));
         }
     }),

package/dist/commands/apps/liveupdates/create.test.js

@@ -244,6 +244,9 @@ describe('apps-liveupdates-create', () => {
             .reply(201, { id: deploymentId });
         await createCommand.action(options, undefined);
         expect(console.log).toHaveBeenCalledWith(JSON.stringify({
+            appBuildId: buildId,
+            appBuildNumberAsString: '42',
+            appDeploymentIds: [deploymentId],
             buildId,
             buildNumberAsString: '42',
             deploymentIds: [deploymentId],

package/dist/commands/apps/liveupdates/register.js

@@ -81,6 +81,7 @@ export default defineCommand({
             .string()
             .optional()
             .describe('The exact iOS bundle version (`CFBundleVersion`) that the bundle does not support.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
         path: z.string().optional().describe('Path to zip file for code signing only.'),
         privateKey: z
             .string()
@@ -103,7 +104,7 @@ export default defineCommand({
         yes: z.boolean().optional().describe('Skip confirmation prompts.'),
     }), { y: 'yes' }),
     action: withAuth(async (options, args) => {
-        let { androidEq, androidMax, androidMin, appId, channel, commitMessage, commitRef, commitSha, customProperty, expiresInDays, gitRef, iosEq, iosMax, iosMin, path, privateKey, rolloutPercentage, url, } = options;
+        let { androidEq, androidMax, androidMin, appId, channel, commitMessage, commitRef, commitSha, customProperty, expiresInDays, gitRef, iosEq, iosMax, iosMin, json, path, privateKey, rolloutPercentage, url, } = options;
         if (expiresInDays) {
             consola.warn('The `--expires-in-days` option is deprecated and will be removed in a future version. Bundle expiration is now managed by the data retention policy of your organization billing plan.');
         }
@@ -243,5 +244,11 @@ export default defineCommand({
             consola.info(`Deployment URL: ${DEFAULT_CONSOLE_BASE_URL}/apps/${appId}/deployments/${response.appDeploymentId}`);
         }
         consola.success('Live Update successfully registered.');
+        if (json) {
+            console.log(JSON.stringify({
+                appBuildId: response.appBuildId,
+                appBuildArtifactId: response.id,
+            }, null, 2));
+        }
     }),
 });

package/dist/commands/apps/liveupdates/register.test.js

@@ -73,6 +73,34 @@ describe('apps-liveupdates-register', () => {
         expect(mockConsola.info).toHaveBeenCalledWith(`Bundle Artifact ID: ${bundleId}`);
         expect(mockConsola.success).toHaveBeenCalledWith('Live Update successfully registered.');
     });
+    it('should output JSON when json flag is set', async () => {
+        const appId = 'app-123';
+        const bundleUrl = 'https://example.com/bundle.zip';
+        const bundleId = 'bundle-456';
+        const appBuildId = 'build-789';
+        const testToken = 'test-token';
+        const options = {
+            appId,
+            url: bundleUrl,
+            rolloutPercentage: 1,
+            json: true,
+            yes: true,
+        };
+        const logSpy = vi.spyOn(console, 'log').mockImplementation(() => { });
+        nock(DEFAULT_API_BASE_URL)
+            .get(`/v1/apps/${appId}`)
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(200, { id: appId, name: 'Test App' });
+        nock(DEFAULT_API_BASE_URL)
+            .post(`/v1/apps/${appId}/bundles`)
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(201, { id: bundleId, appBuildId });
+        await registerCommand.action(options, undefined);
+        expect(logSpy).toHaveBeenCalledWith(JSON.stringify({
+            appBuildId,
+            appBuildArtifactId: bundleId,
+        }, null, 2));
+    });
     it('should pass gitRef to API when provided', async () => {
         const appId = 'app-123';
         const bundleUrl = 'https://example.com/bundle.zip';

package/dist/commands/apps/liveupdates/upload.js

@@ -92,6 +92,7 @@ export default defineCommand({
             .string()
             .optional()
             .describe('The exact iOS bundle version (`CFBundleVersion`) that the bundle does not support.'),
+        json: z.boolean().optional().describe('Output in JSON format.'),
         path: z
             .string()
             .optional()
@@ -116,7 +117,7 @@ export default defineCommand({
         yes: z.boolean().optional().describe('Skip confirmation prompt.'),
     }), { y: 'yes' }),
     action: withAuth(async (options, args) => {
-        let { androidEq, androidMax, androidMin, appId, artifactType, channel, commitMessage, commitRef, commitSha, customProperty, expiresInDays, gitRef, iosEq, iosMax, iosMin, path, privateKey, rolloutPercentage, } = options;
+        let { androidEq, androidMax, androidMin, appId, artifactType, channel, commitMessage, commitRef, commitSha, customProperty, expiresInDays, gitRef, iosEq, iosMax, iosMin, json, path, privateKey, rolloutPercentage, } = options;
         if (expiresInDays) {
             consola.warn('The `--expires-in-days` option is deprecated and will be removed in a future version. Bundle expiration is now managed by the data retention policy of your organization billing plan.');
         }
@@ -289,6 +290,12 @@ export default defineCommand({
             consola.info(`Deployment URL: ${DEFAULT_CONSOLE_BASE_URL}/apps/${appId}/deployments/${updateBundleResponse.appDeploymentId}`);
         }
         consola.success('Live Update successfully uploaded.');
+        if (json) {
+            console.log(JSON.stringify({
+                appBuildId: createBundleResponse.appBuildId,
+                appBuildArtifactId: createBundleResponse.id,
+            }, null, 2));
+        }
     }),
 });
 const uploadFile = async (options) => {

package/dist/commands/apps/liveupdates/upload.test.js

@@ -180,6 +180,53 @@ describe('apps-liveupdates-upload', () => {
         expect(mockConsola.info).toHaveBeenCalledWith(`Build Artifact ID: ${bundleId}`);
         expect(mockConsola.success).toHaveBeenCalledWith('Live Update successfully uploaded.');
     });
+    it('should output JSON when json flag is set', async () => {
+        const appId = 'app-123';
+        const bundlePath = './dist';
+        const bundleId = 'bundle-456';
+        const appBuildId = 'build-789';
+        const testToken = 'test-token';
+        const testBuffer = Buffer.from('test');
+        const options = {
+            appId,
+            path: bundlePath,
+            artifactType: 'zip',
+            rollout: 1,
+            json: true,
+        };
+        mockIsReadable.mockResolvedValue(true);
+        mockIsDirectory.mockResolvedValue(true);
+        mockGetFilesInDirectoryAndSubdirectories.mockResolvedValue([
+            { href: 'index.html', mimeType: 'text/html', name: 'index.html', path: 'index.html' },
+        ]);
+        const mockZip = await import('../../../utils/zip.js');
+        const mockHash = await import('../../../utils/hash.js');
+        vi.mocked(mockZip.default.isZipped).mockReturnValue(false);
+        vi.mocked(mockZip.default.zipFolder).mockResolvedValue(testBuffer);
+        vi.mocked(mockHash.createHash).mockResolvedValue('test-hash');
+        const logSpy = vi.spyOn(console, 'log').mockImplementation(() => { });
+        nock(DEFAULT_API_BASE_URL)
+            .get(`/v1/apps/${appId}`)
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(200, { id: appId, name: 'Test App' });
+        nock(DEFAULT_API_BASE_URL)
+            .post(`/v1/apps/${appId}/bundles`)
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(201, { id: bundleId, appBuildId });
+        nock(DEFAULT_API_BASE_URL)
+            .post(`/v1/apps/${appId}/bundles/${bundleId}/files`)
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(201, { id: 'file-123' });
+        nock(DEFAULT_API_BASE_URL)
+            .patch(`/v1/apps/${appId}/bundles/${bundleId}`)
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(200, { id: bundleId });
+        await uploadCommand.action(options, undefined);
+        expect(logSpy).toHaveBeenCalledWith(JSON.stringify({
+            appBuildId,
+            appBuildArtifactId: bundleId,
+        }, null, 2));
+    });
     it('should handle private key file path', async () => {
         const appId = 'app-123';
         const bundlePath = './dist';

package/dist/commands/login.js

@@ -4,6 +4,7 @@ import sessionsService from '../services/sessions.js';
 import usersService from '../services/users.js';
 import { isInteractive } from '../utils/environment.js';
 import { prompt } from '../utils/prompt.js';
+import credentialStore from '../utils/credential-store.js';
 import userConfig from '../utils/user-config.js';
 import { defineCommand, defineOptions } from '@robingenz/zli';
 import { AxiosError } from 'axios';
@@ -81,15 +82,19 @@ export default defineCommand({
         }
         // Sign in with the provided token
         consola.start('Signing in...');
-        userConfig.write({
-            token: sessionIdOrToken,
-        });
+        // Drop the previous user ID but keep other flags,
+        // so a crash during sign-in isn't attributed to the previous account
+        const { token: _previousToken, userId: _previousUserId, ...persistentConfig } = userConfig.read();
+        userConfig.write(persistentConfig);
+        credentialStore.setToken(sessionIdOrToken);
         try {
-            await usersService.me();
+            const user = await usersService.me();
+            userConfig.write({ ...persistentConfig, userId: user.id });
             consola.success(`Successfully signed in.`);
         }
         catch (error) {
-            userConfig.write({});
+            // Clear the credentials on failure while preserving the other flags
+            credentialStore.deleteToken();
             if (error instanceof AxiosError && error.response?.status === 401) {
                 consola.error(`Invalid token. Please provide a valid token. You can create a token at ${consoleBaseUrl}/settings/tokens.`);
                 process.exit(1);

package/dist/commands/login.test.js

@@ -2,6 +2,7 @@ import { DEFAULT_API_BASE_URL, DEFAULT_CONSOLE_BASE_URL } from '../config/consts
 import configService from '../services/config.js';
 import sessionCodesService from '../services/session-code.js';
 import sessionsService from '../services/sessions.js';
+import credentialStore from '../utils/credential-store.js';
 import { prompt } from '../utils/prompt.js';
 import userConfig from '../utils/user-config.js';
 import consola from 'consola';
@@ -11,6 +12,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import loginCommand from './login.js';
 // Mock dependencies
 vi.mock('@/utils/user-config.js');
+vi.mock('@/utils/credential-store.js');
 vi.mock('@/services/session-code.js');
 vi.mock('@/services/sessions.js');
 vi.mock('@/services/config.js');
@@ -20,11 +22,9 @@ vi.mock('@/utils/prompt.js');
 vi.mock('@/utils/environment.js', () => ({
     isInteractive: () => true,
 }));
-vi.mock('@/utils/environment.js', () => ({
-    isInteractive: () => true,
-}));
 describe('login', () => {
     const mockUserConfig = vi.mocked(userConfig);
+    const mockCredentialStore = vi.mocked(credentialStore);
     const mockSessionCodesService = vi.mocked(sessionCodesService);
     const mockSessionsService = vi.mocked(sessionsService);
     const mockConfigService = vi.mocked(configService);
@@ -35,6 +35,9 @@ describe('login', () => {
         vi.clearAllMocks();
         mockUserConfig.write.mockImplementation(() => { });
         mockUserConfig.read.mockReturnValue({});
+        mockCredentialStore.setToken.mockImplementation(() => { });
+        mockCredentialStore.deleteToken.mockImplementation(() => { });
+        mockCredentialStore.getToken.mockReturnValue(null);
         // Mock config service to return consistent URLs
         mockConfigService.getValueForKey.mockImplementation((key) => {
             if (key === 'CONSOLE_BASE_URL')
@@ -54,18 +57,38 @@ describe('login', () => {
     it('should use the provided token for authentication', async () => {
         const testToken = 'valid-token-123';
         const options = { token: testToken };
-        // Mock userConfig.read to return our test token after it's written
-        mockUserConfig.read.mockReturnValue({ token: testToken });
+        // Mock credentialStore.getToken to return our test token after it's written
+        mockCredentialStore.getToken.mockReturnValue(testToken);
         // Set up nock to intercept the /v1/users/me request
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')
             .matchHeader('Authorization', `Bearer ${testToken}`)
             .reply(200, { id: 'user-123', email: 'test@example.com' });
         await loginCommand.action(options, undefined);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({ token: testToken });
+        expect(mockCredentialStore.setToken).toHaveBeenCalledWith(testToken);
         expect(scope.isDone()).toBe(true);
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed in.');
     });
+    it('should preserve other config flags and replace the previous user ID', async () => {
+        const testToken = 'valid-token-123';
+        const options = { token: testToken };
+        mockCredentialStore.getToken.mockReturnValue(testToken);
+        mockUserConfig.read.mockReturnValue({
+            token: 'previous-token',
+            userId: 'previous-user',
+            telemetryNoticeShown: true,
+        });
+        const scope = nock(DEFAULT_API_BASE_URL)
+            .get('/v1/users/me')
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(200, { id: 'user-123', email: 'test@example.com' });
+        await loginCommand.action(options, undefined);
+        // The previous user ID is dropped before the new account is confirmed.
+        expect(mockUserConfig.write).toHaveBeenNthCalledWith(1, { telemetryNoticeShown: true });
+        // The new user ID is stored while other flags are preserved.
+        expect(mockUserConfig.write).toHaveBeenNthCalledWith(2, { telemetryNoticeShown: true, userId: 'user-123' });
+        expect(scope.isDone()).toBe(true);
+    });
     it('should open the browser', async () => {
         const options = {};
         mockPrompt
@@ -76,8 +99,8 @@ describe('login', () => {
             code: 'ABCD1234',
         });
         mockSessionsService.create.mockResolvedValue({ id: 'session-123' });
-        // Mock userConfig.read to return the session token
-        mockUserConfig.read.mockReturnValue({ token: 'session-123' });
+        // Mock credentialStore.getToken to return the session token
+        mockCredentialStore.getToken.mockReturnValue('session-123');
         // Set up nock to intercept the /v1/users/me request
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')
@@ -106,16 +129,16 @@ describe('login', () => {
     it('should throw an error because the provided token is invalid', async () => {
         const invalidToken = 'invalid-token';
         const options = { token: invalidToken };
-        // Mock userConfig.read to return our invalid token after it's written
-        mockUserConfig.read.mockReturnValue({ token: invalidToken });
+        // Mock credentialStore.getToken to return our invalid token after it's written
+        mockCredentialStore.getToken.mockReturnValue(invalidToken);
         // Set up nock to intercept the /v1/users/me request and return 401
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')
             .matchHeader('Authorization', `Bearer ${invalidToken}`)
             .reply(401, { message: 'Unauthorized' });
         await expect(loginCommand.action(options, undefined)).rejects.toThrow('Process exited with code 1');
-        expect(mockUserConfig.write).toHaveBeenCalledWith({ token: invalidToken });
-        expect(mockUserConfig.write).toHaveBeenCalledWith({}); // Clears token on error
+        expect(mockCredentialStore.setToken).toHaveBeenCalledWith(invalidToken);
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled(); // Clears token on error
         expect(scope.isDone()).toBe(true);
         expect(mockConsola.error).toHaveBeenCalledWith(`Invalid token. Please provide a valid token. You can create a token at ${DEFAULT_CONSOLE_BASE_URL}/settings/tokens.`);
     });

package/dist/commands/logout.js

@@ -2,6 +2,7 @@ import { defineCommand } from '@robingenz/zli';
 import consola from 'consola';
 import authorizationService from '../services/authorization-service.js';
 import sessionsService from '../services/sessions.js';
+import credentialStore from '../utils/credential-store.js';
 import userConfig from '../utils/user-config.js';
 export default defineCommand({
     description: 'Sign out from the Capawesome Cloud Console.',
@@ -10,7 +11,10 @@ export default defineCommand({
         if (token && !token.startsWith('ca_')) {
             await sessionsService.delete({ id: token }).catch(() => { });
         }
-        userConfig.write({});
+        credentialStore.deleteToken();
+        // Clear the user ID but keep other flags (e.g. the telemetry notice).
+        const { token: _token, userId: _userId, ...persistentConfig } = userConfig.read();
+        userConfig.write(persistentConfig);
         consola.success('Successfully signed out.');
     },
 });

package/dist/commands/logout.test.js

@@ -1,5 +1,6 @@
 import { DEFAULT_API_BASE_URL } from '../config/consts.js';
 import authorizationService from '../services/authorization-service.js';
+import credentialStore from '../utils/credential-store.js';
 import userConfig from '../utils/user-config.js';
 import consola from 'consola';
 import nock from 'nock';
@@ -7,41 +8,51 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import logoutCommand from './logout.js';
 // Mock dependencies
 vi.mock('@/services/authorization-service.js');
+vi.mock('@/utils/credential-store.js');
 vi.mock('@/utils/user-config.js');
 vi.mock('consola');
 describe('logout', () => {
     const mockAuthorizationService = vi.mocked(authorizationService);
+    const mockCredentialStore = vi.mocked(credentialStore);
     const mockUserConfig = vi.mocked(userConfig);
     const mockConsola = vi.mocked(consola);
     beforeEach(() => {
         vi.clearAllMocks();
+        mockCredentialStore.deleteToken.mockImplementation(() => { });
         mockUserConfig.write.mockImplementation(() => { });
+        mockUserConfig.read.mockReturnValue({});
     });
     afterEach(() => {
         nock.cleanAll();
         vi.restoreAllMocks();
     });
-    it('should delete session and clear user config with session token', async () => {
+    it('should delete session and clear credentials with session token', async () => {
         const sessionToken = 'session-123';
         mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(sessionToken);
         // Set up nock to intercept the DELETE request
         const scope = nock(DEFAULT_API_BASE_URL).delete('/v1/sessions/session-123').reply(200);
         await logoutCommand.action({}, undefined);
         expect(scope.isDone()).toBe(true);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({});
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled();
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed out.');
     });
-    it('should only clear user config with API token', async () => {
+    it('should only clear credentials with API token', async () => {
         const apiToken = 'ca_abc123';
         mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(apiToken);
         await logoutCommand.action({}, undefined);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({});
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled();
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed out.');
     });
+    it('should clear the user ID but preserve other flags', async () => {
+        mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue('ca_abc123');
+        mockUserConfig.read.mockReturnValue({ token: 'ca_abc123', userId: 'user-1', telemetryNoticeShown: true });
+        await logoutCommand.action({}, undefined);
+        expect(mockUserConfig.write).toHaveBeenCalledWith({ telemetryNoticeShown: true });
+    });
     it('should handle no token gracefully', async () => {
         mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(null);
         await logoutCommand.action({}, undefined);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({});
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled();
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed out.');
     });
 });

package/dist/commands/organizations/create.js

@@ -8,10 +8,11 @@ import { z } from 'zod';
 export default defineCommand({
     description: 'Create a new organization.',
     options: defineOptions(z.object({
+        json: z.boolean().optional().describe('Output in JSON format.'),
         name: z.string().optional().describe('Name of the organization.'),
     })),
     action: withAuth(async (options, args) => {
-        let { name } = options;
+        let { json, name } = options;
         if (!name) {
             if (!isInteractive()) {
                 consola.error('You must provide the organization name when running in non-interactive environment.');
@@ -20,7 +21,12 @@ export default defineCommand({
             name = await prompt('Enter the name of the organization:', { type: 'text' });
         }
         const response = await organizationsService.create({ name });
-        consola.info(`Organization ID: ${response.id}`);
-        consola.success('Organization created successfully.');
+        if (json) {
+            console.log(JSON.stringify({ id: response.id }, null, 2));
+        }
+        else {
+            consola.info(`Organization ID: ${response.id}`);
+            consola.success('Organization created successfully.');
+        }
     }),
 });

package/dist/commands/organizations/create.test.js

@@ -46,6 +46,21 @@ describe('organizations-create', () => {
         expect(mockConsola.success).toHaveBeenCalledWith('Organization created successfully.');
         expect(mockConsola.info).toHaveBeenCalledWith(`Organization ID: ${organizationId}`);
     });
+    it('should output JSON when json flag is set', async () => {
+        const organizationName = 'Test Organization';
+        const organizationId = 'org-456';
+        const testToken = 'test-token';
+        const options = { json: true, name: organizationName };
+        const logSpy = vi.spyOn(console, 'log').mockImplementation(() => { });
+        const scope = nock(DEFAULT_API_BASE_URL)
+            .post('/v1/organizations', { name: organizationName })
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(201, { id: organizationId, name: organizationName });
+        await createOrganizationCommand.action(options, undefined);
+        expect(scope.isDone()).toBe(true);
+        expect(logSpy).toHaveBeenCalledWith(JSON.stringify({ id: organizationId }, null, 2));
+        expect(mockConsola.info).not.toHaveBeenCalled();
+    });
     it('should prompt for organization name when not provided', async () => {
         const promptedOrganizationName = 'Prompted Organization';
         const organizationId = 'org-456';

package/dist/commands/whoami.js

@@ -1,12 +1,12 @@
+import authorizationService from '../services/authorization-service.js';
 import usersService from '../services/users.js';
-import userConfig from '../utils/user-config.js';
 import { defineCommand } from '@robingenz/zli';
 import { AxiosError } from 'axios';
 import consola from 'consola';
 export default defineCommand({
     description: 'Show current user',
     action: async (options, args) => {
-        const { token } = userConfig.read();
+        const token = authorizationService.getCurrentAuthorizationToken();
         if (token) {
             try {
                 const user = await usersService.me();

package/dist/commands/whoami.test.js

@@ -1,12 +1,12 @@
 import { DEFAULT_API_BASE_URL } from '../config/consts.js';
-import userConfig from '../utils/user-config.js';
+import authorizationService from '../services/authorization-service.js';
 import nock from 'nock';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import whoamiCommand from './whoami.js';
 // Mock only the dependencies we need to control
-vi.mock('@/utils/user-config.js');
+vi.mock('@/services/authorization-service.js');
 describe('whoami', () => {
-    const mockUserConfig = vi.mocked(userConfig);
+    const mockAuthorizationService = vi.mocked(authorizationService);
     beforeEach(() => {
         vi.clearAllMocks();
         vi.spyOn(process, 'exit').mockImplementation(() => undefined);
@@ -17,8 +17,8 @@ describe('whoami', () => {
     });
     it('should send Bearer token in Authorization header when checking current user', async () => {
         const testToken = 'user-token-456';
-        // Mock userConfig.read to return our test token
-        mockUserConfig.read.mockReturnValue({ token: testToken });
+        // Mock the authorization service to return our test token
+        mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(testToken);
         // Set up nock to intercept the /v1/users/me request
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')

package/dist/index.js

@@ -1,7 +1,9 @@
 #!/usr/bin/env node
 import configService from './services/config.js';
+import telemetryService from './services/telemetry.js';
 import updateService from './services/update.js';
 import { getMessageFromUnknownError, UserError } from './utils/error.js';
+import userConfig from './utils/user-config.js';
 import { defineConfig, processConfig, ZliError } from '@robingenz/zli';
 import * as Sentry from '@sentry/node';
 import { AxiosError } from 'axios';
@@ -103,6 +105,10 @@ const captureException = async (error) => {
     if (error instanceof ZodError) {
         return;
     }
+    // Respect telemetry opt-out
+    if (!telemetryService.isEnabled()) {
+        return;
+    }
     const environment = await configService.getValueForKey('ENVIRONMENT');
     if (environment !== 'production') {
         return;
@@ -111,6 +117,15 @@ const captureException = async (error) => {
         dsn: 'https://19f30f2ec4b91899abc33818568ceb42@o4507446340747264.ingest.de.sentry.io/4508506426966096',
         release: `capawesome-team-cli@${pkg.version}`,
     });
+    try {
+        const { userId } = userConfig.read();
+        if (userId) {
+            Sentry.setUser({ id: userId });
+        }
+    }
+    catch {
+        // Still report the crash even if the user ID can't be read.
+    }
     if (process.argv.slice(2).length > 0) {
         Sentry.setTag('cli_command', process.argv.slice(2)[0]);
     }
@@ -134,6 +149,8 @@ catch (error) {
         // Suggest opening an issue
         consola.log('If you think this is a bug, please open an issue at:');
         consola.log('  https://github.com/capawesome-team/cli/issues/new/choose');
+        // Show the telemetry notice
+        telemetryService.showNoticeIfNeeded();
         // Check for updates
         await updateService.checkForUpdate();
         // Exit with a non-zero code
@@ -141,6 +158,8 @@ catch (error) {
     }
 }
 finally {
+    // Show the telemetry notice
+    telemetryService.showNoticeIfNeeded();
     // Check for updates
     await updateService.checkForUpdate();
 }

package/dist/services/app-environments.js

@@ -37,6 +37,9 @@ class AppEnvironmentsServiceImpl {
         if (dto.name) {
             queryParams.append('name', dto.name);
         }
+        if (dto.relations) {
+            queryParams.append('relations', dto.relations);
+        }
         if (dto.limit) {
             queryParams.append('limit', dto.limit.toString());
         }
@@ -59,6 +62,7 @@ class AppEnvironmentsServiceImpl {
             headers: {
                 Authorization: `Bearer ${authorizationService.getCurrentAuthorizationToken()}`,
             },
+            params: dto.relations ? { relations: dto.relations } : undefined,
         });
         return response.data;
     }

package/dist/services/authorization-service.js

@@ -1,11 +1,11 @@
-import userConfig from '../utils/user-config.js';
+import credentialStore from '../utils/credential-store.js';
 class AuthorizationServiceImpl {
-    userConfig;
-    constructor(userConfig) {
-        this.userConfig = userConfig;
+    credentialStore;
+    constructor(credentialStore) {
+        this.credentialStore = credentialStore;
     }
     getCurrentAuthorizationToken() {
-        const token = this.userConfig.read().token || process.env.CAPAWESOME_CLOUD_TOKEN || process.env.CAPAWESOME_TOKEN || null;
+        const token = this.credentialStore.getToken() || process.env.CAPAWESOME_CLOUD_TOKEN || process.env.CAPAWESOME_TOKEN || null;
         // Trim to remove newline characters that may be included when pasting a token,
         // which would cause an invalid character error in the Authorization header.
         const trimmedToken = token?.trim();
@@ -15,5 +15,5 @@ class AuthorizationServiceImpl {
         return !!this.getCurrentAuthorizationToken();
     }
 }
-const authorizationService = new AuthorizationServiceImpl(userConfig);
+const authorizationService = new AuthorizationServiceImpl(credentialStore);
 export default authorizationService;

package/dist/services/telemetry.js

@@ -0,0 +1,31 @@
+import { isInteractive } from '../utils/environment.js';
+import userConfig from '../utils/user-config.js';
+import consola from 'consola';
+const TELEMETRY_DISABLED_VALUES = ['1', 'true'];
+class TelemetryServiceImpl {
+    isEnabled() {
+        const value = process.env.CAPAWESOME_TELEMETRY_DISABLED?.toLowerCase();
+        return !value || !TELEMETRY_DISABLED_VALUES.includes(value);
+    }
+    showNoticeIfNeeded() {
+        if (!this.isEnabled() || !isInteractive()) {
+            return;
+        }
+        try {
+            const config = userConfig.read();
+            if (config.telemetryNoticeShown) {
+                return;
+            }
+            console.log(''); // Add an empty line for better readability
+            consola.info('Capawesome CLI sends crash reports to help us fix bugs.\n' +
+                'To opt out: export CAPAWESOME_TELEMETRY_DISABLED=1\n' +
+                'Learn more: https://capawesome.io/docs/cloud/cli/telemetry/');
+            userConfig.write({ ...config, telemetryNoticeShown: true });
+        }
+        catch {
+            // Never let the telemetry notice break the CLI.
+        }
+    }
+}
+const telemetryService = new TelemetryServiceImpl();
+export default telemetryService;

package/dist/services/telemetry.test.js

@@ -0,0 +1,67 @@
+import consola from 'consola';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { isInteractive } from '../utils/environment.js';
+import userConfig from '../utils/user-config.js';
+import telemetryService from './telemetry.js';
+vi.mock('@/utils/environment.js');
+vi.mock('@/utils/user-config.js');
+vi.mock('consola');
+describe('telemetryService', () => {
+    const mockIsInteractive = vi.mocked(isInteractive);
+    const mockRead = vi.mocked(userConfig.read);
+    const mockWrite = vi.mocked(userConfig.write);
+    beforeEach(() => {
+        vi.clearAllMocks();
+        delete process.env.CAPAWESOME_TELEMETRY_DISABLED;
+        mockIsInteractive.mockReturnValue(true);
+        mockRead.mockReturnValue({});
+    });
+    afterEach(() => {
+        delete process.env.CAPAWESOME_TELEMETRY_DISABLED;
+    });
+    describe('isEnabled', () => {
+        it('should be enabled by default', () => {
+            expect(telemetryService.isEnabled()).toBe(true);
+        });
+        it.each(['1', 'true', 'TRUE'])('should be disabled when CAPAWESOME_TELEMETRY_DISABLED is "%s"', (value) => {
+            process.env.CAPAWESOME_TELEMETRY_DISABLED = value;
+            expect(telemetryService.isEnabled()).toBe(false);
+        });
+        it('should stay enabled for other values', () => {
+            process.env.CAPAWESOME_TELEMETRY_DISABLED = '0';
+            expect(telemetryService.isEnabled()).toBe(true);
+        });
+    });
+    describe('showNoticeIfNeeded', () => {
+        it('should show the notice once and persist the flag', () => {
+            mockRead.mockReturnValue({ token: 'abc' });
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).toHaveBeenCalledOnce();
+            expect(mockWrite).toHaveBeenCalledWith({ token: 'abc', telemetryNoticeShown: true });
+        });
+        it('should not show the notice when it was already shown', () => {
+            mockRead.mockReturnValue({ telemetryNoticeShown: true });
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).not.toHaveBeenCalled();
+            expect(mockWrite).not.toHaveBeenCalled();
+        });
+        it('should not show the notice when telemetry is disabled', () => {
+            process.env.CAPAWESOME_TELEMETRY_DISABLED = '1';
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).not.toHaveBeenCalled();
+            expect(mockWrite).not.toHaveBeenCalled();
+        });
+        it('should not show the notice in non-interactive environments', () => {
+            mockIsInteractive.mockReturnValue(false);
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).not.toHaveBeenCalled();
+            expect(mockWrite).not.toHaveBeenCalled();
+        });
+        it('should not throw when reading or writing the config fails', () => {
+            mockRead.mockImplementation(() => {
+                throw new Error('read failed');
+            });
+            expect(() => telemetryService.showNoticeIfNeeded()).not.toThrow();
+        });
+    });
+});

package/dist/utils/credential-store.js

@@ -0,0 +1,84 @@
+import userConfig from '../utils/user-config.js';
+import { Entry } from '@napi-rs/keyring';
+const SERVICE_NAME = 'capawesome-cli';
+const ACCOUNT_NAME = 'token';
+/**
+ * Stores the authentication token in the operating system's secure storage
+ * (macOS Keychain, Windows Credential Manager, Linux Secret Service) when
+ * available and falls back to the plaintext user config file otherwise
+ * (e.g. headless CI environments without a keyring backend).
+ */
+class CredentialStoreImpl {
+    keyringAvailable = null;
+    getToken() {
+        if (!this.isKeyringAvailable()) {
+            return userConfig.read().token ?? null;
+        }
+        const token = this.createEntry().getPassword();
+        if (token) {
+            return token;
+        }
+        return this.migrateFileToken();
+    }
+    setToken(token) {
+        if (!this.isKeyringAvailable()) {
+            this.writeFileToken(token);
+            return;
+        }
+        this.createEntry().setPassword(token);
+        this.clearFileToken();
+    }
+    deleteToken() {
+        if (this.isKeyringAvailable()) {
+            try {
+                this.createEntry().deletePassword();
+            }
+            catch {
+                // Ignore errors when there is no credential to delete.
+            }
+        }
+        this.clearFileToken();
+    }
+    createEntry() {
+        return new Entry(SERVICE_NAME, ACCOUNT_NAME);
+    }
+    isKeyringAvailable() {
+        if (this.keyringAvailable === null) {
+            try {
+                // Probe the backend with a read. This throws if no keyring backend is
+                // available, but returns null for a missing credential.
+                this.createEntry().getPassword();
+                this.keyringAvailable = true;
+            }
+            catch {
+                this.keyringAvailable = false;
+            }
+        }
+        return this.keyringAvailable;
+    }
+    /**
+     * Moves a token stored in the plaintext config file into the keyring and
+     * removes the plaintext copy. Returns the migrated token or null.
+     */
+    migrateFileToken() {
+        const fileToken = userConfig.read().token;
+        if (!fileToken) {
+            return null;
+        }
+        this.setToken(fileToken);
+        return fileToken;
+    }
+    writeFileToken(token) {
+        const config = userConfig.read();
+        userConfig.write({ ...config, token });
+    }
+    clearFileToken() {
+        const { token, ...rest } = userConfig.read();
+        if (token === undefined) {
+            return;
+        }
+        userConfig.write(rest);
+    }
+}
+const credentialStore = new CredentialStoreImpl();
+export default credentialStore;

package/dist/utils/credential-store.test.js

@@ -0,0 +1,84 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+const { mockGetPassword, mockSetPassword, mockDeletePassword, mockRead, mockWrite } = vi.hoisted(() => ({
+    mockGetPassword: vi.fn(),
+    mockSetPassword: vi.fn(),
+    mockDeletePassword: vi.fn(),
+    mockRead: vi.fn(),
+    mockWrite: vi.fn(),
+}));
+vi.mock('@napi-rs/keyring', () => ({
+    Entry: vi.fn(function () {
+        return {
+            getPassword: mockGetPassword,
+            setPassword: mockSetPassword,
+            deletePassword: mockDeletePassword,
+        };
+    }),
+}));
+vi.mock('@/utils/user-config.js', () => ({
+    default: { read: mockRead, write: mockWrite },
+}));
+const loadCredentialStore = async () => {
+    const module = await import('./credential-store.js');
+    return module.default;
+};
+describe('credentialStore', () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+        vi.resetModules();
+        mockRead.mockReturnValue({});
+    });
+    describe('when the keyring is available', () => {
+        beforeEach(() => {
+            mockGetPassword.mockReturnValue(null);
+        });
+        it('should return the token from the keyring', async () => {
+            mockGetPassword.mockReturnValue('keyring-token');
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBe('keyring-token');
+        });
+        it('should return null when no token is stored', async () => {
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBeNull();
+        });
+        it('should migrate a plaintext token from the config file into the keyring', async () => {
+            mockRead.mockReturnValue({ token: 'file-token', userId: 'user-1' });
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBe('file-token');
+            expect(mockSetPassword).toHaveBeenCalledWith('file-token');
+            expect(mockWrite).toHaveBeenCalledWith({ userId: 'user-1' });
+        });
+        it('should store the token in the keyring and strip the plaintext copy', async () => {
+            mockRead.mockReturnValue({ token: 'old-token', userId: 'user-1' });
+            const credentialStore = await loadCredentialStore();
+            credentialStore.setToken('new-token');
+            expect(mockSetPassword).toHaveBeenCalledWith('new-token');
+            expect(mockWrite).toHaveBeenCalledWith({ userId: 'user-1' });
+        });
+        it('should delete the token from the keyring', async () => {
+            const credentialStore = await loadCredentialStore();
+            credentialStore.deleteToken();
+            expect(mockDeletePassword).toHaveBeenCalled();
+        });
+    });
+    describe('when the keyring is unavailable', () => {
+        beforeEach(() => {
+            mockGetPassword.mockImplementation(() => {
+                throw new Error('no keyring backend');
+            });
+        });
+        it('should return the token from the config file', async () => {
+            mockRead.mockReturnValue({ token: 'file-token' });
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBe('file-token');
+            expect(mockSetPassword).not.toHaveBeenCalled();
+        });
+        it('should store the token in the config file while preserving other fields', async () => {
+            mockRead.mockReturnValue({ userId: 'user-1' });
+            const credentialStore = await loadCredentialStore();
+            credentialStore.setToken('file-token');
+            expect(mockWrite).toHaveBeenCalledWith({ userId: 'user-1', token: 'file-token' });
+            expect(mockSetPassword).not.toHaveBeenCalled();
+        });
+    });
+});

package/dist/utils/job-failure-summary.js

@@ -10,6 +10,7 @@ import consola from 'consola';
  */
 export const printJobFailureSummary = async (options) => {
     const { jobId } = options;
+    consola.info('Hang tight, this can take up to a minute.');
     consola.start('Generating failure summary with Capawesome Cloud Assist...');
     const { summary } = await jobsService.generateFailureSummary({ jobId });
     consola.success('Failure summary generated by Capawesome Cloud Assist:');

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "@capawesome/cli",
-  "version": "4.12.0",
+  "version": "4.14.0",
   "description": "The Capawesome Cloud Command Line Interface (CLI) to manage Live Updates and more.",
   "type": "module",
   "scripts": {
     "build": "rimraf ./dist && tsc && tsc-alias",
     "start": "npm run build && node ./dist/index.js",
     "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
     "test:watch": "vitest --watch",
     "test:ui": "vitest --ui",
     "lint": "npm run prettier -- --check",
@@ -53,14 +54,15 @@
   ],
   "dependencies": {
     "@clack/prompts": "0.7.0",
+    "@napi-rs/keyring": "1.3.0",
     "@robingenz/zli": "0.2.0",
-    "@sentry/node": "8.55.0",
+    "@sentry/node": "10.58.0",
     "adm-zip": "0.5.16",
     "axios": "1.16.0",
     "axios-retry": "4.5.0",
     "c12": "3.3.3",
     "consola": "3.3.0",
-    "form-data": "4.0.4",
+    "form-data": "4.0.6",
     "globby": "16.1.1",
     "http-proxy-agent": "7.0.2",
     "https-proxy-agent": "7.0.6",
@@ -78,6 +80,7 @@
     "@types/mime": "3.0.4",
     "@types/node": "24.2.1",
     "@types/semver": "7.5.8",
+    "@vitest/coverage-v8": "4.1.7",
     "@vitest/ui": "4.1.7",
     "commit-and-tag-version": "12.6.1",
     "nock": "14.0.10",