@cognite/cli 1.1.0 → 1.3.0

package/LICENSE.md

@@ -0,0 +1,6 @@
+Commercial Software Licence Agreement
+
+Copyright (c) Cognite AS 2026
+
+See Master Subscription and Professional Services Agreement for details:
+https://www.cognite.com/en/company/legal/master-subscription-services-agreement-2025

package/README.md

@@ -47,6 +47,18 @@ Browse available skills at [cognitedata/builder-skills](https://github.com/cogni
 - Node.js ≥ 20
 - React ≥ 18 (optional peer dependency — only needed for auth components)
 
+## Telemetry
+
+`@cognite/cli` collects anonymous usage data (commands run, success/failure, CLI and Node.js versions) to help improve the tool.
+
+To opt out:
+
+```bash
+export COGNITE_TELEMETRY_DISABLED=1
+```
+
+`DO_NOT_TRACK=1` is also honoured.
+
 ## Development
 
 ### Running tests

package/_templates/app/new/claude/mcp.json.ejs.t

@@ -0,0 +1,11 @@
+---
+to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>.mcp.json'
+---
+{
+  "mcpServers": {
+    "cognite-docs": {
+      "type": "http",
+      "url": "https://docs.cognite.com/mcp"
+    }
+  }
+}

package/_templates/app/new/config/vitest.config.ts.ejs.t

@@ -10,5 +10,10 @@ export default defineConfig({
     globals: true,
     environment: 'happy-dom',
     setupFiles: ['vitest.setup.ts'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html', 'lcov'],
+      exclude: ['node_modules/', 'dist/', 'vitest.setup.ts', '**/*.config.ts', '**/*.d.ts'],
+    },
   },
 });

package/_templates/app/new/cursor/mcp.json.ejs.t

@@ -0,0 +1,10 @@
+---
+to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>.cursor/mcp.json'
+---
+{
+  "mcpServers": {
+    "cognite-docs": {
+      "url": "https://docs.cognite.com/mcp"
+    }
+  }
+}

package/_templates/app/new/root/.npmrc.ejs.t

@@ -2,3 +2,4 @@
 to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>.npmrc'
 ---
 engine-strict=true
+min-release-age=2

package/_templates/app/new/root/AGENTS.md.ejs.t

@@ -22,7 +22,60 @@ This app uses [github/spec-kit](https://github.com/github/spec-kit) for spec-dri
 
 ---
 
-## 1. Dependency Injection
+## 1. UI Components
+
+Always check `@cognite/aura/components` before reaching for a raw HTML element or custom CSS/Tailwind solution. If Aura has a component that covers the need, use it. Only fall back to custom solutions when Aura genuinely doesn't cover the use case.
+
+---
+
+## 2. Host integration (`@cognite/app-sdk`)
+
+The Fusion host exposes a `HostAppAPI` (imported as `HostAppAPI` from `@cognite/app-sdk`) via `connectToHostApp(...)`. Reach for it whenever the situation calls for it — don't hand-roll an equivalent or read browser globals directly.
+
+### Decision rule for any new piece of state
+
+Before adding `useState`, `useReducer`, or a store entry, ask: **"would a user expect this to survive a page reload, or to be restored when someone opens a shared link?"** If yes, it belongs in `syncInternalState` + `initialState`, **not** in plain React state.
+
+- **Yes, host-synced:** current page / active view / route, selected tab, active filters, selected resource id, search query, sort order, expanded rows, focused row, side-panel open/closed — anything that drives what the user sees.
+- **No, local-only:** in-flight form input before submit, hover/focus, transient toasts, animation state, optimistic UI mid-flight.
+
+When in doubt, host-synced is the safer default — over-syncing is cheap, under-syncing breaks reload and share.
+
+### API surface
+
+- **Host-synced UI state** → on startup, seed your state from the `initialState` string returned by `connectToHostApp`. On every change, call `api.syncInternalState(JSON.stringify(state))`. The host serializes this into the URL so reloads and shared links restore the same state. **Do not** hold state from the "host-synced" category above in plain `useState` / `useRef` / a local store.
+- **Navigating elsewhere in Fusion** (another app, a Fusion route) → `api.navigateInternal({ path, queryParams, hash })`. Never set `window.location` directly.
+- **Navigating to an external URL** → `api.navigateExternal({ url, openInNewTab })`. Only `https:` is allowed.
+- **Needing a CDF base URL or access token** for API requests → `api.getBaseUrl()` / `api.getAccessToken()`. Never hardcode the cluster URL.
+- **Needing the current CDF project name** → `api.getProject()`. Don't read it from config or URL params.
+- **Exposing the app's capabilities to a Fusion agent** → register a custom agent server with `api.registerAgentServer(handle)` and clean up on unmount with `api.unregisterAgentServer(uri)`.
+
+Get `api` once at app startup and surface it to the rest of the app via React context so view models can depend on it through the patterns below.
+
+### Round-trip example: host-synced state
+
+```typescript
+import { connectToHostApp, type HostAppAPI } from '@cognite/app-sdk';
+
+type AppState = { page: 'a' | 'b'; filters: string[] };
+const DEFAULT_STATE: AppState = { page: 'a', filters: [] };
+
+// On startup — seed from initialState, not from a hardcoded default.
+const { api, initialState } = await connectToHostApp({ applicationName: '<%= name %>' });
+const seeded: AppState = initialState ? (JSON.parse(initialState) as AppState) : DEFAULT_STATE;
+
+// On every change — push the new state to the host so the URL stays in sync.
+async function updateState(next: AppState, api: HostAppAPI) {
+  setState(next); // your local React/store setter
+  await api.syncInternalState(JSON.stringify(next));
+}
+```
+
+`initialState` is the JSON string the host extracted from the URL on this load — the host owns the URL plumbing, the app just reads/writes the string.
+
+---
+
+## 3. Dependency Injection
 
 Inject dependencies via React context (hooks/components) or factory-override pattern (plain functions). Never hard-code dependencies.
 
@@ -51,7 +104,7 @@ export const doWork = async (props: Props, overrides?: Partial<Deps>) => {
 
 ---
 
-## 2. Interface-Based Services
+## 4. Interface-Based Services
 
 Define an interface; implement with a class. Never reference the concrete class outside its own file.
 
@@ -68,7 +121,7 @@ export class ApiDataService implements DataService {
 
 ---
 
-## 3. ViewModel Pattern
+## 5. ViewModel Pattern
 
 Business logic lives in `use<Name>ViewModel`. Components only render.
 
@@ -89,9 +142,26 @@ export const TodoView = () => {
 };
 ```
 
+### Where state lives
+
+A ViewModel hook must **not** hold state with `useState` / `useReducer` directly. State lives in a shared storage layer — a context-backed hook (like `useTodoStorage` above), a store, or a `*StateProvider` rendered once near the root of the view tree. The ViewModel composes that storage with commands and derivations; it is itself stateless.
+
+This matters because each call to a `useState`-backed hook creates an **independent** piece of React state. Two components calling the same ViewModel hook would each get their own copy and never sync.
+
+> ⚠️ Anti-pattern: `useState` inside `useFooViewModel`, then two sibling components each call `useFooViewModel()`. Clicks update one copy; the other renders stale data.
+
+### How many times to call a ViewModel hook
+
+- **Backed by shared context / store** → multiple components may call the hook; they all observe the same value. This is the default for non-trivial views.
+- **Not backed by shared state** → call the hook **once** at the top of the view tree and pass values down as props. Never call it twice and expect them to stay in sync.
+
+### Host-synced state inside a ViewModel
+
+When a ViewModel exposes state that falls under §2's "host-synced" category, the **ViewModel** — not the view component — is responsible for seeding from `initialState` and pushing changes via `syncInternalState`. The state itself still lives in the shared storage layer described above; the ViewModel just owns the read/write contract with the host.
+
 ---
 
-## 4. Test-First Development
+## 6. Test-First Development
 
 Write tests before implementation for all non-trivial behavior changes.
 
@@ -187,7 +257,7 @@ Place reusable factories in `src/__mocks__/`. Use `.test` TLD for fake URLs (RFC
 
 ---
 
-## 5. TypeScript Rules
+## 7. TypeScript Rules
 
 - Never use `any`; prefer `unknown` or explicit strong types
 - Never use `as unknown as T`; for partial test doubles use `{ ...defaults, ...overrides } as T`
@@ -201,7 +271,14 @@ function createMockWindow(overrides: Partial<Window> = {}): Window {
 
 ---
 
-## 6. Commits and pull requests
+## 7. CogniteClient / authentication
+
+Auth is handled by `CogniteSdkProvider` from `@cognite/app-sdk/react` (see `App.tsx`). Nested components get the client via `useCogniteSdk()`. To wire up or migrate auth, run the `/setup-flows-auth` skill.
+
+---
+
+
+## 8. Commits and pull requests
 
 Use [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/).
 

package/_templates/app/new/root/gitignore.ejs.t

@@ -6,6 +6,7 @@ node_modules
 
 # Build output
 dist
+coverage
 
 # Environment variables
 .env

package/_templates/app/new/root/package.json.ejs.t

@@ -18,6 +18,7 @@ to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>package.json'
     "test": "vitest run",
     "test:watch": "vitest",
     "test:ui": "vitest --ui",
+    "test:coverage": "vitest run --coverage",
     "lint": "eslint . --ext .js,.mjs,.cjs,.ts,.tsx",
     "lint:fix": "eslint . --fix --ext .js,.mjs,.cjs,.ts,.tsx",
     "deploy": "npx @cognite/cli@latest apps deploy --interactive",
@@ -26,7 +27,7 @@ to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>package.json'
   "dependencies": {
     "@cognite/aura": "^0.1.7",
     "@cognite/sdk": "^10.3.0",
-    "@cognite/app-sdk": "^0.4.0",
+    "@cognite/app-sdk": "^0.5.1",
     "@tabler/icons-react": "^3.35.0",
     "@tanstack/react-query": "^5.90.10",
     "clsx": "^2.1.1",
@@ -44,6 +45,7 @@ to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>package.json'
     "@types/react": "^18.3.1",
     "@types/react-dom": "^18.3.1",
     "@vitejs/plugin-react": "^5.1.1",
+    "@vitest/coverage-v8": "^2.1.8",
     "@vitest/ui": "^2.1.8",
     "autoprefixer": "^10.4.22",
     "eslint": "9.39.4",

package/_templates/app/new/src/App.test.tsx.ejs.t

@@ -1,13 +1,45 @@
 ---
 to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>src/App.test.tsx'
 ---
-import * as appSdk from '@cognite/app-sdk';
 import { render, screen, waitFor } from '@testing-library/react';
 import { beforeEach, describe, expect, it, vi } from 'vitest';
+import type { HostAppAPI, ConnectToHostAppResult } from '@cognite/app-sdk';
+import { CogniteClient } from '@cognite/sdk';
+import type { ComponentProps } from 'react';
 
 import App from './App';
 
-vi.mock(import('@cognite/app-sdk'));
+type AppDeps = NonNullable<ComponentProps<typeof App>['deps']>;
+
+function makeApi(): HostAppAPI {
+  return {
+    getProject: vi.fn<HostAppAPI['getProject']>(() => Promise.resolve('<%= project %>')),
+    getBaseUrl: vi.fn<HostAppAPI['getBaseUrl']>(() => Promise.resolve('https://cognite.test')),
+    getAccessToken: vi.fn<HostAppAPI['getAccessToken']>(() => Promise.resolve('test-token')),
+    getAppId: vi.fn<HostAppAPI['getAppId']>(() => Promise.resolve('test-app-id')),
+    syncInternalState: vi.fn<HostAppAPI['syncInternalState']>(() => Promise.resolve(true)),
+    navigateInternal: vi.fn<HostAppAPI['navigateInternal']>(() => Promise.resolve(true)),
+    navigateExternal: vi.fn<HostAppAPI['navigateExternal']>(() => Promise.resolve(true)),
+    registerAgentServer: vi.fn<HostAppAPI['registerAgentServer']>(() => Promise.resolve()),
+    unregisterAgentServer: vi.fn<HostAppAPI['unregisterAgentServer']>(() => Promise.resolve()),
+    sendAgentLayoutMode: vi.fn<HostAppAPI['sendAgentLayoutMode']>(() => Promise.resolve()),
+    sendAgentMessage: vi.fn<HostAppAPI['sendAgentMessage']>(() => Promise.resolve()),
+  };
+}
+
+function makeLoadingDeps(): AppDeps {
+  return {
+    connectToHostApp: vi.fn<AppDeps['connectToHostApp']>(() => new Promise<ConnectToHostAppResult>(() => undefined)),
+    createClient: vi.fn<AppDeps['createClient']>((config) => new CogniteClient(config)),
+  };
+}
+
+function makeConnectedDeps(): AppDeps {
+  return {
+    connectToHostApp: vi.fn<AppDeps['connectToHostApp']>(() => Promise.resolve({ api: makeApi() })),
+    createClient: vi.fn<AppDeps['createClient']>((config) => new CogniteClient(config)),
+  };
+}
 
 describe('App', () => {
   beforeEach(() => {
@@ -15,19 +47,13 @@ describe('App', () => {
   });
 
   it('renders loading state', () => {
-    vi.mocked(appSdk.connectToHostApp).mockReturnValue(new Promise(() => {}));
-
-    render(<App />);
+    render(<App deps={makeLoadingDeps()} />);
     expect(screen.getByText('Loading project...')).toBeInTheDocument();
   });
 
   it('renders splash with deployment targets and checklist copy', async () => {
-    vi.mocked(appSdk.connectToHostApp).mockResolvedValue({
-      api: { getProject: vi.fn().mockResolvedValue('my-test-project') } as Partial<appSdk.HostAppAPI> as appSdk.HostAppAPI,
-    });
-
-    render(<App />);
-    await waitFor(() => expect(screen.getByText('Welcome to Flows')).toBeInTheDocument());
+    render(<App deps={makeConnectedDeps()} />);
+    await waitFor(() => expect(screen.getByText('Welcome to Flows custom apps')).toBeInTheDocument());
     expect(screen.getByText('App deployment checklist')).toBeInTheDocument();
     expect(screen.getByText('Plan')).toBeInTheDocument();
     expect(screen.getByText('Explore')).toBeInTheDocument();

package/_templates/app/new/src/App.tsx.ejs.t

@@ -1,7 +1,8 @@
 ---
 to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>src/App.tsx'
 ---
-import { connectToHostApp } from '@cognite/app-sdk';
+import type { ComponentProps } from 'react';
+import { CogniteSdkProvider, useCogniteSdk } from '@cognite/app-sdk/react';
 import {
   Alert,
   AlertDescription,
@@ -18,7 +19,6 @@ import {
   Separator,
 } from '@cognite/aura/components';
 import { IconCaretUpDown, IconRocket } from '@tabler/icons-react';
-import { useEffect, useState } from 'react';
 
 import appConfig from '../app.json';
 
@@ -62,71 +62,41 @@ const CHECKLIST_STEPS = [
   },
 ] as const;
 
-function App() {
-  // Connect to the Fusion host via @cognite/app-sdk. The handshake is
-  // asynchronous — `project` is only populated after Comlink finishes
-  // exposing the host API, so we render a loader until then.
-  const [project, setProject] = useState<string | null>(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState<string | undefined>();
-
-  useEffect(() => {
-    let cancelled = false;
-    connectToHostApp({ applicationName: '<%= name %>' })
-      .then(async ({ api }) => {
-        if (cancelled) return;
-        const proj = await api.getProject();
-        if (cancelled) return;
-        setProject(proj);
-      })
-      .catch((err: unknown) => {
-        if (cancelled) return;
-        setError(err instanceof Error ? err.message : String(err));
-      })
-      .finally(() => {
-        if (!cancelled) setIsLoading(false);
-      });
-    return () => {
-      cancelled = true;
-    };
-  }, []);
-
-  if (isLoading) {
-    return (
-      <main className="min-h-screen bg-muted/50 text-foreground">
-        <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
-          <div className="mx-auto w-full max-w-sm">
-            <Card aria-label="Loading project" aria-live="polite">
-              <CardContent>
-                <div className="inline-flex items-center gap-3 text-muted-foreground">
-                  <Loader size={20} />
-                  <span>Loading project...</span>
-                </div>
-              </CardContent>
-            </Card>
-          </div>
-        </section>
-      </main>
-    );
-  }
-
-  if (error) {
-    return (
-      <main className="min-h-screen bg-muted/50 text-foreground">
-        <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
-          <div className="mx-auto w-full max-w-sm">
-            <Alert>
-              <AlertDescription>Failed to connect to Fusion host: {error}</AlertDescription>
-            </Alert>
-          </div>
-        </section>
-      </main>
-    );
-  }
+const loadingFallback = (
+  <main className="min-h-screen bg-muted/50 text-foreground">
+    <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
+      <div className="mx-auto w-full max-w-sm">
+        <Card aria-label="Loading project" aria-live="polite">
+          <CardContent>
+            <div className="inline-flex items-center gap-3 text-muted-foreground">
+              <Loader size={20} />
+              <span>Loading project...</span>
+            </div>
+          </CardContent>
+        </Card>
+      </div>
+    </section>
+  </main>
+);
+
+const errorFallback = (
+  <main className="min-h-screen bg-muted/50 text-foreground">
+    <section className="mx-auto flex min-h-screen w-full max-w-lg flex-col justify-center p-4 sm:p-8">
+      <div className="mx-auto w-full max-w-sm">
+        <Alert>
+          <AlertDescription>Failed to connect to Fusion host</AlertDescription>
+        </Alert>
+      </div>
+    </section>
+  </main>
+);
+
+function AppContent() {
+  const client = useCogniteSdk();
 
   const deployment = appConfig.deployments?.[0];
   const orgLabel = deployment?.org ?? '';
-  const projectLabel = deployment?.project ?? project ?? '';
+  const projectLabel = deployment?.project ?? client.project ?? '';
 
   return (
     <main className="min-h-screen bg-muted/50 text-foreground">
@@ -230,4 +200,16 @@ function App() {
   );
 }
 
+type AppProps = {
+  deps?: ComponentProps<typeof CogniteSdkProvider>['deps'];
+};
+
+function App({ deps }: AppProps) {
+  return (
+    <CogniteSdkProvider loadingFallback={loadingFallback} errorFallback={errorFallback} deps={deps}>
+      <AppContent />
+    </CogniteSdkProvider>
+  );
+}
+
 export default App;

package/_templates/app/new/vscode/mcp.json.ejs.t

@@ -0,0 +1,11 @@
+---
+to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>.vscode/mcp.json'
+---
+{
+  "servers": {
+    "cognite-docs": {
+      "type": "http",
+      "url": "https://docs.cognite.com/mcp"
+    }
+  }
+}

package/dist/{chunk-VJMFH4MH.js → chunk-QOJVLP7E.js}

@@ -1,9 +1,9 @@
-var W=Object.defineProperty;var s=(e,t)=>W(e,"name",{value:t,configurable:!0});import Y from"fs";import gt from"path";var N="https://docs.cognite.com/cdf/access/";function m(e){return e!==null&&typeof e=="object"}s(m,"isRecord");function S(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}s(S,"isHttpError");function Z(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
-  See: ${N}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
-  See: ${N}`;default:return}}s(Z,"httpStatusHint");function w(e){let t=e instanceof Error?e:new Error(String(e));if(!S(t))return null;let n=Z(t.status);return n?Object.assign(new Error(`${t.message}
-  ${n}`),{cause:t}):null}s(w,"enrichedHttpError");function X(e){if(!m(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(m(n)){let r=n.error;if(m(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}s(X,"findMissingArray");function Q(e,t){if(!S(e)||e.status!==400)return!1;let n=X(e);return n?n.some(r=>m(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}s(Q,"isMissingExternalIdError");function v(e,t){return S(e)&&e.status===404||Q(e,t)}s(v,"isNotFoundError");var M=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],J=["ACTIVE","PREVIEW"],I=class I extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};s(I,"AppVersionNotFoundError");var C=I;function q(e,t){return e.includes(t)}s(q,"includesValue");function tt(e){return q(M,e)}s(tt,"isAppVersionLifecycleState");function et(e){return q(J,e)}s(et,"isAppVersionAlias");function nt(e){return typeof e.version=="string"&&tt(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||et(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}s(nt,"isAppVersion");function H(e){if(!m(e))throw new Error("Invalid version response: not an object");if(!nt(e))throw new Error("Invalid version response: missing or malformed fields");return e}s(H,"parseAppVersion");var T=class T{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(o){throw w(o)??o}}async uploadVersion(t,n,r,o,i="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),o),a.append("version",n),a.append("entryPath",i);let l=encodeURIComponent(t),c=`${this.appsBasePath}/${l}/versions`,p=await this.client.authenticate(),g=`${this.client.getBaseUrl()}${c}`,u=new AbortController,G=setTimeout(()=>u.abort(),300*1e3),y;try{y=await fetch(g,{method:"POST",headers:{Authorization:`Bearer ${p}`},body:a,signal:u.signal})}catch(f){throw f instanceof Error&&f.name==="AbortError"?new Error("Upload timed out after 5 minutes"):f}finally{clearTimeout(G)}if(!y.ok){let f=await y.text(),k=f;try{let $=JSON.parse(f);if(m($)){let A=$.error;if(typeof A=="string")k=A;else if(m(A)){let E=A.message,F=A.code;k=typeof E=="string"?E:F!=null?`Unknown error (code: ${F})`:f}else{let E=$.message;k=typeof E=="string"?E:f}}}catch{}let j=y.headers.get("x-request-id"),K=j?` | X-Request-ID: ${j}`:"",B=Object.assign(new Error(`Upload failed: ${y.status} \u2014 ${k}${K}`),{status:y.status});throw w(B)??B}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),o=encodeURIComponent(n),i=`${this.appsBasePath}/${r}/versions/${o}`;try{let a=await this.client.get(i);return H(a.data)}catch(a){throw v(a,[t,n])?new C(t,n):w(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let o=await this.client.get(r);return H(o.data)}catch(o){if(v(o,[t]))return null;throw w(o)??o}}async updateVersions(t,n){let r=encodeURIComponent(t),o=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(o,{data:{items:n}})}catch(i){throw w(i)??i}}};s(T,"AppHostingApi");var x=T;var b=class b{constructor(t){this.api=new x(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,o,i){return this.api.uploadVersion(t,n,r,o,i)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(o){if(S(o)&&o.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw o}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let o=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:o}}async deploy(t,n,r,o,i,a,l=!1){console.log(`
+var W=Object.defineProperty;var s=(e,t)=>W(e,"name",{value:t,configurable:!0});import Y from"fs";import gt from"path";var F="https://docs.cognite.com/cdf/access/";function m(e){return e!==null&&typeof e=="object"}s(m,"isRecord");function P(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}s(P,"isHttpError");function Z(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
+  See: ${F}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
+  See: ${F}`;default:return}}s(Z,"httpStatusHint");function A(e){let t=e instanceof Error?e:new Error(String(e));if(!P(t))return null;let n=Z(t.status);return n?Object.assign(new Error(`${t.message}
+  ${n}`),{cause:t}):null}s(A,"enrichedHttpError");function X(e){if(!m(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(m(n)){let r=n.error;if(m(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}s(X,"findMissingArray");function Q(e,t){if(!P(e)||e.status!==400)return!1;let n=X(e);return n?n.some(r=>m(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}s(Q,"isMissingExternalIdError");function $(e,t){return P(e)&&e.status===404||Q(e,t)}s($,"isNotFoundError");var M=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],J=["ACTIVE","PREVIEW"],I=class I extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};s(I,"AppVersionNotFoundError");var k=I;function q(e,t){return e.includes(t)}s(q,"includesValue");function tt(e){return q(M,e)}s(tt,"isAppVersionLifecycleState");function et(e){return q(J,e)}s(et,"isAppVersionAlias");function nt(e){return typeof e.version=="string"&&tt(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||et(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}s(nt,"isAppVersion");function H(e){if(!m(e))throw new Error("Invalid version response: not an object");if(!nt(e))throw new Error("Invalid version response: missing or malformed fields");return e}s(H,"parseAppVersion");var T=class T{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(o){throw A(o)??o}}async uploadVersion(t,n,r,o,i="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),o),a.append("version",n),a.append("entryPath",i);let l=encodeURIComponent(t),c=`${this.appsBasePath}/${l}/versions`,p=await this.client.authenticate(),g=`${this.client.getBaseUrl()}${c}`,u=new AbortController,G=setTimeout(()=>u.abort(),300*1e3),h;try{h=await fetch(g,{method:"POST",headers:{Authorization:`Bearer ${p}`},body:a,signal:u.signal})}catch(f){throw f instanceof Error&&f.name==="AbortError"?new Error("Upload timed out after 5 minutes"):f}finally{clearTimeout(G)}if(!h.ok){let f=await h.text(),V=f;try{let x=JSON.parse(f);if(m(x)){let w=x.error;if(typeof w=="string")V=w;else if(m(w)){let E=w.message,B=w.code;V=typeof E=="string"?E:B!=null?`Unknown error (code: ${B})`:f}else{let E=x.message;V=typeof E=="string"?E:f}}}catch{}let j=h.headers.get("x-request-id"),K=j?` | X-Request-ID: ${j}`:"",N=Object.assign(new Error(`Upload failed: ${h.status} \u2014 ${V}${K}`),{status:h.status});throw A(N)??N}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),o=encodeURIComponent(n),i=`${this.appsBasePath}/${r}/versions/${o}`;try{let a=await this.client.get(i);return H(a.data)}catch(a){throw $(a,[t,n])?new k(t,n):A(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let o=await this.client.get(r);return H(o.data)}catch(o){if($(o,[t]))return null;throw A(o)??o}}async updateVersions(t,n){let r=encodeURIComponent(t),o=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(o,{data:{items:n}})}catch(i){throw A(i)??i}}};s(T,"AppHostingApi");var v=T;var b=class b{constructor(t){this.api=new v(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,o,i){return this.api.uploadVersion(t,n,r,o,i)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(o){if(P(o)&&o.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw o}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let o=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:o}}async deploy(t,n,r,o,i,a,l=!1){console.log(`
 \u{1F680} Deploying application via App Hosting API...
 `);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,o,i,a),l&&await this.publishAndActivate(t,o),console.log(`
-\u2705 Deployment successful!`)}catch(c){let p=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${p}`),{cause:c})}}};s(b,"AppHostingClient");var P=b;import h from"fs";import d from"path";import{parseAndValidateManifestConfig as rt}from"@cognite/app-sdk/vite";import{BlobReader as ot,Uint8ArrayWriter as st,ZipWriter as it}from"@zip.js/zip.js";var R="package.json",D="package-lock.json",z="manifest.json",_=".cognite",L=class L{constructor(t="dist"){this.distPath=d.isAbsolute(t)?t:d.join(process.cwd(),t),this.appRoot=d.dirname(this.distPath)}validateBuildDirectory(){if(!h.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=d.join(this.appRoot,R);if(!h.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=d.join(this.appRoot,D);if(!h.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new it(new st,{level:9}),o=s(async(c,p)=>{await r.add(p,new ot(await h.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${p}`)},"addFile"),i=s(async c=>{let p=await h.promises.readdir(c,{withFileTypes:!0});for(let g of p){let u=d.join(c,g.name);g.isDirectory()?await i(u):await o(u,d.relative(this.distPath,u).replace(/\\/g,"/"))}},"addDir"),a;try{await i(this.distPath);let c=d.join(this.appRoot,R);await o(c,d.posix.join(_,R));let p=d.join(this.appRoot,z);if(h.existsSync(p)){let u=h.readFileSync(p,"utf-8");rt(u,p),await o(p,d.posix.join(_,z))}let g=d.join(this.appRoot,D);await o(g,d.posix.join(_,D)),a=await r.close()}catch(c){let p=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${p}`)}await h.promises.writeFile(t,a);let l=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${l} MB)`),t}};s(L,"ApplicationPackager");var V=L;import{CogniteClient as ut}from"@cognite/sdk";var at=s(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,o]of Object.entries(t))if(typeof o=="string"){let i=r.toLowerCase().replace(/_/g,"-");n[i]=o}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),ct=s(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=at()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),pt=s(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),lt=s(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let i=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
+\u2705 Deployment successful!`)}catch(c){let p=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${p}`),{cause:c})}}};s(b,"AppHostingClient");var S=b;import y from"fs";import d from"path";import{parseAndValidateManifestConfig as rt}from"@cognite/app-sdk/vite";import{BlobReader as ot,Uint8ArrayWriter as st,ZipWriter as it}from"@zip.js/zip.js";var R="package.json",D="package-lock.json",z="manifest.json",_=".cognite",L=class L{constructor(t="dist"){this.distPath=d.isAbsolute(t)?t:d.join(process.cwd(),t),this.appRoot=d.dirname(this.distPath)}validateBuildDirectory(){if(!y.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=d.join(this.appRoot,R);if(!y.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=d.join(this.appRoot,D);if(!y.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new it(new st,{level:9}),o=s(async(c,p)=>{await r.add(p,new ot(await y.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${p}`)},"addFile"),i=s(async c=>{let p=await y.promises.readdir(c,{withFileTypes:!0});for(let g of p){let u=d.join(c,g.name);g.isDirectory()?await i(u):await o(u,d.relative(this.distPath,u).replace(/\\/g,"/"))}},"addDir"),a;try{await i(this.distPath);let c=d.join(this.appRoot,R);await o(c,d.posix.join(_,R));let p=d.join(this.appRoot,z);if(y.existsSync(p)){let u=y.readFileSync(p,"utf-8");rt(u,p),await o(p,d.posix.join(_,z))}let g=d.join(this.appRoot,D);await o(g,d.posix.join(_,D)),a=await r.close()}catch(c){let p=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${p}`)}await y.promises.writeFile(t,a);let l=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${l} MB)`),t}};s(L,"ApplicationPackager");var C=L;import{CogniteClient as ut}from"@cognite/sdk";var at=s(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,o]of Object.entries(t))if(typeof o=="string"){let i=r.toLowerCase().replace(/_/g,"-");n[i]=o}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),ct=s(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=at()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),pt=s(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),lt=s(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let i=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
 ${i}`)}let o=await r.json();if(!o.access_token)throw new Error("No access token returned from CDF authentication");return o.access_token},"getTokenCdf"),dt=s(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let o=pt(r);if(!o)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let i=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,a=`https://${o}.cognitedata.com/.default`,l=await fetch(i,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!l.ok){let p=await l.text();throw new Error(`Failed to get token from Entra ID: ${l.status} ${l.statusText}
-${p}`)}let c=await l.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),U=s(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:o="cdf",tenantId:i,baseUrl:a}=e,l=ct(r);if(o==="entra_id"){if(!i)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return dt(n,l,i,a)}return lt(n,l)},"getToken");var O=s(async(e,t,n=process.env)=>{let r=await U(e,n),o=n.COGNITE_BASE_URL??e.baseUrl,i=new ut({appId:t,project:e.project,baseUrl:o,oidcTokenProvider:s(async()=>r,"oidcTokenProvider")});return await i.authenticate(),i},"getSdk");var ft=s(async(e,t,n)=>{let r=await new V(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:o,name:i,description:a,versionTag:l}=t,c=await O(e,n),p=new P(c),g=Y.readFileSync(r),u=gt.basename(r);await p.deploy(o,i,a,l,g,u,e.published)}finally{try{Y.unlinkSync(r)}catch{}}},"deploy");export{P as a,V as b,U as c,O as d,ft as e};
+${p}`)}let c=await l.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),O=s(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:o="cdf",tenantId:i,baseUrl:a}=e,l=ct(r);if(o==="entra_id"){if(!i)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return dt(n,l,i,a)}return lt(n,l)},"getToken");async function U(e,t,n=process.env,r){let o=await O(e,n),i=n.COGNITE_BASE_URL??e.baseUrl,a=(r??(l=>new ut(l)))({appId:t,project:e.project,baseUrl:i,oidcTokenProvider:s(async()=>o,"oidcTokenProvider")});return await a.authenticate(),a}s(U,"getSdk");var ft=s(async(e,t,n)=>{let r=await new C(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:o,name:i,description:a,versionTag:l}=t,c=await U(e,n),p=new S(c),g=Y.readFileSync(r),u=gt.basename(r);await p.deploy(o,i,a,l,g,u,e.published)}finally{try{Y.unlinkSync(r)}catch{}}},"deploy");export{S as a,C as b,O as c,U as d,ft as e};

package/dist/cli/cli.js

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
-import{a as o,e as He}from"../chunk-A5ASLC6T.js";import{writeSync as Ki}from"fs";import{Command as ji}from"commander";var Be="https://docs.cognite.com/cdf/access/";function k(e){return e!==null&&typeof e=="object"}o(k,"isRecord");function G(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}o(G,"isHttpError");function $n(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
-  See: ${Be}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
-  See: ${Be}`;default:return}}o($n,"httpStatusHint");function V(e){let t=e instanceof Error?e:new Error(String(e));if(!G(t))return null;let n=$n(t.status);return n?Object.assign(new Error(`${t.message}
-  ${n}`),{cause:t}):null}o(V,"enrichedHttpError");function Fn(e){if(!k(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(k(n)){let r=n.error;if(k(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}o(Fn,"findMissingArray");function Rn(e,t){if(!G(e)||e.status!==400)return!1;let n=Fn(e);return n?n.some(r=>k(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}o(Rn,"isMissingExternalIdError");function ce(e,t){return G(e)&&e.status===404||Rn(e,t)}o(ce,"isNotFoundError");var Ye=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],Je=["ACTIVE","PREVIEW"],pe=class pe extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};o(pe,"AppVersionNotFoundError");var S=pe;function Xe(e,t){return e.includes(t)}o(Xe,"includesValue");function On(e){return Xe(Ye,e)}o(On,"isAppVersionLifecycleState");function _n(e){return Xe(Je,e)}o(_n,"isAppVersionAlias");function Un(e){return typeof e.version=="string"&&On(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||_n(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}o(Un,"isAppVersion");function Ge(e){if(!k(e))throw new Error("Invalid version response: not an object");if(!Un(e))throw new Error("Invalid version response: missing or malformed fields");return e}o(Ge,"parseAppVersion");var le=class le{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(i){throw V(i)??i}}async uploadVersion(t,n,r,i,s="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),i),a.append("version",n),a.append("entryPath",s);let c=encodeURIComponent(t),p=`${this.appsBasePath}/${c}/versions`,l=await this.client.authenticate(),m=`${this.client.getBaseUrl()}${p}`,d=new AbortController,u=setTimeout(()=>d.abort(),300*1e3),f;try{f=await fetch(m,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:a,signal:d.signal})}catch(g){throw g instanceof Error&&g.name==="AbortError"?new Error("Upload timed out after 5 minutes"):g}finally{clearTimeout(u)}if(!f.ok){let g=await f.text(),b=g;try{let _=JSON.parse(g);if(k(_)){let x=_.error;if(typeof x=="string")b=x;else if(k(x)){let A=x.message,y=x.code;b=typeof A=="string"?A:y!=null?`Unknown error (code: ${y})`:g}else{let A=_.message;b=typeof A=="string"?A:g}}}catch{}let v=f.headers.get("x-request-id"),Z=v?` | X-Request-ID: ${v}`:"",M=Object.assign(new Error(`Upload failed: ${f.status} \u2014 ${b}${Z}`),{status:f.status});throw V(M)??M}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),i=encodeURIComponent(n),s=`${this.appsBasePath}/${r}/versions/${i}`;try{let a=await this.client.get(s);return Ge(a.data)}catch(a){throw ce(a,[t,n])?new S(t,n):V(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let i=await this.client.get(r);return Ge(i.data)}catch(i){if(ce(i,[t]))return null;throw V(i)??i}}async updateVersions(t,n){let r=encodeURIComponent(t),i=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(i,{data:{items:n}})}catch(s){throw V(s)??s}}};o(le,"AppHostingApi");var ee=le;var me=class me{constructor(t){this.api=new ee(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,i,s){return this.api.uploadVersion(t,n,r,i,s)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(i){if(G(i)&&i.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw i}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let i=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:i}}async deploy(t,n,r,i,s,a,c=!1){console.log(`
+import{a as o,e as qe}from"../chunk-A5ASLC6T.js";import{writeSync as os}from"fs";import{Command as is}from"commander";var Qe="https://docs.cognite.com/cdf/access/";function _(e){return e!==null&&typeof e=="object"}o(_,"isRecord");function z(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}o(z,"isHttpError");function Yn(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
+  See: ${Qe}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
+  See: ${Qe}`;default:return}}o(Yn,"httpStatusHint");function B(e){let t=e instanceof Error?e:new Error(String(e));if(!z(t))return null;let n=Yn(t.status);return n?Object.assign(new Error(`${t.message}
+  ${n}`),{cause:t}):null}o(B,"enrichedHttpError");function Jn(e){if(!_(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(_(n)){let r=n.error;if(_(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}o(Jn,"findMissingArray");function Xn(e,t){if(!z(e)||e.status!==400)return!1;let n=Jn(e);return n?n.some(r=>_(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}o(Xn,"isMissingExternalIdError");function ye(e,t){return z(e)&&e.status===404||Xn(e,t)}o(ye,"isNotFoundError");var et=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],tt=["ACTIVE","PREVIEW"],he=class he extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};o(he,"AppVersionNotFoundError");var k=he;function nt(e,t){return e.includes(t)}o(nt,"includesValue");function zn(e){return nt(et,e)}o(zn,"isAppVersionLifecycleState");function Wn(e){return nt(tt,e)}o(Wn,"isAppVersionAlias");function qn(e){return typeof e.version=="string"&&zn(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||Wn(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}o(qn,"isAppVersion");function Ze(e){if(!_(e))throw new Error("Invalid version response: not an object");if(!qn(e))throw new Error("Invalid version response: missing or malformed fields");return e}o(Ze,"parseAppVersion");var Ce=class Ce{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(i){throw B(i)??i}}async uploadVersion(t,n,r,i,a="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let s=new FormData;s.append("file",new Blob([new Uint8Array(r)]),i),s.append("version",n),s.append("entryPath",a);let p=encodeURIComponent(t),c=`${this.appsBasePath}/${p}/versions`,l=await this.client.authenticate(),m=`${this.client.getBaseUrl()}${c}`,d=new AbortController,u=setTimeout(()=>d.abort(),300*1e3),C;try{C=await fetch(m,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:s,signal:d.signal})}catch(g){throw g instanceof Error&&g.name==="AbortError"?new Error("Upload timed out after 5 minutes"):g}finally{clearTimeout(u)}if(!C.ok){let g=await C.text(),E=g;try{let A=JSON.parse(g);if(_(A)){let x=A.error;if(typeof x=="string")E=x;else if(_(x)){let P=x.message,f=x.code;E=typeof P=="string"?P:f!=null?`Unknown error (code: ${f})`:g}else{let P=A.message;E=typeof P=="string"?P:g}}}catch{}let S=C.headers.get("x-request-id"),y=S?` | X-Request-ID: ${S}`:"",R=Object.assign(new Error(`Upload failed: ${C.status} \u2014 ${E}${y}`),{status:C.status});throw B(R)??R}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),i=encodeURIComponent(n),a=`${this.appsBasePath}/${r}/versions/${i}`;try{let s=await this.client.get(a);return Ze(s.data)}catch(s){throw ye(s,[t,n])?new k(t,n):B(s)??s}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let i=await this.client.get(r);return Ze(i.data)}catch(i){if(ye(i,[t]))return null;throw B(i)??i}}async updateVersions(t,n){let r=encodeURIComponent(t),i=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(i,{data:{items:n}})}catch(a){throw B(a)??a}}};o(Ce,"AppHostingApi");var ie=Ce;var we=class we{constructor(t){this.api=new ie(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,i,a){return this.api.uploadVersion(t,n,r,i,a)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(i){if(z(i)&&i.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw i}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let i=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:i}}async deploy(t,n,r,i,a,s,p=!1){console.log(`
 \u{1F680} Deploying application via App Hosting API...
-`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,i,s,a),c&&await this.publishAndActivate(t,i),console.log(`
-\u2705 Deployment successful!`)}catch(p){let l=p instanceof Error?p.message:String(p);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:p})}}};o(me,"AppHostingClient");var h=me;import{existsSync as Jn,readFileSync as Xn}from"fs";import{resolve as zn}from"path";import{array as Ln,boolean as Nn,check as ze,forward as We,literal as Kn,maxLength as jn,minLength as Mn,nonEmpty as H,object as qe,optional as U,picklist as Vn,pipe as D,safeParse as Hn,string as C,url as Bn}from"valibot";var de=D(C(),H("must not be empty")),ue=D(C(),H("must not be empty"),jn(256,"must be 256 characters or fewer")),ge=D(C(),H("must not be empty"),Bn("must be a valid URL")),fe=D(C(),H("must not be empty")),ye=D(C(),H("must not be empty")),Gn=D(qe({org:fe,project:ye,baseUrl:ge,deployClientId:U(C(),""),deploySecretName:U(C(),""),published:U(Nn(),!1),idpType:U(Vn(["cdf","entra_id"]),"cdf"),tenantId:U(C())}),We(ze(e=>e.idpType!=="entra_id"||!!e.tenantId,'must be set when idpType is "entra_id"'),["tenantId"]),We(ze(e=>!e.deployClientId||!!e.deploySecretName,"must be set when deployClientId is set"),["deploySecretName"])),Yn=qe({name:de,externalId:ue,versionTag:D(C(),H("must not be empty")),description:U(C(),""),deployments:D(Ln(Gn),Mn(1,"must contain at least one deployment")),infra:U(Kn("appsApi"))});function he(e){let t=Hn(Yn,e);if(t.success)return t.output;let n=t.issues[0],r=n.path?.map(s=>s.key).join(".")??"",i=r?`"${r}" `:"";throw new Error(`app.json: ${i}${n.message}`)}o(he,"validateAppConfig");function w(e,t={}){let{validator:n=he,existsSync:r=Jn,readFileSync:i=Xn}=t,s=zn(e,"app.json");if(!r(s))throw new Error("No app.json found in current directory. Make sure you're running this command from your app's root directory.");let a=i(s,"utf-8"),c;try{c=JSON.parse(a)}catch{throw new Error("Failed to parse app.json \u2014 check that it contains valid JSON.")}return n(c)}o(w,"loadAppConfig");import{CogniteClient as wr}from"@cognite/sdk";import{CogniteClient as tr}from"@cognite/sdk";var Wn=o(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,i]of Object.entries(t))if(typeof i=="string"){let s=r.toLowerCase().replace(/_/g,"-");n[s]=i}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),qn=o(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=Wn()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),Qn=o(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),Zn=o(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let s=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
-${s}`)}let i=await r.json();if(!i.access_token)throw new Error("No access token returned from CDF authentication");return i.access_token},"getTokenCdf"),er=o(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let i=Qn(r);if(!i)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let s=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,a=`https://${i}.cognitedata.com/.default`,c=await fetch(s,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!c.ok){let l=await c.text();throw new Error(`Failed to get token from Entra ID: ${c.status} ${c.statusText}
-${l}`)}let p=await c.json();if(!p.access_token)throw new Error("No access token returned from Entra ID authentication");return p.access_token},"getTokenEntra"),Ee=o(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:i="cdf",tenantId:s,baseUrl:a}=e,c=qn(r);if(i==="entra_id"){if(!s)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return er(n,c,s,a)}return Zn(n,c)},"getToken");var Y=o(async(e,t,n=process.env)=>{let r=await Ee(e,n),i=n.COGNITE_BASE_URL??e.baseUrl,s=new tr({appId:t,project:e.project,baseUrl:i,oidcTokenProvider:o(async()=>r,"oidcTokenProvider")});return await s.authenticate(),s},"getSdk");import cr from"os";import pr from"path";import lr from"open";import{buildAuthorizationUrl as mr,calculatePKCECodeChallenge as dr,discovery as ur,None as gr,randomPKCECodeVerifier as fr,randomState as yr}from"openid-client";import nr from"https";import{authorizationCodeGrant as rr}from"openid-client";function Qe(e){return e.replace(/[&<>"']/g,t=>({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"})[t]??t)}o(Qe,"escapeHtml");function we(e,t,n){let r=Qe(t),i=Qe(n);return`<html><body style="font-family: system-ui; padding: 40px; text-align: center;">
+`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,i,a,s),p&&await this.publishAndActivate(t,i),console.log(`
+\u2705 Deployment successful!`)}catch(c){let l=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:c})}}};o(we,"AppHostingClient");var h=we;import{existsSync as pr,readFileSync as cr}from"fs";import{resolve as lr}from"path";import{array as Qn,boolean as Zn,check as rt,forward as ot,literal as er,maxLength as tr,minLength as nr,nonEmpty as Y,object as it,optional as M,picklist as rr,pipe as U,safeParse as or,string as D,url as ir}from"valibot";var ve=U(D(),Y("must not be empty")),Ee=U(D(),Y("must not be empty"),tr(256,"must be 256 characters or fewer")),Se=U(D(),Y("must not be empty"),ir("must be a valid URL")),xe=U(D(),Y("must not be empty")),Pe=U(D(),Y("must not be empty")),sr=U(it({org:xe,project:Pe,baseUrl:Se,deployClientId:M(D(),""),deploySecretName:M(D(),""),published:M(Zn(),!1),idpType:M(rr(["cdf","entra_id"]),"cdf"),tenantId:M(D())}),ot(rt(e=>e.idpType!=="entra_id"||!!e.tenantId,'must be set when idpType is "entra_id"'),["tenantId"]),ot(rt(e=>!e.deployClientId||!!e.deploySecretName,"must be set when deployClientId is set"),["deploySecretName"])),ar=it({name:ve,externalId:Ee,versionTag:U(D(),Y("must not be empty")),description:M(D(),""),deployments:U(Qn(sr),nr(1,"must contain at least one deployment")),infra:M(er("appsApi"))});function be(e){let t=or(ar,e);if(t.success)return t.output;let n=t.issues[0],r=n.path?.map(a=>a.key).join(".")??"",i=r?`"${r}" `:"";throw new Error(`app.json: ${i}${n.message}`)}o(be,"validateAppConfig");function w(e,t={}){let{validator:n=be,existsSync:r=pr,readFileSync:i=cr}=t,a=lr(e,"app.json");if(!r(a))throw new Error("No app.json found in current directory. Make sure you're running this command from your app's root directory.");let s=i(a,"utf-8"),p;try{p=JSON.parse(s)}catch{throw new Error("Failed to parse app.json \u2014 check that it contains valid JSON.")}return n(p)}o(w,"loadAppConfig");import{CogniteClient as Rr}from"@cognite/sdk";import{CogniteClient as yr}from"@cognite/sdk";var mr=o(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,i]of Object.entries(t))if(typeof i=="string"){let a=r.toLowerCase().replace(/_/g,"-");n[a]=i}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),dr=o(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=mr()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),ur=o(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),gr=o(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let a=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
+${a}`)}let i=await r.json();if(!i.access_token)throw new Error("No access token returned from CDF authentication");return i.access_token},"getTokenCdf"),fr=o(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let i=ur(r);if(!i)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let a=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,s=`https://${i}.cognitedata.com/.default`,p=await fetch(a,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:s,grant_type:"client_credentials"})});if(!p.ok){let l=await p.text();throw new Error(`Failed to get token from Entra ID: ${p.status} ${p.statusText}
+${l}`)}let c=await p.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),Ae=o(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:i="cdf",tenantId:a,baseUrl:s}=e,p=dr(r);if(i==="entra_id"){if(!a)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return fr(n,p,a,s)}return gr(n,p)},"getToken");async function W(e,t,n=process.env,r){let i=await Ae(e,n),a=n.COGNITE_BASE_URL??e.baseUrl,s=(r??(p=>new yr(p)))({appId:t,project:e.project,baseUrl:a,oidcTokenProvider:o(async()=>i,"oidcTokenProvider")});return await s.authenticate(),s}o(W,"getSdk");import xr from"os";import Pr from"path";import br from"open";import{buildAuthorizationUrl as Ar,calculatePKCECodeChallenge as kr,discovery as Dr,None as Ir,randomPKCECodeVerifier as Tr,randomState as $r}from"openid-client";import hr from"https";import{authorizationCodeGrant as Cr}from"openid-client";function st(e){return e.replace(/[&<>"']/g,t=>({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"})[t]??t)}o(st,"escapeHtml");function ke(e,t,n){let r=st(t),i=st(n);return`<html><body style="font-family: system-ui; padding: 40px; text-align: center;">
     <h1>${r}</h1><p>${i}</p><p>You can close this window.</p>${e==="success"?`<style>
       @keyframes checkmark {
         0% { transform: scale(0); }
@@ -16,40 +16,40 @@ ${l}`)}let p=await c.json();if(!p.access_token)throw new Error("No access token
       }
       h1 { animation: checkmark 0.5s ease-out; }
     </style>`:""}
-  </body></html>`}o(we,"generateHtml");async function or(e,t,n,r,i,s){let a=new URL(e.url??"/",`https://${e.headers.host??"localhost"}`);if(a.pathname!=="/")return t.writeHead(404),t.end("Not found"),{shouldClose:!1};try{console.log("\u{1F504} Exchanging authorization code for tokens...");let c=await s.authorizationCodeGrant(n,a,{pkceCodeVerifier:r,expectedState:i});return t.writeHead(200,{"Content-Type":"text/html"}),t.end(we("success","Login Successful!","You can close this window and return to the terminal.")),{shouldClose:!0,tokens:c}}catch(c){let p=c instanceof Error?c:new Error(String(c));return t.writeHead(400,{"Content-Type":"text/html"}),t.end(we("error","Authentication Error",p.message)),{shouldClose:!0,error:p}}}o(or,"handleCallback");function ir(e){let t=e/6e4,n=Math.round(t*10)/10;return`${n} ${n===1?"minute":"minutes"}`}o(ir,"formatTimeoutMinutes");function Ze(e,t,n,r,i,s={createServer:nr.createServer,setTimeout:globalThis.setTimeout,clearTimeout:globalThis.clearTimeout,authorizationCodeGrant:rr}){return new Promise((a,c)=>{let p,l=s.setTimeout(()=>{p?.close(),c(new Error(`Login timeout - no response received within ${ir(e.loginTimeout)}`))},e.loginTimeout);p=s.createServer(t,async(m,d)=>{try{let u=await or(m,d,n,r,i,s);u.shouldClose&&(s.clearTimeout(l),p?.close(),u.error?c(u.error):u.tokens?a(u.tokens):c(new Error("No tokens received")))}catch(u){s.clearTimeout(l),p?.close(),c(u instanceof Error?u:new Error(String(u)))}}),p.on("error",m=>{s.clearTimeout(l),m.code==="EADDRINUSE"?console.error(`\u274C Port ${e.port} is already in use.`):console.error(`\u274C Server error: ${m.message}`),c(m)}),p.listen(e.port,"127.0.0.1",()=>{console.log(`\u{1F310} Local HTTPS server started on https://localhost:${e.port}`)})})}o(Ze,"startCallbackServer");import{execFileSync as sr}from"child_process";import Se from"fs";import et from"path";function tt(e,t,n){return{key:n.readFileSync(e),cert:n.readFileSync(t)}}o(tt,"loadCertificates");function ar(e,t,n,r){console.log("\u{1F510} Generating self-signed certificate for HTTPS..."),r.existsSync(e)||r.mkdirSync(e,{recursive:!0});try{return r.execFileSync("openssl",["req","-x509","-newkey","rsa:2048","-nodes","-sha256","-subj","/CN=localhost","-keyout",t,"-out",n,"-days","365"],{stdio:["ignore","pipe","ignore"]}),console.log("\u2705 Certificate generated and saved locally"),tt(t,n,r)}catch{throw new Error(`Failed to generate self-signed certificate. Make sure openssl is installed.
+  </body></html>`}o(ke,"generateHtml");async function wr(e,t,n,r,i,a){let s=new URL(e.url??"/",`https://${e.headers.host??"localhost"}`);if(s.pathname!=="/")return t.writeHead(404),t.end("Not found"),{shouldClose:!1};try{console.log("\u{1F504} Exchanging authorization code for tokens...");let p=await a.authorizationCodeGrant(n,s,{pkceCodeVerifier:r,expectedState:i});return t.writeHead(200,{"Content-Type":"text/html"}),t.end(ke("success","Login Successful!","You can close this window and return to the terminal.")),{shouldClose:!0,tokens:p}}catch(p){let c=p instanceof Error?p:new Error(String(p));return t.writeHead(400,{"Content-Type":"text/html"}),t.end(ke("error","Authentication Error",c.message)),{shouldClose:!0,error:c}}}o(wr,"handleCallback");function vr(e){let t=e/6e4,n=Math.round(t*10)/10;return`${n} ${n===1?"minute":"minutes"}`}o(vr,"formatTimeoutMinutes");function at(e,t,n,r,i,a={createServer:hr.createServer,setTimeout:globalThis.setTimeout,clearTimeout:globalThis.clearTimeout,authorizationCodeGrant:Cr}){return new Promise((s,p)=>{let c,l=a.setTimeout(()=>{c?.close(),p(new Error(`Login timeout - no response received within ${vr(e.loginTimeout)}`))},e.loginTimeout);c=a.createServer(t,async(m,d)=>{try{let u=await wr(m,d,n,r,i,a);u.shouldClose&&(a.clearTimeout(l),c?.close(),u.error?p(u.error):u.tokens?s(u.tokens):p(new Error("No tokens received")))}catch(u){a.clearTimeout(l),c?.close(),p(u instanceof Error?u:new Error(String(u)))}}),c.on("error",m=>{a.clearTimeout(l),m.code==="EADDRINUSE"?console.error(`\u274C Port ${e.port} is already in use.`):console.error(`\u274C Server error: ${m.message}`),p(m)}),c.listen(e.port,"127.0.0.1",()=>{console.log(`\u{1F310} Local HTTPS server started on https://localhost:${e.port}`)})})}o(at,"startCallbackServer");import{execFileSync as Er}from"child_process";import De from"fs";import pt from"path";function ct(e,t,n){return{key:n.readFileSync(e),cert:n.readFileSync(t)}}o(ct,"loadCertificates");function Sr(e,t,n,r){console.log("\u{1F510} Generating self-signed certificate for HTTPS..."),r.existsSync(e)||r.mkdirSync(e,{recursive:!0});try{return r.execFileSync("openssl",["req","-x509","-newkey","rsa:2048","-nodes","-sha256","-subj","/CN=localhost","-keyout",t,"-out",n,"-days","365"],{stdio:["ignore","pipe","ignore"]}),console.log("\u2705 Certificate generated and saved locally"),ct(t,n,r)}catch{throw new Error(`Failed to generate self-signed certificate. Make sure openssl is installed.
   On macOS: openssl is pre-installed
   On Linux: sudo apt-get install openssl
-  On Windows: Install OpenSSL or use WSL`)}}o(ar,"generateCertificate");function nt(e,t={existsSync:Se.existsSync,readFileSync:o(n=>Se.readFileSync(n),"readFileSync"),mkdirSync:o((n,r)=>{Se.mkdirSync(n,r)},"mkdirSync"),execFileSync:sr}){let n=et.join(e,"localhost-key.pem"),r=et.join(e,"localhost-cert.pem");return t.existsSync(n)&&t.existsSync(r)?tt(n,r,t):ar(e,n,r,t)}o(nt,"getOrCreateCertificates");var hr={authority:"https://auth.cognite.com",clientId:"0404baaa-0a90-43a2-aba7-a110b53fb41c",redirectUri:"https://localhost:3000/",port:3e3,loginTimeout:300*1e3,certDir:pr.join(cr.homedir(),".cdf-login")},Er={open:lr,getOrCreateCertificates:nt,startCallbackServer:Ze,discovery:ur,buildAuthorizationUrl:mr,randomPKCECodeVerifier:fr,calculatePKCECodeChallenge:dr,randomState:yr,logger:console};async function ot(e,t=hr,n){return n===void 0?rt(e,t,Er):rt(e,t,n)}o(ot,"login");async function rt(e,t,n){n.logger.log(`\u{1F510} Starting CDF login flow...
-`),n.logger.log(`\u{1F4E1} Fetching OpenID configuration from ${t.authority}...`);let r=await n.discovery(new URL(t.authority),t.clientId,void 0,gr()),i=n.randomPKCECodeVerifier(),s=await n.calculatePKCECodeChallenge(i),a=n.randomState(),c={redirect_uri:t.redirectUri,scope:"openid profile email",code_challenge:s,code_challenge_method:"S256",state:a};e&&(c.organization_hint=e);let p=n.buildAuthorizationUrl(r,c).toString(),l=n.getOrCreateCertificates(t.certDir);e&&n.logger.log(`\u{1F3E2} Organization: ${e}`),n.logger.log(`\u{1F680} Opening browser for authentication...
-`);try{await n.open(p)}catch(m){let d=m instanceof Error?m.message:String(m);n.logger.error("\u274C Failed to open browser automatically."),n.logger.error(`  Reason: ${d}`),n.logger.error(`Please open this URL manually:
-`),n.logger.error(p),n.logger.error("")}return n.startCallbackServer(t,l,r,i,a)}o(rt,"loginImpl");async function I(e,t,n={}){let{login:r=ot,getSdk:i=Y,createClient:s=o(a=>new wr(a),"createClient")}=n;if(t.interactive){let a=t.orgHint||e.org||void 0,c=await r(a),p=s({appId:t.appId,project:e.project,baseUrl:e.baseUrl,getToken:o(async()=>c.access_token,"getToken")});return await p.authenticate(),p}return i(e,t.appId)}o(I,"getClientForDeployment");import it from"enquirer";var st="Enter custom target...";function at(e,t){let n=t.map((r,i)=>`  ${i}: ${r.org}/${r.project}`).join(`
+  On Windows: Install OpenSSL or use WSL`)}}o(Sr,"generateCertificate");function lt(e,t={existsSync:De.existsSync,readFileSync:o(n=>De.readFileSync(n),"readFileSync"),mkdirSync:o((n,r)=>{De.mkdirSync(n,r)},"mkdirSync"),execFileSync:Er}){let n=pt.join(e,"localhost-key.pem"),r=pt.join(e,"localhost-cert.pem");return t.existsSync(n)&&t.existsSync(r)?ct(n,r,t):Sr(e,n,r,t)}o(lt,"getOrCreateCertificates");var Fr={authority:"https://auth.cognite.com",clientId:"0404baaa-0a90-43a2-aba7-a110b53fb41c",redirectUri:"https://localhost:3000/",port:3e3,loginTimeout:300*1e3,certDir:Pr.join(xr.homedir(),".cdf-login")},Or={open:br,getOrCreateCertificates:lt,startCallbackServer:at,discovery:Dr,buildAuthorizationUrl:Ar,randomPKCECodeVerifier:Tr,calculatePKCECodeChallenge:kr,randomState:$r,logger:console};async function dt(e,t=Fr,n){return n===void 0?mt(e,t,Or):mt(e,t,n)}o(dt,"login");async function mt(e,t,n){n.logger.log(`\u{1F510} Starting CDF login flow...
+`),n.logger.log(`\u{1F4E1} Fetching OpenID configuration from ${t.authority}...`);let r=await n.discovery(new URL(t.authority),t.clientId,void 0,Ir()),i=n.randomPKCECodeVerifier(),a=await n.calculatePKCECodeChallenge(i),s=n.randomState(),p={redirect_uri:t.redirectUri,scope:"openid profile email",code_challenge:a,code_challenge_method:"S256",state:s};e&&(p.organization_hint=e);let c=n.buildAuthorizationUrl(r,p).toString(),l=n.getOrCreateCertificates(t.certDir);e&&n.logger.log(`\u{1F3E2} Organization: ${e}`),n.logger.log(`\u{1F680} Opening browser for authentication...
+`);try{await n.open(c)}catch(m){let d=m instanceof Error?m.message:String(m);n.logger.error("\u274C Failed to open browser automatically."),n.logger.error(`  Reason: ${d}`),n.logger.error(`Please open this URL manually:
+`),n.logger.error(c),n.logger.error("")}return n.startCallbackServer(t,l,r,i,s)}o(mt,"loginImpl");async function I(e,t,n={}){let{login:r=dt,getSdk:i=W,createClient:a=o(s=>new Rr(s),"createClient")}=n;if(t.interactive){let s=t.orgHint||e.org||void 0,p=await r(s),c=a({appId:t.appId,project:e.project,baseUrl:e.baseUrl,getToken:o(async()=>p.access_token,"getToken")});return await c.authenticate(),c}return i(e,t.appId)}o(I,"getClientForDeployment");import ut from"enquirer";var gt="Enter custom target...";function ft(e,t){let n=t.map((r,i)=>`  ${i}: ${r.org}/${r.project}`).join(`
 `);throw new Error(`Deployment "${e}" not found. Available deployments:
-${n}`)}o(at,"deploymentNotFoundError");function P(e,t){if(e.length===0)throw new Error("No deployments configured in app.json");if(t===void 0)return e[0];if(/^\d+$/.test(t)){let r=e[Number.parseInt(t)];if(r)return r;at(t,e)}let n=e.find(r=>r.project===t||`${r.org}/${r.project}`===t);if(n)return n;at(t,e)}o(P,"findDeployment");function T(e){let t=[];return e.deployClientId||t.push("deployClientId"),e.deploySecretName||t.push("deploySecretName"),t}o(T,"getMissingCredentials");async function $(e,t){if(t.baseUrl&&t.project)return{org:t.org??"",project:t.project,baseUrl:t.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"};if(t.deployment!==void 0)return P(e.deployments,t.deployment);let n=[...e.deployments.map(s=>`${s.org}/${s.project}`),st],{selected:r}=await it.prompt({type:"select",name:"selected",message:"Select deployment target",choices:n});if(r!==st){let s=e.deployments.find(a=>`${a.org}/${a.project}`===r);if(s)return s;throw new Error(`Deployment "${r}" could not be resolved from app.json.`)}let i=await it.prompt([{type:"input",name:"baseUrl",message:"CDF Base URL",initial:"https://api.cognitedata.com"},{type:"input",name:"project",message:"CDF Project",validate:o(s=>s?!0:"Project is required","validate")},{type:"input",name:"org",message:"Organization (for login hint)",initial:""}]);return{org:i.org||"",project:i.project,baseUrl:i.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"}}o($,"resolveDeployment");import{existsSync as Sr}from"fs";import{resolve as Cr}from"path";import{config as vr}from"dotenv";function F(e,t={existsSync:Sr,config:vr}){let n=Cr(e,".env");t.existsSync(n)&&(console.log(`Loading environment variables from ${n}`),t.config({path:n}))}o(F,"loadEnvFile");function R(e){e.infra!=="appsApi"&&(console.error(`
+${n}`)}o(ft,"deploymentNotFoundError");function b(e,t){if(e.length===0)throw new Error("No deployments configured in app.json");if(t===void 0)return e[0];if(/^\d+$/.test(t)){let r=e[Number.parseInt(t)];if(r)return r;ft(t,e)}let n=e.find(r=>r.project===t||`${r.org}/${r.project}`===t);if(n)return n;ft(t,e)}o(b,"findDeployment");function T(e){let t=[];return e.deployClientId||t.push("deployClientId"),e.deploySecretName||t.push("deploySecretName"),t}o(T,"getMissingCredentials");async function $(e,t){if(t.baseUrl&&t.project)return{org:t.org??"",project:t.project,baseUrl:t.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"};if(t.deployment!==void 0)return b(e.deployments,t.deployment);let n=[...e.deployments.map(a=>`${a.org}/${a.project}`),gt],{selected:r}=await ut.prompt({type:"select",name:"selected",message:"Select deployment target",choices:n});if(r!==gt){let a=e.deployments.find(s=>`${s.org}/${s.project}`===r);if(a)return a;throw new Error(`Deployment "${r}" could not be resolved from app.json.`)}let i=await ut.prompt([{type:"input",name:"baseUrl",message:"CDF Base URL",initial:"https://api.cognitedata.com"},{type:"input",name:"project",message:"CDF Project",validate:o(a=>a?!0:"Project is required","validate")},{type:"input",name:"org",message:"Organization (for login hint)",initial:""}]);return{org:i.org||"",project:i.project,baseUrl:i.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"}}o($,"resolveDeployment");import{existsSync as _r}from"fs";import{resolve as Ur}from"path";import{config as Lr}from"dotenv";function F(e,t={existsSync:_r,config:Lr}){let n=Ur(e,".env");t.existsSync(n)&&(console.log(`Loading environment variables from ${n}`),t.config({path:n}))}o(F,"loadEnvFile");function O(e){e.infra!=="appsApi"&&(console.error(`
 \u26A0\uFE0F  Legacy infrastructure is no longer supported.
 
 Your app.json is missing \`"infra": "appsApi"\`, which means it was created for
 the old CDF Application Registry. This deploy path has been removed.
 
 To migrate: add \`"infra": "appsApi"\` to your app.json, wire up the correct authentication and re-deploy.
-`),process.exit(1))}o(R,"assertAppHostingInfra");async function xr(e){let t=process.cwd();F(t);let n=w(t);R(n);let r=e.interactive?await $(n,e):P(n.deployments,e.deployment);if(!e.interactive){let m=T(r);if(m.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${m.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps activate --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new h(i),{externalId:a,versionTag:c}=n,p;try{p=await s.getVersion(a,c)}catch(m){throw m instanceof S?new Error(`Version ${c} of ${a} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):m}if(p.alias==="ACTIVE"){console.log(`  ${a} @ ${c} is already ACTIVE \u2014 nothing to do.`);return}if(p.lifecycleState==="DEPRECATED"||p.lifecycleState==="ARCHIVED")throw new Error(`Cannot activate ${a} @ ${c}: version is ${p.lifecycleState} (terminal).`);p.lifecycleState==="DRAFT"&&(await s.publishVersion(a,c),console.log(`\u2713 Published  ${a} @ ${c} is now PUBLISHED`));let{supersededVersion:l}=await s.activateVersion(a,c);console.log(`\u2713 Activated   ${a} @ ${c} is now ACTIVE`),l&&console.log(`  Superseded  ${l} \u2192 PUBLISHED`)}o(xr,"handleActivate");function ct(e){return e.command("activate").description("Activate the current app version (publish if needed, then set ACTIVE alias)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+`),process.exit(1))}o(O,"assertAppHostingInfra");async function Nr(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await $(n,e):b(n.deployments,e.deployment);if(!e.interactive){let m=T(r);if(m.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${m.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps activate --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i),{externalId:s,versionTag:p}=n,c;try{c=await a.getVersion(s,p)}catch(m){throw m instanceof k?new Error(`Version ${p} of ${s} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):m}if(c.alias==="ACTIVE"){console.log(`  ${s} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot activate ${s} @ ${p}: version is ${c.lifecycleState} (terminal).`);c.lifecycleState==="DRAFT"&&(await a.publishVersion(s,p),console.log(`\u2713 Published  ${s} @ ${p} is now PUBLISHED`));let{supersededVersion:l}=await a.activateVersion(s,p);console.log(`\u2713 Activated   ${s} @ ${p} is now ACTIVE`),l&&console.log(`  Superseded  ${l} \u2192 PUBLISHED`)}o(Nr,"handleActivate");function yt(e){return e.command("activate").description("Activate the current app version (publish if needed, then set ACTIVE alias)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps activate .                   Activate using env-var auth
-  npx @cognite/cli apps activate . --interactive     Activate using browser auth (no secrets needed)`).action((t,n)=>xr(n))}o(ct,"registerActivateCommand");import{readdirSync as Ur}from"fs";import{basename as Et,dirname as Lr,normalize as Nr,resolve as X}from"path";import{fileURLToPath as Kr,pathToFileURL as jr}from"url";import{Logger as Mr,runner as Vr}from"hygen";import{safeParse as Pr}from"valibot";function J(e,t){return n=>{let r=Pr(t,n);return r.success?!0:`${e} ${r.issues[0].message}`}}o(J,"toPromptValidator");var pt={name:J("App name",ue),displayName:J("Display name",de),baseUrl:J("Base URL",ge),org:J("Org",fe),project:J("Project",ye)};function br(e,t){return e?async n=>{let r=t(n);return r===!0?e(n):r}:t}o(br,"composeValidators");function te(e){return e.map(t=>{if(!(t.name in pt))return t;let n=pt[t.name];return{...t,validate:br(t.validate,n)}})}o(te,"applySchemaValidators");import{basename as mt}from"path";import dt from"enquirer";function lt(e){return e.replace(/[A-Z]/g,(t,n)=>n===0?t.toLowerCase():`-${t.toLowerCase()}`)}o(lt,"kebabCase");var Ar={type:"confirm",name:"useSpecKit",message:["Enable spec-driven development?","  Adds the github/spec-kit slash commands (/speckit.specify, .clarify, .plan, .tasks, .implement)","  to your app for use in Claude Code or Cursor. They walk you through writing SPEC.md and","  generating a plan, tasks, and implementation."].join(`
-`),initial:!1};async function kr(e){return!!(await e([Ar])).useSpecKit}o(kr,"promptForSpecKit");async function Dr(e,t,n){return e!==void 0?e:t?kr(n):!1}o(Dr,"resolveSpecKit");function ut({isCurrentDir:e,dirName:t,onAppName:n,onUseSpecKit:r,presets:i={},specKit:s,prompt:a=dt.prompt.bind(dt)}){return()=>({prompt:o(async c=>{if(!Array.isArray(c))return a([c]);let p=Object.fromEntries(Object.entries(i).filter(y=>y[1]!==void 0)),l=Object.keys(p).length>0,m=e?mt(process.cwd()):t?mt(t):null,d=l&&m!==null,u=!d&&m?c.map(y=>y.name==="name"?{...y,initial:m}:y):c,f=te(u),g=d?{...p,name:m}:p,b=new Set(Object.keys(g)),v=f.filter(y=>!b.has(y.name)),Z=v.findIndex(y=>y.name==="baseUrl"),M;if(Z!==-1){let y=v.filter(Tn=>Tn.name!=="baseUrl"),ae=y.length>0?await a(y):{},bn=typeof ae.cluster=="string"?ae.cluster:"",An=typeof g.cluster=="string"?g.cluster:"",kn=`https://${(bn||An).trim().replace(/\/+$/,"")||"api"}.cognitedata.com`,Dn=v[Z],In=await a([{...Dn,initial:kn}]);M={...ae,...In}}else M=v.length>0?await a(v):{};let _={...g,...M},x=typeof _.name=="string"?_.name:"";x&&n(x);let A=await Dr(s,v.length>0,a);return r?.(A),{..._,name:x,useCurrentDir:e,directoryName:e?void 0:t??void 0,useSpecKit:A}},"prompt")})}o(ut,"createAppPrompter");async function gt(e,t,n){let r=[];Object.values(t).some(s=>s!==void 0)&&n!==null&&r.push({key:"name",value:n,label:"directory"});for(let[s,a]of Object.entries(t))a!==void 0&&r.push({key:s,value:a,label:`--${lt(s)}`});for(let{key:s,value:a,label:c}of r){let p=e.find(m=>m.name===s)?.validate;if(!p)continue;let l=await p(a);if(l!==!0)throw new Error(`Invalid ${c}: ${l}`)}}o(gt,"validatePresets");import{cpSync as Tr,mkdirSync as ft,writeFileSync as $r}from"fs";import{dirname as yt,resolve as L}from"path";import{fileURLToPath as Fr}from"url";import{symlinkSync as Ir}from"fs";function ne({target:e,linkPath:t,label:n,symlink:r=Ir}){try{return r(e,t),!0}catch(i){if(i instanceof Error&&"code"in i&&i.code==="EEXIST")return!0;let s=i instanceof Error?i.message:String(i);return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink:`,s),!1}}o(ne,"symlinkOrWarn");var Rr=L(yt(Fr(import.meta.url)),"..","..","_vendor","spec-kit"),Or={branch_numbering:"sequential"},_r=[{from:"templates",to:".specify/templates"},{from:"scripts/bash",to:".specify/scripts/bash"},{from:"commands",to:".claude/commands"},{from:"commands",to:".cursor/commands"}];function ht({appDir:e,vendorDir:t=Rr}){let n=L(e,".specify"),r=L(n,"memory"),i=`prepare spec-kit install for appDir=${e}`;try{for(let{from:s,to:a}of _r){let c=L(e,a);i=`copy ${s} to ${a}`,ft(yt(c),{recursive:!0}),Tr(L(t,s),c,{recursive:!0})}i=`write init-options.json under specifyDir=${n}`,$r(L(n,"init-options.json"),`${JSON.stringify(Or,null,2)}
-`),i=`link .specify/memory/constitution.md in specifyDir=${n}`,ft(r,{recursive:!0}),ne({target:"../../AGENTS.md",linkPath:L(r,"constitution.md"),label:".specify/memory/constitution.md"})}catch(s){let a=s instanceof Error?s.message:String(s);throw new Error(`installSpecKit failed while ${i} (appDir=${e}, vendorDir=${t}): ${a}`,{cause:s})}}o(ht,"installSpecKit");var wt=X(Lr(Kr(import.meta.url)),"..","..","_templates");async function Hr(){let e=X(wt,"app","new","prompt.js");return(await import(jr(e).href)).default}o(Hr,"loadPromptDefs");function Br(e,t){return!e||t?null:Nr(e)}o(Br,"resolveDirName");function Gr(e,t,n){if(e)return{cwd:process.cwd(),display:"."};let r=t??n;if(!r)throw new Error("App creation completed without a target directory or name.");return{cwd:X(process.cwd(),r),display:r}}o(Gr,"resolveAppLocation");function Yr(e,t,n){let r=`  npm install
-  npm run dev`,i="To deploy your app:",s="npx @cognite/cli apps deploy --interactive",a=n?`
+  npx @cognite/cli apps activate . --interactive     Activate using browser auth (no secrets needed)`).action((t,n)=>Nr(n))}o(yt,"registerActivateCommand");import{readdirSync as to}from"fs";import{basename as $t,dirname as no,normalize as ro,resolve as Q}from"path";import{fileURLToPath as oo,pathToFileURL as io}from"url";import{Logger as so,runner as ao}from"hygen";import{execFileSync as se}from"child_process";function ht(e={}){let{execFileSync:t=se}=e;try{return t("git",["--version"],{stdio:"ignore"}),!0}catch{return!1}}o(ht,"isGitInstalled");function Ct(e,t={}){let{execFileSync:n=se}=t;try{return n("git",["-C",e,"status"],{stdio:"ignore"}),!0}catch{return!1}}o(Ct,"isInsideGitRepo");function wt(e,t={}){let{execFileSync:n=se}=t;n("git",["-C",e,"init"],{stdio:"pipe"}),n("git",["-C",e,"add","."],{stdio:"pipe"}),n("git",["-C",e,"commit","-m","Initial commit","--no-gpg-sign","--no-verify"],{stdio:"pipe"})}o(wt,"gitInitAndCommit");function vt(e={}){let{execFileSync:t=se}=e;try{return String(t("git",["config","--get","user.email"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]})).trim()||void 0}catch{return}}o(vt,"gitUserEmail");import{safeParse as jr}from"valibot";function q(e,t){return n=>{let r=jr(t,n);return r.success?!0:`${e} ${r.issues[0].message}`}}o(q,"toPromptValidator");var Et={name:q("App name",Ee),displayName:q("Display name",ve),baseUrl:q("Base URL",Se),org:q("Org",xe),project:q("Project",Pe)};function Kr(e,t){return e?async n=>{let r=t(n);return r===!0?e(n):r}:t}o(Kr,"composeValidators");function ae(e){return e.map(t=>{if(!(t.name in Et))return t;let n=Et[t.name];return{...t,validate:Kr(t.validate,n)}})}o(ae,"applySchemaValidators");import{basename as xt}from"path";import Pt from"enquirer";function St(e){return e.replace(/[A-Z]/g,(t,n)=>n===0?t.toLowerCase():`-${t.toLowerCase()}`)}o(St,"kebabCase");var Mr={type:"confirm",name:"useSpecKit",message:["Enable spec-driven development?","  Adds the github/spec-kit slash commands (/speckit.specify, .clarify, .plan, .tasks, .implement)","  to your app for use in Claude Code or Cursor. They walk you through writing SPEC.md and","  generating a plan, tasks, and implementation."].join(`
+`),initial:!1};async function Vr(e){return!!(await e([Mr])).useSpecKit}o(Vr,"promptForSpecKit");async function Hr(e,t,n){return e!==void 0?e:t?Vr(n):!1}o(Hr,"resolveSpecKit");function bt({isCurrentDir:e,dirName:t,onAppName:n,onUseSpecKit:r,presets:i={},specKit:a,prompt:s=Pt.prompt.bind(Pt)}){return()=>({prompt:o(async p=>{if(!Array.isArray(p))return s([p]);let c=Object.fromEntries(Object.entries(i).filter(f=>f[1]!==void 0)),l=Object.keys(c).length>0,m=e?xt(process.cwd()):t?xt(t):null,d=l&&m!==null,u=!d&&m?p.map(f=>f.name==="name"?{...f,initial:m}:f):p,C=ae(u),g=d?{...c,name:m}:c,E=new Set(Object.keys(g)),S=C.filter(f=>!E.has(f.name)),y=S.findIndex(f=>f.name==="baseUrl"),R;if(y!==-1){let f=S.filter(Bn=>Bn.name!=="baseUrl"),j=f.length>0?await s(f):{},oe=typeof j.cluster=="string"?j.cluster:"",K=typeof g.cluster=="string"?g.cluster:"",Vn=`https://${(oe||K).trim().replace(/\/+$/,"")||"api"}.cognitedata.com`,Hn=S[y],Gn=await s([{...Hn,initial:Vn}]);R={...j,...Gn}}else R=S.length>0?await s(S):{};let A={...g,...R},x=typeof A.name=="string"?A.name:"";x&&n(x);let P=await Hr(a,S.length>0,s);return r?.(P),{...A,name:x,useCurrentDir:e,directoryName:e?void 0:t??void 0,useSpecKit:P}},"prompt")})}o(bt,"createAppPrompter");async function At(e,t,n){let r=[];Object.values(t).some(a=>a!==void 0)&&n!==null&&r.push({key:"name",value:n,label:"directory"});for(let[a,s]of Object.entries(t))s!==void 0&&r.push({key:a,value:s,label:`--${St(a)}`});for(let{key:a,value:s,label:p}of r){let c=e.find(m=>m.name===a)?.validate;if(!c)continue;let l=await c(s);if(l!==!0)throw new Error(`Invalid ${p}: ${l}`)}}o(At,"validatePresets");import{cpSync as zr,mkdirSync as Dt,writeFileSync as Wr}from"fs";import{dirname as It,resolve as V}from"path";import{fileURLToPath as qr}from"url";import{copyFileSync as Gr,symlinkSync as Br}from"fs";import{dirname as Yr,join as Jr}from"path";function Xr(e){if(e&&typeof e=="object"&&"code"in e&&typeof e.code=="string")return e.code}o(Xr,"errno");function kt(e){return e instanceof Error?e.message:String(e)}o(kt,"messageOf");function pe({target:e,linkPath:t,label:n,symlink:r=Br,copyFile:i=Gr}){try{return r(e,t),!0}catch(a){let s=Xr(a);if(s==="EEXIST")return!0;let p=kt(a);if(s==="EPERM"||s==="EACCES")try{let c=Jr(Yr(t),e);return i(c,t),console.log(`\u2139\uFE0F  Wrote ${n} as a copy of ${e} (symlinks need Developer Mode or an elevated shell on Windows).`),!0}catch(c){return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink: ${p} (copy fallback also failed: ${kt(c)})`),!1}return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink:`,p),!1}}o(pe,"linkOrCopyOrWarn");var Qr=V(It(qr(import.meta.url)),"..","..","_vendor","spec-kit"),Zr={branch_numbering:"sequential"},eo=[{from:"templates",to:".specify/templates"},{from:"scripts/bash",to:".specify/scripts/bash"},{from:"commands",to:".claude/commands"},{from:"commands",to:".cursor/commands"}];function Tt({appDir:e,vendorDir:t=Qr}){let n=V(e,".specify"),r=V(n,"memory"),i=`prepare spec-kit install for appDir=${e}`;try{for(let{from:a,to:s}of eo){let p=V(e,s);i=`copy ${a} to ${s}`,Dt(It(p),{recursive:!0}),zr(V(t,a),p,{recursive:!0})}i=`write init-options.json under specifyDir=${n}`,Wr(V(n,"init-options.json"),`${JSON.stringify(Zr,null,2)}
+`),i=`link .specify/memory/constitution.md in specifyDir=${n}`,Dt(r,{recursive:!0}),pe({target:"../../AGENTS.md",linkPath:V(r,"constitution.md"),label:".specify/memory/constitution.md"})}catch(a){let s=a instanceof Error?a.message:String(a);throw new Error(`installSpecKit failed while ${i} (appDir=${e}, vendorDir=${t}): ${s}`,{cause:a})}}o(Tt,"installSpecKit");var Ft=Q(no(oo(import.meta.url)),"..","..","_templates");async function po(){let e=Q(Ft,"app","new","prompt.js");return(await import(io(e).href)).default}o(po,"loadPromptDefs");function co(e,t){return!e||t?null:ro(e)}o(co,"resolveDirName");function lo(e,t,n){if(e)return{cwd:process.cwd(),display:"."};let r=t??n;if(!r)throw new Error("App creation completed without a target directory or name.");return{cwd:Q(process.cwd(),r),display:r}}o(lo,"resolveAppLocation");function mo(e,t,n){let r=`  npm install
+  npm run dev`,i="To deploy your app:",a="npx @cognite/cli apps deploy --interactive",s=n?`
 To start spec-driven development:
   Run /speckit.specify in Claude Code or Cursor and describe your app.
-`:"",c=`  # Or fully non-interactive (deploys first target from app.json):
+`:"",p=`  # Or fully non-interactive (deploys first target from app.json):
   npx @cognite/cli apps deploy`;if(e){console.log(`
 \u2705 App created successfully in current directory!
 
 Next steps:
 ${r}
-${a}
+${s}
 ${i}
-  ${s}
-${c}
+  ${a}
+${p}
 `);return}console.log(`
 \u2705 App created successfully!
 
@@ -58,13 +58,13 @@ To open in Cursor:
 Or:
   cd "${t}"
 ${r}
-${a}
+${s}
 ${i}
   cd "${t}"
-  ${s}
-${c}
-`)}o(Yr,"printSuccessMessage");async function Jr(e){try{let{execSkillsCli:t,pullAllArgs:n}=await import("../skills-GQ5TZKCM.js");console.log("\u{1F9E0} Pulling skills into your app..."),t(n(),{cwd:e,timeout:3e4,stdio:["pipe","pipe","inherit"]});let r=X(e,".agents","skills"),i=0;try{i=Ur(r).length}catch{console.warn(`Skills directory not found after pull \u2014 no skills may have been installed (expected: ${r})`)}let s=i>0?`${i} skills`:"skills";console.log(`\u2705 Installed ${s} successfully to
- ${r}`)}catch(t){let n=t instanceof Error?t.message:String(t);console.warn("\u26A0\uFE0F  Could not pull skills:",n)}}o(Jr,"pullSkillsInto");async function Xr(e,t){let n=e==="."||e==="./",r=Br(e,n),i=null,s=!1,a={displayName:t.displayName,description:t.description,org:t.org,project:t.project,cluster:t.cluster,baseUrl:t.baseUrl},c=await Hr(),p=te(c),l=n?Et(process.cwd()):r?Et(r):null;await gt(p,a,l);let m=ut({isCurrentDir:n,dirName:r,onAppName:o(u=>{i=u},"onAppName"),onUseSpecKit:o(u=>{s=u},"onUseSpecKit"),presets:a,specKit:t.specKit});await Vr(["app","new"],{templates:wt,cwd:process.cwd(),logger:new Mr(console.log.bind(console)),createPrompter:m,debug:!!process.env.DEBUG});let d=Gr(n,r,i);ne({target:"AGENTS.md",linkPath:X(d.cwd,"CLAUDE.md"),label:"CLAUDE.md"}),s&&ht({appDir:d.cwd}),Yr(n,d.display,s),await Jr(d.cwd)}o(Xr,"handleCreate");function St(e){return e.command("create").description("Create a new application.").argument("[directory]","Target directory (. for current, or subdirectory name)").option("--display-name <name>","App display name (skips the prompt)").option("--description <description>","App description (skips the prompt)").option("--org <org>","Deployment org (skips the prompt)").option("--project <project>","Deployment project (skips the prompt)").option("--cluster <cluster>","CDF cluster, e.g. greenfield (skips the prompt)").option("--base-url <url>","CDF base URL, e.g. https://greenfield.cognitedata.com (skips the prompt; defaults to cluster-derived URL when omitted)").option("--spec-kit","Install spec-kit slash commands (skips the prompt)").option("--no-spec-kit","Skip spec-kit installation (skips the prompt)").addHelpText("after",`
+  ${a}
+${p}
+`)}o(mo,"printSuccessMessage");async function uo(e){try{let{execSkillsCli:t,pullAllArgs:n}=await import("../skills-GQ5TZKCM.js");console.log("\u{1F9E0} Pulling skills into your app..."),t(n(),{cwd:e,timeout:3e4,stdio:["pipe","pipe","inherit"]});let r=Q(e,".agents","skills"),i=0;try{i=to(r).length}catch{console.warn(`Skills directory not found after pull \u2014 no skills may have been installed (expected: ${r})`)}let a=i>0?`${i} skills`:"skills";console.log(`\u2705 Installed ${a} successfully to
+ ${r}`)}catch(t){let n=t instanceof Error?t.message:String(t);console.warn("\u26A0\uFE0F  Could not pull skills:",n)}}o(uo,"pullSkillsInto");function go(e,t={}){let{isGitInstalled:n=ht,isInsideGitRepo:r=Ct,gitInitAndCommit:i=wt}=t;if(!n()){console.warn("git not found \u2014 skipping git repository initialisation");return}if(!r(e)){console.log("Initialising git repository...");try{i(e)}catch(a){let p=(a&&typeof a=="object"&&"stderr"in a&&a.stderr?String(a.stderr).trim():"")||(a instanceof Error?a.message:String(a));console.warn("Could not initialise git repository:",p)}}}o(go,"maybeInitGit");async function fo(e,t){let n=e==="."||e==="./",r=co(e,n),i=null,a=!1,s={displayName:t.displayName,description:t.description,org:t.org,project:t.project,cluster:t.cluster,baseUrl:t.baseUrl},p=await po(),c=ae(p),l=n?$t(process.cwd()):r?$t(r):null;await At(c,s,l);let m=bt({isCurrentDir:n,dirName:r,onAppName:o(u=>{i=u},"onAppName"),onUseSpecKit:o(u=>{a=u},"onUseSpecKit"),presets:s,specKit:t.specKit});await ao(["app","new"],{templates:Ft,cwd:process.cwd(),logger:new so(console.log.bind(console)),createPrompter:m,debug:!!process.env.DEBUG});let d=lo(n,r,i);pe({target:"AGENTS.md",linkPath:Q(d.cwd,"CLAUDE.md"),label:"CLAUDE.md"}),a&&Tt({appDir:d.cwd}),await uo(d.cwd),go(d.cwd),mo(n,d.display,a)}o(fo,"handleCreate");function Ot(e){return e.command("create").description("Create a new application.").argument("[directory]","Target directory (. for current, or subdirectory name)").option("--display-name <name>","App display name (skips the prompt)").option("--description <description>","App description (skips the prompt)").option("--org <org>","Deployment org (skips the prompt)").option("--project <project>","Deployment project (skips the prompt)").option("--cluster <cluster>","CDF cluster, e.g. greenfield (skips the prompt)").option("--base-url <url>","CDF base URL, e.g. https://greenfield.cognitedata.com (skips the prompt; defaults to cluster-derived URL when omitted)").option("--spec-kit","Install spec-kit slash commands (skips the prompt)").option("--no-spec-kit","Skip spec-kit installation (skips the prompt)").addHelpText("after",`
 Non-interactive use (CI, scripts, AI agents):
   Pass [directory] plus --display-name, --description, --org, --project, --cluster, --base-url
   to skip every prompt. Missing flags fall back to the interactive prompt.
@@ -77,14 +77,17 @@ Examples:
     --display-name "My App" --description "My app" \\
     --org cog-atlas --project atlas-greenfield --cluster greenfield \\
     --base-url https://greenfield.cognitedata.com
-                                             Fully non-interactive`).action(Xr)}o(St,"registerCreateCommand");import{readFile as to,unlink as no}from"fs/promises";import{basename as ro}from"path";import vt from"fs";import Zr from"path";import O from"fs";import E from"path";import{parseAndValidateManifestConfig as zr}from"@cognite/app-sdk/vite";import{BlobReader as Wr,Uint8ArrayWriter as qr,ZipWriter as Qr}from"@zip.js/zip.js";var Ce="package.json",ve="package-lock.json",Ct="manifest.json",xe=".cognite",Pe=class Pe{constructor(t="dist"){this.distPath=E.isAbsolute(t)?t:E.join(process.cwd(),t),this.appRoot=E.dirname(this.distPath)}validateBuildDirectory(){if(!O.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=E.join(this.appRoot,Ce);if(!O.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=E.join(this.appRoot,ve);if(!O.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new Qr(new qr,{level:9}),i=o(async(p,l)=>{await r.add(l,new Wr(await O.openAsBlob(p))),n&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),s=o(async p=>{let l=await O.promises.readdir(p,{withFileTypes:!0});for(let m of l){let d=E.join(p,m.name);m.isDirectory()?await s(d):await i(d,E.relative(this.distPath,d).replace(/\\/g,"/"))}},"addDir"),a;try{await s(this.distPath);let p=E.join(this.appRoot,Ce);await i(p,E.posix.join(xe,Ce));let l=E.join(this.appRoot,Ct);if(O.existsSync(l)){let d=O.readFileSync(l,"utf-8");zr(d,l),await i(l,E.posix.join(xe,Ct))}let m=E.join(this.appRoot,ve);await i(m,E.posix.join(xe,ve)),a=await r.close()}catch(p){let l=p instanceof Error?p.message:String(p);throw new Error(`Failed to create zip: ${l}`)}await O.promises.writeFile(t,a);let c=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${c} MB)`),t}};o(Pe,"ApplicationPackager");var N=Pe;var be=o(async(e,t,n)=>{let r=await new N(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:i,name:s,description:a,versionTag:c}=t,p=await Y(e,n),l=new h(p),m=vt.readFileSync(r),d=Zr.basename(r);await l.deploy(i,s,a,c,m,d,e.published)}finally{try{vt.unlinkSync(r)}catch{}}},"deploy");import{execSync as eo}from"child_process";function Ae(e,t=!0,n={execSync:eo}){console.log("\u{1F4E6} Building app with npm..."),n.execSync("npm run build",{cwd:e,stdio:t?"inherit":"pipe"}),console.log("\u2705 Build successful")}o(Ae,"buildApp");function xt(e,t){let{org:n,project:r,baseUrl:i}=e,s;try{s=new URL(i).hostname}catch{return null}let{externalId:a,versionTag:c}=t,p=new URLSearchParams({cluster:s,customAppVersion:c,workspace:"industrial-tools"});return`https://${n}.fusion.cognite.com/${r}/flows-apps/app/${encodeURIComponent(a)}?${p}`}o(xt,"generateFusionUrl");function Pt(e,t,n){let r=n?"\u{1F680} Deploy (Interactive)":"\u{1F680} Deploy",i=n?`${t.project} @ ${t.baseUrl}`:`${t.org}/${t.project}`;console.log(["",r,"=".repeat(r.length),`App: ${e.name} (${e.externalId})`,`Version: ${e.versionTag}`,`Target: ${i}`,""].join(`
-`))}o(Pt,"printDeployInfo");function bt(e,t){console.log(`
+                                             Fully non-interactive`).action(fo)}o(Ot,"registerCreateCommand");import yo from"path";async function ho(e,t,n){let r=await I(e,{interactive:t.interactive,appId:n,orgHint:t.org});return new h(r)}o(ho,"defaultGetApiClient");async function Co(e,t,n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,getApiClient:a=ho}=n,s=yo.resolve(process.cwd(),e);r(s);let p=i(s);O(p);let c=t.interactive?await $(p,t):b(p.deployments,t.deployment);if(!t.interactive){let u=T(c);if(u.length>0)throw new Error(`Deployment ${c.org}/${c.project} is missing ${u.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps deactivate --interactive\` for browser-based authentication instead.`)}let l=await a(c,t,p.externalId),{externalId:m}=p,d=await l.getActiveVersion(m);if(!d){console.log(`  ${m} has no active version \u2014 nothing to deactivate.`);return}await l.deactivateVersion(m,d.version),console.log(`\u2713 Deactivated  ${m} @ ${d.version} \u2014 active alias removed`)}o(Co,"handleDeactivate");function Rt(e){return e.command("deactivate").description("Deactivate the app by removing its active version from service").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+Examples:
+  npx @cognite/cli apps deactivate .                   Deactivate using env-var auth
+  npx @cognite/cli apps deactivate . --interactive     Deactivate using browser auth (no secrets needed)`).action((t,n)=>Co(t,n))}o(Rt,"registerDeactivateCommand");import{readFile as bo,unlink as Ao}from"fs/promises";import{basename as ko}from"path";import Ut from"fs";import xo from"path";import L from"fs";import v from"path";import{parseAndValidateManifestConfig as wo}from"@cognite/app-sdk/vite";import{BlobReader as vo,Uint8ArrayWriter as Eo,ZipWriter as So}from"@zip.js/zip.js";var Ie="package.json",Te="package-lock.json",_t="manifest.json",$e=".cognite",Fe=class Fe{constructor(t="dist"){this.distPath=v.isAbsolute(t)?t:v.join(process.cwd(),t),this.appRoot=v.dirname(this.distPath)}validateBuildDirectory(){if(!L.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=v.join(this.appRoot,Ie);if(!L.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=v.join(this.appRoot,Te);if(!L.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new So(new Eo,{level:9}),i=o(async(c,l)=>{await r.add(l,new vo(await L.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),a=o(async c=>{let l=await L.promises.readdir(c,{withFileTypes:!0});for(let m of l){let d=v.join(c,m.name);m.isDirectory()?await a(d):await i(d,v.relative(this.distPath,d).replace(/\\/g,"/"))}},"addDir"),s;try{await a(this.distPath);let c=v.join(this.appRoot,Ie);await i(c,v.posix.join($e,Ie));let l=v.join(this.appRoot,_t);if(L.existsSync(l)){let d=L.readFileSync(l,"utf-8");wo(d,l),await i(l,v.posix.join($e,_t))}let m=v.join(this.appRoot,Te);await i(m,v.posix.join($e,Te)),s=await r.close()}catch(c){let l=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${l}`)}await L.promises.writeFile(t,s);let p=(s.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${p} MB)`),t}};o(Fe,"ApplicationPackager");var H=Fe;var Oe=o(async(e,t,n)=>{let r=await new H(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:i,name:a,description:s,versionTag:p}=t,c=await W(e,n),l=new h(c),m=Ut.readFileSync(r),d=xo.basename(r);await l.deploy(i,a,s,p,m,d,e.published)}finally{try{Ut.unlinkSync(r)}catch{}}},"deploy");import{execSync as Po}from"child_process";function Re(e,t=!0,n={execSync:Po}){console.log("\u{1F4E6} Building app with npm..."),n.execSync("npm run build",{cwd:e,stdio:t?"inherit":"pipe"}),console.log("\u2705 Build successful")}o(Re,"buildApp");function Lt(e,t){let{org:n,project:r,baseUrl:i}=e,a;try{a=new URL(i).hostname}catch{return null}let{externalId:s,versionTag:p}=t,c=new URLSearchParams({cluster:a,customAppVersion:p,workspace:"industrial-tools"});return`https://${n}.fusion.cognite.com/${r}/flows-apps/app/${encodeURIComponent(s)}?${c}`}o(Lt,"generateFusionUrl");function Nt(e,t,n){let r=n?"\u{1F680} Deploy (Interactive)":"\u{1F680} Deploy",i=n?`${t.project} @ ${t.baseUrl}`:`${t.org}/${t.project}`;console.log(["",r,"=".repeat(r.length),`App: ${e.name} (${e.externalId})`,`Version: ${e.versionTag}`,`Target: ${i}`,""].join(`
+`))}o(Nt,"printDeployInfo");function jt(e,t){console.log(`
 \u2705 Successfully deployed ${e.name} version ${e.versionTag} to ${t.org?`${t.org}/`:""}${t.project}`),console.log("\u{1F512} App is deployed in draft mode");let n=e.deployments.length>1?` -d ${t.project}`:"";console.log(`
-To publish:  npx @cognite/cli apps publish .${n}`),console.log(`To activate: npx @cognite/cli apps activate .${n}`);let r=xt(t,e);r&&console.log(`
+To publish:  npx @cognite/cli apps publish .${n}`),console.log(`To activate: npx @cognite/cli apps activate .${n}`);let r=Lt(t,e);r&&console.log(`
 \u{1F517} Open your app:
-   ${r}`)}o(bt,"printDeployResult");async function oo(e,t,n,r,i){let s=T(t);if(s.length>0)throw new Error(`Deployment ${t.org}/${t.project} is missing ${s.join(" and ")} in app.json. Use \`cognite apps deploy --interactive\` for browser-based authentication instead.`);Pt(e,t,!1),r.skipBuild||Ae(n),console.log(`
-\u{1F4E4} Deploying to ${t.org}/${t.project}...`),await i({...t,published:!1},{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n),bt(e,t)}o(oo,"handleDeployNonInteractive");async function io(e,t,n,r){Pt(e,t,!0),r.skipBuild||Ae(n);let i=await I(t,{interactive:!0,appId:e.externalId,orgHint:r.org});console.log(`
-\u{1F4E4} Deploying to ${t.project}...`);let s=await new N(`${n}/dist`).createZip("app.zip",!0);try{let a=await to(s);await new h(i).deploy(e.externalId,e.name,e.description,e.versionTag,a,ro(s),!1),bt(e,t)}finally{await no(s).catch(()=>{})}}o(io,"handleDeployInteractive");async function so(e,t=process.cwd(),n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,deploy:s=be}=n;r(t);let a=i(t);if(R(a),e.interactive){let p=await $(a,e);await io(a,p,t,e);return}let c=P(a.deployments,e.deployment);await oo(a,c,t,e,s)}o(so,"handleDeploy");function At(e){return e.command("deploy").description("Deploy your app to Cognite Data Fusion. Use --interactive for browser-based login (no env-var secrets required).").option("-d, --deployment <target>","Deployment target (index or project name)").option("--skip-build","Skip the build step",!1).option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+   ${r}`)}o(jt,"printDeployResult");async function Do(e,t,n,r,i){let a=T(t);if(a.length>0)throw new Error(`Deployment ${t.org}/${t.project} is missing ${a.join(" and ")} in app.json. Use \`cognite apps deploy --interactive\` for browser-based authentication instead.`);Nt(e,t,!1),r.skipBuild||Re(n),console.log(`
+\u{1F4E4} Deploying to ${t.org}/${t.project}...`),await i({...t,published:!1},{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n),jt(e,t)}o(Do,"handleDeployNonInteractive");async function Io(e,t,n,r){Nt(e,t,!0),r.skipBuild||Re(n);let i=await I(t,{interactive:!0,appId:e.externalId,orgHint:r.org});console.log(`
+\u{1F4E4} Deploying to ${t.project}...`);let a=await new H(`${n}/dist`).createZip("app.zip",!0);try{let s=await bo(a);await new h(i).deploy(e.externalId,e.name,e.description,e.versionTag,s,ko(a),!1),jt(e,t)}finally{await Ao(a).catch(()=>{})}}o(Io,"handleDeployInteractive");async function To(e,t=process.cwd(),n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,deploy:a=Oe}=n;r(t);let s=i(t);if(O(s),e.interactive){let c=await $(s,e);await Io(s,c,t,e);return}let p=b(s.deployments,e.deployment);await Do(s,p,t,e,a)}o(To,"handleDeploy");function Kt(e){return e.command("deploy").description("Deploy your app to Cognite Data Fusion. Use --interactive for browser-based login (no env-var secrets required).").option("-d, --deployment <target>","Deployment target (index or project name)").option("--skip-build","Skip the build step",!1).option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Environment (non-interactive):
   deployClientId and deploySecretName are configured per deployment in app.json.
   deploySecretName is the name of the environment variable that holds the client
@@ -98,42 +101,43 @@ Examples:
   npx @cognite/cli apps deploy -d my-project      Deploy to project by name
   npx @cognite/cli apps deploy --skip-build       Deploy without rebuilding
   npx @cognite/cli apps deploy --interactive      Browser auth, prompts for target
-  npx @cognite/cli apps deploy --interactive -d 0 Browser auth, target chosen non-interactively`).action(t=>so(t))}o(At,"registerDeployCommand");async function ao(e){let t=process.cwd();F(t);let n=w(t);R(n);let r=e.interactive?await $(n,e):P(n.deployments,e.deployment);if(!e.interactive){let l=T(r);if(l.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${l.join(" and ")} in app.json. Use \`cognite apps publish --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new h(i),{externalId:a,versionTag:c}=n,p;try{p=await s.getVersion(a,c)}catch(l){throw l instanceof S?new Error(`Version ${c} of ${a} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):l}if(p.alias==="ACTIVE"){console.log(`  ${a} @ ${c} is already ACTIVE \u2014 nothing to do.`);return}if(p.lifecycleState==="PUBLISHED"){console.log(`  ${a} @ ${c} is already PUBLISHED \u2014 nothing to do.`);return}if(p.lifecycleState==="DEPRECATED"||p.lifecycleState==="ARCHIVED")throw new Error(`Cannot publish ${a} @ ${c}: version is ${p.lifecycleState} (terminal).`);await s.publishVersion(a,c),console.log(`\u2713 Published  ${a} @ ${c} is now PUBLISHED`),console.log(""),console.log("Run `npx @cognite/cli apps activate .` to make it active.")}o(ao,"handlePublish");function kt(e){return e.command("publish").description("Publish the current app version (transition DRAFT \u2192 PUBLISHED)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+  npx @cognite/cli apps deploy --interactive -d 0 Browser auth, target chosen non-interactively`).action(t=>To(t))}o(Kt,"registerDeployCommand");async function $o(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await $(n,e):b(n.deployments,e.deployment);if(!e.interactive){let l=T(r);if(l.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${l.join(" and ")} in app.json. Use \`cognite apps publish --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i),{externalId:s,versionTag:p}=n,c;try{c=await a.getVersion(s,p)}catch(l){throw l instanceof k?new Error(`Version ${p} of ${s} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):l}if(c.alias==="ACTIVE"){console.log(`  ${s} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="PUBLISHED"){console.log(`  ${s} @ ${p} is already PUBLISHED \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot publish ${s} @ ${p}: version is ${c.lifecycleState} (terminal).`);await a.publishVersion(s,p),console.log(`\u2713 Published  ${s} @ ${p} is now PUBLISHED`),console.log(""),console.log("Run `npx @cognite/cli apps activate .` to make it active.")}o($o,"handlePublish");function Mt(e){return e.command("publish").description("Publish the current app version (transition DRAFT \u2192 PUBLISHED)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps publish .                    Publish using env-var auth
-  npx @cognite/cli apps publish . --interactive      Publish using browser auth (no secrets needed)`).action((t,n)=>ao(n))}o(kt,"registerPublishCommand");function co(e){return e.alias==="ACTIVE"?"ACTIVE":e.lifecycleState}o(co,"describeStatus");async function po(e){let t=process.cwd();F(t);let n=w(t);R(n);let r=e.interactive?await $(n,e):P(n.deployments,e.deployment);if(!e.interactive){let a=T(r);if(a.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${a.join(" and ")} in app.json. Use \`cognite apps status --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new h(i);console.log(""),console.log(`App:     ${n.name} (${n.externalId})`),console.log(`Version: ${n.versionTag}  (local)`);try{let a=await s.getVersion(n.externalId,n.versionTag),c=co(a);console.log(`Status:  ${c}`),a.lifecycleState==="DRAFT"&&(console.log(""),console.log("Run `npx @cognite/cli apps publish .` to publish this version."))}catch(a){if(a instanceof S){console.log("Status:  not deployed yet"),console.log(""),console.log("Run `npx @cognite/cli apps deploy` to upload this version.");return}throw a}}o(po,"handleStatus");function Dt(e){return e.command("status").description("Show the deployment status of the current app version").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+  npx @cognite/cli apps publish . --interactive      Publish using browser auth (no secrets needed)`).action((t,n)=>$o(n))}o(Mt,"registerPublishCommand");function Fo(e){return e.alias==="ACTIVE"?"ACTIVE":e.lifecycleState}o(Fo,"describeStatus");async function Oo(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await $(n,e):b(n.deployments,e.deployment);if(!e.interactive){let s=T(r);if(s.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${s.join(" and ")} in app.json. Use \`cognite apps status --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i);console.log(""),console.log(`App:     ${n.name} (${n.externalId})`),console.log(`Version: ${n.versionTag}  (local)`);try{let s=await a.getVersion(n.externalId,n.versionTag),p=Fo(s);console.log(`Status:  ${p}`),s.lifecycleState==="DRAFT"&&(console.log(""),console.log("Run `npx @cognite/cli apps publish .` to publish this version."))}catch(s){if(s instanceof k){console.log("Status:  not deployed yet"),console.log(""),console.log("Run `npx @cognite/cli apps deploy` to upload this version.");return}throw s}}o(Oo,"handleStatus");function Vt(e){return e.command("status").description("Show the deployment status of the current app version").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps status .                     Status using env-var auth
-  npx @cognite/cli apps status . --interactive       Status using browser auth (no secrets needed)`).action((t,n)=>po(n))}o(Dt,"registerStatusCommand");function It(e){let t=e.command("apps").description("Manage Fusion Custom Apps \u2014 create, deploy, and manage version lifecycle");return St(t),At(t),Dt(t),kt(t),ct(t),He(t),t}o(It,"registerAppsCommand");import{existsSync as oi,mkdirSync as ii,writeFileSync as si}from"fs";import{dirname as _e,join as Ue}from"path";import{execFile as mo}from"child_process";import{promisify as uo}from"util";import{platform as lo}from"os";function K(e={}){let{platform:t=lo}=e;return t()==="darwin"}o(K,"isMacOS");var Tt="cognite-flows",go=uo(mo),$t=o((e,t)=>go(e,t),"defaultExecFile"),fo=-25300,yo=fo&255;function ho(e){if(!(e instanceof Error)||!("code"in e)||e.code!==yo)return!1;let t="stderr"in e?String(e.stderr):"";return/could not be found/i.test(t)||t===""}o(ho,"isKeychainNotFoundError");async function Ft(e,t,n={}){if(!K(n))throw new Error("Keychain storage is only supported on macOS");let{execFile:r=$t}=n;await r("security",["add-generic-password","-a",e,"-s",Tt,"-w",Buffer.from(t,"utf-8").toString("base64"),"-U"])}o(Ft,"storeKeyInKeychain");async function Rt(e,t={}){if(!K(t))return null;let{execFile:n=$t}=t;try{let{stdout:r}=await n("security",["find-generic-password","-a",e,"-s",Tt,"-w"]);return Buffer.from(r.trim(),"base64").toString("utf-8")}catch(r){if(ho(r))return null;throw r}}o(Rt,"readKeyFromKeychain");import{pbkdf2 as So,randomBytes as Co}from"crypto";import{promisify as vo}from"util";import{CompactEncrypt as xo,base64url as Po,compactDecrypt as tp}from"jose";var Eo=new TextEncoder,wo=new TextDecoder,Ot={encode:o(e=>Eo.encode(e),"encode"),decode:o(e=>wo.decode(e),"decode")};var bo=vo(So),ke=6e5,Ao="sha512",ko="PBKDF2-HMAC-SHA512",Do=16,Io="A256GCM",To=32,_t=2e6;async function $o(e,t,n){return await bo(e,t,n,To,Ao)}o($o,"deriveKey");async function Ut(e,t,n=ke){if(!Number.isInteger(n)||n<1||n>_t)throw new Error(`Invalid iterations: must be an integer between 1 and ${_t}`);let r=Co(Do),i=await $o(t,r,n);return await new xo(Ot.encode(e)).setProtectedHeader({alg:"dir",enc:Io,kdf:ko,kdf_iter:n,kdf_salt:Po.encode(r)}).encrypt(i)}o(Ut,"encryptStringAsJwe");import{calculateJwkThumbprint as Fo,exportJWK as Ro,exportPKCS8 as Oo,exportSPKI as _o,generateKeyPair as Uo}from"jose";async function Lt(){let{publicKey:e,privateKey:t}=await Uo("EdDSA",{extractable:!0}),n=await Oo(t),r=await _o(e),i=await Ro(e),s=await Fo(i);return{privateKeyPem:n,publicKeyPem:r,kid:s}}o(Lt,"generateSigningKeyPair");import{existsSync as No,readdirSync as Ko,readFileSync as jo}from"fs";import{join as re}from"path";import{homedir as Lo}from"os";import{join as Nt}from"path";function j(e={}){let{env:t=process.env,homedir:n=Lo}=e,r=t.DUNE_HOME?.trim()||Nt(n(),".dune");return{home:r,keysDir:Nt(r,"keys")}}o(j,"getConfig");var oe=".pub.pem",De=".key.jwe",Mo=".pem",Ie=".meta.json";function Kt(e){switch(e.kind){case"keychain":return"Keychain";case"encrypted-file":return e.path;case"legacy-unencrypted-file":return`${e.path} (unencrypted \u2014 rotate)`;case"public-only":return"public-only (private key missing)"}}o(Kt,"formatLocalKeySource");function Vo(e){return{existsSync:e.existsSync??No,readdirSync:e.readdirSync??Ko,readFileSync:e.readFileSync??((t,n)=>jo(t,n)),isMacOS:e.isMacOS??(()=>K()),readKeyFromKeychain:e.readKeyFromKeychain??(t=>Rt(t))}}o(Vo,"resolveDeps");function Ho(e){try{let t=JSON.parse(e);if(typeof t=="object"&&t!==null&&!Array.isArray(t)&&"email"in t&&typeof t.email=="string")return t.email}catch{}}o(Ho,"readEmailFromMeta");function Bo(e,t){return t.existsSync(e)?t.readdirSync(e).filter(n=>n.endsWith(oe)):[]}o(Bo,"publicKeyEntries");function Go(e){return e.slice(0,-oe.length)}o(Go,"kidFromPublicKeyFilename");async function Yo(e,t,n){if(n.isMacOS()&&await n.readKeyFromKeychain(e).catch(()=>null)!==null)return{kind:"keychain"};let r=re(t,`${e}${De}`);if(n.existsSync(r))return{kind:"encrypted-file",path:r};let i=re(t,`${e}${Mo}`);return n.existsSync(i)?{kind:"legacy-unencrypted-file",path:i}:{kind:"public-only"}}o(Yo,"resolveSource");async function jt(e=j().keysDir,t={}){let n=Vo(t),r=new Set,i=Bo(e,n).flatMap(s=>{let a=Go(s);return!a||r.has(a)?[]:(r.add(a),[{kid:a,entry:s}])});return Promise.all(i.map(async({kid:s,entry:a})=>{let c=await Yo(s,e,n),p=re(e,`${s}${Ie}`),l;try{l=Ho(n.readFileSync(p,"utf8"))}catch{}return{kid:s,source:c,publicKeyPath:re(e,a),email:l}}))}o(jt,"discoverLocalKeys");function Mt(e,t){let n=e.getUTCFullYear(),r=e.getUTCMonth()+t,i=new Date(Date.UTC(n,r+1,0)).getUTCDate(),s=Math.min(e.getUTCDate(),i);return new Date(Date.UTC(n,r,s))}o(Mt,"addMonthsClamped");function Te(e){return e.toISOString().slice(0,10)}o(Te,"formatIsoDate");function Vt(e=new Date){return Te(e)}o(Vt,"todayIso");import Jo,{Chalk as Xo}from"chalk";var $e=new Xo({level:0});function Ht(e){return e.isTTY?Jo:$e}o(Ht,"chalkForStream");function zo(e){return e.replace(/-----BEGIN [^-]+-----/g,"").replace(/-----END [^-]+-----/g,"").replace(/\s+/g,"")}o(zo,"pemBodyOneLine");function Bt(e,t=$e,n=new Date){let r=e.issuedAt??Vt(n),i=zo(e.publicKeyPem),s="  ",a=o((p,l)=>`${s}${t.cyan(p)}${t.dim(":")} ${l}
-`,"kv"),c="";return c+=`
+  npx @cognite/cli apps status . --interactive       Status using browser auth (no secrets needed)`).action((t,n)=>Oo(n))}o(Vt,"registerStatusCommand");function Ht(e){let t=e.command("apps").description("Manage Fusion Custom Apps \u2014 create, deploy, and manage version lifecycle");return Ot(t),Kt(t),Vt(t),Mt(t),yt(t),Rt(t),qe(t),t}o(Ht,"registerAppsCommand");import{existsSync as Ei,mkdirSync as Si,writeFileSync as xi}from"fs";import{dirname as He,join as ue}from"path";import{generateSigningKeyPair as Pi}from"@cognite/app-sdk/codesigning";import{execFile as _o}from"child_process";import{promisify as Uo}from"util";import{platform as Ro}from"os";function G(e={}){let{platform:t=Ro}=e;return t()==="darwin"}o(G,"isMacOS");var Gt="cognite-flows",Lo=Uo(_o),Bt=o((e,t)=>Lo(e,t),"defaultExecFile"),No=-25300,jo=No&255;function Ko(e){if(!(e instanceof Error)||!("code"in e)||e.code!==jo)return!1;let t="stderr"in e?String(e.stderr):"";return/could not be found/i.test(t)||t===""}o(Ko,"isKeychainNotFoundError");async function Yt(e,t,n={}){if(!G(n))throw new Error("Keychain storage is only supported on macOS");let{execFile:r=Bt}=n;await r("security",["add-generic-password","-a",e,"-s",Gt,"-w",Buffer.from(t,"utf-8").toString("base64"),"-U"])}o(Yt,"storeKeyInKeychain");async function Jt(e,t={}){if(!G(t))return null;let{execFile:n=Bt}=t;try{let{stdout:r}=await n("security",["find-generic-password","-a",e,"-s",Gt,"-w"]);return Buffer.from(r.trim(),"base64").toString("utf-8")}catch(r){if(Ko(r))return null;throw r}}o(Jt,"readKeyFromKeychain");import{pbkdf2 as Ho,randomBytes as Go}from"crypto";import{promisify as Bo}from"util";import{CompactEncrypt as Yo,base64url as Jo,compactDecrypt as Oc}from"jose";var Mo=new TextEncoder,Vo=new TextDecoder,Xt={encode:o(e=>Mo.encode(e),"encode"),decode:o(e=>Vo.decode(e),"decode")};var Xo=Bo(Ho),_e=6e5,zo="sha512",Wo="PBKDF2-HMAC-SHA512",qo=16,Qo="A256GCM",Zo=32,zt=2e6;async function ei(e,t,n){return await Xo(e,t,n,Zo,zo)}o(ei,"deriveKey");async function Wt(e,t,n=_e){if(!Number.isInteger(n)||n<1||n>zt)throw new Error(`Invalid iterations: must be an integer between 1 and ${zt}`);let r=Go(qo),i=await ei(t,r,n);return await new Yo(Xt.encode(e)).setProtectedHeader({alg:"dir",enc:Qo,kdf:Wo,kdf_iter:n,kdf_salt:Jo.encode(r)}).encrypt(i)}o(Wt,"encryptStringAsJwe");import{existsSync as ni,readdirSync as ri,readFileSync as oi}from"fs";import{join as ce}from"path";import{homedir as ti}from"os";import{join as qt}from"path";function N(e={}){let{env:t=process.env,homedir:n=ti}=e,r=t.DUNE_HOME?.trim()||qt(n(),".dune");return{home:r,keysDir:qt(r,"keys")}}o(N,"getConfig");var ee=".pub.pem",Ue=".key.jwe",ii=".pem",Le=".meta.json";function Qt(e){switch(e.kind){case"keychain":return"Keychain";case"encrypted-file":return e.path;case"legacy-unencrypted-file":return`${e.path} (unencrypted \u2014 rotate)`;case"public-only":return"public-only (private key missing)"}}o(Qt,"formatLocalKeySource");function si(e){return{existsSync:e.existsSync??ni,readdirSync:e.readdirSync??ri,readFileSync:e.readFileSync??((t,n)=>oi(t,n)),isMacOS:e.isMacOS??(()=>G()),readKeyFromKeychain:e.readKeyFromKeychain??(t=>Jt(t))}}o(si,"resolveDeps");function ai(e){try{let t=JSON.parse(e);if(typeof t=="object"&&t!==null&&!Array.isArray(t)&&"email"in t&&typeof t.email=="string")return t.email}catch{}}o(ai,"readEmailFromMeta");function pi(e,t){return t.existsSync(e)?t.readdirSync(e).filter(n=>n.endsWith(ee)):[]}o(pi,"publicKeyEntries");function ci(e){return e.slice(0,-ee.length)}o(ci,"kidFromPublicKeyFilename");async function li(e,t,n){if(n.isMacOS()&&await n.readKeyFromKeychain(e).catch(()=>null)!==null)return{kind:"keychain"};let r=ce(t,`${e}${Ue}`);if(n.existsSync(r))return{kind:"encrypted-file",path:r};let i=ce(t,`${e}${ii}`);return n.existsSync(i)?{kind:"legacy-unencrypted-file",path:i}:{kind:"public-only"}}o(li,"resolveSource");async function Zt(e=N().keysDir,t={}){let n=si(t),r=new Set,i=pi(e,n).flatMap(a=>{let s=ci(a);return!s||r.has(s)?[]:(r.add(s),[{kid:s,entry:a}])});return Promise.all(i.map(async({kid:a,entry:s})=>{let p=await li(a,e,n),c=ce(e,`${a}${Le}`),l;try{l=ai(n.readFileSync(c,"utf8"))}catch{}return{kid:a,source:p,publicKeyPath:ce(e,s),email:l}}))}o(Zt,"discoverLocalKeys");function en(e,t){let n=e.getUTCFullYear(),r=e.getUTCMonth()+t,i=new Date(Date.UTC(n,r+1,0)).getUTCDate(),a=Math.min(e.getUTCDate(),i);return new Date(Date.UTC(n,r,a))}o(en,"addMonthsClamped");function Ne(e){return e.toISOString().slice(0,10)}o(Ne,"formatIsoDate");function tn(e=new Date){return Ne(e)}o(tn,"todayIso");import mi,{Chalk as di}from"chalk";var je=new di({level:0});function nn(e){return e.isTTY?mi:je}o(nn,"chalkForStream");function ui(e){return e.replace(/-----BEGIN [^-]+-----/g,"").replace(/-----END [^-]+-----/g,"").replace(/\s+/g,"")}o(ui,"pemBodyOneLine");function rn(e,t=je,n=new Date){let r=e.issuedAt??tn(n),i=ui(e.publicKeyPem),a="  ",s=o((c,l)=>`${a}${t.cyan(c)}${t.dim(":")} ${l}
+`,"kv"),p="";return p+=`
 ${t.bold("Add this entry to")} ${t.magenta("services/app-hosting/config/signing-keys.yaml")} ${t.bold("under")} ${t.cyan("public_keys:")}
 
-`,c+=`${t.dim("-")} ${t.cyan("kid")}${t.dim(":")} ${t.green(e.kid)}
-`,c+=a("public_key",t.green(i)),c+=a("email",t.yellow(e.email)),c+=a("capabilities",`${t.dim("[")}${t.yellow("developer")}${t.dim("]")}`),c+=a("issued_at",t.green(r)),c+=a("expires",t.green(e.expires)),c+=a("revoked_at",t.dim("null")),c}o(Bt,"renderRegistryEntry");import{email as Wo,pipe as qo,safeParse as Qo,string as Zo}from"valibot";var ei=qo(Zo(),Wo());function W(e,t="email"){let n=e.trim();if(!n)throw new Error(`${t} is required`);if(!Qo(ei,n).success)throw new Error(`${t} must look like an email (user@example.com); got "${e}"`);return n}o(W,"parseEmail");function q(e,t="--expires"){let n=Number(e);if(!Number.isInteger(n)||n<1||n>12)throw new Error(`${t} must be an integer between 1 and 12 (months); got "${e}"`);return n}o(q,"parseExpiryMonths");import ri from"enquirer";import{execFileSync as ti}from"child_process";function Gt(e={}){let{execFileSync:t=ti}=e;try{return String(t("git",["config","--get","user.email"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]})).trim()||void 0}catch{return}}o(Gt,"gitUserEmail");var ie=3,Yt=`Key expiry in months (${1}-${12})`,Jt="Email address for the registry entry",Xt=`Passphrase for the encrypted private key (min ${15} chars)`,zt="Confirm passphrase",Wt=o(()=>`Passphrase must be at least ${15} characters`,"passphraseTooShortMsg"),qt=o(e=>`Passphrases do not match (attempt ${e}/${ie}).
-`,"passphraseMismatchMsg"),Qt=`Passphrase confirmation failed after ${ie} attempts`;async function Oe(e){return ri.prompt(e)}o(Oe,"defaultPrompt");function Zt(e){return t=>{try{return e(t),!0}catch(n){return n instanceof Error?n.message:"Invalid"}}}o(Zt,"parserAsValidator");async function en(e={}){let{prompt:t=Oe}=e,{months:n}=await t({type:"input",name:"months",message:Yt,initial:String(6),validate:Zt(r=>q(r,"expiry"))});return q(n,"expiry")}o(en,"promptExpiryMonths");async function tn(e={}){let{prompt:t=Oe,gitUserEmail:n=Gt}=e,{email:r}=await t({type:"input",name:"email",message:Jt,initial:n(),validate:Zt(i=>W(i,"email"))});return W(r,"email")}o(tn,"promptEmail");async function nn(e={}){let{prompt:t=Oe,stderr:n=process.stderr}=e;for(let r=1;r<=ie;r+=1){let{passphrase:i}=await t({type:"password",name:"passphrase",message:Xt,validate:o(a=>a.length>=15?!0:Wt(),"validate")}),{confirm:s}=await t({type:"password",name:"confirm",message:zt});if(i===s)return i;n.write(qt(r))}throw new Error(Qt)}o(nn,"promptPassphrase");function ai(e){return{writeFileSync:e.writeFileSync??si,mkdirSync:e.mkdirSync??ii,existsSync:e.existsSync??oi,generateSigningKeyPair:e.generateSigningKeyPair??Lt,encryptStringAsJwe:e.encryptStringAsJwe??Ut,storeKeyInKeychain:e.storeKeyInKeychain??Ft,isMacOS:e.isMacOS??K,promptExpiryMonths:e.promptExpiryMonths??en,promptEmail:e.promptEmail??tn,promptPassphrase:e.promptPassphrase??nn,discoverLocalKeys:e.discoverLocalKeys??(()=>jt())}}o(ai,"resolveDeps");function on(e,t={}){let n=ai(t),r=e.command("keys").description("Manage code signing keys");r.command("generate").description("Generate an Ed25519 keypair for code signing").option("-o, --output <path>","Encrypted private key output path (forces file storage even on macOS)").option("--no-keychain","Skip macOS Keychain and write a passphrase-encrypted private key under ~/.dune/keys/ instead").option("-e, --expires <months>",`Validity in months (${1}-${12}); skips the interactive prompt`).option("--email <address>","Email address for the registry entry; skips the interactive prompt").action(i=>li(i,n)),r.command("list").description("List local signing identities and their storage location").action(()=>ci(n))}o(on,"registerKeysCommand");async function ci(e){let t=await e.discoverLocalKeys();if(t.length===0){process.stdout.write(`No signing identities found.
-`),process.stdout.write(`Run \`cognite keys generate\` to create one (storage: ${j().keysDir}).
-`);return}let n=["KID","SOURCE","EMAIL"],r=t.map(a=>[a.kid,Kt(a.source),a.email??"\u2014"]),i=n.map((a,c)=>Math.max(a.length,...r.map(p=>p[c].length))),s=o(a=>a.map((c,p)=>c.padEnd(i[p])).join("  ").trimEnd(),"fmt");process.stdout.write(`${s(n)}
-`);for(let a of r)process.stdout.write(`${s(a)}
-`)}o(ci,"handleList");function rn(e,t,n){let r=Ue(j().keysDir,`${e}${oe}`);return n.mkdirSync(_e(r),{recursive:!0}),n.writeFileSync(r,t),r}o(rn,"writePublicKey");async function pi(e,t,n,r,i){let s=r??Ue(j().keysDir,`${e}${De}`);if(i.mkdirSync(_e(s),{recursive:!0}),i.existsSync(s))throw new Error(`Refusing to overwrite existing key at ${s}. Delete it first if you really want to regenerate: rm ${s}`);let a=await i.encryptStringAsJwe(t,n);return i.writeFileSync(s,a,{mode:384}),s}o(pi,"writeEncryptedPrivateKey");async function li(e,t,n=new Date){let r=e.keychain!==!1&&t.isMacOS()&&!e.output,i=e.expires!==void 0?q(e.expires):await t.promptExpiryMonths(),s=Te(Mt(n,i)),a=e.email!==void 0?W(e.email,"--email"):await t.promptEmail(),c=r?null:await t.promptPassphrase();process.stderr.write(`
+`,p+=`${t.dim("-")} ${t.cyan("kid")}${t.dim(":")} ${t.green(e.kid)}
+`,p+=s("public_key",t.green(i)),p+=s("email",t.yellow(e.email)),p+=s("capabilities",`${t.dim("[")}${t.yellow("developer")}${t.dim("]")}`),p+=s("issued_at",t.green(r)),p+=s("expires",t.green(e.expires)),p+=s("revoked_at",t.dim("null")),p}o(rn,"renderRegistryEntry");import{email as gi,pipe as fi,safeParse as yi,string as hi}from"valibot";var Ci=fi(hi(),gi());function te(e,t="email"){let n=e.trim();if(!n)throw new Error(`${t} is required`);if(!yi(Ci,n).success)throw new Error(`${t} must look like an email (user@example.com); got "${e}"`);return n}o(te,"parseEmail");function ne(e,t="--expires"){let n=Number(e);if(!Number.isInteger(n)||n<1||n>12)throw new Error(`${t} must be an integer between 1 and 12 (months); got "${e}"`);return n}o(ne,"parseExpiryMonths");import gn from"enquirer";var le=3,on="Signing identity (kid) \u2014 e.g. jsmith-dev-001 (lowercase letters, digits, hyphens)",sn=`Key expiry in months (${1}-${12})`,an="Email address for the registry entry",pn=`Passphrase for the encrypted private key (min ${15} chars)`,cn="Confirm passphrase",ln=o(()=>`Passphrase must be at least ${15} characters`,"passphraseTooShortMsg"),mn=o(e=>`Passphrases do not match (attempt ${e}/${le}).
+`,"passphraseMismatchMsg"),dn=`Passphrase confirmation failed after ${le} attempts`,un=o(e=>`A signing key with kid "${e}" already exists. Overwrite it?`,"confirmOverwriteMsg");async function de(e){return gn.prompt(e)}o(de,"defaultPrompt");function Ve(e){return t=>{try{return e(t),!0}catch(n){return n instanceof Error?n.message:"Invalid"}}}o(Ve,"parserAsValidator");var vi=/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;function me(e){let t=e.trim();if(!t)throw new Error("--kid must not be empty");if(t.length>64)throw new Error("--kid must be 64 characters or fewer");if(!vi.test(t))throw new Error("--kid must contain only lowercase letters, digits, and hyphens, and must not start or end with a hyphen (e.g. jsmith-dev-001)");return t}o(me,"parseKid");async function fn(e={}){let{prompt:t=de}=e,{kid:n}=await t({type:"input",name:"kid",message:on,validate:Ve(me)});return me(n)}o(fn,"promptKid");async function yn(e={}){let{prompt:t=de}=e,{months:n}=await t({type:"input",name:"months",message:sn,initial:String(6),validate:Ve(r=>ne(r,"expiry"))});return ne(n,"expiry")}o(yn,"promptExpiryMonths");async function hn(e={}){let{prompt:t=de,gitUserEmail:n=vt}=e,{email:r}=await t({type:"input",name:"email",message:an,initial:n(),validate:Ve(i=>te(i,"email"))});return te(r,"email")}o(hn,"promptEmail");async function Cn(e={}){let{prompt:t=de,stderr:n=process.stderr}=e;for(let r=1;r<=le;r+=1){let{passphrase:i}=await t({type:"password",name:"passphrase",message:pn,validate:o(s=>s.length>=15?!0:ln(),"validate")}),{confirm:a}=await t({type:"password",name:"confirm",message:cn});if(i===a)return i;n.write(mn(r))}throw new Error(dn)}o(Cn,"promptPassphrase");async function wn(e,t={}){let{prompt:n=o(i=>gn.prompt(i),"prompt")}=t,{confirmed:r}=await n({type:"confirm",name:"confirmed",message:un(e),initial:!1});return r}o(wn,"promptConfirmOverwrite");function bi(e){return{writeFileSync:e.writeFileSync??xi,mkdirSync:e.mkdirSync??Si,existsSync:e.existsSync??Ei,generateSigningKeyPair:e.generateSigningKeyPair??Pi,encryptStringAsJwe:e.encryptStringAsJwe??Wt,storeKeyInKeychain:e.storeKeyInKeychain??Yt,isMacOS:e.isMacOS??G,promptKid:e.promptKid??fn,promptExpiryMonths:e.promptExpiryMonths??yn,promptEmail:e.promptEmail??hn,promptPassphrase:e.promptPassphrase??Cn,promptConfirmOverwrite:e.promptConfirmOverwrite??wn,discoverLocalKeys:e.discoverLocalKeys??(()=>Zt())}}o(bi,"resolveDeps");function En(e,t={}){let n=bi(t),r=e.command("keys").description("Manage code signing keys");r.command("generate").description("Generate an Ed25519 keypair for code signing").option("-o, --output <path>","Encrypted private key output path (forces file storage even on macOS)").option("--no-keychain","Skip macOS Keychain and write a passphrase-encrypted private key under ~/.dune/keys/ instead").option("-e, --expires <months>",`Validity in months (${1}-${12}); skips the interactive prompt`).option("--email <address>","Email address for the registry entry; skips the interactive prompt").option("--kid <identifier>","Signing identity name for the registry (e.g. jsmith-dev-001); skips the interactive prompt").option("--force","Overwrite an existing key without prompting for confirmation").action(i=>Di(i,n)),r.command("list").description("List local signing identities and their storage location").action(()=>Ai(n))}o(En,"registerKeysCommand");async function Ai(e){let t=await e.discoverLocalKeys();if(t.length===0){process.stdout.write(`No signing identities found.
+`),process.stdout.write(`Run \`cognite keys generate\` to create one (storage: ${N().keysDir}).
+`);return}let n=["KID","SOURCE","EMAIL"],r=t.map(s=>[s.kid,Qt(s.source),s.email??"\u2014"]),i=n.map((s,p)=>Math.max(s.length,...r.map(c=>c[p].length))),a=o(s=>s.map((p,c)=>p.padEnd(i[c])).join("  ").trimEnd(),"fmt");process.stdout.write(`${a(n)}
+`);for(let s of r)process.stdout.write(`${a(s)}
+`)}o(Ai,"handleList");function vn(e,t,n){let r=ue(N().keysDir,`${e}${ee}`);return n.mkdirSync(He(r),{recursive:!0}),n.writeFileSync(r,t),r}o(vn,"writePublicKey");async function ki(e,t,n,r,i,{force:a=!1}={}){let s=r??ue(N().keysDir,`${e}${Ue}`);if(i.mkdirSync(He(s),{recursive:!0}),!a&&i.existsSync(s))throw new Error(`Refusing to overwrite existing key at ${s}. Delete it first if you really want to regenerate: rm ${s}`);let p=await i.encryptStringAsJwe(t,n);return i.writeFileSync(s,p,{mode:384}),s}o(ki,"writeEncryptedPrivateKey");async function Di(e,t,n=new Date){let{isMacOS:r,existsSync:i,mkdirSync:a,writeFileSync:s,generateSigningKeyPair:p,storeKeyInKeychain:c,promptExpiryMonths:l,promptKid:m,promptEmail:d,promptPassphrase:u,promptConfirmOverwrite:C}=t,g=e.keychain!==!1&&r()&&!e.output,E=e.expires!==void 0?ne(e.expires):await l(),S=Ne(en(n,E)),y=e.kid!==void 0?me(e.kid):await m(),R=ue(N().keysDir,`${y}${ee}`),A=i(R);if(A&&!e.force&&!await C(y)){process.stderr.write(`Aborted.
+`);return}let x=e.email!==void 0?te(e.email,"--email"):await d(),P=g?null:await u();process.stderr.write(`
 Generating Ed25519 keypair...
 
-`);let{privateKeyPem:p,publicKeyPem:l,kid:m}=await t.generateSigningKeyPair();if(r){await t.storeKeyInKeychain(m,p);let f=rn(m,l,t);process.stderr.write(`Public key:  ${f}
-`),process.stderr.write(`Private key: macOS Keychain (service: cognite-dune, account: ${m})
-`)}else{if(c===null)throw new Error("passphrase is required when not using Keychain");let f=await pi(m,p,c,e.output,t),g=rn(m,l,t);process.stderr.write(`Public key:  ${g}
-`),process.stderr.write(`Private key: ${f} (JWE, AES-256-GCM, PBKDF2-SHA512 x${ke.toLocaleString()})
-`),t.isMacOS()||process.stderr.write(`   (macOS Keychain integration is the default on darwin; on this OS we use the file.)
-`)}let d=Ue(j().keysDir,`${m}${Ie}`);t.mkdirSync(_e(d),{recursive:!0}),t.writeFileSync(d,JSON.stringify({email:a}));let u=Ht(process.stderr);process.stderr.write(`
-Signing identity (kid): ${u.green(m)}
-`),process.stderr.write(`Expires: ${s} (${i} month${i===1?"":"s"} from today)
-`),process.stderr.write(Bt({kid:m,publicKeyPem:l,email:a,expires:s},u,n)),process.stderr.write(`
-${u.bold("Next:")} open a PR against the ${u.magenta("infrastructure")} repo with that block, then \`${u.cyan(`cognite sign -s ${m}`)}\`
-`)}o(li,"handleGenerate");var sn=1e3,mi=new Set(["baseUrl","url","project","deployment","source","path","name","displayName","description"]);function di(e){return Object.fromEntries(Object.entries(e).map(([t,n])=>typeof n=="boolean"?[t,n]:mi.has(t)?[t,n]:[t,"[REDACTED]"]))}o(di,"sanitize");function ui(e){let t=[],n=e;for(;n;)n.parent&&t.unshift(n.name()),n=n.parent;return t.join(" ")}o(ui,"getCommandPath");function an(e){try{let t=e(process.cwd());return{appExternalId:t.externalId,appVersionTag:t.versionTag}}catch{return{}}}o(an,"tryLoadAppConfig");function Le(e){return e.filter(t=>!t.startsWith("-")).join(" ")||"unknown"}o(Le,"commandFromArgv");function cn(e,t,n=w){e.hook("postAction",async(r,i)=>{try{let s={command:ui(i),options:di(i.opts()),success:!0,...an(n)};t.track("Flows.CLI.Command",s),await t.flush(sn)}catch{}})}o(cn,"instrument");async function pn(e,t,n=w){try{let r={command:Le(t),options:{},success:!1,...an(n)};e.track("Flows.CLI.Command",r),await e.flush(sn)}catch{}}o(pn,"trackFailure");var gi="ERR_USE_AFTER_CLOSE";function mn(e){return e instanceof Error&&"code"in e&&e.code===gi}o(mn,"isReadlineClosedError");function fi(e){let t=Object.getPrototypeOf(e);return t===Object.prototype||t===null}o(fi,"isPlainObject");function Ne(e){return e==null||mn(e)?!0:e instanceof Error?!1:!!(typeof e=="object"&&e!==null&&fi(e)&&Object.keys(e).length===0)}o(Ne,"isPromptCancel");var ln=!1;function dn(){ln||(ln=!0,process.on("uncaughtException",e=>{mn(e)&&(console.error(`
-Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}),process.on("unhandledRejection",e=>{Ne(e)&&(console.error(`
-Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}))}o(dn,"installCancelHandler");import un from"mixpanel";var yi="5c4d853e7c3b77b1eb4468d5329b278c",Q="cognite-cli",hi=2e3,gn={env:process.env,init:un.init.bind(un)},Ei={track:o(()=>{},"track"),flush:o(async()=>{},"flush")};function Ke(e=process.env){return e.COGNITE_TELEMETRY_DISABLED==="1"||e.DO_NOT_TRACK==="1"}o(Ke,"isTelemetryDisabled");function wi(e){return e.COGNITE_TELEMETRY_DEBUG==="1"}o(wi,"isDebug");function fn(e={}){let t=e.env??gn.env,n=e.init??gn.init,r=e.packageName,i=e.cliVersion,s=wi(t);if(Ke(t))return s&&process.stderr.write(`[telemetry] disabled \u2014 noop tracker
-`),Ei;let a,c=new Set;function p(){if(a)return a;try{return a=n(yi,{geolocate:!1,keepAlive:!1}),a}catch{return}}return o(p,"getClient"),{track(l,m={}){let d=p();if(!d)return;let u={...m,applicationId:Q,...r&&{packageName:r},...i&&{cliVersion:i},nodeVersion:process.version,platform:process.platform};s&&process.stderr.write(`[telemetry] track ${l} ${JSON.stringify(u)}
-`);let f=o(()=>{},"finish"),g=new Promise(b=>{f=b});c.add(g);try{d.track(l,u,f)}catch{f()}g.finally(()=>c.delete(g))},async flush(l=hi){if(c.size===0)return;let m,d=new Promise(u=>{m=setTimeout(u,l),m.unref?.()});try{await Promise.race([Promise.allSettled([...c]),d])}finally{m&&clearTimeout(m)}s&&process.stderr.write(`[telemetry] flush done (${c.size} still pending)
-`)}}}o(fn,"createTelemetry");var Si=1e3,Ci="https://0a118cb02e3be57b1838bcfb5783a2bf@o4508040730968064.ingest.de.sentry.io/4510719268290640",vi={captureError:o(async()=>{},"captureError"),flush:o(async()=>{},"flush")};function xi(e){return e.packageName&&e.cliVersion?`${e.packageName}@${e.cliVersion}`:e.cliVersion??"unknown"}o(xi,"buildRelease");var Pi="192.0.2.0";function bi(e){let t={...e.user,email:void 0,username:void 0,ip_address:Pi,id:void 0};return{...e,user:t,server_name:void 0}}o(bi,"scrubPii");function yn(e={}){let t=e.env??process.env;if(Ke(t))return vi;let n=xi(e),r="production",i=null,s=null;function a(){return{dsn:Ci,release:n,environment:r,defaultIntegrations:!1,integrations:[],sendDefaultPii:!1,enableLogs:!1,initialScope:{tags:{component:"cli",applicationId:Q},contexts:{cli:{applicationId:Q,node:process.version,platform:process.platform}}},beforeSend:bi}}o(a,"buildInitOptions");async function c(){return i||(s||(s=(async()=>{try{let p=e.sdk??await import("@sentry/node");return p.init(a()),i=p,p}catch{return null}})()),s)}return o(c,"ensureSdk"),{async captureError(p,l){try{let m=await c();if(!m)return;let d={level:"fatal"};l?.command&&(d.tags={command:l.command},d.contexts={cli:{applicationId:Q,node:process.version,platform:process.platform,command:l.command}}),m.captureException(p,d)}catch{}},async flush(p=Si){try{if(!i)return;await i.flush(p)}catch{}}}}o(yn,"createErrorReporter");import{mkdirSync as Ai,readFileSync as ki,writeFileSync as Di}from"fs";import{homedir as Ii}from"os";import{resolve as se}from"path";import{debuglog as Ti}from"util";import{lt as $i,parse as hn}from"semver";var Fi="https://registry.npmjs.org/@cognite/cli/latest",Ri=1500,En="upgrade-check.json",wn=se(process.env.XDG_CACHE_HOME||se(Ii(),".cache"),"@cognite","cli"),je=Ti("cognite-flows");function Oi(e,t){return!e||!t||!hn(e)||!hn(t)?!1:$i(e,t)}o(Oi,"isOutdated");async function _i({timeout:e=Ri,registryUrl:t=Fi,fetchImpl:n=globalThis.fetch}={}){if(typeof n!="function")return null;try{let r=await n(t,{signal:AbortSignal.timeout(e)});if(!r?.ok)return null;let i=await r.json();return typeof i?.version=="string"?i.version:null}catch(r){return je("fetchLatestVersion failed (%s): %O",t,r),null}}o(_i,"fetchLatestVersion");function Ui(e=wn,t=864e5){try{let n=ki(se(e,En),"utf-8"),r=JSON.parse(n);return typeof r.latest!="string"||typeof r.fetchedAt!="number"||Date.now()-r.fetchedAt>t?null:{latest:r.latest,fetchedAt:r.fetchedAt}}catch(n){return je("readUpgradeCheckCache failed (%s): %O",e,n),null}}o(Ui,"readUpgradeCheckCache");function Li(e,t){try{Ai(e,{recursive:!0});let n={latest:t,fetchedAt:Date.now()};Di(se(e,En),JSON.stringify(n))}catch(n){je("writeUpgradeCheckCache failed (%s): %O",e,n)}}o(Li,"writeUpgradeCheckCache");async function Ni({cacheDir:e=wn,...t}={}){let n=await _i(t);n&&Li(e,n)}o(Ni,"startBackgroundUpgradeCheck");function Sn(e,{onOutdated:t,cacheDir:n,...r}={}){let i=Ui(n);if(i){Oi(e,i.latest)&&t?.(e,i.latest);return}Ni({cacheDir:n,...r})}o(Sn,"preActionUpgradeCheck");import{default as $l,chalkStderr as Cn}from"chalk";function vn(e,t){let n=[`\u26A0  Update available: ${e} -> ${t}`,"   Run npx @cognite/cli@latest"],r=Math.max(...n.map(c=>[...c].length))+2,i="\u2500".repeat(r),s=o(c=>`\u2502 ${c}${" ".repeat(r-1-[...c].length)}\u2502`,"pad"),a=[`\u250C${i}\u2510`,...n.map(s),`\u2514${i}\u2518`].join(`
-`);return Cn.bold.yellow(a)}o(vn,"formatUpgradeWarning");function Mi(e){return e instanceof Error&&"code"in e&&typeof e.code=="string"&&e.code==="DEP0040"}o(Mi,"isDep0040Warning");var Ve=process,Vi=Ve.emit.bind(Ve);Ve.emit=function(e,...t){return e==="warning"&&Mi(t[0])?!1:Vi(e,...t)};dn();var B=new ji;B.name("cognite").description("Build and deploy React apps to Cognite Data Fusion").version("1.1.0").showHelpAfterError().configureOutput({writeOut:o(e=>Ki(1,e),"writeOut")});B.hook("preAction",()=>{Sn("1.1.0",{onOutdated:o((e,t)=>{console.warn(`
-${vn(e,t)}
-`)},"onOutdated")})});It(B);on(B);var Pn=fn({packageName:"@cognite/cli",cliVersion:"1.1.0"}),xn=yn({packageName:"@cognite/cli",cliVersion:"1.1.0"});cn(B,Pn);var Me=process.argv.slice(2);B.parseAsync(Me,{from:"user"}).catch(async e=>{await pn(Pn,Me),Ne(e)&&(console.error(`
-Cancelled.`),process.exit(130)),await xn.captureError(e,{command:Le(Me)}),await xn.flush(),console.error(e instanceof Error?`\u274C ${e.message}`:e),process.exit(1)});
+`);let{privateKeyPem:f,publicKeyPem:j}=await p(y);if(g){await c(y,f);let X=vn(y,j,t);process.stderr.write(`Public key:  ${X}
+`),process.stderr.write(`Private key: macOS Keychain (service: cognite-dune, account: ${y})
+`)}else{if(P===null)throw new Error("passphrase is required when not using Keychain");let X=await ki(y,f,P,e.output,t,{force:A}),We=vn(y,j,t);process.stderr.write(`Public key:  ${We}
+`),process.stderr.write(`Private key: ${X} (JWE, AES-256-GCM, PBKDF2-SHA512 x${_e.toLocaleString()})
+`),r()||process.stderr.write(`   (macOS Keychain integration is the default on darwin; on this OS we use the file.)
+`)}let oe=ue(N().keysDir,`${y}${Le}`);a(He(oe),{recursive:!0}),s(oe,JSON.stringify({email:x}));let K=nn(process.stderr);process.stderr.write(`
+Signing identity (kid): ${K.green(y)}
+`),process.stderr.write(`Expires: ${S} (${E} month${E===1?"":"s"} from today)
+`),process.stderr.write(rn({kid:y,publicKeyPem:j,email:x,expires:S},K,n)),process.stderr.write(`
+${K.bold("Next:")} open a PR against the ${K.magenta("infrastructure")} repo with that block, then \`${K.cyan(`cognite sign -s ${y}`)}\`
+`)}o(Di,"handleGenerate");var Sn=1e3,Ii=new Set(["baseUrl","url","project","deployment","source","path","name","displayName","description"]);function Ti(e){return Object.fromEntries(Object.entries(e).map(([t,n])=>typeof n=="boolean"?[t,n]:Ii.has(t)?[t,n]:[t,"[REDACTED]"]))}o(Ti,"sanitize");function $i(e){let t=[],n=e;for(;n;)n.parent&&t.unshift(n.name()),n=n.parent;return t.join(" ")}o($i,"getCommandPath");function xn(e){try{let t=e(process.cwd());return{appExternalId:t.externalId,appVersionTag:t.versionTag}}catch{return{}}}o(xn,"tryLoadAppConfig");function Ge(e){return e.filter(t=>!t.startsWith("-")).join(" ")||"unknown"}o(Ge,"commandFromArgv");function Pn(e,t,n=w){e.hook("postAction",async(r,i)=>{try{let a={command:$i(i),options:Ti(i.opts()),success:!0,...xn(n)};t.track("Flows.CLI.Command",a),await t.flush(Sn)}catch{}})}o(Pn,"instrument");async function bn(e,t,n=w){try{let r={command:Ge(t),options:{},success:!1,...xn(n)};e.track("Flows.CLI.Command",r),await e.flush(Sn)}catch{}}o(bn,"trackFailure");var Fi="ERR_USE_AFTER_CLOSE";function kn(e){return e instanceof Error&&"code"in e&&e.code===Fi}o(kn,"isReadlineClosedError");function Oi(e){let t=Object.getPrototypeOf(e);return t===Object.prototype||t===null}o(Oi,"isPlainObject");function Be(e){return e==null||kn(e)?!0:e instanceof Error?!1:!!(typeof e=="object"&&e!==null&&Oi(e)&&Object.keys(e).length===0)}o(Be,"isPromptCancel");var An=!1;function Dn(){An||(An=!0,process.on("uncaughtException",e=>{kn(e)&&(console.error(`
+Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}),process.on("unhandledRejection",e=>{Be(e)&&(console.error(`
+Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}))}o(Dn,"installCancelHandler");import{homedir as Ni}from"os";import In from"mixpanel";var Ri="5c4d853e7c3b77b1eb4468d5329b278c",re="cognite-cli",_i=2e3,Tn={env:process.env,init:In.init.bind(In)},Ui={track:o(()=>{},"track"),flush:o(async()=>{},"flush")};function Ye(e=process.env){return e.COGNITE_TELEMETRY_DISABLED==="1"||e.DO_NOT_TRACK==="1"}o(Ye,"isTelemetryDisabled");function Li(e){return e.COGNITE_TELEMETRY_DEBUG==="1"}o(Li,"isDebug");function $n(e={}){let t=e.env??Tn.env,n=e.init??Tn.init,r=e.packageName,i=e.cliVersion,a=Li(t);if(Ye(t))return a&&process.stderr.write(`[telemetry] disabled \u2014 noop tracker
+`),Ui;let s,p=new Set;function c(){if(s)return s;try{return s=n(Ri,{geolocate:!1,keepAlive:!1}),s}catch{return}}return o(c,"getClient"),{track(l,m={}){let d=c();if(!d)return;let u={...m,applicationId:re,...r&&{packageName:r},...i&&{cliVersion:i},nodeVersion:process.version,platform:process.platform};a&&process.stderr.write(`[telemetry] track ${l} ${JSON.stringify(u)}
+`);let C=o(()=>{},"finish"),g=new Promise(E=>{C=E});p.add(g);try{d.track(l,u,C)}catch{C()}g.finally(()=>p.delete(g))},async flush(l=_i){if(p.size===0)return;let m,d=new Promise(u=>{m=setTimeout(u,l),m.unref?.()});try{await Promise.race([Promise.allSettled([...p]),d])}finally{m&&clearTimeout(m)}a&&process.stderr.write(`[telemetry] flush done (${p.size} still pending)
+`)}}}o($n,"createTelemetry");var ge=Ni();function Fn(e,t=ge){if(!t||t==="/")return e;let n=e.replaceAll(t,"~"),r=t.replaceAll("\\","/");return r!==t&&(n=n.replaceAll(r,"~")),n}o(Fn,"redactHomedir");var ji=1e3,Ki="https://0a118cb02e3be57b1838bcfb5783a2bf@o4508040730968064.ingest.de.sentry.io/4510719268290640",Mi={captureError:o(async()=>{},"captureError"),flush:o(async()=>{},"flush")};function Vi(e){return e.packageName&&e.cliVersion?`${e.packageName}@${e.cliVersion}`:e.cliVersion??"unknown"}o(Vi,"buildRelease");var Hi="192.0.2.0";function Gi(e){let t={...e.user,email:void 0,username:void 0,ip_address:Hi,id:void 0},n=e.exception?.values?.map(r=>({...r,value:r.value!==void 0?Fn(r.value):r.value}));return{...e,message:e.message!==void 0?Fn(e.message):e.message,user:t,server_name:void 0,...n!==void 0&&{exception:{...e.exception,values:n}}}}o(Gi,"scrubPii");function On(e={}){let t=e.env??process.env;if(Ye(t))return Mi;let n=Vi(e),r="production",i=null,a=null;function s(c){let l=ge&&ge!=="/"?[c.rewriteFramesIntegration({root:ge})]:[];return{dsn:Ki,release:n,environment:r,defaultIntegrations:!1,integrations:l,sendDefaultPii:!1,enableLogs:!1,initialScope:{tags:{component:"cli",applicationId:re},contexts:{cli:{applicationId:re,node:process.version,platform:process.platform}}},beforeSend:Gi}}o(s,"buildInitOptions");async function p(){return i||(a||(a=(async()=>{try{let c=e.sdk??await import("@sentry/node");return c.init(s(c)),i=c,c}catch{return null}})()),a)}return o(p,"ensureSdk"),{async captureError(c,l){try{let m=await p();if(!m)return;let d={level:"fatal"};l?.command&&(d.tags={command:l.command},d.contexts={cli:{applicationId:re,node:process.version,platform:process.platform,command:l.command}}),m.captureException(c,d)}catch{}},async flush(c=ji){try{if(!i)return;await i.flush(c)}catch{}}}}o(On,"createErrorReporter");import{mkdirSync as Bi,readFileSync as Yi,writeFileSync as Ji}from"fs";import{homedir as Xi}from"os";import{resolve as fe}from"path";import{debuglog as zi}from"util";import{lt as Wi,parse as Rn}from"semver";var qi="https://registry.npmjs.org/@cognite/cli/latest",Qi=1500,_n="upgrade-check.json",Un=fe(process.env.XDG_CACHE_HOME||fe(Xi(),".cache"),"@cognite","cli"),Je=zi("cognite-flows");function Zi(e,t){return!e||!t||!Rn(e)||!Rn(t)?!1:Wi(e,t)}o(Zi,"isOutdated");async function es({timeout:e=Qi,registryUrl:t=qi,fetchImpl:n=globalThis.fetch}={}){if(typeof n!="function")return null;try{let r=await n(t,{signal:AbortSignal.timeout(e)});if(!r?.ok)return null;let i=await r.json();return typeof i?.version=="string"?i.version:null}catch(r){return Je("fetchLatestVersion failed (%s): %O",t,r),null}}o(es,"fetchLatestVersion");function ts(e=Un,t=864e5){try{let n=Yi(fe(e,_n),"utf-8"),r=JSON.parse(n);return typeof r.latest!="string"||typeof r.fetchedAt!="number"||Date.now()-r.fetchedAt>t?null:{latest:r.latest,fetchedAt:r.fetchedAt}}catch(n){return Je("readUpgradeCheckCache failed (%s): %O",e,n),null}}o(ts,"readUpgradeCheckCache");function ns(e,t){try{Bi(e,{recursive:!0});let n={latest:t,fetchedAt:Date.now()};Ji(fe(e,_n),JSON.stringify(n))}catch(n){Je("writeUpgradeCheckCache failed (%s): %O",e,n)}}o(ns,"writeUpgradeCheckCache");async function rs({cacheDir:e=Un,...t}={}){let n=await es(t);n&&ns(e,n)}o(rs,"startBackgroundUpgradeCheck");function Ln(e,{onOutdated:t,cacheDir:n,...r}={}){let i=ts(n);if(i){Zi(e,i.latest)&&t?.(e,i.latest);return}rs({cacheDir:n,...r})}o(Ln,"preActionUpgradeCheck");import{default as om,chalkStderr as Nn}from"chalk";function jn(e,t){let n=[`\u26A0  Update available: ${e} -> ${t}`,"   Run npx @cognite/cli@latest"],r=Math.max(...n.map(p=>[...p].length))+2,i="\u2500".repeat(r),a=o(p=>`\u2502 ${p}${" ".repeat(r-1-[...p].length)}\u2502`,"pad"),s=[`\u250C${i}\u2510`,...n.map(a),`\u2514${i}\u2518`].join(`
+`);return Nn.bold.yellow(s)}o(jn,"formatUpgradeWarning");function ss(e){return e instanceof Error&&"code"in e&&typeof e.code=="string"&&e.code==="DEP0040"}o(ss,"isDep0040Warning");var ze=process,as=ze.emit.bind(ze);ze.emit=function(e,...t){return e==="warning"&&ss(t[0])?!1:as(e,...t)};Dn();var J=new is;J.name("cognite").description("Build and deploy React apps to Cognite Data Fusion").version("1.3.0").showHelpAfterError().configureOutput({writeOut:o(e=>os(1,e),"writeOut")});J.hook("preAction",()=>{Ln("1.3.0",{onOutdated:o((e,t)=>{console.warn(`
+${jn(e,t)}
+`)},"onOutdated")})});Ht(J);En(J);var Mn=$n({packageName:"@cognite/cli",cliVersion:"1.3.0"}),Kn=On({packageName:"@cognite/cli",cliVersion:"1.3.0"});Pn(J,Mn);var Xe=process.argv.slice(2);J.parseAsync(Xe,{from:"user"}).catch(async e=>{await bn(Mn,Xe),Be(e)&&(console.error(`
+Cancelled.`),process.exit(130)),await Kn.captureError(e,{command:Ge(Xe)}),await Kn.flush(),console.error(e instanceof Error?`\u274C ${e.message}`:e),process.exit(1)});

package/dist/deploy/index.d.ts

@@ -1,4 +1,4 @@
-import { CogniteClient } from '@cognite/sdk';
+import { CogniteClient, ClientOptions } from '@cognite/sdk';
 
 type Deployment = {
     org: string;
@@ -60,6 +60,9 @@ declare class AppHostingClient {
     publishVersion(appExternalId: string, version: string): Promise<void>;
     /** Publish the version and immediately set it as the ACTIVE alias. */
     publishAndActivate(appExternalId: string, version: string): Promise<void>;
+    getActiveVersion(appExternalId: string): Promise<AppVersion | null>;
+    /** Remove the ACTIVE alias from a version, taking it out of service without changing its lifecycle state. */
+    deactivateVersion(appExternalId: string, version: string): Promise<void>;
     /**
      * Set the ACTIVE alias on a version. Returns the version that was
      * previously active (if any) so callers can surface "Superseded X"
@@ -95,7 +98,9 @@ declare class ApplicationPackager {
     createZip(outputFilename?: string, verbose?: boolean): Promise<string>;
 }
 
-declare const getSdk: (deployment: Deployment, folder: string, env?: NodeJS.ProcessEnv) => Promise<CogniteClient>;
+type Authenticatable = Pick<CogniteClient, 'authenticate'>;
+declare function getSdk(deployment: Deployment, folder: string, env?: NodeJS.ProcessEnv): Promise<CogniteClient>;
+declare function getSdk<C extends Authenticatable>(deployment: Deployment, folder: string, env: NodeJS.ProcessEnv, createClient: (opts: ClientOptions) => C): Promise<C>;
 
 /**
  * Get access token for deployment using the appropriate identity provider.

package/dist/deploy/index.js

@@ -1 +1 @@
-import{a,b,c,d,e}from"../chunk-VJMFH4MH.js";export{a as AppHostingClient,b as ApplicationPackager,e as deploy,d as getSdk,c as getToken};
+import{a,b,c,d,e}from"../chunk-QOJVLP7E.js";export{a as AppHostingClient,b as ApplicationPackager,e as deploy,d as getSdk,c as getToken};

package/dist/index.js

@@ -1 +1 @@
-import{a as o,b as r,c as e,d as f,e as m}from"./chunk-VJMFH4MH.js";export{o as AppHostingClient,r as ApplicationPackager,m as deploy,f as getSdk,e as getToken};
+import{a as o,b as r,c as e,d as f,e as m}from"./chunk-QOJVLP7E.js";export{o as AppHostingClient,r as ApplicationPackager,m as deploy,f as getSdk,e as getToken};

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@cognite/cli",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "CLI for Cognite Data Fusion",
-  "license": "Apache-2.0",
+  "license": "SEE LICENSE IN LICENSE.md",
   "author": "Cognite",
   "repository": {
     "type": "git",
@@ -44,7 +44,7 @@
     "refresh-spec-kit": "bash scripts/refresh-spec-kit.sh"
   },
   "dependencies": {
-    "@cognite/app-sdk": "^0.4.0",
+    "@cognite/app-sdk": "^0.5.1",
     "@cognite/sdk": "^10.10.0",
     "@sentry/node": "^10.51.0",
     "@zip.js/zip.js": "^2.7.0",