npm - @cognite/cli - Versions diffs - 1.3.0 → 1.3.2-alpha-zendesk - Mend

@cognite/cli 1.3.0 → 1.3.2-alpha-zendesk

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/_templates/app/new/root/.npmrc.ejs.t +1 -1
package/_templates/app/new/root/AGENTS.md.ejs.t +26 -8
package/_templates/app/new/root/gitignore.ejs.t +3 -0
package/dist/chunk-TYYH4NWG.js +9 -0
package/dist/cli/cli.js +77 -62
package/dist/deploy/index.d.ts +77 -22
package/dist/deploy/index.js +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/package.json +4 -3
package/dist/chunk-QOJVLP7E.js +0 -9

package/_templates/app/new/root/.npmrc.ejs.t CHANGED Viewed

@@ -2,4 +2,4 @@
 to: '<%= useCurrentDir ? "" : ((directoryName || name) + "/") %>.npmrc'
 ---
 engine-strict=true
-min-release-age=2
+# min-release-age=2

package/_templates/app/new/root/AGENTS.md.ejs.t CHANGED Viewed

@@ -77,9 +77,14 @@ async function updateState(next: AppState, api: HostAppAPI) {
 ## 3. Dependency Injection
-Inject dependencies via React context (hooks/components) or factory-override pattern (plain functions). Never hard-code dependencies.
+**All non-stateless dependencies must be injected.** Never import and call a service, SDK client, or stateful module directly inside a component or hook — it makes the code untestable and tightly coupled.
-### React context
+What to inject: SDK clients, API services, analytics, timers (`Date.now`, `setTimeout`), random generators, external stores.
+What not to inject: pure functions, constants, type utilities.
+Use **narrow interfaces** — depend only on the subset of a service you actually need.
+### React context (hooks and components)
 ```typescript
 const defaultDeps = { useDataSource, useAnalytics };
@@ -91,7 +96,7 @@ export function useMyHook() {
 }
 ```
-### Factory overrides
+### Factory overrides (plain functions)
 ```typescript
 type Deps = { serviceFactory: () => SomeService };
@@ -260,25 +265,38 @@ Place reusable factories in `src/__mocks__/`. Use `.test` TLD for fake URLs (RFC
 ## 7. TypeScript Rules
 - Never use `any`; prefer `unknown` or explicit strong types
-- Never use `as unknown as T`; for partial test doubles use `{ ...defaults, ...overrides } as T`
+- Never use `as` casts — they silence the compiler without providing safety. Use type guards instead.
+- Exception: `Partial<T> as T` is acceptable for test mocks only.
+- All function parameters must have type annotations.
 - Use direct React type imports: `import type { ComponentType, ReactNode } from 'react'`
 ```typescript
-function createMockWindow(overrides: Partial<Window> = {}): Window {
-  return { postMessage: vi.fn(), ...overrides } as Window;
+// ❌ Never
+const x: any = data;
+const y = data as SomeType;
+const z = {} as unknown as Window;
+function process(data) { ... }         // missing parameter type
+// ✅ Type guard
+function isSomeType(value: unknown): value is SomeType {
+  return typeof value === 'object' && value !== null && 'id' in value;
 }
+if (isSomeType(data)) { /* TypeScript now knows */ }
+// ✅ Test mock only
+const mock = { postMessage: vi.fn() } as Partial<Window> as Window;
 ```
 ---
-## 7. CogniteClient / authentication
+## 8. CogniteClient / authentication
 Auth is handled by `CogniteSdkProvider` from `@cognite/app-sdk/react` (see `App.tsx`). Nested components get the client via `useCogniteSdk()`. To wire up or migrate auth, run the `/setup-flows-auth` skill.
 ---
-## 8. Commits and pull requests
+## 9. Commits and pull requests
 Use [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/).

package/_templates/app/new/root/gitignore.ejs.t CHANGED Viewed

@@ -8,6 +8,9 @@ node_modules
 dist
 coverage
+# Retained app bundles from `cognite apps deploy` (signed before publish)
+.cognite-bundles
 # Environment variables
 .env
 .env.local

package/dist/chunk-TYYH4NWG.js ADDED Viewed

@@ -0,0 +1,9 @@
+var tt=Object.defineProperty;var s=(n,t)=>tt(n,"name",{value:t,configurable:!0});import{mkdir as At,readFile as wt}from"fs/promises";import{basename as Et,dirname as St}from"path";var H="https://docs.cognite.com/cdf/access/";function f(n){return n!==null&&typeof n=="object"}s(f,"isRecord");function S(n){return n instanceof Error&&"status"in n&&typeof n.status=="number"}s(S,"isHttpError");function et(n){switch(n){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
+  See: ${H}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
+  See: ${H}`;default:return}}s(et,"httpStatusHint");function h(n){let t=n instanceof Error?n:new Error(String(n));if(!S(t))return null;let e=et(t.status);return e?Object.assign(new Error(`${t.message}
+  ${e}`),{cause:t}):null}s(h,"enrichedHttpError");function nt(n){if(!f(n))return null;let t=n.missing;if(Array.isArray(t))return t;let e=n.data;if(f(e)){let r=e.error;if(f(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(e.missing))return e.missing}return null}s(nt,"findMissingArray");function rt(n,t){if(!S(n)||n.status!==400)return!1;let e=nt(n);return e?e.some(r=>f(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}s(rt,"isMissingExternalIdError");function $(n,t){return S(n)&&n.status===404||rt(n,t)}s($,"isNotFoundError");var J=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],q=["ACTIVE","PREVIEW"],I=class I extends Error{constructor(t,e){super(`Version ${e} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=e}};s(I,"AppVersionNotFoundError");var C=I;function z(n,t){return n.includes(t)}s(z,"includesValue");function ot(n){return z(J,n)}s(ot,"isAppVersionLifecycleState");function st(n){return z(q,n)}s(st,"isAppVersionAlias");function it(n){return typeof n.version=="string"&&ot(n.lifecycleState)&&typeof n.entrypoint=="string"&&typeof n.createdTime=="number"&&typeof n.createdBy=="string"&&typeof n.appExternalId=="string"&&(n.alias===void 0||st(n.alias))&&(n.comment===void 0||typeof n.comment=="string")}s(it,"isAppVersion");function M(n){if(!f(n))throw new Error("Invalid version response: not an object");if(!it(n))throw new Error("Invalid version response: missing or malformed fields");return n}s(M,"parseAppVersion");var b=class b{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,e,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:e,description:r}]}})}catch(o){throw h(o)??o}}async uploadVersion(t,e,r,o,i="index.html"){console.log(`\u{1F4E4} Uploading version ${e}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),o),a.append("version",e),a.append("entryPath",i);let c=encodeURIComponent(t),p=`${this.appsBasePath}/${c}/versions`,l=await this.client.authenticate(),y=`${this.client.getBaseUrl()}${p}`,u=new AbortController,Z=setTimeout(()=>u.abort(),300*1e3),A;try{A=await fetch(y,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:a,signal:u.signal})}catch(g){throw g instanceof Error&&g.name==="AbortError"?new Error("Upload timed out after 5 minutes"):g}finally{clearTimeout(Z)}if(!A.ok){let g=await A.text(),v=g;try{let V=JSON.parse(g);if(f(V)){let w=V.error;if(typeof w=="string")v=w;else if(f(w)){let E=w.message,B=w.code;v=typeof E=="string"?E:B!=null?`Unknown error (code: ${B})`:g}else{let E=V.message;v=typeof E=="string"?E:g}}}catch{}let O=A.headers.get("x-request-id"),Q=O?` | X-Request-ID: ${O}`:"",j=Object.assign(new Error(`Upload failed: ${A.status} \u2014 ${v}${Q}`),{status:A.status});throw h(j)??j}console.log(`\u2705 Version ${e} uploaded`)}async getVersion(t,e){let r=encodeURIComponent(t),o=encodeURIComponent(e),i=`${this.appsBasePath}/${r}/versions/${o}`;try{let a=await this.client.get(i);return M(a.data)}catch(a){throw $(a,[t,e])?new C(t,e):h(a)??a}}async getActiveVersion(t){let e=encodeURIComponent(t),r=`${this.appsBasePath}/${e}/active`;try{let o=await this.client.get(r);return M(o.data)}catch(o){if($(o,[t]))return null;throw h(o)??o}}async updateVersions(t,e){let r=encodeURIComponent(t),o=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(o,{data:{items:e}})}catch(i){throw h(i)??i}}async submitSignatures(t,e,r){let o=encodeURIComponent(t),i=encodeURIComponent(e),a=`${this.appsBasePath}/${o}/versions/${i}/signatures`;try{await this.client.post(a,{data:{items:r}})}catch(c){throw h(c)??c}}};s(b,"AppHostingApi");var k=b;var T=class T{constructor(t){this.api=new k(t)}getVersion(t,e){return this.api.getVersion(t,e)}uploadVersion(t,e,r,o,i){return this.api.uploadVersion(t,e,r,o,i)}async ensureApp(t,e,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,e,r),console.log(`\u2705 App '${t}' created`)}catch(o){if(S(o)&&o.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw o}}async submitSignatures(t,e,r){r.length!==0&&(console.log(`\u{1F50F} Submitting ${r.length} signature${r.length===1?"":"s"} for version ${e}...`),await this.api.submitSignatures(t,e,r),console.log("\u2705 Signatures stored"))}async publishVersion(t,e){await this.api.updateVersions(t,[{version:e,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,e){console.log(`\u{1F680} Publishing and activating version ${e}...`),await this.api.updateVersions(t,[{version:e,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${e} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,e){await this.api.updateVersions(t,[{version:e,update:{alias:{setNull:!0}}}])}async activateVersion(t,e){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let o=r&&r.version!==e?r.version:void 0;return await this.api.updateVersions(t,[{version:e,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:o}}async deploy(t,e,r,o,i,a,c=!1){console.log(`
+\u{1F680} Deploying application via App Hosting API...
+`);try{await this.ensureApp(t,e,r),await this.uploadVersion(t,o,i,a),c&&await this.publishAndActivate(t,o),console.log(`
+\u2705 Deployment successful!`)}catch(p){let l=p instanceof Error?p.message:String(p);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:p})}}};s(T,"AppHostingClient");var P=T;import m from"fs";import d from"path";import{parseAndValidateManifestConfig as at}from"@cognite/app-sdk/vite";import{BlobReader as ct,Uint8ArrayWriter as pt,ZipWriter as lt}from"@zip.js/zip.js";var R="package.json",D="package-lock.json",Y="manifest.json",U=".cognite",_=class _{constructor(t="dist"){this.distPath=d.isAbsolute(t)?t:d.join(process.cwd(),t),this.appRoot=d.dirname(this.distPath)}validateBuildDirectory(){if(!m.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=d.join(this.appRoot,R);if(!m.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let e=d.join(this.appRoot,D);if(!m.existsSync(e))throw new Error(`"${e}" not found. It is required for deployment.`)}async createZip(t="app.zip",e=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new lt(new pt,{level:9}),o=s(async(p,l)=>{await r.add(l,new ct(await m.openAsBlob(p))),e&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),i=s(async p=>{let l=await m.promises.readdir(p,{withFileTypes:!0});for(let y of l){let u=d.join(p,y.name);y.isDirectory()?await i(u):await o(u,d.relative(this.distPath,u).replace(/\\/g,"/"))}},"addDir"),a;try{await i(this.distPath);let p=d.join(this.appRoot,R);await o(p,d.posix.join(U,R));let l=d.join(this.appRoot,Y);if(m.existsSync(l)){let u=m.readFileSync(l,"utf-8");at(u,l),await o(l,d.posix.join(U,Y))}let y=d.join(this.appRoot,D);await o(y,d.posix.join(U,D)),a=await r.close()}catch(p){let l=p instanceof Error?p.message:String(p);throw new Error(`Failed to create zip: ${l}`)}await m.promises.writeFile(t,a);let c=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${c} MB)`),t}};s(_,"ApplicationPackager");var x=_;import dt from"path";var G=".cognite-bundles";function K(n,t){return`${n}-${t}.zip`}s(K,"bundleFileName");function F(n,t,e){return dt.join(n,G,K(t,e))}s(F,"bundlePath");import{CogniteClient as yt}from"@cognite/sdk";var ut=s(()=>{let n=process.env.DEPLOYMENT_SECRETS;if(!n)return{};try{let t=JSON.parse(n),e={};for(let[r,o]of Object.entries(t))if(typeof o=="string"){let i=r.toLowerCase().replace(/_/g,"-");e[i]=o}return e}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),gt=s(n=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=ut()[n]),t||(t=process.env[n]),!t)throw new Error(`Secret not found in environment: ${n}`);return t},"getSecretFromEnv"),ft=s(n=>{if(!n)return"";try{return new URL(n).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=n.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),mt=s(async(n,t)=>{let e=`Basic ${btoa(`${n}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:e,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let i=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
+${i}`)}let o=await r.json();if(!o.access_token)throw new Error("No access token returned from CDF authentication");return o.access_token},"getTokenCdf"),ht=s(async(n,t,e,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let o=ft(r);if(!o)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let i=`https://login.microsoftonline.com/${e}/oauth2/v2.0/token`,a=`https://${o}.cognitedata.com/.default`,c=await fetch(i,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:n,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!c.ok){let l=await c.text();throw new Error(`Failed to get token from Entra ID: ${c.status} ${c.statusText}
+${l}`)}let p=await c.json();if(!p.access_token)throw new Error("No access token returned from Entra ID authentication");return p.access_token},"getTokenEntra"),L=s(async(n,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:e,deploySecretName:r,idpType:o="cdf",tenantId:i,baseUrl:a}=n,c=gt(r);if(o==="entra_id"){if(!i)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return ht(e,c,i,a)}return mt(e,c)},"getToken");async function N(n,t,e=process.env,r){let o=await L(n,e),i=e.COGNITE_BASE_URL??n.baseUrl,a=(r??(c=>new yt(c)))({appId:t,project:n.project,baseUrl:i,oidcTokenProvider:s(async()=>o,"oidcTokenProvider")});return await a.authenticate(),a}s(N,"getSdk");async function W(n,t,e,r){let{externalId:o,name:i,description:a,versionTag:c}=t,p=F(e,o,c);await At(St(p),{recursive:!0}),await new x(`${e}/dist`).createZip(p,!0);let l=await wt(p);await new P(n).deploy(o,i,a,c,l,Et(p),r)}s(W,"packageAndUpload");var Pt=s(async(n,t,e)=>{let r=await N(n,e);await W(r,t,e,n.published)},"deploy");import{existsSync as xt,readFileSync as vt}from"fs";var X=[".dev.sig",".cert.sig"];function Ct(n,t={}){let e=t.existsSync??xt,r=t.readFileSync??((i,a)=>vt(i,a)),o=[];for(let i of X){let a=`${n}${i}`;if(!e(a))continue;let c=r(a,"utf8").trim();c.length>0&&o.push(c)}return o}s(Ct,"discoverSignatures");export{P as a,x as b,G as c,K as d,F as e,L as f,N as g,W as h,Pt as i,X as j,Ct as k};

package/dist/cli/cli.js CHANGED Viewed

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
-import{a as o,e as qe}from"../chunk-A5ASLC6T.js";import{writeSync as os}from"fs";import{Command as is}from"commander";var Qe="https://docs.cognite.com/cdf/access/";function _(e){return e!==null&&typeof e=="object"}o(_,"isRecord");function z(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}o(z,"isHttpError");function Yn(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
-  See: ${Qe}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
-  See: ${Qe}`;default:return}}o(Yn,"httpStatusHint");function B(e){let t=e instanceof Error?e:new Error(String(e));if(!z(t))return null;let n=Yn(t.status);return n?Object.assign(new Error(`${t.message}
-  ${n}`),{cause:t}):null}o(B,"enrichedHttpError");function Jn(e){if(!_(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(_(n)){let r=n.error;if(_(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}o(Jn,"findMissingArray");function Xn(e,t){if(!z(e)||e.status!==400)return!1;let n=Jn(e);return n?n.some(r=>_(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}o(Xn,"isMissingExternalIdError");function ye(e,t){return z(e)&&e.status===404||Xn(e,t)}o(ye,"isNotFoundError");var et=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],tt=["ACTIVE","PREVIEW"],he=class he extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};o(he,"AppVersionNotFoundError");var k=he;function nt(e,t){return e.includes(t)}o(nt,"includesValue");function zn(e){return nt(et,e)}o(zn,"isAppVersionLifecycleState");function Wn(e){return nt(tt,e)}o(Wn,"isAppVersionAlias");function qn(e){return typeof e.version=="string"&&zn(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||Wn(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}o(qn,"isAppVersion");function Ze(e){if(!_(e))throw new Error("Invalid version response: not an object");if(!qn(e))throw new Error("Invalid version response: missing or malformed fields");return e}o(Ze,"parseAppVersion");var Ce=class Ce{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(i){throw B(i)??i}}async uploadVersion(t,n,r,i,a="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let s=new FormData;s.append("file",new Blob([new Uint8Array(r)]),i),s.append("version",n),s.append("entryPath",a);let p=encodeURIComponent(t),c=`${this.appsBasePath}/${p}/versions`,l=await this.client.authenticate(),m=`${this.client.getBaseUrl()}${c}`,d=new AbortController,u=setTimeout(()=>d.abort(),300*1e3),C;try{C=await fetch(m,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:s,signal:d.signal})}catch(g){throw g instanceof Error&&g.name==="AbortError"?new Error("Upload timed out after 5 minutes"):g}finally{clearTimeout(u)}if(!C.ok){let g=await C.text(),E=g;try{let A=JSON.parse(g);if(_(A)){let x=A.error;if(typeof x=="string")E=x;else if(_(x)){let P=x.message,f=x.code;E=typeof P=="string"?P:f!=null?`Unknown error (code: ${f})`:g}else{let P=A.message;E=typeof P=="string"?P:g}}}catch{}let S=C.headers.get("x-request-id"),y=S?` | X-Request-ID: ${S}`:"",R=Object.assign(new Error(`Upload failed: ${C.status} \u2014 ${E}${y}`),{status:C.status});throw B(R)??R}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),i=encodeURIComponent(n),a=`${this.appsBasePath}/${r}/versions/${i}`;try{let s=await this.client.get(a);return Ze(s.data)}catch(s){throw ye(s,[t,n])?new k(t,n):B(s)??s}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let i=await this.client.get(r);return Ze(i.data)}catch(i){if(ye(i,[t]))return null;throw B(i)??i}}async updateVersions(t,n){let r=encodeURIComponent(t),i=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(i,{data:{items:n}})}catch(a){throw B(a)??a}}};o(Ce,"AppHostingApi");var ie=Ce;var we=class we{constructor(t){this.api=new ie(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,i,a){return this.api.uploadVersion(t,n,r,i,a)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(i){if(z(i)&&i.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw i}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let i=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:i}}async deploy(t,n,r,i,a,s,p=!1){console.log(`
+import{a as o,e as gt}from"../chunk-A5ASLC6T.js";import{writeSync as ca}from"fs";import{Command as la}from"commander";import{createReadStream as Go,existsSync as Jo,readFileSync as Yo,writeFileSync as qo}from"fs";import{basename as zo,dirname as Wo,join as Xo,resolve as he}from"path";import{hashDevSignature as Zo,parseScope as Qo,signBundle as ei,validateScopes as ti}from"@cognite/app-sdk/codesigning";var ft="https://docs.cognite.com/cdf/access/";function K(e){return e!==null&&typeof e=="object"}o(K,"isRecord");function X(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}o(X,"isHttpError");function hr(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
+  See: ${ft}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
+  See: ${ft}`;default:return}}o(hr,"httpStatusHint");function M(e){let t=e instanceof Error?e:new Error(String(e));if(!X(t))return null;let n=hr(t.status);return n?Object.assign(new Error(`${t.message}
+  ${n}`),{cause:t}):null}o(M,"enrichedHttpError");function Sr(e){if(!K(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(K(n)){let r=n.error;if(K(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}o(Sr,"findMissingArray");function wr(e,t){if(!X(e)||e.status!==400)return!1;let n=Sr(e);return n?n.some(r=>K(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}o(wr,"isMissingExternalIdError");function Ie(e,t){return X(e)&&e.status===404||wr(e,t)}o(Ie,"isNotFoundError");var ht=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],St=["ACTIVE","PREVIEW"],$e=class $e extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};o($e,"AppVersionNotFoundError");var T=$e;function wt(e,t){return e.includes(t)}o(wt,"includesValue");function vr(e){return wt(ht,e)}o(vr,"isAppVersionLifecycleState");function Cr(e){return wt(St,e)}o(Cr,"isAppVersionAlias");function Pr(e){return typeof e.version=="string"&&vr(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||Cr(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}o(Pr,"isAppVersion");function yt(e){if(!K(e))throw new Error("Invalid version response: not an object");if(!Pr(e))throw new Error("Invalid version response: missing or malformed fields");return e}o(yt,"parseAppVersion");var Fe=class Fe{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(i){throw M(i)??i}}async uploadVersion(t,n,r,i,s="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),i),a.append("version",n),a.append("entryPath",s);let p=encodeURIComponent(t),c=`${this.appsBasePath}/${p}/versions`,l=await this.client.authenticate(),d=`${this.client.getBaseUrl()}${c}`,m=new AbortController,g=setTimeout(()=>m.abort(),300*1e3),u;try{u=await fetch(d,{method:"POST",headers:{Authorization:`Bearer ${l}`},body:a,signal:m.signal})}catch(f){throw f instanceof Error&&f.name==="AbortError"?new Error("Upload timed out after 5 minutes"):f}finally{clearTimeout(g)}if(!u.ok){let f=await u.text(),S=f;try{let y=JSON.parse(f);if(K(y)){let C=y.error;if(typeof C=="string")S=C;else if(K(C)){let $=C.message,w=C.code;S=typeof $=="string"?$:w!=null?`Unknown error (code: ${w})`:f}else{let $=y.message;S=typeof $=="string"?$:f}}}catch{}let v=u.headers.get("x-request-id"),h=v?` | X-Request-ID: ${v}`:"",b=Object.assign(new Error(`Upload failed: ${u.status} \u2014 ${S}${h}`),{status:u.status});throw M(b)??b}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),i=encodeURIComponent(n),s=`${this.appsBasePath}/${r}/versions/${i}`;try{let a=await this.client.get(s);return yt(a.data)}catch(a){throw Ie(a,[t,n])?new T(t,n):M(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let i=await this.client.get(r);return yt(i.data)}catch(i){if(Ie(i,[t]))return null;throw M(i)??i}}async updateVersions(t,n){let r=encodeURIComponent(t),i=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(i,{data:{items:n}})}catch(s){throw M(s)??s}}async submitSignatures(t,n,r){let i=encodeURIComponent(t),s=encodeURIComponent(n),a=`${this.appsBasePath}/${i}/versions/${s}/signatures`;try{await this.client.post(a,{data:{items:r}})}catch(p){throw M(p)??p}}};o(Fe,"AppHostingApi");var de=Fe;var Te=class Te{constructor(t){this.api=new de(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,i,s){return this.api.uploadVersion(t,n,r,i,s)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(i){if(X(i)&&i.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw i}}async submitSignatures(t,n,r){r.length!==0&&(console.log(`\u{1F50F} Submitting ${r.length} signature${r.length===1?"":"s"} for version ${n}...`),await this.api.submitSignatures(t,n,r),console.log("\u2705 Signatures stored"))}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let i=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:i}}async deploy(t,n,r,i,s,a,p=!1){console.log(`
 \u{1F680} Deploying application via App Hosting API...
-`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,i,a,s),p&&await this.publishAndActivate(t,i),console.log(`
-\u2705 Deployment successful!`)}catch(c){let l=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:c})}}};o(we,"AppHostingClient");var h=we;import{existsSync as pr,readFileSync as cr}from"fs";import{resolve as lr}from"path";import{array as Qn,boolean as Zn,check as rt,forward as ot,literal as er,maxLength as tr,minLength as nr,nonEmpty as Y,object as it,optional as M,picklist as rr,pipe as U,safeParse as or,string as D,url as ir}from"valibot";var ve=U(D(),Y("must not be empty")),Ee=U(D(),Y("must not be empty"),tr(256,"must be 256 characters or fewer")),Se=U(D(),Y("must not be empty"),ir("must be a valid URL")),xe=U(D(),Y("must not be empty")),Pe=U(D(),Y("must not be empty")),sr=U(it({org:xe,project:Pe,baseUrl:Se,deployClientId:M(D(),""),deploySecretName:M(D(),""),published:M(Zn(),!1),idpType:M(rr(["cdf","entra_id"]),"cdf"),tenantId:M(D())}),ot(rt(e=>e.idpType!=="entra_id"||!!e.tenantId,'must be set when idpType is "entra_id"'),["tenantId"]),ot(rt(e=>!e.deployClientId||!!e.deploySecretName,"must be set when deployClientId is set"),["deploySecretName"])),ar=it({name:ve,externalId:Ee,versionTag:U(D(),Y("must not be empty")),description:M(D(),""),deployments:U(Qn(sr),nr(1,"must contain at least one deployment")),infra:M(er("appsApi"))});function be(e){let t=or(ar,e);if(t.success)return t.output;let n=t.issues[0],r=n.path?.map(a=>a.key).join(".")??"",i=r?`"${r}" `:"";throw new Error(`app.json: ${i}${n.message}`)}o(be,"validateAppConfig");function w(e,t={}){let{validator:n=be,existsSync:r=pr,readFileSync:i=cr}=t,a=lr(e,"app.json");if(!r(a))throw new Error("No app.json found in current directory. Make sure you're running this command from your app's root directory.");let s=i(a,"utf-8"),p;try{p=JSON.parse(s)}catch{throw new Error("Failed to parse app.json \u2014 check that it contains valid JSON.")}return n(p)}o(w,"loadAppConfig");import{CogniteClient as Rr}from"@cognite/sdk";import{CogniteClient as yr}from"@cognite/sdk";var mr=o(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,i]of Object.entries(t))if(typeof i=="string"){let a=r.toLowerCase().replace(/_/g,"-");n[a]=i}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),dr=o(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=mr()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),ur=o(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),gr=o(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let a=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
-${a}`)}let i=await r.json();if(!i.access_token)throw new Error("No access token returned from CDF authentication");return i.access_token},"getTokenCdf"),fr=o(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let i=ur(r);if(!i)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let a=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,s=`https://${i}.cognitedata.com/.default`,p=await fetch(a,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:s,grant_type:"client_credentials"})});if(!p.ok){let l=await p.text();throw new Error(`Failed to get token from Entra ID: ${p.status} ${p.statusText}
-${l}`)}let c=await p.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),Ae=o(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:i="cdf",tenantId:a,baseUrl:s}=e,p=dr(r);if(i==="entra_id"){if(!a)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return fr(n,p,a,s)}return gr(n,p)},"getToken");async function W(e,t,n=process.env,r){let i=await Ae(e,n),a=n.COGNITE_BASE_URL??e.baseUrl,s=(r??(p=>new yr(p)))({appId:t,project:e.project,baseUrl:a,oidcTokenProvider:o(async()=>i,"oidcTokenProvider")});return await s.authenticate(),s}o(W,"getSdk");import xr from"os";import Pr from"path";import br from"open";import{buildAuthorizationUrl as Ar,calculatePKCECodeChallenge as kr,discovery as Dr,None as Ir,randomPKCECodeVerifier as Tr,randomState as $r}from"openid-client";import hr from"https";import{authorizationCodeGrant as Cr}from"openid-client";function st(e){return e.replace(/[&<>"']/g,t=>({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"})[t]??t)}o(st,"escapeHtml");function ke(e,t,n){let r=st(t),i=st(n);return`<html><body style="font-family: system-ui; padding: 40px; text-align: center;">
+`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,i,s,a),p&&await this.publishAndActivate(t,i),console.log(`
+\u2705 Deployment successful!`)}catch(c){let l=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${l}`),{cause:c})}}};o(Te,"AppHostingClient");var P=Te;import Er from"path";var vt=".cognite-bundles";function Ct(e,t){return`${e}-${t}.zip`}o(Ct,"bundleFileName");function V(e,t,n){return Er.join(e,vt,Ct(t,n))}o(V,"bundlePath");import{existsSync as br,readFileSync as kr}from"fs";var Pt=[".dev.sig",".cert.sig"];function Z(e,t={}){let n=t.existsSync??br,r=t.readFileSync??((s,a)=>kr(s,a)),i=[];for(let s of Pt){let a=`${e}${s}`;if(!n(a))continue;let p=r(a,"utf8").trim();p.length>0&&i.push(p)}return i}o(Z,"discoverSignatures");import{existsSync as Ur,readFileSync as Kr}from"fs";import{resolve as Lr}from"path";import{array as xr,boolean as Ar,check as Et,forward as bt,literal as Dr,maxLength as Ir,minLength as $r,nonEmpty as z,object as kt,optional as H,picklist as Fr,pipe as L,safeParse as Tr,string as O,url as Or}from"valibot";var Oe=L(O(),z("must not be empty")),Re=L(O(),z("must not be empty"),Ir(256,"must be 256 characters or fewer")),_e=L(O(),z("must not be empty"),Or("must be a valid URL")),Ue=L(O(),z("must not be empty")),Ke=L(O(),z("must not be empty")),Rr=L(kt({org:Ue,project:Ke,baseUrl:_e,deployClientId:H(O(),""),deploySecretName:H(O(),""),published:H(Ar(),!1),idpType:H(Fr(["cdf","entra_id"]),"cdf"),tenantId:H(O())}),bt(Et(e=>e.idpType!=="entra_id"||!!e.tenantId,'must be set when idpType is "entra_id"'),["tenantId"]),bt(Et(e=>!e.deployClientId||!!e.deploySecretName,"must be set when deployClientId is set"),["deploySecretName"])),_r=kt({name:Oe,externalId:Re,versionTag:L(O(),z("must not be empty")),description:H(O(),""),deployments:L(xr(Rr),$r(1,"must contain at least one deployment")),infra:H(Dr("appsApi"))});function Le(e){let t=Tr(_r,e);if(t.success)return t.output;let n=t.issues[0],r=n.path?.map(s=>s.key).join(".")??"",i=r?`"${r}" `:"";throw new Error(`app.json: ${i}${n.message}`)}o(Le,"validateAppConfig");function E(e,t={}){let{validator:n=Le,existsSync:r=Ur,readFileSync:i=Kr}=t,s=Lr(e,"app.json");if(!r(s))throw new Error("No app.json found in current directory. Make sure you're running this command from your app's root directory.");let a=i(s,"utf-8"),p;try{p=JSON.parse(a)}catch{throw new Error("Failed to parse app.json \u2014 check that it contains valid JSON.")}return n(p)}o(E,"loadAppConfig");import{CogniteClient as po}from"@cognite/sdk";import{CogniteClient as Br}from"@cognite/sdk";var jr=o(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,i]of Object.entries(t))if(typeof i=="string"){let s=r.toLowerCase().replace(/_/g,"-");n[s]=i}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),Nr=o(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=jr()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),Mr=o(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),Vr=o(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let s=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
+${s}`)}let i=await r.json();if(!i.access_token)throw new Error("No access token returned from CDF authentication");return i.access_token},"getTokenCdf"),Hr=o(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let i=Mr(r);if(!i)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let s=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,a=`https://${i}.cognitedata.com/.default`,p=await fetch(s,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!p.ok){let l=await p.text();throw new Error(`Failed to get token from Entra ID: ${p.status} ${p.statusText}
+${l}`)}let c=await p.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),je=o(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:i="cdf",tenantId:s,baseUrl:a}=e,p=Nr(r);if(i==="entra_id"){if(!s)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return Hr(n,p,s,a)}return Vr(n,p)},"getToken");async function Q(e,t,n=process.env,r){let i=await je(e,n),s=n.COGNITE_BASE_URL??e.baseUrl,a=(r??(p=>new Br(p)))({appId:t,project:e.project,baseUrl:s,oidcTokenProvider:o(async()=>i,"oidcTokenProvider")});return await a.authenticate(),a}o(Q,"getSdk");import Xr from"os";import Zr from"path";import Qr from"open";import{buildAuthorizationUrl as eo,calculatePKCECodeChallenge as to,discovery as no,None as ro,randomPKCECodeVerifier as oo,randomState as io}from"openid-client";import Gr from"https";import{authorizationCodeGrant as Jr}from"openid-client";function xt(e){return e.replace(/[&<>"']/g,t=>({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"})[t]??t)}o(xt,"escapeHtml");function Ne(e,t,n){let r=xt(t),i=xt(n);return`<html><body style="font-family: system-ui; padding: 40px; text-align: center;">
     <h1>${r}</h1><p>${i}</p><p>You can close this window.</p>${e==="success"?`<style>
       @keyframes checkmark {
         0% { transform: scale(0); }
@@ -16,28 +16,32 @@ ${l}`)}let c=await p.json();if(!c.access_token)throw new Error("No access token
       }
       h1 { animation: checkmark 0.5s ease-out; }
     </style>`:""}
-  </body></html>`}o(ke,"generateHtml");async function wr(e,t,n,r,i,a){let s=new URL(e.url??"/",`https://${e.headers.host??"localhost"}`);if(s.pathname!=="/")return t.writeHead(404),t.end("Not found"),{shouldClose:!1};try{console.log("\u{1F504} Exchanging authorization code for tokens...");let p=await a.authorizationCodeGrant(n,s,{pkceCodeVerifier:r,expectedState:i});return t.writeHead(200,{"Content-Type":"text/html"}),t.end(ke("success","Login Successful!","You can close this window and return to the terminal.")),{shouldClose:!0,tokens:p}}catch(p){let c=p instanceof Error?p:new Error(String(p));return t.writeHead(400,{"Content-Type":"text/html"}),t.end(ke("error","Authentication Error",c.message)),{shouldClose:!0,error:c}}}o(wr,"handleCallback");function vr(e){let t=e/6e4,n=Math.round(t*10)/10;return`${n} ${n===1?"minute":"minutes"}`}o(vr,"formatTimeoutMinutes");function at(e,t,n,r,i,a={createServer:hr.createServer,setTimeout:globalThis.setTimeout,clearTimeout:globalThis.clearTimeout,authorizationCodeGrant:Cr}){return new Promise((s,p)=>{let c,l=a.setTimeout(()=>{c?.close(),p(new Error(`Login timeout - no response received within ${vr(e.loginTimeout)}`))},e.loginTimeout);c=a.createServer(t,async(m,d)=>{try{let u=await wr(m,d,n,r,i,a);u.shouldClose&&(a.clearTimeout(l),c?.close(),u.error?p(u.error):u.tokens?s(u.tokens):p(new Error("No tokens received")))}catch(u){a.clearTimeout(l),c?.close(),p(u instanceof Error?u:new Error(String(u)))}}),c.on("error",m=>{a.clearTimeout(l),m.code==="EADDRINUSE"?console.error(`\u274C Port ${e.port} is already in use.`):console.error(`\u274C Server error: ${m.message}`),p(m)}),c.listen(e.port,"127.0.0.1",()=>{console.log(`\u{1F310} Local HTTPS server started on https://localhost:${e.port}`)})})}o(at,"startCallbackServer");import{execFileSync as Er}from"child_process";import De from"fs";import pt from"path";function ct(e,t,n){return{key:n.readFileSync(e),cert:n.readFileSync(t)}}o(ct,"loadCertificates");function Sr(e,t,n,r){console.log("\u{1F510} Generating self-signed certificate for HTTPS..."),r.existsSync(e)||r.mkdirSync(e,{recursive:!0});try{return r.execFileSync("openssl",["req","-x509","-newkey","rsa:2048","-nodes","-sha256","-subj","/CN=localhost","-keyout",t,"-out",n,"-days","365"],{stdio:["ignore","pipe","ignore"]}),console.log("\u2705 Certificate generated and saved locally"),ct(t,n,r)}catch{throw new Error(`Failed to generate self-signed certificate. Make sure openssl is installed.
+  </body></html>`}o(Ne,"generateHtml");async function Yr(e,t,n,r,i,s){let a=new URL(e.url??"/",`https://${e.headers.host??"localhost"}`);if(a.pathname!=="/")return t.writeHead(404),t.end("Not found"),{shouldClose:!1};try{console.log("\u{1F504} Exchanging authorization code for tokens...");let p=await s.authorizationCodeGrant(n,a,{pkceCodeVerifier:r,expectedState:i});return t.writeHead(200,{"Content-Type":"text/html"}),t.end(Ne("success","Login Successful!","You can close this window and return to the terminal.")),{shouldClose:!0,tokens:p}}catch(p){let c=p instanceof Error?p:new Error(String(p));return t.writeHead(400,{"Content-Type":"text/html"}),t.end(Ne("error","Authentication Error",c.message)),{shouldClose:!0,error:c}}}o(Yr,"handleCallback");function qr(e){let t=e/6e4,n=Math.round(t*10)/10;return`${n} ${n===1?"minute":"minutes"}`}o(qr,"formatTimeoutMinutes");function At(e,t,n,r,i,s={createServer:Gr.createServer,setTimeout:globalThis.setTimeout,clearTimeout:globalThis.clearTimeout,authorizationCodeGrant:Jr}){return new Promise((a,p)=>{let c=s.createServer(t,async(m,g)=>{try{let u=await Yr(m,g,n,r,i,s);u.shouldClose&&(d(),u.error?p(u.error):u.tokens?a(u.tokens):p(new Error("No tokens received")))}catch(u){d(),p(u instanceof Error?u:new Error(String(u)))}}),l=s.setTimeout(()=>{d(),p(new Error(`Login timeout - no response received within ${qr(e.loginTimeout)}`))},e.loginTimeout);function d(){s.clearTimeout(l),c.close()}o(d,"cleanup"),c.on("error",m=>{d(),m.code==="EADDRINUSE"?console.error(`\u274C Port ${e.port} is already in use.`):console.error(`\u274C Server error: ${m.message}`),p(m)}),c.listen(e.port,"127.0.0.1",()=>{console.log(`\u{1F310} Local HTTPS server started on https://localhost:${e.port}`)})})}o(At,"startCallbackServer");import{execFileSync as zr}from"child_process";import Me from"fs";import Dt from"path";function It(e,t,n){return{key:n.readFileSync(e),cert:n.readFileSync(t)}}o(It,"loadCertificates");function Wr(e,t,n,r){console.log("\u{1F510} Generating self-signed certificate for HTTPS..."),r.existsSync(e)||r.mkdirSync(e,{recursive:!0});try{return r.execFileSync("openssl",["req","-x509","-newkey","rsa:2048","-nodes","-sha256","-subj","/CN=localhost","-keyout",t,"-out",n,"-days","365"],{stdio:["ignore","pipe","ignore"]}),console.log("\u2705 Certificate generated and saved locally"),It(t,n,r)}catch{throw new Error(`Failed to generate self-signed certificate. Make sure openssl is installed.
   On macOS: openssl is pre-installed
   On Linux: sudo apt-get install openssl
-  On Windows: Install OpenSSL or use WSL`)}}o(Sr,"generateCertificate");function lt(e,t={existsSync:De.existsSync,readFileSync:o(n=>De.readFileSync(n),"readFileSync"),mkdirSync:o((n,r)=>{De.mkdirSync(n,r)},"mkdirSync"),execFileSync:Er}){let n=pt.join(e,"localhost-key.pem"),r=pt.join(e,"localhost-cert.pem");return t.existsSync(n)&&t.existsSync(r)?ct(n,r,t):Sr(e,n,r,t)}o(lt,"getOrCreateCertificates");var Fr={authority:"https://auth.cognite.com",clientId:"0404baaa-0a90-43a2-aba7-a110b53fb41c",redirectUri:"https://localhost:3000/",port:3e3,loginTimeout:300*1e3,certDir:Pr.join(xr.homedir(),".cdf-login")},Or={open:br,getOrCreateCertificates:lt,startCallbackServer:at,discovery:Dr,buildAuthorizationUrl:Ar,randomPKCECodeVerifier:Tr,calculatePKCECodeChallenge:kr,randomState:$r,logger:console};async function dt(e,t=Fr,n){return n===void 0?mt(e,t,Or):mt(e,t,n)}o(dt,"login");async function mt(e,t,n){n.logger.log(`\u{1F510} Starting CDF login flow...
-`),n.logger.log(`\u{1F4E1} Fetching OpenID configuration from ${t.authority}...`);let r=await n.discovery(new URL(t.authority),t.clientId,void 0,Ir()),i=n.randomPKCECodeVerifier(),a=await n.calculatePKCECodeChallenge(i),s=n.randomState(),p={redirect_uri:t.redirectUri,scope:"openid profile email",code_challenge:a,code_challenge_method:"S256",state:s};e&&(p.organization_hint=e);let c=n.buildAuthorizationUrl(r,p).toString(),l=n.getOrCreateCertificates(t.certDir);e&&n.logger.log(`\u{1F3E2} Organization: ${e}`),n.logger.log(`\u{1F680} Opening browser for authentication...
-`);try{await n.open(c)}catch(m){let d=m instanceof Error?m.message:String(m);n.logger.error("\u274C Failed to open browser automatically."),n.logger.error(`  Reason: ${d}`),n.logger.error(`Please open this URL manually:
-`),n.logger.error(c),n.logger.error("")}return n.startCallbackServer(t,l,r,i,s)}o(mt,"loginImpl");async function I(e,t,n={}){let{login:r=dt,getSdk:i=W,createClient:a=o(s=>new Rr(s),"createClient")}=n;if(t.interactive){let s=t.orgHint||e.org||void 0,p=await r(s),c=a({appId:t.appId,project:e.project,baseUrl:e.baseUrl,getToken:o(async()=>p.access_token,"getToken")});return await c.authenticate(),c}return i(e,t.appId)}o(I,"getClientForDeployment");import ut from"enquirer";var gt="Enter custom target...";function ft(e,t){let n=t.map((r,i)=>`  ${i}: ${r.org}/${r.project}`).join(`
+  On Windows: Install OpenSSL or use WSL`)}}o(Wr,"generateCertificate");function $t(e,t={existsSync:Me.existsSync,readFileSync:o(n=>Me.readFileSync(n),"readFileSync"),mkdirSync:o((n,r)=>{Me.mkdirSync(n,r)},"mkdirSync"),execFileSync:zr}){let n=Dt.join(e,"localhost-key.pem"),r=Dt.join(e,"localhost-cert.pem");return t.existsSync(n)&&t.existsSync(r)?It(n,r,t):Wr(e,n,r,t)}o($t,"getOrCreateCertificates");var so={authority:"https://auth.cognite.com",clientId:"0404baaa-0a90-43a2-aba7-a110b53fb41c",redirectUri:"https://localhost:3000/",port:3e3,loginTimeout:300*1e3,certDir:Zr.join(Xr.homedir(),".cdf-login")},ao={open:Qr,getOrCreateCertificates:$t,startCallbackServer:At,discovery:no,buildAuthorizationUrl:eo,randomPKCECodeVerifier:oo,calculatePKCECodeChallenge:to,randomState:io,logger:console};async function Tt(e,t=so,n){return n===void 0?Ft(e,t,ao):Ft(e,t,n)}o(Tt,"login");async function Ft(e,t,n){n.logger.log(`\u{1F510} Starting CDF login flow...
+`),n.logger.log(`\u{1F4E1} Fetching OpenID configuration from ${t.authority}...`);let r=await n.discovery(new URL(t.authority),t.clientId,void 0,ro()),i=n.randomPKCECodeVerifier(),s=await n.calculatePKCECodeChallenge(i),a=n.randomState(),p={redirect_uri:t.redirectUri,scope:"openid profile email",code_challenge:s,code_challenge_method:"S256",state:a};e&&(p.organization_hint=e);let c=n.buildAuthorizationUrl(r,p).toString(),l=n.getOrCreateCertificates(t.certDir);e&&n.logger.log(`\u{1F3E2} Organization: ${e}`),n.logger.log(`\u{1F680} Opening browser for authentication...
+`);try{await n.open(c)}catch(d){let m=d instanceof Error?d.message:String(d);n.logger.error("\u274C Failed to open browser automatically."),n.logger.error(`  Reason: ${m}`),n.logger.error(`Please open this URL manually:
+`),n.logger.error(c),n.logger.error("")}return n.startCallbackServer(t,l,r,i,a)}o(Ft,"loginImpl");async function A(e,t,n={}){let{login:r=Tt,getSdk:i=Q,createClient:s=o(a=>new po(a),"createClient")}=n;if(t.interactive){let a=t.orgHint||e.org||void 0,p=await r(a),c=s({appId:t.appId,project:e.project,baseUrl:e.baseUrl,getToken:o(async()=>p.access_token,"getToken")});return await c.authenticate(),c}return i(e,t.appId)}o(A,"getClientForDeployment");import Ot from"enquirer";var Rt="Enter custom target...";function _t(e,t){let n=t.map((r,i)=>`  ${i}: ${r.org}/${r.project}`).join(`
 `);throw new Error(`Deployment "${e}" not found. Available deployments:
-${n}`)}o(ft,"deploymentNotFoundError");function b(e,t){if(e.length===0)throw new Error("No deployments configured in app.json");if(t===void 0)return e[0];if(/^\d+$/.test(t)){let r=e[Number.parseInt(t)];if(r)return r;ft(t,e)}let n=e.find(r=>r.project===t||`${r.org}/${r.project}`===t);if(n)return n;ft(t,e)}o(b,"findDeployment");function T(e){let t=[];return e.deployClientId||t.push("deployClientId"),e.deploySecretName||t.push("deploySecretName"),t}o(T,"getMissingCredentials");async function $(e,t){if(t.baseUrl&&t.project)return{org:t.org??"",project:t.project,baseUrl:t.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"};if(t.deployment!==void 0)return b(e.deployments,t.deployment);let n=[...e.deployments.map(a=>`${a.org}/${a.project}`),gt],{selected:r}=await ut.prompt({type:"select",name:"selected",message:"Select deployment target",choices:n});if(r!==gt){let a=e.deployments.find(s=>`${s.org}/${s.project}`===r);if(a)return a;throw new Error(`Deployment "${r}" could not be resolved from app.json.`)}let i=await ut.prompt([{type:"input",name:"baseUrl",message:"CDF Base URL",initial:"https://api.cognitedata.com"},{type:"input",name:"project",message:"CDF Project",validate:o(a=>a?!0:"Project is required","validate")},{type:"input",name:"org",message:"Organization (for login hint)",initial:""}]);return{org:i.org||"",project:i.project,baseUrl:i.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"}}o($,"resolveDeployment");import{existsSync as _r}from"fs";import{resolve as Ur}from"path";import{config as Lr}from"dotenv";function F(e,t={existsSync:_r,config:Lr}){let n=Ur(e,".env");t.existsSync(n)&&(console.log(`Loading environment variables from ${n}`),t.config({path:n}))}o(F,"loadEnvFile");function O(e){e.infra!=="appsApi"&&(console.error(`
+${n}`)}o(_t,"deploymentNotFoundError");function k(e,t){if(e.length===0)throw new Error("No deployments configured in app.json");if(t===void 0)return e[0];if(/^\d+$/.test(t)){let r=e[Number.parseInt(t)];if(r)return r;_t(t,e)}let n=e.find(r=>r.project===t||`${r.org}/${r.project}`===t);if(n)return n;_t(t,e)}o(k,"findDeployment");function D(e){let t=[];return e.deployClientId||t.push("deployClientId"),e.deploySecretName||t.push("deploySecretName"),t}o(D,"getMissingCredentials");async function I(e,t){if(t.baseUrl&&t.project)return{org:t.org??"",project:t.project,baseUrl:t.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"};if(t.deployment!==void 0)return k(e.deployments,t.deployment);let n=[...e.deployments.map(s=>`${s.org}/${s.project}`),Rt],{selected:r}=await Ot.prompt({type:"select",name:"selected",message:"Select deployment target",choices:n});if(r!==Rt){let s=e.deployments.find(a=>`${a.org}/${a.project}`===r);if(s)return s;throw new Error(`Deployment "${r}" could not be resolved from app.json.`)}let i=await Ot.prompt([{type:"input",name:"baseUrl",message:"CDF Base URL",initial:"https://api.cognitedata.com"},{type:"input",name:"project",message:"CDF Project",validate:o(s=>s?!0:"Project is required","validate")},{type:"input",name:"org",message:"Organization (for login hint)",initial:""}]);return{org:i.org||"",project:i.project,baseUrl:i.baseUrl,deployClientId:"",deploySecretName:"",published:!1,idpType:"cdf"}}o(I,"resolveDeployment");import{existsSync as Vo,readFileSync as Ho}from"fs";import{execFile as lo}from"child_process";import{promisify as mo}from"util";import{platform as co}from"os";function B(e,t={}){let{platform:n=co}=t;switch(n()){case"darwin":return e==="macos";case"win32":return e==="windows";default:return e==="other"}}o(B,"isOS");var Kt="cognite-flows",uo=mo(lo),Lt=o((e,t)=>uo(e,t),"defaultExecFile"),go=-25300,fo=go&255;function yo(e){if(!(e instanceof Error)||!("code"in e)||e.code!==fo)return!1;let t="stderr"in e?String(e.stderr):"";return/could not be found/i.test(t)||t===""}o(yo,"isKeychainNotFoundError");async function jt(e,t,n={}){if(!B("macos",n))throw new Error("Keychain storage is only supported on macOS");let{execFile:r=Lt}=n;await r("security",["add-generic-password","-a",e,"-s",Kt,"-w",Buffer.from(t,"utf-8").toString("base64"),"-U"])}o(jt,"storeKeyInKeychain");async function me(e,t={}){if(!B("macos",t))return null;let{execFile:n=Lt}=t;try{let{stdout:r}=await n("security",["find-generic-password","-a",e,"-s",Kt,"-w"]);return Buffer.from(r.trim(),"base64").toString("utf-8")}catch(r){if(yo(r))return null;throw r}}o(me,"readKeyFromKeychain");import{pbkdf2 as wo,randomBytes as vo}from"crypto";import{promisify as Co}from"util";import{CompactEncrypt as Po,base64url as Nt,compactDecrypt as Eo}from"jose";var ho=new TextEncoder,So=new TextDecoder,Ve={encode:o(e=>ho.encode(e),"encode"),decode:o(e=>So.decode(e),"decode")};var bo=Co(wo),Ge=6e5,ko="sha512",He="PBKDF2-HMAC-SHA512",Be=16,ue="A256GCM",xo=32,ge=2e6;async function Mt(e,t,n){return await bo(e,t,n,xo,ko)}o(Mt,"deriveKey");async function Vt(e,t,n=Ge){if(!Number.isInteger(n)||n<1||n>ge)throw new Error(`Invalid iterations: must be an integer between 1 and ${ge}`);let r=vo(Be),i=await Mt(t,r,n);return await new Po(Ve.encode(e)).setProtectedHeader({alg:"dir",enc:ue,kdf:He,kdf_iter:n,kdf_salt:Nt.encode(r)}).encrypt(i)}o(Vt,"encryptStringAsJwe");async function Ht(e,t){let{plaintext:n}=await Eo(e,async r=>{if(!e.length)throw new Error("Unexpected JWE empty value");if(t.length<15)throw new Error(`Invalid passphrase it should be at least ${15} but got ${t.length}`);if(r.alg!=="dir")throw new Error(`Unexpected JWE alg "${String(r.alg)}"; only "dir" is supported`);if(r.enc!==ue)throw new Error(`Unexpected JWE enc "${String(r.enc)}"; only "${ue}" is supported`);if(r.kdf!==He)throw new Error(`Unexpected KDF "${String(r.kdf)}"; only "${He}" is supported`);let i=Number(r.kdf_iter);if(!Number.isInteger(i)||i<1||i>ge)throw new Error(`Invalid kdf_iter in JWE header: must be an integer between 1 and ${ge}`);if(typeof r.kdf_salt!="string")throw new Error("Missing kdf_salt in JWE header");let s=Nt.decode(r.kdf_salt);if(s.length!==Be)throw new Error(`Invalid kdf_salt length in JWE header: expected ${Be} bytes, got ${s.length}`);return await Mt(t,s,i)},{keyManagementAlgorithms:["dir"],contentEncryptionAlgorithms:[ue]});return Ve.decode(n)}o(Ht,"decryptJweAsString");function Ao(e){let t=e.trim();return t.startsWith("eyJ")&&t.split(".").length===5}o(Ao,"isJweCompact");var Bt=Ao;import{existsSync as Io,readdirSync as $o,readFileSync as Fo}from"fs";import{join as Je}from"path";import{homedir as Do}from"os";import{join as Gt}from"path";function F(e={}){let{env:t=process.env,homedir:n=Do}=e,r=t.COGNITE_CLI_HOME?.trim()||Gt(n(),".cognite-cli");return{home:r,keysDir:Gt(r,"keys")}}o(F,"getConfig");var ee=".pub.pem",Ye=".key.jwe",qe=".meta.json";function fe(e){switch(e.kind){case"keychain":return"Keychain";case"encrypted-file":return e.path;case"public-only":return"public-only (private key missing)"}}o(fe,"formatLocalKeySource");function To(e){return{existsSync:e.existsSync??Io,readdirSync:e.readdirSync??$o,readFileSync:e.readFileSync??((t,n)=>Fo(t,n)),isOS:e.isOS??(t=>B(t)),readKeyFromKeychain:e.readKeyFromKeychain??(t=>me(t))}}o(To,"resolveDeps");function Oo(e){try{let t=JSON.parse(e);if(typeof t=="object"&&t!==null&&!Array.isArray(t)&&"email"in t&&typeof t.email=="string")return t.email}catch{}}o(Oo,"readEmailFromMeta");function Ro(e,t){return t.existsSync(e)?t.readdirSync(e).filter(n=>n.endsWith(ee)):[]}o(Ro,"publicKeyEntries");function _o(e){return e.slice(0,-ee.length)}o(_o,"kidFromPublicKeyFilename");async function Uo(e,t,n){if(n.isOS("macos")&&await n.readKeyFromKeychain(e).catch(()=>null)!==null)return{kind:"keychain"};let r=Je(t,`${e}${Ye}`);return n.existsSync(r)?{kind:"encrypted-file",path:r}:{kind:"public-only"}}o(Uo,"resolveSource");async function ye(e=F().keysDir,t={}){let n=To(t),r=new Set,i=Ro(e,n).flatMap(s=>{let a=_o(s);return!a||r.has(a)?[]:(r.add(a),[{kid:a,entry:s}])});return Promise.all(i.map(async({kid:s,entry:a})=>{let p=await Uo(s,e,n),c=Je(e,`${s}${qe}`),l;try{l=Oo(n.readFileSync(c,"utf8"))}catch{}return{kid:s,source:p,publicKeyPath:Je(e,a),email:l}}))}o(ye,"discoverLocalKeys");import Ko from"enquirer";async function Lo(e){return Ko.prompt(e)}o(Lo,"defaultPrompt");async function Jt(e,t={}){let{prompt:n=Lo}=t,{passphrase:r}=await n({type:"password",name:"passphrase",message:e});return r}o(Jt,"promptPassphrase");import No from"enquirer";import{statSync as jo}from"fs";function Yt(e,t=jo){return e.map(n=>({key:n,mtime:t(n.publicKeyPath).mtimeMs})).sort((n,r)=>r.mtime-n.mtime).map(({key:n})=>n)}o(Yt,"sortByMtime");async function Mo(e){return No.prompt(e)}o(Mo,"defaultPrompt");async function qt(e,t={}){if(e.length===1)return e[0];let{prompt:n=Mo,sortByMtime:r=Yt}=t,i=r(e),s=i[0],{choice:a}=await n({type:"select",name:"choice",message:"Select signing identity",choices:[{name:"latest",message:`Use latest: ${s.kid}`},{name:"pick",message:"Pick from list"}]});if(a==="latest")return s;if(a==="pick"){let{kid:p}=await n({type:"select",name:"kid",message:"Select signing identity",choices:i.map(l=>({name:l.kid,message:[l.kid,l.email,fe(l.source)].filter(Boolean).join("  \u2014  ")}))}),c=i.find(l=>l.kid===p);if(!c)throw new Error("No signing identity selected");return c}else throw new Error(`Unexpected choice: "${a}"`)}o(qt,"promptSigningIdentity");function Bo(e){return{existsSync:e.existsSync??Vo,readFileSync:e.readFileSync??((t,n)=>Ho(t,n)),readKeyFromKeychain:e.readKeyFromKeychain??me,decryptJweAsString:e.decryptJweAsString??Ht,discoverLocalKeys:e.discoverLocalKeys??ye,keysDir:e.keysDir??F().keysDir,promptPassphrase:e.promptPassphrase??Jt,promptSigningIdentity:e.promptSigningIdentity??qt}}o(Bo,"resolveDeps");async function zt(e,t={}){let n=Bo(t);if(e.keyPath){if(!n.existsSync(e.keyPath))throw new Error(`Key file not found: ${e.keyPath}`);if(!e.kid)throw new Error("--signing-identity <kid> is required when using --key");let s=n.readFileSync(e.keyPath,"utf-8").trim();if(Bt(s)){let a=await n.promptPassphrase(`Passphrase for key ${e.kid}: `);return{privateKeyPem:await n.decryptJweAsString(s,a),kid:e.kid}}return{privateKeyPem:s,kid:e.kid}}let r=await n.discoverLocalKeys(n.keysDir);if(r.length===0)throw new Error("No signing keys found. Run `cognite keys generate` or pass --key.");let i=e.kid?r.find(s=>s.kid===e.kid):await n.promptSigningIdentity(r);if(!i)throw new Error(`No key found with kid "${e.kid}"`);switch(i.source.kind){case"keychain":{let s=await n.readKeyFromKeychain(i.kid);if(!s)throw new Error(`Key "${i.kid}" not found in Keychain`);return{privateKeyPem:s,kid:i.kid}}case"encrypted-file":{let s=await n.promptPassphrase(`Passphrase for key ${i.kid}: `);return{privateKeyPem:await n.decryptJweAsString(n.readFileSync(i.source.path,"utf-8"),s),kid:i.kid}}case"public-only":throw new Error(`Key "${i.kid}" has no private key on this machine (public-only).`)}}o(zt,"resolvePrivateKey");var ni=o(async(e,t,n,r,i)=>{let s=await A(e,{interactive:i.interactive??!1,appId:t,orgHint:i.org});await new P(s).submitSignatures(t,n,r)},"defaultSubmitSignatures");function ri(e){let t=Go(e);return new ReadableStream({start(n){t.on("data",r=>n.enqueue(new Uint8Array(r))),t.on("end",()=>n.close()),t.on("error",r=>n.error(r))},cancel(){t.destroy()}})}o(ri,"createWebStreamFromFile");function oi(e){return{existsSync:e.existsSync??Jo,readFileSync:e.readFileSync??((t,n)=>Yo(t,n)),writeFileSync:e.writeFileSync??qo,createBundleStream:e.createBundleStream??ri,signBundle:e.signBundle??ei,hashDevSignature:e.hashDevSignature??Zo,parseScope:e.parseScope??Qo,validateScopes:e.validateScopes??ti,loadAppConfig:e.loadAppConfig??E,resolvePrivateKey:e.resolvePrivateKey??(t=>zt(t)),submitSignatures:e.submitSignatures??ni,discoverSignatures:e.discoverSignatures??Z}}o(oi,"resolveDeps");async function Wt(e,t,n={},r=process.cwd()){let i=oi(n),s=t.appid,a=t.appVersion,p=[],c=i.loadAppConfig(r);if(s=s??c.externalId,a=a??c.versionTag,t.scope&&t.scope.length>0?p=t.scope.map(i.parseScope):p=c.deployments.map(y=>({org:y.org,project:y.project})),!s)throw new Error("--appid is required (or set externalId in app.json)");if(!a)throw new Error("--app-version is required (or set versionTag in app.json)");let l=e?he(r,e):V(r,s,a);if(!i.existsSync(l)){let y=e?"":" (default derived from app.json \u2014 pass [bundle] explicitly to override, or run `cognite apps deploy` first to populate .cognite-bundles/)";throw new Error(`Bundle not found: ${l}${y}`)}let d=i.validateScopes(p);if(d.length>0)throw new Error(`Invalid scopes:
+  ${d.join(`
+  `)}`);let{privateKeyPem:m,kid:g}=await i.resolvePrivateKey({keyPath:t.key?he(r,t.key):void 0,kid:t.signingIdentity}),u;if(t.devSig){let y=he(r,t.devSig);if(!i.existsSync(y))throw new Error(`Dev signature file not found: ${y}`);let C=i.readFileSync(y,"utf-8").trim();u=await i.hashDevSignature(C)}let f=i.createBundleStream(l),S=await i.signBundle({privateKeyPem:m,kid:g,appId:s,version:a,bundleStream:f,role:t.asCertifier?"certifier":"developer",scopes:p,devSignatureSha256:u}),v=t.output?he(r,t.output):Xo(Wo(l),`${zo(l)}.${t.asCertifier?"cert":"dev"}.sig`);i.writeFileSync(v,S.token,"utf-8"),console.log(`\u2705 Signed: ${v}`),console.log(`   kid:    ${S.kid}`),console.log(`   bundle: ${S.payload.bundleSha256}`),console.log(`   scopes: ${S.payload.scopes.map(y=>`${y.org}/${y.project}`).join(", ")}`),t.verbose&&console.log(`
+Payload:`,JSON.stringify(S.payload,null,2));let h=Array.from(new Set([...i.discoverSignatures(l),S.token])),b=t.interactive?await I(c,{interactive:!0,deployment:t.deployment,baseUrl:t.baseUrl,project:t.project,org:t.org}):k(c.deployments,t.deployment);if(!t.interactive){let y=D(b);if(y.length>0)throw new Error(`Deployment ${b.org}/${b.project} is missing ${y.join(" and ")} in app.json. Use \`cognite apps sign --interactive\` for browser-based authentication instead.`)}await i.submitSignatures(b,s,a,h,t),console.log(`
+To publish:  npx @cognite/cli apps publish .`)}o(Wt,"handleSign");function Xt(e,t={}){return e.command("sign [bundle]").description("Sign an app bundle (defaults to .cognite-bundles/<app>-<version>.zip)").option("--key <path>","Private key PEM file path").option("-s, --signing-identity <kid>","Key ID for Keychain or file lookup").option("--appid <id>","Application ID (default: externalId from app.json)").option("-i, --identifier <id>","Alias for --appid").option("--app-version <version>","App version (default: versionTag from app.json)").option("--scope <org/project...>","Deployment scope(s) (default: deployments from app.json)").option("-r, --requirements <org/project...>","Alias for --scope").option("-o, --output <path>","Output file path (default: <bundle>.<dev|cert>.sig)").option("-v, --verbose","Display full payload after signing").option("--as-certifier","Counter-sign a developer signature as certifier").option("--interactive","After signing, submit the signature to App Hosting using browser-based auth",!1).option("-d, --deployment <target>","Deployment target from app.json (index or name; submit step only)").option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").action((n,r)=>{let i={...r,appid:r.identifier??r.appid,scope:r.requirements??r.scope};return Wt(n,i,t)})}o(Xt,"registerSignCommand");import{existsSync as ii}from"fs";import{resolve as si}from"path";import{config as ai}from"dotenv";function R(e,t={existsSync:ii,config:ai}){let n=si(e,".env");t.existsSync(n)&&(console.log(`Loading environment variables from ${n}`),t.config({path:n}))}o(R,"loadEnvFile");function _(e){e.infra!=="appsApi"&&(console.error(`
 \u26A0\uFE0F  Legacy infrastructure is no longer supported.
 Your app.json is missing \`"infra": "appsApi"\`, which means it was created for
 the old CDF Application Registry. This deploy path has been removed.
 To migrate: add \`"infra": "appsApi"\` to your app.json, wire up the correct authentication and re-deploy.
-`),process.exit(1))}o(O,"assertAppHostingInfra");async function Nr(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await $(n,e):b(n.deployments,e.deployment);if(!e.interactive){let m=T(r);if(m.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${m.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps activate --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i),{externalId:s,versionTag:p}=n,c;try{c=await a.getVersion(s,p)}catch(m){throw m instanceof k?new Error(`Version ${p} of ${s} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):m}if(c.alias==="ACTIVE"){console.log(`  ${s} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot activate ${s} @ ${p}: version is ${c.lifecycleState} (terminal).`);c.lifecycleState==="DRAFT"&&(await a.publishVersion(s,p),console.log(`\u2713 Published  ${s} @ ${p} is now PUBLISHED`));let{supersededVersion:l}=await a.activateVersion(s,p);console.log(`\u2713 Activated   ${s} @ ${p} is now ACTIVE`),l&&console.log(`  Superseded  ${l} \u2192 PUBLISHED`)}o(Nr,"handleActivate");function yt(e){return e.command("activate").description("Activate the current app version (publish if needed, then set ACTIVE alias)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+`),process.exit(1))}o(_,"assertAppHostingInfra");async function pi(e){let t=process.cwd();R(t);let n=E(t);_(n);let r=e.interactive?await I(n,e):k(n.deployments,e.deployment);if(!e.interactive){let d=D(r);if(d.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${d.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps activate --interactive\` for browser-based authentication instead.`)}let i=await A(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new P(i),{externalId:a,versionTag:p}=n,c;try{c=await s.getVersion(a,p)}catch(d){throw d instanceof T?new Error(`Version ${p} of ${a} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):d}if(c.alias==="ACTIVE"){console.log(`  ${a} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot activate ${a} @ ${p}: version is ${c.lifecycleState} (terminal).`);c.lifecycleState==="DRAFT"&&(await s.publishVersion(a,p),console.log(`\u2713 Published  ${a} @ ${p} is now PUBLISHED`));let{supersededVersion:l}=await s.activateVersion(a,p);console.log(`\u2713 Activated   ${a} @ ${p} is now ACTIVE`),l&&console.log(`  Superseded  ${l} \u2192 PUBLISHED`)}o(pi,"handleActivate");function Zt(e){return e.command("activate").description("Activate the current app version (publish if needed, then set ACTIVE alias)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps activate .                   Activate using env-var auth
-  npx @cognite/cli apps activate . --interactive     Activate using browser auth (no secrets needed)`).action((t,n)=>Nr(n))}o(yt,"registerActivateCommand");import{readdirSync as to}from"fs";import{basename as $t,dirname as no,normalize as ro,resolve as Q}from"path";import{fileURLToPath as oo,pathToFileURL as io}from"url";import{Logger as so,runner as ao}from"hygen";import{execFileSync as se}from"child_process";function ht(e={}){let{execFileSync:t=se}=e;try{return t("git",["--version"],{stdio:"ignore"}),!0}catch{return!1}}o(ht,"isGitInstalled");function Ct(e,t={}){let{execFileSync:n=se}=t;try{return n("git",["-C",e,"status"],{stdio:"ignore"}),!0}catch{return!1}}o(Ct,"isInsideGitRepo");function wt(e,t={}){let{execFileSync:n=se}=t;n("git",["-C",e,"init"],{stdio:"pipe"}),n("git",["-C",e,"add","."],{stdio:"pipe"}),n("git",["-C",e,"commit","-m","Initial commit","--no-gpg-sign","--no-verify"],{stdio:"pipe"})}o(wt,"gitInitAndCommit");function vt(e={}){let{execFileSync:t=se}=e;try{return String(t("git",["config","--get","user.email"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]})).trim()||void 0}catch{return}}o(vt,"gitUserEmail");import{safeParse as jr}from"valibot";function q(e,t){return n=>{let r=jr(t,n);return r.success?!0:`${e} ${r.issues[0].message}`}}o(q,"toPromptValidator");var Et={name:q("App name",Ee),displayName:q("Display name",ve),baseUrl:q("Base URL",Se),org:q("Org",xe),project:q("Project",Pe)};function Kr(e,t){return e?async n=>{let r=t(n);return r===!0?e(n):r}:t}o(Kr,"composeValidators");function ae(e){return e.map(t=>{if(!(t.name in Et))return t;let n=Et[t.name];return{...t,validate:Kr(t.validate,n)}})}o(ae,"applySchemaValidators");import{basename as xt}from"path";import Pt from"enquirer";function St(e){return e.replace(/[A-Z]/g,(t,n)=>n===0?t.toLowerCase():`-${t.toLowerCase()}`)}o(St,"kebabCase");var Mr={type:"confirm",name:"useSpecKit",message:["Enable spec-driven development?","  Adds the github/spec-kit slash commands (/speckit.specify, .clarify, .plan, .tasks, .implement)","  to your app for use in Claude Code or Cursor. They walk you through writing SPEC.md and","  generating a plan, tasks, and implementation."].join(`
-`),initial:!1};async function Vr(e){return!!(await e([Mr])).useSpecKit}o(Vr,"promptForSpecKit");async function Hr(e,t,n){return e!==void 0?e:t?Vr(n):!1}o(Hr,"resolveSpecKit");function bt({isCurrentDir:e,dirName:t,onAppName:n,onUseSpecKit:r,presets:i={},specKit:a,prompt:s=Pt.prompt.bind(Pt)}){return()=>({prompt:o(async p=>{if(!Array.isArray(p))return s([p]);let c=Object.fromEntries(Object.entries(i).filter(f=>f[1]!==void 0)),l=Object.keys(c).length>0,m=e?xt(process.cwd()):t?xt(t):null,d=l&&m!==null,u=!d&&m?p.map(f=>f.name==="name"?{...f,initial:m}:f):p,C=ae(u),g=d?{...c,name:m}:c,E=new Set(Object.keys(g)),S=C.filter(f=>!E.has(f.name)),y=S.findIndex(f=>f.name==="baseUrl"),R;if(y!==-1){let f=S.filter(Bn=>Bn.name!=="baseUrl"),j=f.length>0?await s(f):{},oe=typeof j.cluster=="string"?j.cluster:"",K=typeof g.cluster=="string"?g.cluster:"",Vn=`https://${(oe||K).trim().replace(/\/+$/,"")||"api"}.cognitedata.com`,Hn=S[y],Gn=await s([{...Hn,initial:Vn}]);R={...j,...Gn}}else R=S.length>0?await s(S):{};let A={...g,...R},x=typeof A.name=="string"?A.name:"";x&&n(x);let P=await Hr(a,S.length>0,s);return r?.(P),{...A,name:x,useCurrentDir:e,directoryName:e?void 0:t??void 0,useSpecKit:P}},"prompt")})}o(bt,"createAppPrompter");async function At(e,t,n){let r=[];Object.values(t).some(a=>a!==void 0)&&n!==null&&r.push({key:"name",value:n,label:"directory"});for(let[a,s]of Object.entries(t))s!==void 0&&r.push({key:a,value:s,label:`--${St(a)}`});for(let{key:a,value:s,label:p}of r){let c=e.find(m=>m.name===a)?.validate;if(!c)continue;let l=await c(s);if(l!==!0)throw new Error(`Invalid ${p}: ${l}`)}}o(At,"validatePresets");import{cpSync as zr,mkdirSync as Dt,writeFileSync as Wr}from"fs";import{dirname as It,resolve as V}from"path";import{fileURLToPath as qr}from"url";import{copyFileSync as Gr,symlinkSync as Br}from"fs";import{dirname as Yr,join as Jr}from"path";function Xr(e){if(e&&typeof e=="object"&&"code"in e&&typeof e.code=="string")return e.code}o(Xr,"errno");function kt(e){return e instanceof Error?e.message:String(e)}o(kt,"messageOf");function pe({target:e,linkPath:t,label:n,symlink:r=Br,copyFile:i=Gr}){try{return r(e,t),!0}catch(a){let s=Xr(a);if(s==="EEXIST")return!0;let p=kt(a);if(s==="EPERM"||s==="EACCES")try{let c=Jr(Yr(t),e);return i(c,t),console.log(`\u2139\uFE0F  Wrote ${n} as a copy of ${e} (symlinks need Developer Mode or an elevated shell on Windows).`),!0}catch(c){return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink: ${p} (copy fallback also failed: ${kt(c)})`),!1}return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink:`,p),!1}}o(pe,"linkOrCopyOrWarn");var Qr=V(It(qr(import.meta.url)),"..","..","_vendor","spec-kit"),Zr={branch_numbering:"sequential"},eo=[{from:"templates",to:".specify/templates"},{from:"scripts/bash",to:".specify/scripts/bash"},{from:"commands",to:".claude/commands"},{from:"commands",to:".cursor/commands"}];function Tt({appDir:e,vendorDir:t=Qr}){let n=V(e,".specify"),r=V(n,"memory"),i=`prepare spec-kit install for appDir=${e}`;try{for(let{from:a,to:s}of eo){let p=V(e,s);i=`copy ${a} to ${s}`,Dt(It(p),{recursive:!0}),zr(V(t,a),p,{recursive:!0})}i=`write init-options.json under specifyDir=${n}`,Wr(V(n,"init-options.json"),`${JSON.stringify(Zr,null,2)}
-`),i=`link .specify/memory/constitution.md in specifyDir=${n}`,Dt(r,{recursive:!0}),pe({target:"../../AGENTS.md",linkPath:V(r,"constitution.md"),label:".specify/memory/constitution.md"})}catch(a){let s=a instanceof Error?a.message:String(a);throw new Error(`installSpecKit failed while ${i} (appDir=${e}, vendorDir=${t}): ${s}`,{cause:a})}}o(Tt,"installSpecKit");var Ft=Q(no(oo(import.meta.url)),"..","..","_templates");async function po(){let e=Q(Ft,"app","new","prompt.js");return(await import(io(e).href)).default}o(po,"loadPromptDefs");function co(e,t){return!e||t?null:ro(e)}o(co,"resolveDirName");function lo(e,t,n){if(e)return{cwd:process.cwd(),display:"."};let r=t??n;if(!r)throw new Error("App creation completed without a target directory or name.");return{cwd:Q(process.cwd(),r),display:r}}o(lo,"resolveAppLocation");function mo(e,t,n){let r=`  npm install
-  npm run dev`,i="To deploy your app:",a="npx @cognite/cli apps deploy --interactive",s=n?`
+  npx @cognite/cli apps activate . --interactive     Activate using browser auth (no secrets needed)`).action((t,n)=>pi(n))}o(Zt,"registerActivateCommand");import{readdirSync as ki}from"fs";import{basename as gn,dirname as xi,normalize as Ai,resolve as ne}from"path";import{fileURLToPath as Di,pathToFileURL as Ii}from"url";import{Logger as $i,runner as Fi}from"hygen";import{execFileSync as Se}from"child_process";function Qt(e={}){let{execFileSync:t=Se}=e;try{return t("git",["--version"],{stdio:"ignore"}),!0}catch{return!1}}o(Qt,"isGitInstalled");function en(e,t={}){let{execFileSync:n=Se}=t;try{return n("git",["-C",e,"status"],{stdio:"ignore"}),!0}catch{return!1}}o(en,"isInsideGitRepo");function tn(e,t={}){let{execFileSync:n=Se}=t;n("git",["-C",e,"init"],{stdio:"pipe"}),n("git",["-C",e,"add","."],{stdio:"pipe"}),n("git",["-C",e,"commit","-m","Initial commit","--no-gpg-sign","--no-verify"],{stdio:"pipe"})}o(tn,"gitInitAndCommit");function nn(e={}){let{execFileSync:t=Se}=e;try{return String(t("git",["config","--get","user.email"],{encoding:"utf-8",stdio:["ignore","pipe","ignore"]})).trim()||void 0}catch{return}}o(nn,"gitUserEmail");import{safeParse as ci}from"valibot";function te(e,t){return n=>{let r=ci(t,n);return r.success?!0:`${e} ${r.issues[0].message}`}}o(te,"toPromptValidator");var rn={name:te("App name",Re),displayName:te("Display name",Oe),baseUrl:te("Base URL",_e),org:te("Org",Ue),project:te("Project",Ke)};function li(e,t){return e?async n=>{let r=t(n);return r===!0?e(n):r}:t}o(li,"composeValidators");function we(e){return e.map(t=>{if(!(t.name in rn))return t;let n=rn[t.name];return{...t,validate:li(t.validate,n)}})}o(we,"applySchemaValidators");import{basename as sn}from"path";import an from"enquirer";function on(e){return e.replace(/[A-Z]/g,(t,n)=>n===0?t.toLowerCase():`-${t.toLowerCase()}`)}o(on,"kebabCase");var di={type:"confirm",name:"useSpecKit",message:["Enable spec-driven development?","  Adds the github/spec-kit slash commands (/speckit.specify, .clarify, .plan, .tasks, .implement)","  to your app for use in Claude Code or Cursor. They walk you through writing SPEC.md and","  generating a plan, tasks, and implementation."].join(`
+`),initial:!1};async function mi(e){return!!(await e([di])).useSpecKit}o(mi,"promptForSpecKit");async function ui(e,t,n){return e!==void 0?e:t?mi(n):!1}o(ui,"resolveSpecKit");function pn({isCurrentDir:e,dirName:t,onAppName:n,onUseSpecKit:r,presets:i={},specKit:s,prompt:a=an.prompt.bind(an)}){return()=>({prompt:o(async p=>{if(!Array.isArray(p))return a([p]);let c=Object.fromEntries(Object.entries(i).filter(w=>w[1]!==void 0)),l=Object.keys(c).length>0,d=e?sn(process.cwd()):t?sn(t):null,m=l&&d!==null,g=!m&&d?p.map(w=>w.name==="name"?{...w,initial:d}:w):p,u=we(g),f=m?{...c,name:d}:c,S=new Set(Object.keys(f)),v=u.filter(w=>!S.has(w.name)),h=v.findIndex(w=>w.name==="baseUrl"),b;if(h!==-1){let w=v.filter(yr=>yr.name!=="baseUrl"),N=w.length>0?await a(w):{},ce=typeof N.cluster=="string"?N.cluster:"",Y=typeof f.cluster=="string"?f.cluster:"",le=`https://${(ce||Y).trim().replace(/\/+$/,"")||"api"}.cognitedata.com`,U=v[h],De=await a([{...U,initial:le}]);b={...N,...De}}else b=v.length>0?await a(v):{};let y={...f,...b},C=typeof y.name=="string"?y.name:"";C&&n(C);let $=await ui(s,v.length>0,a);return r?.($),{...y,name:C,useCurrentDir:e,directoryName:e?void 0:t??void 0,useSpecKit:$}},"prompt")})}o(pn,"createAppPrompter");async function cn(e,t,n){let r=[];Object.values(t).some(s=>s!==void 0)&&n!==null&&r.push({key:"name",value:n,label:"directory"});for(let[s,a]of Object.entries(t))a!==void 0&&r.push({key:s,value:a,label:`--${on(s)}`});for(let{key:s,value:a,label:p}of r){let c=e.find(d=>d.name===s)?.validate;if(!c)continue;let l=await c(a);if(l!==!0)throw new Error(`Invalid ${p}: ${l}`)}}o(cn,"validatePresets");import{cpSync as wi,mkdirSync as dn,writeFileSync as vi}from"fs";import{dirname as mn,resolve as J}from"path";import{fileURLToPath as Ci}from"url";import{copyFileSync as gi,symlinkSync as fi}from"fs";import{dirname as yi,join as hi}from"path";function Si(e){if(e&&typeof e=="object"&&"code"in e&&typeof e.code=="string")return e.code}o(Si,"errno");function ln(e){return e instanceof Error?e.message:String(e)}o(ln,"messageOf");function ve({target:e,linkPath:t,label:n,symlink:r=fi,copyFile:i=gi}){try{return r(e,t),!0}catch(s){let a=Si(s);if(a==="EEXIST")return!0;let p=ln(s);if(a==="EPERM"||a==="EACCES")try{let c=hi(yi(t),e);return i(c,t),console.log(`\u2139\uFE0F  Wrote ${n} as a copy of ${e} (symlinks need Developer Mode or an elevated shell on Windows).`),!0}catch(c){return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink: ${p} (copy fallback also failed: ${ln(c)})`),!1}return console.warn(`\u26A0\uFE0F  Could not create ${n} symlink:`,p),!1}}o(ve,"linkOrCopyOrWarn");var Pi=J(mn(Ci(import.meta.url)),"..","..","_vendor","spec-kit"),Ei={branch_numbering:"sequential"},bi=[{from:"templates",to:".specify/templates"},{from:"scripts/bash",to:".specify/scripts/bash"},{from:"commands",to:".claude/commands"},{from:"commands",to:".cursor/commands"}];function un({appDir:e,vendorDir:t=Pi}){let n=J(e,".specify"),r=J(n,"memory"),i=`prepare spec-kit install for appDir=${e}`;try{for(let{from:s,to:a}of bi){let p=J(e,a);i=`copy ${s} to ${a}`,dn(mn(p),{recursive:!0}),wi(J(t,s),p,{recursive:!0})}i=`write init-options.json under specifyDir=${n}`,vi(J(n,"init-options.json"),`${JSON.stringify(Ei,null,2)}
+`),i=`link .specify/memory/constitution.md in specifyDir=${n}`,dn(r,{recursive:!0}),ve({target:"../../AGENTS.md",linkPath:J(r,"constitution.md"),label:".specify/memory/constitution.md"})}catch(s){let a=s instanceof Error?s.message:String(s);throw new Error(`installSpecKit failed while ${i} (appDir=${e}, vendorDir=${t}): ${a}`,{cause:s})}}o(un,"installSpecKit");var fn=ne(xi(Di(import.meta.url)),"..","..","_templates");async function Ti(){let e=ne(fn,"app","new","prompt.js");return(await import(Ii(e).href)).default}o(Ti,"loadPromptDefs");function Oi(e,t){return!e||t?null:Ai(e)}o(Oi,"resolveDirName");function Ri(e,t,n){if(e)return{cwd:process.cwd(),display:"."};let r=t??n;if(!r)throw new Error("App creation completed without a target directory or name.");return{cwd:ne(process.cwd(),r),display:r}}o(Ri,"resolveAppLocation");function _i(e,t,n){let r=`  npm install
+  npm run dev`,i="To deploy your app:",s="npx @cognite/cli apps deploy --interactive",a=n?`
 To start spec-driven development:
   Run /speckit.specify in Claude Code or Cursor and describe your app.
 `:"",p=`  # Or fully non-interactive (deploys first target from app.json):
@@ -46,9 +50,9 @@ To start spec-driven development:
 Next steps:
 ${r}
-${s}
+${a}
 ${i}
-  ${a}
+  ${s}
 ${p}
 `);return}console.log(`
 \u2705 App created successfully!
@@ -58,13 +62,13 @@ To open in Cursor:
 Or:
   cd "${t}"
 ${r}
-${s}
+${a}
 ${i}
   cd "${t}"
-  ${a}
+  ${s}
 ${p}
-`)}o(mo,"printSuccessMessage");async function uo(e){try{let{execSkillsCli:t,pullAllArgs:n}=await import("../skills-GQ5TZKCM.js");console.log("\u{1F9E0} Pulling skills into your app..."),t(n(),{cwd:e,timeout:3e4,stdio:["pipe","pipe","inherit"]});let r=Q(e,".agents","skills"),i=0;try{i=to(r).length}catch{console.warn(`Skills directory not found after pull \u2014 no skills may have been installed (expected: ${r})`)}let a=i>0?`${i} skills`:"skills";console.log(`\u2705 Installed ${a} successfully to
- ${r}`)}catch(t){let n=t instanceof Error?t.message:String(t);console.warn("\u26A0\uFE0F  Could not pull skills:",n)}}o(uo,"pullSkillsInto");function go(e,t={}){let{isGitInstalled:n=ht,isInsideGitRepo:r=Ct,gitInitAndCommit:i=wt}=t;if(!n()){console.warn("git not found \u2014 skipping git repository initialisation");return}if(!r(e)){console.log("Initialising git repository...");try{i(e)}catch(a){let p=(a&&typeof a=="object"&&"stderr"in a&&a.stderr?String(a.stderr).trim():"")||(a instanceof Error?a.message:String(a));console.warn("Could not initialise git repository:",p)}}}o(go,"maybeInitGit");async function fo(e,t){let n=e==="."||e==="./",r=co(e,n),i=null,a=!1,s={displayName:t.displayName,description:t.description,org:t.org,project:t.project,cluster:t.cluster,baseUrl:t.baseUrl},p=await po(),c=ae(p),l=n?$t(process.cwd()):r?$t(r):null;await At(c,s,l);let m=bt({isCurrentDir:n,dirName:r,onAppName:o(u=>{i=u},"onAppName"),onUseSpecKit:o(u=>{a=u},"onUseSpecKit"),presets:s,specKit:t.specKit});await ao(["app","new"],{templates:Ft,cwd:process.cwd(),logger:new so(console.log.bind(console)),createPrompter:m,debug:!!process.env.DEBUG});let d=lo(n,r,i);pe({target:"AGENTS.md",linkPath:Q(d.cwd,"CLAUDE.md"),label:"CLAUDE.md"}),a&&Tt({appDir:d.cwd}),await uo(d.cwd),go(d.cwd),mo(n,d.display,a)}o(fo,"handleCreate");function Ot(e){return e.command("create").description("Create a new application.").argument("[directory]","Target directory (. for current, or subdirectory name)").option("--display-name <name>","App display name (skips the prompt)").option("--description <description>","App description (skips the prompt)").option("--org <org>","Deployment org (skips the prompt)").option("--project <project>","Deployment project (skips the prompt)").option("--cluster <cluster>","CDF cluster, e.g. greenfield (skips the prompt)").option("--base-url <url>","CDF base URL, e.g. https://greenfield.cognitedata.com (skips the prompt; defaults to cluster-derived URL when omitted)").option("--spec-kit","Install spec-kit slash commands (skips the prompt)").option("--no-spec-kit","Skip spec-kit installation (skips the prompt)").addHelpText("after",`
+`)}o(_i,"printSuccessMessage");async function Ui(e){try{let{execSkillsCli:t,pullAllArgs:n}=await import("../skills-GQ5TZKCM.js");console.log("\u{1F9E0} Pulling skills into your app..."),t(n(),{cwd:e,timeout:3e4,stdio:["pipe","pipe","inherit"]});let r=ne(e,".agents","skills"),i=0;try{i=ki(r).length}catch{console.warn(`Skills directory not found after pull \u2014 no skills may have been installed (expected: ${r})`)}let s=i>0?`${i} skills`:"skills";console.log(`\u2705 Installed ${s} successfully to
+ ${r}`)}catch(t){let n=t instanceof Error?t.message:String(t);console.warn("\u26A0\uFE0F  Could not pull skills:",n)}}o(Ui,"pullSkillsInto");function Ki(e,t={}){let{isGitInstalled:n=Qt,isInsideGitRepo:r=en,gitInitAndCommit:i=tn}=t;if(!n()){console.warn("git not found \u2014 skipping git repository initialisation");return}if(!r(e)){console.log("Initialising git repository...");try{i(e)}catch(s){let p=(s&&typeof s=="object"&&"stderr"in s&&s.stderr?String(s.stderr).trim():"")||(s instanceof Error?s.message:String(s));console.warn("Could not initialise git repository:",p)}}}o(Ki,"maybeInitGit");async function Li(e,t){let n=e==="."||e==="./",r=Oi(e,n),i=null,s=!1,a={displayName:t.displayName,description:t.description,org:t.org,project:t.project,cluster:t.cluster,baseUrl:t.baseUrl},p=await Ti(),c=we(p),l=n?gn(process.cwd()):r?gn(r):null;await cn(c,a,l);let d=pn({isCurrentDir:n,dirName:r,onAppName:o(g=>{i=g},"onAppName"),onUseSpecKit:o(g=>{s=g},"onUseSpecKit"),presets:a,specKit:t.specKit});await Fi(["app","new"],{templates:fn,cwd:process.cwd(),logger:new $i(console.log.bind(console)),createPrompter:d,debug:!!process.env.DEBUG});let m=Ri(n,r,i);ve({target:"AGENTS.md",linkPath:ne(m.cwd,"CLAUDE.md"),label:"CLAUDE.md"}),s&&un({appDir:m.cwd}),await Ui(m.cwd),Ki(m.cwd),_i(n,m.display,s)}o(Li,"handleCreate");function yn(e){return e.command("create").description("Create a new application.").argument("[directory]","Target directory (. for current, or subdirectory name)").option("--display-name <name>","App display name (skips the prompt)").option("--description <description>","App description (skips the prompt)").option("--org <org>","Deployment org (skips the prompt)").option("--project <project>","Deployment project (skips the prompt)").option("--cluster <cluster>","CDF cluster, e.g. greenfield (skips the prompt)").option("--base-url <url>","CDF base URL, e.g. https://greenfield.cognitedata.com (skips the prompt; defaults to cluster-derived URL when omitted)").option("--spec-kit","Install spec-kit slash commands (skips the prompt)").option("--no-spec-kit","Skip spec-kit installation (skips the prompt)").addHelpText("after",`
 Non-interactive use (CI, scripts, AI agents):
   Pass [directory] plus --display-name, --description, --org, --project, --cluster, --base-url
   to skip every prompt. Missing flags fall back to the interactive prompt.
@@ -77,17 +81,17 @@ Examples:
     --display-name "My App" --description "My app" \\
     --org cog-atlas --project atlas-greenfield --cluster greenfield \\
     --base-url https://greenfield.cognitedata.com
-                                             Fully non-interactive`).action(fo)}o(Ot,"registerCreateCommand");import yo from"path";async function ho(e,t,n){let r=await I(e,{interactive:t.interactive,appId:n,orgHint:t.org});return new h(r)}o(ho,"defaultGetApiClient");async function Co(e,t,n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,getApiClient:a=ho}=n,s=yo.resolve(process.cwd(),e);r(s);let p=i(s);O(p);let c=t.interactive?await $(p,t):b(p.deployments,t.deployment);if(!t.interactive){let u=T(c);if(u.length>0)throw new Error(`Deployment ${c.org}/${c.project} is missing ${u.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps deactivate --interactive\` for browser-based authentication instead.`)}let l=await a(c,t,p.externalId),{externalId:m}=p,d=await l.getActiveVersion(m);if(!d){console.log(`  ${m} has no active version \u2014 nothing to deactivate.`);return}await l.deactivateVersion(m,d.version),console.log(`\u2713 Deactivated  ${m} @ ${d.version} \u2014 active alias removed`)}o(Co,"handleDeactivate");function Rt(e){return e.command("deactivate").description("Deactivate the app by removing its active version from service").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+                                             Fully non-interactive`).action(Li)}o(yn,"registerCreateCommand");import ji from"path";async function Ni(e,t,n){let r=await A(e,{interactive:t.interactive,appId:n,orgHint:t.org});return new P(r)}o(Ni,"defaultGetApiClient");async function Mi(e,t,n={}){let{loadEnvFile:r=R,loadAppConfig:i=E,getApiClient:s=Ni}=n,a=ji.resolve(process.cwd(),e);r(a);let p=i(a);_(p);let c=t.interactive?await I(p,t):k(p.deployments,t.deployment);if(!t.interactive){let g=D(c);if(g.length>0)throw new Error(`Deployment ${c.org}/${c.project} is missing ${g.join(" and ")} in app.json. Use \`npx @cognite/cli@latest apps deactivate --interactive\` for browser-based authentication instead.`)}let l=await s(c,t,p.externalId),{externalId:d}=p,m=await l.getActiveVersion(d);if(!m){console.log(`  ${d} has no active version \u2014 nothing to deactivate.`);return}await l.deactivateVersion(d,m.version),console.log(`\u2713 Deactivated  ${d} @ ${m.version} \u2014 active alias removed`)}o(Mi,"handleDeactivate");function hn(e){return e.command("deactivate").description("Deactivate the app by removing its active version from service").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps deactivate .                   Deactivate using env-var auth
-  npx @cognite/cli apps deactivate . --interactive     Deactivate using browser auth (no secrets needed)`).action((t,n)=>Co(t,n))}o(Rt,"registerDeactivateCommand");import{readFile as bo,unlink as Ao}from"fs/promises";import{basename as ko}from"path";import Ut from"fs";import xo from"path";import L from"fs";import v from"path";import{parseAndValidateManifestConfig as wo}from"@cognite/app-sdk/vite";import{BlobReader as vo,Uint8ArrayWriter as Eo,ZipWriter as So}from"@zip.js/zip.js";var Ie="package.json",Te="package-lock.json",_t="manifest.json",$e=".cognite",Fe=class Fe{constructor(t="dist"){this.distPath=v.isAbsolute(t)?t:v.join(process.cwd(),t),this.appRoot=v.dirname(this.distPath)}validateBuildDirectory(){if(!L.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=v.join(this.appRoot,Ie);if(!L.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=v.join(this.appRoot,Te);if(!L.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new So(new Eo,{level:9}),i=o(async(c,l)=>{await r.add(l,new vo(await L.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),a=o(async c=>{let l=await L.promises.readdir(c,{withFileTypes:!0});for(let m of l){let d=v.join(c,m.name);m.isDirectory()?await a(d):await i(d,v.relative(this.distPath,d).replace(/\\/g,"/"))}},"addDir"),s;try{await a(this.distPath);let c=v.join(this.appRoot,Ie);await i(c,v.posix.join($e,Ie));let l=v.join(this.appRoot,_t);if(L.existsSync(l)){let d=L.readFileSync(l,"utf-8");wo(d,l),await i(l,v.posix.join($e,_t))}let m=v.join(this.appRoot,Te);await i(m,v.posix.join($e,Te)),s=await r.close()}catch(c){let l=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${l}`)}await L.promises.writeFile(t,s);let p=(s.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${p} MB)`),t}};o(Fe,"ApplicationPackager");var H=Fe;var Oe=o(async(e,t,n)=>{let r=await new H(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:i,name:a,description:s,versionTag:p}=t,c=await W(e,n),l=new h(c),m=Ut.readFileSync(r),d=xo.basename(r);await l.deploy(i,a,s,p,m,d,e.published)}finally{try{Ut.unlinkSync(r)}catch{}}},"deploy");import{execSync as Po}from"child_process";function Re(e,t=!0,n={execSync:Po}){console.log("\u{1F4E6} Building app with npm..."),n.execSync("npm run build",{cwd:e,stdio:t?"inherit":"pipe"}),console.log("\u2705 Build successful")}o(Re,"buildApp");function Lt(e,t){let{org:n,project:r,baseUrl:i}=e,a;try{a=new URL(i).hostname}catch{return null}let{externalId:s,versionTag:p}=t,c=new URLSearchParams({cluster:a,customAppVersion:p,workspace:"industrial-tools"});return`https://${n}.fusion.cognite.com/${r}/flows-apps/app/${encodeURIComponent(s)}?${c}`}o(Lt,"generateFusionUrl");function Nt(e,t,n){let r=n?"\u{1F680} Deploy (Interactive)":"\u{1F680} Deploy",i=n?`${t.project} @ ${t.baseUrl}`:`${t.org}/${t.project}`;console.log(["",r,"=".repeat(r.length),`App: ${e.name} (${e.externalId})`,`Version: ${e.versionTag}`,`Target: ${i}`,""].join(`
-`))}o(Nt,"printDeployInfo");function jt(e,t){console.log(`
+  npx @cognite/cli apps deactivate . --interactive     Deactivate using browser auth (no secrets needed)`).action((t,n)=>Mi(t,n))}o(hn,"registerDeactivateCommand");import{mkdir as Ji,readFile as Yi}from"fs/promises";import{basename as qi,dirname as zi}from"path";import j from"fs";import x from"path";import{parseAndValidateManifestConfig as Vi}from"@cognite/app-sdk/vite";import{BlobReader as Hi,Uint8ArrayWriter as Bi,ZipWriter as Gi}from"@zip.js/zip.js";var ze="package.json",We="package-lock.json",Sn="manifest.json",Xe=".cognite",Ze=class Ze{constructor(t="dist"){this.distPath=x.isAbsolute(t)?t:x.join(process.cwd(),t),this.appRoot=x.dirname(this.distPath)}validateBuildDirectory(){if(!j.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=x.join(this.appRoot,ze);if(!j.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=x.join(this.appRoot,We);if(!j.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new Gi(new Bi,{level:9}),i=o(async(c,l)=>{await r.add(l,new Hi(await j.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${l}`)},"addFile"),s=o(async c=>{let l=await j.promises.readdir(c,{withFileTypes:!0});for(let d of l){let m=x.join(c,d.name);d.isDirectory()?await s(m):await i(m,x.relative(this.distPath,m).replace(/\\/g,"/"))}},"addDir"),a;try{await s(this.distPath);let c=x.join(this.appRoot,ze);await i(c,x.posix.join(Xe,ze));let l=x.join(this.appRoot,Sn);if(j.existsSync(l)){let m=j.readFileSync(l,"utf-8");Vi(m,l),await i(l,x.posix.join(Xe,Sn))}let d=x.join(this.appRoot,We);await i(d,x.posix.join(Xe,We)),a=await r.close()}catch(c){let l=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${l}`)}await j.promises.writeFile(t,a);let p=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${p} MB)`),t}};o(Ze,"ApplicationPackager");var re=Ze;async function Ce(e,t,n,r){let{externalId:i,name:s,description:a,versionTag:p}=t,c=V(n,i,p);await Ji(zi(c),{recursive:!0}),await new re(`${n}/dist`).createZip(c,!0);let l=await Yi(c);await new P(e).deploy(i,s,a,p,l,qi(c),r)}o(Ce,"packageAndUpload");var Qe=o(async(e,t,n)=>{let r=await Q(e,n);await Ce(r,t,n,e.published)},"deploy");import{execSync as Wi}from"child_process";function et(e,t=!0,n={execSync:Wi}){console.log("\u{1F4E6} Building app with npm..."),n.execSync("npm run build",{cwd:e,stdio:t?"inherit":"pipe"}),console.log("\u2705 Build successful")}o(et,"buildApp");function wn(e,t){let{org:n,project:r,baseUrl:i}=e,s;try{s=new URL(i).hostname}catch{return null}let{externalId:a,versionTag:p}=t,c=new URLSearchParams({cluster:s,customAppVersion:p,workspace:"industrial-tools"});return`https://${n}.fusion.cognite.com/${r}/flows-apps/app/${encodeURIComponent(a)}?${c}`}o(wn,"generateFusionUrl");function vn(e,t,n){let r=n?"\u{1F680} Deploy (Interactive)":"\u{1F680} Deploy",i=n?`${t.project} @ ${t.baseUrl}`:`${t.org}/${t.project}`;console.log(["",r,"=".repeat(r.length),`App: ${e.name} (${e.externalId})`,`Version: ${e.versionTag}`,`Target: ${i}`,""].join(`
+`))}o(vn,"printDeployInfo");function Cn(e,t){console.log(`
 \u2705 Successfully deployed ${e.name} version ${e.versionTag} to ${t.org?`${t.org}/`:""}${t.project}`),console.log("\u{1F512} App is deployed in draft mode");let n=e.deployments.length>1?` -d ${t.project}`:"";console.log(`
-To publish:  npx @cognite/cli apps publish .${n}`),console.log(`To activate: npx @cognite/cli apps activate .${n}`);let r=Lt(t,e);r&&console.log(`
+To sign:     npx @cognite/cli apps sign --interactive${n}`),console.log(`To publish:  npx @cognite/cli apps publish .${n}`),console.log(`To activate: npx @cognite/cli apps activate .${n}`);let r=wn(t,e);r&&console.log(`
 \u{1F517} Open your app:
-   ${r}`)}o(jt,"printDeployResult");async function Do(e,t,n,r,i){let a=T(t);if(a.length>0)throw new Error(`Deployment ${t.org}/${t.project} is missing ${a.join(" and ")} in app.json. Use \`cognite apps deploy --interactive\` for browser-based authentication instead.`);Nt(e,t,!1),r.skipBuild||Re(n),console.log(`
-\u{1F4E4} Deploying to ${t.org}/${t.project}...`),await i({...t,published:!1},{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n),jt(e,t)}o(Do,"handleDeployNonInteractive");async function Io(e,t,n,r){Nt(e,t,!0),r.skipBuild||Re(n);let i=await I(t,{interactive:!0,appId:e.externalId,orgHint:r.org});console.log(`
-\u{1F4E4} Deploying to ${t.project}...`);let a=await new H(`${n}/dist`).createZip("app.zip",!0);try{let s=await bo(a);await new h(i).deploy(e.externalId,e.name,e.description,e.versionTag,s,ko(a),!1),jt(e,t)}finally{await Ao(a).catch(()=>{})}}o(Io,"handleDeployInteractive");async function To(e,t=process.cwd(),n={}){let{loadEnvFile:r=F,loadAppConfig:i=w,deploy:a=Oe}=n;r(t);let s=i(t);if(O(s),e.interactive){let c=await $(s,e);await Io(s,c,t,e);return}let p=b(s.deployments,e.deployment);await Do(s,p,t,e,a)}o(To,"handleDeploy");function Kt(e){return e.command("deploy").description("Deploy your app to Cognite Data Fusion. Use --interactive for browser-based login (no env-var secrets required).").option("-d, --deployment <target>","Deployment target (index or project name)").option("--skip-build","Skip the build step",!1).option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+   ${r}`)}o(Cn,"printDeployResult");async function Xi(e,t,n,r,i){let s=D(t);if(s.length>0)throw new Error(`Deployment ${t.org}/${t.project} is missing ${s.join(" and ")} in app.json. Use \`cognite apps deploy --interactive\` for browser-based authentication instead.`);vn(e,t,!1),r.skipBuild||et(n),console.log(`
+\u{1F4E4} Deploying to ${t.org}/${t.project}...`),await i({...t,published:!1},{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n),Cn(e,t)}o(Xi,"handleDeployNonInteractive");async function Zi(e,t,n,r){vn(e,t,!0),r.skipBuild||et(n);let i=await A(t,{interactive:!0,appId:e.externalId,orgHint:r.org});console.log(`
+\u{1F4E4} Deploying to ${t.project}...`),await Ce(i,{externalId:e.externalId,name:e.name,description:e.description,versionTag:e.versionTag},n,!1),Cn(e,t)}o(Zi,"handleDeployInteractive");async function Qi(e,t=process.cwd(),n={}){let{loadEnvFile:r=R,loadAppConfig:i=E,deploy:s=Qe}=n;r(t);let a=i(t);if(_(a),e.interactive){let c=await I(a,e);await Zi(a,c,t,e);return}let p=k(a.deployments,e.deployment);await Xi(a,p,t,e,s)}o(Qi,"handleDeploy");function Pn(e){return e.command("deploy").description("Deploy your app to Cognite Data Fusion. Use --interactive for browser-based login (no env-var secrets required).").option("-d, --deployment <target>","Deployment target (index or project name)").option("--skip-build","Skip the build step",!1).option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Environment (non-interactive):
   deployClientId and deploySecretName are configured per deployment in app.json.
   deploySecretName is the name of the environment variable that holds the client
@@ -101,43 +105,54 @@ Examples:
   npx @cognite/cli apps deploy -d my-project      Deploy to project by name
   npx @cognite/cli apps deploy --skip-build       Deploy without rebuilding
   npx @cognite/cli apps deploy --interactive      Browser auth, prompts for target
-  npx @cognite/cli apps deploy --interactive -d 0 Browser auth, target chosen non-interactively`).action(t=>To(t))}o(Kt,"registerDeployCommand");async function $o(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await $(n,e):b(n.deployments,e.deployment);if(!e.interactive){let l=T(r);if(l.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${l.join(" and ")} in app.json. Use \`cognite apps publish --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i),{externalId:s,versionTag:p}=n,c;try{c=await a.getVersion(s,p)}catch(l){throw l instanceof k?new Error(`Version ${p} of ${s} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):l}if(c.alias==="ACTIVE"){console.log(`  ${s} @ ${p} is already ACTIVE \u2014 nothing to do.`);return}if(c.lifecycleState==="PUBLISHED"){console.log(`  ${s} @ ${p} is already PUBLISHED \u2014 nothing to do.`);return}if(c.lifecycleState==="DEPRECATED"||c.lifecycleState==="ARCHIVED")throw new Error(`Cannot publish ${s} @ ${p}: version is ${c.lifecycleState} (terminal).`);await a.publishVersion(s,p),console.log(`\u2713 Published  ${s} @ ${p} is now PUBLISHED`),console.log(""),console.log("Run `npx @cognite/cli apps activate .` to make it active.")}o($o,"handlePublish");function Mt(e){return e.command("publish").description("Publish the current app version (transition DRAFT \u2192 PUBLISHED)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+  npx @cognite/cli apps deploy --interactive -d 0 Browser auth, target chosen non-interactively`).action(t=>Qi(t))}o(Pn,"registerDeployCommand");async function es(e,t,n){let r=await A(e,{interactive:t.interactive,appId:n.externalId,orgHint:t.org});return new P(r)}o(es,"defaultBuildApiClient");async function ts(e,t={}){let n=t.loadEnvFile??R,r=t.loadAppConfig??E,i=t.buildApiClient??es,s=t.discoverSignatures??Z,a=process.cwd();n(a);let p=r(a);_(p);let c=e.interactive?await I(p,e):k(p.deployments,e.deployment);if(!e.interactive){let f=D(c);if(f.length>0)throw new Error(`Deployment ${c.org}/${c.project} is missing ${f.join(" and ")} in app.json. Use \`cognite apps publish --interactive\` for browser-based authentication instead.`)}let l=await i(c,e,p),{externalId:d,versionTag:m}=p,g;try{g=await l.getVersion(d,m)}catch(f){throw f instanceof T?new Error(`Version ${m} of ${d} has not been deployed yet. Run \`npx @cognite/cli apps deploy\` first.`):f}if(g.alias==="ACTIVE"){console.log(`  ${d} @ ${m} is already ACTIVE \u2014 nothing to do.`);return}if(g.lifecycleState==="PUBLISHED"){console.log(`  ${d} @ ${m} is already PUBLISHED \u2014 nothing to do.`);return}if(g.lifecycleState==="DEPRECATED"||g.lifecycleState==="ARCHIVED")throw new Error(`Cannot publish ${d} @ ${m}: version is ${g.lifecycleState} (terminal).`);let u=s(V(a,d,m));u.length>0&&await l.submitSignatures(d,m,u),await l.publishVersion(d,m),console.log(`\u2713 Published  ${d} @ ${m} is now PUBLISHED`),console.log(""),console.log("Run `npx @cognite/cli apps activate .` to make it active.")}o(ts,"handlePublish");function En(e){return e.command("publish").description("Publish the current app version (transition DRAFT \u2192 PUBLISHED)").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps publish .                    Publish using env-var auth
-  npx @cognite/cli apps publish . --interactive      Publish using browser auth (no secrets needed)`).action((t,n)=>$o(n))}o(Mt,"registerPublishCommand");function Fo(e){return e.alias==="ACTIVE"?"ACTIVE":e.lifecycleState}o(Fo,"describeStatus");async function Oo(e){let t=process.cwd();F(t);let n=w(t);O(n);let r=e.interactive?await $(n,e):b(n.deployments,e.deployment);if(!e.interactive){let s=T(r);if(s.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${s.join(" and ")} in app.json. Use \`cognite apps status --interactive\` for browser-based authentication instead.`)}let i=await I(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),a=new h(i);console.log(""),console.log(`App:     ${n.name} (${n.externalId})`),console.log(`Version: ${n.versionTag}  (local)`);try{let s=await a.getVersion(n.externalId,n.versionTag),p=Fo(s);console.log(`Status:  ${p}`),s.lifecycleState==="DRAFT"&&(console.log(""),console.log("Run `npx @cognite/cli apps publish .` to publish this version."))}catch(s){if(s instanceof k){console.log("Status:  not deployed yet"),console.log(""),console.log("Run `npx @cognite/cli apps deploy` to upload this version.");return}throw s}}o(Oo,"handleStatus");function Vt(e){return e.command("status").description("Show the deployment status of the current app version").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
+  npx @cognite/cli apps publish . --interactive      Publish using browser auth (no secrets needed)`).action((t,n)=>ts(n))}o(En,"registerPublishCommand");function ns(e){return e.alias==="ACTIVE"?"ACTIVE":e.lifecycleState}o(ns,"describeStatus");async function rs(e){let t=process.cwd();R(t);let n=E(t);_(n);let r=e.interactive?await I(n,e):k(n.deployments,e.deployment);if(!e.interactive){let a=D(r);if(a.length>0)throw new Error(`Deployment ${r.org}/${r.project} is missing ${a.join(" and ")} in app.json. Use \`cognite apps status --interactive\` for browser-based authentication instead.`)}let i=await A(r,{interactive:e.interactive,appId:n.externalId,orgHint:e.org}),s=new P(i);console.log(""),console.log(`App:     ${n.name} (${n.externalId})`),console.log(`Version: ${n.versionTag}  (local)`);try{let a=await s.getVersion(n.externalId,n.versionTag),p=ns(a);console.log(`Status:  ${p}`),a.lifecycleState==="DRAFT"&&(console.log(""),console.log("Run `npx @cognite/cli apps publish .` to publish this version."))}catch(a){if(a instanceof T){console.log("Status:  not deployed yet"),console.log(""),console.log("Run `npx @cognite/cli apps deploy` to upload this version.");return}throw a}}o(rs,"handleStatus");function bn(e){return e.command("status").description("Show the deployment status of the current app version").argument("[path]","Path to the app folder (only `.` is currently supported)",".").option("-d, --deployment <target>","Deployment target from app.json (index or name)").option("--interactive","Use browser-based authentication instead of env-var credentials",!1).option("--base-url <url>","CDF base URL (only with --interactive)").option("--project <project>","CDF project name (only with --interactive)").option("--org <org>","Organization hint for login (only with --interactive)").addHelpText("after",`
 Examples:
   npx @cognite/cli apps status .                     Status using env-var auth
-  npx @cognite/cli apps status . --interactive       Status using browser auth (no secrets needed)`).action((t,n)=>Oo(n))}o(Vt,"registerStatusCommand");function Ht(e){let t=e.command("apps").description("Manage Fusion Custom Apps \u2014 create, deploy, and manage version lifecycle");return Ot(t),Kt(t),Vt(t),Mt(t),yt(t),Rt(t),qe(t),t}o(Ht,"registerAppsCommand");import{existsSync as Ei,mkdirSync as Si,writeFileSync as xi}from"fs";import{dirname as He,join as ue}from"path";import{generateSigningKeyPair as Pi}from"@cognite/app-sdk/codesigning";import{execFile as _o}from"child_process";import{promisify as Uo}from"util";import{platform as Ro}from"os";function G(e={}){let{platform:t=Ro}=e;return t()==="darwin"}o(G,"isMacOS");var Gt="cognite-flows",Lo=Uo(_o),Bt=o((e,t)=>Lo(e,t),"defaultExecFile"),No=-25300,jo=No&255;function Ko(e){if(!(e instanceof Error)||!("code"in e)||e.code!==jo)return!1;let t="stderr"in e?String(e.stderr):"";return/could not be found/i.test(t)||t===""}o(Ko,"isKeychainNotFoundError");async function Yt(e,t,n={}){if(!G(n))throw new Error("Keychain storage is only supported on macOS");let{execFile:r=Bt}=n;await r("security",["add-generic-password","-a",e,"-s",Gt,"-w",Buffer.from(t,"utf-8").toString("base64"),"-U"])}o(Yt,"storeKeyInKeychain");async function Jt(e,t={}){if(!G(t))return null;let{execFile:n=Bt}=t;try{let{stdout:r}=await n("security",["find-generic-password","-a",e,"-s",Gt,"-w"]);return Buffer.from(r.trim(),"base64").toString("utf-8")}catch(r){if(Ko(r))return null;throw r}}o(Jt,"readKeyFromKeychain");import{pbkdf2 as Ho,randomBytes as Go}from"crypto";import{promisify as Bo}from"util";import{CompactEncrypt as Yo,base64url as Jo,compactDecrypt as Oc}from"jose";var Mo=new TextEncoder,Vo=new TextDecoder,Xt={encode:o(e=>Mo.encode(e),"encode"),decode:o(e=>Vo.decode(e),"decode")};var Xo=Bo(Ho),_e=6e5,zo="sha512",Wo="PBKDF2-HMAC-SHA512",qo=16,Qo="A256GCM",Zo=32,zt=2e6;async function ei(e,t,n){return await Xo(e,t,n,Zo,zo)}o(ei,"deriveKey");async function Wt(e,t,n=_e){if(!Number.isInteger(n)||n<1||n>zt)throw new Error(`Invalid iterations: must be an integer between 1 and ${zt}`);let r=Go(qo),i=await ei(t,r,n);return await new Yo(Xt.encode(e)).setProtectedHeader({alg:"dir",enc:Qo,kdf:Wo,kdf_iter:n,kdf_salt:Jo.encode(r)}).encrypt(i)}o(Wt,"encryptStringAsJwe");import{existsSync as ni,readdirSync as ri,readFileSync as oi}from"fs";import{join as ce}from"path";import{homedir as ti}from"os";import{join as qt}from"path";function N(e={}){let{env:t=process.env,homedir:n=ti}=e,r=t.DUNE_HOME?.trim()||qt(n(),".dune");return{home:r,keysDir:qt(r,"keys")}}o(N,"getConfig");var ee=".pub.pem",Ue=".key.jwe",ii=".pem",Le=".meta.json";function Qt(e){switch(e.kind){case"keychain":return"Keychain";case"encrypted-file":return e.path;case"legacy-unencrypted-file":return`${e.path} (unencrypted \u2014 rotate)`;case"public-only":return"public-only (private key missing)"}}o(Qt,"formatLocalKeySource");function si(e){return{existsSync:e.existsSync??ni,readdirSync:e.readdirSync??ri,readFileSync:e.readFileSync??((t,n)=>oi(t,n)),isMacOS:e.isMacOS??(()=>G()),readKeyFromKeychain:e.readKeyFromKeychain??(t=>Jt(t))}}o(si,"resolveDeps");function ai(e){try{let t=JSON.parse(e);if(typeof t=="object"&&t!==null&&!Array.isArray(t)&&"email"in t&&typeof t.email=="string")return t.email}catch{}}o(ai,"readEmailFromMeta");function pi(e,t){return t.existsSync(e)?t.readdirSync(e).filter(n=>n.endsWith(ee)):[]}o(pi,"publicKeyEntries");function ci(e){return e.slice(0,-ee.length)}o(ci,"kidFromPublicKeyFilename");async function li(e,t,n){if(n.isMacOS()&&await n.readKeyFromKeychain(e).catch(()=>null)!==null)return{kind:"keychain"};let r=ce(t,`${e}${Ue}`);if(n.existsSync(r))return{kind:"encrypted-file",path:r};let i=ce(t,`${e}${ii}`);return n.existsSync(i)?{kind:"legacy-unencrypted-file",path:i}:{kind:"public-only"}}o(li,"resolveSource");async function Zt(e=N().keysDir,t={}){let n=si(t),r=new Set,i=pi(e,n).flatMap(a=>{let s=ci(a);return!s||r.has(s)?[]:(r.add(s),[{kid:s,entry:a}])});return Promise.all(i.map(async({kid:a,entry:s})=>{let p=await li(a,e,n),c=ce(e,`${a}${Le}`),l;try{l=ai(n.readFileSync(c,"utf8"))}catch{}return{kid:a,source:p,publicKeyPath:ce(e,s),email:l}}))}o(Zt,"discoverLocalKeys");function en(e,t){let n=e.getUTCFullYear(),r=e.getUTCMonth()+t,i=new Date(Date.UTC(n,r+1,0)).getUTCDate(),a=Math.min(e.getUTCDate(),i);return new Date(Date.UTC(n,r,a))}o(en,"addMonthsClamped");function Ne(e){return e.toISOString().slice(0,10)}o(Ne,"formatIsoDate");function tn(e=new Date){return Ne(e)}o(tn,"todayIso");import mi,{Chalk as di}from"chalk";var je=new di({level:0});function nn(e){return e.isTTY?mi:je}o(nn,"chalkForStream");function ui(e){return e.replace(/-----BEGIN [^-]+-----/g,"").replace(/-----END [^-]+-----/g,"").replace(/\s+/g,"")}o(ui,"pemBodyOneLine");function rn(e,t=je,n=new Date){let r=e.issuedAt??tn(n),i=ui(e.publicKeyPem),a="  ",s=o((c,l)=>`${a}${t.cyan(c)}${t.dim(":")} ${l}
+  npx @cognite/cli apps status . --interactive       Status using browser auth (no secrets needed)`).action((t,n)=>rs(n))}o(bn,"registerStatusCommand");function kn(e){let t=e.command("apps").description("Manage Fusion Custom Apps \u2014 create, deploy, and manage version lifecycle");return yn(t),Pn(t),bn(t),En(t),Zt(t),hn(t),gt(t),Xt(t),t}o(kn,"registerAppsCommand");import{existsSync as Es,mkdirSync as bs,writeFileSync as ks}from"fs";import{dirname as at,join as ke}from"path";import{generateSigningKeyPair as xs}from"@cognite/app-sdk/codesigning";import As from"open";function xn(e,t){let n=e.getUTCFullYear(),r=e.getUTCMonth()+t,i=new Date(Date.UTC(n,r+1,0)).getUTCDate(),s=Math.min(e.getUTCDate(),i);return new Date(Date.UTC(n,r,s))}o(xn,"addMonthsClamped");function tt(e){return e.toISOString().slice(0,10)}o(tt,"formatIsoDate");function An(e=new Date){return tt(e)}o(An,"todayIso");import os,{Chalk as is}from"chalk";var oe=new is({level:0});function Dn(e){return e.isTTY?os:oe}o(Dn,"chalkForStream");function ss(e){return e.replace(/-----BEGIN [^-]+-----/g,"").replace(/-----END [^-]+-----/g,"").replace(/\s+/g,"")}o(ss,"pemBodyOneLine");function nt(e,t=oe,n=new Date){let r=e.issuedAt??An(n),i=ss(e.publicKeyPem),s="  ",a=o((c,l)=>`${s}${t.cyan(c)}${t.dim(":")} ${l}
 `,"kv"),p="";return p+=`
 ${t.bold("Add this entry to")} ${t.magenta("services/app-hosting/config/signing-keys.yaml")} ${t.bold("under")} ${t.cyan("public_keys:")}
 `,p+=`${t.dim("-")} ${t.cyan("kid")}${t.dim(":")} ${t.green(e.kid)}
-`,p+=s("public_key",t.green(i)),p+=s("email",t.yellow(e.email)),p+=s("capabilities",`${t.dim("[")}${t.yellow("developer")}${t.dim("]")}`),p+=s("issued_at",t.green(r)),p+=s("expires",t.green(e.expires)),p+=s("revoked_at",t.dim("null")),p}o(rn,"renderRegistryEntry");import{email as gi,pipe as fi,safeParse as yi,string as hi}from"valibot";var Ci=fi(hi(),gi());function te(e,t="email"){let n=e.trim();if(!n)throw new Error(`${t} is required`);if(!yi(Ci,n).success)throw new Error(`${t} must look like an email (user@example.com); got "${e}"`);return n}o(te,"parseEmail");function ne(e,t="--expires"){let n=Number(e);if(!Number.isInteger(n)||n<1||n>12)throw new Error(`${t} must be an integer between 1 and 12 (months); got "${e}"`);return n}o(ne,"parseExpiryMonths");import gn from"enquirer";var le=3,on="Signing identity (kid) \u2014 e.g. jsmith-dev-001 (lowercase letters, digits, hyphens)",sn=`Key expiry in months (${1}-${12})`,an="Email address for the registry entry",pn=`Passphrase for the encrypted private key (min ${15} chars)`,cn="Confirm passphrase",ln=o(()=>`Passphrase must be at least ${15} characters`,"passphraseTooShortMsg"),mn=o(e=>`Passphrases do not match (attempt ${e}/${le}).
-`,"passphraseMismatchMsg"),dn=`Passphrase confirmation failed after ${le} attempts`,un=o(e=>`A signing key with kid "${e}" already exists. Overwrite it?`,"confirmOverwriteMsg");async function de(e){return gn.prompt(e)}o(de,"defaultPrompt");function Ve(e){return t=>{try{return e(t),!0}catch(n){return n instanceof Error?n.message:"Invalid"}}}o(Ve,"parserAsValidator");var vi=/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;function me(e){let t=e.trim();if(!t)throw new Error("--kid must not be empty");if(t.length>64)throw new Error("--kid must be 64 characters or fewer");if(!vi.test(t))throw new Error("--kid must contain only lowercase letters, digits, and hyphens, and must not start or end with a hyphen (e.g. jsmith-dev-001)");return t}o(me,"parseKid");async function fn(e={}){let{prompt:t=de}=e,{kid:n}=await t({type:"input",name:"kid",message:on,validate:Ve(me)});return me(n)}o(fn,"promptKid");async function yn(e={}){let{prompt:t=de}=e,{months:n}=await t({type:"input",name:"months",message:sn,initial:String(6),validate:Ve(r=>ne(r,"expiry"))});return ne(n,"expiry")}o(yn,"promptExpiryMonths");async function hn(e={}){let{prompt:t=de,gitUserEmail:n=vt}=e,{email:r}=await t({type:"input",name:"email",message:an,initial:n(),validate:Ve(i=>te(i,"email"))});return te(r,"email")}o(hn,"promptEmail");async function Cn(e={}){let{prompt:t=de,stderr:n=process.stderr}=e;for(let r=1;r<=le;r+=1){let{passphrase:i}=await t({type:"password",name:"passphrase",message:pn,validate:o(s=>s.length>=15?!0:ln(),"validate")}),{confirm:a}=await t({type:"password",name:"confirm",message:cn});if(i===a)return i;n.write(mn(r))}throw new Error(dn)}o(Cn,"promptPassphrase");async function wn(e,t={}){let{prompt:n=o(i=>gn.prompt(i),"prompt")}=t,{confirmed:r}=await n({type:"confirm",name:"confirmed",message:un(e),initial:!1});return r}o(wn,"promptConfirmOverwrite");function bi(e){return{writeFileSync:e.writeFileSync??xi,mkdirSync:e.mkdirSync??Si,existsSync:e.existsSync??Ei,generateSigningKeyPair:e.generateSigningKeyPair??Pi,encryptStringAsJwe:e.encryptStringAsJwe??Wt,storeKeyInKeychain:e.storeKeyInKeychain??Yt,isMacOS:e.isMacOS??G,promptKid:e.promptKid??fn,promptExpiryMonths:e.promptExpiryMonths??yn,promptEmail:e.promptEmail??hn,promptPassphrase:e.promptPassphrase??Cn,promptConfirmOverwrite:e.promptConfirmOverwrite??wn,discoverLocalKeys:e.discoverLocalKeys??(()=>Zt())}}o(bi,"resolveDeps");function En(e,t={}){let n=bi(t),r=e.command("keys").description("Manage code signing keys");r.command("generate").description("Generate an Ed25519 keypair for code signing").option("-o, --output <path>","Encrypted private key output path (forces file storage even on macOS)").option("--no-keychain","Skip macOS Keychain and write a passphrase-encrypted private key under ~/.dune/keys/ instead").option("-e, --expires <months>",`Validity in months (${1}-${12}); skips the interactive prompt`).option("--email <address>","Email address for the registry entry; skips the interactive prompt").option("--kid <identifier>","Signing identity name for the registry (e.g. jsmith-dev-001); skips the interactive prompt").option("--force","Overwrite an existing key without prompting for confirmation").action(i=>Di(i,n)),r.command("list").description("List local signing identities and their storage location").action(()=>Ai(n))}o(En,"registerKeysCommand");async function Ai(e){let t=await e.discoverLocalKeys();if(t.length===0){process.stdout.write(`No signing identities found.
-`),process.stdout.write(`Run \`cognite keys generate\` to create one (storage: ${N().keysDir}).
-`);return}let n=["KID","SOURCE","EMAIL"],r=t.map(s=>[s.kid,Qt(s.source),s.email??"\u2014"]),i=n.map((s,p)=>Math.max(s.length,...r.map(c=>c[p].length))),a=o(s=>s.map((p,c)=>p.padEnd(i[c])).join("  ").trimEnd(),"fmt");process.stdout.write(`${a(n)}
-`);for(let s of r)process.stdout.write(`${a(s)}
-`)}o(Ai,"handleList");function vn(e,t,n){let r=ue(N().keysDir,`${e}${ee}`);return n.mkdirSync(He(r),{recursive:!0}),n.writeFileSync(r,t),r}o(vn,"writePublicKey");async function ki(e,t,n,r,i,{force:a=!1}={}){let s=r??ue(N().keysDir,`${e}${Ue}`);if(i.mkdirSync(He(s),{recursive:!0}),!a&&i.existsSync(s))throw new Error(`Refusing to overwrite existing key at ${s}. Delete it first if you really want to regenerate: rm ${s}`);let p=await i.encryptStringAsJwe(t,n);return i.writeFileSync(s,p,{mode:384}),s}o(ki,"writeEncryptedPrivateKey");async function Di(e,t,n=new Date){let{isMacOS:r,existsSync:i,mkdirSync:a,writeFileSync:s,generateSigningKeyPair:p,storeKeyInKeychain:c,promptExpiryMonths:l,promptKid:m,promptEmail:d,promptPassphrase:u,promptConfirmOverwrite:C}=t,g=e.keychain!==!1&&r()&&!e.output,E=e.expires!==void 0?ne(e.expires):await l(),S=Ne(en(n,E)),y=e.kid!==void 0?me(e.kid):await m(),R=ue(N().keysDir,`${y}${ee}`),A=i(R);if(A&&!e.force&&!await C(y)){process.stderr.write(`Aborted.
-`);return}let x=e.email!==void 0?te(e.email,"--email"):await d(),P=g?null:await u();process.stderr.write(`
+`,p+=a("public_key",t.green(i)),p+=a("email",t.yellow(e.email)),p+=a("capabilities",`${t.dim("[")}${t.yellow("developer")}${t.dim("]")}`),p+=a("issued_at",t.green(r)),p+=a("expires",t.green(e.expires)),p+=a("revoked_at",t.dim("null")),p}o(nt,"renderRegistryEntry");import as from"clipboardy";function In(e){return as.write(e)}o(In,"copyToClipboard");import{email as ps,pipe as cs,safeParse as ls,string as ds}from"valibot";var ms=cs(ds(),ps());function ie(e,t="email"){let n=e.trim();if(!n)throw new Error(`${t} is required`);if(!ls(ms,n).success)throw new Error(`${t} must look like an email (user@example.com); got "${e}"`);return n}o(ie,"parseEmail");function se(e,t="--expires"){let n=Number(e);if(!Number.isInteger(n)||n<1||n>12)throw new Error(`${t} must be an integer between 1 and 12 (months); got "${e}"`);return n}o(se,"parseExpiryMonths");var us="https://cognite.zendesk.com",gs="360001234312",fs="tf_360015295097",ys="cognite_flows",hs="360004885031";function Ss(e,t){let n=new URLSearchParams({locale:"en-us",brand_id:hs,return_to:e});return`${t}/access?${n}`}o(Ss,"withLogin");function ws(e,t,n){let r=new URLSearchParams({ticket_form_id:gs,tf_priority:"normal",tf_subject:e,[fs]:ys,tf_description:t});return Ss(`${n}/hc/en-us/requests/new?${r}`,n)}o(ws,"buildUrl");function vs(e){return e.join("<br>")}o(vs,"toHtml");function $n(e,t,n,r,i=us){return ws(`Public Key Registration: ${t}`,vs(["Dear Cognite Platform Team,","","I would like to register my Flows app signing key for certified deployments.","",`Key ID (kid): ${e}`,`Developer email: ${t}`,`Expires: ${n}`,"","Please add the following entry to signing-keys.yaml:","",...r.replace(/\r\n/g,`
+`).split(`
+`),"","Best Regards,","[Your name]","","(This registration request was generated by `npx @cognite/cli keys generate`.)"]),i)}o($n,"buildKeyRegistrationUrl");import it from"enquirer";var Pe=3,Fn="Signing identity (kid) \u2014 e.g. jsmith-dev-001 (lowercase letters, digits, hyphens)",Tn=`Key expiry in months (${1}-${12})`,On="Email address for the registry entry",Rn=`Passphrase for the encrypted private key (min ${15} chars)`,_n="Confirm passphrase",Un=o(()=>`Passphrase must be at least ${15} characters`,"passphraseTooShortMsg"),Kn=o(e=>`Passphrases do not match (attempt ${e}/${Pe}).
+`,"passphraseMismatchMsg"),Ln=`Passphrase confirmation failed after ${Pe} attempts`,jn=o(e=>`A signing key with kid "${e}" already exists. Overwrite it?`,"confirmOverwriteMsg"),Nn="How would you like to submit your key registration?",Mn="Open in browser",Vn="Copy link to clipboard";async function be(e){return it.prompt(e)}o(be,"defaultPrompt");function st(e){return t=>{try{return e(t),!0}catch(n){return n instanceof Error?n.message:"Invalid"}}}o(st,"parserAsValidator");var Ps=/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;function Ee(e){let t=e.trim();if(!t)throw new Error("--kid must not be empty");if(t.length>64)throw new Error("--kid must be 64 characters or fewer");if(!Ps.test(t))throw new Error("--kid must contain only lowercase letters, digits, and hyphens, and must not start or end with a hyphen (e.g. jsmith-dev-001)");return t}o(Ee,"parseKid");async function Hn(e={}){let{prompt:t=be}=e,{kid:n}=await t({type:"input",name:"kid",message:Fn,validate:st(Ee)});return Ee(n)}o(Hn,"promptKid");async function Bn(e={}){let{prompt:t=o(r=>it.prompt(r),"prompt")}=e,{action:n}=await t({type:"select",name:"action",message:Nn,choices:[{name:"browser",message:Mn},{name:"clipboard",message:Vn}]});if(n!=="browser"&&n!=="clipboard")throw new Error(`Unexpected Zendesk action: ${n}`);return n}o(Bn,"promptZendeskAction");async function Gn(e={}){let{prompt:t=be}=e,{months:n}=await t({type:"input",name:"months",message:Tn,initial:String(6),validate:st(r=>se(r,"expiry"))});return se(n,"expiry")}o(Gn,"promptExpiryMonths");async function Jn(e={}){let{prompt:t=be,gitUserEmail:n=nn}=e,{email:r}=await t({type:"input",name:"email",message:On,initial:n(),validate:st(i=>ie(i,"email"))});return ie(r,"email")}o(Jn,"promptEmail");async function Yn(e={}){let{prompt:t=be,stderr:n=process.stderr}=e;for(let r=1;r<=Pe;r+=1){let{passphrase:i}=await t({type:"password",name:"passphrase",message:Rn,validate:o(a=>a.length>=15?!0:Un(),"validate")}),{confirm:s}=await t({type:"password",name:"confirm",message:_n});if(i===s)return i;n.write(Kn(r))}throw new Error(Ln)}o(Yn,"promptPassphrase");async function qn(e,t={}){let{prompt:n=o(i=>it.prompt(i),"prompt")}=t,{confirmed:r}=await n({type:"confirm",name:"confirmed",message:jn(e),initial:!1});return r}o(qn,"promptConfirmOverwrite");function Ds(e){return{writeFileSync:e.writeFileSync??ks,mkdirSync:e.mkdirSync??bs,existsSync:e.existsSync??Es,generateSigningKeyPair:e.generateSigningKeyPair??xs,encryptStringAsJwe:e.encryptStringAsJwe??Vt,storeKeyInKeychain:e.storeKeyInKeychain??jt,isOS:e.isOS??(t=>B(t)),promptKid:e.promptKid??Hn,promptExpiryMonths:e.promptExpiryMonths??Gn,promptEmail:e.promptEmail??Jn,promptPassphrase:e.promptPassphrase??Yn,promptConfirmOverwrite:e.promptConfirmOverwrite??qn,discoverLocalKeys:e.discoverLocalKeys??(()=>ye()),promptZendeskAction:e.promptZendeskAction??Bn,openUrl:e.openUrl??(t=>As(t)),copyToClipboard:e.copyToClipboard??In,isInteractive:e.isInteractive??(()=>process.stdout.isTTY===!0)}}o(Ds,"resolveDeps");function Wn(e,t={}){let n=Ds(t),r=e.command("keys").description("Manage code signing keys");r.command("generate").description("Generate an Ed25519 keypair for code signing").option("-o, --output <path>","Encrypted private key output path (forces file storage even on macOS)").option("--no-keychain",`Skip macOS Keychain and write a passphrase-encrypted private key under ${F().keysDir} instead`).option("-e, --expires <months>",`Validity in months (${1}-${12}); skips the interactive prompt`).option("--email <address>","Email address for the registry entry; skips the interactive prompt").option("--kid <identifier>","Signing identity name for the registry (e.g. jsmith-dev-001); skips the interactive prompt").option("--force","Overwrite an existing key without prompting for confirmation").option("--copy-link","Copy the Zendesk registration link to the clipboard without prompting").action(i=>Fs(i,n)),r.command("list").description("List local signing identities and their storage location").action(()=>Is(n))}o(Wn,"registerKeysCommand");async function Is(e){let t=await e.discoverLocalKeys();if(t.length===0){process.stdout.write(`No signing identities found.
+`),process.stdout.write(`Run \`cognite keys generate\` to create one (storage: ${F().keysDir}).
+`);return}let n=["KID","SOURCE","EMAIL"],r=t.map(a=>[a.kid,fe(a.source),a.email??"\u2014"]),i=n.map((a,p)=>Math.max(a.length,...r.map(c=>c[p].length))),s=o(a=>a.map((p,c)=>p.padEnd(i[c])).join("  ").trimEnd(),"fmt");process.stdout.write(`${s(n)}
+`);for(let a of r)process.stdout.write(`${s(a)}
+`)}o(Is,"handleList");function zn(e,t,n){let r=ke(F().keysDir,`${e}${ee}`);return n.mkdirSync(at(r),{recursive:!0}),n.writeFileSync(r,t),r}o(zn,"writePublicKey");async function $s(e,t,n,r,i,{force:s=!1}={}){let a=r??ke(F().keysDir,`${e}${Ye}`);if(i.mkdirSync(at(a),{recursive:!0}),!s&&i.existsSync(a))throw new Error(`Refusing to overwrite existing key at ${a}. Delete it first if you really want to regenerate: rm ${a}`);let p=await i.encryptStringAsJwe(t,n);return i.writeFileSync(a,p,{mode:384}),a}o($s,"writeEncryptedPrivateKey");async function Fs(e,t,n=new Date){let{isOS:r,existsSync:i,mkdirSync:s,writeFileSync:a,generateSigningKeyPair:p,storeKeyInKeychain:c,promptExpiryMonths:l,promptKid:d,promptEmail:m,promptPassphrase:g,promptConfirmOverwrite:u}=t,f=e.keychain!==!1&&r("macos")&&!e.output,S=e.expires!==void 0?se(e.expires):await l(),v=tt(xn(n,S)),h=e.kid!==void 0?Ee(e.kid):await d(),b=ke(F().keysDir,`${h}${ee}`),y=i(b);if(y&&!e.force&&!await u(h)){process.stderr.write(`Aborted.
+`);return}let C=e.email!==void 0?ie(e.email,"--email"):await m(),$=f?null:await g();process.stderr.write(`
 Generating Ed25519 keypair...
-`);let{privateKeyPem:f,publicKeyPem:j}=await p(y);if(g){await c(y,f);let X=vn(y,j,t);process.stderr.write(`Public key:  ${X}
-`),process.stderr.write(`Private key: macOS Keychain (service: cognite-dune, account: ${y})
-`)}else{if(P===null)throw new Error("passphrase is required when not using Keychain");let X=await ki(y,f,P,e.output,t,{force:A}),We=vn(y,j,t);process.stderr.write(`Public key:  ${We}
-`),process.stderr.write(`Private key: ${X} (JWE, AES-256-GCM, PBKDF2-SHA512 x${_e.toLocaleString()})
-`),r()||process.stderr.write(`   (macOS Keychain integration is the default on darwin; on this OS we use the file.)
-`)}let oe=ue(N().keysDir,`${y}${Le}`);a(He(oe),{recursive:!0}),s(oe,JSON.stringify({email:x}));let K=nn(process.stderr);process.stderr.write(`
-Signing identity (kid): ${K.green(y)}
-`),process.stderr.write(`Expires: ${S} (${E} month${E===1?"":"s"} from today)
-`),process.stderr.write(rn({kid:y,publicKeyPem:j,email:x,expires:S},K,n)),process.stderr.write(`
-${K.bold("Next:")} open a PR against the ${K.magenta("infrastructure")} repo with that block, then \`${K.cyan(`cognite sign -s ${y}`)}\`
-`)}o(Di,"handleGenerate");var Sn=1e3,Ii=new Set(["baseUrl","url","project","deployment","source","path","name","displayName","description"]);function Ti(e){return Object.fromEntries(Object.entries(e).map(([t,n])=>typeof n=="boolean"?[t,n]:Ii.has(t)?[t,n]:[t,"[REDACTED]"]))}o(Ti,"sanitize");function $i(e){let t=[],n=e;for(;n;)n.parent&&t.unshift(n.name()),n=n.parent;return t.join(" ")}o($i,"getCommandPath");function xn(e){try{let t=e(process.cwd());return{appExternalId:t.externalId,appVersionTag:t.versionTag}}catch{return{}}}o(xn,"tryLoadAppConfig");function Ge(e){return e.filter(t=>!t.startsWith("-")).join(" ")||"unknown"}o(Ge,"commandFromArgv");function Pn(e,t,n=w){e.hook("postAction",async(r,i)=>{try{let a={command:$i(i),options:Ti(i.opts()),success:!0,...xn(n)};t.track("Flows.CLI.Command",a),await t.flush(Sn)}catch{}})}o(Pn,"instrument");async function bn(e,t,n=w){try{let r={command:Ge(t),options:{},success:!1,...xn(n)};e.track("Flows.CLI.Command",r),await e.flush(Sn)}catch{}}o(bn,"trackFailure");var Fi="ERR_USE_AFTER_CLOSE";function kn(e){return e instanceof Error&&"code"in e&&e.code===Fi}o(kn,"isReadlineClosedError");function Oi(e){let t=Object.getPrototypeOf(e);return t===Object.prototype||t===null}o(Oi,"isPlainObject");function Be(e){return e==null||kn(e)?!0:e instanceof Error?!1:!!(typeof e=="object"&&e!==null&&Oi(e)&&Object.keys(e).length===0)}o(Be,"isPromptCancel");var An=!1;function Dn(){An||(An=!0,process.on("uncaughtException",e=>{kn(e)&&(console.error(`
-Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}),process.on("unhandledRejection",e=>{Be(e)&&(console.error(`
-Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}))}o(Dn,"installCancelHandler");import{homedir as Ni}from"os";import In from"mixpanel";var Ri="5c4d853e7c3b77b1eb4468d5329b278c",re="cognite-cli",_i=2e3,Tn={env:process.env,init:In.init.bind(In)},Ui={track:o(()=>{},"track"),flush:o(async()=>{},"flush")};function Ye(e=process.env){return e.COGNITE_TELEMETRY_DISABLED==="1"||e.DO_NOT_TRACK==="1"}o(Ye,"isTelemetryDisabled");function Li(e){return e.COGNITE_TELEMETRY_DEBUG==="1"}o(Li,"isDebug");function $n(e={}){let t=e.env??Tn.env,n=e.init??Tn.init,r=e.packageName,i=e.cliVersion,a=Li(t);if(Ye(t))return a&&process.stderr.write(`[telemetry] disabled \u2014 noop tracker
-`),Ui;let s,p=new Set;function c(){if(s)return s;try{return s=n(Ri,{geolocate:!1,keepAlive:!1}),s}catch{return}}return o(c,"getClient"),{track(l,m={}){let d=c();if(!d)return;let u={...m,applicationId:re,...r&&{packageName:r},...i&&{cliVersion:i},nodeVersion:process.version,platform:process.platform};a&&process.stderr.write(`[telemetry] track ${l} ${JSON.stringify(u)}
-`);let C=o(()=>{},"finish"),g=new Promise(E=>{C=E});p.add(g);try{d.track(l,u,C)}catch{C()}g.finally(()=>p.delete(g))},async flush(l=_i){if(p.size===0)return;let m,d=new Promise(u=>{m=setTimeout(u,l),m.unref?.()});try{await Promise.race([Promise.allSettled([...p]),d])}finally{m&&clearTimeout(m)}a&&process.stderr.write(`[telemetry] flush done (${p.size} still pending)
-`)}}}o($n,"createTelemetry");var ge=Ni();function Fn(e,t=ge){if(!t||t==="/")return e;let n=e.replaceAll(t,"~"),r=t.replaceAll("\\","/");return r!==t&&(n=n.replaceAll(r,"~")),n}o(Fn,"redactHomedir");var ji=1e3,Ki="https://0a118cb02e3be57b1838bcfb5783a2bf@o4508040730968064.ingest.de.sentry.io/4510719268290640",Mi={captureError:o(async()=>{},"captureError"),flush:o(async()=>{},"flush")};function Vi(e){return e.packageName&&e.cliVersion?`${e.packageName}@${e.cliVersion}`:e.cliVersion??"unknown"}o(Vi,"buildRelease");var Hi="192.0.2.0";function Gi(e){let t={...e.user,email:void 0,username:void 0,ip_address:Hi,id:void 0},n=e.exception?.values?.map(r=>({...r,value:r.value!==void 0?Fn(r.value):r.value}));return{...e,message:e.message!==void 0?Fn(e.message):e.message,user:t,server_name:void 0,...n!==void 0&&{exception:{...e.exception,values:n}}}}o(Gi,"scrubPii");function On(e={}){let t=e.env??process.env;if(Ye(t))return Mi;let n=Vi(e),r="production",i=null,a=null;function s(c){let l=ge&&ge!=="/"?[c.rewriteFramesIntegration({root:ge})]:[];return{dsn:Ki,release:n,environment:r,defaultIntegrations:!1,integrations:l,sendDefaultPii:!1,enableLogs:!1,initialScope:{tags:{component:"cli",applicationId:re},contexts:{cli:{applicationId:re,node:process.version,platform:process.platform}}},beforeSend:Gi}}o(s,"buildInitOptions");async function p(){return i||(a||(a=(async()=>{try{let c=e.sdk??await import("@sentry/node");return c.init(s(c)),i=c,c}catch{return null}})()),a)}return o(p,"ensureSdk"),{async captureError(c,l){try{let m=await p();if(!m)return;let d={level:"fatal"};l?.command&&(d.tags={command:l.command},d.contexts={cli:{applicationId:re,node:process.version,platform:process.platform,command:l.command}}),m.captureException(c,d)}catch{}},async flush(c=ji){try{if(!i)return;await i.flush(c)}catch{}}}}o(On,"createErrorReporter");import{mkdirSync as Bi,readFileSync as Yi,writeFileSync as Ji}from"fs";import{homedir as Xi}from"os";import{resolve as fe}from"path";import{debuglog as zi}from"util";import{lt as Wi,parse as Rn}from"semver";var qi="https://registry.npmjs.org/@cognite/cli/latest",Qi=1500,_n="upgrade-check.json",Un=fe(process.env.XDG_CACHE_HOME||fe(Xi(),".cache"),"@cognite","cli"),Je=zi("cognite-flows");function Zi(e,t){return!e||!t||!Rn(e)||!Rn(t)?!1:Wi(e,t)}o(Zi,"isOutdated");async function es({timeout:e=Qi,registryUrl:t=qi,fetchImpl:n=globalThis.fetch}={}){if(typeof n!="function")return null;try{let r=await n(t,{signal:AbortSignal.timeout(e)});if(!r?.ok)return null;let i=await r.json();return typeof i?.version=="string"?i.version:null}catch(r){return Je("fetchLatestVersion failed (%s): %O",t,r),null}}o(es,"fetchLatestVersion");function ts(e=Un,t=864e5){try{let n=Yi(fe(e,_n),"utf-8"),r=JSON.parse(n);return typeof r.latest!="string"||typeof r.fetchedAt!="number"||Date.now()-r.fetchedAt>t?null:{latest:r.latest,fetchedAt:r.fetchedAt}}catch(n){return Je("readUpgradeCheckCache failed (%s): %O",e,n),null}}o(ts,"readUpgradeCheckCache");function ns(e,t){try{Bi(e,{recursive:!0});let n={latest:t,fetchedAt:Date.now()};Ji(fe(e,_n),JSON.stringify(n))}catch(n){Je("writeUpgradeCheckCache failed (%s): %O",e,n)}}o(ns,"writeUpgradeCheckCache");async function rs({cacheDir:e=Un,...t}={}){let n=await es(t);n&&ns(e,n)}o(rs,"startBackgroundUpgradeCheck");function Ln(e,{onOutdated:t,cacheDir:n,...r}={}){let i=ts(n);if(i){Zi(e,i.latest)&&t?.(e,i.latest);return}rs({cacheDir:n,...r})}o(Ln,"preActionUpgradeCheck");import{default as om,chalkStderr as Nn}from"chalk";function jn(e,t){let n=[`\u26A0  Update available: ${e} -> ${t}`,"   Run npx @cognite/cli@latest"],r=Math.max(...n.map(p=>[...p].length))+2,i="\u2500".repeat(r),a=o(p=>`\u2502 ${p}${" ".repeat(r-1-[...p].length)}\u2502`,"pad"),s=[`\u250C${i}\u2510`,...n.map(a),`\u2514${i}\u2518`].join(`
-`);return Nn.bold.yellow(s)}o(jn,"formatUpgradeWarning");function ss(e){return e instanceof Error&&"code"in e&&typeof e.code=="string"&&e.code==="DEP0040"}o(ss,"isDep0040Warning");var ze=process,as=ze.emit.bind(ze);ze.emit=function(e,...t){return e==="warning"&&ss(t[0])?!1:as(e,...t)};Dn();var J=new is;J.name("cognite").description("Build and deploy React apps to Cognite Data Fusion").version("1.3.0").showHelpAfterError().configureOutput({writeOut:o(e=>os(1,e),"writeOut")});J.hook("preAction",()=>{Ln("1.3.0",{onOutdated:o((e,t)=>{console.warn(`
-${jn(e,t)}
-`)},"onOutdated")})});Ht(J);En(J);var Mn=$n({packageName:"@cognite/cli",cliVersion:"1.3.0"}),Kn=On({packageName:"@cognite/cli",cliVersion:"1.3.0"});Pn(J,Mn);var Xe=process.argv.slice(2);J.parseAsync(Xe,{from:"user"}).catch(async e=>{await bn(Mn,Xe),Be(e)&&(console.error(`
-Cancelled.`),process.exit(130)),await Kn.captureError(e,{command:Ge(Xe)}),await Kn.flush(),console.error(e instanceof Error?`\u274C ${e.message}`:e),process.exit(1)});
+`);let{privateKeyPem:w,publicKeyPem:N}=await p(h);if(f){await c(h,w);let U=zn(h,N,t);process.stderr.write(`Public key:  ${U}
+`),process.stderr.write(`Private key: macOS Keychain (service: cognite-dune, account: ${h})
+`)}else{if($===null)throw new Error("passphrase is required when not using Keychain");let U=await $s(h,w,$,e.output,t,{force:y}),De=zn(h,N,t);process.stderr.write(`Public key:  ${De}
+`),process.stderr.write(`Private key: ${U} (JWE, AES-256-GCM, PBKDF2-SHA512 x${Ge.toLocaleString()})
+`),r("macos")||process.stderr.write(`   (macOS Keychain integration is the default on darwin; on this OS we use the file.)
+`)}let ce=ke(F().keysDir,`${h}${qe}`);s(at(ce),{recursive:!0}),a(ce,JSON.stringify({email:C}));let Y=Dn(process.stderr);process.stderr.write(`
+Signing identity (kid): ${Y.green(h)}
+`),process.stderr.write(`Expires: ${v} (${S} month${S===1?"":"s"} from today)
+`);let Ae={kid:h,publicKeyPem:N,email:C,expires:v};process.stderr.write(nt(Ae,Y,n));let q=$n(h,C,v,nt(Ae,oe,n));process.stderr.write(`
+${Y.bold("Next:")}
+`),process.stderr.write(`  1. Register your signing key \u2014 submit this pre-filled Zendesk request:
+`);let le=e.copyLink?"clipboard":t.isInteractive()?await t.promptZendeskAction():null;if(le==="browser")try{await t.openUrl(q),process.stderr.write(`     Opening in browser...
+`)}catch{process.stderr.write(`     URL: ${q}
+`)}else if(le==="clipboard"){let U=!1;try{await t.copyToClipboard(q),U=!0}catch{}process.stderr.write(U&&!e.copyLink?`     Link copied to clipboard.
+`:`     URL: ${q}
+`)}else process.stderr.write(`     URL: ${q}
+`);process.stderr.write(`
+  2. Once your key is approved, sign your Dune app:
+`),process.stderr.write(`     ${Y.cyan(`cognite sign -s ${h}`)}
+`)}o(Fs,"handleGenerate");var Xn=1e3,Ts=new Set(["baseUrl","url","project","deployment","source","path","name","displayName","description"]);function Os(e){return Object.fromEntries(Object.entries(e).map(([t,n])=>typeof n=="boolean"?[t,n]:Ts.has(t)?[t,n]:[t,"[REDACTED]"]))}o(Os,"sanitize");function Rs(e){let t=[],n=e;for(;n;)n.parent&&t.unshift(n.name()),n=n.parent;return t.join(" ")}o(Rs,"getCommandPath");function Zn(e){try{let t=e(process.cwd());return{appExternalId:t.externalId,appVersionTag:t.versionTag}}catch{return{}}}o(Zn,"tryLoadAppConfig");function pt(e){return e.filter(t=>!t.startsWith("-")).join(" ")||"unknown"}o(pt,"commandFromArgv");function Qn(e,t,n=E){e.hook("postAction",async(r,i)=>{try{let s={command:Rs(i),options:Os(i.opts()),success:!0,...Zn(n)};t.track("Flows.CLI.Command",s),await t.flush(Xn)}catch{}})}o(Qn,"instrument");async function er(e,t,n=E){try{let r={command:pt(t),options:{},success:!1,...Zn(n)};e.track("Flows.CLI.Command",r),await e.flush(Xn)}catch{}}o(er,"trackFailure");var _s="ERR_USE_AFTER_CLOSE";function nr(e){return e instanceof Error&&"code"in e&&e.code===_s}o(nr,"isReadlineClosedError");function Us(e){let t=Object.getPrototypeOf(e);return t===Object.prototype||t===null}o(Us,"isPlainObject");function ct(e){return e==null||nr(e)?!0:e instanceof Error?!1:!!(typeof e=="object"&&e!==null&&Us(e)&&Object.keys(e).length===0)}o(ct,"isPromptCancel");var tr=!1;function rr(){tr||(tr=!0,process.on("uncaughtException",e=>{nr(e)&&(console.error(`
+Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}),process.on("unhandledRejection",e=>{ct(e)&&(console.error(`
+Cancelled.`),process.exit(130)),console.error(e),process.exit(1)}))}o(rr,"installCancelHandler");import{homedir as Ms}from"os";import or from"mixpanel";var Ks="5c4d853e7c3b77b1eb4468d5329b278c",ae="cognite-cli",Ls=2e3,ir={env:process.env,init:or.init.bind(or)},js={track:o(()=>{},"track"),flush:o(async()=>{},"flush")};function lt(e=process.env){return e.COGNITE_TELEMETRY_DISABLED==="1"||e.DO_NOT_TRACK==="1"}o(lt,"isTelemetryDisabled");function Ns(e){return e.COGNITE_TELEMETRY_DEBUG==="1"}o(Ns,"isDebug");function sr(e={}){let t=e.env??ir.env,n=e.init??ir.init,r=e.packageName,i=e.cliVersion,s=Ns(t);if(lt(t))return s&&process.stderr.write(`[telemetry] disabled \u2014 noop tracker
+`),js;let a,p=new Set;function c(){if(a)return a;try{return a=n(Ks,{geolocate:!1,keepAlive:!1}),a}catch{return}}return o(c,"getClient"),{track(l,d={}){let m=c();if(!m)return;let g={...d,applicationId:ae,...r&&{packageName:r},...i&&{cliVersion:i},nodeVersion:process.version,platform:process.platform};s&&process.stderr.write(`[telemetry] track ${l} ${JSON.stringify(g)}
+`);let u=o(()=>{},"finish"),f=new Promise(S=>{u=S});p.add(f);try{m.track(l,g,u)}catch{u()}f.finally(()=>p.delete(f))},async flush(l=Ls){if(p.size===0)return;let d,m=new Promise(g=>{d=setTimeout(g,l),d.unref?.()});try{await Promise.race([Promise.allSettled([...p]),m])}finally{d&&clearTimeout(d)}s&&process.stderr.write(`[telemetry] flush done (${p.size} still pending)
+`)}}}o(sr,"createTelemetry");var Vs=Ms();function pe(e,t=Vs){if(!t||t==="/")return e;let n=e.replaceAll(t,"~"),r=t.replaceAll("\\","/");return r!==t&&(n=n.replaceAll(r,"~")),n=n.replace(/(?<![A-Za-z0-9_])[A-Za-z]:[/\\]Users[/\\][^\s/\\]+(?=[/\\]|$)/g,"~"),n=n.replace(/(?<![A-Za-z0-9_])\/(?:Users|home)\/[^\s/]+(?=[/\\]|$)/g,"~"),n}o(pe,"redactHomedir");var Hs=1e3,Bs="https://0a118cb02e3be57b1838bcfb5783a2bf@o4508040730968064.ingest.de.sentry.io/4510719268290640",Gs={captureError:o(async()=>{},"captureError"),flush:o(async()=>{},"flush")};function Js(e){return e.packageName&&e.cliVersion?`${e.packageName}@${e.cliVersion}`:e.cliVersion??"unknown"}o(Js,"buildRelease");var Ys="192.0.2.0";function qs(e){return e?.map(t=>({...t,...t.filename!==void 0&&{filename:pe(t.filename)},...t.abs_path!==void 0&&{abs_path:pe(t.abs_path)},...t.module!==void 0&&{module:pe(t.module)}}))}o(qs,"scrubStackFrames");function zs(e){let t={...e.user,email:void 0,username:void 0,ip_address:Ys,id:void 0},n=e.exception?.values?.map(r=>({...r,value:r.value!==void 0?pe(r.value):r.value,...r.stacktrace!==void 0&&{stacktrace:{...r.stacktrace,frames:qs(r.stacktrace.frames)}}}));return{...e,message:e.message!==void 0?pe(e.message):e.message,user:t,server_name:void 0,...n!==void 0&&{exception:{...e.exception,values:n}}}}o(zs,"scrubPii");function ar(e={}){let t=e.env??process.env;if(lt(t))return Gs;let n=Js(e),r="production",i=null,s=null;function a(){return{dsn:Bs,release:n,environment:r,defaultIntegrations:!1,integrations:[],sendDefaultPii:!1,enableLogs:!1,initialScope:{tags:{component:"cli",applicationId:ae},contexts:{cli:{applicationId:ae,node:process.version,platform:process.platform}}},beforeSend:zs}}o(a,"buildInitOptions");async function p(){return i||(s||(s=(async()=>{try{let c=e.sdk??await import("@sentry/node");return c.init(a()),i=c,c}catch{return null}})()),s)}return o(p,"ensureSdk"),{async captureError(c,l){try{let d=await p();if(!d)return;let m={level:"fatal"};l?.command&&(m.tags={command:l.command},m.contexts={cli:{applicationId:ae,node:process.version,platform:process.platform,command:l.command}}),d.captureException(c,m)}catch{}},async flush(c=Hs){try{if(!i)return;await i.flush(c)}catch{}}}}o(ar,"createErrorReporter");import{mkdirSync as Ws,readFileSync as Xs,writeFileSync as Zs}from"fs";import{homedir as Qs}from"os";import{resolve as xe}from"path";import{debuglog as ea}from"util";import{lt as ta,parse as pr}from"semver";var na="https://registry.npmjs.org/@cognite/cli/latest",ra=1500,cr="upgrade-check.json",lr=xe(process.env.XDG_CACHE_HOME||xe(Qs(),".cache"),"@cognite","cli"),dt=ea("cognite-flows");function oa(e,t){return!e||!t||!pr(e)||!pr(t)?!1:ta(e,t)}o(oa,"isOutdated");async function ia({timeout:e=ra,registryUrl:t=na,fetchImpl:n=globalThis.fetch}={}){if(typeof n!="function")return null;try{let r=await n(t,{signal:AbortSignal.timeout(e)});if(!r?.ok)return null;let i=await r.json();return typeof i?.version=="string"?i.version:null}catch(r){return dt("fetchLatestVersion failed (%s): %O",t,r),null}}o(ia,"fetchLatestVersion");function sa(e=lr,t=864e5){try{let n=Xs(xe(e,cr),"utf-8"),r=JSON.parse(n);return typeof r.latest!="string"||typeof r.fetchedAt!="number"||Date.now()-r.fetchedAt>t?null:{latest:r.latest,fetchedAt:r.fetchedAt}}catch(n){return dt("readUpgradeCheckCache failed (%s): %O",e,n),null}}o(sa,"readUpgradeCheckCache");function aa(e,t){try{Ws(e,{recursive:!0});let n={latest:t,fetchedAt:Date.now()};Zs(xe(e,cr),JSON.stringify(n))}catch(n){dt("writeUpgradeCheckCache failed (%s): %O",e,n)}}o(aa,"writeUpgradeCheckCache");async function pa({cacheDir:e=lr,...t}={}){let n=await ia(t);n&&aa(e,n)}o(pa,"startBackgroundUpgradeCheck");function dr(e,{onOutdated:t,cacheDir:n,...r}={}){let i=sa(n);if(i){oa(e,i.latest)&&t?.(e,i.latest);return}pa({cacheDir:n,...r})}o(dr,"preActionUpgradeCheck");import{default as lu,chalkStderr as mr}from"chalk";function ur(e,t){let n=[`\u26A0  Update available: ${e} -> ${t}`,"   Run npx @cognite/cli@latest"],r=Math.max(...n.map(p=>[...p].length))+2,i="\u2500".repeat(r),s=o(p=>`\u2502 ${p}${" ".repeat(r-1-[...p].length)}\u2502`,"pad"),a=[`\u250C${i}\u2510`,...n.map(s),`\u2514${i}\u2518`].join(`
+`);return mr.bold.yellow(a)}o(ur,"formatUpgradeWarning");function da(e){return e instanceof Error&&"code"in e&&typeof e.code=="string"&&e.code==="DEP0040"}o(da,"isDep0040Warning");var ut=process,ma=ut.emit.bind(ut);ut.emit=function(e,...t){return e==="warning"&&da(t[0])?!1:ma(e,...t)};rr();var W=new la;W.name("cognite").description("Build and deploy React apps to Cognite Data Fusion").version("1.3.2-alpha-zendesk").showHelpAfterError().configureOutput({writeOut:o(e=>ca(1,e),"writeOut")});W.hook("preAction",()=>{dr("1.3.2-alpha-zendesk",{onOutdated:o((e,t)=>{console.warn(`
+${ur(e,t)}
+`)},"onOutdated")})});kn(W);Wn(W);var fr=sr({packageName:"@cognite/cli",cliVersion:"1.3.2-alpha-zendesk"}),gr=ar({packageName:"@cognite/cli",cliVersion:"1.3.2-alpha-zendesk"});Qn(W,fr);var mt=process.argv.slice(2);W.parseAsync(mt,{from:"user"}).catch(async e=>{await er(fr,mt),ct(e)&&(console.error(`
+Cancelled.`),process.exit(130)),await gr.captureError(e,{command:pt(mt)}),await gr.flush(),console.error(e instanceof Error?`\u274C ${e.message}`:e),process.exit(1)});

package/dist/deploy/index.d.ts CHANGED Viewed

@@ -1,26 +1,5 @@
 import { CogniteClient, ClientOptions } from '@cognite/sdk';
-type Deployment = {
-    org: string;
-    project: string;
-    baseUrl: string;
-    deployClientId: string;
-    deploySecretName: string;
-    published: boolean;
-    /** Identity provider type. Defaults to "cdf" if not specified */
-    idpType?: "cdf" | "entra_id";
-    /** Tenant ID for Entra ID authentication. Required when idpType is "entra_id" */
-    tenantId?: string;
-};
-type App = {
-    externalId: string;
-    name: string;
-    description: string;
-    versionTag: string;
-};
-declare const deploy: (deployment: Deployment, app: App, folder: string) => Promise<void>;
 /**
  * App Hosting HTTP API layer.
  *
@@ -56,6 +35,13 @@ declare class AppHostingClient {
      * success so the call is safe to repeat.
      */
     ensureApp(externalId: string, name: string, description: string): Promise<void>;
+    /**
+     * Submit verified compact-JWS signatures for a version uploaded earlier.
+     * No-op when `items` is empty so callers can wire it unconditionally.
+     * The backend accepts and stores well-formed tokens; tier-policy
+     * verification happens on the subsequent publish step.
+     */
+    submitSignatures(appExternalId: string, version: string, items: string[]): Promise<void>;
     /** Transition a version from DRAFT to PUBLISHED. */
     publishVersion(appExternalId: string, version: string): Promise<void>;
     /** Publish the version and immediately set it as the ACTIVE alias. */
@@ -85,6 +71,42 @@ declare class AppHostingClient {
     deploy(appExternalId: string, name: string, description: string, versionTag: string, fileContent: Buffer, fileName: string, published?: boolean): Promise<void>;
 }
+type Deployment = {
+    org: string;
+    project: string;
+    baseUrl: string;
+    deployClientId: string;
+    deploySecretName: string;
+    published: boolean;
+    /** Identity provider type. Defaults to "cdf" if not specified */
+    idpType?: 'cdf' | 'entra_id';
+    /** Tenant ID for Entra ID authentication. Required when idpType is "entra_id" */
+    tenantId?: string;
+};
+type App = {
+    externalId: string;
+    name: string;
+    description: string;
+    versionTag: string;
+};
+/**
+ * Package `dist/` into `<folder>/.cognite-bundles/<externalId>-<versionTag>.zip`
+ * and upload it via an already-authenticated `AppHostingClient`. Both deploy
+ * entry points (programmatic `deploy()` and the CLI's interactive path) reuse
+ * this so packaging/upload behaviour stays in one place.
+ *
+ * The bundle file is intentionally left on disk so the follow-on
+ * `cognite apps sign` + `cognite apps publish` flow can operate on the
+ * exact bytes the backend received.
+ */
+declare function packageAndUpload(client: AppHostingApiClient, app: App, folder: string, published: boolean): Promise<void>;
+/**
+ * Programmatic deploy used by CI scripts: resolves an SDK from the
+ * deployment's env-var credentials, then runs `packageAndUpload`.
+ */
+declare const deploy: (deployment: Deployment, app: App, folder: string) => Promise<void>;
 /**
  * Application Packaging
  *
@@ -111,4 +133,37 @@ declare function getSdk<C extends Authenticatable>(deployment: Deployment, folde
  */
 declare const getToken: (deployment: Deployment, env?: NodeJS.ProcessEnv) => Promise<string>;
-export { type App, AppHostingClient, ApplicationPackager, type Deployment, deploy, getSdk, getToken };
+/**
+ * Sibling-file discovery for bundle signatures written by `cognite sign`.
+ *
+ *   <bundle>.dev.sig     — developer signature
+ *   <bundle>.cert.sig    — certifier counter-signature (`--as-certifier`)
+ *
+ * Tokens are passed verbatim to the App Hosting `/signatures` endpoint; the
+ * backend verifies them against its key registry and tier policy.
+ *
+ * Collaborators are injected via `deps` so tests can stub fs without `vi.mock`.
+ */
+declare const SIGNATURE_SUFFIXES: readonly [".dev.sig", ".cert.sig"];
+type DiscoverSignaturesDeps = {
+    existsSync?: (path: string) => boolean;
+    readFileSync?: (path: string, encoding: 'utf8') => string;
+};
+declare function discoverSignatures(bundlePath: string, deps?: DiscoverSignaturesDeps): string[];
+/**
+ * Stable on-disk location for a packaged app bundle, keyed on app + version.
+ *
+ * `cognite apps deploy` writes the zip here and leaves it in place, so the
+ * subsequent `cognite apps sign` + `cognite apps publish` steps operate on
+ * the *exact bytes* that were uploaded — the bundle SHA in the signed
+ * payload matches what the backend has on hand.
+ *
+ * Lives under a single gitignored folder (`.cognite-bundles/`) so signed
+ * artefacts don't accidentally land in version control.
+ */
+declare const BUNDLE_DIR = ".cognite-bundles";
+declare function bundleFileName(externalId: string, versionTag: string): string;
+declare function bundlePath(cwd: string, externalId: string, versionTag: string): string;
+export { type App, AppHostingClient, ApplicationPackager, BUNDLE_DIR, type Deployment, SIGNATURE_SUFFIXES, bundleFileName, bundlePath, deploy, discoverSignatures, getSdk, getToken, packageAndUpload };

package/dist/deploy/index.js CHANGED Viewed

	@@ -1 +1 @@
1	- import{a,b,c,d,e}from"../chunk-~~QOJVLP7E~~.js";export{a as AppHostingClient,b as ApplicationPackager,e as deploy,d as getSdk,c as getToken};
1	+ import{a,b,c,d,e,f,g,h,i,j,k}from"../chunk-TYYH4NWG.js";export{a as AppHostingClient,b as ApplicationPackager,c as BUNDLE_DIR,j as SIGNATURE_SUFFIXES,d as bundleFileName,e as bundlePath,i as deploy,k as discoverSignatures,g as getSdk,f as getToken,h as packageAndUpload};

package/dist/index.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-export { App, AppHostingClient, ApplicationPackager, Deployment, deploy, getSdk, getToken } from './deploy/index.js';
+export { App, AppHostingClient, ApplicationPackager, BUNDLE_DIR, Deployment, SIGNATURE_SUFFIXES, bundleFileName, bundlePath, deploy, discoverSignatures, getSdk, getToken, packageAndUpload } from './deploy/index.js';
 import '@cognite/sdk';

package/dist/index.js CHANGED Viewed

	@@ -1 +1 @@
1	- import{a as o,b as r,c as e,d as f,e as m}from"./chunk-~~QOJVLP7E~~.js";export{o as AppHostingClient,r as ApplicationPackager,m as deploy,f as getSdk,e as getToken};
1	+ import{a as o,b as r,c as e,d as f,e as m,f as p,g as t,h as x,i as a,j as b,k as c}from"./chunk-TYYH4NWG.js";export{o as AppHostingClient,r as ApplicationPackager,e as BUNDLE_DIR,b as SIGNATURE_SUFFIXES,f as bundleFileName,m as bundlePath,a as deploy,c as discoverSignatures,t as getSdk,p as getToken,x as packageAndUpload};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cognite/cli",
-  "version": "1.3.0",
+  "version": "1.3.2-alpha-zendesk",
   "description": "CLI for Cognite Data Fusion",
   "license": "SEE LICENSE IN LICENSE.md",
   "author": "Cognite",
@@ -49,6 +49,7 @@
     "@sentry/node": "^10.51.0",
     "@zip.js/zip.js": "^2.7.0",
     "chalk": "^5.6.2",
+    "clipboardy": "5.3.1",
     "commander": "^14.0.3",
     "dotenv": "^17.4.2",
     "enquirer": "^2.4.1",
@@ -75,14 +76,14 @@
     }
   },
   "devDependencies": {
-    "@types/ejs": "^3.1.5",
-    "ejs": "^3.1.10",
     "@mswjs/http-middleware": "^0.10.3",
+    "@types/ejs": "^3.1.5",
     "@types/express": "^5.0.6",
     "@types/node": "^24.10.1",
     "@types/react": "^19.2.6",
     "@types/react-dom": "^19.2.3",
     "@types/semver": "^7.7.0",
+    "ejs": "^3.1.10",
     "express": "^5.2.1",
     "msw": "^2.13.6",
     "react": "^19.2.6",

package/dist/chunk-QOJVLP7E.js DELETED Viewed

@@ -1,9 +0,0 @@
-var W=Object.defineProperty;var s=(e,t)=>W(e,"name",{value:t,configurable:!0});import Y from"fs";import gt from"path";var F="https://docs.cognite.com/cdf/access/";function m(e){return e!==null&&typeof e=="object"}s(m,"isRecord");function P(e){return e instanceof Error&&"status"in e&&typeof e.status=="number"}s(P,"isHttpError");function Z(e){switch(e){case 401:return`Your credentials are invalid or expired. Check your client ID and secret.
-  See: ${F}`;case 403:return`You don't have the required CDF capabilities. Please contact your CDF admin.
-  See: ${F}`;default:return}}s(Z,"httpStatusHint");function A(e){let t=e instanceof Error?e:new Error(String(e));if(!P(t))return null;let n=Z(t.status);return n?Object.assign(new Error(`${t.message}
-  ${n}`),{cause:t}):null}s(A,"enrichedHttpError");function X(e){if(!m(e))return null;let t=e.missing;if(Array.isArray(t))return t;let n=e.data;if(m(n)){let r=n.error;if(m(r)&&Array.isArray(r.missing))return r.missing;if(Array.isArray(n.missing))return n.missing}return null}s(X,"findMissingArray");function Q(e,t){if(!P(e)||e.status!==400)return!1;let n=X(e);return n?n.some(r=>m(r)&&typeof r.externalId=="string"&&t.includes(r.externalId)):!1}s(Q,"isMissingExternalIdError");function $(e,t){return P(e)&&e.status===404||Q(e,t)}s($,"isNotFoundError");var M=["DRAFT","PUBLISHED","DEPRECATED","ARCHIVED"],J=["ACTIVE","PREVIEW"],I=class I extends Error{constructor(t,n){super(`Version ${n} of app ${t} not found`),this.name="AppVersionNotFoundError",this.appExternalId=t,this.version=n}};s(I,"AppVersionNotFoundError");var k=I;function q(e,t){return e.includes(t)}s(q,"includesValue");function tt(e){return q(M,e)}s(tt,"isAppVersionLifecycleState");function et(e){return q(J,e)}s(et,"isAppVersionAlias");function nt(e){return typeof e.version=="string"&&tt(e.lifecycleState)&&typeof e.entrypoint=="string"&&typeof e.createdTime=="number"&&typeof e.createdBy=="string"&&typeof e.appExternalId=="string"&&(e.alias===void 0||et(e.alias))&&(e.comment===void 0||typeof e.comment=="string")}s(nt,"isAppVersion");function H(e){if(!m(e))throw new Error("Invalid version response: not an object");if(!nt(e))throw new Error("Invalid version response: missing or malformed fields");return e}s(H,"parseAppVersion");var T=class T{constructor(t){this.client=t}get appsBasePath(){return`/api/v1/projects/${encodeURIComponent(this.client.project)}/apphosting/apps`}async createApp(t,n,r){try{await this.client.post(this.appsBasePath,{data:{items:[{externalId:t,name:n,description:r}]}})}catch(o){throw A(o)??o}}async uploadVersion(t,n,r,o,i="index.html"){console.log(`\u{1F4E4} Uploading version ${n}...`);let a=new FormData;a.append("file",new Blob([new Uint8Array(r)]),o),a.append("version",n),a.append("entryPath",i);let l=encodeURIComponent(t),c=`${this.appsBasePath}/${l}/versions`,p=await this.client.authenticate(),g=`${this.client.getBaseUrl()}${c}`,u=new AbortController,G=setTimeout(()=>u.abort(),300*1e3),h;try{h=await fetch(g,{method:"POST",headers:{Authorization:`Bearer ${p}`},body:a,signal:u.signal})}catch(f){throw f instanceof Error&&f.name==="AbortError"?new Error("Upload timed out after 5 minutes"):f}finally{clearTimeout(G)}if(!h.ok){let f=await h.text(),V=f;try{let x=JSON.parse(f);if(m(x)){let w=x.error;if(typeof w=="string")V=w;else if(m(w)){let E=w.message,B=w.code;V=typeof E=="string"?E:B!=null?`Unknown error (code: ${B})`:f}else{let E=x.message;V=typeof E=="string"?E:f}}}catch{}let j=h.headers.get("x-request-id"),K=j?` | X-Request-ID: ${j}`:"",N=Object.assign(new Error(`Upload failed: ${h.status} \u2014 ${V}${K}`),{status:h.status});throw A(N)??N}console.log(`\u2705 Version ${n} uploaded`)}async getVersion(t,n){let r=encodeURIComponent(t),o=encodeURIComponent(n),i=`${this.appsBasePath}/${r}/versions/${o}`;try{let a=await this.client.get(i);return H(a.data)}catch(a){throw $(a,[t,n])?new k(t,n):A(a)??a}}async getActiveVersion(t){let n=encodeURIComponent(t),r=`${this.appsBasePath}/${n}/active`;try{let o=await this.client.get(r);return H(o.data)}catch(o){if($(o,[t]))return null;throw A(o)??o}}async updateVersions(t,n){let r=encodeURIComponent(t),o=`${this.appsBasePath}/${r}/versions/update`;try{await this.client.post(o,{data:{items:n}})}catch(i){throw A(i)??i}}};s(T,"AppHostingApi");var v=T;var b=class b{constructor(t){this.api=new v(t)}getVersion(t,n){return this.api.getVersion(t,n)}uploadVersion(t,n,r,o,i){return this.api.uploadVersion(t,n,r,o,i)}async ensureApp(t,n,r){console.log("\u{1F50D} Ensuring app exists...");try{await this.api.createApp(t,n,r),console.log(`\u2705 App '${t}' created`)}catch(o){if(P(o)&&o.status===409){console.log(`\u2705 App '${t}' already exists`);return}throw o}}async publishVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"}}}])}async publishAndActivate(t,n){console.log(`\u{1F680} Publishing and activating version ${n}...`),await this.api.updateVersions(t,[{version:n,update:{lifecycleState:{set:"PUBLISHED"},alias:{set:"ACTIVE"}}}]),console.log(`\u2705 Version ${n} is now PUBLISHED and ACTIVE`)}getActiveVersion(t){return this.api.getActiveVersion(t)}async deactivateVersion(t,n){await this.api.updateVersions(t,[{version:n,update:{alias:{setNull:!0}}}])}async activateVersion(t,n){let r=null;try{r=await this.api.getActiveVersion(t)}catch{r=null}let o=r&&r.version!==n?r.version:void 0;return await this.api.updateVersions(t,[{version:n,update:{alias:{set:"ACTIVE"}}}]),{supersededVersion:o}}async deploy(t,n,r,o,i,a,l=!1){console.log(`
-\u{1F680} Deploying application via App Hosting API...
-`);try{await this.ensureApp(t,n,r),await this.uploadVersion(t,o,i,a),l&&await this.publishAndActivate(t,o),console.log(`
-\u2705 Deployment successful!`)}catch(c){let p=c instanceof Error?c.message:String(c);throw Object.assign(new Error(`Deployment failed: ${p}`),{cause:c})}}};s(b,"AppHostingClient");var S=b;import y from"fs";import d from"path";import{parseAndValidateManifestConfig as rt}from"@cognite/app-sdk/vite";import{BlobReader as ot,Uint8ArrayWriter as st,ZipWriter as it}from"@zip.js/zip.js";var R="package.json",D="package-lock.json",z="manifest.json",_=".cognite",L=class L{constructor(t="dist"){this.distPath=d.isAbsolute(t)?t:d.join(process.cwd(),t),this.appRoot=d.dirname(this.distPath)}validateBuildDirectory(){if(!y.existsSync(this.distPath))throw new Error(`Build directory "${this.distPath}" not found. Run build first.`);let t=d.join(this.appRoot,R);if(!y.existsSync(t))throw new Error(`"${t}" not found. It is required for deployment.`);let n=d.join(this.appRoot,D);if(!y.existsSync(n))throw new Error(`"${n}" not found. It is required for deployment.`)}async createZip(t="app.zip",n=!1){this.validateBuildDirectory(),console.log("\u{1F4E6} Packaging application...");let r=new it(new st,{level:9}),o=s(async(c,p)=>{await r.add(p,new ot(await y.openAsBlob(c))),n&&console.log(`  \u{1F4C4} ${p}`)},"addFile"),i=s(async c=>{let p=await y.promises.readdir(c,{withFileTypes:!0});for(let g of p){let u=d.join(c,g.name);g.isDirectory()?await i(u):await o(u,d.relative(this.distPath,u).replace(/\\/g,"/"))}},"addDir"),a;try{await i(this.distPath);let c=d.join(this.appRoot,R);await o(c,d.posix.join(_,R));let p=d.join(this.appRoot,z);if(y.existsSync(p)){let u=y.readFileSync(p,"utf-8");rt(u,p),await o(p,d.posix.join(_,z))}let g=d.join(this.appRoot,D);await o(g,d.posix.join(_,D)),a=await r.close()}catch(c){let p=c instanceof Error?c.message:String(c);throw new Error(`Failed to create zip: ${p}`)}await y.promises.writeFile(t,a);let l=(a.byteLength/1024/1024).toFixed(2);return console.log(`\u2705 App packaged: ${t} (${l} MB)`),t}};s(L,"ApplicationPackager");var C=L;import{CogniteClient as ut}from"@cognite/sdk";var at=s(()=>{let e=process.env.DEPLOYMENT_SECRETS;if(!e)return{};try{let t=JSON.parse(e),n={};for(let[r,o]of Object.entries(t))if(typeof o=="string"){let i=r.toLowerCase().replace(/_/g,"-");n[i]=o}return n}catch(t){return console.error("Error parsing DEPLOYMENT_SECRETS:",t),{}}},"loadSecretsFromEnv"),ct=s(e=>{let t;if(process.env.DEPLOYMENT_SECRET&&(t=process.env.DEPLOYMENT_SECRET),t||(t=at()[e]),t||(t=process.env[e]),!t)throw new Error(`Secret not found in environment: ${e}`);return t},"getSecretFromEnv"),pt=s(e=>{if(!e)return"";try{return new URL(e).hostname.replace(/\.cognitedata\.com$/,"")}catch{let t=e.replace(/^https?:\/\//,"");return t=t.split("/")[0],t=t.split(":")[0],t=t.replace(/\.cognitedata\.com$/,""),t}},"extractClusterFromUrl"),lt=s(async(e,t)=>{let n=`Basic ${btoa(`${e}:${t}`)}`,r=await fetch("https://auth.cognite.com/oauth2/token",{method:"POST",headers:{Authorization:n,"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({grant_type:"client_credentials"})});if(!r.ok){let i=await r.text();throw new Error(`Failed to get token from CDF: ${r.status} ${r.statusText}
-${i}`)}let o=await r.json();if(!o.access_token)throw new Error("No access token returned from CDF authentication");return o.access_token},"getTokenCdf"),dt=s(async(e,t,n,r)=>{if(!r)throw new Error("Entra ID authentication requires 'baseUrl' to be set in deployment configuration");let o=pt(r);if(!o)throw new Error(`Entra ID authentication requires 'baseUrl' to be a valid CDF URL (e.g., https://cluster.cognitedata.com), got: ${r}`);let i=`https://login.microsoftonline.com/${n}/oauth2/v2.0/token`,a=`https://${o}.cognitedata.com/.default`,l=await fetch(i,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:new URLSearchParams({client_id:e,client_secret:t,scope:a,grant_type:"client_credentials"})});if(!l.ok){let p=await l.text();throw new Error(`Failed to get token from Entra ID: ${l.status} ${l.statusText}
-${p}`)}let c=await l.json();if(!c.access_token)throw new Error("No access token returned from Entra ID authentication");return c.access_token},"getTokenEntra"),O=s(async(e,t=process.env)=>{if(t.COGNITE_TOKEN)return t.COGNITE_TOKEN;let{deployClientId:n,deploySecretName:r,idpType:o="cdf",tenantId:i,baseUrl:a}=e,l=ct(r);if(o==="entra_id"){if(!i)throw new Error("Entra ID authentication requires 'tenantId' in deployment configuration");return dt(n,l,i,a)}return lt(n,l)},"getToken");async function U(e,t,n=process.env,r){let o=await O(e,n),i=n.COGNITE_BASE_URL??e.baseUrl,a=(r??(l=>new ut(l)))({appId:t,project:e.project,baseUrl:i,oidcTokenProvider:s(async()=>o,"oidcTokenProvider")});return await a.authenticate(),a}s(U,"getSdk");var ft=s(async(e,t,n)=>{let r=await new C(`${n}/dist`).createZip("app.zip",!0);try{let{externalId:o,name:i,description:a,versionTag:l}=t,c=await U(e,n),p=new S(c),g=Y.readFileSync(r),u=gt.basename(r);await p.deploy(o,i,a,l,g,u,e.published)}finally{try{Y.unlinkSync(r)}catch{}}},"deploy");export{S as a,C as b,O as c,U as d,ft as e};