@cxtms/cx-schema 1.5.10 → 1.6.0

package/dist/cli.js

@@ -42,12 +42,43 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+const crypto = __importStar(require("crypto"));
+const os = __importStar(require("os"));
 const chalk_1 = __importDefault(require("chalk"));
 const yaml_1 = __importStar(require("yaml"));
 const validator_1 = require("./validator");
 const workflowValidator_1 = require("./workflowValidator");
 const extractUtils_1 = require("./extractUtils");
 // ============================================================================
+// .env loader — load KEY=VALUE pairs from .env in CWD into process.env
+// ============================================================================
+function loadEnvFile() {
+    const envPath = path.join(process.cwd(), '.env');
+    if (!fs.existsSync(envPath))
+        return;
+    const lines = fs.readFileSync(envPath, 'utf-8').split('\n');
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#'))
+            continue;
+        const eqIdx = trimmed.indexOf('=');
+        if (eqIdx < 1)
+            continue;
+        const key = trimmed.slice(0, eqIdx).trim();
+        let value = trimmed.slice(eqIdx + 1).trim();
+        // Strip surrounding quotes
+        if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        if (!process.env[key]) {
+            process.env[key] = value;
+        }
+    }
+}
+loadEnvFile();
+// ============================================================================
 // Constants
 // ============================================================================
 const VERSION = require('../package.json').version;
@@ -79,6 +110,13 @@ ${chalk_1.default.bold.yellow('COMMANDS:')}
   ${chalk_1.default.green('install-skills')}  Install Claude Code skills into project .claude/skills/
   ${chalk_1.default.green('setup-claude')}    Add CX project instructions to CLAUDE.md
   ${chalk_1.default.green('update')}          Update @cxtms/cx-schema to the latest version
+  ${chalk_1.default.green('login')}           Login to a CX environment (OAuth2 + PKCE)
+  ${chalk_1.default.green('logout')}          Logout from a CX environment
+  ${chalk_1.default.green('pat')}             Manage personal access tokens (create, list, revoke)
+  ${chalk_1.default.green('orgs')}            List, select, or set active organization
+  ${chalk_1.default.green('appmodule')}       Manage app modules on a CX server (push, delete)
+  ${chalk_1.default.green('workflow')}        Manage workflows on a CX server (push, delete, executions, logs)
+  ${chalk_1.default.green('publish')}         Publish all modules and workflows to a CX server
   ${chalk_1.default.green('schema')}          Show JSON schema for a component or task
   ${chalk_1.default.green('example')}         Show example YAML for a component or task
   ${chalk_1.default.green('list')}            List available schemas (modules, workflows, tasks)
@@ -101,6 +139,7 @@ ${chalk_1.default.bold.yellow('OPTIONS:')}
   ${chalk_1.default.green('--tasks <list>')}         Comma-separated task enums for create task-schema
   ${chalk_1.default.green('--to <file>')}            Target file for extract command
   ${chalk_1.default.green('--copy')}                 Copy component instead of moving (source unchanged, target gets higher priority)
+  ${chalk_1.default.green('--org <id>')}             Organization ID for appmodule commands
 
 ${chalk_1.default.bold.yellow('VALIDATION EXAMPLES:')}
   ${chalk_1.default.gray('# Validate a module YAML file')}
@@ -166,6 +205,77 @@ ${chalk_1.default.bold.yellow('SCHEMA COMMANDS:')}
   ${chalk_1.default.cyan(`${PROGRAM_NAME} list`)}
   ${chalk_1.default.cyan(`${PROGRAM_NAME} list --type workflow`)}
 
+${chalk_1.default.bold.yellow('AUTH COMMANDS:')}
+  ${chalk_1.default.gray('# Login to a CX environment')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} login https://qa.storevista.acuitive.net`)}
+
+  ${chalk_1.default.gray('# Logout from a CX environment')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} logout https://qa.storevista.acuitive.net`)}
+
+  ${chalk_1.default.gray('# List stored sessions')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} logout`)}
+
+${chalk_1.default.bold.yellow('PAT COMMANDS:')}
+  ${chalk_1.default.gray('# Check PAT token status and setup instructions')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat setup`)}
+
+  ${chalk_1.default.gray('# Create a new PAT token')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat create "my-token-name"`)}
+
+  ${chalk_1.default.gray('# List active PAT tokens')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat list`)}
+
+  ${chalk_1.default.gray('# Revoke a PAT token by ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat revoke <tokenId>`)}
+
+${chalk_1.default.bold.yellow('ORG COMMANDS:')}
+  ${chalk_1.default.gray('# List organizations on the server')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs list`)}
+
+  ${chalk_1.default.gray('# Interactively select an organization')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs select`)}
+
+  ${chalk_1.default.gray('# Set active organization by ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs use <orgId>`)}
+
+  ${chalk_1.default.gray('# Show current context (server, org, app)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs use`)}
+
+${chalk_1.default.bold.yellow('APPMODULE COMMANDS:')}
+  ${chalk_1.default.gray('# Push a module YAML to the server (creates or updates)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} appmodule push modules/my-module.yaml`)}
+
+  ${chalk_1.default.gray('# Push with explicit org ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} appmodule push modules/my-module.yaml --org 42`)}
+
+  ${chalk_1.default.gray('# Delete an app module by UUID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} appmodule delete <appModuleId>`)}
+
+${chalk_1.default.bold.yellow('WORKFLOW COMMANDS:')}
+  ${chalk_1.default.gray('# Push a workflow YAML to the server (creates or updates)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow push workflows/my-workflow.yaml`)}
+
+  ${chalk_1.default.gray('# Delete a workflow by UUID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow delete <workflowId>`)}
+
+  ${chalk_1.default.gray('# List recent executions for a workflow')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow executions <workflowId>`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow executions workflows/my-workflow.yaml`)}
+
+  ${chalk_1.default.gray('# Show execution details and logs')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow logs <executionId>`)}
+
+${chalk_1.default.bold.yellow('PUBLISH COMMANDS:')}
+  ${chalk_1.default.gray('# Publish all modules and workflows from current project')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish`)}
+
+  ${chalk_1.default.gray('# Publish only a specific feature directory')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish --feature billing`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish billing`)}
+
+  ${chalk_1.default.gray('# Publish with explicit org ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish --org 42`)}
+
 ${chalk_1.default.bold.yellow('VALIDATION TYPES:')}
   ${chalk_1.default.bold('module')}     - CargoXplorer UI module definitions (components, routes, entities)
   ${chalk_1.default.bold('workflow')}   - CargoXplorer workflow definitions (activities, tasks, triggers)
@@ -182,6 +292,8 @@ ${chalk_1.default.bold.yellow('EXIT CODES:')}
   ${chalk_1.default.red('2')}  - CLI error (invalid arguments, file not found, etc.)
 
 ${chalk_1.default.bold.yellow('ENVIRONMENT VARIABLES:')}
+  ${chalk_1.default.green('CXTMS_AUTH')}         - PAT token for authentication (skips OAuth login)
+  ${chalk_1.default.green('CXTMS_SERVER')}       - Server URL when using PAT auth (or set \`server\` in app.yaml)
   ${chalk_1.default.green('CX_SCHEMA_PATH')}     - Default path to schemas directory
   ${chalk_1.default.green('NO_COLOR')}           - Disable colored output
 
@@ -1338,6 +1450,1203 @@ function runSetupClaude() {
     console.log('');
 }
 // ============================================================================
+// Auth (Login / Logout)
+// ============================================================================
+const AUTH_CALLBACK_PORT = 9000;
+const AUTH_TIMEOUT_MS = 2 * 60 * 1000; // 2 minutes
+function getTokenDir() {
+    return path.join(os.homedir(), '.cxtms');
+}
+function getTokenFilePath(domain) {
+    const hostname = new URL(domain).hostname;
+    return path.join(getTokenDir(), `${hostname}.json`);
+}
+function readTokenFile(domain) {
+    const filePath = getTokenFilePath(domain);
+    if (!fs.existsSync(filePath))
+        return null;
+    return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+}
+function writeTokenFile(data) {
+    const dir = getTokenDir();
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(getTokenFilePath(data.domain), JSON.stringify(data, null, 2), 'utf-8');
+}
+function deleteTokenFile(domain) {
+    const filePath = getTokenFilePath(domain);
+    if (fs.existsSync(filePath)) {
+        fs.unlinkSync(filePath);
+    }
+}
+function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+function generateCodeChallenge(verifier) {
+    return crypto.createHash('sha256').update(verifier).digest('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+function httpsPost(url, body, contentType) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(url);
+        const isHttps = parsed.protocol === 'https:';
+        const lib = isHttps ? https : http;
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port || (isHttps ? 443 : 80),
+            path: parsed.pathname + parsed.search,
+            method: 'POST',
+            headers: {
+                'Content-Type': contentType,
+                'Content-Length': Buffer.byteLength(body),
+            },
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => data += chunk);
+            res.on('end', () => resolve({ statusCode: res.statusCode || 0, body: data }));
+        });
+        req.on('error', reject);
+        req.write(body);
+        req.end();
+    });
+}
+function openBrowser(url) {
+    const { exec } = require('child_process');
+    const cmd = process.platform === 'win32' ? `start "" "${url}"`
+        : process.platform === 'darwin' ? `open "${url}"`
+            : `xdg-open "${url}"`;
+    exec(cmd);
+}
+function startCallbackServer() {
+    return new Promise((resolve, reject) => {
+        const server = http.createServer((req, res) => {
+            const reqUrl = new URL(req.url || '/', `http://127.0.0.1:${AUTH_CALLBACK_PORT}`);
+            if (reqUrl.pathname === '/callback') {
+                const code = reqUrl.searchParams.get('code');
+                const error = reqUrl.searchParams.get('error');
+                if (error) {
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end('<html><body><h2>Login failed</h2><p>You can close this tab.</p></body></html>');
+                    reject(new Error(`OAuth error: ${error} - ${reqUrl.searchParams.get('error_description') || ''}`));
+                    server.close();
+                    return;
+                }
+                if (code) {
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end('<html><body><h2>Login successful!</h2><p>You can close this tab and return to the terminal.</p></body></html>');
+                    resolve({ code, close: () => server.close() });
+                    return;
+                }
+            }
+            res.writeHead(404);
+            res.end();
+        });
+        server.on('error', (err) => {
+            if (err.code === 'EADDRINUSE') {
+                reject(new Error(`Port ${AUTH_CALLBACK_PORT} is already in use. Close the process using it and try again.`));
+            }
+            else {
+                reject(err);
+            }
+        });
+        server.listen(AUTH_CALLBACK_PORT, '127.0.0.1');
+    });
+}
+async function registerOAuthClient(domain) {
+    const res = await httpsPost(`${domain}/connect/register`, JSON.stringify({
+        client_name: `cx-cli-${crypto.randomBytes(4).toString('hex')}`,
+        redirect_uris: [`http://localhost:${AUTH_CALLBACK_PORT}/callback`],
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        token_endpoint_auth_method: 'none',
+    }), 'application/json');
+    if (res.statusCode !== 200 && res.statusCode !== 201) {
+        throw new Error(`Client registration failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    if (!data.client_id) {
+        throw new Error('Client registration response missing client_id');
+    }
+    return data.client_id;
+}
+async function exchangeCodeForTokens(domain, clientId, code, codeVerifier) {
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: clientId,
+        code,
+        redirect_uri: `http://localhost:${AUTH_CALLBACK_PORT}/callback`,
+        code_verifier: codeVerifier,
+    }).toString();
+    const res = await httpsPost(`${domain}/connect/token`, body, 'application/x-www-form-urlencoded');
+    if (res.statusCode !== 200) {
+        throw new Error(`Token exchange failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    return {
+        domain,
+        client_id: clientId,
+        access_token: data.access_token,
+        refresh_token: data.refresh_token,
+        expires_at: Math.floor(Date.now() / 1000) + (data.expires_in || 3600),
+    };
+}
+async function revokeToken(domain, clientId, token) {
+    try {
+        await httpsPost(`${domain}/connect/revoke`, new URLSearchParams({ client_id: clientId, token }).toString(), 'application/x-www-form-urlencoded');
+    }
+    catch {
+        // Revocation failures are non-fatal
+    }
+}
+async function refreshTokens(stored) {
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id: stored.client_id,
+        refresh_token: stored.refresh_token,
+    }).toString();
+    const res = await httpsPost(`${stored.domain}/connect/token`, body, 'application/x-www-form-urlencoded');
+    if (res.statusCode !== 200) {
+        throw new Error(`Token refresh failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    const updated = {
+        ...stored,
+        access_token: data.access_token,
+        refresh_token: data.refresh_token || stored.refresh_token,
+        expires_at: Math.floor(Date.now() / 1000) + (data.expires_in || 3600),
+    };
+    writeTokenFile(updated);
+    return updated;
+}
+async function runLogin(domain) {
+    // Normalize URL
+    if (!domain.startsWith('http://') && !domain.startsWith('https://')) {
+        domain = `https://${domain}`;
+    }
+    domain = domain.replace(/\/+$/, '');
+    try {
+        new URL(domain);
+    }
+    catch {
+        console.error(chalk_1.default.red('Error: Invalid URL'));
+        process.exit(2);
+    }
+    console.log(chalk_1.default.bold.cyan('\n  CX CLI Login\n'));
+    // Step 1: Register client
+    console.log(chalk_1.default.gray('  Registering OAuth client...'));
+    const clientId = await registerOAuthClient(domain);
+    console.log(chalk_1.default.green('  ✓ Client registered'));
+    // Step 2: PKCE
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    // Step 3: Start callback server
+    const callbackPromise = startCallbackServer();
+    // Step 4: Open browser
+    const authUrl = `${domain}/connect/authorize?` + new URLSearchParams({
+        client_id: clientId,
+        redirect_uri: `http://localhost:${AUTH_CALLBACK_PORT}/callback`,
+        response_type: 'code',
+        scope: 'openid offline_access TMS.ApiAPI',
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+    }).toString();
+    console.log(chalk_1.default.gray('  Opening browser for login...'));
+    openBrowser(authUrl);
+    console.log(chalk_1.default.gray(`  Waiting for login (timeout: 2 min)...`));
+    // Step 5: Wait for callback with timeout
+    const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error('Login timed out after 2 minutes. Please try again.')), AUTH_TIMEOUT_MS));
+    const { code, close } = await Promise.race([callbackPromise, timeoutPromise]);
+    // Step 6: Exchange code for tokens
+    console.log(chalk_1.default.gray('  Exchanging authorization code...'));
+    const tokens = await exchangeCodeForTokens(domain, clientId, code, codeVerifier);
+    // Step 7: Store tokens
+    writeTokenFile(tokens);
+    close();
+    console.log(chalk_1.default.green(`  ✓ Logged in to ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Token stored at: ${getTokenFilePath(domain)}\n`));
+}
+async function runLogout(domain) {
+    if (!domain) {
+        // List stored sessions
+        const dir = getTokenDir();
+        if (!fs.existsSync(dir)) {
+            console.log(chalk_1.default.gray('\n  No stored sessions.\n'));
+            return;
+        }
+        const files = fs.readdirSync(dir).filter(f => f.endsWith('.json'));
+        if (files.length === 0) {
+            console.log(chalk_1.default.gray('\n  No stored sessions.\n'));
+            return;
+        }
+        console.log(chalk_1.default.bold.cyan('\n  Stored sessions:\n'));
+        for (const f of files) {
+            const hostname = f.replace('.json', '');
+            console.log(chalk_1.default.white(`    ${hostname}`));
+        }
+        console.log(chalk_1.default.gray(`\n  Usage: ${PROGRAM_NAME} logout <url>\n`));
+        return;
+    }
+    // Normalize URL
+    if (!domain.startsWith('http://') && !domain.startsWith('https://')) {
+        domain = `https://${domain}`;
+    }
+    domain = domain.replace(/\/+$/, '');
+    const stored = readTokenFile(domain);
+    if (!stored) {
+        console.log(chalk_1.default.gray(`\n  No session found for ${new URL(domain).hostname}\n`));
+        return;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  CX CLI Logout\n'));
+    // Revoke tokens (non-fatal)
+    console.log(chalk_1.default.gray('  Revoking tokens...'));
+    await revokeToken(domain, stored.client_id, stored.access_token);
+    await revokeToken(domain, stored.client_id, stored.refresh_token);
+    // Delete local file
+    deleteTokenFile(domain);
+    console.log(chalk_1.default.green(`  ✓ Logged out from ${new URL(domain).hostname}\n`));
+}
+// ============================================================================
+// AppModule Commands
+// ============================================================================
+async function graphqlRequest(domain, token, query, variables) {
+    const body = JSON.stringify({ query, variables });
+    let res = await graphqlPostWithAuth(domain, token, body);
+    if (res.statusCode === 401) {
+        // PAT tokens have no refresh — fail immediately
+        if (process.env.CXTMS_AUTH)
+            throw new Error('PAT token unauthorized (401). Check your CXTMS_AUTH token.');
+        // Try refresh for OAuth sessions
+        const stored = readTokenFile(domain);
+        if (!stored)
+            throw new Error('Session expired. Run `cx-cli login <url>` again.');
+        try {
+            const refreshed = await refreshTokens(stored);
+            res = await graphqlPostWithAuth(domain, refreshed.access_token, body);
+        }
+        catch {
+            throw new Error('Session expired. Run `cx-cli login <url>` again.');
+        }
+    }
+    // Try to parse GraphQL errors from 400 responses too
+    let json;
+    try {
+        json = JSON.parse(res.body);
+    }
+    catch {
+        if (res.statusCode !== 200) {
+            throw new Error(`GraphQL request failed (${res.statusCode}): ${res.body}`);
+        }
+        throw new Error('Invalid JSON response from GraphQL endpoint');
+    }
+    if (json.errors && json.errors.length > 0) {
+        const messages = json.errors.map((e) => {
+            const ext = e.extensions?.message;
+            return ext && ext !== e.message ? `${e.message} — ${ext}` : e.message;
+        });
+        throw new Error(`GraphQL error: ${messages.join('; ')}`);
+    }
+    if (res.statusCode !== 200) {
+        throw new Error(`GraphQL request failed (${res.statusCode}): ${res.body}`);
+    }
+    return json.data;
+}
+function graphqlPostWithAuth(domain, token, body) {
+    return new Promise((resolve, reject) => {
+        const url = `${domain}/api/graphql`;
+        const parsed = new URL(url);
+        const isHttps = parsed.protocol === 'https:';
+        const lib = isHttps ? https : http;
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port || (isHttps ? 443 : 80),
+            path: parsed.pathname + parsed.search,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(body),
+                'Authorization': `Bearer ${token}`,
+            },
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => data += chunk);
+            res.on('end', () => resolve({ statusCode: res.statusCode || 0, body: data }));
+        });
+        req.on('error', reject);
+        req.write(body);
+        req.end();
+    });
+}
+function resolveDomainFromAppYaml() {
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (!fs.existsSync(appYamlPath))
+        return null;
+    const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+    const serverDomain = appYaml?.server || appYaml?.domain;
+    if (!serverDomain)
+        return null;
+    let domain = serverDomain;
+    if (!domain.startsWith('http://') && !domain.startsWith('https://')) {
+        domain = `https://${domain}`;
+    }
+    return domain.replace(/\/+$/, '');
+}
+function resolveSession() {
+    // 0. Check for PAT token in env (CXTMS_AUTH) — skips OAuth entirely
+    const patToken = process.env.CXTMS_AUTH;
+    if (patToken) {
+        const domain = process.env.CXTMS_SERVER ? process.env.CXTMS_SERVER.replace(/\/+$/, '') : resolveDomainFromAppYaml();
+        if (!domain) {
+            console.error(chalk_1.default.red('CXTMS_AUTH is set but no server domain found.'));
+            console.error(chalk_1.default.gray('Add `server` to app.yaml or set CXTMS_SERVER in .env'));
+            process.exit(2);
+        }
+        return {
+            domain,
+            client_id: '',
+            access_token: patToken,
+            refresh_token: '',
+            expires_at: 0,
+        };
+    }
+    // 1. Check app.yaml in CWD for server field
+    const appDomain = resolveDomainFromAppYaml();
+    if (appDomain) {
+        const stored = readTokenFile(appDomain);
+        if (stored)
+            return stored;
+        console.error(chalk_1.default.red(`Not logged in to ${appDomain}. Run \`cx-cli login ${appDomain}\` first.`));
+        process.exit(2);
+    }
+    // 2. Check for single session
+    const dir = getTokenDir();
+    if (!fs.existsSync(dir)) {
+        console.error(chalk_1.default.red('Not logged in. Run `cx-cli login <url>` first.'));
+        process.exit(2);
+    }
+    const files = fs.readdirSync(dir).filter(f => f.endsWith('.json'));
+    if (files.length === 0) {
+        console.error(chalk_1.default.red('Not logged in. Run `cx-cli login <url>` first.'));
+        process.exit(2);
+    }
+    if (files.length === 1) {
+        return JSON.parse(fs.readFileSync(path.join(dir, files[0]), 'utf-8'));
+    }
+    // 3. Multiple sessions — error
+    console.error(chalk_1.default.red('Multiple sessions found:'));
+    for (const f of files) {
+        console.error(chalk_1.default.white(`  ${f.replace('.json', '')}`));
+    }
+    console.error(chalk_1.default.gray('Add `server` field to app.yaml or use a single login session.'));
+    process.exit(2);
+}
+async function resolveOrgId(domain, token, override) {
+    // 1. Explicit override
+    if (override !== undefined)
+        return override;
+    // 2. Cached in token file
+    const stored = readTokenFile(domain);
+    if (stored?.organization_id)
+        return stored.organization_id;
+    // 3. Query server
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    if (!orgs || orgs.length === 0) {
+        throw new Error('No organizations found for this account.');
+    }
+    if (orgs.length === 1) {
+        const orgId = orgs[0].organizationId;
+        // Cache it
+        if (stored) {
+            stored.organization_id = orgId;
+            writeTokenFile(stored);
+        }
+        return orgId;
+    }
+    // Multiple orgs — list and exit
+    console.error(chalk_1.default.yellow('\n  Multiple organizations found:\n'));
+    for (const org of orgs) {
+        console.error(chalk_1.default.white(`    ${org.organizationId}  ${org.companyName}`));
+    }
+    console.error(chalk_1.default.gray(`\n  Run \`cx-cli orgs select\` to choose, or pass --org <id>.\n`));
+    process.exit(2);
+}
+async function runAppModulePush(file, orgOverride) {
+    if (!file) {
+        console.error(chalk_1.default.red('Error: File path required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} appmodule push <file.yaml> [--org <id>]`));
+        process.exit(2);
+    }
+    if (!fs.existsSync(file)) {
+        console.error(chalk_1.default.red(`Error: File not found: ${file}`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Read and parse YAML
+    const yamlContent = fs.readFileSync(file, 'utf-8');
+    const parsed = yaml_1.default.parse(yamlContent);
+    const appModuleId = parsed?.module?.appModuleId;
+    if (!appModuleId) {
+        console.error(chalk_1.default.red('Error: Module YAML is missing module.appModuleId'));
+        process.exit(2);
+    }
+    // Read app.yaml for appManifestId, fall back to cached session
+    let appManifestId;
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (fs.existsSync(appYamlPath)) {
+        const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+        appManifestId = appYaml?.id;
+    }
+    if (!appManifestId && session.app_manifest_id) {
+        appManifestId = session.app_manifest_id;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  AppModule Push\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  Module:  ${appModuleId}`));
+    console.log('');
+    // Check if module exists
+    const checkData = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $appModuleId: UUID!) {
+      appModule(organizationId: $organizationId, appModuleId: $appModuleId) {
+        appModuleId
+      }
+    }
+  `, { organizationId: orgId, appModuleId });
+    if (checkData?.appModule) {
+        // Update
+        console.log(chalk_1.default.gray('  Updating existing module...'));
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: UpdateAppModuleInput!) {
+        updateAppModule(input: $input) {
+          appModule { appModuleId name }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                appModuleId,
+                values: { appModuleYamlDocument: yamlContent },
+            },
+        });
+        const mod = result?.updateAppModule?.appModule;
+        console.log(chalk_1.default.green(`  ✓ Updated: ${mod?.name || appModuleId}\n`));
+    }
+    else {
+        // Create
+        console.log(chalk_1.default.gray('  Creating new module...'));
+        const values = { appModuleYamlDocument: yamlContent };
+        if (appManifestId)
+            values.appManifestId = appManifestId;
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: CreateAppModuleInput!) {
+        createAppModule(input: $input) {
+          appModule { appModuleId name }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                values,
+            },
+        });
+        const mod = result?.createAppModule?.appModule;
+        console.log(chalk_1.default.green(`  ✓ Created: ${mod?.name || appModuleId}\n`));
+    }
+}
+async function runAppModuleDelete(uuid, orgOverride) {
+    if (!uuid) {
+        console.error(chalk_1.default.red('Error: AppModule ID required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} appmodule delete <appModuleId> [--org <id>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    console.log(chalk_1.default.bold.cyan('\n  AppModule Delete\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  Module:  ${uuid}`));
+    console.log('');
+    await graphqlRequest(domain, token, `
+    mutation ($input: DeleteAppModuleInput!) {
+      deleteAppModule(input: $input) {
+        deleteResult { __typename }
+      }
+    }
+  `, {
+        input: {
+            organizationId: orgId,
+            appModuleId: uuid,
+        },
+    });
+    console.log(chalk_1.default.green(`  ✓ Deleted: ${uuid}\n`));
+}
+async function runOrgsList() {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    if (!orgs || orgs.length === 0) {
+        console.log(chalk_1.default.gray('\n  No organizations found.\n'));
+        return;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  Organizations\n'));
+    console.log(chalk_1.default.gray(`  Server: ${new URL(domain).hostname}\n`));
+    for (const org of orgs) {
+        const current = session.organization_id === org.organizationId;
+        const marker = current ? chalk_1.default.green(' ← current') : '';
+        console.log(chalk_1.default.white(`    ${org.organizationId}  ${org.companyName}${marker}`));
+    }
+    console.log('');
+}
+async function runOrgsUse(orgIdStr) {
+    if (!orgIdStr) {
+        // Show current context
+        const session = resolveSession();
+        const domain = session.domain;
+        console.log(chalk_1.default.bold.cyan('\n  Current Context\n'));
+        console.log(chalk_1.default.white(`  Server:  ${new URL(domain).hostname}`));
+        if (session.organization_id) {
+            console.log(chalk_1.default.white(`  Org:     ${session.organization_id}`));
+        }
+        else {
+            console.log(chalk_1.default.gray(`  Org:     (not set)`));
+        }
+        if (session.app_manifest_id) {
+            console.log(chalk_1.default.white(`  App:     ${session.app_manifest_id}`));
+        }
+        else {
+            // Try reading from app.yaml
+            const appYamlPath = path.join(process.cwd(), 'app.yaml');
+            if (fs.existsSync(appYamlPath)) {
+                const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+                if (appYaml?.id) {
+                    console.log(chalk_1.default.white(`  App:     ${appYaml.id} ${chalk_1.default.gray('(from app.yaml)')}`));
+                }
+                else {
+                    console.log(chalk_1.default.gray(`  App:     (not set)`));
+                }
+            }
+            else {
+                console.log(chalk_1.default.gray(`  App:     (not set)`));
+            }
+        }
+        console.log('');
+        return;
+    }
+    const orgId = parseInt(orgIdStr, 10);
+    if (isNaN(orgId)) {
+        console.error(chalk_1.default.red(`Invalid organization ID: ${orgIdStr}. Must be a number.`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    // Validate the org exists
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    const match = orgs?.find((o) => o.organizationId === orgId);
+    if (!match) {
+        console.error(chalk_1.default.red(`Organization ${orgId} not found.`));
+        if (orgs?.length) {
+            console.error(chalk_1.default.gray('\n  Available organizations:'));
+            for (const org of orgs) {
+                console.error(chalk_1.default.white(`    ${org.organizationId}  ${org.companyName}`));
+            }
+        }
+        console.error('');
+        process.exit(2);
+    }
+    // Save to token file
+    session.organization_id = orgId;
+    writeTokenFile(session);
+    console.log(chalk_1.default.green(`\n  ✓ Context set to: ${match.companyName} (${orgId})\n`));
+}
+async function runOrgsSelect() {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    if (!orgs || orgs.length === 0) {
+        console.log(chalk_1.default.gray('\n  No organizations found.\n'));
+        return;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  Select Organization\n'));
+    console.log(chalk_1.default.gray(`  Server: ${new URL(domain).hostname}\n`));
+    for (let i = 0; i < orgs.length; i++) {
+        const org = orgs[i];
+        const current = session.organization_id === org.organizationId;
+        const marker = current ? chalk_1.default.green(' ← current') : '';
+        console.log(chalk_1.default.white(`    ${i + 1}) ${org.organizationId}  ${org.companyName}${marker}`));
+    }
+    console.log('');
+    const readline = require('readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise((resolve) => {
+        rl.question(chalk_1.default.yellow('  Enter number: '), (ans) => {
+            rl.close();
+            resolve(ans.trim());
+        });
+    });
+    const idx = parseInt(answer, 10) - 1;
+    if (isNaN(idx) || idx < 0 || idx >= orgs.length) {
+        console.error(chalk_1.default.red('\n  Invalid selection.\n'));
+        process.exit(2);
+    }
+    const selected = orgs[idx];
+    session.organization_id = selected.organizationId;
+    writeTokenFile(session);
+    console.log(chalk_1.default.green(`\n  ✓ Context set to: ${selected.companyName} (${selected.organizationId})\n`));
+}
+// ============================================================================
+// Workflow Commands
+// ============================================================================
+async function runWorkflowPush(file, orgOverride) {
+    if (!file) {
+        console.error(chalk_1.default.red('Error: File path required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow push <file.yaml> [--org <id>]`));
+        process.exit(2);
+    }
+    if (!fs.existsSync(file)) {
+        console.error(chalk_1.default.red(`Error: File not found: ${file}`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    const yamlContent = fs.readFileSync(file, 'utf-8');
+    const parsed = yaml_1.default.parse(yamlContent);
+    const workflowId = parsed?.workflow?.workflowId;
+    if (!workflowId) {
+        console.error(chalk_1.default.red('Error: Workflow YAML is missing workflow.workflowId'));
+        process.exit(2);
+    }
+    const workflowName = parsed?.workflow?.name || workflowId;
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Push\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:       ${orgId}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${workflowName}`));
+    console.log('');
+    // Check if workflow exists
+    const checkData = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $workflowId: UUID!) {
+      workflow(organizationId: $organizationId, workflowId: $workflowId) {
+        workflowId
+      }
+    }
+  `, { organizationId: orgId, workflowId });
+    if (checkData?.workflow) {
+        console.log(chalk_1.default.gray('  Updating existing workflow...'));
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: UpdateWorkflowInput!) {
+        updateWorkflow(input: $input) {
+          workflow { workflowId }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                workflowId,
+                workflowYamlDocument: yamlContent,
+            },
+        });
+        console.log(chalk_1.default.green(`  ✓ Updated: ${workflowName}\n`));
+    }
+    else {
+        console.log(chalk_1.default.gray('  Creating new workflow...'));
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: CreateWorkflowInput!) {
+        createWorkflow(input: $input) {
+          workflow { workflowId }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                workflowYamlDocument: yamlContent,
+            },
+        });
+        console.log(chalk_1.default.green(`  ✓ Created: ${workflowName}\n`));
+    }
+}
+async function runWorkflowDelete(uuid, orgOverride) {
+    if (!uuid) {
+        console.error(chalk_1.default.red('Error: Workflow ID required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow delete <workflowId> [--org <id>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Delete\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:       ${orgId}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${uuid}`));
+    console.log('');
+    await graphqlRequest(domain, token, `
+    mutation ($input: DeleteWorkflowInput!) {
+      deleteWorkflow(input: $input) {
+        deleteResult { __typename }
+      }
+    }
+  `, {
+        input: {
+            organizationId: orgId,
+            workflowId: uuid,
+        },
+    });
+    console.log(chalk_1.default.green(`  ✓ Deleted: ${uuid}\n`));
+}
+async function runWorkflowExecutions(workflowIdOrFile, orgOverride) {
+    if (!workflowIdOrFile) {
+        console.error(chalk_1.default.red('Error: Workflow ID or YAML file required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow executions <workflowId|file.yaml> [--org <id>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Resolve workflowId — accept UUID directly or extract from YAML file
+    let workflowId = workflowIdOrFile;
+    if (workflowIdOrFile.endsWith('.yaml') || workflowIdOrFile.endsWith('.yml')) {
+        if (!fs.existsSync(workflowIdOrFile)) {
+            console.error(chalk_1.default.red(`Error: File not found: ${workflowIdOrFile}`));
+            process.exit(2);
+        }
+        const parsed = yaml_1.default.parse(fs.readFileSync(workflowIdOrFile, 'utf-8'));
+        workflowId = parsed?.workflow?.workflowId;
+        if (!workflowId) {
+            console.error(chalk_1.default.red('Error: Workflow YAML is missing workflow.workflowId'));
+            process.exit(2);
+        }
+    }
+    const data = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $workflowId: UUID!) {
+      workflowExecutions(organizationId: $organizationId, workflowId: $workflowId, take: 25) {
+        totalCount
+        items { executionId executionStatus executedAt durationMs userId }
+      }
+    }
+  `, { organizationId: orgId, workflowId });
+    const items = data?.workflowExecutions?.items || [];
+    const total = data?.workflowExecutions?.totalCount || 0;
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Executions\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${workflowId}`));
+    console.log(chalk_1.default.gray(`  Total:     ${total}\n`));
+    if (items.length === 0) {
+        console.log(chalk_1.default.gray('  No executions found.\n'));
+        return;
+    }
+    // Sort descending by executedAt (API may not support ordering)
+    items.sort((a, b) => new Date(b.executedAt).getTime() - new Date(a.executedAt).getTime());
+    for (const ex of items) {
+        const date = new Date(ex.executedAt).toLocaleString();
+        const duration = ex.durationMs != null ? `${(ex.durationMs / 1000).toFixed(1)}s` : '?';
+        const statusColor = ex.executionStatus === 'Success' ? chalk_1.default.green : ex.executionStatus === 'Failed' ? chalk_1.default.red : chalk_1.default.yellow;
+        console.log(chalk_1.default.white(`    ${ex.executionId}  ${statusColor(ex.executionStatus.padEnd(10))}  ${date}  ${chalk_1.default.gray(duration)}`));
+    }
+    console.log('');
+}
+async function runWorkflowLogs(executionId, orgOverride) {
+    if (!executionId) {
+        console.error(chalk_1.default.red('Error: Execution ID required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow logs <executionId> [--org <id>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Fetch execution details
+    const data = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $executionId: UUID!) {
+      workflowExecution(organizationId: $organizationId, executionId: $executionId) {
+        executionId workflowId executionStatus executedAt durationMs
+      }
+    }
+  `, { organizationId: orgId, executionId });
+    const ex = data?.workflowExecution;
+    if (!ex) {
+        console.error(chalk_1.default.red(`Execution not found: ${executionId}`));
+        process.exit(2);
+    }
+    const date = new Date(ex.executedAt).toLocaleString();
+    const duration = ex.durationMs != null ? `${(ex.durationMs / 1000).toFixed(1)}s` : '?';
+    const statusColor = ex.executionStatus === 'Success' ? chalk_1.default.green : ex.executionStatus === 'Failed' ? chalk_1.default.red : chalk_1.default.yellow;
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Execution\n'));
+    console.log(chalk_1.default.white(`  ID:        ${ex.executionId}`));
+    console.log(chalk_1.default.white(`  Workflow:  ${ex.workflowId}`));
+    console.log(chalk_1.default.white(`  Status:    ${statusColor(ex.executionStatus)}`));
+    console.log(chalk_1.default.white(`  Executed:  ${date}`));
+    console.log(chalk_1.default.white(`  Duration:  ${duration}`));
+    // Try to fetch log via REST endpoint
+    const logUrl = `${domain}/api/workflow-executions/${executionId}/log?organizationId=${orgId}`;
+    try {
+        const logRes = await new Promise((resolve, reject) => {
+            const parsed = new URL(logUrl);
+            const isHttps = parsed.protocol === 'https:';
+            const lib = isHttps ? https : http;
+            const req = lib.request({
+                hostname: parsed.hostname,
+                port: parsed.port || (isHttps ? 443 : 80),
+                path: parsed.pathname + parsed.search,
+                method: 'GET',
+                headers: { 'Authorization': `Bearer ${token}` },
+            }, (res) => {
+                let d = '';
+                res.on('data', (chunk) => d += chunk);
+                res.on('end', () => resolve({ statusCode: res.statusCode || 0, body: d }));
+            });
+            req.on('error', reject);
+            req.end();
+        });
+        if (logRes.statusCode === 200 && logRes.body) {
+            console.log(chalk_1.default.gray('\n  --- Log ---\n'));
+            console.log(logRes.body);
+        }
+        else {
+            console.log(chalk_1.default.gray('\n  Logs not available via REST API.'));
+            console.log(chalk_1.default.gray(`  Use TMS MCP to download execution logs.\n`));
+        }
+    }
+    catch {
+        console.log(chalk_1.default.gray('\n  Logs not available via REST API.'));
+        console.log(chalk_1.default.gray(`  Use TMS MCP to download execution logs.\n`));
+    }
+}
+// ============================================================================
+// Publish Command
+// ============================================================================
+async function pushWorkflowQuiet(domain, token, orgId, file) {
+    let name = path.basename(file);
+    try {
+        const yamlContent = fs.readFileSync(file, 'utf-8');
+        const parsed = yaml_1.default.parse(yamlContent);
+        const workflowId = parsed?.workflow?.workflowId;
+        name = parsed?.workflow?.name || name;
+        if (!workflowId)
+            return { ok: false, name, error: 'Missing workflow.workflowId' };
+        const checkData = await graphqlRequest(domain, token, `
+      query ($organizationId: Int!, $workflowId: UUID!) {
+        workflow(organizationId: $organizationId, workflowId: $workflowId) { workflowId }
+      }
+    `, { organizationId: orgId, workflowId });
+        if (checkData?.workflow) {
+            await graphqlRequest(domain, token, `
+        mutation ($input: UpdateWorkflowInput!) {
+          updateWorkflow(input: $input) { workflow { workflowId } }
+        }
+      `, { input: { organizationId: orgId, workflowId, workflowYamlDocument: yamlContent } });
+        }
+        else {
+            await graphqlRequest(domain, token, `
+        mutation ($input: CreateWorkflowInput!) {
+          createWorkflow(input: $input) { workflow { workflowId } }
+        }
+      `, { input: { organizationId: orgId, workflowYamlDocument: yamlContent } });
+        }
+        return { ok: true, name };
+    }
+    catch (e) {
+        return { ok: false, name, error: e.message };
+    }
+}
+async function pushModuleQuiet(domain, token, orgId, file, appManifestId) {
+    let name = path.basename(file);
+    try {
+        const yamlContent = fs.readFileSync(file, 'utf-8');
+        const parsed = yaml_1.default.parse(yamlContent);
+        const appModuleId = parsed?.module?.appModuleId;
+        name = parsed?.module?.name || name;
+        if (!appModuleId)
+            return { ok: false, name, error: 'Missing module.appModuleId' };
+        const checkData = await graphqlRequest(domain, token, `
+      query ($organizationId: Int!, $appModuleId: UUID!) {
+        appModule(organizationId: $organizationId, appModuleId: $appModuleId) { appModuleId }
+      }
+    `, { organizationId: orgId, appModuleId });
+        if (checkData?.appModule) {
+            await graphqlRequest(domain, token, `
+        mutation ($input: UpdateAppModuleInput!) {
+          updateAppModule(input: $input) { appModule { appModuleId name } }
+        }
+      `, { input: { organizationId: orgId, appModuleId, values: { appModuleYamlDocument: yamlContent } } });
+        }
+        else {
+            const values = { appModuleYamlDocument: yamlContent };
+            if (appManifestId)
+                values.appManifestId = appManifestId;
+            await graphqlRequest(domain, token, `
+        mutation ($input: CreateAppModuleInput!) {
+          createAppModule(input: $input) { appModule { appModuleId name } }
+        }
+      `, { input: { organizationId: orgId, values } });
+        }
+        return { ok: true, name };
+    }
+    catch (e) {
+        return { ok: false, name, error: e.message };
+    }
+}
+// ============================================================================
+// PAT Token Commands
+// ============================================================================
+async function runPatCreate(name) {
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const data = await graphqlRequest(domain, token, `
+    mutation ($input: CreatePersonalAccessTokenInput!) {
+      createPersonalAccessToken(input: $input) {
+        createPatPayload {
+          token
+          personalAccessToken { id name scopes }
+        }
+      }
+    }
+  `, { input: { input: { name, scopes: ['TMS.ApiAPI'] } } });
+    const payload = data?.createPersonalAccessToken?.createPatPayload;
+    const patToken = payload?.token;
+    const pat = payload?.personalAccessToken;
+    if (!patToken) {
+        console.error(chalk_1.default.red('Failed to create PAT token — no token returned.'));
+        process.exit(2);
+    }
+    console.log(chalk_1.default.green('PAT token created successfully!'));
+    console.log();
+    console.log(chalk_1.default.bold('  Token:'), chalk_1.default.cyan(patToken));
+    console.log(chalk_1.default.bold('  ID:   '), chalk_1.default.gray(pat?.id || 'unknown'));
+    console.log(chalk_1.default.bold('  Name: '), pat?.name || name);
+    console.log();
+    console.log(chalk_1.default.yellow('⚠  Copy the token now — it will not be shown again.'));
+    console.log();
+    console.log(chalk_1.default.bold('To use PAT authentication, add to your project .env file:'));
+    console.log();
+    console.log(chalk_1.default.cyan(`  CXTMS_AUTH=${patToken}`));
+    console.log(chalk_1.default.cyan(`  CXTMS_SERVER=${domain}`));
+    console.log();
+    console.log(chalk_1.default.gray('When CXTMS_AUTH is set, cx-cli will skip OAuth login and use the PAT token directly.'));
+    console.log(chalk_1.default.gray('You can also export these as environment variables instead of using .env.'));
+}
+async function runPatList() {
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const data = await graphqlRequest(domain, token, `
+    {
+      personalAccessTokens(skip: 0, take: 50) {
+        items { id name createdAt expiresAt lastUsedAt scopes }
+        totalCount
+      }
+    }
+  `, {});
+    const items = data?.personalAccessTokens?.items || [];
+    const total = data?.personalAccessTokens?.totalCount ?? items.length;
+    if (items.length === 0) {
+        console.log(chalk_1.default.gray('No active PAT tokens found.'));
+        return;
+    }
+    console.log(chalk_1.default.bold(`PAT tokens (${total}):\n`));
+    for (const t of items) {
+        const expires = t.expiresAt ? new Date(t.expiresAt).toLocaleDateString() : 'never';
+        const lastUsed = t.lastUsedAt ? new Date(t.lastUsedAt).toLocaleDateString() : 'never';
+        console.log(`  ${chalk_1.default.cyan(t.name || '(unnamed)')}`);
+        console.log(`    ID:        ${chalk_1.default.gray(t.id)}`);
+        console.log(`    Created:   ${new Date(t.createdAt).toLocaleDateString()}`);
+        console.log(`    Expires:   ${expires}`);
+        console.log(`    Last used: ${lastUsed}`);
+        console.log(`    Scopes:    ${(t.scopes || []).join(', ') || 'none'}`);
+        console.log();
+    }
+}
+async function runPatRevoke(id) {
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const data = await graphqlRequest(domain, token, `
+    mutation ($input: RevokePersonalAccessTokenInput!) {
+      revokePersonalAccessToken(input: $input) {
+        personalAccessToken { id name revokedAt }
+      }
+    }
+  `, { input: { id } });
+    const revoked = data?.revokePersonalAccessToken?.personalAccessToken;
+    if (revoked) {
+        console.log(chalk_1.default.green(`PAT token revoked: ${revoked.name || revoked.id}`));
+    }
+    else {
+        console.log(chalk_1.default.green('PAT token revoked.'));
+    }
+}
+async function runPatSetup() {
+    const patToken = process.env.CXTMS_AUTH;
+    const server = process.env.CXTMS_SERVER || resolveDomainFromAppYaml();
+    console.log(chalk_1.default.bold('PAT Token Status:\n'));
+    if (patToken) {
+        const masked = patToken.slice(0, 8) + '...' + patToken.slice(-4);
+        console.log(chalk_1.default.green(`  CXTMS_AUTH is set: ${masked}`));
+    }
+    else {
+        console.log(chalk_1.default.yellow('  CXTMS_AUTH is not set'));
+    }
+    if (server) {
+        console.log(chalk_1.default.green(`  Server:           ${server}`));
+    }
+    else {
+        console.log(chalk_1.default.yellow('  Server:           not configured (add `server` to app.yaml or set CXTMS_SERVER)'));
+    }
+    console.log();
+    if (patToken && server) {
+        console.log(chalk_1.default.green('PAT authentication is active. OAuth login will be skipped.'));
+    }
+    else {
+        console.log(chalk_1.default.bold('To set up PAT authentication:'));
+        console.log();
+        console.log(chalk_1.default.white('  1. Create a token:'));
+        console.log(chalk_1.default.cyan('     cx-cli pat create "my-token-name"'));
+        console.log();
+        console.log(chalk_1.default.white('  2. Add to your project .env file:'));
+        console.log(chalk_1.default.cyan('     CXTMS_AUTH=pat_xxxxx'));
+        console.log(chalk_1.default.cyan('     CXTMS_SERVER=https://your-server.com'));
+        console.log();
+        console.log(chalk_1.default.gray('  Or set `server` in app.yaml instead of CXTMS_SERVER.'));
+    }
+}
+async function runPublish(featureDir, orgOverride) {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Read app.yaml
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (!fs.existsSync(appYamlPath)) {
+        console.error(chalk_1.default.red('Error: app.yaml not found in current directory'));
+        process.exit(2);
+    }
+    const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+    const appManifestId = appYaml?.id;
+    const appName = appYaml?.name || 'unknown';
+    console.log(chalk_1.default.bold.cyan('\n  Publish\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  App:     ${appName}`));
+    if (featureDir) {
+        console.log(chalk_1.default.gray(`  Feature: ${featureDir}`));
+    }
+    console.log('');
+    // Step 1: Create or update app manifest
+    if (appManifestId) {
+        console.log(chalk_1.default.gray('  Publishing app manifest...'));
+        try {
+            const checkData = await graphqlRequest(domain, token, `
+        query ($organizationId: Int!, $appManifestId: UUID!) {
+          appManifest(organizationId: $organizationId, appManifestId: $appManifestId) { appManifestId }
+        }
+      `, { organizationId: orgId, appManifestId });
+            if (checkData?.appManifest) {
+                await graphqlRequest(domain, token, `
+          mutation ($input: UpdateAppManifestInput!) {
+            updateAppManifest(input: $input) { appManifest { appManifestId name } }
+          }
+        `, { input: { organizationId: orgId, appManifestId, values: { name: appName, description: appYaml?.description || '' } } });
+                console.log(chalk_1.default.green('  ✓ App manifest updated'));
+            }
+            else {
+                await graphqlRequest(domain, token, `
+          mutation ($input: CreateAppManifestInput!) {
+            createAppManifest(input: $input) { appManifest { appManifestId name } }
+          }
+        `, { input: { organizationId: orgId, values: { appManifestId, name: appName, description: appYaml?.description || '' } } });
+                console.log(chalk_1.default.green('  ✓ App manifest created'));
+            }
+        }
+        catch (e) {
+            console.log(chalk_1.default.red(`  ✗ App manifest failed: ${e.message}`));
+        }
+    }
+    // Step 2: Discover files
+    const baseDir = featureDir ? path.join(process.cwd(), 'features', featureDir) : process.cwd();
+    if (featureDir && !fs.existsSync(baseDir)) {
+        console.error(chalk_1.default.red(`Error: Feature directory not found: features/${featureDir}`));
+        process.exit(2);
+    }
+    const workflowDirs = [path.join(baseDir, 'workflows')];
+    const moduleDirs = [path.join(baseDir, 'modules')];
+    // Collect YAML files
+    const workflowFiles = [];
+    const moduleFiles = [];
+    for (const dir of workflowDirs) {
+        if (fs.existsSync(dir)) {
+            for (const f of fs.readdirSync(dir)) {
+                if (f.endsWith('.yaml') || f.endsWith('.yml')) {
+                    workflowFiles.push(path.join(dir, f));
+                }
+            }
+        }
+    }
+    for (const dir of moduleDirs) {
+        if (fs.existsSync(dir)) {
+            for (const f of fs.readdirSync(dir)) {
+                if (f.endsWith('.yaml') || f.endsWith('.yml')) {
+                    moduleFiles.push(path.join(dir, f));
+                }
+            }
+        }
+    }
+    console.log(chalk_1.default.gray(`\n  Found ${workflowFiles.length} workflow(s), ${moduleFiles.length} module(s)\n`));
+    let succeeded = 0;
+    let failed = 0;
+    // Step 3: Push workflows
+    for (const file of workflowFiles) {
+        const relPath = path.relative(process.cwd(), file);
+        const result = await pushWorkflowQuiet(domain, token, orgId, file);
+        if (result.ok) {
+            console.log(chalk_1.default.green(`  ✓ ${relPath}`));
+            succeeded++;
+        }
+        else {
+            console.log(chalk_1.default.red(`  ✗ ${relPath}: ${result.error}`));
+            failed++;
+        }
+    }
+    // Step 4: Push modules
+    for (const file of moduleFiles) {
+        const relPath = path.relative(process.cwd(), file);
+        const result = await pushModuleQuiet(domain, token, orgId, file, appManifestId);
+        if (result.ok) {
+            console.log(chalk_1.default.green(`  ✓ ${relPath}`));
+            succeeded++;
+        }
+        else {
+            console.log(chalk_1.default.red(`  ✗ ${relPath}: ${result.error}`));
+            failed++;
+        }
+    }
+    // Summary
+    console.log('');
+    if (failed === 0) {
+        console.log(chalk_1.default.green(`  ✓ Published ${succeeded} file(s) successfully\n`));
+    }
+    else {
+        console.log(chalk_1.default.yellow(`  Published ${succeeded} file(s), ${failed} failed\n`));
+    }
+}
+// ============================================================================
 // Extract Command
 // ============================================================================
 function runExtract(sourceFile, componentName, targetFile, copy) {
@@ -1548,7 +2857,7 @@ function parseArgs(args) {
         reportFormat: 'json'
     };
     // Check for commands
-    const commands = ['validate', 'schema', 'example', 'list', 'help', 'version', 'report', 'init', 'create', 'extract', 'sync-schemas', 'install-skills', 'update', 'setup-claude'];
+    const commands = ['validate', 'schema', 'example', 'list', 'help', 'version', 'report', 'init', 'create', 'extract', 'sync-schemas', 'install-skills', 'update', 'setup-claude', 'login', 'logout', 'pat', 'appmodule', 'orgs', 'workflow', 'publish'];
     if (args.length > 0 && commands.includes(args[0])) {
         command = args[0];
         args = args.slice(1);
@@ -1624,6 +2933,15 @@ function parseArgs(args) {
         else if (arg === '--copy') {
             options.extractCopy = true;
         }
+        else if (arg === '--org') {
+            const orgArg = args[++i];
+            const parsed = parseInt(orgArg, 10);
+            if (isNaN(parsed)) {
+                console.error(chalk_1.default.red(`Invalid --org value: ${orgArg}. Must be a number.`));
+                process.exit(2);
+            }
+            options.orgId = parsed;
+        }
         else if (!arg.startsWith('-')) {
             files.push(arg);
         }
@@ -2413,6 +3731,115 @@ async function main() {
         console.log(`cx-cli v${VERSION}`);
         process.exit(0);
     }
+    // Handle login command (no schemas needed)
+    if (command === 'login') {
+        if (!files[0]) {
+            console.error(chalk_1.default.red('Error: URL required'));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} login <url>`));
+            process.exit(2);
+        }
+        await runLogin(files[0]);
+        process.exit(0);
+    }
+    // Handle logout command (no schemas needed)
+    if (command === 'logout') {
+        await runLogout(files[0]);
+        process.exit(0);
+    }
+    // Handle pat command (no schemas needed)
+    if (command === 'pat') {
+        const sub = files[0];
+        if (sub === 'create') {
+            if (!files[1]) {
+                console.error(chalk_1.default.red('Error: Token name required'));
+                console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} pat create <name>`));
+                process.exit(2);
+            }
+            await runPatCreate(files[1]);
+        }
+        else if (sub === 'list' || !sub) {
+            await runPatList();
+        }
+        else if (sub === 'revoke') {
+            if (!files[1]) {
+                console.error(chalk_1.default.red('Error: Token ID required'));
+                console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} pat revoke <tokenId>`));
+                process.exit(2);
+            }
+            await runPatRevoke(files[1]);
+        }
+        else if (sub === 'setup') {
+            await runPatSetup();
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown pat subcommand: ${sub}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} pat <create|list|revoke|setup>`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle orgs command (no schemas needed)
+    if (command === 'orgs') {
+        const sub = files[0];
+        if (sub === 'list' || !sub) {
+            await runOrgsList();
+        }
+        else if (sub === 'use') {
+            await runOrgsUse(files[1]);
+        }
+        else if (sub === 'select') {
+            await runOrgsSelect();
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown orgs subcommand: ${sub}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} orgs <list|use|select>`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle appmodule command (no schemas needed)
+    if (command === 'appmodule') {
+        const sub = files[0];
+        if (sub === 'push') {
+            await runAppModulePush(files[1], options.orgId);
+        }
+        else if (sub === 'delete') {
+            await runAppModuleDelete(files[1], options.orgId);
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown appmodule subcommand: ${sub || '(none)'}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} appmodule <push|delete> ...`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle workflow command (no schemas needed)
+    if (command === 'workflow') {
+        const sub = files[0];
+        if (sub === 'push') {
+            await runWorkflowPush(files[1], options.orgId);
+        }
+        else if (sub === 'delete') {
+            await runWorkflowDelete(files[1], options.orgId);
+        }
+        else if (sub === 'executions') {
+            await runWorkflowExecutions(files[1], options.orgId);
+        }
+        else if (sub === 'logs') {
+            await runWorkflowLogs(files[1], options.orgId);
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown workflow subcommand: ${sub || '(none)'}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow <push|delete|executions|logs> ...`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle publish command (no schemas needed)
+    if (command === 'publish') {
+        await runPublish(files[0] || options.feature, options.orgId);
+        process.exit(0);
+    }
     // Find schemas path
     const schemasPath = options.schemasPath || findSchemasPath();
     if (!schemasPath) {