@cxtms/cx-schema 1.8.1 → 1.8.2

package/dist/cli.js

@@ -42,16 +42,47 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+const crypto = __importStar(require("crypto"));
+const os = __importStar(require("os"));
 const chalk_1 = __importDefault(require("chalk"));
 const yaml_1 = __importStar(require("yaml"));
 const validator_1 = require("./validator");
 const workflowValidator_1 = require("./workflowValidator");
 const extractUtils_1 = require("./extractUtils");
 // ============================================================================
+// .env loader — load KEY=VALUE pairs from .env in CWD into process.env
+// ============================================================================
+function loadEnvFile() {
+    const envPath = path.join(process.cwd(), '.env');
+    if (!fs.existsSync(envPath))
+        return;
+    const lines = fs.readFileSync(envPath, 'utf-8').split('\n');
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#'))
+            continue;
+        const eqIdx = trimmed.indexOf('=');
+        if (eqIdx < 1)
+            continue;
+        const key = trimmed.slice(0, eqIdx).trim();
+        let value = trimmed.slice(eqIdx + 1).trim();
+        // Strip surrounding quotes
+        if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        if (!process.env[key]) {
+            process.env[key] = value;
+        }
+    }
+}
+loadEnvFile();
+// ============================================================================
 // Constants
 // ============================================================================
 const VERSION = require('../package.json').version;
-const PROGRAM_NAME = 'cx-cli';
+const PROGRAM_NAME = 'cxtms';
 // ============================================================================
 // Help Text
 // ============================================================================
@@ -79,6 +110,16 @@ ${chalk_1.default.bold.yellow('COMMANDS:')}
   ${chalk_1.default.green('install-skills')}  Install Claude Code skills into project .claude/skills/
   ${chalk_1.default.green('setup-claude')}    Add CX project instructions to CLAUDE.md
   ${chalk_1.default.green('update')}          Update @cxtms/cx-schema to the latest version
+  ${chalk_1.default.green('login')}           Login to a CX environment (OAuth2 + PKCE)
+  ${chalk_1.default.green('logout')}          Logout from a CX environment
+  ${chalk_1.default.green('pat')}             Manage personal access tokens (create, list, revoke)
+  ${chalk_1.default.green('orgs')}            List, select, or set active organization
+  ${chalk_1.default.green('appmodule')}       Manage app modules on a CX server (deploy, undeploy)
+  ${chalk_1.default.green('workflow')}        Manage workflows on a CX server (deploy, undeploy, execute, logs, log)
+  ${chalk_1.default.green('publish')}         Publish all modules and workflows to a CX server
+  ${chalk_1.default.green('app')}             Manage app manifests (install/upgrade from git, release to git, list)
+  ${chalk_1.default.green('query')}           Run a GraphQL query against the CX server
+  ${chalk_1.default.green('gql')}             Explore GraphQL schema (types, queries, mutations)
   ${chalk_1.default.green('schema')}          Show JSON schema for a component or task
   ${chalk_1.default.green('example')}         Show example YAML for a component or task
   ${chalk_1.default.green('list')}            List available schemas (modules, workflows, tasks)
@@ -101,6 +142,17 @@ ${chalk_1.default.bold.yellow('OPTIONS:')}
   ${chalk_1.default.green('--tasks <list>')}         Comma-separated task enums for create task-schema
   ${chalk_1.default.green('--to <file>')}            Target file for extract command
   ${chalk_1.default.green('--copy')}                 Copy component instead of moving (source unchanged, target gets higher priority)
+  ${chalk_1.default.green('--org <id>')}             Organization ID for server commands
+  ${chalk_1.default.green('--vars <json>')}          JSON variables for workflow execute
+  ${chalk_1.default.green('--from <date>')}          Filter logs from date (YYYY-MM-DD)
+  ${chalk_1.default.green('--to <date>')}            Filter logs to date (YYYY-MM-DD)
+  ${chalk_1.default.green('--output <file>')}        Save workflow log to file (or -o)
+  ${chalk_1.default.green('--console')}              Print workflow log to stdout
+  ${chalk_1.default.green('--json')}                 Download JSON log instead of text
+  ${chalk_1.default.green('-m, --message <msg>')}     Release message for app release (required)
+  ${chalk_1.default.green('-b, --branch <branch>')}   Branch override for app install/publish
+  ${chalk_1.default.green('--force')}                Force install (even if same version) or publish all
+  ${chalk_1.default.green('--skip-changed')}         Skip modules with unpublished changes during install
 
 ${chalk_1.default.bold.yellow('VALIDATION EXAMPLES:')}
   ${chalk_1.default.gray('# Validate a module YAML file')}
@@ -166,6 +218,136 @@ ${chalk_1.default.bold.yellow('SCHEMA COMMANDS:')}
   ${chalk_1.default.cyan(`${PROGRAM_NAME} list`)}
   ${chalk_1.default.cyan(`${PROGRAM_NAME} list --type workflow`)}
 
+${chalk_1.default.bold.yellow('AUTH COMMANDS:')}
+  ${chalk_1.default.gray('# Login to a CX environment')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} login https://qa.storevista.acuitive.net`)}
+
+  ${chalk_1.default.gray('# Logout from current session')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} logout`)}
+
+${chalk_1.default.bold.yellow('PAT COMMANDS:')}
+  ${chalk_1.default.gray('# Check PAT token status and setup instructions')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat setup`)}
+
+  ${chalk_1.default.gray('# Create a new PAT token')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat create "my-token-name"`)}
+
+  ${chalk_1.default.gray('# List active PAT tokens')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat list`)}
+
+  ${chalk_1.default.gray('# Revoke a PAT token by ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} pat revoke <tokenId>`)}
+
+${chalk_1.default.bold.yellow('ORG COMMANDS:')}
+  ${chalk_1.default.gray('# List organizations on the server')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs list`)}
+
+  ${chalk_1.default.gray('# Interactively select an organization')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs select`)}
+
+  ${chalk_1.default.gray('# Set active organization by ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs use <orgId>`)}
+
+  ${chalk_1.default.gray('# Show current context (server, org, app)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} orgs use`)}
+
+${chalk_1.default.bold.yellow('APPMODULE COMMANDS:')}
+  ${chalk_1.default.gray('# Deploy a module YAML to the server (creates or updates)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} appmodule deploy modules/my-module.yaml`)}
+
+  ${chalk_1.default.gray('# Deploy with explicit org ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} appmodule deploy modules/my-module.yaml --org 42`)}
+
+  ${chalk_1.default.gray('# Undeploy an app module by UUID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} appmodule undeploy <appModuleId>`)}
+
+${chalk_1.default.bold.yellow('WORKFLOW COMMANDS:')}
+  ${chalk_1.default.gray('# Deploy a workflow YAML to the server (creates or updates)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow deploy workflows/my-workflow.yaml`)}
+
+  ${chalk_1.default.gray('# Undeploy a workflow by UUID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow undeploy <workflowId>`)}
+
+  ${chalk_1.default.gray('# Execute a workflow')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow execute <workflowId|file.yaml>`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow execute <workflowId> --vars '{"city":"London"}'`)}
+
+  ${chalk_1.default.gray('# List execution logs for a workflow (sorted desc)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow logs <workflowId|file.yaml>`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow logs <workflowId> --from 2026-01-01 --to 2026-01-31`)}
+
+  ${chalk_1.default.gray('# Download a specific execution log')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow log <executionId>`)}                  ${chalk_1.default.gray('# save txt log to temp dir')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow log <executionId> --output log.txt`)}  ${chalk_1.default.gray('# save to file')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow log <executionId> --console`)}         ${chalk_1.default.gray('# print to stdout')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow log <executionId> --json`)}            ${chalk_1.default.gray('# download JSON log (more detail)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} workflow log <executionId> --json --console`)}  ${chalk_1.default.gray('# JSON log to stdout')}
+
+${chalk_1.default.bold.yellow('PUBLISH COMMANDS:')}
+  ${chalk_1.default.gray('# Publish all modules and workflows from current project')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish`)}
+
+  ${chalk_1.default.gray('# Publish only a specific feature directory')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish --feature billing`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish billing`)}
+
+  ${chalk_1.default.gray('# Publish with explicit org ID')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} publish --org 42`)}
+
+${chalk_1.default.bold.yellow('APP COMMANDS:')}
+  ${chalk_1.default.gray('# Install/refresh app from git repository into the CX server')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app install`)}
+
+  ${chalk_1.default.gray('# Force reinstall even if same version')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app install --force`)}
+
+  ${chalk_1.default.gray('# Install from a specific branch')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app install --branch develop`)}
+
+  ${chalk_1.default.gray('# Install but skip modules that have local changes')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app install --skip-changed`)}
+
+  ${chalk_1.default.gray('# Upgrade app from git (alias for install)')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app upgrade`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app upgrade --force`)}
+
+  ${chalk_1.default.gray('# Release server changes to git (creates a PR) — message is required')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app release -m "Add new shipping module"`)}
+
+  ${chalk_1.default.gray('# Release specific workflows and/or modules by YAML file')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app release -m "Fix order workflow" workflows/my-workflow.yaml`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app release -m "Update billing" workflows/a.yaml modules/b.yaml`)}
+
+  ${chalk_1.default.gray('# Force release all modules and workflows')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app release -m "Full republish" --force`)}
+
+  ${chalk_1.default.gray('# List installed app manifests on the server')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} app list`)}
+
+${chalk_1.default.bold.yellow('QUERY COMMANDS:')}
+  ${chalk_1.default.gray('# Run an inline GraphQL query')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} query '{ organizations(take: 5) { items { organizationId companyName } } }'`)}
+
+  ${chalk_1.default.gray('# Run a query from a .graphql file')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} query my-query.graphql`)}
+
+  ${chalk_1.default.gray('# Pass variables as JSON')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} query my-query.graphql --vars '{"id": 42}'`)}
+
+${chalk_1.default.bold.yellow('GRAPHQL SCHEMA EXPLORATION:')}
+  ${chalk_1.default.gray('# List all queries, mutations, and types')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql queries`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql mutations`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql types`)}
+
+  ${chalk_1.default.gray('# Filter by name')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql types --filter audit`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql queries --filter order`)}
+
+  ${chalk_1.default.gray('# Inspect a specific type')}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql type OrderGqlDto`)}
+  ${chalk_1.default.cyan(`${PROGRAM_NAME} gql type AuditChangeEntry`)}
+
 ${chalk_1.default.bold.yellow('VALIDATION TYPES:')}
   ${chalk_1.default.bold('module')}     - CargoXplorer UI module definitions (components, routes, entities)
   ${chalk_1.default.bold('workflow')}   - CargoXplorer workflow definitions (activities, tasks, triggers)
@@ -182,6 +364,8 @@ ${chalk_1.default.bold.yellow('EXIT CODES:')}
   ${chalk_1.default.red('2')}  - CLI error (invalid arguments, file not found, etc.)
 
 ${chalk_1.default.bold.yellow('ENVIRONMENT VARIABLES:')}
+  ${chalk_1.default.green('CXTMS_AUTH')}         - PAT token for authentication (skips OAuth login)
+  ${chalk_1.default.green('CXTMS_SERVER')}       - Server URL when using PAT auth (or set \`server\` in app.yaml)
   ${chalk_1.default.green('CX_SCHEMA_PATH')}     - Default path to schemas directory
   ${chalk_1.default.green('NO_COLOR')}           - Disable colored output
 
@@ -327,7 +511,8 @@ function generateAppYaml(name) {
     const dirName = path.basename(process.cwd());
     const appName = name || dirName;
     const scopedName = appName.startsWith('@') ? appName : `@cargox/${appName}`;
-    return `name: "${scopedName}"
+    return `id: "${generateUUID()}"
+name: "${scopedName}"
 description: ""
 author: "CargoX"
 version: "1.0.0"
@@ -367,39 +552,39 @@ npm install @cxtms/cx-schema
 
 \`\`\`bash
 # Validate all modules
-npx cx-cli modules/*.yaml
+npx cxtms modules/*.yaml
 
 # Validate all workflows
-npx cx-cli workflows/*.yaml
+npx cxtms workflows/*.yaml
 
 # Validate with detailed output
-npx cx-cli --verbose modules/my-module.yaml
+npx cxtms --verbose modules/my-module.yaml
 
 # Generate validation report
-npx cx-cli report modules/*.yaml workflows/*.yaml --report report.html
+npx cxtms report modules/*.yaml workflows/*.yaml --report report.html
 \`\`\`
 
 ### Create new files
 
 \`\`\`bash
 # Create a new module
-npx cx-cli create module my-module
+npx cxtms create module my-module
 
 # Create a new workflow
-npx cx-cli create workflow my-workflow
+npx cxtms create workflow my-workflow
 \`\`\`
 
 ### View schemas and examples
 
 \`\`\`bash
 # List available schemas
-npx cx-cli list
+npx cxtms list
 
 # View schema for a component
-npx cx-cli schema form
+npx cxtms schema form
 
 # View example YAML
-npx cx-cli example workflow
+npx cxtms example workflow
 \`\`\`
 
 ## Documentation
@@ -420,13 +605,13 @@ When making changes to YAML files, always validate them:
 
 \`\`\`bash
 # Validate a specific module file
-npx cx-cli modules/<module-name>.yaml
+npx cxtms modules/<module-name>.yaml
 
 # Validate a specific workflow file
-npx cx-cli workflows/<workflow-name>.yaml
+npx cxtms workflows/<workflow-name>.yaml
 
 # Validate all files with a report
-npx cx-cli report modules/*.yaml workflows/*.yaml --report validation-report.md
+npx cxtms report modules/*.yaml workflows/*.yaml --report validation-report.md
 \`\`\`
 
 ## Schema Reference
@@ -435,14 +620,14 @@ Before editing components or tasks, check the schema:
 
 \`\`\`bash
 # View schema for components
-npx cx-cli schema form
-npx cx-cli schema dataGrid
-npx cx-cli schema layout
+npx cxtms schema form
+npx cxtms schema dataGrid
+npx cxtms schema layout
 
 # View schema for workflow tasks
-npx cx-cli schema foreach
-npx cx-cli schema graphql
-npx cx-cli schema switch
+npx cxtms schema foreach
+npx cxtms schema graphql
+npx cxtms schema switch
 \`\`\`
 
 ## Creating New Files
@@ -451,16 +636,16 @@ Use templates to create properly structured files:
 
 \`\`\`bash
 # Create a new module
-npx cx-cli create module <name>
+npx cxtms create module <name>
 
 # Create a new workflow
-npx cx-cli create workflow <name>
+npx cxtms create workflow <name>
 
 # Create from a specific template variant
-npx cx-cli create workflow <name> --template basic
+npx cxtms create workflow <name> --template basic
 
 # Create inside a feature folder (features/<name>/workflows/)
-npx cx-cli create workflow <name> --feature billing
+npx cxtms create workflow <name> --feature billing
 \`\`\`
 
 ## Module Structure
@@ -705,6 +890,23 @@ function applyFieldsToForm(form, fields) {
         }
     }
 }
+function applyFieldsToConfiguration(layout, fields) {
+    // Configuration fields are stored under customValues, so prefix all field names
+    const configFields = fields.map(f => ({
+        component: 'field',
+        name: `customValues.${f.name}`,
+        props: {
+            type: f.type,
+            label: { 'en-US': f.label || fieldNameToLabel(f.name) },
+            ...(f.required ? { required: true } : {})
+        }
+    }));
+    if (!layout.children)
+        layout.children = [];
+    layout.children.push(...configFields);
+    // Update defaultValue in configurations if present
+    // (handled separately since configurations is a top-level key)
+}
 function findDataGridComponents(obj) {
     const grids = [];
     if (!obj || typeof obj !== 'object')
@@ -832,9 +1034,16 @@ function applyCreateOptions(content, optionsArg) {
     if (!doc)
         throw new Error('Failed to parse template YAML for --options processing');
     let applied = false;
+    const isConfiguration = Array.isArray(doc.configurations);
     if (doc.components && Array.isArray(doc.components)) {
         for (const comp of doc.components) {
-            // Apply to form components (configuration template)
+            // Apply to configuration templates (fields go directly into layout children)
+            if (isConfiguration && comp.layout) {
+                applyFieldsToConfiguration(comp.layout, fields);
+                applied = true;
+                continue;
+            }
+            // Apply to form components
             const forms = findFormComponents(comp);
             for (const form of forms) {
                 applyFieldsToForm(form, fields);
@@ -862,6 +1071,18 @@ function applyCreateOptions(content, optionsArg) {
         applyFieldsToEntities(doc, fields, opts.entityName);
         applied = true;
     }
+    // Apply defaults to configuration defaultValue
+    if (isConfiguration && doc.configurations) {
+        for (const config of doc.configurations) {
+            if (!config.defaultValue)
+                config.defaultValue = {};
+            for (const f of fields) {
+                if (f.default !== undefined) {
+                    config.defaultValue[f.name] = f.default;
+                }
+            }
+        }
+    }
     if (!applied) {
         console.warn(chalk_1.default.yellow('Warning: --options provided but no form or dataGrid component found in template'));
         return content;
@@ -1224,19 +1445,27 @@ function runUpdate() {
     const { execSync } = require('child_process');
     console.log('  Updating to latest version...\n');
     try {
-        const output = execSync('npm install @cxtms/cx-schema@latest', {
+        execSync('npm install @cxtms/cx-schema@latest', {
             stdio: 'inherit',
             cwd: process.cwd()
         });
+        // Read installed version from the updated package
+        const installedPkgPath = path.join(process.cwd(), 'node_modules', '@cxtms', 'cx-schema', 'package.json');
+        let installedVersion = 'unknown';
+        if (fs.existsSync(installedPkgPath)) {
+            installedVersion = JSON.parse(fs.readFileSync(installedPkgPath, 'utf-8')).version;
+        }
         console.log('');
-        console.log(chalk_1.default.green('✓ @cxtms/cx-schema updated successfully!'));
-        console.log('');
+        console.log(chalk_1.default.green(`✓ @cxtms/cx-schema updated to v${installedVersion}`));
     }
     catch (error) {
         console.error(chalk_1.default.red('\nError: Failed to update @cxtms/cx-schema'));
         console.error(chalk_1.default.gray(error.message));
         process.exit(1);
     }
+    // Reinstall skills and update CLAUDE.md (postinstall handles schemas)
+    runInstallSkills();
+    runSetupClaude();
 }
 // ============================================================================
 // Setup Claude Command
@@ -1260,23 +1489,23 @@ features/             # Feature-scoped modules and workflows
     workflows/
 \`\`\`
 
-### CLI — \`cx-cli\`
+### CLI — \`cxtms\`
 
 **Always scaffold via CLI, never write YAML from scratch.**
 
 | Command | Description |
 |---------|-------------|
-| \`npx cx-cli create module <name>\` | Scaffold a UI module |
-| \`npx cx-cli create workflow <name>\` | Scaffold a workflow |
-| \`npx cx-cli create module <name> --template <t>\` | Use a specific template |
-| \`npx cx-cli create workflow <name> --template <t>\` | Use a specific template |
-| \`npx cx-cli create module <name> --feature <f>\` | Place under features/<f>/modules/ |
-| \`npx cx-cli <file.yaml>\` | Validate a YAML file |
-| \`npx cx-cli <file.yaml> --verbose\` | Validate with detailed errors |
-| \`npx cx-cli schema <name>\` | Show JSON schema for a component or task |
-| \`npx cx-cli example <name>\` | Show example YAML |
-| \`npx cx-cli list\` | List all available schemas |
-| \`npx cx-cli extract <src> <comp> --to <tgt>\` | Move component between modules |
+| \`npx cxtms create module <name>\` | Scaffold a UI module |
+| \`npx cxtms create workflow <name>\` | Scaffold a workflow |
+| \`npx cxtms create module <name> --template <t>\` | Use a specific template |
+| \`npx cxtms create workflow <name> --template <t>\` | Use a specific template |
+| \`npx cxtms create module <name> --feature <f>\` | Place under features/<f>/modules/ |
+| \`npx cxtms <file.yaml>\` | Validate a YAML file |
+| \`npx cxtms <file.yaml> --verbose\` | Validate with detailed errors |
+| \`npx cxtms schema <name>\` | Show JSON schema for a component or task |
+| \`npx cxtms example <name>\` | Show example YAML |
+| \`npx cxtms list\` | List all available schemas |
+| \`npx cxtms extract <src> <comp> --to <tgt>\` | Move component between modules |
 
 **Module templates:** \`default\`, \`form\`, \`grid\`, \`select\`, \`configuration\`
 **Workflow templates:** \`basic\`, \`entity-trigger\`, \`document\`, \`scheduled\`, \`utility\`, \`webhook\`, \`public-api\`, \`mcp-tool\`, \`ftp-tracking\`, \`ftp-edi\`, \`api-tracking\`
@@ -1291,10 +1520,10 @@ features/             # Feature-scoped modules and workflows
 
 ### Workflow: Scaffold → Customize → Validate
 
-1. **Scaffold** — \`npx cx-cli create module|workflow <name> --template <t>\`
+1. **Scaffold** — \`npx cxtms create module|workflow <name> --template <t>\`
 2. **Read** the generated file
 3. **Customize** for the use case
-4. **Validate** — \`npx cx-cli <file.yaml>\` — run after every change, fix all errors
+4. **Validate** — \`npx cxtms <file.yaml>\` — run after every change, fix all errors
 ${CX_CLAUDE_MARKER}`;
 }
 function runSetupClaude() {
@@ -1329,151 +1558,1962 @@ function runSetupClaude() {
     console.log('');
 }
 // ============================================================================
-// Extract Command
+// Auth (Login / Logout)
 // ============================================================================
-function runExtract(sourceFile, componentName, targetFile, copy) {
-    // Validate args
-    if (!sourceFile || !componentName || !targetFile) {
-        console.error(chalk_1.default.red('Error: Missing required arguments'));
-        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} extract <source-file> <component-name> --to <target-file> [--copy]`));
-        process.exit(2);
+const AUTH_CALLBACK_PORT = 9000;
+const AUTH_TIMEOUT_MS = 2 * 60 * 1000; // 2 minutes
+function getSessionDir() {
+    const projectName = path.basename(process.cwd());
+    return path.join(os.homedir(), '.cxtms', projectName);
+}
+function getSessionFilePath() {
+    return path.join(getSessionDir(), '.session.json');
+}
+function readSessionFile() {
+    const filePath = getSessionFilePath();
+    if (!fs.existsSync(filePath))
+        return null;
+    try {
+        return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
     }
-    // Check source exists
-    if (!fs.existsSync(sourceFile)) {
-        console.error(chalk_1.default.red(`Error: Source file not found: ${sourceFile}`));
-        process.exit(2);
+    catch {
+        return null;
     }
-    // Read and parse source (Document API preserves comments)
-    const sourceContent = fs.readFileSync(sourceFile, 'utf-8');
-    const srcDoc = yaml_1.default.parseDocument(sourceContent);
-    const sourceJS = srcDoc.toJS();
-    if (!sourceJS || !Array.isArray(sourceJS.components)) {
-        console.error(chalk_1.default.red(`Error: Source file is not a valid module (missing components array): ${sourceFile}`));
-        process.exit(2);
+}
+function writeSessionFile(data) {
+    const dir = getSessionDir();
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
     }
-    // Get the AST components sequence
-    const srcComponents = srcDoc.get('components', true);
-    if (!(0, yaml_1.isSeq)(srcComponents)) {
-        console.error(chalk_1.default.red(`Error: Source components is not a sequence: ${sourceFile}`));
-        process.exit(2);
+    fs.writeFileSync(getSessionFilePath(), JSON.stringify(data, null, 2), 'utf-8');
+}
+function deleteSessionFile() {
+    const filePath = getSessionFilePath();
+    if (fs.existsSync(filePath)) {
+        fs.unlinkSync(filePath);
     }
-    // Find component by exact name match
-    const compIndex = srcComponents.items.findIndex((item) => {
-        return (0, yaml_1.isMap)(item) && item.get('name') === componentName;
+}
+function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+function generateCodeChallenge(verifier) {
+    return crypto.createHash('sha256').update(verifier).digest('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+function httpsPost(url, body, contentType) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(url);
+        const isHttps = parsed.protocol === 'https:';
+        const lib = isHttps ? https : http;
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port || (isHttps ? 443 : 80),
+            path: parsed.pathname + parsed.search,
+            method: 'POST',
+            headers: {
+                'Content-Type': contentType,
+                'Content-Length': Buffer.byteLength(body),
+            },
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => data += chunk);
+            res.on('end', () => resolve({ statusCode: res.statusCode || 0, body: data }));
+        });
+        req.on('error', reject);
+        req.write(body);
+        req.end();
     });
-    if (compIndex === -1) {
-        const available = sourceJS.components.map((c) => c.name).filter(Boolean);
-        console.error(chalk_1.default.red(`Error: Component not found: ${componentName}`));
-        if (available.length > 0) {
-            console.error(chalk_1.default.gray('Available components:'));
-            for (const name of available) {
-                console.error(chalk_1.default.gray(`  - ${name}`));
+}
+function openBrowser(url) {
+    const { exec } = require('child_process');
+    const cmd = process.platform === 'win32' ? `start "" "${url}"`
+        : process.platform === 'darwin' ? `open "${url}"`
+            : `xdg-open "${url}"`;
+    exec(cmd);
+}
+function startCallbackServer() {
+    return new Promise((resolve, reject) => {
+        const server = http.createServer((req, res) => {
+            const reqUrl = new URL(req.url || '/', `http://127.0.0.1:${AUTH_CALLBACK_PORT}`);
+            if (reqUrl.pathname === '/callback') {
+                const code = reqUrl.searchParams.get('code');
+                const error = reqUrl.searchParams.get('error');
+                if (error) {
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end('<html><body><h2>Login failed</h2><p>You can close this tab.</p></body></html>');
+                    reject(new Error(`OAuth error: ${error} - ${reqUrl.searchParams.get('error_description') || ''}`));
+                    server.close();
+                    return;
+                }
+                if (code) {
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end('<html><body><h2>Login successful!</h2><p>You can close this tab and return to the terminal.</p></body></html>');
+                    resolve({ code, close: () => server.close() });
+                    return;
+                }
             }
-        }
+            res.writeHead(404);
+            res.end();
+        });
+        server.on('error', (err) => {
+            if (err.code === 'EADDRINUSE') {
+                reject(new Error(`Port ${AUTH_CALLBACK_PORT} is already in use. Close the process using it and try again.`));
+            }
+            else {
+                reject(err);
+            }
+        });
+        server.listen(AUTH_CALLBACK_PORT, '127.0.0.1');
+    });
+}
+async function registerOAuthClient(domain) {
+    const res = await httpsPost(`${domain}/connect/register`, JSON.stringify({
+        client_name: `cxtms-${crypto.randomBytes(4).toString('hex')}`,
+        redirect_uris: [`http://localhost:${AUTH_CALLBACK_PORT}/callback`],
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        token_endpoint_auth_method: 'none',
+    }), 'application/json');
+    if (res.statusCode !== 200 && res.statusCode !== 201) {
+        throw new Error(`Client registration failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    if (!data.client_id) {
+        throw new Error('Client registration response missing client_id');
+    }
+    return data.client_id;
+}
+async function exchangeCodeForTokens(domain, clientId, code, codeVerifier) {
+    const body = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: clientId,
+        code,
+        redirect_uri: `http://localhost:${AUTH_CALLBACK_PORT}/callback`,
+        code_verifier: codeVerifier,
+    }).toString();
+    const res = await httpsPost(`${domain}/connect/token`, body, 'application/x-www-form-urlencoded');
+    if (res.statusCode !== 200) {
+        throw new Error(`Token exchange failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    return {
+        domain,
+        client_id: clientId,
+        access_token: data.access_token,
+        refresh_token: data.refresh_token,
+        expires_at: Math.floor(Date.now() / 1000) + (data.expires_in || 3600),
+    };
+}
+async function revokeToken(domain, clientId, token) {
+    try {
+        await httpsPost(`${domain}/connect/revoke`, new URLSearchParams({ client_id: clientId, token }).toString(), 'application/x-www-form-urlencoded');
+    }
+    catch {
+        // Revocation failures are non-fatal
+    }
+}
+async function refreshTokens(stored) {
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id: stored.client_id,
+        refresh_token: stored.refresh_token,
+    }).toString();
+    const res = await httpsPost(`${stored.domain}/connect/token`, body, 'application/x-www-form-urlencoded');
+    if (res.statusCode !== 200) {
+        throw new Error(`Token refresh failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    const updated = {
+        ...stored,
+        access_token: data.access_token,
+        refresh_token: data.refresh_token || stored.refresh_token,
+        expires_at: Math.floor(Date.now() / 1000) + (data.expires_in || 3600),
+    };
+    writeSessionFile(updated);
+    return updated;
+}
+async function runLogin(domain) {
+    // Normalize URL
+    if (!domain.startsWith('http://') && !domain.startsWith('https://')) {
+        domain = `https://${domain}`;
+    }
+    domain = domain.replace(/\/+$/, '');
+    try {
+        new URL(domain);
+    }
+    catch {
+        console.error(chalk_1.default.red('Error: Invalid URL'));
         process.exit(2);
     }
-    // Get the component AST node (clone for copy, take for move)
-    const componentNode = copy
-        ? srcDoc.createNode(sourceJS.components[compIndex])
-        : srcComponents.items[compIndex];
-    // Capture comment: if this is the first item, the comment lives on the parent seq
-    let componentComment;
-    if (compIndex === 0 && srcComponents.commentBefore) {
-        componentComment = srcComponents.commentBefore;
-        if (!copy) {
-            // Transfer the comment away from the source seq (it belongs to the extracted component)
-            srcComponents.commentBefore = undefined;
+    console.log(chalk_1.default.bold.cyan('\n  CX CLI Login\n'));
+    // Step 1: Register client
+    console.log(chalk_1.default.gray('  Registering OAuth client...'));
+    const clientId = await registerOAuthClient(domain);
+    console.log(chalk_1.default.green('  ✓ Client registered'));
+    // Step 2: PKCE
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    // Step 3: Start callback server
+    const callbackPromise = startCallbackServer();
+    // Step 4: Open browser
+    const authUrl = `${domain}/connect/authorize?` + new URLSearchParams({
+        client_id: clientId,
+        redirect_uri: `http://localhost:${AUTH_CALLBACK_PORT}/callback`,
+        response_type: 'code',
+        scope: 'openid offline_access TMS.ApiAPI',
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+    }).toString();
+    console.log(chalk_1.default.gray('  Opening browser for login...'));
+    openBrowser(authUrl);
+    console.log(chalk_1.default.gray(`  Waiting for login (timeout: 2 min)...`));
+    // Step 5: Wait for callback with timeout
+    const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error('Login timed out after 2 minutes. Please try again.')), AUTH_TIMEOUT_MS));
+    const { code, close } = await Promise.race([callbackPromise, timeoutPromise]);
+    // Step 6: Exchange code for tokens
+    console.log(chalk_1.default.gray('  Exchanging authorization code...'));
+    const tokens = await exchangeCodeForTokens(domain, clientId, code, codeVerifier);
+    // Step 7: Store session locally
+    writeSessionFile(tokens);
+    close();
+    console.log(chalk_1.default.green(`  ✓ Logged in to ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Session stored at: ${getSessionFilePath()}\n`));
+}
+async function runLogout(_domain) {
+    const session = readSessionFile();
+    if (!session) {
+        console.log(chalk_1.default.gray('\n  No active session in this project.\n'));
+        console.log(chalk_1.default.gray(`  Login first: ${PROGRAM_NAME} login <url>\n`));
+        return;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  CX CLI Logout\n'));
+    console.log(chalk_1.default.gray(`  Server: ${new URL(session.domain).hostname}`));
+    // Revoke tokens (non-fatal)
+    if (session.client_id && session.refresh_token) {
+        console.log(chalk_1.default.gray('  Revoking tokens...'));
+        await revokeToken(session.domain, session.client_id, session.access_token);
+        await revokeToken(session.domain, session.client_id, session.refresh_token);
+    }
+    // Delete local session file
+    deleteSessionFile();
+    console.log(chalk_1.default.green(`  ✓ Logged out from ${new URL(session.domain).hostname}\n`));
+}
+// ============================================================================
+// AppModule Commands
+// ============================================================================
+async function graphqlRequest(domain, token, query, variables) {
+    const body = JSON.stringify({ query, variables });
+    let res = await graphqlPostWithAuth(domain, token, body);
+    if (res.statusCode === 401) {
+        // PAT tokens have no refresh — fail immediately
+        if (process.env.CXTMS_AUTH)
+            throw new Error('PAT token unauthorized (401). Check your CXTMS_AUTH token.');
+        // Try refresh for OAuth sessions
+        const stored = readSessionFile();
+        if (!stored)
+            throw new Error('Session expired. Run `cxtms login <url>` again.');
+        try {
+            const refreshed = await refreshTokens(stored);
+            res = await graphqlPostWithAuth(domain, refreshed.access_token, body);
+        }
+        catch {
+            throw new Error('Session expired. Run `cxtms login <url>` again.');
         }
     }
-    else {
-        componentComment = componentNode.commentBefore;
+    // Try to parse GraphQL errors from 400 responses too
+    let json;
+    try {
+        json = JSON.parse(res.body);
     }
-    // Find matching routes (by index in AST)
-    const srcRoutes = srcDoc.get('routes', true);
-    const matchedRouteIndices = [];
-    if ((0, yaml_1.isSeq)(srcRoutes)) {
-        srcRoutes.items.forEach((item, idx) => {
-            if ((0, yaml_1.isMap)(item) && item.get('component') === componentName) {
-                matchedRouteIndices.push(idx);
-            }
+    catch {
+        if (res.statusCode !== 200) {
+            throw new Error(`GraphQL request failed (${res.statusCode}): ${res.body}`);
+        }
+        throw new Error('Invalid JSON response from GraphQL endpoint');
+    }
+    if (json.errors && json.errors.length > 0) {
+        const messages = json.errors.map((e) => {
+            const parts = [e.message];
+            const ext = e.extensions?.message;
+            if (ext && ext !== e.message)
+                parts.push(ext);
+            if (e.path)
+                parts.push(`path: ${e.path.join('.')}`);
+            return parts.join(' — ');
         });
+        throw new Error(`GraphQL error: ${messages.join('; ')}`);
     }
-    // Collect route AST nodes (clone for copy, reference for move)
-    const routeNodes = matchedRouteIndices.map(idx => {
-        if (copy) {
-            return srcDoc.createNode(sourceJS.routes[idx]);
-        }
-        return srcRoutes.items[idx];
+    if (res.statusCode !== 200) {
+        throw new Error(`GraphQL request failed (${res.statusCode}): ${res.body}`);
+    }
+    return json.data;
+}
+function graphqlPostWithAuth(domain, token, body) {
+    return new Promise((resolve, reject) => {
+        const url = `${domain}/api/graphql`;
+        const parsed = new URL(url);
+        const isHttps = parsed.protocol === 'https:';
+        const lib = isHttps ? https : http;
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port || (isHttps ? 443 : 80),
+            path: parsed.pathname + parsed.search,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(body),
+                'Authorization': `Bearer ${token}`,
+            },
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => data += chunk);
+            res.on('end', () => resolve({ statusCode: res.statusCode || 0, body: data }));
+        });
+        req.on('error', reject);
+        req.write(body);
+        req.end();
     });
-    // Load or create target document
-    let tgtDoc;
-    let targetCreated = false;
-    if (fs.existsSync(targetFile)) {
-        const targetContent = fs.readFileSync(targetFile, 'utf-8');
-        tgtDoc = yaml_1.default.parseDocument(targetContent);
-        const targetJS = tgtDoc.toJS();
-        if (!targetJS || !Array.isArray(targetJS.components)) {
-            console.error(chalk_1.default.red(`Error: Target file is not a valid module (missing components array): ${targetFile}`));
-            process.exit(2);
-        }
-        // Check for duplicate component name
-        const duplicate = targetJS.components.find((c) => c.name === componentName);
-        if (duplicate) {
-            console.error(chalk_1.default.red(`Error: Target already contains a component named "${componentName}"`));
+}
+function resolveDomainFromAppYaml() {
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (!fs.existsSync(appYamlPath))
+        return null;
+    const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+    const serverDomain = appYaml?.server || appYaml?.domain;
+    if (!serverDomain)
+        return null;
+    let domain = serverDomain;
+    if (!domain.startsWith('http://') && !domain.startsWith('https://')) {
+        domain = `https://${domain}`;
+    }
+    return domain.replace(/\/+$/, '');
+}
+function resolveSession() {
+    // 0. Check for PAT token in env (CXTMS_AUTH) — skips OAuth entirely
+    const patToken = process.env.CXTMS_AUTH;
+    if (patToken) {
+        const domain = process.env.CXTMS_SERVER ? process.env.CXTMS_SERVER.replace(/\/+$/, '') : resolveDomainFromAppYaml();
+        if (!domain) {
+            console.error(chalk_1.default.red('CXTMS_AUTH is set but no server domain found.'));
+            console.error(chalk_1.default.gray('Add `server` to app.yaml or set CXTMS_SERVER in .env'));
             process.exit(2);
         }
-    }
-    else {
-        // Create new module scaffold
-        const baseName = path.basename(targetFile, path.extname(targetFile));
-        const moduleName = baseName
-            .split('-')
-            .map((w) => w.charAt(0).toUpperCase() + w.slice(1))
-            .join('');
-        const sourceModule = typeof sourceJS.module === 'object' ? sourceJS.module : null;
-        const displayName = moduleName.replace(/([a-z])([A-Z])/g, '$1 $2');
-        const moduleObj = {
-            name: moduleName,
-            appModuleId: generateUUID(),
-            displayName: { 'en-US': displayName },
-            description: { 'en-US': `${displayName} module` },
-            application: sourceModule?.application || sourceJS.application || 'cx',
+        return {
+            domain,
+            client_id: '',
+            access_token: patToken,
+            refresh_token: '',
+            expires_at: 0,
         };
-        // In copy mode, set priority higher than source
-        if (copy) {
-            const sourcePriority = sourceModule?.priority;
-            moduleObj.priority = (0, extractUtils_1.computeExtractPriority)(sourcePriority);
+    }
+    // 1. Check local .cxtms/.session.json
+    const session = readSessionFile();
+    if (session)
+        return session;
+    // 2. Not logged in
+    console.error(chalk_1.default.red('Not logged in. Run `cxtms login <url>` first.'));
+    process.exit(2);
+}
+async function resolveOrgId(domain, token, override) {
+    // 1. Explicit override
+    if (override !== undefined)
+        return override;
+    // 2. Cached in session file
+    const stored = readSessionFile();
+    if (stored?.organization_id)
+        return stored.organization_id;
+    // 3. Query server
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    if (!orgs || orgs.length === 0) {
+        throw new Error('No organizations found for this account.');
+    }
+    if (orgs.length === 1) {
+        const orgId = orgs[0].organizationId;
+        // Cache it
+        if (stored) {
+            stored.organization_id = orgId;
+            writeSessionFile(stored);
         }
-        // Parse from string so the document has proper AST context for comment preservation
-        const scaffoldStr = yaml_1.default.stringify({
-            module: moduleObj,
-            entities: [],
-            permissions: [],
-            components: [],
-            routes: []
-        }, { indent: 2, lineWidth: 0, singleQuote: false });
-        tgtDoc = yaml_1.default.parseDocument(scaffoldStr);
-        targetCreated = true;
+        return orgId;
     }
-    // Add component to target (ensure block style so comments are preserved)
-    const tgtComponents = tgtDoc.get('components', true);
-    if ((0, yaml_1.isSeq)(tgtComponents)) {
-        tgtComponents.flow = false;
-        // Apply the captured comment: if it's the first item in target, set on seq; otherwise on node
-        if (componentComment) {
-            if (tgtComponents.items.length === 0) {
-                tgtComponents.commentBefore = componentComment;
-            }
-            else {
-                componentNode.commentBefore = componentComment;
-            }
+    // Multiple orgs — list and exit
+    console.error(chalk_1.default.yellow('\n  Multiple organizations found:\n'));
+    for (const org of orgs) {
+        console.error(chalk_1.default.white(`    ${org.organizationId}  ${org.companyName}`));
+    }
+    console.error(chalk_1.default.gray(`\n  Run \`cxtms orgs select\` to choose, or pass --org <id>.\n`));
+    process.exit(2);
+}
+async function runAppModuleDeploy(file, orgOverride) {
+    if (!file) {
+        console.error(chalk_1.default.red('Error: File path required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} appmodule deploy <file.yaml> [--org <id>]`));
+        process.exit(2);
+    }
+    if (!fs.existsSync(file)) {
+        console.error(chalk_1.default.red(`Error: File not found: ${file}`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Read and parse YAML
+    const yamlContent = fs.readFileSync(file, 'utf-8');
+    const parsed = yaml_1.default.parse(yamlContent);
+    const appModuleId = parsed?.module?.appModuleId;
+    if (!appModuleId) {
+        console.error(chalk_1.default.red('Error: Module YAML is missing module.appModuleId'));
+        process.exit(2);
+    }
+    // Read app.yaml for appManifestId
+    let appManifestId;
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (fs.existsSync(appYamlPath)) {
+        const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+        appManifestId = appYaml?.id;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  AppModule Deploy\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  Module:  ${appModuleId}`));
+    console.log('');
+    // Check if module exists
+    const checkData = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $appModuleId: UUID!) {
+      appModule(organizationId: $organizationId, appModuleId: $appModuleId) {
+        appModuleId
+      }
+    }
+  `, { organizationId: orgId, appModuleId });
+    if (checkData?.appModule) {
+        // Update
+        console.log(chalk_1.default.gray('  Updating existing module...'));
+        const updateValues = { appModuleYamlDocument: yamlContent };
+        if (appManifestId)
+            updateValues.appManifestId = appManifestId;
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: UpdateAppModuleInput!) {
+        updateAppModule(input: $input) {
+          appModule { appModuleId name }
         }
-        tgtComponents.items.push(componentNode);
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                appModuleId,
+                values: updateValues,
+            },
+        });
+        const mod = result?.updateAppModule?.appModule;
+        console.log(chalk_1.default.green(`  ✓ Updated: ${mod?.name || appModuleId}\n`));
     }
     else {
-        tgtDoc.addIn(['components'], componentNode);
+        // Create
+        console.log(chalk_1.default.gray('  Creating new module...'));
+        const values = { appModuleYamlDocument: yamlContent };
+        if (appManifestId)
+            values.appManifestId = appManifestId;
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: CreateAppModuleInput!) {
+        createAppModule(input: $input) {
+          appModule { appModuleId name }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                values,
+            },
+        });
+        const mod = result?.createAppModule?.appModule;
+        console.log(chalk_1.default.green(`  ✓ Created: ${mod?.name || appModuleId}\n`));
     }
-    // In move mode, remove component from source
+}
+async function runAppModuleUndeploy(uuid, orgOverride) {
+    if (!uuid) {
+        console.error(chalk_1.default.red('Error: AppModule ID required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} appmodule undeploy <appModuleId> [--org <id>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    console.log(chalk_1.default.bold.cyan('\n  AppModule Undeploy\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  Module:  ${uuid}`));
+    console.log('');
+    await graphqlRequest(domain, token, `
+    mutation ($input: DeleteAppModuleInput!) {
+      deleteAppModule(input: $input) {
+        deleteResult { __typename }
+      }
+    }
+  `, {
+        input: {
+            organizationId: orgId,
+            appModuleId: uuid,
+        },
+    });
+    console.log(chalk_1.default.green(`  ✓ Deleted: ${uuid}\n`));
+}
+async function runOrgsList() {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    if (!orgs || orgs.length === 0) {
+        console.log(chalk_1.default.gray('\n  No organizations found.\n'));
+        return;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  Organizations\n'));
+    console.log(chalk_1.default.gray(`  Server: ${new URL(domain).hostname}\n`));
+    for (const org of orgs) {
+        const current = session.organization_id === org.organizationId;
+        const marker = current ? chalk_1.default.green(' ← current') : '';
+        console.log(chalk_1.default.white(`    ${org.organizationId}  ${org.companyName}${marker}`));
+    }
+    console.log('');
+}
+async function runOrgsUse(orgIdStr) {
+    if (!orgIdStr) {
+        // Show current context
+        const session = resolveSession();
+        const domain = session.domain;
+        console.log(chalk_1.default.bold.cyan('\n  Current Context\n'));
+        console.log(chalk_1.default.white(`  Server:  ${new URL(domain).hostname}`));
+        if (session.organization_id) {
+            console.log(chalk_1.default.white(`  Org:     ${session.organization_id}`));
+        }
+        else {
+            console.log(chalk_1.default.gray(`  Org:     (not set)`));
+        }
+        const appYamlPath = path.join(process.cwd(), 'app.yaml');
+        if (fs.existsSync(appYamlPath)) {
+            const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+            if (appYaml?.id) {
+                console.log(chalk_1.default.white(`  App:     ${appYaml.id} ${chalk_1.default.gray('(from app.yaml)')}`));
+            }
+            else {
+                console.log(chalk_1.default.gray(`  App:     (not set)`));
+            }
+        }
+        else {
+            console.log(chalk_1.default.gray(`  App:     (not set)`));
+        }
+        console.log('');
+        return;
+    }
+    const orgId = parseInt(orgIdStr, 10);
+    if (isNaN(orgId)) {
+        console.error(chalk_1.default.red(`Invalid organization ID: ${orgIdStr}. Must be a number.`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    // Validate the org exists
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    const match = orgs?.find((o) => o.organizationId === orgId);
+    if (!match) {
+        console.error(chalk_1.default.red(`Organization ${orgId} not found.`));
+        if (orgs?.length) {
+            console.error(chalk_1.default.gray('\n  Available organizations:'));
+            for (const org of orgs) {
+                console.error(chalk_1.default.white(`    ${org.organizationId}  ${org.companyName}`));
+            }
+        }
+        console.error('');
+        process.exit(2);
+    }
+    // Save to session file
+    session.organization_id = orgId;
+    writeSessionFile(session);
+    console.log(chalk_1.default.green(`\n  ✓ Context set to: ${match.companyName} (${orgId})\n`));
+}
+async function runOrgsSelect() {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const data = await graphqlRequest(domain, token, `
+    query { organizations(take: 100) { items { organizationId companyName } } }
+  `, {});
+    const orgs = data?.organizations?.items;
+    if (!orgs || orgs.length === 0) {
+        console.log(chalk_1.default.gray('\n  No organizations found.\n'));
+        return;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  Select Organization\n'));
+    console.log(chalk_1.default.gray(`  Server: ${new URL(domain).hostname}\n`));
+    for (let i = 0; i < orgs.length; i++) {
+        const org = orgs[i];
+        const current = session.organization_id === org.organizationId;
+        const marker = current ? chalk_1.default.green(' ← current') : '';
+        console.log(chalk_1.default.white(`    ${i + 1}) ${org.organizationId}  ${org.companyName}${marker}`));
+    }
+    console.log('');
+    const readline = require('readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise((resolve) => {
+        rl.question(chalk_1.default.yellow('  Enter number: '), (ans) => {
+            rl.close();
+            resolve(ans.trim());
+        });
+    });
+    const idx = parseInt(answer, 10) - 1;
+    if (isNaN(idx) || idx < 0 || idx >= orgs.length) {
+        console.error(chalk_1.default.red('\n  Invalid selection.\n'));
+        process.exit(2);
+    }
+    const selected = orgs[idx];
+    session.organization_id = selected.organizationId;
+    writeSessionFile(session);
+    console.log(chalk_1.default.green(`\n  ✓ Context set to: ${selected.companyName} (${selected.organizationId})\n`));
+}
+// ============================================================================
+// Workflow Commands
+// ============================================================================
+async function runWorkflowDeploy(file, orgOverride) {
+    if (!file) {
+        console.error(chalk_1.default.red('Error: File path required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow deploy <file.yaml> [--org <id>]`));
+        process.exit(2);
+    }
+    if (!fs.existsSync(file)) {
+        console.error(chalk_1.default.red(`Error: File not found: ${file}`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    const yamlContent = fs.readFileSync(file, 'utf-8');
+    const parsed = yaml_1.default.parse(yamlContent);
+    const workflowId = parsed?.workflow?.workflowId;
+    if (!workflowId) {
+        console.error(chalk_1.default.red('Error: Workflow YAML is missing workflow.workflowId'));
+        process.exit(2);
+    }
+    const workflowName = parsed?.workflow?.name || workflowId;
+    // Read app.yaml for appManifestId
+    let appManifestId;
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (fs.existsSync(appYamlPath)) {
+        const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+        appManifestId = appYaml?.id;
+    }
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Deploy\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:       ${orgId}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${workflowName}`));
+    console.log('');
+    // Check if workflow exists
+    const checkData = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $workflowId: UUID!) {
+      workflow(organizationId: $organizationId, workflowId: $workflowId) {
+        workflowId
+      }
+    }
+  `, { organizationId: orgId, workflowId });
+    if (checkData?.workflow) {
+        console.log(chalk_1.default.gray('  Updating existing workflow...'));
+        const updateInput = {
+            organizationId: orgId,
+            workflowId,
+            workflowYamlDocument: yamlContent,
+        };
+        if (appManifestId)
+            updateInput.appManifestId = appManifestId;
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: UpdateWorkflowInput!) {
+        updateWorkflow(input: $input) {
+          workflow { workflowId }
+        }
+      }
+    `, {
+            input: updateInput,
+        });
+        console.log(chalk_1.default.green(`  ✓ Updated: ${workflowName}\n`));
+    }
+    else {
+        console.log(chalk_1.default.gray('  Creating new workflow...'));
+        const createInput = {
+            organizationId: orgId,
+            workflowYamlDocument: yamlContent,
+        };
+        if (appManifestId)
+            createInput.appManifestId = appManifestId;
+        const result = await graphqlRequest(domain, token, `
+      mutation ($input: CreateWorkflowInput!) {
+        createWorkflow(input: $input) {
+          workflow { workflowId }
+        }
+      }
+    `, {
+            input: createInput,
+        });
+        console.log(chalk_1.default.green(`  ✓ Created: ${workflowName}\n`));
+    }
+}
+async function runWorkflowUndeploy(uuid, orgOverride) {
+    if (!uuid) {
+        console.error(chalk_1.default.red('Error: Workflow ID required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow undeploy <workflowId> [--org <id>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Undeploy\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:       ${orgId}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${uuid}`));
+    console.log('');
+    await graphqlRequest(domain, token, `
+    mutation ($input: DeleteWorkflowInput!) {
+      deleteWorkflow(input: $input) {
+        deleteResult { __typename }
+      }
+    }
+  `, {
+        input: {
+            organizationId: orgId,
+            workflowId: uuid,
+        },
+    });
+    console.log(chalk_1.default.green(`  ✓ Deleted: ${uuid}\n`));
+}
+async function uploadFileToServer(domain, token, orgId, localPath) {
+    const fileName = path.basename(localPath);
+    const ext = path.extname(localPath).toLowerCase();
+    const contentTypeMap = {
+        '.csv': 'text/csv', '.json': 'application/json', '.xml': 'application/xml',
+        '.xlsx': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        '.xls': 'application/vnd.ms-excel', '.pdf': 'application/pdf',
+        '.txt': 'text/plain', '.zip': 'application/zip',
+    };
+    const contentType = contentTypeMap[ext] || 'application/octet-stream';
+    // Step 1: Get presigned upload URL
+    const data = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $fileName: String!, $contentType: String!) {
+      uploadUrl(organizationId: $organizationId, fileName: $fileName, contentType: $contentType) {
+        presignedUrl
+        fileUrl
+      }
+    }
+  `, { organizationId: orgId, fileName, contentType });
+    const presignedUrl = data?.uploadUrl?.presignedUrl;
+    const fileUrl = data?.uploadUrl?.fileUrl;
+    if (!presignedUrl || !fileUrl) {
+        throw new Error('Failed to get upload URL from server');
+    }
+    // Step 2: PUT file content to presigned URL
+    const fileContent = fs.readFileSync(localPath);
+    const url = new URL(presignedUrl);
+    const httpModule = url.protocol === 'https:' ? https : http;
+    await new Promise((resolve, reject) => {
+        const req = httpModule.request(url, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': contentType,
+                'Content-Length': fileContent.length,
+                'x-ms-blob-type': 'BlockBlob',
+            },
+        }, (res) => {
+            let body = '';
+            res.on('data', (chunk) => body += chunk);
+            res.on('end', () => {
+                if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) {
+                    resolve();
+                }
+                else {
+                    reject(new Error(`File upload failed (${res.statusCode}): ${body}`));
+                }
+            });
+        });
+        req.on('error', reject);
+        req.write(fileContent);
+        req.end();
+    });
+    return fileUrl;
+}
+async function runWorkflowExecute(workflowIdOrFile, orgOverride, variables, fileArgs) {
+    if (!workflowIdOrFile) {
+        console.error(chalk_1.default.red('Error: Workflow ID or YAML file required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow execute <workflowId|file.yaml> [--org <id>] [--vars '{"key":"value"}'] [--file varName=path]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Resolve workflowId
+    let workflowId = workflowIdOrFile;
+    let workflowName = workflowIdOrFile;
+    if (workflowIdOrFile.endsWith('.yaml') || workflowIdOrFile.endsWith('.yml')) {
+        if (!fs.existsSync(workflowIdOrFile)) {
+            console.error(chalk_1.default.red(`Error: File not found: ${workflowIdOrFile}`));
+            process.exit(2);
+        }
+        const parsed = yaml_1.default.parse(fs.readFileSync(workflowIdOrFile, 'utf-8'));
+        workflowId = parsed?.workflow?.workflowId;
+        workflowName = parsed?.workflow?.name || path.basename(workflowIdOrFile);
+        if (!workflowId) {
+            console.error(chalk_1.default.red('Error: Workflow YAML is missing workflow.workflowId'));
+            process.exit(2);
+        }
+    }
+    // Parse variables if provided
+    let vars;
+    if (variables) {
+        try {
+            vars = JSON.parse(variables);
+        }
+        catch {
+            console.error(chalk_1.default.red('Error: --vars must be valid JSON'));
+            process.exit(2);
+        }
+    }
+    // Process --file args: upload files and set URLs as variables
+    if (fileArgs && fileArgs.length > 0) {
+        if (!vars)
+            vars = {};
+        for (const fileArg of fileArgs) {
+            const eqIdx = fileArg.indexOf('=');
+            if (eqIdx < 1) {
+                console.error(chalk_1.default.red(`Error: --file must be in format varName=path (got: ${fileArg})`));
+                process.exit(2);
+            }
+            const varName = fileArg.substring(0, eqIdx);
+            const filePath = fileArg.substring(eqIdx + 1);
+            if (!fs.existsSync(filePath)) {
+                console.error(chalk_1.default.red(`Error: File not found: ${filePath}`));
+                process.exit(2);
+            }
+            console.log(chalk_1.default.gray(`  Uploading ${path.basename(filePath)}...`));
+            const fileUrl = await uploadFileToServer(domain, token, orgId, filePath);
+            vars[varName] = fileUrl;
+            console.log(chalk_1.default.gray(`  → ${varName} = ${fileUrl}`));
+        }
+    }
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Execute\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:       ${orgId}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${workflowName}`));
+    if (vars)
+        console.log(chalk_1.default.gray(`  Variables: ${JSON.stringify(vars)}`));
+    console.log('');
+    const input = { organizationId: orgId, workflowId };
+    if (vars)
+        input.variables = vars;
+    const data = await graphqlRequest(domain, token, `
+    mutation ($input: ExecuteWorkflowInput!) {
+      executeWorkflow(input: $input) {
+        workflowExecutionResult {
+          executionId workflowId isAsync outputs
+        }
+      }
+    }
+  `, { input });
+    const result = data?.executeWorkflow?.workflowExecutionResult;
+    if (!result) {
+        console.error(chalk_1.default.red('  No execution result returned.\n'));
+        process.exit(2);
+    }
+    console.log(chalk_1.default.green(`  ✓ Executed: ${workflowName}`));
+    console.log(chalk_1.default.white(`  Execution ID: ${result.executionId}`));
+    console.log(chalk_1.default.white(`  Async:        ${result.isAsync}`));
+    if (result.outputs && Object.keys(result.outputs).length > 0) {
+        console.log(chalk_1.default.white(`  Outputs:`));
+        console.log(chalk_1.default.gray(`    ${JSON.stringify(result.outputs, null, 2).split('\n').join('\n    ')}`));
+    }
+    console.log('');
+}
+function resolveWorkflowId(workflowIdOrFile) {
+    if (workflowIdOrFile.endsWith('.yaml') || workflowIdOrFile.endsWith('.yml')) {
+        if (!fs.existsSync(workflowIdOrFile)) {
+            console.error(chalk_1.default.red(`Error: File not found: ${workflowIdOrFile}`));
+            process.exit(2);
+        }
+        const parsed = yaml_1.default.parse(fs.readFileSync(workflowIdOrFile, 'utf-8'));
+        const id = parsed?.workflow?.workflowId;
+        if (!id) {
+            console.error(chalk_1.default.red('Error: Workflow YAML is missing workflow.workflowId'));
+            process.exit(2);
+        }
+        return id;
+    }
+    return workflowIdOrFile;
+}
+async function runWorkflowLogs(workflowIdOrFile, orgOverride, fromDate, toDate) {
+    if (!workflowIdOrFile) {
+        console.error(chalk_1.default.red('Error: Workflow ID or YAML file required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow logs <workflowId|file.yaml> [--from <date>] [--to <date>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    const workflowId = resolveWorkflowId(workflowIdOrFile);
+    // Parse date filters
+    const fromTs = fromDate ? new Date(fromDate).getTime() : 0;
+    const toTs = toDate ? new Date(toDate + 'T23:59:59').getTime() : Infinity;
+    if (fromDate && isNaN(fromTs)) {
+        console.error(chalk_1.default.red(`Invalid --from date: ${fromDate}. Use YYYY-MM-DD format.`));
+        process.exit(2);
+    }
+    if (toDate && isNaN(toTs)) {
+        console.error(chalk_1.default.red(`Invalid --to date: ${toDate}. Use YYYY-MM-DD format.`));
+        process.exit(2);
+    }
+    const data = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $workflowId: UUID!) {
+      workflowExecutions(organizationId: $organizationId, workflowId: $workflowId, take: 100) {
+        totalCount
+        items { executionId executionStatus executedAt durationMs txtLogUrl user { fullName email } }
+      }
+    }
+  `, { organizationId: orgId, workflowId });
+    let items = data?.workflowExecutions?.items || [];
+    const total = data?.workflowExecutions?.totalCount || 0;
+    // Filter by date range
+    if (fromDate || toDate) {
+        items = items.filter((ex) => {
+            const t = new Date(ex.executedAt).getTime();
+            return t >= fromTs && t <= toTs;
+        });
+    }
+    // Sort descending
+    items.sort((a, b) => new Date(b.executedAt).getTime() - new Date(a.executedAt).getTime());
+    console.log(chalk_1.default.bold.cyan('\n  Workflow Logs\n'));
+    console.log(chalk_1.default.gray(`  Server:    ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Workflow:  ${workflowId}`));
+    console.log(chalk_1.default.gray(`  Total:     ${total}`));
+    if (fromDate || toDate) {
+        console.log(chalk_1.default.gray(`  Filter:    ${fromDate || '...'} → ${toDate || '...'}`));
+    }
+    console.log(chalk_1.default.gray(`  Showing:   ${items.length}\n`));
+    if (items.length === 0) {
+        console.log(chalk_1.default.gray('  No executions found.\n'));
+        return;
+    }
+    for (const ex of items) {
+        const date = new Date(ex.executedAt).toLocaleString();
+        const duration = ex.durationMs != null ? `${(ex.durationMs / 1000).toFixed(1)}s` : '?';
+        const statusColor = ex.executionStatus === 'Success' ? chalk_1.default.green : ex.executionStatus === 'Failed' ? chalk_1.default.red : chalk_1.default.yellow;
+        const logIcon = ex.txtLogUrl ? chalk_1.default.green('●') : chalk_1.default.gray('○');
+        const user = ex.user?.fullName || ex.user?.email || '';
+        console.log(`  ${logIcon} ${chalk_1.default.white(ex.executionId)}  ${statusColor(ex.executionStatus.padEnd(10))}  ${date}  ${chalk_1.default.gray(duration)}${user ? '  ' + chalk_1.default.gray(user) : ''}`);
+    }
+    console.log();
+    console.log(chalk_1.default.gray(`  ${chalk_1.default.green('●')} log available  ${chalk_1.default.gray('○')} no log`));
+    console.log(chalk_1.default.gray(`  Download: ${PROGRAM_NAME} workflow log <executionId> [--output <file>] [--console]\n`));
+}
+function fetchGzipText(url) {
+    const zlib = require('zlib');
+    return new Promise((resolve, reject) => {
+        const lib = url.startsWith('https') ? https : http;
+        lib.get(url, (res) => {
+            if (res.statusCode !== 200) {
+                reject(new Error(`HTTP ${res.statusCode}`));
+                res.resume();
+                return;
+            }
+            const rawChunks = [];
+            res.on('data', (chunk) => rawChunks.push(chunk));
+            res.on('end', () => {
+                const raw = Buffer.concat(rawChunks);
+                if (raw.length === 0) {
+                    resolve('(empty log)');
+                    return;
+                }
+                zlib.gunzip(raw, (err, result) => {
+                    if (err) {
+                        resolve(raw.toString('utf-8'));
+                        return;
+                    }
+                    resolve(result.toString('utf-8'));
+                });
+            });
+        }).on('error', reject);
+    });
+}
+async function runWorkflowLog(executionId, orgOverride, outputFile, toConsole, useJson) {
+    if (!executionId) {
+        console.error(chalk_1.default.red('Error: Execution ID required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow log <executionId> [--output <file>] [--console] [--json]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    const data = await graphqlRequest(domain, token, `
+    query ($organizationId: Int!, $executionId: UUID!) {
+      workflowExecution(organizationId: $organizationId, executionId: $executionId) {
+        executionId workflowId executionStatus executedAt durationMs
+        txtLogUrl jsonLogUrl
+        user { fullName email }
+      }
+    }
+  `, { organizationId: orgId, executionId });
+    const ex = data?.workflowExecution;
+    if (!ex) {
+        console.error(chalk_1.default.red(`Execution not found: ${executionId}`));
+        process.exit(2);
+    }
+    const logUrl = useJson ? ex.jsonLogUrl : ex.txtLogUrl;
+    const logType = useJson ? 'json' : 'txt';
+    const ext = useJson ? '.json' : '.log';
+    if (!logUrl) {
+        console.error(chalk_1.default.yellow(`No ${logType} log available for this execution.`));
+        process.exit(0);
+    }
+    const date = new Date(ex.executedAt).toLocaleString();
+    const duration = ex.durationMs != null ? `${(ex.durationMs / 1000).toFixed(1)}s` : '?';
+    const statusColor = ex.executionStatus === 'Success' ? chalk_1.default.green : ex.executionStatus === 'Failed' ? chalk_1.default.red : chalk_1.default.yellow;
+    const userName = ex.user?.fullName || ex.user?.email || '';
+    // Download log
+    let logText;
+    try {
+        logText = await fetchGzipText(logUrl);
+    }
+    catch (e) {
+        console.error(chalk_1.default.red(`Failed to download log: ${e.message}`));
+        process.exit(2);
+    }
+    // Pretty-print JSON if it's valid JSON
+    if (useJson) {
+        try {
+            const parsed = JSON.parse(logText);
+            logText = JSON.stringify(parsed, null, 2);
+        }
+        catch { /* keep as-is */ }
+    }
+    if (toConsole) {
+        console.log(chalk_1.default.bold.cyan('\n  Workflow Execution\n'));
+        console.log(chalk_1.default.white(`  ID:        ${ex.executionId}`));
+        console.log(chalk_1.default.white(`  Workflow:  ${ex.workflowId}`));
+        console.log(chalk_1.default.white(`  Status:    ${statusColor(ex.executionStatus)}`));
+        console.log(chalk_1.default.white(`  Executed:  ${date}`));
+        console.log(chalk_1.default.white(`  Duration:  ${duration}`));
+        if (userName)
+            console.log(chalk_1.default.white(`  User:      ${userName}`));
+        console.log(chalk_1.default.gray(`\n  --- ${logType.toUpperCase()} Log ---\n`));
+        console.log(logText);
+        return;
+    }
+    // Save to file
+    let filePath;
+    if (outputFile) {
+        filePath = path.resolve(outputFile);
+    }
+    else {
+        const tmpDir = os.tmpdir();
+        const dateStr = new Date(ex.executedAt).toISOString().slice(0, 10);
+        filePath = path.join(tmpDir, `workflow-${ex.workflowId}-${dateStr}-${executionId}${ext}`);
+    }
+    fs.writeFileSync(filePath, logText, 'utf-8');
+    console.log(chalk_1.default.green(`  ✓ ${logType.toUpperCase()} log saved: ${filePath}`));
+    console.log(chalk_1.default.gray(`    Execution: ${executionId}  ${statusColor(ex.executionStatus)}  ${date}  ${duration}`));
+}
+// ============================================================================
+// Publish Command
+// ============================================================================
+async function pushWorkflowQuiet(domain, token, orgId, file, appManifestId) {
+    let name = path.basename(file);
+    try {
+        const yamlContent = fs.readFileSync(file, 'utf-8');
+        const parsed = yaml_1.default.parse(yamlContent);
+        const workflowId = parsed?.workflow?.workflowId;
+        name = parsed?.workflow?.name || name;
+        if (!workflowId)
+            return { ok: false, name, error: 'Missing workflow.workflowId' };
+        const checkData = await graphqlRequest(domain, token, `
+      query ($organizationId: Int!, $workflowId: UUID!) {
+        workflow(organizationId: $organizationId, workflowId: $workflowId) { workflowId }
+      }
+    `, { organizationId: orgId, workflowId });
+        if (checkData?.workflow) {
+            const updateInput = { organizationId: orgId, workflowId, workflowYamlDocument: yamlContent };
+            if (appManifestId)
+                updateInput.appManifestId = appManifestId;
+            await graphqlRequest(domain, token, `
+        mutation ($input: UpdateWorkflowInput!) {
+          updateWorkflow(input: $input) { workflow { workflowId } }
+        }
+      `, { input: updateInput });
+        }
+        else {
+            const createInput = { organizationId: orgId, workflowYamlDocument: yamlContent };
+            if (appManifestId)
+                createInput.appManifestId = appManifestId;
+            await graphqlRequest(domain, token, `
+        mutation ($input: CreateWorkflowInput!) {
+          createWorkflow(input: $input) { workflow { workflowId } }
+        }
+      `, { input: createInput });
+        }
+        return { ok: true, name };
+    }
+    catch (e) {
+        return { ok: false, name, error: e.message };
+    }
+}
+async function pushModuleQuiet(domain, token, orgId, file, appManifestId) {
+    let name = path.basename(file);
+    try {
+        const yamlContent = fs.readFileSync(file, 'utf-8');
+        const parsed = yaml_1.default.parse(yamlContent);
+        const appModuleId = parsed?.module?.appModuleId;
+        name = parsed?.module?.name || name;
+        if (!appModuleId)
+            return { ok: false, name, error: 'Missing module.appModuleId' };
+        const checkData = await graphqlRequest(domain, token, `
+      query ($organizationId: Int!, $appModuleId: UUID!) {
+        appModule(organizationId: $organizationId, appModuleId: $appModuleId) { appModuleId }
+      }
+    `, { organizationId: orgId, appModuleId });
+        if (checkData?.appModule) {
+            const updateValues = { appModuleYamlDocument: yamlContent };
+            if (appManifestId)
+                updateValues.appManifestId = appManifestId;
+            await graphqlRequest(domain, token, `
+        mutation ($input: UpdateAppModuleInput!) {
+          updateAppModule(input: $input) { appModule { appModuleId name } }
+        }
+      `, { input: { organizationId: orgId, appModuleId, values: updateValues } });
+        }
+        else {
+            const values = { appModuleYamlDocument: yamlContent };
+            if (appManifestId)
+                values.appManifestId = appManifestId;
+            await graphqlRequest(domain, token, `
+        mutation ($input: CreateAppModuleInput!) {
+          createAppModule(input: $input) { appModule { appModuleId name } }
+        }
+      `, { input: { organizationId: orgId, values } });
+        }
+        return { ok: true, name };
+    }
+    catch (e) {
+        return { ok: false, name, error: e.message };
+    }
+}
+// ============================================================================
+// PAT Token Commands
+// ============================================================================
+async function runPatCreate(name) {
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const data = await graphqlRequest(domain, token, `
+    mutation ($input: CreatePersonalAccessTokenInput!) {
+      createPersonalAccessToken(input: $input) {
+        createPatPayload {
+          token
+          personalAccessToken { id name scopes }
+        }
+      }
+    }
+  `, { input: { input: { name, scopes: ['TMS.ApiAPI'] } } });
+    const payload = data?.createPersonalAccessToken?.createPatPayload;
+    const patToken = payload?.token;
+    const pat = payload?.personalAccessToken;
+    if (!patToken) {
+        console.error(chalk_1.default.red('Failed to create PAT token — no token returned.'));
+        process.exit(2);
+    }
+    console.log(chalk_1.default.green('PAT token created successfully!'));
+    console.log();
+    console.log(chalk_1.default.bold('  Token:'), chalk_1.default.cyan(patToken));
+    console.log(chalk_1.default.bold('  ID:   '), chalk_1.default.gray(pat?.id || 'unknown'));
+    console.log(chalk_1.default.bold('  Name: '), pat?.name || name);
+    console.log();
+    console.log(chalk_1.default.yellow('⚠  Copy the token now — it will not be shown again.'));
+    console.log();
+    console.log(chalk_1.default.bold('To use PAT authentication, add to your project .env file:'));
+    console.log();
+    console.log(chalk_1.default.cyan(`  CXTMS_AUTH=${patToken}`));
+    console.log(chalk_1.default.cyan(`  CXTMS_SERVER=${domain}`));
+    console.log();
+    console.log(chalk_1.default.gray('When CXTMS_AUTH is set, cxtms will skip OAuth login and use the PAT token directly.'));
+    console.log(chalk_1.default.gray('You can also export these as environment variables instead of using .env.'));
+}
+async function runPatList() {
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const data = await graphqlRequest(domain, token, `
+    {
+      personalAccessTokens(skip: 0, take: 50) {
+        items { id name createdAt expiresAt lastUsedAt scopes }
+        totalCount
+      }
+    }
+  `, {});
+    const items = data?.personalAccessTokens?.items || [];
+    const total = data?.personalAccessTokens?.totalCount ?? items.length;
+    if (items.length === 0) {
+        console.log(chalk_1.default.gray('No active PAT tokens found.'));
+        return;
+    }
+    console.log(chalk_1.default.bold(`PAT tokens (${total}):\n`));
+    for (const t of items) {
+        const expires = t.expiresAt ? new Date(t.expiresAt).toLocaleDateString() : 'never';
+        const lastUsed = t.lastUsedAt ? new Date(t.lastUsedAt).toLocaleDateString() : 'never';
+        console.log(`  ${chalk_1.default.cyan(t.name || '(unnamed)')}`);
+        console.log(`    ID:        ${chalk_1.default.gray(t.id)}`);
+        console.log(`    Created:   ${new Date(t.createdAt).toLocaleDateString()}`);
+        console.log(`    Expires:   ${expires}`);
+        console.log(`    Last used: ${lastUsed}`);
+        console.log(`    Scopes:    ${(t.scopes || []).join(', ') || 'none'}`);
+        console.log();
+    }
+}
+async function runPatRevoke(id) {
+    const session = resolveSession();
+    const { domain, access_token: token } = session;
+    const data = await graphqlRequest(domain, token, `
+    mutation ($input: RevokePersonalAccessTokenInput!) {
+      revokePersonalAccessToken(input: $input) {
+        personalAccessToken { id name revokedAt }
+      }
+    }
+  `, { input: { id } });
+    const revoked = data?.revokePersonalAccessToken?.personalAccessToken;
+    if (revoked) {
+        console.log(chalk_1.default.green(`PAT token revoked: ${revoked.name || revoked.id}`));
+    }
+    else {
+        console.log(chalk_1.default.green('PAT token revoked.'));
+    }
+}
+async function runPatSetup() {
+    const patToken = process.env.CXTMS_AUTH;
+    const server = process.env.CXTMS_SERVER || resolveDomainFromAppYaml();
+    console.log(chalk_1.default.bold('PAT Token Status:\n'));
+    if (patToken) {
+        const masked = patToken.slice(0, 8) + '...' + patToken.slice(-4);
+        console.log(chalk_1.default.green(`  CXTMS_AUTH is set: ${masked}`));
+    }
+    else {
+        console.log(chalk_1.default.yellow('  CXTMS_AUTH is not set'));
+    }
+    if (server) {
+        console.log(chalk_1.default.green(`  Server:           ${server}`));
+    }
+    else {
+        console.log(chalk_1.default.yellow('  Server:           not configured (add `server` to app.yaml or set CXTMS_SERVER)'));
+    }
+    console.log();
+    if (patToken && server) {
+        console.log(chalk_1.default.green('PAT authentication is active. OAuth login will be skipped.'));
+    }
+    else {
+        console.log(chalk_1.default.bold('To set up PAT authentication:'));
+        console.log();
+        console.log(chalk_1.default.white('  1. Create a token:'));
+        console.log(chalk_1.default.cyan('     cxtms pat create "my-token-name"'));
+        console.log();
+        console.log(chalk_1.default.white('  2. Add to your project .env file:'));
+        console.log(chalk_1.default.cyan('     CXTMS_AUTH=pat_xxxxx'));
+        console.log(chalk_1.default.cyan('     CXTMS_SERVER=https://your-server.com'));
+        console.log();
+        console.log(chalk_1.default.gray('  Or set `server` in app.yaml instead of CXTMS_SERVER.'));
+    }
+}
+async function runPublish(featureDir, orgOverride) {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    // Read app.yaml
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (!fs.existsSync(appYamlPath)) {
+        console.error(chalk_1.default.red('Error: app.yaml not found in current directory'));
+        process.exit(2);
+    }
+    const appYaml = yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+    const appManifestId = appYaml?.id;
+    const appName = appYaml?.name || 'unknown';
+    console.log(chalk_1.default.bold.cyan('\n  Publish\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  App:     ${appName}`));
+    if (featureDir) {
+        console.log(chalk_1.default.gray(`  Feature: ${featureDir}`));
+    }
+    console.log('');
+    // Step 1: Create or update app manifest
+    if (appManifestId) {
+        console.log(chalk_1.default.gray('  Publishing app manifest...'));
+        try {
+            const checkData = await graphqlRequest(domain, token, `
+        query ($organizationId: Int!, $appManifestId: UUID!) {
+          appManifest(organizationId: $organizationId, appManifestId: $appManifestId) { appManifestId }
+        }
+      `, { organizationId: orgId, appManifestId });
+            if (checkData?.appManifest) {
+                await graphqlRequest(domain, token, `
+          mutation ($input: UpdateAppManifestInput!) {
+            updateAppManifest(input: $input) { appManifest { appManifestId name } }
+          }
+        `, { input: { organizationId: orgId, appManifestId, values: { name: appName, description: appYaml?.description || '' } } });
+                console.log(chalk_1.default.green('  ✓ App manifest updated'));
+            }
+            else {
+                await graphqlRequest(domain, token, `
+          mutation ($input: CreateAppManifestInput!) {
+            createAppManifest(input: $input) { appManifest { appManifestId name } }
+          }
+        `, { input: { organizationId: orgId, values: { appManifestId, name: appName, description: appYaml?.description || '' } } });
+                console.log(chalk_1.default.green('  ✓ App manifest created'));
+            }
+        }
+        catch (e) {
+            console.log(chalk_1.default.red(`  ✗ App manifest failed: ${e.message}`));
+        }
+    }
+    // Step 2: Discover files
+    const baseDir = featureDir ? path.join(process.cwd(), 'features', featureDir) : process.cwd();
+    if (featureDir && !fs.existsSync(baseDir)) {
+        console.error(chalk_1.default.red(`Error: Feature directory not found: features/${featureDir}`));
+        process.exit(2);
+    }
+    const workflowDirs = [path.join(baseDir, 'workflows')];
+    const moduleDirs = [path.join(baseDir, 'modules')];
+    // Collect YAML files
+    const workflowFiles = [];
+    const moduleFiles = [];
+    for (const dir of workflowDirs) {
+        if (fs.existsSync(dir)) {
+            for (const f of fs.readdirSync(dir)) {
+                if (f.endsWith('.yaml') || f.endsWith('.yml')) {
+                    workflowFiles.push(path.join(dir, f));
+                }
+            }
+        }
+    }
+    for (const dir of moduleDirs) {
+        if (fs.existsSync(dir)) {
+            for (const f of fs.readdirSync(dir)) {
+                if (f.endsWith('.yaml') || f.endsWith('.yml')) {
+                    moduleFiles.push(path.join(dir, f));
+                }
+            }
+        }
+    }
+    console.log(chalk_1.default.gray(`\n  Found ${workflowFiles.length} workflow(s), ${moduleFiles.length} module(s)\n`));
+    let succeeded = 0;
+    let failed = 0;
+    // Step 3: Deploy workflows
+    for (const file of workflowFiles) {
+        const relPath = path.relative(process.cwd(), file);
+        const result = await pushWorkflowQuiet(domain, token, orgId, file, appManifestId);
+        if (result.ok) {
+            console.log(chalk_1.default.green(`  ✓ ${relPath}`));
+            succeeded++;
+        }
+        else {
+            console.log(chalk_1.default.red(`  ✗ ${relPath}: ${result.error}`));
+            failed++;
+        }
+    }
+    // Step 4: Deploy modules
+    for (const file of moduleFiles) {
+        const relPath = path.relative(process.cwd(), file);
+        const result = await pushModuleQuiet(domain, token, orgId, file, appManifestId);
+        if (result.ok) {
+            console.log(chalk_1.default.green(`  ✓ ${relPath}`));
+            succeeded++;
+        }
+        else {
+            console.log(chalk_1.default.red(`  ✗ ${relPath}: ${result.error}`));
+            failed++;
+        }
+    }
+    // Summary
+    console.log('');
+    if (failed === 0) {
+        console.log(chalk_1.default.green(`  ✓ Published ${succeeded} file(s) successfully\n`));
+    }
+    else {
+        console.log(chalk_1.default.yellow(`  Published ${succeeded} file(s), ${failed} failed\n`));
+    }
+}
+// ============================================================================
+// App Manifest Commands (install from git, publish to git, list)
+// ============================================================================
+function readAppYaml() {
+    const appYamlPath = path.join(process.cwd(), 'app.yaml');
+    if (!fs.existsSync(appYamlPath)) {
+        console.error(chalk_1.default.red('Error: app.yaml not found in current directory'));
+        process.exit(2);
+    }
+    return yaml_1.default.parse(fs.readFileSync(appYamlPath, 'utf-8'));
+}
+async function runAppInstall(orgOverride, branch, force, skipChanged) {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    const appYaml = readAppYaml();
+    const repository = appYaml.repository;
+    if (!repository) {
+        console.error(chalk_1.default.red('Error: app.yaml must have a `repository` field'));
+        process.exit(2);
+    }
+    const repositoryBranch = branch || appYaml.branch || 'main';
+    console.log(chalk_1.default.bold.cyan('\n  App Install\n'));
+    console.log(chalk_1.default.gray(`  Server:     ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:        ${orgId}`));
+    console.log(chalk_1.default.gray(`  Repository: ${repository}`));
+    console.log(chalk_1.default.gray(`  Branch:     ${repositoryBranch}`));
+    if (force)
+        console.log(chalk_1.default.gray(`  Force:      yes`));
+    if (skipChanged)
+        console.log(chalk_1.default.gray(`  Skip changed: yes`));
+    console.log('');
+    try {
+        const data = await graphqlRequest(domain, token, `
+      mutation ($input: InstallAppManifestInput!) {
+        installAppManifest(input: $input) {
+          appManifest {
+            appManifestId
+            name
+            currentVersion
+            isEnabled
+            hasUnpublishedChanges
+            isUpdateAvailable
+          }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                values: {
+                    repository,
+                    repositoryBranch,
+                    force: force || false,
+                    skipModulesWithChanges: skipChanged || false,
+                }
+            }
+        });
+        const manifest = data?.installAppManifest?.appManifest;
+        if (manifest) {
+            console.log(chalk_1.default.green(`  ✓ Installed ${manifest.name} v${manifest.currentVersion}`));
+            if (manifest.hasUnpublishedChanges) {
+                console.log(chalk_1.default.yellow(`    Has unpublished changes`));
+            }
+        }
+        else {
+            console.log(chalk_1.default.green('  ✓ Install completed'));
+        }
+    }
+    catch (e) {
+        console.error(chalk_1.default.red(`  ✗ Install failed: ${e.message}`));
+        process.exit(1);
+    }
+    console.log('');
+}
+async function runAppPublish(orgOverride, message, branch, force, targetFiles) {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    if (!message) {
+        console.error(chalk_1.default.red('Error: --message (-m) is required for app release'));
+        console.error(chalk_1.default.gray('Describe what changed, similar to a git commit message.'));
+        console.error(chalk_1.default.gray(`Example: ${PROGRAM_NAME} app release -m "Add new shipping module"`));
+        process.exit(2);
+    }
+    const appYaml = readAppYaml();
+    const appManifestId = appYaml.id;
+    if (!appManifestId) {
+        console.error(chalk_1.default.red('Error: app.yaml must have an `id` field'));
+        process.exit(2);
+    }
+    console.log(chalk_1.default.bold.cyan('\n  App Release\n'));
+    console.log(chalk_1.default.gray(`  Server:  ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:     ${orgId}`));
+    console.log(chalk_1.default.gray(`  App:     ${appYaml.name || appManifestId}`));
+    if (message)
+        console.log(chalk_1.default.gray(`  Message: ${message}`));
+    if (branch)
+        console.log(chalk_1.default.gray(`  Branch:  ${branch}`));
+    if (force)
+        console.log(chalk_1.default.gray(`  Force:   yes`));
+    // Extract workflow/module IDs from target files
+    const workflowIds = [];
+    const moduleIds = [];
+    if (targetFiles && targetFiles.length > 0) {
+        for (const file of targetFiles) {
+            if (!fs.existsSync(file)) {
+                console.error(chalk_1.default.red(`  Error: File not found: ${file}`));
+                process.exit(2);
+            }
+            const parsed = yaml_1.default.parse(fs.readFileSync(file, 'utf-8'));
+            if (parsed?.workflow?.workflowId) {
+                workflowIds.push(parsed.workflow.workflowId);
+                console.log(chalk_1.default.gray(`  Workflow: ${parsed.workflow.name || parsed.workflow.workflowId}`));
+            }
+            else if (parsed?.module?.appModuleId) {
+                moduleIds.push(parsed.module.appModuleId);
+                console.log(chalk_1.default.gray(`  Module:   ${parsed.module.name || parsed.module.appModuleId}`));
+            }
+            else {
+                console.error(chalk_1.default.red(`  Error: Cannot identify file type: ${file}`));
+                process.exit(2);
+            }
+        }
+    }
+    console.log('');
+    try {
+        const publishValues = {
+            message: message || undefined,
+            branch: branch || undefined,
+            force: force || false,
+        };
+        if (workflowIds.length > 0)
+            publishValues.workflowIds = workflowIds;
+        if (moduleIds.length > 0)
+            publishValues.moduleIds = moduleIds;
+        const data = await graphqlRequest(domain, token, `
+      mutation ($input: PublishAppManifestInput!) {
+        publishAppManifest(input: $input) {
+          appManifest {
+            appManifestId
+            name
+            currentVersion
+            hasUnpublishedChanges
+          }
+        }
+      }
+    `, {
+            input: {
+                organizationId: orgId,
+                appManifestId,
+                values: publishValues,
+            }
+        });
+        const manifest = data?.publishAppManifest?.appManifest;
+        if (manifest) {
+            console.log(chalk_1.default.green(`  ✓ Published ${manifest.name} v${manifest.currentVersion}`));
+        }
+        else {
+            console.log(chalk_1.default.green('  ✓ Publish completed'));
+        }
+    }
+    catch (e) {
+        console.error(chalk_1.default.red(`  ✗ Publish failed: ${e.message}`));
+        process.exit(1);
+    }
+    console.log('');
+}
+async function runAppList(orgOverride) {
+    const session = resolveSession();
+    const domain = session.domain;
+    const token = session.access_token;
+    const orgId = await resolveOrgId(domain, token, orgOverride);
+    console.log(chalk_1.default.bold.cyan('\n  App Manifests\n'));
+    console.log(chalk_1.default.gray(`  Server: ${new URL(domain).hostname}`));
+    console.log(chalk_1.default.gray(`  Org:    ${orgId}\n`));
+    try {
+        const data = await graphqlRequest(domain, token, `
+      query ($organizationId: Int!) {
+        appManifests(organizationId: $organizationId) {
+          items {
+            appManifestId
+            name
+            currentVersion
+            isEnabled
+            hasUnpublishedChanges
+            isUpdateAvailable
+            repository
+            repositoryBranch
+          }
+        }
+      }
+    `, { organizationId: orgId });
+        const items = data?.appManifests?.items || [];
+        if (items.length === 0) {
+            console.log(chalk_1.default.gray('  No app manifests installed\n'));
+            return;
+        }
+        for (const app of items) {
+            const flags = [];
+            if (!app.isEnabled)
+                flags.push(chalk_1.default.red('disabled'));
+            if (app.hasUnpublishedChanges)
+                flags.push(chalk_1.default.yellow('unpublished'));
+            if (app.isUpdateAvailable)
+                flags.push(chalk_1.default.cyan('update available'));
+            const flagStr = flags.length > 0 ? ` [${flags.join(', ')}]` : '';
+            console.log(`  ${chalk_1.default.bold(app.name)} ${chalk_1.default.gray(`v${app.currentVersion}`)}${flagStr}`);
+            console.log(chalk_1.default.gray(`    ID:   ${app.appManifestId}`));
+            if (app.repository) {
+                console.log(chalk_1.default.gray(`    Repo: ${app.repository} (${app.repositoryBranch || 'main'})`));
+            }
+        }
+        console.log('');
+    }
+    catch (e) {
+        console.error(chalk_1.default.red(`  ✗ Failed to list apps: ${e.message}`));
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Query Command
+// ============================================================================
+async function runQuery(queryArg, variables) {
+    if (!queryArg) {
+        console.error(chalk_1.default.red('Error: query argument required (inline GraphQL string or .graphql/.gql file path)'));
+        process.exit(2);
+    }
+    // Resolve query: file path or inline string
+    let query;
+    if (queryArg.endsWith('.graphql') || queryArg.endsWith('.gql')) {
+        if (!fs.existsSync(queryArg)) {
+            console.error(chalk_1.default.red(`Error: file not found: ${queryArg}`));
+            process.exit(2);
+        }
+        query = fs.readFileSync(queryArg, 'utf-8');
+    }
+    else {
+        query = queryArg;
+    }
+    // Parse variables if provided
+    let vars = {};
+    if (variables) {
+        try {
+            vars = JSON.parse(variables);
+        }
+        catch {
+            console.error(chalk_1.default.red('Error: --vars must be valid JSON'));
+            process.exit(2);
+        }
+    }
+    const session = resolveSession();
+    const data = await graphqlRequest(session.domain, session.access_token, query, vars);
+    console.log(JSON.stringify(data, null, 2));
+}
+// ============================================================================
+// GQL Schema Exploration Command
+// ============================================================================
+async function runGql(sub, filter) {
+    if (!sub) {
+        console.error(chalk_1.default.red('Error: subcommand required'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} gql <queries|mutations|types|type> [name] [--filter <text>]`));
+        process.exit(2);
+    }
+    const session = resolveSession();
+    if (sub === 'type') {
+        if (!filter) {
+            console.error(chalk_1.default.red('Error: type name required'));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} gql type <TypeName>`));
+            process.exit(2);
+        }
+        await runGqlType(session, filter);
+    }
+    else if (sub === 'queries') {
+        await runGqlRootFields(session, 'queryType', filter);
+    }
+    else if (sub === 'mutations') {
+        await runGqlRootFields(session, 'mutationType', filter);
+    }
+    else if (sub === 'types') {
+        await runGqlTypes(session, filter);
+    }
+    else {
+        console.error(chalk_1.default.red(`Unknown gql subcommand: ${sub}`));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} gql <queries|mutations|types|type> [--filter <text>]`));
+        process.exit(2);
+    }
+}
+function formatGqlType(t) {
+    if (!t)
+        return 'unknown';
+    if (t.kind === 'NON_NULL')
+        return `${formatGqlType(t.ofType)}!`;
+    if (t.kind === 'LIST')
+        return `[${formatGqlType(t.ofType)}]`;
+    return t.name || 'unknown';
+}
+async function runGqlType(session, typeName) {
+    const query = `{
+    __type(name: "${typeName}") {
+      name kind description
+      fields { name description type { name kind ofType { name kind ofType { name kind ofType { name kind } } } } args { name type { name kind ofType { name kind ofType { name kind } } } defaultValue } }
+      inputFields { name type { name kind ofType { name kind ofType { name kind } } } defaultValue }
+      enumValues { name description }
+    }
+  }`;
+    const data = await graphqlRequest(session.domain, session.access_token, query, {});
+    const type = data.__type;
+    if (!type) {
+        console.error(chalk_1.default.red(`Type "${typeName}" not found`));
+        process.exit(1);
+    }
+    console.log(chalk_1.default.bold.cyan(`${type.name}`) + chalk_1.default.gray(` (${type.kind})`));
+    if (type.description)
+        console.log(chalk_1.default.gray(type.description));
+    console.log('');
+    if (type.fields && type.fields.length > 0) {
+        console.log(chalk_1.default.bold.yellow('Fields:'));
+        for (const f of type.fields) {
+            const typeStr = formatGqlType(f.type);
+            let line = `  ${chalk_1.default.green(f.name)}: ${chalk_1.default.cyan(typeStr)}`;
+            if (f.args && f.args.length > 0) {
+                const argsStr = f.args.map((a) => {
+                    const argType = formatGqlType(a.type);
+                    return a.defaultValue ? `${a.name}: ${argType} = ${a.defaultValue}` : `${a.name}: ${argType}`;
+                }).join(', ');
+                line += chalk_1.default.gray(` (${argsStr})`);
+            }
+            if (f.description)
+                line += chalk_1.default.gray(` — ${f.description}`);
+            console.log(line);
+        }
+    }
+    if (type.inputFields && type.inputFields.length > 0) {
+        console.log(chalk_1.default.bold.yellow('Input Fields:'));
+        for (const f of type.inputFields) {
+            const typeStr = formatGqlType(f.type);
+            let line = `  ${chalk_1.default.green(f.name)}: ${chalk_1.default.cyan(typeStr)}`;
+            if (f.defaultValue)
+                line += chalk_1.default.gray(` = ${f.defaultValue}`);
+            console.log(line);
+        }
+    }
+    if (type.enumValues && type.enumValues.length > 0) {
+        console.log(chalk_1.default.bold.yellow('Enum Values:'));
+        for (const v of type.enumValues) {
+            let line = `  ${chalk_1.default.green(v.name)}`;
+            if (v.description)
+                line += chalk_1.default.gray(` — ${v.description}`);
+            console.log(line);
+        }
+    }
+}
+async function runGqlRootFields(session, rootType, filter) {
+    const query = `{
+    __schema {
+      ${rootType} {
+        fields { name description args { name type { name kind ofType { name kind ofType { name kind } } } defaultValue } type { name kind ofType { name kind ofType { name kind } } } }
+      }
+    }
+  }`;
+    const data = await graphqlRequest(session.domain, session.access_token, query, {});
+    const fields = data.__schema?.[rootType]?.fields || [];
+    const filtered = filter
+        ? fields.filter((f) => f.name.toLowerCase().includes(filter.toLowerCase()))
+        : fields;
+    const label = rootType === 'queryType' ? 'Queries' : 'Mutations';
+    console.log(chalk_1.default.bold.yellow(`${label}${filter ? ` (filter: "${filter}")` : ''}:`));
+    console.log('');
+    for (const f of filtered) {
+        const returnType = formatGqlType(f.type);
+        console.log(`  ${chalk_1.default.green(f.name)}: ${chalk_1.default.cyan(returnType)}`);
+        if (f.description)
+            console.log(`    ${chalk_1.default.gray(f.description)}`);
+        if (f.args && f.args.length > 0) {
+            for (const a of f.args) {
+                const argType = formatGqlType(a.type);
+                const def = a.defaultValue ? chalk_1.default.gray(` = ${a.defaultValue}`) : '';
+                console.log(`    ${chalk_1.default.white(a.name)}: ${chalk_1.default.cyan(argType)}${def}`);
+            }
+        }
+        console.log('');
+    }
+    console.log(chalk_1.default.gray(`${filtered.length} ${label.toLowerCase()} found`));
+}
+async function runGqlTypes(session, filter) {
+    const query = `{
+    __schema {
+      types { name kind description }
+    }
+  }`;
+    const data = await graphqlRequest(session.domain, session.access_token, query, {});
+    const types = (data.__schema?.types || [])
+        .filter((t) => !t.name.startsWith('__'))
+        .filter((t) => !filter || t.name.toLowerCase().includes(filter.toLowerCase()));
+    const grouped = {};
+    for (const t of types) {
+        const kind = t.kind || 'OTHER';
+        if (!grouped[kind])
+            grouped[kind] = [];
+        grouped[kind].push(t);
+    }
+    const kindOrder = ['OBJECT', 'INPUT_OBJECT', 'ENUM', 'INTERFACE', 'UNION', 'SCALAR'];
+    for (const kind of kindOrder) {
+        const items = grouped[kind];
+        if (!items || items.length === 0)
+            continue;
+        console.log(chalk_1.default.bold.yellow(`${kind} (${items.length}):`));
+        for (const t of items.sort((a, b) => a.name.localeCompare(b.name))) {
+            let line = `  ${chalk_1.default.green(t.name)}`;
+            if (t.description)
+                line += chalk_1.default.gray(` — ${t.description}`);
+            console.log(line);
+        }
+        console.log('');
+    }
+    console.log(chalk_1.default.gray(`${types.length} types found${filter ? ` matching "${filter}"` : ''}`));
+}
+// ============================================================================
+// Extract Command
+// ============================================================================
+function runExtract(sourceFile, componentName, targetFile, copy) {
+    // Validate args
+    if (!sourceFile || !componentName || !targetFile) {
+        console.error(chalk_1.default.red('Error: Missing required arguments'));
+        console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} extract <source-file> <component-name> --to <target-file> [--copy]`));
+        process.exit(2);
+    }
+    // Check source exists
+    if (!fs.existsSync(sourceFile)) {
+        console.error(chalk_1.default.red(`Error: Source file not found: ${sourceFile}`));
+        process.exit(2);
+    }
+    // Read and parse source (Document API preserves comments)
+    const sourceContent = fs.readFileSync(sourceFile, 'utf-8');
+    const srcDoc = yaml_1.default.parseDocument(sourceContent);
+    const sourceJS = srcDoc.toJS();
+    if (!sourceJS || !Array.isArray(sourceJS.components)) {
+        console.error(chalk_1.default.red(`Error: Source file is not a valid module (missing components array): ${sourceFile}`));
+        process.exit(2);
+    }
+    // Get the AST components sequence
+    const srcComponents = srcDoc.get('components', true);
+    if (!(0, yaml_1.isSeq)(srcComponents)) {
+        console.error(chalk_1.default.red(`Error: Source components is not a sequence: ${sourceFile}`));
+        process.exit(2);
+    }
+    // Find component by exact name match
+    const compIndex = srcComponents.items.findIndex((item) => {
+        return (0, yaml_1.isMap)(item) && item.get('name') === componentName;
+    });
+    if (compIndex === -1) {
+        const available = sourceJS.components.map((c) => c.name).filter(Boolean);
+        console.error(chalk_1.default.red(`Error: Component not found: ${componentName}`));
+        if (available.length > 0) {
+            console.error(chalk_1.default.gray('Available components:'));
+            for (const name of available) {
+                console.error(chalk_1.default.gray(`  - ${name}`));
+            }
+        }
+        process.exit(2);
+    }
+    // Get the component AST node (clone for copy, take for move)
+    const componentNode = copy
+        ? srcDoc.createNode(sourceJS.components[compIndex])
+        : srcComponents.items[compIndex];
+    // Capture comment: if this is the first item, the comment lives on the parent seq
+    let componentComment;
+    if (compIndex === 0 && srcComponents.commentBefore) {
+        componentComment = srcComponents.commentBefore;
+        if (!copy) {
+            // Transfer the comment away from the source seq (it belongs to the extracted component)
+            srcComponents.commentBefore = undefined;
+        }
+    }
+    else {
+        componentComment = componentNode.commentBefore;
+    }
+    // Find matching routes (by index in AST)
+    const srcRoutes = srcDoc.get('routes', true);
+    const matchedRouteIndices = [];
+    if ((0, yaml_1.isSeq)(srcRoutes)) {
+        srcRoutes.items.forEach((item, idx) => {
+            if ((0, yaml_1.isMap)(item) && item.get('component') === componentName) {
+                matchedRouteIndices.push(idx);
+            }
+        });
+    }
+    // Collect route AST nodes (clone for copy, reference for move)
+    const routeNodes = matchedRouteIndices.map(idx => {
+        if (copy) {
+            return srcDoc.createNode(sourceJS.routes[idx]);
+        }
+        return srcRoutes.items[idx];
+    });
+    // Load or create target document
+    let tgtDoc;
+    let targetCreated = false;
+    if (fs.existsSync(targetFile)) {
+        const targetContent = fs.readFileSync(targetFile, 'utf-8');
+        tgtDoc = yaml_1.default.parseDocument(targetContent);
+        const targetJS = tgtDoc.toJS();
+        if (!targetJS || !Array.isArray(targetJS.components)) {
+            console.error(chalk_1.default.red(`Error: Target file is not a valid module (missing components array): ${targetFile}`));
+            process.exit(2);
+        }
+        // Check for duplicate component name
+        const duplicate = targetJS.components.find((c) => c.name === componentName);
+        if (duplicate) {
+            console.error(chalk_1.default.red(`Error: Target already contains a component named "${componentName}"`));
+            process.exit(2);
+        }
+    }
+    else {
+        // Create new module scaffold
+        const baseName = path.basename(targetFile, path.extname(targetFile));
+        const moduleName = baseName
+            .split('-')
+            .map((w) => w.charAt(0).toUpperCase() + w.slice(1))
+            .join('');
+        const sourceModule = typeof sourceJS.module === 'object' ? sourceJS.module : null;
+        const displayName = moduleName.replace(/([a-z])([A-Z])/g, '$1 $2');
+        const moduleObj = {
+            name: moduleName,
+            appModuleId: generateUUID(),
+            displayName: { 'en-US': displayName },
+            description: { 'en-US': `${displayName} module` },
+            application: 'System',
+        };
+        // In copy mode, set priority higher than source
+        if (copy) {
+            const sourcePriority = sourceModule?.priority;
+            moduleObj.priority = (0, extractUtils_1.computeExtractPriority)(sourcePriority);
+        }
+        // Parse from string so the document has proper AST context for comment preservation
+        const scaffoldStr = yaml_1.default.stringify({
+            module: moduleObj,
+            entities: [],
+            permissions: [],
+            components: [],
+            routes: []
+        }, { indent: 2, lineWidth: 0, singleQuote: false });
+        tgtDoc = yaml_1.default.parseDocument(scaffoldStr);
+        targetCreated = true;
+    }
+    // Add component to target (ensure block style so comments are preserved)
+    const tgtComponents = tgtDoc.get('components', true);
+    if ((0, yaml_1.isSeq)(tgtComponents)) {
+        tgtComponents.flow = false;
+        // Apply the captured comment: if it's the first item in target, set on seq; otherwise on node
+        if (componentComment) {
+            if (tgtComponents.items.length === 0) {
+                tgtComponents.commentBefore = componentComment;
+            }
+            else {
+                componentNode.commentBefore = componentComment;
+            }
+        }
+        tgtComponents.items.push(componentNode);
+    }
+    else {
+        tgtDoc.addIn(['components'], componentNode);
+    }
+    // In move mode, remove component from source
     if (!copy) {
         srcComponents.items.splice(compIndex, 1);
     }
@@ -1539,7 +3579,7 @@ function parseArgs(args) {
         reportFormat: 'json'
     };
     // Check for commands
-    const commands = ['validate', 'schema', 'example', 'list', 'help', 'version', 'report', 'init', 'create', 'extract', 'sync-schemas', 'install-skills', 'update', 'setup-claude'];
+    const commands = ['validate', 'schema', 'example', 'list', 'help', 'version', 'report', 'init', 'create', 'extract', 'sync-schemas', 'install-skills', 'update', 'setup-claude', 'login', 'logout', 'pat', 'appmodule', 'orgs', 'workflow', 'publish', 'query', 'gql', 'app'];
     if (args.length > 0 && commands.includes(args[0])) {
         command = args[0];
         args = args.slice(1);
@@ -1615,6 +3655,50 @@ function parseArgs(args) {
         else if (arg === '--copy') {
             options.extractCopy = true;
         }
+        else if (arg === '--org') {
+            const orgArg = args[++i];
+            const parsed = parseInt(orgArg, 10);
+            if (isNaN(parsed)) {
+                console.error(chalk_1.default.red(`Invalid --org value: ${orgArg}. Must be a number.`));
+                process.exit(2);
+            }
+            options.orgId = parsed;
+        }
+        else if (arg === '--vars') {
+            options.vars = args[++i];
+        }
+        else if (arg === '--from') {
+            options.from = args[++i];
+        }
+        else if (arg === '--to') {
+            options.to = args[++i];
+        }
+        else if (arg === '--output' || arg === '-o') {
+            options.output = args[++i];
+        }
+        else if (arg === '--console') {
+            options.console = true;
+        }
+        else if (arg === '--message' || arg === '-m') {
+            options.message = args[++i];
+        }
+        else if (arg === '--branch' || arg === '-b') {
+            options.branch = args[++i];
+        }
+        else if (arg === '--file') {
+            if (!options.file)
+                options.file = [];
+            options.file.push(args[++i]);
+        }
+        else if (arg === '--filter') {
+            options.filter = args[++i];
+        }
+        else if (arg === '--force') {
+            options.force = true;
+        }
+        else if (arg === '--skip-changed') {
+            options.skipChanged = true;
+        }
         else if (!arg.startsWith('-')) {
             files.push(arg);
         }
@@ -2021,13 +4105,13 @@ function getSuggestion(error) {
                 return 'Check that the value type matches the expected type (string, number, boolean, etc.)';
             }
             if (error.message.includes('additionalProperties')) {
-                return 'Remove unrecognized properties. Use `cx-cli schema <type>` to see allowed properties.';
+                return 'Remove unrecognized properties. Use `cxtms schema <type>` to see allowed properties.';
             }
             return 'Review the schema requirements for this property';
         case 'yaml_syntax_error':
             return 'Check YAML indentation and syntax. Use a YAML linter to identify issues.';
         case 'invalid_task_type':
-            return `Use 'cx-cli list --type workflow' to see available task types`;
+            return `Use 'cxtms list --type workflow' to see available task types`;
         case 'invalid_activity':
             return 'Each activity must have a "name" and "steps" array';
         default:
@@ -2401,7 +4485,151 @@ async function main() {
     }
     // Handle version
     if (options.version) {
-        console.log(`cx-cli v${VERSION}`);
+        console.log(`cxtms v${VERSION}`);
+        process.exit(0);
+    }
+    // Handle login command (no schemas needed)
+    if (command === 'login') {
+        if (!files[0]) {
+            console.error(chalk_1.default.red('Error: URL required'));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} login <url>`));
+            process.exit(2);
+        }
+        await runLogin(files[0]);
+        process.exit(0);
+    }
+    // Handle logout command (no schemas needed)
+    if (command === 'logout') {
+        await runLogout(files[0]);
+        process.exit(0);
+    }
+    // Handle pat command (no schemas needed)
+    if (command === 'pat') {
+        const sub = files[0];
+        if (sub === 'create') {
+            if (!files[1]) {
+                console.error(chalk_1.default.red('Error: Token name required'));
+                console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} pat create <name>`));
+                process.exit(2);
+            }
+            await runPatCreate(files[1]);
+        }
+        else if (sub === 'list' || !sub) {
+            await runPatList();
+        }
+        else if (sub === 'revoke') {
+            if (!files[1]) {
+                console.error(chalk_1.default.red('Error: Token ID required'));
+                console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} pat revoke <tokenId>`));
+                process.exit(2);
+            }
+            await runPatRevoke(files[1]);
+        }
+        else if (sub === 'setup') {
+            await runPatSetup();
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown pat subcommand: ${sub}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} pat <create|list|revoke|setup>`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle orgs command (no schemas needed)
+    if (command === 'orgs') {
+        const sub = files[0];
+        if (sub === 'list' || !sub) {
+            await runOrgsList();
+        }
+        else if (sub === 'use') {
+            await runOrgsUse(files[1]);
+        }
+        else if (sub === 'select') {
+            await runOrgsSelect();
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown orgs subcommand: ${sub}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} orgs <list|use|select>`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle appmodule command (no schemas needed)
+    if (command === 'appmodule') {
+        const sub = files[0];
+        if (sub === 'deploy') {
+            await runAppModuleDeploy(files[1], options.orgId);
+        }
+        else if (sub === 'undeploy') {
+            await runAppModuleUndeploy(files[1], options.orgId);
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown appmodule subcommand: ${sub || '(none)'}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} appmodule <deploy|undeploy> ...`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle workflow command (no schemas needed)
+    if (command === 'workflow') {
+        const sub = files[0];
+        if (sub === 'deploy') {
+            await runWorkflowDeploy(files[1], options.orgId);
+        }
+        else if (sub === 'undeploy') {
+            await runWorkflowUndeploy(files[1], options.orgId);
+        }
+        else if (sub === 'execute') {
+            await runWorkflowExecute(files[1], options.orgId, options.vars, options.file);
+        }
+        else if (sub === 'logs') {
+            await runWorkflowLogs(files[1], options.orgId, options.from, options.to);
+        }
+        else if (sub === 'log') {
+            await runWorkflowLog(files[1], options.orgId, options.output, options.console, options.format === 'json');
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown workflow subcommand: ${sub || '(none)'}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} workflow <deploy|undeploy|execute|logs|log> ...`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle publish command (no schemas needed)
+    if (command === 'publish') {
+        await runPublish(files[0] || options.feature, options.orgId);
+        process.exit(0);
+    }
+    // Handle app command (no schemas needed)
+    if (command === 'app') {
+        const sub = files[0];
+        if (sub === 'install' || sub === 'upgrade') {
+            await runAppInstall(options.orgId, options.branch, options.force, options.skipChanged);
+        }
+        else if (sub === 'release' || sub === 'publish') {
+            await runAppPublish(options.orgId, options.message, options.branch, options.force, files.slice(1));
+        }
+        else if (sub === 'list' || !sub) {
+            await runAppList(options.orgId);
+        }
+        else {
+            console.error(chalk_1.default.red(`Unknown app subcommand: ${sub}`));
+            console.error(chalk_1.default.gray(`Usage: ${PROGRAM_NAME} app <install|upgrade|release|list>`));
+            process.exit(2);
+        }
+        process.exit(0);
+    }
+    // Handle gql command (no schemas needed)
+    if (command === 'gql') {
+        const sub = files[0];
+        // For 'gql type <name>', the type name is in files[1] — use it as filter
+        const filterArg = sub === 'type' ? (files[1] || options.filter) : options.filter;
+        await runGql(sub, filterArg);
+        process.exit(0);
+    }
+    // Handle query command (no schemas needed)
+    if (command === 'query') {
+        await runQuery(files[0], options.vars);
         process.exit(0);
     }
     // Find schemas path