@devicecloud.dev/dcd 5.0.0-beta.0 → 5.0.0-beta.2

package/dist/services/test-submission.service.js

@@ -1,27 +1,27 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TestSubmissionService = void 0;
-const node_crypto_1 = require("node:crypto");
-const path = require("node:path");
-const methods_1 = require("../methods");
-const paths_1 = require("../utils/paths");
+import { createHash } from 'node:crypto';
+import * as path from 'node:path';
+import { compressFilesFromRelativePath } from '../methods.js';
+import { toPortableRelativePath } from '../utils/paths.js';
 const mimeTypeLookupByExtension = {
     zip: 'application/zip',
 };
 /**
  * Service for building test submission form data
  */
-class TestSubmissionService {
+export class TestSubmissionService {
     /**
-     * Build FormData for test submission
+     * Build the test-submission payload: the compressed flow zip plus every
+     * non-`file` field, each encoded exactly as it is sent today. The same
+     * `fields` feed both the new JSON `submitFlowTest` body and the legacy
+     * multipart `buildFormData`, guaranteeing byte-identical field encoding
+     * across both paths.
      * @param config Test submission configuration
-     * @returns FormData ready to be submitted to the API
+     * @returns The flow zip buffer, its SHA-256, and the string-encoded fields
      */
-    async buildTestFormData(config) {
+    async buildTestPayload(config) {
         const { appBinaryId, flowFile, executionPlan, commonRoot, cliVersion, env = [], metadata = [], googlePlay = false, androidApiLevel, androidDevice, androidNoSnapshot, iOSVersion, iOSDevice, name, runnerType, maestroVersion, deviceLocale, orientation, mitmHost, mitmPath, retry, continueOnFailure = true, report, showCrosshairs, maestroChromeOnboarding, raw, disableAnimations, debug = false, logger, } = config;
         const { allExcludeTags, allIncludeTags, flowMetadata, flowOverrides, flowsToRun: testFileNames, referencedFiles, sequence, workspaceConfig, } = executionPlan;
         const { flows: sequentialFlows = [] } = sequence ?? {};
-        const testFormData = new FormData();
         const envObject = this.parseKeyValuePairs(env);
         const metadataObject = this.parseKeyValuePairs(metadata);
         if (Object.keys(envObject).length > 0) {
@@ -42,7 +42,7 @@ class TestSubmissionService {
             }
         }
         this.logDebug(debug, logger, `[DEBUG] Compressing files from path: ${flowFile}`);
-        const buffer = await (0, methods_1.compressFilesFromRelativePath)(flowFile?.endsWith('.yaml') || flowFile?.endsWith('.yml')
+        const buffer = await compressFilesFromRelativePath(flowFile?.endsWith('.yaml') || flowFile?.endsWith('.yml')
             ? path.dirname(flowFile)
             : flowFile, [
             ...new Set([
@@ -53,19 +53,18 @@ class TestSubmissionService {
         ], commonRoot);
         this.logDebug(debug, logger, `[DEBUG] Compressed file size: ${buffer.length} bytes`);
         // Calculate SHA-256 hash of the flow ZIP
-        const sha = (0, node_crypto_1.createHash)('sha256').update(buffer).digest('hex');
+        const sha = createHash('sha256').update(buffer).digest('hex');
         this.logDebug(debug, logger, `[DEBUG] Flow ZIP SHA-256: ${sha}`);
-        const blob = new Blob([buffer], {
-            type: mimeTypeLookupByExtension.zip,
-        });
-        testFormData.set('file', blob, 'flowFile.zip');
-        testFormData.set('sha', sha);
-        testFormData.set('appBinaryId', appBinaryId);
-        testFormData.set('testFileNames', JSON.stringify(this.normalizePaths(testFileNames, commonRoot)));
-        testFormData.set('flowMetadata', JSON.stringify(this.normalizePathMap(flowMetadata, commonRoot)));
-        testFormData.set('testFileOverrides', JSON.stringify(this.normalizePathMap(flowOverrides, commonRoot)));
-        testFormData.set('sequentialFlows', JSON.stringify(this.normalizePaths(sequentialFlows, commonRoot)));
-        testFormData.set('env', JSON.stringify(envObject));
+        // String-encoded fields, in the same order and with the same encoding as
+        // the legacy multipart FormData. Reused verbatim by both submission paths.
+        const fields = {};
+        fields.sha = sha;
+        fields.appBinaryId = appBinaryId;
+        fields.testFileNames = JSON.stringify(this.normalizePaths(testFileNames, commonRoot));
+        fields.flowMetadata = JSON.stringify(this.normalizePathMap(flowMetadata, commonRoot));
+        fields.testFileOverrides = JSON.stringify(this.normalizePathMap(flowOverrides, commonRoot));
+        fields.sequentialFlows = JSON.stringify(this.normalizePaths(sequentialFlows, commonRoot));
+        fields.env = JSON.stringify(envObject);
         // Note: googlePlay is now included in configPayload below instead of as a separate field
         // to work around a FormData parsing issue in the API
         const targetPlatform = iOSDevice || iOSVersion ? 'ios' : 'android';
@@ -92,13 +91,13 @@ class TestSubmissionService {
             disableAnimations: effectiveDisableAnimations,
             version: cliVersion,
         };
-        testFormData.set('config', JSON.stringify(configPayload));
+        fields.config = JSON.stringify(configPayload);
         if (Object.keys(metadataObject).length > 0) {
             const metadataPayload = { userMetadata: metadataObject };
-            testFormData.set('metadata', JSON.stringify(metadataPayload));
+            fields.metadata = JSON.stringify(metadataPayload);
             this.logDebug(debug, logger, `[DEBUG] Sending metadata to API: ${JSON.stringify(metadataPayload)}`);
         }
-        this.setOptionalFields(testFormData, {
+        this.setOptionalFields(fields, {
             androidApiLevel,
             androidDevice,
             iOSDevice,
@@ -107,9 +106,28 @@ class TestSubmissionService {
             runnerType,
         });
         if (workspaceConfig) {
-            testFormData.set('workspaceConfig', JSON.stringify(workspaceConfig));
+            fields.workspaceConfig = JSON.stringify(workspaceConfig);
+        }
+        return { buffer, fields, sha };
+    }
+    /**
+     * Wraps the payload fields and flow zip into multipart FormData for the
+     * legacy `POST /uploads/flow` fallback. `file` is set first to preserve the
+     * exact part ordering the old code produced.
+     * @param fields String-encoded fields from {@link buildTestPayload}
+     * @param buffer The compressed flow zip
+     * @returns FormData ready to be submitted to the multipart API
+     */
+    buildFormData(fields, buffer) {
+        const formData = new FormData();
+        const blob = new Blob([buffer], {
+            type: mimeTypeLookupByExtension.zip,
+        });
+        formData.set('file', blob, 'flowFile.zip');
+        for (const [key, value] of Object.entries(fields)) {
+            formData.set(key, value);
         }
-        return testFormData;
+        return formData;
     }
     logDebug(debug, logger, message) {
         if (debug && logger) {
@@ -117,7 +135,7 @@ class TestSubmissionService {
         }
     }
     normalizeFilePath(filePath, commonRoot) {
-        return (0, paths_1.toPortableRelativePath)(filePath, commonRoot);
+        return toPortableRelativePath(filePath, commonRoot);
     }
     normalizePathMap(map, commonRoot) {
         return Object.fromEntries(Object.entries(map).map(([key, value]) => [
@@ -137,12 +155,11 @@ class TestSubmissionService {
             return acc;
         }, {});
     }
-    setOptionalFields(formData, fields) {
+    setOptionalFields(target, fields) {
         for (const [key, value] of Object.entries(fields)) {
             if (value) {
-                formData.set(key, value.toString());
+                target[key] = value.toString();
             }
         }
     }
 }
-exports.TestSubmissionService = TestSubmissionService;

package/dist/services/version.service.d.ts

@@ -1,4 +1,19 @@
-import { CompatibilityData } from '../utils/compatibility';
+import { CompatibilityData } from '../utils/compatibility.js';
+export type ReleaseChannel = 'beta' | 'stable';
+/**
+ * Outcome of a release-manifest lookup. `ok: true` means the manifest was
+ * reachable — `version` is the published version on the channel, or `null` when
+ * nothing is published there yet. `ok: false` means the lookup itself failed
+ * (network/timeout/non-2xx).
+ */
+export type LatestVersionResult = {
+    ok: true;
+    channel: ReleaseChannel;
+    version: null | string;
+} | {
+    ok: false;
+    error: string;
+};
 /**
  * Service for handling version validation and checking
  */
@@ -6,14 +21,22 @@ export declare class VersionService {
     /**
      * Fetch the latest published CLI version from the release manifest.
      * Works for both npm- and binary-installed users (no `npm` shell-out).
-     * Silently returns null on any failure — this check is informational only.
+     *
+     * The result is discriminated so callers can tell "reachable, but no release
+     * on this channel yet" (`ok: true, version: null`) apart from an actual
+     * network/manifest failure (`ok: false`) — the old single-`null` return
+     * conflated the two and produced a misleading "check your network" error
+     * during the beta. Prerelease installs (current version contains `-`) query
+     * the opt-in beta channel; everyone else gets the stable channel.
      */
-    checkLatestCliVersion(): Promise<null | string>;
+    checkLatestCliVersion(currentVersion?: string): Promise<LatestVersionResult>;
     /**
-     * Compare two semantic version strings
-     * @param current - Current version
-     * @param latest - Latest version
-     * @returns true if current is older than latest
+     * Compare two semantic version strings (SemVer 2.0.0 precedence, including
+     * prerelease tags). Returns true if `current` is strictly older than `latest`.
+     *
+     * Prerelease handling matters here: a beta-to-beta bump such as
+     * "5.0.0-beta.0" -> "5.0.0-beta.1" shares the same major.minor.patch, so we
+     * must compare the prerelease identifiers to detect that an upgrade exists.
      */
     isOutdated(current: string, latest: string): boolean;
     /**

package/dist/services/version.service.js

@@ -1,57 +1,114 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.VersionService = void 0;
 const DEFAULT_MANIFEST_URL = 'https://get.devicecloud.dev/latest.json';
 const MANIFEST_TIMEOUT_MS = 3000;
+/**
+ * Compare two semantic versions per SemVer 2.0.0 precedence rules.
+ * Returns a negative number if `a < b`, positive if `a > b`, and 0 if equal.
+ *
+ * Implements the prerelease rules that the previous naive comparator dropped:
+ *   - A version WITH a prerelease has lower precedence than the same version
+ *     without one ("1.0.0-beta" < "1.0.0").
+ *   - Prerelease identifiers are compared dot-separated, left to right:
+ *     numeric identifiers compare numerically, alphanumeric ones compare
+ *     lexically (ASCII), and numeric always sorts below alphanumeric. A longer
+ *     set of identifiers wins when all preceding ones are equal.
+ */
+function compareSemver(a, b) {
+    const split = (v) => {
+        const [core, ...preParts] = v.trim().replace(/^v/, '').split('-');
+        const nums = core.split('.').map((n) => Number(n) || 0);
+        const pre = preParts.join('-');
+        return {
+            release: [nums[0] || 0, nums[1] || 0, nums[2] || 0],
+            pre: pre ? pre.split('.') : [],
+        };
+    };
+    const left = split(a);
+    const right = split(b);
+    for (let i = 0; i < 3; i++) {
+        if (left.release[i] !== right.release[i]) {
+            return left.release[i] - right.release[i];
+        }
+    }
+    // Equal release: a version with no prerelease outranks one that has it.
+    if (left.pre.length === 0 && right.pre.length === 0)
+        return 0;
+    if (left.pre.length === 0)
+        return 1;
+    if (right.pre.length === 0)
+        return -1;
+    const len = Math.min(left.pre.length, right.pre.length);
+    for (let i = 0; i < len; i++) {
+        const lp = left.pre[i];
+        const rp = right.pre[i];
+        if (lp === rp)
+            continue;
+        const ln = /^\d+$/.test(lp);
+        const rn = /^\d+$/.test(rp);
+        if (ln && rn)
+            return Number(lp) - Number(rp);
+        if (ln)
+            return -1; // numeric identifiers sort below alphanumeric
+        if (rn)
+            return 1;
+        return lp < rp ? -1 : 1;
+    }
+    return left.pre.length - right.pre.length;
+}
 /**
  * Service for handling version validation and checking
  */
-class VersionService {
+export class VersionService {
     /**
      * Fetch the latest published CLI version from the release manifest.
      * Works for both npm- and binary-installed users (no `npm` shell-out).
-     * Silently returns null on any failure — this check is informational only.
+     *
+     * The result is discriminated so callers can tell "reachable, but no release
+     * on this channel yet" (`ok: true, version: null`) apart from an actual
+     * network/manifest failure (`ok: false`) — the old single-`null` return
+     * conflated the two and produced a misleading "check your network" error
+     * during the beta. Prerelease installs (current version contains `-`) query
+     * the opt-in beta channel; everyone else gets the stable channel.
      */
-    async checkLatestCliVersion() {
-        const url = process.env.DCD_MANIFEST_URL ?? DEFAULT_MANIFEST_URL;
+    async checkLatestCliVersion(currentVersion) {
+        const channel = currentVersion?.includes('-') ? 'beta' : 'stable';
+        const base = process.env.DCD_MANIFEST_URL ?? DEFAULT_MANIFEST_URL;
+        const url = channel === 'beta'
+            ? `${base}${base.includes('?') ? '&' : '?'}channel=beta`
+            : base;
         const controller = new AbortController();
         const timer = setTimeout(() => controller.abort(), MANIFEST_TIMEOUT_MS);
         try {
             const res = await fetch(url, { signal: controller.signal });
-            if (!res.ok)
-                return null;
+            if (!res.ok) {
+                return { ok: false, error: `manifest responded with HTTP ${res.status}` };
+            }
             const data = (await res.json());
-            return typeof data.version === 'string' ? data.version : null;
+            return {
+                ok: true,
+                channel,
+                version: typeof data.version === 'string' ? data.version : null,
+            };
         }
-        catch {
-            return null;
+        catch (error) {
+            return {
+                ok: false,
+                error: error instanceof Error ? error.message : String(error),
+            };
         }
         finally {
             clearTimeout(timer);
         }
     }
     /**
-     * Compare two semantic version strings
-     * @param current - Current version
-     * @param latest - Latest version
-     * @returns true if current is older than latest
+     * Compare two semantic version strings (SemVer 2.0.0 precedence, including
+     * prerelease tags). Returns true if `current` is strictly older than `latest`.
+     *
+     * Prerelease handling matters here: a beta-to-beta bump such as
+     * "5.0.0-beta.0" -> "5.0.0-beta.1" shares the same major.minor.patch, so we
+     * must compare the prerelease identifiers to detect that an upgrade exists.
      */
     isOutdated(current, latest) {
-        // Strip any prerelease suffix ("1.2.3-beta.1" -> "1.2.3") and default
-        // missing segments to 0 so short/prerelease versions still compare.
-        const parts = (version) => {
-            const nums = version.split('-')[0].split('.').map(Number);
-            return [nums[0] || 0, nums[1] || 0, nums[2] || 0];
-        };
-        const currentParts = parts(current);
-        const latestParts = parts(latest);
-        for (let i = 0; i < 3; i++) {
-            if (currentParts[i] < latestParts[i])
-                return true;
-            if (currentParts[i] > latestParts[i])
-                return false;
-        }
-        return false;
+        return compareSemver(current, latest) < 0;
     }
     /**
      * Resolve and validate Maestro version against API compatibility data
@@ -95,4 +152,3 @@ class VersionService {
         return resolvedVersion;
     }
 }
-exports.VersionService = VersionService;

package/dist/types/domain/auth.types.d.ts

@@ -1,3 +1,4 @@
+import type { DcdEnvName } from '../../config/environments.js';
 /**
  * Auth context threaded through gateways and services. Callers build this once
  * (via resolveAuth) and the gateway spreads .headers into every fetch.
@@ -5,6 +6,13 @@
 export interface AuthContext {
     headers: Record<string, string>;
     mode: 'apiKey' | 'bearer';
+    /**
+     * Supabase JWT — present when mode === 'bearer'. Lets realtime subscriptions
+     * authenticate the socket (RLS) without re-reading the session from disk.
+     */
+    accessToken?: string;
+    /** Environment the session belongs to — present when mode === 'bearer'. */
+    env?: DcdEnvName;
     /** Present when mode === 'bearer'. */
     orgId?: string;
     /** Present when mode === 'bearer'. */

package/dist/types/domain/auth.types.js

@@ -1,2 +1 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};

package/dist/types/domain/device.types.js

@@ -1,11 +1,8 @@
-"use strict";
 /**
  * Device type definitions - should be kept in sync with API
  * @see /Users/riglar/repos/dcd/api/src/common/types/device.types.ts
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.EAndroidApiLevels = exports.EiOSVersions = exports.EAndroidDevices = exports.EiOSDevices = void 0;
-var EiOSDevices;
+export var EiOSDevices;
 (function (EiOSDevices) {
     EiOSDevices["ipad-pro-6th-gen"] = "ipad-pro-6th-gen";
     EiOSDevices["iphone-14"] = "iphone-14";
@@ -16,23 +13,23 @@ var EiOSDevices;
     EiOSDevices["iphone-16-plus"] = "iphone-16-plus";
     EiOSDevices["iphone-16-pro"] = "iphone-16-pro";
     EiOSDevices["iphone-16-pro-max"] = "iphone-16-pro-max";
-})(EiOSDevices || (exports.EiOSDevices = EiOSDevices = {}));
-var EAndroidDevices;
+})(EiOSDevices || (EiOSDevices = {}));
+export var EAndroidDevices;
 (function (EAndroidDevices) {
     EAndroidDevices["generic-tablet"] = "generic-tablet";
     EAndroidDevices["pixel-6"] = "pixel-6";
     EAndroidDevices["pixel-6-pro"] = "pixel-6-pro";
     EAndroidDevices["pixel-7"] = "pixel-7";
     EAndroidDevices["pixel-7-pro"] = "pixel-7-pro";
-})(EAndroidDevices || (exports.EAndroidDevices = EAndroidDevices = {}));
-var EiOSVersions;
+})(EAndroidDevices || (EAndroidDevices = {}));
+export var EiOSVersions;
 (function (EiOSVersions) {
     EiOSVersions["eighteen"] = "18";
     EiOSVersions["seventeen"] = "17";
     EiOSVersions["sixteen"] = "16";
     EiOSVersions["twentySix"] = "26";
-})(EiOSVersions || (exports.EiOSVersions = EiOSVersions = {}));
-var EAndroidApiLevels;
+})(EiOSVersions || (EiOSVersions = {}));
+export var EAndroidApiLevels;
 (function (EAndroidApiLevels) {
     EAndroidApiLevels["thirty"] = "30";
     EAndroidApiLevels["thirtyFive"] = "35";
@@ -42,4 +39,4 @@ var EAndroidApiLevels;
     EAndroidApiLevels["thirtyThree"] = "33";
     EAndroidApiLevels["thirtyTwo"] = "32";
     EAndroidApiLevels["twentyNine"] = "29";
-})(EAndroidApiLevels || (exports.EAndroidApiLevels = EAndroidApiLevels = {}));
+})(EAndroidApiLevels || (EAndroidApiLevels = {}));

package/dist/types/domain/live.types.js

@@ -1,4 +1,3 @@
-"use strict";
 // Hand-defined: the swagger spec has no /live routes, so openapi-typescript
 // cannot generate these in schema.types.ts.
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};

package/dist/types/generated/schema.types.js

@@ -1,3 +1,2 @@
-"use strict";
 /* eslint-disable prettier/prettier */
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};

package/dist/types/index.d.ts

@@ -2,5 +2,5 @@
  * Centralized type exports.
  * Types are organized by domain in subdirectories.
  */
-export * from './domain/device.types';
-export * from './generated/schema.types';
+export * from './domain/device.types.js';
+export * from './generated/schema.types.js';

package/dist/types/index.js

@@ -1,24 +1,8 @@
-"use strict";
 /**
  * Centralized type exports.
  * Types are organized by domain in subdirectories.
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
 // Domain-specific types
-__exportStar(require("./domain/device.types"), exports);
+export * from './domain/device.types.js';
 // Generated types from OpenAPI schema
-__exportStar(require("./generated/schema.types"), exports);
+export * from './generated/schema.types.js';

package/dist/types.js

@@ -1,2 +1 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
+export {};

package/dist/utils/auth.d.ts

@@ -1,4 +1,4 @@
-import type { AuthContext } from '../types/domain/auth.types';
+import type { AuthContext } from '../types/domain/auth.types.js';
 export interface ResolveAuthOptions {
     apiKeyFlag: string | undefined;
     /** When true, bypass stored session entirely (for `dcd login` itself). */

package/dist/utils/auth.js

@@ -1,6 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveAuth = resolveAuth;
 /**
  * Resolves which credential a command should use and returns the fetch headers
  * to send. Precedence: --api-key flag > DEVICE_CLOUD_API_KEY env > stored
@@ -10,19 +7,19 @@ exports.resolveAuth = resolveAuth;
  * use the returned AuthContext for the duration of the command — one resolve
  * per invocation, not per request.
  */
-const node_fs_1 = require("node:fs");
-const environments_1 = require("../config/environments");
-const cli_auth_gateway_1 = require("../gateways/cli-auth-gateway");
-const telemetry_service_1 = require("../services/telemetry.service");
-const cli_1 = require("./cli");
-const config_store_1 = require("./config-store");
+import { closeSync, openSync, rmSync, statSync } from 'node:fs';
+import { ENVIRONMENTS } from '../config/environments.js';
+import { CliAuthGateway } from '../gateways/cli-auth-gateway.js';
+import { telemetry } from '../services/telemetry.service.js';
+import { CliError } from './cli.js';
+import { getConfigPath, readConfig, writeConfig, } from './config-store.js';
 const REFRESH_SKEW_SECONDS = 60;
 // Refresh lock tuning: a refresh is a single HTTP round-trip, so anything
 // holding the lock longer than this is presumed dead.
 const LOCK_STALE_MS = 10_000;
 const LOCK_WAIT_MS = 10_000;
 const LOCK_POLL_MS = 250;
-async function resolveAuth(opts) {
+export async function resolveAuth(opts) {
     if (!opts.sessionOnly) {
         const flag = opts.apiKeyFlag?.trim();
         if (flag) {
@@ -30,7 +27,7 @@ async function resolveAuth(opts) {
                 mode: 'apiKey',
                 headers: { 'x-app-api-key': flag },
             };
-            telemetry_service_1.telemetry.configure({ auth });
+            telemetry.configure({ auth });
             return auth;
         }
         const env = process.env.DEVICE_CLOUD_API_KEY?.trim();
@@ -39,14 +36,14 @@ async function resolveAuth(opts) {
                 mode: 'apiKey',
                 headers: { 'x-app-api-key': env },
             };
-            telemetry_service_1.telemetry.configure({ auth });
+            telemetry.configure({ auth });
             return auth;
         }
     }
     if (opts.skipSession) {
         throw missingCredentialsError();
     }
-    let config = (0, config_store_1.readConfig)();
+    let config = readConfig();
     if (!config?.session) {
         throw missingCredentialsError();
     }
@@ -56,10 +53,12 @@ async function resolveAuth(opts) {
         ({ config, session } = await refreshSessionWithLock(config));
     }
     if (!config.current_org_id) {
-        throw new cli_1.CliError('No active organization set. Run `dcd switch-org <slug>` to pick one.');
+        throw new CliError('No active organization set. Run `dcd switch-org <slug>` to pick one.');
     }
     const auth = {
         mode: 'bearer',
+        accessToken: session.access_token,
+        env: config.env,
         orgId: config.current_org_id,
         userEmail: session.user_email,
         headers: {
@@ -67,7 +66,7 @@ async function resolveAuth(opts) {
             'x-dcd-org': config.current_org_id,
         },
     };
-    telemetry_service_1.telemetry.configure({ auth, apiUrl: config.api_url });
+    telemetry.configure({ auth, apiUrl: config.api_url });
     return auth;
 }
 /**
@@ -76,27 +75,27 @@ async function resolveAuth(opts) {
  * Supabase refresh token — token rotation would revoke the session family.
  */
 async function refreshSessionWithLock(initial) {
-    const lockPath = `${(0, config_store_1.getConfigPath)()}.lock`;
+    const lockPath = `${getConfigPath()}.lock`;
     await acquireRefreshLock(lockPath);
     try {
         // Re-read: another process may have refreshed while we waited.
-        const current = (0, config_store_1.readConfig)() ?? initial;
+        const current = readConfig() ?? initial;
         const session = current.session ?? initial.session;
         const now = Math.floor(Date.now() / 1000);
         if (session.expires_at > now + REFRESH_SKEW_SECONDS) {
             return { config: current, session };
         }
-        const { anonKey } = environments_1.ENVIRONMENTS[current.env].supabase;
-        const refreshed = await cli_auth_gateway_1.CliAuthGateway.refresh(current.supabase_url, anonKey, session);
+        const { anonKey } = ENVIRONMENTS[current.env].supabase;
+        const refreshed = await CliAuthGateway.refresh(current.supabase_url, anonKey, session);
         // Re-read again and merge only `session` so a concurrent `switch-org`
         // write (org fields) isn't reverted by our pre-refresh snapshot.
-        const merged = { ...((0, config_store_1.readConfig)() ?? current), session: refreshed };
-        (0, config_store_1.writeConfig)(merged);
+        const merged = { ...(readConfig() ?? current), session: refreshed };
+        writeConfig(merged);
         return { config: merged, session: refreshed };
     }
     finally {
         try {
-            (0, node_fs_1.rmSync)(lockPath, { force: true });
+            rmSync(lockPath, { force: true });
         }
         catch { /* best effort */ }
     }
@@ -105,7 +104,7 @@ async function acquireRefreshLock(lockPath) {
     const deadline = Date.now() + LOCK_WAIT_MS;
     for (;;) {
         try {
-            (0, node_fs_1.closeSync)((0, node_fs_1.openSync)(lockPath, 'wx'));
+            closeSync(openSync(lockPath, 'wx'));
             return;
         }
         catch {
@@ -113,19 +112,19 @@ async function acquireRefreshLock(lockPath) {
                 // Don't hang the command forever: steal the lock if possible and
                 // proceed regardless — worst case we race like the pre-lock code did.
                 try {
-                    (0, node_fs_1.rmSync)(lockPath, { force: true });
+                    rmSync(lockPath, { force: true });
                 }
                 catch { /* best effort */ }
                 try {
-                    (0, node_fs_1.closeSync)((0, node_fs_1.openSync)(lockPath, 'wx'));
+                    closeSync(openSync(lockPath, 'wx'));
                 }
                 catch { /* best effort */ }
                 return;
             }
             try {
-                if (Date.now() - (0, node_fs_1.statSync)(lockPath).mtimeMs > LOCK_STALE_MS) {
+                if (Date.now() - statSync(lockPath).mtimeMs > LOCK_STALE_MS) {
                     // Holder presumed dead — take over.
-                    (0, node_fs_1.rmSync)(lockPath, { force: true });
+                    rmSync(lockPath, { force: true });
                     continue;
                 }
             }
@@ -138,5 +137,5 @@ async function acquireRefreshLock(lockPath) {
     }
 }
 function missingCredentialsError() {
-    return new cli_1.CliError('Not authenticated. Provide an API key via --api-key or the DEVICE_CLOUD_API_KEY environment variable, or run `dcd login`.');
+    return new CliError('Not authenticated. Provide an API key via --api-key or the DEVICE_CLOUD_API_KEY environment variable, or run `dcd login`.');
 }