@eide/foir-cli 0.4.1 → 0.4.3

package/dist/cli.js

@@ -464,6 +464,9 @@ import { SegmentsService as SegmentsService2 } from "@eide/foir-proto-ts/segment
 import { ExperimentsService as ExperimentsService2 } from "@eide/foir-proto-ts/experiments/v1/experiments_pb";
 import { SettingsService as SettingsService2 } from "@eide/foir-proto-ts/settings/v1/settings_pb";
 import { StorageService as StorageService2 } from "@eide/foir-proto-ts/storage/v1/storage_pb";
+import { OperationsService as OperationsService2 } from "@eide/foir-proto-ts/operations/v1/operations_pb";
+import { HooksService as HooksService2 } from "@eide/foir-proto-ts/hooks/v1/hooks_pb";
+import { SchedulesService as SchedulesService2 } from "@eide/foir-proto-ts/schedules/v1/schedules_pb";
 
 // src/lib/rpc/identity.ts
 import { create } from "@bufbuild/protobuf";
@@ -937,13 +940,18 @@ function createIdentityMethods(client) {
     },
     // ── API Keys ──────────────────────────────────────────
     async createApiKey(params) {
-      const resp = await client.createApiKey(
-        create(CreateApiKeyRequestSchema, {
-          name: params.name,
-          keyType: params.keyType,
-          rateLimitPerHour: params.rateLimitPerHour
-        })
-      );
+      const req = create(CreateApiKeyRequestSchema, {
+        name: params.name,
+        keyType: params.keyType,
+        rateLimitPerHour: params.rateLimitPerHour
+      });
+      if (params.allowedModels?.length) {
+        req.allowedModels = params.allowedModels;
+      }
+      if (params.allowedFileTypes?.length) {
+        req.allowedFileTypes = params.allowedFileTypes;
+      }
+      const resp = await client.createApiKey(req);
       return { apiKey: resp.apiKey ?? null };
     },
     async getApiKey(id) {
@@ -1136,7 +1144,8 @@ function createIdentityMethods(client) {
 }
 
 // src/lib/rpc/models.ts
-import { create as create2 } from "@bufbuild/protobuf";
+import { create as create2, fromJson } from "@bufbuild/protobuf";
+import { ValueSchema } from "@bufbuild/protobuf/wkt";
 import {
   FieldSchema as ProtoFieldSchema,
   SharingConfigSchema as ProtoSharingConfigSchema,
@@ -1160,6 +1169,7 @@ function jsFieldToProto(f) {
     required: f.required,
     helpText: f.helpText,
     placeholder: f.placeholder,
+    defaultValue: f.defaultValue !== void 0 ? fromJson(ValueSchema, f.defaultValue) : void 0,
     config: f.config && Object.keys(f.config).length > 0 ? f.config : void 0,
     itemType: f.itemType,
     storage: f.storage,
@@ -1879,7 +1889,12 @@ function createConfigsMethods(client) {
 }
 
 // src/lib/rpc/segments.ts
-import { create as create5 } from "@bufbuild/protobuf";
+import { create as create5, fromJson as fromJson2 } from "@bufbuild/protobuf";
+import { ValueSchema as ValueSchema2 } from "@bufbuild/protobuf/wkt";
+import {
+  RuleExpressionSchema,
+  RuleOperandSchema
+} from "@eide/foir-proto-ts/expressions/v1/expressions_pb";
 import {
   CreateSegmentRequestSchema,
   GetSegmentRequestSchema,
@@ -1894,6 +1909,27 @@ import {
   OptOutOfSegmentRequestSchema,
   OptBackIntoSegmentRequestSchema
 } from "@eide/foir-proto-ts/segments/v1/segments_pb";
+function rawOperandToProto(raw) {
+  return create5(RuleOperandSchema, {
+    type: raw.type,
+    path: raw.path,
+    value: raw.value !== void 0 ? fromJson2(ValueSchema2, raw.value) : void 0,
+    valueType: raw.valueType,
+    label: raw.label
+  });
+}
+function rawRulesToProto(raw) {
+  return create5(RuleExpressionSchema, {
+    type: raw.type,
+    id: raw.id,
+    left: raw.left ? rawOperandToProto(raw.left) : void 0,
+    operator: raw.operator,
+    right: raw.right ? rawOperandToProto(raw.right) : void 0,
+    conditions: Array.isArray(raw.conditions) ? raw.conditions.map((c) => rawRulesToProto(c)) : [],
+    logicalOperator: raw.logicalOperator,
+    value: raw.value !== void 0 ? fromJson2(ValueSchema2, raw.value) : void 0
+  });
+}
 function createSegmentsMethods(client) {
   return {
     // ── Queries ──────────────────────────────────────────────
@@ -1920,12 +1956,13 @@ function createSegmentsMethods(client) {
     },
     // ── Mutations ────────────────────────────────────────────
     async createSegment(params) {
+      const rules = params.rules && !("$typeName" in params.rules) ? rawRulesToProto(params.rules) : params.rules;
       const resp = await client.createSegment(
         create5(CreateSegmentRequestSchema, {
           key: params.key,
           name: params.name,
           description: params.description,
-          rules: params.rules,
+          rules,
           evaluationMode: params.evaluationMode,
           isActive: params.isActive
         })
@@ -1933,12 +1970,13 @@ function createSegmentsMethods(client) {
       return resp.segment ?? null;
     },
     async updateSegment(params) {
+      const rules = params.rules && !("$typeName" in params.rules) ? rawRulesToProto(params.rules) : params.rules;
       const resp = await client.updateSegment(
         create5(UpdateSegmentRequestSchema, {
           id: params.id,
           name: params.name,
           description: params.description,
-          rules: params.rules,
+          rules,
           evaluationMode: params.evaluationMode,
           isActive: params.isActive
         })
@@ -2693,6 +2731,279 @@ function createStorageMethods(client) {
   };
 }
 
+// src/lib/rpc/operations.ts
+import { create as create9 } from "@bufbuild/protobuf";
+import {
+  ListOperationsRequestSchema as ListOperationsRequestSchema2,
+  GetOperationRequestSchema,
+  CreateOperationRequestSchema,
+  UpdateOperationRequestSchema,
+  DeleteOperationRequestSchema,
+  GetSigningSecretRequestSchema
+} from "@eide/foir-proto-ts/operations/v1/operations_pb";
+function createOperationsMethods(client) {
+  return {
+    // ── CRUD ──────────────────────────────────────────────────
+    async listOperations(params = {}) {
+      return client.listOperations(
+        create9(ListOperationsRequestSchema2, {
+          configId: params.configId,
+          category: params.category,
+          isActive: params.isActive,
+          search: params.search,
+          limit: params.limit ?? 50,
+          offset: params.offset ?? 0
+        })
+      );
+    },
+    async getOperation(params) {
+      const resp = await client.getOperation(
+        create9(GetOperationRequestSchema, {
+          id: params.id ?? "",
+          key: params.key
+        })
+      );
+      return resp.operation ?? null;
+    },
+    async createOperation(params) {
+      const resp = await client.createOperation(
+        create9(CreateOperationRequestSchema, {
+          key: params.key,
+          name: params.name,
+          endpoint: params.endpoint,
+          description: params.description,
+          icon: params.icon,
+          category: params.category,
+          timeoutMs: params.timeoutMs,
+          inputSchema: params.inputSchema,
+          outputSchema: params.outputSchema,
+          streamConfig: params.streamConfig,
+          quotas: params.quotas,
+          retryPolicy: params.retryPolicy,
+          allowedRoles: params.allowedRoles ?? [],
+          precondition: params.precondition,
+          configId: params.configId
+        })
+      );
+      return resp.operation ?? null;
+    },
+    async updateOperation(params) {
+      const resp = await client.updateOperation(
+        create9(UpdateOperationRequestSchema, {
+          id: params.id,
+          name: params.name,
+          description: params.description,
+          endpoint: params.endpoint,
+          timeoutMs: params.timeoutMs,
+          inputSchema: params.inputSchema,
+          outputSchema: params.outputSchema,
+          streamConfig: params.streamConfig,
+          quotas: params.quotas,
+          retryPolicy: params.retryPolicy,
+          precondition: params.precondition,
+          isActive: params.isActive
+        })
+      );
+      return resp.operation ?? null;
+    },
+    async deleteOperation(id) {
+      const resp = await client.deleteOperation(
+        create9(DeleteOperationRequestSchema, { id })
+      );
+      return resp.success;
+    },
+    async getSigningSecret() {
+      const resp = await client.getSigningSecret(
+        create9(GetSigningSecretRequestSchema, {})
+      );
+      return { secret: resp.secret, prefix: resp.prefix };
+    }
+  };
+}
+
+// src/lib/rpc/hooks.ts
+import { create as create10 } from "@bufbuild/protobuf";
+import {
+  ListHooksRequestSchema,
+  GetHookRequestSchema,
+  GetHookByKeyRequestSchema,
+  CreateHookRequestSchema,
+  UpdateHookRequestSchema,
+  DeleteHookRequestSchema,
+  ListHookDeliveriesRequestSchema,
+  RetryHookDeliveryRequestSchema,
+  TestHookRequestSchema
+} from "@eide/foir-proto-ts/hooks/v1/hooks_pb";
+function createHooksMethods(client) {
+  return {
+    // ── Queries ──────────────────────────────────────────────
+    async listHooks(params = {}) {
+      return client.listHooks(
+        create10(ListHooksRequestSchema, {
+          event: params.event,
+          isActive: params.isActive,
+          configId: params.configId,
+          limit: params.limit ?? 50,
+          offset: params.offset ?? 0
+        })
+      );
+    },
+    async getHook(id) {
+      const resp = await client.getHook(create10(GetHookRequestSchema, { id }));
+      return resp.hook ?? null;
+    },
+    // ── Mutations ────────────────────────────────────────────
+    async createHook(params) {
+      const resp = await client.createHook(
+        create10(CreateHookRequestSchema, {
+          key: params.key,
+          name: params.name,
+          event: params.event,
+          targetType: params.targetType,
+          description: params.description,
+          operationKey: params.operationKey,
+          notificationConfig: params.notificationConfig ?? void 0,
+          filter: params.filter ?? void 0,
+          configId: params.configId
+        })
+      );
+      return resp.hook ?? null;
+    },
+    async updateHook(params) {
+      const resp = await client.updateHook(
+        create10(UpdateHookRequestSchema, {
+          id: params.id,
+          name: params.name,
+          description: params.description,
+          operationKey: params.operationKey,
+          notificationConfig: params.notificationConfig ?? void 0,
+          filter: params.filter ?? void 0,
+          isActive: params.isActive
+        })
+      );
+      return resp.hook ?? null;
+    },
+    async deleteHook(id) {
+      const resp = await client.deleteHook(
+        create10(DeleteHookRequestSchema, { id })
+      );
+      return resp.success;
+    },
+    // ── Get by Key ──────────────────────────────────────────
+    async getHookByKey(key) {
+      const resp = await client.getHookByKey(
+        create10(GetHookByKeyRequestSchema, { key })
+      );
+      return resp.hook ?? null;
+    },
+    // ── Deliveries ──────────────────────────────────────────
+    async listHookDeliveries(params) {
+      return client.listHookDeliveries(
+        create10(ListHookDeliveriesRequestSchema, {
+          hookId: params.hookId,
+          status: params.status,
+          limit: params.limit ?? 50,
+          offset: params.offset ?? 0
+        })
+      );
+    },
+    async retryHookDelivery(deliveryId) {
+      const resp = await client.retryHookDelivery(
+        create10(RetryHookDeliveryRequestSchema, { deliveryId })
+      );
+      return resp.success;
+    },
+    // ── Testing ─────────────────────────────────────────────
+    async testHook(params) {
+      const resp = await client.testHook(
+        create10(TestHookRequestSchema, {
+          hookId: params.hookId,
+          testPayload: params.testPayload
+        })
+      );
+      return {
+        success: resp.success,
+        error: resp.error ?? void 0
+      };
+    }
+  };
+}
+
+// src/lib/rpc/cron-schedules.ts
+import { create as create11 } from "@bufbuild/protobuf";
+import {
+  ListCronSchedulesRequestSchema,
+  GetCronScheduleRequestSchema,
+  GetCronScheduleByKeyRequestSchema,
+  CreateCronScheduleRequestSchema,
+  UpdateCronScheduleRequestSchema,
+  DeleteCronScheduleRequestSchema
+} from "@eide/foir-proto-ts/schedules/v1/schedules_pb";
+function createCronSchedulesMethods(client) {
+  return {
+    // ── Queries ──────────────────────────────────────────────
+    async listCronSchedules(params = {}) {
+      return client.listCronSchedules(
+        create11(ListCronSchedulesRequestSchema, {
+          configId: params.configId,
+          isActive: params.isActive,
+          limit: params.limit ?? 50,
+          offset: params.offset ?? 0
+        })
+      );
+    },
+    async getCronSchedule(id) {
+      const resp = await client.getCronSchedule(
+        create11(GetCronScheduleRequestSchema, { id })
+      );
+      return resp.schedule ?? null;
+    },
+    async getCronScheduleByKey(key) {
+      const resp = await client.getCronScheduleByKey(
+        create11(GetCronScheduleByKeyRequestSchema, { key })
+      );
+      return resp.schedule ?? null;
+    },
+    // ── Mutations ────────────────────────────────────────────
+    async createCronSchedule(params) {
+      const resp = await client.createCronSchedule(
+        create11(CreateCronScheduleRequestSchema, {
+          key: params.key,
+          name: params.name,
+          description: params.description,
+          cron: params.cron,
+          timezone: params.timezone,
+          operationKey: params.operationKey,
+          configId: params.configId,
+          targetType: params.targetType,
+          targetConfig: params.targetConfig
+        })
+      );
+      return resp.schedule ?? null;
+    },
+    async updateCronSchedule(params) {
+      const resp = await client.updateCronSchedule(
+        create11(UpdateCronScheduleRequestSchema, {
+          id: params.id,
+          name: params.name,
+          description: params.description,
+          cron: params.cron,
+          timezone: params.timezone,
+          operationKey: params.operationKey,
+          isActive: params.isActive
+        })
+      );
+      return resp.schedule ?? null;
+    },
+    async deleteCronSchedule(id) {
+      const resp = await client.deleteCronSchedule(
+        create11(DeleteCronScheduleRequestSchema, { id })
+      );
+      return resp.success;
+    }
+  };
+}
+
 // src/lib/client.ts
 import { GraphQLClient } from "graphql-request";
 async function createPlatformClient(options) {
@@ -2739,7 +3050,14 @@ async function createPlatformClient(options) {
       createRpcClient(ExperimentsService2, transport)
     ),
     settings: createSettingsMethods(createRpcClient(SettingsService2, transport)),
-    storage: createStorageMethods(createRpcClient(StorageService2, transport))
+    storage: createStorageMethods(createRpcClient(StorageService2, transport)),
+    operations: createOperationsMethods(
+      createRpcClient(OperationsService2, transport)
+    ),
+    hooks: createHooksMethods(createRpcClient(HooksService2, transport)),
+    cronSchedules: createCronSchedulesMethods(
+      createRpcClient(SchedulesService2, transport)
+    )
   };
 }
 function createPlatformClientWithHeaders(apiUrl, headers) {
@@ -2764,7 +3082,14 @@ function createPlatformClientWithHeaders(apiUrl, headers) {
       createRpcClient(ExperimentsService2, transport)
     ),
     settings: createSettingsMethods(createRpcClient(SettingsService2, transport)),
-    storage: createStorageMethods(createRpcClient(StorageService2, transport))
+    storage: createStorageMethods(createRpcClient(StorageService2, transport)),
+    operations: createOperationsMethods(
+      createRpcClient(OperationsService2, transport)
+    ),
+    hooks: createHooksMethods(createRpcClient(HooksService2, transport)),
+    cronSchedules: createCronSchedulesMethods(
+      createRpcClient(SchedulesService2, transport)
+    )
   };
 }
 async function getStorageAuth(options) {
@@ -4026,7 +4351,7 @@ import chalk5 from "chalk";
 import inquirer4 from "inquirer";
 var FIELD_DEFAULTS = {
   text: "",
-  richtext: "",
+  content: "",
   number: 0,
   boolean: false,
   date: (/* @__PURE__ */ new Date()).toISOString().split("T")[0],
@@ -4061,7 +4386,7 @@ function generateModelTemplate(key) {
       },
       {
         key: "description",
-        type: "richtext",
+        type: "content",
         label: "Description"
       },
       {
@@ -4235,6 +4560,332 @@ Edit the files, then run:
 import chalk6 from "chalk";
 import { existsSync as existsSync4, readFileSync, writeFileSync as writeFileSync2 } from "fs";
 import { resolve as resolve4 } from "path";
+
+// src/lib/reconciler.ts
+function zeroCounts() {
+  return { created: 0, updated: 0, deleted: 0 };
+}
+async function reconcileConfig(client, configId, manifest) {
+  const summary = {
+    models: zeroCounts(),
+    operations: zeroCounts(),
+    hooks: zeroCounts(),
+    segments: zeroCounts(),
+    cronSchedules: zeroCounts(),
+    authProviders: zeroCounts(),
+    profileSchemaUpdated: false,
+    apiKeys: []
+  };
+  const operationBaseUrl = manifest.operationBaseUrl ?? "";
+  await reconcileModels(client, configId, manifest.models ?? [], summary);
+  await reconcileOperations(client, configId, manifest.operations ?? [], operationBaseUrl, summary);
+  await reconcileHooks(client, configId, manifest.hooks ?? [], summary);
+  await reconcileSegments(client, manifest.segments ?? [], summary);
+  await reconcileCronSchedules(client, configId, manifest.schedules ?? [], summary);
+  await reconcileAuthProviders(client, manifest.authProviders ?? [], summary);
+  await reconcileProfileSchema(client, manifest, summary);
+  await reconcileApiKeys(client, manifest.apiKeys ?? [], summary);
+  return summary;
+}
+async function reconcileModels(client, configId, models, summary) {
+  const existing = await client.models.listModels({ limit: 200 });
+  const configOwned = existing.items.filter(
+    (m) => m.configId === configId
+  );
+  const existingByKey = new Map(
+    configOwned.map((m) => [m.key, m])
+  );
+  const manifestKeys = /* @__PURE__ */ new Set();
+  for (const m of models) {
+    if (!m.key || !m.name) continue;
+    manifestKeys.add(m.key);
+    const config2 = { ...m.config };
+    if (m.pluralName) config2.pluralName = m.pluralName;
+    if (m.description) config2.description = m.description;
+    const ex = existingByKey.get(m.key);
+    if (ex) {
+      await client.models.updateModel({
+        id: ex.id,
+        name: m.name,
+        fields: m.fields,
+        config: config2
+      });
+      summary.models.updated++;
+    } else {
+      await client.models.createModel({
+        key: m.key,
+        name: m.name,
+        fields: m.fields,
+        config: config2,
+        configId
+      });
+      summary.models.created++;
+    }
+  }
+  for (const [key, ex] of existingByKey) {
+    if (!manifestKeys.has(key)) {
+      await client.models.deleteModel(
+        ex.id
+      );
+      summary.models.deleted++;
+    }
+  }
+}
+function resolveEndpoint(endpoint, baseUrl) {
+  if (!endpoint) return "";
+  if (endpoint.startsWith("http://") || endpoint.startsWith("https://")) return endpoint;
+  return baseUrl ? `${baseUrl.replace(/\/+$/, "")}${endpoint.startsWith("/") ? "" : "/"}${endpoint}` : endpoint;
+}
+async function reconcileOperations(client, configId, operations, operationBaseUrl, summary) {
+  const existing = await client.operations.listOperations({ configId, limit: 200 });
+  const existingByKey = new Map(
+    (existing.operations ?? []).map((o) => [o.key, o])
+  );
+  const manifestKeys = /* @__PURE__ */ new Set();
+  for (const op of operations) {
+    if (!op.key || !op.name) continue;
+    manifestKeys.add(op.key);
+    const ex = existingByKey.get(op.key);
+    const endpoint = resolveEndpoint(op.endpoint, operationBaseUrl);
+    if (ex) {
+      await client.operations.updateOperation({
+        id: ex.id,
+        name: op.name,
+        description: op.description,
+        endpoint,
+        timeoutMs: op.timeoutMs,
+        inputSchema: op.inputSchema,
+        outputSchema: op.outputSchema,
+        streamConfig: op.streamConfig,
+        quotas: op.quotas,
+        retryPolicy: op.retryPolicy,
+        precondition: op.precondition,
+        isActive: op.isActive
+      });
+      summary.operations.updated++;
+    } else {
+      await client.operations.createOperation({
+        key: op.key,
+        name: op.name,
+        endpoint,
+        description: op.description,
+        icon: op.icon,
+        category: op.category,
+        timeoutMs: op.timeoutMs,
+        inputSchema: op.inputSchema,
+        outputSchema: op.outputSchema,
+        streamConfig: op.streamConfig,
+        quotas: op.quotas,
+        retryPolicy: op.retryPolicy,
+        allowedRoles: op.allowedRoles,
+        precondition: op.precondition,
+        configId
+      });
+      summary.operations.created++;
+    }
+  }
+  for (const [key, ex] of existingByKey) {
+    if (!manifestKeys.has(key)) {
+      await client.operations.deleteOperation(
+        ex.id
+      );
+      summary.operations.deleted++;
+    }
+  }
+}
+async function reconcileHooks(client, configId, hooks, summary) {
+  const existing = await client.hooks.listHooks({ configId, limit: 200 });
+  const existingByKey = new Map(
+    (existing.hooks ?? []).map((h) => [h.key, h])
+  );
+  const manifestKeys = /* @__PURE__ */ new Set();
+  for (const hook of hooks) {
+    const key = hook.key || `${hook.event}-${hook.operationKey ?? "default"}`;
+    if (!hook.event) continue;
+    manifestKeys.add(key);
+    const name = hook.name || key;
+    const ex = existingByKey.get(key);
+    if (ex) {
+      await client.hooks.updateHook({
+        id: ex.id,
+        name,
+        description: hook.description,
+        operationKey: hook.operationKey,
+        filter: hook.filter,
+        notificationConfig: hook.notificationConfig,
+        isActive: hook.isActive
+      });
+      summary.hooks.updated++;
+    } else {
+      await client.hooks.createHook({
+        key,
+        name,
+        description: hook.description,
+        event: hook.event,
+        targetType: hook.type ?? "operation",
+        operationKey: hook.operationKey,
+        filter: hook.filter,
+        notificationConfig: hook.notificationConfig,
+        configId
+      });
+      summary.hooks.created++;
+    }
+  }
+  for (const [key, ex] of existingByKey) {
+    if (!manifestKeys.has(key)) {
+      await client.hooks.deleteHook(
+        ex.id
+      );
+      summary.hooks.deleted++;
+    }
+  }
+}
+async function reconcileSegments(client, segments, summary) {
+  const existing = await client.segments.listSegments({ limit: 200 });
+  const existingByKey = new Map(
+    (existing.segments ?? []).map((s) => [s.key, s])
+  );
+  for (const seg of segments) {
+    if (!seg.key || !seg.name) continue;
+    const ex = existingByKey.get(seg.key);
+    if (ex) {
+      await client.segments.updateSegment({
+        id: ex.id,
+        name: seg.name,
+        description: seg.description,
+        rules: seg.rules,
+        evaluationMode: seg.evaluationMode,
+        isActive: seg.isActive
+      });
+      summary.segments.updated++;
+    } else {
+      await client.segments.createSegment({
+        key: seg.key,
+        name: seg.name,
+        description: seg.description,
+        rules: seg.rules,
+        evaluationMode: seg.evaluationMode,
+        isActive: seg.isActive
+      });
+      summary.segments.created++;
+    }
+  }
+}
+async function reconcileCronSchedules(client, configId, schedules, summary) {
+  const existing = await client.cronSchedules.listCronSchedules({ configId, limit: 200 });
+  const schedulesList = existing.schedules ?? [];
+  const existingByKey = new Map(
+    schedulesList.map((s) => [s.key, s])
+  );
+  const manifestKeys = /* @__PURE__ */ new Set();
+  for (const sched of schedules) {
+    const key = sched.key ?? sched.operationKey;
+    if (!key || !sched.cron) continue;
+    manifestKeys.add(key);
+    const name = sched.name ?? key;
+    const ex = existingByKey.get(key);
+    if (ex) {
+      await client.cronSchedules.updateCronSchedule({
+        id: ex.id,
+        name,
+        description: sched.description,
+        cron: sched.cron,
+        timezone: sched.timezone,
+        operationKey: sched.operationKey,
+        isActive: sched.enabled
+      });
+      summary.cronSchedules.updated++;
+    } else {
+      await client.cronSchedules.createCronSchedule({
+        key,
+        name,
+        description: sched.description,
+        cron: sched.cron,
+        timezone: sched.timezone,
+        operationKey: sched.operationKey,
+        configId
+      });
+      summary.cronSchedules.created++;
+    }
+  }
+  for (const [key, ex] of existingByKey) {
+    if (!manifestKeys.has(key)) {
+      await client.cronSchedules.deleteCronSchedule(
+        ex.id
+      );
+      summary.cronSchedules.deleted++;
+    }
+  }
+}
+async function reconcileAuthProviders(client, providers, summary) {
+  const existing = await client.identity.listAuthProviders({ limit: 200 });
+  const existingByKey = new Map(
+    existing.items.map((p) => [p.key, p])
+  );
+  for (const prov of providers) {
+    if (!prov.key || !prov.name || !prov.type) continue;
+    const ex = existingByKey.get(prov.key);
+    if (ex) {
+      await client.identity.updateAuthProvider({
+        id: ex.id,
+        name: prov.name,
+        config: prov.config,
+        enabled: prov.enabled,
+        isDefault: prov.isDefault,
+        priority: prov.priority
+      });
+      summary.authProviders.updated++;
+    } else {
+      await client.identity.createAuthProvider({
+        key: prov.key,
+        name: prov.name,
+        type: prov.type.toUpperCase(),
+        config: prov.config,
+        enabled: prov.enabled ?? true,
+        isDefault: prov.isDefault ?? false,
+        priority: prov.priority ?? 0
+      });
+      summary.authProviders.created++;
+    }
+  }
+}
+async function reconcileProfileSchema(client, manifest, summary) {
+  const profileSchema = manifest["customerProfileSchema"];
+  if (!profileSchema) return;
+  await client.settings.updateCustomerProfileSchema({
+    fields: profileSchema.fields,
+    publicFields: profileSchema.publicFields ?? []
+  });
+  summary.profileSchemaUpdated = true;
+}
+async function reconcileApiKeys(client, apiKeys, summary) {
+  if (apiKeys.length === 0) return;
+  const existing = await client.identity.listApiKeys({ limit: 200 });
+  const existingByName = new Map(
+    existing.items.map((k) => [k.name, k])
+  );
+  for (const key of apiKeys) {
+    if (!key.name || !key.keyType || !key.envVar) continue;
+    if (existingByName.has(key.name)) continue;
+    const result = await client.identity.createApiKey({
+      name: key.name,
+      keyType: key.keyType === "secret" ? 2 : 1,
+      allowedModels: key.allowedModels,
+      allowedFileTypes: key.allowedFileTypes
+    });
+    const rawKey = result?.apiKey?.rawKey;
+    if (rawKey) {
+      summary.apiKeys.push({
+        name: key.name,
+        keyType: key.keyType,
+        envVar: key.envVar,
+        rawKey
+      });
+    }
+  }
+}
+
+// src/commands/push.ts
 var CONFIG_FILE_NAMES = [
   "foir.config.ts",
   "foir.config.js",
@@ -4265,6 +4916,30 @@ function writeEnvVar(envPath, key, value) {
   writeFileSync2(envPath, content, "utf-8");
   return true;
 }
+function printSummary(summary) {
+  const lines = [];
+  const fmt = (label, c) => {
+    const parts = [];
+    if (c.created) parts.push(`${c.created} created`);
+    if (c.updated) parts.push(`${c.updated} updated`);
+    if (c.deleted) parts.push(`${c.deleted} deleted`);
+    if (parts.length > 0) lines.push(`  ${label.padEnd(13)} ${parts.join(", ")}`);
+  };
+  fmt("Models:", summary.models);
+  fmt("Operations:", summary.operations);
+  fmt("Hooks:", summary.hooks);
+  fmt("Segments:", summary.segments);
+  fmt("Schedules:", summary.cronSchedules);
+  fmt("Auth:", summary.authProviders);
+  if (summary.profileSchemaUpdated) {
+    lines.push("  Profile:      schema updated");
+  }
+  if (lines.length > 0) {
+    for (const line of lines) {
+      console.log(line);
+    }
+  }
+}
 function registerPushCommand(program2, globalOpts) {
   program2.command("push").description("Push foir.config.ts to the platform").option("--config <path>", "Path to config file (default: auto-discover)").option("--force", "Force reinstall (delete and recreate)", false).option("--env <path>", "Path to .env file (default: .env)").action(
     withErrorHandler(
@@ -4286,89 +4961,42 @@ function registerPushCommand(program2, globalOpts) {
             'Config must have at least "key" and "name" fields.'
           );
         }
-        if (opts.force) {
-          config2.force = true;
-        }
         const client = await createPlatformClient(globalOpts());
         console.log(
           chalk6.dim(`Pushing config "${config2.key}" to platform...`)
         );
-        const result = await client.configs.applyConfig(
+        const applyResult = await client.configs.applyConfig(
           config2.key,
           config2
         );
-        if (!result) {
+        if (!applyResult) {
           throw new Error(
             "Failed to apply config \u2014 no response from server."
           );
         }
+        const configId = applyResult.id;
+        console.log(chalk6.dim("Reconciling resources..."));
+        const summary = await reconcileConfig(client, configId, config2);
         console.log();
         console.log(chalk6.green("\u2713 Config applied successfully"));
-        console.log(`  Config ID:  ${chalk6.cyan(result.id)}`);
-        console.log(`  Config Key: ${chalk6.cyan(result.key)}`);
-        const summary = result.summary;
-        if (summary) {
-          console.log();
-          const lines = [];
-          if (summary.modelsCreated || summary.modelsUpdated) {
-            lines.push(
-              `  Models:      ${summary.modelsCreated ?? 0} created, ${summary.modelsUpdated ?? 0} updated`
-            );
-          }
-          if (summary.operationsCreated || summary.operationsUpdated) {
-            lines.push(
-              `  Operations:  ${summary.operationsCreated ?? 0} created, ${summary.operationsUpdated ?? 0} updated`
-            );
-          }
-          if (summary.hooksCreated || summary.hooksUpdated) {
-            lines.push(
-              `  Hooks:       ${summary.hooksCreated ?? 0} created, ${summary.hooksUpdated ?? 0} updated`
-            );
-          }
-          if (summary.segmentsCreated || summary.segmentsUpdated) {
-            lines.push(
-              `  Segments:    ${summary.segmentsCreated ?? 0} created, ${summary.segmentsUpdated ?? 0} updated`
-            );
-          }
-          if (summary.schedulesCreated || summary.schedulesUpdated) {
-            lines.push(
-              `  Schedules:   ${summary.schedulesCreated ?? 0} created, ${summary.schedulesUpdated ?? 0} updated`
-            );
-          }
-          if (summary.authProvidersCreated || summary.authProvidersUpdated) {
-            lines.push(
-              `  Auth:        ${summary.authProvidersCreated ?? 0} created, ${summary.authProvidersUpdated ?? 0} updated`
-            );
-          }
-          if (summary.resourcesDeleted) {
-            lines.push(
-              `  Cleaned up:  ${summary.resourcesDeleted} orphaned resource(s)`
-            );
-          }
-          if (lines.length > 0) {
-            for (const line of lines) {
-              console.log(line);
-            }
-          }
-        }
+        console.log(`  Config ID:  ${chalk6.cyan(configId)}`);
+        console.log(`  Config Key: ${chalk6.cyan(config2.key)}`);
+        console.log();
+        printSummary(summary);
         const envPath = resolve4(opts.env ?? ".env");
-        const r = result;
-        const provisionedKeys = r.provisionedApiKeys;
-        const webhookSecret = r.webhookSecret;
         const envWrites = [];
-        if (provisionedKeys && provisionedKeys.length > 0) {
-          for (const pk of provisionedKeys) {
-            envWrites.push({
-              key: pk.envVar,
-              value: pk.rawKey,
-              label: `${pk.name} (${pk.keyType})`
-            });
-          }
+        for (const pk of summary.apiKeys) {
+          envWrites.push({
+            key: pk.envVar,
+            value: pk.rawKey,
+            label: `${pk.name} (${pk.keyType})`
+          });
         }
-        if (webhookSecret) {
+        const { secret: signingSecret } = await client.operations.getSigningSecret();
+        if (signingSecret) {
           envWrites.push({
             key: "FOIR_WEBHOOK_SECRET",
-            value: webhookSecret,
+            value: signingSecret,
             label: "Webhook signing secret"
           });
         }
@@ -6471,6 +7099,98 @@ function buildDispatchTable() {
       },
       deleteCustomerAuthProvider: async (v, c) => await c.identity.deleteAuthProvider(str(v.id))
     },
+    // ── Rollouts ────────────────────────────────────────────────
+    rollouts: {
+      listPublishBatches: async (v, c) => wrapList(
+        await c.records.listPublishBatches({ limit: num(v.limit, 50) })
+      ),
+      getPublishBatch: async (v, c) => await c.records.getPublishBatch(str(v.id)),
+      createPublishBatch: async (v, c) => {
+        const input = v.input;
+        if (!input) throw new Error("Input required (--data or --file)");
+        return await c.records.createPublishBatch({
+          name: str(input.name),
+          versionIds: input.versionIds ?? [],
+          scheduledAt: input.scheduledAt ? new Date(String(input.scheduledAt)) : void 0
+        });
+      },
+      updatePublishBatch: async (v, c) => {
+        const input = v.input;
+        if (!input) throw new Error("Input required (--data or --file)");
+        return await c.records.updatePublishBatch({
+          batchId: str(input.id ?? v.id),
+          name: str(input.name),
+          scheduledAt: input.scheduledAt ? new Date(String(input.scheduledAt)) : void 0
+        });
+      },
+      cancelPublishBatch: async (v, c) => await c.records.cancelPublishBatch(str(v.id)),
+      rollbackPublishBatch: async (v, c) => await c.records.rollbackPublishBatch(str(v.id)),
+      retryFailedBatchItems: async (v, c) => await c.records.retryFailedBatchItems(str(v.id)),
+      addItemsToPublishBatch: async (v, c) => {
+        const input = v.input;
+        if (!input) throw new Error("Input required (--data or --file)");
+        return await c.records.addItemsToPublishBatch(
+          str(v.id),
+          input.versionIds ?? []
+        );
+      },
+      removeItemsFromPublishBatch: async (v, c) => {
+        const input = v.input;
+        if (!input) throw new Error("Input required (--data or --file)");
+        return await c.records.removeItemsFromPublishBatch(
+          str(v.id),
+          input.versionIds ?? []
+        );
+      }
+    },
+    // ── Hooks ──────────────────────────────────────────────────
+    hooks: {
+      hooks: async (v, c) => {
+        const resp = await c.hooks.listHooks({ limit: num(v.limit, 50) });
+        return { items: resp.hooks ?? [], total: resp.total ?? 0 };
+      },
+      hookByKey: async (v, c) => await c.hooks.getHookByKey(str(v.key)),
+      createHook: async (v, c) => {
+        const input = v.input;
+        if (!input) throw new Error("Input required (--data or --file)");
+        return await c.hooks.createHook({
+          key: str(input.key),
+          name: str(input.name),
+          event: str(input.event),
+          targetType: str(input.targetType) ?? "operation",
+          description: str(input.description),
+          operationKey: str(input.operationKey),
+          filter: input.filter
+        });
+      },
+      updateHook: async (v, c) => {
+        const input = v.input;
+        if (!input) throw new Error("Input required (--data or --file)");
+        return await c.hooks.updateHook({
+          id: str(input.id ?? v.id),
+          name: str(input.name),
+          operationKey: str(input.operationKey),
+          filter: input.filter,
+          isActive: input.isActive
+        });
+      },
+      deleteHook: async (v, c) => await c.hooks.deleteHook(str(v.id)),
+      hookDeliveries: async (v, c) => {
+        const resp = await c.hooks.listHookDeliveries({
+          hookId: str(v.hookId),
+          limit: num(v.limit, 50)
+        });
+        return { items: resp.deliveries ?? [], total: resp.total ?? 0 };
+      },
+      retryHookDelivery: async (v, c) => await c.hooks.retryHookDelivery(str(v.deliveryId)),
+      testHook: async (v, c) => {
+        const data = v.data;
+        return await c.hooks.testHook({
+          hookId: str(v.hookId),
+          testPayload: data
+        });
+      }
+    },
     // ── Configs ─────────────────────────────────────────────────
     configs: {
       configs: async (v, c) => {

package/dist/lib/config-helpers.d.ts

@@ -23,6 +23,7 @@ interface FieldDefinitionInput {
     required?: boolean;
     helpText?: string;
     placeholder?: string;
+    defaultValue?: unknown;
     config?: Record<string, unknown>;
     itemType?: string;
     storage?: string;
@@ -32,6 +33,8 @@ interface FieldDefinitionInput {
 interface ApplyConfigModelInput {
     key: string;
     name: string;
+    pluralName?: string;
+    description?: string;
     fields?: FieldDefinitionInput[];
     config?: Record<string, unknown>;
 }
@@ -39,11 +42,24 @@ interface ApplyConfigOperationInput {
     key: string;
     name: string;
     description?: string;
+    icon?: string;
     category?: string;
     /** HTTP endpoint URL that the platform calls when this operation is triggered. */
     endpoint?: string;
-    config?: Record<string, unknown>;
     isActive?: boolean;
+    timeoutMs?: number;
+    inputSchema?: Record<string, unknown>;
+    outputSchema?: Record<string, unknown>;
+    /** Streaming configuration for SSE/chunked responses. */
+    streamConfig?: Record<string, unknown>;
+    /** Usage quota rules (e.g., rate limits per customer). */
+    quotas?: Record<string, unknown>;
+    /** Retry policy for failed executions. */
+    retryPolicy?: Record<string, unknown>;
+    /** Roles allowed to execute this operation. */
+    allowedRoles?: string[];
+    /** Precondition that must be met before execution (e.g., segment membership). */
+    precondition?: Record<string, unknown>;
 }
 interface ApplyConfigSegmentInput {
     key: string;
@@ -54,11 +70,15 @@ interface ApplyConfigSegmentInput {
     isActive?: boolean;
 }
 interface ApplyConfigScheduleInput {
+    /** Unique key for this schedule. Defaults to operationKey if not provided. */
+    key?: string;
+    /** Display name. Defaults to key if not provided. */
+    name?: string;
+    description?: string;
     operationKey: string;
     cron: string;
     timezone?: string;
     enabled?: boolean;
-    payload?: Record<string, unknown>;
 }
 interface ApplyConfigAuthProviderInput {
     key: string;
@@ -83,20 +103,20 @@ interface ApplyConfigHookInput {
     key?: string;
     /** Display name. */
     name?: string;
+    /** Description of what this hook does. */
+    description?: string;
     /** Lifecycle event that triggers this hook. */
     event: string;
+    /** Target type — defaults to 'operation'. */
+    type?: string;
     /** Key of the operation to execute. */
     operationKey?: string;
     /** Filter to scope the hook (e.g., `{ modelKey: 'redirect' }`). */
     filter?: Record<string, unknown>;
-    type?: string;
-    url?: string;
-    method?: string;
-    async?: boolean;
-    headers?: Record<string, string>;
-    additionalData?: Record<string, unknown>;
-    expression?: Record<string, unknown>;
-    hooks?: ApplyConfigHookInput[];
+    /** Notification config for notification-type hooks. */
+    notificationConfig?: Record<string, unknown>;
+    /** Whether the hook is active. Defaults to true. */
+    isActive?: boolean;
 }
 interface ApplyConfigApiKeyInput {
     /** Name for this API key (e.g. "Tilly iOS", "Tilly BFF"). */
@@ -105,14 +125,20 @@ interface ApplyConfigApiKeyInput {
     keyType: 'public' | 'secret';
     /** Environment variable name to write the key to in .env (e.g. "FOIR_PUBLIC_KEY"). */
     envVar: string;
-    /** Optional scopes to restrict the key. */
-    scopes?: Record<string, unknown>;
+    /** Scopes to restrict the key (e.g. ["configs:read", "records:write"]). Use ["*"] for full access. */
+    scopes?: string[];
+    /** Restrict the key to specific model keys (e.g. ["tilly_note", "tilly_block"]). */
+    allowedModels?: string[];
+    /** Restrict file uploads to specific MIME types (e.g. ["image/*", "video/*"]). */
+    allowedFileTypes?: string[];
 }
 interface ApplyConfigInput {
     key: string;
     name: string;
     configType?: string;
     force?: boolean;
+    /** Base URL prepended to relative operation endpoints. */
+    operationBaseUrl?: string;
     models?: ApplyConfigModelInput[];
     operations?: ApplyConfigOperationInput[];
     segments?: ApplyConfigSegmentInput[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eide/foir-cli",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Universal platform CLI for Foir platform",
   "type": "module",
   "publishConfig": {
@@ -49,7 +49,7 @@
     "@bufbuild/protobuf": "^2.0.0",
     "@connectrpc/connect": "^2.0.0",
     "@connectrpc/connect-node": "^2.0.0",
-    "@eide/foir-proto-ts": "^0.3.1",
+    "@eide/foir-proto-ts": "^0.3.3",
     "chalk": "^5.3.0",
     "commander": "^12.1.0",
     "dotenv": "^16.4.5",