npm - @hs-x/cli - Versions diffs - 0.1.0 - Mend

@hs-x/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (302) hide show

package/README.md +1001 -0
package/dist/account-store.d.ts +51 -0
package/dist/account-store.d.ts.map +1 -0
package/dist/account-store.js +138 -0
package/dist/account-store.js.map +1 -0
package/dist/bin/hs-x.d.ts +3 -0
package/dist/bin/hs-x.d.ts.map +1 -0
package/dist/bin/hs-x.js +47 -0
package/dist/bin/hs-x.js.map +1 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +595 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli-error.d.ts +36 -0
package/dist/cli-error.d.ts.map +1 -0
package/dist/cli-error.js +40 -0
package/dist/cli-error.js.map +1 -0
package/dist/cloudflare-auth.d.ts +25 -0
package/dist/cloudflare-auth.d.ts.map +1 -0
package/dist/cloudflare-auth.js +251 -0
package/dist/cloudflare-auth.js.map +1 -0
package/dist/cloudflare-kv.d.ts +23 -0
package/dist/cloudflare-kv.d.ts.map +1 -0
package/dist/cloudflare-kv.js +101 -0
package/dist/cloudflare-kv.js.map +1 -0
package/dist/cloudflare-oauth-store.d.ts +16 -0
package/dist/cloudflare-oauth-store.d.ts.map +1 -0
package/dist/cloudflare-oauth-store.js +80 -0
package/dist/cloudflare-oauth-store.js.map +1 -0
package/dist/cloudflare-oauth.d.ts +82 -0
package/dist/cloudflare-oauth.d.ts.map +1 -0
package/dist/cloudflare-oauth.js +336 -0
package/dist/cloudflare-oauth.js.map +1 -0
package/dist/cloudflare-pointer.d.ts +13 -0
package/dist/cloudflare-pointer.d.ts.map +1 -0
package/dist/cloudflare-pointer.js +46 -0
package/dist/cloudflare-pointer.js.map +1 -0
package/dist/command-history.d.ts +7 -0
package/dist/command-history.d.ts.map +1 -0
package/dist/command-history.js +34 -0
package/dist/command-history.js.map +1 -0
package/dist/commands/account.d.ts +7 -0
package/dist/commands/account.d.ts.map +1 -0
package/dist/commands/account.js +315 -0
package/dist/commands/account.js.map +1 -0
package/dist/commands/api.d.ts +36 -0
package/dist/commands/api.d.ts.map +1 -0
package/dist/commands/api.js +521 -0
package/dist/commands/api.js.map +1 -0
package/dist/commands/completion.d.ts +7 -0
package/dist/commands/completion.d.ts.map +1 -0
package/dist/commands/completion.js +121 -0
package/dist/commands/completion.js.map +1 -0
package/dist/commands/connect.d.ts +7 -0
package/dist/commands/connect.d.ts.map +1 -0
package/dist/commands/connect.js +1123 -0
package/dist/commands/connect.js.map +1 -0
package/dist/commands/control-plane-read.d.ts +22 -0
package/dist/commands/control-plane-read.d.ts.map +1 -0
package/dist/commands/control-plane-read.js +350 -0
package/dist/commands/control-plane-read.js.map +1 -0
package/dist/commands/deploy-promote.d.ts +14 -0
package/dist/commands/deploy-promote.d.ts.map +1 -0
package/dist/commands/deploy-promote.js +105 -0
package/dist/commands/deploy-promote.js.map +1 -0
package/dist/commands/deploy.d.ts +18 -0
package/dist/commands/deploy.d.ts.map +1 -0
package/dist/commands/deploy.js +2764 -0
package/dist/commands/deploy.js.map +1 -0
package/dist/commands/dev.d.ts +7 -0
package/dist/commands/dev.d.ts.map +1 -0
package/dist/commands/dev.js +913 -0
package/dist/commands/dev.js.map +1 -0
package/dist/commands/doctor.d.ts +8 -0
package/dist/commands/doctor.d.ts.map +1 -0
package/dist/commands/doctor.js +258 -0
package/dist/commands/doctor.js.map +1 -0
package/dist/commands/flags.d.ts +22 -0
package/dist/commands/flags.d.ts.map +1 -0
package/dist/commands/flags.js +185 -0
package/dist/commands/flags.js.map +1 -0
package/dist/commands/help-command.d.ts +13 -0
package/dist/commands/help-command.d.ts.map +1 -0
package/dist/commands/help-command.js +482 -0
package/dist/commands/help-command.js.map +1 -0
package/dist/commands/history.d.ts +6 -0
package/dist/commands/history.d.ts.map +1 -0
package/dist/commands/history.js +42 -0
package/dist/commands/history.js.map +1 -0
package/dist/commands/init.d.ts +8 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +233 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/link.d.ts +26 -0
package/dist/commands/link.d.ts.map +1 -0
package/dist/commands/link.js +441 -0
package/dist/commands/link.js.map +1 -0
package/dist/commands/login.d.ts +8 -0
package/dist/commands/login.d.ts.map +1 -0
package/dist/commands/login.js +381 -0
package/dist/commands/login.js.map +1 -0
package/dist/commands/migrate.d.ts +8 -0
package/dist/commands/migrate.d.ts.map +1 -0
package/dist/commands/migrate.js +258 -0
package/dist/commands/migrate.js.map +1 -0
package/dist/commands/rollback.d.ts +21 -0
package/dist/commands/rollback.d.ts.map +1 -0
package/dist/commands/rollback.js +301 -0
package/dist/commands/rollback.js.map +1 -0
package/dist/commands/secrets.d.ts +7 -0
package/dist/commands/secrets.d.ts.map +1 -0
package/dist/commands/secrets.js +230 -0
package/dist/commands/secrets.js.map +1 -0
package/dist/commands/status.d.ts +7 -0
package/dist/commands/status.d.ts.map +1 -0
package/dist/commands/status.js +241 -0
package/dist/commands/status.js.map +1 -0
package/dist/commands/unlink.d.ts +21 -0
package/dist/commands/unlink.d.ts.map +1 -0
package/dist/commands/unlink.js +83 -0
package/dist/commands/unlink.js.map +1 -0
package/dist/commands/update.d.ts +11 -0
package/dist/commands/update.d.ts.map +1 -0
package/dist/commands/update.js +154 -0
package/dist/commands/update.js.map +1 -0
package/dist/commands/validate.d.ts +9 -0
package/dist/commands/validate.d.ts.map +1 -0
package/dist/commands/validate.js +39 -0
package/dist/commands/validate.js.map +1 -0
package/dist/config.d.ts +12 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +64 -0
package/dist/config.js.map +1 -0
package/dist/constants.d.ts +4 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +4 -0
package/dist/constants.js.map +1 -0
package/dist/control-plane-fetch.d.ts +34 -0
package/dist/control-plane-fetch.d.ts.map +1 -0
package/dist/control-plane-fetch.js +73 -0
package/dist/control-plane-fetch.js.map +1 -0
package/dist/control-plane-loader.d.ts +16 -0
package/dist/control-plane-loader.d.ts.map +1 -0
package/dist/control-plane-loader.js +24 -0
package/dist/control-plane-loader.js.map +1 -0
package/dist/dev/compat-shim.d.ts +40 -0
package/dist/dev/compat-shim.d.ts.map +1 -0
package/dist/dev/compat-shim.js +65 -0
package/dist/dev/compat-shim.js.map +1 -0
package/dist/dev/event-bus.d.ts +27 -0
package/dist/dev/event-bus.d.ts.map +1 -0
package/dist/dev/event-bus.js +32 -0
package/dist/dev/event-bus.js.map +1 -0
package/dist/dev/log-server.d.ts +52 -0
package/dist/dev/log-server.d.ts.map +1 -0
package/dist/dev/log-server.js +216 -0
package/dist/dev/log-server.js.map +1 -0
package/dist/dev/session-manager.d.ts +33 -0
package/dist/dev/session-manager.d.ts.map +1 -0
package/dist/dev/session-manager.js +132 -0
package/dist/dev/session-manager.js.map +1 -0
package/dist/dev/stream-renderer.d.ts +22 -0
package/dist/dev/stream-renderer.d.ts.map +1 -0
package/dist/dev/stream-renderer.js +65 -0
package/dist/dev/stream-renderer.js.map +1 -0
package/dist/dev/tunnel.d.ts +40 -0
package/dist/dev/tunnel.d.ts.map +1 -0
package/dist/dev/tunnel.js +139 -0
package/dist/dev/tunnel.js.map +1 -0
package/dist/effect-http.d.ts +10 -0
package/dist/effect-http.d.ts.map +1 -0
package/dist/effect-http.js +38 -0
package/dist/effect-http.js.map +1 -0
package/dist/errors-registry.d.ts +11 -0
package/dist/errors-registry.d.ts.map +1 -0
package/dist/errors-registry.js +554 -0
package/dist/errors-registry.js.map +1 -0
package/dist/errors.d.ts +58 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +30 -0
package/dist/errors.js.map +1 -0
package/dist/help.d.ts +6 -0
package/dist/help.d.ts.map +1 -0
package/dist/help.js +100 -0
package/dist/help.js.map +1 -0
package/dist/history.d.ts +15 -0
package/dist/history.d.ts.map +1 -0
package/dist/history.js +69 -0
package/dist/history.js.map +1 -0
package/dist/hubspot-auth.d.ts +53 -0
package/dist/hubspot-auth.d.ts.map +1 -0
package/dist/hubspot-auth.js +301 -0
package/dist/hubspot-auth.js.map +1 -0
package/dist/hubspot-developer-client.d.ts +10 -0
package/dist/hubspot-developer-client.d.ts.map +1 -0
package/dist/hubspot-developer-client.js +212 -0
package/dist/hubspot-developer-client.js.map +1 -0
package/dist/index.d.ts +5 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +4 -0
package/dist/index.js.map +1 -0
package/dist/init/templates.d.ts +18 -0
package/dist/init/templates.d.ts.map +1 -0
package/dist/init/templates.js +239 -0
package/dist/init/templates.js.map +1 -0
package/dist/load-env.d.ts +16 -0
package/dist/load-env.d.ts.map +1 -0
package/dist/load-env.js +69 -0
package/dist/load-env.js.map +1 -0
package/dist/machine-id.d.ts +3 -0
package/dist/machine-id.d.ts.map +1 -0
package/dist/machine-id.js +41 -0
package/dist/machine-id.js.map +1 -0
package/dist/paths.d.ts +4 -0
package/dist/paths.d.ts.map +1 -0
package/dist/paths.js +19 -0
package/dist/paths.js.map +1 -0
package/dist/prompt.d.ts +43 -0
package/dist/prompt.d.ts.map +1 -0
package/dist/prompt.js +379 -0
package/dist/prompt.js.map +1 -0
package/dist/reporter/human.d.ts +28 -0
package/dist/reporter/human.d.ts.map +1 -0
package/dist/reporter/human.js +126 -0
package/dist/reporter/human.js.map +1 -0
package/dist/reporter/index.d.ts +14 -0
package/dist/reporter/index.d.ts.map +1 -0
package/dist/reporter/index.js +37 -0
package/dist/reporter/index.js.map +1 -0
package/dist/reporter/json.d.ts +43 -0
package/dist/reporter/json.d.ts.map +1 -0
package/dist/reporter/json.js +146 -0
package/dist/reporter/json.js.map +1 -0
package/dist/reporter/style.d.ts +34 -0
package/dist/reporter/style.d.ts.map +1 -0
package/dist/reporter/style.js +97 -0
package/dist/reporter/style.js.map +1 -0
package/dist/reporter/types.d.ts +41 -0
package/dist/reporter/types.d.ts.map +1 -0
package/dist/reporter/types.js +2 -0
package/dist/reporter/types.js.map +1 -0
package/dist/result.d.ts +4 -0
package/dist/result.d.ts.map +1 -0
package/dist/result.js +2 -0
package/dist/result.js.map +1 -0
package/dist/services/account-store.d.ts +31 -0
package/dist/services/account-store.d.ts.map +1 -0
package/dist/services/account-store.js +135 -0
package/dist/services/account-store.js.map +1 -0
package/dist/services/app-paths.d.ts +25 -0
package/dist/services/app-paths.d.ts.map +1 -0
package/dist/services/app-paths.js +34 -0
package/dist/services/app-paths.js.map +1 -0
package/dist/services/cloudflare-auth.d.ts +83 -0
package/dist/services/cloudflare-auth.d.ts.map +1 -0
package/dist/services/cloudflare-auth.js +30 -0
package/dist/services/cloudflare-auth.js.map +1 -0
package/dist/services/cloudflare-kv.d.ts +45 -0
package/dist/services/cloudflare-kv.d.ts.map +1 -0
package/dist/services/cloudflare-kv.js +151 -0
package/dist/services/cloudflare-kv.js.map +1 -0
package/dist/services/command-history.d.ts +29 -0
package/dist/services/command-history.d.ts.map +1 -0
package/dist/services/command-history.js +62 -0
package/dist/services/command-history.js.map +1 -0
package/dist/services/control-plane.d.ts +32 -0
package/dist/services/control-plane.d.ts.map +1 -0
package/dist/services/control-plane.js +57 -0
package/dist/services/control-plane.js.map +1 -0
package/dist/services/env-loader.d.ts +18 -0
package/dist/services/env-loader.d.ts.map +1 -0
package/dist/services/env-loader.js +34 -0
package/dist/services/env-loader.js.map +1 -0
package/dist/services/http.d.ts +19 -0
package/dist/services/http.d.ts.map +1 -0
package/dist/services/http.js +9 -0
package/dist/services/http.js.map +1 -0
package/dist/services/live.d.ts +16 -0
package/dist/services/live.d.ts.map +1 -0
package/dist/services/live.js +26 -0
package/dist/services/live.js.map +1 -0
package/dist/services/machine-id.d.ts +18 -0
package/dist/services/machine-id.d.ts.map +1 -0
package/dist/services/machine-id.js +39 -0
package/dist/services/machine-id.js.map +1 -0
package/dist/services/reporter.d.ts +55 -0
package/dist/services/reporter.d.ts.map +1 -0
package/dist/services/reporter.js +49 -0
package/dist/services/reporter.js.map +1 -0
package/dist/state-store.d.ts +39 -0
package/dist/state-store.d.ts.map +1 -0
package/dist/state-store.js +89 -0
package/dist/state-store.js.map +1 -0
package/dist/telemetry.d.ts +13 -0
package/dist/telemetry.d.ts.map +1 -0
package/dist/telemetry.js +129 -0
package/dist/telemetry.js.map +1 -0
package/dist/tenant-state.d.ts +69 -0
package/dist/tenant-state.d.ts.map +1 -0
package/dist/tenant-state.js +161 -0
package/dist/tenant-state.js.map +1 -0
package/package.json +38 -0

package/dist/commands/connect.js ADDED Viewed

@@ -0,0 +1,1123 @@
+import { join } from 'node:path';
+import { readFile } from 'node:fs/promises';
+import { HttpClientRequest, Schema, schemas } from '@hs-x/types';
+import { loadCreateControlPlane } from '../control-plane-loader.js';
+import { Effect } from 'effect';
+import { emitHelp } from '../help.js';
+import { controlPlaneAuthHeaders } from '../control-plane-fetch.js';
+import { executeCliHttp } from '../effect-http.js';
+import { resolveControlPlaneUrl } from '../config.js';
+import { createReporter } from '../reporter/index.js';
+import { isInteractive, promptConfirm, promptSelect, promptText } from '../prompt.js';
+import { connectHelpText } from './help-command.js';
+async function hostedHttp(input) {
+    const headers = { ...(input.headers ?? {}) };
+    let request = HttpClientRequest.make(input.method ?? 'GET')(input.url).pipe(HttpClientRequest.setHeaders(headers));
+    if (input.body !== undefined) {
+        headers['content-type'] = headers['content-type'] ?? 'application/json';
+        request = request.pipe(HttpClientRequest.setHeaders(headers), HttpClientRequest.bodyText(typeof input.body === 'string' ? input.body : JSON.stringify(input.body), headers['content-type']));
+    }
+    return executeCliHttp(request);
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null;
+}
+export async function connectCommand({ argv, cwd, json, }) {
+    const subcommand = argv[1];
+    if (subcommand === 'cloudflare') {
+        return await connectCloudflareCommand({ argv, json });
+    }
+    if (subcommand === 'hubspot') {
+        return await connectHubspotCommand({ argv, cwd, json });
+    }
+    if (subcommand === 'help' || subcommand === '--help' || subcommand === '-h') {
+        emitHelp(connectHelpText(), json);
+        return { exitCode: 0 };
+    }
+    if (subcommand && subcommand.length > 0) {
+        emitHelp(connectHelpText(), json);
+        return { exitCode: 1 };
+    }
+    return await connectWizard({ argv, cwd, json });
+}
+async function connectWizard({ argv, cwd, json, }) {
+    if (json || !isInteractive()) {
+        emitHelp(connectHelpText(), json);
+        return { exitCode: 0 };
+    }
+    const reporter = createReporter({ command: 'connect', argv, entry: true });
+    reporter.banner();
+    reporter.header('platform');
+    reporter.info("Let's connect your accounts so HS-X can deploy and run.");
+    reporter.info('');
+    const hubspotResult = await connectHubspotCommand({
+        argv: ['hubspot', ...argv.slice(1)],
+        cwd,
+        json: false,
+    });
+    if (hubspotResult.exitCode !== 0) {
+        return hubspotResult;
+    }
+    reporter.info('');
+    const wantCloudflare = await promptConfirm({
+        message: 'Connect Cloudflare now? (You can do this later with `hs-x connect cloudflare`.)',
+        default: false,
+    });
+    if (wantCloudflare === undefined)
+        return cancelledResult(argv, 'connect');
+    if (wantCloudflare) {
+        const cfResult = await connectCloudflareCommand({
+            argv: ['cloudflare', ...argv.slice(1)],
+            json: false,
+        });
+        if (cfResult.exitCode !== 0)
+            return cfResult;
+    }
+    else {
+        reporter.info("Skipped Cloudflare. Run `hs-x connect cloudflare` when you're ready.");
+    }
+    reporter.info('');
+    reporter.step('Connected to the HS-X platform').ok();
+    reporter.info('Next: `hs-x dev` to start the local dev server, or `hs-x deploy --plan` to preview.');
+    reporter.done('Connected');
+    return { exitCode: 0 };
+}
+async function connectHubspotCommand({ argv, cwd, json, }) {
+    const interactive = !json && isInteractive();
+    const authMethod = resolveFlag(argv, '--auth-method') ?? 'pak';
+    let accountId = resolveFlag(argv, '--account-id');
+    let developerAccountId = resolveFlag(argv, '--developer-account-id');
+    let displayName = resolveFlag(argv, '--display-name');
+    let personalAccessKey = resolveFlag(argv, '--pak') ?? process.env.HSX_HUBSPOT_PAK;
+    const developerApiKey = resolveFlag(argv, '--developer-api-key') ?? process.env.HSX_HUBSPOT_DEVELOPER_API_KEY;
+    let discoveredDefault;
+    if (interactive && (!developerAccountId || !displayName || !personalAccessKey)) {
+        const { discoverHubSpotAccounts } = await import('../hubspot-auth.js');
+        const discovered = await discoverHubSpotAccounts(cwd);
+        const hasAccounts = discovered && discovered.accounts.length > 0;
+        if (!hasAccounts) {
+            const browserPicked = await promptHubspotBrowserFlow(argv);
+            if (!browserPicked)
+                return cancelledResult(argv, 'connect hubspot');
+            discoveredDefault = {
+                name: browserPicked.name,
+                portalId: browserPicked.portalId,
+                pak: browserPicked.pak,
+                persistInfo: {
+                    accessToken: browserPicked.accessToken,
+                    expiresAt: browserPicked.expiresAt,
+                    ...(browserPicked.accountType ? { accountType: browserPicked.accountType } : {}),
+                    ...(browserPicked.hubName ? { hubName: browserPicked.hubName } : {}),
+                },
+            };
+        }
+        else if (discovered) {
+            const reporter = createReporter({ command: 'connect hubspot', argv });
+            reporter.info(`Found ${discovered.accounts.length} HubSpot account(s) in ${discovered.source}`);
+            const sorted = [...discovered.accounts].sort((a, b) => a.isDefault === b.isDefault ? a.name.localeCompare(b.name) : a.isDefault ? -1 : 1);
+            const NEW_VALUE = '__new__';
+            const defaultId = sorted.find((a) => a.isDefault)?.name ?? sorted[0]?.name;
+            const pickedName = await promptSelect({
+                message: 'Which HubSpot account do you want to bind?',
+                ...(defaultId ? { default: defaultId } : {}),
+                options: [
+                    {
+                        value: NEW_VALUE,
+                        label: '+ Connect a new account',
+                        description: 'opens HubSpot in your browser',
+                    },
+                    ...sorted.map((a) => ({
+                        value: a.name,
+                        label: a.name,
+                        description: `portal ${a.portalId}${a.isDefault ? ' (default)' : ''}`,
+                    })),
+                ],
+            });
+            if (!pickedName)
+                return cancelledResult(argv, 'connect hubspot');
+            if (pickedName === NEW_VALUE) {
+                const browserPicked = await promptHubspotBrowserFlow(argv);
+                if (!browserPicked)
+                    return cancelledResult(argv, 'connect hubspot');
+                discoveredDefault = browserPicked;
+            }
+            else {
+                const picked = sorted.find((a) => a.name === pickedName);
+                if (picked) {
+                    discoveredDefault = {
+                        name: picked.name,
+                        portalId: picked.portalId,
+                        ...(picked.personalAccessKey ? { pak: picked.personalAccessKey } : {}),
+                    };
+                }
+            }
+        }
+    }
+    if (interactive) {
+        if (!developerAccountId) {
+            if (discoveredDefault) {
+                developerAccountId = String(discoveredDefault.portalId);
+            }
+            else {
+                const answer = await promptText({
+                    message: 'HubSpot developer account id (portalId)',
+                    validate: (v) => /^\d+$/.test(v) ? undefined : 'Must be a numeric HubSpot portal id (e.g. 7222370).',
+                });
+                if (answer === undefined)
+                    return cancelledResult(argv, 'connect hubspot');
+                developerAccountId = answer;
+            }
+        }
+        if (!displayName) {
+            if (discoveredDefault) {
+                displayName = discoveredDefault.name;
+            }
+            else {
+                const answer = await promptText({
+                    message: 'Display name',
+                    default: `HubSpot ${developerAccountId ?? ''}`.trim(),
+                });
+                if (answer === undefined)
+                    return cancelledResult(argv, 'connect hubspot');
+                displayName = answer;
+            }
+        }
+        if (authMethod === 'pak' && !personalAccessKey) {
+            if (discoveredDefault?.pak) {
+                personalAccessKey = discoveredDefault.pak;
+            }
+            else {
+                const answer = await promptText({
+                    message: 'HubSpot personal access key',
+                    validate: (v) => (v.length >= 10 ? undefined : 'PAK looks too short.'),
+                });
+                if (answer === undefined)
+                    return cancelledResult(argv, 'connect hubspot');
+                personalAccessKey = answer;
+            }
+        }
+    }
+    if (!accountId) {
+        const source = discoveredDefault?.name ?? displayName ?? `portal-${developerAccountId ?? 'dev'}`;
+        accountId = `acct_${source
+            .toLowerCase()
+            .replace(/[^a-z0-9]+/g, '_')
+            .replace(/^_|_$/g, '')}`;
+    }
+    if (!accountId) {
+        const reporter = createReporter({ command: 'connect hubspot', argv });
+        const code = 'HSX_E_INPUT_MISSING_ACCOUNT_ID';
+        reporter.error(code, 'Missing --account-id.', {
+            hint: 'Pass --account-id <id>, or run interactively to be prompted.',
+            docs_url: `https://hs-x.dev/errors/${code}`,
+        });
+        reporter.done(undefined, 10);
+        return { exitCode: 10 };
+    }
+    if (authMethod === 'pak' && !personalAccessKey) {
+        const reporter = createReporter({ command: 'connect hubspot', argv });
+        const code = 'HSX_E_INPUT_MISSING_PAK';
+        reporter.error(code, 'HubSpot PAK is required.', {
+            hint: 'Pass --pak, set HSX_HUBSPOT_PAK, or run `hs accounts auth` first so we can auto-discover.',
+            docs_url: `https://hs-x.dev/errors/${code}`,
+        });
+        reporter.done(undefined, 10);
+        return { exitCode: 10 };
+    }
+    const request = Schema.decodeUnknownSync(schemas.HubSpotDeveloperConnectRequest)({
+        developerAccountId,
+        displayName,
+        authMethod,
+        ...(personalAccessKey ? { personalAccessKey } : {}),
+        ...(developerApiKey ? { developerApiKey } : {}),
+    });
+    const safeRequest = {
+        developerAccountId: request.developerAccountId,
+        displayName: request.displayName,
+        authMethod: request.authMethod,
+    };
+    const noControlPlane = argv.includes('--no-control-plane');
+    const controlPlaneUrl = !noControlPlane && !argv.includes('--local-control-plane')
+        ? resolveControlPlaneUrl(argv)
+        : undefined;
+    if (controlPlaneUrl) {
+        const connection = await requestHostedControlPlaneHubSpotConnect({
+            accountId,
+            request,
+            controlPlaneUrl,
+            userId: resolveFlag(argv, '--user-id') ?? process.env.HSX_USER_ID ?? 'local-cli-user',
+        });
+        const result = {
+            ok: true,
+            command: 'connect hubspot',
+            mode: 'control-plane-connect',
+            accountId,
+            request: safeRequest,
+            connection,
+        };
+        await persistConnectedAccount({
+            id: accountId,
+            displayName: connection.displayName,
+            hubspotPortalId: Number(developerAccountId),
+        });
+        const hscliResult = await maybePersistToHubSpotCli(discoveredDefault, personalAccessKey);
+        if (json) {
+            write(`${JSON.stringify(result, null, 2)}\n`);
+        }
+        else {
+            const reporter = createReporter({ command: 'connect hubspot', argv });
+            reporter.header(connection.accountId);
+            reporter.step('Connected HubSpot developer account').ok(connection.displayName);
+            renderCredentialDestinations(reporter, {
+                hsxStore: defaultStorePathForLog(),
+                hscli: hscliResult?.written ? hscliResult.path : null,
+                controlPlane: controlPlaneUrl,
+            });
+            reporter.done();
+        }
+        return { exitCode: 0 };
+    }
+    if (!argv.includes('--local-control-plane')) {
+        const result = {
+            ok: true,
+            command: 'connect hubspot',
+            mode: 'request',
+            accountId,
+            request: safeRequest,
+            nextStep: 'Pass --control-plane-url to connect through the control plane or --local-control-plane to exercise the local contract handler.',
+        };
+        if (json) {
+            write(`${JSON.stringify(result, null, 2)}\n`);
+        }
+        else {
+            const reporter = createReporter({ command: 'connect hubspot', argv });
+            reporter.header(accountId);
+            reporter.info(`Prepared HubSpot connect request for ${request.displayName}.`);
+            reporter.warn('HSX_W_CONNECT_NO_TRANSPORT', 'Hosted transport is not wired yet.');
+            reporter.info('Pass --control-plane-url or --local-control-plane to complete the connect.');
+            reporter.done('Prepared');
+        }
+        return { exitCode: 0 };
+    }
+    const connection = await requestLocalControlPlaneHubSpotConnect({ accountId, request });
+    const result = {
+        ok: true,
+        command: 'connect hubspot',
+        mode: 'local-control-plane-connect',
+        accountId,
+        request: safeRequest,
+        connection,
+    };
+    await persistConnectedAccount({
+        id: accountId,
+        displayName: connection.displayName,
+        hubspotPortalId: Number(developerAccountId),
+    });
+    const hscliResult = await maybePersistToHubSpotCli(discoveredDefault, personalAccessKey);
+    if (json) {
+        write(`${JSON.stringify(result, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: 'connect hubspot', argv });
+        reporter.header(connection.accountId);
+        reporter
+            .step('Connected HubSpot developer account (local control plane)')
+            .ok(connection.displayName);
+        renderCredentialDestinations(reporter, {
+            hsxStore: defaultStorePathForLog(),
+            hscli: hscliResult?.written ? hscliResult.path : null,
+            controlPlane: 'local (in-memory)',
+        });
+        reporter.done();
+    }
+    return { exitCode: 0 };
+}
+function renderCredentialDestinations(reporter, destinations) {
+    reporter.info('');
+    reporter.info('Credentials persisted to:');
+    if (destinations.hsxStore)
+        reporter.info(`  ✓ HS-X store        ${destinations.hsxStore}`);
+    if (destinations.hscli)
+        reporter.info(`  ✓ HubSpot CLI       ${destinations.hscli}`);
+    else if (destinations.hscli === null)
+        reporter.info('  · HubSpot CLI       skipped (PAK already there or write failed)');
+    if (destinations.controlPlane)
+        reporter.info(`  ✓ Control plane     ${destinations.controlPlane}`);
+    else
+        reporter.info('  ⚠ Control plane     not uploaded (re-run with --control-plane-url <url> to push)');
+}
+async function maybePersistToHubSpotCli(discoveredDefault, pak) {
+    if (!discoveredDefault?.persistInfo || !pak)
+        return undefined;
+    try {
+        const { persistToHubSpotCliConfig } = await import('../hubspot-auth.js');
+        const result = await persistToHubSpotCliConfig({
+            portalId: discoveredDefault.portalId,
+            pak,
+            accessToken: discoveredDefault.persistInfo.accessToken,
+            expiresAt: discoveredDefault.persistInfo.expiresAt,
+            ...(discoveredDefault.persistInfo.hubName
+                ? { hubName: discoveredDefault.persistInfo.hubName }
+                : {}),
+            ...(discoveredDefault.persistInfo.accountType
+                ? { accountType: discoveredDefault.persistInfo.accountType }
+                : {}),
+        });
+        return result.written ? result : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function resolveAccountIdOrPrompt(input) {
+    const fromFlag = resolveFlag(input.argv, '--account-id') ?? process.env.HSX_ACCOUNT_ID;
+    if (fromFlag && fromFlag.length > 0)
+        return { accountId: fromFlag, fromPrompt: false };
+    const { loadStore } = await import('../account-store.js');
+    const store = await loadStore();
+    const ids = Object.keys(store.accounts);
+    if (ids.length === 0)
+        return { fromPrompt: false };
+    const defaultId = store.defaultAccountId;
+    // Non-interactive, --json, or --yes: accept the configured default rather than
+    // silently degrading to "no account picked" — that path led deploy to exit 0
+    // after building artifacts only, looking like success.
+    const yes = input.argv.includes('--yes') || input.argv.includes('-y');
+    if (input.json || !isInteractive() || yes) {
+        if (defaultId && ids.includes(defaultId)) {
+            return { accountId: defaultId, fromPrompt: false };
+        }
+        return { fromPrompt: false };
+    }
+    const picked = await promptSelect({
+        message: `Which HS-X account for ${input.purpose}?`,
+        ...(defaultId && ids.includes(defaultId) ? { default: defaultId } : {}),
+        options: ids.map((id) => {
+            const a = store.accounts[id];
+            return {
+                value: id,
+                label: id,
+                description: a
+                    ? `portal ${a.hubspotPortalId} — ${a.displayName}${id === defaultId ? ' (default)' : ''}`
+                    : '',
+            };
+        }),
+    });
+    return picked ? { accountId: picked, fromPrompt: true } : { fromPrompt: false };
+}
+function missingAccountIdError(input) {
+    const code = 'HSX_E_INPUT_MISSING_ACCOUNT_ID';
+    const message = 'Missing --account-id.';
+    const hint = isInteractive()
+        ? 'Run `hs-x accounts list` to see options, then pass --account-id or set HSX_ACCOUNT_ID.'
+        : 'Pass --account-id or set HSX_ACCOUNT_ID. (In a TTY you would be prompted.)';
+    if (input.json) {
+        write(`${JSON.stringify({
+            schema_version: 1,
+            command: input.command,
+            ok: false,
+            error: { code, message, hint },
+        }, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: input.command, argv: input.argv });
+        reporter.error(code, message, { hint, docs_url: `https://hs-x.dev/errors/${code}` });
+        reporter.done(undefined, 10);
+    }
+    return { exitCode: 10 };
+}
+async function promptMissingText(message, current, validate) {
+    if (current && current.length > 0)
+        return current;
+    const answer = await promptText({
+        message,
+        ...(validate ? { validate } : {}),
+    });
+    return answer === undefined ? undefined : answer;
+}
+function missingProjectIdError(input) {
+    const code = 'HSX_E_INPUT_MISSING_PROJECT_ID';
+    const message = 'Missing --project-id.';
+    const hint = 'Pass --project-id, set HSX_PROJECT_ID, or add `name: "..."` to hsx.config.ts so we can derive it.';
+    if (input.json) {
+        write(`${JSON.stringify({
+            schema_version: 1,
+            command: input.command,
+            ok: false,
+            error: { code, message, hint },
+        }, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: input.command, argv: input.argv });
+        reporter.error(code, message, { hint, docs_url: `https://hs-x.dev/errors/${code}` });
+        reporter.done(undefined, 10);
+    }
+    return { exitCode: 10 };
+}
+function inputValidationError(input) {
+    if (input.json) {
+        write(`${JSON.stringify({
+            schema_version: 1,
+            command: input.command,
+            ok: false,
+            error: {
+                code: input.code,
+                message: input.message,
+                hint: input.hint,
+                detail: input.detail,
+            },
+        }, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: input.command, argv: input.argv });
+        reporter.error(input.code, input.message, {
+            hint: input.hint,
+            docs_url: `https://hs-x.dev/errors/${input.code}`,
+        });
+        reporter.done(undefined, 10);
+    }
+    return { exitCode: 10 };
+}
+async function readHsxConfigProjectId(root) {
+    try {
+        const contents = await readFile(join(root, 'hsx.config.ts'), 'utf8');
+        const match = contents.match(/\bname\s*:\s*["'`]([^"'`]+)["'`]/);
+        return match?.[1] ? toProjectId(match[1]) : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function toProjectId(value) {
+    return value
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9_-]+/g, '-')
+        .replace(/^-+|-+$/g, '');
+}
+function cancelledResult(argv, command) {
+    const reporter = createReporter({ command, argv });
+    reporter.info('Cancelled.');
+    return { exitCode: 130 };
+}
+async function promptCloudflareBrowserFlow(argv) {
+    const reporter = createReporter({ command: 'connect cloudflare', argv });
+    const wantBrowser = await promptConfirm({
+        message: 'Open Cloudflare in your browser to create an API token?',
+        default: true,
+    });
+    if (wantBrowser === undefined)
+        return 'cancel';
+    if (!wantBrowser)
+        return undefined;
+    const { CLOUDFLARE_TOKEN_TEMPLATE_URL, CLOUDFLARE_REQUIRED_PERMISSIONS, verifyCloudflareToken, CloudflareAuthError, } = await import('../cloudflare-auth.js');
+    const { openInBrowser } = await import('../hubspot-auth.js');
+    reporter.info('HS-X needs these Cloudflare permissions:');
+    for (const p of CLOUDFLARE_REQUIRED_PERMISSIONS) {
+        reporter.info(`  • ${p.scope} → ${p.permission}  (${p.reason})`);
+    }
+    reporter.info('');
+    reporter.info('Tip: pick the "Edit Cloudflare Workers" template and add D1 + Queues to it.');
+    reporter.info(`Opening ${CLOUDFLARE_TOKEN_TEMPLATE_URL}`);
+    await openInBrowser(CLOUDFLARE_TOKEN_TEMPLATE_URL);
+    for (;;) {
+        const token = await promptText({
+            message: 'Paste your Cloudflare API token',
+            validate: (v) => (v.length >= 30 ? undefined : 'Token looks too short.'),
+        });
+        if (token === undefined)
+            return 'cancel';
+        try {
+            const info = await verifyCloudflareToken(token);
+            reporter
+                .step('Token verified')
+                .ok(`id ${info.id}${info.accountId ? `, account ${info.accountId}` : ''}`);
+            renderCloudflareTokenPermissions(reporter, info, CLOUDFLARE_REQUIRED_PERMISSIONS);
+            return { token, ...(info.accountId ? { accountId: info.accountId } : {}) };
+        }
+        catch (error) {
+            if (error instanceof CloudflareAuthError) {
+                reporter.warn(error.code, error.message);
+                const retry = await promptConfirm({ message: 'Try again?', default: true });
+                if (retry === undefined)
+                    return 'cancel';
+                if (!retry)
+                    return undefined;
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+function renderCloudflareTokenPermissions(reporter, info, requiredPermissions) {
+    reporter.info('');
+    if (info.permissionInspection === 'unavailable') {
+        reporter.warn('HSX_E_CLOUDFLARE_TOKEN_VERIFY', info.permissionInspectionDetail
+            ? `Could not inspect the token permission groups. ${info.permissionInspectionDetail}`
+            : 'Could not inspect the token permission groups.');
+        reporter.info('Expected Cloudflare token permissions:');
+        for (const permission of requiredPermissions) {
+            reporter.info(`  • ${permission.scope} → ${permission.permission} (${permission.permissionGroupName})`);
+        }
+        return;
+    }
+    reporter.info('Cloudflare approved these token permission groups:');
+    if (info.grantedPermissionGroups.length === 0) {
+        reporter.info('  (none reported)');
+    }
+    else {
+        for (const permission of info.grantedPermissionGroups) {
+            reporter.info(`  ✓ ${permission}`);
+        }
+    }
+    if (info.missingPermissionGroups.length === 0) {
+        reporter.step('Required permissions present').ok();
+        return;
+    }
+    reporter.warn('HSX_E_CLOUDFLARE_TOKEN_VERIFY', 'Token is missing permissions HS-X expects.');
+    for (const permission of requiredPermissions) {
+        if (!info.missingPermissionGroups.includes(permission.permissionGroupName))
+            continue;
+        reporter.info(`  • Missing ${permission.permissionGroupName} — ${permission.reason} (${permission.phase})`);
+    }
+}
+async function runCloudflareOAuthFlow(input) {
+    return Effect.runPromise(Effect.promise(() => runCloudflareOAuthFlowBody(input)).pipe(Effect.withSpan('cli.cloudflare_oauth.flow', {
+        attributes: {
+            account_id: input.hsxAccountId,
+            brokered: Boolean(resolveControlPlaneUrl(input.argv)),
+        },
+    })));
+}
+async function runCloudflareOAuthFlowBody(input) {
+    const { CLOUDFLARE_OAUTH_DEFAULT_PORT, CloudflareOAuthError, buildAuthorizeUrl, exchangeAuthorizationCode, generatePkcePair, generateState, loadCloudflareOAuthConfig, startCallbackListener, } = await import('../cloudflare-oauth.js');
+    const { saveCloudflareOAuthCredential } = await import('../cloudflare-oauth-store.js');
+    const reporter = createReporter({ command: 'connect cloudflare', argv: input.argv });
+    const controlPlaneUrl = resolveControlPlaneUrl(input.argv);
+    let config;
+    try {
+        config = await loadCloudflareOAuthConfig({
+            ...(controlPlaneUrl ? { controlPlaneUrl } : {}),
+            port: Number(resolveFlag(input.argv, '--oauth-port') ?? CLOUDFLARE_OAUTH_DEFAULT_PORT),
+        });
+    }
+    catch (error) {
+        if (error instanceof CloudflareOAuthError) {
+            return {
+                kind: 'error',
+                result: inputValidationError({
+                    argv: input.argv,
+                    command: 'connect cloudflare',
+                    json: input.json,
+                    code: error.code,
+                    message: error.message,
+                    hint: error.detail,
+                    detail: error.detail,
+                }),
+            };
+        }
+        throw error;
+    }
+    const pkce = generatePkcePair();
+    const state = generateState();
+    const authorizeUrl = buildAuthorizeUrl({ config, pkce, state });
+    const port = new URL(config.redirectUri).port
+        ? Number(new URL(config.redirectUri).port)
+        : CLOUDFLARE_OAUTH_DEFAULT_PORT;
+    const timeoutMs = Number(resolveFlag(input.argv, '--oauth-timeout-ms') ?? '180000');
+    const listener = startCallbackListener({ port, expectedState: state, timeoutMs });
+    const { openInBrowser } = await import('../hubspot-auth.js');
+    reporter.info('Opening Cloudflare to authorize HS-X…');
+    reporter.info(`If your browser doesn't open, visit: ${authorizeUrl}`);
+    await openInBrowser(authorizeUrl);
+    let code;
+    try {
+        const callback = await listener.result;
+        code = callback.code;
+    }
+    catch (error) {
+        await listener.close();
+        if (error instanceof CloudflareOAuthError) {
+            return {
+                kind: 'error',
+                result: inputValidationError({
+                    argv: input.argv,
+                    command: 'connect cloudflare',
+                    json: input.json,
+                    code: error.code,
+                    message: error.message,
+                    hint: 'Re-run `hs-x connect cloudflare --auth-method oauth` to retry.',
+                    detail: error.detail,
+                }),
+            };
+        }
+        throw error;
+    }
+    await listener.close();
+    // Brokered path: control plane has a client id AND we didn't take the env
+    // override. The control plane will exchange the code, store the refresh
+    // token, and return the CloudflareConnection in one round trip.
+    const envHasOverride = typeof process.env.HSX_CLOUDFLARE_OAUTH_CLIENT_ID === 'string' &&
+        process.env.HSX_CLOUDFLARE_OAUTH_CLIENT_ID.length > 0;
+    if (controlPlaneUrl && !envHasOverride) {
+        try {
+            const connection = await postCloudflareOAuthComplete({
+                controlPlaneUrl,
+                accountId: input.hsxAccountId,
+                userId: resolveFlag(input.argv, '--user-id') ?? process.env.HSX_USER_ID ?? 'local-cli-user',
+                body: {
+                    code,
+                    codeVerifier: pkce.verifier,
+                    redirectUri: config.redirectUri,
+                    ...(input.displayName ? { displayName: input.displayName } : {}),
+                },
+            });
+            reporter
+                .step('Cloudflare OAuth complete')
+                .ok(`account ${connection.cloudflareAccountId} (via control plane)`);
+            return { kind: 'success-brokered', connection };
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            return {
+                kind: 'error',
+                result: inputValidationError({
+                    argv: input.argv,
+                    command: 'connect cloudflare',
+                    json: input.json,
+                    code: 'HSX_E_CLOUDFLARE_OAUTH_EXCHANGE',
+                    message: 'Control plane failed to complete the Cloudflare OAuth exchange.',
+                    hint: 'Re-run `hs-x connect cloudflare --auth-method oauth` to retry.',
+                    detail,
+                }),
+            };
+        }
+    }
+    // Local/dev path: exchange the code against Cloudflare directly using the
+    // env-supplied client_id. Used for sandbox development where the control
+    // plane isn't reachable.
+    let tokens;
+    try {
+        tokens = await exchangeAuthorizationCode({ config, code, verifier: pkce.verifier });
+    }
+    catch (error) {
+        if (error instanceof CloudflareOAuthError) {
+            return {
+                kind: 'error',
+                result: inputValidationError({
+                    argv: input.argv,
+                    command: 'connect cloudflare',
+                    json: input.json,
+                    code: error.code,
+                    message: error.message,
+                    hint: 'The OAuth code may have expired. Re-run to retry.',
+                    detail: error.detail,
+                }),
+            };
+        }
+        throw error;
+    }
+    let discoveredAccountId;
+    try {
+        const { verifyCloudflareToken } = await import('../cloudflare-auth.js');
+        const info = await verifyCloudflareToken(tokens.accessToken);
+        discoveredAccountId = info.accountId;
+    }
+    catch {
+        // verification is optional here
+    }
+    if (tokens.refreshToken && discoveredAccountId) {
+        try {
+            await saveCloudflareOAuthCredential(discoveredAccountId, {
+                refreshToken: tokens.refreshToken,
+                ...(tokens.scope ? { scope: tokens.scope } : {}),
+            });
+        }
+        catch {
+            // best-effort
+        }
+    }
+    reporter
+        .step('Cloudflare OAuth complete')
+        .ok(discoveredAccountId ? `account ${discoveredAccountId} (dev)` : 'token acquired (dev)');
+    return {
+        kind: 'success-local',
+        accessToken: tokens.accessToken,
+        ...(discoveredAccountId ? { cloudflareAccountId: discoveredAccountId } : {}),
+    };
+}
+async function postCloudflareOAuthComplete(input) {
+    const url = new URL(`/v1/accounts/${encodeURIComponent(input.accountId)}/cloudflare/oauth/complete`, input.controlPlaneUrl);
+    const response = await hostedHttp({
+        url,
+        method: 'POST',
+        headers: {
+            accept: 'application/json',
+            ...(await controlPlaneAuthHeaders(input.userId)),
+        },
+        body: input.body,
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => '');
+        throw new Error(`HTTP ${response.status}: ${text || response.statusText}`);
+    }
+    const raw = (await response.json());
+    return Schema.decodeUnknownSync(schemas.CloudflareConnection)(raw);
+}
+async function promptHubspotBrowserFlow(argv) {
+    const reporter = createReporter({ command: 'connect hubspot', argv });
+    reporter.info('No HubSpot accounts found in the HubSpot CLI config.');
+    const wantBrowser = await promptConfirm({
+        message: 'Open HubSpot in your browser to generate a personal access key?',
+        default: true,
+    });
+    if (!wantBrowser)
+        return undefined;
+    const { HUBSPOT_PAK_GENERATION_URL, openInBrowser, exchangePak, PakExchangeError } = await import('../hubspot-auth.js');
+    reporter.info(`Opening ${HUBSPOT_PAK_GENERATION_URL}`);
+    await openInBrowser(HUBSPOT_PAK_GENERATION_URL);
+    reporter.info('On the HubSpot page: generate a PAK and copy it.');
+    for (;;) {
+        const pak = await promptText({
+            message: 'Paste your HubSpot personal access key',
+            validate: (v) => (v.length >= 20 ? undefined : 'PAK looks too short.'),
+        });
+        if (!pak)
+            return undefined;
+        try {
+            const exchanged = await exchangePak(pak);
+            reporter
+                .step('PAK validated')
+                .ok(`portal ${exchanged.portalId}${exchanged.hubName ? ` (${exchanged.hubName})` : ''}`);
+            return {
+                name: exchanged.hubName ?? `portal-${exchanged.portalId}`,
+                portalId: exchanged.portalId,
+                pak,
+                accessToken: exchanged.accessToken,
+                expiresAt: exchanged.expiresAt,
+                ...(exchanged.accountType ? { accountType: exchanged.accountType } : {}),
+                ...(exchanged.hubName ? { hubName: exchanged.hubName } : {}),
+            };
+        }
+        catch (error) {
+            if (error instanceof PakExchangeError) {
+                reporter.warn(error.code, error.message);
+                const retry = await promptConfirm({ message: 'Try again?', default: true });
+                if (!retry)
+                    return undefined;
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+async function defaultHsxAccountId() {
+    try {
+        const { loadStore } = await import('../account-store.js');
+        const store = await loadStore();
+        if (store.defaultAccountId && store.accounts[store.defaultAccountId]) {
+            return store.defaultAccountId;
+        }
+        const ids = Object.keys(store.accounts);
+        return ids.length === 1 ? ids[0] : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function persistConnectedAccount(input) {
+    if (!Number.isFinite(input.hubspotPortalId))
+        return;
+    try {
+        const { addAccount } = await import('../account-store.js');
+        await addAccount({
+            id: input.id,
+            displayName: input.displayName,
+            hubspotPortalId: input.hubspotPortalId,
+            source: 'connect',
+        });
+    }
+    catch {
+        // best-effort persistence; failures don't fail the connect
+    }
+}
+function defaultStorePathForLog() {
+    return join(process.env.HOME ?? '~', '.hsx', 'config.json');
+}
+async function connectCloudflareCommand({ argv, json, }) {
+    const accountId = resolveFlag(argv, '--account-id') ??
+        process.env.HSX_ACCOUNT_ID ??
+        (await defaultHsxAccountId());
+    if (!accountId) {
+        const reporter = createReporter({ command: 'connect cloudflare', argv });
+        const code = 'HSX_E_INPUT_NO_HSX_ACCOUNT';
+        reporter.error(code, 'No HS-X account to bind Cloudflare to.', {
+            hint: 'Run `hs-x connect` first to create an HS-X account.',
+            docs_url: `https://hs-x.dev/errors/${code}`,
+        });
+        reporter.done(undefined, 10);
+        return { exitCode: 10 };
+    }
+    const interactive = !json && isInteractive();
+    let cloudflareAccountId = resolveFlag(argv, '--cloudflare-account-id');
+    let displayName = resolveFlag(argv, '--display-name');
+    const authMethod = resolveFlag(argv, '--auth-method') ?? 'api-token';
+    let apiToken = resolveFlag(argv, '--api-token') ?? process.env.HSX_CLOUDFLARE_API_TOKEN;
+    if (authMethod === 'oauth') {
+        const oauthOutcome = await runCloudflareOAuthFlow({
+            argv,
+            json,
+            hsxAccountId: accountId,
+            ...(displayName ? { displayName } : {}),
+        });
+        if (oauthOutcome.kind === 'cancelled') {
+            return cancelledResult(argv, 'connect cloudflare');
+        }
+        if (oauthOutcome.kind === 'error') {
+            return oauthOutcome.result;
+        }
+        if (oauthOutcome.kind === 'success-brokered') {
+            // Control plane already exchanged the code and stored the refresh
+            // token. We just print the connection and we're done — no separate
+            // /cloudflare/connect call needed.
+            const result = {
+                ok: true,
+                command: 'connect cloudflare',
+                mode: 'control-plane-oauth-complete',
+                accountId,
+                connection: oauthOutcome.connection,
+            };
+            if (json) {
+                write(`${JSON.stringify(result, null, 2)}\n`);
+            }
+            else {
+                const reporter = createReporter({ command: 'connect cloudflare', argv });
+                reporter.header(accountId);
+                reporter.block(renderCloudflareConnect(oauthOutcome.connection));
+                reporter.done('Connected');
+            }
+            return { exitCode: 0 };
+        }
+        // success-local: dev path — use access token as if it were an API token,
+        // then go through the existing connect call below.
+        apiToken = oauthOutcome.accessToken;
+        if (!cloudflareAccountId && oauthOutcome.cloudflareAccountId) {
+            cloudflareAccountId = oauthOutcome.cloudflareAccountId;
+        }
+    }
+    else if (interactive && authMethod === 'api-token' && !apiToken) {
+        const browserResult = await promptCloudflareBrowserFlow(argv);
+        if (browserResult === 'cancel')
+            return cancelledResult(argv, 'connect cloudflare');
+        if (browserResult) {
+            apiToken = browserResult.token;
+            if (!cloudflareAccountId && browserResult.accountId) {
+                cloudflareAccountId = browserResult.accountId;
+            }
+        }
+    }
+    if (interactive) {
+        if (!cloudflareAccountId) {
+            const answer = await promptText({
+                message: 'Cloudflare account id',
+                validate: (v) => /^[a-f0-9]{16,}$/i.test(v)
+                    ? undefined
+                    : 'Looks like a Cloudflare account id is 32 hex chars.',
+            });
+            if (answer === undefined)
+                return cancelledResult(argv, 'connect cloudflare');
+            cloudflareAccountId = answer;
+        }
+        if (!displayName) {
+            const answer = await promptText({
+                message: 'Display name for this Cloudflare account',
+                default: `Cloudflare (${accountId})`,
+            });
+            if (answer === undefined)
+                return cancelledResult(argv, 'connect cloudflare');
+            displayName = answer;
+        }
+        if (authMethod === 'api-token' && !apiToken) {
+            const answer = await promptText({
+                message: 'Cloudflare API token',
+                validate: (v) => (v.length >= 20 ? undefined : 'Token looks too short.'),
+            });
+            if (answer === undefined)
+                return cancelledResult(argv, 'connect cloudflare');
+            apiToken = answer;
+        }
+    }
+    if (authMethod === 'api-token' && !apiToken) {
+        const reporter = createReporter({ command: 'connect cloudflare', argv });
+        const code = 'HSX_E_INPUT_MISSING_API_TOKEN';
+        reporter.error(code, 'Cloudflare API token is required.', {
+            hint: 'Pass --api-token, set HSX_CLOUDFLARE_API_TOKEN, or run interactively.',
+            docs_url: `https://hs-x.dev/errors/${code}`,
+        });
+        reporter.done(undefined, 10);
+        return { exitCode: 10 };
+    }
+    const request = Schema.decodeUnknownSync(schemas.CloudflareConnectRequest)({
+        cloudflareAccountId,
+        displayName,
+        authMethod,
+        ...(apiToken ? { apiToken } : {}),
+    });
+    const safeRequest = {
+        cloudflareAccountId: request.cloudflareAccountId,
+        displayName: request.displayName,
+        authMethod: request.authMethod,
+    };
+    const controlPlaneUrl = resolveFlag(argv, '--control-plane-url') ?? process.env.HSX_CONTROL_PLANE_URL;
+    const userId = resolveFlag(argv, '--user-id') ?? process.env.HSX_USER_ID ?? 'local-cli-user';
+    const connection = controlPlaneUrl
+        ? await requestHostedControlPlaneCloudflareConnect({
+            accountId,
+            request,
+            controlPlaneUrl,
+            userId,
+        })
+        : argv.includes('--local-control-plane')
+            ? await requestLocalControlPlaneCloudflareConnect({ accountId, request, userId })
+            : undefined;
+    if (!connection) {
+        const result = {
+            ok: true,
+            command: 'connect cloudflare',
+            mode: 'request',
+            accountId,
+            request: safeRequest,
+            nextStep: 'Pass --control-plane-url to connect through the control plane or --local-control-plane to exercise the local contract handler.',
+        };
+        write(json
+            ? `${JSON.stringify(result, null, 2)}\n`
+            : `Prepared Cloudflare connect request for ${request.displayName}. Hosted transport is not wired yet.\n`);
+        return { exitCode: 0 };
+    }
+    const result = {
+        ok: true,
+        command: 'connect cloudflare',
+        mode: controlPlaneUrl ? 'control-plane-connect' : 'local-control-plane-connect',
+        accountId,
+        request: safeRequest,
+        connection,
+    };
+    if (json) {
+        write(`${JSON.stringify(result, null, 2)}\n`);
+    }
+    else {
+        const reporter = createReporter({ command: 'connect cloudflare', argv });
+        reporter.header(accountId);
+        reporter.block(renderCloudflareConnect(connection));
+        reporter.done('Connected');
+    }
+    return { exitCode: 0 };
+}
+async function requestLocalControlPlaneHubSpotConnect({ accountId, request, }) {
+    const controlPlane = (await loadCreateControlPlane())({
+        now: () => new Date('2026-05-18T14:00:00.000Z'),
+    });
+    const response = await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/accounts/${accountId}/hubspot/connect`, {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/json',
+            ...(await controlPlaneAuthHeaders('local-cli-user')),
+        },
+        body: JSON.stringify(request),
+    }));
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Local control-plane HubSpot connect failed with status ${response.status}`);
+    }
+    return Schema.decodeUnknownSync(schemas.HubSpotDeveloperConnection)(body);
+}
+async function requestHostedControlPlaneHubSpotConnect({ accountId, request, controlPlaneUrl, userId, }) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(accountId)}/hubspot/connect`, controlPlaneUrl),
+        method: 'POST',
+        headers: await controlPlaneAuthHeaders(userId),
+        body: request,
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control-plane HubSpot connect failed with status ${response.status}`);
+    }
+    return Schema.decodeUnknownSync(schemas.HubSpotDeveloperConnection)(body);
+}
+async function requestLocalControlPlaneCloudflareConnect({ accountId, request, userId, }) {
+    const controlPlane = (await loadCreateControlPlane())({
+        now: () => new Date('2026-05-18T14:00:00.000Z'),
+    });
+    const response = await controlPlane.fetch(new Request(`https://api.hs-x.dev/v1/accounts/${accountId}/cloudflare/connect`, {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/json',
+            ...(await controlPlaneAuthHeaders(userId)),
+        },
+        body: JSON.stringify(request),
+    }));
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Local control-plane Cloudflare connect failed with status ${response.status}`);
+    }
+    return Schema.decodeUnknownSync(schemas.CloudflareConnection)(body);
+}
+async function requestHostedControlPlaneCloudflareConnect({ accountId, request, controlPlaneUrl, userId, }) {
+    const response = await hostedHttp({
+        url: new URL(`/v1/accounts/${encodeURIComponent(accountId)}/cloudflare/connect`, controlPlaneUrl),
+        method: 'POST',
+        headers: await controlPlaneAuthHeaders(userId),
+        body: request,
+    });
+    const body = await response.json();
+    if (!response.ok) {
+        throw new Error(isRecord(body) && typeof body.message === 'string'
+            ? body.message
+            : `Control-plane Cloudflare connect failed with status ${response.status}`);
+    }
+    return Schema.decodeUnknownSync(schemas.CloudflareConnection)(body);
+}
+function renderCloudflareConnect(connection) {
+    const siblingLine = connection.visibleSiblingAccountIds && connection.visibleSiblingAccountIds.length > 0
+        ? `\nThis Cloudflare account is also connected to HS-X account(s) ${connection.visibleSiblingAccountIds.join(', ')}. Resources will be namespaced by HS-X account id; Cloudflare quota is shared.\n`
+        : '\n';
+    return `Connected Cloudflare account ${connection.displayName} for ${connection.accountId}${siblingLine}`;
+}
+function writeDiagnostics(diagnostics) {
+    for (const diagnostic of diagnostics) {
+        const location = diagnostic.file
+            ? `${diagnostic.file}${diagnostic.line ? `:${diagnostic.line}` : ''}`
+            : 'project';
+        write(`${diagnostic.severity.toUpperCase()} ${diagnostic.code} ${location} ${diagnostic.message}\n`);
+    }
+}
+// A flag value is valid if it exists and doesn't look like another flag.
+// `--account-id --json` must NOT yield `--json` as the account id; the user
+// forgot the value. `--flag=` (explicit empty) is also rejected — treat it
+function isFlagValue(value) {
+    return value !== undefined && value.length > 0 && !value.startsWith('-');
+}
+function resolveFlag(argv, flag) {
+    const index = argv.indexOf(flag);
+    if (index !== -1) {
+        const next = argv[index + 1];
+        if (isFlagValue(next))
+            return next;
+    }
+    const prefix = `${flag}=`;
+    const found = argv.find((arg) => arg.startsWith(prefix));
+    if (!found)
+        return undefined;
+    const value = found.slice(prefix.length);
+    return value.length > 0 ? value : undefined;
+}
+function write(message) {
+    process.stdout.write(message);
+}
+//# sourceMappingURL=connect.js.map