@metabase/cli 0.1.4 → 0.1.6

package/dist/{runtime-Br8L4NPm.mjs → runtime-Dmv5VtUK.mjs}

@@ -1,16 +1,17 @@
-import { package_default } from "./package-D-aVYFKM.mjs";
-import { setMetabaseAugment } from "./command-augment-D9pI9Vbh.mjs";
-import { AbortError, ConfigError, MetabaseError, NetworkError, TimeoutError, VERBOSE_ENV, ValidationError, errorMessage, isNotFoundError, isPlainObject, toMetabaseError } from "./predicates-CGO17Q15.mjs";
+import { AbortError, ConfigError, MetabaseError, NetworkError, ResponseShapeError, TimeoutError, ValidationError, errorMessage, flagConsumesValue, isNotFoundError, normalizeFlag, setMetabaseAugment, toAliasArray } from "./command-augment-BH9qgQ5u.mjs";
+import { DEFAULT_MAX_BYTES, package_default, reportError } from "./error-C9S6PN3-.mjs";
+import { BASELINE_CAPABILITIES, isPlainObject, warn } from "./capabilities-7e9MgquN.mjs";
 import { defineCommand } from "citty";
 import { z } from "zod";
 import { promises } from "node:fs";
 import { dirname, join } from "node:path";
-import { homedir } from "node:os";
 import { Entry } from "@napi-rs/keyring";
+import { homedir } from "node:os";
+import { parse } from "semver";
 import { setTimeout } from "node:timers/promises";
 
 //#region src/runtime/json.ts
-const JSON_CONTENT_TYPE$1 = "application/json";
+const JSON_CONTENT_TYPE = "application/json";
 function parseJson(input, schema, opts = {}) {
 	const result = parseJsonResult(input, schema, opts);
 	if (!result.ok) throw result.error;
@@ -48,88 +49,7 @@ function parseJsonOrPlain(text, contentType, schema, opts = {}) {
 	return parseJson(JSON.stringify(text), schema, opts);
 }
 function isJsonContentType(contentType) {
-	return contentType !== null && contentType.includes(JSON_CONTENT_TYPE$1);
-}
-
-//#endregion
-//#region src/output/types.ts
-const DEFAULT_MAX_BYTES = 65536;
-function listEnvelopeSchema(item) {
-	return z.object({
-		data: z.array(item),
-		returned: z.number().int().nonnegative(),
-		total: z.number().int().nonnegative().nullable().optional(),
-		limit: z.number().int().nonnegative().optional(),
-		truncated: z.object({
-			reason: z.literal("max_bytes"),
-			bytes: z.number().int().nonnegative()
-		}).optional()
-	});
-}
-function wrapList(items) {
-	return {
-		data: items,
-		returned: items.length,
-		total: items.length
-	};
-}
-
-//#endregion
-//#region src/commands/flags.ts
-const outputFlags = {
-	format: {
-		type: "string",
-		description: "auto | json | text",
-		default: "auto"
-	},
-	json: {
-		type: "boolean",
-		description: "Shorthand for --format json"
-	},
-	full: {
-		type: "boolean",
-		description: "Return the full object (default: compact)"
-	},
-	fields: {
-		type: "string",
-		description: "Dot-paths, comma separated (mutually exclusive with --full)"
-	},
-	maxBytes: {
-		type: "string",
-		description: "Output size cap; 0 disables",
-		default: String(DEFAULT_MAX_BYTES),
-		alias: "max-bytes"
-	}
-};
-const profileFlag = { profile: {
-	type: "string",
-	description: "Named profile (default: 'default')"
-} };
-const connectionFlags = {
-	url: {
-		type: "string",
-		description: "Metabase URL"
-	},
-	apiKey: {
-		type: "string",
-		description: "API key",
-		alias: "api-key"
-	}
-};
-
-//#endregion
-//#region src/commands/parse-integer.ts
-const INTEGER_PATTERN = /^-?\d+$/;
-function parseInteger(value, options) {
-	const trimmed = value.trim();
-	if (!INTEGER_PATTERN.test(trimmed)) throw new ConfigError(`invalid ${options.name}: "${value}" (expected integer)`);
-	const parsed = Number.parseInt(trimmed, 10);
-	if (parsed < options.min) throw new ConfigError(`invalid ${options.name}: ${parsed} (must be ≥ ${options.min})`);
-	return parsed;
-}
-function parseOptionalInteger(value, options) {
-	if (value === void 0 || value === "") return null;
-	return parseInteger(value, options);
+	return contentType !== null && contentType.includes(JSON_CONTENT_TYPE);
 }
 
 //#endregion
@@ -145,85 +65,92 @@ function configDir() {
 }
 
 //#endregion
-//#region src/core/auth/rejection.ts
-const REJECTIONS_FILE = "rejections.json";
-const REJECTIONS_FILE_MODE = 384;
-const REJECTIONS_DIR_MODE = 448;
-const RejectionRecord = z.object({
-	reason: z.string(),
-	url: z.string(),
-	rejectedAt: z.string()
+//#region src/domain/session-properties.ts
+const ServerVersion = z.object({
+	tag: z.string(),
+	date: z.string().optional(),
+	hash: z.string().optional()
+}).loose();
+const TokenFeatures = z.record(z.string(), z.boolean());
+const SessionProperties = z.object({
+	version: ServerVersion,
+	"token-features": TokenFeatures.optional()
+}).loose();
+
+//#endregion
+//#region src/core/version/tag.ts
+const ParsedVersionSchema = z.object({
+	tag: z.string(),
+	major: z.number().int().nonnegative(),
+	patch: z.number().int().nonnegative()
 });
-const RejectionsFileSchema = z.record(z.string(), RejectionRecord);
-function rejectionsFilePath() {
-	return join(configDir(), REJECTIONS_FILE);
-}
-async function readRejectionsFile() {
-	const path = rejectionsFilePath();
-	let raw;
-	try {
-		raw = await promises.readFile(path, "utf8");
-	} catch (error) {
-		if (isNotFoundError(error)) return {};
-		throw error;
-	}
-	return parseJson(raw, RejectionsFileSchema, { source: path });
-}
-async function writeRejectionsFile(store) {
-	const path = rejectionsFilePath();
-	if (Object.keys(store).length === 0) {
-		await promises.unlink(path).catch(() => void 0);
-		return;
-	}
-	await promises.mkdir(dirname(path), {
-		recursive: true,
-		mode: REJECTIONS_DIR_MODE
-	});
-	await promises.writeFile(path, JSON.stringify(store, null, 2) + "\n", { mode: REJECTIONS_FILE_MODE });
-	if (process.platform !== "win32") await promises.chmod(path, REJECTIONS_FILE_MODE);
-}
-async function recordRejection(profile, input) {
-	const store = await readRejectionsFile();
-	store[profile] = {
-		reason: input.reason,
-		url: input.url,
-		rejectedAt: new Date().toISOString()
+function tryParseTag(tag) {
+	const parsed = parse(tag);
+	if (parsed === null || parsed.major !== 0 && parsed.major !== 1) return null;
+	return {
+		tag,
+		major: parsed.minor,
+		patch: parsed.patch
 	};
-	await writeRejectionsFile(store);
-}
-async function clearRejection(profile) {
-	const store = await readRejectionsFile();
-	if (!(profile in store)) return false;
-	delete store[profile];
-	await writeRejectionsFile(store);
-	return true;
-}
-async function readRejection(profile) {
-	const store = await readRejectionsFile();
-	return store[profile] ?? null;
 }
 
+//#endregion
+//#region src/core/auth/profile-record.ts
+const ProbedUser = z.object({
+	id: z.number().int(),
+	name: z.string(),
+	isAdmin: z.boolean()
+});
+const ProfileLastProbe = z.object({
+	at: z.iso.datetime(),
+	version: ParsedVersionSchema.nullable(),
+	tokenFeatures: TokenFeatures.nullable(),
+	user: ProbedUser
+});
+const ProfileFailureKind = z.enum([
+	"auth",
+	"network",
+	"server"
+]);
+const ProfileLastFailure = z.object({
+	at: z.iso.datetime(),
+	kind: ProfileFailureKind,
+	reason: z.string()
+});
+const ProfileRecord = z.object({
+	name: z.string(),
+	url: z.string(),
+	apiKey: z.string().nullable(),
+	lastProbe: ProfileLastProbe.nullable(),
+	lastFailure: ProfileLastFailure.nullable()
+});
+const ProfilesFile = z.object({
+	profiles: z.array(ProfileRecord),
+	license: z.string().nullable()
+});
+
 //#endregion
 //#region src/core/auth/storage.ts
-const CredentialsFileSchema = z.record(z.string(), z.string());
 const KEYRING_SERVICE = "metabase-cli";
-const CREDENTIALS_FILE = "credentials.json";
-const PROFILE_INDEX_FILE = "profiles.json";
+const PROFILES_FILE = "profiles.json";
+const LEGACY_CREDENTIALS_FILE = "credentials.json";
+const LEGACY_REJECTIONS_FILE = "rejections.json";
+const PROFILES_FILE_MODE = 384;
+const PROFILES_DIR_MODE = 448;
 const DEFAULT_PROFILE = "default";
-const CREDENTIALS_FILE_MODE = 384;
-const CREDENTIALS_DIR_MODE = 448;
+const LEGACY_STORAGE_NOTICE = "Old profile storage detected and ignored; re-run `mb auth login` for each profile.";
 const account = {
-	profileUrl: (profile) => `profile:${profile}:url`,
 	profileApiKey: (profile) => `profile:${profile}:apiKey`,
 	license: "license"
 };
-const ProfileIndexSchema = z.array(z.string());
-const FILE_STORE_PROFILE_URL_PATTERN = /^profile:(.+):url$/;
-function fallbackFilePath() {
-	return join(configDir(), CREDENTIALS_FILE);
+let legacyWarningPending = false;
+function profilesFilePath() {
+	return join(configDir(), PROFILES_FILE);
 }
-function profileIndexPath() {
-	return join(configDir(), PROFILE_INDEX_FILE);
+function consumeLegacyStorageWarning() {
+	if (!legacyWarningPending) return null;
+	legacyWarningPending = false;
+	return LEGACY_STORAGE_NOTICE;
 }
 function keyringEnabled() {
 	return process.env["METABASE_CLI_DISABLE_KEYRING"] !== "1";
@@ -253,253 +180,221 @@ function tryRemoveKeyring(key) {
 		return void 0;
 	}
 }
-async function readFileStore() {
-	const path = fallbackFilePath();
+async function readProfilesFile() {
+	const path = profilesFilePath();
 	let raw;
 	try {
 		raw = await promises.readFile(path, "utf8");
 	} catch (error) {
-		if (isNotFoundError(error)) return {};
-		throw error;
-	}
-	return parseJson(raw, CredentialsFileSchema, { source: path });
-}
-async function writeFileStore(store) {
-	const path = fallbackFilePath();
-	await promises.mkdir(dirname(path), {
-		recursive: true,
-		mode: CREDENTIALS_DIR_MODE
-	});
-	await promises.writeFile(path, JSON.stringify(store, null, 2) + "\n", { mode: CREDENTIALS_FILE_MODE });
-	if (process.platform !== "win32") await promises.chmod(path, CREDENTIALS_FILE_MODE);
-}
-async function setFile(key, value) {
-	const store = await readFileStore();
-	store[key] = value;
-	await writeFileStore(store);
-}
-async function readFromFile(key) {
-	const store = await readFileStore();
-	return store[key] ?? null;
-}
-async function removeFromFile(key) {
-	const store = await readFileStore();
-	if (!(key in store)) return false;
-	delete store[key];
-	if (Object.keys(store).length === 0) await promises.unlink(fallbackFilePath()).catch(() => void 0);
-	else await writeFileStore(store);
-	return true;
-}
-const credentials = {
-	async set(key, value) {
-		if (trySetKeyring(key, value)) {
-			await removeFromFile(key).catch(() => void 0);
+		if (isNotFoundError(error)) {
+			await detectLegacyArtifacts();
 			return {
-				backend: "keyring",
-				service: KEYRING_SERVICE,
-				account: key
+				profiles: [],
+				license: null
 			};
 		}
-		await setFile(key, value);
-		return {
-			backend: "file",
-			path: fallbackFilePath(),
-			account: key
-		};
-	},
-	async read(key) {
-		const fromKeyring = tryReadKeyring(key);
-		if (fromKeyring !== void 0) return fromKeyring;
-		return readFromFile(key);
-	},
-	async has(key) {
-		return await credentials.read(key) !== null;
-	},
-	async remove(key) {
-		const fromKeyring = tryRemoveKeyring(key);
-		const fromFile = await removeFromFile(key).catch(() => false);
-		if (fromKeyring === void 0) return fromFile;
-		return fromKeyring || fromFile;
-	},
-	async location(key) {
-		if (tryReadKeyring(key) !== void 0) return {
-			backend: "keyring",
-			service: KEYRING_SERVICE,
-			account: key
-		};
+		throw error;
+	}
+	const parsed = parseJsonResult(raw, ProfilesFile, { source: path });
+	if (parsed.ok) return parsed.value;
+	if (parsed.error instanceof ValidationError) {
+		legacyWarningPending = true;
 		return {
-			backend: "file",
-			path: fallbackFilePath(),
-			account: key
+			profiles: [],
+			license: null
 		};
 	}
-};
-async function readProfile(name = DEFAULT_PROFILE) {
-	const [url, apiKey] = await Promise.all([credentials.read(account.profileUrl(name)), credentials.read(account.profileApiKey(name))]);
-	if (!url || !apiKey) return null;
-	return {
-		url,
-		apiKey
-	};
+	throw parsed.error;
 }
-async function writeProfile(profile, name = DEFAULT_PROFILE) {
-	await credentials.set(account.profileUrl(name), profile.url);
-	const location = await credentials.set(account.profileApiKey(name), profile.apiKey);
-	await addToProfileIndex(name);
-	return location;
+async function detectLegacyArtifacts() {
+	const legacyCredentials = join(configDir(), LEGACY_CREDENTIALS_FILE);
+	const legacyRejections = join(configDir(), LEGACY_REJECTIONS_FILE);
+	const [credentialsExists, rejectionsExists] = await Promise.all([fileExists(legacyCredentials), fileExists(legacyRejections)]);
+	if (credentialsExists || rejectionsExists) legacyWarningPending = true;
 }
-async function clearProfile(name = DEFAULT_PROFILE) {
-	const removedUrl = await credentials.remove(account.profileUrl(name));
-	const removedKey = await credentials.remove(account.profileApiKey(name));
-	await removeFromProfileIndex(name);
-	return removedUrl || removedKey;
-}
-async function listProfileNames() {
-	const stored = await readProfileIndex();
-	if (stored !== null) return stored;
-	const backfilled = await backfillProfileIndexFromFile();
-	if (backfilled.length > 0) await writeProfileIndex(backfilled);
-	return backfilled;
-}
-async function readProfileIndex() {
-	const path = profileIndexPath();
-	let raw;
+async function fileExists(path) {
 	try {
-		raw = await promises.readFile(path, "utf8");
-	} catch (error) {
-		if (isNotFoundError(error)) return null;
-		throw error;
+		await promises.access(path);
+		return true;
+	} catch {
+		return false;
 	}
-	return parseJson(raw, ProfileIndexSchema, { source: path });
 }
-async function writeProfileIndex(names) {
-	const path = profileIndexPath();
-	const unique = [...new Set(names)].toSorted();
+async function writeProfilesFile(file) {
+	const path = profilesFilePath();
+	if (file.profiles.length === 0 && file.license === null) {
+		await promises.unlink(path).catch(() => void 0);
+		await cleanupLegacyFiles();
+		return;
+	}
 	await promises.mkdir(dirname(path), {
 		recursive: true,
-		mode: CREDENTIALS_DIR_MODE
+		mode: PROFILES_DIR_MODE
 	});
-	await promises.writeFile(path, JSON.stringify(unique, null, 2) + "\n", { mode: CREDENTIALS_FILE_MODE });
-	if (process.platform !== "win32") await promises.chmod(path, CREDENTIALS_FILE_MODE);
-}
-async function deleteProfileIndex() {
-	await promises.unlink(profileIndexPath()).catch(() => void 0);
-}
-async function addToProfileIndex(name) {
-	const current = await listProfileNames();
-	if (current.includes(name)) return;
-	await writeProfileIndex([...current, name]);
-}
-async function removeFromProfileIndex(name) {
-	const current = await listProfileNames();
-	const next = current.filter((entry) => entry !== name);
-	if (next.length === current.length) return;
-	if (next.length === 0) {
-		await deleteProfileIndex();
-		return;
-	}
-	await writeProfileIndex(next);
-}
-async function backfillProfileIndexFromFile() {
-	const store = await readFileStore();
-	const names = new Set();
-	for (const key of Object.keys(store)) {
-		const name = FILE_STORE_PROFILE_URL_PATTERN.exec(key)?.[1];
-		if (name !== void 0) names.add(name);
-	}
-	return [...names];
+	await promises.writeFile(path, JSON.stringify(file, null, 2) + "\n", { mode: PROFILES_FILE_MODE });
+	if (process.platform !== "win32") await promises.chmod(path, PROFILES_FILE_MODE);
+	await cleanupLegacyFiles();
 }
-async function readLicense() {
-	return credentials.read(account.license);
+async function cleanupLegacyFiles() {
+	await Promise.all([promises.unlink(join(configDir(), LEGACY_CREDENTIALS_FILE)).catch(() => void 0), promises.unlink(join(configDir(), LEGACY_REJECTIONS_FILE)).catch(() => void 0)]);
 }
-async function writeLicense(token) {
-	return credentials.set(account.license, token);
+function findRecord(file, name) {
+	return file.profiles.find((entry) => entry.name === name) ?? null;
 }
-async function clearLicense() {
-	return credentials.remove(account.license);
+function fileLocation(key) {
+	return {
+		backend: "file",
+		path: profilesFilePath(),
+		account: key,
+		reason: keyringEnabled() ? "unavailable" : "disabled"
+	};
 }
-
-//#endregion
-//#region src/core/url.ts
-function normalizeUrl(input) {
-	const trimmed = input.trim().replace(/\/+$/, "");
-	if (!/^https?:\/\//i.test(trimmed)) throw new Error("URL must start with http:// or https://");
-	return trimmed;
+function keyringFallbackWarning(location, subject) {
+	const cause = location.reason === "disabled" ? "OS keychain disabled via METABASE_CLI_DISABLE_KEYRING" : "OS keychain unavailable";
+	return `warning: ${cause}; ${subject} stored as plaintext at ${location.path}`;
 }
-function originOnly(input) {
-	const parsed = new URL(input);
-	parsed.username = "";
-	parsed.password = "";
-	return parsed.origin;
+async function persistApiKey(name, apiKey) {
+	const key = account.profileApiKey(name);
+	if (trySetKeyring(key, apiKey)) return {
+		backend: "keyring",
+		service: KEYRING_SERVICE,
+		account: key
+	};
+	return fileLocation(key);
 }
-function localUrl(port) {
-	return `http://localhost:${port}`;
+async function readProfile(name = DEFAULT_PROFILE) {
+	const file = await readProfilesFile();
+	const record = findRecord(file, name);
+	if (record === null) return null;
+	const apiKey = await resolveApiKey(record);
+	if (apiKey === null) return null;
+	return {
+		url: record.url,
+		apiKey
+	};
 }
-
-//#endregion
-//#region src/core/config.ts
-const ENV_URL = "METABASE_URL";
-const ENV_API_KEY = "METABASE_API_KEY";
-const ENV_PROFILE = "METABASE_PROFILE";
-const ENV_LICENSE_TOKEN = "METABASE_LICENSE_TOKEN";
-function resolveProfileName(profileFlag$1) {
-	return explicitProfileName(profileFlag$1) ?? DEFAULT_PROFILE;
+async function resolveApiKey(record) {
+	const fromKeyring = tryReadKeyring(account.profileApiKey(record.name));
+	if (typeof fromKeyring === "string") return fromKeyring;
+	return record.apiKey;
 }
-function explicitProfileName(profileFlag$1) {
-	return profileFlag$1 || process.env[ENV_PROFILE] || null;
+async function readProfileRecord(name = DEFAULT_PROFILE) {
+	const file = await readProfilesFile();
+	return findRecord(file, name);
 }
-function readEnvCredentials() {
-	return {
-		url: process.env[ENV_URL] ?? null,
-		apiKey: process.env[ENV_API_KEY] ?? null
+async function listProfileRecords() {
+	const file = await readProfilesFile();
+	return file.profiles;
+}
+async function writeProfile(profile, name = DEFAULT_PROFILE) {
+	const location = await persistApiKey(name, profile.apiKey);
+	const inlineApiKey = location.backend === "file" ? profile.apiKey : null;
+	const file = await readProfilesFile();
+	const existing = findRecord(file, name);
+	const updated = existing === null ? {
+		name,
+		url: profile.url,
+		apiKey: inlineApiKey,
+		lastProbe: null,
+		lastFailure: null
+	} : {
+		...existing,
+		url: profile.url,
+		apiKey: inlineApiKey
 	};
+	const profiles = existing === null ? [...file.profiles, updated] : file.profiles.map((entry) => entry.name === name ? updated : entry);
+	await writeProfilesFile({
+		...file,
+		profiles
+	});
+	return location;
 }
-function readEnvLicenseToken() {
-	return process.env[ENV_LICENSE_TOKEN] ?? null;
+async function writeProbeResult(name, input) {
+	const probe = ProfileLastProbe.parse({
+		at: new Date().toISOString(),
+		version: input.server.version,
+		tokenFeatures: input.server.tokenFeatures,
+		user: input.user
+	});
+	const file = await readProfilesFile();
+	const existing = findRecord(file, name);
+	if (existing === null) return null;
+	const profiles = file.profiles.map((entry) => entry.name === name ? {
+		...entry,
+		lastProbe: probe,
+		lastFailure: null
+	} : entry);
+	await writeProfilesFile({
+		...file,
+		profiles
+	});
+	return probe;
 }
-async function resolveConfig(flags) {
-	const profile = resolveProfileName(flags.profile);
-	const env = readEnvCredentials();
-	const flagUrl = flags.url;
-	const flagKey = flags.apiKey;
-	const needsStored = !flagUrl && !env.url || !flagKey && !env.apiKey;
-	const stored = needsStored ? await readProfile(profile) : null;
-	const urlField = pickField(flagUrl, env.url, stored?.url);
-	const keyField = pickField(flagKey, env.apiKey, stored?.apiKey);
-	if (urlField === null || keyField === null) {
-		const rejection = await readRejection(profile);
-		if (rejection !== null) throw new ConfigError(`Last login for profile "${profile}" was rejected by ${originOnly(rejection.url)}: ${rejection.reason}. Re-run \`mb auth login --profile ${profile}\` with valid credentials.`);
-		throw new ConfigError(`Not authenticated for profile "${profile}". Run \`mb auth login\`, set ${ENV_URL}/${ENV_API_KEY}, or pass --url/--api-key.`);
-	}
-	return {
-		url: normalizeUrl(urlField.value),
-		apiKey: keyField.value,
-		profile,
-		source: urlField.source === keyField.source ? urlField.source : "mixed"
-	};
+async function writeProbeFailure(name, input) {
+	const failure = ProfileLastFailure.parse({
+		at: new Date().toISOString(),
+		kind: input.kind,
+		reason: input.reason
+	});
+	const file = await readProfilesFile();
+	const existing = findRecord(file, name);
+	if (existing === null) return null;
+	const profiles = file.profiles.map((entry) => entry.name === name ? {
+		...entry,
+		lastFailure: failure
+	} : entry);
+	await writeProfilesFile({
+		...file,
+		profiles
+	});
+	return failure;
 }
-async function resolveLicenseToken(flags) {
-	const flag = flags.token;
-	const env = readEnvLicenseToken();
-	const stored = !flag && !env ? await readLicense() : null;
-	const value = flag ?? env ?? stored;
-	if (!value) throw new ConfigError(`No license token. Pass --token, set ${ENV_LICENSE_TOKEN}, or store one with \`mb license set\`.`);
-	return value;
+async function clearProfile(name = DEFAULT_PROFILE) {
+	tryRemoveKeyring(account.profileApiKey(name));
+	const file = await readProfilesFile();
+	const existing = findRecord(file, name);
+	if (existing === null) return false;
+	await writeProfilesFile({
+		...file,
+		profiles: file.profiles.filter((entry) => entry.name !== name)
+	});
+	return true;
 }
-function pickField(flag, env, stored) {
-	if (flag) return {
-		value: flag,
-		source: "flag"
-	};
-	if (env) return {
-		value: env,
-		source: "env"
-	};
-	if (stored) return {
-		value: stored,
-		source: "stored"
-	};
-	return null;
+async function readLicense() {
+	const fromKeyring = tryReadKeyring(account.license);
+	if (typeof fromKeyring === "string") return fromKeyring;
+	const file = await readProfilesFile();
+	return file.license;
+}
+async function writeLicense(token) {
+	const key = account.license;
+	const file = await readProfilesFile();
+	if (trySetKeyring(key, token)) {
+		if (file.license !== null) await writeProfilesFile({
+			...file,
+			license: null
+		});
+		return {
+			backend: "keyring",
+			service: KEYRING_SERVICE,
+			account: key
+		};
+	}
+	await writeProfilesFile({
+		...file,
+		license: token
+	});
+	return fileLocation(key);
+}
+async function clearLicense() {
+	const removedFromKeyring = tryRemoveKeyring(account.license);
+	const file = await readProfilesFile();
+	const hadInline = file.license !== null;
+	if (hadInline) await writeProfilesFile({
+		...file,
+		license: null
+	});
+	return removedFromKeyring === true || hadInline;
 }
 
 //#endregion
@@ -568,34 +463,27 @@ function redactBody(body, ctx) {
 
 //#endregion
 //#region src/core/http/errors.ts
+const ROUTE_MISSING_LITERAL = "API endpoint does not exist.";
+const RESOURCE_MISSING_LITERAL = "Not found.";
 const STATUS_CLASSIFICATIONS = {
-	401: {
-		retryable: false,
-		message: "Invalid or unauthorized API key"
-	},
-	403: {
-		retryable: false,
-		message: "Invalid or unauthorized API key"
-	},
-	404: {
-		retryable: false,
-		message: "Endpoint not found — is this a Metabase instance?"
-	},
+	401: { retryable: false },
+	403: { retryable: false },
+	404: { retryable: false },
 	408: {
 		retryable: true,
-		message: "Metabase timed out responding"
+		message: "Metabase timed out responding."
 	},
 	425: { retryable: true },
 	429: {
 		retryable: true,
-		message: "Metabase rate-limited the request"
+		message: "Metabase rate-limited the request."
 	},
 	500: { retryable: true },
 	502: { retryable: true },
 	503: { retryable: true },
 	504: {
 		retryable: true,
-		message: "Metabase timed out responding"
+		message: "Metabase timed out responding."
 	}
 };
 const ErrorEnvelope = z.object({
@@ -612,18 +500,22 @@ var HttpError = class extends MetabaseError {
 	category = "http";
 	exitCode = 1;
 	status;
+	kind;
 	developerDetail;
 	constructor(input) {
 		const sanitizedBody = sanitizeBody(input.rawBody, input.redactionContext);
-		super(input.overrideUserMessage ?? extractUserMessage(input.status, sanitizedBody));
+		const redactedHeaders = redactHeaders(input.responseHeaders);
+		const kind = classifyKind(input.status, sanitizedBody, redactedHeaders);
+		super(input.overrideUserMessage ?? buildUserMessage(kind, input, sanitizedBody));
 		this.name = "HttpError";
 		this.status = input.status;
+		this.kind = kind;
 		this.developerDetail = {
 			status: input.status,
 			statusText: input.statusText,
 			method: input.method,
 			url: input.url,
-			responseHeaders: redactHeaders(input.responseHeaders),
+			responseHeaders: redactedHeaders,
 			body: sanitizedBody
 		};
 	}
@@ -639,10 +531,39 @@ function sanitizeBody(rawBody, ctx) {
 	if (ctx === void 0) return rawBody;
 	return redactBody(rawBody, ctx);
 }
-function extractUserMessage(status, sanitizedBody) {
+function classifyKind(status, sanitizedBody, redactedHeaders) {
+	if (status === 401 || status === 403) return "auth";
+	if (status === 404) return isRouteMissingResponse(sanitizedBody, redactedHeaders) ? "route-missing" : "resource-missing";
+	if (status === 429) return "rate-limit";
+	if (status >= 500 && status < 600) return "server-error";
+	return "generic";
+}
+function isRouteMissingResponse(sanitizedBody, redactedHeaders) {
+	if (sanitizedBody?.includes(ROUTE_MISSING_LITERAL)) return true;
+	if (sanitizedBody?.includes(RESOURCE_MISSING_LITERAL)) return false;
+	if (redactedHeaders["content-type"]?.includes(JSON_CONTENT_TYPE)) return false;
+	if (sanitizedBody === null || sanitizedBody.trim() === "") return true;
+	return !parseJsonResult(sanitizedBody, ErrorEnvelope).ok;
+}
+function buildUserMessage(kind, input, sanitizedBody) {
+	if (kind === "route-missing") return buildRouteMissingMessage(input);
+	if (kind === "resource-missing") return `Not found: ${input.method} ${pathFromUrl(input.url)}.`;
 	const fromBody = parseEnvelopeMessage(sanitizedBody);
-	if (fromBody) return fromBody;
-	return defaultMessageForStatus(status);
+	if (fromBody !== null) return fromBody;
+	if (kind === "auth") return `Invalid or unauthorized API key (host: ${hostFromUrl(input.url)}).`;
+	return defaultMessageForStatus(input.status);
+}
+function buildRouteMissingMessage(input) {
+	const path = pathFromUrl(input.url);
+	if (!input.serverTag) return `This endpoint is not available on the connected Metabase: ${input.method} ${path}.`;
+	return `This endpoint is not available on Metabase ${input.serverTag}: ${input.method} ${path}. The command may require a newer Metabase major version. Run 'mb auth list' to see this server's version, or 'mb __manifest' for per-command requirements.`;
+}
+function pathFromUrl(url) {
+	const parsed = new URL(url);
+	return parsed.pathname + parsed.search;
+}
+function hostFromUrl(url) {
+	return new URL(url).host;
 }
 function parseEnvelopeMessage(sanitizedBody) {
 	if (!sanitizedBody) return null;
@@ -691,7 +612,7 @@ function capLength(message) {
 	return message.slice(0, MAX_EXTRACTED_MESSAGE_LEN - ELLIPSIS.length) + ELLIPSIS;
 }
 function defaultMessageForStatus(status) {
-	return STATUS_CLASSIFICATIONS[status]?.message ?? `Metabase returned ${status}`;
+	return STATUS_CLASSIFICATIONS[status]?.message ?? `Metabase returned ${status}.`;
 }
 
 //#endregion
@@ -716,11 +637,19 @@ function parseRetryAfter(header) {
 function sleep(ms, signal) {
 	return setTimeout(ms, void 0, { signal });
 }
+async function runWithRetries(attempt, signal) {
+	let attemptIndex = 0;
+	while (true) {
+		const outcome = await attempt(attemptIndex);
+		if (outcome.kind === "success") return outcome.response;
+		await sleep(outcome.delayMs, signal);
+		attemptIndex += 1;
+	}
+}
 
 //#endregion
 //#region src/core/http/client.ts
 const DEFAULT_TIMEOUT_MS = 3e4;
-const JSON_CONTENT_TYPE = "application/json";
 const OCTET_STREAM_CONTENT_TYPE = "application/octet-stream";
 const TEXT_CONTENT_TYPE_PREFIX = "text/";
 const ERROR_BODY_BYTE_CAP = 64 * 1024;
@@ -730,8 +659,10 @@ const IDEMPOTENT_METHODS = new Set([
 	"HEAD",
 	"OPTIONS"
 ]);
+const NO_SERVER_TAG = async () => null;
 function createClient(config, overrides = {}) {
 	const fetchImpl = overrides.fetchImpl ?? globalThis.fetch.bind(globalThis);
+	const getServerTag = overrides.getServerTag ?? NO_SERVER_TAG;
 	const redactionContext = { knownSecrets: new Set([config.apiKey]) };
 	async function attemptOnce(prepared, attempt) {
 		const hasRetriesLeft = attempt < prepared.retries;
@@ -757,12 +688,7 @@ function createClient(config, overrides = {}) {
 				url: prepared.url,
 				timeoutMs: prepared.timeoutMs
 			});
-			const message = errorMessage(error);
-			throw new NetworkError(`Could not reach Metabase: ${message}`, {
-				method: prepared.method,
-				url: prepared.url,
-				cause: message
-			});
+			throw buildNetworkError(error, prepared.method, prepared.url);
 		}
 		const canRetryStatus = hasRetriesLeft && prepared.idempotent;
 		if (!response.ok && isRetryableStatus(response.status) && canRetryStatus) {
@@ -778,6 +704,7 @@ function createClient(config, overrides = {}) {
 		}
 		if (!response.ok) {
 			const rawBody = await readBodyForError(response);
+			const serverTag = await getServerTag();
 			throw new HttpError({
 				status: response.status,
 				statusText: response.statusText,
@@ -785,6 +712,7 @@ function createClient(config, overrides = {}) {
 				url: prepared.url,
 				responseHeaders: response.headers,
 				rawBody,
+				serverTag,
 				redactionContext
 			});
 		}
@@ -795,13 +723,7 @@ function createClient(config, overrides = {}) {
 		};
 	}
 	async function executeRaw(prepared) {
-		let attempt = 0;
-		while (true) {
-			const result = await attemptOnce(prepared, attempt);
-			if (result.kind === "success") return result.response;
-			await sleep(result.delayMs, prepared.callerSignal);
-			attempt += 1;
-		}
+		return runWithRetries((attempt) => attemptOnce(prepared, attempt), prepared.callerSignal);
 	}
 	function prepare(path, opts = {}) {
 		const method = opts.method ?? "GET";
@@ -847,14 +769,12 @@ function createClient(config, overrides = {}) {
 			try {
 				return parseJson(text, schema, { source: prepared.url });
 			} catch (error) {
-				if (error instanceof ConfigError) throw new HttpError({
-					status: response.status,
-					statusText: response.statusText,
+				if (error instanceof ValidationError) throw new ResponseShapeError({
 					method: prepared.method,
 					url: prepared.url,
-					responseHeaders: response.headers,
-					rawBody: text,
-					redactionContext
+					status: response.status,
+					zodIssues: error.developerDetail.zodIssues,
+					serverTag: await getServerTag()
 				});
 				throw error;
 			}
@@ -908,6 +828,50 @@ function throwContentTypeMismatch(response, prepared, expected) {
 		overrideUserMessage: `Expected ${expected} response but got ${actual}`
 	});
 }
+const NETWORK_HINTS = {
+	ECONNREFUSED: (t) => `Connection refused by ${t.host} — is Metabase running and is the port correct?`,
+	ENOTFOUND: (t) => `Host not found: ${t.hostname} — check the URL.`,
+	EAI_AGAIN: (t) => `Could not resolve ${t.hostname} — check your network connection and the URL.`,
+	ECONNRESET: (t) => `Connection to ${t.host} was reset — the server may have closed it, or http/https may be mismatched.`,
+	ETIMEDOUT: (t) => `Connection to ${t.host} timed out — check the host, port, and your network.`
+};
+const TLS_ERROR_CODES = new Set([
+	"EPROTO",
+	"DEPTH_ZERO_SELF_SIGNED_CERT",
+	"SELF_SIGNED_CERT_IN_CHAIN",
+	"UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+	"CERT_HAS_EXPIRED",
+	"ERR_TLS_CERT_ALTNAME_INVALID"
+]);
+function buildNetworkError(error, method, url) {
+	const fallback = errorMessage(error);
+	const code = causeCode(error);
+	const target = networkTarget(url);
+	return new NetworkError(networkMessage(code, target, fallback), {
+		method,
+		url,
+		cause: code ?? fallback
+	});
+}
+function networkMessage(code, target, fallback) {
+	if (code === null) return `Could not reach Metabase: ${fallback}`;
+	if (TLS_ERROR_CODES.has(code)) return `Could not reach Metabase: TLS error contacting ${target.host} (${code}) — the certificate could not be verified, or https:// was used against a plain-HTTP server.`;
+	const hint = NETWORK_HINTS[code];
+	if (hint === void 0) return `Could not reach Metabase: ${fallback} (${code})`;
+	return `Could not reach Metabase: ${hint(target)}`;
+}
+function causeCode(error) {
+	const cause = error instanceof Error ? error.cause : void 0;
+	if (cause instanceof Error && "code" in cause && typeof cause.code === "string") return cause.code;
+	return null;
+}
+function networkTarget(url) {
+	const parsed = new URL(url);
+	return {
+		host: parsed.host,
+		hostname: parsed.hostname
+	};
+}
 async function readBodyForError(response) {
 	try {
 		const buffer = Buffer.from(await response.arrayBuffer());
@@ -918,14 +882,159 @@ async function readBodyForError(response) {
 }
 
 //#endregion
-//#region src/output/error.ts
-function reportError(error) {
-	const handled = toMetabaseError(error);
-	process.stderr.write(handled.userMessage + "\n");
-	if (process.env[VERBOSE_ENV] === "1" && handled.developerDetail !== null) process.stderr.write(JSON.stringify(handled.developerDetail, null, 2) + "\n");
-	process.exitCode = handled.exitCode;
+//#region src/core/version/probe.ts
+const PROBE_PATH = "/api/session/properties";
+const PROBE_TIMEOUT_MS = 1e4;
+const EMPTY_SERVER_INFO = Object.freeze({
+	version: null,
+	tokenFeatures: null
+});
+async function probeServer(client, opts = {}) {
+	const properties = await client.requestParsed(SessionProperties, PROBE_PATH, {
+		timeoutMs: PROBE_TIMEOUT_MS,
+		retries: opts.retries ?? 0
+	});
+	const version = tryParseTag(properties.version.tag);
+	return {
+		version,
+		tokenFeatures: properties["token-features"] ?? null
+	};
+}
+
+//#endregion
+//#region src/core/url.ts
+function normalizeUrl(input) {
+	const trimmed = input.trim().replace(/\/+$/, "");
+	if (!/^https?:\/\//i.test(trimmed)) throw new ConfigError("URL must start with http:// or https://");
+	return trimmed;
+}
+function originOnly(input) {
+	const parsed = new URL(input);
+	parsed.username = "";
+	parsed.password = "";
+	return parsed.origin;
+}
+function localUrl(port) {
+	return `http://localhost:${port}`;
+}
+
+//#endregion
+//#region src/core/config.ts
+const ENV_URL = "METABASE_URL";
+const ENV_API_KEY = "METABASE_API_KEY";
+const ENV_PROFILE = "METABASE_PROFILE";
+const ENV_LICENSE_TOKEN = "METABASE_LICENSE_TOKEN";
+const ENV_SKIP_PREFLIGHT = "METABASE_CLI_SKIP_PREFLIGHT";
+function isPreflightSkipped() {
+	return process.env[ENV_SKIP_PREFLIGHT] === "1";
+}
+function resolveProfileName(profileFlag) {
+	return explicitProfileName(profileFlag) ?? DEFAULT_PROFILE;
+}
+function explicitProfileName(profileFlag) {
+	return profileFlag || process.env[ENV_PROFILE] || null;
+}
+function readEnvCredentials() {
+	return {
+		url: process.env[ENV_URL] ?? null,
+		apiKey: process.env[ENV_API_KEY] ?? null
+	};
+}
+function readEnvLicenseToken() {
+	return process.env[ENV_LICENSE_TOKEN] ?? null;
+}
+async function resolveConfig(flags) {
+	const profile = resolveProfileName(flags.profile);
+	const env = readEnvCredentials();
+	const flagUrl = flags.url;
+	const flagKey = flags.apiKey;
+	const needsStored = !flagUrl && !env.url || !flagKey && !env.apiKey;
+	const stored = needsStored ? await readProfile(profile) : null;
+	const urlField = pickField(flagUrl, env.url, stored?.url);
+	const keyField = pickField(flagKey, env.apiKey, stored?.apiKey);
+	if (urlField === null || keyField === null) {
+		const hint = await failureHintForProfile(profile);
+		throw new ConfigError(`Not authenticated for profile "${profile}". Run \`mb auth login\`, set ${ENV_URL}/${ENV_API_KEY}, or pass --url/--api-key.${hint}`);
+	}
+	return {
+		url: normalizeUrl(urlField.value),
+		apiKey: keyField.value,
+		profile,
+		source: urlField.source === keyField.source ? urlField.source : "mixed"
+	};
+}
+async function resolveLicenseToken(flags) {
+	const flag = flags.token;
+	const env = readEnvLicenseToken();
+	const stored = !flag && !env ? await readLicense() : null;
+	const value = flag ?? env ?? stored;
+	if (!value) throw new ConfigError(`No license token. Pass --token, set ${ENV_LICENSE_TOKEN}, or store one with \`mb workspace license set\`.`);
+	return value;
+}
+async function failureHintForProfile(profile) {
+	const record = await readProfileRecord(profile);
+	if (record === null || record.lastFailure === null) return "";
+	if (record.lastProbe !== null && record.lastProbe.at >= record.lastFailure.at) return "";
+	return ` profile "${profile}" last verify failed: ${record.lastFailure.reason}. Run \`mb auth login --profile ${profile}\` to update the token.`;
+}
+function pickField(flag, env, stored) {
+	if (flag) return {
+		value: flag,
+		source: "flag"
+	};
+	if (env) return {
+		value: env,
+		source: "env"
+	};
+	if (stored) return {
+		value: stored,
+		source: "stored"
+	};
+	return null;
+}
+
+//#endregion
+//#region src/core/version/capabilities.ts
+function mergeCapabilities(overrides) {
+	if (overrides === void 0) return BASELINE_CAPABILITIES;
+	return {
+		minVersion: overrides.minVersion ?? BASELINE_CAPABILITIES.minVersion,
+		...overrides.tokenFeature === void 0 ? {} : { tokenFeature: overrides.tokenFeature }
+	};
+}
+function checkCapabilities(info, required) {
+	if (info.version === null) return {
+		reason: "unknown-version",
+		detail: "Could not detect Metabase server version. Proceeding without preflight check; failures may produce confusing errors."
+	};
+	if (info.version.major < required.minVersion) return {
+		reason: "version-too-old",
+		detail: `This command requires Metabase v${required.minVersion}+ (this server is ${info.version.tag}). Upgrade Metabase or pin mb-cli to an older release.`
+	};
+	if (required.tokenFeature !== void 0) {
+		const enabled = info.tokenFeatures?.[required.tokenFeature] === true;
+		if (!enabled) return {
+			reason: "missing-token-feature",
+			detail: `This command requires the '${required.tokenFeature}' premium feature (not enabled on this server).`
+		};
+	}
+	return null;
 }
 
+//#endregion
+//#region src/core/version/preflight-error.ts
+var CapabilityError = class extends MetabaseError {
+	category = "capability";
+	isRetryable = false;
+	exitCode = 2;
+	developerDetail;
+	constructor(failure) {
+		super(failure.detail);
+		this.name = "CapabilityError";
+		this.developerDetail = failure;
+	}
+};
+
 //#endregion
 //#region src/output/format.ts
 function resolveFormat({ json, format, isTty }) {
@@ -969,6 +1078,21 @@ function parseEnum(raw, schema, flagName) {
 	return result.data;
 }
 
+//#endregion
+//#region src/commands/parse-integer.ts
+const INTEGER_PATTERN = /^-?\d+$/;
+function parseInteger(value, options) {
+	const trimmed = value.trim();
+	if (!INTEGER_PATTERN.test(trimmed)) throw new ConfigError(`invalid ${options.name}: "${value}" (expected integer)`);
+	const parsed = Number.parseInt(trimmed, 10);
+	if (parsed < options.min) throw new ConfigError(`invalid ${options.name}: ${parsed} (must be ≥ ${options.min})`);
+	return parsed;
+}
+function parseOptionalInteger(value, options) {
+	if (value === void 0 || value === "") return null;
+	return parseInteger(value, options);
+}
+
 //#endregion
 //#region src/commands/context.ts
 function resolveCommonFlags(args, options = {}) {
@@ -987,7 +1111,8 @@ function resolveCommonFlags(args, options = {}) {
 		maxBytes: parseMaxBytes(args.maxBytes),
 		url: args.url,
 		apiKey: args.apiKey,
-		profile: args.profile
+		profile: args.profile,
+		skipPreflight: args.skipPreflight === true
 	};
 }
 function parseFields(value) {
@@ -1002,48 +1127,151 @@ function parseMaxBytes(value) {
 	});
 }
 
+//#endregion
+//#region src/commands/known-flags.ts
+const ARGUMENT_SEPARATOR = "--";
+const NEGATION_PREFIX = "no-";
+const BUILTIN_FLAGS = [
+	"help",
+	"h",
+	"version",
+	"v"
+];
+function assertKnownFlags(rawArgs, argsDef) {
+	const allowed = allowedFlagKeys(argsDef);
+	let index = 0;
+	while (index < rawArgs.length) {
+		const token = rawArgs[index];
+		if (token === void 0 || token === ARGUMENT_SEPARATOR) return;
+		if (!isFlagToken(token)) {
+			index += 1;
+			continue;
+		}
+		const matched = flagCandidates(token).some((candidate) => allowed.has(candidate));
+		if (!matched) throw new ConfigError(`unknown flag: ${displayFlag(token)}`);
+		index += flagConsumesValue(token, argsDef) ? 2 : 1;
+	}
+}
+function allowedFlagKeys(argsDef) {
+	const keys = new Set(BUILTIN_FLAGS.map(normalizeFlag));
+	for (const [name, def] of Object.entries(argsDef)) {
+		keys.add(normalizeFlag(name));
+		if ("alias" in def) for (const alias of toAliasArray(def.alias)) keys.add(normalizeFlag(alias));
+	}
+	return keys;
+}
+function isFlagToken(token) {
+	return token.startsWith("-") && token !== "-";
+}
+function displayFlag(token) {
+	const equals = token.indexOf("=");
+	return equals === -1 ? token : token.slice(0, equals);
+}
+function flagCandidates(token) {
+	const name = displayFlag(token).replace(/^-+/, "");
+	const candidates = [normalizeFlag(name)];
+	if (name.startsWith(NEGATION_PREFIX)) candidates.push(normalizeFlag(name.slice(NEGATION_PREFIX.length)));
+	return candidates;
+}
+
 //#endregion
 //#region src/commands/runtime.ts
 function defineMetabaseCommand(def) {
+	const required = def.capabilities === null ? null : mergeCapabilities(def.capabilities);
 	const cmd = defineCommand({
 		meta: def.meta,
 		args: def.args,
-		async run({ args }) {
+		async run({ args, rawArgs }) {
+			let reportFormat;
 			try {
 				const ctx = resolveCommonFlags(pickCommonArgs(args));
+				reportFormat = ctx.format;
+				assertKnownFlags(rawArgs, def.args);
 				let cachedConfig = null;
 				let cachedClient = null;
+				let cachedServerInfo = null;
 				const getResolvedConfig = async () => {
 					if (cachedConfig === null) cachedConfig = await resolveConfig(buildConfigFlags(ctx));
 					return cachedConfig;
 				};
-				const getClient = async () => {
+				const getServerInfo = () => {
+					if (cachedServerInfo === null) cachedServerInfo = loadServerInfo(getResolvedConfig);
+					return cachedServerInfo;
+				};
+				const rawGetClient = async () => {
 					if (cachedClient === null) {
 						const resolved = await getResolvedConfig();
 						cachedClient = createClient({
 							url: resolved.url,
 							apiKey: resolved.apiKey
-						});
+						}, { getServerTag: async () => (await getServerInfo())?.version?.tag ?? null });
 					}
 					return cachedClient;
 				};
-				await def.run({
-					args,
-					ctx,
-					getClient,
-					getResolvedConfig
-				});
+				const enforcePreflight = createPreflightEnforcer(required, getServerInfo, ctx.skipPreflight);
+				const getClient = async () => {
+					const client = await rawGetClient();
+					await enforcePreflight();
+					return client;
+				};
+				try {
+					await def.run({
+						args,
+						ctx,
+						getClient,
+						getResolvedConfig,
+						getServerInfo
+					});
+				} finally {
+					emitLegacyStorageWarningIfPending();
+				}
 			} catch (error) {
-				reportError(error);
+				reportError(error, reportFormat);
 			}
 		}
 	});
 	setMetabaseAugment(cmd, {
 		examples: def.examples ?? [],
-		outputSchema: def.outputSchema ?? null
+		details: def.details ? def.details : null,
+		outputSchema: def.outputSchema ?? null,
+		capabilities: required
 	});
 	return cmd;
 }
+function emitLegacyStorageWarningIfPending() {
+	const message = consumeLegacyStorageWarning();
+	if (message !== null) warn(message);
+}
+async function loadServerInfo(getResolvedConfig) {
+	const resolved = await getResolvedConfig();
+	const record = await readProfileRecord(resolved.profile);
+	if (record === null || record.lastProbe === null) return null;
+	return {
+		version: record.lastProbe.version,
+		tokenFeatures: record.lastProbe.tokenFeatures
+	};
+}
+const NO_OP_ENFORCER = async () => {};
+const PROBE_HINT = " Run `mb auth list` (or `mb auth login`) to populate the version cache.";
+function createPreflightEnforcer(required, getServerInfo, skip) {
+	if (required === null || skip || isPreflightSkipped() || isBaseline(required)) return NO_OP_ENFORCER;
+	let done = false;
+	return async () => {
+		if (done) return;
+		done = true;
+		const info = await getServerInfo() ?? EMPTY_SERVER_INFO;
+		const failure = checkCapabilities(info, required);
+		if (failure === null) return;
+		if (failure.reason === "unknown-version") {
+			warn(failure.detail + PROBE_HINT);
+			return;
+		}
+		throw new CapabilityError(failure);
+	};
+}
+function isBaseline(caps) {
+	return caps.minVersion === BASELINE_CAPABILITIES.minVersion && caps.tokenFeature === void 0;
+}
 function pickCommonArgs(args) {
 	const out = {};
 	if (typeof args["format"] === "string") out.format = args["format"];
@@ -1054,6 +1282,7 @@ function pickCommonArgs(args) {
 	if (typeof args["profile"] === "string") out.profile = args["profile"];
 	if (typeof args["url"] === "string") out.url = args["url"];
 	if (typeof args["apiKey"] === "string") out.apiKey = args["apiKey"];
+	if (typeof args["skipPreflight"] === "boolean") out.skipPreflight = args["skipPreflight"];
 	return out;
 }
 function buildConfigFlags(ctx) {
@@ -1065,4 +1294,4 @@ function buildConfigFlags(ctx) {
 }
 
 //#endregion
-export { DEFAULT_PROFILE, HttpError, USER_AGENT, account, clearLicense, clearProfile, clearRejection, combineAborts, connectionFlags, createClient, credentials, defineMetabaseCommand, explicitProfileName, listEnvelopeSchema, listProfileNames, localUrl, normalizeUrl, originOnly, outputFlags, parseCsv, parseEnum, parseEnumCsv, parseInteger, parseJson, parseJsonOrPlain, parseOptionalInteger, profileFlag, readEnvCredentials, readEnvLicenseToken, readProfile, recordRejection, resolveLicenseToken, resolveProfileName, throwIfAborted, wrapList, writeLicense, writeProfile };
+export { DEFAULT_PROFILE, HttpError, ParsedVersionSchema, ProbedUser, ProfileLastFailure, TokenFeatures, USER_AGENT, clearLicense, clearProfile, combineAborts, createClient, defineMetabaseCommand, explicitProfileName, keyringFallbackWarning, listProfileRecords, localUrl, normalizeUrl, originOnly, parseCsv, parseEnum, parseEnumCsv, parseInteger, parseJson, parseJsonOrPlain, parseOptionalInteger, probeServer, readEnvCredentials, readEnvLicenseToken, readLicense, readProfile, readProfileRecord, resolveLicenseToken, resolveProfileName, throwIfAborted, writeLicense, writeProbeFailure, writeProbeResult, writeProfile };