@microsoft/sentinel-cli 0.1.0 → 0.3.0

package/dist/index.js

@@ -44,7 +44,7 @@ var require_correlationService = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.CorrelationService = void 0;
     var crypto_1 = require("crypto");
-    var CorrelationService = class {
+    var CorrelationService17 = class {
       /**
        * Creates a new correlation context with a unique ID for request tracking.
        * @returns A UUID string to be used as a correlation ID in API requests and telemetry.
@@ -61,7 +61,7 @@ var require_correlationService = __commonJS({
         return response?.headers?.["x-ms-correlation-request-id"];
       }
     };
-    exports2.CorrelationService = CorrelationService;
+    exports2.CorrelationService = CorrelationService17;
   }
 });
 
@@ -159,6 +159,7 @@ var require_requestService = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.RequestService = exports2.DEFAULT_RETRY_OPTIONS = void 0;
     exports2.extractErrorInfo = extractErrorInfo;
+    var https_1 = __importDefault(require("https"));
     var axios_1 = __importDefault(require("axios"));
     var correlationService_1 = require_correlationService();
     var httpConstants_1 = require_httpConstants();
@@ -185,13 +186,19 @@ var require_requestService = __commonJS({
       baseDelayMs: 1e3,
       maxDelayMs: 3e4,
       retryableStatusCodes: Object.freeze([429, 500, 502, 503, 504]),
-      retryableErrors: Object.freeze(["ECONNRESET", "ETIMEDOUT", "ENOTFOUND", "ECONNABORTED"])
+      retryableErrors: Object.freeze(["ECONNRESET", "ETIMEDOUT", "ENOTFOUND", "ECONNABORTED"]),
+      retryableErrorMessages: Object.freeze([
+        "socket disconnected",
+        "socket hang up",
+        "client network socket disconnected"
+      ])
     });
-    var RequestService = class {
+    var HTTPS_AGENT = new https_1.default.Agent({ keepAlive: false });
+    var RequestService5 = class {
       telemetry;
       headerBuilder;
-      constructor(telemetry, headerBuilder) {
-        this.telemetry = telemetry;
+      constructor(telemetry2, headerBuilder) {
+        this.telemetry = telemetry2;
         this.headerBuilder = headerBuilder;
       }
       async get(options) {
@@ -273,7 +280,12 @@ var require_requestService = __commonJS({
               mainSpan.addAttributes({ success: "true" });
               return result;
             } catch (error) {
-              if (attempt < clampedMaxRetries && this.shouldRetry(error, retryOptions ?? {})) {
+              const decision = this.shouldRetry(error, retryOptions ?? {});
+              if (attempt < clampedMaxRetries && decision.retry) {
+                mainSpan.addAttributes({
+                  [`retry.${attempt}.reason`]: decision.reason ?? "",
+                  [`retry.${attempt}.detail`]: decision.detail ?? ""
+                });
                 await this.sleep(this.calculateRetryDelay(attempt, clampedBaseDelayMs, clampedMaxDelayMs));
                 continue;
               }
@@ -350,7 +362,8 @@ var require_requestService = __commonJS({
             url,
             method: options?.method?.toLowerCase() || "get",
             headers: { ...options?.headers },
-            data: options?.body
+            data: options?.body,
+            httpsAgent: HTTPS_AGENT
           };
           if (timeoutMs !== void 0) {
             axiosConfig.timeout = timeoutMs;
@@ -402,15 +415,24 @@ var require_requestService = __commonJS({
       shouldRetry(error, retryOptions) {
         const retryableStatusCodes = retryOptions.retryableStatusCodes ?? exports2.DEFAULT_RETRY_OPTIONS.retryableStatusCodes;
         const retryableErrors = retryOptions.retryableErrors ?? exports2.DEFAULT_RETRY_OPTIONS.retryableErrors;
+        const retryableErrorMessages = retryOptions.retryableErrorMessages ?? exports2.DEFAULT_RETRY_OPTIONS.retryableErrorMessages;
         const httpError = error;
         if (typeof httpError?.statusCode === "number") {
-          return retryableStatusCodes.includes(httpError.statusCode);
+          return retryableStatusCodes.includes(httpError.statusCode) ? { retry: true, reason: "statusCode", detail: String(httpError.statusCode) } : { retry: false };
         }
         const codedError = error;
-        if (codedError?.code) {
-          return retryableErrors.includes(codedError.code);
+        if (codedError?.code && retryableErrors.includes(codedError.code)) {
+          return { retry: true, reason: "errorCode", detail: codedError.code };
         }
-        return false;
+        const errorMessage = error?.message;
+        if (typeof errorMessage === "string" && errorMessage.length > 0) {
+          const lowerMessage = errorMessage.toLowerCase();
+          const matchedPattern = retryableErrorMessages.find((pattern) => lowerMessage.includes(pattern.toLowerCase()));
+          if (matchedPattern) {
+            return { retry: true, reason: "errorMessage", detail: matchedPattern };
+          }
+        }
+        return { retry: false };
       }
       /**
        * Exponential backoff with 10% random jitter.
@@ -423,7 +445,7 @@ var require_requestService = __commonJS({
         return Math.min(exponentialDelay + jitter, maxDelayMs);
       }
       sleep(ms) {
-        return new Promise((resolve) => setTimeout(resolve, ms));
+        return new Promise((resolve2) => setTimeout(resolve2, ms));
       }
       // -------------------------------------------------------------------------
       // URL helpers
@@ -439,7 +461,7 @@ var require_requestService = __commonJS({
         return urlObj.toString();
       }
     };
-    exports2.RequestService = RequestService;
+    exports2.RequestService = RequestService5;
     function getPathFromUrl(url) {
       const urlObject = new URL(url);
       return urlObject.pathname;
@@ -466,20 +488,74 @@ var require_client = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_requestService(), exports2);
   }
 });
 
-// ../../packages/common/dist/src/constants.js
+// ../../packages/common/dist/src/constants/jobEventNames.js
+var require_jobEventNames = __commonJS({
+  "../../packages/common/dist/src/constants/jobEventNames.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.JobApiEvents = void 0;
+    exports2.JobApiEvents = {
+      LOAD_JOBS: "JobsPanel.Load.Jobs",
+      CREATE_JOB: "Jobs.Create.Job",
+      GET_JOB: "Jobs.Get.Job",
+      DELETE_JOB: "Jobs.Delete.Job",
+      DISABLE_JOB: "Jobs.Disable.Job",
+      ENABLE_JOB: "Jobs.Enable.Job",
+      LIST_JOB_RUNS: "Jobs.List.Runs",
+      GET_JOB_RUN: "Jobs.Get.Run",
+      START_JOB_RUN: "Jobs.Start.Run",
+      CANCEL_JOB_RUN: "Jobs.Cancel.Run"
+    };
+  }
+});
+
+// ../../packages/common/dist/src/constants/lakeEventNames.js
+var require_lakeEventNames = __commonJS({
+  "../../packages/common/dist/src/constants/lakeEventNames.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.LakeApiEvents = void 0;
+    exports2.LakeApiEvents = {
+      LOAD_TABLES: "LakeTablesPanel.Load.Tables",
+      LOAD_DATABASES: "LakeTablesPanel.Load.Databases"
+    };
+  }
+});
+
+// ../../packages/common/dist/src/constants/index.js
 var require_constants = __commonJS({
-  "../../packages/common/dist/src/constants.js"(exports2) {
+  "../../packages/common/dist/src/constants/index.js"(exports2) {
     "use strict";
     init_cjs_shims();
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
+    };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FulfillmentStatus = exports2.PackageManifestIdValues = exports2.PackageManifestTypes = exports2.CANCEL_DEPLOYMENT_REQUEST_TYPE = exports2.NEW_DEPLOYMENT_REQUEST_TYPE = void 0;
+    __exportStar(require_jobEventNames(), exports2);
+    __exportStar(require_lakeEventNames(), exports2);
     exports2.NEW_DEPLOYMENT_REQUEST_TYPE = "NewDeploymentRequest";
     exports2.CANCEL_DEPLOYMENT_REQUEST_TYPE = "CancelSubscription";
     var PackageManifestTypes;
@@ -509,26 +585,26 @@ var require_region = __commonJS({
     init_cjs_shims();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.Region = void 0;
-    var Region2;
-    (function(Region3) {
-      Region3["NorwayEast"] = "norwayeast";
-      Region3["EastUS2EUAP"] = "eastus2euap";
-      Region3["AustraliaEast"] = "australiaeast";
-      Region3["CanadaCentral"] = "canadacentral";
-      Region3["CentralUS"] = "centralus";
-      Region3["EastUS"] = "eastus";
-      Region3["EastUS2"] = "eastus2";
-      Region3["FranceCentral"] = "francecentral";
-      Region3["JapanEast"] = "japaneast";
-      Region3["NorthEurope"] = "northeurope";
-      Region3["SouthCentralUS"] = "southcentralus";
-      Region3["UKSouth"] = "uksouth";
-      Region3["WestEurope"] = "westeurope";
-      Region3["WestUS"] = "westus";
-      Region3["WestUS2"] = "westus2";
-      Region3["Global"] = "global";
-      Region3["Dev"] = "dev";
-    })(Region2 || (exports2.Region = Region2 = {}));
+    var Region14;
+    (function(Region15) {
+      Region15["NorwayEast"] = "norwayeast";
+      Region15["EastUS2EUAP"] = "eastus2euap";
+      Region15["AustraliaEast"] = "australiaeast";
+      Region15["CanadaCentral"] = "canadacentral";
+      Region15["CentralUS"] = "centralus";
+      Region15["EastUS"] = "eastus";
+      Region15["EastUS2"] = "eastus2";
+      Region15["FranceCentral"] = "francecentral";
+      Region15["JapanEast"] = "japaneast";
+      Region15["NorthEurope"] = "northeurope";
+      Region15["SouthCentralUS"] = "southcentralus";
+      Region15["UKSouth"] = "uksouth";
+      Region15["WestEurope"] = "westeurope";
+      Region15["WestUS"] = "westus";
+      Region15["WestUS2"] = "westus2";
+      Region15["Global"] = "global";
+      Region15["Dev"] = "dev";
+    })(Region14 || (exports2.Region = Region14 = {}));
   }
 });
 
@@ -539,10 +615,10 @@ var require_securityPlatformEnvironment = __commonJS({
     init_cjs_shims();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.SecurityPlatformEnvironment = void 0;
-    var SecurityPlatformEnvironment5;
-    (function(SecurityPlatformEnvironment6) {
-      SecurityPlatformEnvironment6["Production"] = "production";
-    })(SecurityPlatformEnvironment5 || (exports2.SecurityPlatformEnvironment = SecurityPlatformEnvironment5 = {}));
+    var SecurityPlatformEnvironment21;
+    (function(SecurityPlatformEnvironment22) {
+      SecurityPlatformEnvironment22["Production"] = "production";
+    })(SecurityPlatformEnvironment21 || (exports2.SecurityPlatformEnvironment = SecurityPlatformEnvironment21 = {}));
   }
 });
 
@@ -563,6 +639,8 @@ var require_production = __commonJS({
       gatewayAuthResourceUri: "73c2949e-da2d-457a-9607-fcc665198967/.default",
       gatewayEndpoint: "https://api.securityplatform.microsoft.com/",
       aadClientId: DeviceCodeApplicationId,
+      armEndpoint: "https://management.azure.com",
+      armScope: "https://management.azure.com/.default",
       regions: {
         [region_1.Region.NorwayEast]: buildRegionConfig(region_1.Region.NorwayEast),
         [region_1.Region.EastUS2EUAP]: buildRegionConfig(region_1.Region.EastUS2EUAP),
@@ -615,7 +693,7 @@ var require_configs = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_production(), exports2);
@@ -644,9 +722,9 @@ var require_api_env = __commonJS({
     "use strict";
     init_cjs_shims();
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.getApiEnv = getApiEnv5;
+    exports2.getApiEnv = getApiEnv21;
     var helper_1 = require_helper();
-    function getApiEnv5(env) {
+    function getApiEnv21(env) {
       return (0, helper_1.getEnvironmentConfig)(env);
     }
   }
@@ -680,7 +758,7 @@ var require_environments = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_configs(), exports2);
@@ -740,11 +818,11 @@ var require_common = __commonJS({
     init_cjs_shims();
     var __awaiter = exports2 && exports2.__awaiter || function(thisArg, _arguments, P, generator) {
       function adopt(value) {
-        return value instanceof P ? value : new P(function(resolve) {
-          resolve(value);
+        return value instanceof P ? value : new P(function(resolve2) {
+          resolve2(value);
         });
       }
-      return new (P || (P = Promise))(function(resolve, reject) {
+      return new (P || (P = Promise))(function(resolve2, reject) {
         function fulfilled(value) {
           try {
             step(generator.next(value));
@@ -760,7 +838,7 @@ var require_common = __commonJS({
           }
         }
         function step(result) {
-          result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected);
+          result.done ? resolve2(result.value) : adopt(result.value).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
       });
@@ -859,11 +937,11 @@ var require_api = __commonJS({
     init_cjs_shims();
     var __awaiter = exports2 && exports2.__awaiter || function(thisArg, _arguments, P, generator) {
       function adopt(value) {
-        return value instanceof P ? value : new P(function(resolve) {
-          resolve(value);
+        return value instanceof P ? value : new P(function(resolve2) {
+          resolve2(value);
         });
       }
-      return new (P || (P = Promise))(function(resolve, reject) {
+      return new (P || (P = Promise))(function(resolve2, reject) {
         function fulfilled(value) {
           try {
             step(generator.next(value));
@@ -879,7 +957,7 @@ var require_api = __commonJS({
           }
         }
         function step(result) {
-          result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected);
+          result.done ? resolve2(result.value) : adopt(result.value).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
       });
@@ -2324,7 +2402,7 @@ var require_dist = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_api(), exports2);
@@ -2611,7 +2689,7 @@ var require_factories = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_jobPayloadFactory(), exports2);
@@ -2690,6 +2768,15 @@ var require_jobResponse = __commonJS({
   }
 });
 
+// ../../packages/common/dist/src/models/jobs/listJobsResult.js
+var require_listJobsResult = __commonJS({
+  "../../packages/common/dist/src/models/jobs/listJobsResult.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+  }
+});
+
 // ../../packages/common/dist/src/models/jobs/index.js
 var require_jobs = __commonJS({
   "../../packages/common/dist/src/models/jobs/index.js"(exports2) {
@@ -2709,7 +2796,7 @@ var require_jobs = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_analyticsJobDefinition(), exports2);
@@ -2719,6 +2806,7 @@ var require_jobs = __commonJS({
     __exportStar(require_repeatFrequency(), exports2);
     __exportStar(require_jobTrigger(), exports2);
     __exportStar(require_jobResponse(), exports2);
+    __exportStar(require_listJobsResult(), exports2);
   }
 });
 
@@ -2750,7 +2838,7 @@ var require_lake = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_database(), exports2);
@@ -2833,7 +2921,7 @@ var require_models = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_jobs(), exports2);
@@ -2844,6 +2932,460 @@ var require_models = __commonJS({
   }
 });
 
+// ../../packages/common/dist/src/services/tenant/types.js
+var require_types = __commonJS({
+  "../../packages/common/dist/src/services/tenant/types.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+  }
+});
+
+// ../../packages/common/dist/src/services/tenant/tenantApiClient.js
+var require_tenantApiClient = __commonJS({
+  "../../packages/common/dist/src/services/tenant/tenantApiClient.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.TenantApiClient = void 0;
+    var DEFAULT_ARM_ENDPOINT = "https://management.azure.com";
+    var ARM_API_VERSION = "2020-01-01";
+    var MAX_PAGES = 20;
+    var TENANT_LIST_EVENT = "TenantApiClient.fetchAllTenants";
+    var TenantApiClient2 = class {
+      requestService;
+      tenantsUrl;
+      trustedOrigin;
+      constructor(options) {
+        this.requestService = options.requestService;
+        const armEndpoint = options.armEndpoint ?? DEFAULT_ARM_ENDPOINT;
+        this.tenantsUrl = new URL("/tenants", armEndpoint).toString();
+        this.trustedOrigin = new URL(armEndpoint).origin;
+      }
+      /**
+       * Fetches all tenants accessible to the authenticated user from ARM,
+       * following pagination links until exhausted or the page limit is reached.
+       *
+       * @param accessToken - A valid ARM bearer access token.
+       * @returns An array of {@link ArmTenant} objects.
+       */
+      async fetchAllTenants(accessToken) {
+        const allTenants = [];
+        let nextUrl = this.tenantsUrl;
+        let params = { "api-version": ARM_API_VERSION };
+        let pageCount = 0;
+        while (nextUrl && pageCount < MAX_PAGES) {
+          pageCount++;
+          const page = await this.requestService.get({
+            url: nextUrl,
+            eventName: TENANT_LIST_EVENT,
+            params,
+            token: accessToken
+          });
+          if (Array.isArray(page.value)) {
+            allTenants.push(...page.value.map(mapArmTenant));
+          }
+          if (page.nextLink) {
+            this.validateNextLink(page.nextLink);
+            nextUrl = page.nextLink;
+            params = {};
+          } else {
+            nextUrl = void 0;
+          }
+        }
+        if (nextUrl) {
+          throw new Error(`Tenant list is incomplete: maximum page limit of ${MAX_PAGES} reached.`);
+        }
+        return allTenants;
+      }
+      /**
+       * Validates that a pagination URL returned by the ARM API originates from
+       * the trusted ARM endpoint and targets the /tenants path, preventing SSRF
+       * and bearer-token exfiltration to other origins or endpoints.
+       */
+      validateNextLink(nextLink) {
+        let parsedUrl;
+        try {
+          parsedUrl = new URL(nextLink);
+        } catch {
+          throw new Error(`Invalid nextLink URL: ${nextLink}`);
+        }
+        if (parsedUrl.origin !== this.trustedOrigin) {
+          throw new Error(`Untrusted nextLink origin: expected ${this.trustedOrigin}, got ${parsedUrl.origin}`);
+        }
+        if (parsedUrl.pathname !== "/tenants" && !parsedUrl.pathname.startsWith("/tenants/")) {
+          throw new Error(`Untrusted nextLink path detected: ${parsedUrl.pathname}`);
+        }
+      }
+    };
+    exports2.TenantApiClient = TenantApiClient2;
+    function mapArmTenant(raw) {
+      return {
+        id: raw.id,
+        tenantId: raw.tenantId,
+        displayName: raw.displayName ?? "Unknown Tenant",
+        defaultDomain: raw.defaultDomain ?? "",
+        tenantType: raw.tenantType ?? "AAD",
+        tenantCategory: raw.tenantCategory
+      };
+    }
+  }
+});
+
+// ../../packages/common/dist/src/services/tenant/index.js
+var require_tenant = __commonJS({
+  "../../packages/common/dist/src/services/tenant/index.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_types(), exports2);
+    __exportStar(require_tenantApiClient(), exports2);
+  }
+});
+
+// ../../packages/common/dist/src/services/jobs/jobApiClient.js
+var require_jobApiClient = __commonJS({
+  "../../packages/common/dist/src/services/jobs/jobApiClient.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.JobApiClient = void 0;
+    var sentinel_graph_job_1 = require_dist();
+    var jobEventNames_1 = require_jobEventNames();
+    var API_VERSION = "2023-09-30-preview";
+    var JOB_PATHS = {
+      JOBS: "/jobs"
+    };
+    var JobApiClient2 = class {
+      requestService;
+      baseUrl;
+      constructor(options) {
+        this.requestService = options.requestService;
+        this.baseUrl = options.baseUrl.replace(/\/+$/, "");
+      }
+      get jobsUrl() {
+        return `${this.baseUrl}${JOB_PATHS.JOBS}`;
+      }
+      jobUrl(jobName) {
+        return `${this.jobsUrl}/${encodeURIComponent(jobName)}`;
+      }
+      async createJob(jobName, payload, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        return this.requestService.put({
+          url: this.jobUrl(jobName),
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.CREATE_JOB,
+          body: JSON.stringify(payload),
+          token,
+          requestId
+        });
+      }
+      async getJob(jobName, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        return this.requestService.get({
+          url: this.jobUrl(jobName),
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.GET_JOB,
+          token,
+          requestId
+        });
+      }
+      async deleteJob(jobName, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        return this.requestService.delete({
+          url: this.jobUrl(jobName),
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.DELETE_JOB,
+          token,
+          requestId
+        });
+      }
+      async disableJob(jobName, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        const current = await this.getJob(jobName, token, requestId);
+        const updated = { ...current, jobDefinition: { ...current.jobDefinition, isDisabled: true } };
+        return this.requestService.put({
+          url: this.jobUrl(jobName),
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.DISABLE_JOB,
+          body: JSON.stringify(updated),
+          token,
+          requestId
+        });
+      }
+      async enableJob(jobName, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        const current = await this.getJob(jobName, token, requestId);
+        const updated = { ...current, jobDefinition: { ...current.jobDefinition, isDisabled: false } };
+        return this.requestService.put({
+          url: this.jobUrl(jobName),
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.ENABLE_JOB,
+          body: JSON.stringify(updated),
+          token,
+          requestId
+        });
+      }
+      jobRunsUrl(jobName) {
+        return `${this.jobUrl(jobName)}/runs`;
+      }
+      jobRunUrl(jobName, runId) {
+        return `${this.jobRunsUrl(jobName)}/${encodeURIComponent(runId)}`;
+      }
+      async listJobRuns(jobName, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        const runs = [];
+        let continuationToken = void 0;
+        do {
+          const params = { "api-version": API_VERSION };
+          if (continuationToken !== null && continuationToken !== void 0) {
+            params.continuationToken = continuationToken;
+          }
+          const data = await this.requestService.get({
+            url: this.jobRunsUrl(jobName),
+            params,
+            eventName: jobEventNames_1.JobApiEvents.LIST_JOB_RUNS,
+            token,
+            requestId
+          });
+          if (data?.results) {
+            runs.push(...data.results);
+          }
+          continuationToken = data?.continuationToken ?? null;
+        } while (continuationToken !== null);
+        return runs;
+      }
+      async getJobRun(jobName, runId, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        if (!runId?.trim()) {
+          throw new Error("Run ID is required");
+        }
+        return this.requestService.get({
+          url: this.jobRunUrl(jobName, runId),
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.GET_JOB_RUN,
+          token,
+          requestId
+        });
+      }
+      async startJobRun(jobName, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        return this.requestService.post({
+          url: `${this.jobUrl(jobName)}:runNow`,
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.START_JOB_RUN,
+          body: JSON.stringify({}),
+          token,
+          requestId
+        });
+      }
+      async cancelJobRun(jobName, runId, token, requestId) {
+        if (!jobName?.trim()) {
+          throw new Error("Job name is required");
+        }
+        if (!runId?.trim()) {
+          throw new Error("Run ID is required");
+        }
+        return this.requestService.post({
+          url: `${this.jobRunUrl(jobName, runId)}:cancel`,
+          params: { "api-version": API_VERSION },
+          eventName: jobEventNames_1.JobApiEvents.CANCEL_JOB_RUN,
+          body: JSON.stringify({}),
+          token,
+          requestId
+        });
+      }
+      async listJobs(token, requestId) {
+        const jobs = [];
+        let continuationToken = void 0;
+        do {
+          const params = { jobType: sentinel_graph_job_1.JobType.Notebook, "api-version": API_VERSION };
+          if (continuationToken !== null && continuationToken !== void 0) {
+            params.continuationToken = continuationToken;
+          }
+          const data = await this.requestService.get({
+            url: this.jobsUrl,
+            params,
+            eventName: jobEventNames_1.JobApiEvents.LOAD_JOBS,
+            token,
+            requestId
+          });
+          if (data?.results) {
+            const pageJobs = data.results.map((result) => {
+              if (!result.jobDefinition.jobName) {
+                return null;
+              }
+              return {
+                jobName: result.jobDefinition.jobName,
+                id: result.jobDefinition.jobDefinitionId,
+                isDisabled: result.jobDefinition.isDisabled,
+                jobType: result.jobDefinition.jobType
+              };
+            }).filter((job) => job !== null);
+            jobs.push(...pageJobs);
+          }
+          continuationToken = data?.continuationToken ?? null;
+        } while (continuationToken !== null);
+        return jobs;
+      }
+    };
+    exports2.JobApiClient = JobApiClient2;
+  }
+});
+
+// ../../packages/common/dist/src/services/jobs/index.js
+var require_jobs2 = __commonJS({
+  "../../packages/common/dist/src/services/jobs/index.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.JobApiClient = void 0;
+    var jobApiClient_1 = require_jobApiClient();
+    Object.defineProperty(exports2, "JobApiClient", { enumerable: true, get: function() {
+      return jobApiClient_1.JobApiClient;
+    } });
+  }
+});
+
+// ../../packages/common/dist/src/services/lake/lakeApiClient.js
+var require_lakeApiClient = __commonJS({
+  "../../packages/common/dist/src/services/lake/lakeApiClient.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.LakeApiClient = void 0;
+    exports2.isFederatedTable = isFederatedTable;
+    exports2.getFederatedDatasourceKind = getFederatedDatasourceKind;
+    var lakeEventNames_1 = require_lakeEventNames();
+    var FEDERATED_TABLE_TYPE = "Federated";
+    function isFederatedTable(table) {
+      return table.tableType === FEDERATED_TABLE_TYPE;
+    }
+    function getFederatedDatasourceKind(table) {
+      return table.fabricDetails?.federationDetails?.federatedDatasourceKind;
+    }
+    var API_VERSION = {
+      DATABASES_API_VERSION: "2024-07-01",
+      TABLES_API_VERSION: "2024-05-01-preview"
+    };
+    var LAKE_PATHS = {
+      TABLES: "/lake/tables",
+      DATABASES: "/lake/databases"
+    };
+    var LakeApiClient2 = class {
+      requestService;
+      telemetry;
+      baseUrl;
+      constructor(options) {
+        this.requestService = options.requestService;
+        this.telemetry = options.telemetry;
+        this.baseUrl = options.baseUrl.replace(/\/+$/, "");
+      }
+      get tablesUrl() {
+        return `${this.baseUrl}${LAKE_PATHS.TABLES}`;
+      }
+      get databasesUrl() {
+        return `${this.baseUrl}${LAKE_PATHS.DATABASES}`;
+      }
+      /**
+       * Fetches all lake tables. If a database is specified, fetches tables for that database only.
+       */
+      async fetchLakeTables(accessToken, clientRequestId, database) {
+        const span = this.telemetry.span(lakeEventNames_1.LakeApiEvents.LOAD_TABLES, { requestId: clientRequestId ?? "" });
+        try {
+          let url = this.tablesUrl;
+          let params = database ? { databaseName: database.databaseName } : void 0;
+          const tables = [];
+          do {
+            const response = await this.fetchTables(url, accessToken, clientRequestId, params);
+            tables.push(...response.items);
+            url = response.nextLink || null;
+            params = void 0;
+          } while (url);
+          return tables;
+        } finally {
+          span.end();
+        }
+      }
+      async fetchDatabases(accessToken, clientRequestId) {
+        const data = await this.requestService.get({
+          url: this.databasesUrl,
+          params: { "api-version": API_VERSION.DATABASES_API_VERSION },
+          eventName: lakeEventNames_1.LakeApiEvents.LOAD_DATABASES,
+          token: accessToken,
+          requestId: clientRequestId
+        });
+        return data.value;
+      }
+      async fetchTables(url, accessToken, clientRequestId, params) {
+        return this.requestService.get({
+          url,
+          params: {
+            "api-version": API_VERSION.TABLES_API_VERSION,
+            ...params
+          },
+          eventName: lakeEventNames_1.LakeApiEvents.LOAD_TABLES,
+          token: accessToken,
+          requestId: clientRequestId
+        });
+      }
+    };
+    exports2.LakeApiClient = LakeApiClient2;
+  }
+});
+
+// ../../packages/common/dist/src/services/lake/index.js
+var require_lake2 = __commonJS({
+  "../../packages/common/dist/src/services/lake/index.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.getFederatedDatasourceKind = exports2.isFederatedTable = exports2.LakeApiClient = void 0;
+    var lakeApiClient_1 = require_lakeApiClient();
+    Object.defineProperty(exports2, "LakeApiClient", { enumerable: true, get: function() {
+      return lakeApiClient_1.LakeApiClient;
+    } });
+    Object.defineProperty(exports2, "isFederatedTable", { enumerable: true, get: function() {
+      return lakeApiClient_1.isFederatedTable;
+    } });
+    Object.defineProperty(exports2, "getFederatedDatasourceKind", { enumerable: true, get: function() {
+      return lakeApiClient_1.getFederatedDatasourceKind;
+    } });
+  }
+});
+
 // ../../packages/common/dist/src/services/httpService.js
 var require_httpService = __commonJS({
   "../../packages/common/dist/src/services/httpService.js"(exports2) {
@@ -2855,7 +3397,7 @@ var require_httpService = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.HttpService = void 0;
     var axios_1 = __importDefault(require("axios"));
-    var HttpService2 = class {
+    var HttpService = class {
       httpInstance;
       // Implement the interface
       constructor(httpInstance) {
@@ -2920,7 +3462,7 @@ var require_httpService = __commonJS({
         }
       }
     };
-    exports2.HttpService = HttpService2;
+    exports2.HttpService = HttpService;
   }
 });
 
@@ -2933,81 +3475,6 @@ var require_httpServiceInterface = __commonJS({
   }
 });
 
-// ../../packages/common/dist/src/services/jobService.js
-var require_jobService = __commonJS({
-  "../../packages/common/dist/src/services/jobService.js"(exports2) {
-    "use strict";
-    init_cjs_shims();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.JobService = void 0;
-    var JobService2 = class {
-      env;
-      region;
-      httpInstance;
-      API_VERSION = "2023-09-30-preview";
-      constructor(env, region, httpInstance) {
-        this.env = env;
-        this.region = region;
-        this.httpInstance = httpInstance;
-        if (!env || !region) {
-          throw new Error("Environment and region must be provided.");
-        }
-        if (!env.regions[region]) {
-          throw new Error(`Region ${region} is not configured.`);
-        }
-        if (!httpInstance) {
-          throw new Error("HTTP service instance must be provided.");
-        }
-        this.httpInstance = httpInstance;
-      }
-      async getHttpInstance() {
-        return this.httpInstance;
-      }
-      getBaseUrl() {
-        const regionConfig = this.env.regions[this.region];
-        return regionConfig.gatewayEndpoint;
-      }
-      async createJob(jobName, payload) {
-        if (!jobName?.trim()) {
-          throw new Error("Job name is required");
-        }
-        const httpInstance = await this.getHttpInstance();
-        const url = `${this.getBaseUrl()}jobs/${encodeURIComponent(jobName)}?api-version=${this.API_VERSION}`;
-        const { data } = await httpInstance.put(url, payload);
-        return data;
-      }
-      async getJob(jobName) {
-        if (!jobName?.trim()) {
-          throw new Error("Job name is required");
-        }
-        const httpInstance = await this.getHttpInstance();
-        const url = `${this.getBaseUrl()}jobs/${encodeURIComponent(jobName)}?api-version=${this.API_VERSION}`;
-        const { data } = await httpInstance.get(url);
-        return data;
-      }
-      async deleteJob(jobName) {
-        if (!jobName?.trim()) {
-          throw new Error("Job name is required");
-        }
-        const httpInstance = await this.getHttpInstance();
-        const url = `${this.getBaseUrl()}jobs/${encodeURIComponent(jobName)}?api-version=${this.API_VERSION}`;
-        const { data } = await httpInstance.delete(url);
-        return data;
-      }
-    };
-    exports2.JobService = JobService2;
-  }
-});
-
-// ../../packages/common/dist/src/services/jobServiceInterface.js
-var require_jobServiceInterface = __commonJS({
-  "../../packages/common/dist/src/services/jobServiceInterface.js"(exports2) {
-    "use strict";
-    init_cjs_shims();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-  }
-});
-
 // ../../node_modules/.pnpm/js-yaml@4.1.1/node_modules/js-yaml/lib/common.js
 var require_common2 = __commonJS({
   "../../node_modules/.pnpm/js-yaml@4.1.1/node_modules/js-yaml/lib/common.js"(exports2, module2) {
@@ -3016,7 +3483,7 @@ var require_common2 = __commonJS({
     function isNothing(subject) {
       return typeof subject === "undefined" || subject === null;
     }
-    function isObject(subject) {
+    function isObject2(subject) {
       return typeof subject === "object" && subject !== null;
     }
     function toArray(sequence) {
@@ -3046,7 +3513,7 @@ var require_common2 = __commonJS({
       return number === 0 && Number.NEGATIVE_INFINITY === 1 / number;
     }
     module2.exports.isNothing = isNothing;
-    module2.exports.isObject = isObject;
+    module2.exports.isObject = isObject2;
     module2.exports.toArray = toArray;
     module2.exports.repeat = repeat;
     module2.exports.isNegativeZero = isNegativeZero;
@@ -5874,10 +6341,10 @@ var require_notebookUtils = __commonJS({
     exports2.getJupyterNotebook = getJupyterNotebook;
     exports2.removeCellOutput = removeCellOutput;
     exports2.notebookToBase64 = notebookToBase64;
-    var fs3 = __importStar(require("fs/promises"));
+    var fs7 = __importStar(require("fs/promises"));
     async function getJupyterNotebook(filePath) {
       try {
-        const notebookFile = await fs3.readFile(filePath, "utf-8");
+        const notebookFile = await fs7.readFile(filePath, "utf-8");
         return JSON.parse(notebookFile);
       } catch (error) {
         throw new Error(`Failed to read or parse the notebook file: ${error}`);
@@ -5955,18 +6422,18 @@ var require_secureExchangeManifestUtils = __commonJS({
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.updateSecureExchangeManifest = updateSecureExchangeManifest;
-    var fs3 = __importStar(require("fs-extra"));
+    var fs7 = __importStar(require("fs-extra"));
     var yaml = __importStar(require("yaml"));
     async function updateSecureExchangeManifest(manifestEntries, secureExchangeManifestPath) {
       if (manifestEntries.length > 0) {
-        const existingYaml = await fs3.readFile(secureExchangeManifestPath, "utf-8");
+        const existingYaml = await fs7.readFile(secureExchangeManifestPath, "utf-8");
         const parsedYaml = existingYaml ? yaml.parse(existingYaml) || [] : [];
         const newEntries = manifestEntries.filter((newEntry) => !parsedYaml.some((existingEntry) => existingEntry.id === newEntry.id && existingEntry.type === newEntry.type));
         if (newEntries.length === 0) {
           return;
         }
         const updatedYaml = [...parsedYaml, ...newEntries];
-        await fs3.writeFile(secureExchangeManifestPath, yaml.stringify(updatedYaml), "utf-8");
+        await fs7.writeFile(secureExchangeManifestPath, yaml.stringify(updatedYaml), "utf-8");
       }
     }
   }
@@ -6582,8 +7049,8 @@ var require_zipDirectory = __commonJS({
       try {
         const output = fs_1.default.createWriteStream(outPath);
         const archive = (0, archiver_1.default)("zip", { zlib: { level: 9 } });
-        return new Promise((resolve, reject) => {
-          output.on("close", resolve);
+        return new Promise((resolve2, reject) => {
+          output.on("close", resolve2);
           output.on("error", reject);
           archive.on("error", reject);
           archive.pipe(output);
@@ -6660,8 +7127,8 @@ var require_manifestProcessorService = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.ManifestProcessorService = void 0;
     var crypto_1 = require("crypto");
-    var fs3 = __importStar(require("fs-extra"));
-    var path5 = __importStar(require("path"));
+    var fs7 = __importStar(require("fs-extra"));
+    var path8 = __importStar(require("path"));
     var yaml = __importStar(require("yaml"));
     var constants_1 = require_constants();
     var buildScheduledJobArtifacts_1 = require_buildScheduledJobArtifacts();
@@ -6684,17 +7151,17 @@ var require_manifestProcessorService = __commonJS({
         };
       }
       async buildZipPackage(manifestPath) {
-        const manifestDir = path5.dirname(path5.resolve(manifestPath));
-        const tempPackageDir = path5.join(manifestDir, ".packaging-temp");
+        const manifestDir = path8.dirname(path8.resolve(manifestPath));
+        const tempPackageDir = path8.join(manifestDir, ".packaging-temp");
         try {
-          await fs3.rm(tempPackageDir, { recursive: true, force: true });
-          await fs3.mkdir(tempPackageDir, { recursive: true });
+          await fs7.rm(tempPackageDir, { recursive: true, force: true });
+          await fs7.mkdir(tempPackageDir, { recursive: true });
           const manifest = await (0, manifestParser_1.parseManifest)(manifestPath);
-          const discoveredFiles = await (0, discoverFiles_1.discoverFiles)(manifest.includePaths, path5.dirname(path5.resolve(manifestPath)));
+          const discoveredFiles = await (0, discoverFiles_1.discoverFiles)(manifest.includePaths, path8.dirname(path8.resolve(manifestPath)));
           console.log("Discovered files:", JSON.stringify(discoveredFiles, null, 2));
           (0, manifestValidator_1.validateSingleScAgent)(discoveredFiles);
-          const secureExchangeManifestPath = path5.join(tempPackageDir, "PackageManifest.yaml");
-          await fs3.writeFile(secureExchangeManifestPath, "");
+          const secureExchangeManifestPath = path8.join(tempPackageDir, "PackageManifest.yaml");
+          await fs7.writeFile(secureExchangeManifestPath, "");
           console.log("Empty PackageManifest.yaml created at:", secureExchangeManifestPath);
           await (0, processMainTemplate_1.processMainTemplate)(discoveredFiles, tempPackageDir, secureExchangeManifestPath);
           console.log("mainTemplate.json processed and added to PackageManifest.yaml");
@@ -6704,8 +7171,8 @@ var require_manifestProcessorService = __commonJS({
           console.log("SC Agents processed and PackageManifest.yaml updated.");
           await (0, refactorManifest_1.finalizeManifest)(secureExchangeManifestPath, tempPackageDir);
           const zipName = `${manifest.packageName}.zip`;
-          const manifestDir2 = path5.dirname(path5.resolve(manifestPath));
-          const outputZipPath = path5.join(manifestDir2, zipName);
+          const manifestDir2 = path8.dirname(path8.resolve(manifestPath));
+          const outputZipPath = path8.join(manifestDir2, zipName);
           await (0, zipDirectory_1.zipDirectory)(tempPackageDir, outputZipPath);
           console.log("Package zipped at:", outputZipPath);
           return outputZipPath;
@@ -6717,21 +7184,21 @@ var require_manifestProcessorService = __commonJS({
           }
         } finally {
           try {
-            await fs3.rm(tempPackageDir, { recursive: true, force: true });
+            await fs7.rm(tempPackageDir, { recursive: true, force: true });
           } catch (err) {
             console.warn("Please clean the temp directory as Failed to clean up temp directory:", err);
           }
         }
       }
       async validateManifest(manifestPath) {
-        const manifestDir = path5.dirname(path5.resolve(manifestPath));
-        const tempPackageDir = path5.join(manifestDir, ".packaging-temp");
+        const manifestDir = path8.dirname(path8.resolve(manifestPath));
+        const tempPackageDir = path8.join(manifestDir, ".packaging-temp");
         let parsed;
         try {
-          await fs3.rm(tempPackageDir, { recursive: true, force: true });
-          const content = await fs3.readFile(manifestPath, "utf8");
+          await fs7.rm(tempPackageDir, { recursive: true, force: true });
+          const content = await fs7.readFile(manifestPath, "utf8");
           parsed = yaml.parse(content);
-          const discoveredFiles = await (0, discoverFiles_1.discoverFiles)(parsed.includePaths, path5.dirname(path5.resolve(manifestPath)));
+          const discoveredFiles = await (0, discoverFiles_1.discoverFiles)(parsed.includePaths, path8.dirname(path8.resolve(manifestPath)));
           (0, manifestValidator_1.validateSingleScAgent)(discoveredFiles);
           const yamlType = parsed.yamlType;
           if (!yamlType) {
@@ -6741,8 +7208,8 @@ var require_manifestProcessorService = __commonJS({
           if (!validator) {
             throw new Error(`No validator found for yamlType '${yamlType}'`);
           }
-          const absPath = path5.resolve(manifestPath);
-          const manifestDir2 = path5.dirname(absPath);
+          const absPath = path8.resolve(manifestPath);
+          const manifestDir2 = path8.dirname(absPath);
           await validator(parsed, manifestDir2);
         } catch (err) {
           if (err instanceof Error) {
@@ -6752,30 +7219,30 @@ var require_manifestProcessorService = __commonJS({
           }
         } finally {
           try {
-            await fs3.rm(tempPackageDir, { recursive: true, force: true });
+            await fs7.rm(tempPackageDir, { recursive: true, force: true });
           } catch (err) {
             console.warn("Please clean the temp directory as Failed to clean up temp directory:", err);
           }
         }
       }
       async buildSideLoadRequest(manifestPath) {
-        const manifestDir = path5.dirname(path5.resolve(manifestPath));
-        const tempPackageDir = path5.join(manifestDir, ".packaging-temp");
-        const sentinelLakeDir = path5.join(tempPackageDir, constants_1.PackageManifestIdValues.SentinelLakeId);
+        const manifestDir = path8.dirname(path8.resolve(manifestPath));
+        const tempPackageDir = path8.join(manifestDir, ".packaging-temp");
+        const sentinelLakeDir = path8.join(tempPackageDir, constants_1.PackageManifestIdValues.SentinelLakeId);
         const deploymentId = (0, crypto_1.randomUUID)();
         try {
-          await fs3.rm(tempPackageDir, { recursive: true, force: true });
+          await fs7.rm(tempPackageDir, { recursive: true, force: true });
           const manifest = await (0, manifestParser_1.parseManifest)(manifestPath);
-          const discoveredFiles = await (0, discoverFiles_1.discoverFiles)(manifest.includePaths, path5.dirname(path5.resolve(manifestPath)));
+          const discoveredFiles = await (0, discoverFiles_1.discoverFiles)(manifest.includePaths, path8.dirname(path8.resolve(manifestPath)));
           console.log("Discovered files:", JSON.stringify(discoveredFiles, null, 2));
-          await fs3.mkdir(tempPackageDir, { recursive: true });
+          await fs7.mkdir(tempPackageDir, { recursive: true });
           await (0, buildScheduledJobArtifacts_1.processScheduledJobs)(discoveredFiles, tempPackageDir, "");
-          const jobDirs = await fs3.readdir(sentinelLakeDir);
+          const jobDirs = await fs7.readdir(sentinelLakeDir);
           const artifacts = [];
           for (const dir of jobDirs) {
-            const deploymentJsonPath = path5.join(sentinelLakeDir, dir, "deployment.json");
-            if (await fs3.pathExists(deploymentJsonPath)) {
-              const jsonContent = await fs3.readFile(deploymentJsonPath, "utf8");
+            const deploymentJsonPath = path8.join(sentinelLakeDir, dir, "deployment.json");
+            if (await fs7.pathExists(deploymentJsonPath)) {
+              const jsonContent = await fs7.readFile(deploymentJsonPath, "utf8");
               const escapedJson = JSON.stringify(JSON.parse(jsonContent));
               artifacts.push({
                 name: "deployment.yaml",
@@ -6798,7 +7265,7 @@ var require_manifestProcessorService = __commonJS({
           console.error("Error building side-load request:", error);
           throw error;
         } finally {
-          await fs3.remove(tempPackageDir);
+          await fs7.remove(tempPackageDir);
         }
       }
     };
@@ -7052,14 +7519,15 @@ var require_services = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_tenant(), exports2);
     __exportStar(require_httpConstants(), exports2);
+    __exportStar(require_jobs2(), exports2);
+    __exportStar(require_lake2(), exports2);
     __exportStar(require_httpService(), exports2);
     __exportStar(require_httpServiceInterface(), exports2);
-    __exportStar(require_jobService(), exports2);
-    __exportStar(require_jobServiceInterface(), exports2);
     __exportStar(require_manifestProcessorService(), exports2);
     __exportStar(require_manifestProcessorServiceInterface(), exports2);
     __exportStar(require_packageService(), exports2);
@@ -7086,26 +7554,122 @@ var require_errors = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_errorTypes(), exports2);
   }
 });
 
-// ../../packages/common/dist/src/utils/pathUtils.js
-var require_pathUtils = __commonJS({
-  "../../packages/common/dist/src/utils/pathUtils.js"(exports2) {
+// ../../packages/common/dist/src/telemetry/types.js
+var require_types2 = __commonJS({
+  "../../packages/common/dist/src/telemetry/types.js"(exports2) {
     "use strict";
     init_cjs_shims();
-    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
-      return mod && mod.__esModule ? mod : { "default": mod };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+  }
+});
+
+// ../../packages/common/dist/src/telemetry/index.js
+var require_telemetry = __commonJS({
+  "../../packages/common/dist/src/telemetry/index.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_types2(), exports2);
+  }
+});
+
+// ../../packages/common/dist/src/utils/decodeBase64Notebook.js
+var require_decodeBase64Notebook = __commonJS({
+  "../../packages/common/dist/src/utils/decodeBase64Notebook.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.decodeBase64Notebook = decodeBase64Notebook3;
+    var BASE64_RE = /^[A-Za-z0-9+/\r\n]*={0,2}$/;
+    function decodeBase64Notebook3(encoded, label) {
+      if (!encoded?.trim()) {
+        throw new Error(`${label} has no notebook content to decode.`);
+      }
+      if (!BASE64_RE.test(encoded.trim())) {
+        throw new Error(`${label} has an invalid base64-encoded notebook.`);
+      }
+      return Buffer.from(encoded, "base64").toString("utf-8");
+    }
+  }
+});
+
+// ../../packages/common/dist/src/utils/pathUtils.js
+var require_pathUtils = __commonJS({
+  "../../packages/common/dist/src/utils/pathUtils.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
+      return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.resolvePath = resolvePath2;
     var path_1 = __importDefault(require("path"));
-    function resolvePath2(p) {
-      return path_1.default.resolve(p);
+    function resolvePath2(p4) {
+      return path_1.default.resolve(p4);
+    }
+  }
+});
+
+// ../../packages/common/dist/src/utils/tokenUtils.js
+var require_tokenUtils = __commonJS({
+  "../../packages/common/dist/src/utils/tokenUtils.js"(exports2) {
+    "use strict";
+    init_cjs_shims();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.extractTenantId = extractTenantId2;
+    var TOKEN_PARSING = {
+      SEPARATOR: ".",
+      BASE64_HYPHEN_REPLACEMENT: "+",
+      BASE64_UNDERSCORE_REPLACEMENT: "/",
+      BASE64_HYPHEN_PATTERN: /-/g,
+      BASE64_UNDERSCORE_PATTERN: /_/g,
+      BASE64_ENCODING: "base64",
+      TENANT_ID_CLAIM: "tid",
+      TOKEN_PARTS_LENGTH: 3,
+      PAYLOAD_INDEX: 1
+    };
+    function extractTenantId2(accessToken) {
+      try {
+        const tokenParts = accessToken.split(TOKEN_PARSING.SEPARATOR);
+        if (tokenParts.length !== TOKEN_PARSING.TOKEN_PARTS_LENGTH) {
+          return void 0;
+        }
+        let base64Url = tokenParts[TOKEN_PARSING.PAYLOAD_INDEX].replace(TOKEN_PARSING.BASE64_HYPHEN_PATTERN, TOKEN_PARSING.BASE64_HYPHEN_REPLACEMENT).replace(TOKEN_PARSING.BASE64_UNDERSCORE_PATTERN, TOKEN_PARSING.BASE64_UNDERSCORE_REPLACEMENT);
+        while (base64Url.length % 4 !== 0) {
+          base64Url += "=";
+        }
+        const payload = JSON.parse(Buffer.from(base64Url, TOKEN_PARSING.BASE64_ENCODING).toString());
+        if (typeof payload === "object" && payload !== null) {
+          const tenantId = payload[TOKEN_PARSING.TENANT_ID_CLAIM];
+          return typeof tenantId === "string" ? tenantId : void 0;
+        }
+        return void 0;
+      } catch {
+        return void 0;
+      }
     }
   }
 });
@@ -7129,12 +7693,14 @@ var require_utils = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_correlationService(), exports2);
+    __exportStar(require_decodeBase64Notebook(), exports2);
     __exportStar(require_pathUtils(), exports2);
     __exportStar(require_jobPayloadUtils(), exports2);
+    __exportStar(require_tokenUtils(), exports2);
   }
 });
 
@@ -7157,7 +7723,7 @@ var require_src = __commonJS({
       o[k2] = m[k];
     }));
     var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+      for (var p4 in m) if (p4 !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p4)) __createBinding(exports3, m, p4);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     __exportStar(require_client(), exports2);
@@ -7167,6 +7733,7 @@ var require_src = __commonJS({
     __exportStar(require_models(), exports2);
     __exportStar(require_services(), exports2);
     __exportStar(require_errors(), exports2);
+    __exportStar(require_telemetry(), exports2);
     __exportStar(require_utils(), exports2);
   }
 });
@@ -7210,352 +7777,2577 @@ function addCreateZipCommand(packageCommand) {
   });
 }
 
-// src/commands/login.ts
+// src/commands/jobs/jobDefinitionCreate.ts
 init_cjs_shims();
-var os5 = __toESM(require("os"));
 
-// src/actions/authCodeLogin.ts
+// src/actions/jobs/index.ts
+init_cjs_shims();
+
+// src/actions/jobs/listJobs.ts
 init_cjs_shims();
-var import_child_process = require("child_process");
 var import_common3 = __toESM(require_src());
+async function listJobs(jobService, accessToken) {
+  const requestId = import_common3.CorrelationService.createCorrelationContext();
+  console.info("Fetching jobs...");
+  return jobService.listJobs(accessToken, requestId);
+}
 
-// src/auth/msalInstance.ts
+// src/actions/jobs/getJob.ts
 init_cjs_shims();
-var import_msal_node2 = require("@azure/msal-node");
+var import_common4 = __toESM(require_src());
+async function getJob(jobService, accessToken, jobName) {
+  const requestId = import_common4.CorrelationService.createCorrelationContext();
+  console.info(`Fetching job "${jobName}"...`);
+  return jobService.getJob(jobName, accessToken, requestId);
+}
 
-// src/config/msalConfig.ts
+// src/actions/jobs/deleteJob.ts
 init_cjs_shims();
-var import_msal_node = require("@azure/msal-node");
-var import_msal_node_extensions2 = require("@azure/msal-node-extensions");
+var import_common5 = __toESM(require_src());
+async function deleteJob(jobService, accessToken, jobName) {
+  const requestId = import_common5.CorrelationService.createCorrelationContext();
+  console.info(`Deleting job "${jobName}"...`);
+  return jobService.deleteJob(jobName, accessToken, requestId);
+}
 
-// src/auth/persistence/persistence.ts
+// src/actions/jobs/disableJob.ts
 init_cjs_shims();
-var import_msal_node_extensions = require("@azure/msal-node-extensions");
-var import_os = __toESM(require("os"));
+var import_common6 = __toESM(require_src());
+async function disableJob(jobService, accessToken, jobName) {
+  const requestId = import_common6.CorrelationService.createCorrelationContext();
+  console.info(`Disabling job "${jobName}"...`);
+  return jobService.disableJob(jobName, accessToken, requestId);
+}
+
+// src/actions/jobs/enableJob.ts
+init_cjs_shims();
+var import_common7 = __toESM(require_src());
+async function enableJob(jobService, accessToken, jobName) {
+  const requestId = import_common7.CorrelationService.createCorrelationContext();
+  console.info(`Enabling job "${jobName}"...`);
+  return jobService.enableJob(jobName, accessToken, requestId);
+}
+
+// src/actions/jobs/downloadJob.ts
+init_cjs_shims();
+var import_fs = __toESM(require("fs"));
 var import_path = __toESM(require("path"));
-var PlatformType = /* @__PURE__ */ ((PlatformType2) => {
-  PlatformType2["Windows"] = "win32";
-  PlatformType2["MacOS"] = "darwin";
-  PlatformType2["Linux"] = "linux";
-  return PlatformType2;
-})(PlatformType || {});
-async function createPersistence() {
-  const cacheFilePath = import_path.default.join(import_os.default.homedir(), ".nsdcli-cache.json");
-  const platform3 = import_os.default.platform();
-  switch (platform3) {
-    case "win32" /* Windows */:
-      return await import_msal_node_extensions.FilePersistenceWithDataProtection.create(cacheFilePath, import_msal_node_extensions.DataProtectionScope.CurrentUser);
-    case "darwin" /* MacOS */:
-      return await import_msal_node_extensions.KeychainPersistence.create("nsdcli.service", "nsdcli.account", "nsdcli");
-    case "linux" /* Linux */:
-      return await import_msal_node_extensions.LibSecretPersistence.create("nsdcli.service", "nsdcli.account", "nsdcli");
-    default:
-      throw new Error(
-        `Unsupported platform: ${platform3}. Supported platforms are: ${Object.values(PlatformType).join(", ")}`
-      );
+var import_common8 = __toESM(require_src());
+async function downloadJob(jobService, accessToken, jobName, outputPath) {
+  const requestId = import_common8.CorrelationService.createCorrelationContext();
+  console.info(`Fetching job "${jobName}"...`);
+  const job = await jobService.getJob(jobName, accessToken, requestId);
+  const inlineScript = job.jobDefinition.inlineScript;
+  const decoded = (0, import_common8.decodeBase64Notebook)(inlineScript, `job "${jobName}"`);
+  const sanitizedJobName = import_path.default.basename(jobName).replace(/[^a-zA-Z0-9_-]/g, "_");
+  const resolvedPath = import_path.default.resolve(outputPath ?? import_path.default.join(process.cwd(), `${sanitizedJobName}.ipynb`));
+  await import_fs.default.promises.mkdir(import_path.default.dirname(resolvedPath), { recursive: true });
+  await import_fs.default.promises.writeFile(resolvedPath, decoded, "utf-8");
+  return resolvedPath;
+}
+
+// src/actions/jobs/listJobRuns.ts
+init_cjs_shims();
+var import_common9 = __toESM(require_src());
+async function listJobRuns(jobService, accessToken, jobName) {
+  const requestId = import_common9.CorrelationService.createCorrelationContext();
+  console.info(`Fetching runs for job "${jobName}"...`);
+  return jobService.listJobRuns(jobName, accessToken, requestId);
+}
+
+// src/actions/jobs/getJobRun.ts
+init_cjs_shims();
+var import_common10 = __toESM(require_src());
+async function getJobRun(jobService, accessToken, jobName, runId) {
+  const requestId = import_common10.CorrelationService.createCorrelationContext();
+  console.info(`Fetching run "${runId}" for job "${jobName}"...`);
+  return jobService.getJobRun(jobName, runId, accessToken, requestId);
+}
+
+// src/actions/jobs/startJobRun.ts
+init_cjs_shims();
+var import_common11 = __toESM(require_src());
+async function startJobRun(jobService, accessToken, jobName) {
+  const requestId = import_common11.CorrelationService.createCorrelationContext();
+  console.info(`Starting run for job "${jobName}"...`);
+  return jobService.startJobRun(jobName, accessToken, requestId);
+}
+
+// src/actions/jobs/cancelJobRun.ts
+init_cjs_shims();
+var import_common12 = __toESM(require_src());
+async function cancelJobRun(jobService, accessToken, jobName, runId) {
+  const requestId = import_common12.CorrelationService.createCorrelationContext();
+  console.info(`Cancelling run "${runId}" for job "${jobName}"...`);
+  return jobService.cancelJobRun(jobName, runId, accessToken, requestId);
+}
+
+// src/actions/jobs/downloadJobRunNotebook.ts
+init_cjs_shims();
+var import_fs2 = __toESM(require("fs"));
+var import_path2 = __toESM(require("path"));
+var import_common13 = __toESM(require_src());
+async function downloadJobRunNotebook(jobService, accessToken, jobName, runId, outputPath) {
+  const requestId = import_common13.CorrelationService.createCorrelationContext();
+  console.info(`Fetching run "${runId}" for job "${jobName}"...`);
+  const run = await jobService.getJobRun(jobName, runId, accessToken, requestId);
+  const scriptSnapshot = run.scriptSnapshot;
+  const decoded = (0, import_common13.decodeBase64Notebook)(scriptSnapshot, `run "${runId}" for job "${jobName}"`);
+  const sanitizedJobName = import_path2.default.basename(jobName).replace(/[^a-zA-Z0-9_-]/g, "_");
+  const sanitizedRunId = import_path2.default.basename(runId).replace(/[^a-zA-Z0-9_-]/g, "_");
+  const defaultFileName = `${sanitizedJobName}_${sanitizedRunId}.ipynb`;
+  const resolvedPath = import_path2.default.resolve(outputPath ?? import_path2.default.join(process.cwd(), defaultFileName));
+  await import_fs2.default.promises.mkdir(import_path2.default.dirname(resolvedPath), { recursive: true });
+  await import_fs2.default.promises.writeFile(resolvedPath, decoded, "utf-8");
+  return resolvedPath;
+}
+
+// src/actions/jobs/createJobDefinition.ts
+init_cjs_shims();
+var p2 = __toESM(require("@clack/prompts"));
+var path3 = __toESM(require("path"));
+
+// src/utils/validator/jobDefinitionValidator.ts
+init_cjs_shims();
+var import_zod = require("zod");
+var ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})?)?$/;
+var JOB_TYPES = ["Notebook", "GraphNotebook", "Kql"];
+var NODE_SIZES = ["small", "medium", "large"];
+var REPEAT_FREQUENCIES = ["minutes", "hours", "days", "weeks", "months"];
+var INTERVAL_BOUNDS = {
+  minutes: { min: 15, max: 720 },
+  hours: { min: 1, max: 72 }
+};
+var FIXED_INTERVAL_FREQUENCIES = new Set(
+  REPEAT_FREQUENCIES.filter((f) => !(f in INTERVAL_BOUNDS))
+);
+var JOB_NAME_PATTERN = /^[a-zA-Z0-9 _-]+$/;
+var JOB_NAME_PATTERN_MESSAGE = "Job name may only contain letters, numbers, spaces, hyphens, or underscores";
+var VALID_WEEK_DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"];
+function isValidISODate(value) {
+  if (!ISO_DATE_PATTERN.test(value)) {
+    return false;
   }
+  return !isNaN(new Date(value).getTime());
 }
+var timeTableSchema = import_zod.z.object({
+  weekDays: import_zod.z.array(import_zod.z.enum(VALID_WEEK_DAYS)).optional(),
+  monthDays: import_zod.z.array(import_zod.z.number().int().min(1).max(31)).optional()
+}).optional();
+var scheduleConfigSchema = import_zod.z.object({
+  isEnabled: import_zod.z.boolean(),
+  repeatFrequency: import_zod.z.enum(REPEAT_FREQUENCIES).optional(),
+  interval: import_zod.z.number().int().positive().optional(),
+  startTime: import_zod.z.string().optional(),
+  endTime: import_zod.z.string().optional(),
+  timeTable: timeTableSchema
+});
+var jobDefinitionValidator = import_zod.z.object({
+  jobName: import_zod.z.string().min(1, "Job name is required").regex(JOB_NAME_PATTERN, JOB_NAME_PATTERN_MESSAGE),
+  jobPath: import_zod.z.string().min(1, "Job path is required"),
+  jobType: import_zod.z.enum(JOB_TYPES).optional(),
+  jobDescription: import_zod.z.string().optional(),
+  computeInfo: import_zod.z.object({
+    nodeSize: import_zod.z.enum(NODE_SIZES)
+  }).optional(),
+  scheduleConfig: scheduleConfigSchema.optional(),
+  inputTables: import_zod.z.array(import_zod.z.string()).optional(),
+  outputTables: import_zod.z.array(import_zod.z.string()).optional(),
+  runtimeArgs: import_zod.z.array(import_zod.z.string()).optional(),
+  isDisabled: import_zod.z.boolean().optional()
+}).refine(
+  (data) => {
+    const jobType = data.jobType ?? "Notebook";
+    if (jobType === "Kql") {
+      return true;
+    }
+    return data.jobPath.toLowerCase().endsWith(".ipynb");
+  },
+  { message: "Job path must be a Python notebook (.ipynb) file", path: ["jobPath"] }
+).refine(
+  (data) => {
+    if (data.scheduleConfig?.isEnabled) {
+      return !!data.scheduleConfig.repeatFrequency;
+    }
+    return true;
+  },
+  { message: "repeatFrequency is required for scheduled jobs", path: ["scheduleConfig", "repeatFrequency"] }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || !sc.repeatFrequency) {
+      return true;
+    }
+    return sc.interval !== void 0;
+  },
+  { message: "Interval is required for scheduled jobs", path: ["scheduleConfig", "interval"] }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || sc.interval === void 0 || !sc.repeatFrequency) {
+      return true;
+    }
+    const bounds = INTERVAL_BOUNDS[sc.repeatFrequency];
+    if (bounds) {
+      return sc.interval >= bounds.min && sc.interval <= bounds.max;
+    }
+    if (FIXED_INTERVAL_FREQUENCIES.has(sc.repeatFrequency)) {
+      return sc.interval === 1;
+    }
+    return true;
+  },
+  {
+    message: "Schedule interval is out of range for the selected frequency",
+    path: ["scheduleConfig", "interval"]
+  }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || !sc.startTime) {
+      return true;
+    }
+    return isValidISODate(sc.startTime);
+  },
+  { message: "Start time must be a valid ISO 8601 date", path: ["scheduleConfig", "startTime"] }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || !sc.endTime) {
+      return true;
+    }
+    return isValidISODate(sc.endTime);
+  },
+  { message: "End time must be a valid ISO 8601 date", path: ["scheduleConfig", "endTime"] }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || !sc.startTime || !sc.endTime) {
+      return true;
+    }
+    const start = new Date(sc.startTime);
+    const end = new Date(sc.endTime);
+    if (isNaN(start.getTime()) || isNaN(end.getTime())) {
+      return true;
+    }
+    return end > start;
+  },
+  { message: "End time must be after start time", path: ["scheduleConfig", "endTime"] }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || sc.repeatFrequency !== "weeks") {
+      return true;
+    }
+    const days = sc.timeTable?.weekDays;
+    return Array.isArray(days) && days.length > 0;
+  },
+  { message: "At least one day of the week is required for weekly schedule", path: ["scheduleConfig", "timeTable"] }
+).refine(
+  (data) => {
+    const sc = data.scheduleConfig;
+    if (!sc?.isEnabled || sc.repeatFrequency !== "months") {
+      return true;
+    }
+    const days = sc.timeTable?.monthDays;
+    return Array.isArray(days) && days.length > 0;
+  },
+  {
+    message: "At least one day of the month is required for monthly schedule",
+    path: ["scheduleConfig", "timeTable", "monthDays"]
+  }
+);
 
-// src/config/msalConfig.ts
-var os2 = __toESM(require("os"));
-async function getMsalConfig(environment, useCachePlugin = true, authorityOverride) {
-  let cachePlugin;
-  if (useCachePlugin) {
-    const persistence = await createPersistence();
-    await persistence.verifyPersistence();
-    cachePlugin = new import_msal_node_extensions2.PersistenceCachePlugin(persistence);
+// src/actions/jobs/promptHelpers.ts
+init_cjs_shims();
+var fs3 = __toESM(require("fs"));
+var p = __toESM(require("@clack/prompts"));
+var DEFAULT_NODE_SIZE = "large";
+var NODE_SIZE_OPTIONS = NODE_SIZES.map((size) => ({
+  value: size,
+  label: size === DEFAULT_NODE_SIZE ? `${capitalize(size)} (default)` : capitalize(size)
+}));
+var FREQUENCY_OPTIONS = REPEAT_FREQUENCIES.map((freq) => ({
+  value: freq,
+  label: capitalize(freq)
+}));
+var CONFIGURABLE_INTERVAL_FREQUENCIES = new Set(
+  Object.keys(INTERVAL_BOUNDS)
+);
+var WEEKDAY_OPTIONS = [
+  { value: "Monday", label: "Monday" },
+  { value: "Tuesday", label: "Tuesday" },
+  { value: "Wednesday", label: "Wednesday" },
+  { value: "Thursday", label: "Thursday" },
+  { value: "Friday", label: "Friday" },
+  { value: "Saturday", label: "Saturday" },
+  { value: "Sunday", label: "Sunday" }
+];
+function capitalize(s) {
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
+function handleCancel(value) {
+  if (p.isCancel(value)) {
+    p.cancel("Operation cancelled.");
+    process.exit(0);
   }
-  const config = {
-    auth: {
-      clientId: environment.aadClientId,
-      authority: authorityOverride ?? environment.aadEndpoint
-    },
-    cache: cachePlugin ? { cachePlugin } : void 0,
-    system: {
-      loggerOptions: {
-        loggerCallback(_level, message, containsPii) {
-          if (!containsPii) {
-            console.log(message);
-          }
-        },
-        logLevel: import_msal_node.LogLevel.Info,
-        piiLoggingEnabled: false
+}
+async function promptIfMissing(flagValue, promptFn) {
+  if (flagValue !== void 0) {
+    return flagValue;
+  }
+  const result = await promptFn();
+  handleCancel(result);
+  return result;
+}
+function validateInterval(frequency) {
+  return (v) => {
+    if (!v || v.trim() === "") {
+      return "Interval is required";
+    }
+    const trimmed = v.trim();
+    if (!/^\d+$/.test(trimmed)) {
+      return "Please enter a whole number";
+    }
+    const n = parseInt(trimmed, 10);
+    const bounds = INTERVAL_BOUNDS[frequency];
+    if (bounds) {
+      if (n < bounds.min) {
+        return `Minimum value is ${bounds.min} ${frequency}`;
+      }
+      if (n > bounds.max) {
+        return `Maximum value is ${bounds.max} ${frequency}`;
+      }
+    } else if (FIXED_INTERVAL_FREQUENCIES.has(frequency)) {
+      if (n !== 1) {
+        return `Interval must be 1 for ${frequency}`;
       }
     }
+    return void 0;
   };
-  if ("win32" /* Windows */ === os2.platform()) {
-    config.broker = {
-      nativeBrokerPlugin: new import_msal_node_extensions2.NativeBrokerPlugin()
-    };
+}
+function validateJobPath(v) {
+  if (!v) {
+    return "Job path is required";
   }
-  return config;
+  if (!v.toLowerCase().endsWith(".ipynb")) {
+    return "Job path must be a Python notebook (.ipynb) file";
+  }
+  if (!fs3.existsSync(v)) {
+    return `File not found at "${v}". Please provide a valid path to an existing .ipynb file`;
+  }
+  return void 0;
 }
-
-// src/auth/msalInstance.ts
-var msalInstances = /* @__PURE__ */ new Map();
-var getMsalInstance = async (env, authorityOverride) => {
-  const key = authorityOverride ?? env.aadEndpoint;
-  if (!msalInstances.has(key)) {
-    const config = await getMsalConfig(env, !process.env.CI, authorityOverride);
-    msalInstances.set(key, new import_msal_node2.PublicClientApplication(config));
+function validateISODate(v) {
+  if (!v) {
+    return "Date/time is required";
   }
-  return msalInstances.get(key);
-};
-
-// src/actions/authCodeLogin.ts
-var apiEnv = (0, import_common3.getApiEnv)(import_common3.SecurityPlatformEnvironment.Production);
-function openSystemBrowser(url) {
-  return new Promise((resolve, reject) => {
-    const command = process.platform === "darwin" ? "open" : "xdg-open";
-    (0, import_child_process.execFile)(command, [url], (error) => {
-      if (error) {
-        reject(new Error(`Failed to open browser: ${error.message}`));
-      } else {
-        resolve();
-      }
-    });
-  });
+  const iso8601Pattern = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})?)?$/;
+  if (!iso8601Pattern.test(v)) {
+    return "Must be a valid ISO 8601 date (e.g. 2026-01-01T09:00:00Z)";
+  }
+  const d = new Date(v);
+  if (isNaN(d.getTime())) {
+    return "Must be a valid ISO 8601 date (e.g. 2026-01-01T09:00:00Z)";
+  }
+  return void 0;
 }
-async function browserAuthLogin(scopes) {
-  const msalInstance = await getMsalInstance(apiEnv);
-  console.log("\u{1F510} Starting browser login. A browser window will open.");
-  const result = await msalInstance.acquireTokenInteractive({
-    scopes,
-    openBrowser: openSystemBrowser,
-    successTemplate: "<h1>Authentication successful</h1><p>You may close this tab and return to the terminal.</p>",
-    errorTemplate: "<h1>Authentication failed</h1><p>{error}</p>"
-  });
-  if (!result?.accessToken) {
-    throw new Error("Token acquisition failed: received null or empty token.");
+function validateEndTimeAfterStart(startTime, endTime) {
+  if (!endTime) {
+    return "End time is required";
   }
-  console.log("\u{1F511} Token acquired successfully.");
-  return result.accessToken;
+  const start = new Date(startTime);
+  const end = new Date(endTime);
+  if (isNaN(start.getTime()) || isNaN(end.getTime())) {
+    return "Please enter valid date and time values";
+  }
+  if (end <= start) {
+    return "End time must be after start time";
+  }
+  return void 0;
+}
+function validateJobName(v) {
+  if (!v) {
+    return "Job name is required";
+  }
+  if (!JOB_NAME_PATTERN.test(v)) {
+    return JOB_NAME_PATTERN_MESSAGE;
+  }
+  return void 0;
+}
+function validateEndTime(startTime) {
+  return (v) => {
+    const isoErr = validateISODate(v);
+    if (isoErr) {
+      return isoErr;
+    }
+    return validateEndTimeAfterStart(startTime, v);
+  };
 }
 
-// src/actions/brokerLogin.ts
+// src/utils/yaml/yamlIO.ts
 init_cjs_shims();
-var import_common4 = __toESM(require_src());
-var import_fs = __toESM(require("fs"));
-var import_os2 = __toESM(require("os"));
-var import_path2 = __toESM(require("path"));
-var apiEnv2 = (0, import_common4.getApiEnv)(import_common4.SecurityPlatformEnvironment.Production);
-var SENTINEL_DIR = import_path2.default.join(import_os2.default.homedir(), ".sentinel");
-var BROKER_ACCOUNT_FILE = import_path2.default.join(SENTINEL_DIR, "broker-account.json");
-function saveBrokerAccount(account, authority) {
-  import_fs.default.mkdirSync(SENTINEL_DIR, { recursive: true, mode: 448 });
-  const session = { account, authority };
-  const tempFile = `${BROKER_ACCOUNT_FILE}.tmp`;
-  import_fs.default.writeFileSync(tempFile, JSON.stringify(session, null, 2), { encoding: "utf8", mode: 384 });
-  import_fs.default.renameSync(tempFile, BROKER_ACCOUNT_FILE);
-}
-function loadBrokerAccount() {
+var fs4 = __toESM(require("fs"));
+var YAML = __toESM(require("yaml"));
+function readJobDefinitionYaml(filePath) {
+  if (!fs4.existsSync(filePath)) {
+    throw new Error(`File not found: ${filePath}`);
+  }
+  let raw;
   try {
-    if (import_fs.default.existsSync(BROKER_ACCOUNT_FILE)) {
-      const raw = import_fs.default.readFileSync(BROKER_ACCOUNT_FILE, "utf8");
-      const session = JSON.parse(raw);
-      if (session.account && typeof session.account === "object" && session.authority && typeof session.authority === "string") {
-        return session;
-      }
-    }
-  } catch {
+    const content = fs4.readFileSync(filePath, "utf-8");
+    raw = YAML.parse(content);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(`Failed to read/parse YAML: ${message}`);
   }
-  return null;
+  const result = jobDefinitionValidator.safeParse(raw);
+  if (result.success) {
+    return result.data;
+  }
+  const issues = result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`);
+  throw new Error(`Validation failed:
+${issues.join("\n")}`);
 }
-function deleteBrokerAccount() {
+function writeJobDefinitionYaml(filePath, config) {
+  const result = jobDefinitionValidator.safeParse(config);
+  if (!result.success) {
+    const issues = result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`);
+    return { success: false, issues };
+  }
   try {
-    if (import_fs.default.existsSync(BROKER_ACCOUNT_FILE)) {
-      import_fs.default.unlinkSync(BROKER_ACCOUNT_FILE);
-    }
-  } catch {
+    const yamlContent = YAML.stringify(result.data, { lineWidth: 0 });
+    fs4.writeFileSync(filePath, yamlContent, "utf-8");
+    return { success: true, issues: [] };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { success: false, issues: [`Failed to write file "${filePath}": ${message}`] };
   }
 }
-async function brokerLogin(scopes, tenant) {
-  const authorityOverride = tenant ? `${new URL(apiEnv2.aadEndpoint).origin}/${tenant}` : void 0;
-  const authority = authorityOverride ?? apiEnv2.aadEndpoint;
-  const msalInstance = await getMsalInstance(apiEnv2, authorityOverride);
-  const savedSession = loadBrokerAccount();
-  const accounts = await msalInstance.getTokenCache().getAllAccounts();
-  if (savedSession) {
-    try {
-      const silentResult = await msalInstance.acquireTokenSilent({
-        account: savedSession.account,
-        scopes,
-        authority: savedSession.authority
-      });
-      if (silentResult?.accessToken) {
-        console.log("\u2705 Authenticated silently via saved broker session.");
-        return silentResult.accessToken;
+
+// src/actions/jobs/createJobDefinition.ts
+function sanitizeFileName(fileName) {
+  return fileName.replace(/[<>:"/\\|?*]/g, "_").replace(/\s+/g, "_");
+}
+function fail(message) {
+  throw new Error(message);
+}
+async function collectJobDetails(jobNameArg, options) {
+  const jobName = await promptIfMissing(
+    jobNameArg,
+    () => p2.text({
+      message: "Job name:",
+      validate: validateJobName
+    })
+  );
+  if (jobNameArg !== void 0) {
+    const nameError = validateJobName(jobName);
+    if (nameError) {
+      fail(nameError);
+    }
+  }
+  const jobDescription = await promptIfMissing(
+    options.description,
+    () => p2.text({ message: "Description (optional):", defaultValue: "" })
+  );
+  const jobPath = await promptIfMissing(
+    options.notebook,
+    () => p2.text({
+      message: "Job path (.ipynb):",
+      placeholder: "path/to/notebook.ipynb",
+      validate: validateJobPath
+    })
+  );
+  if (options.notebook !== void 0) {
+    const pathError = validateJobPath(jobPath);
+    if (pathError) {
+      fail(pathError);
+    }
+  }
+  return { jobName, jobDescription, jobPath };
+}
+async function collectCompute(options) {
+  if (options.cluster) {
+    const normalized = options.cluster.toLowerCase();
+    if (!NODE_SIZES.includes(normalized)) {
+      fail(`Invalid cluster size "${options.cluster}". Must be one of: ${NODE_SIZES.join(", ")}`);
+    }
+    return normalized;
+  }
+  const result = await p2.select({
+    message: "Cluster size:",
+    options: NODE_SIZE_OPTIONS,
+    initialValue: DEFAULT_NODE_SIZE
+  });
+  handleCancel(result);
+  return result;
+}
+async function collectSchedule(options) {
+  let wantsSchedule = !!options.schedule;
+  if (!wantsSchedule) {
+    const result = await p2.confirm({ message: "Schedule this job?", initialValue: true });
+    handleCancel(result);
+    wantsSchedule = result;
+  }
+  if (!wantsSchedule) {
+    return { isEnabled: false };
+  }
+  const repeatFrequency = await promptIfMissing(
+    options.schedule,
+    () => p2.select({ message: "Repeat frequency:", options: FREQUENCY_OPTIONS })
+  );
+  if (options.schedule && !REPEAT_FREQUENCIES.includes(repeatFrequency)) {
+    fail(`Invalid schedule frequency "${options.schedule}". Must be one of: ${REPEAT_FREQUENCIES.join(", ")}`);
+  }
+  let interval = 1;
+  if (CONFIGURABLE_INTERVAL_FREQUENCIES.has(repeatFrequency)) {
+    const intervalStr = await promptIfMissing(
+      options.interval,
+      () => p2.text({
+        message: `Interval (${repeatFrequency}):`,
+        defaultValue: repeatFrequency === "minutes" ? "15" : "1",
+        validate: validateInterval(repeatFrequency)
+      })
+    );
+    if (options.interval) {
+      const intervalError = validateInterval(repeatFrequency)(intervalStr);
+      if (intervalError) {
+        fail(intervalError);
       }
-    } catch {
-      console.warn("\u26A0\uFE0F Silent broker authentication with saved session failed. Trying getAllAccounts()...");
     }
+    interval = Number(intervalStr);
   }
-  if (accounts.length > 0) {
-    try {
-      const silentResult = await msalInstance.acquireTokenSilent({
-        account: accounts[0],
-        scopes
-      });
-      if (silentResult?.accessToken) {
-        saveBrokerAccount(accounts[0], authority);
-        console.log("\u2705 Authenticated silently via Windows Native Broker (SSO).");
-        return silentResult.accessToken;
+  let timeTable;
+  if (repeatFrequency === "weeks") {
+    const result = await p2.multiselect({
+      message: "Which days of the week?",
+      options: [...WEEKDAY_OPTIONS],
+      required: true
+    });
+    handleCancel(result);
+    timeTable = { weekDays: result };
+  }
+  const startTime = await promptIfMissing(
+    options.startTime,
+    () => p2.text({
+      message: "Start time (ISO 8601):",
+      defaultValue: (/* @__PURE__ */ new Date()).toISOString(),
+      validate: validateISODate
+    })
+  );
+  if (options.startTime) {
+    const startError = validateISODate(startTime);
+    if (startError) {
+      fail(startError);
+    }
+  }
+  if (repeatFrequency === "months") {
+    const dayOfMonth = new Date(startTime).getDate();
+    timeTable = { monthDays: [dayOfMonth] };
+  }
+  let endTime;
+  if (options.endTime) {
+    endTime = options.endTime;
+  } else {
+    let endTimeResolved = false;
+    while (!endTimeResolved) {
+      const setEndTime = await p2.confirm({ message: "Set an end time?", initialValue: false });
+      handleCancel(setEndTime);
+      if (setEndTime) {
+        const result = await p2.text({
+          message: "End time (ISO 8601):",
+          validate: validateEndTime(startTime)
+        });
+        handleCancel(result);
+        endTime = result;
+        endTimeResolved = true;
+      } else {
+        p2.log.warn("This job will run indefinitely until manually stopped or deleted.");
+        const confirmIndefinite = await p2.confirm({ message: "Run indefinitely?", initialValue: true });
+        handleCancel(confirmIndefinite);
+        if (confirmIndefinite) {
+          endTimeResolved = true;
+        }
       }
-    } catch {
-      console.warn("\u26A0\uFE0F Silent broker authentication failed. Prompting interactively...");
     }
   }
-  const result = await msalInstance.acquireTokenInteractive({
-    scopes,
-    windowHandle: Buffer.alloc(0),
-    // headless / console window handle
-    openBrowser: async (_url) => {
+  if (options.endTime) {
+    const endError = validateEndTimeAfterStart(startTime, endTime);
+    if (endError) {
+      fail(endError);
     }
-  });
-  if (!result?.accessToken) {
-    throw new Error("Failed to acquire token via Windows Native Broker.");
   }
-  if (result.account) {
-    saveBrokerAccount(result.account, authority);
+  return { isEnabled: true, repeatFrequency, interval, startTime, endTime, timeTable };
+}
+async function createJobDefinition(jobNameArg, options) {
+  p2.intro("Create a job definition");
+  const { jobName, jobDescription, jobPath } = await collectJobDetails(jobNameArg, options);
+  const nodeSize = await collectCompute(options);
+  const schedule = await collectSchedule(options);
+  const config = {
+    jobName,
+    jobPath,
+    jobType: "Notebook",
+    ...jobDescription && { jobDescription },
+    computeInfo: { nodeSize },
+    ...schedule.isEnabled && {
+      scheduleConfig: {
+        isEnabled: true,
+        repeatFrequency: schedule.repeatFrequency,
+        interval: schedule.interval,
+        startTime: schedule.startTime,
+        endTime: schedule.endTime,
+        ...schedule.timeTable && { timeTable: schedule.timeTable }
+      }
+    }
+  };
+  const outputPath = path3.resolve(options.output ?? `${sanitizeFileName(jobName)}.yaml`);
+  const result = writeJobDefinitionYaml(outputPath, config);
+  if (!result.success) {
+    for (const issue of result.issues) {
+      p2.log.error(issue);
+    }
+    throw new Error("Validation failed");
   }
-  console.log("\u2705 Authenticated via Windows Native Broker.");
-  return result.accessToken;
+  p2.log.success(`Written to ${outputPath}`);
+  p2.outro("Job definition created successfully!");
 }
 
-// src/actions/deviceCodeLogin.ts
-init_cjs_shims();
-
-// src/services/msalAuth.ts
+// src/actions/jobs/showJobDefinition.ts
 init_cjs_shims();
-var import_common5 = __toESM(require_src());
 
-// src/actions/defaultLogin.ts
+// src/utils/formatter/outputFormatter.ts
 init_cjs_shims();
-var import_identity = require("@azure/identity");
-var DefaultCredentialProvider = class _DefaultCredentialProvider {
-  static instance;
-  constructor() {
+var COLUMN_SEPARATOR = "  ";
+var HEADER_RULE_CHAR = "\u2500";
+var OutputFormatter = class {
+  format;
+  constructor(options = {}) {
+    this.format = options.output ?? "table";
   }
-  static getInstance() {
-    if (!_DefaultCredentialProvider.instance) {
-      _DefaultCredentialProvider.instance = new _DefaultCredentialProvider();
+  /**
+   * Renders `rows` to stdout using the configured output format.
+   *
+   * @param rows    - The data array to render.
+   * @param columns - Column descriptors that define headers and value extractors.
+   */
+  print(rows, columns) {
+    if (this.format === "json") {
+      this.printJson(rows, columns);
+    } else {
+      this.printTable(rows, columns);
     }
-    return _DefaultCredentialProvider.instance;
   }
-  async getToken(scopes) {
-    const credential = new import_identity.DefaultAzureCredential();
-    const token = await credential.getToken(scopes);
-    if (!token) {
-      throw new Error("Failed to acquire token using DefaultAzureCredential.");
+  // ---------------------------------------------------------------------------
+  // Table rendering
+  // ---------------------------------------------------------------------------
+  printTable(rows, columns) {
+    if (rows.length === 0) {
+      console.log("(no results)");
+      return;
     }
-    return token;
+    const widths = columns.map((col) => {
+      const cellWidths = rows.map((row) => String(col.key(row) ?? "").length);
+      return Math.max(col.header.length, ...cellWidths);
+    });
+    const header = columns.map((col, i) => col.header.padEnd(widths[i])).join(COLUMN_SEPARATOR);
+    console.log(header);
+    const rule = widths.map((w) => HEADER_RULE_CHAR.repeat(w)).join(COLUMN_SEPARATOR);
+    console.log(rule);
+    for (const row of rows) {
+      const line = columns.map((col, i) => String(col.key(row) ?? "").padEnd(widths[i])).join(COLUMN_SEPARATOR);
+      console.log(line);
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // JSON rendering
+  // ---------------------------------------------------------------------------
+  printJson(rows, columns) {
+    const records = rows.map((row) => {
+      const record = {};
+      for (const col of columns) {
+        const key = col.jsonKey ?? col.header.toLowerCase();
+        const value = col.key(row);
+        record[key] = value ?? null;
+      }
+      return record;
+    });
+    console.log(JSON.stringify(records, null, 2));
   }
 };
 
-// src/services/msalAuth.ts
-var import_os3 = __toESM(require("os"));
-var apiEnv3 = (0, import_common5.getApiEnv)(import_common5.SecurityPlatformEnvironment.Production);
-async function loginAndGetDeviceCodeToken(scopes = [apiEnv3.gatewayAuthResourceUri]) {
-  const deviceCodeRequest = {
-    scopes,
-    deviceCodeCallback: (response) => {
-      console.log(response.message);
-    }
+// src/actions/jobs/showJobDefinition.ts
+var FIELD_COLUMNS = [
+  { header: "FIELD", key: (f) => f.label },
+  { header: "VALUE", key: (f) => f.value }
+];
+function buildJobFields(data) {
+  const fields = [
+    { label: "Name", value: data.jobName },
+    { label: "Description", value: data.jobDescription ?? "" },
+    { label: "Type", value: data.jobType ?? "" },
+    { label: "Job Path", value: data.jobPath },
+    { label: "Cluster", value: data.computeInfo?.nodeSize ? capitalize(data.computeInfo.nodeSize) : "" },
+    { label: "Disabled", value: data.isDisabled ? "Yes" : "No" }
+  ];
+  const schedule = data.scheduleConfig;
+  if (schedule?.isEnabled) {
+    const freq = schedule.repeatFrequency ? capitalize(schedule.repeatFrequency) : "";
+    const interval = schedule.interval ?? 1;
+    fields.push({ label: "Schedule", value: `Every ${interval} ${freq}` });
+    if (schedule.timeTable?.weekDays?.length) {
+      fields.push({ label: "Weekly Days", value: schedule.timeTable.weekDays.join(", ") });
+    }
+    if (schedule.timeTable?.monthDays?.length) {
+      fields.push({ label: "Monthly Days", value: schedule.timeTable.monthDays.join(", ") });
+    }
+    fields.push({ label: "Start Time", value: schedule.startTime ?? "" });
+    fields.push({ label: "End Time", value: schedule.endTime ?? "(indefinite)" });
+  } else {
+    fields.push({ label: "Schedule", value: "On-demand" });
+  }
+  fields.push({ label: "Input Tables", value: data.inputTables?.length ? data.inputTables.join(", ") : "(none)" });
+  fields.push({ label: "Output Tables", value: data.outputTables?.length ? data.outputTables.join(", ") : "(none)" });
+  if (data.runtimeArgs?.length) {
+    fields.push({ label: "Runtime Args", value: data.runtimeArgs.join(", ") });
+  }
+  return fields;
+}
+function showJobDefinition(filePath, options) {
+  const data = readJobDefinitionYaml(filePath);
+  const fmt = new OutputFormatter({ output: options.output ?? "table" });
+  const fields = buildJobFields(data);
+  fmt.print(fields, FIELD_COLUMNS);
+}
+
+// src/actions/jobs/updateJobDefinition.ts
+init_cjs_shims();
+var p3 = __toESM(require("@clack/prompts"));
+var UPDATABLE_FIELDS = [
+  { value: "description", label: "Description" },
+  { value: "jobPath", label: "Job path" },
+  { value: "cluster", label: "Cluster size" },
+  { value: "schedule", label: "Schedule" },
+  { value: "inputTables", label: "Input tables" },
+  { value: "outputTables", label: "Output tables" },
+  { value: "runtimeArgs", label: "Runtime arguments" }
+];
+async function updateDescription(config) {
+  const result = await p3.text({
+    message: "New description:",
+    defaultValue: config.jobDescription ?? ""
+  });
+  handleCancel(result);
+  config.jobDescription = result;
+}
+async function updateJobPath(config) {
+  const result = await p3.text({
+    message: "New job path (.ipynb):",
+    defaultValue: config.jobPath,
+    validate: validateJobPath
+  });
+  handleCancel(result);
+  config.jobPath = result;
+}
+async function updateCluster(config) {
+  const result = await p3.select({
+    message: "New cluster size:",
+    options: NODE_SIZE_OPTIONS,
+    initialValue: config.computeInfo?.nodeSize ?? DEFAULT_NODE_SIZE
+  });
+  handleCancel(result);
+  config.computeInfo = { nodeSize: result };
+}
+async function updateSchedule(config) {
+  const existing = config.scheduleConfig;
+  const wantsSchedule = await p3.confirm({
+    message: "Enable schedule?",
+    initialValue: existing?.isEnabled ?? true
+  });
+  handleCancel(wantsSchedule);
+  if (!wantsSchedule) {
+    config.scheduleConfig = { isEnabled: false };
+    return;
+  }
+  const frequency = await p3.select({
+    message: "Repeat frequency:",
+    options: FREQUENCY_OPTIONS,
+    initialValue: existing?.repeatFrequency ?? "days"
+  });
+  handleCancel(frequency);
+  const repeatFrequency = frequency;
+  let interval = 1;
+  if (CONFIGURABLE_INTERVAL_FREQUENCIES.has(repeatFrequency)) {
+    const defaultInterval = existing?.interval ?? (repeatFrequency === "minutes" ? 15 : 1);
+    const intervalStr = await p3.text({
+      message: `Interval (${repeatFrequency}):`,
+      defaultValue: String(defaultInterval),
+      validate: validateInterval(repeatFrequency)
+    });
+    handleCancel(intervalStr);
+    interval = Number(intervalStr);
+  }
+  let timeTable;
+  if (repeatFrequency === "weeks") {
+    const existingDays = existing?.timeTable?.weekDays ?? [];
+    const result = await p3.multiselect({
+      message: "Which days of the week?",
+      options: WEEKDAY_OPTIONS.map((opt) => ({
+        ...opt,
+        selected: existingDays.includes(opt.value)
+      })),
+      required: true
+    });
+    handleCancel(result);
+    timeTable = { weekDays: result };
+  }
+  const startTime = await p3.text({
+    message: "Start time (ISO 8601):",
+    defaultValue: existing?.startTime ?? (/* @__PURE__ */ new Date()).toISOString(),
+    validate: validateISODate
+  });
+  handleCancel(startTime);
+  if (repeatFrequency === "months") {
+    const dayOfMonth = new Date(startTime).getDate();
+    timeTable = { monthDays: [dayOfMonth] };
+  }
+  let endTime;
+  const setEndTime = await p3.confirm({
+    message: "Set an end time?",
+    initialValue: !!existing?.endTime
+  });
+  handleCancel(setEndTime);
+  if (setEndTime) {
+    const result = await p3.text({
+      message: "End time (ISO 8601):",
+      defaultValue: existing?.endTime ?? "",
+      validate: validateEndTime(startTime)
+    });
+    handleCancel(result);
+    endTime = result;
+  }
+  config.scheduleConfig = {
+    isEnabled: true,
+    repeatFrequency,
+    interval,
+    startTime,
+    endTime,
+    ...timeTable && { timeTable }
   };
-  const msalInstance = await getMsalInstance(apiEnv3);
-  const result = await msalInstance.acquireTokenByDeviceCode(deviceCodeRequest);
-  if (!result || !result.accessToken) {
-    throw new Error("Failed to acquire access token.");
+}
+async function updateStringArray(config, field, label) {
+  const current = config[field] ?? [];
+  const result = await p3.text({
+    message: `${label} (comma-separated):`,
+    defaultValue: current.join(", ")
+  });
+  handleCancel(result);
+  const raw = result;
+  config[field] = raw.trim() ? raw.split(",").map((s) => s.trim()) : [];
+}
+async function applyFieldUpdate(field, config) {
+  switch (field) {
+    case "description":
+      return updateDescription(config);
+    case "jobPath":
+      return updateJobPath(config);
+    case "cluster":
+      return updateCluster(config);
+    case "schedule":
+      return updateSchedule(config);
+    case "inputTables":
+      return updateStringArray(config, "inputTables", "Input tables");
+    case "outputTables":
+      return updateStringArray(config, "outputTables", "Output tables");
+    case "runtimeArgs":
+      return updateStringArray(config, "runtimeArgs", "Runtime arguments");
   }
-  console.log("\u2705 Authenticated using Device Code Flow");
-  return result.accessToken;
 }
-async function logout() {
-  try {
-    const msalInstance = await getMsalInstance(apiEnv3);
-    const accounts = await msalInstance.getTokenCache().getAllAccounts();
-    if (accounts.length === 0) {
-      console.log("\u2139 No cached accounts.");
-      return;
-    } else {
-      await msalInstance.getTokenCache().removeAccount(accounts[0]);
-      console.log("\u{1F44B} Logged out successfully.");
+async function updateJobDefinition(filePath) {
+  p3.intro("Update job definition");
+  const data = readJobDefinitionYaml(filePath);
+  let editing = true;
+  while (editing) {
+    const field = await p3.select({
+      message: "Which field to update?",
+      options: [...UPDATABLE_FIELDS]
+    });
+    handleCancel(field);
+    await applyFieldUpdate(field, data);
+    const again = await p3.confirm({ message: "Update another field?", initialValue: false });
+    handleCancel(again);
+    editing = again;
+  }
+  const result = writeJobDefinitionYaml(filePath, data);
+  if (!result.success) {
+    for (const issue of result.issues) {
+      p3.log.error(issue);
     }
-  } catch (error) {
-    console.error("\u274C Logout failed:", error instanceof Error ? error.message : "Unknown error");
-  } finally {
-    deleteBrokerAccount();
+    throw new Error("Validation failed");
   }
+  p3.log.success(`Updated ${filePath}`);
+  p3.outro("Done");
 }
-async function getAccessTokenFromCache(scopes = [apiEnv3.gatewayAuthResourceUri]) {
-  if (process.env.CI) {
-    const defaultCredentialProvider = DefaultCredentialProvider.getInstance();
-    const token = await defaultCredentialProvider.getToken(scopes);
-    return token.token;
+
+// src/utils/error/handleApiError.ts
+init_cjs_shims();
+function hasStatusCode(e) {
+  return e instanceof Error && "statusCode" in e && typeof e.statusCode === "number";
+}
+function hasResponseStatus(e) {
+  return e instanceof Error && "response" in e && e.response !== null && typeof e.response?.status === "number";
+}
+function getStatusInfo(error) {
+  if (hasStatusCode(error)) {
+    return ` (HTTP ${error.statusCode})`;
   }
-  const msalInstance = await getMsalInstance(apiEnv3);
-  const accounts = await msalInstance.getTokenCache().getAllAccounts();
-  console.log("\u{1F510} Checking MSAL cache for tokens...");
-  if (accounts.length > 0) {
+  if (hasResponseStatus(error)) {
+    return ` (HTTP ${error.response.status})`;
+  }
+  return "";
+}
+function handleApiError(context, error) {
+  if (error instanceof Error) {
+    console.error(`Error ${context}${getStatusInfo(error)}:`, error.message);
+    if (process.env.DEBUG && error.stack) {
+      console.error(error.stack);
+    }
+    process.exitCode = 1;
+    throw error;
+  }
+  const wrapped = new Error(`Unknown error ${context}: ${String(error)}`, { cause: error });
+  console.error(wrapped.message);
+  process.exitCode = 1;
+  throw wrapped;
+}
+
+// src/commands/jobs/jobDefinitionCreate.ts
+function addJobDefinitionCreateCommand(definitionCommand) {
+  definitionCommand.command("create [jobName]").description("Interactively create a job definition YAML file").option("--notebook <path>", "Path to the job file (.ipynb)").option("--description <text>", "Job description").option("--cluster <size>", "Cluster size (small | medium | large)").option("--schedule <frequency>", "Schedule frequency (minutes | hours | days | weeks | months)").option("--interval <number>", "Schedule interval").option("--start-time <datetime>", "Schedule start time (ISO 8601)").option("--end-time <datetime>", "Schedule end time (ISO 8601)").option("--output <path>", "Output YAML file path (default: ./<jobName>.yaml)").action(async (jobName, options) => {
     try {
-      const response = await msalInstance.acquireTokenSilent({
-        account: accounts[0],
-        scopes
-      });
-      if (response?.accessToken) {
-        console.log("\u2705 Authenticated using MSAL cache");
-        return response.accessToken;
-      }
-      console.warn("\u26A0\uFE0F Silent token acquisition returned no access token");
-    } catch {
-      console.warn("\u26A0\uFE0F Silent token acquisition failed");
+      await createJobDefinition(jobName, options);
+    } catch (error) {
+      handleApiError("creating job definition", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobDefinitionShow.ts
+init_cjs_shims();
+function addJobDefinitionShowCommand(definitionCommand) {
+  definitionCommand.command("show <path>").description("Display a job definition YAML file").option("--output <format>", "Output format (table | json)", "table").action((filePath, options) => {
+    try {
+      showJobDefinition(filePath, options);
+    } catch (error) {
+      handleApiError("showing job definition", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobDefinitionUpdate.ts
+init_cjs_shims();
+function addJobDefinitionUpdateCommand(definitionCommand) {
+  definitionCommand.command("update <path>").description("Interactively update a job definition YAML file").action(async (filePath) => {
+    try {
+      await updateJobDefinition(filePath);
+    } catch (error) {
+      handleApiError("updating job definition", error);
     }
+  });
+}
+
+// src/commands/jobs/jobDelete.ts
+init_cjs_shims();
+var import_common21 = __toESM(require_src());
+
+// src/services/jobs/index.ts
+init_cjs_shims();
+
+// src/services/jobs/jobService.ts
+init_cjs_shims();
+var JobService = class {
+  constructor(jobApiClient) {
+    this.jobApiClient = jobApiClient;
+  }
+  async listJobs(accessToken, requestId) {
+    return this.jobApiClient.listJobs(accessToken, requestId);
+  }
+  async getJob(jobName, accessToken, requestId) {
+    return this.jobApiClient.getJob(jobName, accessToken, requestId);
+  }
+  async deleteJob(jobName, accessToken, requestId) {
+    return this.jobApiClient.deleteJob(jobName, accessToken, requestId);
+  }
+  async disableJob(jobName, accessToken, requestId) {
+    return this.jobApiClient.disableJob(jobName, accessToken, requestId);
+  }
+  async enableJob(jobName, accessToken, requestId) {
+    return this.jobApiClient.enableJob(jobName, accessToken, requestId);
+  }
+  async listJobRuns(jobName, accessToken, requestId) {
+    return this.jobApiClient.listJobRuns(jobName, accessToken, requestId);
+  }
+  async getJobRun(jobName, runId, accessToken, requestId) {
+    return this.jobApiClient.getJobRun(jobName, runId, accessToken, requestId);
+  }
+  async startJobRun(jobName, accessToken, requestId) {
+    return this.jobApiClient.startJobRun(jobName, accessToken, requestId);
+  }
+  async cancelJobRun(jobName, runId, accessToken, requestId) {
+    return this.jobApiClient.cancelJobRun(jobName, runId, accessToken, requestId);
+  }
+};
+
+// src/services/getToken.ts
+init_cjs_shims();
+var import_common17 = __toESM(require_src());
+
+// src/auth/constants.ts
+init_cjs_shims();
+
+// src/auth/provider/TokenProviderFactory.ts
+init_cjs_shims();
+
+// src/auth/provider/DeviceCodeTokenProvider.ts
+init_cjs_shims();
+
+// src/services/msalAuth.ts
+init_cjs_shims();
+
+// src/auth/msalInstance.ts
+init_cjs_shims();
+var import_msal_node2 = require("@azure/msal-node");
+
+// src/config/msalConfig.ts
+init_cjs_shims();
+var import_msal_node = require("@azure/msal-node");
+var import_msal_node_extensions2 = require("@azure/msal-node-extensions");
+
+// src/auth/persistence/persistence.ts
+init_cjs_shims();
+var import_msal_node_extensions = require("@azure/msal-node-extensions");
+var import_os = __toESM(require("os"));
+var import_path3 = __toESM(require("path"));
+var PlatformType = /* @__PURE__ */ ((PlatformType2) => {
+  PlatformType2["Windows"] = "win32";
+  PlatformType2["MacOS"] = "darwin";
+  PlatformType2["Linux"] = "linux";
+  return PlatformType2;
+})(PlatformType || {});
+async function createPersistence() {
+  const cacheFilePath = import_path3.default.join(import_os.default.homedir(), ".nsdcli-cache.json");
+  const platform5 = import_os.default.platform();
+  switch (platform5) {
+    case "win32" /* Windows */:
+      return await import_msal_node_extensions.FilePersistenceWithDataProtection.create(cacheFilePath, import_msal_node_extensions.DataProtectionScope.CurrentUser);
+    case "darwin" /* MacOS */:
+      return await import_msal_node_extensions.KeychainPersistence.create("nsdcli.service", "nsdcli.account", "nsdcli");
+    case "linux" /* Linux */:
+      return await import_msal_node_extensions.LibSecretPersistence.create("nsdcli.service", "nsdcli.account", "nsdcli");
+    default:
+      throw new Error(
+        `Unsupported platform: ${platform5}. Supported platforms are: ${Object.values(PlatformType).join(", ")}`
+      );
+  }
+}
+
+// src/config/msalConfig.ts
+var os2 = __toESM(require("os"));
+async function getMsalConfig(environment, useCachePlugin = true, authorityOverride) {
+  let cachePlugin;
+  if (useCachePlugin) {
+    const persistence = await createPersistence();
+    await persistence.verifyPersistence();
+    cachePlugin = new import_msal_node_extensions2.PersistenceCachePlugin(persistence);
+  }
+  const config = {
+    auth: {
+      clientId: environment.aadClientId,
+      authority: authorityOverride ?? environment.aadEndpoint
+    },
+    cache: cachePlugin ? { cachePlugin } : void 0,
+    system: {
+      loggerOptions: {
+        // Suppress all MSAL internal logs from appearing in CLI output.
+        // MSAL's Info/Verbose messages are library internals not useful to end users.
+        // Only Warning and above are passed to this callback, and we intentionally
+        // discard them to keep the CLI output clean.
+        loggerCallback() {
+        },
+        logLevel: import_msal_node.LogLevel.Warning,
+        piiLoggingEnabled: false
+      }
+    }
+  };
+  if ("win32" /* Windows */ === os2.platform()) {
+    config.broker = {
+      nativeBrokerPlugin: new import_msal_node_extensions2.NativeBrokerPlugin()
+    };
+  }
+  return config;
+}
+
+// src/auth/msalInstance.ts
+var msalInstances = /* @__PURE__ */ new Map();
+var getMsalInstance = async (env, authorityOverride) => {
+  const key = authorityOverride ?? env.aadEndpoint;
+  if (!msalInstances.has(key)) {
+    const config = await getMsalConfig(env, !process.env.CI, authorityOverride);
+    msalInstances.set(key, new import_msal_node2.PublicClientApplication(config));
+  }
+  return msalInstances.get(key);
+};
+
+// src/services/msalAuth.ts
+var import_common15 = __toESM(require_src());
+
+// src/actions/defaultLogin.ts
+init_cjs_shims();
+var import_identity = require("@azure/identity");
+var DefaultCredentialProvider = class _DefaultCredentialProvider {
+  static instance;
+  constructor() {
+  }
+  static getInstance() {
+    if (!_DefaultCredentialProvider.instance) {
+      _DefaultCredentialProvider.instance = new _DefaultCredentialProvider();
+    }
+    return _DefaultCredentialProvider.instance;
+  }
+  async getToken(scopes) {
+    const credential = new import_identity.DefaultAzureCredential();
+    const token = await credential.getToken(scopes);
+    if (!token) {
+      throw new Error("Failed to acquire token using DefaultAzureCredential.");
+    }
+    return token;
+  }
+};
+
+// src/actions/brokerLogin.ts
+init_cjs_shims();
+var import_common14 = __toESM(require_src());
+var import_fs3 = __toESM(require("fs"));
+var import_os2 = __toESM(require("os"));
+var import_path4 = __toESM(require("path"));
+var apiEnv = (0, import_common14.getApiEnv)(import_common14.SecurityPlatformEnvironment.Production);
+var SENTINEL_DIR = import_path4.default.join(import_os2.default.homedir(), ".sentinel");
+var BROKER_ACCOUNT_FILE = import_path4.default.join(SENTINEL_DIR, "broker-account.json");
+function saveBrokerAccount(account, authority) {
+  import_fs3.default.mkdirSync(SENTINEL_DIR, { recursive: true, mode: 448 });
+  const session = { account, authority };
+  const tempFile = `${BROKER_ACCOUNT_FILE}.tmp`;
+  import_fs3.default.writeFileSync(tempFile, JSON.stringify(session, null, 2), { encoding: "utf8", mode: 384 });
+  import_fs3.default.renameSync(tempFile, BROKER_ACCOUNT_FILE);
+}
+function loadBrokerAccount() {
+  try {
+    if (import_fs3.default.existsSync(BROKER_ACCOUNT_FILE)) {
+      const raw = import_fs3.default.readFileSync(BROKER_ACCOUNT_FILE, "utf8");
+      const session = JSON.parse(raw);
+      if (session.account && typeof session.account === "object" && session.authority && typeof session.authority === "string") {
+        return session;
+      }
+    }
+  } catch {
+  }
+  return null;
+}
+function deleteBrokerAccount() {
+  try {
+    if (import_fs3.default.existsSync(BROKER_ACCOUNT_FILE)) {
+      import_fs3.default.unlinkSync(BROKER_ACCOUNT_FILE);
+    }
+  } catch {
+  }
+}
+async function brokerLogin(scopes, tenant) {
+  const authorityOverride = tenant ? `${new URL(apiEnv.aadEndpoint).origin}/${tenant}` : void 0;
+  const authority = authorityOverride ?? apiEnv.aadEndpoint;
+  const msalInstance = await getMsalInstance(apiEnv, authorityOverride);
+  const savedSession = loadBrokerAccount();
+  const accounts = await msalInstance.getTokenCache().getAllAccounts();
+  if (savedSession) {
+    try {
+      const silentResult = await msalInstance.acquireTokenSilent({
+        account: savedSession.account,
+        scopes,
+        authority: savedSession.authority
+      });
+      if (silentResult?.accessToken) {
+        console.log("\u2705 Authenticated silently via saved broker session.");
+        return silentResult.accessToken;
+      }
+    } catch {
+      console.warn("\u26A0\uFE0F Silent broker authentication with saved session failed. Trying getAllAccounts()...");
+    }
+  }
+  if (accounts.length > 0) {
+    try {
+      const silentResult = await msalInstance.acquireTokenSilent({
+        account: accounts[0],
+        scopes
+      });
+      if (silentResult?.accessToken) {
+        saveBrokerAccount(accounts[0], authority);
+        console.log("\u2705 Authenticated silently via Windows Native Broker (SSO).");
+        return silentResult.accessToken;
+      }
+    } catch {
+      console.warn("\u26A0\uFE0F Silent broker authentication failed. Prompting interactively...");
+    }
+  }
+  const result = await msalInstance.acquireTokenInteractive({
+    scopes,
+    prompt: "select_account",
+    windowHandle: Buffer.alloc(0),
+    // headless / console window handle
+    openBrowser: async (_url) => {
+    }
+  });
+  if (!result?.accessToken) {
+    throw new Error("Failed to acquire token via Windows Native Broker.");
+  }
+  if (result.account) {
+    saveBrokerAccount(result.account, authority);
+  }
+  console.log("\u2705 Authenticated via Windows Native Broker.");
+  return result.accessToken;
+}
+
+// src/services/msalAuth.ts
+var apiEnv2 = (0, import_common15.getApiEnv)(import_common15.SecurityPlatformEnvironment.Production);
+async function loginAndGetDeviceCodeToken(scopes = [apiEnv2.gatewayAuthResourceUri]) {
+  const deviceCodeRequest = {
+    scopes,
+    deviceCodeCallback: (response) => {
+      console.log(response.message);
+    }
+  };
+  const msalInstance = await getMsalInstance(apiEnv2);
+  const result = await msalInstance.acquireTokenByDeviceCode(deviceCodeRequest);
+  if (!result || !result.accessToken) {
+    throw new Error("Failed to acquire access token.");
+  }
+  console.log("\u2705 Authenticated using Device Code Flow");
+  return result.accessToken;
+}
+async function logout() {
+  try {
+    const msalInstance = await getMsalInstance(apiEnv2);
+    const accounts = await msalInstance.getTokenCache().getAllAccounts();
+    if (accounts.length === 0) {
+      console.log("\u2139 No cached accounts.");
+      return;
+    } else {
+      await msalInstance.getTokenCache().removeAccount(accounts[0]);
+      console.log("\u{1F44B} Logged out successfully.");
+    }
+  } catch (error) {
+    console.error("\u274C Logout failed:", error instanceof Error ? error.message : "Unknown error");
+  } finally {
+    deleteBrokerAccount();
+  }
+}
+async function getAccessTokenFromCache(scopes = [apiEnv2.gatewayAuthResourceUri]) {
+  if (process.env.CI) {
+    const defaultCredentialProvider = DefaultCredentialProvider.getInstance();
+    const token = await defaultCredentialProvider.getToken(scopes);
+    return token.token;
+  }
+  console.log("\u{1F510} Checking MSAL cache for tokens...");
+  const savedSession = loadBrokerAccount();
+  if (savedSession) {
+    const authoritySegment = (() => {
+      try {
+        return new URL(savedSession.authority).pathname.split("/").filter(Boolean).pop() ?? "";
+      } catch {
+        return "";
+      }
+    })();
+    const expectedTid = authoritySegment && authoritySegment !== "common" && authoritySegment !== "organizations" && authoritySegment !== "consumers" ? authoritySegment : null;
+    try {
+      const sessionMsal = await getMsalInstance(apiEnv2, savedSession.authority);
+      const response = await sessionMsal.acquireTokenSilent({
+        account: savedSession.account,
+        scopes,
+        authority: savedSession.authority
+      });
+      if (response?.accessToken) {
+        if (expectedTid && response.account?.tenantId && response.account.tenantId !== expectedTid) {
+          throw new Error(
+            `Active tenant is ${expectedTid} but silent acquisition returned a token for ${response.account.tenantId}. Run 'sentinel login --tenant ${expectedTid}' (or 'sentinel tenant select') to mint a tenant-bound token.`
+          );
+        }
+        console.log("\u2705 Authenticated using MSAL cache");
+        return response.accessToken;
+      }
+      throw new Error(
+        `Silent token acquisition returned no access token for the active tenant${expectedTid ? ` (${expectedTid})` : ""}. Run 'sentinel login${expectedTid ? ` --tenant ${expectedTid}` : ""}' to refresh credentials.`
+      );
+    } catch (err) {
+      throw err instanceof Error ? err : new Error(`Silent token acquisition failed: ${String(err)}`);
+    }
+  }
+  const msalInstance = await getMsalInstance(apiEnv2);
+  const accounts = await msalInstance.getTokenCache().getAllAccounts();
+  if (accounts.length > 0) {
+    try {
+      const response = await msalInstance.acquireTokenSilent({
+        account: accounts[0],
+        scopes
+      });
+      if (response?.accessToken) {
+        console.log("\u2705 Authenticated using MSAL cache");
+        return response.accessToken;
+      }
+      console.warn("\u26A0\uFE0F Silent token acquisition returned no access token");
+    } catch {
+      console.warn("\u26A0\uFE0F Silent token acquisition failed");
+    }
+  }
+  return "";
+}
+
+// src/auth/provider/DeviceCodeTokenProvider.ts
+var DeviceCodeTokenProvider = class {
+  options;
+  env;
+  constructor(env, options) {
+    if (!env) {
+      throw new Error("Environment cannot be null or undefined");
+    }
+    this.env = env;
+    this.options = {
+      ...options,
+      // overrides defaults if user provided values
+      scopes: options?.scopes ?? [this.env.gatewayAuthResourceUri]
+    };
+  }
+  async getAccessToken() {
+    let token = await getAccessTokenFromCache(this.options?.scopes);
+    if (token) {
+      return token;
+    }
+    token = await loginAndGetDeviceCodeToken(this.options?.scopes);
+    return token;
+  }
+};
+
+// src/auth/provider/ManagedIdentityTokenProvider.ts
+init_cjs_shims();
+var import_identity2 = require("@azure/identity");
+var ManagedIdentityTokenProvider = class {
+  options;
+  env;
+  constructor(env, options) {
+    if (!env) {
+      throw new Error("Environment cannot be null or undefined");
+    }
+    if (!options?.uamiClientId) {
+      throw new Error("UAMI clientId required for user-assigned managed identity");
+    }
+    this.env = env;
+    this.options = {
+      ...options,
+      // overrides defaults if user provided values
+      scopes: options?.scopes ?? [env.gatewayAuthResourceUri]
+    };
+  }
+  async getAccessToken() {
+    const scopes = this.options?.scopes && this.options.scopes.length > 0 ? this.options.scopes : [this.env.gatewayAuthResourceUri];
+    const credential = new import_identity2.ManagedIdentityCredential({
+      clientId: this.options?.uamiClientId
+    });
+    const token = await credential.getToken(scopes);
+    if (!token) {
+      throw new Error("Failed to get token from Managed Identity");
+    }
+    return token.token;
+  }
+};
+
+// src/auth/provider/MsalCacheTokenProvider.ts
+init_cjs_shims();
+var MsalCacheTokenProvider = class {
+  options;
+  env;
+  constructor(env, options) {
+    if (!env) {
+      throw new Error("Environment cannot be null or undefined");
+    }
+    this.env = env;
+    this.options = {
+      ...options,
+      scopes: options?.scopes?.length ? options.scopes : [this.env.gatewayAuthResourceUri]
+    };
+  }
+  async getAccessToken() {
+    const token = await getAccessTokenFromCache(this.options.scopes);
+    if (!token) {
+      throw new Error("No cached authentication token found. Please run `sentinel login` first.");
+    }
+    return token;
+  }
+};
+
+// src/auth/provider/TokenProviderFactory.ts
+var TokenProviderFactory = class {
+  static createProvider(env, method, options) {
+    switch (method) {
+      case "device_code":
+        return new DeviceCodeTokenProvider(env, options);
+      case "managed_identity":
+        if (!options) {
+          throw new Error("UAMI clientId required for user-assigned managed identity");
+        }
+        return new ManagedIdentityTokenProvider(env, options);
+      case "msal_cache":
+        return new MsalCacheTokenProvider(env, options);
+      default:
+        throw new Error(`Unsupported token method: ${method}`);
+    }
+  }
+};
+
+// src/telemetry/index.ts
+init_cjs_shims();
+
+// src/telemetry/telemetryService.ts
+init_cjs_shims();
+var import_common16 = __toESM(require_src());
+var import_api = require("@opentelemetry/api");
+var import_monitor_opentelemetry = require("@azure/monitor-opentelemetry");
+
+// src/telemetry/connectionString.ts
+init_cjs_shims();
+var APPLICATION_INSIGHTS_CONNECTION_STRING = "InstrumentationKey=0dadb494-ecd4-44a5-bcc1-baa55b3778be;IngestionEndpoint=https://eastus-8.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/;ApplicationId=8bc9c85a-22a3-45f8-b4f5-0bb6cd6ddad2";
+
+// src/telemetry/types.ts
+init_cjs_shims();
+var TELEMETRY_OPT_OUT_ENV_VARS = ["SENTINEL_TELEMETRY_OPTOUT", "DO_NOT_TRACK"];
+
+// src/telemetry/commonProperties.ts
+init_cjs_shims();
+var os4 = __toESM(require("os"));
+var import_uuid = require("uuid");
+function readAppVersion() {
+  return true ? "0.3.0" : "unknown";
+}
+function detectCiEnvironment(env = process.env) {
+  if (env.TF_BUILD) {
+    return "AzureDevOps";
+  }
+  if (env.GITHUB_ACTIONS) {
+    return "GitHubActions";
+  }
+  if (env.BUILD_BUILDID) {
+    return "AzureDevOps";
+  }
+  if (env.JENKINS_URL) {
+    return "Jenkins";
+  }
+  if (env.CIRCLECI) {
+    return "CircleCI";
+  }
+  if (env.GITLAB_CI) {
+    return "GitLab";
+  }
+  if (env.CI) {
+    return "Generic";
+  }
+  return "unknown";
+}
+function buildCommonProperties(sessionId = (0, import_uuid.v4)()) {
+  return {
+    appName: "sentinel-cli",
+    appVersion: readAppVersion(),
+    nodeVersion: process.versions.node,
+    platform: process.platform,
+    arch: process.arch,
+    osRelease: os4.release(),
+    sessionId,
+    ciEnvironment: detectCiEnvironment()
+  };
+}
+
+// src/telemetry/redact.ts
+init_cjs_shims();
+var EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi;
+var GUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
+var JWT_RE = /(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}(?![A-Za-z0-9_-])/g;
+var UNIX_PATH_RE = /(?<![A-Za-z0-9_./\\-])(?:\/[^\s]+\/([^\s/]+)|\/([^\s/]+))/g;
+var WIN_PATH_RE = /(?<![A-Za-z0-9_./\\-])(?:[a-zA-Z]:\\[^\s]+\\([^\s\\]+)|[a-zA-Z]:\\([^\s\\]+))/g;
+function redactString(input) {
+  if (!input) {
+    return input;
+  }
+  return input.replace(JWT_RE, "<jwt>").replace(EMAIL_RE, "<email>").replace(GUID_RE, "<guid>").replace(UNIX_PATH_RE, (_m, deepBase, rootBase) => `<redacted>/${deepBase ?? rootBase}`).replace(WIN_PATH_RE, (_m, deepBase, rootBase) => `<redacted>\\${deepBase ?? rootBase}`);
+}
+function redactError(error) {
+  const name = error.name || "Error";
+  const message = redactString(error.message ?? "");
+  const stack = error.stack ? error.stack.split("\n").slice(0, 4).map((line) => redactString(line)).join("\n") : "";
+  return {
+    errorName: name,
+    errorMessage: message,
+    errorStack: stack
+  };
+}
+
+// src/telemetry/telemetryService.ts
+var TRACER_NAME = "sentinel-cli";
+var TRACER_VERSION = "1.0.0";
+var azureMonitorInitialized = false;
+var TelemetryService = class _TelemetryService {
+  sharedProperties = {};
+  commonProperties;
+  enabled;
+  initialized = false;
+  disposed = false;
+  tracer;
+  constructor(options = {}) {
+    this.enabled = _TelemetryService.resolveEnabled(options);
+    this.commonProperties = buildCommonProperties(options.sessionId);
+    if (this.enabled) {
+      this.initialize(options.connectionString ?? APPLICATION_INSIGHTS_CONNECTION_STRING);
+    }
+  }
+  /** Determine whether telemetry should be active for this process. */
+  static resolveEnabled(options) {
+    if (options.forceDisabled) {
+      return false;
+    }
+    for (const name of TELEMETRY_OPT_OUT_ENV_VARS) {
+      if (process.env[name] === "1" || process.env[name]?.toLowerCase() === "true") {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Initialise the Azure Monitor OpenTelemetry distro exactly once per
+   * process, then acquire this instance's tracer. `useAzureMonitor()`
+   * installs global SDK state (TracerProvider, exporters, processors), so
+   * it is guarded by a module-level flag; `trace.getTracer()` is cheap and
+   * idempotent so it is safe to call for every instance.
+   *
+   * Resource configuration is applied via OpenTelemetry env vars, set
+   * programmatically *before* `useAzureMonitor()` so they're observed by
+   * the SDK's resource-detection bootstrap:
+   *
+   * - `OTEL_NODE_RESOURCE_DETECTORS` — restricted to `env,os,serviceinstance`
+   *   so the `HostDetector` is **never** registered. This suppresses
+   *   `host.name` (device hostname, PII like `User-MacBook-Pro.local`),
+   *   `host.id` (stable hardware fingerprint), and `host.arch`.
+   * - `OTEL_SERVICE_NAME` — populates `service.name`, which Azure Monitor
+   *   maps to `cloud_RoleName`. Without this, the backend records the OTel
+   *   default `"unknown_service:node"`.
+   * - `OTEL_RESOURCE_ATTRIBUTES` — adds `service.version` (no dedicated env
+   *   var exists for it).
+   *
+   * Each variable is set with `??=` so any caller-provided override (e.g.
+   * tests, advanced users) wins.
+   */
+  initialize(connectionString) {
+    if (!azureMonitorInitialized) {
+      process.env.OTEL_NODE_RESOURCE_DETECTORS ??= "env,os,serviceinstance";
+      process.env.OTEL_SERVICE_NAME ??= TRACER_NAME;
+      process.env.OTEL_RESOURCE_ATTRIBUTES ??= `service.version=${TRACER_VERSION}`;
+      (0, import_monitor_opentelemetry.useAzureMonitor)({
+        azureMonitorExporterOptions: { connectionString },
+        tracesPerSecond: 0,
+        samplingRatio: 1
+      });
+      azureMonitorInitialized = true;
+    }
+    this.tracer = import_api.trace.getTracer(TRACER_NAME, TRACER_VERSION);
+    this.initialized = true;
+  }
+  /**
+   * Merge common + shared + caller-supplied properties into a flat
+   * {@link Attributes} bag suitable for an OTel span. Primitive values
+   * (`number`, `boolean`) are passed through unchanged so that downstream
+   * Azure Monitor / Log Analytics queries see their native types instead
+   * of stringified versions (which would break numeric aggregations and
+   * boolean comparisons).
+   */
+  mergeAttributes(extra) {
+    const result = {
+      ...this.commonProperties,
+      ...this.sharedProperties
+    };
+    if (extra) {
+      for (const [key, value] of Object.entries(extra)) {
+        if (value === void 0) {
+          continue;
+        }
+        result[key] = value;
+      }
+    }
+    return result;
+  }
+  event(eventName, data) {
+    if (!this.enabled || this.disposed || !this.tracer) {
+      return;
+    }
+    const span = this.tracer.startSpan(eventName, {
+      attributes: this.mergeAttributes(data?.properties)
+    });
+    if (data?.measurements) {
+      for (const [k, v] of Object.entries(data.measurements)) {
+        span.setAttribute(k, v);
+      }
+    }
+    span.end();
+  }
+  span(eventName, initialAttributes) {
+    if (!this.enabled || this.disposed || !this.tracer) {
+      return new NoopSpanContext(eventName, initialAttributes);
+    }
+    return new TelemetrySpanContext(
+      this.tracer,
+      eventName,
+      initialAttributes,
+      (extras) => this.mergeAttributes(extras)
+    );
+  }
+  setSharedProperty(name, value) {
+    if (value === void 0) {
+      delete this.sharedProperties[name];
+    } else {
+      this.sharedProperties[name] = value;
+    }
+  }
+  getSharedProperties() {
+    return { ...this.sharedProperties };
+  }
+  async dispose() {
+    if (this.disposed) {
+      return;
+    }
+    this.disposed = true;
+    if (!this.enabled || !this.initialized) {
+      return;
+    }
+    try {
+      await (0, import_monitor_opentelemetry.shutdownAzureMonitor)();
+    } catch {
+    } finally {
+      this.tracer = void 0;
+      azureMonitorInitialized = false;
+    }
+  }
+};
+var TelemetrySpanContext = class {
+  startTime = Date.now();
+  eventName;
+  attributes;
+  otSpan;
+  requestId;
+  mergeAttributes;
+  ended = false;
+  constructor(tracer, eventName, initialAttributes, mergeAttributes) {
+    this.eventName = eventName;
+    this.attributes = { ...initialAttributes ?? {} };
+    this.requestId = this.attributes.requestId ?? import_common16.CorrelationService.createCorrelationContext();
+    this.attributes.requestId = this.requestId;
+    this.mergeAttributes = mergeAttributes;
+    this.otSpan = tracer.startSpan(eventName, {
+      attributes: this.mergeAttributes(this.attributes)
+    });
+  }
+  getRequestId() {
+    return this.requestId;
+  }
+  addAttributes(extra) {
+    this.applyAttributes(extra);
+  }
+  end(extra) {
+    if (this.ended) {
+      return;
+    }
+    this.applyAttributes(extra);
+    this.finalize();
+  }
+  error(err, extra) {
+    if (this.ended) {
+      return;
+    }
+    const redacted = redactError(err);
+    this.applyAttributes({ ...extra, ...redacted, success: false });
+    const sanitized = new Error(redacted.errorMessage);
+    sanitized.name = redacted.errorName;
+    sanitized.stack = redacted.errorStack;
+    this.otSpan.recordException(sanitized);
+    this.otSpan.setStatus({ code: import_api.SpanStatusCode.ERROR, message: redacted.errorMessage });
+    this.finalize();
+  }
+  /**
+   * Merge non-undefined entries into both the local bag and the OTel span.
+   * Values keep their native primitive type (`string | number | boolean`)
+   * so the backing SDK records typed attributes rather than stringified ones.
+   */
+  applyAttributes(extra) {
+    if (!extra) {
+      return;
+    }
+    for (const [k, v] of Object.entries(extra)) {
+      if (v === void 0) {
+        continue;
+      }
+      this.attributes[k] = v;
+      this.otSpan.setAttribute(k, v);
+    }
+  }
+  /** Stamp duration, close the OTel span, and flip the ended flag. */
+  finalize() {
+    this.ended = true;
+    const finalAttrs = this.mergeAttributes(this.attributes);
+    for (const [k, v] of Object.entries(finalAttrs)) {
+      if (v !== void 0) {
+        this.otSpan.setAttribute(k, v);
+      }
+    }
+    this.otSpan.setAttribute("durationMs", Date.now() - this.startTime);
+    this.otSpan.end();
+  }
+};
+var NoopSpanContext = class {
+  startTime = Date.now();
+  eventName;
+  attributes;
+  requestId;
+  constructor(eventName, initialAttributes) {
+    this.eventName = eventName;
+    this.attributes = { ...initialAttributes ?? {} };
+    this.requestId = this.attributes.requestId ?? import_common16.CorrelationService.createCorrelationContext();
+    this.attributes.requestId = this.requestId;
+  }
+  getRequestId() {
+    return this.requestId;
+  }
+  addAttributes(extra) {
+    for (const [k, v] of Object.entries(extra)) {
+      if (v !== void 0) {
+        this.attributes[k] = v;
+      }
+    }
+  }
+  end() {
+  }
+  error() {
+  }
+};
+
+// src/telemetry/index.ts
+var singleton;
+function getTelemetry(options) {
+  if (!singleton) {
+    singleton = new TelemetryService(options);
+  }
+  return singleton;
+}
+
+// src/services/getToken.ts
+async function getToken(env, scopes, clientId) {
+  let provider = null;
+  const options = {
+    uamiClientId: clientId,
+    scopes
+  };
+  if (clientId) {
+    provider = TokenProviderFactory.createProvider(env, "managed_identity" /* ManagedIdentity */, options);
+  } else {
+    provider = TokenProviderFactory.createProvider(env, "msal_cache" /* MsalCache */, options);
+  }
+  const token = await provider.getAccessToken();
+  stampTenantTelemetry(token);
+  return token;
+}
+function stampTenantTelemetry(token) {
+  try {
+    const tenantId = (0, import_common17.extractTenantId)(token);
+    getTelemetry().setSharedProperty("tenantId", tenantId || "");
+  } catch {
+  }
+}
+
+// src/client/jobs/index.ts
+init_cjs_shims();
+var import_common19 = __toESM(require_src());
+
+// src/utils/headerBuilder.ts
+init_cjs_shims();
+var import_common18 = __toESM(require_src());
+function buildApiHeaders(token, requestId, extra) {
+  const base = {};
+  if (requestId) {
+    base[import_common18.HTTP_HEADER.REQUEST_ID] = requestId;
+  }
+  if (!extra || !(import_common18.HTTP_HEADER.CONTENT_TYPE in extra)) {
+    base[import_common18.HTTP_HEADER.CONTENT_TYPE] = import_common18.HTTP_HEADER.APPLICATION_JSON;
+  }
+  if (token) {
+    base[import_common18.HTTP_HEADER.AUTHORIZATION] = `${import_common18.HTTP_HEADER.BEARER_PREFIX}${token}`;
+  }
+  const merged = { ...base, ...extra || {} };
+  return Object.fromEntries(
+    Object.entries(merged).filter((entry) => entry[1] !== void 0)
+  );
+}
+
+// src/utils/noopTelemetry.ts
+init_cjs_shims();
+var noopSpan = {
+  addAttributes: () => {
+  },
+  end: () => {
+  },
+  error: () => {
+  }
+};
+var noopTelemetry = {
+  span: () => noopSpan
+};
+
+// src/client/jobs/index.ts
+function createJobApiClient(env, region) {
+  const requestService = new import_common19.RequestService(noopTelemetry, buildApiHeaders);
+  return new import_common19.JobApiClient({
+    requestService,
+    baseUrl: env.regions[region].gatewayEndpoint
+  });
+}
+
+// src/utils/parseRegion.ts
+init_cjs_shims();
+var import_common20 = __toESM(require_src());
+function parseRegion(value) {
+  if (Object.values(import_common20.Region).includes(value)) {
+    return value;
+  }
+  throw new Error(`Invalid region "${value}". Valid regions: ${Object.values(import_common20.Region).join(", ")}`);
+}
+
+// src/commands/jobs/jobDelete.ts
+function addJobDeleteCommand(jobCommand) {
+  jobCommand.command("delete <jobName>").description("Delete a scheduled job").option("-r, --region <region>", "Target region (default: global)", import_common21.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common21.getApiEnv)(import_common21.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      await deleteJob(jobService, accessToken, jobName);
+      console.log(`Job "${jobName}" deleted successfully.`);
+    } catch (error) {
+      handleApiError("deleting job", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobDisable.ts
+init_cjs_shims();
+var import_common22 = __toESM(require_src());
+function addJobDisableCommand(jobCommand) {
+  jobCommand.command("disable <jobName>").description("Disable a scheduled job").option("-r, --region <region>", "Target region (default: global)", import_common22.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common22.getApiEnv)(import_common22.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      await disableJob(jobService, accessToken, jobName);
+      console.log(`Job "${jobName}" disabled successfully.`);
+    } catch (error) {
+      handleApiError("disabling job", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobDownload.ts
+init_cjs_shims();
+var import_common23 = __toESM(require_src());
+function addJobDownloadCommand(jobCommand) {
+  jobCommand.command("download <jobName>").description("Download the notebook of a scheduled job").option("-o, --output <path>", "Output file path (defaults to <jobName>.ipynb)").option("-r, --region <region>", "Target region (default: global)", import_common23.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common23.getApiEnv)(import_common23.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const writtenPath = await downloadJob(jobService, accessToken, jobName, options.output);
+      console.log(`Notebook downloaded to: ${writtenPath}`);
+    } catch (error) {
+      handleApiError("downloading job notebook", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobEnable.ts
+init_cjs_shims();
+var import_common24 = __toESM(require_src());
+function addJobEnableCommand(jobCommand) {
+  jobCommand.command("enable <jobName>").description("Enable a scheduled job").option("-r, --region <region>", "Target region (default: global)", import_common24.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common24.getApiEnv)(import_common24.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      await enableJob(jobService, accessToken, jobName);
+      console.log(`Job "${jobName}" enabled successfully.`);
+    } catch (error) {
+      handleApiError("enabling job", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobList.ts
+init_cjs_shims();
+var import_common25 = __toESM(require_src());
+var JOB_COLUMNS = [
+  { header: "NAME", key: (j) => j.jobName },
+  { header: "TYPE", key: (j) => j.jobType },
+  { header: "DISABLED", key: (j) => String(j.isDisabled) }
+];
+function addJobListCommand(jobCommand) {
+  jobCommand.command("list").description("List all scheduled jobs").option("-r, --region <region>", "Target region (default: global)", import_common25.Region.Global).action(async (options) => {
+    try {
+      const apiEnv4 = (0, import_common25.getApiEnv)(import_common25.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const jobs = await listJobs(jobService, accessToken);
+      const fmt = new OutputFormatter();
+      fmt.print(jobs, JOB_COLUMNS);
+    } catch (error) {
+      handleApiError("listing jobs", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobRunCancel.ts
+init_cjs_shims();
+var import_common26 = __toESM(require_src());
+function addJobRunCancelCommand(runCommand) {
+  runCommand.command("cancel <jobName> <runId>").description("Cancel a specific job run").option("-r, --region <region>", "Target region (default: global)", import_common26.Region.Global).action(async (jobName, runId, options) => {
+    try {
+      const apiEnv4 = (0, import_common26.getApiEnv)(import_common26.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      await cancelJobRun(jobService, accessToken, jobName, runId);
+      console.log(`Run "${runId}" for job "${jobName}" cancelled successfully.`);
+    } catch (error) {
+      handleApiError("cancelling job run", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobRunList.ts
+init_cjs_shims();
+var import_common27 = __toESM(require_src());
+var RUN_COLUMNS = [
+  { header: "RUN ID", key: (r) => r.jobRunId ?? "" },
+  { header: "STATUS", key: (r) => r.status ?? "" },
+  { header: "STARTED", key: (r) => r.startTime ?? "" },
+  { header: "ENDED", key: (r) => r.endTime ?? "" }
+];
+function addJobRunListCommand(runCommand) {
+  runCommand.command("list <jobName>").description("List all runs for a scheduled job").option("-r, --region <region>", "Target region (default: global)", import_common27.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common27.getApiEnv)(import_common27.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const runs = await listJobRuns(jobService, accessToken, jobName);
+      const fmt = new OutputFormatter();
+      fmt.print(runs, RUN_COLUMNS);
+    } catch (error) {
+      handleApiError("listing job runs", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobRunNotebookDownload.ts
+init_cjs_shims();
+var import_common28 = __toESM(require_src());
+function addJobRunNotebookDownloadCommand(notebookCommand) {
+  notebookCommand.command("download <jobName> <runId>").description("Download the notebook snapshot of a job run").option("-o, --output <path>", "Output file path (defaults to <jobName>_<runId>.ipynb)").option("-r, --region <region>", "Target region (default: global)", import_common28.Region.Global).action(async (jobName, runId, options) => {
+    try {
+      const apiEnv4 = (0, import_common28.getApiEnv)(import_common28.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const writtenPath = await downloadJobRunNotebook(jobService, accessToken, jobName, runId, options.output);
+      console.log(`Notebook downloaded to: ${writtenPath}`);
+    } catch (error) {
+      handleApiError("downloading job run notebook", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobRunShow.ts
+init_cjs_shims();
+var import_common29 = __toESM(require_src());
+var RUN_DETAIL_COLUMNS = [
+  { header: "FIELD", key: (f) => f.label },
+  { header: "VALUE", key: (f) => f.value }
+];
+function addJobRunShowCommand(runCommand) {
+  runCommand.command("show <jobName> <runId>").description("Show the details of a job run").option("-r, --region <region>", "Target region (default: global)", import_common29.Region.Global).action(async (jobName, runId, options) => {
+    try {
+      const apiEnv4 = (0, import_common29.getApiEnv)(import_common29.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const run = await getJobRun(jobService, accessToken, jobName, runId);
+      printRunDetails(run);
+    } catch (error) {
+      handleApiError("showing job run", error);
+    }
+  });
+}
+function printRunDetails(run) {
+  const fields = [
+    { label: "Run ID", value: run.jobRunId ?? "" },
+    { label: "Status", value: run.status ?? "" },
+    { label: "Schedule", value: run.scheduleName ?? "" },
+    { label: "Started", value: run.startTime ?? "" },
+    { label: "Ended", value: run.endTime ?? "" },
+    { label: "Error", value: run.error?.errorMessage ?? "" }
+  ];
+  const fmt = new OutputFormatter();
+  fmt.print(fields, RUN_DETAIL_COLUMNS);
+}
+
+// src/commands/jobs/jobRunStart.ts
+init_cjs_shims();
+var import_common30 = __toESM(require_src());
+function addJobRunStartCommand(runCommand) {
+  runCommand.command("start <jobName>").description("Start an ad-hoc run of a scheduled job").option("-r, --region <region>", "Target region (default: global)", import_common30.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common30.getApiEnv)(import_common30.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const run = await startJobRun(jobService, accessToken, jobName);
+      console.log(`Job run started. Run ID: ${run.jobRunId ?? "(unknown)"}`);
+    } catch (error) {
+      handleApiError("starting job run", error);
+    }
+  });
+}
+
+// src/commands/jobs/jobShow.ts
+init_cjs_shims();
+var import_common31 = __toESM(require_src());
+var JOB_DETAIL_COLUMNS = [
+  { header: "FIELD", key: (f) => f.label },
+  { header: "VALUE", key: (f) => f.value }
+];
+function addJobShowCommand(jobCommand) {
+  jobCommand.command("show <jobName>").description("Show the details of a scheduled job").option("-r, --region <region>", "Target region (default: global)", import_common31.Region.Global).action(async (jobName, options) => {
+    try {
+      const apiEnv4 = (0, import_common31.getApiEnv)(import_common31.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4);
+      const region = parseRegion(options.region);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const jobService = new JobService(jobApiClient);
+      const job = await getJob(jobService, accessToken, jobName);
+      printJobDetails(job);
+    } catch (error) {
+      handleApiError("showing job", error);
+    }
+  });
+}
+function printJobDetails(job) {
+  const def = job.jobDefinition;
+  const fields = [
+    { label: "Name", value: def.jobName ?? "" },
+    { label: "Type", value: def.jobType ?? "" },
+    { label: "Disabled", value: String(def.isDisabled ?? false) },
+    { label: "Description", value: def.description ?? "" },
+    { label: "Spark Pool", value: def.computeInfo?.friendlyName ?? "" },
+    { label: "Created At", value: def.createdAt ?? "" },
+    { label: "Last Updated At", value: def.lastUpdatedAt ?? "" }
+  ];
+  const fmt = new OutputFormatter();
+  fmt.print(fields, JOB_DETAIL_COLUMNS);
+}
+
+// src/commands/lake/database.ts
+init_cjs_shims();
+var import_common36 = __toESM(require_src());
+
+// src/actions/lake/index.ts
+init_cjs_shims();
+
+// src/actions/lake/listDatabases.ts
+init_cjs_shims();
+var import_common32 = __toESM(require_src());
+async function listDatabases(databaseService, accessToken) {
+  const requestId = import_common32.CorrelationService.createCorrelationContext();
+  console.info("Fetching databases...");
+  return databaseService.listDatabases(accessToken, requestId);
+}
+
+// src/actions/lake/listTables.ts
+init_cjs_shims();
+var import_common33 = __toESM(require_src());
+async function listTables(tableService, accessToken, database) {
+  const requestId = import_common33.CorrelationService.createCorrelationContext();
+  const scope = database ? ` for database "${database.databaseName}"` : "";
+  console.info(`Fetching lake tables${scope}...`);
+  return tableService.listTables(accessToken, requestId, database);
+}
+
+// src/services/lake/index.ts
+init_cjs_shims();
+
+// src/services/lake/databaseService.ts
+init_cjs_shims();
+var DatabaseService = class {
+  constructor(lakeApiClient) {
+    this.lakeApiClient = lakeApiClient;
+  }
+  async listDatabases(accessToken, requestId) {
+    return this.lakeApiClient.fetchDatabases(accessToken, requestId);
+  }
+};
+
+// src/services/lake/tableService.ts
+init_cjs_shims();
+var TableService = class {
+  constructor(lakeApiClient) {
+    this.lakeApiClient = lakeApiClient;
+  }
+  async listTables(accessToken, requestId, database) {
+    return this.lakeApiClient.fetchLakeTables(accessToken, requestId, database);
+  }
+};
+
+// src/services/lake/databaseLookup.ts
+init_cjs_shims();
+var SYSTEM_TABLES_DISPLAY_NAME = "System tables";
+var DEFAULT_DATABASE = { databaseName: "default" };
+async function lookupDatabase(options, lakeApiClient, accessToken) {
+  if (options.databaseId) {
+    if (options.databaseId === SYSTEM_TABLES_DISPLAY_NAME) {
+      return DEFAULT_DATABASE;
+    }
+    return lookupDatabaseById(options.databaseId, lakeApiClient, accessToken);
+  }
+  if (options.databaseName) {
+    if (options.databaseName === SYSTEM_TABLES_DISPLAY_NAME) {
+      return DEFAULT_DATABASE;
+    }
+    return lookupDatabaseByName(options.databaseName, lakeApiClient, accessToken);
+  }
+  return void 0;
+}
+async function lookupDatabaseById(databaseId, lakeApiClient, accessToken) {
+  const databaseService = new DatabaseService(lakeApiClient);
+  const databases = await listDatabases(databaseService, accessToken);
+  const match = databases.find((db) => db.databaseName === databaseId);
+  if (!match) {
+    console.error(
+      `Error: database "${databaseId}" not found. Run "sentinel database list" to see available databases.`
+    );
+    process.exit(1);
+  }
+  return match;
+}
+async function lookupDatabaseByName(databaseName, lakeApiClient, accessToken) {
+  const databaseService = new DatabaseService(lakeApiClient);
+  const databases = await listDatabases(databaseService, accessToken);
+  const match = databases.find((db) => db.sentinelWorkspace?.name === databaseName);
+  if (!match) {
+    console.error(
+      `Error: database "${databaseName}" not found. Run "sentinel database list" to see available databases.`
+    );
+    process.exit(1);
+  }
+  return match;
+}
+
+// src/client/lake/index.ts
+init_cjs_shims();
+var import_common34 = __toESM(require_src());
+function createLakeApiClient(env) {
+  const requestService = new import_common34.RequestService(noopTelemetry, buildApiHeaders);
+  return new import_common34.LakeApiClient({
+    requestService,
+    telemetry: noopTelemetry,
+    baseUrl: env.gatewayEndpoint
+  });
+}
+
+// src/telemetry/events.ts
+init_cjs_shims();
+var CliEvents = {
+  /** Fired exactly once per CLI process, before Commander parses argv. */
+  Invoked: "cli.invoked",
+  // Top-level commands
+  Login: "cli.login",
+  Logout: "cli.logout",
+  Token: "cli.token",
+  Update: "cli.update",
+  // `package` group
+  PackageCreateZip: "cli.package.createzip",
+  PackageValidate: "cli.package.validate",
+  // `job` group
+  JobPublish: "cli.job.publish",
+  // `database` group
+  DatabaseList: "cli.database.list",
+  // `table` group
+  TableList: "cli.table.list",
+  TableShow: "cli.table.show"
+};
+
+// src/telemetry/withCommandSpan.ts
+init_cjs_shims();
+
+// src/telemetry/commandInterceptor.ts
+init_cjs_shims();
+var ATTACHED_FLAG = /* @__PURE__ */ Symbol.for("sentinel.cli.commandTelemetryAttached");
+function buildCommandPath(cmd) {
+  const segments = [];
+  let cursor = cmd;
+  while (cursor) {
+    segments.unshift(cursor.name());
+    cursor = cursor.parent ?? null;
+  }
+  segments.shift();
+  return segments.join(".");
+}
+function buildCommandInvokedAttributes(cmd) {
+  const path8 = buildCommandPath(cmd);
+  const segments = path8.split(".");
+  const command = segments[0];
+  const subcommand = segments.length > 1 ? segments[segments.length - 1] : "";
+  return {
+    command,
+    subcommand,
+    commandPath: path8
+  };
+}
+function attachCommandTelemetry(program2, telemetry2) {
+  const flagged = program2;
+  if (flagged[ATTACHED_FLAG]) {
+    return;
+  }
+  flagged[ATTACHED_FLAG] = true;
+  program2.hook("preAction", (_thisCommand, actionCommand) => {
+    try {
+      const attrs = buildCommandInvokedAttributes(actionCommand);
+      telemetry2.event("Command.Invoked", { properties: attrs });
+    } catch {
+    }
+  });
+}
+
+// src/telemetry/errorContext.ts
+init_cjs_shims();
+var import_common35 = __toESM(require_src());
+function isObject(v) {
+  return typeof v === "object" && v !== null;
+}
+function extractErrorProperties(error) {
+  const err = error instanceof Error ? error : new Error(String(error));
+  const redacted = redactError(err);
+  const props = {
+    errorName: redacted.errorName,
+    errorMessage: redacted.errorMessage,
+    errorStack: redacted.errorStack,
+    isException: "true"
+  };
+  if (!isObject(error)) {
+    return props;
+  }
+  const axiosErr = error;
+  if (!axiosErr.response) {
+    return props;
+  }
+  props.status = axiosErr.response.status !== void 0 ? String(axiosErr.response.status) : "unknown";
+  const method = axiosErr.config?.method;
+  props.method = typeof method === "string" ? method.toUpperCase() : "unknown";
+  const url = axiosErr.config?.url;
+  props.url = typeof url === "string" ? url : "unknown";
+  const correlationId = import_common35.CorrelationService.extractCorrelationId(axiosErr.response);
+  if (correlationId) {
+    props.correlationId = correlationId;
+  }
+  return props;
+}
+function toTelemetryProperties(props) {
+  const out = {
+    errorName: props.errorName,
+    errorMessage: props.errorMessage,
+    errorStack: props.errorStack,
+    isException: props.isException
+  };
+  if (props.status !== void 0) {
+    out.status = props.status;
+  }
+  if (props.method !== void 0) {
+    out.method = props.method;
+  }
+  if (props.url !== void 0) {
+    out.url = props.url;
+  }
+  if (props.correlationId !== void 0) {
+    out.correlationId = props.correlationId;
+  }
+  return out;
+}
+
+// src/telemetry/withCommandSpan.ts
+function withCommandSpan(eventName, handler, telemetry2) {
+  return async (...args) => {
+    let span;
+    try {
+      const command = extractCommand(args);
+      const initialAttributes = command ? buildCommandInvokedAttributes(command) : void 0;
+      const svc = telemetry2 ?? getTelemetry();
+      span = svc.span(eventName, initialAttributes);
+    } catch {
+      span = void 0;
+    }
+    let success = true;
+    try {
+      await handler(...args);
+    } catch (err) {
+      success = false;
+      const props = extractErrorProperties(err);
+      safeError(span, err, toTelemetryProperties(props));
+      throw err;
+    } finally {
+      safeAddAttributes(span, { success });
+      safeEnd(span);
+    }
+  };
+}
+function extractCommand(args) {
+  const last = args[args.length - 1];
+  if (last && typeof last === "object" && typeof last.name === "function") {
+    return last;
+  }
+  return void 0;
+}
+function safeAddAttributes(span, extra) {
+  if (!span) {
+    return;
+  }
+  try {
+    span.addAttributes(extra);
+  } catch {
+  }
+}
+function safeEnd(span, extra) {
+  if (!span) {
+    return;
+  }
+  try {
+    span.end(extra);
+  } catch {
+  }
+}
+function safeError(span, err, extra) {
+  if (!span) {
+    return;
+  }
+  try {
+    span.error(err instanceof Error ? err : new Error(String(err)), extra);
+  } catch {
+  }
+}
+
+// src/commands/lake/database.ts
+function addDatabaseCommand(databaseCommand) {
+  databaseCommand.command("list").description("List all available databases").action(
+    withCommandSpan(CliEvents.DatabaseList, async () => {
+      try {
+        const apiEnv4 = (0, import_common36.getApiEnv)(import_common36.SecurityPlatformEnvironment.Production);
+        const accessToken = await getToken(apiEnv4);
+        const lakeApiClient = createLakeApiClient(apiEnv4);
+        const databaseService = new DatabaseService(lakeApiClient);
+        const databases = await listDatabases(databaseService, accessToken);
+        const fmt = new OutputFormatter();
+        fmt.print(databases, [
+          { header: "ID", key: (db) => db.databaseName === "default" ? "System tables" : db.databaseName },
+          {
+            header: "NAME",
+            key: (db) => db.databaseName === "default" ? "System tables" : db.sentinelWorkspace?.name ?? ""
+          }
+        ]);
+      } catch (error) {
+        handleApiError("listing databases", error);
+      }
+    })
+  );
+}
+
+// src/commands/lake/lakeTables.ts
+init_cjs_shims();
+var import_common37 = __toESM(require_src());
+var TABLE_COLUMNS = [
+  { header: "TABLE", key: (t) => t.name ?? "" },
+  {
+    header: "DATABASE NAME",
+    key: (t) => t.sgWorkspaceName === "default" ? SYSTEM_TABLES_DISPLAY_NAME : t.sgWorkspaceName ?? ""
+  },
+  { header: "CATEGORY", key: (t) => t.category ?? "" }
+];
+function addLakeTableListCommand(tableCommand) {
+  tableCommand.command("list").description("List lake tables").option("--database-id <databaseId>", "Database ID to fetch tables").option("--database-name <databaseName>", "Database name to fetch tables").action(
+    withCommandSpan(CliEvents.TableList, async (options) => {
+      try {
+        validateOptions(options);
+        const apiEnv4 = (0, import_common37.getApiEnv)(import_common37.SecurityPlatformEnvironment.Production);
+        const accessToken = await getToken(apiEnv4);
+        const lakeApiClient = createLakeApiClient(apiEnv4);
+        const database = await lookupDatabase(options, lakeApiClient, accessToken);
+        const tableService = new TableService(lakeApiClient);
+        const tables = await listTables(tableService, accessToken, database);
+        printTables(tables);
+      } catch (error) {
+        handleApiError("listing lake tables", error);
+      }
+    })
+  );
+}
+function validateOptions(options) {
+  if (options.databaseId && options.databaseName) {
+    throw new Error("--database-id and --database-name are mutually exclusive. Provide only one.");
   }
-  if (import_os3.default.platform() === "win32" /* Windows */) {
-    const session = loadBrokerAccount();
-    if (session) {
+}
+function printTables(tables) {
+  const fmt = new OutputFormatter();
+  fmt.print(tables, TABLE_COLUMNS);
+}
+
+// src/commands/lake/lakeTableSchema.ts
+init_cjs_shims();
+var import_common38 = __toESM(require_src());
+var SCHEMA_COLUMNS = [
+  { header: "COLUMN", key: (col) => col.name },
+  { header: "TYPE", key: (col) => col.type }
+];
+function addLakeTableShowCommand(tableCommand) {
+  tableCommand.command("show <tableName>").description("Show the schema of a lake table").option("--database-id <databaseId>", "Database ID to look up the table in").option("--database-name <databaseName>", "Database name to look up the table in").action(
+    withCommandSpan(CliEvents.TableShow, async (tableName, options) => {
       try {
-        const brokerInstance = await getMsalInstance(apiEnv3, session.authority);
-        const response = await brokerInstance.acquireTokenSilent({
-          account: session.account,
-          scopes
-        });
-        if (response?.accessToken) {
-          console.log("\u2705 Authenticated using Windows Native Broker (WAM) cache");
-          return response.accessToken;
+        validateOptions2(options);
+        const apiEnv4 = (0, import_common38.getApiEnv)(import_common38.SecurityPlatformEnvironment.Production);
+        const accessToken = await getToken(apiEnv4);
+        const lakeApiClient = createLakeApiClient(apiEnv4);
+        const database = await lookupDatabase(options, lakeApiClient, accessToken) ?? DEFAULT_DATABASE;
+        const tableService = new TableService(lakeApiClient);
+        const tables = await listTables(tableService, accessToken, database);
+        const table = findTable(tables, tableName);
+        if (!table) {
+          console.error(
+            `Error: table "${tableName}" not found. Run "sentinel table list" to see available tables.`
+          );
+          throw new Error(`Table not found: ${tableName}`);
         }
-      } catch {
-        console.warn("\u26A0\uFE0F Silent WAM token acquisition failed");
+        printSchema(table);
+      } catch (error) {
+        handleApiError("showing lake table schema", error);
       }
-    }
+    })
+  );
+}
+function validateOptions2(options) {
+  if (options.databaseId && options.databaseName) {
+    throw new Error("--database-id and --database-name are mutually exclusive. Provide only one.");
   }
-  return "";
+}
+function findTable(tables, tableName) {
+  const lowerName = tableName.toLowerCase();
+  return tables.find((t) => t.name?.toLowerCase() === lowerName);
+}
+function printSchema(table) {
+  const fmt = new OutputFormatter();
+  fmt.print(table.schema, SCHEMA_COLUMNS);
+}
+
+// src/commands/login.ts
+init_cjs_shims();
+var os5 = __toESM(require("os"));
+
+// src/actions/authCodeLogin.ts
+init_cjs_shims();
+var import_child_process = require("child_process");
+var import_common39 = __toESM(require_src());
+var apiEnv3 = (0, import_common39.getApiEnv)(import_common39.SecurityPlatformEnvironment.Production);
+function openSystemBrowser(url) {
+  return new Promise((resolve2, reject) => {
+    const command = process.platform === "darwin" ? "open" : "xdg-open";
+    (0, import_child_process.execFile)(command, [url], (error) => {
+      if (error) {
+        reject(new Error(`Failed to open browser: ${error.message}`));
+      } else {
+        resolve2();
+      }
+    });
+  });
+}
+async function browserAuthLogin(scopes, tenant) {
+  const authorityOverride = tenant ? `${new URL(apiEnv3.aadEndpoint).origin}/${encodeURIComponent(tenant)}` : void 0;
+  const authority = authorityOverride ?? apiEnv3.aadEndpoint;
+  const msalInstance = await getMsalInstance(apiEnv3, authorityOverride);
+  console.log("\u{1F510} Starting browser login. A browser window will open.");
+  const result = await msalInstance.acquireTokenInteractive({
+    scopes,
+    prompt: "select_account",
+    openBrowser: openSystemBrowser,
+    successTemplate: "<h1>Authentication successful</h1><p>You may close this tab and return to the terminal.</p>",
+    errorTemplate: "<h1>Authentication failed</h1><p>{error}</p>"
+  });
+  if (!result?.accessToken) {
+    throw new Error("Token acquisition failed: received null or empty token.");
+  }
+  if (result.account) {
+    saveBrokerAccount(result.account, authority);
+  }
+  console.log("\u{1F511} Token acquired successfully.");
+  return result.accessToken;
 }
 
 // src/actions/deviceCodeLogin.ts
+init_cjs_shims();
 async function login(scopes) {
   await loginAndGetDeviceCodeToken(scopes);
 }
 
 // src/actions/managedIdentityLogin.ts
 init_cjs_shims();
-var import_identity2 = require("@azure/identity");
+var import_identity3 = require("@azure/identity");
 async function getTokenManagedIdentity(options) {
   const { scope, clientId, objectId, resourceId, workload } = options;
   let credential;
   try {
     if (workload) {
       console.log("\u{1F510} Using WorkloadIdentityCredential...");
-      credential = new import_identity2.WorkloadIdentityCredential();
+      credential = new import_identity3.WorkloadIdentityCredential();
     } else if (clientId) {
       console.log("\u{1F510} Using ManagedIdentityCredential with Client ID...");
-      credential = new import_identity2.ManagedIdentityCredential(clientId);
+      credential = new import_identity3.ManagedIdentityCredential(clientId);
     } else if (objectId) {
       console.log("\u{1F510} Using ManagedIdentityCredential with Object ID...");
-      credential = new import_identity2.ManagedIdentityCredential({ objectId });
+      credential = new import_identity3.ManagedIdentityCredential({ objectId });
     } else if (resourceId) {
       console.log("\u{1F510} Using ManagedIdentityCredential with Resource ID...");
-      credential = new import_identity2.ManagedIdentityCredential({ resourceId });
+      credential = new import_identity3.ManagedIdentityCredential({ resourceId });
     } else {
       throw new Error("No managed identity parameters provided.");
     }
@@ -7627,7 +10419,7 @@ function loginCommand(program2) {
           console.log("\u2705 Logged in via Windows Native Broker.");
         } else {
           console.log("\u{1F310} Launching Browser Authentication (Auth Code Flow)...");
-          await browserAuthLogin(scope);
+          await browserAuthLogin(scope, tenant);
           console.log("\u2705 Logged in using Browser Authentication.");
         }
       } catch (error) {
@@ -7657,215 +10449,244 @@ function logoutCommand(program2) {
 
 // src/commands/publishJob.ts
 init_cjs_shims();
-var import_common8 = __toESM(require_src());
-var import_path4 = __toESM(require("path"));
+var import_common41 = __toESM(require_src());
+var import_path6 = __toESM(require("path"));
 
 // src/actions/publishJob.ts
 init_cjs_shims();
-var import_common6 = __toESM(require_src());
-var fs2 = __toESM(require("fs"));
-var import_path3 = __toESM(require("path"));
-var YAML = __toESM(require("yaml"));
+var import_common40 = __toESM(require_src());
+var fs6 = __toESM(require("fs"));
+var import_path5 = __toESM(require("path"));
+var YAML2 = __toESM(require("yaml"));
 function parseJobConfig(jobConfigPath) {
-  const jobConfigContent = fs2.readFileSync(jobConfigPath, "utf-8");
-  const ext = import_path3.default.extname(jobConfigPath);
+  const jobConfigContent = fs6.readFileSync(jobConfigPath, "utf-8");
+  const ext = import_path5.default.extname(jobConfigPath);
   switch (ext) {
     case ".json":
       return JSON.parse(jobConfigContent);
     case ".yaml":
     case ".yml":
-      return YAML.parse(jobConfigContent);
+      return YAML2.parse(jobConfigContent);
     default:
       throw new Error(`Unsupported file extension: ${ext}`);
   }
 }
-async function publish(notebookPath, jobConfigPath, jobService) {
-  if (!fs2.existsSync(notebookPath)) {
+async function publish(notebookPath, jobConfigPath, jobClient, accessToken) {
+  if (!fs6.existsSync(notebookPath)) {
     console.error(`File not found: ${notebookPath}`);
     throw new Error(`File not found: ${notebookPath}`);
   }
-  if (!fs2.existsSync(jobConfigPath)) {
+  if (!fs6.existsSync(jobConfigPath)) {
     console.error(`File not found: ${jobConfigPath}`);
     throw new Error(`File not found: ${jobConfigPath}`);
   }
-  const notebookBase64 = fs2.readFileSync(notebookPath).toString("base64");
+  const requestId = import_common40.CorrelationService.createCorrelationContext();
+  const notebookBase64 = fs6.readFileSync(notebookPath).toString("base64");
   const jobConfig = parseJobConfig(jobConfigPath);
-  const payload = (0, import_common6.buildCompleteJobPayload)(jobConfig, notebookBase64);
+  const payload = (0, import_common40.buildCompleteJobPayload)(jobConfig, notebookBase64);
   const jobName = jobConfig.jobName;
-  await jobService.createJob(jobName, payload);
+  await jobClient.createJob(jobName, payload, accessToken, requestId);
   return jobName;
 }
 
-// src/utils/httpServiceUtils.ts
-init_cjs_shims();
-var import_common7 = __toESM(require_src());
-var import_axios = __toESM(require("axios"));
-
-// src/services/getToken.ts
-init_cjs_shims();
+// src/commands/publishJob.ts
+function addPublishCommand(jobCommand) {
+  jobCommand.command("publish <notebookPath>").description("Publish a scheduled job.").option("-c, --config <path>", "Path to job YAML config").option("-r, --region <region>", "Target region (e.g. eastus2)", import_common41.Region.Global).action(async (notebookPath, options) => {
+    try {
+      const resolvedNotebookPath = import_path6.default.resolve(notebookPath);
+      const resolvedConfigPath = import_path6.default.resolve(options.config);
+      const apiEnv4 = (0, import_common41.getApiEnv)(import_common41.SecurityPlatformEnvironment.Production);
+      const region = options.region;
+      const accessToken = await getToken(apiEnv4);
+      const jobApiClient = createJobApiClient(apiEnv4, region);
+      const result = await publish(resolvedNotebookPath, resolvedConfigPath, jobApiClient, accessToken);
+      console.log("Published job:", result);
+    } catch (error) {
+      handleApiError("publishing job", error);
+    }
+  });
+}
 
-// src/auth/constants.ts
+// src/commands/tenant/tenantList.ts
 init_cjs_shims();
+var import_common43 = __toESM(require_src());
 
-// src/auth/provider/TokenProviderFactory.ts
+// src/services/tenant/index.ts
 init_cjs_shims();
 
-// src/auth/provider/DeviceCodeTokenProvider.ts
+// src/services/tenant/tenantService.ts
 init_cjs_shims();
-var DeviceCodeTokenProvider = class {
-  options;
-  env;
-  constructor(env, options) {
-    if (!env) {
-      throw new Error("Environment cannot be null or undefined");
-    }
-    this.env = env;
-    this.options = {
-      ...options,
-      // overrides defaults if user provided values
-      scopes: options?.scopes ?? [this.env.gatewayAuthResourceUri]
-    };
+var import_common42 = __toESM(require_src());
+var TenantService = class {
+  constructor(requestService, armEndpoint) {
+    this.requestService = requestService;
+    this.armEndpoint = armEndpoint;
   }
-  async getAccessToken() {
-    let token = await getAccessTokenFromCache(this.options?.scopes);
-    if (token) {
-      return token;
-    }
-    token = await loginAndGetDeviceCodeToken(this.options?.scopes);
-    return token;
+  /**
+   * Fetches all tenants accessible to the authenticated user from ARM.
+   *
+   * @param accessToken - A valid ARM bearer access token.
+   * @returns An array of {@link ArmTenant} objects.
+   */
+  async fetchAllTenants(accessToken) {
+    const client = new import_common42.TenantApiClient({ requestService: this.requestService, armEndpoint: this.armEndpoint });
+    return client.fetchAllTenants(accessToken);
   }
 };
 
-// src/auth/provider/ManagedIdentityTokenProvider.ts
-init_cjs_shims();
-var import_identity3 = require("@azure/identity");
-var ManagedIdentityTokenProvider = class {
-  options;
-  env;
-  constructor(env, options) {
-    if (!env) {
-      throw new Error("Environment cannot be null or undefined");
-    }
-    if (!options?.uamiClientId) {
-      throw new Error("UAMI clientId required for user-assigned managed identity");
-    }
-    this.env = env;
-    this.options = {
-      ...options,
-      // overrides defaults if user provided values
-      scopes: options?.scopes ?? [env.gatewayAuthResourceUri]
-    };
-  }
-  async getAccessToken() {
-    const scopes = this.options?.scopes && this.options.scopes.length > 0 ? this.options.scopes : [this.env.gatewayAuthResourceUri];
-    const credential = new import_identity3.ManagedIdentityCredential({
-      clientId: this.options?.uamiClientId
-    });
-    const token = await credential.getToken(scopes);
-    if (!token) {
-      throw new Error("Failed to get token from Managed Identity");
+// src/commands/tenant/tenantList.ts
+var TENANT_COLUMNS = [
+  { header: "DISPLAY NAME", key: (t) => t.displayName },
+  { header: "TENANT ID", key: (t) => t.tenantId },
+  { header: "DEFAULT DOMAIN", key: (t) => t.defaultDomain }
+];
+function addTenantListCommand(tenantCommand) {
+  tenantCommand.command("list").description("List accessible tenants for the signed-in user").action(async () => {
+    try {
+      const apiEnv4 = (0, import_common43.getApiEnv)(import_common43.SecurityPlatformEnvironment.Production);
+      const accessToken = await getToken(apiEnv4, [apiEnv4.armScope]);
+      const requestService = new import_common43.RequestService(noopTelemetry, buildApiHeaders);
+      const tenantService = new TenantService(requestService, apiEnv4.armEndpoint);
+      const tenants = await tenantService.fetchAllTenants(accessToken);
+      printTenants(tenants);
+    } catch (error) {
+      handleApiError("listing tenants", error);
     }
-    return token.token;
-  }
-};
+  });
+}
+function printTenants(tenants) {
+  const fmt = new OutputFormatter();
+  fmt.print(tenants, TENANT_COLUMNS);
+}
 
-// src/auth/provider/MsalCacheTokenProvider.ts
+// src/commands/tenant/tenantSelect.ts
 init_cjs_shims();
-var MsalCacheTokenProvider = class {
-  options;
-  env;
-  constructor(env, options) {
-    if (!env) {
-      throw new Error("Environment cannot be null or undefined");
+var import_common44 = __toESM(require_src());
+var os6 = __toESM(require("os"));
+var readline = __toESM(require("readline"));
+var MAX_PROMPT_ATTEMPTS = 3;
+function addTenantSelectCommand(tenantCommand) {
+  tenantCommand.command("select").description(
+    "Select an active tenant for this account from an interactive numbered prompt. Subsequent commands will acquire tokens for the selected tenant."
+  ).action(async () => {
+    try {
+      const apiEnv4 = (0, import_common44.getApiEnv)(import_common44.SecurityPlatformEnvironment.Production);
+      const armToken = await getToken(apiEnv4, [apiEnv4.armScope]);
+      const requestService = new import_common44.RequestService(noopTelemetry, buildApiHeaders);
+      const tenantService = new TenantService(requestService, apiEnv4.armEndpoint);
+      const tenants = await tenantService.fetchAllTenants(armToken);
+      if (tenants.length === 0) {
+        console.error("\u274C No tenants accessible for the signed-in account.");
+        process.exit(1);
+      }
+      const activeTenantId = getActiveTenantId();
+      const activeIndex = activeTenantId ? tenants.findIndex((t) => t.tenantId === activeTenantId) : -1;
+      const chosen = await promptForTenant(tenants, activeIndex);
+      if (!chosen) {
+        console.log("\u2139 Active tenant unchanged.");
+        return;
+      }
+      await switchActiveTenant(apiEnv4, chosen);
+      console.log(`\u2705 Active tenant set to ${chosen.tenantId} (${chosen.displayName}).`);
+    } catch (error) {
+      handleApiError("selecting tenant", error);
     }
-    this.env = env;
-    this.options = {
-      ...options,
-      scopes: options?.scopes?.length ? options.scopes : [this.env.gatewayAuthResourceUri]
-    };
+  });
+}
+function getActiveTenantId() {
+  const session = loadBrokerAccount();
+  if (!session) {
+    return null;
   }
-  async getAccessToken() {
-    const token = await getAccessTokenFromCache(this.options.scopes);
-    if (!token) {
-      throw new Error("No cached authentication token found. Please run `sentinel login` first.");
+  try {
+    const url = new URL(session.authority);
+    const segment = url.pathname.split("/").filter(Boolean).pop();
+    if (!segment || segment === "common" || segment === "organizations" || segment === "consumers") {
+      return null;
     }
-    return token;
+    return segment;
+  } catch {
+    return null;
   }
-};
-
-// src/auth/provider/TokenProviderFactory.ts
-var TokenProviderFactory = class {
-  static createProvider(env, method, options) {
-    switch (method) {
-      case "device_code":
-        return new DeviceCodeTokenProvider(env, options);
-      case "managed_identity":
-        if (!options) {
-          throw new Error("UAMI clientId required for user-assigned managed identity");
+}
+async function promptForTenant(tenants, activeIndex) {
+  const defaultIdx = activeIndex >= 0 ? activeIndex + 1 : 1;
+  console.log("");
+  console.log(formatTenantTable(tenants, activeIndex));
+  console.log("");
+  if (activeIndex >= 0) {
+    console.log(`The default is marked with an *; the default tenant is '${tenants[activeIndex].tenantId}'.`);
+    console.log("");
+  }
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    for (let attempt = 0; attempt < MAX_PROMPT_ATTEMPTS; attempt++) {
+      const answer = await new Promise((resolve2) => {
+        rl.question(`Select a tenant by number [${defaultIdx}]: `, (a) => resolve2(a));
+      });
+      const trimmed = answer.trim();
+      if (trimmed === "") {
+        if (activeIndex >= 0) {
+          return null;
         }
-        return new ManagedIdentityTokenProvider(env, options);
-      case "msal_cache":
-        return new MsalCacheTokenProvider(env, options);
-      default:
-        throw new Error(`Unsupported token method: ${method}`);
+        return tenants[defaultIdx - 1];
+      }
+      if (/^\d+$/.test(trimmed)) {
+        const idx = Number.parseInt(trimmed, 10);
+        if (idx >= 1 && idx <= tenants.length) {
+          const chosen = tenants[idx - 1];
+          if (activeIndex >= 0 && idx - 1 === activeIndex) {
+            return null;
+          }
+          return chosen;
+        }
+      }
+      console.error(`Invalid selection. Enter a number between 1 and ${tenants.length}.`);
     }
+    throw new Error("Too many invalid attempts. Aborting.");
+  } finally {
+    rl.close();
   }
-};
-
-// src/services/getToken.ts
-async function getToken(env, scopes, clientId) {
-  let provider = null;
-  const options = {
-    uamiClientId: clientId,
-    scopes
-  };
-  if (clientId) {
-    provider = TokenProviderFactory.createProvider(env, "managed_identity" /* ManagedIdentity */, options);
-  } else {
-    provider = TokenProviderFactory.createProvider(env, "msal_cache" /* MsalCache */, options);
-  }
-  const token = await provider.getAccessToken();
-  return token;
 }
-
-// src/utils/httpServiceUtils.ts
-async function getHttpService(env) {
-  try {
-    const accessToken = await getToken(env);
-    return new import_common7.HttpService(
-      import_axios.default.create({
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${accessToken}`
-        }
-      })
+function formatTenantTable(tenants, activeIndex) {
+  const headers = ["No.", "", "Tenant ID", "Tenant Name", "Default Domain"];
+  const rows = tenants.map((t, i) => {
+    const marker = i === activeIndex ? "*" : "";
+    return [`[${i + 1}]`, marker, t.tenantId, t.displayName, t.defaultDomain ?? ""];
+  });
+  const widths = headers.map((h, col) => Math.max(h.length, ...rows.map((r) => r[col].length)));
+  const pad = (s, w) => s + " ".repeat(Math.max(0, w - s.length));
+  const formatRow = (cells) => cells.map((c, i) => pad(c, widths[i])).join("  ");
+  return [formatRow(headers), ...rows.map(formatRow)].join("\n");
+}
+async function switchActiveTenant(apiEnv4, chosen) {
+  const newAuthority = `${new URL(apiEnv4.aadEndpoint).origin}/${chosen.tenantId}`;
+  const session = loadBrokerAccount();
+  if (!session) {
+    throw new Error(
+      "No active session found. Run 'sentinel login' first. Note: tenant switching is not supported for managed-identity / workload-identity sign-ins."
     );
-  } catch {
-    throw new Error("Failed to retrieve access token");
   }
-}
-
-// src/commands/publishJob.ts
-function addPublishCommand(jobCommand) {
-  jobCommand.command("publish <notebookPath>").description("Publish a scheduled job.").option("-c, --config <path>", "Path to job YAML config").option("-r, --region <region>", "Target region (e.g. eastus2)", import_common8.Region.Global).action(async (notebookPath, options) => {
-    try {
-      const resolvedNotebookPath = import_path4.default.resolve(notebookPath);
-      const resolvedConfigPath = import_path4.default.resolve(options.config);
-      const apiEnv4 = (0, import_common8.getApiEnv)(import_common8.SecurityPlatformEnvironment.Production);
-      const region = options.region;
-      const httpService = await getHttpService(apiEnv4);
-      const jobService = new import_common8.JobService(apiEnv4, region, httpService);
-      const result = await publish(resolvedNotebookPath, resolvedConfigPath, jobService);
-      console.log("Published job:", result);
-    } catch (error) {
-      if (error instanceof Error) {
-        console.error("Publish Error:", error.message);
-      } else {
-        console.error("Unknown error in publish:", error);
-      }
-      process.exit(1);
+  const msalInstance = await getMsalInstance(apiEnv4, newAuthority);
+  try {
+    const result = await msalInstance.acquireTokenSilent({
+      account: session.account,
+      scopes: [apiEnv4.gatewayAuthResourceUri],
+      authority: newAuthority
+    });
+    const acquiredTid = result?.account?.tenantId;
+    if (result?.accessToken && acquiredTid === chosen.tenantId) {
+      saveBrokerAccount(result.account, newAuthority);
+      return;
     }
-  });
+  } catch {
+  }
+  console.log(`\u2139 Silent sign-in to tenant ${chosen.tenantId} not possible \u2014 prompting interactively\u2026`);
+  if (os6.platform() === "win32") {
+    await brokerLogin([apiEnv4.gatewayAuthResourceUri], chosen.tenantId);
+  } else {
+    await browserAuthLogin([apiEnv4.gatewayAuthResourceUri], chosen.tenantId);
+  }
 }
 
 // src/commands/token.ts
@@ -7876,17 +10697,79 @@ function addTokenCommand(program2) {
   });
 }
 
+// src/commands/updateCLI.ts
+init_cjs_shims();
+
+// src/actions/updateCLI.ts
+init_cjs_shims();
+var import_axios = __toESM(require("axios"));
+var import_child_process2 = require("child_process");
+var os7 = __toESM(require("os"));
+var import_semver = __toESM(require("semver"));
+var PACKAGE_NAME = "@microsoft/sentinel-cli";
+var NPM_REGISTRY_URL = `https://registry.npmjs.org/${PACKAGE_NAME}/latest`;
+async function fetchLatestVersion() {
+  const response = await import_axios.default.get(NPM_REGISTRY_URL, { timeout: 5e3 });
+  return response.data.version;
+}
+function isNewerVersion(current, latest) {
+  const c = import_semver.default.coerce(current);
+  const l = import_semver.default.coerce(latest);
+  if (!c || !l) {
+    return false;
+  }
+  return import_semver.default.gt(l, c);
+}
+function runUpdateCommand(version) {
+  if (!import_semver.default.valid(version)) {
+    throw new Error(`Invalid version: ${version}`);
+  }
+  const args = ["install", "-g", `${PACKAGE_NAME}@${version}`];
+  (0, import_child_process2.execFileSync)("npm", args, { stdio: "inherit", shell: true });
+}
+async function checkAndUpdate(currentVersion) {
+  console.log(`\u{1F50D} Current version: ${currentVersion}`);
+  console.log("\u{1F310} Checking for latest version on npm...");
+  const latestVersion = await fetchLatestVersion();
+  if (!isNewerVersion(currentVersion, latestVersion)) {
+    console.log(`\u2705 You are already on the latest version (${currentVersion}).`);
+    return;
+  }
+  console.log(`\u{1F4E6} New version available: ${latestVersion}`);
+  console.log(`\u2B06\uFE0F  Updating from ${currentVersion} to ${latestVersion}...`);
+  if (os7.platform() !== "win32") {
+    console.log(
+      "\u2139\uFE0F  On macOS/Linux, you may need administrator privileges. If the update fails, try running with sudo."
+    );
+  }
+  runUpdateCommand(latestVersion);
+  console.log(`\u2705 Successfully updated to version ${latestVersion}.`);
+}
+
+// src/commands/updateCLI.ts
+function addUpdateCliCommand(program2) {
+  program2.command("update").description("Update the Sentinel CLI to the latest version").action(async () => {
+    try {
+      await checkAndUpdate("0.3.0");
+    } catch (error) {
+      console.error(`\u274C Update failed: ${error instanceof Error ? error.message : error}`);
+      process.exitCode = 1;
+      return;
+    }
+  });
+}
+
 // src/commands/validate.ts
 init_cjs_shims();
 
 // src/actions/validate.ts
 init_cjs_shims();
-var import_common9 = __toESM(require_src());
+var import_common45 = __toESM(require_src());
 async function validateFromFile(filePath) {
   if (!filePath || typeof filePath !== "string" || filePath.trim().length === 0) {
     throw new Error("Invalid file path provided.");
   }
-  const manifestProcessorService = new import_common9.ManifestProcessorService();
+  const manifestProcessorService = new import_common45.ManifestProcessorService();
   console.info("Starting validate process...");
   await manifestProcessorService.validateManifest(filePath);
 }
@@ -7913,15 +10796,56 @@ function addValidateCommand(packageCommand) {
 function registerCommands(program2) {
   const jobCommand = program2.command("job").description("Manage scheduled jobs");
   addPublishCommand(jobCommand);
+  addJobListCommand(jobCommand);
+  addJobShowCommand(jobCommand);
+  addJobDeleteCommand(jobCommand);
+  addJobDisableCommand(jobCommand);
+  addJobEnableCommand(jobCommand);
+  addJobDownloadCommand(jobCommand);
+  const runCommand = jobCommand.command("run").description("Manage job runs");
+  addJobRunListCommand(runCommand);
+  addJobRunShowCommand(runCommand);
+  addJobRunStartCommand(runCommand);
+  addJobRunCancelCommand(runCommand);
+  const notebookCommand = runCommand.command("notebook").description("Manage job run notebooks");
+  addJobRunNotebookDownloadCommand(notebookCommand);
+  const definitionCommand = jobCommand.command("definition").description("Manage job definition YAML files");
+  addJobDefinitionCreateCommand(definitionCommand);
+  addJobDefinitionShowCommand(definitionCommand);
+  addJobDefinitionUpdateCommand(definitionCommand);
   const packageCommand = program2.command("package").description("Manage packages");
   addCreateZipCommand(packageCommand);
   addValidateCommand(packageCommand);
+  const databaseCommand = program2.command("database").description("Manage sentinel lake databases");
+  addDatabaseCommand(databaseCommand);
+  const tableCommand = program2.command("table").description("Manage sentinel lake tables");
+  addLakeTableListCommand(tableCommand);
+  addLakeTableShowCommand(tableCommand);
+  const tenantCommand = program2.command("tenant").description("Manage tenants");
+  addTenantListCommand(tenantCommand);
+  addTenantSelectCommand(tenantCommand);
   loginCommand(program2);
   logoutCommand(program2);
   addTokenCommand(program2);
+  addUpdateCliCommand(program2);
 }
 
 // src/index.ts
-import_commander.program.name("sentinel").description("CLI for MSAL login").version("1.0.0");
+import_commander.program.name("sentinel").description("Sentinel CLI \u2014 manage lake tables, databases, scheduled jobs, packages, and authentication").version("0.3.0");
 registerCommands(import_commander.program);
-import_commander.program.parse(process.argv);
+var telemetry = getTelemetry();
+telemetry.event("cli.invoked", {
+  properties: { command: process.argv[2] ?? "<none>" }
+});
+attachCommandTelemetry(import_commander.program, telemetry);
+(async () => {
+  let exitCode = 0;
+  try {
+    await import_commander.program.parseAsync(process.argv);
+  } catch {
+    exitCode = 1;
+  } finally {
+    await telemetry.dispose();
+  }
+  process.exit(exitCode);
+})();