@mintmcp/hosted-cli 0.0.16 → 0.0.18

package/dist/index.js

@@ -4,20 +4,21 @@ import { createTRPCClient, httpLink } from "@trpc/client";
 import archiver from "archiver";
 import * as fs from "fs";
 import { readFileSync } from "fs";
-import keytar from "keytar";
 import * as path from "path";
 import { dirname, join } from "path";
 import superjson from "superjson";
 import { fileURLToPath } from "url";
 import z, { ZodSchema } from "zod";
 import { HostedIdSchema, UserConfigUpdateSchema, } from "./api.js";
+import { clearAllAuth, clearSelectedAuth, EnvSchema, formatAuthSummary, getAuth, getCurrentAuthAccount, getSelectedAuth, getTokenClaims, listAuthRecords, requestAndStoreAuth, sameStoredAuthAccount, useAuth, } from "./auth.js";
+import { assertImageSupportsPlatform, buildImage, defaultBuildPlatform, defaultLocalTestImageRef, ensureDockerAvailable, ensureDockerBuildxAvailable, ensureImageAvailableLocally, loginToRegistry, pushImage, smokeTestImage, } from "./containerBuilder.js";
 import { buildPartialUpdate, toHostedTransport, } from "./updateBuilder.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const packageJson = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8"));
 const version = packageJson.version;
-const EnvSchema = z.enum(["staging", "production"]);
 const TransportSchema = z.enum(["http", "stdio"]);
+const parseTransport = argParser(TransportSchema);
 const TRPC_API_URL = {
     staging: "http://localhost:3000/api.trpc",
     production: "https://app.mintmcp.com/api.trpc",
@@ -26,116 +27,43 @@ const WEB_CLIENT_URL = {
     staging: "http://localhost:3000",
     production: "https://app.mintmcp.com",
 };
-const CLIENT_IDS = {
-    staging: "client_01K0WB8ABW72JSBZ62V98AZMPS",
-    production: "client_01K0WB8AHKS2J39SFKAPTHTR90",
-};
 // Where to look for the hosted config, relative to "--base".
 const HOSTED_CONFIG_PATHS = {
     staging: ".mintmcp/hosted-staging.json",
     production: ".mintmcp/hosted.json",
 };
-const HostedConfigSchema = z.object({
+const HostedConfigBaseSchema = z.object({
     hostedId: HostedIdSchema,
-    // Directory containing data to send to hosted server, relative to "--base".
-    mntDataDir: z.string(),
-});
-const AuthSchema = z.object({
-    accessToken: z.string(),
-    email: z.string(),
-    organizationId: z.string(),
+    // Organization that owns this hosted server. Older config files may omit it.
+    organizationId: z.string().optional(),
 });
-async function requestAuth(env) {
-    const clientId = CLIENT_IDS[env];
-    const deviceCodeResponse = await fetch("https://api.workos.com/user_management/authorize/device", {
-        method: "POST",
-        headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-        },
-        body: new URLSearchParams({
-            client_id: clientId,
-        }),
-    });
-    if (!deviceCodeResponse.ok) {
-        throw new Error(`Failed to get device code: ${await deviceCodeResponse.text()}`);
-    }
-    const deviceData = (await deviceCodeResponse.json());
-    const { device_code: deviceCode, verification_uri_complete: verificationUriComplete, interval = 5, } = deviceData;
-    console.log(`To authenticate, visit ${verificationUriComplete}`);
-    // Poll for access token.
-    const maxAttempts = 60;
-    for (let attempts = 0; attempts < maxAttempts; attempts += 1) {
-        await new Promise((resolve) => {
-            setTimeout(resolve, interval * 1000);
-        });
-        const tokenResponse = await fetch("https://api.workos.com/user_management/authenticate", {
-            method: "POST",
-            headers: {
-                "Content-Type": "application/x-www-form-urlencoded",
-            },
-            body: new URLSearchParams({
-                grant_type: "urn:ietf:params:oauth:grant-type:device_code",
-                device_code: deviceCode,
-                client_id: clientId,
-            }),
-        });
-        if (!tokenResponse.ok) {
-            continue;
-        }
-        const tokenData = (await tokenResponse.json());
-        if (tokenData.error) {
-            if (tokenData.error === "authorization_pending") {
-                continue;
-            }
-            else if (tokenData.error === "slow_down") {
-                // Increase interval as requested
-                await new Promise((resolve) => {
-                    setTimeout(resolve, 5000);
-                });
-                continue;
-            }
-            else {
-                throw new Error(`Authentication failed: ${tokenData.error}`);
-            }
-        }
-        if (tokenData.access_token) {
-            if (!tokenData.user?.email) {
-                throw new Error("Authentication response missing user email");
-            }
-            if (!tokenData.organization_id) {
-                throw new Error("Authentication response missing organization ID");
-            }
-            return {
-                accessToken: tokenData.access_token,
-                email: tokenData.user.email,
-                organizationId: tokenData.organization_id,
-            };
-        }
-    }
-    throw new Error("Authentication timeout");
+const HostedConfigSchema = z.union([
+    HostedConfigBaseSchema.extend({
+        mode: z.literal("container"),
+        image: z.string().optional(),
+        transport: TransportSchema.optional(),
+        // Directory containing data to send to hosted server, relative to "--base".
+        mntDataDir: z.string().optional(),
+    }),
+    HostedConfigBaseSchema.extend({
+        // Directory containing data to send to hosted server, relative to "--base".
+        mntDataDir: z.string(),
+    }),
+]);
+function storedTransport(config) {
+    return "mode" in config ? config.transport : undefined;
 }
-async function getAuth(env) {
-    const keychainServiceName = "mintmcp-credentials";
-    const stored = await keytar.getPassword(keychainServiceName, env);
-    if (stored) {
-        try {
-            const parsedData = JSON.parse(stored);
-            const validatedAuth = AuthSchema.parse(parsedData);
-            return validatedAuth;
-        }
-        catch (error) {
-            console.warn("Invalid stored credentials, re-authenticating:", error);
-            // If validation fails, delete the invalid stored credentials and re-authenticate
-            await keytar.deletePassword(keychainServiceName, env);
-        }
-    }
-    const auth = await requestAuth(env);
-    await keytar.setPassword(keychainServiceName, env, JSON.stringify(auth));
-    return auth;
+function canUseDirectImageStartup(params) {
+    return params.transport === "http" && params.mntDataDir == undefined;
 }
-async function makeAuthenticatedClient(env) {
-    const auth = await getAuth(env);
-    // TODO: Get the organization name because that is more human readable.
+function isTRPCUnauthorized(error) {
+    return (error instanceof Error &&
+        "data" in error &&
+        typeof error.data === "object" &&
+        error.data?.code === "UNAUTHORIZED");
+}
+async function makeAuthenticatedClient(env, options) {
+    const auth = await getAuth(env, options);
     console.log(`Authenticated as ${auth.email} in ${auth.organizationId}.`);
     return createTRPCClient({
         links: [
@@ -149,6 +77,22 @@ async function makeAuthenticatedClient(env) {
         ],
     });
 }
+async function withAuthRetry(env, fn) {
+    const client = await makeAuthenticatedClient(env);
+    try {
+        return await fn(client);
+    }
+    catch (error) {
+        if (isTRPCUnauthorized(error)) {
+            console.warn("Session expired or invalid. Refreshing credentials and retrying...");
+            const newClient = await makeAuthenticatedClient(env, {
+                forceRefresh: true,
+            });
+            return await fn(newClient);
+        }
+        throw error;
+    }
+}
 function argParser(schema) {
     return (value) => {
         const result = schema.safeParse(value);
@@ -211,47 +155,246 @@ async function uploadData(client, mntDataDir) {
     console.log("File uploaded.");
     return { secretDataZipGcsPath: upload.secretDataZipGcsPath };
 }
-const DEPLOY_OPTIONS_NEW_SERVER_DEFAULTS = {
+const DEPLOY_OPTIONS_LEGACY_DEFAULTS = {
     transport: "stdio",
     // Skip install/build if already done (e.g., by startup probe or previous session).
     startupCommand: "([ -d node_modules ] || npm install) && ([ -d dist ] || npm run build) && npm run start",
     mntDataDir: ".",
 };
-async function createNew(client, base, options) {
-    const { name, transport, startupCommand, mntDataDir = ".", } = {
-        ...DEPLOY_OPTIONS_NEW_SERVER_DEFAULTS,
+const DEPLOY_OPTIONS_CONTAINER_DEFAULTS = {
+    transport: "http",
+};
+async function createNew(client, base, organizationId, options) {
+    const defaults = options.image
+        ? DEPLOY_OPTIONS_CONTAINER_DEFAULTS
+        : DEPLOY_OPTIONS_LEGACY_DEFAULTS;
+    const { name, image, transport, startupCommand, mntDataDir } = {
+        ...defaults,
         ...options,
     };
     if (name == undefined) {
         throw new Error("--name is a required option when creating a new server");
     }
-    const upload = await uploadData(client, path.join(base, mntDataDir));
+    if (image != undefined &&
+        startupCommand == undefined &&
+        !canUseDirectImageStartup({ transport, mntDataDir })) {
+        throw new Error("--startup-command is required unless using --transport http without --mnt-data-dir");
+    }
+    if (image == undefined && startupCommand == undefined) {
+        throw new Error("Expected --startup-command to be defined after applying defaults");
+    }
+    const upload = mntDataDir != undefined || image == undefined
+        ? await uploadData(client, path.join(base, mntDataDir ?? "."))
+        : undefined;
     const config = UserConfigUpdateSchema.parse({
         userGivenName: name,
-        command: startupCommand,
+        ...(image != undefined ? { image } : {}),
+        ...(startupCommand != undefined ? { command: startupCommand } : {}),
         transport: toHostedTransport(transport),
         replaceEnv: [],
-        secretDataZipGcsPath: upload.secretDataZipGcsPath,
+        ...(upload ? { secretDataZipGcsPath: upload.secretDataZipGcsPath } : {}),
     });
     const createdServer = await client.mcpHost.createServer.mutate({
         config,
     });
     return {
-        hostedId: createdServer.hostedId,
-        mntDataDir,
+        config: HostedConfigSchema.parse({
+            hostedId: createdServer.hostedId,
+            ...(image != undefined
+                ? { mode: "container", image, transport }
+                : {}),
+            ...(mntDataDir != undefined ? { mntDataDir } : {}),
+            organizationId,
+        }),
+        gatewayId: createdServer.gatewayId,
     };
 }
-async function updateExisting(client, base, config, options) {
-    const newConfig = { ...config };
-    if (options.mntDataDir != undefined) {
-        newConfig.mntDataDir = options.mntDataDir;
+async function updateExisting(client, base, config, organizationId, options) {
+    if (config.organizationId != undefined &&
+        config.organizationId !== organizationId) {
+        throw new Error(`Hosted config belongs to organization ${config.organizationId}, but the selected credentials are for ${organizationId}. Switch organizations with "hosted auth use --organization-id ${config.organizationId}" before deploying.`);
     }
-    const upload = await uploadData(client, path.join(base, newConfig.mntDataDir));
-    await client.mcpHost.partialUpdateServer.mutate({
+    const nextTransport = options.transport ?? storedTransport(config);
+    const clearCommand = options.image != undefined &&
+        options.startupCommand == undefined &&
+        options.mntDataDir == undefined &&
+        nextTransport === "http";
+    if (options.image != undefined &&
+        options.startupCommand == undefined &&
+        !clearCommand) {
+        if (options.mntDataDir != undefined) {
+            throw new Error("--startup-command is required when using --mnt-data-dir with --image");
+        }
+        if (nextTransport == undefined) {
+            throw new Error("--startup-command is required unless the resulting transport is known to be http. Pass --transport http to switch to direct image startup.");
+        }
+        throw new Error("--startup-command is required unless using --transport http without --mnt-data-dir");
+    }
+    const newConfig = HostedConfigSchema.parse({
+        ...config,
+        ...(options.mntDataDir != undefined
+            ? { mntDataDir: options.mntDataDir }
+            : {}),
+        ...(options.image != undefined
+            ? {
+                mode: "container",
+                image: options.image,
+                ...(nextTransport != undefined ? { transport: nextTransport } : {}),
+            }
+            : {}),
+        ...("mode" in config && nextTransport != undefined
+            ? { transport: nextTransport }
+            : {}),
+        organizationId,
+    });
+    const upload = (options.image == undefined || options.mntDataDir != undefined) &&
+        newConfig.mntDataDir != undefined
+        ? await uploadData(client, path.join(base, newConfig.mntDataDir))
+        : undefined;
+    const updatedServer = await client.mcpHost.partialUpdateServer.mutate({
         hostedId: config.hostedId,
-        update: buildPartialUpdate(options, upload.secretDataZipGcsPath),
+        update: buildPartialUpdate(options, upload?.secretDataZipGcsPath, {
+            clearCommand,
+        }),
+    });
+    return {
+        config: newConfig,
+        ...(updatedServer.gatewayId != undefined
+            ? { gatewayId: updatedServer.gatewayId }
+            : {}),
+    };
+}
+function connectorSettingsUrl(env, gatewayId) {
+    const url = new URL("/vmcps", WEB_CLIENT_URL[env]);
+    url.searchParams.set("id", gatewayId);
+    url.searchParams.set("serverTab", "connector-settings");
+    return url.toString();
+}
+function logDeployResult(env, action, result) {
+    if (result.gatewayId == undefined) {
+        console.log(`${action}.`);
+        return;
+    }
+    console.log(`${action} ${connectorSettingsUrl(env, result.gatewayId)}`);
+}
+function updateConfigAfterManagedPush(config, organizationId, managedImageRef) {
+    return HostedConfigSchema.parse({
+        ...config,
+        mode: "container",
+        image: managedImageRef,
+        organizationId,
+        ...("mode" in config && config.transport != undefined
+            ? { transport: config.transport }
+            : {}),
+    });
+}
+function managedRegistryImageRef(session) {
+    return `${session.registryHost}/${session.repository}:${session.imageTag}`;
+}
+async function buildAndPushManagedImage(params) {
+    if (params.config.organizationId != undefined &&
+        params.config.organizationId !== params.organizationId) {
+        throw new Error(`Hosted config belongs to organization ${params.config.organizationId}, but the selected credentials are for ${params.organizationId}. Switch organizations with "hosted auth use --organization-id ${params.config.organizationId}" before building and pushing.`);
+    }
+    const session = await params.client.mcpHost.createRegistryPushSession.mutate({
+        hostedId: params.config.hostedId,
+    });
+    const deployImageRef = managedRegistryImageRef(session);
+    const buildResult = buildImage({
+        dockerfile: params.dockerfile,
+        context: params.context,
+        buildArgs: params.buildArg,
+        ...(params.target != undefined ? { target: params.target } : {}),
+        platform: params.platform,
+        imageRef: deployImageRef,
+    });
+    loginToRegistry(session.registryHost, session.username, session.password);
+    pushImage(buildResult.imageRef);
+    const finalized = await params.client.mcpHost.finalizeRegistryPush.mutate({
+        hostedId: params.config.hostedId,
+        finalizeToken: session.finalizeToken,
+    });
+    return {
+        config: updateConfigAfterManagedPush(params.config, params.organizationId, deployImageRef),
+        ...(finalized.gatewayId != undefined
+            ? { gatewayId: finalized.gatewayId }
+            : {}),
+    };
+}
+function buildManagedImageCreateConfig(params) {
+    const transport = params.transport ?? "http";
+    if (params.name == undefined) {
+        throw new Error("--name is a required option when building and pushing a new managed image connector");
+    }
+    if (params.startupCommand == undefined &&
+        !canUseDirectImageStartup({ transport, mntDataDir: undefined })) {
+        throw new Error("--startup-command is required unless using --transport http");
+    }
+    return UserConfigUpdateSchema.omit({ image: true }).parse({
+        userGivenName: params.name,
+        ...(params.startupCommand != undefined
+            ? { command: params.startupCommand }
+            : {}),
+        transport: toHostedTransport(transport),
+        replaceEnv: [],
+    });
+}
+async function buildAndPushManagedImageForCreate(params) {
+    const config = buildManagedImageCreateConfig({
+        ...(params.name != undefined ? { name: params.name } : {}),
+        ...(params.transport != undefined ? { transport: params.transport } : {}),
+        ...(params.startupCommand != undefined
+            ? { startupCommand: params.startupCommand }
+            : {}),
+    });
+    const session = await params.client.mcpHost.createRegistryPushSessionForCreate.mutate({});
+    const deployImageRef = managedRegistryImageRef(session);
+    const buildResult = buildImage({
+        dockerfile: params.dockerfile,
+        context: params.context,
+        buildArgs: params.buildArg,
+        ...(params.target != undefined ? { target: params.target } : {}),
+        platform: params.platform,
+        imageRef: deployImageRef,
+    });
+    loginToRegistry(session.registryHost, session.username, session.password);
+    pushImage(buildResult.imageRef);
+    const finalized = await params.client.mcpHost.finalizeRegistryPushCreate.mutate({
+        finalizeToken: session.finalizeToken,
+        config,
+    });
+    return {
+        config: HostedConfigSchema.parse({
+            hostedId: finalized.hostedId,
+            organizationId: params.organizationId,
+            mode: "container",
+            image: deployImageRef,
+            ...(params.transport != undefined
+                ? { transport: params.transport }
+                : { transport: "http" }),
+        }),
+        gatewayId: finalized.gatewayId,
+    };
+}
+async function deployWithOptions(env, base, options) {
+    const auth = await getAuth(env);
+    await withAuthRetry(env, async (client) => {
+        const configPath = path.join(base, HOSTED_CONFIG_PATHS[env]);
+        let result;
+        if (fs.existsSync(configPath)) {
+            console.log("Updating existing server...");
+            const configData = fs.readFileSync(configPath, "utf8");
+            result = await updateExisting(client, base, HostedConfigSchema.parse(JSON.parse(configData)), auth.organizationId, options);
+            logDeployResult(env, "Updated", result);
+        }
+        else {
+            console.log("Creating new server...");
+            result = await createNew(client, base, auth.organizationId, options);
+            logDeployResult(env, "Created", result);
+        }
+        fs.mkdirSync(path.dirname(configPath), { recursive: true });
+        fs.writeFileSync(configPath, JSON.stringify(result.config, null, 2));
     });
-    return newConfig;
 }
 const program = new Command()
     .name("hosted")
@@ -260,33 +403,261 @@ const program = new Command()
     .option("-e, --env <environment>", "Target environment.", argParser(EnvSchema), "production")
     .option("-b, --base <base>", "base directory for config and data.", ".");
 function makeDefaultMessage(optionName) {
-    return `Defaults to '${DEPLOY_OPTIONS_NEW_SERVER_DEFAULTS[optionName]}' for new servers.`;
+    return `For new zip-based servers, defaults to '${DEPLOY_OPTIONS_LEGACY_DEFAULTS[optionName]}'.`;
+}
+function collect(value, previous) {
+    return previous.concat([value]);
+}
+function parsePositiveInt(value) {
+    const parsed = Number.parseInt(value, 10);
+    if (!Number.isFinite(parsed) || parsed <= 0) {
+        throw new InvalidArgumentError("Expected a positive integer.");
+    }
+    return parsed;
+}
+function shouldBuildTestImage(options) {
+    if (options.build) {
+        return true;
+    }
+    if (options.image == undefined) {
+        return true;
+    }
+    if (options.dockerfile !== undefined && options.dockerfile !== "Dockerfile") {
+        return true;
+    }
+    if (options.context !== undefined && options.context !== ".") {
+        return true;
+    }
+    if ((options.buildArg?.length ?? 0) > 0) {
+        return true;
+    }
+    return options.target != undefined;
 }
+const authCommand = program
+    .command("auth")
+    .description("Manage cached hosted-cli authentication credentials.");
+authCommand
+    .command("login")
+    .description("Authenticate and cache credentials for the current environment.")
+    .action(async () => {
+    const { env } = program.opts();
+    const auth = await requestAndStoreAuth(env);
+    console.log(`Cached ${formatAuthSummary(auth)}.`);
+});
+authCommand
+    .command("list")
+    .description("List cached credentials for the current environment.")
+    .action(async () => {
+    const { env } = program.opts();
+    const currentAccount = await getCurrentAuthAccount(env);
+    const records = await listAuthRecords(env);
+    if (records.length === 0) {
+        console.log(`No cached credentials found for ${env}.`);
+        return;
+    }
+    for (const record of records) {
+        const marker = currentAccount && sameStoredAuthAccount(record.account, currentAccount)
+            ? "*"
+            : " ";
+        console.log(`${marker} ${formatAuthSummary(record.auth)}`);
+    }
+});
+authCommand
+    .command("use")
+    .description("Select which cached credentials the CLI should use.")
+    .option("--user-id <id>", "WorkOS user ID to select.")
+    .option("--email <email>", "Email address to select.")
+    .option("--organization-id <id>", "Organization ID to select.")
+    .action(async (options) => {
+    const { env } = program.opts();
+    if (!options.userId && !options.email && !options.organizationId) {
+        throw new Error('Specify at least one filter, for example "hosted auth use --organization-id <id>".');
+    }
+    const result = await useAuth(env, options);
+    const message = result.mode === "switched" ? "Cached and selected" : "Selected";
+    console.log(`${message} ${formatAuthSummary(result.auth)}.`);
+});
 program
     .command("deploy")
     .description("Create or update a hosted server.")
     .option("-n, --name <name>", "Name of the hosted server. Required for new servers.")
-    .option("-t, --transport <transport>", `Transport (stdio or http). ${makeDefaultMessage("transport")}`, argParser(TransportSchema))
-    .option("--startup-command <command>", `Command that runs on hosted container to start the server (runs in bash). ${makeDefaultMessage("startupCommand")}`)
+    .option("--image <ref>", "Container image reference (e.g., ghcr.io/org/repo:tag). Skips zip upload when --mnt-data-dir is not also supplied.")
+    .option("-t, --transport <transport>", `Transport (stdio or http). Defaults to 'http' for image-based creates. ${makeDefaultMessage("transport")}`, argParser(TransportSchema))
+    .option("--startup-command <command>", `Command that runs on hosted container to start the server (runs in bash). Required for stdio and zip-backed image deploys. ${makeDefaultMessage("startupCommand")}`)
     .option("--mnt-data-dir <directory>", `Directory to copy to /mnt on the server. ${makeDefaultMessage("mntDataDir")}`)
     .action(async (options) => {
     const { env, base } = program.opts();
-    const client = await makeAuthenticatedClient(env);
-    const configPath = path.join(base, HOSTED_CONFIG_PATHS[env]);
-    let newOrUpdatedConfig;
-    if (fs.existsSync(configPath)) {
-        console.log("Updating existing server...");
-        const configData = fs.readFileSync(configPath, "utf8");
-        newOrUpdatedConfig = await updateExisting(client, base, HostedConfigSchema.parse(JSON.parse(configData)), options);
-        console.log(`Updated ${WEB_CLIENT_URL[env]}/hosted/${newOrUpdatedConfig.hostedId}`);
+    await deployWithOptions(env, base, options);
+});
+program
+    .command("test-image")
+    .description("Run a local MCP smoke test against a container image. Builds the current Dockerfile by default; with --image, tests that existing image directly.")
+    .option("--image <ref>", "Existing image reference to test directly, or the output tag to build when --build or other build options are supplied.")
+    .option("--build", "Force a local build before testing, even when --image is supplied.")
+    .option("--dockerfile <path>", "Path to Dockerfile", "Dockerfile")
+    .option("--context <dir>", "Docker build context directory", ".")
+    .option("--build-arg <arg>", "Build arguments (KEY=VALUE), repeatable", collect, [])
+    .option("--target <target>", "Multi-stage build target")
+    .option("--probe-path <path>", "HTTP path to probe with MCP initialize", "/mcp")
+    .option("--probe-timeout-ms <ms>", "How long to wait for the local MCP probe to succeed", parsePositiveInt, 30_000)
+    .option("--env <entry>", "Container runtime env vars for the local smoke test (KEY=VALUE), repeatable", collect, [])
+    .option("--env-file <path>", "Path to a Docker env file for the local smoke test")
+    .action(async (options) => {
+    ensureDockerAvailable();
+    ensureDockerBuildxAvailable();
+    const shouldBuild = shouldBuildTestImage(options);
+    const imageRef = options.image ?? defaultLocalTestImageRef();
+    if (shouldBuild) {
+        buildImage({
+            dockerfile: options.dockerfile,
+            context: options.context,
+            buildArgs: options.buildArg,
+            ...(options.target != undefined ? { target: options.target } : {}),
+            imageRef,
+        });
     }
     else {
-        console.log("Creating new server...");
-        newOrUpdatedConfig = await createNew(client, base, options);
-        console.log(`Created ${WEB_CLIENT_URL[env]}/hosted/${newOrUpdatedConfig.hostedId}`);
+        ensureImageAvailableLocally(imageRef);
     }
+    await smokeTestImage({
+        imageRef,
+        probePath: options.probePath,
+        probeTimeoutMs: options.probeTimeoutMs,
+        env: options.env,
+        ...(options.envFile != undefined ? { envFile: options.envFile } : {}),
+    });
+});
+program
+    .command("build-and-push")
+    .description("Build a Docker image, push it through the managed registry, and finalize the hosted connector image update or creation.")
+    .option("--dockerfile <path>", "Path to Dockerfile", "Dockerfile")
+    .option("--context <dir>", "Docker build context directory", ".")
+    .option("--build-arg <arg>", "Build arguments (KEY=VALUE), repeatable", collect, [])
+    .option("--target <target>", "Multi-stage build target")
+    .option("--platform <platform>", `Target platform to build for before push. Defaults to '${defaultBuildPlatform()}'.`, defaultBuildPlatform())
+    .option("--name <name>", "Connector name when creating a new hosted connector")
+    .option("--transport <transport>", "Transport to configure when creating a new managed connector", parseTransport)
+    .option("--startup-command <command>", "Startup command to configure when creating a new managed connector")
+    .action(async (options) => {
+    const { env, base } = program.opts();
+    ensureDockerAvailable();
+    ensureDockerBuildxAvailable();
+    if (options.platform !== defaultBuildPlatform()) {
+        console.warn(`Building for ${options.platform}. Hosted deployments typically target ${defaultBuildPlatform()}; choose a different platform only when you know the runtime is compatible.`);
+    }
+    const configPath = path.join(base, HOSTED_CONFIG_PATHS[env]);
+    const auth = await getAuth(env);
+    const hasExistingConfig = fs.existsSync(configPath);
+    const result = await withAuthRetry(env, async (client) => {
+        if (hasExistingConfig) {
+            const config = HostedConfigSchema.parse(JSON.parse(fs.readFileSync(configPath, "utf8")));
+            return await buildAndPushManagedImage({
+                client,
+                organizationId: auth.organizationId,
+                config,
+                dockerfile: options.dockerfile,
+                context: options.context,
+                buildArg: options.buildArg,
+                ...(options.target != undefined ? { target: options.target } : {}),
+                platform: options.platform,
+            });
+        }
+        return await buildAndPushManagedImageForCreate({
+            client,
+            organizationId: auth.organizationId,
+            ...(options.name != undefined ? { name: options.name } : {}),
+            ...(options.transport != undefined
+                ? { transport: options.transport }
+                : {}),
+            ...(options.startupCommand != undefined
+                ? { startupCommand: options.startupCommand }
+                : {}),
+            dockerfile: options.dockerfile,
+            context: options.context,
+            buildArg: options.buildArg,
+            ...(options.target != undefined ? { target: options.target } : {}),
+            platform: options.platform,
+        });
+    });
     fs.mkdirSync(path.dirname(configPath), { recursive: true });
-    fs.writeFileSync(configPath, JSON.stringify(newOrUpdatedConfig, null, 2));
+    fs.writeFileSync(configPath, JSON.stringify(result.config, null, 2));
+    logDeployResult(env, hasExistingConfig ? "Updated" : "Created", result);
+});
+program
+    .command("build-and-deploy")
+    .description("Build a Docker image for hosted deployment, push it, verify the target platform, and deploy it.")
+    .requiredOption("--image <ref>", "Image reference to build, push, and deploy (e.g., ghcr.io/org/repo:tag).")
+    .option("--dockerfile <path>", "Path to Dockerfile", "Dockerfile")
+    .option("--context <dir>", "Docker build context directory", ".")
+    .option("--build-arg <arg>", "Build arguments (KEY=VALUE), repeatable", collect, [])
+    .option("--target <target>", "Multi-stage build target")
+    .option("--platform <platform>", `Target platform to build for before deploy. Defaults to '${defaultBuildPlatform()}'.`, defaultBuildPlatform())
+    .option("-n, --name <name>", "Name of the hosted server. Required for new servers.")
+    .option("-t, --transport <transport>", `Transport (stdio or http). Defaults to 'http' for image-based creates. ${makeDefaultMessage("transport")}`, argParser(TransportSchema))
+    .option("--startup-command <command>", `Command that runs on hosted container to start the server (runs in bash). Required for stdio and zip-backed image deploys. ${makeDefaultMessage("startupCommand")}`)
+    .option("--mnt-data-dir <directory>", `Directory to copy to /mnt on the server. ${makeDefaultMessage("mntDataDir")}`)
+    .action(async (options) => {
+    const { env, base } = program.opts();
+    ensureDockerAvailable();
+    ensureDockerBuildxAvailable();
+    if (options.platform !== defaultBuildPlatform()) {
+        console.warn(`Building for ${options.platform}. Hosted deployments typically target ${defaultBuildPlatform()}; choose a different platform only when you know the runtime is compatible.`);
+    }
+    const buildResult = buildImage({
+        dockerfile: options.dockerfile,
+        context: options.context,
+        buildArgs: options.buildArg,
+        ...(options.target != undefined ? { target: options.target } : {}),
+        platform: options.platform,
+        imageRef: options.image,
+    });
+    pushImage(buildResult.imageRef);
+    assertImageSupportsPlatform(buildResult.imageRef, options.platform);
+    await deployWithOptions(env, base, {
+        image: buildResult.imageRef,
+        ...(options.name != undefined ? { name: options.name } : {}),
+        ...(options.transport != undefined
+            ? { transport: options.transport }
+            : {}),
+        ...(options.startupCommand != undefined
+            ? { startupCommand: options.startupCommand }
+            : {}),
+        ...(options.mntDataDir != undefined
+            ? { mntDataDir: options.mntDataDir }
+            : {}),
+    });
+});
+program
+    .command("logout")
+    .description("Clear stored credentials and sign out of the WorkOS browser session.")
+    .option("--all", "Clear all cached credentials for the current environment.")
+    .action(async (options) => {
+    const { env } = program.opts();
+    let logoutUrl;
+    const selectedAuth = await getSelectedAuth(env);
+    if (selectedAuth) {
+        const { sid } = getTokenClaims(selectedAuth.accessToken);
+        if (sid) {
+            logoutUrl = `https://api.workos.com/user_management/sessions/logout?session_id=${sid}`;
+        }
+    }
+    if (options.all) {
+        await clearAllAuth(env);
+        console.log(`All cached credentials cleared for ${env}.`);
+    }
+    else {
+        const clearedAuth = await clearSelectedAuth(env);
+        if (clearedAuth) {
+            console.log(`Cleared cached credentials for ${formatAuthSummary(clearedAuth)}.`);
+        }
+        else {
+            console.log(`No cached credentials found for ${env}.`);
+        }
+    }
+    if (logoutUrl) {
+        console.log("To fully sign out of the WorkOS browser session, visit:");
+        console.log(logoutUrl);
+    }
 });
 program.parse();
 //# sourceMappingURL=index.js.map