@rockcarver/frodo-cli 4.0.0-10 → 4.0.0-12

package/CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.0.0-11] - 2026-02-24
+
+## [4.0.0-10] - 2026-02-23
+
 ## [4.0.0-9] - 2026-02-23
 
 ## [4.0.0-8] - 2026-02-23
@@ -2181,7 +2185,9 @@ Frodo CLI 2.x automatically refreshes session and access tokens before they expi
 - Fixed problem with adding connection profiles
 - Miscellaneous bug fixes
 
-[unreleased]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-9...HEAD
+[unreleased]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-11...HEAD
+[4.0.0-11]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-10...v4.0.0-11
+[4.0.0-10]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-9...v4.0.0-10
 [4.0.0-9]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-8...v4.0.0-9
 [4.0.0-8]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-7...v4.0.0-8
 [4.0.0-7]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-6...v4.0.0-7

package/dist/app.cjs

@@ -28757,6 +28757,12 @@ var require_Client = __commonJS2({
       async _downloadFromWorkingDir(localDirPath) {
         await ensureLocalDirectory(localDirPath);
         for (const file of await this.list()) {
+          const hasInvalidName = !file.name || (0, path_1.basename)(file.name) !== file.name;
+          if (hasInvalidName) {
+            const safeName = JSON.stringify(file.name);
+            this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`);
+            continue;
+          }
           const localPath = (0, path_1.join)(localDirPath, file.name);
           if (file.isDirectory) {
             await this.cd(file.name);
@@ -141687,54 +141693,70 @@ var AVAILABLE_SCOPES = {
   AMIntrospectAllTokensAnyRealm: "am-introspect-all-tokens-any-realm",
   OpenIdScope: "openid",
   ProfileScope: "profile",
-  // All Access Management APIs
   AmFullScope: "fr:am:*",
-  // All Auto Access APIs
+  //                                                All Access Management APIs
   AutoAccessFullScope: "fr:autoaccess:*",
-  // All Analytics APIs
+  //                                All Auto Access APIs
   AnalyticsFullScope: "fr:idc:analytics:*",
-  // All TLS certificate APIs
+  //                              All Analytics APIs
   CertificateFullScope: "fr:idc:certificate:*",
-  // Read TLS certificates
+  //                          All TLS certificate APIs
   CertificateReadScope: "fr:idc:certificate:read",
-  // All content security policy APIs
+  //                       Read TLS certificates
   ContentSecurityPolicyFullScope: "fr:idc:content-security-policy:*",
-  // All cookie domain APIs
+  //    All content security policy APIs
+  ContentSecurityPolicyReadScope: "fr:idc:content-security-policy:read",
+  // Read content security policy
   CookieDomainsFullScope: "fr:idc:cookie-domain:*",
-  // All custom domain APIs
+  //                      All cookie domain APIs
+  CookieDomainsReadScope: "fr:idc:cookie-domain:read",
+  //                   Read cookie domain APIs
   CustomDomainFullScope: "fr:idc:custom-domain:*",
-  // All dataset deletion APIs
+  //                       All custom domain APIs
+  CustomDomainReadScope: "fr:idc:custom-domain:read",
+  //                    Read custom domain configuration
   DatasetDeletionFullScope: "fr:idc:dataset:*",
-  // All ESV APIs
+  //                          All dataset deletion APIs
+  DatasetDeletionReadScope: "fr:idc:dataset:read",
+  //                       Read dataset deletion configuration
   ESVFullScope: "fr:idc:esv:*",
-  // Read ESVs, excluding values of secrets
+  //                                          All ESV APIs
   ESVReadScope: "fr:idc:esv:read",
-  // Create, modify, and delete ESVs
+  //                                       Read ESVs, excluding values of secrets
   ESVUpdateScope: "fr:idc:esv:update",
-  // Restart workloads that consume ESVs
+  //                                   Create, modify, and delete ESVs
   ESVRestartScope: "fr:idc:esv:restart",
-  // Create, modify, and delete Admin Federation configuration
+  //                                 Restart workloads that consume ESVs
   AdminFederationFullScope: "fr:idc:federation:*",
-  // Read Admin Federation configuration
+  //                       Create, modify, and delete Admin Federation configuration
   AdminFederationReadScope: "fr:idc:federation:read",
-  // All mTLS APIs
+  //                    Read Admin Federation configuration
   MTLSFullScope: "fr:idc:mtls:*",
-  // All configuration promotion APIs
+  //                                        All mTLS APIs
   PromotionScope: "fr:idc:promotion:*",
-  // All Proxy Connect APIs
+  //                                  All configuration promotion APIs
+  PromotionReadScope: "fr:idc:promotion:read",
+  //                           Read configuration promotion configuration
   ProxyConnectFullScope: "fr:idc:proxy-connect:*",
-  // Read Proxy Connect configuration
+  //                       All Proxy Connect APIs
   ProxyConnectReadScope: "fr:idc:proxy-connect:read",
-  // Create and update Proxy Connect configuration
+  //                    Read Proxy Connect configuration
   ProxyConnectWriteScope: "fr:idc:proxy-connect:write",
-  // All product release APIs
+  //                  Create and update Proxy Connect configuration
   ReleaseFullScope: "fr:idc:release:*",
-  // All SSO cookie APIs
+  //                                  All product release APIs
+  ReleaseReadScope: "fr:idc:release:read",
+  //                               Read product release information
   SSOCookieFullScope: "fr:idc:sso-cookie:*",
-  // All Identity Management APIs
+  //                             All SSO cookie APIs
+  SSOCookieReadScope: "fr:idc:sso-cookie:read",
+  //                          Read SSO cookie configuration
+  WSFedAdminScope: "fr:idc:ws:admin",
+  //                                    All PingFederate APIs
   IdmFullScope: "fr:idm:*",
-  // All Governance APIs
+  //                                              All Identity Management APIs
   IGAFullScope: "fr:iga:*"
+  //                                              All Governance APIs
 };
 var RETRY_EVERYTHING_KEY = "everything";
 var RETRY_NETWORK_KEY = "network";
@@ -142000,7 +142022,7 @@ function stringify(obj) {
 }
 var package_default = {
   name: "@rockcarver/frodo-lib",
-  version: "4.0.0-10",
+  version: "4.0.0-12",
   type: "commonjs",
   main: "./dist/index.js",
   module: "./dist/index.mjs",
@@ -142256,6 +142278,12 @@ var State_default = (initialState) => {
     getAuthenticationService() {
       return state2.authenticationService || process.env.FRODO_AUTHENTICATION_SERVICE;
     },
+    setConfigurationHeaderOverrides(overrides) {
+      state2.configurationHeaderOverrides = overrides;
+    },
+    getConfigurationHeaderOverrides() {
+      return state2.configurationHeaderOverrides;
+    },
     setServiceAccountId(uuid) {
       state2.serviceAccountId = uuid;
     },
@@ -142501,6 +142529,7 @@ var logger = import_winston.default.createLogger({
 });
 var globalState = {
   authenticationHeaderOverrides: {},
+  configurationHeaderOverrides: {},
   printHandler: (message) => {
     if (!message) return;
     if (typeof message === "object") {
@@ -160550,6 +160579,57 @@ function generateAmApi({
   resource,
   requestOverride = {},
   state: state2
+}) {
+  const headers2 = {
+    "User-Agent": userAgent,
+    "X-ForgeRock-TransactionId": transactionId,
+    "Content-Type": "application/json",
+    // only add API version if we have it
+    ...resource.apiVersion && { "Accept-API-Version": resource.apiVersion },
+    // only send session cookie if we know its name and value and we are not instructed to use the bearer token for AM APIs
+    ...!state2.getUseBearerTokenForAmApis() && state2.getCookieName() && state2.getCookieValue() && {
+      Cookie: `${state2.getCookieName()}=${state2.getCookieValue()}`
+    },
+    // only add authorization header if we have a bearer token and are instructed to use it for AM APIs
+    ...state2.getUseBearerTokenForAmApis() && state2.getBearerToken() && {
+      Authorization: `Bearer ${state2.getBearerToken()}`
+    }
+  };
+  const requestConfig = mergeDeep(
+    {
+      // baseURL: `${storage.session.getTenant()}/json`,
+      timeout: timeout3,
+      headers: {
+        ...headers2,
+        ...state2.getAuthenticationHeaderOverrides(),
+        ...state2.getConfigurationHeaderOverrides()
+      },
+      ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
+        httpAgent: getHttpAgent(),
+        httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+      },
+      proxy: getProxy()
+    },
+    requestOverride
+  );
+  debugMessage({
+    message: `Generating AM API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
+  const request = createAxiosInstance(state2, requestConfig);
+  if (state2.getCurlirize()) {
+    curlirize(request, state2);
+  }
+  return request;
+}
+function generateAmAuthApi({
+  resource,
+  requestOverride = {},
+  state: state2
 }) {
   const headers2 = {
     "User-Agent": userAgent,
@@ -160582,6 +160662,14 @@ function generateAmApi({
     },
     requestOverride
   );
+  debugMessage({
+    message: `Generating AM API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -160594,7 +160682,7 @@ function generateOauth2Api({
   authenticate = true,
   state: state2
 }) {
-  let headers2 = {
+  const headers2 = {
     "User-Agent": userAgent,
     "X-ForgeRock-TransactionId": transactionId,
     // only add API version if we have it
@@ -160608,26 +160696,30 @@ function generateOauth2Api({
       Authorization: `Bearer ${state2.getBearerToken()}`
     }
   };
-  if (requestOverride["headers"]) {
-    headers2 = {
-      ...headers2,
-      ...requestOverride["headers"]
-    };
-  }
-  const requestConfig = {
-    // baseURL: `${storage.session.getTenant()}/json${resource.path}`,
-    timeout: timeout3,
-    ...requestOverride,
-    headers: {
-      ...headers2,
-      ...state2.getAuthenticationHeaderOverrides()
-    },
-    ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
-      httpAgent: getHttpAgent(),
-      httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+  const requestConfig = mergeDeep(
+    {
+      // baseURL: `${storage.session.getTenant()}/json${resource.path}`,
+      timeout: timeout3,
+      headers: {
+        ...headers2,
+        ...state2.getAuthenticationHeaderOverrides()
+      },
+      ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
+        httpAgent: getHttpAgent(),
+        httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+      },
+      proxy: getProxy()
     },
-    proxy: getProxy()
-  };
+    requestOverride
+  );
+  debugMessage({
+    message: `Generating OAuth2 API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -160647,6 +160739,7 @@ function generateIdmApi({
         "X-ForgeRock-TransactionId": transactionId,
         "Content-Type": "application/json",
         ...state2.getAuthenticationHeaderOverrides(),
+        ...state2.getConfigurationHeaderOverrides(),
         // only add authorization header if we have a bearer token
         ...state2.getBearerToken() && {
           Authorization: `Bearer ${state2.getBearerToken()}`
@@ -160660,6 +160753,14 @@ function generateIdmApi({
     },
     requestOverride
   );
+  debugMessage({
+    message: `Generating IDM API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -160689,6 +160790,14 @@ function generateLogKeysApi({
     },
     requestOverride
   );
+  debugMessage({
+    message: `Generating LogKeys API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -160717,6 +160826,14 @@ function generateLogApi({
     },
     requestOverride
   );
+  debugMessage({
+    message: `Generating Log API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   request.interceptors.response.use(
     (response) => {
@@ -160759,17 +160876,27 @@ function generateEnvApi({
       Authorization: `Bearer ${state2.getBearerToken()}`
     }
   };
-  const requestConfig = {
-    // baseURL: getTenantURL(storage.session.getTenant()),
-    timeout: timeout3,
-    headers: headers2,
-    ...requestOverride,
-    ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
-      httpAgent: getHttpAgent(),
-      httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+  const requestConfig = mergeDeep(
+    {
+      // baseURL: getTenantURL(storage.session.getTenant()),
+      timeout: timeout3,
+      headers: headers2,
+      ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
+        httpAgent: getHttpAgent(),
+        httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+      },
+      proxy: getProxy()
     },
-    proxy: getProxy()
-  };
+    requestOverride
+  );
+  debugMessage({
+    message: `Generating Environment API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -160785,6 +160912,7 @@ function generateGovernanceApi({
     "User-Agent": userAgent,
     "Content-Type": "application/json",
     ...state2.getAuthenticationHeaderOverrides(),
+    ...state2.getConfigurationHeaderOverrides(),
     // only add API version if we have it
     ...resource.apiVersion && { "Accept-API-Version": resource.apiVersion },
     // only add authorization header if we have a bearer token
@@ -160792,16 +160920,26 @@ function generateGovernanceApi({
       Authorization: `Bearer ${state2.getBearerToken()}`
     }
   };
-  const requestConfig = {
-    timeout: timeout3,
-    headers: headers2,
-    ...requestOverride,
-    ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
-      httpAgent: getHttpAgent(),
-      httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+  const requestConfig = mergeDeep(
+    {
+      timeout: timeout3,
+      headers: headers2,
+      ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
+        httpAgent: getHttpAgent(),
+        httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+      },
+      proxy: getProxy()
     },
-    proxy: getProxy()
-  };
+    requestOverride
+  );
+  debugMessage({
+    message: `Generating Governance API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -160813,20 +160951,30 @@ function generateReleaseApi({
   requestOverride = {},
   state: state2
 }) {
-  const requestConfig = {
-    baseURL: baseUrl,
-    timeout: timeout3,
-    headers: {
-      "User-Agent": userAgent,
-      "Content-Type": "application/json"
-    },
-    ...requestOverride,
-    ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
-      httpAgent: getHttpAgent(),
-      httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+  const requestConfig = mergeDeep(
+    {
+      baseURL: baseUrl,
+      timeout: timeout3,
+      headers: {
+        "User-Agent": userAgent,
+        "Content-Type": "application/json"
+      },
+      ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
+        httpAgent: getHttpAgent(),
+        httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+      },
+      proxy: getProxy()
     },
-    proxy: getProxy()
-  };
+    requestOverride
+  );
+  debugMessage({
+    message: `Generating Release API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
   const request = createAxiosInstance(state2, requestConfig);
   if (state2.getCurlirize()) {
     curlirize(request, state2);
@@ -161678,7 +161826,7 @@ async function step({
     state2.getHost(),
     getRealmPath(realm2)
   );
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getApiConfig2(),
     state: state2
   }).post(urlString, body2, config4);
@@ -174541,7 +174689,7 @@ var getServerVersionApiConfig = () => ({
 });
 async function getServerInfo({ state: state2 }) {
   const urlString = _util2.default.format(serverInfoUrlTemplate, state2.getHost(), "*");
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getServerInfoApiConfig(),
     requestOverride: {},
     state: state2
@@ -174554,7 +174702,7 @@ async function getServerVersionInfo({ state: state2 }) {
     state2.getHost(),
     "version"
   );
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getServerVersionApiConfig(),
     requestOverride: {},
     state: state2
@@ -174744,6 +174892,7 @@ var SERVICE_ACCOUNT_ALLOWED_SCOPES = [
   s2.CertificateReadScope,
   s2.ContentSecurityPolicyFullScope,
   s2.CustomDomainFullScope,
+  s2.DatasetDeletionFullScope,
   s2.ESVFullScope,
   s2.ESVReadScope,
   s2.ESVRestartScope,
@@ -174756,7 +174905,8 @@ var SERVICE_ACCOUNT_ALLOWED_SCOPES = [
   s2.ProxyConnectFullScope,
   s2.ProxyConnectReadScope,
   s2.ProxyConnectWriteScope,
-  s2.CookieDomainsFullScope
+  s2.CookieDomainsFullScope,
+  s2.WSFedAdminScope
 ];
 var SERVICE_ACCOUNT_DEFAULT_SCOPES = [
   s2.AmFullScope,
@@ -174766,13 +174916,15 @@ var SERVICE_ACCOUNT_DEFAULT_SCOPES = [
   s2.ContentSecurityPolicyFullScope,
   s2.CookieDomainsFullScope,
   s2.CustomDomainFullScope,
+  s2.DatasetDeletionFullScope,
   s2.ESVFullScope,
   s2.IdmFullScope,
   s2.IGAFullScope,
   s2.PromotionScope,
   s2.ReleaseFullScope,
   s2.SSOCookieFullScope,
-  s2.ProxyConnectFullScope
+  s2.ProxyConnectFullScope,
+  s2.WSFedAdminScope
 ];
 async function isServiceAccountsFeatureAvailable({
   state: state2
@@ -175161,6 +175313,7 @@ Specify a sub-string uniquely identifying a single connection profile host URL.`
       logApiSecret: profiles[0].encodedLogApiSecret ? await dataProtection.decrypt(profiles[0].encodedLogApiSecret) : null,
       authenticationService: profiles[0].authenticationService ? profiles[0].authenticationService : null,
       authenticationHeaderOverrides: profiles[0].authenticationHeaderOverrides ? profiles[0].authenticationHeaderOverrides : {},
+      configurationHeaderOverrides: profiles[0].configurationHeaderOverrides ? profiles[0].configurationHeaderOverrides : {},
       adminClientId: profiles[0].adminClientId ? profiles[0].adminClientId : null,
       adminClientRedirectUri: profiles[0].adminClientRedirectUri ? profiles[0].adminClientRedirectUri : null,
       svcacctName: profiles[0].svcacctName ? profiles[0].svcacctName : null,
@@ -175169,6 +175322,10 @@ Specify a sub-string uniquely identifying a single connection profile host URL.`
       svcacctScope: profiles[0].svcacctScope ? profiles[0].svcacctScope : null,
       amsterPrivateKey: profiles[0].encodedAmsterPrivateKey ? await dataProtection.decrypt(profiles[0].encodedAmsterPrivateKey) : null
     };
+    debugMessage({
+      message: `ConnectionProfileOps.getConnectionProfileByHost: retrieved connection profile for host '${host}': ${JSON.stringify(connectionProfile, null, 2)}`,
+      state: state2
+    });
     return connectionProfile;
   } catch (error2) {
     throw new FrodoError(`Error decrypting connection profile`, error2);
@@ -175200,8 +175357,21 @@ async function loadConnectionProfileByHost({
   if (conn.authenticationService && !state2.getAuthenticationService()) {
     state2.setAuthenticationService(conn.authenticationService);
   }
-  if (conn.authenticationHeaderOverrides && !state2.getAuthenticationHeaderOverrides()) {
-    state2.setAuthenticationHeaderOverrides(conn.authenticationHeaderOverrides);
+  if (conn.authenticationHeaderOverrides) {
+    state2.setAuthenticationHeaderOverrides(
+      mergeDeep(
+        state2.getAuthenticationHeaderOverrides(),
+        conn.authenticationHeaderOverrides
+      )
+    );
+  }
+  if (conn.configurationHeaderOverrides) {
+    state2.setConfigurationHeaderOverrides(
+      mergeDeep(
+        state2.getConfigurationHeaderOverrides(),
+        conn.configurationHeaderOverrides
+      )
+    );
   }
   state2.setServiceAccountId(conn.svcacctId);
   state2.setServiceAccountJwk(conn.svcacctJwk);
@@ -175349,6 +175519,19 @@ async function saveConnectionProfile({
         state: state2
       });
     }
+    if (state2.getConfigurationHeaderOverrides() && Object.entries(state2.getConfigurationHeaderOverrides()).length) {
+      profile.configurationHeaderOverrides = state2.getConfigurationHeaderOverrides();
+      printMessage({
+        message: "Advanced setting: Configuration Header Overrides: ",
+        type: "info",
+        state: state2
+      });
+      printMessage({
+        message: state2.getConfigurationHeaderOverrides(),
+        type: "info",
+        state: state2
+      });
+    }
     delete profile.tenant;
     profiles[state2.getHost()] = profile;
     const orderedProfiles = Object.keys(profiles).sort().reduce((obj, key) => {
@@ -175551,7 +175734,7 @@ async function getSessionInfo({
     state2.getHost(),
     getCurrentRealmPath(state2)
   );
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getApiConfig15(),
     state: state2
   }).post(
@@ -176238,7 +176421,8 @@ var CLOUD_ADMIN_DEFAULT_SCOPES = [
   s3.PromotionScope,
   s3.ReleaseFullScope,
   s3.SSOCookieFullScope,
-  s3.ProxyConnectFullScope
+  s3.ProxyConnectFullScope,
+  s3.WSFedAdminScope
 ];
 var FORGEOPS_ADMIN_DEFAULT_SCOPES = [s3.IdmFullScope, s3.OpenIdScope];
 var forgeopsAdminScopes = FORGEOPS_ADMIN_DEFAULT_SCOPES.join(" ");
@@ -212385,7 +212569,12 @@ function setup120() {
   ).addOption(
     new Option(
       "--authentication-header-overrides [headers]",
-      'Map of headers: {"host":"am.example.com:8081"}.'
+      'Map of headers: {"host":"am.example.com:8081"}. These headers are sent with all requests and can be used to override default behavior, for example to set a custom host header for Proxy Connect-protected PingOne Advanced Identity Cloud environments.'
+    )
+  ).addOption(
+    new Option(
+      "--configuration-header-overrides [headers]",
+      'Map of headers: {"X-Custom-Configuration":"critical"}. These headers are sent with all configuration requests and can be used to override default behavior, for example to set a custom configuration header for mutable PingOne Advanced Identity Cloud environments.'
     )
   ).addOption(
     new Option("--alias [name]", "Alias name for this connection profile.")
@@ -212408,6 +212597,10 @@ function setup120() {
 ` + `  $ frodo conn save --authentication-header-overrides '{"MY-SECRET-HEADER": "proxyconnect secret header value"}' ${amBaseUrl} ${username} '${password}'
 `["brightCyan"] + `  Update an existing connection profile with a custom header override for a freshly Proxy Connect-protected PingOne Advanced Identity Cloud environment:
 ` + `  $ frodo conn save --authentication-header-overrides '{"MY-SECRET-HEADER": "proxyconnect secret header value"}' ${connId}
+`["brightCyan"] + `  Save a connection profile for a mutable PingOne Advanced Identity Cloud environment:
+` + `  $ frodo conn save --configuration-header-overrides '{"X-Configuration-Type": "mutable"}' ${amBaseUrl} ${username} '${password}'
+`["brightCyan"] + `  Update an existing connection profile with a configuration header override for a freshly mutable PingOne Advanced Identity Cloud environment:
+` + `  $ frodo conn save --configuration-header-overrides '{"X-Configuration-Type": "mutable"}' ${connId}
 `["brightCyan"] + `  Update an existing connection profile to use Amster private key credentials with a custom Amster journey (PingAM classic deployments only):
 ` + `  $ frodo conn save --private-key ${amsterPrivateKey} --authentication-service ${customAmsterService} ${classicConnId}
 `["brightCyan"]
@@ -212431,6 +212624,11 @@ function setup120() {
           JSON.parse(options.authenticationHeaderOverrides)
         );
       }
+      if (options.configurationHeaderOverrides) {
+        state.setConfigurationHeaderOverrides(
+          JSON.parse(options.configurationHeaderOverrides)
+        );
+      }
       const needAmsterLogin = !!options.privateKey;
       const needSa = options.sa && !state.getServiceAccountId() && !state.getServiceAccountJwk();
       const needLogApiKey = options.logApi && !state.getLogApiKey() && !state.getLogApiSecret() && needSa;
@@ -226581,7 +226779,7 @@ var compareVersions = (v12, v2) => {
 // package.json
 var package_default2 = {
   name: "@rockcarver/frodo-cli",
-  version: "4.0.0-10",
+  version: "4.0.0-12",
   type: "module",
   description: "A command line interface to manage ForgeRock Identity Cloud tenants, ForgeOps deployments, and classic deployments.",
   keywords: [
@@ -226676,7 +226874,7 @@ var package_default2 = {
     ]
   },
   devDependencies: {
-    "@rockcarver/frodo-lib": "4.0.0-10",
+    "@rockcarver/frodo-lib": "4.0.0-12",
     "@types/colors": "^1.2.1",
     "@types/fs-extra": "^11.0.1",
     "@types/jest": "^29.2.3",