@uipath/authz-tool 1.1.0 → 1.2.0

package/dist/index.js

@@ -2800,6 +2800,7 @@ var init_open = __esm(() => {
 });
 
 // ../../filesystem/src/node.ts
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import * as fs6 from "node:fs/promises";
 import * as os2 from "node:os";
@@ -2881,6 +2882,90 @@ class NodeFileSystem {
   async mkdir(dirPath) {
     await fs6.mkdir(dirPath, { recursive: true });
   }
+  async acquireLock(lockPath) {
+    const canonicalPath = await this.canonicalizeLockTarget(lockPath);
+    const lockFile = `${canonicalPath}.lock`;
+    const ownerId = randomUUID();
+    const start = Date.now();
+    while (true) {
+      try {
+        await fs6.writeFile(lockFile, ownerId, { flag: "wx" });
+        return this.createLockRelease(lockFile, ownerId);
+      } catch (error) {
+        if (!this.hasErrnoCode(error, "EEXIST")) {
+          throw error;
+        }
+        const stats = await fs6.stat(lockFile).catch(() => null);
+        if (stats && Date.now() - stats.mtimeMs > LOCK_STALE_MS) {
+          const reclaimed = await fs6.rm(lockFile, { force: true }).then(() => true).catch(() => false);
+          if (reclaimed)
+            continue;
+        }
+        if (Date.now() - start > LOCK_MAX_WAIT_MS) {
+          throw new Error(`ELOCKED: timed out waiting for lock on ${canonicalPath}`);
+        }
+        await new Promise((resolve2) => setTimeout(resolve2, LOCK_RETRY_MIN_MS + Math.random() * LOCK_RETRY_JITTER_MS));
+      }
+    }
+  }
+  async canonicalizeLockTarget(lockPath) {
+    const absolute = path2.resolve(lockPath);
+    const fullReal = await fs6.realpath(absolute).catch(() => null);
+    if (fullReal)
+      return fullReal;
+    const parent = path2.dirname(absolute);
+    const base = path2.basename(absolute);
+    const canonicalParent = await fs6.realpath(parent).catch(() => parent);
+    return path2.join(canonicalParent, base);
+  }
+  createLockRelease(lockFile, ownerId) {
+    const heartbeatStart = Date.now();
+    let heartbeatTimer;
+    let stopped = false;
+    const stopHeartbeat = () => {
+      stopped = true;
+      if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    };
+    const scheduleNextHeartbeat = () => {
+      if (stopped)
+        return;
+      if (Date.now() - heartbeatStart >= LOCK_MAX_HOLD_MS) {
+        stopped = true;
+        return;
+      }
+      heartbeatTimer = setTimeout(() => {
+        runHeartbeat();
+      }, LOCK_HEARTBEAT_MS);
+      heartbeatTimer.unref?.();
+    };
+    const runHeartbeat = async () => {
+      if (stopped)
+        return;
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (stopped)
+        return;
+      if (current !== ownerId) {
+        stopped = true;
+        return;
+      }
+      const now = Date.now() / 1000;
+      await fs6.utimes(lockFile, now, now).catch(() => {});
+      scheduleNextHeartbeat();
+    };
+    scheduleNextHeartbeat();
+    let released = false;
+    return async () => {
+      if (released)
+        return;
+      released = true;
+      stopHeartbeat();
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (current === ownerId) {
+        await fs6.rm(lockFile, { force: true });
+      }
+    };
+  }
   async rm(filePath) {
     await fs6.rm(filePath, { recursive: true, force: true });
   }
@@ -2926,9 +3011,13 @@ class NodeFileSystem {
     }
   }
   isEnoent(error) {
-    return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+    return this.hasErrnoCode(error, "ENOENT");
+  }
+  hasErrnoCode(error, code) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === code;
   }
 }
+var LOCK_HEARTBEAT_MS = 5000, LOCK_STALE_MS = 15000, LOCK_MAX_WAIT_MS = 20000, LOCK_MAX_HOLD_MS = 60000, LOCK_RETRY_MIN_MS = 100, LOCK_RETRY_JITTER_MS = 200;
 var init_node = __esm(() => {
   init_open();
 });
@@ -2942,7 +3031,7 @@ var init_src = __esm(() => {
 
 // ../../../node_modules/@uipath/coreipc/index.js
 var require_coreipc = __commonJS((exports, module) => {
-  var __dirname = "/Users/alexandru.oltean/github/cli/node_modules/@uipath/coreipc";
+  var __dirname = "/home/runner/work/cli/cli/node_modules/@uipath/coreipc";
   /*! For license information please see index.js.LICENSE.txt */
   (function(e, t) {
     typeof exports == "object" && typeof module == "object" ? module.exports = t() : typeof define == "function" && define.amd ? define([], t) : typeof exports == "object" ? exports.ipc = t() : e.ipc = t();
@@ -21134,6 +21223,10 @@ var require_dist = __commonJS((exports) => {
   exports.RobotProxyConstructor = RobotProxyConstructor;
   __exportStar(require_agent(), exports);
 });
+// ../../auth/src/server.ts
+var init_server = __esm(() => {
+  init_constants();
+});
 
 // ../../../node_modules/commander/esm.mjs
 var import__ = __toESM(require_commander(), 1);
@@ -21153,7 +21246,8 @@ var {
 // package.json
 var package_default = {
   name: "@uipath/authz-tool",
-  version: "1.1.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "CLI plugin for the UiPath Authorization service.",
   private: false,
   repository: {
@@ -21222,32 +21316,7 @@ class InvalidBaseUrlError extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights",
-  "ReferenceToken",
-  "Audit.Read"
-];
+var DEFAULT_SCOPES = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -21297,7 +21366,8 @@ var resolveConfigAsync = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES;
   return {
     clientId,
     clientSecret,
@@ -21797,6 +21867,129 @@ function normalizeTokenRefreshFailure() {
 function normalizeTokenRefreshUnavailableFailure() {
   return "token refresh failed before authentication completed";
 }
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage(error)}`
+        }
+      }
+    };
+  }
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
 var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync,
@@ -21871,73 +22064,103 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs7 = getFs();
+    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs7.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
-    } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
-      return {
-        loginStatus: "Refresh Failed",
-        hint,
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage
-        }
-      };
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
     }
-    const refreshedExp = getTokenExpiration(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
+    } catch (error) {
+      const msg = errorMessage(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file" /* File */,
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
+    let lockedFailure;
     try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
+      const outcome = await runRefreshLocked({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig
       });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
+        }
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
+    }
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -21952,23 +22175,13 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     expiration,
     source: "file" /* File */,
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs7 = getFs();
-    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs7.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -22016,6 +22229,140 @@ var getAuthContext = async (options = {}) => {
 init_src();
 // ../../auth/src/logout.ts
 init_src();
+
+// ../../auth/src/index.ts
+init_server();
+
+// ../../common/src/singleton.ts
+var PREFIX = "@uipath/common/";
+var _g = globalThis;
+function singleton(ctorOrName) {
+  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
+  const key = Symbol.for(PREFIX + name);
+  return {
+    get(fallback) {
+      return _g[key] ?? fallback;
+    },
+    set(value) {
+      _g[key] = value;
+    },
+    clear() {
+      delete _g[key];
+    },
+    getOrInit(factory, guard) {
+      const existing = _g[key];
+      if (existing != null && typeof existing === "object") {
+        if (!guard || guard(existing)) {
+          return existing;
+        }
+      }
+      const instance = factory();
+      _g[key] = instance;
+      return instance;
+    }
+  };
+}
+
+// ../../common/src/sdk-user-agent.ts
+var USER_AGENT_HEADER = "User-Agent";
+var sdkUserAgentHostToken = singleton("SdkUserAgentHostToken");
+function userAgentPatchKey(userAgent) {
+  return Symbol.for(`@uipath/common/sdk-user-agent/${userAgent}`);
+}
+function splitUserAgentTokens(value) {
+  return value?.trim().split(/\s+/).filter(Boolean) ?? [];
+}
+function appendUserAgentToken(value, userAgent) {
+  const tokens = splitUserAgentTokens(value);
+  const seen = new Set(tokens);
+  for (const token of splitUserAgentTokens(userAgent)) {
+    if (!seen.has(token)) {
+      tokens.push(token);
+      seen.add(token);
+    }
+  }
+  return tokens.join(" ");
+}
+function getEffectiveUserAgent(userAgent) {
+  return appendUserAgentToken(sdkUserAgentHostToken.get(), userAgent);
+}
+function isHeadersLike(headers) {
+  return typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function" && "set" in headers && typeof headers.set === "function";
+}
+function getSdkUserAgentToken(pkg) {
+  const packageName = pkg.name.replace(/^@uipath\//, "");
+  return getEffectiveUserAgent(`${packageName}/${pkg.version}`);
+}
+function addSdkUserAgentHeader(headers, userAgent) {
+  const result = { ...headers ?? {} };
+  const effectiveUserAgent = getEffectiveUserAgent(userAgent);
+  const headerName = Object.keys(result).find((key) => key.toLowerCase() === USER_AGENT_HEADER.toLowerCase());
+  if (headerName) {
+    result[headerName] = appendUserAgentToken(result[headerName], effectiveUserAgent);
+  } else {
+    result[USER_AGENT_HEADER] = effectiveUserAgent;
+  }
+  return result;
+}
+function withSdkUserAgentHeader(headers, userAgent) {
+  const effectiveUserAgent = getEffectiveUserAgent(userAgent);
+  if (isHeadersLike(headers)) {
+    headers.set(USER_AGENT_HEADER, appendUserAgentToken(headers.get(USER_AGENT_HEADER), effectiveUserAgent));
+    return headers;
+  }
+  if (Array.isArray(headers)) {
+    const result = headers.map((entry) => {
+      const [key, value] = entry;
+      return [key, value];
+    });
+    const headerIndex = result.findIndex(([key]) => key.toLowerCase() === USER_AGENT_HEADER.toLowerCase());
+    if (headerIndex >= 0) {
+      const [key, value] = result[headerIndex];
+      result[headerIndex] = [
+        key,
+        appendUserAgentToken(value, effectiveUserAgent)
+      ];
+    } else {
+      result.push([USER_AGENT_HEADER, effectiveUserAgent]);
+    }
+    return result;
+  }
+  return addSdkUserAgentHeader(typeof headers === "object" && headers !== null ? { ...headers } : {}, effectiveUserAgent);
+}
+function withUserAgentInitOverride(initOverrides, userAgent) {
+  return async (requestContext) => {
+    const initWithUserAgent = {
+      ...requestContext.init,
+      headers: withSdkUserAgentHeader(requestContext.init.headers, userAgent)
+    };
+    const override = typeof initOverrides === "function" ? await initOverrides({
+      ...requestContext,
+      init: initWithUserAgent
+    }) : initOverrides;
+    return {
+      ...override ?? {},
+      headers: withSdkUserAgentHeader(override?.headers ?? initWithUserAgent.headers, userAgent)
+    };
+  };
+}
+function installSdkUserAgentHeader(BaseApiClass, userAgent) {
+  const prototype = BaseApiClass.prototype;
+  const patchKey = userAgentPatchKey(userAgent);
+  if (prototype[patchKey]) {
+    return;
+  }
+  if (typeof prototype.request !== "function") {
+    throw new Error("Generated BaseAPI request function not found.");
+  }
+  const originalRequest = prototype.request;
+  prototype.request = function requestWithUserAgent(context, initOverrides) {
+    return originalRequest.call(this, context, withUserAgentInitOverride(initOverrides, userAgent));
+  };
+  Object.defineProperty(prototype, patchKey, {
+    value: true
+  });
+}
+
 // ../authz-sdk/generated/src/runtime.ts
 var BASE_PATH = "http://localhost".replace(/\/+$/, "");
 
@@ -22265,6 +22612,57 @@ class VoidApiResponse {
     return;
   }
 }
+// ../authz-sdk/package.json
+var package_default2 = {
+  name: "@uipath/authz-sdk",
+  license: "MIT",
+  version: "1.2.0",
+  description: "SDK for the UiPath Authorization Service API.",
+  repository: {
+    type: "git",
+    url: "https://github.com/UiPath/cli.git",
+    directory: "packages/admin/authz-sdk"
+  },
+  publishConfig: {
+    registry: "https://npm.pkg.github.com/@uipath"
+  },
+  keywords: [
+    "uipath",
+    "authorization",
+    "authz",
+    "sdk"
+  ],
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/src/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  private: true,
+  scripts: {
+    build: "bun build ./src/index.ts --outdir dist --format esm --target node && tsc -p tsconfig.build.json --noCheck",
+    generate: "bun run src/scripts/generate-sdk.ts",
+    lint: "biome check ."
+  },
+  devDependencies: {
+    "@openapitools/openapi-generator-cli": "^2.31.1",
+    "@types/node": "^25.5.2",
+    "@uipath/auth": "workspace:*",
+    "@uipath/common": "workspace:*",
+    "@uipath/filesystem": "workspace:*",
+    typescript: "^6.0.2"
+  }
+};
+
+// ../authz-sdk/src/user-agent.ts
+var SDK_USER_AGENT = getSdkUserAgentToken(package_default2);
+installSdkUserAgentHeader(BaseAPI, SDK_USER_AGENT);
 
 // ../authz-sdk/generated/src/models/ActionDetailDto.ts
 function ActionDetailDtoFromJSON(json) {
@@ -22791,7 +23189,8 @@ async function resolveConfig(plane, options) {
   return {
     config: new Configuration({
       basePath,
-      accessToken: async () => bearerToken
+      accessToken: async () => bearerToken,
+      headers: addSdkUserAgentHeader(undefined, SDK_USER_AGENT)
     }),
     organizationId: status.organizationId,
     tenantId: status.tenantId,
@@ -22951,10 +23350,15 @@ async function extractErrorDetails(error, options) {
   }
   if (parsedBody?.errorCode && typeof parsedBody.errorCode === "string") {
     context.errorCode = parsedBody.errorCode;
+  } else if (parsedBody?.code && typeof parsedBody.code === "string") {
+    context.errorCode = parsedBody.code;
   }
   if (parsedBody?.requestId && typeof parsedBody.requestId === "string") {
     context.requestId = parsedBody.requestId;
   }
+  if (parsedBody?.traceId && typeof parsedBody.traceId === "string") {
+    context.traceId = parsedBody.traceId;
+  }
   if (status === 429) {
     const resp = response;
     const headersObj = resp?.headers;
@@ -22974,7 +23378,35 @@ async function extractErrorDetails(error, options) {
     }
   }
   const hasContext = Object.keys(context).length > 0;
-  return { result, message, details, ...hasContext ? { context } : {} };
+  let parsedErrors;
+  if (parsedBody?.errors && typeof parsedBody.errors === "object") {
+    const errors = {};
+    for (const [field, raw] of Object.entries(parsedBody.errors)) {
+      if (Array.isArray(raw)) {
+        const messages = raw.map((entry) => {
+          if (typeof entry === "string")
+            return entry;
+          if (entry && typeof entry === "object" && typeof entry.message === "string") {
+            return entry.message;
+          }
+          return String(entry);
+        }).filter(Boolean);
+        if (messages.length > 0)
+          errors[field] = messages;
+      } else if (typeof raw === "string") {
+        errors[field] = [raw];
+      }
+    }
+    if (Object.keys(errors).length > 0)
+      parsedErrors = errors;
+  }
+  return {
+    result,
+    message,
+    details,
+    ...hasContext ? { context } : {},
+    ...parsedErrors ? { parsedErrors } : {}
+  };
 }
 async function extractErrorMessage(error, options) {
   const { message } = await extractErrorDetails(error, options);
@@ -22986,36 +23418,6 @@ Command.prototype.examples = function(examples) {
   examplesByCommand.set(this, examples);
   return this;
 };
-// ../../common/src/singleton.ts
-var PREFIX = "@uipath/common/";
-var _g = globalThis;
-function singleton(ctorOrName) {
-  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
-  const key = Symbol.for(PREFIX + name);
-  return {
-    get(fallback) {
-      return _g[key] ?? fallback;
-    },
-    set(value) {
-      _g[key] = value;
-    },
-    clear() {
-      delete _g[key];
-    },
-    getOrInit(factory, guard) {
-      const existing = _g[key];
-      if (existing != null && typeof existing === "object") {
-        if (!guard || guard(existing)) {
-          return existing;
-        }
-      }
-      const instance = factory();
-      _g[key] = instance;
-      return instance;
-    }
-  };
-}
-
 // ../../common/src/output-context.ts
 function createStorage() {
   const [error, mod] = catchError2(() => __require("node:async_hooks"));
@@ -28105,6 +28507,60 @@ function escapeNonAscii(jsonText) {
 function needsAsciiSafeJson(sink) {
   return process.platform === "win32" && !sink.capabilities.isInteractive;
 }
+function isPlainRecord(value) {
+  if (value === null || typeof value !== "object")
+    return false;
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}
+function toLowerCamelCaseKey(key) {
+  if (!key)
+    return key;
+  if (/[_\-\s]/.test(key)) {
+    const [firstPart, ...restParts] = key.split(/[_\-\s]+/).filter(Boolean);
+    if (!firstPart)
+      return key;
+    return [
+      toLowerCamelCaseSimpleKey(firstPart),
+      ...restParts.map((part) => {
+        const normalized = toLowerCamelCaseSimpleKey(part);
+        return normalized.charAt(0).toUpperCase() + normalized.slice(1);
+      })
+    ].join("");
+  }
+  return toLowerCamelCaseSimpleKey(key);
+}
+function toLowerCamelCaseSimpleKey(key) {
+  if (/^[A-Z0-9]+$/.test(key))
+    return key.toLowerCase();
+  return key.replace(/^[A-Z]+(?=[A-Z][a-z]|\d|$)|^[A-Z]/, (match) => match.toLowerCase());
+}
+function toPascalCaseKey(key) {
+  const lowerCamelKey = toLowerCamelCaseKey(key);
+  return lowerCamelKey ? lowerCamelKey.charAt(0).toUpperCase() + lowerCamelKey.slice(1) : lowerCamelKey;
+}
+function toPascalCaseData(value) {
+  if (Array.isArray(value))
+    return value.map(toPascalCaseData);
+  if (!isPlainRecord(value))
+    return value;
+  const result = {};
+  for (const [key, nestedValue] of Object.entries(value)) {
+    result[toPascalCaseKey(key)] = toPascalCaseData(nestedValue);
+  }
+  return result;
+}
+function normalizeDataKeys(data) {
+  return toPascalCaseData(data);
+}
+function normalizeOutputKeys(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    const pascalKey = toPascalCaseKey(key);
+    result[pascalKey] = pascalKey === "Data" ? value : toPascalCaseData(value);
+  }
+  return result;
+}
 function printOutput(data, format = "json", logFn, asciiSafe = false) {
   if (!data) {
     logFn("Empty response object. No data to display.");
@@ -28167,7 +28623,7 @@ function wrapText(text, width) {
 function printTable(data, logFn, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   const maxWidths = keys.map((key) => Math.max(key.length, ...data.map((item) => cellToString(item[key]).length)));
   const header = keys.map((key, i2) => key.padEnd(maxWidths[i2])).join(" | ");
   logFn(header);
@@ -28182,7 +28638,7 @@ function printTable(data, logFn, externalLogValue) {
   }
 }
 function printVerticalTable(data, logFn = console.log, externalLogValue) {
-  const keys = Object.keys(data).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   const maxKeyWidth = Math.max(...keys.map((key) => key.length));
@@ -28198,7 +28654,7 @@ function printVerticalTable(data, logFn = console.log, externalLogValue) {
 function printResizableTable(data, logFn = console.log, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   if (!process.stdout.isTTY) {
@@ -28274,8 +28730,26 @@ function printResizableTable(data, logFn = console.log, externalLogValue) {
 function toYaml(data) {
   return dump(data);
 }
+class FilterEvaluationError extends Error {
+  __brand = "FilterEvaluationError";
+  filter;
+  instructions;
+  result = RESULTS.ValidationError;
+  constructor(filter, cause) {
+    const underlying = cause instanceof Error ? cause.message : String(cause);
+    super(`Filter '${filter}' failed to evaluate: ${underlying}`);
+    this.name = "FilterEvaluationError";
+    this.filter = filter;
+    this.instructions = `The --output-filter expression '${filter}' failed at evaluation time. ` + "Note that --output-filter operates on the 'Data' field of the envelope, not the full object. " + "For example, on a list result use 'length(@)' instead of 'Data | length(@)'.";
+  }
+}
 function applyFilter(data, filter) {
-  const result = search(data, filter);
+  let result;
+  try {
+    result = search(data, filter);
+  } catch (err) {
+    throw new FilterEvaluationError(filter, err);
+  }
   if (result == null)
     return [];
   if (Array.isArray(result)) {
@@ -28292,13 +28766,18 @@ function applyFilter(data, filter) {
 }
 var OutputFormatter;
 ((OutputFormatter) => {
-  function success(data) {
+  function success(data, options) {
     data.Log ??= getLogFilePath() || undefined;
+    const normalize = !options?.preserveDataKeys;
+    if (normalize) {
+      data.Data = normalizeDataKeys(data.Data);
+    }
     const filter = getOutputFilter();
     if (filter) {
-      data.Data = applyFilter(data.Data, filter);
+      const filtered = applyFilter(data.Data, filter);
+      data.Data = normalize ? normalizeDataKeys(filtered) : filtered;
     }
-    logOutput(data, getOutputFormat());
+    logOutput(normalizeOutputKeys(data), getOutputFormat());
   }
   OutputFormatter.success = success;
   function error(data) {
@@ -28308,7 +28787,7 @@ var OutputFormatter;
       result: data.Result,
       message: data.Message
     });
-    logOutput(data, getOutputFormat());
+    logOutput(normalizeOutputKeys(data), getOutputFormat());
   }
   OutputFormatter.error = error;
   function emitList(code, items, opts) {
@@ -28329,13 +28808,14 @@ var OutputFormatter;
   function log(data) {
     const format = getOutputFormat();
     const sink = getOutputSink();
+    const normalized = toPascalCaseData(data);
     if (format === "json") {
-      const json2 = JSON.stringify(data);
+      const json2 = JSON.stringify(normalized);
       const safe = needsAsciiSafeJson(sink) ? escapeNonAscii(json2) : json2;
       sink.writeErr(`${safe}
 `);
     } else {
-      for (const [key, value] of Object.entries(data)) {
+      for (const [key, value] of Object.entries(normalized)) {
         sink.writeErr(`${key}: ${value}
 `);
       }
@@ -28344,12 +28824,16 @@ var OutputFormatter;
   OutputFormatter.log = log;
   function formatToString(data) {
     const filter = getOutputFilter();
-    if (filter && "Data" in data && data.Data != null) {
-      data.Data = applyFilter(data.Data, filter);
+    if ("Data" in data && data.Data != null) {
+      data.Data = normalizeDataKeys(data.Data);
+      if (filter) {
+        data.Data = normalizeDataKeys(applyFilter(data.Data, filter));
+      }
     }
+    const output = normalizeOutputKeys(data);
     const lines = [];
     const sink = getOutputSink();
-    printOutput(data, getOutputFormat(), (msg) => {
+    printOutput(output, getOutputFormat(), (msg) => {
       lines.push(msg);
     }, needsAsciiSafeJson(sink));
     return lines.join(`
@@ -29760,6 +30244,22 @@ JSONPath.prototype.safeVm = {
   Script: SafeScript
 };
 JSONPath.prototype.vm = vm;
+// ../../common/src/polling/types.ts
+var PollOutcome = {
+  Completed: "completed",
+  Timeout: "timeout",
+  Interrupted: "interrupted",
+  Aborted: "aborted",
+  Failed: "failed"
+};
+
+// ../../common/src/polling/poll-failure-mapping.ts
+var REASON_BY_OUTCOME = {
+  [PollOutcome.Timeout]: "poll_timeout",
+  [PollOutcome.Failed]: "poll_failed",
+  [PollOutcome.Interrupted]: "poll_failed",
+  [PollOutcome.Aborted]: "poll_aborted"
+};
 // ../../common/src/polling/terminal-statuses.ts
 var TERMINAL_STATUSES = new Set([
   "completed",
@@ -29965,17 +30465,21 @@ Command.prototype.trackedAction = function(context, fn, properties) {
     const telemetryName = deriveCommandPath(command);
     const props = typeof properties === "function" ? properties(...args) : properties;
     const startTime = performance.now();
-    let errorMessage;
+    let errorMessage2;
     const [error] = await catchError2(fn(...args));
     if (error) {
-      errorMessage = error instanceof Error ? error.message : String(error);
-      logger.error(`[trackedAction] ${telemetryName} failed: ${errorMessage}`);
+      errorMessage2 = error instanceof Error ? error.message : String(error);
+      logger.debug(`[trackedAction] ${telemetryName} failed: ${errorMessage2}`);
+      const typed = error;
+      const customInstructions = typeof typed.instructions === "string" ? typed.instructions : undefined;
+      const customResult = typeof typed.result === "string" && typed.result !== RESULTS.Success && Object.values(RESULTS).includes(typed.result) ? typed.result : undefined;
+      const finalResult = customResult ?? RESULTS.Failure;
       OutputFormatter.error({
-        Result: RESULTS.Failure,
-        Message: errorMessage,
-        Instructions: "An unexpected error occurred. Run with --log-level debug for details."
+        Result: finalResult,
+        Message: errorMessage2,
+        Instructions: customInstructions ?? "An unexpected error occurred. Run with --log-level debug for details."
       });
-      context.exit(1);
+      context.exit(EXIT_CODES[finalResult]);
     }
     const durationMs = performance.now() - startTime;
     const success = !error && (process.exitCode === undefined || process.exitCode === 0);
@@ -29984,7 +30488,7 @@ Command.prototype.trackedAction = function(context, fn, properties) {
       ...props,
       duration: String(durationMs),
       success: String(success),
-      ...errorMessage ? { errorMessage } : {}
+      ...errorMessage2 ? { errorMessage: errorMessage2 } : {}
     }));
   });
 };
@@ -30237,6 +30741,57 @@ class VoidApiResponse2 {
     return;
   }
 }
+// ../identity-sdk/package.json
+var package_default3 = {
+  name: "@uipath/identity-sdk",
+  license: "MIT",
+  version: "1.2.0",
+  repository: {
+    type: "git",
+    url: "https://github.com/UiPath/cli.git",
+    directory: "packages/admin/identity-sdk"
+  },
+  publishConfig: {
+    registry: "https://npm.pkg.github.com/@uipath"
+  },
+  keywords: [
+    "uipath",
+    "identity",
+    "sdk"
+  ],
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/src/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  private: true,
+  scripts: {
+    build: "bun build ./src/index.ts --outdir dist --format esm --target node && tsc -p tsconfig.build.json --noCheck",
+    generate: "bun run src/scripts/generate-sdk.ts",
+    lint: "biome check .",
+    test: "vitest run",
+    "test:coverage": "vitest run --coverage"
+  },
+  devDependencies: {
+    "@uipath/auth": "workspace:*",
+    "@uipath/common": "workspace:*",
+    "@uipath/filesystem": "workspace:*",
+    "@openapitools/openapi-generator-cli": "^2.31.1",
+    "@types/node": "^25.5.2",
+    typescript: "^6.0.2"
+  }
+};
+
+// ../identity-sdk/src/user-agent.ts
+var SDK_USER_AGENT2 = getSdkUserAgentToken(package_default3);
+installSdkUserAgentHeader(BaseAPI2, SDK_USER_AGENT2);
 
 // ../identity-sdk/generated/src/models/BulkSoftDeleteCommand.ts
 function BulkSoftDeleteCommandToJSON(json2) {
@@ -30757,19 +31312,23 @@ class UserApi extends BaseAPI2 {
 async function createIdentityConfig(options) {
   const ctx = await getAuthContext({
     ensureTokenValidityMinutes: options?.loginValidity,
-    requireOrganizationId: true,
+    requireOrganizationId: options?.organization === undefined,
     requireTenantName: true
   });
-  const identityBasePath = `${ctx.baseUrl}/${ctx.organizationId}/identity_`;
-  const headers = {
+  const organizationId = options?.organization ?? ctx.organizationId;
+  if (organizationId === undefined || organizationId.length === 0) {
+    throw new Error("Organization ID not available. Provide --organization or log in with an organization context.");
+  }
+  const identityBasePath = `${ctx.baseUrl}/${organizationId}/identity_`;
+  const headers = addSdkUserAgentHeader({
     Authorization: `Bearer ${ctx.accessToken}`
-  };
+  }, SDK_USER_AGENT2);
   return {
     config: new Configuration2({
       basePath: identityBasePath,
       headers
     }),
-    organizationId: ctx.organizationId ?? ""
+    organizationId
   };
 }
 async function createApiClient2(ApiClass, options) {