@uipath/gov-tool 0.3.0 → 1.2.0

package/dist/tool.js

@@ -1004,7 +1004,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          } else {}
+          }
         };
       }
       return this;
@@ -2156,6 +2156,7 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 import childProcess3 from "node:child_process";
 import fs5, { constants as fsConstants2 } from "node:fs/promises";
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import * as fs6 from "node:fs/promises";
 import * as os2 from "node:os";
@@ -2928,6 +2929,90 @@ class NodeFileSystem {
   async mkdir(dirPath) {
     await fs6.mkdir(dirPath, { recursive: true });
   }
+  async acquireLock(lockPath) {
+    const canonicalPath = await this.canonicalizeLockTarget(lockPath);
+    const lockFile = `${canonicalPath}.lock`;
+    const ownerId = randomUUID();
+    const start = Date.now();
+    while (true) {
+      try {
+        await fs6.writeFile(lockFile, ownerId, { flag: "wx" });
+        return this.createLockRelease(lockFile, ownerId);
+      } catch (error) {
+        if (!this.hasErrnoCode(error, "EEXIST")) {
+          throw error;
+        }
+        const stats = await fs6.stat(lockFile).catch(() => null);
+        if (stats && Date.now() - stats.mtimeMs > LOCK_STALE_MS) {
+          const reclaimed = await fs6.rm(lockFile, { force: true }).then(() => true).catch(() => false);
+          if (reclaimed)
+            continue;
+        }
+        if (Date.now() - start > LOCK_MAX_WAIT_MS) {
+          throw new Error(`ELOCKED: timed out waiting for lock on ${canonicalPath}`);
+        }
+        await new Promise((resolve2) => setTimeout(resolve2, LOCK_RETRY_MIN_MS + Math.random() * LOCK_RETRY_JITTER_MS));
+      }
+    }
+  }
+  async canonicalizeLockTarget(lockPath) {
+    const absolute = path2.resolve(lockPath);
+    const fullReal = await fs6.realpath(absolute).catch(() => null);
+    if (fullReal)
+      return fullReal;
+    const parent = path2.dirname(absolute);
+    const base = path2.basename(absolute);
+    const canonicalParent = await fs6.realpath(parent).catch(() => parent);
+    return path2.join(canonicalParent, base);
+  }
+  createLockRelease(lockFile, ownerId) {
+    const heartbeatStart = Date.now();
+    let heartbeatTimer;
+    let stopped = false;
+    const stopHeartbeat = () => {
+      stopped = true;
+      if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    };
+    const scheduleNextHeartbeat = () => {
+      if (stopped)
+        return;
+      if (Date.now() - heartbeatStart >= LOCK_MAX_HOLD_MS) {
+        stopped = true;
+        return;
+      }
+      heartbeatTimer = setTimeout(() => {
+        runHeartbeat();
+      }, LOCK_HEARTBEAT_MS);
+      heartbeatTimer.unref?.();
+    };
+    const runHeartbeat = async () => {
+      if (stopped)
+        return;
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (stopped)
+        return;
+      if (current !== ownerId) {
+        stopped = true;
+        return;
+      }
+      const now = Date.now() / 1000;
+      await fs6.utimes(lockFile, now, now).catch(() => {});
+      scheduleNextHeartbeat();
+    };
+    scheduleNextHeartbeat();
+    let released = false;
+    return async () => {
+      if (released)
+        return;
+      released = true;
+      stopHeartbeat();
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (current === ownerId) {
+        await fs6.rm(lockFile, { force: true });
+      }
+    };
+  }
   async rm(filePath) {
     await fs6.rm(filePath, { recursive: true, force: true });
   }
@@ -2973,16 +3058,23 @@ class NodeFileSystem {
     }
   }
   isEnoent(error) {
-    return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+    return this.hasErrnoCode(error, "ENOENT");
+  }
+  hasErrnoCode(error, code) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === code;
   }
 }
+var LOCK_HEARTBEAT_MS = 5000;
+var LOCK_STALE_MS = 15000;
+var LOCK_MAX_WAIT_MS = 20000;
+var LOCK_MAX_HOLD_MS = 60000;
+var LOCK_RETRY_MIN_MS = 100;
+var LOCK_RETRY_JITTER_MS = 200;
 var init_node = __esm(() => {
   init_open();
 });
 var fsInstance;
-var getFileSystem = () => {
-  return fsInstance;
-};
+var getFileSystem = () => fsInstance;
 var init_src = __esm(() => {
   init_node();
   init_node();
@@ -20789,9 +20881,13 @@ var require_dist = __commonJS2((exports) => {
   exports.RobotProxyConstructor = RobotProxyConstructor;
   __exportStar(require_agent(), exports);
 });
+var init_server = __esm(() => {
+  init_constants();
+});
 var package_default = {
   name: "@uipath/access-policy-tool",
-  version: "0.3.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "Manage UiPath Access Policies, rules, and compliance evaluations.",
   private: false,
   repository: {
@@ -20828,11 +20924,137 @@ var package_default = {
     commander: "^14.0.3",
     "@uipath/common": "workspace:*",
     "@uipath/filesystem": "workspace:*",
-    "@uipath/access-policy-sdk": "workspace:*",
+    "@uipath/authz-sdk": "workspace:*",
     "@types/node": "^25.5.2",
     typescript: "^6.0.2"
   }
 };
+var PREFIX = "@uipath/common/";
+var _g = globalThis;
+function singleton(ctorOrName) {
+  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
+  const key = Symbol.for(PREFIX + name);
+  return {
+    get(fallback) {
+      return _g[key] ?? fallback;
+    },
+    set(value) {
+      _g[key] = value;
+    },
+    clear() {
+      delete _g[key];
+    },
+    getOrInit(factory, guard) {
+      const existing = _g[key];
+      if (existing != null && typeof existing === "object") {
+        if (!guard || guard(existing)) {
+          return existing;
+        }
+      }
+      const instance = factory();
+      _g[key] = instance;
+      return instance;
+    }
+  };
+}
+var USER_AGENT_HEADER = "User-Agent";
+var sdkUserAgentHostToken = singleton("SdkUserAgentHostToken");
+function userAgentPatchKey(userAgent) {
+  return Symbol.for(`@uipath/common/sdk-user-agent/${userAgent}`);
+}
+function splitUserAgentTokens(value) {
+  return value?.trim().split(/\s+/).filter(Boolean) ?? [];
+}
+function appendUserAgentToken(value, userAgent) {
+  const tokens = splitUserAgentTokens(value);
+  const seen = new Set(tokens);
+  for (const token of splitUserAgentTokens(userAgent)) {
+    if (!seen.has(token)) {
+      tokens.push(token);
+      seen.add(token);
+    }
+  }
+  return tokens.join(" ");
+}
+function getEffectiveUserAgent(userAgent) {
+  return appendUserAgentToken(sdkUserAgentHostToken.get(), userAgent);
+}
+function isHeadersLike(headers) {
+  return typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function" && "set" in headers && typeof headers.set === "function";
+}
+function getSdkUserAgentToken(pkg) {
+  const packageName = pkg.name.replace(/^@uipath\//, "");
+  return getEffectiveUserAgent(`${packageName}/${pkg.version}`);
+}
+function addSdkUserAgentHeader(headers, userAgent) {
+  const result = { ...headers ?? {} };
+  const effectiveUserAgent = getEffectiveUserAgent(userAgent);
+  const headerName = Object.keys(result).find((key) => key.toLowerCase() === USER_AGENT_HEADER.toLowerCase());
+  if (headerName) {
+    result[headerName] = appendUserAgentToken(result[headerName], effectiveUserAgent);
+  } else {
+    result[USER_AGENT_HEADER] = effectiveUserAgent;
+  }
+  return result;
+}
+function withSdkUserAgentHeader(headers, userAgent) {
+  const effectiveUserAgent = getEffectiveUserAgent(userAgent);
+  if (isHeadersLike(headers)) {
+    headers.set(USER_AGENT_HEADER, appendUserAgentToken(headers.get(USER_AGENT_HEADER), effectiveUserAgent));
+    return headers;
+  }
+  if (Array.isArray(headers)) {
+    const result = headers.map((entry) => {
+      const [key, value] = entry;
+      return [key, value];
+    });
+    const headerIndex = result.findIndex(([key]) => key.toLowerCase() === USER_AGENT_HEADER.toLowerCase());
+    if (headerIndex >= 0) {
+      const [key, value] = result[headerIndex];
+      result[headerIndex] = [
+        key,
+        appendUserAgentToken(value, effectiveUserAgent)
+      ];
+    } else {
+      result.push([USER_AGENT_HEADER, effectiveUserAgent]);
+    }
+    return result;
+  }
+  return addSdkUserAgentHeader(typeof headers === "object" && headers !== null ? { ...headers } : {}, effectiveUserAgent);
+}
+function withUserAgentInitOverride(initOverrides, userAgent) {
+  return async (requestContext) => {
+    const initWithUserAgent = {
+      ...requestContext.init,
+      headers: withSdkUserAgentHeader(requestContext.init.headers, userAgent)
+    };
+    const override = typeof initOverrides === "function" ? await initOverrides({
+      ...requestContext,
+      init: initWithUserAgent
+    }) : initOverrides;
+    return {
+      ...override ?? {},
+      headers: withSdkUserAgentHeader(override?.headers ?? initWithUserAgent.headers, userAgent)
+    };
+  };
+}
+function installSdkUserAgentHeader(BaseApiClass, userAgent) {
+  const prototype = BaseApiClass.prototype;
+  const patchKey = userAgentPatchKey(userAgent);
+  if (prototype[patchKey]) {
+    return;
+  }
+  if (typeof prototype.request !== "function") {
+    throw new Error("Generated BaseAPI request function not found.");
+  }
+  const originalRequest = prototype.request;
+  prototype.request = function requestWithUserAgent(context, initOverrides) {
+    return originalRequest.call(this, context, withUserAgentInitOverride(initOverrides, userAgent));
+  };
+  Object.defineProperty(prototype, patchKey, {
+    value: true
+  });
+}
 var BASE_PATH = "http://localhost".replace(/\/+$/, "");
 
 class Configuration {
@@ -21019,10 +21241,6 @@ class ResponseError extends Error {
   constructor(response, msg) {
     super(msg);
     this.response = response;
-    const actualProto = new.target.prototype;
-    if (Object.setPrototypeOf) {
-      Object.setPrototypeOf(this, actualProto);
-    }
   }
 }
 
@@ -21032,10 +21250,6 @@ class FetchError extends Error {
   constructor(cause, msg) {
     super(msg);
     this.cause = cause;
-    const actualProto = new.target.prototype;
-    if (Object.setPrototypeOf) {
-      Object.setPrototypeOf(this, actualProto);
-    }
   }
 }
 
@@ -21045,10 +21259,6 @@ class RequiredError extends Error {
   constructor(field, msg) {
     super(msg);
     this.field = field;
-    const actualProto = new.target.prototype;
-    if (Object.setPrototypeOf) {
-      Object.setPrototypeOf(this, actualProto);
-    }
   }
 }
 function querystring(params, prefix = "") {
@@ -21094,6 +21304,54 @@ class VoidApiResponse {
     return;
   }
 }
+var package_default2 = {
+  name: "@uipath/authz-sdk",
+  license: "MIT",
+  version: "1.2.0",
+  description: "SDK for the UiPath Authorization Service API.",
+  repository: {
+    type: "git",
+    url: "https://github.com/UiPath/cli.git",
+    directory: "packages/admin/authz-sdk"
+  },
+  publishConfig: {
+    registry: "https://npm.pkg.github.com/@uipath"
+  },
+  keywords: [
+    "uipath",
+    "authorization",
+    "authz",
+    "sdk"
+  ],
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/src/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  private: true,
+  scripts: {
+    build: "bun build ./src/index.ts --outdir dist --format esm --target node && tsc -p tsconfig.build.json --noCheck",
+    generate: "bun run src/scripts/generate-sdk.ts",
+    lint: "biome check ."
+  },
+  devDependencies: {
+    "@openapitools/openapi-generator-cli": "^2.31.1",
+    "@types/node": "^25.5.2",
+    "@uipath/auth": "workspace:*",
+    "@uipath/common": "workspace:*",
+    "@uipath/filesystem": "workspace:*",
+    typescript: "^6.0.2"
+  }
+};
+var SDK_USER_AGENT = getSdkUserAgentToken(package_default2);
+installSdkUserAgentHeader(BaseAPI, SDK_USER_AGENT);
 function PolicyOperatorFromJSON(json) {
   return PolicyOperatorFromJSONTyped(json, false);
 }
@@ -21138,30 +21396,6 @@ function PolicyActorTypePolicyEntityRuleToJSONTyped(value, ignoreDiscriminator =
     operator: PolicyOperatorToJSON(value["operator"])
   };
 }
-function PolicyAttributeRuleFromJSON(json) {
-  return PolicyAttributeRuleFromJSONTyped(json, false);
-}
-function PolicyAttributeRuleFromJSONTyped(json, ignoreDiscriminator) {
-  if (json == null) {
-    return json;
-  }
-  return {
-    values: json["values"] == null ? undefined : json["values"],
-    operator: json["operator"] == null ? undefined : PolicyOperatorFromJSON(json["operator"])
-  };
-}
-function PolicyAttributeRuleToJSON(json) {
-  return PolicyAttributeRuleToJSONTyped(json, false);
-}
-function PolicyAttributeRuleToJSONTyped(value, ignoreDiscriminator = false) {
-  if (value == null) {
-    return value;
-  }
-  return {
-    values: value["values"],
-    operator: PolicyOperatorToJSON(value["operator"])
-  };
-}
 function ActorRuleFromJSON(json) {
   return ActorRuleFromJSONTyped(json, false);
 }
@@ -21170,8 +21404,7 @@ function ActorRuleFromJSONTyped(json, ignoreDiscriminator) {
     return json;
   }
   return {
-    values: json["values"] == null ? undefined : json["values"].map(PolicyActorTypePolicyEntityRuleFromJSON),
-    groupMemberships: json["groupMemberships"] == null ? undefined : PolicyAttributeRuleFromJSON(json["groupMemberships"])
+    values: json["values"] == null ? undefined : json["values"].map(PolicyActorTypePolicyEntityRuleFromJSON)
   };
 }
 function ActorRuleToJSON(json) {
@@ -21182,8 +21415,7 @@ function ActorRuleToJSONTyped(value, ignoreDiscriminator = false) {
     return value;
   }
   return {
-    values: value["values"] == null ? undefined : value["values"].map(PolicyActorTypePolicyEntityRuleToJSON),
-    groupMemberships: PolicyAttributeRuleToJSON(value["groupMemberships"])
+    values: value["values"] == null ? undefined : value["values"].map(PolicyActorTypePolicyEntityRuleToJSON)
   };
 }
 var PolicyExecutableType = {
@@ -21227,6 +21459,30 @@ function PolicyExecutableTypePolicyEntityRuleToJSONTyped(value, ignoreDiscrimina
     operator: PolicyOperatorToJSON(value["operator"])
   };
 }
+function PolicyAttributeRuleFromJSON(json) {
+  return PolicyAttributeRuleFromJSONTyped(json, false);
+}
+function PolicyAttributeRuleFromJSONTyped(json, ignoreDiscriminator) {
+  if (json == null) {
+    return json;
+  }
+  return {
+    values: json["values"] == null ? undefined : json["values"],
+    operator: json["operator"] == null ? undefined : PolicyOperatorFromJSON(json["operator"])
+  };
+}
+function PolicyAttributeRuleToJSON(json) {
+  return PolicyAttributeRuleToJSONTyped(json, false);
+}
+function PolicyAttributeRuleToJSONTyped(value, ignoreDiscriminator = false) {
+  if (value == null) {
+    return value;
+  }
+  return {
+    values: value["values"],
+    operator: PolicyOperatorToJSON(value["operator"])
+  };
+}
 function ExecutableRuleFromJSON(json) {
   return ExecutableRuleFromJSONTyped(json, false);
 }
@@ -21403,7 +21659,6 @@ function PolicyEvaluationApiRequestDtoToJSONTyped(value, ignoreDiscriminator = f
   return {
     organizationId: value["organizationId"],
     actorIdentifier: value["actorIdentifier"],
-    actorType: PolicyActorTypeToJSON(value["actorType"]),
     executableIdentifier: value["executableIdentifier"],
     executableType: PolicyExecutableTypeToJSON(value["executableType"]),
     resourceIdentifier: value["resourceIdentifier"],
@@ -21453,7 +21708,7 @@ function PolicyUpsertResultDtoFromJSONTyped(json, ignoreDiscriminator) {
 }
 
 class PolicyEvaluationApi extends BaseAPI {
-  async apiPolicyEvaluateTenantTenantIdPostRequestOpts(requestParameters) {
+  async apiPolicyEvaluateTenantTenantIdPostRaw(requestParameters, initOverrides) {
     if (requestParameters["tenantId"] == null) {
       throw new RequiredError("tenantId", 'Required parameter "tenantId" was null or undefined when calling apiPolicyEvaluateTenantTenantIdPost().');
     }
@@ -21475,17 +21730,13 @@ class PolicyEvaluationApi extends BaseAPI {
     }
     let urlPath = `/api/policy/evaluate/tenant/{tenantId}`;
     urlPath = urlPath.replace(`{${"tenantId"}}`, encodeURIComponent(String(requestParameters["tenantId"])));
-    return {
+    const response = await this.request({
       path: urlPath,
       method: "POST",
       headers: headerParameters,
       query: queryParameters,
       body: PolicyEvaluationApiRequestDtoToJSON(requestParameters["policyEvaluationApiRequestDto"])
-    };
-  }
-  async apiPolicyEvaluateTenantTenantIdPostRaw(requestParameters, initOverrides) {
-    const requestOptions = await this.apiPolicyEvaluateTenantTenantIdPostRequestOpts(requestParameters);
-    const response = await this.request(requestOptions, initOverrides);
+    }, initOverrides);
     return new JSONApiResponse(response, (jsonValue) => PolicyEvaluationResultDtoFromJSON(jsonValue));
   }
   async apiPolicyEvaluateTenantTenantIdPost(requestParameters, initOverrides) {
@@ -21495,7 +21746,7 @@ class PolicyEvaluationApi extends BaseAPI {
 }
 
 class PolicyManagementApi extends BaseAPI {
-  async apiPoliciesDeleteRequestOpts(requestParameters) {
+  async apiPoliciesDeleteRaw(requestParameters, initOverrides) {
     const queryParameters = {};
     if (requestParameters["policyId"] != null) {
       queryParameters["policyId"] = requestParameters["policyId"];
@@ -21512,22 +21763,18 @@ class PolicyManagementApi extends BaseAPI {
       }
     }
     let urlPath = `/api/policies`;
-    return {
+    const response = await this.request({
       path: urlPath,
       method: "DELETE",
       headers: headerParameters,
       query: queryParameters
-    };
-  }
-  async apiPoliciesDeleteRaw(requestParameters, initOverrides) {
-    const requestOptions = await this.apiPoliciesDeleteRequestOpts(requestParameters);
-    const response = await this.request(requestOptions, initOverrides);
+    }, initOverrides);
     return new VoidApiResponse(response);
   }
   async apiPoliciesDelete(requestParameters = {}, initOverrides) {
     await this.apiPoliciesDeleteRaw(requestParameters, initOverrides);
   }
-  async apiPoliciesGetRequestOpts(requestParameters) {
+  async apiPoliciesGetRaw(requestParameters, initOverrides) {
     const queryParameters = {};
     if (requestParameters["top"] != null) {
       queryParameters["top"] = requestParameters["top"];
@@ -21553,23 +21800,19 @@ class PolicyManagementApi extends BaseAPI {
       }
     }
     let urlPath = `/api/policies`;
-    return {
+    const response = await this.request({
       path: urlPath,
       method: "GET",
       headers: headerParameters,
       query: queryParameters
-    };
-  }
-  async apiPoliciesGetRaw(requestParameters, initOverrides) {
-    const requestOptions = await this.apiPoliciesGetRequestOpts(requestParameters);
-    const response = await this.request(requestOptions, initOverrides);
+    }, initOverrides);
     return new JSONApiResponse(response, (jsonValue) => PolicyDefinitionPagedResultFromJSON(jsonValue));
   }
   async apiPoliciesGet(requestParameters = {}, initOverrides) {
     const response = await this.apiPoliciesGetRaw(requestParameters, initOverrides);
     return await response.value();
   }
-  async apiPoliciesPatchRequestOpts(requestParameters) {
+  async apiPoliciesPatchRaw(requestParameters, initOverrides) {
     const queryParameters = {};
     const headerParameters = {};
     headerParameters["Content-Type"] = "application/json";
@@ -21584,24 +21827,20 @@ class PolicyManagementApi extends BaseAPI {
       }
     }
     let urlPath = `/api/policies`;
-    return {
+    const response = await this.request({
       path: urlPath,
       method: "PATCH",
       headers: headerParameters,
       query: queryParameters,
       body: PolicyDefinitionToJSON(requestParameters["policyDefinition"])
-    };
-  }
-  async apiPoliciesPatchRaw(requestParameters, initOverrides) {
-    const requestOptions = await this.apiPoliciesPatchRequestOpts(requestParameters);
-    const response = await this.request(requestOptions, initOverrides);
+    }, initOverrides);
     return new JSONApiResponse(response, (jsonValue) => PolicyUpsertResultDtoFromJSON(jsonValue));
   }
   async apiPoliciesPatch(requestParameters = {}, initOverrides) {
     const response = await this.apiPoliciesPatchRaw(requestParameters, initOverrides);
     return await response.value();
   }
-  async apiPoliciesPolicyIdGetRequestOpts(requestParameters) {
+  async apiPoliciesPolicyIdGetRaw(requestParameters, initOverrides) {
     if (requestParameters["policyId"] == null) {
       throw new RequiredError("policyId", 'Required parameter "policyId" was null or undefined when calling apiPoliciesPolicyIdGet().');
     }
@@ -21619,23 +21858,19 @@ class PolicyManagementApi extends BaseAPI {
     }
     let urlPath = `/api/policies/{policyId}`;
     urlPath = urlPath.replace(`{${"policyId"}}`, encodeURIComponent(String(requestParameters["policyId"])));
-    return {
+    const response = await this.request({
       path: urlPath,
       method: "GET",
       headers: headerParameters,
       query: queryParameters
-    };
-  }
-  async apiPoliciesPolicyIdGetRaw(requestParameters, initOverrides) {
-    const requestOptions = await this.apiPoliciesPolicyIdGetRequestOpts(requestParameters);
-    const response = await this.request(requestOptions, initOverrides);
+    }, initOverrides);
     return new JSONApiResponse(response, (jsonValue) => PolicyDefinitionFromJSON(jsonValue));
   }
   async apiPoliciesPolicyIdGet(requestParameters, initOverrides) {
     const response = await this.apiPoliciesPolicyIdGetRaw(requestParameters, initOverrides);
     return await response.value();
   }
-  async apiPoliciesPostRequestOpts(requestParameters) {
+  async apiPoliciesPostRaw(requestParameters, initOverrides) {
     const queryParameters = {};
     const headerParameters = {};
     headerParameters["Content-Type"] = "application/json";
@@ -21650,17 +21885,13 @@ class PolicyManagementApi extends BaseAPI {
       }
     }
     let urlPath = `/api/policies`;
-    return {
+    const response = await this.request({
       path: urlPath,
       method: "POST",
       headers: headerParameters,
       query: queryParameters,
       body: PolicyDefinitionToJSON(requestParameters["policyDefinition"])
-    };
-  }
-  async apiPoliciesPostRaw(requestParameters, initOverrides) {
-    const requestOptions = await this.apiPoliciesPostRequestOpts(requestParameters);
-    const response = await this.request(requestOptions, initOverrides);
+    }, initOverrides);
     return new JSONApiResponse(response, (jsonValue) => PolicyUpsertResultDtoFromJSON(jsonValue));
   }
   async apiPoliciesPost(requestParameters = {}, initOverrides) {
@@ -21691,30 +21922,7 @@ class InvalidBaseUrlError extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights"
-];
+var DEFAULT_SCOPES = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -21764,7 +21972,8 @@ var resolveConfigAsync = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES;
   return {
     clientId,
     clientSecret,
@@ -21847,6 +22056,7 @@ var getTokenExpiration = (accessToken) => {
   }
 };
 var ENV_AUTH_ENABLE_VAR = "UIPATH_CLI_ENABLE_ENV_AUTH";
+var ENFORCE_ROBOT_AUTH_VAR = "UIPATH_CLI_ENFORCE_ROBOT_AUTH";
 var ENV_AUTH_VARS = {
   token: "UIPATH_CLI_AUTH_TOKEN",
   organizationName: "UIPATH_CLI_ORGANIZATION_NAME",
@@ -21862,6 +22072,7 @@ class EnvAuthConfigError extends Error {
   }
 }
 var isEnvAuthEnabled = () => process.env[ENV_AUTH_ENABLE_VAR] === "true";
+var isRobotAuthEnforced = () => process.env[ENFORCE_ROBOT_AUTH_VAR] === "true";
 var requireEnv = (name) => {
   const value = process.env[name];
   if (!value) {
@@ -21903,6 +22114,7 @@ var readAuthFromEnv = () => {
     expiration
   };
 };
+init_src();
 var DEFAULT_TIMEOUT_MS = 1000;
 var CLOSE_TIMEOUT_MS = 500;
 var NOTICE_SENTINEL = Symbol.for("@uipath/auth/robotFallbackNoticePrinted");
@@ -21914,6 +22126,35 @@ var printNoticeOnce = () => {
   catchError(() => process.stderr.write(`Using UiPath Robot credentials. Run 'uip login' for a dedicated session.
 `));
 };
+var ROBOT_USER_SERVICES_PIPE = "UiPathUserServices";
+var ROBOT_USER_SERVICES_ALTERNATE_PIPE = `${ROBOT_USER_SERVICES_PIPE}Alternate`;
+var PIPE_NAME_MAX_LENGTH = 103;
+var getRobotIpcPipeNames = async () => {
+  const fs7 = getFileSystem();
+  const username = fs7.env.getenv("USER") ?? fs7.env.getenv("USERNAME");
+  if (!username) {
+    throw new Error("Unable to determine current username");
+  }
+  const tempPath = fs7.env.getenv("TMPDIR") ?? "/tmp/";
+  return [ROBOT_USER_SERVICES_PIPE, ROBOT_USER_SERVICES_ALTERNATE_PIPE].map((baseName) => fs7.path.join(tempPath, `${baseName}_${username}`).substring(0, PIPE_NAME_MAX_LENGTH));
+};
+var defaultIsRobotIpcAvailable = async () => {
+  if (process.platform === "win32") {
+    return true;
+  }
+  const [pipeNamesError, pipeNames] = await catchError(getRobotIpcPipeNames());
+  if (pipeNamesError || !pipeNames) {
+    return false;
+  }
+  const fs7 = getFileSystem();
+  for (const pipeName of pipeNames) {
+    const [existsError, exists] = await catchError(fs7.exists(pipeName));
+    if (!existsError && exists === true) {
+      return true;
+    }
+  }
+  return false;
+};
 var withTimeout = (promise, timeoutMs) => new Promise((resolve2, reject) => {
   const timer = setTimeout(() => reject(new Error(`Robot IPC call timed out after ${timeoutMs}ms`)), timeoutMs);
   promise.then((value) => {
@@ -21945,14 +22186,20 @@ var defaultLoadModule = async () => {
 var tryRobotClientFallback = async (options = {}) => {
   if (isBrowser())
     return;
-  if (process.env.CI || process.env.GITHUB_ACTIONS) {
-    return;
-  }
-  if (process.env.UIPATH_URL) {
-    return;
+  if (!options.force) {
+    if (process.env.CI || process.env.GITHUB_ACTIONS) {
+      return;
+    }
+    if (process.env.UIPATH_URL) {
+      return;
+    }
   }
   const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const isRobotIpcAvailable = options.isRobotIpcAvailable ?? defaultIsRobotIpcAvailable;
   const loadModule = options.loadModule ?? defaultLoadModule;
+  if (!await isRobotIpcAvailable()) {
+    return;
+  }
   const mod = await loadModule();
   if (!mod)
     return;
@@ -22213,11 +22460,130 @@ function normalizeTokenRefreshFailure() {
 function normalizeTokenRefreshUnavailableFailure() {
   return "token refresh failed before authentication completed";
 }
-var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
-  if (isEnvAuthEnabled()) {
-    return readAuthFromEnv();
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage(error)}`
+        }
+      }
+    };
   }
-  const { envFilePath = DEFAULT_ENV_FILENAME, ensureTokenValidityMinutes } = options;
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
+var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync,
     loadEnvFile = loadEnvFileAsync,
@@ -22227,6 +22593,34 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     resolveConfig = resolveConfigAsync,
     robotFallback = tryRobotClientFallback
   } = deps;
+  if (isRobotAuthEnforced()) {
+    if (isEnvAuthEnabled()) {
+      throw new EnvAuthConfigError(`${ENV_AUTH_ENABLE_VAR}=true and ${ENFORCE_ROBOT_AUTH_VAR}=true ` + `are mutually exclusive. Unset one of them and re-run.`);
+    }
+    const robotCreds = await robotFallback({ force: true });
+    if (!robotCreds) {
+      return {
+        loginStatus: "Not logged in",
+        hint: `${ENFORCE_ROBOT_AUTH_VAR}=true but the UiPath Robot ` + `session is unavailable. Start and sign in to the Assistant, ` + `or unset ${ENFORCE_ROBOT_AUTH_VAR} to fall back to file or ` + `env-var authentication.`
+      };
+    }
+    const expiration2 = getTokenExpiration(robotCreds.accessToken);
+    return {
+      loginStatus: "Logged in",
+      accessToken: robotCreds.accessToken,
+      baseUrl: robotCreds.baseUrl,
+      organizationName: robotCreds.organizationName,
+      organizationId: robotCreds.organizationId,
+      tenantName: robotCreds.tenantName,
+      tenantId: robotCreds.tenantId,
+      expiration: expiration2,
+      source: "robot"
+    };
+  }
+  if (isEnvAuthEnabled()) {
+    return readAuthFromEnv();
+  }
+  const { envFilePath = DEFAULT_ENV_FILENAME, ensureTokenValidityMinutes } = options;
   const { absolutePath } = await resolveEnvFilePath(envFilePath);
   if (absolutePath === undefined) {
     const robotCreds = await robotFallback();
@@ -22263,73 +22657,103 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs7 = getFs();
+    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs7.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
+    }
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
     } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+      const msg = errorMessage(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file",
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint,
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    const refreshedExp = getTokenExpiration(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
-      return {
-        loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+    let lockedFailure;
+    try {
+      const outcome = await runRefreshLocked({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig
+      });
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
         }
-      };
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
-    try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
-      });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -22344,23 +22768,13 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     expiration,
     source: "file",
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs7 = getFs();
-    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs7.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -22375,7 +22789,8 @@ var getLoginStatusAsync = async (options = {}) => {
 };
 init_src();
 init_src();
-async function resolveConfig(service, options) {
+init_server();
+async function resolveConfig(plane, options) {
   const status = await getLoginStatusAsync({
     ensureTokenValidityMinutes: options?.loginValidity
   });
@@ -22385,29 +22800,35 @@ async function resolveConfig(service, options) {
   if (!status.organizationId) {
     throw new Error("Organization ID not available. Ensure you are logged in with an organization context.");
   }
-  const basePath = `${status.baseUrl}/${status.organizationId}/${service}_`;
+  const basePath = `${status.baseUrl}/${status.organizationId}/${plane}_`;
+  const bearerToken = options?.s2sToken ?? status.accessToken;
   return {
     config: new Configuration({
       basePath,
-      headers: {
-        Authorization: `Bearer ${status.accessToken}`
-      }
+      accessToken: async () => bearerToken,
+      headers: addSdkUserAgentHeader(undefined, SDK_USER_AGENT)
     }),
-    status
+    organizationId: status.organizationId,
+    tenantId: status.tenantId,
+    tenantName: status.tenantName
   };
 }
-async function createPapApiClient(ApiClass, options) {
-  const { config } = await resolveConfig("pap", options);
-  return new ApiClass(config);
-}
-async function createPdpApiClient(ApiClass, options) {
-  const { config, status } = await resolveConfig("pdp", options);
+async function createApiClient(ApiClass, plane, options) {
+  const { config, organizationId, tenantId, tenantName } = await resolveConfig(plane, options);
   return {
     api: new ApiClass(config),
-    organizationId: status.organizationId,
-    tenantId: status.tenantId
+    organizationId,
+    tenantId,
+    tenantName
   };
 }
+async function createPapClient(ApiClass, options) {
+  return createApiClient(ApiClass, "pap", options);
+}
+async function createPdpClient(ApiClass, options) {
+  return createApiClient(ApiClass, "pdp", options);
+}
+init_src();
 function isPromiseLike2(value) {
   return value !== null && typeof value === "object" && typeof value.then === "function";
 }
@@ -22434,71 +22855,6 @@ function settlePromiseLike2(thenable) {
     undefined
   ]);
 }
-var examplesByCommand = new WeakMap;
-Command.prototype.examples = function(examples) {
-  examplesByCommand.set(this, examples);
-  return this;
-};
-var PREFIX = "@uipath/common/";
-var _g = globalThis;
-function singleton(ctorOrName) {
-  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
-  const key = Symbol.for(PREFIX + name);
-  return {
-    get(fallback) {
-      return _g[key] ?? fallback;
-    },
-    set(value) {
-      _g[key] = value;
-    },
-    clear() {
-      delete _g[key];
-    },
-    getOrInit(factory, guard) {
-      const existing = _g[key];
-      if (existing != null && typeof existing === "object") {
-        if (!guard || guard(existing)) {
-          return existing;
-        }
-      }
-      const instance = factory();
-      _g[key] = instance;
-      return instance;
-    }
-  };
-}
-function createStorage() {
-  const [error, mod] = catchError2(() => __require2("node:async_hooks"));
-  if (error || typeof mod?.AsyncLocalStorage !== "function") {
-    return {
-      getStore: () => {
-        return;
-      },
-      run: (_store, fn) => fn()
-    };
-  }
-  return new mod.AsyncLocalStorage;
-}
-var storageSingleton = singleton("OutputStorage");
-var sinkSlot = singleton("OutputSink");
-var outputStorage = storageSingleton.getOrInit(createStorage, (v) => ("getStore" in v));
-var CONSOLE_FALLBACK = {
-  writeOut: (str) => process.stdout.write(str),
-  writeErr: (str) => process.stderr.write(str),
-  writeLog: (str) => process.stdout.write(str),
-  capabilities: {
-    isInteractive: false,
-    supportsColor: false,
-    outputWidth: 80
-  }
-};
-function getOutputSink() {
-  return outputStorage.getStore() ?? sinkSlot.get() ?? CONSOLE_FALLBACK;
-}
-var COMPLETER_SYMBOL = Symbol.for("@uipath/common/completer");
-var guardInstalledSlot = singleton("ConsoleGuardInstalled");
-var savedOriginalsSlot = singleton("ConsoleGuardOriginals");
-var DEFAULT_AUTH_TIMEOUT_MS2 = 5 * 60 * 1000;
 var DEFAULT_401 = "Unauthorized (401). Run `uip login` to authenticate.";
 var DEFAULT_403 = "Forbidden (403). Ensure the account has the required permissions.";
 var DEFAULT_405 = "Method Not Allowed (405). The endpoint may not exist or the base URL may be incorrect.";
@@ -22604,10 +22960,15 @@ async function extractErrorDetails(error, options) {
   }
   if (parsedBody?.errorCode && typeof parsedBody.errorCode === "string") {
     context.errorCode = parsedBody.errorCode;
+  } else if (parsedBody?.code && typeof parsedBody.code === "string") {
+    context.errorCode = parsedBody.code;
   }
   if (parsedBody?.requestId && typeof parsedBody.requestId === "string") {
     context.requestId = parsedBody.requestId;
   }
+  if (parsedBody?.traceId && typeof parsedBody.traceId === "string") {
+    context.traceId = parsedBody.traceId;
+  }
   if (status === 429) {
     const resp = response;
     const headersObj = resp?.headers;
@@ -22627,12 +22988,77 @@ async function extractErrorDetails(error, options) {
     }
   }
   const hasContext = Object.keys(context).length > 0;
-  return { result, message, details, ...hasContext ? { context } : {} };
+  let parsedErrors;
+  if (parsedBody?.errors && typeof parsedBody.errors === "object") {
+    const errors = {};
+    for (const [field, raw] of Object.entries(parsedBody.errors)) {
+      if (Array.isArray(raw)) {
+        const messages = raw.map((entry) => {
+          if (typeof entry === "string")
+            return entry;
+          if (entry && typeof entry === "object" && typeof entry.message === "string") {
+            return entry.message;
+          }
+          return String(entry);
+        }).filter(Boolean);
+        if (messages.length > 0)
+          errors[field] = messages;
+      } else if (typeof raw === "string") {
+        errors[field] = [raw];
+      }
+    }
+    if (Object.keys(errors).length > 0)
+      parsedErrors = errors;
+  }
+  return {
+    result,
+    message,
+    details,
+    ...hasContext ? { context } : {},
+    ...parsedErrors ? { parsedErrors } : {}
+  };
 }
 async function extractErrorMessage(error, options) {
   const { message } = await extractErrorDetails(error, options);
   return message;
 }
+var examplesByCommand = new WeakMap;
+Command.prototype.examples = function(examples) {
+  examplesByCommand.set(this, examples);
+  return this;
+};
+function createStorage() {
+  const [error, mod] = catchError2(() => __require2("node:async_hooks"));
+  if (error || typeof mod?.AsyncLocalStorage !== "function") {
+    return {
+      getStore: () => {
+        return;
+      },
+      run: (_store, fn) => fn()
+    };
+  }
+  return new mod.AsyncLocalStorage;
+}
+var storageSingleton = singleton("OutputStorage");
+var sinkSlot = singleton("OutputSink");
+var outputStorage = storageSingleton.getOrInit(createStorage, (v) => ("getStore" in v));
+var CONSOLE_FALLBACK = {
+  writeOut: (str) => process.stdout.write(str),
+  writeErr: (str) => process.stderr.write(str),
+  writeLog: (str) => process.stdout.write(str),
+  capabilities: {
+    isInteractive: false,
+    supportsColor: false,
+    outputWidth: 80
+  }
+};
+function getOutputSink() {
+  return outputStorage.getStore() ?? sinkSlot.get() ?? CONSOLE_FALLBACK;
+}
+var COMPLETER_SYMBOL = Symbol.for("@uipath/common/completer");
+var guardInstalledSlot = singleton("ConsoleGuardInstalled");
+var savedOriginalsSlot = singleton("ConsoleGuardOriginals");
+var DEFAULT_AUTH_TIMEOUT_MS2 = 5 * 60 * 1000;
 var isObject = (obj) => {
   return obj !== null && Object.prototype.toString.call(obj) === "[object Object]";
 };
@@ -27658,15 +28084,80 @@ class SuccessOutput {
     }
   }
 }
-function printOutput(data, format = "json", logFn) {
+function escapeNonAscii(jsonText) {
+  return jsonText.replace(/[\u0080-\uffff]/g, (c) => {
+    const hex = c.charCodeAt(0).toString(16).padStart(4, "0");
+    return `\\u${hex}`;
+  });
+}
+function needsAsciiSafeJson(sink) {
+  return process.platform === "win32" && !sink.capabilities.isInteractive;
+}
+function isPlainRecord(value) {
+  if (value === null || typeof value !== "object")
+    return false;
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}
+function toLowerCamelCaseKey(key) {
+  if (!key)
+    return key;
+  if (/[_\-\s]/.test(key)) {
+    const [firstPart, ...restParts] = key.split(/[_\-\s]+/).filter(Boolean);
+    if (!firstPart)
+      return key;
+    return [
+      toLowerCamelCaseSimpleKey(firstPart),
+      ...restParts.map((part) => {
+        const normalized = toLowerCamelCaseSimpleKey(part);
+        return normalized.charAt(0).toUpperCase() + normalized.slice(1);
+      })
+    ].join("");
+  }
+  return toLowerCamelCaseSimpleKey(key);
+}
+function toLowerCamelCaseSimpleKey(key) {
+  if (/^[A-Z0-9]+$/.test(key))
+    return key.toLowerCase();
+  return key.replace(/^[A-Z]+(?=[A-Z][a-z]|\d|$)|^[A-Z]/, (match) => match.toLowerCase());
+}
+function toPascalCaseKey(key) {
+  const lowerCamelKey = toLowerCamelCaseKey(key);
+  return lowerCamelKey ? lowerCamelKey.charAt(0).toUpperCase() + lowerCamelKey.slice(1) : lowerCamelKey;
+}
+function toPascalCaseData(value) {
+  if (Array.isArray(value))
+    return value.map(toPascalCaseData);
+  if (!isPlainRecord(value))
+    return value;
+  const result = {};
+  for (const [key, nestedValue] of Object.entries(value)) {
+    result[toPascalCaseKey(key)] = toPascalCaseData(nestedValue);
+  }
+  return result;
+}
+function normalizeDataKeys(data) {
+  return toPascalCaseData(data);
+}
+function normalizeOutputKeys(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    const pascalKey = toPascalCaseKey(key);
+    result[pascalKey] = pascalKey === "Data" ? value : toPascalCaseData(value);
+  }
+  return result;
+}
+function printOutput(data, format = "json", logFn, asciiSafe = false) {
   if (!data) {
     logFn("Empty response object. No data to display.");
     return;
   }
   switch (format) {
-    case "json":
-      logFn(JSON.stringify(data, null, 2));
+    case "json": {
+      const json2 = JSON.stringify(data, null, 2);
+      logFn(asciiSafe ? escapeNonAscii(json2) : json2);
       break;
+    }
     case "yaml":
       logFn(toYaml(data));
       break;
@@ -27701,7 +28192,7 @@ function printOutput(data, format = "json", logFn) {
 function logOutput(data, format = "json") {
   const sink = getOutputSink();
   printOutput(data, format, (msg) => sink.writeOut(`${msg}
-`));
+`), needsAsciiSafeJson(sink));
 }
 function cellToString(val) {
   return val != null && typeof val === "object" ? JSON.stringify(val) : String(val ?? "");
@@ -27718,7 +28209,7 @@ function wrapText(text, width) {
 function printTable(data, logFn, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   const maxWidths = keys.map((key) => Math.max(key.length, ...data.map((item) => cellToString(item[key]).length)));
   const header = keys.map((key, i2) => key.padEnd(maxWidths[i2])).join(" | ");
   logFn(header);
@@ -27733,7 +28224,7 @@ function printTable(data, logFn, externalLogValue) {
   }
 }
 function printVerticalTable(data, logFn = console.log, externalLogValue) {
-  const keys = Object.keys(data).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   const maxKeyWidth = Math.max(...keys.map((key) => key.length));
@@ -27749,7 +28240,7 @@ function printVerticalTable(data, logFn = console.log, externalLogValue) {
 function printResizableTable(data, logFn = console.log, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   if (!process.stdout.isTTY) {
@@ -27825,8 +28316,27 @@ function printResizableTable(data, logFn = console.log, externalLogValue) {
 function toYaml(data) {
   return dump(data);
 }
+
+class FilterEvaluationError extends Error {
+  __brand = "FilterEvaluationError";
+  filter;
+  instructions;
+  result = RESULTS.ValidationError;
+  constructor(filter, cause) {
+    const underlying = cause instanceof Error ? cause.message : String(cause);
+    super(`Filter '${filter}' failed to evaluate: ${underlying}`);
+    this.name = "FilterEvaluationError";
+    this.filter = filter;
+    this.instructions = `The --output-filter expression '${filter}' failed at evaluation time. ` + "Note that --output-filter operates on the 'Data' field of the envelope, not the full object. " + "For example, on a list result use 'length(@)' instead of 'Data | length(@)'.";
+  }
+}
 function applyFilter(data, filter) {
-  const result = search(data, filter);
+  let result;
+  try {
+    result = search(data, filter);
+  } catch (err) {
+    throw new FilterEvaluationError(filter, err);
+  }
   if (result == null)
     return [];
   if (Array.isArray(result)) {
@@ -27843,13 +28353,18 @@ function applyFilter(data, filter) {
 }
 var OutputFormatter;
 ((OutputFormatter2) => {
-  function success(data) {
+  function success(data, options) {
     data.Log ??= getLogFilePath() || undefined;
+    const normalize = !options?.preserveDataKeys;
+    if (normalize) {
+      data.Data = normalizeDataKeys(data.Data);
+    }
     const filter = getOutputFilter();
     if (filter) {
-      data.Data = applyFilter(data.Data, filter);
+      const filtered = applyFilter(data.Data, filter);
+      data.Data = normalize ? normalizeDataKeys(filtered) : filtered;
     }
-    logOutput(data, getOutputFormat());
+    logOutput(normalizeOutputKeys(data), getOutputFormat());
   }
   OutputFormatter2.success = success;
   function error(data) {
@@ -27859,7 +28374,7 @@ var OutputFormatter;
       result: data.Result,
       message: data.Message
     });
-    logOutput(data, getOutputFormat());
+    logOutput(normalizeOutputKeys(data), getOutputFormat());
   }
   OutputFormatter2.error = error;
   function emitList(code, items, opts) {
@@ -27880,11 +28395,14 @@ var OutputFormatter;
   function log(data) {
     const format = getOutputFormat();
     const sink = getOutputSink();
+    const normalized = toPascalCaseData(data);
     if (format === "json") {
-      sink.writeErr(`${JSON.stringify(data)}
+      const json2 = JSON.stringify(normalized);
+      const safe = needsAsciiSafeJson(sink) ? escapeNonAscii(json2) : json2;
+      sink.writeErr(`${safe}
 `);
     } else {
-      for (const [key, value] of Object.entries(data)) {
+      for (const [key, value] of Object.entries(normalized)) {
         sink.writeErr(`${key}: ${value}
 `);
       }
@@ -27893,13 +28411,18 @@ var OutputFormatter;
   OutputFormatter2.log = log;
   function formatToString(data) {
     const filter = getOutputFilter();
-    if (filter && "Data" in data && data.Data != null) {
-      data.Data = applyFilter(data.Data, filter);
+    if ("Data" in data && data.Data != null) {
+      data.Data = normalizeDataKeys(data.Data);
+      if (filter) {
+        data.Data = normalizeDataKeys(applyFilter(data.Data, filter));
+      }
     }
+    const output = normalizeOutputKeys(data);
     const lines = [];
-    printOutput(data, getOutputFormat(), (msg) => {
+    const sink = getOutputSink();
+    printOutput(output, getOutputFormat(), (msg) => {
       lines.push(msg);
-    });
+    }, needsAsciiSafeJson(sink));
     return lines.join(`
 `);
   }
@@ -29320,6 +29843,19 @@ function parseSafeInteger(raw, min) {
   }
   return parsed;
 }
+var PollOutcome = {
+  Completed: "completed",
+  Timeout: "timeout",
+  Interrupted: "interrupted",
+  Aborted: "aborted",
+  Failed: "failed"
+};
+var REASON_BY_OUTCOME = {
+  [PollOutcome.Timeout]: "poll_timeout",
+  [PollOutcome.Failed]: "poll_failed",
+  [PollOutcome.Interrupted]: "poll_failed",
+  [PollOutcome.Aborted]: "poll_aborted"
+};
 var TERMINAL_STATUSES = new Set([
   "completed",
   "successful",
@@ -29519,17 +30055,21 @@ Command.prototype.trackedAction = function(context, fn, properties) {
     const telemetryName = deriveCommandPath(command);
     const props = typeof properties === "function" ? properties(...args) : properties;
     const startTime = performance.now();
-    let errorMessage;
+    let errorMessage2;
     const [error] = await catchError2(fn(...args));
     if (error) {
-      errorMessage = error instanceof Error ? error.message : String(error);
-      logger.error(`[trackedAction] ${telemetryName} failed: ${errorMessage}`);
+      errorMessage2 = error instanceof Error ? error.message : String(error);
+      logger.debug(`[trackedAction] ${telemetryName} failed: ${errorMessage2}`);
+      const typed = error;
+      const customInstructions = typeof typed.instructions === "string" ? typed.instructions : undefined;
+      const customResult = typeof typed.result === "string" && typed.result !== RESULTS.Success && Object.values(RESULTS).includes(typed.result) ? typed.result : undefined;
+      const finalResult = customResult ?? RESULTS.Failure;
       OutputFormatter.error({
-        Result: RESULTS.Failure,
-        Message: errorMessage,
-        Instructions: "An unexpected error occurred. Run with --log-level debug for details."
+        Result: finalResult,
+        Message: errorMessage2,
+        Instructions: customInstructions ?? "An unexpected error occurred. Run with --log-level debug for details."
       });
-      context.exit(1);
+      context.exit(EXIT_CODES[finalResult]);
     }
     const durationMs = performance.now() - startTime;
     const success = !error && (process.exitCode === undefined || process.exitCode === 0);
@@ -29538,7 +30078,7 @@ Command.prototype.trackedAction = function(context, fn, properties) {
       ...props,
       duration: String(durationMs),
       success: String(success),
-      ...errorMessage ? { errorMessage } : {}
+      ...errorMessage2 ? { errorMessage: errorMessage2 } : {}
     }));
   });
 };
@@ -29559,7 +30099,7 @@ var withLoginValidity = (cmd) => {
   return cmd;
 };
 async function getPapApi(options) {
-  const [err, api] = await catchError2(createPapApiClient(PolicyManagementApi, {
+  const [err, client] = await catchError2(createPapClient(PolicyManagementApi, {
     loginValidity: options.loginValidity
   }));
   if (err) {
@@ -29571,7 +30111,7 @@ async function getPapApi(options) {
     processContext.exit(1);
     return null;
   }
-  return api;
+  return client.api;
 }
 async function loadPolicyDefinition(file) {
   const fs7 = getFileSystem();
@@ -29627,7 +30167,7 @@ var LIST_EXAMPLES = [
   },
   {
     Description: "Filter active policies, sorted by name",
-    Command: `uip gov access-policy list --filter "status in ('Active')" --order-by "Name asc"`,
+    Command: `uip gov access-policy list --filter "status in ('Active')" --sort-by "Name asc"`,
     Output: {
       Code: "PolicyList",
       Data: {
@@ -29731,11 +30271,11 @@ var registerAccessPolicyCommand = (program2) => {
     "Search for policies matching optional filters, with pagination.",
     "Returns a paged list (totalCount + results) of policy metadata.",
     "",
-    "Filters use OData syntax (e.g. `status in ('Active')`). Sort with --order-by using",
+    "Filters use OData syntax (e.g. `status in ('Active')`). Sort with --sort-by using",
     "`<Field> asc|desc` (e.g. `Name asc`, `CreatedOn desc`).",
     "Use the returned `id` with `access-policy get|update|delete|evaluate`."
   ].join(`
-`)).option("--limit <n>", "Page size — maximum number of policies to return. Defaults to 20.", parseNonNegativeInt, 20).option("--offset <n>", "Number of records to skip before the returned page (zero-based).", parseNonNegativeInt, 0).option("--filter <filter>", `OData-style filter expression (e.g. "status in ('Active')").`).option("--order-by <order>", "Sort expression — '<Field> asc|desc' (e.g. 'Name asc', 'CreatedOn desc').").examples(LIST_EXAMPLES)).trackedAction(processContext, async (options) => {
+`)).option("--limit <n>", "Page size — maximum number of policies to return. Defaults to 20.", parseNonNegativeInt, 20).option("--offset <n>", "Number of records to skip before the returned page (zero-based).", parseNonNegativeInt, 0).option("--filter <filter>", `OData-style filter expression (e.g. "status in ('Active')").`).option("--sort-by <order>", "Sort expression — '<Field> asc|desc' (e.g. 'Name asc', 'CreatedOn desc').").examples(LIST_EXAMPLES)).trackedAction(processContext, async (options) => {
     const api = await getPapApi(options);
     if (!api)
       return;
@@ -29743,13 +30283,13 @@ var registerAccessPolicyCommand = (program2) => {
       top: options.limit,
       skip: options.offset,
       filter: options.filter,
-      orderBy: options.orderBy
+      orderBy: options.sortBy
     }));
     if (error) {
       OutputFormatter.error({
         Result: RESULTS.Failure,
         Message: await extractErrorMessage(error),
-        Instructions: "Verify --filter uses OData syntax and --order-by is '<Field> asc|desc'. Ensure you have access to the access-policy service."
+        Instructions: "Verify --filter uses OData syntax and --sort-by is '<Field> asc|desc'. Ensure you have access to the access-policy service."
       });
       processContext.exit(1);
       return;
@@ -29885,7 +30425,7 @@ var registerAccessPolicyCommand = (program2) => {
     "why a production request was allowed/denied."
   ].join(`
 `)).addOption(new Option("--resource-type <type>", "The protected asset being accessed (e.g. the Agent being invoked).").choices(RESOURCE_TYPES).makeOptionMandatory(true)).option("--resource-id <id>", "Identifier of the specific resource instance (e.g. an Agent UUID).").option("--actor-identity-id <id>", "Identifier of the actor — only required when calling with an S2S token. With a user token the actor is inferred from the bearer.").addOption(new Option("--actor-process-type <type>", "The workflow/agent being executed on behalf of the actor, if any.").choices(EXECUTABLE_TYPES)).option("--actor-process-id <id>", "Identifier of the executable (e.g. a Flow UUID).").option("--folder-key <key>", "Folder key (UUID) scoping the request to a specific folder.").option("--trace-parent-id <id>", "W3C traceparent header value to correlate this evaluation with upstream traces.").examples(EVALUATE_EXAMPLES)).trackedAction(processContext, async (options) => {
-    const [apiErr, client] = await catchError2(createPdpApiClient(PolicyEvaluationApi, {
+    const [apiErr, client] = await catchError2(createPdpClient(PolicyEvaluationApi, {
       loginValidity: options.loginValidity
     }));
     if (apiErr) {
@@ -29977,6 +30517,7 @@ import path3 from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 import childProcess32 from "node:child_process";
 import fs52, { constants as fsConstants22 } from "node:fs/promises";
+import { randomUUID as randomUUID2 } from "node:crypto";
 import { existsSync as existsSync2 } from "node:fs";
 import * as fs62 from "node:fs/promises";
 import * as os22 from "node:os";
@@ -30731,6 +31272,90 @@ class NodeFileSystem2 {
   async mkdir(dirPath) {
     await fs62.mkdir(dirPath, { recursive: true });
   }
+  async acquireLock(lockPath) {
+    const canonicalPath = await this.canonicalizeLockTarget(lockPath);
+    const lockFile = `${canonicalPath}.lock`;
+    const ownerId = randomUUID2();
+    const start = Date.now();
+    while (true) {
+      try {
+        await fs62.writeFile(lockFile, ownerId, { flag: "wx" });
+        return this.createLockRelease(lockFile, ownerId);
+      } catch (error) {
+        if (!this.hasErrnoCode(error, "EEXIST")) {
+          throw error;
+        }
+        const stats = await fs62.stat(lockFile).catch(() => null);
+        if (stats && Date.now() - stats.mtimeMs > LOCK_STALE_MS2) {
+          const reclaimed = await fs62.rm(lockFile, { force: true }).then(() => true).catch(() => false);
+          if (reclaimed)
+            continue;
+        }
+        if (Date.now() - start > LOCK_MAX_WAIT_MS2) {
+          throw new Error(`ELOCKED: timed out waiting for lock on ${canonicalPath}`);
+        }
+        await new Promise((resolve22) => setTimeout(resolve22, LOCK_RETRY_MIN_MS2 + Math.random() * LOCK_RETRY_JITTER_MS2));
+      }
+    }
+  }
+  async canonicalizeLockTarget(lockPath) {
+    const absolute = path22.resolve(lockPath);
+    const fullReal = await fs62.realpath(absolute).catch(() => null);
+    if (fullReal)
+      return fullReal;
+    const parent = path22.dirname(absolute);
+    const base = path22.basename(absolute);
+    const canonicalParent = await fs62.realpath(parent).catch(() => parent);
+    return path22.join(canonicalParent, base);
+  }
+  createLockRelease(lockFile, ownerId) {
+    const heartbeatStart = Date.now();
+    let heartbeatTimer;
+    let stopped = false;
+    const stopHeartbeat = () => {
+      stopped = true;
+      if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    };
+    const scheduleNextHeartbeat = () => {
+      if (stopped)
+        return;
+      if (Date.now() - heartbeatStart >= LOCK_MAX_HOLD_MS2) {
+        stopped = true;
+        return;
+      }
+      heartbeatTimer = setTimeout(() => {
+        runHeartbeat();
+      }, LOCK_HEARTBEAT_MS2);
+      heartbeatTimer.unref?.();
+    };
+    const runHeartbeat = async () => {
+      if (stopped)
+        return;
+      const current = await fs62.readFile(lockFile, "utf-8").catch(() => null);
+      if (stopped)
+        return;
+      if (current !== ownerId) {
+        stopped = true;
+        return;
+      }
+      const now = Date.now() / 1000;
+      await fs62.utimes(lockFile, now, now).catch(() => {});
+      scheduleNextHeartbeat();
+    };
+    scheduleNextHeartbeat();
+    let released = false;
+    return async () => {
+      if (released)
+        return;
+      released = true;
+      stopHeartbeat();
+      const current = await fs62.readFile(lockFile, "utf-8").catch(() => null);
+      if (current === ownerId) {
+        await fs62.rm(lockFile, { force: true });
+      }
+    };
+  }
   async rm(filePath) {
     await fs62.rm(filePath, { recursive: true, force: true });
   }
@@ -30776,16 +31401,23 @@ class NodeFileSystem2 {
     }
   }
   isEnoent(error) {
-    return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+    return this.hasErrnoCode(error, "ENOENT");
+  }
+  hasErrnoCode(error, code) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === code;
   }
 }
+var LOCK_HEARTBEAT_MS2 = 5000;
+var LOCK_STALE_MS2 = 15000;
+var LOCK_MAX_WAIT_MS2 = 20000;
+var LOCK_MAX_HOLD_MS2 = 60000;
+var LOCK_RETRY_MIN_MS2 = 100;
+var LOCK_RETRY_JITTER_MS2 = 200;
 var init_node2 = __esm2(() => {
   init_open2();
 });
 var fsInstance2;
-var getFileSystem2 = () => {
-  return fsInstance2;
-};
+var getFileSystem2 = () => fsInstance2;
 var init_src2 = __esm2(() => {
   init_node2();
   init_node2();
@@ -48592,9 +49224,13 @@ var require_dist2 = __commonJS3((exports) => {
   exports.RobotProxyConstructor = RobotProxyConstructor;
   __exportStar(require_agent2(), exports);
 });
-var package_default2 = {
+var init_server2 = __esm2(() => {
+  init_constants2();
+});
+var package_default3 = {
   name: "@uipath/aops-policy-tool",
-  version: "0.3.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "CLI plugin for managing UiPath AOps governance policies.",
   private: false,
   repository: {
@@ -48636,6 +49272,132 @@ var package_default2 = {
     typescript: "^6.0.2"
   }
 };
+var PREFIX2 = "@uipath/common/";
+var _g2 = globalThis;
+function singleton2(ctorOrName) {
+  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
+  const key = Symbol.for(PREFIX2 + name);
+  return {
+    get(fallback) {
+      return _g2[key] ?? fallback;
+    },
+    set(value) {
+      _g2[key] = value;
+    },
+    clear() {
+      delete _g2[key];
+    },
+    getOrInit(factory, guard) {
+      const existing = _g2[key];
+      if (existing != null && typeof existing === "object") {
+        if (!guard || guard(existing)) {
+          return existing;
+        }
+      }
+      const instance = factory();
+      _g2[key] = instance;
+      return instance;
+    }
+  };
+}
+var USER_AGENT_HEADER2 = "User-Agent";
+var sdkUserAgentHostToken2 = singleton2("SdkUserAgentHostToken");
+function userAgentPatchKey2(userAgent) {
+  return Symbol.for(`@uipath/common/sdk-user-agent/${userAgent}`);
+}
+function splitUserAgentTokens2(value) {
+  return value?.trim().split(/\s+/).filter(Boolean) ?? [];
+}
+function appendUserAgentToken2(value, userAgent) {
+  const tokens = splitUserAgentTokens2(value);
+  const seen = new Set(tokens);
+  for (const token of splitUserAgentTokens2(userAgent)) {
+    if (!seen.has(token)) {
+      tokens.push(token);
+      seen.add(token);
+    }
+  }
+  return tokens.join(" ");
+}
+function getEffectiveUserAgent2(userAgent) {
+  return appendUserAgentToken2(sdkUserAgentHostToken2.get(), userAgent);
+}
+function isHeadersLike2(headers) {
+  return typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function" && "set" in headers && typeof headers.set === "function";
+}
+function getSdkUserAgentToken2(pkg) {
+  const packageName = pkg.name.replace(/^@uipath\//, "");
+  return getEffectiveUserAgent2(`${packageName}/${pkg.version}`);
+}
+function addSdkUserAgentHeader2(headers, userAgent) {
+  const result = { ...headers ?? {} };
+  const effectiveUserAgent = getEffectiveUserAgent2(userAgent);
+  const headerName = Object.keys(result).find((key) => key.toLowerCase() === USER_AGENT_HEADER2.toLowerCase());
+  if (headerName) {
+    result[headerName] = appendUserAgentToken2(result[headerName], effectiveUserAgent);
+  } else {
+    result[USER_AGENT_HEADER2] = effectiveUserAgent;
+  }
+  return result;
+}
+function withSdkUserAgentHeader2(headers, userAgent) {
+  const effectiveUserAgent = getEffectiveUserAgent2(userAgent);
+  if (isHeadersLike2(headers)) {
+    headers.set(USER_AGENT_HEADER2, appendUserAgentToken2(headers.get(USER_AGENT_HEADER2), effectiveUserAgent));
+    return headers;
+  }
+  if (Array.isArray(headers)) {
+    const result = headers.map((entry) => {
+      const [key, value] = entry;
+      return [key, value];
+    });
+    const headerIndex = result.findIndex(([key]) => key.toLowerCase() === USER_AGENT_HEADER2.toLowerCase());
+    if (headerIndex >= 0) {
+      const [key, value] = result[headerIndex];
+      result[headerIndex] = [
+        key,
+        appendUserAgentToken2(value, effectiveUserAgent)
+      ];
+    } else {
+      result.push([USER_AGENT_HEADER2, effectiveUserAgent]);
+    }
+    return result;
+  }
+  return addSdkUserAgentHeader2(typeof headers === "object" && headers !== null ? { ...headers } : {}, effectiveUserAgent);
+}
+function withUserAgentInitOverride2(initOverrides, userAgent) {
+  return async (requestContext) => {
+    const initWithUserAgent = {
+      ...requestContext.init,
+      headers: withSdkUserAgentHeader2(requestContext.init.headers, userAgent)
+    };
+    const override = typeof initOverrides === "function" ? await initOverrides({
+      ...requestContext,
+      init: initWithUserAgent
+    }) : initOverrides;
+    return {
+      ...override ?? {},
+      headers: withSdkUserAgentHeader2(override?.headers ?? initWithUserAgent.headers, userAgent)
+    };
+  };
+}
+function installSdkUserAgentHeader2(BaseApiClass, userAgent) {
+  const prototype = BaseApiClass.prototype;
+  const patchKey = userAgentPatchKey2(userAgent);
+  if (prototype[patchKey]) {
+    return;
+  }
+  if (typeof prototype.request !== "function") {
+    throw new Error("Generated BaseAPI request function not found.");
+  }
+  const originalRequest = prototype.request;
+  prototype.request = function requestWithUserAgent(context, initOverrides) {
+    return originalRequest.call(this, context, withUserAgentInitOverride2(initOverrides, userAgent));
+  };
+  Object.defineProperty(prototype, patchKey, {
+    value: true
+  });
+}
 var BASE_PATH2 = "http://localhost".replace(/\/+$/, "");
 
 class Configuration2 {
@@ -48903,6 +49665,53 @@ class TextApiResponse {
     return await this.raw.text();
   }
 }
+var package_default22 = {
+  name: "@uipath/aops-policy-sdk",
+  license: "MIT",
+  version: "1.2.0",
+  description: "SDK for the UiPath AOps Governance API — policy management and deployment.",
+  repository: {
+    type: "git",
+    url: "https://github.com/UiPath/cli.git",
+    directory: "packages/gov/aops-policy-sdk"
+  },
+  publishConfig: {
+    registry: "https://npm.pkg.github.com/@uipath"
+  },
+  keywords: [
+    "uipath",
+    "governance",
+    "policy",
+    "sdk"
+  ],
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/src/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  private: true,
+  scripts: {
+    build: "bun build ./src/index.ts --outdir dist --format esm --target node && tsc -p tsconfig.build.json --noCheck",
+    generate: "bun run src/scripts/generate-sdk.ts",
+    lint: "biome check ."
+  },
+  devDependencies: {
+    "@openapitools/openapi-generator-cli": "^2.31.1",
+    "@types/node": "^25.5.2",
+    "@uipath/auth": "workspace:*",
+    "@uipath/common": "workspace:*",
+    typescript: "^6.0.2"
+  }
+};
+var SDK_USER_AGENT2 = getSdkUserAgentToken2(package_default22);
+installSdkUserAgentHeader2(BaseAPI2, SDK_USER_AGENT2);
 function AddLicenseTypeRequestToJSON(json2) {
   return AddLicenseTypeRequestToJSONTyped(json2, false);
 }
@@ -51559,30 +52368,7 @@ class InvalidBaseUrlError2 extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES2 = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights"
-];
+var DEFAULT_SCOPES2 = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl2 = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -51632,7 +52418,8 @@ var resolveConfigAsync2 = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES2;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID2 && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES2;
   return {
     clientId,
     clientSecret,
@@ -51715,6 +52502,7 @@ var getTokenExpiration2 = (accessToken) => {
   }
 };
 var ENV_AUTH_ENABLE_VAR2 = "UIPATH_CLI_ENABLE_ENV_AUTH";
+var ENFORCE_ROBOT_AUTH_VAR2 = "UIPATH_CLI_ENFORCE_ROBOT_AUTH";
 var ENV_AUTH_VARS2 = {
   token: "UIPATH_CLI_AUTH_TOKEN",
   organizationName: "UIPATH_CLI_ORGANIZATION_NAME",
@@ -51730,6 +52518,7 @@ class EnvAuthConfigError2 extends Error {
   }
 }
 var isEnvAuthEnabled2 = () => process.env[ENV_AUTH_ENABLE_VAR2] === "true";
+var isRobotAuthEnforced2 = () => process.env[ENFORCE_ROBOT_AUTH_VAR2] === "true";
 var requireEnv2 = (name) => {
   const value = process.env[name];
   if (!value) {
@@ -51771,6 +52560,7 @@ var readAuthFromEnv2 = () => {
     expiration
   };
 };
+init_src2();
 var DEFAULT_TIMEOUT_MS2 = 1000;
 var CLOSE_TIMEOUT_MS2 = 500;
 var NOTICE_SENTINEL2 = Symbol.for("@uipath/auth/robotFallbackNoticePrinted");
@@ -51782,6 +52572,35 @@ var printNoticeOnce2 = () => {
   catchError3(() => process.stderr.write(`Using UiPath Robot credentials. Run 'uip login' for a dedicated session.
 `));
 };
+var ROBOT_USER_SERVICES_PIPE2 = "UiPathUserServices";
+var ROBOT_USER_SERVICES_ALTERNATE_PIPE2 = `${ROBOT_USER_SERVICES_PIPE2}Alternate`;
+var PIPE_NAME_MAX_LENGTH2 = 103;
+var getRobotIpcPipeNames2 = async () => {
+  const fs72 = getFileSystem2();
+  const username = fs72.env.getenv("USER") ?? fs72.env.getenv("USERNAME");
+  if (!username) {
+    throw new Error("Unable to determine current username");
+  }
+  const tempPath = fs72.env.getenv("TMPDIR") ?? "/tmp/";
+  return [ROBOT_USER_SERVICES_PIPE2, ROBOT_USER_SERVICES_ALTERNATE_PIPE2].map((baseName) => fs72.path.join(tempPath, `${baseName}_${username}`).substring(0, PIPE_NAME_MAX_LENGTH2));
+};
+var defaultIsRobotIpcAvailable2 = async () => {
+  if (process.platform === "win32") {
+    return true;
+  }
+  const [pipeNamesError, pipeNames] = await catchError3(getRobotIpcPipeNames2());
+  if (pipeNamesError || !pipeNames) {
+    return false;
+  }
+  const fs72 = getFileSystem2();
+  for (const pipeName of pipeNames) {
+    const [existsError, exists] = await catchError3(fs72.exists(pipeName));
+    if (!existsError && exists === true) {
+      return true;
+    }
+  }
+  return false;
+};
 var withTimeout2 = (promise, timeoutMs) => new Promise((resolve22, reject) => {
   const timer = setTimeout(() => reject(new Error(`Robot IPC call timed out after ${timeoutMs}ms`)), timeoutMs);
   promise.then((value) => {
@@ -51813,14 +52632,20 @@ var defaultLoadModule2 = async () => {
 var tryRobotClientFallback2 = async (options = {}) => {
   if (isBrowser2())
     return;
-  if (process.env.CI || process.env.GITHUB_ACTIONS) {
-    return;
-  }
-  if (process.env.UIPATH_URL) {
-    return;
+  if (!options.force) {
+    if (process.env.CI || process.env.GITHUB_ACTIONS) {
+      return;
+    }
+    if (process.env.UIPATH_URL) {
+      return;
+    }
   }
   const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+  const isRobotIpcAvailable = options.isRobotIpcAvailable ?? defaultIsRobotIpcAvailable2;
   const loadModule = options.loadModule ?? defaultLoadModule2;
+  if (!await isRobotIpcAvailable()) {
+    return;
+  }
   const mod2 = await loadModule();
   if (!mod2)
     return;
@@ -52081,11 +52906,130 @@ function normalizeTokenRefreshFailure2() {
 function normalizeTokenRefreshUnavailableFailure2() {
   return "token refresh failed before authentication completed";
 }
-var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
-  if (isEnvAuthEnabled2()) {
-    return readAuthFromEnv2();
+function errorMessage2(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold2(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked2(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig: resolveConfig2
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold2(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage2(error)}`
+        }
+      }
+    };
   }
-  const { envFilePath = DEFAULT_ENV_FILENAME2, ensureTokenValidityMinutes } = options;
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration2(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig2({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure2(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure2() : normalizeTokenRefreshUnavailableFailure2();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration2(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage2(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
+var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync2,
     loadEnvFile = loadEnvFileAsync2,
@@ -52095,6 +53039,34 @@ var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
     resolveConfig: resolveConfig2 = resolveConfigAsync2,
     robotFallback = tryRobotClientFallback2
   } = deps;
+  if (isRobotAuthEnforced2()) {
+    if (isEnvAuthEnabled2()) {
+      throw new EnvAuthConfigError2(`${ENV_AUTH_ENABLE_VAR2}=true and ${ENFORCE_ROBOT_AUTH_VAR2}=true ` + `are mutually exclusive. Unset one of them and re-run.`);
+    }
+    const robotCreds = await robotFallback({ force: true });
+    if (!robotCreds) {
+      return {
+        loginStatus: "Not logged in",
+        hint: `${ENFORCE_ROBOT_AUTH_VAR2}=true but the UiPath Robot ` + `session is unavailable. Start and sign in to the Assistant, ` + `or unset ${ENFORCE_ROBOT_AUTH_VAR2} to fall back to file or ` + `env-var authentication.`
+      };
+    }
+    const expiration2 = getTokenExpiration2(robotCreds.accessToken);
+    return {
+      loginStatus: "Logged in",
+      accessToken: robotCreds.accessToken,
+      baseUrl: robotCreds.baseUrl,
+      organizationName: robotCreds.organizationName,
+      organizationId: robotCreds.organizationId,
+      tenantName: robotCreds.tenantName,
+      tenantId: robotCreds.tenantId,
+      expiration: expiration2,
+      source: "robot"
+    };
+  }
+  if (isEnvAuthEnabled2()) {
+    return readAuthFromEnv2();
+  }
+  const { envFilePath = DEFAULT_ENV_FILENAME2, ensureTokenValidityMinutes } = options;
   const { absolutePath } = await resolveEnvFilePath(envFilePath);
   if (absolutePath === undefined) {
     const robotCreds = await robotFallback();
@@ -52131,73 +53103,103 @@ var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration2(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold2(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs72 = getFs();
+    const globalPath = fs72.path.join(fs72.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs72.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig2({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration2(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
+    }
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
     } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure2(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure2() : normalizeTokenRefreshUnavailableFailure2();
+      const msg = errorMessage2(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file",
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint,
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    const refreshedExp = getTokenExpiration2(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
-      return {
-        loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+    let lockedFailure;
+    try {
+      const outcome = await runRefreshLocked2({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig: resolveConfig2
+      });
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
         }
-      };
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
-    try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
-      });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -52212,23 +53214,13 @@ var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
     expiration,
     source: "file",
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs72 = getFs();
-    const globalPath = fs72.path.join(fs72.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs72.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration2(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -52243,6 +53235,7 @@ var getLoginStatusAsync2 = async (options = {}) => {
 };
 init_src2();
 init_src2();
+init_server2();
 async function createGovernanceConfig(options) {
   const status = await getLoginStatusAsync2({
     ensureTokenValidityMinutes: options?.loginValidity
@@ -52258,13 +53251,15 @@ async function createGovernanceConfig(options) {
   const bearerToken = options?.s2sToken ?? status.accessToken;
   return new Configuration2({
     basePath,
-    apiKey: () => `Bearer ${bearerToken}`
+    apiKey: () => `Bearer ${bearerToken}`,
+    headers: addSdkUserAgentHeader2(undefined, SDK_USER_AGENT2)
   });
 }
-async function createApiClient(ApiClass, options) {
+async function createApiClient2(ApiClass, options) {
   const config = await createGovernanceConfig(options);
   return new ApiClass(config);
 }
+init_src2();
 function isPromiseLike22(value) {
   return value !== null && typeof value === "object" && typeof value.then === "function";
 }
@@ -52291,71 +53286,6 @@ function settlePromiseLike22(thenable) {
     undefined
   ]);
 }
-var examplesByCommand2 = new WeakMap;
-Command.prototype.examples = function(examples) {
-  examplesByCommand2.set(this, examples);
-  return this;
-};
-var PREFIX2 = "@uipath/common/";
-var _g2 = globalThis;
-function singleton2(ctorOrName) {
-  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
-  const key = Symbol.for(PREFIX2 + name);
-  return {
-    get(fallback) {
-      return _g2[key] ?? fallback;
-    },
-    set(value) {
-      _g2[key] = value;
-    },
-    clear() {
-      delete _g2[key];
-    },
-    getOrInit(factory, guard) {
-      const existing = _g2[key];
-      if (existing != null && typeof existing === "object") {
-        if (!guard || guard(existing)) {
-          return existing;
-        }
-      }
-      const instance = factory();
-      _g2[key] = instance;
-      return instance;
-    }
-  };
-}
-function createStorage2() {
-  const [error, mod2] = catchError22(() => __require3("node:async_hooks"));
-  if (error || typeof mod2?.AsyncLocalStorage !== "function") {
-    return {
-      getStore: () => {
-        return;
-      },
-      run: (_store, fn) => fn()
-    };
-  }
-  return new mod2.AsyncLocalStorage;
-}
-var storageSingleton2 = singleton2("OutputStorage");
-var sinkSlot2 = singleton2("OutputSink");
-var outputStorage2 = storageSingleton2.getOrInit(createStorage2, (v) => ("getStore" in v));
-var CONSOLE_FALLBACK2 = {
-  writeOut: (str2) => process.stdout.write(str2),
-  writeErr: (str2) => process.stderr.write(str2),
-  writeLog: (str2) => process.stdout.write(str2),
-  capabilities: {
-    isInteractive: false,
-    supportsColor: false,
-    outputWidth: 80
-  }
-};
-function getOutputSink2() {
-  return outputStorage2.getStore() ?? sinkSlot2.get() ?? CONSOLE_FALLBACK2;
-}
-var COMPLETER_SYMBOL2 = Symbol.for("@uipath/common/completer");
-var guardInstalledSlot2 = singleton2("ConsoleGuardInstalled");
-var savedOriginalsSlot2 = singleton2("ConsoleGuardOriginals");
-var DEFAULT_AUTH_TIMEOUT_MS22 = 5 * 60 * 1000;
 var DEFAULT_4012 = "Unauthorized (401). Run `uip login` to authenticate.";
 var DEFAULT_4032 = "Forbidden (403). Ensure the account has the required permissions.";
 var DEFAULT_4052 = "Method Not Allowed (405). The endpoint may not exist or the base URL may be incorrect.";
@@ -52461,10 +53391,15 @@ async function extractErrorDetails2(error, options) {
   }
   if (parsedBody?.errorCode && typeof parsedBody.errorCode === "string") {
     context.errorCode = parsedBody.errorCode;
+  } else if (parsedBody?.code && typeof parsedBody.code === "string") {
+    context.errorCode = parsedBody.code;
   }
   if (parsedBody?.requestId && typeof parsedBody.requestId === "string") {
     context.requestId = parsedBody.requestId;
   }
+  if (parsedBody?.traceId && typeof parsedBody.traceId === "string") {
+    context.traceId = parsedBody.traceId;
+  }
   if (status === 429) {
     const resp = response;
     const headersObj = resp?.headers;
@@ -52484,12 +53419,77 @@ async function extractErrorDetails2(error, options) {
     }
   }
   const hasContext = Object.keys(context).length > 0;
-  return { result, message, details, ...hasContext ? { context } : {} };
+  let parsedErrors;
+  if (parsedBody?.errors && typeof parsedBody.errors === "object") {
+    const errors = {};
+    for (const [field, raw] of Object.entries(parsedBody.errors)) {
+      if (Array.isArray(raw)) {
+        const messages = raw.map((entry) => {
+          if (typeof entry === "string")
+            return entry;
+          if (entry && typeof entry === "object" && typeof entry.message === "string") {
+            return entry.message;
+          }
+          return String(entry);
+        }).filter(Boolean);
+        if (messages.length > 0)
+          errors[field] = messages;
+      } else if (typeof raw === "string") {
+        errors[field] = [raw];
+      }
+    }
+    if (Object.keys(errors).length > 0)
+      parsedErrors = errors;
+  }
+  return {
+    result,
+    message,
+    details,
+    ...hasContext ? { context } : {},
+    ...parsedErrors ? { parsedErrors } : {}
+  };
 }
 async function extractErrorMessage2(error, options) {
   const { message } = await extractErrorDetails2(error, options);
   return message;
 }
+var examplesByCommand2 = new WeakMap;
+Command.prototype.examples = function(examples) {
+  examplesByCommand2.set(this, examples);
+  return this;
+};
+function createStorage2() {
+  const [error, mod2] = catchError22(() => __require3("node:async_hooks"));
+  if (error || typeof mod2?.AsyncLocalStorage !== "function") {
+    return {
+      getStore: () => {
+        return;
+      },
+      run: (_store, fn) => fn()
+    };
+  }
+  return new mod2.AsyncLocalStorage;
+}
+var storageSingleton2 = singleton2("OutputStorage");
+var sinkSlot2 = singleton2("OutputSink");
+var outputStorage2 = storageSingleton2.getOrInit(createStorage2, (v) => ("getStore" in v));
+var CONSOLE_FALLBACK2 = {
+  writeOut: (str2) => process.stdout.write(str2),
+  writeErr: (str2) => process.stderr.write(str2),
+  writeLog: (str2) => process.stdout.write(str2),
+  capabilities: {
+    isInteractive: false,
+    supportsColor: false,
+    outputWidth: 80
+  }
+};
+function getOutputSink2() {
+  return outputStorage2.getStore() ?? sinkSlot2.get() ?? CONSOLE_FALLBACK2;
+}
+var COMPLETER_SYMBOL2 = Symbol.for("@uipath/common/completer");
+var guardInstalledSlot2 = singleton2("ConsoleGuardInstalled");
+var savedOriginalsSlot2 = singleton2("ConsoleGuardOriginals");
+var DEFAULT_AUTH_TIMEOUT_MS22 = 5 * 60 * 1000;
 var isObject3 = (obj) => {
   return obj !== null && Object.prototype.toString.call(obj) === "[object Object]";
 };
@@ -57515,15 +58515,80 @@ class SuccessOutput2 {
     }
   }
 }
-function printOutput2(data, format = "json", logFn) {
+function escapeNonAscii2(jsonText) {
+  return jsonText.replace(/[\u0080-\uffff]/g, (c) => {
+    const hex = c.charCodeAt(0).toString(16).padStart(4, "0");
+    return `\\u${hex}`;
+  });
+}
+function needsAsciiSafeJson2(sink) {
+  return process.platform === "win32" && !sink.capabilities.isInteractive;
+}
+function isPlainRecord2(value) {
+  if (value === null || typeof value !== "object")
+    return false;
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}
+function toLowerCamelCaseKey2(key) {
+  if (!key)
+    return key;
+  if (/[_\-\s]/.test(key)) {
+    const [firstPart, ...restParts] = key.split(/[_\-\s]+/).filter(Boolean);
+    if (!firstPart)
+      return key;
+    return [
+      toLowerCamelCaseSimpleKey2(firstPart),
+      ...restParts.map((part) => {
+        const normalized = toLowerCamelCaseSimpleKey2(part);
+        return normalized.charAt(0).toUpperCase() + normalized.slice(1);
+      })
+    ].join("");
+  }
+  return toLowerCamelCaseSimpleKey2(key);
+}
+function toLowerCamelCaseSimpleKey2(key) {
+  if (/^[A-Z0-9]+$/.test(key))
+    return key.toLowerCase();
+  return key.replace(/^[A-Z]+(?=[A-Z][a-z]|\d|$)|^[A-Z]/, (match) => match.toLowerCase());
+}
+function toPascalCaseKey2(key) {
+  const lowerCamelKey = toLowerCamelCaseKey2(key);
+  return lowerCamelKey ? lowerCamelKey.charAt(0).toUpperCase() + lowerCamelKey.slice(1) : lowerCamelKey;
+}
+function toPascalCaseData2(value) {
+  if (Array.isArray(value))
+    return value.map(toPascalCaseData2);
+  if (!isPlainRecord2(value))
+    return value;
+  const result = {};
+  for (const [key, nestedValue] of Object.entries(value)) {
+    result[toPascalCaseKey2(key)] = toPascalCaseData2(nestedValue);
+  }
+  return result;
+}
+function normalizeDataKeys2(data) {
+  return toPascalCaseData2(data);
+}
+function normalizeOutputKeys2(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    const pascalKey = toPascalCaseKey2(key);
+    result[pascalKey] = pascalKey === "Data" ? value : toPascalCaseData2(value);
+  }
+  return result;
+}
+function printOutput2(data, format = "json", logFn, asciiSafe = false) {
   if (!data) {
     logFn("Empty response object. No data to display.");
     return;
   }
   switch (format) {
-    case "json":
-      logFn(JSON.stringify(data, null, 2));
+    case "json": {
+      const json22 = JSON.stringify(data, null, 2);
+      logFn(asciiSafe ? escapeNonAscii2(json22) : json22);
       break;
+    }
     case "yaml":
       logFn(toYaml2(data));
       break;
@@ -57558,7 +58623,7 @@ function printOutput2(data, format = "json", logFn) {
 function logOutput2(data, format = "json") {
   const sink = getOutputSink2();
   printOutput2(data, format, (msg) => sink.writeOut(`${msg}
-`));
+`), needsAsciiSafeJson2(sink));
 }
 function cellToString2(val) {
   return val != null && typeof val === "object" ? JSON.stringify(val) : String(val ?? "");
@@ -57575,7 +58640,7 @@ function wrapText2(text, width) {
 function printTable2(data, logFn, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   const maxWidths = keys.map((key) => Math.max(key.length, ...data.map((item) => cellToString2(item[key]).length)));
   const header = keys.map((key, i22) => key.padEnd(maxWidths[i22])).join(" | ");
   logFn(header);
@@ -57590,7 +58655,7 @@ function printTable2(data, logFn, externalLogValue) {
   }
 }
 function printVerticalTable2(data, logFn = console.log, externalLogValue) {
-  const keys = Object.keys(data).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   const maxKeyWidth = Math.max(...keys.map((key) => key.length));
@@ -57606,7 +58671,7 @@ function printVerticalTable2(data, logFn = console.log, externalLogValue) {
 function printResizableTable2(data, logFn = console.log, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   if (!process.stdout.isTTY) {
@@ -57682,8 +58747,27 @@ function printResizableTable2(data, logFn = console.log, externalLogValue) {
 function toYaml2(data) {
   return dump2(data);
 }
+
+class FilterEvaluationError2 extends Error {
+  __brand = "FilterEvaluationError";
+  filter;
+  instructions;
+  result = RESULTS2.ValidationError;
+  constructor(filter, cause) {
+    const underlying = cause instanceof Error ? cause.message : String(cause);
+    super(`Filter '${filter}' failed to evaluate: ${underlying}`);
+    this.name = "FilterEvaluationError";
+    this.filter = filter;
+    this.instructions = `The --output-filter expression '${filter}' failed at evaluation time. ` + "Note that --output-filter operates on the 'Data' field of the envelope, not the full object. " + "For example, on a list result use 'length(@)' instead of 'Data | length(@)'.";
+  }
+}
 function applyFilter2(data, filter) {
-  const result = search2(data, filter);
+  let result;
+  try {
+    result = search2(data, filter);
+  } catch (err) {
+    throw new FilterEvaluationError2(filter, err);
+  }
   if (result == null)
     return [];
   if (Array.isArray(result)) {
@@ -57700,13 +58784,18 @@ function applyFilter2(data, filter) {
 }
 var OutputFormatter2;
 ((OutputFormatter3) => {
-  function success(data) {
+  function success(data, options) {
     data.Log ??= getLogFilePath2() || undefined;
+    const normalize = !options?.preserveDataKeys;
+    if (normalize) {
+      data.Data = normalizeDataKeys2(data.Data);
+    }
     const filter = getOutputFilter2();
     if (filter) {
-      data.Data = applyFilter2(data.Data, filter);
+      const filtered = applyFilter2(data.Data, filter);
+      data.Data = normalize ? normalizeDataKeys2(filtered) : filtered;
     }
-    logOutput2(data, getOutputFormat2());
+    logOutput2(normalizeOutputKeys2(data), getOutputFormat2());
   }
   OutputFormatter3.success = success;
   function error(data) {
@@ -57716,7 +58805,7 @@ var OutputFormatter2;
       result: data.Result,
       message: data.Message
     });
-    logOutput2(data, getOutputFormat2());
+    logOutput2(normalizeOutputKeys2(data), getOutputFormat2());
   }
   OutputFormatter3.error = error;
   function emitList(code, items, opts) {
@@ -57737,11 +58826,14 @@ var OutputFormatter2;
   function log(data) {
     const format = getOutputFormat2();
     const sink = getOutputSink2();
+    const normalized = toPascalCaseData2(data);
     if (format === "json") {
-      sink.writeErr(`${JSON.stringify(data)}
+      const json22 = JSON.stringify(normalized);
+      const safe = needsAsciiSafeJson2(sink) ? escapeNonAscii2(json22) : json22;
+      sink.writeErr(`${safe}
 `);
     } else {
-      for (const [key, value] of Object.entries(data)) {
+      for (const [key, value] of Object.entries(normalized)) {
         sink.writeErr(`${key}: ${value}
 `);
       }
@@ -57750,13 +58842,18 @@ var OutputFormatter2;
   OutputFormatter3.log = log;
   function formatToString(data) {
     const filter = getOutputFilter2();
-    if (filter && "Data" in data && data.Data != null) {
-      data.Data = applyFilter2(data.Data, filter);
+    if ("Data" in data && data.Data != null) {
+      data.Data = normalizeDataKeys2(data.Data);
+      if (filter) {
+        data.Data = normalizeDataKeys2(applyFilter2(data.Data, filter));
+      }
     }
+    const output = normalizeOutputKeys2(data);
     const lines = [];
-    printOutput2(data, getOutputFormat2(), (msg) => {
+    const sink = getOutputSink2();
+    printOutput2(output, getOutputFormat2(), (msg) => {
       lines.push(msg);
-    });
+    }, needsAsciiSafeJson2(sink));
     return lines.join(`
 `);
   }
@@ -59163,6 +60260,19 @@ JSONPath2.prototype.safeVm = {
   Script: SafeScript2
 };
 JSONPath2.prototype.vm = vm2;
+var PollOutcome2 = {
+  Completed: "completed",
+  Timeout: "timeout",
+  Interrupted: "interrupted",
+  Aborted: "aborted",
+  Failed: "failed"
+};
+var REASON_BY_OUTCOME2 = {
+  [PollOutcome2.Timeout]: "poll_timeout",
+  [PollOutcome2.Failed]: "poll_failed",
+  [PollOutcome2.Interrupted]: "poll_failed",
+  [PollOutcome2.Aborted]: "poll_aborted"
+};
 var TERMINAL_STATUSES2 = new Set([
   "completed",
   "successful",
@@ -59362,17 +60472,21 @@ Command.prototype.trackedAction = function(context, fn, properties) {
     const telemetryName = deriveCommandPath2(command);
     const props = typeof properties === "function" ? properties(...args) : properties;
     const startTime = performance.now();
-    let errorMessage;
+    let errorMessage22;
     const [error] = await catchError22(fn(...args));
     if (error) {
-      errorMessage = error instanceof Error ? error.message : String(error);
-      logger2.error(`[trackedAction] ${telemetryName} failed: ${errorMessage}`);
+      errorMessage22 = error instanceof Error ? error.message : String(error);
+      logger2.debug(`[trackedAction] ${telemetryName} failed: ${errorMessage22}`);
+      const typed = error;
+      const customInstructions = typeof typed.instructions === "string" ? typed.instructions : undefined;
+      const customResult = typeof typed.result === "string" && typed.result !== RESULTS2.Success && Object.values(RESULTS2).includes(typed.result) ? typed.result : undefined;
+      const finalResult = customResult ?? RESULTS2.Failure;
       OutputFormatter2.error({
-        Result: RESULTS2.Failure,
-        Message: errorMessage,
-        Instructions: "An unexpected error occurred. Run with --log-level debug for details."
+        Result: finalResult,
+        Message: errorMessage22,
+        Instructions: customInstructions ?? "An unexpected error occurred. Run with --log-level debug for details."
       });
-      context.exit(1);
+      context.exit(EXIT_CODES2[finalResult]);
     }
     const durationMs = performance.now() - startTime;
     const success = !error && (process.exitCode === undefined || process.exitCode === 0);
@@ -59381,7 +60495,7 @@ Command.prototype.trackedAction = function(context, fn, properties) {
       ...props,
       duration: String(durationMs),
       success: String(success),
-      ...errorMessage ? { errorMessage } : {}
+      ...errorMessage22 ? { errorMessage: errorMessage22 } : {}
     }));
   });
 };
@@ -59402,13 +60516,15 @@ async function readJsonFile(path32) {
 async function readRawJson(raw) {
   if (raw.status === 204)
     return null;
+  const text = await raw.text();
+  if (!text)
+    return null;
   const contentType = raw.headers.get("content-type") ?? "";
   if (!contentType.toLowerCase().includes("json")) {
-    const body = await raw.text();
-    const preview = body.length > 500 ? `${body.slice(0, 500)}…` : body;
+    const preview = text.length > 500 ? `${text.slice(0, 500)}…` : text;
     throw new Error(`Expected JSON response but got content-type '${contentType || "(none)"}' (HTTP ${raw.status}). Body: ${preview}`);
   }
-  return await raw.json();
+  return JSON.parse(text);
 }
 var GET_EXAMPLES2 = [
   {
@@ -59426,7 +60542,7 @@ var GET_EXAMPLES2 = [
 ];
 var LIST_EXAMPLES2 = [
   {
-    Description: "List every rule that applies to a (licenseType, product, tenant) for the caller",
+    Description: "List every rule that applies to a (license type, product, tenant) for the caller",
     Command: "uip gov aops-policy deployed-policy list Attended StudioX a1b2c3d4-0000-0000-0000-000000000100",
     Output: {
       Code: "AopsPolicyDeployedPolicyList",
@@ -59475,7 +60591,7 @@ var registerDeployedPolicyCommands = (aopsPolicy) => {
   ].join(`
 `));
   deployedPolicy.command("get").description([
-    "Return the single effective deployed policy for a (licenseType, product, tenant) subject.",
+    "Return the single effective deployed policy for a (license type, product, tenant) subject.",
     "",
     "Three resolution modes:",
     "  (default) — use the caller's own user token; resolves for the caller's own identity.",
@@ -59488,7 +60604,7 @@ var registerDeployedPolicyCommands = (aopsPolicy) => {
     "Output: the resolved policy's data payload, or `{ Message: 'No policy applies.' }` when the service returns 204",
     "(no rule matches and no default exists). Use `deployed-policy list` to see every rule, not just the effective one."
   ].join(`
-`)).argument("<licenseType>", "License type (e.g. Attended, Unattended). Must match a name from `license-type list`.").argument("<productName>", "Product name (e.g. StudioX). Must match a name from `product list`.").argument("<tenantIdentifier>", "Tenant GUID. From `deployment tenant list`.").option("--s2s-token <token>", "Service-to-service bearer token. Overrides the user token from 'uip login' for this call only. Still requires `uip login` for base URL / org context. For security, prefer setting the UIP_S2S_TOKEN environment variable — tokens passed as CLI arguments are visible in process listings (ps aux, /proc/*/cmdline).").option("--user-id <userId>", "Resolve the effective policy for this specific user (runs the full user→group→tenant walk). Requires --s2s-token.").option("--tenant-only", "Resolve the tenant-level policy only, ignoring user/group overrides. Requires --s2s-token.").option("--login-validity <minutes>", "Override the interactive-login token lifetime. Ignored when --s2s-token is set (the S2S token lifetime is controlled by the caller).", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES2).trackedAction(processContext2, async (licenseType, productName, tenantIdentifier, options) => {
+`)).argument("<license-type>", "License type (e.g. Attended, Unattended). Must match a name from `license-type list`.").argument("<product-name>", "Product name (e.g. StudioX). Must match a name from `product list`.").argument("<tenantIdentifier>", "Tenant GUID. From `deployment tenant list`.").option("--s2s-token <token>", "Service-to-service bearer token. Overrides the user token from 'uip login' for this call only. Still requires `uip login` for base URL / org context. For security, prefer setting the UIP_S2S_TOKEN environment variable — tokens passed as CLI arguments are visible in process listings (ps aux, /proc/*/cmdline).").option("--user-id <userId>", "Resolve the effective policy for this specific user (runs the full user→group→tenant walk). Requires --s2s-token.").option("--tenant-only", "Resolve the tenant-level policy only, ignoring user/group overrides. Requires --s2s-token.").option("--login-validity <minutes>", "Override the interactive-login token lifetime. Ignored when --s2s-token is set (the S2S token lifetime is controlled by the caller).", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES2).trackedAction(processContext2, async (licenseType, productName, tenantIdentifier, options) => {
     const s2sToken = resolveS2sToken(options);
     const validationError = validateGetOptions(options, s2sToken);
     if (validationError) {
@@ -59501,7 +60617,7 @@ var registerDeployedPolicyCommands = (aopsPolicy) => {
       return;
     }
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity,
         s2sToken
       });
@@ -59551,7 +60667,7 @@ var registerDeployedPolicyCommands = (aopsPolicy) => {
     });
   });
   deployedPolicy.command("list").description([
-    "List every rule that applies to a (licenseType, product, tenant) for the calling user.",
+    "List every rule that applies to a (license type, product, tenant) for the calling user.",
     "",
     "Unlike `deployed-policy get` (which returns only the effective top-priority policy), this returns the",
     "full set of applicable rules in priority order — useful for understanding why a particular value wins.",
@@ -59560,9 +60676,9 @@ var registerDeployedPolicyCommands = (aopsPolicy) => {
     "user or use `deployed-policy get --s2s-token --user-id <id>` for the effective single policy.",
     "Returns an empty array when no rules apply."
   ].join(`
-`)).argument("<licenseType>", "License type (e.g. Attended, Unattended). Must match a name from `license-type list`.").argument("<productName>", "Product name (e.g. StudioX). Must match a name from `product list`.").argument("<tenantIdentifier>", "Tenant GUID. From `deployment tenant list`.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES2).trackedAction(processContext2, async (licenseType, productName, tenantIdentifier, options) => {
+`)).argument("<license-type>", "License type (e.g. Attended, Unattended). Must match a name from `license-type list`.").argument("<product-name>", "Product name (e.g. StudioX). Must match a name from `product list`.").argument("<tenantIdentifier>", "Tenant GUID. From `deployment tenant list`.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES2).trackedAction(processContext2, async (licenseType, productName, tenantIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       return await api.policyGetAllRulesForProduct({
@@ -59683,7 +60799,7 @@ var registerDeploymentGroupCommands = (deployment) => {
   ].join(`
 `)).option("--limit <n>", "Page size — how many groups to return in one call. Defaults to 20.", (v) => Number.parseInt(v, 10), 20).option("--offset <n>", "Zero-based page index (NOT a row offset). Page 0 returns rows 1..limit.", (v) => Number.parseInt(v, 10), 0).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES22).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(GroupApi, {
+      const api = await createApiClient2(GroupApi, {
         loginValidity: options.loginValidity
       });
       return await api.groupGetAllGroups({
@@ -59713,7 +60829,7 @@ var registerDeploymentGroupCommands = (deployment) => {
   ].join(`
 `)).argument("<groupIdentifier>", "Group GUID. From `deployment group list` (the `identifier` field).").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES22).trackedAction(processContext2, async (groupIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       const response = await api.policyGetGroupPoliciesForAllProductsRaw({
@@ -59739,6 +60855,10 @@ var registerDeploymentGroupCommands = (deployment) => {
   group.command("configure").description([
     "Replace a group's per-product policy overrides with the list from a JSON file.",
     "",
+    "If the group is not yet registered with the governance service, this command",
+    "auto-registers it (via the AddGroup endpoint) in the same call. For already-",
+    "registered groups it runs as a full-replace upsert (SaveGroupPolicies).",
+    "",
     "This is a FULL replace, not a merge: products not in the input file are removed from the group's",
     "override list (members fall back to tenant inheritance unless a per-user override exists).",
     "Scope is per productIdentifier (not license-type-scoped).",
@@ -59757,7 +60877,7 @@ var registerDeploymentGroupCommands = (deployment) => {
     "  policyIdentifier = null — pins 'No Policy' at group level (blocks tenant inheritance for members).",
     "  policyIdentifier = GUID — pins that policy for this group + product."
   ].join(`
-`)).argument("<groupIdentifier>", "Group GUID to configure. From `deployment group list`, or the upstream identity provider.").requiredOption("--group <group>", "Display name stored alongside the override (surfaced in audit logs / UI).").requiredOption("--input <path>", "Path to the JSON file holding the assignment array (see command description for the shape).").option("--source <source>", "Identity-provider source for the group (e.g. 'local', 'aad', 'cloud'). Defaults to 'local'. Use the value the upstream identity provider reports.", "local").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CONFIGURE_EXAMPLES).trackedAction(processContext2, async (groupIdentifier, options) => {
+`)).argument("<groupIdentifier>", "Group GUID to configure. From `deployment group list`, or the upstream identity provider.").requiredOption("--group <group>", "Display name stored alongside the override (surfaced in audit logs / UI).").requiredOption("--input <path>", "Path to the JSON file holding the assignment array (see command description for the shape).").option("--source <source>", "Identity-provider source for the group (e.g. 'local', 'aad', 'cloud'). Defaults to 'local'. Used only on the upsert path (when the group already exists in governance); on first-time registration the server resolves source from CIS.", "local").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CONFIGURE_EXAMPLES).trackedAction(processContext2, async (groupIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
       const raw = await readJsonFile(options.input);
       const entries = parseGroupPolicyInput(raw);
@@ -59767,22 +60887,40 @@ var registerDeploymentGroupCommands = (deployment) => {
         groupId: groupIdentifier,
         groupName: options.group
       }));
-      const groupDto = {
-        source: options.source,
+      const groupApi = await createApiClient2(GroupApi, {
+        loginValidity: options.loginValidity
+      });
+      const existingRaw = await groupApi.groupGetGroupByIdentifierRaw({
+        identifier: groupIdentifier
+      });
+      const existing = await readRawJson(existingRaw.raw);
+      if (existing?.identifier) {
+        const groupDto = {
+          source: options.source,
+          identifier: groupIdentifier,
+          name: options.group,
+          groupPolicies
+        };
+        const saved = await groupApi.groupSaveGroupPoliciesRaw({
+          groupDto
+        });
+        return await readRawJson(saved.raw);
+      }
+      const groupToAddDto = {
         identifier: groupIdentifier,
         name: options.group,
         groupPolicies
       };
-      const groupApi = await createApiClient(GroupApi, {
-        loginValidity: options.loginValidity
+      const added = await groupApi.groupAddGroupRaw({
+        groupToAddDto
       });
-      return await groupApi.groupSaveGroupPolicies({ groupDto });
+      return await readRawJson(added.raw);
     })());
     if (error) {
       OutputFormatter2.error({
         Result: RESULTS2.Failure,
         Message: await extractErrorMessage2(error),
-        Instructions: "Ensure the group exists, the input file is valid JSON, and you have governance admin permissions."
+        Instructions: "Check that the group identifier is correct, the input file is valid JSON, and you have governance admin permissions."
       });
       processContext2.exit(1);
       return;
@@ -59800,10 +60938,13 @@ var registerDeploymentGroupCommands = (deployment) => {
   ].join(`
 `)).argument("<groupIdentifier>", "Group GUID to delete. From `deployment group list`.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(DELETE_EXAMPLES2).trackedAction(processContext2, async (groupIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(GroupApi, {
+      const api = await createApiClient2(GroupApi, {
         loginValidity: options.loginValidity
       });
-      return await api.groupDeleteGroup({ groupIdentifier });
+      const deleted = await api.groupDeleteGroupRaw({
+        groupIdentifier
+      });
+      return await readRawJson(deleted.raw);
     })());
     if (error) {
       OutputFormatter2.error({
@@ -59846,7 +60987,7 @@ var LIST_EXAMPLES3 = [
 ];
 var GET_EXAMPLES3 = [
   {
-    Description: "Fetch a tenant's full set of (product, licenseType, policy) assignments",
+    Description: "Fetch a tenant's full set of (product, license type, policy) assignments",
     Command: "uip gov aops-policy deployment tenant get a1b2c3d4-0000-0000-0000-000000000100",
     Output: {
       Code: "AopsPolicyDeploymentTenantGet",
@@ -59937,18 +61078,23 @@ var registerDeploymentTenantCommands = (deployment) => {
 `));
   tenant.command("list").description([
     "List tenants registered in the governance system along with their current policy assignments.",
+    "",
+    "Triggers an upstream sync from OMS before returning, so the page reflects the latest",
+    "tenant catalog (new tenants, disabled/re-enabled state) — not just governance's local cache.",
     "Each entry includes the `tenantIdentifier` needed by `deployment tenant get/configure/remove`",
     "and by `deployed-policy get/list`. Results are paginated."
   ].join(`
-`)).option("--product-name <productName>", "Return only tenants that have an assignment for this product (e.g. StudioX). Matches `product list` names.").option("--limit <n>", "Page size — how many tenants to return in one call. Defaults to 20.", (v) => Number.parseInt(v, 10), 20).option("--offset <n>", "Zero-based page index (NOT a row offset). Page 0 returns rows 1..limit.", (v) => Number.parseInt(v, 10), 0).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES3).trackedAction(processContext2, async (options) => {
+`)).option("--product-name <product-name>", "Return only tenants that have an assignment for this product (e.g. StudioX). Matches `product list` names.").option("--limit <n>", "Page size — how many tenants to return in one call. Defaults to 20.", (v) => Number.parseInt(v, 10), 20).option("--offset <n>", "Zero-based page index (NOT a row offset). Page 0 returns rows 1..limit.", (v) => Number.parseInt(v, 10), 0).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES3).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(TenantApi, {
+      const api = await createApiClient2(TenantApi, {
         loginValidity: options.loginValidity
       });
-      return await api.tenantGetAllTenants({
-        pageIndex: options.offset,
-        pageSize: options.limit,
-        productName: options.productName
+      return await api.tenantSyncAndGetAllTenants({
+        governanceQueryOptions: {
+          pageIndex: options.offset,
+          pageSize: options.limit,
+          productName: options.productName
+        }
       });
     })());
     if (error) {
@@ -59972,10 +61118,13 @@ var registerDeploymentTenantCommands = (deployment) => {
   ].join(`
 `)).argument("<tenantIdentifier>", "Tenant GUID. Obtain from `deployment tenant list` (the `identifier` field).").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES3).trackedAction(processContext2, async (tenantIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(TenantApi, {
+      const api = await createApiClient2(TenantApi, {
         loginValidity: options.loginValidity
       });
-      return await api.tenantGetTenantById({ tenantIdentifier });
+      const fetched = await api.tenantGetTenantByIdRaw({
+        tenantIdentifier
+      });
+      return await readRawJson(fetched.raw);
     })());
     if (error) {
       OutputFormatter2.error({
@@ -59993,7 +61142,10 @@ var registerDeploymentTenantCommands = (deployment) => {
     });
   });
   tenant.command("configure").description([
-    "Replace a tenant's per-(product, licenseType) policy assignments with the list from a JSON file.",
+    "Replace a tenant's per-(product, license type) policy assignments with the list from a JSON file.",
+    "",
+    "Triggers an upstream sync from OMS before saving, so a freshly-created tenant (or a tenant",
+    "whose status changed) is reconciled into governance before assignments are persisted.",
     "",
     "This is a FULL replace, not a merge: entries not in the input file are removed from the tenant.",
     "To preserve existing assignments while adding new ones, start from `deployment tenant get` output.",
@@ -60009,9 +61161,9 @@ var registerDeploymentTenantCommands = (deployment) => {
     "  ]",
     "",
     "Semantics:",
-    "  Omit an (product, licenseType) entry entirely — inherits (nothing pinned at tenant level).",
+    "  Omit a (product, license type) entry entirely — inherits (nothing pinned at tenant level).",
     "  Set policyIdentifier to null — pins 'No Policy' at tenant level (blocks inheritance).",
-    "  Set policyIdentifier to a GUID — pins that policy for this (product, licenseType)."
+    "  Set policyIdentifier to a GUID — pins that policy for this (product, license type)."
   ].join(`
 `)).argument("<tenantIdentifier>", "Tenant GUID to configure. From `deployment tenant list`.").requiredOption("--tenant-name <tenantName>", "Tenant display name. Must match the tenant's name in the governance service (from `tenant get`/`tenant list`).").requiredOption("--input <path>", "Path to the JSON file holding the assignment array (see command description for the shape).").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CONFIGURE_EXAMPLES2).trackedAction(processContext2, async (tenantIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
@@ -60024,12 +61176,14 @@ var registerDeploymentTenantCommands = (deployment) => {
         productIdentifier: entry.productIdentifier,
         licenseTypeIdentifier: entry.licenseTypeIdentifier
       }));
-      const tenantApi = await createApiClient(TenantApi, {
+      const tenantApi = await createApiClient2(TenantApi, {
         loginValidity: options.loginValidity
       });
-      return await tenantApi.tenantSaveTenantPolicies({
+      await tenantApi.tenantSyncAndGetAllTenants({});
+      const saved = await tenantApi.tenantSaveTenantPoliciesRaw({
         tenantPolicyDto
       });
+      return await readRawJson(saved.raw);
     })());
     if (error) {
       OutputFormatter2.error({
@@ -60049,6 +61203,9 @@ var registerDeploymentTenantCommands = (deployment) => {
   tenant.command("remove").description([
     "Remove a tenant's policy assignment(s) for a product without rewriting the full list yourself.",
     "",
+    "Triggers an upstream sync from OMS before reading, so the read-modify-write sees the latest",
+    "tenant state.",
+    "",
     "The command reads the tenant's current assignments, drops entries matching --product-name",
     "(and --license-type if supplied), then re-saves the filtered list via `tenant configure`.",
     "Fails fast with 'No matching policy assignment to remove' if nothing matches.",
@@ -60059,14 +61216,19 @@ var registerDeploymentTenantCommands = (deployment) => {
     "",
     "Output includes both the removed entries and the new tenantPolicies snapshot so you can audit the change."
   ].join(`
-`)).argument("<tenantIdentifier>", "Tenant GUID. From `deployment tenant list`.").requiredOption("--product-name <productName>", "Product to unpin (e.g. StudioX). Matches the `productIdentifier` field on the tenant's saved entries.").option("--license-type <licenseType>", "Narrow the removal to one license type. Omit to remove every license-type entry for the product.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(REMOVE_EXAMPLES).trackedAction(processContext2, async (tenantIdentifier, options) => {
+`)).argument("<tenantIdentifier>", "Tenant GUID. From `deployment tenant list`.").requiredOption("--product-name <product-name>", "Product to unpin (e.g. StudioX). Matches the `productIdentifier` field on the tenant's saved entries.").option("--license-type <license-type>", "Narrow the removal to one license type. Omit to remove every license-type entry for the product.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(REMOVE_EXAMPLES).trackedAction(processContext2, async (tenantIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const tenantApi = await createApiClient(TenantApi, {
+      const tenantApi = await createApiClient2(TenantApi, {
         loginValidity: options.loginValidity
       });
-      const current = await tenantApi.tenantGetTenantById({
+      await tenantApi.tenantSyncAndGetAllTenants({});
+      const currentRaw = await tenantApi.tenantGetTenantByIdRaw({
         tenantIdentifier
       });
+      const current = await readRawJson(currentRaw.raw);
+      if (!current) {
+        throw new Error(`Tenant '${tenantIdentifier}' not found in governance.`);
+      }
       const existing = current.tenantPolicies ?? [];
       const removed = [];
       const kept = [];
@@ -60082,9 +61244,10 @@ var registerDeploymentTenantCommands = (deployment) => {
       if (removed.length === 0) {
         throw new Error("No matching policy assignment to remove.");
       }
-      const saved = await tenantApi.tenantSaveTenantPolicies({
+      const savedRaw = await tenantApi.tenantSaveTenantPoliciesRaw({
         tenantPolicyDto: kept
       });
+      const saved = await readRawJson(savedRaw.raw);
       return { removed, tenantPolicies: saved };
     })());
     if (error) {
@@ -60195,7 +61358,7 @@ var registerDeploymentUserCommands = (deployment) => {
   const user = deployment.command("user").description([
     "Override tenant-level policy assignments for an individual user.",
     "User assignments win over group and tenant at resolution time. Scope is per productIdentifier",
-    "(unlike tenant, which is per (product, licenseType))."
+    "(unlike tenant, which is per (product, license type))."
   ].join(`
 `));
   user.command("list").description([
@@ -60205,7 +61368,7 @@ var registerDeploymentUserCommands = (deployment) => {
   ].join(`
 `)).option("--limit <n>", "Page size — how many users to return in one call. Defaults to 20.", (v) => Number.parseInt(v, 10), 20).option("--offset <n>", "Zero-based page index (NOT a row offset). Page 0 returns rows 1..limit.", (v) => Number.parseInt(v, 10), 0).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES4).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(UserApi, {
+      const api = await createApiClient2(UserApi, {
         loginValidity: options.loginValidity
       });
       return await api.userGetAllUsers({
@@ -60236,7 +61399,7 @@ var registerDeploymentUserCommands = (deployment) => {
   ].join(`
 `)).argument("<userIdentifier>", "User GUID. From `deployment user list` (the `identifier` field).").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES4).trackedAction(processContext2, async (userIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       const response = await api.policyGetUserPoliciesForAllProductsRaw({
@@ -60262,9 +61425,13 @@ var registerDeploymentUserCommands = (deployment) => {
   user.command("configure").description([
     "Replace a user's per-product policy overrides with the list from a JSON file.",
     "",
+    "If the user is not yet registered with the governance service, this command",
+    "auto-registers them (via the AddUser endpoint) in the same call. For already-",
+    "registered users it runs as a full-replace upsert (SaveUserPolicies).",
+    "",
     "This is a FULL replace, not a merge: products not in the input file are removed from the user's",
     "override list (they will fall back to group/tenant inheritance). Scope is per productIdentifier —",
-    "user overrides are not license-type-scoped (unlike tenant assignments).",
+    "user overrides are not license-type scoped (unlike tenant assignments).",
     "",
     "Input file shape (JSON array):",
     "  [",
@@ -60280,7 +61447,7 @@ var registerDeploymentUserCommands = (deployment) => {
     "  policyIdentifier = null — pins 'No Policy' at user level (blocks group/tenant inheritance).",
     "  policyIdentifier = GUID — pins that policy for this user + product."
   ].join(`
-`)).argument("<userIdentifier>", "User GUID to configure. From `deployment user list`, or the upstream identity provider.").requiredOption("--user <user>", "Display name stored alongside the override (surfaced in audit logs / UI).").requiredOption("--input <path>", "Path to the JSON file holding the assignment array (see command description for the shape).").option("--source <source>", "Identity-provider source for the user (e.g. 'local', 'aad', 'cloud'). Defaults to 'local'. Use the value the upstream identity provider reports.", "local").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CONFIGURE_EXAMPLES3).trackedAction(processContext2, async (userIdentifier, options) => {
+`)).argument("<userIdentifier>", "User GUID to configure. From `deployment user list`, or the upstream identity provider.").requiredOption("--user <user>", "Display name stored alongside the override (surfaced in audit logs / UI).").requiredOption("--input <path>", "Path to the JSON file holding the assignment array (see command description for the shape).").option("--source <source>", "Identity-provider source for the user (e.g. 'local', 'aad', 'cloud'). Defaults to 'local'. Used only on the upsert path (when the user already exists in governance); on first-time registration the server resolves source from CIS.", "local").option("--email <email>", "Email used only when registering a brand-new user with the governance service. Ignored once the user is already known to governance. Defaults to --user when omitted.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CONFIGURE_EXAMPLES3).trackedAction(processContext2, async (userIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
       const raw = await readJsonFile(options.input);
       const entries = parseUserPolicyInput(raw);
@@ -60290,22 +61457,40 @@ var registerDeploymentUserCommands = (deployment) => {
         userId: userIdentifier,
         userName: options.user
       }));
-      const userDto = {
-        source: options.source,
+      const userApi = await createApiClient2(UserApi, {
+        loginValidity: options.loginValidity
+      });
+      const existingRaw = await userApi.userGetUserByIdentifierRaw({
+        identifier: userIdentifier
+      });
+      const existing = await readRawJson(existingRaw.raw);
+      if (existing?.identifier) {
+        const userDto = {
+          source: options.source,
+          identifier: userIdentifier,
+          name: options.user,
+          userPolicies
+        };
+        const saved = await userApi.userSaveUserPoliciesRaw({
+          userDto
+        });
+        return await readRawJson(saved.raw);
+      }
+      const userToAddDto = {
         identifier: userIdentifier,
-        name: options.user,
+        email: options.email ?? options.user,
         userPolicies
       };
-      const userApi = await createApiClient(UserApi, {
-        loginValidity: options.loginValidity
+      const added = await userApi.userAddUserRaw({
+        userToAddDto
       });
-      return await userApi.userSaveUserPolicies({ userDto });
+      return await readRawJson(added.raw);
     })());
     if (error) {
       OutputFormatter2.error({
         Result: RESULTS2.Failure,
         Message: await extractErrorMessage2(error),
-        Instructions: "Ensure the user exists, the input file is valid JSON, and you have governance admin permissions."
+        Instructions: "Check that the user identifier is correct, the input file is valid JSON, and you have governance admin permissions."
       });
       processContext2.exit(1);
       return;
@@ -60323,12 +61508,13 @@ var registerDeploymentUserCommands = (deployment) => {
   ].join(`
 `)).argument("<userIdentifier>", "User GUID whose overrides should be cleared. From `deployment user list`.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(DELETE_EXAMPLES22).trackedAction(processContext2, async (userIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(UserApi, {
+      const api = await createApiClient2(UserApi, {
         loginValidity: options.loginValidity
       });
-      return await api.userDeleteUserPolicies({
+      const deleted = await api.userDeleteUserPoliciesRaw({
         userIdentifier
       });
+      return await readRawJson(deleted.raw);
     })());
     if (error) {
       OutputFormatter2.error({
@@ -60351,7 +61537,7 @@ var registerDeploymentCommands = (aopsPolicy) => {
     "Assign, remove, and inspect policy deployments on governance subjects (tenants, users, groups).",
     "",
     "Resolution order at runtime is user → group → tenant (user beats group beats tenant). A subject with no",
-    "explicit assignment for a (product, licenseType) inherits from the next level up; use `null` as the",
+    "explicit assignment for a (product, license type) inherits from the next level up; use `null` as the",
     "policyIdentifier in a configure input to explicitly pin 'No Policy' and short-circuit inheritance.",
     "",
     "Subcommand groups:",
@@ -60389,17 +61575,17 @@ var registerLicenseTypeCommands = (aopsPolicy) => {
   const licenseType = aopsPolicy.command("license-type").description([
     "Inspect the catalog of license types recognized by the governance service.",
     "License types (e.g. Attended, Unattended) are read-only — used to scope `deployment tenant configure` entries",
-    "and as the `<licenseType>` argument to `deployed-policy get/list`."
+    "and as the `<license-type>` argument to `deployed-policy get/list`."
   ].join(`
 `));
   licenseType.command("list").description([
     "List every license type known to the governance service.",
-    "The `identifier` field feeds `deployment tenant configure` entries (one policy per (product, licenseType) pair);",
-    "the display name is what `deployed-policy get/list` accept as the `<licenseType>` argument."
+    "The `identifier` field feeds `deployment tenant configure` entries (one policy per (product, license type) pair);",
+    "the display name is what `deployed-policy get/list` accept as the `<license-type>` argument."
   ].join(`
 `)).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES5).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(LicenseTypeApi, {
+      const api = await createApiClient2(LicenseTypeApi, {
         loginValidity: options.loginValidity
       });
       return await api.licenseTypeGetAllLicenseTypes();
@@ -60470,7 +61656,7 @@ var registerProductCommands = (aopsPolicy) => {
   ].join(`
 `)).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES6).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(ProductApi, {
+      const api = await createApiClient2(ProductApi, {
         loginValidity: options.loginValidity
       });
       return await api.productGetAllProducts();
@@ -60492,7 +61678,7 @@ var registerProductCommands = (aopsPolicy) => {
   });
   product.command("get").description("Fetch a single product record (name, label, identifier, flags). Use to verify a name is valid before calling `policy create` or `template get`.").argument("<productIdentifier>", "Product name (e.g. StudioX) or GUID. Either the `name` or the `identifier` from `product list` is accepted.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES5).trackedAction(processContext2, async (productIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(ProductApi, {
+      const api = await createApiClient2(ProductApi, {
         loginValidity: options.loginValidity
       });
       return await api.productGetProductByName({
@@ -62747,7 +63933,7 @@ var registerTemplateCommands = (aopsPolicy) => {
 `));
   template.command("get").description("Fetch the active Form.io policy template for one product and emit policy artifacts. " + "Pass --output-form-data to write the fillable blueprint (the object you fill in and submit back on create/update); display-only components (hidden, button, submit, HTML, content) are skipped and missing leaves get type-appropriate defaults (false for checkbox, [] for editgrid, {} for selectboxes, null for text/select). " + "Pass --output-template-locale-resource to write a human-readable reference derived from the DTO: every product-scoped locale key is replaced with its English string (with a sibling `<prop>-key` preserving the original for traceability) and `defaultData.data` is replaced with a flat annotated map ({ value, type, label, description?, tooltip? }); cross-product prefixes (e.g. `AutomationOps.submit`) are left unresolved. " + "If neither --output flag is passed, the template and form-data are returned in the stdout Success payload (`Data.template` and `Data.formData`) for piping/scripting.").argument("<productIdentifier>", "Product name or identifier (e.g. StudioX, AITrustLayer). Use 'uip gov aops-policy product list' to list options.").option("--output-form-data <path>", "Write the fillable form-data blueprint JSON (the object you edit and submit back).").option("--output-template-locale-resource <path>", "Write the locale-resolved template reference JSON (open this to understand every field, option label, description, tooltip, and validation message).").option("--login-validity <minutes>", "Login token validity in minutes", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES6).trackedAction(processContext2, async (productIdentifier, options) => {
     const [templateError, dto] = await catchError22((async () => {
-      const api = await createApiClient(ContentApi, {
+      const api = await createApiClient2(ContentApi, {
         loginValidity: options.loginValidity
       });
       return await api.contentGetFormioTemplatesByProductIdentifier({ productIdentifier });
@@ -62806,7 +63992,7 @@ var registerTemplateCommands = (aopsPolicy) => {
   });
   template.command("list").description("Fetch every product's active Form.io template and dump a full artifact set per product. " + "For each product, writes three files under <output-dir>/<ProductName>/: " + "`form-template.json` (the raw DTO returned by the governance API, for debugging/reference); " + "`form-data.json` (the fillable blueprint — edit this and submit to create/update a policy); " + "`form-template-locale-resource.json` (the locale-resolved reference — open this first to understand each field, its options, and its validation rules before filling `form-data.json`; see `template get --help` for the file's shape). " + "Per-product fetch failures are collected and do not abort the run; the command exits 1 only if every product fails. Use this instead of looping `template get` to dump all products in one pass.").requiredOption("--output-dir <path>", "Directory under which <ProductName>/ folders (containing the three artifacts) will be created.").option("--login-validity <minutes>", "Login token validity in minutes", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES7).trackedAction(processContext2, async (options) => {
     const [productsError, products] = await catchError22((async () => {
-      const api = await createApiClient(ProductApi, {
+      const api = await createApiClient2(ProductApi, {
         loginValidity: options.loginValidity
       });
       return await api.productGetAllProducts();
@@ -62823,7 +64009,7 @@ var registerTemplateCommands = (aopsPolicy) => {
     const locale = en_US_default;
     const fs72 = getFileSystem2();
     const outputDir = fs72.path.resolve(options.outputDir);
-    const contentApi = await createApiClient(ContentApi, {
+    const contentApi = await createApiClient2(ContentApi, {
       loginValidity: options.loginValidity
     });
     const productList = Array.isArray(products) ? products : [];
@@ -62979,7 +64165,7 @@ var registerAopsPolicyCommand = (program2) => {
     "  license-type — list license types (feeds deployment entries).",
     "  template — fetch Form.io templates and emit the form-data blueprint you pass to create/update.",
     "  deployment — assign policies to tenants/users/groups.",
-    "  deployed-policy — resolve the effective policy for a (licenseType, product, tenant) subject.",
+    "  deployed-policy — resolve the effective policy for a (license type, product, tenant) subject.",
     "",
     "Typical flow: `template get <product>` → edit the emitted form-data.json →",
     "`policy create --product-name <product> --name <name> --input form-data.json` →",
@@ -62997,24 +64183,24 @@ var registerAopsPolicyCommand = (program2) => {
     "Use the returned `identifier` with `policy get`, `policy update`, `policy delete`, or with",
     "`deployment tenant|user|group configure` to assign the policy."
   ].join(`
-`)).option("--product-name <productName>", "Restrict results to one product (e.g. StudioX). Matches `product.name` — use `product list` to see available names.").option("--product-label <productLabel>", "Restrict results to one product by its display label (e.g. 'Studio X'). Prefer --product-name for scripting.").option("--search <searchTerm>", "Case-insensitive substring match against policy name/description.").option("--order-by <field>", "Field to sort by (e.g. name, createdOn, priority). Passed through to the governance API.").option("--order-direction <direction>", "Sort direction for --order-by: 'asc' (ascending) or 'desc' (descending). Case-insensitive.").option("--limit <n>", "Page size — how many policies to return in one call. Defaults to 20.", (v) => Number.parseInt(v, 10), 20).option("--offset <n>", "Zero-based page index (NOT a row offset). Page 0 returns rows 1..limit, page 1 returns limit+1..2*limit, etc.", (v) => Number.parseInt(v, 10), 0).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES8).trackedAction(processContext2, async (options) => {
+`)).option("--product-name <product-name>", "Restrict results to one product (e.g. StudioX). Matches `product.name` — use `product list` to see available names.").option("--product-label <productLabel>", "Restrict results to one product by its display label (e.g. 'Studio X'). Prefer --product-name for scripting.").option("--search <searchTerm>", "Case-insensitive substring match against policy name/description.").option("--sort-by <field>", "Field to sort by (e.g. name, createdOn, priority). Passed through to the governance API.").option("--sort-order <direction>", "Sort direction for --sort-by: 'asc' (ascending) or 'desc' (descending). Case-insensitive.").option("--limit <n>", "Page size — how many policies to return in one call. Defaults to 20.", (v) => Number.parseInt(v, 10), 20).option("--offset <n>", "Zero-based page index (NOT a row offset). Page 0 returns rows 1..limit, page 1 returns limit+1..2*limit, etc.", (v) => Number.parseInt(v, 10), 0).option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(LIST_EXAMPLES8).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
       let sortOrder;
-      if (options.orderDirection) {
-        const direction = options.orderDirection.toLowerCase();
+      if (options.sortOrder) {
+        const direction = options.sortOrder.toLowerCase();
         if (direction !== "asc" && direction !== "desc") {
-          throw new Error(`Invalid --order-direction '${options.orderDirection}'. Use 'asc' or 'desc'.`);
+          throw new Error(`Invalid --sort-order '${options.sortOrder}'. Use 'asc' or 'desc'.`);
         }
         sortOrder = direction === "asc" ? SortOrder.NUMBER_0 : SortOrder.NUMBER_1;
       }
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       return await api.policyGetAllPoliciesByQueryOptions({
         productName: options.productName,
         productLabel: options.productLabel,
         searchTerm: options.search,
-        sortBy: options.orderBy,
+        sortBy: options.sortBy,
         sortOrder,
         pageIndex: options.offset,
         pageSize: options.limit
@@ -63042,7 +64228,7 @@ var registerAopsPolicyCommand = (program2) => {
   ].join(`
 `)).argument("<policyIdentifier>", "Policy GUID. Obtain from `policy list` (the `identifier` field of each returned policy).").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(GET_EXAMPLES7).trackedAction(processContext2, async (policyIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       return await api.policyGetPolicyById({ policyIdentifier });
@@ -63072,7 +64258,7 @@ var registerAopsPolicyCommand = (program2) => {
     "After creation, the new policy's identifier can be passed to `deployment tenant|user|group configure`",
     "to assign it to a subject."
   ].join(`
-`)).requiredOption("--name <name>", "Human-readable policy name (must be unique within the product).").requiredOption("--product-name <productName>", "Target product (e.g. StudioX, AITrustLayer). Must match a name from `product list`.").option("--description <description>", "Optional free-text description surfaced in the governance UI.").option("--priority <n>", "Integer priority. When multiple policies apply to the same subject, higher numbers win.", (v) => Number.parseInt(v, 10)).option("--availability <n>", "Availability flag (product-specific enum). Check the governance UI or service docs for valid values.", (v) => Number.parseInt(v, 10)).option("--input <path>", "Path to a JSON file with the filled form-data object (produced by `template get --output-form-data`). Omit for a policy with no data payload.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CREATE_EXAMPLES2).trackedAction(processContext2, async (options) => {
+`)).requiredOption("--name <name>", "Human-readable policy name (must be unique within the product).").requiredOption("--product-name <product-name>", "Target product (e.g. StudioX, AITrustLayer). Must match a name from `product list`.").option("--description <description>", "Optional free-text description surfaced in the governance UI.").option("--priority <n>", "Integer priority. When multiple policies apply to the same subject, higher numbers win.", (v) => Number.parseInt(v, 10)).option("--availability <n>", "Availability flag (product-specific enum). Check the governance UI or service docs for valid values.", (v) => Number.parseInt(v, 10)).option("--input <path>", "Path to a JSON file with the filled form-data object (produced by `template get --output-form-data`). Omit for a policy with no data payload.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(CREATE_EXAMPLES2).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
       const data = await readPolicyDataFile(options.input);
       const createPolicyRequest = {
@@ -63083,7 +64269,7 @@ var registerAopsPolicyCommand = (program2) => {
         availability: options.availability,
         data
       };
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       return await api.policyCreatePolicyV2({
@@ -63115,7 +64301,7 @@ var registerAopsPolicyCommand = (program2) => {
     "Fails with a 'template upgrade in progress' error if the underlying Form.io template is being migrated;",
     "retry once the upgrade completes."
   ].join(`
-`)).requiredOption("--identifier <identifier>", "Policy GUID to update. From `policy list` or `policy get`.").requiredOption("--name <name>", "Policy name. Required on every update — passing the existing name preserves it.").requiredOption("--product-name <productName>", "Target product. Must match the policy's existing product (changing product on update is not supported).").option("--description <description>", "Free-text description. Full-replace: omitting this flag clears the description — re-pass the existing value from `policy get` to preserve it.").option("--priority <n>", "Integer priority. Full-replace: omitting this flag clears priority on the server — re-pass the existing value from `policy get` to preserve it.", (v) => Number.parseInt(v, 10)).option("--availability <n>", "Availability flag. Full-replace: omitting this flag clears availability — re-pass the existing value from `policy get` to preserve it.", (v) => Number.parseInt(v, 10)).option("--input <path>", "Path to a JSON file with the updated form-data object. Full-replace: omitting this flag clears the data payload — re-pass the existing data (save `policy get` output to a file) to preserve it.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(UPDATE_EXAMPLES2).trackedAction(processContext2, async (options) => {
+`)).requiredOption("--identifier <identifier>", "Policy GUID to update. From `policy list` or `policy get`.").requiredOption("--name <name>", "Policy name. Required on every update — passing the existing name preserves it.").requiredOption("--product-name <product-name>", "Target product. Must match the policy's existing product (changing product on update is not supported).").option("--description <description>", "Free-text description. Full-replace: omitting this flag clears the description — re-pass the existing value from `policy get` to preserve it.").option("--priority <n>", "Integer priority. Full-replace: omitting this flag clears priority on the server — re-pass the existing value from `policy get` to preserve it.", (v) => Number.parseInt(v, 10)).option("--availability <n>", "Availability flag. Full-replace: omitting this flag clears availability — re-pass the existing value from `policy get` to preserve it.", (v) => Number.parseInt(v, 10)).option("--input <path>", "Path to a JSON file with the updated form-data object. Full-replace: omitting this flag clears the data payload — re-pass the existing data (save `policy get` output to a file) to preserve it.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(UPDATE_EXAMPLES2).trackedAction(processContext2, async (options) => {
     const [error, result] = await catchError22((async () => {
       const data = await readPolicyDataFile(options.input);
       const updatePolicyRequest = {
@@ -63127,7 +64313,7 @@ var registerAopsPolicyCommand = (program2) => {
         availability: options.availability,
         data
       };
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       return await api.policyUpdatePolicyV2({
@@ -63158,7 +64344,7 @@ var registerAopsPolicyCommand = (program2) => {
   ].join(`
 `)).argument("<policyIdentifier>", "Policy GUID to delete. From `policy list`.").option("--login-validity <minutes>", "Override the interactive-login token lifetime for this call. Rarely needed.", (v) => Number.parseInt(v, 10)).examples(DELETE_EXAMPLES3).trackedAction(processContext2, async (policyIdentifier, options) => {
     const [error, result] = await catchError22((async () => {
-      const api = await createApiClient(PolicyApi, {
+      const api = await createApiClient2(PolicyApi, {
         loginValidity: options.loginValidity
       });
       return await api.policyDeletePolicy({ policyIdentifier });
@@ -63181,7 +64367,7 @@ var registerAopsPolicyCommand = (program2) => {
 };
 var metadata2 = {
   name: "aops-policy-tool",
-  version: package_default2.version,
+  version: package_default3.version,
   description: "Manage UiPath AOps governance policies.",
   commandPrefix: "gov"
 };
@@ -63189,9 +64375,10 @@ var registerCommands2 = async (program2) => {
   registerAopsPolicyCommand(program2);
 };
 // package.json
-var package_default3 = {
+var package_default5 = {
   name: "@uipath/gov-tool",
-  version: "0.3.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "Manage UiPath governance (AOps and Access policies) end-to-end.",
   private: false,
   repository: {
@@ -63233,7 +64420,7 @@ var package_default3 = {
 // src/tool.ts
 var metadata3 = {
   name: "gov-tool",
-  version: package_default3.version,
+  version: package_default5.version,
   description: "Manage UiPath governance — AOps policies and Access policies.",
   commandPrefix: "gov"
 };