npm - @uipath/gov-tool - Versions diffs - 1.1.0 → 1.2.0 - Mend

@uipath/gov-tool 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/tool.js +1301 -305
package/package.json +25 -31

package/dist/tool.js CHANGED Viewed

@@ -2156,6 +2156,7 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 import childProcess3 from "node:child_process";
 import fs5, { constants as fsConstants2 } from "node:fs/promises";
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import * as fs6 from "node:fs/promises";
 import * as os2 from "node:os";
@@ -2928,6 +2929,90 @@ class NodeFileSystem {
   async mkdir(dirPath) {
     await fs6.mkdir(dirPath, { recursive: true });
   }
+  async acquireLock(lockPath) {
+    const canonicalPath = await this.canonicalizeLockTarget(lockPath);
+    const lockFile = `${canonicalPath}.lock`;
+    const ownerId = randomUUID();
+    const start = Date.now();
+    while (true) {
+      try {
+        await fs6.writeFile(lockFile, ownerId, { flag: "wx" });
+        return this.createLockRelease(lockFile, ownerId);
+      } catch (error) {
+        if (!this.hasErrnoCode(error, "EEXIST")) {
+          throw error;
+        }
+        const stats = await fs6.stat(lockFile).catch(() => null);
+        if (stats && Date.now() - stats.mtimeMs > LOCK_STALE_MS) {
+          const reclaimed = await fs6.rm(lockFile, { force: true }).then(() => true).catch(() => false);
+          if (reclaimed)
+            continue;
+        }
+        if (Date.now() - start > LOCK_MAX_WAIT_MS) {
+          throw new Error(`ELOCKED: timed out waiting for lock on ${canonicalPath}`);
+        }
+        await new Promise((resolve2) => setTimeout(resolve2, LOCK_RETRY_MIN_MS + Math.random() * LOCK_RETRY_JITTER_MS));
+      }
+    }
+  }
+  async canonicalizeLockTarget(lockPath) {
+    const absolute = path2.resolve(lockPath);
+    const fullReal = await fs6.realpath(absolute).catch(() => null);
+    if (fullReal)
+      return fullReal;
+    const parent = path2.dirname(absolute);
+    const base = path2.basename(absolute);
+    const canonicalParent = await fs6.realpath(parent).catch(() => parent);
+    return path2.join(canonicalParent, base);
+  }
+  createLockRelease(lockFile, ownerId) {
+    const heartbeatStart = Date.now();
+    let heartbeatTimer;
+    let stopped = false;
+    const stopHeartbeat = () => {
+      stopped = true;
+      if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    };
+    const scheduleNextHeartbeat = () => {
+      if (stopped)
+        return;
+      if (Date.now() - heartbeatStart >= LOCK_MAX_HOLD_MS) {
+        stopped = true;
+        return;
+      }
+      heartbeatTimer = setTimeout(() => {
+        runHeartbeat();
+      }, LOCK_HEARTBEAT_MS);
+      heartbeatTimer.unref?.();
+    };
+    const runHeartbeat = async () => {
+      if (stopped)
+        return;
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (stopped)
+        return;
+      if (current !== ownerId) {
+        stopped = true;
+        return;
+      }
+      const now = Date.now() / 1000;
+      await fs6.utimes(lockFile, now, now).catch(() => {});
+      scheduleNextHeartbeat();
+    };
+    scheduleNextHeartbeat();
+    let released = false;
+    return async () => {
+      if (released)
+        return;
+      released = true;
+      stopHeartbeat();
+      const current = await fs6.readFile(lockFile, "utf-8").catch(() => null);
+      if (current === ownerId) {
+        await fs6.rm(lockFile, { force: true });
+      }
+    };
+  }
   async rm(filePath) {
     await fs6.rm(filePath, { recursive: true, force: true });
   }
@@ -2973,9 +3058,18 @@ class NodeFileSystem {
     }
   }
   isEnoent(error) {
-    return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+    return this.hasErrnoCode(error, "ENOENT");
+  }
+  hasErrnoCode(error, code) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === code;
   }
 }
+var LOCK_HEARTBEAT_MS = 5000;
+var LOCK_STALE_MS = 15000;
+var LOCK_MAX_WAIT_MS = 20000;
+var LOCK_MAX_HOLD_MS = 60000;
+var LOCK_RETRY_MIN_MS = 100;
+var LOCK_RETRY_JITTER_MS = 200;
 var init_node = __esm(() => {
   init_open();
 });
@@ -2987,7 +3081,7 @@ var init_src = __esm(() => {
   fsInstance = new NodeFileSystem;
 });
 var require_coreipc = __commonJS2((exports, module) => {
-  var __dirname3 = "/Users/alexandru.oltean/github/cli/node_modules/@uipath/coreipc";
+  var __dirname3 = "/home/runner/work/cli/cli/node_modules/@uipath/coreipc";
   /*! For license information please see index.js.LICENSE.txt */
   (function(e, t) {
     typeof exports == "object" && typeof module == "object" ? module.exports = t() : typeof define == "function" && define.amd ? define([], t) : typeof exports == "object" ? exports.ipc = t() : e.ipc = t();
@@ -20787,9 +20881,13 @@ var require_dist = __commonJS2((exports) => {
   exports.RobotProxyConstructor = RobotProxyConstructor;
   __exportStar(require_agent(), exports);
 });
+var init_server = __esm(() => {
+  init_constants();
+});
 var package_default = {
   name: "@uipath/access-policy-tool",
-  version: "1.1.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "Manage UiPath Access Policies, rules, and compliance evaluations.",
   private: false,
   repository: {
@@ -20831,6 +20929,132 @@ var package_default = {
     typescript: "^6.0.2"
   }
 };
+var PREFIX = "@uipath/common/";
+var _g = globalThis;
+function singleton(ctorOrName) {
+  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
+  const key = Symbol.for(PREFIX + name);
+  return {
+    get(fallback) {
+      return _g[key] ?? fallback;
+    },
+    set(value) {
+      _g[key] = value;
+    },
+    clear() {
+      delete _g[key];
+    },
+    getOrInit(factory, guard) {
+      const existing = _g[key];
+      if (existing != null && typeof existing === "object") {
+        if (!guard || guard(existing)) {
+          return existing;
+        }
+      }
+      const instance = factory();
+      _g[key] = instance;
+      return instance;
+    }
+  };
+}
+var USER_AGENT_HEADER = "User-Agent";
+var sdkUserAgentHostToken = singleton("SdkUserAgentHostToken");
+function userAgentPatchKey(userAgent) {
+  return Symbol.for(`@uipath/common/sdk-user-agent/${userAgent}`);
+}
+function splitUserAgentTokens(value) {
+  return value?.trim().split(/\s+/).filter(Boolean) ?? [];
+}
+function appendUserAgentToken(value, userAgent) {
+  const tokens = splitUserAgentTokens(value);
+  const seen = new Set(tokens);
+  for (const token of splitUserAgentTokens(userAgent)) {
+    if (!seen.has(token)) {
+      tokens.push(token);
+      seen.add(token);
+    }
+  }
+  return tokens.join(" ");
+}
+function getEffectiveUserAgent(userAgent) {
+  return appendUserAgentToken(sdkUserAgentHostToken.get(), userAgent);
+}
+function isHeadersLike(headers) {
+  return typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function" && "set" in headers && typeof headers.set === "function";
+}
+function getSdkUserAgentToken(pkg) {
+  const packageName = pkg.name.replace(/^@uipath\//, "");
+  return getEffectiveUserAgent(`${packageName}/${pkg.version}`);
+}
+function addSdkUserAgentHeader(headers, userAgent) {
+  const result = { ...headers ?? {} };
+  const effectiveUserAgent = getEffectiveUserAgent(userAgent);
+  const headerName = Object.keys(result).find((key) => key.toLowerCase() === USER_AGENT_HEADER.toLowerCase());
+  if (headerName) {
+    result[headerName] = appendUserAgentToken(result[headerName], effectiveUserAgent);
+  } else {
+    result[USER_AGENT_HEADER] = effectiveUserAgent;
+  }
+  return result;
+}
+function withSdkUserAgentHeader(headers, userAgent) {
+  const effectiveUserAgent = getEffectiveUserAgent(userAgent);
+  if (isHeadersLike(headers)) {
+    headers.set(USER_AGENT_HEADER, appendUserAgentToken(headers.get(USER_AGENT_HEADER), effectiveUserAgent));
+    return headers;
+  }
+  if (Array.isArray(headers)) {
+    const result = headers.map((entry) => {
+      const [key, value] = entry;
+      return [key, value];
+    });
+    const headerIndex = result.findIndex(([key]) => key.toLowerCase() === USER_AGENT_HEADER.toLowerCase());
+    if (headerIndex >= 0) {
+      const [key, value] = result[headerIndex];
+      result[headerIndex] = [
+        key,
+        appendUserAgentToken(value, effectiveUserAgent)
+      ];
+    } else {
+      result.push([USER_AGENT_HEADER, effectiveUserAgent]);
+    }
+    return result;
+  }
+  return addSdkUserAgentHeader(typeof headers === "object" && headers !== null ? { ...headers } : {}, effectiveUserAgent);
+}
+function withUserAgentInitOverride(initOverrides, userAgent) {
+  return async (requestContext) => {
+    const initWithUserAgent = {
+      ...requestContext.init,
+      headers: withSdkUserAgentHeader(requestContext.init.headers, userAgent)
+    };
+    const override = typeof initOverrides === "function" ? await initOverrides({
+      ...requestContext,
+      init: initWithUserAgent
+    }) : initOverrides;
+    return {
+      ...override ?? {},
+      headers: withSdkUserAgentHeader(override?.headers ?? initWithUserAgent.headers, userAgent)
+    };
+  };
+}
+function installSdkUserAgentHeader(BaseApiClass, userAgent) {
+  const prototype = BaseApiClass.prototype;
+  const patchKey = userAgentPatchKey(userAgent);
+  if (prototype[patchKey]) {
+    return;
+  }
+  if (typeof prototype.request !== "function") {
+    throw new Error("Generated BaseAPI request function not found.");
+  }
+  const originalRequest = prototype.request;
+  prototype.request = function requestWithUserAgent(context, initOverrides) {
+    return originalRequest.call(this, context, withUserAgentInitOverride(initOverrides, userAgent));
+  };
+  Object.defineProperty(prototype, patchKey, {
+    value: true
+  });
+}
 var BASE_PATH = "http://localhost".replace(/\/+$/, "");
 class Configuration {
@@ -21080,6 +21304,54 @@ class VoidApiResponse {
     return;
   }
 }
+var package_default2 = {
+  name: "@uipath/authz-sdk",
+  license: "MIT",
+  version: "1.2.0",
+  description: "SDK for the UiPath Authorization Service API.",
+  repository: {
+    type: "git",
+    url: "https://github.com/UiPath/cli.git",
+    directory: "packages/admin/authz-sdk"
+  },
+  publishConfig: {
+    registry: "https://npm.pkg.github.com/@uipath"
+  },
+  keywords: [
+    "uipath",
+    "authorization",
+    "authz",
+    "sdk"
+  ],
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/src/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  private: true,
+  scripts: {
+    build: "bun build ./src/index.ts --outdir dist --format esm --target node && tsc -p tsconfig.build.json --noCheck",
+    generate: "bun run src/scripts/generate-sdk.ts",
+    lint: "biome check ."
+  },
+  devDependencies: {
+    "@openapitools/openapi-generator-cli": "^2.31.1",
+    "@types/node": "^25.5.2",
+    "@uipath/auth": "workspace:*",
+    "@uipath/common": "workspace:*",
+    "@uipath/filesystem": "workspace:*",
+    typescript: "^6.0.2"
+  }
+};
+var SDK_USER_AGENT = getSdkUserAgentToken(package_default2);
+installSdkUserAgentHeader(BaseAPI, SDK_USER_AGENT);
 function PolicyOperatorFromJSON(json) {
   return PolicyOperatorFromJSONTyped(json, false);
 }
@@ -21650,32 +21922,7 @@ class InvalidBaseUrlError extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights",
-  "ReferenceToken",
-  "Audit.Read"
-];
+var DEFAULT_SCOPES = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -21725,7 +21972,8 @@ var resolveConfigAsync = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES;
   return {
     clientId,
     clientSecret,
@@ -22212,6 +22460,129 @@ function normalizeTokenRefreshFailure() {
 function normalizeTokenRefreshUnavailableFailure() {
   return "token refresh failed before authentication completed";
 }
+function errorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage(error)}`
+        }
+      }
+    };
+  }
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
 var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync,
@@ -22286,73 +22657,103 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs7 = getFs();
+    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs7.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
+    }
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
     } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure() : normalizeTokenRefreshUnavailableFailure();
+      const msg = errorMessage(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file",
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint,
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    const refreshedExp = getTokenExpiration(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
-      return {
-        loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+    let lockedFailure;
+    try {
+      const outcome = await runRefreshLocked({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig
+      });
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
         }
-      };
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
-    try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
-      });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -22367,23 +22768,13 @@ var getLoginStatusWithDeps = async (options = {}, deps = {}) => {
     expiration,
     source: "file",
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs7 = getFs();
-    const globalPath = fs7.path.join(fs7.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs7.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -22398,6 +22789,7 @@ var getLoginStatusAsync = async (options = {}) => {
 };
 init_src();
 init_src();
+init_server();
 async function resolveConfig(plane, options) {
   const status = await getLoginStatusAsync({
     ensureTokenValidityMinutes: options?.loginValidity
@@ -22413,7 +22805,8 @@ async function resolveConfig(plane, options) {
   return {
     config: new Configuration({
       basePath,
-      accessToken: async () => bearerToken
+      accessToken: async () => bearerToken,
+      headers: addSdkUserAgentHeader(undefined, SDK_USER_AGENT)
     }),
     organizationId: status.organizationId,
     tenantId: status.tenantId,
@@ -22567,10 +22960,15 @@ async function extractErrorDetails(error, options) {
   }
   if (parsedBody?.errorCode && typeof parsedBody.errorCode === "string") {
     context.errorCode = parsedBody.errorCode;
+  } else if (parsedBody?.code && typeof parsedBody.code === "string") {
+    context.errorCode = parsedBody.code;
   }
   if (parsedBody?.requestId && typeof parsedBody.requestId === "string") {
     context.requestId = parsedBody.requestId;
   }
+  if (parsedBody?.traceId && typeof parsedBody.traceId === "string") {
+    context.traceId = parsedBody.traceId;
+  }
   if (status === 429) {
     const resp = response;
     const headersObj = resp?.headers;
@@ -22590,7 +22988,35 @@ async function extractErrorDetails(error, options) {
     }
   }
   const hasContext = Object.keys(context).length > 0;
-  return { result, message, details, ...hasContext ? { context } : {} };
+  let parsedErrors;
+  if (parsedBody?.errors && typeof parsedBody.errors === "object") {
+    const errors = {};
+    for (const [field, raw] of Object.entries(parsedBody.errors)) {
+      if (Array.isArray(raw)) {
+        const messages = raw.map((entry) => {
+          if (typeof entry === "string")
+            return entry;
+          if (entry && typeof entry === "object" && typeof entry.message === "string") {
+            return entry.message;
+          }
+          return String(entry);
+        }).filter(Boolean);
+        if (messages.length > 0)
+          errors[field] = messages;
+      } else if (typeof raw === "string") {
+        errors[field] = [raw];
+      }
+    }
+    if (Object.keys(errors).length > 0)
+      parsedErrors = errors;
+  }
+  return {
+    result,
+    message,
+    details,
+    ...hasContext ? { context } : {},
+    ...parsedErrors ? { parsedErrors } : {}
+  };
 }
 async function extractErrorMessage(error, options) {
   const { message } = await extractErrorDetails(error, options);
@@ -22601,34 +23027,6 @@ Command.prototype.examples = function(examples) {
   examplesByCommand.set(this, examples);
   return this;
 };
-var PREFIX = "@uipath/common/";
-var _g = globalThis;
-function singleton(ctorOrName) {
-  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
-  const key = Symbol.for(PREFIX + name);
-  return {
-    get(fallback) {
-      return _g[key] ?? fallback;
-    },
-    set(value) {
-      _g[key] = value;
-    },
-    clear() {
-      delete _g[key];
-    },
-    getOrInit(factory, guard) {
-      const existing = _g[key];
-      if (existing != null && typeof existing === "object") {
-        if (!guard || guard(existing)) {
-          return existing;
-        }
-      }
-      const instance = factory();
-      _g[key] = instance;
-      return instance;
-    }
-  };
-}
 function createStorage() {
   const [error, mod] = catchError2(() => __require2("node:async_hooks"));
   if (error || typeof mod?.AsyncLocalStorage !== "function") {
@@ -27695,6 +28093,60 @@ function escapeNonAscii(jsonText) {
 function needsAsciiSafeJson(sink) {
   return process.platform === "win32" && !sink.capabilities.isInteractive;
 }
+function isPlainRecord(value) {
+  if (value === null || typeof value !== "object")
+    return false;
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}
+function toLowerCamelCaseKey(key) {
+  if (!key)
+    return key;
+  if (/[_\-\s]/.test(key)) {
+    const [firstPart, ...restParts] = key.split(/[_\-\s]+/).filter(Boolean);
+    if (!firstPart)
+      return key;
+    return [
+      toLowerCamelCaseSimpleKey(firstPart),
+      ...restParts.map((part) => {
+        const normalized = toLowerCamelCaseSimpleKey(part);
+        return normalized.charAt(0).toUpperCase() + normalized.slice(1);
+      })
+    ].join("");
+  }
+  return toLowerCamelCaseSimpleKey(key);
+}
+function toLowerCamelCaseSimpleKey(key) {
+  if (/^[A-Z0-9]+$/.test(key))
+    return key.toLowerCase();
+  return key.replace(/^[A-Z]+(?=[A-Z][a-z]|\d|$)|^[A-Z]/, (match) => match.toLowerCase());
+}
+function toPascalCaseKey(key) {
+  const lowerCamelKey = toLowerCamelCaseKey(key);
+  return lowerCamelKey ? lowerCamelKey.charAt(0).toUpperCase() + lowerCamelKey.slice(1) : lowerCamelKey;
+}
+function toPascalCaseData(value) {
+  if (Array.isArray(value))
+    return value.map(toPascalCaseData);
+  if (!isPlainRecord(value))
+    return value;
+  const result = {};
+  for (const [key, nestedValue] of Object.entries(value)) {
+    result[toPascalCaseKey(key)] = toPascalCaseData(nestedValue);
+  }
+  return result;
+}
+function normalizeDataKeys(data) {
+  return toPascalCaseData(data);
+}
+function normalizeOutputKeys(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    const pascalKey = toPascalCaseKey(key);
+    result[pascalKey] = pascalKey === "Data" ? value : toPascalCaseData(value);
+  }
+  return result;
+}
 function printOutput(data, format = "json", logFn, asciiSafe = false) {
   if (!data) {
     logFn("Empty response object. No data to display.");
@@ -27757,7 +28209,7 @@ function wrapText(text, width) {
 function printTable(data, logFn, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   const maxWidths = keys.map((key) => Math.max(key.length, ...data.map((item) => cellToString(item[key]).length)));
   const header = keys.map((key, i2) => key.padEnd(maxWidths[i2])).join(" | ");
   logFn(header);
@@ -27772,7 +28224,7 @@ function printTable(data, logFn, externalLogValue) {
   }
 }
 function printVerticalTable(data, logFn = console.log, externalLogValue) {
-  const keys = Object.keys(data).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   const maxKeyWidth = Math.max(...keys.map((key) => key.length));
@@ -27788,7 +28240,7 @@ function printVerticalTable(data, logFn = console.log, externalLogValue) {
 function printResizableTable(data, logFn = console.log, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   if (!process.stdout.isTTY) {
@@ -27864,8 +28316,27 @@ function printResizableTable(data, logFn = console.log, externalLogValue) {
 function toYaml(data) {
   return dump(data);
 }
+class FilterEvaluationError extends Error {
+  __brand = "FilterEvaluationError";
+  filter;
+  instructions;
+  result = RESULTS.ValidationError;
+  constructor(filter, cause) {
+    const underlying = cause instanceof Error ? cause.message : String(cause);
+    super(`Filter '${filter}' failed to evaluate: ${underlying}`);
+    this.name = "FilterEvaluationError";
+    this.filter = filter;
+    this.instructions = `The --output-filter expression '${filter}' failed at evaluation time. ` + "Note that --output-filter operates on the 'Data' field of the envelope, not the full object. " + "For example, on a list result use 'length(@)' instead of 'Data | length(@)'.";
+  }
+}
 function applyFilter(data, filter) {
-  const result = search(data, filter);
+  let result;
+  try {
+    result = search(data, filter);
+  } catch (err) {
+    throw new FilterEvaluationError(filter, err);
+  }
   if (result == null)
     return [];
   if (Array.isArray(result)) {
@@ -27882,13 +28353,18 @@ function applyFilter(data, filter) {
 }
 var OutputFormatter;
 ((OutputFormatter2) => {
-  function success(data) {
+  function success(data, options) {
     data.Log ??= getLogFilePath() || undefined;
+    const normalize = !options?.preserveDataKeys;
+    if (normalize) {
+      data.Data = normalizeDataKeys(data.Data);
+    }
     const filter = getOutputFilter();
     if (filter) {
-      data.Data = applyFilter(data.Data, filter);
+      const filtered = applyFilter(data.Data, filter);
+      data.Data = normalize ? normalizeDataKeys(filtered) : filtered;
     }
-    logOutput(data, getOutputFormat());
+    logOutput(normalizeOutputKeys(data), getOutputFormat());
   }
   OutputFormatter2.success = success;
   function error(data) {
@@ -27898,7 +28374,7 @@ var OutputFormatter;
       result: data.Result,
       message: data.Message
     });
-    logOutput(data, getOutputFormat());
+    logOutput(normalizeOutputKeys(data), getOutputFormat());
   }
   OutputFormatter2.error = error;
   function emitList(code, items, opts) {
@@ -27919,13 +28395,14 @@ var OutputFormatter;
   function log(data) {
     const format = getOutputFormat();
     const sink = getOutputSink();
+    const normalized = toPascalCaseData(data);
     if (format === "json") {
-      const json2 = JSON.stringify(data);
+      const json2 = JSON.stringify(normalized);
       const safe = needsAsciiSafeJson(sink) ? escapeNonAscii(json2) : json2;
       sink.writeErr(`${safe}
 `);
     } else {
-      for (const [key, value] of Object.entries(data)) {
+      for (const [key, value] of Object.entries(normalized)) {
         sink.writeErr(`${key}: ${value}
 `);
       }
@@ -27934,12 +28411,16 @@ var OutputFormatter;
   OutputFormatter2.log = log;
   function formatToString(data) {
     const filter = getOutputFilter();
-    if (filter && "Data" in data && data.Data != null) {
-      data.Data = applyFilter(data.Data, filter);
+    if ("Data" in data && data.Data != null) {
+      data.Data = normalizeDataKeys(data.Data);
+      if (filter) {
+        data.Data = normalizeDataKeys(applyFilter(data.Data, filter));
+      }
     }
+    const output = normalizeOutputKeys(data);
     const lines = [];
     const sink = getOutputSink();
-    printOutput(data, getOutputFormat(), (msg) => {
+    printOutput(output, getOutputFormat(), (msg) => {
       lines.push(msg);
     }, needsAsciiSafeJson(sink));
     return lines.join(`
@@ -29362,6 +29843,19 @@ function parseSafeInteger(raw, min) {
   }
   return parsed;
 }
+var PollOutcome = {
+  Completed: "completed",
+  Timeout: "timeout",
+  Interrupted: "interrupted",
+  Aborted: "aborted",
+  Failed: "failed"
+};
+var REASON_BY_OUTCOME = {
+  [PollOutcome.Timeout]: "poll_timeout",
+  [PollOutcome.Failed]: "poll_failed",
+  [PollOutcome.Interrupted]: "poll_failed",
+  [PollOutcome.Aborted]: "poll_aborted"
+};
 var TERMINAL_STATUSES = new Set([
   "completed",
   "successful",
@@ -29561,17 +30055,21 @@ Command.prototype.trackedAction = function(context, fn, properties) {
     const telemetryName = deriveCommandPath(command);
     const props = typeof properties === "function" ? properties(...args) : properties;
     const startTime = performance.now();
-    let errorMessage;
+    let errorMessage2;
     const [error] = await catchError2(fn(...args));
     if (error) {
-      errorMessage = error instanceof Error ? error.message : String(error);
-      logger.error(`[trackedAction] ${telemetryName} failed: ${errorMessage}`);
+      errorMessage2 = error instanceof Error ? error.message : String(error);
+      logger.debug(`[trackedAction] ${telemetryName} failed: ${errorMessage2}`);
+      const typed = error;
+      const customInstructions = typeof typed.instructions === "string" ? typed.instructions : undefined;
+      const customResult = typeof typed.result === "string" && typed.result !== RESULTS.Success && Object.values(RESULTS).includes(typed.result) ? typed.result : undefined;
+      const finalResult = customResult ?? RESULTS.Failure;
       OutputFormatter.error({
-        Result: RESULTS.Failure,
-        Message: errorMessage,
-        Instructions: "An unexpected error occurred. Run with --log-level debug for details."
+        Result: finalResult,
+        Message: errorMessage2,
+        Instructions: customInstructions ?? "An unexpected error occurred. Run with --log-level debug for details."
       });
-      context.exit(1);
+      context.exit(EXIT_CODES[finalResult]);
     }
     const durationMs = performance.now() - startTime;
     const success = !error && (process.exitCode === undefined || process.exitCode === 0);
@@ -29580,7 +30078,7 @@ Command.prototype.trackedAction = function(context, fn, properties) {
       ...props,
       duration: String(durationMs),
       success: String(success),
-      ...errorMessage ? { errorMessage } : {}
+      ...errorMessage2 ? { errorMessage: errorMessage2 } : {}
     }));
   });
 };
@@ -30019,6 +30517,7 @@ import path3 from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 import childProcess32 from "node:child_process";
 import fs52, { constants as fsConstants22 } from "node:fs/promises";
+import { randomUUID as randomUUID2 } from "node:crypto";
 import { existsSync as existsSync2 } from "node:fs";
 import * as fs62 from "node:fs/promises";
 import * as os22 from "node:os";
@@ -30773,6 +31272,90 @@ class NodeFileSystem2 {
   async mkdir(dirPath) {
     await fs62.mkdir(dirPath, { recursive: true });
   }
+  async acquireLock(lockPath) {
+    const canonicalPath = await this.canonicalizeLockTarget(lockPath);
+    const lockFile = `${canonicalPath}.lock`;
+    const ownerId = randomUUID2();
+    const start = Date.now();
+    while (true) {
+      try {
+        await fs62.writeFile(lockFile, ownerId, { flag: "wx" });
+        return this.createLockRelease(lockFile, ownerId);
+      } catch (error) {
+        if (!this.hasErrnoCode(error, "EEXIST")) {
+          throw error;
+        }
+        const stats = await fs62.stat(lockFile).catch(() => null);
+        if (stats && Date.now() - stats.mtimeMs > LOCK_STALE_MS2) {
+          const reclaimed = await fs62.rm(lockFile, { force: true }).then(() => true).catch(() => false);
+          if (reclaimed)
+            continue;
+        }
+        if (Date.now() - start > LOCK_MAX_WAIT_MS2) {
+          throw new Error(`ELOCKED: timed out waiting for lock on ${canonicalPath}`);
+        }
+        await new Promise((resolve22) => setTimeout(resolve22, LOCK_RETRY_MIN_MS2 + Math.random() * LOCK_RETRY_JITTER_MS2));
+      }
+    }
+  }
+  async canonicalizeLockTarget(lockPath) {
+    const absolute = path22.resolve(lockPath);
+    const fullReal = await fs62.realpath(absolute).catch(() => null);
+    if (fullReal)
+      return fullReal;
+    const parent = path22.dirname(absolute);
+    const base = path22.basename(absolute);
+    const canonicalParent = await fs62.realpath(parent).catch(() => parent);
+    return path22.join(canonicalParent, base);
+  }
+  createLockRelease(lockFile, ownerId) {
+    const heartbeatStart = Date.now();
+    let heartbeatTimer;
+    let stopped = false;
+    const stopHeartbeat = () => {
+      stopped = true;
+      if (heartbeatTimer)
+        clearTimeout(heartbeatTimer);
+    };
+    const scheduleNextHeartbeat = () => {
+      if (stopped)
+        return;
+      if (Date.now() - heartbeatStart >= LOCK_MAX_HOLD_MS2) {
+        stopped = true;
+        return;
+      }
+      heartbeatTimer = setTimeout(() => {
+        runHeartbeat();
+      }, LOCK_HEARTBEAT_MS2);
+      heartbeatTimer.unref?.();
+    };
+    const runHeartbeat = async () => {
+      if (stopped)
+        return;
+      const current = await fs62.readFile(lockFile, "utf-8").catch(() => null);
+      if (stopped)
+        return;
+      if (current !== ownerId) {
+        stopped = true;
+        return;
+      }
+      const now = Date.now() / 1000;
+      await fs62.utimes(lockFile, now, now).catch(() => {});
+      scheduleNextHeartbeat();
+    };
+    scheduleNextHeartbeat();
+    let released = false;
+    return async () => {
+      if (released)
+        return;
+      released = true;
+      stopHeartbeat();
+      const current = await fs62.readFile(lockFile, "utf-8").catch(() => null);
+      if (current === ownerId) {
+        await fs62.rm(lockFile, { force: true });
+      }
+    };
+  }
   async rm(filePath) {
     await fs62.rm(filePath, { recursive: true, force: true });
   }
@@ -30818,9 +31401,18 @@ class NodeFileSystem2 {
     }
   }
   isEnoent(error) {
-    return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+    return this.hasErrnoCode(error, "ENOENT");
+  }
+  hasErrnoCode(error, code) {
+    return typeof error === "object" && error !== null && "code" in error && error.code === code;
   }
 }
+var LOCK_HEARTBEAT_MS2 = 5000;
+var LOCK_STALE_MS2 = 15000;
+var LOCK_MAX_WAIT_MS2 = 20000;
+var LOCK_MAX_HOLD_MS2 = 60000;
+var LOCK_RETRY_MIN_MS2 = 100;
+var LOCK_RETRY_JITTER_MS2 = 200;
 var init_node2 = __esm2(() => {
   init_open2();
 });
@@ -30832,7 +31424,7 @@ var init_src2 = __esm2(() => {
   fsInstance2 = new NodeFileSystem2;
 });
 var require_coreipc2 = __commonJS3((exports, module) => {
-  var __dirname3 = "/Users/alexandru.oltean/github/cli/node_modules/@uipath/coreipc";
+  var __dirname3 = "/home/runner/work/cli/cli/node_modules/@uipath/coreipc";
   /*! For license information please see index.js.LICENSE.txt */
   (function(e, t) {
     typeof exports == "object" && typeof module == "object" ? module.exports = t() : typeof define == "function" && define.amd ? define([], t) : typeof exports == "object" ? exports.ipc = t() : e.ipc = t();
@@ -48632,9 +49224,13 @@ var require_dist2 = __commonJS3((exports) => {
   exports.RobotProxyConstructor = RobotProxyConstructor;
   __exportStar(require_agent2(), exports);
 });
-var package_default2 = {
+var init_server2 = __esm2(() => {
+  init_constants2();
+});
+var package_default3 = {
   name: "@uipath/aops-policy-tool",
-  version: "1.1.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "CLI plugin for managing UiPath AOps governance policies.",
   private: false,
   repository: {
@@ -48676,6 +49272,132 @@ var package_default2 = {
     typescript: "^6.0.2"
   }
 };
+var PREFIX2 = "@uipath/common/";
+var _g2 = globalThis;
+function singleton2(ctorOrName) {
+  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
+  const key = Symbol.for(PREFIX2 + name);
+  return {
+    get(fallback) {
+      return _g2[key] ?? fallback;
+    },
+    set(value) {
+      _g2[key] = value;
+    },
+    clear() {
+      delete _g2[key];
+    },
+    getOrInit(factory, guard) {
+      const existing = _g2[key];
+      if (existing != null && typeof existing === "object") {
+        if (!guard || guard(existing)) {
+          return existing;
+        }
+      }
+      const instance = factory();
+      _g2[key] = instance;
+      return instance;
+    }
+  };
+}
+var USER_AGENT_HEADER2 = "User-Agent";
+var sdkUserAgentHostToken2 = singleton2("SdkUserAgentHostToken");
+function userAgentPatchKey2(userAgent) {
+  return Symbol.for(`@uipath/common/sdk-user-agent/${userAgent}`);
+}
+function splitUserAgentTokens2(value) {
+  return value?.trim().split(/\s+/).filter(Boolean) ?? [];
+}
+function appendUserAgentToken2(value, userAgent) {
+  const tokens = splitUserAgentTokens2(value);
+  const seen = new Set(tokens);
+  for (const token of splitUserAgentTokens2(userAgent)) {
+    if (!seen.has(token)) {
+      tokens.push(token);
+      seen.add(token);
+    }
+  }
+  return tokens.join(" ");
+}
+function getEffectiveUserAgent2(userAgent) {
+  return appendUserAgentToken2(sdkUserAgentHostToken2.get(), userAgent);
+}
+function isHeadersLike2(headers) {
+  return typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function" && "set" in headers && typeof headers.set === "function";
+}
+function getSdkUserAgentToken2(pkg) {
+  const packageName = pkg.name.replace(/^@uipath\//, "");
+  return getEffectiveUserAgent2(`${packageName}/${pkg.version}`);
+}
+function addSdkUserAgentHeader2(headers, userAgent) {
+  const result = { ...headers ?? {} };
+  const effectiveUserAgent = getEffectiveUserAgent2(userAgent);
+  const headerName = Object.keys(result).find((key) => key.toLowerCase() === USER_AGENT_HEADER2.toLowerCase());
+  if (headerName) {
+    result[headerName] = appendUserAgentToken2(result[headerName], effectiveUserAgent);
+  } else {
+    result[USER_AGENT_HEADER2] = effectiveUserAgent;
+  }
+  return result;
+}
+function withSdkUserAgentHeader2(headers, userAgent) {
+  const effectiveUserAgent = getEffectiveUserAgent2(userAgent);
+  if (isHeadersLike2(headers)) {
+    headers.set(USER_AGENT_HEADER2, appendUserAgentToken2(headers.get(USER_AGENT_HEADER2), effectiveUserAgent));
+    return headers;
+  }
+  if (Array.isArray(headers)) {
+    const result = headers.map((entry) => {
+      const [key, value] = entry;
+      return [key, value];
+    });
+    const headerIndex = result.findIndex(([key]) => key.toLowerCase() === USER_AGENT_HEADER2.toLowerCase());
+    if (headerIndex >= 0) {
+      const [key, value] = result[headerIndex];
+      result[headerIndex] = [
+        key,
+        appendUserAgentToken2(value, effectiveUserAgent)
+      ];
+    } else {
+      result.push([USER_AGENT_HEADER2, effectiveUserAgent]);
+    }
+    return result;
+  }
+  return addSdkUserAgentHeader2(typeof headers === "object" && headers !== null ? { ...headers } : {}, effectiveUserAgent);
+}
+function withUserAgentInitOverride2(initOverrides, userAgent) {
+  return async (requestContext) => {
+    const initWithUserAgent = {
+      ...requestContext.init,
+      headers: withSdkUserAgentHeader2(requestContext.init.headers, userAgent)
+    };
+    const override = typeof initOverrides === "function" ? await initOverrides({
+      ...requestContext,
+      init: initWithUserAgent
+    }) : initOverrides;
+    return {
+      ...override ?? {},
+      headers: withSdkUserAgentHeader2(override?.headers ?? initWithUserAgent.headers, userAgent)
+    };
+  };
+}
+function installSdkUserAgentHeader2(BaseApiClass, userAgent) {
+  const prototype = BaseApiClass.prototype;
+  const patchKey = userAgentPatchKey2(userAgent);
+  if (prototype[patchKey]) {
+    return;
+  }
+  if (typeof prototype.request !== "function") {
+    throw new Error("Generated BaseAPI request function not found.");
+  }
+  const originalRequest = prototype.request;
+  prototype.request = function requestWithUserAgent(context, initOverrides) {
+    return originalRequest.call(this, context, withUserAgentInitOverride2(initOverrides, userAgent));
+  };
+  Object.defineProperty(prototype, patchKey, {
+    value: true
+  });
+}
 var BASE_PATH2 = "http://localhost".replace(/\/+$/, "");
 class Configuration2 {
@@ -48943,6 +49665,53 @@ class TextApiResponse {
     return await this.raw.text();
   }
 }
+var package_default22 = {
+  name: "@uipath/aops-policy-sdk",
+  license: "MIT",
+  version: "1.2.0",
+  description: "SDK for the UiPath AOps Governance API — policy management and deployment.",
+  repository: {
+    type: "git",
+    url: "https://github.com/UiPath/cli.git",
+    directory: "packages/gov/aops-policy-sdk"
+  },
+  publishConfig: {
+    registry: "https://npm.pkg.github.com/@uipath"
+  },
+  keywords: [
+    "uipath",
+    "governance",
+    "policy",
+    "sdk"
+  ],
+  type: "module",
+  main: "./dist/index.js",
+  types: "./dist/src/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/src/index.d.ts",
+      default: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  private: true,
+  scripts: {
+    build: "bun build ./src/index.ts --outdir dist --format esm --target node && tsc -p tsconfig.build.json --noCheck",
+    generate: "bun run src/scripts/generate-sdk.ts",
+    lint: "biome check ."
+  },
+  devDependencies: {
+    "@openapitools/openapi-generator-cli": "^2.31.1",
+    "@types/node": "^25.5.2",
+    "@uipath/auth": "workspace:*",
+    "@uipath/common": "workspace:*",
+    typescript: "^6.0.2"
+  }
+};
+var SDK_USER_AGENT2 = getSdkUserAgentToken2(package_default22);
+installSdkUserAgentHeader2(BaseAPI2, SDK_USER_AGENT2);
 function AddLicenseTypeRequestToJSON(json2) {
   return AddLicenseTypeRequestToJSONTyped(json2, false);
 }
@@ -51599,32 +52368,7 @@ class InvalidBaseUrlError2 extends Error {
     this.name = "InvalidBaseUrlError";
   }
 }
-var DEFAULT_SCOPES2 = [
-  "offline_access",
-  "ProcessMining",
-  "OrchestratorApiUserAccess",
-  "StudioWebBackend",
-  "IdentityServerApi",
-  "ConnectionService",
-  "DataService",
-  "DataServiceApiUserAccess",
-  "DocumentUnderstanding",
-  "EnterpriseContextService",
-  "Directory",
-  "JamJamApi",
-  "LLMGateway",
-  "LLMOps",
-  "OMS",
-  "RCS.FolderAuthorization",
-  "RCS.TagsManagement",
-  "TestmanagerApiUserAccess",
-  "AutomationSolutions",
-  "StudioWebTypeCacheService",
-  "Docs.GPT.Search",
-  "Insights",
-  "ReferenceToken",
-  "Audit.Read"
-];
+var DEFAULT_SCOPES2 = ["openid", "profile", "offline_access"];
 var normalizeAndValidateBaseUrl2 = (rawUrl) => {
   let baseUrl = rawUrl;
   if (baseUrl.endsWith("/identity_/")) {
@@ -51674,7 +52418,8 @@ var resolveConfigAsync2 = async ({
   if (!clientSecret && fileAuth.clientSecret) {
     clientSecret = fileAuth.clientSecret;
   }
-  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : DEFAULT_SCOPES2;
+  const isExternalAppAuth = clientId !== DEFAULT_CLIENT_ID2 && Boolean(clientSecret);
+  const scopes = customScopes && customScopes.length > 0 ? customScopes : fileAuth.scopes && fileAuth.scopes.length > 0 ? fileAuth.scopes : isExternalAppAuth ? [] : DEFAULT_SCOPES2;
   return {
     clientId,
     clientSecret,
@@ -52161,6 +52906,129 @@ function normalizeTokenRefreshFailure2() {
 function normalizeTokenRefreshUnavailableFailure2() {
   return "token refresh failed before authentication completed";
 }
+function errorMessage2(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function computeExpirationThreshold2(ensureTokenValidityMinutes) {
+  return new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
+}
+async function runRefreshLocked2(inputs) {
+  const {
+    absolutePath,
+    refreshToken: callerRefreshToken,
+    customAuthority,
+    ensureTokenValidityMinutes,
+    loadEnvFile,
+    saveEnvFile,
+    refreshFn,
+    resolveConfig: resolveConfig2
+  } = inputs;
+  const expirationThreshold = computeExpirationThreshold2(ensureTokenValidityMinutes);
+  let fresh;
+  try {
+    fresh = await loadEnvFile({ envPath: absolutePath });
+  } catch (error) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "Could not read the auth file while refreshing. Retry, or run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: false,
+          success: false,
+          errorMessage: `auth file read failed: ${errorMessage2(error)}`
+        }
+      }
+    };
+  }
+  const freshAccess = fresh.UIPATH_ACCESS_TOKEN;
+  const freshExp = freshAccess ? getTokenExpiration2(freshAccess) : undefined;
+  if (freshAccess && freshExp && freshExp > expirationThreshold) {
+    return {
+      kind: "ok",
+      accessToken: freshAccess,
+      refreshToken: fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken,
+      expiration: freshExp,
+      tokenRefresh: { attempted: false, success: true }
+    };
+  }
+  const tokenForIdP = fresh.UIPATH_REFRESH_TOKEN ?? callerRefreshToken;
+  let refreshedAccess;
+  let refreshedRefresh;
+  try {
+    const config = await resolveConfig2({ customAuthority });
+    const refreshed = await refreshFn({
+      refreshToken: tokenForIdP,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      expectedAuthority: customAuthority
+    });
+    refreshedAccess = refreshed.accessToken;
+    refreshedRefresh = refreshed.refreshToken;
+  } catch (error) {
+    const isOAuthFailure = isTokenRefreshOAuthFailure2(error);
+    const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
+    const message = isOAuthFailure ? normalizeTokenRefreshFailure2() : normalizeTokenRefreshUnavailableFailure2();
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint,
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: message
+        }
+      }
+    };
+  }
+  const refreshedExp = getTokenExpiration2(refreshedAccess);
+  if (!refreshedExp || refreshedExp <= new Date) {
+    return {
+      kind: "fail",
+      status: {
+        loginStatus: "Refresh Failed",
+        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
+        tokenRefresh: {
+          attempted: true,
+          success: false,
+          errorMessage: "refreshed token has no valid expiration claim"
+        }
+      }
+    };
+  }
+  try {
+    await saveEnvFile({
+      envPath: absolutePath,
+      data: {
+        UIPATH_ACCESS_TOKEN: refreshedAccess,
+        UIPATH_REFRESH_TOKEN: refreshedRefresh
+      },
+      merge: true
+    });
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      tokenRefresh: { attempted: true, success: true }
+    };
+  } catch (error) {
+    const msg = errorMessage2(error);
+    return {
+      kind: "ok",
+      accessToken: refreshedAccess,
+      refreshToken: refreshedRefresh,
+      expiration: refreshedExp,
+      persistenceWarning: `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`,
+      tokenRefresh: {
+        attempted: true,
+        success: true,
+        errorMessage: `persistence failed: ${msg}`
+      }
+    };
+  }
+}
 var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
   const {
     resolveEnvFilePath = resolveEnvFilePathAsync2,
@@ -52235,73 +53103,103 @@ var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
   let refreshToken = credentials.UIPATH_REFRESH_TOKEN;
   let expiration = getTokenExpiration2(accessToken);
   let persistenceWarning;
+  let lockReleaseFailed = false;
   let tokenRefresh;
-  const expirationThreshold = new Date(Date.now() + (ensureTokenValidityMinutes ?? 0) * 60 * 1000);
-  if (expiration && expiration <= expirationThreshold && refreshToken) {
-    let refreshedAccess;
-    let refreshedRefresh;
+  const outerThreshold = computeExpirationThreshold2(ensureTokenValidityMinutes);
+  const tryGlobalCredsHint = async () => {
+    const fs72 = getFs();
+    const globalPath = fs72.path.join(fs72.env.homedir(), envFilePath);
+    if (absolutePath === globalPath)
+      return;
+    if (!await fs72.exists(globalPath))
+      return;
     try {
-      const config = await resolveConfig2({
-        customAuthority: credentials.UIPATH_URL
-      });
-      const refreshed = await refreshTokenFn({
-        refreshToken,
-        tokenEndpoint: config.tokenEndpoint,
-        clientId: config.clientId,
-        expectedAuthority: credentials.UIPATH_URL
-      });
-      refreshedAccess = refreshed.accessToken;
-      refreshedRefresh = refreshed.refreshToken;
+      const globalCreds = await loadEnvFile({ envPath: globalPath });
+      if (!globalCreds.UIPATH_ACCESS_TOKEN)
+        return;
+      const globalExp = getTokenExpiration2(globalCreds.UIPATH_ACCESS_TOKEN);
+      if (globalExp && globalExp <= new Date)
+        return;
+      return `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
+    } catch {
+      return;
+    }
+  };
+  if (expiration && expiration <= outerThreshold && refreshToken) {
+    let release;
+    try {
+      release = await getFs().acquireLock(absolutePath);
     } catch (error) {
-      const isOAuthFailure = isTokenRefreshOAuthFailure2(error);
-      const hint = isOAuthFailure ? "Run 'uip login' to re-authenticate — the stored refresh token is invalid or expired." : "Token refresh failed. Check your network connection, then retry or run 'uip login' to re-authenticate.";
-      const errorMessage = isOAuthFailure ? normalizeTokenRefreshFailure2() : normalizeTokenRefreshUnavailableFailure2();
+      const msg = errorMessage2(error);
+      const globalHint = await tryGlobalCredsHint();
+      if (globalHint) {
+        return {
+          loginStatus: "Expired",
+          accessToken,
+          refreshToken,
+          baseUrl: credentials.UIPATH_URL,
+          organizationName: credentials.UIPATH_ORGANIZATION_NAME,
+          organizationId: credentials.UIPATH_ORGANIZATION_ID,
+          tenantName: credentials.UIPATH_TENANT_NAME,
+          tenantId: credentials.UIPATH_TENANT_ID,
+          expiration,
+          source: "file",
+          hint: globalHint,
+          tokenRefresh: {
+            attempted: false,
+            success: false,
+            errorMessage: `lock acquisition failed: ${msg}`
+          }
+        };
+      }
       return {
         loginStatus: "Refresh Failed",
-        hint,
+        hint: "Could not acquire the auth-file lock — too many concurrent `uip` processes, or a permission issue on the auth directory. Retry, or run 'uip login' to re-authenticate.",
         tokenRefresh: {
-          attempted: true,
+          attempted: false,
           success: false,
-          errorMessage
+          errorMessage: `lock acquisition failed: ${msg}`
         }
       };
     }
-    const refreshedExp = getTokenExpiration2(refreshedAccess);
-    if (!refreshedExp || refreshedExp <= new Date) {
-      return {
-        loginStatus: "Refresh Failed",
-        hint: "The identity server returned an unusable token. Run 'uip login' to re-authenticate.",
-        tokenRefresh: {
-          attempted: true,
-          success: false,
-          errorMessage: "refreshed token has no valid expiration claim"
+    let lockedFailure;
+    try {
+      const outcome = await runRefreshLocked2({
+        absolutePath,
+        refreshToken,
+        customAuthority: credentials.UIPATH_URL,
+        ensureTokenValidityMinutes,
+        loadEnvFile,
+        saveEnvFile,
+        refreshFn: refreshTokenFn,
+        resolveConfig: resolveConfig2
+      });
+      if (outcome.kind === "fail") {
+        lockedFailure = outcome.status;
+      } else {
+        accessToken = outcome.accessToken;
+        refreshToken = outcome.refreshToken;
+        expiration = outcome.expiration;
+        tokenRefresh = outcome.tokenRefresh;
+        if (outcome.persistenceWarning) {
+          persistenceWarning = outcome.persistenceWarning;
         }
-      };
+      }
+    } finally {
+      try {
+        await release();
+      } catch {
+        lockReleaseFailed = true;
+      }
     }
-    accessToken = refreshedAccess;
-    refreshToken = refreshedRefresh;
-    expiration = refreshedExp;
-    try {
-      await saveEnvFile({
-        envPath: absolutePath,
-        data: {
-          UIPATH_ACCESS_TOKEN: accessToken,
-          UIPATH_REFRESH_TOKEN: refreshToken
-        },
-        merge: true
-      });
-      tokenRefresh = {
-        attempted: true,
-        success: true
-      };
-    } catch (error) {
-      const msg = error instanceof Error ? error.message : String(error);
-      persistenceWarning = `Access token refreshed in memory but could not be written to ${absolutePath}: ${msg}. The next CLI invocation will fail until the file can be updated — run 'uip login' to re-authenticate.`;
-      tokenRefresh = {
-        attempted: true,
-        success: true,
-        errorMessage: `persistence failed: ${msg}`
-      };
+    if (lockedFailure) {
+      const globalHint = await tryGlobalCredsHint();
+      const base = globalHint ? {
+        ...lockedFailure,
+        loginStatus: "Expired",
+        hint: globalHint
+      } : lockedFailure;
+      return lockReleaseFailed ? { ...base, lockReleaseFailed: true } : base;
     }
   }
   const result = {
@@ -52316,23 +53214,13 @@ var getLoginStatusWithDeps2 = async (options = {}, deps = {}) => {
     expiration,
     source: "file",
     ...persistenceWarning ? { hint: persistenceWarning, persistenceFailed: true } : {},
+    ...lockReleaseFailed ? { lockReleaseFailed: true } : {},
     ...tokenRefresh ? { tokenRefresh } : {}
   };
   if (result.loginStatus === "Expired") {
-    const fs72 = getFs();
-    const globalPath = fs72.path.join(fs72.env.homedir(), envFilePath);
-    if (absolutePath !== globalPath && await fs72.exists(globalPath)) {
-      try {
-        const globalCreds = await loadEnvFile({
-          envPath: globalPath
-        });
-        if (globalCreds.UIPATH_ACCESS_TOKEN) {
-          const globalExp = getTokenExpiration2(globalCreds.UIPATH_ACCESS_TOKEN);
-          if (!globalExp || globalExp > new Date) {
-            result.hint = `Local credentials file at ${absolutePath} has expired credentials. Valid credentials exist in ${globalPath}. Remove the local file or run 'uip login' to re-authenticate.`;
-          }
-        }
-      } catch {}
+    const globalHint = await tryGlobalCredsHint();
+    if (globalHint) {
+      result.hint = globalHint;
     }
   }
   return result;
@@ -52347,6 +53235,7 @@ var getLoginStatusAsync2 = async (options = {}) => {
 };
 init_src2();
 init_src2();
+init_server2();
 async function createGovernanceConfig(options) {
   const status = await getLoginStatusAsync2({
     ensureTokenValidityMinutes: options?.loginValidity
@@ -52362,7 +53251,8 @@ async function createGovernanceConfig(options) {
   const bearerToken = options?.s2sToken ?? status.accessToken;
   return new Configuration2({
     basePath,
-    apiKey: () => `Bearer ${bearerToken}`
+    apiKey: () => `Bearer ${bearerToken}`,
+    headers: addSdkUserAgentHeader2(undefined, SDK_USER_AGENT2)
   });
 }
 async function createApiClient2(ApiClass, options) {
@@ -52501,10 +53391,15 @@ async function extractErrorDetails2(error, options) {
   }
   if (parsedBody?.errorCode && typeof parsedBody.errorCode === "string") {
     context.errorCode = parsedBody.errorCode;
+  } else if (parsedBody?.code && typeof parsedBody.code === "string") {
+    context.errorCode = parsedBody.code;
   }
   if (parsedBody?.requestId && typeof parsedBody.requestId === "string") {
     context.requestId = parsedBody.requestId;
   }
+  if (parsedBody?.traceId && typeof parsedBody.traceId === "string") {
+    context.traceId = parsedBody.traceId;
+  }
   if (status === 429) {
     const resp = response;
     const headersObj = resp?.headers;
@@ -52524,7 +53419,35 @@ async function extractErrorDetails2(error, options) {
     }
   }
   const hasContext = Object.keys(context).length > 0;
-  return { result, message, details, ...hasContext ? { context } : {} };
+  let parsedErrors;
+  if (parsedBody?.errors && typeof parsedBody.errors === "object") {
+    const errors = {};
+    for (const [field, raw] of Object.entries(parsedBody.errors)) {
+      if (Array.isArray(raw)) {
+        const messages = raw.map((entry) => {
+          if (typeof entry === "string")
+            return entry;
+          if (entry && typeof entry === "object" && typeof entry.message === "string") {
+            return entry.message;
+          }
+          return String(entry);
+        }).filter(Boolean);
+        if (messages.length > 0)
+          errors[field] = messages;
+      } else if (typeof raw === "string") {
+        errors[field] = [raw];
+      }
+    }
+    if (Object.keys(errors).length > 0)
+      parsedErrors = errors;
+  }
+  return {
+    result,
+    message,
+    details,
+    ...hasContext ? { context } : {},
+    ...parsedErrors ? { parsedErrors } : {}
+  };
 }
 async function extractErrorMessage2(error, options) {
   const { message } = await extractErrorDetails2(error, options);
@@ -52535,34 +53458,6 @@ Command.prototype.examples = function(examples) {
   examplesByCommand2.set(this, examples);
   return this;
 };
-var PREFIX2 = "@uipath/common/";
-var _g2 = globalThis;
-function singleton2(ctorOrName) {
-  const name = typeof ctorOrName === "string" ? ctorOrName : ctorOrName.name;
-  const key = Symbol.for(PREFIX2 + name);
-  return {
-    get(fallback) {
-      return _g2[key] ?? fallback;
-    },
-    set(value) {
-      _g2[key] = value;
-    },
-    clear() {
-      delete _g2[key];
-    },
-    getOrInit(factory, guard) {
-      const existing = _g2[key];
-      if (existing != null && typeof existing === "object") {
-        if (!guard || guard(existing)) {
-          return existing;
-        }
-      }
-      const instance = factory();
-      _g2[key] = instance;
-      return instance;
-    }
-  };
-}
 function createStorage2() {
   const [error, mod2] = catchError22(() => __require3("node:async_hooks"));
   if (error || typeof mod2?.AsyncLocalStorage !== "function") {
@@ -57629,6 +58524,60 @@ function escapeNonAscii2(jsonText) {
 function needsAsciiSafeJson2(sink) {
   return process.platform === "win32" && !sink.capabilities.isInteractive;
 }
+function isPlainRecord2(value) {
+  if (value === null || typeof value !== "object")
+    return false;
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}
+function toLowerCamelCaseKey2(key) {
+  if (!key)
+    return key;
+  if (/[_\-\s]/.test(key)) {
+    const [firstPart, ...restParts] = key.split(/[_\-\s]+/).filter(Boolean);
+    if (!firstPart)
+      return key;
+    return [
+      toLowerCamelCaseSimpleKey2(firstPart),
+      ...restParts.map((part) => {
+        const normalized = toLowerCamelCaseSimpleKey2(part);
+        return normalized.charAt(0).toUpperCase() + normalized.slice(1);
+      })
+    ].join("");
+  }
+  return toLowerCamelCaseSimpleKey2(key);
+}
+function toLowerCamelCaseSimpleKey2(key) {
+  if (/^[A-Z0-9]+$/.test(key))
+    return key.toLowerCase();
+  return key.replace(/^[A-Z]+(?=[A-Z][a-z]|\d|$)|^[A-Z]/, (match) => match.toLowerCase());
+}
+function toPascalCaseKey2(key) {
+  const lowerCamelKey = toLowerCamelCaseKey2(key);
+  return lowerCamelKey ? lowerCamelKey.charAt(0).toUpperCase() + lowerCamelKey.slice(1) : lowerCamelKey;
+}
+function toPascalCaseData2(value) {
+  if (Array.isArray(value))
+    return value.map(toPascalCaseData2);
+  if (!isPlainRecord2(value))
+    return value;
+  const result = {};
+  for (const [key, nestedValue] of Object.entries(value)) {
+    result[toPascalCaseKey2(key)] = toPascalCaseData2(nestedValue);
+  }
+  return result;
+}
+function normalizeDataKeys2(data) {
+  return toPascalCaseData2(data);
+}
+function normalizeOutputKeys2(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    const pascalKey = toPascalCaseKey2(key);
+    result[pascalKey] = pascalKey === "Data" ? value : toPascalCaseData2(value);
+  }
+  return result;
+}
 function printOutput2(data, format = "json", logFn, asciiSafe = false) {
   if (!data) {
     logFn("Empty response object. No data to display.");
@@ -57691,7 +58640,7 @@ function wrapText2(text, width) {
 function printTable2(data, logFn, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   const maxWidths = keys.map((key) => Math.max(key.length, ...data.map((item) => cellToString2(item[key]).length)));
   const header = keys.map((key, i22) => key.padEnd(maxWidths[i22])).join(" | ");
   logFn(header);
@@ -57706,7 +58655,7 @@ function printTable2(data, logFn, externalLogValue) {
   }
 }
 function printVerticalTable2(data, logFn = console.log, externalLogValue) {
-  const keys = Object.keys(data).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   const maxKeyWidth = Math.max(...keys.map((key) => key.length));
@@ -57722,7 +58671,7 @@ function printVerticalTable2(data, logFn = console.log, externalLogValue) {
 function printResizableTable2(data, logFn = console.log, externalLogValue) {
   if (data.length === 0)
     return;
-  const keys = Object.keys(data[0]).filter((key) => key !== "Code" && key !== "Log");
+  const keys = Object.keys(data[0]).filter((key) => !["code", "log"].includes(key.toLowerCase()));
   if (keys.length === 0)
     return;
   if (!process.stdout.isTTY) {
@@ -57798,8 +58747,27 @@ function printResizableTable2(data, logFn = console.log, externalLogValue) {
 function toYaml2(data) {
   return dump2(data);
 }
+class FilterEvaluationError2 extends Error {
+  __brand = "FilterEvaluationError";
+  filter;
+  instructions;
+  result = RESULTS2.ValidationError;
+  constructor(filter, cause) {
+    const underlying = cause instanceof Error ? cause.message : String(cause);
+    super(`Filter '${filter}' failed to evaluate: ${underlying}`);
+    this.name = "FilterEvaluationError";
+    this.filter = filter;
+    this.instructions = `The --output-filter expression '${filter}' failed at evaluation time. ` + "Note that --output-filter operates on the 'Data' field of the envelope, not the full object. " + "For example, on a list result use 'length(@)' instead of 'Data | length(@)'.";
+  }
+}
 function applyFilter2(data, filter) {
-  const result = search2(data, filter);
+  let result;
+  try {
+    result = search2(data, filter);
+  } catch (err) {
+    throw new FilterEvaluationError2(filter, err);
+  }
   if (result == null)
     return [];
   if (Array.isArray(result)) {
@@ -57816,13 +58784,18 @@ function applyFilter2(data, filter) {
 }
 var OutputFormatter2;
 ((OutputFormatter3) => {
-  function success(data) {
+  function success(data, options) {
     data.Log ??= getLogFilePath2() || undefined;
+    const normalize = !options?.preserveDataKeys;
+    if (normalize) {
+      data.Data = normalizeDataKeys2(data.Data);
+    }
     const filter = getOutputFilter2();
     if (filter) {
-      data.Data = applyFilter2(data.Data, filter);
+      const filtered = applyFilter2(data.Data, filter);
+      data.Data = normalize ? normalizeDataKeys2(filtered) : filtered;
     }
-    logOutput2(data, getOutputFormat2());
+    logOutput2(normalizeOutputKeys2(data), getOutputFormat2());
   }
   OutputFormatter3.success = success;
   function error(data) {
@@ -57832,7 +58805,7 @@ var OutputFormatter2;
       result: data.Result,
       message: data.Message
     });
-    logOutput2(data, getOutputFormat2());
+    logOutput2(normalizeOutputKeys2(data), getOutputFormat2());
   }
   OutputFormatter3.error = error;
   function emitList(code, items, opts) {
@@ -57853,13 +58826,14 @@ var OutputFormatter2;
   function log(data) {
     const format = getOutputFormat2();
     const sink = getOutputSink2();
+    const normalized = toPascalCaseData2(data);
     if (format === "json") {
-      const json22 = JSON.stringify(data);
+      const json22 = JSON.stringify(normalized);
       const safe = needsAsciiSafeJson2(sink) ? escapeNonAscii2(json22) : json22;
       sink.writeErr(`${safe}
 `);
     } else {
-      for (const [key, value] of Object.entries(data)) {
+      for (const [key, value] of Object.entries(normalized)) {
         sink.writeErr(`${key}: ${value}
 `);
       }
@@ -57868,12 +58842,16 @@ var OutputFormatter2;
   OutputFormatter3.log = log;
   function formatToString(data) {
     const filter = getOutputFilter2();
-    if (filter && "Data" in data && data.Data != null) {
-      data.Data = applyFilter2(data.Data, filter);
+    if ("Data" in data && data.Data != null) {
+      data.Data = normalizeDataKeys2(data.Data);
+      if (filter) {
+        data.Data = normalizeDataKeys2(applyFilter2(data.Data, filter));
+      }
     }
+    const output = normalizeOutputKeys2(data);
     const lines = [];
     const sink = getOutputSink2();
-    printOutput2(data, getOutputFormat2(), (msg) => {
+    printOutput2(output, getOutputFormat2(), (msg) => {
       lines.push(msg);
     }, needsAsciiSafeJson2(sink));
     return lines.join(`
@@ -59282,6 +60260,19 @@ JSONPath2.prototype.safeVm = {
   Script: SafeScript2
 };
 JSONPath2.prototype.vm = vm2;
+var PollOutcome2 = {
+  Completed: "completed",
+  Timeout: "timeout",
+  Interrupted: "interrupted",
+  Aborted: "aborted",
+  Failed: "failed"
+};
+var REASON_BY_OUTCOME2 = {
+  [PollOutcome2.Timeout]: "poll_timeout",
+  [PollOutcome2.Failed]: "poll_failed",
+  [PollOutcome2.Interrupted]: "poll_failed",
+  [PollOutcome2.Aborted]: "poll_aborted"
+};
 var TERMINAL_STATUSES2 = new Set([
   "completed",
   "successful",
@@ -59481,17 +60472,21 @@ Command.prototype.trackedAction = function(context, fn, properties) {
     const telemetryName = deriveCommandPath2(command);
     const props = typeof properties === "function" ? properties(...args) : properties;
     const startTime = performance.now();
-    let errorMessage;
+    let errorMessage22;
     const [error] = await catchError22(fn(...args));
     if (error) {
-      errorMessage = error instanceof Error ? error.message : String(error);
-      logger2.error(`[trackedAction] ${telemetryName} failed: ${errorMessage}`);
+      errorMessage22 = error instanceof Error ? error.message : String(error);
+      logger2.debug(`[trackedAction] ${telemetryName} failed: ${errorMessage22}`);
+      const typed = error;
+      const customInstructions = typeof typed.instructions === "string" ? typed.instructions : undefined;
+      const customResult = typeof typed.result === "string" && typed.result !== RESULTS2.Success && Object.values(RESULTS2).includes(typed.result) ? typed.result : undefined;
+      const finalResult = customResult ?? RESULTS2.Failure;
       OutputFormatter2.error({
-        Result: RESULTS2.Failure,
-        Message: errorMessage,
-        Instructions: "An unexpected error occurred. Run with --log-level debug for details."
+        Result: finalResult,
+        Message: errorMessage22,
+        Instructions: customInstructions ?? "An unexpected error occurred. Run with --log-level debug for details."
       });
-      context.exit(1);
+      context.exit(EXIT_CODES2[finalResult]);
     }
     const durationMs = performance.now() - startTime;
     const success = !error && (process.exitCode === undefined || process.exitCode === 0);
@@ -59500,7 +60495,7 @@ Command.prototype.trackedAction = function(context, fn, properties) {
       ...props,
       duration: String(durationMs),
       success: String(success),
-      ...errorMessage ? { errorMessage } : {}
+      ...errorMessage22 ? { errorMessage: errorMessage22 } : {}
     }));
   });
 };
@@ -63372,7 +64367,7 @@ var registerAopsPolicyCommand = (program2) => {
 };
 var metadata2 = {
   name: "aops-policy-tool",
-  version: package_default2.version,
+  version: package_default3.version,
   description: "Manage UiPath AOps governance policies.",
   commandPrefix: "gov"
 };
@@ -63380,9 +64375,10 @@ var registerCommands2 = async (program2) => {
   registerAopsPolicyCommand(program2);
 };
 // package.json
-var package_default3 = {
+var package_default5 = {
   name: "@uipath/gov-tool",
-  version: "1.1.0",
+  license: "MIT",
+  version: "1.2.0",
   description: "Manage UiPath governance (AOps and Access policies) end-to-end.",
   private: false,
   repository: {
@@ -63424,7 +64420,7 @@ var package_default3 = {
 // src/tool.ts
 var metadata3 = {
   name: "gov-tool",
-  version: package_default3.version,
+  version: package_default5.version,
   description: "Manage UiPath governance — AOps policies and Access policies.",
   commandPrefix: "gov"
 };