@unito/integration-cli 0.64.4 → 0.64.6

package/dist/src/commands/graph.d.ts

@@ -0,0 +1,21 @@
+import { BaseCommand } from '../baseCommand';
+import * as GlobalConfiguration from '../resources/globalConfiguration';
+export default class Graph extends BaseCommand<typeof Graph> {
+    static description: string;
+    static examples: string[];
+    static args: {
+        operation: import("@oclif/core/lib/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    catch(error: Error): Promise<void>;
+    static flags: {
+        path: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        port: import("@oclif/core/lib/interfaces").OptionFlag<number, import("@oclif/core/lib/interfaces").CustomOptions>;
+        environment: import("@oclif/core/lib/interfaces").OptionFlag<GlobalConfiguration.Environment, import("@oclif/core/lib/interfaces").CustomOptions>;
+        'test-account': import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        'credential-payload': import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        'credential-id': import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        'config-path': import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+        output: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/src/commands/graph.js

@@ -0,0 +1,144 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+const crypto_1 = tslib_1.__importDefault(require("crypto"));
+const fs_1 = tslib_1.__importDefault(require("fs"));
+const core_1 = require("@oclif/core");
+const baseCommand_1 = require("../baseCommand");
+const errors_1 = require("../errors");
+const GlobalConfiguration = tslib_1.__importStar(require("../resources/globalConfiguration"));
+const integrations_1 = require("../resources/integrations");
+const configuration_1 = require("../resources/configuration");
+const decryption_1 = require("../resources/decryption");
+const credentials_1 = require("../resources/credentials");
+class Graph extends baseCommand_1.BaseCommand {
+    static description = 'Query a running integration graph and print the response';
+    static examples = [
+        '<%= config.bin %> <%= command.id %> --path=/sobjects/Opportunity/records/abc123',
+        '<%= config.bin %> <%= command.id %> get --path=/sobjects/Opportunity --port=9201',
+    ];
+    static args = {
+        operation: core_1.Args.string({
+            description: 'Operation to perform on the graph path',
+            required: false,
+            default: 'get',
+            options: ['get', 'getItem', 'getCollection', 'createItem', 'updateItem', 'deleteItem'],
+        }),
+    };
+    async catch(error) {
+        /* istanbul ignore if */
+        if ((0, errors_1.handleError)(this, error)) {
+            this.exit(-1);
+        }
+        throw error;
+    }
+    static flags = {
+        path: core_1.Flags.string({
+            description: 'Graph path to fetch (must start with /), e.g. /sobjects/Opportunity/records/abc123',
+            required: true,
+        }),
+        port: core_1.Flags.integer({
+            description: 'Port the integration is running on',
+            default: 9200,
+        }),
+        environment: core_1.Flags.custom({
+            description: 'the environment of the platform',
+            options: Object.values(GlobalConfiguration.Environment),
+            default: GlobalConfiguration.Environment.Production,
+        })(),
+        'test-account': core_1.Flags.string({
+            description: 'test account to use',
+            options: Object.values(configuration_1.CredentialScope),
+            default: configuration_1.CredentialScope.DEVELOPMENT,
+        }),
+        'credential-payload': core_1.Flags.string({
+            description: '(advanced) credential payload to use.',
+            exclusive: ['credential-id'],
+        }),
+        'credential-id': core_1.Flags.string({
+            description: '(advanced) credential to use.',
+            exclusive: ['credential-payload'],
+        }),
+        'config-path': core_1.Flags.string({
+            summary: 'relative path to a custom ".unito.json" file',
+            description: `Use a custom configuration file instead of the default '.unito.json'.
+
+      If you want to force the CLI to use a specific configuration file, you can use this flag to specify the relative
+      path from your integration's root folder (with a leading '/').
+
+      Usage: <%= config.bin %> <%= command.id %> --config-path=/myCustomConfig.json`,
+        }),
+        output: core_1.Flags.string({
+            char: 'o',
+            description: 'Write response body to file instead of stdout',
+        }),
+    };
+    async run() {
+        (0, integrations_1.validateIsIntegrationDirectory)();
+        const { args, flags } = await this.parse(Graph);
+        const operation = args.operation ?? 'get';
+        if (operation === 'createItem' || operation === 'updateItem' || operation === 'deleteItem') {
+            this.error(`Operation "${operation}" is not yet implemented`, { exit: 1 });
+        }
+        const environment = flags.environment ?? GlobalConfiguration.Environment.Production;
+        const configuration = await (0, configuration_1.getConfiguration)(environment, flags['config-path']);
+        // Credential resolution — identical to dev.ts
+        let credentialPayload = '{}';
+        if (flags['credential-id']) {
+            const credential = await (0, credentials_1.fetchCredential)(environment, this.config.configDir, flags['credential-id']);
+            credentialPayload = JSON.stringify({
+                ...credential.payload,
+                unitoCredentialId: credential.id,
+                unitoUserId: credential.unitoUserId,
+            });
+        }
+        else if (flags['credential-payload']) {
+            credentialPayload = flags['credential-payload'];
+        }
+        else {
+            const credentials = configuration.testAccounts?.[flags['test-account']];
+            if (credentials) {
+                const decryptedEntries = await (0, decryption_1.decryptEntries)(configuration.name, environment, this.config.configDir, credentials);
+                if (decryptedEntries.failed.length) {
+                    throw new errors_1.EntryDecryptionError(decryptedEntries.failed.at(0), environment);
+                }
+                credentialPayload = JSON.stringify({
+                    ...decryptedEntries.successful,
+                    unitoCredentialId: flags['test-account'],
+                    unitoUserId: flags['test-account'],
+                });
+            }
+        }
+        // Load secrets — identical to dev.ts
+        const { successful: secrets, failed: failedSecrets } = await (0, decryption_1.decryptEntries)(configuration.name, environment, this.config.configDir, configuration.secrets ?? {});
+        if (failedSecrets.length) {
+            throw new errors_1.EntryDecryptionError(failedSecrets.at(0), environment);
+        }
+        // Build Unito request headers.
+        // Encoding: base64(JSON.stringify(payload)) — same as integrationDebugger/src/services/crawlerDriver.ts line 424.
+        const headers = {
+            'X-Unito-Credentials': Buffer.from(credentialPayload).toString('base64'),
+            'X-Unito-Secrets': Buffer.from(JSON.stringify(secrets)).toString('base64'),
+            'X-Unito-Correlation-Id': crypto_1.default.randomUUID(),
+            'Content-Type': 'application/json',
+        };
+        const url = `http://localhost:${flags.port}${flags.path}`;
+        const response = await fetch(url, { headers });
+        if (!response.ok) {
+            const body = await response.json().catch(() => undefined);
+            if (body !== undefined) {
+                this.logToStderr(JSON.stringify(body, null, 2));
+            }
+            this.error(`HTTP ${response.status} from ${url}`, { exit: response.status });
+        }
+        const body = (await response.json());
+        const json = JSON.stringify(body, null, 2);
+        if (flags.output) {
+            await fs_1.default.promises.writeFile(flags.output, json, 'utf8');
+        }
+        else {
+            this.log(json);
+        }
+    }
+}
+exports.default = Graph;

package/dist/src/hooks/init/displayLogo.js

@@ -3,7 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const tslib_1 = require("tslib");
 const core_1 = require("@oclif/core");
 const gradient = tslib_1.__importStar(require("gradient-string"));
-const displayLogo = async function () {
+const updateNotifier_1 = require("./updateNotifier");
+const displayLogo = async function ({ id }) {
+    if (id === 'graph')
+        return;
     const gradients = [
         gradient.atlas,
         gradient.mind,
@@ -33,5 +36,6 @@ const displayLogo = async function () {
         '+------------------------------------+',
     ].join('\n'));
     core_1.ux.log(UNITOCLI_LOGO);
+    (0, updateNotifier_1.checkForUpdate)(this.config.version);
 };
 exports.default = displayLogo;

package/dist/src/hooks/init/updateNotifier.d.ts

@@ -0,0 +1,19 @@
+import child_process from 'child_process';
+interface UpdateCache {
+    latest: string;
+    checkedAt: number;
+}
+export interface UpdateNotifierDeps {
+    cacheFile: string;
+    spawn: typeof child_process.spawn;
+    log: typeof console.log;
+    upgrade: () => void;
+}
+export declare function isNewerVersion(latest: string, current: string): boolean;
+export declare function readCache(cacheFile: string): UpdateCache | null;
+export declare function isCacheStale(cache: UpdateCache | null, intervalMs?: number): boolean;
+export declare function stripAnsi(str: string): string;
+export declare function formatNotification(current: string, latest: string): string;
+export declare function spawnBackgroundCheck(deps: UpdateNotifierDeps): void;
+export declare function checkForUpdate(currentVersion: string, overrides?: Partial<UpdateNotifierDeps>): void;
+export {};

package/dist/src/hooks/init/updateNotifier.js

@@ -0,0 +1,156 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNewerVersion = isNewerVersion;
+exports.readCache = readCache;
+exports.isCacheStale = isCacheStale;
+exports.stripAnsi = stripAnsi;
+exports.formatNotification = formatNotification;
+exports.spawnBackgroundCheck = spawnBackgroundCheck;
+exports.checkForUpdate = checkForUpdate;
+const tslib_1 = require("tslib");
+const child_process_1 = tslib_1.__importDefault(require("child_process"));
+const fs_1 = tslib_1.__importDefault(require("fs"));
+const os_1 = tslib_1.__importDefault(require("os"));
+const path_1 = tslib_1.__importDefault(require("path"));
+const core_1 = require("@oclif/core");
+const chalk_1 = tslib_1.__importDefault(require("chalk"));
+const PACKAGE_NAME = '@unito/integration-cli';
+const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+function getDefaultCacheFile() {
+    return path_1.default.join(os_1.default.homedir(), '.cache', 'integrationcli', 'update-check.json');
+}
+function defaultUpgrade() {
+    child_process_1.default.execSync(`npm install --force --global ${PACKAGE_NAME}`, {
+        stdio: ['ignore', 'ignore', 'pipe'],
+    });
+}
+function getDefaultDeps() {
+    return {
+        cacheFile: getDefaultCacheFile(),
+        spawn: child_process_1.default.spawn,
+        log: core_1.ux.log,
+        upgrade: defaultUpgrade,
+    };
+}
+function isNewerVersion(latest, current) {
+    const latestParts = latest.split('.').map(Number);
+    const currentParts = current.split('.').map(Number);
+    for (let i = 0; i < 3; i++) {
+        if ((latestParts[i] || 0) > (currentParts[i] || 0))
+            return true;
+        if ((latestParts[i] || 0) < (currentParts[i] || 0))
+            return false;
+    }
+    return false;
+}
+function readCache(cacheFile) {
+    try {
+        const data = fs_1.default.readFileSync(cacheFile, 'utf8');
+        const parsed = JSON.parse(data);
+        if (typeof parsed?.latest !== 'string' || typeof parsed?.checkedAt !== 'number')
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function isCacheStale(cache, intervalMs = CHECK_INTERVAL_MS) {
+    if (!cache)
+        return true;
+    return Date.now() - cache.checkedAt > intervalMs;
+}
+// eslint-disable-next-line no-control-regex
+const ANSI_PATTERN = /\u001b\[[0-9;]*m/g;
+function stripAnsi(str) {
+    return str.replace(ANSI_PATTERN, '');
+}
+function formatNotification(current, latest) {
+    const npmUrl = `https://www.npmjs.com/package/${PACKAGE_NAME}`;
+    const lines = [
+        '',
+        `  Update available ${chalk_1.default.gray(current)} ${chalk_1.default.gray('→')} ${chalk_1.default.greenBright(latest)}`,
+        `  ${chalk_1.default.cyan(npmUrl)}`,
+        '',
+        `  Run ${chalk_1.default.bold('integration-cli upgrade')} to update`,
+        '',
+    ];
+    const maxLen = Math.max(...lines.map(line => stripAnsi(line).length));
+    const border = chalk_1.default.yellowBright;
+    const boxLines = [
+        border('  ┌' + '─'.repeat(maxLen) + '┐'),
+        ...lines.map(line => {
+            const padding = maxLen - stripAnsi(line).length;
+            return border('  │') + line + ' '.repeat(padding) + border('│');
+        }),
+        border('  └' + '─'.repeat(maxLen) + '┘'),
+    ];
+    return '\n' + boxLines.join('\n') + '\n';
+}
+function spawnBackgroundCheck(deps) {
+    const cacheDir = path_1.default.dirname(deps.cacheFile);
+    const script = `
+    const https = require('https');
+    const fs = require('fs');
+
+    const cacheDir = ${JSON.stringify(cacheDir)};
+    const cacheFile = ${JSON.stringify(deps.cacheFile)};
+
+    const url = 'https://registry.npmjs.org/${PACKAGE_NAME.replace('/', '%2f')}';
+
+    const req = https.get(url, { headers: { Accept: 'application/vnd.npm.install-v1+json' } }, (res) => {
+      if (res.statusCode !== 200) return;
+      let data = '';
+      res.on('data', chunk => { data += chunk; });
+      res.on('end', () => {
+        try {
+          const pkg = JSON.parse(data);
+          const latest = pkg['dist-tags']?.latest;
+          if (!latest) return;
+          fs.mkdirSync(cacheDir, { recursive: true });
+          fs.writeFileSync(cacheFile, JSON.stringify({ latest, checkedAt: Date.now() }));
+        } catch {}
+      });
+    });
+    req.on('error', () => {});
+    req.setTimeout(10000, () => { req.destroy(); });
+  `;
+    const child = deps.spawn(process.execPath, ['-e', script], {
+        detached: true,
+        stdio: 'ignore',
+        windowsHide: true,
+    });
+    child.unref();
+}
+function checkForUpdate(currentVersion, overrides) {
+    try {
+        // Skip during upgrade command — it handles its own version messaging
+        if (process.argv[2] === 'upgrade')
+            return;
+        // Skip in non-interactive environments (CI, tests)
+        if (process.env.CI)
+            return;
+        const deps = { ...getDefaultDeps(), ...overrides };
+        const cache = readCache(deps.cacheFile);
+        // Auto-upgrade if we have a cached newer version
+        if (cache && isNewerVersion(cache.latest, currentVersion)) {
+            try {
+                deps.log(`Upgrading integration-cli ${currentVersion} → ${cache.latest}...`);
+                deps.upgrade();
+                deps.log(`Upgraded! The new version will be used on your next command.`);
+            }
+            catch (err) {
+                const reason = err instanceof Error ? err.message : String(err);
+                deps.log(chalk_1.default.yellow(`  Auto-upgrade failed: ${reason}`));
+                deps.log(formatNotification(currentVersion, cache.latest));
+            }
+        }
+        // Spawn background check if cache is stale
+        if (isCacheStale(cache)) {
+            spawnBackgroundCheck(deps);
+        }
+    }
+    catch {
+        // Never let update checking break the CLI
+    }
+}

package/dist/src/services/integrationsPlatformClient.d.ts

@@ -328,10 +328,14 @@ export declare function getCredentials({ pagination, filters, }?: {
         unitoUserId?: string;
         /** The id of the credential account for which this credential belongs to. */
         credentialAccountId?: string;
+        /** The credential was created after the provided date. */
+        createdAfter?: string;
         /** The last access to the credential account occured before the provided date. */
         lastCredentialAccountAccessAtBefore?: string;
         /** The first failure to access the credential account occured after the provided date. */
         firstFailedCredentialAccountAccessAtAfter?: string;
+        /** Whether to filter archived credentials. */
+        isArchived?: boolean;
     };
 }, opts?: Oazapfts.RequestOpts): Promise<Pagination & {
     /** The credentials. */

package/dist/src/services/oauth2.d.ts

@@ -40,6 +40,7 @@ declare class OAuth2Service {
     private tokenRequestParameters;
     private refreshRequestParameters;
     private credentialPayload;
+    private legacyRedirectUrl;
     /**
      * Constructs an instance of OAuthHelper.
      * @param clientId The client ID for your OAuth application.
@@ -49,6 +50,12 @@ declare class OAuth2Service {
      * @param providerTokenUrl The URL for the token endpoint of the provider.
      */
     constructor(authorizationInfo: Oauth2Payload, environment?: Environment, credentialPayload?: Record<string, unknown>);
+    /**
+     * Returns the redirect URI for the OAuth2 flow.
+     * When legacyRedirectUrl is configured, uses that URL (routed through maestro).
+     * Otherwise, uses the standard platformServer callback URL.
+     */
+    private get redirectUri();
     /**
      * Initiate the authorization flow and redirects the user to the provider's authorization page.
      */

package/dist/src/services/oauth2.js

@@ -32,6 +32,7 @@ class OAuth2Service {
     tokenRequestParameters;
     refreshRequestParameters;
     credentialPayload;
+    legacyRedirectUrl;
     /**
      * Constructs an instance of OAuthHelper.
      * @param clientId The client ID for your OAuth application.
@@ -41,7 +42,7 @@ class OAuth2Service {
      * @param providerTokenUrl The URL for the token endpoint of the provider.
      */
     constructor(authorizationInfo, environment = globalConfiguration_1.Environment.Production, credentialPayload) {
-        const { clientId, clientSecret, authorizationUrl, scopes, tokenUrl, grantType, requestContentType, refreshRequestParameters, tokenRequestParameters, } = authorizationInfo;
+        const { clientId, clientSecret, authorizationUrl, scopes, tokenUrl, grantType, requestContentType, refreshRequestParameters, tokenRequestParameters, legacyRedirectUrl, } = authorizationInfo;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.providerAuthorizationUrl = authorizationUrl;
@@ -51,12 +52,22 @@ class OAuth2Service {
         this.requestContentType = requestContentType ?? configurationTypes_1.RequestContentType.URL_ENCODED;
         this.tokenRequestParameters = tokenRequestParameters;
         this.refreshRequestParameters = refreshRequestParameters;
+        this.legacyRedirectUrl = legacyRedirectUrl;
         this.environment = environment;
         this.credentialPayload = credentialPayload;
         if (!Object.values(configurationTypes_1.RequestContentType).includes(this.requestContentType)) {
             throw new errors_1.UnsupportedContentTypeError(`Request content type not supported: ${this.requestContentType}`);
         }
     }
+    /**
+     * Returns the redirect URI for the OAuth2 flow.
+     * When legacyRedirectUrl is configured, uses that URL (routed through maestro).
+     * Otherwise, uses the standard platformServer callback URL.
+     */
+    get redirectUri() {
+        return (this.legacyRedirectUrl ??
+            `${IntegrationsPlatformClient.Servers[this.environment]}/credentials/new/oauth2/callback`);
+    }
     /**
      * Initiate the authorization flow and redirects the user to the provider's authorization page.
      */
@@ -71,12 +82,18 @@ class OAuth2Service {
         if (this.scopes) {
             authorizationParams.set('scope', this.scopes.join(' '));
         }
-        const state = Buffer.from(JSON.stringify({
+        const statePayload = {
             cliCallbackUrl: `${this.serverUrl}/oauth2/callback`,
-        })).toString('base64');
+            // When using legacyRedirectUrl, the callback is routed through maestro first.
+            // maestro checks for redirectToIPS in state and forwards to platformServer's oauth2Callback,
+            // which then detects cliCallbackUrl and forwards to the CLI via ngrok.
+            // TLDR: redirectToIPS makes maestro act as a pass-through relay instead of handling the callback itself.
+            ...(this.legacyRedirectUrl ? { redirectToIPS: 'true' } : {}),
+        };
+        const state = Buffer.from(JSON.stringify(statePayload)).toString('base64');
         authorizationParams.set('state', state);
         authorizationParams.set('response_type', 'code');
-        authorizationParams.set('redirect_uri', `${IntegrationsPlatformClient.Servers[this.environment]}/credentials/new/oauth2/callback-cli`);
+        authorizationParams.set('redirect_uri', this.redirectUri);
         const delimiter = this.providerAuthorizationUrl.includes('?') ? '&' : '?';
         const authorizationUrlTemplate = `${this.providerAuthorizationUrl}${delimiter}${authorizationParams.toString()}`;
         const authorizationUrl = (0, template_1.expandTemplate)(authorizationUrlTemplate, {
@@ -119,7 +136,7 @@ class OAuth2Service {
             ])),
             grant_type: this.grantType,
             code: req.query.code,
-            redirect_uri: `${IntegrationsPlatformClient.Servers[this.environment]}/credentials/new/oauth2/callback-cli`,
+            redirect_uri: this.redirectUri,
             ...(this.clientId && { client_id: this.clientId }),
             ...(this.clientSecret && { client_secret: this.clientSecret }),
         };
@@ -235,7 +252,7 @@ class OAuth2Service {
             bodyData.client_assertion = this.clientSecret;
             bodyData.assertion = refreshToken;
             bodyData.client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
-            bodyData.redirect_uri = `${IntegrationsPlatformClient.Servers[this.environment]}/credentials/new/oauth2/callback-cli`;
+            bodyData.redirect_uri = `${IntegrationsPlatformClient.Servers[this.environment]}/credentials/new/oauth2/callback`;
         }
         const templateVariables = structuredClone(this.credentialPayload ?? {});
         templateVariables.clientId ??= this.clientId;

package/dist/test/commands/graph.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/commands/graph.test.js

@@ -0,0 +1,188 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+const fs_1 = tslib_1.__importDefault(require("fs"));
+const test_1 = require("@oclif/test");
+const sinon_1 = tslib_1.__importDefault(require("sinon"));
+const Configuration = tslib_1.__importStar(require("../../src/resources/configuration"));
+const Decryption = tslib_1.__importStar(require("../../src/resources/decryption"));
+const Integrations = tslib_1.__importStar(require("../../src/resources/integrations"));
+const MOCK_CONFIG = {
+    name: 'salesforce-v2',
+    testAccounts: {
+        development: { token: 'test-token' },
+    },
+    secrets: {},
+};
+const MOCK_RESPONSE = {
+    label: 'Opportunity',
+    fields: [{ name: 'Name', type: 'string' }],
+    relations: [{ name: 'tasks', semantic: 'subtasks', path: '/sobjects/Task/records?filter=WhatId=abc' }],
+};
+describe('graph', () => {
+    beforeEach(() => {
+        sinon_1.default.stub(Integrations, 'validateIsIntegrationDirectory');
+        sinon_1.default.stub(Decryption, 'decryptEntries').resolves({
+            successful: { token: 'test-token' },
+            failed: [],
+        });
+    });
+    afterEach(() => sinon_1.default.restore());
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', '--path=/sobjects/Opportunity/records/abc123'])
+        .it('prints pretty-printed JSON response to stdout', ctx => {
+        (0, test_1.expect)(ctx.stdout).to.contain('"label": "Opportunity"');
+        (0, test_1.expect)(ctx.stdout).to.contain('"semantic": "subtasks"');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', '--path=/sobjects/Opportunity/records/abc123'])
+        .it('calls fetch with the correct default-port URL', () => {
+        const fetchStub = global.fetch;
+        (0, test_1.expect)(fetchStub.calledOnce).to.be.true;
+        const [calledUrl] = fetchStub.firstCall.args;
+        (0, test_1.expect)(calledUrl).to.equal('http://localhost:9200/sobjects/Opportunity/records/abc123');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', '--path=/sobjects/Opportunity', '--port=9201'])
+        .it('uses custom port when specified', () => {
+        const fetchStub = global.fetch;
+        const [calledUrl] = fetchStub.firstCall.args;
+        (0, test_1.expect)(calledUrl).to.equal('http://localhost:9201/sobjects/Opportunity');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: false,
+        status: 404,
+        json: () => Promise.resolve({ error: 'Not found' }),
+    }))
+        .stdout()
+        .stderr()
+        .command(['graph', '--path=/sobjects/NonExistent/records/abc'])
+        .catch(err => {
+        (0, test_1.expect)(err.message).to.contain('404');
+        (0, test_1.expect)(err.oclif?.exit).to.equal(404);
+    })
+        .it('exits with HTTP status code and prints error body to stderr', ctx => {
+        (0, test_1.expect)(ctx.stderr).to.contain('"error": "Not found"');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', '--path=/sobjects/Opportunity'])
+        .it('sets base64-encoded X-Unito-Credentials header', () => {
+        const fetchStub = global.fetch;
+        const [, options] = fetchStub.firstCall.args;
+        const decoded = Buffer.from(options.headers['X-Unito-Credentials'], 'base64').toString('utf8');
+        const credentials = JSON.parse(decoded);
+        (0, test_1.expect)(credentials).to.have.property('token', 'test-token');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stub(fs_1.default.promises, 'writeFile', stub => stub.resolves())
+        .stdout()
+        .command(['graph', '--path=/sobjects/Opportunity', '--output=/tmp/response.json'])
+        .it('writes response to file when --output is provided', ctx => {
+        const writeStub = fs_1.default.promises.writeFile;
+        (0, test_1.expect)(writeStub.calledOnce).to.be.true;
+        const [path, content] = writeStub.firstCall.args;
+        (0, test_1.expect)(path).to.equal('/tmp/response.json');
+        (0, test_1.expect)(content).to.contain('"label": "Opportunity"');
+        (0, test_1.expect)(ctx.stdout).to.equal('');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', '--path=/sobjects/Opportunity'])
+        .it('prints to stdout when --output is not provided', ctx => {
+        (0, test_1.expect)(ctx.stdout).to.contain('"label": "Opportunity"');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', 'get', '--path=/sobjects/Opportunity'])
+        .it('accepts explicit "get" operation arg', ctx => {
+        (0, test_1.expect)(ctx.stdout).to.contain('"label": "Opportunity"');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', 'getItem', '--path=/sobjects/Opportunity'])
+        .it('treats "getItem" as a get operation', ctx => {
+        (0, test_1.expect)(ctx.stdout).to.contain('"label": "Opportunity"');
+    });
+    test_1.test
+        .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+        .stub(global, 'fetch', stub => stub.resolves({
+        ok: true,
+        status: 200,
+        json: () => Promise.resolve(MOCK_RESPONSE),
+    }))
+        .stdout()
+        .command(['graph', 'getCollection', '--path=/sobjects/Opportunity'])
+        .it('treats "getCollection" as a get operation', ctx => {
+        (0, test_1.expect)(ctx.stdout).to.contain('"label": "Opportunity"');
+    });
+    for (const op of ['createItem', 'updateItem', 'deleteItem']) {
+        test_1.test
+            .stub(Configuration, 'getConfiguration', stub => stub.resolves(MOCK_CONFIG))
+            .command(['graph', op, '--path=/sobjects/Opportunity'])
+            .catch(err => {
+            (0, test_1.expect)(err.message).to.contain(`Operation "${op}" is not yet implemented`);
+        })
+            .it(`rejects "${op}" as not yet implemented`);
+    }
+    test_1.test
+        .stderr()
+        .command(['graph', 'put', '--path=/sobjects/Opportunity'])
+        .catch(err => {
+        (0, test_1.expect)(err.message).to.contain('Expected put to be one of');
+    })
+        .it('rejects invalid operation arg');
+});