@zapier/zapier-sdk-cli 0.46.1 → 0.48.0

package/dist/cli.mjs

@@ -1,21 +1,22 @@
 #!/usr/bin/env node
 import { Command, CommanderError, Option } from 'commander';
 import { z } from 'zod';
-import { definePlugin, createPluginMethod, buildApplicationLifecycleEvent, OutputPropertySchema, ZapierBundleError, DEFAULT_CONFIG_PATH, ZapierValidationError, ZapierUnknownError, ZapierReleaseTriggerMessageSignal, injectCliLogin, BaseSdkOptionsSchema, isCredentialsObject, batch, toSnakeCase, ZapierAbortDrainSignal, createZapierSdk as createZapierSdk$1, ZapierError, isPositional, runWithTelemetryContext, buildCapabilityMessage, formatErrorMessage, getOsInfo, getPlatformVersions, getCiPlatform, isCi, getReleaseId, getCurrentTimestamp, generateEventId } from '@zapier/zapier-sdk';
+import { definePlugin, createPluginMethod, getOrCreateApiClient, OutputPropertySchema, ZapierBundleError, DEFAULT_CONFIG_PATH, ZapierValidationError, ZapierUnknownError, ZapierReleaseTriggerMessageSignal, injectCliLogin, BaseSdkOptionsSchema, isCredentialsObject, invalidateCachedToken, buildApplicationLifecycleEvent, batch, toSnakeCase, ZapierAbortDrainSignal, createZapierSdk as createZapierSdk$1, ZapierError, isPositional, runWithTelemetryContext, buildCapabilityMessage, formatErrorMessage, getOsInfo, getPlatformVersions, getCiPlatform, isCi, getReleaseId, getCurrentTimestamp, generateEventId } from '@zapier/zapier-sdk';
 import inquirer from 'inquirer';
 import chalk7 from 'chalk';
 import ora from 'ora';
 import util from 'util';
 import wrapAnsi from 'wrap-ansi';
+import * as jwt from 'jsonwebtoken';
+import { deletePassword, getKeyring, getPassword, setPassword } from 'cross-keychain';
 import Conf from 'conf';
 import * as fs from 'fs';
 import { promises, createWriteStream, existsSync, readdirSync, rmSync, mkdirSync, writeFileSync, copyFileSync, readFileSync } from 'fs';
-import * as jwt from 'jsonwebtoken';
-import { getPassword, getKeyring, setPassword, deletePassword } from 'cross-keychain';
 import crypto, { createHash } from 'crypto';
 import * as path from 'path';
 import { resolve, join, dirname, basename, relative, extname } from 'path';
 import * as lockfile from 'proper-lockfile';
+import { hostname } from 'os';
 import open from 'open';
 import express from 'express';
 import pkceChallenge from 'pkce-challenge';
@@ -898,11 +899,18 @@ Optional fields${pathContext}:`));
     const choices = [...initialChoices];
     let nextCursor = initialCursor;
     const LOAD_MORE_SENTINEL = Symbol("LOAD_MORE");
+    const CUSTOM_VALUE_SENTINEL = Symbol("CUSTOM_VALUE");
     while (true) {
       const promptChoices = choices.map((choice) => ({
         name: choice.label,
         value: choice.value
       }));
+      if (!fieldMeta.isMultiSelect) {
+        promptChoices.unshift({
+          name: chalk7.dim("(Enter custom value)"),
+          value: CUSTOM_VALUE_SENTINEL
+        });
+      }
       if (nextCursor) {
         promptChoices.push({
           name: chalk7.dim("(Load more...)"),
@@ -928,6 +936,9 @@ Optional fields${pathContext}:`));
       };
       const answer = await inquirer.prompt([promptConfig]);
       let selectedValue = answer[fieldMeta.key];
+      if (selectedValue === CUSTOM_VALUE_SENTINEL) {
+        return await this.promptFreeForm(fieldMeta);
+      }
       const wantsMore = fieldMeta.isMultiSelect ? Array.isArray(selectedValue) && selectedValue.includes(LOAD_MORE_SENTINEL) : selectedValue === LOAD_MORE_SENTINEL;
       if (wantsMore && nextCursor && context) {
         if (fieldMeta.isMultiSelect && Array.isArray(selectedValue)) {
@@ -1138,7 +1149,7 @@ var SHARED_COMMAND_CLI_OPTIONS = [
 
 // package.json
 var package_default = {
-  version: "0.46.1"};
+  version: "0.48.0"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {
@@ -2290,8 +2301,11 @@ function convertValue(value, type, elementType) {
 var login_exports = {};
 __export(login_exports, {
   AUTH_MODE_HEADER: () => AUTH_MODE_HEADER,
+  DEFAULT_AUTH_BASE_URL: () => DEFAULT_AUTH_BASE_URL,
   ZapierAuthenticationError: () => ZapierAuthenticationError,
+  clearTokensFromKeychain: () => clearTokensFromKeychain,
   createCache: () => createCache,
+  getActiveCredentials: () => getActiveCredentials,
   getAuthAuthorizeUrl: () => getAuthAuthorizeUrl,
   getAuthTokenUrl: () => getAuthTokenUrl,
   getConfig: () => getConfig,
@@ -2299,6 +2313,7 @@ __export(login_exports, {
   getLoggedInUser: () => getLoggedInUser,
   getLoginStorageMode: () => getLoginStorageMode,
   getPkceLoginConfig: () => getPkceLoginConfig,
+  getStoredClientCredentials: () => getStoredClientCredentials,
   getToken: () => getToken,
   logout: () => logout,
   unloadConfig: () => unloadConfig,
@@ -2379,6 +2394,38 @@ async function clearTokensFromKeychain({
     }
   });
 }
+var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+var config = null;
+function getConfig() {
+  if (!config) {
+    config = new Conf({ projectName: "zapier-sdk-cli" });
+    if (!config.has("login_storage_mode")) {
+      config.set(
+        "login_storage_mode",
+        existsSync(config.path) ? "config" : "keychain"
+      );
+    }
+  }
+  return config;
+}
+function resetConfig() {
+  config = null;
+}
+
+// src/login/legacy-jwt.ts
+function clearLegacyJwtConfigKeys(config2) {
+  config2.delete("login_jwt");
+  config2.delete("login_refresh_token");
+  config2.delete("login_expires_at");
+}
+async function clearLegacyJwtState() {
+  clearLegacyJwtConfigKeys(getConfig());
+  await clearTokensFromKeychain();
+}
+function hasLegacyJwtConfig() {
+  const cfg = getConfig();
+  return typeof cfg.get("login_jwt") === "string" || typeof cfg.get("login_refresh_token") === "string" || typeof cfg.get("login_expires_at") === "number";
+}
 var SERVICE2 = "zapier-sdk-cache";
 var CONFIG_KEY = "cache";
 var LOCK_UPDATE_MS = 5e3;
@@ -2506,6 +2553,163 @@ function createCache() {
     }
   };
 }
+var SERVICE3 = "zapier-sdk-cli";
+var CREDENTIALS_KEY = "credentials";
+var REGISTRY_KEY = "credentialsRegistry";
+var CredentialsEntrySchema = z.object({
+  name: z.string(),
+  clientId: z.string(),
+  createdAt: z.number(),
+  scopes: z.array(z.string()),
+  baseUrl: z.string()
+});
+function normalizeBaseUrl(baseUrl2) {
+  return baseUrl2 ?? DEFAULT_AUTH_BASE_URL;
+}
+function keychainAccount2(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+function buildKeychainKey(clientId, scopes, baseUrl2) {
+  const sortedScopes = [...scopes].sort().join(",");
+  return `zapier-sdk/client-credentials-secret/${clientId}:${sortedScopes}:${baseUrl2}`;
+}
+function findEntry(registry, name, baseUrl2) {
+  return registry.find((e) => e.name === name && e.baseUrl === baseUrl2);
+}
+function readRegistry() {
+  const stored = getConfig().get(REGISTRY_KEY);
+  if (!Array.isArray(stored)) return [];
+  return stored.flatMap((entry) => {
+    const result = CredentialsEntrySchema.safeParse(entry);
+    return result.success ? [result.data] : [];
+  });
+}
+function getActiveCredentials(options) {
+  const name = getConfig().get(CREDENTIALS_KEY);
+  if (!name) return void 0;
+  return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
+}
+async function storeClientCredentials({
+  name,
+  clientId,
+  clientSecret,
+  scopes,
+  baseUrl: baseUrl2
+}) {
+  if (!name || typeof name !== "string") {
+    throw new Error("storeClientCredentials: name is required");
+  }
+  if (!clientId || typeof clientId !== "string") {
+    throw new Error("storeClientCredentials: clientId is required");
+  }
+  if (!clientSecret || typeof clientSecret !== "string") {
+    throw new Error("storeClientCredentials: clientSecret is required");
+  }
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    throw new Error("storeClientCredentials: scopes must be a non-empty array");
+  }
+  const sortedScopes = [...scopes].sort();
+  const resolvedBaseUrl = normalizeBaseUrl(baseUrl2);
+  const keychainKey = buildKeychainKey(clientId, sortedScopes, resolvedBaseUrl);
+  const existingEntry = findEntry(readRegistry(), name, resolvedBaseUrl);
+  const existingKeychainKey = existingEntry ? buildKeychainKey(
+    existingEntry.clientId,
+    existingEntry.scopes,
+    existingEntry.baseUrl
+  ) : void 0;
+  await enqueue(async () => {
+    await getBackendInfo();
+    await setPassword(SERVICE3, keychainAccount2(keychainKey), clientSecret);
+  });
+  const entry = {
+    name,
+    clientId,
+    createdAt: Date.now(),
+    scopes: sortedScopes,
+    baseUrl: resolvedBaseUrl
+  };
+  const registry = readRegistry().filter(
+    (e) => !(e.name === name && e.baseUrl === resolvedBaseUrl)
+  );
+  registry.push(entry);
+  const cfg = getConfig();
+  cfg.set(REGISTRY_KEY, registry);
+  cfg.set(CREDENTIALS_KEY, name);
+  if (existingEntry && existingKeychainKey !== keychainKey) {
+    await deleteKeychainSecret(existingEntry);
+  }
+}
+function credentialsNameExists({
+  name,
+  baseUrl: baseUrl2
+}) {
+  return !!findEntry(readRegistry(), name, normalizeBaseUrl(baseUrl2));
+}
+async function getStoredClientCredentials(options) {
+  const entry = options?.name ? findEntry(readRegistry(), options.name, normalizeBaseUrl(options.baseUrl)) : getActiveCredentials(options);
+  if (!entry) return void 0;
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  const clientSecret = await enqueue(async () => {
+    await getBackendInfo();
+    return getPassword(SERVICE3, keychainAccount2(keychainKey));
+  });
+  if (!clientSecret) return void 0;
+  return {
+    type: "client_credentials",
+    clientId: entry.clientId,
+    clientSecret,
+    baseUrl: entry.baseUrl,
+    scope: [...entry.scopes].sort().join(" ")
+  };
+}
+function deleteRegistryEntry(registry, name, baseUrl2) {
+  const idx = registry.findIndex(
+    (e) => e.name === name && e.baseUrl === baseUrl2
+  );
+  if (idx === -1) return void 0;
+  const [removed] = registry.splice(idx, 1);
+  return removed;
+}
+function unsetMatchingCredentialsKey(cfg, name) {
+  const activeName = cfg.get(CREDENTIALS_KEY);
+  if (activeName === name && !readRegistry().some((e) => e.name === name)) {
+    cfg.delete(CREDENTIALS_KEY);
+  }
+}
+async function deleteKeychainSecret(entry) {
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  try {
+    await enqueue(async () => {
+      await getBackendInfo();
+      await deletePassword(SERVICE3, keychainAccount2(keychainKey));
+    });
+  } catch {
+  }
+}
+async function deleteStoredClientCredentials({
+  name,
+  baseUrl: baseUrl2
+}) {
+  const registry = readRegistry();
+  const removed = deleteRegistryEntry(
+    registry,
+    name,
+    normalizeBaseUrl(baseUrl2)
+  );
+  if (!removed) return;
+  const cfg = getConfig();
+  cfg.set(REGISTRY_KEY, registry);
+  unsetMatchingCredentialsKey(cfg, name);
+  await deleteKeychainSecret(removed);
+}
 
 // src/login/index.ts
 var ZapierAuthenticationError = class extends Error {
@@ -2514,7 +2718,6 @@ var ZapierAuthenticationError = class extends Error {
     this.name = "ZapierAuthenticationError";
   }
 };
-var config = null;
 var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function createDebugLog(enabled) {
@@ -2540,7 +2743,6 @@ function getAuthClientId(clientId) {
   return clientId || DEFAULT_AUTH_CLIENT_ID;
 }
 var AUTH_MODE_HEADER = "X-Auth";
-var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
 function getAuthTokenUrl(options) {
   const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
   return `${authBaseUrl}/oauth/token/`;
@@ -2550,29 +2752,16 @@ function getAuthAuthorizeUrl(options) {
   return `${authBaseUrl}/oauth/authorize/`;
 }
 function getPkceLoginConfig(options) {
+  const effectiveBaseUrl = options?.credentials?.baseUrl ?? options?.baseUrl;
   return {
     clientId: getAuthClientId(options?.credentials?.clientId),
-    tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
-    authorizeUrl: getAuthAuthorizeUrl({
-      baseUrl: options?.credentials?.baseUrl
-    })
+    tokenUrl: getAuthTokenUrl({ baseUrl: effectiveBaseUrl }),
+    authorizeUrl: getAuthAuthorizeUrl({ baseUrl: effectiveBaseUrl })
   };
 }
 var cachedLogin;
-function getConfig() {
-  if (!config) {
-    config = new Conf({ projectName: "zapier-sdk-cli" });
-    if (!config.has("login_storage_mode")) {
-      config.set(
-        "login_storage_mode",
-        existsSync(config.path) ? "config" : "keychain"
-      );
-    }
-  }
-  return config;
-}
 function unloadConfig() {
-  config = null;
+  resetConfig();
   cachedLogin = void 0;
 }
 async function updateLogin(loginData, options = {}) {
@@ -2845,9 +3034,7 @@ async function logout(options = {}) {
   await clearTokensFromKeychain();
   const cfg = getConfig();
   cfg.set("login_storage_mode", mode);
-  cfg.delete("login_expires_at");
-  cfg.delete("login_jwt");
-  cfg.delete("login_refresh_token");
+  clearLegacyJwtConfigKeys(cfg);
   onEvent?.({
     type: "auth_logout",
     payload: { message: "Logged out successfully", operation: "logout" },
@@ -2859,6 +3046,79 @@ function getConfigPath() {
   return cfg.path;
 }
 
+// src/utils/retry.ts
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+async function withRetry({
+  action,
+  attempts = 3,
+  initialDelayMs = 100
+}) {
+  if (attempts <= 0) {
+    throw new Error("withRetry: attempts must be greater than 0");
+  }
+  let lastError;
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await action();
+    } catch (err) {
+      lastError = err;
+      if (i < attempts - 1) {
+        await sleep(initialDelayMs * 2 ** i);
+      }
+    }
+  }
+  throw lastError;
+}
+
+// src/login/credentials-revoke.ts
+function emitAuthLogout(onEvent) {
+  onEvent?.({
+    type: "auth_logout",
+    payload: { message: "Logged out successfully", operation: "logout" },
+    timestamp: Date.now()
+  });
+}
+function isNotFoundError(err) {
+  return typeof err === "object" && err !== null && "statusCode" in err && err.statusCode === 404;
+}
+async function revokeCredentials({
+  api: api2,
+  credentials: credentials2,
+  onEvent
+}) {
+  await withRetry({
+    action: async () => {
+      try {
+        await api2.delete(
+          `/api/v0/client-credentials/${credentials2.clientId}`,
+          void 0,
+          { authRequired: true, requiredScopes: ["credentials"] }
+        );
+      } catch (err) {
+        if (isNotFoundError(err)) return;
+        throw err;
+      }
+    }
+  });
+  try {
+    await deleteStoredClientCredentials({
+      name: credentials2.name,
+      baseUrl: credentials2.baseUrl
+    });
+  } catch (err) {
+    console.warn("[revokeCredentials] Local store cleanup failed:", err);
+  }
+  await clearLegacyJwtState();
+  await invalidateCachedToken({
+    clientId: credentials2.clientId,
+    scopes: credentials2.scopes,
+    baseUrl: credentials2.baseUrl
+  });
+  emitAuthLogout(onEvent);
+}
+
 // src/utils/constants.ts
 var LOGIN_PORTS = [49505, 50575, 52804, 55981, 61010, 63851];
 var LOGIN_TIMEOUT_MS = 3e5;
@@ -2944,6 +3204,8 @@ var getCallablePromise = () => {
   };
 };
 var getCallablePromise_default = getCallablePromise;
+
+// src/utils/auth/oauth-flow.ts
 var findAvailablePort = () => {
   return new Promise((resolve4, reject) => {
     let portIndex = 0;
@@ -2978,10 +3240,9 @@ var findAvailablePort = () => {
 var generateRandomString = () => {
   const array = new Uint32Array(28);
   crypto.getRandomValues(array);
-  return Array.from(
-    array,
-    (dec) => ("0" + dec.toString(16)).substring(-2)
-  ).join("");
+  return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join(
+    ""
+  );
 };
 function ensureOfflineAccess(scope) {
   if (scope.includes("offline_access")) {
@@ -2989,17 +3250,18 @@ function ensureOfflineAccess(scope) {
   }
   return `${scope} offline_access`;
 }
-var login = async ({
+async function runOauthFlow({
   timeoutMs = LOGIN_TIMEOUT_MS,
-  credentials: credentials2
-}) => {
+  pkceCredentials,
+  baseUrl: baseUrl2
+}) {
   const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
-    credentials: credentials2
+    credentials: pkceCredentials,
+    baseUrl: baseUrl2
   });
   const scope = ensureOfflineAccess(
-    credentials2?.scope || "internal credentials"
+    pkceCredentials?.scope || "internal credentials"
   );
-  await logout();
   const availablePort = await findAvailablePort();
   const redirectUri = `http://localhost:${availablePort}/oauth`;
   log_default.info(`Using port ${availablePort} for OAuth callback`);
@@ -3008,13 +3270,30 @@ var login = async ({
     resolve: setCode,
     reject: rejectCode
   } = getCallablePromise_default();
-  const app = express();
-  app.get("/oauth", (req, res) => {
-    setCode(String(req.query.code));
+  const oauthState = generateRandomString();
+  const expressApp = express();
+  expressApp.get("/oauth", (req, res) => {
     res.setHeader("Connection", "close");
+    if (req.query.state !== oauthState) {
+      rejectCode(new Error("OAuth state mismatch \u2014 possible CSRF"));
+      res.status(400).end("Invalid state. You can close this tab.");
+      return;
+    }
+    if (req.query.error) {
+      const desc = req.query.error_description ?? req.query.error;
+      rejectCode(new Error(`Authorization denied: ${desc}`));
+      res.end("Authorization was denied. You can close this tab.");
+      return;
+    }
+    if (!req.query.code) {
+      rejectCode(new Error("No authorization code received"));
+      res.end("No authorization code received. You can close this tab.");
+      return;
+    }
+    setCode(String(req.query.code));
     res.end("You can now close this tab and return to the CLI.");
   });
-  const server = app.listen(availablePort);
+  const server = expressApp.listen(availablePort);
   const connections = /* @__PURE__ */ new Set();
   server.on("connection", (conn) => {
     connections.add(conn);
@@ -3033,7 +3312,7 @@ var login = async ({
     client_id: clientId,
     redirect_uri: redirectUri,
     scope,
-    state: generateRandomString(),
+    state: oauthState,
     code_challenge: codeChallenge,
     code_challenge_method: "S256"
   }).toString()}`;
@@ -3092,36 +3371,79 @@ var login = async ({
       }
     }
   );
-  let targetStorage;
-  if (getLoginStorageMode() === "config") {
-    const { upgrade } = await inquirer.prompt([
-      {
-        type: "confirm",
-        name: "upgrade",
-        message: "Would you like to upgrade to system keychain storage? This is recommended to securely store your credentials. However, note that older SDK/CLI versions will NOT be able to read these credentials, so you will want to upgrade them to the latest version.",
-        default: true
-      }
-    ]);
-    targetStorage = upgrade ? "keychain" : "config";
-  } else {
-    targetStorage = "keychain";
-  }
+  log_default.info("Token exchange completed successfully");
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in
+  };
+}
+
+// src/utils/auth/client-credentials.ts
+var CREDENTIALS_SCOPES = ["external", "credentials"];
+async function createCredentialsOnServer(api2, name) {
+  const response = await api2.post(
+    "/api/v0/client-credentials",
+    { name, allowed_scopes: CREDENTIALS_SCOPES },
+    { authRequired: true, requiredScopes: ["credentials"] }
+  );
+  return {
+    clientId: response.data.client_id,
+    clientSecret: response.data.client_secret
+  };
+}
+async function deleteCredentialsOnServer(api2, clientId) {
+  await api2.delete(`/api/v0/client-credentials/${clientId}`, void 0, {
+    authRequired: true,
+    requiredScopes: ["credentials"]
+  });
+}
+async function setupClientCredentials({
+  api: api2,
+  name,
+  credentialsBaseUrl: credentialsBaseUrl2
+}) {
+  const { clientId, clientSecret } = await createCredentialsOnServer(api2, name);
   try {
-    await updateLogin(data, { storage: targetStorage });
-  } catch (err) {
-    if (targetStorage === "keychain") {
-      log_default.warn(
-        `Could not store credentials in system keychain. Storing in plaintext at ${getConfigPath()}.`
+    await withRetry({
+      action: () => storeClientCredentials({
+        name,
+        clientId,
+        clientSecret,
+        scopes: [...CREDENTIALS_SCOPES],
+        baseUrl: credentialsBaseUrl2
+      })
+    });
+  } catch (storeErr) {
+    try {
+      await withRetry({
+        action: () => deleteCredentialsOnServer(api2, clientId)
+      });
+    } catch {
+      console.error(
+        `Failed to roll back orphaned credential ${clientId}. Delete it manually with: zapier-sdk delete-client-credentials ${clientId}`
       );
-      await updateLogin(data, { storage: "config" });
-    } else {
-      throw err;
     }
+    throw storeErr;
   }
-  log_default.info("Token exchange completed successfully");
-  return data.access_token;
-};
-var login_default = login;
+  return { clientId };
+}
+function getBaseUrlFromResolvedCredentials(credentials2) {
+  if (credentials2 && isCredentialsObject(credentials2)) {
+    return credentials2.baseUrl;
+  }
+  return void 0;
+}
+function getBaseUrlFromOptionsCredentials(credentials2) {
+  if (credentials2 && typeof credentials2 === "object" && "baseUrl" in credentials2 && typeof credentials2.baseUrl === "string") {
+    return credentials2.baseUrl;
+  }
+  return void 0;
+}
+async function resolveCredentialsBaseUrl(context) {
+  const resolvedCredentials = "resolvedCredentials" in context ? context.resolvedCredentials : await context.resolveCredentials?.();
+  return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
+}
 var LoginSchema = z.object({
   timeout: z.string().optional().describe("Login timeout in seconds (default: 300)")
 }).describe("Log in to Zapier to access your account");
@@ -3138,6 +3460,105 @@ function toPkceCredentials(credentials2) {
   }
   return void 0;
 }
+async function confirmRevokeAndRelogin(activeCredentials) {
+  const { confirmed } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: `You are already logged in as "${activeCredentials.name}".
+Logging out will delete these credentials and may interrupt other Zapier SDK or CLI sessions using them.
+Log out and log in again?`,
+      default: false
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+async function confirmJwtMigration() {
+  const { confirmed } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: "We're upgrading your login to client credentials for a simpler, more reliable experience and to support future security controls. Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. Continue?",
+      default: true
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+async function confirmLocalLoginReset() {
+  const { confirmed } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: "Login cleanup failed. Reset local session state and continue?",
+      default: false
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+function parseTimeoutSeconds(timeout) {
+  const timeoutSeconds = timeout ? parseInt(timeout, 10) : 300;
+  if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
+    throw new Error("Timeout must be a positive number");
+  }
+  return timeoutSeconds;
+}
+async function promptCredentialsName(email, baseUrl2) {
+  const { credentialName } = await inquirer.prompt([
+    {
+      type: "input",
+      name: "credentialName",
+      message: "Enter a name to identify them:",
+      default: `${email}@${hostname()}`,
+      validate: (input) => {
+        if (!input.trim()) return "Name cannot be empty";
+        if (credentialsNameExists({ name: input.trim(), baseUrl: baseUrl2 })) {
+          return `Credentials named "${input.trim()}" already exist. Please provide a different name.`;
+        }
+        return true;
+      }
+    }
+  ]);
+  return credentialName;
+}
+function emitLoginSuccess({
+  sdk,
+  profile
+}) {
+  sdk.context.eventEmission.emit(
+    "platform.sdk.ApplicationLifecycleEvent",
+    buildApplicationLifecycleEvent(
+      { lifecycle_event_type: "login_success" },
+      {
+        customuser_id: profile.user_id,
+        account_id: profile.roles[0]?.account_id ?? null
+      }
+    )
+  );
+}
+async function getProfile(api2) {
+  return api2.get("/zapier/api/v4/profile/", {
+    authRequired: true
+  });
+}
+async function bestEffortClearLegacyJwtState() {
+  try {
+    await clearLegacyJwtState();
+  } catch (err) {
+    console.error("[login] Best-effort legacy JWT cleanup failed:", err);
+  }
+}
 var loginPlugin = definePlugin(
   (sdk) => createPluginMethod(sdk, {
     name: "login",
@@ -3145,25 +3566,61 @@ var loginPlugin = definePlugin(
     inputSchema: LoginSchema,
     supportsJsonOutput: false,
     handler: async ({ sdk: sdk2, options }) => {
-      const timeoutSeconds = options.timeout ? parseInt(options.timeout, 10) : 300;
-      if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
-        throw new Error("Timeout must be a positive number");
-      }
+      const timeoutSeconds = parseTimeoutSeconds(options.timeout);
       const resolvedCredentials = await sdk2.context.resolveCredentials();
       const pkceCredentials = toPkceCredentials(resolvedCredentials);
-      await login_default({
+      const credentialsBaseUrl2 = await resolveCredentialsBaseUrl({
+        ...sdk2.context,
+        resolvedCredentials
+      });
+      const activeCredentials = getActiveCredentials({
+        baseUrl: credentialsBaseUrl2
+      });
+      if (activeCredentials) {
+        if (!await confirmRevokeAndRelogin(activeCredentials)) return;
+        try {
+          await revokeCredentials({
+            api: sdk2.context.api,
+            credentials: activeCredentials
+          });
+        } catch {
+          if (!await confirmLocalLoginReset()) return;
+          await deleteStoredClientCredentials({
+            name: activeCredentials.name,
+            baseUrl: activeCredentials.baseUrl
+          });
+        }
+      } else if (hasLegacyJwtConfig()) {
+        if (!await confirmJwtMigration()) return;
+      }
+      const { accessToken } = await runOauthFlow({
         timeoutMs: timeoutSeconds * 1e3,
-        credentials: pkceCredentials
+        pkceCredentials,
+        baseUrl: credentialsBaseUrl2
       });
-      const user = await getLoggedInUser();
-      sdk2.context.eventEmission.emit(
-        "platform.sdk.ApplicationLifecycleEvent",
-        buildApplicationLifecycleEvent(
-          { lifecycle_event_type: "login_success" },
-          { customuser_id: user.customUserId, account_id: user.accountId }
-        )
+      const scopedApi = getOrCreateApiClient({
+        credentials: accessToken,
+        baseUrl: credentialsBaseUrl2
+      });
+      const profile = await getProfile(scopedApi);
+      console.log(`\u{1F464} Logged in as ${profile.email}`);
+      console.log(
+        "\nGenerating credentials so this machine can make authenticated requests on your behalf."
+      );
+      const credentialName = await promptCredentialsName(
+        profile.email,
+        credentialsBaseUrl2
+      );
+      await setupClientCredentials({
+        api: scopedApi,
+        name: credentialName,
+        credentialsBaseUrl: credentialsBaseUrl2
+      });
+      await bestEffortClearLegacyJwtState();
+      console.log(
+        `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
       );
-      console.log(`\u2705 Successfully logged in as ${user.email}`);
+      emitLoginSuccess({ sdk: sdk2, profile });
     }
   })
 );
@@ -3176,8 +3633,36 @@ var logoutPlugin = definePlugin(
     categories: ["account"],
     inputSchema: LogoutSchema,
     supportsJsonOutput: false,
-    handler: async () => {
-      await logout();
+    handler: async ({ sdk: sdk2 }) => {
+      const credentialsBaseUrl2 = await resolveCredentialsBaseUrl(sdk2.context);
+      const activeCredentials = getActiveCredentials({
+        baseUrl: credentialsBaseUrl2
+      });
+      const onEvent = sdk2.context.options?.onEvent;
+      if (!activeCredentials) {
+        await logout({ onEvent });
+        console.log("\u2705 Successfully logged out");
+        return;
+      }
+      const { confirmed } = await inquirer.prompt([
+        {
+          type: "confirm",
+          name: "confirmed",
+          message: `Logging out will delete credentials "${activeCredentials.name}".
+This may interrupt other Zapier SDK or CLI sessions using them.
+Do you want to continue?`,
+          default: true
+        }
+      ]);
+      if (!confirmed) {
+        console.log("Logout cancelled.");
+        return;
+      }
+      await revokeCredentials({
+        api: sdk2.context.api,
+        credentials: activeCredentials,
+        onEvent
+      });
       console.log("\u2705 Successfully logged out");
     }
   })
@@ -5694,7 +6179,7 @@ var watchTriggerInboxCliPlugin = definePlugin(
 // package.json with { type: 'json' }
 var package_default2 = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.46.1"};
+  version: "0.48.0"};
 
 // src/sdk.ts
 injectCliLogin(login_exports);