npm - @zapier/zapier-sdk-cli - Versions diffs - 0.46.1 → 0.48.0 - Mend

@zapier/zapier-sdk-cli 0.46.1 → 0.48.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/CHANGELOG.md +20 -0
package/README.md +1 -1
package/dist/cli.cjs +569 -84
package/dist/cli.mjs +569 -84
package/dist/experimental.cjs +561 -86
package/dist/experimental.mjs +560 -85
package/dist/index.cjs +562 -87
package/dist/index.mjs +561 -86
package/dist/login.cjs +94 -25
package/dist/login.d.mts +29 -2
package/dist/login.d.ts +29 -2
package/dist/login.mjs +90 -25
package/dist/package.json +1 -1
package/dist/src/login/config.d.ts +4 -0
package/dist/src/login/config.js +21 -0
package/dist/src/login/credentials-revoke.d.ts +13 -0
package/dist/src/login/credentials-revoke.js +48 -0
package/dist/src/login/credentials-store.d.ts +33 -0
package/dist/src/login/credentials-store.js +142 -0
package/dist/src/login/index.d.ts +5 -2
package/dist/src/login/index.js +11 -27
package/dist/src/login/legacy-jwt.d.ts +4 -0
package/dist/src/login/legacy-jwt.js +18 -0
package/dist/src/plugins/auth/credentials-base-url.d.ts +11 -0
package/dist/src/plugins/auth/credentials-base-url.js +24 -0
package/dist/src/plugins/login/index.d.ts +6 -1
package/dist/src/plugins/login/index.js +154 -14
package/dist/src/plugins/logout/index.d.ts +14 -0
package/dist/src/plugins/logout/index.js +35 -3
package/dist/src/utils/auth/client-credentials.d.ts +16 -0
package/dist/src/utils/auth/client-credentials.js +53 -0
package/dist/src/utils/auth/oauth-flow.d.ts +12 -0
package/dist/src/utils/auth/{login.js → oauth-flow.js} +36 -58
package/dist/src/utils/parameter-resolver.js +13 -0
package/dist/src/utils/retry.d.ts +5 -0
package/dist/src/utils/retry.js +21 -0
package/dist/tsconfig.tsbuildinfo +1 -1
package/package.json +3 -3
package/dist/src/utils/auth/login.d.ts +0 -7

package/dist/experimental.cjs CHANGED Viewed

@@ -1,21 +1,22 @@
 'use strict';
-var Conf = require('conf');
-var fs = require('fs');
 var jwt = require('jsonwebtoken');
 var crossKeychain = require('cross-keychain');
+var Conf = require('conf');
+var fs = require('fs');
 var crypto = require('crypto');
 var path = require('path');
 var lockfile = require('proper-lockfile');
+var zod = require('zod');
 var experimental = require('@zapier/zapier-sdk/experimental');
+var os = require('os');
 var zapierSdk = require('@zapier/zapier-sdk');
+var inquirer = require('inquirer');
 var open = require('open');
 var express = require('express');
 var pkceChallenge = require('pkce-challenge');
 var ora = require('ora');
 var chalk3 = require('chalk');
-var inquirer = require('inquirer');
-var zod = require('zod');
 var zapierSdkMcp = require('@zapier/zapier-sdk-mcp');
 var esbuild = require('esbuild');
 var promises = require('fs/promises');
@@ -47,18 +48,18 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
+var jwt__namespace = /*#__PURE__*/_interopNamespace(jwt);
 var Conf__default = /*#__PURE__*/_interopDefault(Conf);
 var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
-var jwt__namespace = /*#__PURE__*/_interopNamespace(jwt);
 var crypto__default = /*#__PURE__*/_interopDefault(crypto);
 var path__namespace = /*#__PURE__*/_interopNamespace(path);
 var lockfile__namespace = /*#__PURE__*/_interopNamespace(lockfile);
+var inquirer__default = /*#__PURE__*/_interopDefault(inquirer);
 var open__default = /*#__PURE__*/_interopDefault(open);
 var express__default = /*#__PURE__*/_interopDefault(express);
 var pkceChallenge__default = /*#__PURE__*/_interopDefault(pkceChallenge);
 var ora__default = /*#__PURE__*/_interopDefault(ora);
 var chalk3__default = /*#__PURE__*/_interopDefault(chalk3);
-var inquirer__default = /*#__PURE__*/_interopDefault(inquirer);
 var ts__namespace = /*#__PURE__*/_interopNamespace(ts);
 var Handlebars__default = /*#__PURE__*/_interopDefault(Handlebars);
@@ -72,8 +73,11 @@ var __export = (target, all) => {
 var login_exports = {};
 __export(login_exports, {
   AUTH_MODE_HEADER: () => AUTH_MODE_HEADER,
+  DEFAULT_AUTH_BASE_URL: () => DEFAULT_AUTH_BASE_URL,
   ZapierAuthenticationError: () => ZapierAuthenticationError,
+  clearTokensFromKeychain: () => clearTokensFromKeychain,
   createCache: () => createCache,
+  getActiveCredentials: () => getActiveCredentials,
   getAuthAuthorizeUrl: () => getAuthAuthorizeUrl,
   getAuthTokenUrl: () => getAuthTokenUrl,
   getConfig: () => getConfig,
@@ -81,6 +85,7 @@ __export(login_exports, {
   getLoggedInUser: () => getLoggedInUser,
   getLoginStorageMode: () => getLoginStorageMode,
   getPkceLoginConfig: () => getPkceLoginConfig,
+  getStoredClientCredentials: () => getStoredClientCredentials,
   getToken: () => getToken,
   logout: () => logout,
   unloadConfig: () => unloadConfig,
@@ -161,6 +166,38 @@ async function clearTokensFromKeychain({
     }
   });
 }
+var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+var config = null;
+function getConfig() {
+  if (!config) {
+    config = new Conf__default.default({ projectName: "zapier-sdk-cli" });
+    if (!config.has("login_storage_mode")) {
+      config.set(
+        "login_storage_mode",
+        fs.existsSync(config.path) ? "config" : "keychain"
+      );
+    }
+  }
+  return config;
+}
+function resetConfig() {
+  config = null;
+}
+// src/login/legacy-jwt.ts
+function clearLegacyJwtConfigKeys(config2) {
+  config2.delete("login_jwt");
+  config2.delete("login_refresh_token");
+  config2.delete("login_expires_at");
+}
+async function clearLegacyJwtState() {
+  clearLegacyJwtConfigKeys(getConfig());
+  await clearTokensFromKeychain();
+}
+function hasLegacyJwtConfig() {
+  const cfg = getConfig();
+  return typeof cfg.get("login_jwt") === "string" || typeof cfg.get("login_refresh_token") === "string" || typeof cfg.get("login_expires_at") === "number";
+}
 var SERVICE2 = "zapier-sdk-cache";
 var CONFIG_KEY = "cache";
 var LOCK_UPDATE_MS = 5e3;
@@ -288,6 +325,163 @@ function createCache() {
     }
   };
 }
+var SERVICE3 = "zapier-sdk-cli";
+var CREDENTIALS_KEY = "credentials";
+var REGISTRY_KEY = "credentialsRegistry";
+var CredentialsEntrySchema = zod.z.object({
+  name: zod.z.string(),
+  clientId: zod.z.string(),
+  createdAt: zod.z.number(),
+  scopes: zod.z.array(zod.z.string()),
+  baseUrl: zod.z.string()
+});
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl ?? DEFAULT_AUTH_BASE_URL;
+}
+function keychainAccount2(key) {
+  return crypto.createHash("sha256").update(key).digest("hex");
+}
+function buildKeychainKey(clientId, scopes, baseUrl) {
+  const sortedScopes = [...scopes].sort().join(",");
+  return `zapier-sdk/client-credentials-secret/${clientId}:${sortedScopes}:${baseUrl}`;
+}
+function findEntry(registry, name, baseUrl) {
+  return registry.find((e) => e.name === name && e.baseUrl === baseUrl);
+}
+function readRegistry() {
+  const stored = getConfig().get(REGISTRY_KEY);
+  if (!Array.isArray(stored)) return [];
+  return stored.flatMap((entry) => {
+    const result = CredentialsEntrySchema.safeParse(entry);
+    return result.success ? [result.data] : [];
+  });
+}
+function getActiveCredentials(options) {
+  const name = getConfig().get(CREDENTIALS_KEY);
+  if (!name) return void 0;
+  return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
+}
+async function storeClientCredentials({
+  name,
+  clientId,
+  clientSecret,
+  scopes,
+  baseUrl
+}) {
+  if (!name || typeof name !== "string") {
+    throw new Error("storeClientCredentials: name is required");
+  }
+  if (!clientId || typeof clientId !== "string") {
+    throw new Error("storeClientCredentials: clientId is required");
+  }
+  if (!clientSecret || typeof clientSecret !== "string") {
+    throw new Error("storeClientCredentials: clientSecret is required");
+  }
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    throw new Error("storeClientCredentials: scopes must be a non-empty array");
+  }
+  const sortedScopes = [...scopes].sort();
+  const resolvedBaseUrl = normalizeBaseUrl(baseUrl);
+  const keychainKey = buildKeychainKey(clientId, sortedScopes, resolvedBaseUrl);
+  const existingEntry = findEntry(readRegistry(), name, resolvedBaseUrl);
+  const existingKeychainKey = existingEntry ? buildKeychainKey(
+    existingEntry.clientId,
+    existingEntry.scopes,
+    existingEntry.baseUrl
+  ) : void 0;
+  await enqueue(async () => {
+    await getBackendInfo();
+    await crossKeychain.setPassword(SERVICE3, keychainAccount2(keychainKey), clientSecret);
+  });
+  const entry = {
+    name,
+    clientId,
+    createdAt: Date.now(),
+    scopes: sortedScopes,
+    baseUrl: resolvedBaseUrl
+  };
+  const registry = readRegistry().filter(
+    (e) => !(e.name === name && e.baseUrl === resolvedBaseUrl)
+  );
+  registry.push(entry);
+  const cfg = getConfig();
+  cfg.set(REGISTRY_KEY, registry);
+  cfg.set(CREDENTIALS_KEY, name);
+  if (existingEntry && existingKeychainKey !== keychainKey) {
+    await deleteKeychainSecret(existingEntry);
+  }
+}
+function credentialsNameExists({
+  name,
+  baseUrl
+}) {
+  return !!findEntry(readRegistry(), name, normalizeBaseUrl(baseUrl));
+}
+async function getStoredClientCredentials(options) {
+  const entry = options?.name ? findEntry(readRegistry(), options.name, normalizeBaseUrl(options.baseUrl)) : getActiveCredentials(options);
+  if (!entry) return void 0;
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  const clientSecret = await enqueue(async () => {
+    await getBackendInfo();
+    return crossKeychain.getPassword(SERVICE3, keychainAccount2(keychainKey));
+  });
+  if (!clientSecret) return void 0;
+  return {
+    type: "client_credentials",
+    clientId: entry.clientId,
+    clientSecret,
+    baseUrl: entry.baseUrl,
+    scope: [...entry.scopes].sort().join(" ")
+  };
+}
+function deleteRegistryEntry(registry, name, baseUrl) {
+  const idx = registry.findIndex(
+    (e) => e.name === name && e.baseUrl === baseUrl
+  );
+  if (idx === -1) return void 0;
+  const [removed] = registry.splice(idx, 1);
+  return removed;
+}
+function unsetMatchingCredentialsKey(cfg, name) {
+  const activeName = cfg.get(CREDENTIALS_KEY);
+  if (activeName === name && !readRegistry().some((e) => e.name === name)) {
+    cfg.delete(CREDENTIALS_KEY);
+  }
+}
+async function deleteKeychainSecret(entry) {
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  try {
+    await enqueue(async () => {
+      await getBackendInfo();
+      await crossKeychain.deletePassword(SERVICE3, keychainAccount2(keychainKey));
+    });
+  } catch {
+  }
+}
+async function deleteStoredClientCredentials({
+  name,
+  baseUrl
+}) {
+  const registry = readRegistry();
+  const removed = deleteRegistryEntry(
+    registry,
+    name,
+    normalizeBaseUrl(baseUrl)
+  );
+  if (!removed) return;
+  const cfg = getConfig();
+  cfg.set(REGISTRY_KEY, registry);
+  unsetMatchingCredentialsKey(cfg, name);
+  await deleteKeychainSecret(removed);
+}
 // src/login/index.ts
 var ZapierAuthenticationError = class extends Error {
@@ -296,7 +490,6 @@ var ZapierAuthenticationError = class extends Error {
     this.name = "ZapierAuthenticationError";
   }
 };
-var config = null;
 var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function createDebugLog(enabled) {
@@ -322,7 +515,6 @@ function getAuthClientId(clientId) {
   return clientId || DEFAULT_AUTH_CLIENT_ID;
 }
 var AUTH_MODE_HEADER = "X-Auth";
-var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
 function getAuthTokenUrl(options) {
   const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
   return `${authBaseUrl}/oauth/token/`;
@@ -332,29 +524,16 @@ function getAuthAuthorizeUrl(options) {
   return `${authBaseUrl}/oauth/authorize/`;
 }
 function getPkceLoginConfig(options) {
+  const effectiveBaseUrl = options?.credentials?.baseUrl ?? options?.baseUrl;
   return {
     clientId: getAuthClientId(options?.credentials?.clientId),
-    tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
-    authorizeUrl: getAuthAuthorizeUrl({
-      baseUrl: options?.credentials?.baseUrl
-    })
+    tokenUrl: getAuthTokenUrl({ baseUrl: effectiveBaseUrl }),
+    authorizeUrl: getAuthAuthorizeUrl({ baseUrl: effectiveBaseUrl })
   };
 }
 var cachedLogin;
-function getConfig() {
-  if (!config) {
-    config = new Conf__default.default({ projectName: "zapier-sdk-cli" });
-    if (!config.has("login_storage_mode")) {
-      config.set(
-        "login_storage_mode",
-        fs.existsSync(config.path) ? "config" : "keychain"
-      );
-    }
-  }
-  return config;
-}
 function unloadConfig() {
-  config = null;
+  resetConfig();
   cachedLogin = void 0;
 }
 async function updateLogin(loginData, options = {}) {
@@ -627,9 +806,7 @@ async function logout(options = {}) {
   await clearTokensFromKeychain();
   const cfg = getConfig();
   cfg.set("login_storage_mode", mode);
-  cfg.delete("login_expires_at");
-  cfg.delete("login_jwt");
-  cfg.delete("login_refresh_token");
+  clearLegacyJwtConfigKeys(cfg);
   onEvent?.({
     type: "auth_logout",
     payload: { message: "Logged out successfully", operation: "logout" },
@@ -641,6 +818,79 @@ function getConfigPath() {
   return cfg.path;
 }
+// src/utils/retry.ts
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+async function withRetry({
+  action,
+  attempts = 3,
+  initialDelayMs = 100
+}) {
+  if (attempts <= 0) {
+    throw new Error("withRetry: attempts must be greater than 0");
+  }
+  let lastError;
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await action();
+    } catch (err) {
+      lastError = err;
+      if (i < attempts - 1) {
+        await sleep(initialDelayMs * 2 ** i);
+      }
+    }
+  }
+  throw lastError;
+}
+// src/login/credentials-revoke.ts
+function emitAuthLogout(onEvent) {
+  onEvent?.({
+    type: "auth_logout",
+    payload: { message: "Logged out successfully", operation: "logout" },
+    timestamp: Date.now()
+  });
+}
+function isNotFoundError(err) {
+  return typeof err === "object" && err !== null && "statusCode" in err && err.statusCode === 404;
+}
+async function revokeCredentials({
+  api: api2,
+  credentials,
+  onEvent
+}) {
+  await withRetry({
+    action: async () => {
+      try {
+        await api2.delete(
+          `/api/v0/client-credentials/${credentials.clientId}`,
+          void 0,
+          { authRequired: true, requiredScopes: ["credentials"] }
+        );
+      } catch (err) {
+        if (isNotFoundError(err)) return;
+        throw err;
+      }
+    }
+  });
+  try {
+    await deleteStoredClientCredentials({
+      name: credentials.name,
+      baseUrl: credentials.baseUrl
+    });
+  } catch (err) {
+    console.warn("[revokeCredentials] Local store cleanup failed:", err);
+  }
+  await clearLegacyJwtState();
+  await zapierSdk.invalidateCachedToken({
+    clientId: credentials.clientId,
+    scopes: credentials.scopes,
+    baseUrl: credentials.baseUrl
+  });
+  emitAuthLogout(onEvent);
+}
 // src/utils/constants.ts
 var LOGIN_PORTS = [49505, 50575, 52804, 55981, 61010, 63851];
 var LOGIN_TIMEOUT_MS = 3e5;
@@ -754,6 +1004,8 @@ var getCallablePromise = () => {
   };
 };
 var getCallablePromise_default = getCallablePromise;
+// src/utils/auth/oauth-flow.ts
 var findAvailablePort = () => {
   return new Promise((resolve4, reject) => {
     let portIndex = 0;
@@ -788,10 +1040,9 @@ var findAvailablePort = () => {
 var generateRandomString = () => {
   const array = new Uint32Array(28);
   crypto__default.default.getRandomValues(array);
-  return Array.from(
-    array,
-    (dec) => ("0" + dec.toString(16)).substring(-2)
-  ).join("");
+  return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join(
+    ""
+  );
 };
 function ensureOfflineAccess(scope) {
   if (scope.includes("offline_access")) {
@@ -799,17 +1050,18 @@ function ensureOfflineAccess(scope) {
   }
   return `${scope} offline_access`;
 }
-var login = async ({
+async function runOauthFlow({
   timeoutMs = LOGIN_TIMEOUT_MS,
-  credentials
-}) => {
+  pkceCredentials,
+  baseUrl
+}) {
   const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
-    credentials
+    credentials: pkceCredentials,
+    baseUrl
   });
   const scope = ensureOfflineAccess(
-    credentials?.scope || "internal credentials"
+    pkceCredentials?.scope || "internal credentials"
   );
-  await logout();
   const availablePort = await findAvailablePort();
   const redirectUri = `http://localhost:${availablePort}/oauth`;
   log_default.info(`Using port ${availablePort} for OAuth callback`);
@@ -818,13 +1070,30 @@ var login = async ({
     resolve: setCode,
     reject: rejectCode
   } = getCallablePromise_default();
-  const app = express__default.default();
-  app.get("/oauth", (req, res) => {
-    setCode(String(req.query.code));
+  const oauthState = generateRandomString();
+  const expressApp = express__default.default();
+  expressApp.get("/oauth", (req, res) => {
     res.setHeader("Connection", "close");
+    if (req.query.state !== oauthState) {
+      rejectCode(new Error("OAuth state mismatch \u2014 possible CSRF"));
+      res.status(400).end("Invalid state. You can close this tab.");
+      return;
+    }
+    if (req.query.error) {
+      const desc = req.query.error_description ?? req.query.error;
+      rejectCode(new Error(`Authorization denied: ${desc}`));
+      res.end("Authorization was denied. You can close this tab.");
+      return;
+    }
+    if (!req.query.code) {
+      rejectCode(new Error("No authorization code received"));
+      res.end("No authorization code received. You can close this tab.");
+      return;
+    }
+    setCode(String(req.query.code));
     res.end("You can now close this tab and return to the CLI.");
   });
-  const server = app.listen(availablePort);
+  const server = expressApp.listen(availablePort);
   const connections = /* @__PURE__ */ new Set();
   server.on("connection", (conn) => {
     connections.add(conn);
@@ -843,7 +1112,7 @@ var login = async ({
     client_id: clientId,
     redirect_uri: redirectUri,
     scope,
-    state: generateRandomString(),
+    state: oauthState,
     code_challenge: codeChallenge,
     code_challenge_method: "S256"
   }).toString()}`;
@@ -902,36 +1171,79 @@ var login = async ({
       }
     }
   );
-  let targetStorage;
-  if (getLoginStorageMode() === "config") {
-    const { upgrade } = await inquirer__default.default.prompt([
-      {
-        type: "confirm",
-        name: "upgrade",
-        message: "Would you like to upgrade to system keychain storage? This is recommended to securely store your credentials. However, note that older SDK/CLI versions will NOT be able to read these credentials, so you will want to upgrade them to the latest version.",
-        default: true
-      }
-    ]);
-    targetStorage = upgrade ? "keychain" : "config";
-  } else {
-    targetStorage = "keychain";
-  }
+  log_default.info("Token exchange completed successfully");
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in
+  };
+}
+// src/utils/auth/client-credentials.ts
+var CREDENTIALS_SCOPES = ["external", "credentials"];
+async function createCredentialsOnServer(api2, name) {
+  const response = await api2.post(
+    "/api/v0/client-credentials",
+    { name, allowed_scopes: CREDENTIALS_SCOPES },
+    { authRequired: true, requiredScopes: ["credentials"] }
+  );
+  return {
+    clientId: response.data.client_id,
+    clientSecret: response.data.client_secret
+  };
+}
+async function deleteCredentialsOnServer(api2, clientId) {
+  await api2.delete(`/api/v0/client-credentials/${clientId}`, void 0, {
+    authRequired: true,
+    requiredScopes: ["credentials"]
+  });
+}
+async function setupClientCredentials({
+  api: api2,
+  name,
+  credentialsBaseUrl
+}) {
+  const { clientId, clientSecret } = await createCredentialsOnServer(api2, name);
   try {
-    await updateLogin(data, { storage: targetStorage });
-  } catch (err) {
-    if (targetStorage === "keychain") {
-      log_default.warn(
-        `Could not store credentials in system keychain. Storing in plaintext at ${getConfigPath()}.`
+    await withRetry({
+      action: () => storeClientCredentials({
+        name,
+        clientId,
+        clientSecret,
+        scopes: [...CREDENTIALS_SCOPES],
+        baseUrl: credentialsBaseUrl
+      })
+    });
+  } catch (storeErr) {
+    try {
+      await withRetry({
+        action: () => deleteCredentialsOnServer(api2, clientId)
+      });
+    } catch {
+      console.error(
+        `Failed to roll back orphaned credential ${clientId}. Delete it manually with: zapier-sdk delete-client-credentials ${clientId}`
       );
-      await updateLogin(data, { storage: "config" });
-    } else {
-      throw err;
     }
+    throw storeErr;
   }
-  log_default.info("Token exchange completed successfully");
-  return data.access_token;
-};
-var login_default = login;
+  return { clientId };
+}
+function getBaseUrlFromResolvedCredentials(credentials) {
+  if (credentials && zapierSdk.isCredentialsObject(credentials)) {
+    return credentials.baseUrl;
+  }
+  return void 0;
+}
+function getBaseUrlFromOptionsCredentials(credentials) {
+  if (credentials && typeof credentials === "object" && "baseUrl" in credentials && typeof credentials.baseUrl === "string") {
+    return credentials.baseUrl;
+  }
+  return void 0;
+}
+async function resolveCredentialsBaseUrl(context) {
+  const resolvedCredentials = "resolvedCredentials" in context ? context.resolvedCredentials : await context.resolveCredentials?.();
+  return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
+}
 var LoginSchema = zod.z.object({
   timeout: zod.z.string().optional().describe("Login timeout in seconds (default: 300)")
 }).describe("Log in to Zapier to access your account");
@@ -948,6 +1260,105 @@ function toPkceCredentials(credentials) {
   }
   return void 0;
 }
+async function confirmRevokeAndRelogin(activeCredentials) {
+  const { confirmed } = await inquirer__default.default.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: `You are already logged in as "${activeCredentials.name}".
+Logging out will delete these credentials and may interrupt other Zapier SDK or CLI sessions using them.
+Log out and log in again?`,
+      default: false
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+async function confirmJwtMigration() {
+  const { confirmed } = await inquirer__default.default.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: "We're upgrading your login to client credentials for a simpler, more reliable experience and to support future security controls. Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. Continue?",
+      default: true
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+async function confirmLocalLoginReset() {
+  const { confirmed } = await inquirer__default.default.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: "Login cleanup failed. Reset local session state and continue?",
+      default: false
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+function parseTimeoutSeconds(timeout) {
+  const timeoutSeconds = timeout ? parseInt(timeout, 10) : 300;
+  if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
+    throw new Error("Timeout must be a positive number");
+  }
+  return timeoutSeconds;
+}
+async function promptCredentialsName(email, baseUrl) {
+  const { credentialName } = await inquirer__default.default.prompt([
+    {
+      type: "input",
+      name: "credentialName",
+      message: "Enter a name to identify them:",
+      default: `${email}@${os.hostname()}`,
+      validate: (input) => {
+        if (!input.trim()) return "Name cannot be empty";
+        if (credentialsNameExists({ name: input.trim(), baseUrl })) {
+          return `Credentials named "${input.trim()}" already exist. Please provide a different name.`;
+        }
+        return true;
+      }
+    }
+  ]);
+  return credentialName;
+}
+function emitLoginSuccess({
+  sdk,
+  profile
+}) {
+  sdk.context.eventEmission.emit(
+    "platform.sdk.ApplicationLifecycleEvent",
+    zapierSdk.buildApplicationLifecycleEvent(
+      { lifecycle_event_type: "login_success" },
+      {
+        customuser_id: profile.user_id,
+        account_id: profile.roles[0]?.account_id ?? null
+      }
+    )
+  );
+}
+async function getProfile(api2) {
+  return api2.get("/zapier/api/v4/profile/", {
+    authRequired: true
+  });
+}
+async function bestEffortClearLegacyJwtState() {
+  try {
+    await clearLegacyJwtState();
+  } catch (err) {
+    console.error("[login] Best-effort legacy JWT cleanup failed:", err);
+  }
+}
 var loginPlugin = zapierSdk.definePlugin(
   (sdk) => zapierSdk.createPluginMethod(sdk, {
     name: "login",
@@ -955,25 +1366,61 @@ var loginPlugin = zapierSdk.definePlugin(
     inputSchema: LoginSchema,
     supportsJsonOutput: false,
     handler: async ({ sdk: sdk2, options }) => {
-      const timeoutSeconds = options.timeout ? parseInt(options.timeout, 10) : 300;
-      if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
-        throw new Error("Timeout must be a positive number");
-      }
+      const timeoutSeconds = parseTimeoutSeconds(options.timeout);
       const resolvedCredentials = await sdk2.context.resolveCredentials();
       const pkceCredentials = toPkceCredentials(resolvedCredentials);
-      await login_default({
+      const credentialsBaseUrl = await resolveCredentialsBaseUrl({
+        ...sdk2.context,
+        resolvedCredentials
+      });
+      const activeCredentials = getActiveCredentials({
+        baseUrl: credentialsBaseUrl
+      });
+      if (activeCredentials) {
+        if (!await confirmRevokeAndRelogin(activeCredentials)) return;
+        try {
+          await revokeCredentials({
+            api: sdk2.context.api,
+            credentials: activeCredentials
+          });
+        } catch {
+          if (!await confirmLocalLoginReset()) return;
+          await deleteStoredClientCredentials({
+            name: activeCredentials.name,
+            baseUrl: activeCredentials.baseUrl
+          });
+        }
+      } else if (hasLegacyJwtConfig()) {
+        if (!await confirmJwtMigration()) return;
+      }
+      const { accessToken } = await runOauthFlow({
         timeoutMs: timeoutSeconds * 1e3,
-        credentials: pkceCredentials
+        pkceCredentials,
+        baseUrl: credentialsBaseUrl
       });
-      const user = await getLoggedInUser();
-      sdk2.context.eventEmission.emit(
-        "platform.sdk.ApplicationLifecycleEvent",
-        zapierSdk.buildApplicationLifecycleEvent(
-          { lifecycle_event_type: "login_success" },
-          { customuser_id: user.customUserId, account_id: user.accountId }
-        )
+      const scopedApi = zapierSdk.getOrCreateApiClient({
+        credentials: accessToken,
+        baseUrl: credentialsBaseUrl
+      });
+      const profile = await getProfile(scopedApi);
+      console.log(`\u{1F464} Logged in as ${profile.email}`);
+      console.log(
+        "\nGenerating credentials so this machine can make authenticated requests on your behalf."
+      );
+      const credentialName = await promptCredentialsName(
+        profile.email,
+        credentialsBaseUrl
       );
-      console.log(`\u2705 Successfully logged in as ${user.email}`);
+      await setupClientCredentials({
+        api: scopedApi,
+        name: credentialName,
+        credentialsBaseUrl
+      });
+      await bestEffortClearLegacyJwtState();
+      console.log(
+        `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
+      );
+      emitLoginSuccess({ sdk: sdk2, profile });
     }
   })
 );
@@ -986,8 +1433,36 @@ var logoutPlugin = zapierSdk.definePlugin(
     categories: ["account"],
     inputSchema: LogoutSchema,
     supportsJsonOutput: false,
-    handler: async () => {
-      await logout();
+    handler: async ({ sdk: sdk2 }) => {
+      const credentialsBaseUrl = await resolveCredentialsBaseUrl(sdk2.context);
+      const activeCredentials = getActiveCredentials({
+        baseUrl: credentialsBaseUrl
+      });
+      const onEvent = sdk2.context.options?.onEvent;
+      if (!activeCredentials) {
+        await logout({ onEvent });
+        console.log("\u2705 Successfully logged out");
+        return;
+      }
+      const { confirmed } = await inquirer__default.default.prompt([
+        {
+          type: "confirm",
+          name: "confirmed",
+          message: `Logging out will delete credentials "${activeCredentials.name}".
+This may interrupt other Zapier SDK or CLI sessions using them.
+Do you want to continue?`,
+          default: true
+        }
+      ]);
+      if (!confirmed) {
+        console.log("Logout cancelled.");
+        return;
+      }
+      await revokeCredentials({
+        api: sdk2.context.api,
+        credentials: activeCredentials,
+        onEvent
+      });
       console.log("\u2705 Successfully logged out");
     }
   })
@@ -3487,7 +3962,7 @@ var watchTriggerInboxCliPlugin = zapierSdk.definePlugin(
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.46.1"};
+  version: "0.48.0"};
 // src/experimental.ts
 experimental.injectCliLogin(login_exports);