@zapier/zapier-sdk-cli 0.47.0 → 0.48.1

package/dist/src/login/credentials-store.js

@@ -0,0 +1,142 @@
+import { createHash } from "crypto";
+import { getPassword, setPassword, deletePassword } from "cross-keychain";
+import { z } from "zod";
+import { DEFAULT_AUTH_BASE_URL, getConfig } from "./config";
+import { enqueue, getBackendInfo } from "./keychain";
+const SERVICE = "zapier-sdk-cli";
+const CREDENTIALS_KEY = "credentials";
+const REGISTRY_KEY = "credentialsRegistry";
+const CredentialsEntrySchema = z.object({
+    name: z.string(),
+    clientId: z.string(),
+    createdAt: z.number(),
+    scopes: z.array(z.string()),
+    baseUrl: z.string(),
+});
+function normalizeBaseUrl(baseUrl) {
+    return baseUrl ?? DEFAULT_AUTH_BASE_URL;
+}
+function keychainAccount(key) {
+    return createHash("sha256").update(key).digest("hex");
+}
+function buildKeychainKey(clientId, scopes, baseUrl) {
+    const sortedScopes = [...scopes].sort().join(",");
+    return `zapier-sdk/client-credentials-secret/${clientId}:${sortedScopes}:${baseUrl}`;
+}
+function findEntry(registry, name, baseUrl) {
+    return registry.find((e) => e.name === name && e.baseUrl === baseUrl);
+}
+function readRegistry() {
+    const stored = getConfig().get(REGISTRY_KEY);
+    if (!Array.isArray(stored))
+        return [];
+    return stored.flatMap((entry) => {
+        const result = CredentialsEntrySchema.safeParse(entry);
+        return result.success ? [result.data] : [];
+    });
+}
+export function getActiveCredentials(options) {
+    const name = getConfig().get(CREDENTIALS_KEY);
+    if (!name)
+        return undefined;
+    return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
+}
+export async function storeClientCredentials({ name, clientId, clientSecret, scopes, baseUrl, }) {
+    if (!name || typeof name !== "string") {
+        throw new Error("storeClientCredentials: name is required");
+    }
+    if (!clientId || typeof clientId !== "string") {
+        throw new Error("storeClientCredentials: clientId is required");
+    }
+    if (!clientSecret || typeof clientSecret !== "string") {
+        throw new Error("storeClientCredentials: clientSecret is required");
+    }
+    if (!Array.isArray(scopes) || scopes.length === 0) {
+        throw new Error("storeClientCredentials: scopes must be a non-empty array");
+    }
+    const sortedScopes = [...scopes].sort();
+    const resolvedBaseUrl = normalizeBaseUrl(baseUrl);
+    const keychainKey = buildKeychainKey(clientId, sortedScopes, resolvedBaseUrl);
+    const existingEntry = findEntry(readRegistry(), name, resolvedBaseUrl);
+    const existingKeychainKey = existingEntry
+        ? buildKeychainKey(existingEntry.clientId, existingEntry.scopes, existingEntry.baseUrl)
+        : undefined;
+    await enqueue(async () => {
+        await getBackendInfo();
+        await setPassword(SERVICE, keychainAccount(keychainKey), clientSecret);
+    });
+    const entry = {
+        name,
+        clientId,
+        createdAt: Date.now(),
+        scopes: sortedScopes,
+        baseUrl: resolvedBaseUrl,
+    };
+    const registry = readRegistry().filter((e) => !(e.name === name && e.baseUrl === resolvedBaseUrl));
+    registry.push(entry);
+    const cfg = getConfig();
+    cfg.set(REGISTRY_KEY, registry);
+    cfg.set(CREDENTIALS_KEY, name);
+    if (existingEntry && existingKeychainKey !== keychainKey) {
+        await deleteKeychainSecret(existingEntry);
+    }
+}
+export function credentialsNameExists({ name, baseUrl, }) {
+    return !!findEntry(readRegistry(), name, normalizeBaseUrl(baseUrl));
+}
+export async function getStoredClientCredentials(options) {
+    const entry = options?.name
+        ? findEntry(readRegistry(), options.name, normalizeBaseUrl(options.baseUrl))
+        : getActiveCredentials(options);
+    if (!entry)
+        return undefined;
+    const keychainKey = buildKeychainKey(entry.clientId, entry.scopes, entry.baseUrl);
+    const clientSecret = await enqueue(async () => {
+        await getBackendInfo();
+        return getPassword(SERVICE, keychainAccount(keychainKey));
+    });
+    if (!clientSecret)
+        return undefined;
+    return {
+        type: "client_credentials",
+        clientId: entry.clientId,
+        clientSecret,
+        baseUrl: entry.baseUrl,
+        scope: [...entry.scopes].sort().join(" "),
+    };
+}
+function deleteRegistryEntry(registry, name, baseUrl) {
+    const idx = registry.findIndex((e) => e.name === name && e.baseUrl === baseUrl);
+    if (idx === -1)
+        return undefined;
+    const [removed] = registry.splice(idx, 1);
+    return removed;
+}
+function unsetMatchingCredentialsKey(cfg, name) {
+    const activeName = cfg.get(CREDENTIALS_KEY);
+    if (activeName === name && !readRegistry().some((e) => e.name === name)) {
+        cfg.delete(CREDENTIALS_KEY);
+    }
+}
+async function deleteKeychainSecret(entry) {
+    const keychainKey = buildKeychainKey(entry.clientId, entry.scopes, entry.baseUrl);
+    try {
+        await enqueue(async () => {
+            await getBackendInfo();
+            await deletePassword(SERVICE, keychainAccount(keychainKey));
+        });
+    }
+    catch {
+        // Best-effort; key may already be gone.
+    }
+}
+export async function deleteStoredClientCredentials({ name, baseUrl, }) {
+    const registry = readRegistry();
+    const removed = deleteRegistryEntry(registry, name, normalizeBaseUrl(baseUrl));
+    if (!removed)
+        return;
+    const cfg = getConfig();
+    cfg.set(REGISTRY_KEY, registry);
+    unsetMatchingCredentialsKey(cfg, name);
+    await deleteKeychainSecret(removed);
+}

package/dist/src/login/index.d.ts

@@ -4,7 +4,7 @@
  * Handles login, logout, token cache and refresh for Zapier SDK CLI.
  * Provides getToken function that can be optionally imported by zapier-sdk.
  */
-import Conf from "conf";
+export { DEFAULT_AUTH_BASE_URL, getConfig } from "./config";
 export { createCache } from "./filesystem-cache";
 /**
  * Authentication error for token refresh failures.
@@ -64,12 +64,13 @@ export interface PkceLoginConfig {
 /**
  * Gets all configuration needed for the PKCE login flow.
  * Credentials should have baseUrl already resolved by SDK.
+ * baseUrl is a fallback used when credentials carry no baseUrl of their own.
  */
 export declare function getPkceLoginConfig(options?: {
     credentials?: PkceCredentials;
+    baseUrl?: string;
 }): PkceLoginConfig;
 export type LoginStorageMode = "keychain" | "config";
-export declare function getConfig(): Conf;
 /**
  * Drops the cached Conf instance so the next getConfig() call re-initializes
  * from disk (including re-running the pre-existing file detection).
@@ -113,3 +114,5 @@ export declare function logout(options?: Pick<AuthOptions, "onEvent">): Promise<
  * Gets the path to the configuration file.
  */
 export declare function getConfigPath(): string;
+export { getStoredClientCredentials, getActiveCredentials, } from "./credentials-store";
+export { clearTokensFromKeychain } from "./keychain";

package/dist/src/login/index.js

@@ -4,10 +4,11 @@
  * Handles login, logout, token cache and refresh for Zapier SDK CLI.
  * Provides getToken function that can be optionally imported by zapier-sdk.
  */
-import Conf from "conf";
-import { existsSync } from "fs";
 import * as jwt from "jsonwebtoken";
 import { getTokensFromKeychain, setTokensInKeychain, clearTokensFromKeychain, } from "./keychain";
+import { clearLegacyJwtConfigKeys } from "./legacy-jwt";
+import { getConfig, resetConfig, DEFAULT_AUTH_BASE_URL } from "./config";
+export { DEFAULT_AUTH_BASE_URL, getConfig } from "./config";
 export { createCache } from "./filesystem-cache";
 /**
  * Authentication error for token refresh failures.
@@ -21,7 +22,6 @@ export class ZapierAuthenticationError extends Error {
         this.name = "ZapierAuthenticationError";
     }
 }
-let config = null;
 // Default OAuth client ID
 const DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 // Buffer time before token expiration to trigger refresh (5 minutes)
@@ -58,8 +58,6 @@ function getAuthClientId(clientId) {
     return clientId || DEFAULT_AUTH_CLIENT_ID;
 }
 export const AUTH_MODE_HEADER = "X-Auth";
-// Default auth base URL
-const DEFAULT_AUTH_BASE_URL = "https://zapier.com";
 /**
  * Gets the OAuth token endpoint URL.
  * baseUrl should be the auth base URL (e.g., https://zapier.com), already resolved by SDK.
@@ -79,37 +77,23 @@ export function getAuthAuthorizeUrl(options) {
 /**
  * Gets all configuration needed for the PKCE login flow.
  * Credentials should have baseUrl already resolved by SDK.
+ * baseUrl is a fallback used when credentials carry no baseUrl of their own.
  */
 export function getPkceLoginConfig(options) {
+    const effectiveBaseUrl = options?.credentials?.baseUrl ?? options?.baseUrl;
     return {
         clientId: getAuthClientId(options?.credentials?.clientId),
-        tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
-        authorizeUrl: getAuthAuthorizeUrl({
-            baseUrl: options?.credentials?.baseUrl,
-        }),
+        tokenUrl: getAuthTokenUrl({ baseUrl: effectiveBaseUrl }),
+        authorizeUrl: getAuthAuthorizeUrl({ baseUrl: effectiveBaseUrl }),
     };
 }
 let cachedLogin;
-export function getConfig() {
-    if (!config) {
-        // Conf does not create the file until the first set() call.
-        config = new Conf({ projectName: "zapier-sdk-cli" });
-        // If the config file already exists but has no cache mode marker, an older
-        // SDK version created it. Set the marker to "config" so the login flow will
-        // prompt the user to upgrade to keychain cache. Otherwise, stamp "keychain"
-        // so that any future writes to the config don't leave it unmarked.
-        if (!config.has("login_storage_mode")) {
-            config.set("login_storage_mode", existsSync(config.path) ? "config" : "keychain");
-        }
-    }
-    return config;
-}
 /**
  * Drops the cached Conf instance so the next getConfig() call re-initializes
  * from disk (including re-running the pre-existing file detection).
  */
 export function unloadConfig() {
-    config = null;
+    resetConfig();
     cachedLogin = undefined;
 }
 export async function updateLogin(loginData, options = {}) {
@@ -424,9 +408,7 @@ export async function logout(options = {}) {
     await clearTokensFromKeychain();
     const cfg = getConfig();
     cfg.set("login_storage_mode", mode);
-    cfg.delete("login_expires_at");
-    cfg.delete("login_jwt");
-    cfg.delete("login_refresh_token");
+    clearLegacyJwtConfigKeys(cfg);
     onEvent?.({
         type: "auth_logout",
         payload: { message: "Logged out successfully", operation: "logout" },
@@ -440,3 +422,5 @@ export function getConfigPath() {
     const cfg = getConfig();
     return cfg.path;
 }
+export { getStoredClientCredentials, getActiveCredentials, } from "./credentials-store";
+export { clearTokensFromKeychain } from "./keychain";

package/dist/src/login/legacy-jwt.d.ts

@@ -0,0 +1,4 @@
+import type Conf from "conf";
+export declare function clearLegacyJwtConfigKeys(config: Conf): void;
+export declare function clearLegacyJwtState(): Promise<void>;
+export declare function hasLegacyJwtConfig(): boolean;

package/dist/src/login/legacy-jwt.js

@@ -0,0 +1,18 @@
+import { getConfig } from "./config";
+import { clearTokensFromKeychain } from "./keychain";
+export function clearLegacyJwtConfigKeys(config) {
+    config.delete("login_jwt");
+    config.delete("login_refresh_token");
+    config.delete("login_expires_at");
+}
+export async function clearLegacyJwtState() {
+    clearLegacyJwtConfigKeys(getConfig());
+    await clearTokensFromKeychain();
+}
+// Intentionally skips the keychain — conf keys are sufficient and a keychain probe is heavyweight.
+export function hasLegacyJwtConfig() {
+    const cfg = getConfig();
+    return (typeof cfg.get("login_jwt") === "string" ||
+        typeof cfg.get("login_refresh_token") === "string" ||
+        typeof cfg.get("login_expires_at") === "number");
+}

package/dist/src/plugins/auth/credentials-base-url.d.ts

@@ -0,0 +1,11 @@
+import { type ResolvedCredentials } from "@zapier/zapier-sdk";
+interface BaseUrlContext {
+    resolveCredentials?: () => Promise<ResolvedCredentials | undefined>;
+    resolvedCredentials?: ResolvedCredentials | undefined;
+    options?: {
+        baseUrl?: string;
+        credentials?: unknown;
+    };
+}
+export declare function resolveCredentialsBaseUrl(context: BaseUrlContext): Promise<string | undefined>;
+export {};

package/dist/src/plugins/auth/credentials-base-url.js

@@ -0,0 +1,24 @@
+import { isCredentialsObject, } from "@zapier/zapier-sdk";
+function getBaseUrlFromResolvedCredentials(credentials) {
+    if (credentials && isCredentialsObject(credentials)) {
+        return credentials.baseUrl;
+    }
+    return undefined;
+}
+function getBaseUrlFromOptionsCredentials(credentials) {
+    if (credentials &&
+        typeof credentials === "object" &&
+        "baseUrl" in credentials &&
+        typeof credentials.baseUrl === "string") {
+        return credentials.baseUrl;
+    }
+    return undefined;
+}
+export async function resolveCredentialsBaseUrl(context) {
+    const resolvedCredentials = "resolvedCredentials" in context
+        ? context.resolvedCredentials
+        : await context.resolveCredentials?.();
+    return (getBaseUrlFromResolvedCredentials(resolvedCredentials) ??
+        getBaseUrlFromOptionsCredentials(context.options?.credentials) ??
+        context.options?.baseUrl);
+}

package/dist/src/plugins/login/index.d.ts

@@ -1,10 +1,15 @@
-import type { ResolvedCredentials } from "@zapier/zapier-sdk";
+import { type ApiClient, type ResolvedCredentials } from "@zapier/zapier-sdk";
 interface CliContext {
     session_id?: string | null;
     selected_api?: string | null;
     app_id?: number | null;
     app_version_id?: number | null;
     resolveCredentials: () => Promise<ResolvedCredentials | undefined>;
+    api: ApiClient;
+    options?: {
+        baseUrl?: string;
+        credentials?: unknown;
+    };
 }
 export declare const loginPlugin: (sdk: {
     context: import("@zapier/zapier-sdk").EventEmissionContext;

package/dist/src/plugins/login/index.js

@@ -1,6 +1,12 @@
-import { createPluginMethod, definePlugin, isCredentialsObject, buildApplicationLifecycleEvent, } from "@zapier/zapier-sdk";
-import login from "../../utils/auth/login";
-import { getLoggedInUser } from "../../login";
+import { hostname } from "os";
+import { createPluginMethod, definePlugin, getOrCreateApiClient, isCredentialsObject, buildApplicationLifecycleEvent, } from "@zapier/zapier-sdk";
+import inquirer from "inquirer";
+import { clearLegacyJwtState, hasLegacyJwtConfig, } from "../../login/legacy-jwt";
+import { getActiveCredentials, credentialsNameExists, deleteStoredClientCredentials, } from "../../login/credentials-store";
+import { revokeCredentials } from "../../login/credentials-revoke";
+import { runOauthFlow } from "../../utils/auth/oauth-flow";
+import { setupClientCredentials } from "../../utils/auth/client-credentials";
+import { resolveCredentialsBaseUrl } from "../auth/credentials-base-url";
 import { LoginSchema } from "./schemas";
 function toPkceCredentials(credentials) {
     if (credentials &&
@@ -15,26 +21,160 @@ function toPkceCredentials(credentials) {
     }
     return undefined;
 }
+async function confirmRevokeAndRelogin(activeCredentials) {
+    const { confirmed } = await inquirer.prompt([
+        {
+            type: "confirm",
+            name: "confirmed",
+            message: `You are already logged in as "${activeCredentials.name}".\n` +
+                "Logging out will delete these credentials and may interrupt other Zapier SDK or CLI sessions using them.\n" +
+                "Log out and log in again?",
+            default: false,
+        },
+    ]);
+    if (!confirmed) {
+        console.log("Login cancelled.");
+        return false;
+    }
+    return true;
+}
+async function confirmJwtMigration() {
+    const { confirmed } = await inquirer.prompt([
+        {
+            type: "confirm",
+            name: "confirmed",
+            message: "We're upgrading your login to client credentials for a simpler, more reliable experience " +
+                "and to support future security controls. " +
+                "Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. " +
+                "Continue?",
+            default: true,
+        },
+    ]);
+    if (!confirmed) {
+        console.log("Login cancelled.");
+        return false;
+    }
+    return true;
+}
+async function confirmLocalLoginReset() {
+    const { confirmed } = await inquirer.prompt([
+        {
+            type: "confirm",
+            name: "confirmed",
+            message: "Login cleanup failed. Reset local session state and continue?",
+            default: false,
+        },
+    ]);
+    if (!confirmed) {
+        console.log("Login cancelled.");
+        return false;
+    }
+    return true;
+}
+function parseTimeoutSeconds(timeout) {
+    const timeoutSeconds = timeout ? parseInt(timeout, 10) : 300;
+    if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
+        throw new Error("Timeout must be a positive number");
+    }
+    return timeoutSeconds;
+}
+async function promptCredentialsName(email, baseUrl) {
+    const { credentialName } = await inquirer.prompt([
+        {
+            type: "input",
+            name: "credentialName",
+            message: "Enter a name to identify them:",
+            default: `${email}@${hostname()}`,
+            validate: (input) => {
+                if (!input.trim())
+                    return "Name cannot be empty";
+                if (credentialsNameExists({ name: input.trim(), baseUrl })) {
+                    return `Credentials named "${input.trim()}" already exist. Please provide a different name.`;
+                }
+                return true;
+            },
+        },
+    ]);
+    return credentialName;
+}
+function emitLoginSuccess({ sdk, profile, }) {
+    sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({ lifecycle_event_type: "login_success" }, {
+        customuser_id: profile.user_id,
+        account_id: profile.roles[0]?.account_id ?? null,
+    }));
+}
+async function getProfile(api) {
+    return api.get("/zapier/api/v4/profile/", {
+        authRequired: true,
+    });
+}
+async function bestEffortClearLegacyJwtState() {
+    // Don't fail the whole login over a transient keychain hiccup during cleanup.
+    try {
+        await clearLegacyJwtState();
+    }
+    catch (err) {
+        console.error("[login] Best-effort legacy JWT cleanup failed:", err);
+    }
+}
 export const loginPlugin = definePlugin((sdk) => createPluginMethod(sdk, {
     name: "login",
     categories: ["account"],
     inputSchema: LoginSchema,
     supportsJsonOutput: false,
     handler: async ({ sdk, options }) => {
-        const timeoutSeconds = options.timeout
-            ? parseInt(options.timeout, 10)
-            : 300;
-        if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
-            throw new Error("Timeout must be a positive number");
-        }
+        const timeoutSeconds = parseTimeoutSeconds(options.timeout);
         const resolvedCredentials = await sdk.context.resolveCredentials();
         const pkceCredentials = toPkceCredentials(resolvedCredentials);
-        await login({
+        const credentialsBaseUrl = await resolveCredentialsBaseUrl({
+            ...sdk.context,
+            resolvedCredentials,
+        });
+        const activeCredentials = getActiveCredentials({
+            baseUrl: credentialsBaseUrl,
+        });
+        if (activeCredentials) {
+            if (!(await confirmRevokeAndRelogin(activeCredentials)))
+                return;
+            try {
+                await revokeCredentials({
+                    api: sdk.context.api,
+                    credentials: activeCredentials,
+                });
+            }
+            catch {
+                if (!(await confirmLocalLoginReset()))
+                    return;
+                await deleteStoredClientCredentials({
+                    name: activeCredentials.name,
+                    baseUrl: activeCredentials.baseUrl,
+                });
+            }
+        }
+        else if (hasLegacyJwtConfig()) {
+            if (!(await confirmJwtMigration()))
+                return;
+        }
+        const { accessToken } = await runOauthFlow({
             timeoutMs: timeoutSeconds * 1000,
-            credentials: pkceCredentials,
+            pkceCredentials,
+            baseUrl: credentialsBaseUrl,
+        });
+        const scopedApi = getOrCreateApiClient({
+            credentials: accessToken,
+            baseUrl: credentialsBaseUrl,
+        });
+        const profile = await getProfile(scopedApi);
+        console.log(`👤 Logged in as ${profile.email}`);
+        console.log("\nGenerating credentials so this machine can make authenticated requests on your behalf.");
+        const credentialName = await promptCredentialsName(profile.email, credentialsBaseUrl);
+        await setupClientCredentials({
+            api: scopedApi,
+            name: credentialName,
+            credentialsBaseUrl,
         });
-        const user = await getLoggedInUser();
-        sdk.context.eventEmission.emit("platform.sdk.ApplicationLifecycleEvent", buildApplicationLifecycleEvent({ lifecycle_event_type: "login_success" }, { customuser_id: user.customUserId, account_id: user.accountId }));
-        console.log(`✅ Successfully logged in as ${user.email}`);
+        await bestEffortClearLegacyJwtState();
+        console.log(`✅ Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`);
+        emitLoginSuccess({ sdk, profile });
     },
 }));

package/dist/src/plugins/logout/index.d.ts

@@ -1,5 +1,18 @@
+import { type ApiClient, type ResolvedCredentials } from "@zapier/zapier-sdk";
+import { type LogoutEventEmitter } from "../../login/credentials-revoke";
+interface CliContext {
+    api: ApiClient;
+    resolveCredentials?: () => Promise<ResolvedCredentials | undefined>;
+    options?: {
+        onEvent?: LogoutEventEmitter;
+        baseUrl?: string;
+        credentials?: unknown;
+    };
+}
 export declare const logoutPlugin: (sdk: {
     context: import("@zapier/zapier-sdk").EventEmissionContext;
+} & {
+    context: CliContext;
 } & {
     context: {
         meta: Record<string, import("@zapier/zapier-sdk").PluginMeta>;
@@ -14,3 +27,4 @@ export declare const logoutPlugin: (sdk: {
     };
 };
 export type LogoutPluginProvides = ReturnType<typeof logoutPlugin>;
+export {};

package/dist/src/plugins/logout/index.js

@@ -1,13 +1,45 @@
 import { createPluginMethod, definePlugin, } from "@zapier/zapier-sdk";
-import { logout } from "../../login";
+import inquirer from "inquirer";
+import { logout as jwtLogout } from "../../login";
+import { getActiveCredentials } from "../../login/credentials-store";
+import { revokeCredentials, } from "../../login/credentials-revoke";
+import { resolveCredentialsBaseUrl } from "../auth/credentials-base-url";
 import { LogoutSchema } from "./schemas";
 export const logoutPlugin = definePlugin((sdk) => createPluginMethod(sdk, {
     name: "logout",
     categories: ["account"],
     inputSchema: LogoutSchema,
     supportsJsonOutput: false,
-    handler: async () => {
-        await logout();
+    handler: async ({ sdk }) => {
+        const credentialsBaseUrl = await resolveCredentialsBaseUrl(sdk.context);
+        const activeCredentials = getActiveCredentials({
+            baseUrl: credentialsBaseUrl,
+        });
+        const onEvent = sdk.context.options?.onEvent;
+        if (!activeCredentials) {
+            await jwtLogout({ onEvent });
+            console.log("✅ Successfully logged out");
+            return;
+        }
+        const { confirmed } = await inquirer.prompt([
+            {
+                type: "confirm",
+                name: "confirmed",
+                message: `Logging out will delete credentials "${activeCredentials.name}".\n` +
+                    "This may interrupt other Zapier SDK or CLI sessions using them.\n" +
+                    "Do you want to continue?",
+                default: true,
+            },
+        ]);
+        if (!confirmed) {
+            console.log("Logout cancelled.");
+            return;
+        }
+        await revokeCredentials({
+            api: sdk.context.api,
+            credentials: activeCredentials,
+            onEvent,
+        });
         console.log("✅ Successfully logged out");
     },
 }));

package/dist/src/plugins/mcp/index.d.ts

@@ -3,6 +3,7 @@ export declare const mcpPlugin: (sdk: {
     context: {
         options?: {
             debug?: boolean;
+            maxConcurrentRequests?: number;
         };
         extensions?: Plugin<unknown, PluginProvides>[];
         experimental?: boolean;

package/dist/src/plugins/mcp/index.js

@@ -6,16 +6,17 @@ export const mcpPlugin = definePlugin((sdk) => createPluginMethod(sdk, {
     categories: ["utility"],
     inputSchema: McpSchema,
     handler: async ({ sdk, options }) => {
-        // Forward debug + the extensions resolved at CLI startup so the MCP
-        // server's registry includes extension functions as tools. Without
-        // this forward, MCP would build a vanilla SDK and the CLI/MCP
-        // surfaces would diverge. The `experimental` flag (set by the
-        // experimental CLI factory) tells the MCP server to build against
-        // `@zapier/zapier-sdk/experimental` so experimental tools are
-        // exposed.
+        // Forward debug, the concurrency cap, and the extensions resolved at
+        // CLI startup so the MCP server's SDK matches what the user asked
+        // for at the CLI surface. Without this forward, MCP would build a
+        // vanilla SDK and the CLI/MCP surfaces would diverge. The
+        // `experimental` flag (set by the experimental CLI factory) tells
+        // the MCP server to build against `@zapier/zapier-sdk/experimental`
+        // so experimental tools are exposed.
         await startMcpServer({
             ...options,
             debug: sdk.context.options?.debug,
+            maxConcurrentRequests: sdk.context.options?.maxConcurrentRequests,
             extensions: sdk.context.extensions,
             experimental: sdk.context.experimental,
         });

package/dist/src/utils/auth/client-credentials.d.ts

@@ -0,0 +1,16 @@
+import type { ApiClient } from "@zapier/zapier-sdk";
+export interface SetupClientCredentialsOptions {
+    api: ApiClient;
+    name: string;
+    credentialsBaseUrl?: string;
+}
+export interface SetupClientCredentialsResult {
+    clientId: string;
+}
+/**
+ * Create a client credential server-side and persist it locally. If the
+ * local store fails after the server-side credential is created, attempt
+ * to roll back the orphan; if that rollback also fails, surface a
+ * manual-fix message and re-throw the original store error.
+ */
+export declare function setupClientCredentials({ api, name, credentialsBaseUrl, }: SetupClientCredentialsOptions): Promise<SetupClientCredentialsResult>;