@zapier/zapier-sdk-cli 0.52.10 → 0.53.0

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import * as jwt from 'jsonwebtoken';
-import { deletePassword, getKeyring, getPassword, setPassword } from 'cross-keychain';
+import { deletePassword, setPassword, getKeyring, getPassword } from 'cross-keychain';
 import Conf from 'conf';
 import * as fs from 'fs';
 import { promises, createWriteStream, existsSync, readdirSync, rmSync, mkdirSync, writeFileSync, copyFileSync, readFileSync } from 'fs';
@@ -7,15 +7,16 @@ import crypto, { createHash } from 'crypto';
 import * as path from 'path';
 import { resolve, join, dirname, basename, relative, extname } from 'path';
 import * as lockfile from 'proper-lockfile';
+import { definePlugin, createPluginMethod, OutputPropertySchema, ZapierBundleError, DEFAULT_CONFIG_PATH, ZapierValidationError, ZapierUnknownError, ZapierReleaseTriggerMessageSignal, injectCliLogin, getOrCreateApiClient, invalidateCachedToken, batch, toSnakeCase, ZapierAbortDrainSignal, isCredentialsObject, buildApplicationLifecycleEvent, ZapierAuthenticationError, ZapierError, createZapierSdkStack, addPlugin, getOsInfo, getPlatformVersions, getCiPlatform, isCi, getReleaseId, getCurrentTimestamp, generateEventId } from '@zapier/zapier-sdk';
 import { z } from 'zod';
-import { definePlugin, createPluginMethod, getOrCreateApiClient, OutputPropertySchema, ZapierBundleError, DEFAULT_CONFIG_PATH, ZapierValidationError, ZapierUnknownError, ZapierReleaseTriggerMessageSignal, injectCliLogin, isCredentialsObject, invalidateCachedToken, buildApplicationLifecycleEvent, batch, toSnakeCase, ZapierAbortDrainSignal, ZapierError, createZapierSdk, getOsInfo, getPlatformVersions, getCiPlatform, isCi, getReleaseId, getCurrentTimestamp, generateEventId } from '@zapier/zapier-sdk';
 import { hostname } from 'os';
 import inquirer from 'inquirer';
-import open from 'open';
 import express from 'express';
-import pkceChallenge from 'pkce-challenge';
-import ora from 'ora';
+import { createInterface } from 'readline/promises';
+import open from 'open';
 import chalk3 from 'chalk';
+import ora from 'ora';
+import pkceChallenge from 'pkce-challenge';
 import { startMcpServer } from '@zapier/zapier-sdk-mcp';
 import { buildSync } from 'esbuild';
 import { mkdir, writeFile, access } from 'fs/promises';
@@ -441,12 +442,6 @@ async function deleteStoredClientCredentials({
 }
 
 // src/login/index.ts
-var ZapierAuthenticationError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "ZapierAuthenticationError";
-  }
-};
 var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function createDebugLog(enabled) {
@@ -456,9 +451,9 @@ function createDebugLog(enabled) {
   }
   return (message, data) => {
     if (data === void 0) {
-      console.log(`[Zapier SDK CLI Login] ${message}`);
+      console.error(`[Zapier SDK CLI Login] ${message}`);
     } else {
-      console.log(`[Zapier SDK CLI Login] ${message}`, data);
+      console.error(`[Zapier SDK CLI Login] ${message}`, data);
     }
   };
 }
@@ -857,10 +852,27 @@ async function revokeCredentials({
   });
   emitAuthLogout(onEvent);
 }
+function getBaseUrlFromResolvedCredentials(credentials) {
+  if (credentials && isCredentialsObject(credentials)) {
+    return credentials.baseUrl;
+  }
+  return void 0;
+}
+function getBaseUrlFromOptionsCredentials(credentials) {
+  if (credentials && typeof credentials === "object" && "baseUrl" in credentials && typeof credentials.baseUrl === "string") {
+    return credentials.baseUrl;
+  }
+  return void 0;
+}
+async function resolveCredentialsBaseUrl(context) {
+  const resolvedCredentials = "resolvedCredentials" in context ? context.resolvedCredentials : await context.resolveCredentials?.();
+  return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
+}
 
-// src/utils/constants.ts
-var LOGIN_PORTS = [49505, 50575, 52804, 55981, 61010, 63851];
-var LOGIN_TIMEOUT_MS = 3e5;
+// src/utils/non-interactive.ts
+function resolveNonInteractive(options) {
+  return options.nonInteractive === true || options.skipPrompts === true || !process.stdin.isTTY || !process.stdout.isTTY;
+}
 var ZapierCliError = class extends ZapierError {
 };
 var ZapierCliUserCancellationError = class extends ZapierCliError {
@@ -888,42 +900,164 @@ var ZapierCliValidationError = class extends ZapierCliError {
   }
 };
 
-// src/utils/spinner.ts
-var spinPromise = async (promise, text) => {
-  const spinner = ora(text).start();
+// src/utils/auth/client-credentials.ts
+var CREDENTIALS_SCOPES = ["external", "credentials"];
+var EMPTY_POLICY = {
+  version: 2,
+  statements: []
+};
+async function createCredentialsOnServer(api2, name, policy) {
+  const response = await api2.post(
+    "/api/v0/client-credentials",
+    {
+      name,
+      allowed_scopes: CREDENTIALS_SCOPES,
+      ...policy !== void 0 && { policy }
+    },
+    { authRequired: true, requiredScopes: ["credentials"] }
+  );
+  return {
+    clientId: response.data.client_id,
+    clientSecret: response.data.client_secret
+  };
+}
+async function deleteCredentialsOnServer(api2, clientId) {
+  await api2.delete(`/api/v0/client-credentials/${clientId}`, void 0, {
+    authRequired: true,
+    requiredScopes: ["credentials"]
+  });
+}
+async function setupClientCredentials({
+  api: api2,
+  name,
+  credentialsBaseUrl,
+  policy
+}) {
+  const { clientId, clientSecret } = await createCredentialsOnServer(
+    api2,
+    name,
+    policy
+  );
   try {
-    const result = await promise;
-    spinner.succeed();
-    return result;
-  } catch (error) {
-    if (error instanceof ZapierCliUserCancellationError) {
-      spinner.stop();
-    } else {
-      spinner.fail();
+    await withRetry({
+      action: () => storeClientCredentials({
+        name,
+        clientId,
+        clientSecret,
+        scopes: [...CREDENTIALS_SCOPES],
+        baseUrl: credentialsBaseUrl
+      })
+    });
+  } catch (storeErr) {
+    try {
+      await withRetry({
+        action: () => deleteCredentialsOnServer(api2, clientId)
+      });
+    } catch {
+      console.error(
+        `Failed to roll back orphaned credential ${clientId}. Delete it manually with: zapier-sdk delete-client-credentials ${clientId}`
+      );
     }
-    throw error;
+    throw storeErr;
   }
+  return { clientId };
+}
+
+// src/utils/constants.ts
+var LOGIN_PORTS = [49505, 50575, 52804, 55981, 61010, 63851];
+var LOGIN_TIMEOUT_MS = 3e5;
+
+// src/utils/getCallablePromise.ts
+var getCallablePromise = () => {
+  let resolve4 = () => {
+  };
+  let reject = () => {
+  };
+  const promise = new Promise((_resolve, _reject) => {
+    resolve4 = _resolve;
+    reject = _reject;
+  });
+  return {
+    promise,
+    resolve: resolve4,
+    reject
+  };
 };
+var getCallablePromise_default = getCallablePromise;
 var log = {
   info: (message, ...args) => {
-    console.log(chalk3.blue("\u2139"), message, ...args);
+    console.error(chalk3.blue("\u2139"), message, ...args);
   },
   error: (message, ...args) => {
     console.error(chalk3.red("\u2716"), message, ...args);
   },
   success: (message, ...args) => {
-    console.log(chalk3.green("\u2713"), message, ...args);
+    console.error(chalk3.green("\u2713"), message, ...args);
   },
   warn: (message, ...args) => {
-    console.log(chalk3.yellow("\u26A0"), message, ...args);
+    console.error(chalk3.yellow("\u26A0"), message, ...args);
   },
   debug: (message, ...args) => {
     if (process.env.DEBUG === "true" || process.argv.includes("--debug")) {
-      console.log(chalk3.gray("\u{1F41B}"), message, ...args);
+      console.error(chalk3.gray("\u{1F41B}"), message, ...args);
     }
   }
 };
 var log_default = log;
+var spinPromise = async (promise, text) => {
+  const spinner = ora(text).start();
+  try {
+    const result = await promise;
+    spinner.succeed();
+    return result;
+  } catch (error) {
+    if (error instanceof ZapierCliUserCancellationError) {
+      spinner.stop();
+    } else {
+      spinner.fail();
+    }
+    throw error;
+  }
+};
+
+// src/utils/auth/oauth-callback.ts
+function getCallbackCode({
+  callbackUrl,
+  transaction,
+  recoveryMessage
+}) {
+  let parsed;
+  try {
+    parsed = new URL(callbackUrl.trim());
+  } catch {
+    throw new ZapierCliValidationError(
+      "Paste the final OAuth callback URL from your browser."
+    );
+  }
+  const expected = new URL(transaction.redirectUri);
+  if (parsed.protocol !== "http:" || parsed.hostname !== expected.hostname || parsed.pathname !== expected.pathname || parsed.port !== expected.port) {
+    throw new ZapierCliValidationError(
+      `Expected the final OAuth callback URL to start with ${transaction.redirectUri}.`
+    );
+  }
+  if (parsed.searchParams.get("state") !== transaction.state) {
+    throw new ZapierCliValidationError(
+      `OAuth state mismatch.${recoveryMessage ? ` ${recoveryMessage}` : ""}`
+    );
+  }
+  if (parsed.searchParams.has("error")) {
+    throw new ZapierCliValidationError(
+      `Authorization denied: ${parsed.searchParams.get("error_description") ?? parsed.searchParams.get("error")}.${recoveryMessage ? ` ${recoveryMessage}` : ""}`
+    );
+  }
+  const code = parsed.searchParams.get("code");
+  if (!code) {
+    throw new ZapierCliValidationError(
+      "No authorization code found in the pasted callback URL."
+    );
+  }
+  return code;
+}
 
 // src/utils/api/client.ts
 var createApiClient = () => {
@@ -954,113 +1088,351 @@ var createApiClient = () => {
 var api = createApiClient();
 var client_default = api;
 
-// src/utils/getCallablePromise.ts
-var getCallablePromise = () => {
-  let resolve4 = () => {
-  };
-  let reject = () => {
-  };
-  const promise = new Promise((_resolve, _reject) => {
-    resolve4 = _resolve;
-    reject = _reject;
+// src/utils/auth/oauth-transaction.ts
+var OAUTH_LOOPBACK_HOST = "localhost";
+function buildBrowserAuthUrl({
+  authorizeUrl,
+  entryPoint = "login"
+}) {
+  if (entryPoint === "login") return authorizeUrl;
+  const parsedAuthorizeUrl = new URL(authorizeUrl);
+  const signupUrl = new URL("/sign-up", parsedAuthorizeUrl);
+  signupUrl.searchParams.set("skipOnboarding", "true");
+  signupUrl.searchParams.set(
+    "next",
+    `${parsedAuthorizeUrl.pathname}${parsedAuthorizeUrl.search}`
+  );
+  return signupUrl.toString();
+}
+function generateRandomString() {
+  const array = new Uint32Array(28);
+  crypto.getRandomValues(array);
+  return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join(
+    ""
+  );
+}
+function ensureOfflineAccess(scope) {
+  if (scope.includes("offline_access")) return scope;
+  return `${scope} offline_access`;
+}
+async function prepareOauthTransaction({
+  pkceCredentials,
+  baseUrl,
+  redirectUri,
+  entryPoint = "login"
+}) {
+  const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
+    credentials: pkceCredentials,
+    baseUrl
   });
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
+  const state = generateRandomString();
+  const authUrl = `${authorizeUrl}?${new URLSearchParams({
+    response_type: "code",
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    scope: ensureOfflineAccess(
+      pkceCredentials?.scope || "internal credentials"
+    ),
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256"
+  }).toString()}`;
   return {
-    promise,
-    resolve: resolve4,
-    reject
+    browserAuthUrl: buildBrowserAuthUrl({ authorizeUrl: authUrl, entryPoint }),
+    clientId,
+    codeVerifier,
+    redirectUri,
+    state,
+    tokenUrl
   };
-};
-var getCallablePromise_default = getCallablePromise;
+}
+async function exchangeOauthCode({
+  tokenUrl,
+  code,
+  redirectUri,
+  clientId,
+  codeVerifier
+}) {
+  const { data } = await client_default.post(
+    tokenUrl,
+    {
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri,
+      client_id: clientId,
+      code_verifier: codeVerifier
+    },
+    {
+      headers: {
+        [AUTH_MODE_HEADER]: "no",
+        "Content-Type": "application/x-www-form-urlencoded"
+      }
+    }
+  );
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in
+  };
+}
 
 // src/utils/auth/oauth-flow.ts
-var findAvailablePort = () => {
+var OauthFlowTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super("OAuth flow timed out");
+    this.timeoutMs = timeoutMs;
+    this.name = "OauthFlowTimeoutError";
+  }
+};
+var OauthAuthorizationDeniedError = class extends Error {
+  constructor(reason) {
+    super("OAuth authorization denied");
+    this.reason = reason;
+    this.name = "OauthAuthorizationDeniedError";
+  }
+};
+function findAvailablePort() {
   return new Promise((resolve4, reject) => {
     let portIndex = 0;
     const tryPort = (port) => {
-      const server = express().listen(port, () => {
+      const server = express().listen(port, OAUTH_LOOPBACK_HOST, () => {
         server.close();
         resolve4(port);
       });
       server.on("error", (err) => {
-        if (err.code === "EADDRINUSE") {
-          if (portIndex < LOGIN_PORTS.length) {
-            tryPort(LOGIN_PORTS[portIndex++]);
-          } else {
-            reject(
-              new Error(
-                `All configured OAuth callback ports are busy: ${LOGIN_PORTS.join(", ")}. Please try again later or close applications using these ports.`
-              )
-            );
-          }
+        if (err.code === "EADDRINUSE" && portIndex < LOGIN_PORTS.length) {
+          tryPort(LOGIN_PORTS[portIndex++]);
+        } else if (err.code === "EADDRINUSE") {
+          reject(
+            new Error(
+              `All configured OAuth callback ports are busy: ${LOGIN_PORTS.join(", ")}. Please try again later or close applications using these ports.`
+            )
+          );
         } else {
           reject(err);
         }
       });
     };
-    if (LOGIN_PORTS.length > 0) {
-      tryPort(LOGIN_PORTS[portIndex++]);
-    } else {
-      reject(new Error("No OAuth callback ports configured"));
+    if (LOGIN_PORTS.length > 0) tryPort(LOGIN_PORTS[portIndex++]);
+    else reject(new Error("No OAuth callback ports configured"));
+  });
+}
+async function runLoginOauthFlow(options) {
+  return runOauthFlowEntryPoint({
+    ...options,
+    entryPoint: "login",
+    authAction: "log in",
+    flowName: "Login"
+  });
+}
+async function runSignupOauthFlow(options) {
+  if (options.headless) {
+    return runOauthFlowEntryPoint({
+      ...options,
+      entryPoint: "signup",
+      authAction: "sign up",
+      flowName: "Signup",
+      headless: true
+    });
+  }
+  return runOauthFlowEntryPoint({
+    ...options,
+    entryPoint: "signup",
+    authAction: "sign up",
+    flowName: "Signup"
+  });
+}
+async function runOauthFlowEntryPoint({
+  flowName,
+  ...options
+}) {
+  try {
+    return options.headless ? await runHeadlessSignupOauthFlow(options) : await runOauthFlow(options);
+  } catch (error) {
+    if (error instanceof OauthFlowTimeoutError) {
+      throw new Error(
+        withRecoveryMessage(
+          `${flowName} timed out after ${Math.round(error.timeoutMs / 1e3)} seconds.`,
+          options.recoveryMessage
+        )
+      );
+    }
+    if (error instanceof OauthAuthorizationDeniedError) {
+      throw new Error(
+        withRecoveryMessage(
+          `Authorization denied: ${error.reason}.`,
+          options.recoveryMessage
+        )
+      );
+    }
+    if (error instanceof ZapierCliUserCancellationError && !options.silent) {
+      log_default.info(`
+\u274C ${flowName} cancelled by user`);
     }
+    throw error;
+  }
+}
+function withRecoveryMessage(message, recoveryMessage) {
+  return recoveryMessage ? `${message} ${recoveryMessage}` : message;
+}
+async function runOauthFlow({
+  timeoutMs = LOGIN_TIMEOUT_MS,
+  pkceCredentials,
+  baseUrl,
+  entryPoint,
+  authAction,
+  silent = false,
+  onProgress
+}) {
+  const port = await findAvailablePort();
+  if (!silent) log_default.info(`Using port ${port} for OAuth callback`);
+  const transaction = await prepareOauthTransaction({
+    pkceCredentials,
+    baseUrl,
+    redirectUri: `http://${OAUTH_LOOPBACK_HOST}:${port}/oauth`,
+    entryPoint
   });
-};
-var generateRandomString = () => {
-  const array = new Uint32Array(28);
-  crypto.getRandomValues(array);
-  return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join(
-    ""
+  const code = await collectLocalCallbackCode({
+    transaction,
+    timeoutMs,
+    authAction,
+    silent,
+    onProgress
+  });
+  onProgress?.({ type: "callback_accepted" });
+  if (!silent) log_default.info("Exchanging authorization code for tokens...");
+  onProgress?.({ type: "token_exchange_started" });
+  const tokens = await exchangeOauthCode({ ...transaction, code });
+  if (!silent) log_default.info("Token exchange completed successfully");
+  onProgress?.({ type: "token_exchange_completed" });
+  return tokens;
+}
+async function readHeadlessCallbackUrl({
+  timeoutMs,
+  interactive,
+  recoveryMessage
+}) {
+  const timeoutMessage = withRecoveryMessage(
+    `Signup timed out after ${Math.round(timeoutMs / 1e3)} seconds.`,
+    recoveryMessage
   );
-};
-function ensureOfflineAccess(scope) {
-  if (scope.includes("offline_access")) {
-    return scope;
+  const missingCallbackUrlMessage = withRecoveryMessage(
+    "Paste the final OAuth callback URL from your browser.",
+    recoveryMessage
+  );
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  const abortController = new AbortController();
+  const timeoutTimer = setTimeout(() => abortController.abort(), timeoutMs);
+  const readUrl = interactive ? rl.question("Paste the final OAuth callback URL: ", {
+    signal: abortController.signal
+  }) : new Promise((resolve4, reject) => {
+    let settled = false;
+    const settleResolve = (value) => {
+      settled = true;
+      resolve4(value);
+    };
+    const settleReject = (error) => {
+      if (settled) return;
+      settled = true;
+      reject(error);
+    };
+    abortController.signal.addEventListener(
+      "abort",
+      () => settleReject(new Error(timeoutMessage)),
+      { once: true }
+    );
+    rl.once("line", settleResolve);
+    rl.once(
+      "close",
+      () => settleReject(new ZapierCliValidationError(missingCallbackUrlMessage))
+    );
+    rl.once("error", settleReject);
+  });
+  try {
+    return await readUrl.catch((error) => {
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(timeoutMessage);
+      }
+      throw error;
+    });
+  } finally {
+    clearTimeout(timeoutTimer);
+    rl.close();
   }
-  return `${scope} offline_access`;
 }
-async function runOauthFlow({
+async function runHeadlessSignupOauthFlow({
   timeoutMs = LOGIN_TIMEOUT_MS,
   pkceCredentials,
-  baseUrl
+  baseUrl,
+  interactive = true,
+  onProgress,
+  recoveryMessage
 }) {
-  const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
-    credentials: pkceCredentials,
-    baseUrl
+  const port = LOGIN_PORTS[0];
+  const transaction = await prepareOauthTransaction({
+    pkceCredentials,
+    baseUrl,
+    redirectUri: `http://${OAUTH_LOOPBACK_HOST}:${port}/oauth`,
+    entryPoint: "signup"
   });
-  const scope = ensureOfflineAccess(
-    pkceCredentials?.scope || "internal credentials"
+  console.log(
+    "Use this mode when signing up from a machine that has no browser."
   );
-  const availablePort = await findAvailablePort();
-  const redirectUri = `http://localhost:${availablePort}/oauth`;
-  log_default.info(`Using port ${availablePort} for OAuth callback`);
-  const {
-    promise: promisedCode,
-    resolve: setCode,
-    reject: rejectCode
-  } = getCallablePromise_default();
-  const oauthState = generateRandomString();
-  const expressApp = express();
-  expressApp.get("/oauth", (req, res) => {
+  console.log("Open this signup URL in a browser on another machine:");
+  console.log(transaction.browserAuthUrl);
+  console.log(
+    `When the browser lands on ${transaction.redirectUri} and cannot connect, paste the full final URL back here.`
+  );
+  const callbackUrl = await readHeadlessCallbackUrl({
+    timeoutMs,
+    interactive,
+    recoveryMessage
+  });
+  const code = getCallbackCode({
+    callbackUrl,
+    transaction,
+    recoveryMessage
+  });
+  onProgress?.({ type: "callback_accepted" });
+  console.log("Exchanging authorization code for tokens...");
+  onProgress?.({ type: "token_exchange_started" });
+  const tokens = await exchangeOauthCode({ ...transaction, code });
+  onProgress?.({ type: "token_exchange_completed" });
+  return tokens;
+}
+async function collectLocalCallbackCode({
+  transaction,
+  timeoutMs,
+  authAction,
+  silent,
+  onProgress
+}) {
+  const { promise, resolve: resolve4, reject } = getCallablePromise_default();
+  const app = express();
+  app.get("/oauth", (req, res) => {
     res.setHeader("Connection", "close");
-    if (req.query.state !== oauthState) {
-      rejectCode(new Error("OAuth state mismatch \u2014 possible CSRF"));
+    if (req.query.state !== transaction.state) {
       res.status(400).end("Invalid state. You can close this tab.");
-      return;
-    }
-    if (req.query.error) {
-      const desc = req.query.error_description ?? req.query.error;
-      rejectCode(new Error(`Authorization denied: ${desc}`));
+    } else if (req.query.error) {
+      reject(
+        new OauthAuthorizationDeniedError(
+          String(req.query.error_description ?? req.query.error)
+        )
+      );
       res.end("Authorization was denied. You can close this tab.");
-      return;
-    }
-    if (!req.query.code) {
-      rejectCode(new Error("No authorization code received"));
+    } else if (!req.query.code) {
+      reject(new Error("No authorization code received"));
       res.end("No authorization code received. You can close this tab.");
-      return;
+    } else {
+      resolve4(String(req.query.code));
+      res.end("You can now close this tab and return to the CLI.");
     }
-    setCode(String(req.query.code));
-    res.end("You can now close this tab and return to the CLI.");
   });
-  const server = expressApp.listen(availablePort);
+  const server = app.listen(
+    Number(new URL(transaction.redirectUri).port),
+    OAUTH_LOOPBACK_HOST
+  );
   const connections = /* @__PURE__ */ new Set();
   server.on("connection", (conn) => {
     connections.add(conn);
@@ -1068,183 +1440,204 @@ async function runOauthFlow({
   });
   const cleanup = () => {
     server.close();
-    log_default.info("\n\u274C Login cancelled by user");
-    rejectCode(new ZapierCliUserCancellationError());
+    reject(new ZapierCliUserCancellationError());
   };
   process.on("SIGINT", cleanup);
   process.on("SIGTERM", cleanup);
-  const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
-  const authUrl = `${authorizeUrl}?${new URLSearchParams({
-    response_type: "code",
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    scope,
-    state: oauthState,
-    code_challenge: codeChallenge,
-    code_challenge_method: "S256"
-  }).toString()}`;
-  log_default.info("Opening your browser to log in.");
-  log_default.info("If it doesn't open, visit:", authUrl);
-  open(authUrl);
   let timeoutTimer;
   try {
-    await spinPromise(
-      Promise.race([
-        promisedCode,
-        new Promise((_resolve, reject) => {
-          timeoutTimer = setTimeout(() => {
-            reject(
-              new Error(
-                `Login timed out after ${Math.round(timeoutMs / 1e3)} seconds.`
-              )
-            );
-          }, timeoutMs);
-        })
-      ]),
-      "Waiting for you to login and authorize"
+    await waitForServerListening(server);
+    await openBrowser({ transaction, authAction, silent, onProgress });
+    const waitForCode = Promise.race([
+      promise,
+      new Promise((_resolve, rejectTimeout) => {
+        timeoutTimer = setTimeout(() => {
+          rejectTimeout(new OauthFlowTimeoutError(timeoutMs));
+        }, timeoutMs);
+      })
+    ]);
+    onProgress?.({ type: "callback_waiting" });
+    return silent ? await waitForCode : await spinPromise(
+      waitForCode,
+      `Waiting for you to ${authAction} and authorize`
     );
   } finally {
-    if (timeoutTimer) {
-      clearTimeout(timeoutTimer);
-    }
+    if (timeoutTimer) clearTimeout(timeoutTimer);
     process.off("SIGINT", cleanup);
     process.off("SIGTERM", cleanup);
-    await new Promise((resolve4) => {
-      const timeout = setTimeout(() => {
-        log_default.info("Server close timed out, forcing connection shutdown...");
-        connections.forEach((conn) => conn.destroy());
-        resolve4();
-      }, 1e3);
-      server.close(() => {
-        clearTimeout(timeout);
-        resolve4();
-      });
-    });
+    await closeServer({ server, connections, silent });
   }
-  log_default.info("Exchanging authorization code for tokens...");
-  const { data } = await client_default.post(
-    tokenUrl,
-    {
-      grant_type: "authorization_code",
-      code: await promisedCode,
-      redirect_uri: redirectUri,
-      client_id: clientId,
-      code_verifier: codeVerifier
-    },
-    {
-      headers: {
-        [AUTH_MODE_HEADER]: "no",
-        "Content-Type": "application/x-www-form-urlencoded"
-      }
-    }
-  );
-  log_default.info("Token exchange completed successfully");
-  return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token,
-    expiresIn: data.expires_in
-  };
 }
-
-// src/utils/auth/client-credentials.ts
-var CREDENTIALS_SCOPES = ["external", "credentials"];
-var EMPTY_POLICY = {
-  version: 2,
-  statements: []
-};
-async function createCredentialsOnServer(api2, name, policy) {
-  const response = await api2.post(
-    "/api/v0/client-credentials",
-    {
-      name,
-      allowed_scopes: CREDENTIALS_SCOPES,
-      ...policy !== void 0 && { policy }
-    },
-    { authRequired: true, requiredScopes: ["credentials"] }
-  );
-  return {
-    clientId: response.data.client_id,
-    clientSecret: response.data.client_secret
-  };
-}
-async function deleteCredentialsOnServer(api2, clientId) {
-  await api2.delete(`/api/v0/client-credentials/${clientId}`, void 0, {
-    authRequired: true,
-    requiredScopes: ["credentials"]
+async function waitForServerListening(server) {
+  if (server.listening) return;
+  await new Promise((resolve4, reject) => {
+    const cleanup = () => {
+      server.off("listening", handleListening);
+      server.off("error", handleError);
+    };
+    const handleListening = () => {
+      cleanup();
+      resolve4();
+    };
+    const handleError = (error) => {
+      cleanup();
+      reject(error);
+    };
+    server.once("listening", handleListening);
+    server.once("error", handleError);
   });
-}
-async function setupClientCredentials({
-  api: api2,
-  name,
-  credentialsBaseUrl,
-  policy
-}) {
-  const { clientId, clientSecret } = await createCredentialsOnServer(
-    api2,
-    name,
-    policy
-  );
+}
+async function openBrowser({
+  transaction,
+  authAction,
+  silent,
+  onProgress
+}) {
+  if (!silent) {
+    log_default.info(`Opening your browser to ${authAction}.`);
+    log_default.info("If it doesn't open, visit:", transaction.browserAuthUrl);
+  }
+  onProgress?.({ type: "browser_opening", url: transaction.browserAuthUrl });
   try {
-    await withRetry({
-      action: () => storeClientCredentials({
-        name,
-        clientId,
-        clientSecret,
-        scopes: [...CREDENTIALS_SCOPES],
-        baseUrl: credentialsBaseUrl
-      })
-    });
-  } catch (storeErr) {
-    try {
-      await withRetry({
-        action: () => deleteCredentialsOnServer(api2, clientId)
-      });
-    } catch {
-      console.error(
-        `Failed to roll back orphaned credential ${clientId}. Delete it manually with: zapier-sdk delete-client-credentials ${clientId}`
+    await open(transaction.browserAuthUrl);
+    onProgress?.({ type: "browser_opened", url: transaction.browserAuthUrl });
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    if (!silent) {
+      log_default.info(
+        `Browser did not open automatically to ${authAction}: ${reason}`
       );
+      log_default.info("Visit this URL manually:", transaction.browserAuthUrl);
     }
-    throw storeErr;
+    onProgress?.({
+      type: "browser_open_failed",
+      url: transaction.browserAuthUrl,
+      reason
+    });
   }
-  return { clientId };
 }
-function getBaseUrlFromResolvedCredentials(credentials) {
-  if (credentials && isCredentialsObject(credentials)) {
-    return credentials.baseUrl;
-  }
-  return void 0;
+async function closeServer({
+  server,
+  connections,
+  silent
+}) {
+  await new Promise((resolve4) => {
+    const timeout = setTimeout(() => {
+      if (!silent)
+        log_default.info("Server close timed out, forcing connection shutdown...");
+      connections.forEach((conn) => conn.destroy());
+      resolve4();
+    }, 1e3);
+    server.close(() => {
+      clearTimeout(timeout);
+      resolve4();
+    });
+  });
 }
-function getBaseUrlFromOptionsCredentials(credentials) {
-  if (credentials && typeof credentials === "object" && "baseUrl" in credentials && typeof credentials.baseUrl === "string") {
-    return credentials.baseUrl;
-  }
-  return void 0;
+
+// src/utils/auth/oauth-errors.ts
+var SENSITIVE_OAUTH_FIELDS = [
+  "access_token",
+  "refresh_token",
+  "id_token",
+  "client_secret",
+  "code_verifier",
+  "code_challenge"
+];
+function getErrorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
 }
-async function resolveCredentialsBaseUrl(context) {
-  const resolvedCredentials = "resolvedCredentials" in context ? context.resolvedCredentials : await context.resolveCredentials?.();
-  return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
+function toCamelCase(field) {
+  return field.replace(
+    /_([a-z])/g,
+    (_match, letter) => letter.toUpperCase()
+  );
 }
-
-// src/utils/non-interactive.ts
-function resolveNonInteractive(options) {
-  return (options.nonInteractive ?? options.skipPrompts) === true || !process.stdin.isTTY || !process.stdout.isTTY;
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var sensitiveOauthFieldPattern = Array.from(
+  new Set(
+    SENSITIVE_OAUTH_FIELDS.flatMap((field) => [field, toCamelCase(field)])
+  )
+).map(escapeRegExp).join("|");
+var sensitiveQueryParamPattern = new RegExp(
+  `([?&])(${sensitiveOauthFieldPattern})(=)[^&#\\s"'<>]*`,
+  "gi"
+);
+function redactSensitiveOauthErrorMessage(message) {
+  return message.replace(
+    sensitiveQueryParamPattern,
+    (_match, prefix, key, separator) => `${prefix}${key}${separator}[REDACTED]`
+  ).replace(
+    new RegExp(`"(${sensitiveOauthFieldPattern})"(\\s*:\\s*)"[^"]*"`, "g"),
+    (_match, key, separator) => `"${key}"${separator}"[REDACTED]"`
+  );
+}
+function toRedactedOauthError(error) {
+  const message = redactSensitiveOauthErrorMessage(getErrorMessage(error));
+  if (error instanceof ZapierCliValidationError) {
+    return new ZapierCliValidationError(message);
+  }
+  if (error instanceof Error) {
+    const redactedError = new Error(message);
+    redactedError.name = error.name;
+    return redactedError;
+  }
+  return new ZapierCliValidationError(message);
 }
-var LoginSchema = z.object({
-  timeout: z.string().optional().describe("Login timeout in seconds (default: 300)"),
-  useApprovals: z.boolean().optional().describe(
-    "Require approvals for actions performed with these credentials"
-  ),
-  nonInteractive: z.boolean().optional().describe(
-    "Skip interactive prompts. Uses defaults where possible; errors instead of prompting when input is required. Useful in CI, piped output, or environments where TTY detection is unreliable."
-  ),
-  /** @deprecated Use `nonInteractive` instead. */
-  skipPrompts: z.boolean().optional().meta({
-    deprecated: true,
-    deprecationMessage: "Use --non-interactive instead."
-  })
-}).describe("Log in to Zapier to access your account");
 
-// src/plugins/login/index.ts
+// src/utils/auth/account-auth.ts
+var LEGACY_JWT_UPGRADE_PROMPT = "We're upgrading your login to client credentials for a simpler, more reliable experience and to support future security controls. Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. Continue?";
+var SIGNUP_RECOVERY_MESSAGE = "Restart `zapier-sdk signup` to generate a fresh signup URL and try again.";
+var HEADLESS_SIGNUP_RECOVERY_MESSAGE = "Restart `zapier-sdk signup --headless` to generate a fresh signup URL and try again.";
+function getEntryPointLabel(entryPoint) {
+  return entryPoint === "signup" ? "Signup" : "Login";
+}
+function getActiveCredentialsAction(entryPoint) {
+  return entryPoint === "signup" ? "continue signup" : "log in again";
+}
+function getCredentialsPromptMessage(entryPoint) {
+  return entryPoint === "signup" ? "Enter a name to identify these credentials:" : "Enter a name to identify them:";
+}
+function getProfileMessage(entryPoint, email) {
+  return entryPoint === "signup" ? `\u{1F464} Authenticated as ${email}` : `\u{1F464} Logged in as ${email}`;
+}
+function defaultCredentialsName(email) {
+  return `${email}@${hostname()}`;
+}
+function validateCredentialsName(name) {
+  const trimmedName = name.trim();
+  if (!trimmedName) throw new ZapierCliValidationError("Name cannot be empty");
+  return trimmedName;
+}
+async function promptCredentialsName({
+  email,
+  promptMessage
+}) {
+  const { credentialName } = await inquirer.prompt([
+    {
+      type: "input",
+      name: "credentialName",
+      message: promptMessage,
+      default: defaultCredentialsName(email),
+      validate: (input) => {
+        try {
+          validateCredentialsName(input);
+          return true;
+        } catch (err) {
+          return err instanceof Error ? err.message : String(err);
+        }
+      }
+    }
+  ]);
+  return validateCredentialsName(credentialName);
+}
+function resolveDefaultCredentialsName({
+  email
+}) {
+  return validateCredentialsName(defaultCredentialsName(email));
+}
 function toPkceCredentials(credentials) {
   if (credentials && isCredentialsObject(credentials) && !("clientSecret" in credentials)) {
     return {
@@ -1256,104 +1649,125 @@ function toPkceCredentials(credentials) {
   }
   return void 0;
 }
-async function confirmRevokeAndRelogin(activeCredentials, nonInteractive) {
-  if (nonInteractive) {
+function parseTimeoutSeconds(timeout) {
+  if (timeout === void 0) return 300;
+  const timeoutSeconds = Number(timeout);
+  if (!Number.isInteger(timeoutSeconds) || timeoutSeconds <= 0) {
     throw new ZapierCliValidationError(
-      `Already logged in as "${activeCredentials.name}". Run \`logout\` first or use an interactive terminal to re-authenticate.`
+      "Timeout must be a positive integer (seconds)."
     );
   }
+  return timeoutSeconds;
+}
+async function promptConfirm({
+  message,
+  defaultValue
+}) {
   const { confirmed } = await inquirer.prompt([
-    {
-      type: "confirm",
-      name: "confirmed",
+    { type: "confirm", name: "confirmed", message, default: defaultValue }
+  ]);
+  return confirmed;
+}
+function promptlessCredentialResetError(credentials) {
+  throw new ZapierCliValidationError(
+    `Already logged in as "${credentials.name}". Run \`logout\` first or use an interactive terminal to re-authenticate.`
+  );
+}
+function promptlessLegacyJwtUpgradeError() {
+  throw new ZapierCliValidationError(
+    "Legacy JWT login detected. Run `logout` first or use an interactive terminal to migrate to client credentials."
+  );
+}
+async function clearExistingAuthState({
+  sdk,
+  baseUrl,
+  interactive,
+  entryPoint
+}) {
+  const activeCredentials = getActiveCredentials({ baseUrl });
+  const flowLabel = getEntryPointLabel(entryPoint);
+  if (activeCredentials) {
+    const confirmed = interactive ? await promptConfirm({
+      defaultValue: false,
       message: `You are already logged in as "${activeCredentials.name}".
 Logging out will delete these credentials and may interrupt other Zapier SDK or CLI sessions using them.
-Log out and log in again?`,
-      default: false
+Log out and ${getActiveCredentialsAction(entryPoint)}?`
+    }) : promptlessCredentialResetError(activeCredentials);
+    if (!confirmed) {
+      console.log(`${flowLabel} cancelled.`);
+      return false;
     }
-  ]);
-  if (!confirmed) {
-    console.log("Login cancelled.");
-    return false;
-  }
-  return true;
-}
-async function confirmJwtMigration(nonInteractive) {
-  if (nonInteractive) {
-    throw new ZapierCliValidationError(
-      "Legacy JWT login detected. Run `logout` first or use an interactive terminal to migrate to client credentials."
-    );
-  }
-  const { confirmed } = await inquirer.prompt([
-    {
-      type: "confirm",
-      name: "confirmed",
-      message: "We're upgrading your login to client credentials for a simpler, more reliable experience and to support future security controls. Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. Continue?",
-      default: true
+    try {
+      await revokeCredentials({
+        api: sdk.context.api,
+        credentials: activeCredentials
+      });
+    } catch {
+      if (!interactive) {
+        throw new ZapierCliValidationError(
+          `${flowLabel} cleanup failed and cannot be reset without confirmation. Re-run with an interactive terminal.`
+        );
+      }
+      const reset = await promptConfirm({
+        defaultValue: false,
+        message: `${flowLabel} cleanup failed. Reset local session state and continue?`
+      });
+      if (!reset) {
+        console.log(`${flowLabel} cancelled.`);
+        return false;
+      }
+      await deleteStoredClientCredentials({
+        name: activeCredentials.name,
+        baseUrl: activeCredentials.baseUrl
+      });
     }
-  ]);
-  if (!confirmed) {
-    console.log("Login cancelled.");
-    return false;
-  }
-  return true;
-}
-async function confirmLocalLoginReset(nonInteractive) {
-  if (nonInteractive) {
-    throw new ZapierCliValidationError(
-      "Login cleanup failed and cannot be reset without confirmation. Re-run with an interactive terminal."
-    );
-  }
-  const { confirmed } = await inquirer.prompt([
-    {
-      type: "confirm",
-      name: "confirmed",
-      message: "Login cleanup failed. Reset local session state and continue?",
-      default: false
+  } else if (hasLegacyJwtConfig()) {
+    const confirmed = interactive ? await promptConfirm({
+      defaultValue: true,
+      message: LEGACY_JWT_UPGRADE_PROMPT
+    }) : promptlessLegacyJwtUpgradeError();
+    if (!confirmed) {
+      console.log(`${flowLabel} cancelled.`);
+      return false;
     }
-  ]);
-  if (!confirmed) {
-    console.log("Login cancelled.");
-    return false;
   }
   return true;
 }
-function parseTimeoutSeconds(timeout) {
-  const timeoutSeconds = timeout ? parseInt(timeout, 10) : 300;
-  if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
-    throw new Error("Timeout must be a positive number");
-  }
-  return timeoutSeconds;
+async function getProfile(api2) {
+  return api2.get("/zapier/api/v4/profile/", {
+    authRequired: true
+  });
 }
-async function promptCredentialsName(email, nonInteractive) {
-  const fallback = `${email}@${hostname()}`;
-  if (nonInteractive) {
-    return fallback;
+async function saveClientCredentials({
+  api: api2,
+  name,
+  credentialsBaseUrl,
+  useApprovals,
+  cleanupLogPrefix
+}) {
+  await setupClientCredentials({
+    api: api2,
+    name,
+    credentialsBaseUrl,
+    ...useApprovals && { policy: EMPTY_POLICY }
+  });
+  try {
+    await clearLegacyJwtState();
+  } catch (err) {
+    console.error(
+      `[${cleanupLogPrefix}] Best-effort legacy JWT cleanup failed:`,
+      err
+    );
   }
-  const { credentialName } = await inquirer.prompt([
-    {
-      type: "input",
-      name: "credentialName",
-      message: "Enter a name to identify them:",
-      default: fallback,
-      validate: (input) => {
-        if (!input.trim()) return "Name cannot be empty";
-        return true;
-      }
-    }
-  ]);
-  return credentialName;
 }
-function emitLoginSuccess({
+function emitAccountAuthSuccess({
   sdk,
   profile
 }) {
   sdk.context.eventEmission.emit(
     "platform.sdk.ApplicationLifecycleEvent",
     buildApplicationLifecycleEvent(
-      {
-        lifecycle_event_type: "login_success"
-      },
+      { lifecycle_event_type: "login_success" },
       {
         customuser_id: profile.user_id,
         account_id: profile.roles[0]?.account_id ?? null
@@ -1361,18 +1775,128 @@ function emitLoginSuccess({
     )
   );
 }
-async function getProfile(api2) {
-  return api2.get("/zapier/api/v4/profile/", {
-    authRequired: true
-  });
+function emitSignupSuccess({
+  sdk
+}) {
+  sdk.context.eventEmission.emit(
+    "platform.sdk.ApplicationLifecycleEvent",
+    buildApplicationLifecycleEvent({ lifecycle_event_type: "signup_success" })
+  );
 }
-async function bestEffortClearLegacyJwtState() {
+async function runOauthWithRedaction(runOauth) {
   try {
-    await clearLegacyJwtState();
-  } catch (err) {
-    console.error("[login] Best-effort legacy JWT cleanup failed:", err);
+    return await runOauth();
+  } catch (error) {
+    if (error instanceof ZapierCliUserCancellationError) throw error;
+    throw toRedactedOauthError(error);
+  }
+}
+async function runOauthForEntryPoint({
+  sdk,
+  entryPoint,
+  timeoutMs,
+  pkceCredentials,
+  baseUrl,
+  headless,
+  interactive
+}) {
+  if (entryPoint === "signup") {
+    return runOauthWithRedaction(
+      () => runSignupOauthFlow({
+        timeoutMs,
+        pkceCredentials,
+        baseUrl,
+        headless,
+        interactive,
+        recoveryMessage: headless ? HEADLESS_SIGNUP_RECOVERY_MESSAGE : SIGNUP_RECOVERY_MESSAGE,
+        onProgress: (event) => {
+          if (event.type === "callback_accepted") {
+            emitSignupSuccess({ sdk });
+          }
+        }
+      })
+    );
+  }
+  return runOauthWithRedaction(
+    () => runLoginOauthFlow({ timeoutMs, pkceCredentials, baseUrl })
+  );
+}
+async function runAccountAuth({
+  sdk,
+  options,
+  entryPoint
+}) {
+  const timeoutSeconds = parseTimeoutSeconds(options.timeout);
+  const interactive = !resolveNonInteractive(options);
+  const resolvedCredentials = await sdk.context.resolveCredentials();
+  const pkceCredentials = toPkceCredentials(resolvedCredentials);
+  const credentialsBaseUrl = await resolveCredentialsBaseUrl({
+    ...sdk.context,
+    resolvedCredentials
+  });
+  if (!await clearExistingAuthState({
+    sdk,
+    baseUrl: credentialsBaseUrl,
+    interactive,
+    entryPoint
+  })) {
+    return;
+  }
+  const { accessToken } = await runOauthForEntryPoint({
+    sdk,
+    entryPoint,
+    timeoutMs: timeoutSeconds * 1e3,
+    pkceCredentials,
+    baseUrl: credentialsBaseUrl,
+    headless: options.headless === true,
+    interactive
+  });
+  const scopedApi = getOrCreateApiClient({
+    credentials: accessToken,
+    baseUrl: credentialsBaseUrl
+  });
+  const profile = await getProfile(scopedApi);
+  console.log(getProfileMessage(entryPoint, profile.email));
+  console.log(
+    "\nGenerating credentials so this machine can make authenticated requests on your behalf."
+  );
+  const resolveCredentialsName = interactive ? ({ email }) => promptCredentialsName({
+    email,
+    promptMessage: getCredentialsPromptMessage(entryPoint)
+  }) : resolveDefaultCredentialsName;
+  const credentialName = await resolveCredentialsName({ email: profile.email });
+  const useApprovals = options.useApprovals === true;
+  await saveClientCredentials({
+    api: scopedApi,
+    name: credentialName,
+    credentialsBaseUrl,
+    useApprovals,
+    cleanupLogPrefix: entryPoint
+  });
+  console.log(
+    `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
+  );
+  if (useApprovals) {
+    console.log("\u{1F510} Approvals are enabled for these credentials.");
   }
+  emitAccountAuthSuccess({ sdk, profile });
 }
+var LoginSchema = z.object({
+  timeout: z.string().optional().describe("Login timeout in seconds (default: 300)"),
+  useApprovals: z.boolean().optional().describe(
+    "Require approvals for actions performed with these credentials"
+  ),
+  nonInteractive: z.boolean().optional().describe(
+    "Skip interactive prompts. Uses defaults where possible; errors instead of prompting when input is required. Useful in CI, piped output, or environments where TTY detection is unreliable."
+  ),
+  /** @deprecated Use `nonInteractive` instead. */
+  skipPrompts: z.boolean().optional().meta({
+    deprecated: true,
+    deprecationMessage: "Use --non-interactive instead."
+  })
+}).describe("Log in to Zapier to access your account");
+
+// src/plugins/login/index.ts
 var loginPlugin = definePlugin(
   (sdk) => createPluginMethod(sdk, {
     name: "login",
@@ -1380,68 +1904,37 @@ var loginPlugin = definePlugin(
     inputSchema: LoginSchema,
     supportsJsonOutput: false,
     handler: async ({ sdk: sdk2, options }) => {
-      const timeoutSeconds = parseTimeoutSeconds(options.timeout);
-      const nonInteractive = resolveNonInteractive(options);
-      const resolvedCredentials = await sdk2.context.resolveCredentials();
-      const pkceCredentials = toPkceCredentials(resolvedCredentials);
-      const credentialsBaseUrl = await resolveCredentialsBaseUrl({
-        ...sdk2.context,
-        resolvedCredentials
-      });
-      const activeCredentials = getActiveCredentials({
-        baseUrl: credentialsBaseUrl
-      });
-      if (activeCredentials) {
-        if (!await confirmRevokeAndRelogin(activeCredentials, nonInteractive))
-          return;
-        try {
-          await revokeCredentials({
-            api: sdk2.context.api,
-            credentials: activeCredentials
-          });
-        } catch {
-          if (!await confirmLocalLoginReset(nonInteractive)) return;
-          await deleteStoredClientCredentials({
-            name: activeCredentials.name,
-            baseUrl: activeCredentials.baseUrl
-          });
-        }
-      } else if (hasLegacyJwtConfig()) {
-        if (!await confirmJwtMigration(nonInteractive)) return;
-      }
-      const { accessToken } = await runOauthFlow({
-        timeoutMs: timeoutSeconds * 1e3,
-        pkceCredentials,
-        baseUrl: credentialsBaseUrl
-      });
-      const scopedApi = getOrCreateApiClient({
-        credentials: accessToken,
-        baseUrl: credentialsBaseUrl
-      });
-      const profile = await getProfile(scopedApi);
-      console.log(`\u{1F464} Logged in as ${profile.email}`);
-      console.log(
-        "\nGenerating credentials so this machine can make authenticated requests on your behalf."
-      );
-      const credentialName = await promptCredentialsName(
-        profile.email,
-        nonInteractive
-      );
-      const useApprovals = options.useApprovals === true;
-      await setupClientCredentials({
-        api: scopedApi,
-        name: credentialName,
-        credentialsBaseUrl,
-        ...useApprovals && { policy: EMPTY_POLICY }
-      });
-      await bestEffortClearLegacyJwtState();
-      console.log(
-        `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
-      );
-      if (useApprovals) {
-        console.log("\u{1F510} Approvals are enabled for these credentials.");
-      }
-      emitLoginSuccess({ sdk: sdk2, profile });
+      await runAccountAuth({ sdk: sdk2, options, entryPoint: "login" });
+    }
+  })
+);
+var SignupSchema = z.object({
+  timeout: z.string().optional().describe("Signup timeout in seconds (default: 300)"),
+  useApprovals: z.boolean().optional().describe(
+    "Require approvals for actions performed with these credentials"
+  ),
+  nonInteractive: z.boolean().optional().describe(
+    "Skip interactive prompts. Uses defaults where possible; errors instead of prompting when input is required. Useful in CI, piped output, or environments where TTY detection is unreliable."
+  ),
+  /** @deprecated Use `nonInteractive` instead. */
+  skipPrompts: z.boolean().optional().meta({
+    deprecated: true,
+    deprecationMessage: "Use --non-interactive instead."
+  }),
+  headless: z.boolean().optional().describe(
+    "Use when signing up from a machine that has no browser. Prints a signup link to open elsewhere, then accepts the pasted loopback callback URL."
+  )
+}).describe("Set up Zapier account access and SDK credentials");
+
+// src/plugins/signup/index.ts
+var signupPlugin = definePlugin(
+  (sdk) => createPluginMethod(sdk, {
+    name: "signup",
+    categories: ["account"],
+    inputSchema: SignupSchema,
+    supportsJsonOutput: false,
+    handler: async ({ sdk: sdk2, options }) => {
+      await runAccountAuth({ sdk: sdk2, options, entryPoint: "signup" });
     }
   })
 );
@@ -1508,7 +2001,8 @@ var BundleCodeSchema = z.object({
 var bundleCodePlugin = definePlugin(
   (sdk) => createPluginMethod(sdk, {
     name: "bundleCode",
-    categories: ["utility", "deprecated"],
+    categories: ["utility"],
+    deprecation: { message: "bundleCode is no longer maintained." },
     inputSchema: BundleCodeSchema,
     handler: async ({ options }) => bundleCode(options)
   })
@@ -1604,7 +2098,7 @@ async function detectTypesOutputDirectory() {
   }
   return "./zapier/apps/";
 }
-var addPlugin = definePlugin(
+var addAppsPlugin = definePlugin(
   (sdk) => createPluginMethod(sdk, {
     name: "add",
     categories: ["utility"],
@@ -3009,10 +3503,6 @@ var cliOverridesPlugin = definePlugin(
     if (sdk.context.meta.fetch) {
       meta.fetch = {
         ...sdk.context.meta.fetch,
-        categories: [
-          ...sdk.context.meta.fetch.categories || [],
-          "deprecated"
-        ],
         deprecation: {
           message: "This command is deprecated and will be removed soon. Use `curl` instead. Learn more: https://docs.zapier.com/sdk/cli-reference#curl"
         }
@@ -3976,7 +4466,7 @@ definePlugin(
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.52.10"};
+  version: "0.53.0"};
 
 // src/sdk.ts
 injectCliLogin(login_exports);
@@ -3985,26 +4475,26 @@ function createZapierCliSdk(options = {}) {
   const extensionsContextPlugin = () => ({
     context: { extensions }
   });
-  let chain = createZapierSdk({
+  const sdk = createZapierSdkStack({
     ...sdkOptions,
     eventEmission: { ...sdkOptions.eventEmission, callContext: "cli" },
     callerPackage: { name: package_default.name, version: package_default.version }
-  }).addPlugin(extensionsContextPlugin).addPlugin(generateAppTypesPlugin).addPlugin(buildManifestPlugin).addPlugin(bundleCodePlugin).addPlugin(getLoginConfigPathPlugin).addPlugin(addPlugin).addPlugin(feedbackPlugin).addPlugin(curlPlugin).addPlugin(initPlugin).addPlugin(mcpPlugin).addPlugin(loginPlugin).addPlugin(logoutPlugin).addPlugin(cliOverridesPlugin);
+  }).use(extensionsContextPlugin).use(generateAppTypesPlugin).use(buildManifestPlugin).use(bundleCodePlugin).use(getLoginConfigPathPlugin).use(addAppsPlugin).use(feedbackPlugin).use(curlPlugin).use(initPlugin).use(mcpPlugin).use(loginPlugin).use(signupPlugin).use(logoutPlugin).use(cliOverridesPlugin, { override: true }).toSdk();
   for (const ext of extensions) {
     try {
-      chain = chain.addPlugin(ext);
+      addPlugin(sdk, ext);
     } catch (err) {
       console.warn(
         `Extension plugin failed to construct: ${err.message}; skipping.`
       );
     }
   }
-  return chain;
+  return sdk;
 }
 
 // package.json
 var package_default2 = {
-  version: "0.52.10"};
+  version: "0.53.0"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {