agentlink-sh 0.26.1 → 0.30.0

package/dist/{chunk-4CW46BPC.js → chunk-KRE7FEMO.js}

@@ -1,24 +1,18 @@
 #!/usr/bin/env node
-import {
-  delay,
-  runCommand
-} from "./chunk-IV5ZSOKF.js";
 import {
   amber,
   blue,
   bold,
   dim,
   link,
-  red
-} from "./chunk-MHI6VJ75.js";
-import {
+  red,
   sb
-} from "./chunk-DM6KG5YU.js";
+} from "./chunk-KECTTRCF.js";
 
 // src/cloud.ts
-import fs from "fs";
+import fs2 from "fs";
 import os from "os";
-import path from "path";
+import path2 from "path";
 import { input, select as select2 } from "@inquirer/prompts";
 
 // src/prompts.ts
@@ -40,6 +34,187 @@ async function selectYesNo(opts) {
 
 // src/cloud.ts
 import open from "open";
+
+// src/utils.ts
+import { execSync, spawn } from "child_process";
+import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+var LOG_FILE = "agentlink-debug.log";
+var debugEnabled = false;
+var logInitialized = false;
+function ensureLogFile() {
+  if (!logInitialized) {
+    fs.writeFileSync(LOG_FILE, "");
+    logInitialized = true;
+  }
+}
+function appendLog(msg, force = false) {
+  if (!debugEnabled && !force) return;
+  ensureLogFile();
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  fs.appendFileSync(LOG_FILE, `[${timestamp}] ${msg}
+`);
+}
+function initLog(debug) {
+  debugEnabled = debug;
+  if (debug) {
+    ensureLogFile();
+  }
+}
+function runCommand(cmd, cwd, onData, env) {
+  appendLog(`$ ${cmd}${cwd ? ` (in ${cwd})` : ""}`);
+  return new Promise((resolve, reject) => {
+    const child = spawn(cmd, {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"],
+      shell: true,
+      env: env ? { ...process.env, ...env } : void 0
+    });
+    const stdout = [];
+    const stderr = [];
+    child.stdout.on("data", (data) => {
+      const text = data.toString();
+      stdout.push(text);
+      if (onData) {
+        for (const line of text.split("\n").filter(Boolean)) {
+          onData(line.trim());
+        }
+      }
+    });
+    child.stderr.on("data", (data) => {
+      const text = data.toString();
+      stderr.push(text);
+      if (onData) {
+        for (const line of text.split("\n").filter(Boolean)) {
+          onData(line.trim());
+        }
+      }
+    });
+    child.on("close", (code) => {
+      const out = stdout.join("").trim();
+      const errOut = stderr.join("").trim();
+      if (out) appendLog(out);
+      if (errOut) appendLog(`STDERR: ${errOut}`);
+      if (code !== 0) {
+        appendLog(`$ ${cmd}${cwd ? ` (in ${cwd})` : ""}`, true);
+        appendLog(`EXIT CODE ${code}`, true);
+        if (errOut) appendLog(`STDERR: ${errOut}`, true);
+        const detail = errOut;
+        const isUnixCacheError = detail.includes("EACCES") && detail.includes(".npm");
+        const isWindowsCacheError = detail.includes("EPERM") && detail.toLowerCase().includes("npm-cache");
+        if (isUnixCacheError || isWindowsCacheError) {
+          const fix = process.platform === "win32" ? `    npm cache clean --force` : `    sudo chown -R $(id -u):$(id -g) ~/.npm`;
+          reject(new Error(
+            `npm cache has incorrect permissions.
+
+  Fix it by running:
+
+${fix}
+
+  Then re-run the command.`
+          ));
+          return;
+        }
+        const msg = detail ? `Command failed: ${cmd}
+${detail}` : `Command failed: ${cmd}`;
+        reject(new Error(msg));
+      } else {
+        resolve(out);
+      }
+    });
+    child.on("error", (err) => {
+      appendLog(`$ ${cmd}${cwd ? ` (in ${cwd})` : ""}`, true);
+      appendLog(`SPAWN ERROR: ${err.message}`, true);
+      reject(
+        new Error(`Command failed: ${cmd}
+${err.message}`)
+      );
+    });
+  });
+}
+var GIT_CLEAN_IGNORED = /* @__PURE__ */ new Set([
+  ".agentlink-progress.json",
+  "agentlink-debug.log"
+]);
+async function assertGitClean(projectDir, allowDirty) {
+  if (allowDirty) return;
+  let status;
+  try {
+    status = await runCommand("git status --porcelain", projectDir);
+  } catch {
+    return;
+  }
+  const dirty = status.split("\n").filter((line) => {
+    if (!line.trim()) return false;
+    const filePath = line.slice(3).split(" -> ").pop()?.trim() ?? "";
+    return !GIT_CLEAN_IGNORED.has(filePath);
+  });
+  if (dirty.length > 0) {
+    throw new Error(
+      "You have uncommitted changes. Commit or stash them first so the update\nis easy to review and rollback (git diff / git checkout .).\n  git stash           \u2014 stash changes temporarily\n  git commit -am \u2026    \u2014 commit changes\n  --allow-dirty       \u2014 skip this check (rollback will be messy)"
+    );
+  }
+}
+async function listChangedFiles(projectDir) {
+  let status;
+  try {
+    status = await runCommand("git status --porcelain", projectDir);
+  } catch {
+    return [];
+  }
+  return status.split("\n").map((line) => line.trim()).filter(Boolean).map((line) => line.slice(3).split(" -> ").pop()?.trim() ?? "").filter((p) => p && !GIT_CLEAN_IGNORED.has(p));
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function checkCommand(cmd) {
+  const locator = process.platform === "win32" ? "where" : "which";
+  try {
+    execSync(`${locator} ${cmd}`, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function skillDisplayName(skill) {
+  if (skill.includes("@")) return skill.split("@").pop();
+  const flag = skill.match(/--skill\s+(\S+)/);
+  if (flag) return flag[1];
+  return skill.split("/").pop();
+}
+function generateDbPassword(length = 32) {
+  const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  const bytes = crypto.randomBytes(length);
+  return Array.from(bytes, (b) => chars[b % chars.length]).join("");
+}
+function slugifyProjectName(name) {
+  return name.toLowerCase().replace(/\s+/g, "-").replace(/[^a-z0-9.-]/g, "").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+function validateProjectName(name, mode = "new") {
+  const slug = slugifyProjectName(name);
+  if (!slug) return "Project name is required.";
+  if (mode === "new" && fs.existsSync(slug))
+    return `Directory "${slug}" already exists.`;
+  return void 0;
+}
+function ensureGitignorePattern(cwd, pattern, comment = "Agent Link \u2014 database backups (may contain sensitive data)") {
+  const gitignorePath = path.join(cwd, ".gitignore");
+  let content = "";
+  if (fs.existsSync(gitignorePath)) {
+    content = fs.readFileSync(gitignorePath, "utf-8");
+    const patternNoSlash = pattern.replace(/\/$/, "");
+    const alreadyPresent = content.split("\n").map((l) => l.trim()).some((l) => l === pattern || l === patternNoSlash);
+    if (alreadyPresent) return;
+  }
+  const needsLeadingNewline = content.length > 0 && !content.endsWith("\n");
+  const block = (needsLeadingNewline ? "\n" : "") + (content.length > 0 ? "\n" : "") + `# ${comment}
+${pattern}
+`;
+  fs.writeFileSync(gitignorePath, content + block);
+}
+
+// src/cloud.ts
 var theme = {
   prefix: { idle: blue("?"), done: blue("\u2714") },
   style: {
@@ -52,19 +227,41 @@ var theme = {
   }
 };
 function credentialsPath() {
-  return path.join(os.homedir(), ".config", "agentlink", "credentials.json");
+  return path2.join(os.homedir(), ".config", "agentlink", "credentials.json");
 }
 function loadCredentials() {
   try {
-    return JSON.parse(fs.readFileSync(credentialsPath(), "utf-8"));
+    return JSON.parse(fs2.readFileSync(credentialsPath(), "utf-8"));
   } catch {
     return {};
   }
 }
 function saveCredentials(creds) {
   const filePath = credentialsPath();
-  fs.mkdirSync(path.dirname(filePath), { recursive: true });
-  fs.writeFileSync(filePath, JSON.stringify(creds, null, 2) + "\n", { mode: 384 });
+  fs2.mkdirSync(path2.dirname(filePath), { recursive: true });
+  fs2.writeFileSync(filePath, JSON.stringify(creds, null, 2) + "\n", { mode: 384 });
+}
+function getResendDefaults() {
+  const creds = loadCredentials();
+  const d = creds.resend_defaults;
+  if (!d || !d.api_key || !d.from_email) return null;
+  return { api_key: d.api_key, from_email: d.from_email, saved_at: d.saved_at };
+}
+function setResendDefaults(api_key, from_email) {
+  const creds = loadCredentials();
+  creds.resend_defaults = {
+    api_key,
+    from_email,
+    saved_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveCredentials(creds);
+}
+function clearResendDefaults() {
+  const creds = loadCredentials();
+  if (!creds.resend_defaults) return false;
+  delete creds.resend_defaults;
+  saveCredentials(creds);
+  return true;
 }
 var _authContext = {};
 function isAuthError(err) {
@@ -77,7 +274,7 @@ async function refreshIfNeeded(entry) {
   }
   if (!entry.refresh_token) return null;
   try {
-    const { refreshOAuthToken } = await import("./oauth-JGWRORJM.js");
+    const { refreshOAuthToken } = await import("./oauth-52Q6XDJL.js");
     const tokens = await refreshOAuthToken(entry.refresh_token);
     return {
       ...entry,
@@ -93,7 +290,7 @@ async function signOut(opts = {}) {
   const notes = [];
   const filePath = credentialsPath();
   let agentlinkStoreCleared = false;
-  if (fs.existsSync(filePath)) {
+  if (fs2.existsSync(filePath)) {
     try {
       const before = loadCredentials();
       const hadAnything = !!before.oauth || Object.keys(before.oauth_by_org ?? {}).length > 0 || !!before.supabase_access_token;
@@ -111,13 +308,13 @@ async function signOut(opts = {}) {
   const envVarCleared = !!process.env.SUPABASE_ACCESS_TOKEN;
   delete process.env.SUPABASE_ACCESS_TOKEN;
   if (opts.cwd) {
-    const envPath = path.join(opts.cwd, ".env.local");
-    if (fs.existsSync(envPath)) {
+    const envPath = path2.join(opts.cwd, ".env.local");
+    if (fs2.existsSync(envPath)) {
       try {
-        let content = fs.readFileSync(envPath, "utf-8");
+        let content = fs2.readFileSync(envPath, "utf-8");
         if (/^SUPABASE_ACCESS_TOKEN=/m.test(content)) {
           content = content.replace(/^SUPABASE_ACCESS_TOKEN=.*\n?/m, "");
-          fs.writeFileSync(envPath, content);
+          fs2.writeFileSync(envPath, content);
           notes.push(`Stripped SUPABASE_ACCESS_TOKEN from ${envPath}`);
         }
       } catch (err) {
@@ -155,16 +352,51 @@ function clearAccessToken(opts = {}) {
   }
   saveCredentials(creds);
   if (opts.projectDir) {
-    const envPath = path.join(opts.projectDir, ".env.local");
-    if (fs.existsSync(envPath)) {
-      let content = fs.readFileSync(envPath, "utf-8");
+    const envPath = path2.join(opts.projectDir, ".env.local");
+    if (fs2.existsSync(envPath)) {
+      let content = fs2.readFileSync(envPath, "utf-8");
       if (/^SUPABASE_ACCESS_TOKEN=/m.test(content)) {
         content = content.replace(/^SUPABASE_ACCESS_TOKEN=.*\n?/m, "");
-        fs.writeFileSync(envPath, content);
+        fs2.writeFileSync(envPath, content);
       }
     }
   }
 }
+function isInteractiveTty() {
+  return process.stdout.isTTY === true && process.stdin.isTTY === true;
+}
+async function runOAuthLogin(opts) {
+  const { orgId, orgSlug } = opts;
+  const { oauthLogin } = await import("./oauth-52Q6XDJL.js");
+  const tokens = await oauthLogin({ organizationSlug: orgSlug });
+  process.env.SUPABASE_ACCESS_TOKEN = tokens.access_token;
+  let derivedOrg;
+  try {
+    const orgs = await listOrganizations();
+    derivedOrg = orgs[0];
+  } catch {
+  }
+  const entry = {
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    expires_at: Math.floor(Date.now() / 1e3) + tokens.expires_in,
+    org_name: derivedOrg?.name,
+    org_slug: derivedOrg?.slug
+  };
+  const targetOrgId = derivedOrg?.id ?? orgId;
+  const current = loadCredentials();
+  if (targetOrgId) {
+    saveCredentials({
+      ...current,
+      oauth_by_org: { ...current.oauth_by_org ?? {}, [targetOrgId]: entry }
+    });
+  } else {
+    saveCredentials({ ...current, oauth: entry });
+  }
+  console.log(`  ${blue("\u2714")} Authenticated via Supabase OAuth${derivedOrg?.name ? ` for ${derivedOrg.name}` : ""}`);
+  console.log(`  ${dim("Token stored at " + credentialsPath())}`);
+  console.log();
+}
 async function authenticatedFetch(url, init) {
   const token = process.env.SUPABASE_ACCESS_TOKEN;
   if (!token) {
@@ -173,23 +405,56 @@ async function authenticatedFetch(url, init) {
   const headers = new Headers(init?.headers);
   headers.set("Authorization", `Bearer ${token}`);
   const res = await fetch(url, { ...init, headers });
-  if (res.status === 401 || res.status === 403) {
-    console.log(`
-  ${amber("\u25B2")} Access token expired or revoked. Re-authenticating...
-`);
-    clearAccessToken({ projectDir: _authContext.projectDir, orgId: _authContext.orgId });
-    await ensureAccessToken({
-      nonInteractive: _authContext.nonInteractive,
-      projectDir: _authContext.projectDir,
-      orgId: _authContext.orgId,
-      orgSlug: _authContext.orgSlug
-    });
-    const newToken = process.env.SUPABASE_ACCESS_TOKEN;
-    const retryHeaders = new Headers(init?.headers);
-    retryHeaders.set("Authorization", `Bearer ${newToken}`);
-    return fetch(url, { ...init, headers: retryHeaders });
+  if (res.status !== 401 && res.status !== 403) return res;
+  const orgId = _authContext.orgId;
+  const initialCreds = loadCredentials();
+  const entry = orgId ? initialCreds.oauth_by_org?.[orgId] : initialCreds.oauth;
+  if (entry?.refresh_token) {
+    const { refreshOAuthToken } = await import("./oauth-52Q6XDJL.js");
+    let fresh = null;
+    try {
+      fresh = await refreshOAuthToken(entry.refresh_token);
+    } catch {
+    }
+    if (fresh) {
+      const refreshedEntry = {
+        ...entry,
+        access_token: fresh.access_token,
+        refresh_token: fresh.refresh_token,
+        expires_at: Math.floor(Date.now() / 1e3) + fresh.expires_in
+      };
+      const latest = loadCredentials();
+      if (orgId) {
+        saveCredentials({
+          ...latest,
+          oauth_by_org: { ...latest.oauth_by_org ?? {}, [orgId]: refreshedEntry }
+        });
+      } else {
+        saveCredentials({ ...latest, oauth: refreshedEntry });
+      }
+      process.env.SUPABASE_ACCESS_TOKEN = fresh.access_token;
+      const retryHeaders2 = new Headers(init?.headers);
+      retryHeaders2.set("Authorization", `Bearer ${fresh.access_token}`);
+      const retry = await fetch(url, { ...init, headers: retryHeaders2 });
+      if (retry.status !== 401 && retry.status !== 403) return retry;
+    }
   }
-  return res;
+  if (!isInteractiveTty()) {
+    throw new Error(
+      `Authentication failed and no TTY available for re-auth.
+  Run interactively: npx agentlink-sh@latest sb login` + (orgId ? `  (org: ${orgId})` : "") + `
+  Or set SUPABASE_ACCESS_TOKEN to a PAT with the required scope.`
+    );
+  }
+  console.log();
+  console.log(`  ${amber("\u25B2")} Access token expired or revoked. Re-authenticating via Supabase OAuth...`);
+  console.log();
+  clearAccessToken({ projectDir: _authContext.projectDir, orgId: _authContext.orgId });
+  await runOAuthLogin({ orgId: _authContext.orgId, orgSlug: _authContext.orgSlug });
+  const newToken = process.env.SUPABASE_ACCESS_TOKEN;
+  const retryHeaders = new Headers(init?.headers);
+  retryHeaders.set("Authorization", `Bearer ${newToken}`);
+  return fetch(url, { ...init, headers: retryHeaders });
 }
 async function authenticatedRunCommand(cmd, cwd) {
   if (!process.env.SUPABASE_ACCESS_TOKEN) {
@@ -203,20 +468,54 @@ async function authenticatedRunCommand(cmd, cwd) {
   try {
     return await runCommand(cmd, cwd);
   } catch (err) {
-    if (isAuthError(err)) {
-      console.log(`
-  ${amber("\u25B2")} Access token expired or revoked. Re-authenticating...
-`);
-      clearAccessToken({ projectDir: _authContext.projectDir, orgId: _authContext.orgId });
-      await ensureAccessToken({
-        nonInteractive: _authContext.nonInteractive,
-        projectDir: _authContext.projectDir,
-        orgId: _authContext.orgId,
-        orgSlug: _authContext.orgSlug
-      });
-      return runCommand(cmd, cwd);
+    if (!isAuthError(err)) throw err;
+    const orgId = _authContext.orgId;
+    const initialCreds = loadCredentials();
+    const entry = orgId ? initialCreds.oauth_by_org?.[orgId] : initialCreds.oauth;
+    if (entry?.refresh_token) {
+      const { refreshOAuthToken } = await import("./oauth-52Q6XDJL.js");
+      let fresh = null;
+      try {
+        fresh = await refreshOAuthToken(entry.refresh_token);
+      } catch {
+      }
+      if (fresh) {
+        const refreshedEntry = {
+          ...entry,
+          access_token: fresh.access_token,
+          refresh_token: fresh.refresh_token,
+          expires_at: Math.floor(Date.now() / 1e3) + fresh.expires_in
+        };
+        const latest = loadCredentials();
+        if (orgId) {
+          saveCredentials({
+            ...latest,
+            oauth_by_org: { ...latest.oauth_by_org ?? {}, [orgId]: refreshedEntry }
+          });
+        } else {
+          saveCredentials({ ...latest, oauth: refreshedEntry });
+        }
+        process.env.SUPABASE_ACCESS_TOKEN = fresh.access_token;
+        try {
+          return await runCommand(cmd, cwd);
+        } catch (err2) {
+          if (!isAuthError(err2)) throw err2;
+        }
+      }
     }
-    throw err;
+    if (!isInteractiveTty()) {
+      throw new Error(
+        `Authentication failed and no TTY available for re-auth.
+  Run interactively: npx agentlink-sh@latest sb login` + (orgId ? `  (org: ${orgId})` : "") + `
+  Or set SUPABASE_ACCESS_TOKEN to a PAT with the required scope.`
+      );
+    }
+    console.log();
+    console.log(`  ${amber("\u25B2")} Access token expired or revoked. Re-authenticating via Supabase OAuth...`);
+    console.log();
+    clearAccessToken({ projectDir: _authContext.projectDir, orgId: _authContext.orgId });
+    await runOAuthLogin({ orgId: _authContext.orgId, orgSlug: _authContext.orgSlug });
+    return runCommand(cmd, cwd);
   }
 }
 async function ensureAccessToken(opts = {}) {
@@ -238,6 +537,20 @@ async function ensureAccessToken(opts = {}) {
         process.env.SUPABASE_ACCESS_TOKEN = fresh.access_token;
         return;
       }
+      if (isInteractiveTty()) {
+        console.log();
+        console.log(`  ${amber("\u25B2")} OAuth token for ${orgSlug ? `"${orgSlug}"` : `org ${orgId}`} expired and could not be refreshed.`);
+        console.log(`  Re-authenticating via Supabase OAuth...`);
+        console.log();
+        clearAccessToken({ projectDir, orgId });
+        await runOAuthLogin({ orgId, orgSlug });
+        return;
+      }
+      throw new Error(
+        `OAuth token for organization ${orgId} expired and refresh failed.
+  Run interactively: npx agentlink-sh@latest sb login
+  Or set SUPABASE_ACCESS_TOKEN to a PAT with access to this org.`
+      );
     }
   }
   if (creds.oauth) {
@@ -301,7 +614,7 @@ async function ensureAccessToken(opts = {}) {
   }
   if (nonInteractive) {
     throw new Error(
-      "SUPABASE_ACCESS_TOKEN is required for cloud mode.\n  Set it via --token, SUPABASE_ACCESS_TOKEN env var, or run `agentlink sb login`."
+      "SUPABASE_ACCESS_TOKEN is required for cloud mode.\n  Set it via --token, SUPABASE_ACCESS_TOKEN env var, or run `npx agentlink-sh@latest sb login`."
     );
   }
   const method = await select2({
@@ -313,35 +626,7 @@ async function ensureAccessToken(opts = {}) {
     ]
   });
   if (method === "oauth") {
-    const { oauthLogin } = await import("./oauth-JGWRORJM.js");
-    const tokens = await oauthLogin({ organizationSlug: orgSlug });
-    process.env.SUPABASE_ACCESS_TOKEN = tokens.access_token;
-    let derivedOrg;
-    try {
-      const orgs = await listOrganizations();
-      derivedOrg = orgs[0];
-    } catch {
-    }
-    const entry = {
-      access_token: tokens.access_token,
-      refresh_token: tokens.refresh_token,
-      expires_at: Math.floor(Date.now() / 1e3) + tokens.expires_in,
-      org_name: derivedOrg?.name,
-      org_slug: derivedOrg?.slug
-    };
-    const targetOrgId = derivedOrg?.id ?? orgId;
-    const current = loadCredentials();
-    if (targetOrgId) {
-      saveCredentials({
-        ...current,
-        oauth_by_org: { ...current.oauth_by_org ?? {}, [targetOrgId]: entry }
-      });
-    } else {
-      saveCredentials({ ...current, oauth: entry });
-    }
-    console.log(`  ${blue("\u2714")} Authenticated via Supabase OAuth${derivedOrg?.name ? ` for ${derivedOrg.name}` : ""}`);
-    console.log(`  ${dim("Token stored at " + credentialsPath())}`);
-    console.log();
+    await runOAuthLogin({ orgId, orgSlug });
     return;
   }
   const tokenUrl = "https://supabase.com/dashboard/account/tokens";
@@ -497,6 +782,54 @@ function clearOrgCredential(orgId) {
     saveCredentials(creds);
   }
 }
+function listCachedOrgs() {
+  const byOrg = loadCredentials().oauth_by_org ?? {};
+  return Object.entries(byOrg).map(([id, entry]) => ({
+    id,
+    name: entry.org_name,
+    slug: entry.org_slug,
+    expiresAt: entry.expires_at
+  }));
+}
+async function refreshCachedOrg(orgId) {
+  const creds = loadCredentials();
+  const entry = creds.oauth_by_org?.[orgId];
+  if (!entry) return null;
+  const fresh = await refreshIfNeeded(entry);
+  if (!fresh) return null;
+  const discovered = (await listOrganizationsForToken(fresh.access_token))[0];
+  if (!discovered) return null;
+  const latest = loadCredentials();
+  const newByOrg = { ...latest.oauth_by_org ?? {} };
+  if (orgId !== discovered.id) delete newByOrg[orgId];
+  newByOrg[discovered.id] = {
+    ...fresh,
+    org_name: discovered.name,
+    org_slug: discovered.slug
+  };
+  saveCredentials({ ...latest, oauth_by_org: newByOrg });
+  return {
+    id: discovered.id,
+    name: discovered.name,
+    slug: discovered.slug,
+    expiresAt: newByOrg[discovered.id].expires_at
+  };
+}
+async function refreshAllCachedOrgs() {
+  const cached = listCachedOrgs();
+  const results = await Promise.allSettled(cached.map((o) => refreshCachedOrg(o.id)));
+  const refreshed = [];
+  const failed = [];
+  results.forEach((r, i) => {
+    const original = cached[i];
+    if (r.status === "fulfilled" && r.value) {
+      refreshed.push(r.value);
+    } else {
+      failed.push({ id: original.id, name: original.name });
+    }
+  });
+  return { refreshed, failed };
+}
 async function createProject(opts) {
   const out = await authenticatedRunCommand(
     `${sb()} projects create ${JSON.stringify(opts.name)} --org-id ${opts.orgId} --region ${opts.region} --db-password ${opts.dbPass} -o json`
@@ -586,6 +919,18 @@ async function updateAuthConfig(projectRef, config) {
     throw new Error(`Failed to update auth config (${res.status}): ${body}`);
   }
 }
+async function getAuthConfig(projectRef) {
+  try {
+    const res = await authenticatedFetch(
+      `https://api.supabase.com/v1/projects/${projectRef}/config/auth`,
+      { method: "GET" }
+    );
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
 async function waitForProjectReady(ref, spinner, timeoutMs = 3e5) {
   const start = Date.now();
   while (Date.now() - start < timeoutMs) {
@@ -749,9 +1094,23 @@ async function setSecrets(projectRef, secrets) {
 
 export {
   selectYesNo,
+  initLog,
+  runCommand,
+  assertGitClean,
+  listChangedFiles,
+  delay,
+  checkCommand,
+  skillDisplayName,
+  generateDbPassword,
+  slugifyProjectName,
+  validateProjectName,
+  ensureGitignorePattern,
   credentialsPath,
   loadCredentials,
   saveCredentials,
+  getResendDefaults,
+  setResendDefaults,
+  clearResendDefaults,
   signOut,
   authenticatedFetch,
   ensureAccessToken,
@@ -764,6 +1123,9 @@ export {
   refreshOAuthEntry,
   probeTokenAuth,
   clearOrgCredential,
+  listCachedOrgs,
+  refreshCachedOrg,
+  refreshAllCachedOrgs,
   createProject,
   getProject,
   deleteProject,
@@ -771,6 +1133,7 @@ export {
   runCloudSQL,
   updatePostgrestConfig,
   updateAuthConfig,
+  getAuthConfig,
   waitForProjectReady,
   waitForDatabaseReady,
   fetchPoolerUrl,