auth0-deploy-cli 7.13.1 → 7.14.0

package/.github/dependabot.yml

@@ -9,3 +9,6 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major", "version-update:semver-patch"]

package/CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [7.14.0] - 2022-06-27
+
+### Added
+
+- Validation to detect unreplaced keyword mappings during import [#591]
+
+### Fixed
+
+- Detect and prevent `You are not allowed to set flag '<SOME_FLAG>' for this tenant.` errors when erroneously setting non-configurable migration flag [#590]
+- Crash when attempting to create page templates from undefined value [#592]
+
 ## [7.13.1] - 2022-06-13
 
 ### Fixed
@@ -776,7 +787,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#554]: https://github.com/auth0/auth0-deploy-cli/issues/554
 [#563]: https://github.com/auth0/auth0-deploy-cli/issues/563
 [#577]: https://github.com/auth0/auth0-deploy-cli/issues/577
-[unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v7.13.1...HEAD
+[#590]: https://github.com/auth0/auth0-deploy-cli/issues/590
+[#591]: https://github.com/auth0/auth0-deploy-cli/issues/591
+[#592]: https://github.com/auth0/auth0-deploy-cli/issues/592
+[unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v7.14.0...HEAD
+[7.14.0]: https://github.com/auth0/auth0-deploy-cli/compare/v7.13.1...v7.14.0
 [7.13.1]: https://github.com/auth0/auth0-deploy-cli/compare/v7.13.0...v7.13.1
 [7.13.0]: https://github.com/auth0/auth0-deploy-cli/compare/v7.12.3...v7.13.0
 [7.12.3]: https://github.com/auth0/auth0-deploy-cli/compare/v7.12.2...v7.12.3

package/README.md

@@ -1,65 +1,121 @@
-# Auth0 Deploy CLI
-
-Auth0 supports continuous integration and deployment (CI/CD) of Auth0 Tenants and integration into existing CI/CD pipelines by using this **auth0-deploy-cli** tool.
-
-The `auth0-deploy-cli` tool supports the importing and exporting of Auth0 Tenant configuration data.
-
-Supported Auth0 Management API resources
-
-- [x] [Actions](https://auth0.com/docs/api/management/v2/#!/Actions/get_actions)
-- [x] [Branding](https://auth0.com/docs/api/management/v2/#!/Branding/get_branding)
-- [x] [Clients (Applications)](https://auth0.com/docs/api/management/v2#!/Clients/get_clients)
-- [x] [Client Grants](https://auth0.com/docs/api/management/v2#!/Client_Grants/get_client_grants)
-- [x] [Connections](https://auth0.com/docs/api/management/v2#!/Connections/get_connections)
-- [ ] [Custom Domains](https://auth0.com/docs/api/management/v2#!/Custom_Domains/get_custom_domains)
-- [ ] [Device Credentials](https://auth0.com/docs/api/management/v2#!/Device_Credentials/get_device_credentials)
-- [x] [Grants](https://auth0.com/docs/api/management/v2#!/Grants/get_grants)
-- [x] [Hooks](https://auth0.com/docs/api/management/v2#!/Hooks/get_hooks)
-- [x] [Hook Secrets](https://auth0.com/docs/api/management/v2/#!/Hooks/get_secrets)
-- [x] [Log Streams](https://auth0.com/docs/api/management/v2#!/Log_Streams/get_log_streams)
-- [ ] [Logs](https://auth0.com/docs/api/management/v2#!/Logs/get_logs)
-- [x] [Organizations](https://auth0.com/docs/api/management/v2#!/Organizations/get_organizations)
-- [x] [Prompts](https://auth0.com/docs/api/management/v2#!/Prompts/get_prompts)
-- [x] [Resource Servers (APIs)](https://auth0.com/docs/api/management/v2#!/Resource_Servers/get_resource_servers)
-- [x] [Roles](https://auth0.com/docs/api/management/v2#!/Roles)
-- [x] [Rules](https://auth0.com/docs/api/management/v2#!/Rules/get_rules)
-- [x] [Rules Configs](https://auth0.com/docs/api/management/v2#!/Rules_Configs/get_rules_configs)
-- [ ] [User Blocks](https://auth0.com/docs/api/management/v2#!/User_Blocks/get_user_blocks)
-- [ ] [Users](https://auth0.com/docs/api/management/v2#!/Users/get_users)
-- [ ] [Users By Email](https://auth0.com/docs/api/management/v2#!/Users_By_Email/get_users_by_email)
-- [ ] [Blacklists](https://auth0.com/docs/api/management/v2#!/Blacklists/get_tokens)
-- [x] [Email Templates](https://auth0.com/docs/api/management/v2#!/Email_Templates/get_email_templates_by_templateName)
-- [x] [Emails](https://auth0.com/docs/api/management/v2#!/Emails/get_provider)
-- [x] [Guardian](https://auth0.com/docs/api/management/v2#!/Guardian/get_factors)
-- [ ] [Jobs](https://auth0.com/docs/api/management/v2#!/Jobs/get_jobs_by_id)
-- [ ] [Stats](https://auth0.com/docs/api/management/v2#!/Stats/get_active_users)
-- [x] [Tenants (Pages and Migrations)](https://auth0.com/docs/api/management/v2#!/Tenants/get_settings)
-- [ ] [Anomaly](https://auth0.com/docs/api/management/v2#!/Anomaly/get_ips_by_id)
-- [ ] [Tickets](https://auth0.com/docs/api/management/v2#!/Tickets/post_email_verification)
-- [ ] [Signing Keys](https://auth0.com/docs/api/management/v2#!/Keys/get_signing_keys)
-
-# Before you begin
-
-- This tool can be destructive to your Auth0 tenant. Please ensure you have read the documentation and tested the tool on a development tenant before using it in production.
-- Entities created using this tool may share user data with or receive user data from 3rd parties. Please see the [documentation for the individual Management endpoints](https://auth0.com/docs/api/management/v2) for details.
-
-# Documentation
-
-Please visit Auth0 Doc for this [Deploy CLI Tool](https://auth0.com/docs/deploy/deploy-cli-tool)
-
-# Integrating with popular CI/CD pipelines
-
-Please visit Auth0 Marketplace Guide for:
-
-- [Azure Pipelines](https://marketplace.auth0.com/integrations/azure-pipeline)
-- [Bitbucket Pipelines](https://marketplace.auth0.com/integrations/bitbucket-pipeline)
-- [GitLab Pipelines](https://marketplace.auth0.com/integrations/gitlab-pipeline)
-- [GitHub Actions](https://marketplace.auth0.com/integrations/github-actions)
-
-# Known issues
-
-See https://github.com/auth0/auth0-deploy-cli/issues
-
-# License
-
-MIT
+<div align="center">
+  <h1>Auth0 Deploy CLI</h1>
+
+[![npm version](https://badge.fury.io/js/auth0-deploy-cli.svg)](https://badge.fury.io/js/auth0-deploy-cli)
+[![CircleCI](https://circleci.com/gh/auth0/auth0-deploy-cli/tree/master.svg?style=svg)](https://circleci.com/gh/auth0/auth0-deploy-cli/tree/master)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+</div>
+
+The Auth0 Deploy CLI is a tool that helps you manage your Auth0 tenant configuration. It integrates into your development workflows as a standalone CLI or as a node module.
+
+**Supported resource types:** actions, branding, client grants, clients (applications), connections, custom domains, email templates, emails, grants, guardian, hook secrets, hooks, log streams, migrations, organizations, pages, prompts, resource servers (APIs), roles, rules, rules configs, tenant settings, themes.
+
+## Highlights
+
+- **Multi-Environment Oriented:** Designed to help you test your applications' Auth0 integrations from feature branch all the way to production.
+- **Keyword Replacement:** Shared resource configurations across all environments with dynamic keyword replacement.
+- **Versatile:** Integrate into your CI/CD workflows either as a CLI or as a Node module.
+
+## Documentation
+
+- [Using as a CLI](docs/using-as-cli.md)
+- [Using as a Node Module](docs/using-as-node-module.md)
+- [Configuring the Deploy CLI](docs/configuring-the-deploy-cli.md)
+- [Keyword Replacement](docs/keyword-replacement.md)
+- [Incorporating Into Multi-environment Workflows](docs/multi-environment-workflow.md)
+- [Excluding Resources From Management](docs/excluding-from-management.md)
+- [Available Resource Formats](docs/available-resource-config-formats.md)
+- [Terraform Provider](docs/terraform-provider.md)
+- [How to Contribute](docs/how-to-contribute.md)
+
+## Getting Started
+
+This guide will help you to a working implementation of the Deploy CLI tool used as a standalone CLI. There are three main steps before the Deploy CLI can be run:
+
+1. [Create a Dedicated Auth0 Application](#create-a-dedicated-auth0-application)
+2. [Configure the Deploy CLI](#configure-the-deploy-cli)
+3. [Calling the Deploy CLI](#calling-the-deploy-cli)
+
+> ⚠️ **NOTE:** This tool can be destructive to your Auth0 tenant. It is recommended to be familiar with the [`AUTH0_ALLOW_DELETE` configuration](docs/configuring-the-deploy-cli.md#auth0allowdelete) and to test on development tenants prior to using in production.
+
+### Prerequisites
+
+- [Node](https://nodejs.dev/) version 10 or greater
+- [Auth0 Tenant](https://auth0.com/)
+
+### Install the Deploy CLI
+
+To run as a standalone command-line tool:
+
+```shell
+npm install -g auth0-deploy-cli
+```
+
+### Create a dedicated Auth0 Application
+
+In order for the Deploy CLI to call the Management API, a dedicated Auth0 application must be created to make calls on behalf of the tool.
+
+1. From the Auth0 dashboard, navigate to **Applications > Applications**
+2. Click “Create Application”
+3. On Create application page:
+   a. Name it “Deploy CLI” or similar
+   b. Select “Machine to Machine Applications” as application type
+   c. Click “Create”
+4. On the “Authorize Machine to Machine Application” page
+   a. Select “Auth0 Management API”
+   b. Select the appropriate permissions for the resources you wish to manage. Refer to the [Client Scopes](#client-scopes) section for more information.
+   c. Click “Authorize”
+
+#### Client Scopes
+
+The designated application needs to be granted scopes in order to allow the Deploy CLI to execute Management operations.
+
+The principle of least privilege is abided, so it will operate within the set of permissions granted. At a minimum, `read:clients` need to be selected, but is is recommended to select `read:`, `create:` and `update:` permissions for all resource types within management purview. To enable deletions, the `delete:` scopes are also necessary.
+
+### Configure the Deploy CLI
+
+The Deploy CLI can be configured two ways, through a `config.json` file and through environment variables. The decision to choose one or both would depend on your specific use case and preferences. More comprehensive information about configuring the tool can be found on the [Configuring the Deploy CLI](docs/configuring-the-deploy-cli.md) page. However, for this example, the simplest way to get going is by setting the following environment variables:
+
+- `AUTH0_DOMAIN`
+- `AUTH0_CLIENT_ID`
+- `AUTH0_CLIENT_SECRET`
+
+These values can be found in the “Settings” tab within the Auth0 application created in the previous step.
+
+### Calling the Deploy CLI
+
+Finally, with above complete, the Deploy CLI export command can be run:
+
+```shell
+a0deploy export --format=yaml --output_folder=local
+```
+
+Once the process completes, observe the resource configuration files generated in the `local` directory. Then, run the import command, which pushes configuration from the local machine to your Auth0 tenant:
+
+```shell
+a0deploy import -c=config.json --input_file local/tenant.yaml
+```
+
+## Issue Reporting
+
+For general support or usage questions, use the [Auth0 Community](https://community.auth0.com/tag/deploy-cli) forums or raise a [support ticket](https://support.auth0.com/). Only [raise an issue](https://github.com/auth0/auth0-deploy-cli/issues) if you have found a bug or want to request a feature.
+
+**Do not report security vulnerabilities on the public GitHub issue tracker.** The [Responsible Disclosure Program](https://auth0.com/responsible-disclosure-policy) details the procedure for disclosing security issues.
+
+## What is Auth0?
+
+Auth0 helps you to:
+
+- Add authentication with [multiple sources](https://auth0.com/docs/authenticate/identity-providers), either social identity providers such as **Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce** (amongst others), or enterprise identity systems like **Windows Azure AD, Google Apps, Active Directory, ADFS, or any SAML identity provider**.
+- Add authentication through more traditional **[username/password databases](https://auth0.com/docs/authenticate/database-connections/custom-db)**.
+- Add support for **[linking different user accounts](https://auth0.com/docs/manage-users/user-accounts/user-account-linking)** with the same user.
+- Support for generating signed [JSON Web Tokens](https://auth0.com/docs/secure/tokens/json-web-tokens) to call your APIs and **flow the user identity** securely.
+- Analytics of how, when, and where users are logging in.
+- Pull data from other sources and add it to the user profile through [JavaScript Actions](https://auth0.com/docs/customize/actions).
+
+**Why Auth0?** Because you should save time, be happy, and focus on what really matters: building your product.
+
+## License
+
+This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more information.

package/docs/available-resource-config-formats.md

@@ -0,0 +1,19 @@
+# Available Resource Config Formats
+
+Auth0 resource state is expressed in two available different configuration file formats: YAML and JSON (aka “directory”). When using the Deploy CLI’s export command, you will be prompted with the choice of one versus the other.
+
+## YAML
+
+The YAML format is expressed mostly as a flat `tenant.yaml` file with supplemental code files for resources like actions and email templates. The single file makes tracking changes over time in version control more straightforward. Additionally, the single file eliminates a bit of ambiguity with directory and file names, which may not be immediately obvious.
+
+## Directory (JSON)
+
+The directory format separates resource types into separate directories, with each single resource living inside a dedicated JSON file. This format allows for easier conceptual separation between each type of resource as well as the individual resources themselves. Also, the Deploy CLI closely mirrors the data shapes defined in the [Auth0 Management API](https://auth0.com/docs/api/management/v2), so referencing the JSON examples in the docs may provide useful when using this format.
+
+## How to Choose
+
+The decision to select which format to use should be primarily made off of preference. Both formats are tenable solutions that achieve the same task, but with subtly different strengths and weaknesses described above. Be sure to evaluate each in the context of your context. Importantly, **this choice is not permanent**, and switching from one to the other via the import command is an option at your disposal.
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/configuring-the-deploy-cli.md

@@ -0,0 +1,140 @@
+# Configuring the Deploy CLI
+
+Configuring the Deploy’s CLI is essential for establishing Auth0 credentials as well as generally modifying the behavior of the tool to your specific needs. There are two ways the Deploy CLI can be configured:
+
+- Configuration file (`config.json`)
+- Environment variables
+
+## Configuration file
+
+A standalone JSON file can be used to configure Deploy CLI. This file will usually reside in the root directory of your project and be called `config.json`.
+
+Example **config.json** file:
+
+```json
+{
+  "AUTH0_DOMAIN": "<YOUR_TENANT_DOMAIN>",
+  "AUTH0_CLIENT_ID": "<YOUR_CLIENT_ID>",
+  "AUTH0_ALLOW_DELETE": false
+}
+```
+
+> ⚠️ **NOTE:** Hard-coding credentials is not recommended, and risks secret leakage should this file ever be committed to a public version control system. Instead, passing credentials as [environment variables](#Environment variables) is considered best practice.
+
+### Environment variables
+
+By default, the Deploy CLI ingests environment variables, providing the ability to pass credentials and other configurations to the tool without needing to publish to the `config.json` file. Environment variables can either be used to augment the `config.json` file or replace it altogether depending on the project needs.
+
+Non-primitive configuration values like `AUTH0_KEYWORD_MAPPING` and `AUTH0_EXCLUDED` can also be passed in through environment variables so long as these values are properly serialized JSON.
+
+To **disable** the consumption of environment variables for either the `import` or `export` commands, pass the `--env=false` argument.
+
+#### Examples
+
+```shell
+# Deploying configuration for YAML formats without a config.json file
+export AUTH0_DOMAIN=<YOUR_AUTH0_DOMAIN>
+export AUTH0_CLIENT_ID=<YOUR_CLIENT_ID> 
+export AUTH0_CLIENT_SECRET=<YOUR_CLIENT_SECRET> 
+
+a0deploy import --input_file=local/tenant.yaml
+
+# Disable environment variable ingestion
+a0deploy export -c=config.json --format=yaml --output_folder=local --env=false
+
+# Non-primitive configuration values
+export AUTH0_EXCLUDED='["actions","organizations"]'
+export AUTH0_KEYWORD_REPLACE_MAPPINGS='{"ENVIRONMENT":"dev"}'
+a0deploy export -c=config.json --format=yaml --output_folder=local
+```
+
+## Available Configuration Properties
+
+### `AUTH0_DOMAIN`
+
+String. The domain of the target Auth0 tenant.
+
+### `AUTH0_CLIENT_ID`
+
+String. The ID of the designated Auth0 application used to make API requests.
+
+### `AUTH0_CLIENT_SECRET`
+
+String. The secret of the designated Auth0 application used to make API requests.
+
+### `AUTH0_ACCESS_TOKEN`
+
+String. Short-lived access token for Management API from designated Auth0 application. Can be used in replacement to client ID and client secret combination.
+
+### `AUTH0_ALLOW_DELETE`
+
+Boolean. When enabled, will allow the tool to delete resources. Default: `false`.
+
+### `AUTH0_EXCLUDED`
+
+Array of strings. Excludes entire resource types from being managed, bi-directionally. See also: [excluding resources from management](excluding-from-management.md). Possible values: `actions`, `attackProtection`, `branding`, `clientGrants`, `clients`, `connections`, `customDomains`, `databases`, `emailProvider`, `emailTemplates`, `guardianFactorProviders`, `guardianFactorTemplates`, `guardianFactors`, `guardianPhoneFactorMessageTypes`, `guardianPhoneFactorSelectedProvider`, `guardianPolicies`, `hooks`, `logStreams`, `migrations`, `organizations`, `pages`, `prompts`, `resourceServers`, `roles`, `rules`, `rulesConfigs`, `tenant`, `triggers`
+
+#### Example
+
+```json
+{
+  "AUTH0_EXCLUDED": ["organizations", "connections", "hooks"]
+}
+```
+
+### `AUTH0_KEYWORD_REPLACE_MAPPINGS`
+
+Mapping of specific keywords to facilities dynamic replacement. See also: [keyword replacement](keyword-replacement.md).
+
+#### Example
+
+```json
+{
+  "ENVIRONMENT": "DEV",
+  "ALLOWED_ORIGINS": ["https://dev.test-site.com", "localhost"]
+}
+```
+
+### `AUTH0_EXPORT_IDENTIFIERS`
+
+Boolean. When enabled, will return identifiers of all resources. May be useful for certain debugging or record-keeping scenarios within a single-tenant context. Default: `false`.
+
+### `EXCLUDED_PROPS`
+
+Provides ability to exclude any unwanted properties from management.
+
+#### Example
+
+```json
+{
+  "connections": ["options.twilio_token"]
+}
+```
+
+### `AUTH0_AUDIENCE`
+
+String. Separate value from audience value while retrieving an access token for management API. Useful when default Management API endpoints are not publicly exposed.
+
+### `AUTH0_EXCLUDED_RULES`
+
+Array of strings. Excludes the management of specific rules by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).
+
+### `AUTH0_EXCLUDED_CLIENTS`
+
+Array of strings. Excludes the management of specific clients by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).
+
+### `AUTH0_EXCLUDED_DATABASES`
+
+Array of strings. Excludes the management of specific databases by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).
+
+### `AUTH0_EXCLUDED_CONNECTIONS`
+
+Array of strings. Excludes the management of specific connections by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).
+
+### `AUTH0_EXCLUDED_RESOURCE_SERVERS`
+
+Array of strings. Excludes the management of specific resource servers by ID. **Note:** This configuration may be subject to deprecation in the future. See: [excluding resources from management](excluding-from-management.md).
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/excluding-from-management.md

@@ -0,0 +1,81 @@
+# Excluding Resources From Management
+
+In many cases, you may find it useful to exclude resources from being managed. This could be because your tenant has a large number of a particular resource and thus it is operationally burdensome to manage. Other times, you may wish to exclude them as your development workflow only pertains to a specific subset of resources and you’d like to omit all other resources for performance. Regardless of the use case, there are several options available for expressing exclusions in the Deploy CLI.
+
+## Excluding entire resources by type
+
+For more complex tenants, you may find yourself wanting to omit entire resource types. Some common use cases for wanting this capability:
+
+- Enterprise tenant with thousands of organizations, managing all would be operationally burdensome
+- CI/CD process only focuses on managing roles, you may wish to exclude all others
+- Feature development pertains to hook, you may wish to temporarily exclude all others to optimize performance
+
+This type of exclusion is expressed by passing an array of resource names into the `AUTH0_EXCLUDED` configuration property. This exclusion works **bi-directionally**, that is, both when export from Auth0 and importing to Auth0, regardless if resource configuration files exist or not.
+
+All supported resource values for exclusion:
+
+`actions`, `attackProtection`, `branding`, `clientGrants`, `clients`, `connections`, `customDomains`, `databases`, `emailProvider`, `emailTemplates`, `guardianFactorProviders`, `guardianFactorTemplates`, `guardianFactors`, `guardianPhoneFactorMessageTypes`, `guardianPhoneFactorSelectedProvider`, `guardianPolicies`, `hooks`, `logStreams`, `migrations`, `organizations`, `pages`, `prompts`, `resourceServers`, `roles`, `rules`, `rulesConfigs`, `tenant`, `triggers`
+
+### Example
+
+The following example excludes `clients`, `connections`, `databases` and `organizations` from being managed by the Deploy CLI. However, this example is arbitrary and your use case may require you to exclude less or more types.
+
+```json
+{
+  "AUTH0_DOMAIN": "example-site.us.auth0.com",
+  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
+  "AUTH0_EXCLUDED": ["clients", "connections", "databases", "organizations"]
+}
+```
+
+## Excluding single resources by ID
+
+Some resource types support exclusions of individual resource by ID. This is primarily useful if you work in a multi-environment context and wish to omit a production single, specific resource from your lower-level environments. The by-ID method of exclusion is supported for rules, clients, databases, connections and resource servers with the `AUTH0_EXCLUDED_RULES` ,`AUTH0_EXCLUDED_CLIENTS`, `AUTH0_EXCLUDED_DATABASES`, `AUTH0_EXCLUDED_CONNECTIONS`, `AUTH0_EXCLUDED_RESOURCE_SERVERS` configuration values respectively.
+
+```json
+{
+  "AUTH0_DOMAIN": "example-site.us.auth0.com",
+  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
+  "AUTH0_EXCLUDED_CLIENTS": ["PdmQpGy72sHksV6ueVNZVrV4GDlDDm76"],
+  "AUTH0_EXCLUDED_CONNECTIONS": ["con_O1H3KyRMFP1IWRq3", "con_9avEYuj19ihqKBOs"]
+}
+```
+
+> ⚠️ **NOTE:** Excluding resources by ID is being considered for deprecation in future major versions. See the [resource exclusion proposal](https://github.com/auth0/auth0-deploy-cli/issues/451) for more details.
+
+## Omitted vs excluded vs empty
+
+The above sections pertain to exclusion which forcefully ignore configurations bi-directionally. It is worth noting similar but very different concepts: “omissions” and “empty” states.
+
+### Omission
+
+Resource configuration that is absent, either intentionally or unintentionally, will be skipped during import. That is, if you resource configuration were deleted, those configurations would be skipped during import and will not alter the remote tenant state. There is no concept of omission for exporting; unless specifically excluded, all your tenant configurations will be written to resource configuration files.
+
+### Example of omission
+
+```yaml
+roles: # roles configuration is not omitted
+  - name: Admin
+    description: Can read and write things
+    permissions: []
+  - name: Reader
+    description: Can only read things
+    permissions: []
+# The omission of all other configurations means they'll be skipped over
+```
+
+### Empty
+
+Resource configuration that is explicitly defined as empty. For set-based configurations like hooks, organizations and actions, setting these configurations to an empty set expresses an intentional emptying of those resources. In practice, this would signal a deletion, so long as the [`AUTH0_ALLOW_DELETE` deletion configuration property](configuring-the-deploy-cli.md#AUTH0_ALLOW_DELETE) is enabled. For non-set-based resource configuration like tenant and branding, the concept of emptiness does not apply, will not trigger any deletions or removals.
+
+#### Example of emptiness
+
+```yaml
+hooks: [] # Empty hooks
+connections: [] # Empty connections
+tenant: {} # Effectively a no-op, emptiness does not apply to non-set resource config
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/how-to-contribute.md

@@ -0,0 +1,49 @@
+# How to Contribute
+
+While we may not prioritize some issues and feature requests, we are much more inclined to address them if accompanied with a code contribution. Please feel empowered to make a code contribution through a Github pull request. Please read the following for the best contributor experience.
+
+## Getting started with development
+
+The only requirement for development is having [node](https://nodejs.dev/) installed. Most modern versions will work but LTS is recommended.
+
+Once node is installed, fork the Deploy CLI repository. Once code is downloaded to local development machine, run the following commands:
+
+```shell
+npm install # Installs all dependencies
+npm run dev # Runs compiler, continuously observes source file changes
+```
+
+## Running tests
+
+In order to run the entire test suite, execute `npm run test`.
+
+To run a single test file or single test execute:
+
+```shell
+npx ts-mocha --timeout=5000 -p tsconfig.json <PATH_TO_TEST_FILE> -g=<OPTIONAL_NAME_OF_TEST>
+```
+
+### Examples
+
+```shell
+# Runs all tests within a file
+npx ts-mocha --timeout=5000 -p tsconfig.json test/tools/auth0/handlers/actions.tests.js
+
+# Runs a single test within a file
+npx ts-mocha --timeout=5000 -p tsconfig.json \
+test/tools/auth0/handlers/actions.tests.js \
+-g="should create action"
+```
+
+## Code Contribution Checklist
+
+Before finally submitting a PR, please ensure to complete the following:
+
+- [ ] All code written in Typescript and compiles
+- [ ] Accompanying tests for functional changes
+- [ ] Any necessary documentation changes to pages in the /docs directory
+- [ ] PR includes thorough description about what code does and why it was added
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/keyword-replacement.md

@@ -0,0 +1,45 @@
+# Keyword Replacement
+
+The Deploy CLI supports dynamic keyword replacement with environment-specific values. This enables a scalable multi-tenant workflow where all tenants share the same resource configuration files but inject subtly different values.
+
+To use the keyword replacement, the `AUTH0_KEYWORD_REPLACEMENT_MAPPINGS` configuration property needs to contain the appropriate mappings. Then, in the resource configuration files, keywords can be injected through one of two ways:
+
+- `@@EXAMPLE_KEY@@`: Using the `@` symbols causes the tool to perform a `JSON.stringify` on your value before replacing it. So if your value is a string, the tool will add quotes; if your value is an array or object, the tool will add braces.
+- `##EXAMPLE_KEY##`: Using the `#` symbol causes the tool to perform a literal replacement; it will not add quotes or braces.
+
+### Example `config.json`
+
+```json
+{
+  "AUTH0_DOMAIN": "test-tenant.us.auth0.com",
+  "AUTH0_CLIENT_ID": "FOO",
+  "AUTH0_CLIENT_SECRET": "BAR",
+  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
+    "ENVIRONMENT": "dev",
+    "ALLOWED_LOGOUTS": ["https://dev-test-site.com/logout", "localhost:3000/logout"],
+    "ALLOWED_ORIGINS": ["https://dev-test-site.com", "localhost:3000"]
+  }
+}
+```
+
+### Example `tenant.yaml`
+
+```yaml
+tenant:
+  friendly_name: My ##ENVIRONMENT## tenant
+  allowed_logout_urls: @@ALLOWED_LOGOUTS@@
+  enabled_locales:
+    - en
+clients:
+  - name: Test App
+    allowed_origins: @@ALLOWED_ORIGINS@@
+    allowed_logout_urls: @@ALLOWED_LOGOUTS@@
+```
+
+## Uni-directional Limitation
+
+Currently, the Deploy CLI only preserves keywords during import. Once added, keywords are overwritten with subsequent exports. For this reason, it is recommended that if a workflow heavily depends on keyword replacement, to only perform imports in perpetuity. This limitation is noted in [this Github issue](https://github.com/auth0/auth0-deploy-cli/issues/328).
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/multi-environment-workflow.md

@@ -0,0 +1,98 @@
+# Incorporating Into Multi-environment Workflows
+
+The Deploy CLI supports working within a multi-tenant, multi-environment context. When integrated into your CI/CD development workflows, can be used to propagate Auth0 changes from feature development all the way through production.
+
+In general, the advised workflow is as follows:
+
+- Create a separate Auth0 tenant for each environment (ex: dev, staging, prod)
+- Create a single repository of resource configuration files for all environments
+- Add a step in your CI/CD pipeline when deploying to environments that applies the Auth0 resource configurations to the appropriate Auth0 tenant
+
+## Tenant to Environment
+
+It is recommended to have a separate Auth0 tenant/account for each environment you have. For example:
+
+| Environment | Tenant        |
+| ----------- | ------------- |
+| Development | travel0-dev   |
+| Testing     | travel0-uat   |
+| Staging     | travel0-stage |
+| Production  | travel0-prod  |
+
+## Resource configuration repository
+
+When exported, your Auth0 tenant state will be represented as a set of resource configuration files, either in a [YAML or JSON format](./available-resource-config-formats.md). In a multi-environment context it is expected to have a single repository of resource configurations that is applied to all environments. In practice, this may exist as a directory in your project’s codebase or in a separate codebase altogether.
+
+You should have at least one branch for each tenant in your repository, which allows you to make changes without deploying them (the changes would only deploy when you merged your branch into the master, or primary, branch). With this setup, you can have a continuous integration task for each environment that automatically deploys changes to the targeted environment whenever the master branch receives updates.
+
+Your workflow could potentially look something like this:
+
+1. Make changes to development.
+2. Merge changes to testing (or `uat`).
+3. Test changes to `uat`. When ready, move and merge the changes to `staging`.
+4. Test `staging`. When ready, move and merge the changes to `production`.
+
+You may want to set your production environment to deploy only when triggered manually.
+
+## Uni-directional Flow
+
+The multi-environment workflow works best when changes are propagated “up” in a single direction. Changes to the resource configuration files should first be applied to the lowest level environment (ex: dev) and then incrementally applied up through all other environments until applied to production. This uni-directional practice ensures sufficient testing and approval for changes to your tenant. Once set, it is recommended to not apply configurations directly to production through other means such as the Auth0 Dashboard or Management API unless those changes are captured by a subsequent Deploy CLI export. Otherwise, those changes are subject to overwrite.
+
+## Environment-specific values
+
+While it is expected that all environments will share the same set of resource configuration files, environment-specific values can be expressed through separate tool configuration files and dynamic [keyword replacement](keyword-replacement.md).
+
+### Separate Config Files
+
+Specifying a separate tool configuration file per environment can be used to keep the resource configuration files agnostic of environment but still cater for the needs of each environment. At a minimum, you will need to provide separate credentials for each environment, but it is also possible to exclude certain resources, enable deletion and perform dynamic keyword replacement on a per-environment basis.
+
+### Example file structure
+
+```
+project-root
+│
+└───auth0
+│   │   config-dev.json   # Dev env config file
+│   │   config-test.json  # Test env config file
+│   │   config-prod.json  # Prod env config file
+│   │   ... all other resource configuration files
+│
+└───src
+    │   ... your project code
+```
+
+### Dynamic Values via Keyword Replacement
+
+Once separate configurations files are adopted for each environment, keyword replacement via the `AUTH0_KEYWORD_REPLACE_MAPPINGS` configuration property can be used to express the dynamic replacement values depending on the environment. For example, you may find it necessary to have a separate set of allowed origins for your clients (see below). To learn more, see [Keyword Replacement](keyword-replacement.md).
+
+#### Example `config-dev.json`
+
+```json
+{
+  "AUTH0_DOMAIN": "travel0-dev.us.auth0.com",
+  "AUTH0_CLIENT_ID": "PdwQpGy62sHcsV6ufZNEVrV4GDlDhm74",
+  "AUTH0_ALLOW_DELETE": true,
+  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
+    "ENV": "dev",
+    "ALLOWED_ORIGINS": ["http://localhost:3000", "http://dev.travel0.com"]
+  }
+}
+```
+
+#### Example `config-prod.json`
+
+```json
+{
+  "AUTH0_DOMAIN": "travel0.us.auth0.com",
+  "AUTH0_CLIENT_ID": "vZCEFsDYzXc1x9IomB8dF185e4cdVah5",
+  "AUTH0_ALLOW_DELETE": false,
+  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
+    "ENV": "prod",
+    "ALLOWED_ORIGINS": ["http://travel0.com"]
+  }
+}
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/terraform-provider.md

@@ -0,0 +1,20 @@
+# Auth0 Terraform Provider
+
+The Deploy CLI is not the only tool available for managing your Auth0 tenant configuration, there is also an [officially supported Terraform Provider](https://github.com/auth0/terraform-provider-auth0). [Terraform](https://terraform.io/) is a third-party tool for representing your cloud resources’s configurations as code. It has an established plug-in framework that supports a wide array of cloud providers, including Auth0.
+
+Both the Deploy CLI and Terraform Provider exist to help you manage your Auth0 tenant configurations, but each has their own set of pros and cons.
+
+You may want to consider the Auth0 Terraform Provider if:
+
+- Your development workflows already leverages Terraform
+- Your tenant management needs are granular or only pertain to a few specific resources
+
+You may **not** want to consider the Auth0 Terraform Provider if:
+
+- Your development workflow does not use Terraform, requiring extra setup upfront
+- Your development workflows are primarily concerned with managing your tenants in bulk
+- Your tenant has lots of existing resources, may require significant effort to “import”
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/using-as-cli.md

@@ -0,0 +1,89 @@
+# Using as a CLI
+
+The Deploy CLI can be used as a standalone command line utility. Doing so provides a simple way to manage your Auth0 tenant configuration in CI/CD workflows.
+
+## `export` command
+
+Fetching configurations from Auth0 tenant to the local machine.
+
+### `--output_folder`, `-o`
+
+Path. Specifies the target directory for configuration files to be written to.
+
+### `--config_file`, `-c`
+
+Path. Specifies the user-defined configuration file (`config.json`). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+### `--format`, `-f`
+
+Options: yaml or directory. Determines the file format of the exported resource configuration files. See: [Available Resource Config Formats](available-resource-config-formats).
+
+### `--export_ids`, `-e`
+
+Boolean. When enabled, will export the identifier fields for each resource. Default: `false`.
+
+### `--env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `true`.
+
+### `--debug`
+
+Boolean. Enables more verbose error logging; useful during troubleshooting. Default: `false`.
+
+### `--proxy_url`, `-p`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+### Examples
+
+```shell
+# Fetching Auth0 tenant configuration in the YAML format
+a0deploy export -c=config.json --format=yaml --output_folder=local
+
+# Fetching Auth0 tenant configuration in directory (JSON) format
+a0deploy export -c=config.json --format=directory --output_folder=local
+
+# Fetching Auth0 tenant configurations with IDs of all assets
+a0deploy export -c=config.json --format=yaml --output_folder=local --export_ids=true
+```
+
+## `import` command
+
+Applying configurations from local machine to Auth0 tenant.
+
+### `--input_file`, `-i`
+
+Path. Specifies the location of the resource configuration files. For YAML formats, this will point to the `tenant.yaml` file, for directory formats, this will point to the resource configuration directory.
+
+### `--config_file`, `-c`
+
+Path. Specifies the user-defined configuration file (config.json). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+### `--env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `true`.
+
+### `--proxy_url`, `-p`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+### `--debug`
+
+Boolean. Enables more verbose error logging; useful during troubleshooting. Default: `false`.
+
+### Examples
+
+```shell
+# Deploying configuration for YAML formats
+a0deploy import -c=config.json --input_file=local/tenant.yaml
+
+# Deploying configuration for directory format
+a0deploy import -c=config.json --input_file=local
+
+# Deploying configuration with environment variables ignored
+a0deploy import -c=config.json --input_file=local/tenant.yaml --env=false
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/docs/using-as-node-module.md

@@ -0,0 +1,114 @@
+# Using as a Node Module
+
+The Deploy CLI can not only be used as a standalone CLI, but as a node module. Doing so allows you to manage Auth0 resources within expressive node scripts.
+
+## `dump` function
+
+Fetches configurations from Auth0 tenant to the local machine.
+
+### Example
+
+```ts
+import { dump } from 'auth0-deploy-cli';
+
+dump({
+  output_folder: './local',
+  format: 'yaml',
+  config: {
+    AUTH0_DOMAIN: '<YOUR_AUTH0_TENANT_DOMAIN>',
+    AUTH0_CLIENT_ID: '<YOUR_AUTH0_CLIENT_ID>',
+    AUTH0_CLIENT_SECRET: '<YOUR_AUTH0_CLIENT_SECRET>',
+  },
+})
+  .then(() => {
+    console.log('Auth0 configuration export successful');
+  })
+  .catch((err) => {
+    console.log('Error during Auth0 configuration export:', err);
+  });
+```
+
+## Argument parameters
+
+#### `format`
+
+Options: `yaml` or `directory`. Determines the file format of the exported resource configuration files. See: [Available Resource Configuration Formats](available-resource-config-formats).
+
+#### `output_folder`
+
+Path. Specifies the target directory for configuration files to be written to.
+
+#### `config`
+
+Object. Configures behavior of utility. Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `config_file`
+
+Path. Specifies the user-defined configuration file (config.json). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `export_ids`
+
+Boolean: When enabled, will export the identifier fields for each resource. Default: false.
+
+#### `env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `false`.
+
+#### `proxy_url`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+## `deploy` function
+
+Applies configurations from local machine to Auth0 tenant.
+
+### Argument parameters
+
+#### `input_file`
+
+Path. Specifies the location of the resource configuration files. For YAML formats, this will point to the tenant.yaml file. For directory formats, this will point to the resource configuration directory.
+
+#### `config`
+
+Object. Configures behavior of utility. Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `config_file`
+
+Path. Specifies the user-defined configuration file (config.json). Refer to the list of [all configurable properties](./configuring-the-deploy-cli.md).
+
+#### `export_ids`
+
+Boolean: When enabled, will export the identifier fields for each resource. Default: `false`.
+
+#### `env`
+
+Boolean. Indicates if the tool should ingest environment variables or not. Default: `false`.
+
+#### `proxy_url`
+
+A url for proxying requests. Only set this if you are behind a proxy.
+
+### Example
+
+```ts
+import { deploy } from 'auth0-deploy-cli';
+
+deploy({
+  input_file: './local/tenant.yaml',
+  config: {
+    AUTH0_DOMAIN: '<YOUR_AUTH0_TENANT_DOMAIN>',
+    AUTH0_CLIENT_ID: '<YOUR_AUTH0_CLIENT_ID>',
+    AUTH0_CLIENT_SECRET: '<YOUR_AUTH0_CLIENT_SECRET>',
+  },
+})
+  .then(() => {
+    console.log('Auth0 configuration applied to tenant successful');
+  })
+  .catch((err) => {
+    console.log('Error when applying configuration to Auth0 tenant:', err);
+  });
+```
+
+---
+
+[[table of contents]](../README.md#documentation)

package/lib/commands/import.d.ts

@@ -1,2 +1,4 @@
 import { ImportParams } from '../args';
+import { Assets } from '../types';
 export default function importCMD(params: ImportParams): Promise<void>;
+export declare const findUnreplacedKeywords: (assets: Assets) => void;

package/lib/commands/import.js

@@ -12,6 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.findUnreplacedKeywords = void 0;
 const nconf_1 = __importDefault(require("nconf"));
 const configFactory_1 = require("../configFactory");
 const tools_1 = require("../tools");
@@ -40,9 +41,43 @@ function importCMD(params) {
         yield context.load();
         const config = (0, configFactory_1.configFactory)();
         config.setProvider((key) => nconf_1.default.get(key));
-        //@ts-ignore because context and assets still need to be typed TODO: type assets and type context
+        (0, exports.findUnreplacedKeywords)(context.assets);
         yield (0, tools_1.deploy)(context.assets, context.mgmtClient, config);
         logger_1.default.info('Import Successful');
     });
 }
 exports.default = importCMD;
+const findUnreplacedKeywords = (assets) => {
+    const recursiveFindUnreplacedKeywords = (target) => {
+        let unreplaced = [];
+        if (target === undefined || target === null)
+            return [];
+        if (Array.isArray(target)) {
+            target.forEach((child) => {
+                unreplaced.push(...recursiveFindUnreplacedKeywords(child));
+            });
+        }
+        else if (typeof target === 'object') {
+            Object.values(target).forEach((child) => {
+                unreplaced.push(...recursiveFindUnreplacedKeywords(child));
+            });
+        }
+        if (typeof target === 'string') {
+            const arrayMatches = target.match(/(?<=@@).*(?=@@)/g);
+            if (arrayMatches !== null) {
+                return arrayMatches;
+            }
+            const keywordMatches = target.match(/(?<=##).*(?=##)/g);
+            if (keywordMatches !== null) {
+                return keywordMatches;
+            }
+        }
+        return unreplaced;
+    };
+    const unreplacedKeywords = recursiveFindUnreplacedKeywords(assets);
+    if (unreplacedKeywords.length > 0) {
+        throw `Unreplaced keywords found: ${unreplacedKeywords.join(', ')}. Either correct these values or add to AUTH0_KEYWORD_REPLACE_MAPPINGS configuration.`;
+    }
+    return;
+};
+exports.findUnreplacedKeywords = findUnreplacedKeywords;

package/lib/context/yaml/handlers/pages.js

@@ -44,7 +44,7 @@ function dump(context) {
             // Dump html to file
             const htmlFile = path_1.default.join(pagesFolder, `${page.name}.html`);
             logger_1.default.info(`Writing ${htmlFile}`);
-            fs_extra_1.default.writeFileSync(htmlFile, page.html);
+            fs_extra_1.default.writeFileSync(htmlFile, page.html || '');
             return Object.assign(Object.assign({}, page), { html: `./pages/${page.name}.html` });
         });
         return { pages };

package/lib/tools/auth0/handlers/tenant.d.ts

@@ -1,11 +1,22 @@
 import DefaultHandler from './default';
-import { Asset, Assets } from '../../../types';
+import { Asset, Assets, Language } from '../../../types';
 export declare const schema: {
     type: string;
 };
+export declare type Tenant = Asset & {
+    enabled_locales: Language[];
+    flags: {
+        [key: string]: boolean;
+    };
+};
 export default class TenantHandler extends DefaultHandler {
+    existing: Tenant;
     constructor(options: DefaultHandler);
     getType(): Promise<Asset>;
     validate(assets: Assets): Promise<void>;
     processChanges(assets: Assets): Promise<void>;
 }
+export declare const sanitizeMigrationFlags: ({ existingFlags, proposedFlags, }: {
+    existingFlags: Tenant['flags'];
+    proposedFlags: Tenant['flags'];
+}) => Tenant['flags'];

package/lib/tools/auth0/handlers/tenant.js

@@ -41,7 +41,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.schema = void 0;
+exports.sanitizeMigrationFlags = exports.schema = void 0;
 const validationError_1 = __importDefault(require("../../validationError"));
 const default_1 = __importStar(require("./default"));
 const pages_1 = require("./pages");
@@ -61,6 +61,7 @@ class TenantHandler extends default_1.default {
     getType() {
         return __awaiter(this, void 0, void 0, function* () {
             const tenant = yield this.client.tenant.getSettings();
+            this.existing = tenant;
             blockPageKeys.forEach((key) => {
                 if (tenant[key])
                     delete tenant[key];
@@ -84,10 +85,18 @@ class TenantHandler extends default_1.default {
     processChanges(assets) {
         return __awaiter(this, void 0, void 0, function* () {
             const { tenant } = assets;
-            if (tenant && Object.keys(tenant).length > 0) {
-                yield this.client.tenant.updateSettings(tenant);
+            // Do nothing if not set
+            if (!tenant)
+                return;
+            const existingTenant = this.existing || (yield this.getType());
+            const updatedTenant = Object.assign(Object.assign({}, tenant), { flags: (0, exports.sanitizeMigrationFlags)({
+                    existingFlags: existingTenant.flags,
+                    proposedFlags: tenant.flags,
+                }) });
+            if (updatedTenant && Object.keys(updatedTenant).length > 0) {
+                yield this.client.tenant.updateSettings(updatedTenant);
                 this.updated += 1;
-                this.didUpdate(tenant);
+                this.didUpdate(updatedTenant);
             }
         });
     }
@@ -96,3 +105,29 @@ __decorate([
     (0, default_1.order)('100')
 ], TenantHandler.prototype, "processChanges", null);
 exports.default = TenantHandler;
+const sanitizeMigrationFlags = ({ existingFlags = {}, proposedFlags = {}, }) => {
+    /*
+    Tenants can only update migration flags that are already configured.
+    If moving configuration from one tenant to another, there may be instances
+    where different migration flags exist and cause an error on update. This
+    function removes any migration flags that aren't already present on the target
+    tenant. See: https://github.com/auth0/auth0-deploy-cli/issues/374
+    */
+    const tenantMigrationFlags = [
+        'disable_clickjack_protection_headers',
+        'enable_mgmt_api_v1',
+        'trust_azure_adfs_email_verified_connection_property',
+        'include_email_in_reset_pwd_redirect',
+        'include_email_in_verify_email_redirect',
+    ];
+    return Object.keys(proposedFlags).reduce((acc, proposedKey) => {
+        const isMigrationFlag = tenantMigrationFlags.includes(proposedKey);
+        if (!isMigrationFlag)
+            return Object.assign(Object.assign({}, acc), { [proposedKey]: proposedFlags[proposedKey] });
+        const keyCurrentlyExists = existingFlags[proposedKey] !== undefined;
+        if (keyCurrentlyExists)
+            return Object.assign(Object.assign({}, acc), { [proposedKey]: proposedFlags[proposedKey] });
+        return acc;
+    }, {});
+};
+exports.sanitizeMigrationFlags = sanitizeMigrationFlags;

package/lib/types.d.ts

@@ -1,4 +1,5 @@
 import { PromptTypes, ScreenTypes, Prompts, PromptsCustomText, PromptSettings } from './tools/auth0/handlers/prompts';
+import { Tenant } from './tools/auth0/handlers/tenant';
 import { Theme } from './tools/auth0/handlers/themes';
 declare type SharedPaginationParams = {
     checkpoint?: boolean;
@@ -173,10 +174,8 @@ export declare type BaseAuth0APIClient = {
         getAll: () => Promise<Asset[]>;
     };
     tenant: APIClientBaseFunctions & {
-        getSettings: () => Promise<Asset & {
-            enabled_locales: Language[];
-        }>;
-        updateSettings: (arg0: Asset) => Promise<void>;
+        getSettings: () => Promise<Tenant>;
+        updateSettings: (arg0: Partial<Tenant>) => Promise<Tenant>;
     };
     triggers: APIClientBaseFunctions & {
         getTriggerBindings: () => Promise<Asset>;
@@ -266,7 +265,7 @@ export declare type Assets = Partial<{
     roles: Asset[] | null;
     rules: Asset[] | null;
     rulesConfigs: Asset[] | null;
-    tenant: Asset | null;
+    tenant: Tenant | null;
     triggers: Asset[] | null;
     exclude?: {
         [key: string]: string[];

package/lib/utils.d.ts

@@ -91,7 +91,7 @@ export declare function stripIdentifiers(auth0: Auth0, assets: Assets): {
     roles?: Asset[] | null | undefined;
     rules?: Asset[] | null | undefined;
     rulesConfigs?: Asset[] | null | undefined;
-    tenant?: Asset | null | undefined;
+    tenant?: import("./tools/auth0/handlers/tenant").Tenant | null | undefined;
     triggers?: Asset[] | null | undefined;
     exclude?: {
         [key: string]: string[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-deploy-cli",
-  "version": "7.13.1",
+  "version": "7.14.0",
   "description": "A command line tool for deploying updates to your Auth0 tenant",
   "main": "lib/index.js",
   "bin": {
@@ -52,7 +52,7 @@
   "devDependencies": {
     "@types/expect": "^24.3.0",
     "@types/mocha": "^9.1.0",
-    "@typescript-eslint/parser": "^5.18.0",
+    "@typescript-eslint/parser": "^5.27.0",
     "chai": "^4.3.6",
     "chai-as-promised": "^7.1.1",
     "cross-env": "^3.1.4",
@@ -69,7 +69,7 @@
     "rimraf": "^3.0.2",
     "rmdir-sync": "^1.0.1",
     "ts-mocha": "^9.0.2",
-    "typescript": "^4.6.4"
+    "typescript": "^4.7.3"
   },
   "overrides": {
     "istanbul-reports": "3.1.4"