auth0-deploy-cli 8.29.3 → 8.31.0

package/.circleci/config.yml

@@ -6,7 +6,7 @@ orbs:
 jobs:
   e2e_test_as_node_module:
     docker:
-      - image: cimg/node:22.12.0
+      - image: cimg/node:22.19.0
     working_directory: ~/repo
     steps:
       - checkout
@@ -15,7 +15,7 @@ jobs:
 
   e2e_test_as_cli:
     docker:
-      - image: cimg/node:22.12.0
+      - image: cimg/node:22.19.0
     working_directory: ~/repo
     steps:
       - checkout
@@ -45,57 +45,31 @@ jobs:
       - run: npm run test:coverage
       - persist_to_workspace:
           root: ~/repo
-          paths: .
+          paths:
+            - .
       - codecov/upload
 
-  deploy:
-    parameters:
-      v:
-        type: string
-        default: "lts"
-    docker:
-      - image: cimg/node:<< parameters.v >>
-    working_directory: ~/repo
-    steps:
-      - attach_workspace:
-          at: ~/repo
-      - run:
-          name: Authenticate with registry
-          command: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/repo/.npmrc
-      - run:
-          name: Publish package
-          command: npm publish
-
-  deploy_beta:
-    parameters:
-      v:
-        type: string
-        default: "lts"
+  does_typescript_compile:
     docker:
-      - image: cimg/node:<< parameters.v >>
+      - image: cimg/node:22.19.0
     working_directory: ~/repo
     steps:
-      - attach_workspace:
-          at: ~/repo
-      - run:
-          name: Authenticate with registry
-          command: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/repo/.npmrc
-      - run:
-          name: Publish beta package
-          command: npm publish --tag beta
+      - checkout
+      - run: npm i
+      - run: npx tsc --noEmit
 
-  does_typescript_compile:
+  does_format_pass:
     docker:
-      - image: cimg/node:22.12.0
+      - image: cimg/node:22.19.0
     working_directory: ~/repo
     steps:
       - checkout
       - run: npm i
-      - run: npx tsc --noEmit
+      - run: npm run format:check
 
   does_lint_pass:
     docker:
-      - image: cimg/node:22.12.0
+      - image: cimg/node:22.19.0
     working_directory: ~/repo
     steps:
       - checkout
@@ -119,6 +93,8 @@ workflows:
     jobs:
       - does_typescript_compile:
           name: Does Typescript compile?
+      - does_format_pass:
+          name: Does format pass?
       - does_lint_pass:
           name: Does lint pass?
       - unit_test:
@@ -128,48 +104,3 @@ workflows:
           name: Unit tests with Node current
           v: "22.12.0"
 
-  test_and_deploy:
-    jobs:
-      - unit_test:
-          name: Unit tests with Node LTS
-          v: "lts"
-          filters:
-            branches:
-              only: master
-            tags:
-              only: /^v.*/
-      - deploy:
-          name: Publish to NPM
-          v: "lts"
-          requires:
-            - Unit tests with Node LTS
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /^v[0-9]+\.[0-9]+\.[0-9]+$/
-          context:
-            - publish-npm
-
-  test_and_deploy_beta:
-    jobs:
-      - unit_test:
-          name: Unit tests with Node LTS (Beta)
-          v: "lts"
-          filters:
-            branches:
-              only: beta
-            tags:
-              only: /^v[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$/
-      - deploy_beta:
-          name: Publish Beta to NPM
-          v: "lts"
-          requires:
-            - Unit tests with Node LTS (Beta)
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /^v[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$/
-          context:
-            - publish-npm

package/.github/workflows/npm-publish.yml

@@ -0,0 +1,52 @@
+name: Publish package to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22.14.0
+          registry-url: https://registry.npmjs.org
+          package-manager-cache: false
+
+      - name: Update npm for trusted publishing
+        run: npm install --global npm@11
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Build package
+        run: npm run build
+
+      - name: Determine npm dist-tag
+        id: npm_dist_tag
+        shell: bash
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-beta\.[0-9]+)?$ ]]; then
+            echo "Unsupported release tag: ${GITHUB_REF_NAME}" >&2
+            exit 1
+          fi
+
+          if [[ "$VERSION" == *"-beta."* ]]; then
+            echo "value=beta" >> "$GITHUB_OUTPUT"
+          else
+            echo "value=latest" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Publish package
+        run: npm publish --tag "${{ steps.npm_dist_tag.outputs.value }}"

package/AGENTS.md

@@ -63,7 +63,7 @@ npm run build && node lib/index.js import -c config-dev.json -i ./local-export/t
 
 ### File Structure
 
-```
+```text
 src/                                # TypeScript source
 ├── index.ts                        # CLI entry point
 ├── commands/                       # import.ts, export.ts
@@ -225,6 +225,26 @@ npm run lint
 - [ ] Tested with both YAML and directory formats if applicable
 - [ ] Checked backward compatibility
 
+### Checklist for Every Feature or Fix
+
+#### Completion
+
+- [ ] Change is complete and matches the intended feature or fix
+- [ ] TypeScript compiles and tests pass locally
+
+#### Format and behavior
+
+- [ ] Works for both YAML and directory flows when the resource supports both
+- [ ] Keyword preservation still works as expected
+- [ ] Sorted-key output stays stable; no unintended order changes were introduced
+- [ ] Exported configs do not rely on IDs by default; resources should link by names where possible
+
+#### Safety and compatibility
+
+- [ ] Dry-run output is correct and non-destructive
+- [ ] Unit tests cover the changed path and any important edge cases
+- [ ] Backward compatibility was checked and no existing behavior was unintentionally broken
+
 ### Commit Message Format
 
 Follow conventional commits style:

package/CHANGELOG.md

@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.31.0] - 2026-04-10
+
+### Added
+
+- Add support for `is_default` on `customDomains`. [#1330]
+- Add `AUTH0_EXPORT_ORDERED` config property and `--export_ordered` flag for stable exports. [#1335]
+
+### Fixed
+
+- Fix `clientGrants` matching when multiple grants share the same `client_id` and `audience`. [#1341]
+
+## [8.30.0] - 2026-04-02
+
+### Added
+
+- Add support for passkey enrollment in `prompts` partials. [#1328]
+- Add support for `dpop_signing_alg` validation in OIDC and Okta `connections`. [#1343]
+
+### Fixed
+
+- Fix action module fetching logic to resolve correct module IDs. [#1340]
+- Fix `AUTH0_EXCLUDED_*` options not respected during export. [#1342]
+
 ## [8.29.3] - 2026-03-25
 
 ### Fixed
@@ -1692,9 +1715,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1320]: https://github.com/auth0/auth0-deploy-cli/issues/1320
 [#1321]: https://github.com/auth0/auth0-deploy-cli/issues/1321
 [#1322]: https://github.com/auth0/auth0-deploy-cli/issues/1322
+[#1328]: https://github.com/auth0/auth0-deploy-cli/issues/1328
 [#1333]: https://github.com/auth0/auth0-deploy-cli/issues/1333
 [#1334]: https://github.com/auth0/auth0-deploy-cli/issues/1334
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.3...HEAD
+[#1340]: https://github.com/auth0/auth0-deploy-cli/issues/1340
+[#1342]: https://github.com/auth0/auth0-deploy-cli/issues/1342
+[#1343]: https://github.com/auth0/auth0-deploy-cli/issues/1343
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.31.0...HEAD
+[8.31.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.30.0...v8.31.0
+[8.30.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.3...v8.30.0
 [8.29.3]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.2...v8.29.3
 [8.29.2]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.1...v8.29.2
 [8.29.1]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.0...v8.29.1

package/CLAUDE.md

@@ -0,0 +1,3 @@
+# For project context see
+
+- [AGENTS.md](./AGENTS.md)

package/lib/args.d.ts

@@ -16,6 +16,7 @@ type ExportSpecificParams = {
     format: 'yaml' | 'directory';
     output_folder: string;
     export_ids?: boolean;
+    export_ordered?: boolean;
 };
 export type ExportParams = ExportSpecificParams & SharedParams;
 export type ImportParams = ImportSpecificParams & SharedParams;

package/lib/args.js

@@ -83,6 +83,11 @@ function getParams() {
             type: 'boolean',
             default: false,
         },
+        export_ordered: {
+            alias: 's',
+            describe: 'Order keys in exported JSON files for consistent diffs.',
+            type: 'boolean',
+        },
     })
         .example('$0 export -c config.json -f yaml -o path/to/export', 'Dump Auth0 config to folder in YAML format')
         .example('$0 export -c config.json -f directory -o path/to/export', 'Dump Auth0 config to folder in directory format')

package/lib/commands/export.js

@@ -11,7 +11,7 @@ const logger_1 = __importDefault(require("../logger"));
 const utils_1 = require("../utils");
 const index_1 = require("../context/index");
 async function exportCMD(params) {
-    const { output_folder: outputFolder, base_path: basePath, config_file: configFile, config: configObj, export_ids: exportIds, secret: clientSecret, env: shouldInheritEnv = false, experimental_ea: experimentalEA, } = params;
+    const { output_folder: outputFolder, base_path: basePath, config_file: configFile, config: configObj, export_ids: exportIds, export_ordered: exportOrdered, secret: clientSecret, env: shouldInheritEnv = false, experimental_ea: experimentalEA, } = params;
     if (shouldInheritEnv) {
         nconf_1.default.env().use('memory');
     }
@@ -32,6 +32,10 @@ async function exportCMD(params) {
     if (exportIds) {
         overrides.AUTH0_EXPORT_IDENTIFIERS = exportIds;
     }
+    // Allow passed in export_ordered to override the configured one
+    if (exportOrdered) {
+        overrides.AUTH0_EXPORT_ORDERED = exportOrdered;
+    }
     // Overrides AUTH0_INCLUDE_EXPERIMENTAL_EA is experimental_ea passed in command line
     if (experimentalEA) {
         overrides.AUTH0_EXPERIMENTAL_EA = experimentalEA;

package/lib/context/directory/handlers/actions.js

@@ -99,8 +99,7 @@ async function dump(context) {
         // Dump template metadata
         const name = (0, utils_1.sanitize)(action.name);
         const actionFile = path_1.default.join(actionsFolder, `${name}.json`);
-        logger_1.default.info(`Writing ${actionFile}`);
-        fs_extra_1.default.writeFileSync(actionFile, JSON.stringify(mapToAction(context.filePath, action, includeIdentifiers), null, 2));
+        (0, utils_1.dumpJSON)(actionFile, mapToAction(context.filePath, action, includeIdentifiers));
     });
 }
 const actionsHandler = {

package/lib/context/directory/handlers/clientGrants.js

@@ -25,13 +25,14 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { clientGrants } = context.assets;
+    let { clientGrants } = context.assets;
     if (!clientGrants)
         return; // Skip, nothing to dump
     const grantsFolder = path_1.default.join(context.filePath, tools_1.constants.CLIENTS_GRANTS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(grantsFolder);
     if (clientGrants.length === 0)
         return;
+    const excludedClientsByNames = (context.assets.exclude && context.assets.exclude.clients) || [];
     const allResourceServers = await (0, client_1.paginate)(context.mgmtClient.resourceServers.list, {
         paginate: true,
         include_totals: true,
@@ -40,6 +41,13 @@ async function dump(context) {
         paginate: true,
         include_totals: true,
     });
+    // Filter out grants for excluded clients
+    if (excludedClientsByNames.length) {
+        const excludedClientIds = new Set(allClients
+            .filter((c) => c.name !== undefined && excludedClientsByNames.includes(c.name))
+            .map((c) => c.client_id));
+        clientGrants = clientGrants.filter((grant) => !excludedClientIds.has(grant.client_id));
+    }
     // Convert client_id to the client name for readability
     clientGrants.forEach((grant) => {
         const dumpGrant = { ...grant };

package/lib/context/directory/handlers/clients.js

@@ -36,10 +36,15 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { clients } = context.assets;
+    let { clients } = context.assets;
     const { userAttributeProfiles, connectionProfiles } = context.assets;
     if (!clients)
         return; // Skip, nothing to dump
+    // Filter excluded clients
+    const excludedClients = (context.assets.exclude && context.assets.exclude.clients) || [];
+    if (excludedClients.length) {
+        clients = clients.filter((client) => !excludedClients.includes(client.name ?? ''));
+    }
     const clientsFolder = path_1.default.join(context.filePath, tools_1.constants.CLIENTS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(clientsFolder);
     clients.forEach((client) => {

package/lib/context/directory/handlers/connections.js

@@ -40,9 +40,15 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { connections, clientsOrig } = context.assets;
+    let { connections } = context.assets;
+    const { clientsOrig } = context.assets;
     if (!connections)
         return; // Skip, nothing to dump
+    // Filter excluded connections
+    const excludedConnections = (context.assets.exclude && context.assets.exclude.connections) || [];
+    if (excludedConnections.length) {
+        connections = connections.filter((connection) => !excludedConnections.includes(connection.name));
+    }
     const connectionsFolder = path_1.default.join(context.filePath, tools_1.constants.CONNECTIONS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(connectionsFolder);
     // Convert enabled_clients from id to name

package/lib/context/directory/handlers/databases.js

@@ -65,9 +65,14 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { databases } = context.assets;
+    let { databases } = context.assets;
     if (!databases)
         return; // Skip, nothing to dump
+    // Filter excluded databases
+    const excludedDatabases = (context.assets.exclude && context.assets.exclude.databases) || [];
+    if (excludedDatabases.length) {
+        databases = databases.filter((database) => !excludedDatabases.includes(database.name));
+    }
     const databasesFolder = path_1.default.join(context.filePath, tools_1.constants.DATABASE_CONNECTIONS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(databasesFolder);
     databases.forEach((database) => {

package/lib/context/directory/handlers/resourceServers.js

@@ -24,10 +24,15 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { resourceServers } = context.assets;
+    let { resourceServers } = context.assets;
     let { clients } = context.assets;
     if (!resourceServers)
         return; // Skip, nothing to dump
+    // Filter excluded resource servers
+    const excludedResourceServers = (context.assets.exclude && context.assets.exclude.resourceServers) || [];
+    if (excludedResourceServers.length) {
+        resourceServers = resourceServers.filter((resourceServer) => !excludedResourceServers.includes(resourceServer.name ?? ''));
+    }
     const resourceServersFolder = path_1.default.join(context.filePath, tools_1.constants.RESOURCE_SERVERS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(resourceServersFolder);
     if (clients === undefined) {

package/lib/context/directory/handlers/rules.js

@@ -30,9 +30,14 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { rules } = context.assets;
+    let { rules } = context.assets;
     if (!rules)
         return; // Skip, nothing to dump
+    // Filter excluded rules
+    const excludedRules = (context.assets.exclude && context.assets.exclude.rules) || [];
+    if (excludedRules.length) {
+        rules = rules.filter((rule) => !excludedRules.includes(rule.name));
+    }
     // Create Rules folder
     const rulesFolder = path_1.default.join(context.filePath, tools_1.constants.RULES_DIRECTORY);
     fs_extra_1.default.ensureDirSync(rulesFolder);

package/lib/context/directory/handlers/triggers.js

@@ -7,7 +7,6 @@ const path_1 = __importDefault(require("path"));
 const fs_extra_1 = __importDefault(require("fs-extra"));
 const tools_1 = require("../../../tools");
 const utils_1 = require("../../../utils");
-const logger_1 = __importDefault(require("../../../logger"));
 function parse(context) {
     const triggersFolder = path_1.default.join(context.filePath, tools_1.constants.TRIGGERS_DIRECTORY);
     if (!(0, utils_1.existsMustBeDir)(triggersFolder))
@@ -29,8 +28,7 @@ async function dump(context) {
     const triggersFolder = path_1.default.join(context.filePath, tools_1.constants.TRIGGERS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(triggersFolder);
     const triggerFile = path_1.default.join(triggersFolder, 'triggers.json');
-    logger_1.default.info(`Writing ${triggerFile}`);
-    fs_extra_1.default.writeFileSync(triggerFile, JSON.stringify(triggers, null, 2));
+    (0, utils_1.dumpJSON)(triggerFile, triggers);
 }
 const triggersHandler = {
     parse,

package/lib/context/yaml/handlers/clientGrants.js

@@ -12,7 +12,7 @@ async function parse(context) {
 }
 async function dump(context) {
     let { clients } = context.assets;
-    const { clientGrants } = context.assets;
+    let { clientGrants } = context.assets;
     if (!clientGrants)
         return { clientGrants: null };
     if (clients === undefined) {
@@ -21,6 +21,14 @@ async function dump(context) {
             include_totals: true,
         });
     }
+    // Filter out grants for excluded clients
+    const excludedClientsByNames = (context.assets.exclude && context.assets.exclude.clients) || [];
+    if (excludedClientsByNames.length) {
+        const excludedClientIds = new Set((clients || [])
+            .filter((c) => c.name !== undefined && excludedClientsByNames.includes(c.name))
+            .map((c) => c.client_id));
+        clientGrants = clientGrants.filter((grant) => !excludedClientIds.has(grant.client_id));
+    }
     // Convert client_id to the client name for readability
     return {
         clientGrants: clientGrants.map((grant) => {

package/lib/context/yaml/handlers/clients.js

@@ -36,6 +36,11 @@ async function dump(context) {
     const { userAttributeProfiles, connectionProfiles } = context.assets;
     if (!clients)
         return { clients: null };
+    // Filter excluded clients
+    const excludedClients = (context.assets.exclude && context.assets.exclude.clients) || [];
+    if (excludedClients.length) {
+        clients = clients.filter((client) => !excludedClients.includes(client.name ?? ''));
+    }
     // map ids to names for user attribute profiles and connection profiles
     clients = clients.map((client) => {
         const userAttributeProfileId = client?.express_configuration?.user_attribute_profile_id;

package/lib/context/yaml/handlers/connections.js

@@ -50,9 +50,15 @@ const getFormattedOptions = (connection, clients) => {
     }
 };
 async function dump(context) {
-    const { connections, clients } = context.assets;
+    let { connections } = context.assets;
+    const { clients } = context.assets;
     if (!connections)
         return { connections: null };
+    // Filter excluded connections
+    const excludedConnections = (context.assets.exclude && context.assets.exclude.connections) || [];
+    if (excludedConnections.length) {
+        connections = connections.filter((connection) => !excludedConnections.includes(connection.name));
+    }
     return {
         connections: connections.map((connection) => {
             let dumpedConnection = {

package/lib/context/yaml/handlers/databases.js

@@ -31,9 +31,15 @@ async function parse(context) {
     };
 }
 async function dump(context) {
-    const { databases, clients } = context.assets;
+    let { databases } = context.assets;
+    const { clients } = context.assets;
     if (!databases)
         return { databases: null };
+    // Filter excluded databases
+    const excludedDatabases = (context.assets.exclude && context.assets.exclude.databases) || [];
+    if (excludedDatabases.length) {
+        databases = databases.filter((database) => !excludedDatabases.includes(database.name));
+    }
     const sortCustomScripts = ([name1], [name2]) => {
         if (name1 === name2)
             return 0;

package/lib/context/yaml/handlers/resourceServers.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const client_1 = require("../../../tools/auth0/client");
 const utils_1 = require("../../../utils");
-async function dumpAndParse(context) {
+async function parse(context) {
     const { resourceServers } = context.assets;
     let { clients } = context.assets;
     if (!resourceServers) {
@@ -24,8 +24,35 @@ async function dumpAndParse(context) {
         }),
     };
 }
+async function dump(context) {
+    let { resourceServers } = context.assets;
+    let { clients } = context.assets;
+    if (!resourceServers) {
+        return { resourceServers: null };
+    }
+    // Filter excluded resource servers
+    const excludedResourceServers = (context.assets.exclude && context.assets.exclude.resourceServers) || [];
+    if (excludedResourceServers.length) {
+        resourceServers = resourceServers.filter((rs) => !excludedResourceServers.includes(rs.name ?? ''));
+    }
+    if (clients === undefined) {
+        clients = await (0, client_1.paginate)(context.mgmtClient.clients.list, {
+            paginate: true,
+            include_totals: true,
+        });
+    }
+    return {
+        resourceServers: resourceServers.map((rs) => {
+            const dumpResourceServer = { ...rs };
+            if (dumpResourceServer.client_id) {
+                dumpResourceServer.client_id = (0, utils_1.convertClientIdToName)(dumpResourceServer.client_id, clients || []);
+            }
+            return dumpResourceServer;
+        }),
+    };
+}
 const resourceServersHandler = {
-    parse: dumpAndParse,
-    dump: dumpAndParse,
+    parse,
+    dump,
 };
 exports.default = resourceServersHandler;

package/lib/context/yaml/handlers/rules.js

@@ -25,6 +25,11 @@ async function dump(context) {
     if (!rules) {
         return { rules: null };
     }
+    // Filter excluded rules
+    const excludedRules = (context.assets.exclude && context.assets.exclude.rules) || [];
+    if (excludedRules.length) {
+        rules = rules.filter((rule) => !excludedRules.includes(rule.name));
+    }
     // Create Rules folder
     const rulesFolder = path_1.default.join(context.basePath, 'rules');
     fs_extra_1.default.ensureDirSync(rulesFolder);

package/lib/context/yaml/index.js

@@ -183,7 +183,8 @@ class YAMLContext {
             cleaned = (0, utils_1.stripIdentifiers)(auth0, cleaned);
         }
         // Write YAML File
-        const raw = js_yaml_1.default.dump(cleaned);
+        const exportOrdered = Boolean(this.config.AUTH0_EXPORT_ORDERED);
+        const raw = js_yaml_1.default.dump(cleaned, { sortKeys: exportOrdered });
         logger_1.default.info(`Writing ${this.configFile}`);
         fs_extra_1.default.writeFileSync(this.configFile, raw);
     }

package/lib/tools/auth0/handlers/actions.js

@@ -249,7 +249,7 @@ class ActionHandler extends default_1.default {
         }
     }
     async calcChanges(assets) {
-        let { actions, actionModules } = assets;
+        let { actions } = assets;
         // Do nothing if not set
         if (!actions)
             return {
@@ -259,19 +259,14 @@ class ActionHandler extends default_1.default {
                 conflicts: [],
             };
         let modules = null;
-        if (actionModules && actionModules.length > 0) {
-            modules = actionModules;
+        try {
+            modules = await (0, client_1.paginate)(this.client.actions.modules.list, {
+                paginate: true,
+            });
         }
-        else {
-            try {
-                modules = await (0, client_1.paginate)(this.client.actions.modules.list, {
-                    paginate: true,
-                });
-            }
-            catch {
-                logger_1.default.debug('Skipping actions modules enrichment because action modules could not be retrieved.');
-                modules = null;
-            }
+        catch {
+            logger_1.default.debug('Skipping actions modules enrichment because action modules could not be retrieved.');
+            modules = null;
         }
         if (modules != null) {
             // Use task queue to process actions in parallel
@@ -305,12 +300,15 @@ class ActionHandler extends default_1.default {
                         moduleVersions = await moduleVersions.getNextPage();
                         allModuleVersions.push(...moduleVersions.data);
                     }
+                    const moduleVersionId = allModuleVersions?.find((v) => v.version_number === module.module_version_number)?.id;
+                    if (!moduleVersionId) {
+                        throw new Error(`Could not find action module version id for module '${module.module_name}' version '${module.module_version_number}'`);
+                    }
                     return {
                         module_name: module.module_name,
                         module_id: foundModule.id,
                         module_version_number: module.module_version_number,
-                        module_version_id: allModuleVersions?.find((v) => v.version_number === module.module_version_number)
-                            ?.id || '',
+                        module_version_id: moduleVersionId,
                     };
                 }
                 return module;

package/lib/tools/auth0/handlers/clientGrants.js

@@ -84,7 +84,9 @@ class ClientGrantsHandler extends default_1.default {
             type: 'clientGrants',
             id: 'id',
             // @ts-ignore because not sure why two-dimensional array passed in
-            identifiers: ['id', ['client_id', 'audience']],
+            // Try ['client_id', 'audience', 'subject_type'] first; falls through to
+            // ['client_id', 'audience'] when subject_type is null (falsy).
+            identifiers: ['id', ['client_id', 'audience', 'subject_type'], ['client_id', 'audience']],
             stripUpdateFields: ['audience', 'client_id', 'subject_type', 'is_system'],
         });
     }
@@ -155,6 +157,31 @@ class ClientGrantsHandler extends default_1.default {
             ...assets,
             clientGrants: formatted,
         });
+        // subject_type is immutable (in stripUpdateFields). Grants matched via the
+        // ['client_id', 'audience'] fallback with a mismatched subject_type must become
+        // DELETE + CREATE, not UPDATE, so the tenant converges to the desired state.
+        const subjectTypeMismatches = update.filter((localGrant) => {
+            // Only flag when local explicitly specifies subject_type (backward compat).
+            if (localGrant.subject_type === undefined)
+                return false;
+            const remoteGrant = (this.existing || []).find((e) => e.id === localGrant.id);
+            return (remoteGrant && (remoteGrant.subject_type ?? null) !== (localGrant.subject_type ?? null));
+        });
+        const adjustedUpdate = update.filter((u) => !subjectTypeMismatches.includes(u));
+        const adjustedDel = [
+            ...del,
+            ...subjectTypeMismatches
+                .map((u) => (this.existing || []).find((e) => e.id === u.id))
+                .filter((e) => e !== undefined),
+        ];
+        const adjustedCreate = [
+            ...create,
+            ...subjectTypeMismatches
+                .map((u) => formatted.find((f) => f.client_id === u.client_id &&
+                f.audience === u.audience &&
+                (f.subject_type ?? null) === (u.subject_type ?? null)))
+                .filter((g) => g !== undefined),
+        ];
         const filterGrants = (list) => {
             let filtered = list;
             // Filter out the current client (Auth0 Management API client)
@@ -174,11 +201,11 @@ class ClientGrantsHandler extends default_1.default {
         };
         const changes = {
             // @ts-ignore because this expects `client_id` and that's not yet typed on Asset
-            del: filterGrants(del),
+            del: filterGrants(adjustedDel),
             // @ts-ignore because this expects `client_id` and that's not yet typed on Asset
-            update: filterGrants(update),
+            update: filterGrants(adjustedUpdate),
             // @ts-ignore because this expects `client_id` and that's not yet typed on Asset
-            create: filterGrants(create),
+            create: filterGrants(adjustedCreate),
             // @ts-ignore because this expects `client_id` and that's not yet typed on Asset
             conflicts: filterGrants(conflicts),
         };

package/lib/tools/auth0/handlers/connections.d.ts

@@ -16,6 +16,11 @@ export declare const schema: {
             };
             options: {
                 type: string;
+                properties: {
+                    dpop_signing_alg: {
+                        type: string;
+                    };
+                };
             };
             enabled_clients: {
                 type: string;

package/lib/tools/auth0/handlers/connections.js

@@ -51,6 +51,14 @@ const utils_1 = require("../../utils");
 const client_1 = require("../client");
 const scimHandler_1 = __importDefault(require("./scimHandler"));
 const logger_1 = __importDefault(require("../../../logger"));
+const connectionOptionsSchema = {
+    type: 'object',
+    properties: {
+        dpop_signing_alg: {
+            type: 'string',
+        },
+    },
+};
 exports.schema = {
     type: 'array',
     items: {
@@ -58,7 +66,7 @@ exports.schema = {
         properties: {
             name: { type: 'string' },
             strategy: { type: 'string' },
-            options: { type: 'object' },
+            options: connectionOptionsSchema,
             enabled_clients: { type: 'array', items: { type: 'string' } },
             realms: { type: 'array', items: { type: 'string' } },
             metadata: { type: 'object' },

package/lib/tools/auth0/handlers/customDomains.d.ts

@@ -50,6 +50,10 @@ export declare const schema: {
                 type: string[];
                 description: string;
             };
+            is_default: {
+                type: string;
+                description: string;
+            };
         };
         required: string[];
     };
@@ -60,6 +64,7 @@ export default class CustomDomainsHadnler extends DefaultAPIHandler {
     constructor(config: DefaultAPIHandler);
     objString(item: Asset): string;
     getType(): Promise<Asset | null>;
+    validate(assets: Assets): Promise<void>;
     processChanges(assets: Assets): Promise<void>;
 }
 export {};

package/lib/tools/auth0/handlers/customDomains.js

@@ -44,6 +44,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.schema = void 0;
 const default_1 = __importStar(require("./default"));
+const validationError_1 = __importDefault(require("../../validationError"));
 const logger_1 = __importDefault(require("../../../logger"));
 exports.schema = {
     type: 'array',
@@ -81,6 +82,10 @@ exports.schema = {
                 type: ['string'],
                 description: 'Relying Party ID (rpId) to be used for Passkeys on this custom domain. If not provided or set to null, the full domain will be used.',
             },
+            is_default: {
+                type: 'boolean',
+                description: 'Whether this custom domain is the default domain used for email notifications.',
+            },
         },
         required: ['domain', 'type'],
     },
@@ -136,6 +141,16 @@ class CustomDomainsHadnler extends default_1.default {
             throw err;
         }
     }
+    async validate(assets) {
+        await super.validate(assets);
+        const { customDomains } = assets;
+        if (!customDomains)
+            return;
+        const defaultDomains = customDomains.filter((d) => d.is_default === true);
+        if (defaultDomains.length > 1) {
+            throw new validationError_1.default(`Only one custom domain can be set as default (is_default: true), but found ${defaultDomains.length}: ${defaultDomains.map((d) => d.domain).join(', ')}`);
+        }
+    }
     async processChanges(assets) {
         const { customDomains } = assets;
         if (!customDomains)
@@ -149,6 +164,17 @@ class CustomDomainsHadnler extends default_1.default {
         }
         const changes = await this.calcChanges(assets);
         await super.processChanges(assets, changes);
+        // If a domain is marked as is_default, set it as the tenant's default custom domain.
+        const defaultDomain = customDomains.find((d) => d.is_default === true);
+        if (defaultDomain) {
+            try {
+                await this.client.customDomains.setDefault({ domain: defaultDomain.domain });
+                logger_1.default.info(`Set default custom domain: ${defaultDomain.domain}`);
+            }
+            catch (err) {
+                throw new Error(`Problem setting default custom domain ${defaultDomain.domain}\n${err}`);
+            }
+        }
     }
 }
 exports.default = CustomDomainsHadnler;

package/lib/tools/auth0/handlers/prompts.js

@@ -161,7 +161,10 @@ const customPartialsPromptTypes = [
     'signup',
     'signup-id',
     'signup-password',
+    'passkeys',
 ];
+// Prompts that may not be available on all tenants (early access features)
+const optionalPartialsPromptTypes = ['passkeys'];
 const customPartialsScreenTypes = [
     'login',
     'login-id',
@@ -171,6 +174,8 @@ const customPartialsScreenTypes = [
     'signup-password',
     'login-passwordless-sms-otp',
     'login-passwordless-email-code',
+    'passkeys-enrollment',
+    'passkeys-enrollment-local',
 ];
 const customPartialsInsertionPoints = [
     'form-content-start',
@@ -358,6 +363,19 @@ class PromptsHandler extends default_1.default {
                 this.IsFeatureSupported = false;
                 return null;
             }
+            // Handle 400 errors for prompt types not available on all tenants (early access features)
+            // Error format: "Path validation error: 'Invalid value \"passkeys\"' on property prompt (Name of the prompt)."
+            if (error &&
+                error?.statusCode === 400 &&
+                error.message?.includes('Path validation error') &&
+                error.message?.includes('on property prompt')) {
+                // Check if the error message contains any of the optional prompt types
+                const unavailablePrompt = optionalPartialsPromptTypes.find((promptType) => error.message?.includes(promptType));
+                if (unavailablePrompt) {
+                    logger_1.default.warn(`Skipping partials for prompt type '${unavailablePrompt}' because it is not available on this tenant.`);
+                    return null;
+                }
+            }
             if (error && error.statusCode === 429) {
                 logger_1.default.error(`The global rate limit has been exceeded, resulting in a ${error.statusCode} error. ${error.message}. Although this is an error, it is not blocking the pipeline.`);
                 return null;

package/lib/tools/auth0/handlers/tenant.js

@@ -198,6 +198,11 @@ class TenantHandler extends default_1.default {
                 delete updatedTenant.flags;
             }
         }
+        if (tenant.flags?.enable_custom_domain_in_emails !== undefined) {
+            logger_1.default.warn('The "enable_custom_domain_in_emails" tenant flag is deprecated. ' +
+                'Use the "is_default" field on customDomains to configure the default domain instead. ' +
+                'The flag will still be applied for now but will be removed in a future release.');
+        }
         if (updatedTenant && Object.keys(updatedTenant).length > 0) {
             await this.client.tenants.settings.update(updatedTenant);
             this.updated += 1;

package/lib/types.d.ts

@@ -71,6 +71,7 @@ export type Config = {
     AUTH0_RETRY_MAX_DELAY_MS?: number;
     AUTH0_KEYWORD_REPLACE_MAPPINGS?: KeywordMappings;
     AUTH0_EXPORT_IDENTIFIERS?: boolean;
+    AUTH0_EXPORT_ORDERED?: boolean;
     AUTH0_CONNECTIONS_DIRECTORY?: string;
     EXCLUDED_PROPS?: {
         [key: string]: string[];

package/lib/utils.js

@@ -24,6 +24,7 @@ exports.mapClientID2NameSorted = mapClientID2NameSorted;
 exports.nomalizedYAMLPath = nomalizedYAMLPath;
 const path_1 = __importDefault(require("path"));
 const fs_extra_1 = __importDefault(require("fs-extra"));
+const nconf_1 = __importDefault(require("nconf"));
 const sanitize_filename_1 = __importDefault(require("sanitize-filename"));
 const dot_prop_1 = __importDefault(require("dot-prop"));
 const lodash_1 = require("lodash");
@@ -69,10 +70,21 @@ function loadJSON(file, opts = {
         throw new Error(`Error parsing JSON from metadata file: ${file}, because: ${e.message}`);
     }
 }
+function orderedKeysReplacer(_key, value) {
+    if (value && typeof value === 'object' && !Array.isArray(value)) {
+        const obj = value;
+        return Object.fromEntries(Object.keys(obj)
+            .sort()
+            .map((k) => [k, obj[k]]));
+    }
+    return value;
+}
 function dumpJSON(file, mappings) {
     try {
         logger_1.default.info(`Writing ${file}`);
-        const jsonBody = JSON.stringify(mappings, null, 2);
+        const exportOrdered = Boolean(nconf_1.default.get('AUTH0_EXPORT_ORDERED'));
+        const replacer = exportOrdered ? orderedKeysReplacer : undefined;
+        const jsonBody = JSON.stringify(mappings, replacer, 2);
         fs_extra_1.default.writeFileSync(file, jsonBody.endsWith('\n') ? jsonBody : `${jsonBody}\n`);
     }
     catch (e) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-deploy-cli",
-  "version": "8.29.3",
+  "version": "8.31.0",
   "description": "A command line tool for deploying updates to your Auth0 tenant",
   "main": "lib/index.js",
   "bin": {
@@ -9,9 +9,10 @@
   "scripts": {
     "lint:fix": "eslint --fix . && kacl lint",
     "lint": "eslint . && kacl lint",
+    "format:check": "npx prettier --check .",
     "format": "npx prettier --write .",
     "test": "ts-mocha -p tsconfig.json --recursive 'test/**/*.test*' --exclude 'test/e2e/*' --timeout 20000",
-    "test:e2e:node-module": "ts-mocha -p tsconfig.json --recursive 'test/e2e/*.test*' --timeout 120000",
+    "test:e2e:node-module": "ts-mocha -p tsconfig.json --recursive 'test/e2e/*.test*' --timeout 150000",
     "test:e2e:cli": "sh ./test/e2e/e2e-cli.sh",
     "test:coverage": "nyc npm run test && nyc report --reporter=lcov",
     "build": "rimraf ./lib && npx tsc",
@@ -33,15 +34,15 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^5.4.0",
+    "auth0": "^5.6.0",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.1",
-    "lodash": "^4.17.23",
+    "lodash": "^4.18.1",
     "mkdirp": "^1.0.4",
     "nconf": "^0.13.0",
     "promise-pool-executor": "^1.1.1",
-    "sanitize-filename": "^1.6.3",
+    "sanitize-filename": "^1.6.4",
     "undici": "^7.24.3",
     "winston": "^3.19.0",
     "yargs": "^15.4.1"
@@ -52,8 +53,8 @@
     "@types/lodash": "^4.17.24",
     "@types/mocha": "^10.0.10",
     "@types/nconf": "^0.10.7",
-    "@typescript-eslint/eslint-plugin": "^8.57.0",
-    "@typescript-eslint/parser": "^8.57.0",
+    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@typescript-eslint/parser": "^8.58.0",
     "chai": "^4.5.0",
     "chai-as-promised": "^7.1.2",
     "eslint": "^9.39.2",