minutework 0.1.50 → 0.1.52

package/README.md

@@ -147,15 +147,17 @@ minutework deploy --preview
 
 Combined **tenant-app + sidecar** workspaces keep sidecar setup explicit. Root `pnpm install` stays Node-only and does not run `poetry install` for you. If you need the sidecar, run `pnpm run install:sidecar` from the workspace root or `cd sidecar && poetry install` yourself before `minutework dev` or `minutework test`. Sidecar-only scaffolds have no root `package.json`; install Python deps once inside `sidecar/` before running local sidecar workflows.
 
-For direct third-party web hosts such as Vercel, deploy `tenant-app` only. In Vercel, point the project Root Directory at `tenant-app`; the optional sidecar remains a separate Poetry-managed surface.
+For direct third-party web hosts such as Vercel, deploy `tenant-app` only. In Vercel, point the project Root Directory at `tenant-app`; the optional sidecar remains a separate Poetry-managed surface. To keep `@minutework/web-auth` same-origin on a bring-your-own host, set `MW_GATEWAY_BASE_URL` to the platform gateway base URL — the template's `next.config.mjs` then proxies `/_mw/*` to the gateway — and run `minutework deploy --live --host <your-domain>` so the gateway recognizes that host as your tenant's live canonical customer-web origin.
 
 `link` provisions or resolves the default published-site property for the active tenant and stores that property key in repo-local state. The SDK-based `tenant-app/.env.example` contains only the app metadata contract used by the template: `NEXT_PUBLIC_MW_APP_ID`, `MW_TEMPLATE_APP_NAME`, and optional `MW_PUBLIC_BASE_URL`. Browser auth and manifest calls use same-origin `/_mw` routes through `@minutework/web-auth`; do not add platform content tokens or public-site property vars to the tenant app.
 
-`deploy --preview` always revalidates and recompiles before submit, prints a local-vs-remote diff, requires confirmation unless `--yes` is passed, polls typed receipts until a terminal state, and persists the last known preview deploy state under `.minutework/deploy/preview/status.json`. This alpha is preview-first; live public delivery remains follow-on.
+`deploy --preview` always revalidates and recompiles before submit, prints a local-vs-remote diff, requires confirmation unless `--yes` is passed, polls typed receipts until a terminal state, and persists the last known preview deploy state under `.minutework/deploy/preview/status.json`.
+
+`deploy --live` is the self-serve lane for a **`tenant-app` customer-web** surface (browser signup/signin via `@minutework/web-auth` on same-origin `/_mw`). It provisions a customer-web property, binds a canonical live host, and activates the compiled release **only after it passes the platform publication-review attestation gate** (the same gate as `publish`); a rejected attestation prints the review findings and exits 1 without activating. Once live, the platform gateway resolves that host and serves `/_mw/auth/{csrf,signup,login,session,verify-email,logout}` for real tenant-scoped customer accounts. By default it binds a managed subdomain (`<tenant>.<customer-web-domain>`, auto-verified by the platform). Pass `--host <domain>` to bind a bring-your-own (Vercel/custom) domain: the first run prints a DNS/HTTP verification challenge; re-run with `--host <domain> --verify <challenge>` once the record is published to confirm and activate. Live activation requires an interactive token or a deploy token minted with the `deploy.live.request` scope. MinuteWork-hosted byte-hosting of the tenant-app itself remains follow-on; until then, host the built `tenant-app` yourself (see Vercel below) and use this lane to make `/_mw` work for that host.
 
 ## Machine-readable output (`--json`)
 
-`validate`, `compile`, `codegen`, `deploy --preview`, `publish`, and `gaps` accept `--json` so an IDE coding agent can drive them unattended and parse one stable shape. With `--json` the command prints a single result envelope to stdout and nothing else:
+`validate`, `compile`, `codegen`, `deploy --preview`, `deploy --live`, `publish`, and `gaps` accept `--json` so an IDE coding agent can drive them unattended and parse one stable shape. With `--json` the command prints a single result envelope to stdout and nothing else:
 
 ```json
 {

package/assets/claude-local/skills/README.md

@@ -23,6 +23,10 @@ receive:
   `useMinuteWorkSession().status`; mobile uses `@minutework/native-auth`
   bearer-token storage for its same-named password method and sends the
   configured `EXPO_PUBLIC_MW_TENANT_ID` tenant context
+- `tenant-app` browser customer auth (`/_mw` signup/login) only works on a
+  live, canonical customer-web host; reach it with self-serve
+  `minutework deploy --live` (attestation-gated), not `deploy --preview` — see
+  `tenant-app-customer-auth-deploy/SKILL.md`
 - `mw.core.site` is a runtime baseline capability
 - tenant public authoring is runtime/CMS-backed through `mw.core.site`
 - Vuilder-owned public sites use `vuilder-public-site` and public-dj CMS
@@ -58,6 +62,7 @@ Generated-workspace-first guidance should live here, especially:
 - `integration-broker-and-connectors/SKILL.md`
 - `layering-and-import-modes/SKILL.md`
 - `standalone-mobile-client/SKILL.md`
+- `tenant-app-customer-auth-deploy/SKILL.md`
 - `capability-gap-reporting/SKILL.md`
 - `shadow-participation-and-guest-threads/SKILL.md`
 - `email-ingress-and-thread-routing/SKILL.md`

package/assets/claude-local/skills/published-web-and-mw-core-site/SKILL.md

@@ -20,6 +20,12 @@ flows, or the default MinuteWork site model.
   runtime-canonical through `mw.core.site` and installed app-pack data.
 - `tenant-app` is the combined web starter for public routes plus the private
   `/app` workspace.
+- For `tenant-app` **browser customer auth** (`@minutework/web-auth` same-origin
+  `/_mw` signup/login), read `tenant-app-customer-auth-deploy/SKILL.md`: `/_mw`
+  only works on a live, canonical customer-web host, reached with self-serve
+  `minutework deploy --live` (attestation-gated). That is a distinct property
+  and host from the anonymous public-site delivery covered here, and
+  `deploy --preview` does not enable it.
 - Do not add a server-only public content token adapter to `tenant-app`.
   Public content should come from hosted published releases/snapshots or
   gateway-approved public-content routes over the MinuteWork substrate, not

package/assets/claude-local/skills/tenant-app-customer-auth-deploy/SKILL.md

@@ -0,0 +1,72 @@
+---
+name: tenant-app-customer-auth-deploy
+description: "tenant-app browser customer auth: @minutework/web-auth same-origin /_mw signup/login works only on a live, canonical customer-web host. Reach it with self-serve minutework deploy --live (attestation-gated); deploy --preview does not enable /_mw."
+---
+
+# Tenant-App Customer-Auth Deploy
+
+Use this skill when a `tenant-app` needs **browser customer signup/login** (the
+`@minutework/web-auth` SDK: `signUp` / `signInWithPassword` /
+`useMinuteWorkSession()` against same-origin `/_mw/auth/*`), or when the symptom
+is "customer auth / `/_mw` returns 404, how do I make login work / go live?".
+
+The SDK contract is already correct in the starter; the missing half is making
+the platform gateway **recognize the host** so it serves `/_mw`.
+
+## The trust gate (never bypass it)
+
+`/_mw/auth/{csrf,signup,login,session,verify-email,logout}` is served by the
+platform gateway, but only for a host that resolves to a **live, canonical,
+verified** customer-web binding plus a **live** release
+(`resolve_tenant_for_customer_web_host`: `route_role="live"`,
+`is_canonical=True`, verified `DomainBinding`, live `SiteRelease`). Preview and
+non-canonical hosts are rejected by design — customer auth creates real
+tenant-scoped accounts. Do not try to relax this, point `/_mw` at a remote
+project URL, or add per-app auth/gateway BFF routes. The fix is to reach live,
+not to work around the gate.
+
+## How to reach live: `minutework deploy --live`
+
+Run `minutework deploy --live` for the `tenant-app` workspace. It is self-serve
+and host-agnostic, and it:
+
+- provisions a **customer-web** `PublishedWebProperty` (distinct from any
+  vuilder public-site property — different `property_key` and host; do not
+  conflate them),
+- binds a **canonical live host**, and
+- activates the compiled release **live only after it passes the same
+  publication-review attestation gate as `minutework publish`** (`approved` /
+  `approved_with_warnings`). A rejected attestation prints the review findings
+  and exits 1 without activating — fix the findings, don't retry blindly.
+
+Authorize it with an interactive developer token or a deploy token minted with
+the `deploy.live.request` scope (`minutework deploy --live --json --yes` runs
+unattended; without `--yes` it returns `confirmation_required`).
+
+## Host shapes
+
+- **Managed subdomain (default):** no flag. The platform derives
+  `<tenant>.<customer-web-domain>` and auto-verifies it (it owns that DNS).
+  Single-shot: `minutework deploy --live`.
+- **Bring-your-own / custom domain (Vercel, etc.):**
+  `minutework deploy --live --host <domain>` registers the host and prints a
+  DNS/HTTP verification challenge; publish the record, then re-run
+  `minutework deploy --live --host <domain> --verify <challenge>` to confirm and
+  activate. On a BYO host, set `MW_GATEWAY_BASE_URL` in the tenant-app so the
+  template's `next.config.mjs` proxies same-origin `/_mw/*` to the gateway
+  (managed-subdomain hosts are gateway-fronted and need no rewrite).
+
+## Boundaries and current limits
+
+- `deploy --preview` is preview-only and does **not** enable `/_mw` customer
+  auth (preview ≠ live; the gateway rejects preview hosts). Use `--live`.
+- MinuteWork-hosted byte-hosting of the tenant-app bundle is follow-on. Today
+  host the built `tenant-app` yourself (e.g. Vercel) and use `--live` to make
+  `/_mw` resolve for that host; the lane only owns the host binding + live
+  activation, not the bundle hosting.
+- The web session principal is `tenant_customer` (not an operator
+  `Membership`); status precedence stays `loading -> verification_required ->
+  authenticated -> unauthenticated`.
+- For anonymous public-site content (not customer auth), use
+  `published-web-and-mw-core-site/SKILL.md` and hosted published snapshots
+  instead.

package/assets/templates/next-tenant-app/.env.example

@@ -1,3 +1,7 @@
 NEXT_PUBLIC_MW_APP_ID=tenant.app
 MW_TEMPLATE_APP_NAME=Tenant App
 MW_PUBLIC_BASE_URL=
+# Only needed when hosting this app off-platform (Vercel / custom domain). Set to the
+# MinuteWork platform gateway base URL to transparently proxy same-origin /_mw/* customer
+# auth to the gateway. Leave blank for managed-subdomain hosts (gateway-fronted).
+MW_GATEWAY_BASE_URL=

package/assets/templates/next-tenant-app/next.config.mjs

@@ -20,6 +20,15 @@ function resolveTurbopackRoot(startDirectory) {
   }
 }
 
+// Bring-your-own host support: when this tenant-app is hosted off-platform (Vercel
+// or a custom domain) instead of being fronted by the MinuteWork gateway, set
+// MW_GATEWAY_BASE_URL so same-origin `/_mw/*` customer-auth calls are transparently
+// proxied to the platform gateway. The gateway serves customer auth for this tenant's
+// live canonical customer-web host (provisioned via `minutework deploy --live`), so
+// @minutework/web-auth keeps its same-origin contract without a remote project URL.
+// Unset by default: managed-subdomain hosts are gateway-fronted and need no rewrite.
+const gatewayBaseUrl = (process.env.MW_GATEWAY_BASE_URL || "").trim().replace(/\/+$/, "");
+
 const nextConfig = {
   reactStrictMode: true,
   typedRoutes: true,
@@ -28,6 +37,13 @@ const nextConfig = {
   turbopack: {
     root: resolveTurbopackRoot(__dirname),
   },
+  ...(gatewayBaseUrl
+    ? {
+        async rewrites() {
+          return [{ destination: `${gatewayBaseUrl}/_mw/:path*`, source: "/_mw/:path*" }];
+        },
+      }
+    : {}),
 };
 
 export default nextConfig;

package/dist/customer-web.d.ts

@@ -0,0 +1,46 @@
+import type { HostedPreviewReleaseMetadata } from "@minutework/schema-compiler";
+import { type DeveloperClientDependencies, createDeveloperClient } from "./developer-client.js";
+import type { CliIo } from "./index.js";
+export declare const MINUTEWORK_CUSTOMER_WEB_PACKAGE_VERSION = "MinuteWorkCustomerWebPackageV1";
+/**
+ * Bundle a compiled tenant-app starter directory into the same gate-artifact shape
+ * the publication-review pipeline consumes (`appId`, `artifactSetDigest`,
+ * `compileGraph.documents.appManifests`, `sourceBundle.files`, `dependencyExport`).
+ * Bundling the real source is deliberate: the live customer-web gate must run the
+ * static-security/economic/ui gates over the actual tenant-app source, not an empty set.
+ */
+export declare function buildCustomerWebPackage(options: {
+    releaseMetadata: HostedPreviewReleaseMetadata;
+    workspaceRoot: string;
+}): Promise<Record<string, unknown>>;
+export type CustomerWebLiveDeployDependencies = DeveloperClientDependencies & {
+    confirmCustomerWebLiveDeploy?: (context: {
+        canonicalHost: string;
+        propertyKey: string;
+    }) => Promise<boolean>;
+};
+/**
+ * Drive a single self-serve live customer-web deploy: provision + bind the canonical
+ * host, run the tenant-app release through the live publication-review gate, and (only
+ * on an approved attestation) activate it live so the gateway serves same-origin `/_mw`.
+ */
+export declare function runCustomerWebLiveDeploy(options: {
+    client: ReturnType<typeof createDeveloperClient>;
+    customHostname?: string;
+    dependencies?: CustomerWebLiveDeployDependencies;
+    hostLabel?: string;
+    io: CliIo;
+    json: boolean;
+    releaseMetadata: HostedPreviewReleaseMetadata;
+    renderJson: (envelope: {
+        error?: {
+            message: string;
+        };
+        ok: boolean;
+        result?: unknown;
+        status: string;
+    }) => string;
+    verifyChallengeResponse?: string;
+    workspaceRoot: string;
+    yes: boolean;
+}): Promise<number>;

package/dist/customer-web.js

@@ -0,0 +1,250 @@
+import { createHash } from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+export const MINUTEWORK_CUSTOMER_WEB_PACKAGE_VERSION = "MinuteWorkCustomerWebPackageV1";
+const _IGNORED_DIRECTORIES = new Set([
+    ".git",
+    ".next",
+    ".turbo",
+    ".vercel",
+    "coverage",
+    "dist",
+    "node_modules",
+    "out",
+]);
+/**
+ * Bundle a compiled tenant-app starter directory into the same gate-artifact shape
+ * the publication-review pipeline consumes (`appId`, `artifactSetDigest`,
+ * `compileGraph.documents.appManifests`, `sourceBundle.files`, `dependencyExport`).
+ * Bundling the real source is deliberate: the live customer-web gate must run the
+ * static-security/economic/ui gates over the actual tenant-app source, not an empty set.
+ */
+export async function buildCustomerWebPackage(options) {
+    const starterRoot = path.join(options.workspaceRoot, options.releaseMetadata.starterPath);
+    const files = await buildSourceFiles(starterRoot);
+    const sourceBundleDigest = sha256Hex(JSON.stringify(files.map((file) => ({ path: file.path, sha256: file.sha256 }))));
+    const dependencyExport = await buildDependencyExport(starterRoot);
+    const appManifest = {
+        app_class: "combined_web",
+        app_id: options.releaseMetadata.appId,
+        app_version: options.releaseMetadata.releaseKey,
+    };
+    const artifactSetDigest = sha256Hex(JSON.stringify({
+        appManifest,
+        dependencyExport: { kind: dependencyExport.kind, sha256: dependencyExport.sha256 },
+        release: options.releaseMetadata,
+        sourceBundle: sourceBundleDigest,
+        version: MINUTEWORK_CUSTOMER_WEB_PACKAGE_VERSION,
+    }));
+    return {
+        appId: options.releaseMetadata.appId,
+        artifactSetDigest,
+        compileGraph: {
+            documents: {
+                appManifests: [appManifest],
+            },
+        },
+        dependencyExport,
+        sourceBundle: { files, sha256: sourceBundleDigest },
+        version: MINUTEWORK_CUSTOMER_WEB_PACKAGE_VERSION,
+    };
+}
+async function buildSourceFiles(root) {
+    const files = [];
+    async function visit(currentPath) {
+        const stat = await fs.lstat(currentPath);
+        if (stat.isSymbolicLink()) {
+            return;
+        }
+        if (stat.isDirectory()) {
+            const entries = await fs.readdir(currentPath);
+            await Promise.all(entries
+                .filter((entry) => !_IGNORED_DIRECTORIES.has(entry))
+                .sort()
+                .map((entry) => visit(path.join(currentPath, entry))));
+            return;
+        }
+        if (!stat.isFile()) {
+            return;
+        }
+        const relativePath = path.relative(root, currentPath).split(path.sep).join("/");
+        const contents = await fs.readFile(currentPath);
+        files.push({
+            contentBase64: contents.toString("base64"),
+            path: relativePath,
+            sha256: createHash("sha256").update(contents).digest("hex"),
+        });
+    }
+    await visit(root);
+    files.sort((left, right) => left.path.localeCompare(right.path));
+    return files;
+}
+async function buildDependencyExport(starterRoot) {
+    for (const [filename, kind] of [
+        ["pnpm-lock.yaml", "pnpm_lock"],
+        ["package-lock.json", "npm_lock"],
+        ["yarn.lock", "yarn_lock"],
+    ]) {
+        try {
+            const content = await fs.readFile(path.join(starterRoot, filename), "utf8");
+            return { content, kind, sha256: sha256Hex(content) };
+        }
+        catch (error) {
+            if (error.code !== "ENOENT") {
+                throw error;
+            }
+        }
+    }
+    return { content: "", kind: "none", sha256: sha256Hex("") };
+}
+function sha256Hex(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+/**
+ * Drive a single self-serve live customer-web deploy: provision + bind the canonical
+ * host, run the tenant-app release through the live publication-review gate, and (only
+ * on an approved attestation) activate it live so the gateway serves same-origin `/_mw`.
+ */
+export async function runCustomerWebLiveDeploy(options) {
+    const link = await options.client.linkCustomerWeb({
+        customHostname: options.customHostname,
+        hostLabel: options.hostLabel,
+    });
+    const propertyKey = link.property.property_key;
+    // Bring-your-own custom domains must clear an out-of-band DNS / HTTP challenge before
+    // they can be promoted canonical. If the host is not yet verified, surface the
+    // challenge and stop — re-run with --verify <token> once the record is in place.
+    if (link.host.verification_required && !options.verifyChallengeResponse) {
+        return renderPendingVerification({ io: options.io, json: options.json, link, renderJson: options.renderJson });
+    }
+    if (options.verifyChallengeResponse) {
+        const verified = await options.client.verifyCustomerWebDomain({
+            challengeResponse: options.verifyChallengeResponse,
+            hostname: link.host.hostname,
+            propertyKey,
+        });
+        if (verified.host.verification_status !== "verified") {
+            const message = `Custom host ${verified.host.hostname} did not verify; re-check the DNS/HTTP challenge.`;
+            if (options.json) {
+                options.io.stdout(options.renderJson({ error: { message }, ok: false, status: "verification_failed" }));
+            }
+            else {
+                options.io.stderr(message);
+            }
+            return 1;
+        }
+    }
+    const canonicalHost = link.host.canonical_host || link.host.hostname;
+    if (options.json && !options.yes) {
+        options.io.stdout(options.renderJson({
+            error: {
+                message: "Live customer-web deploy needs confirmation; re-run with --yes (required alongside --json).",
+            },
+            ok: false,
+            result: { canonicalHost, propertyKey },
+            status: "confirmation_required",
+        }));
+        return 1;
+    }
+    const confirmed = options.yes ||
+        (await (options.dependencies?.confirmCustomerWebLiveDeploy ?? defaultConfirmCustomerWebLiveDeploy)({
+            canonicalHost,
+            propertyKey,
+        }));
+    if (!confirmed) {
+        options.io.stderr("Live customer-web deploy cancelled.");
+        return 1;
+    }
+    const packagePayload = await buildCustomerWebPackage({
+        releaseMetadata: options.releaseMetadata,
+        workspaceRoot: options.workspaceRoot,
+    });
+    const response = await options.client.activateCustomerWebLive({
+        packagePayload,
+        propertyKey,
+        releaseKey: options.releaseMetadata.releaseKey,
+        runtimeContentRef: options.releaseMetadata.runtimeContentRef,
+    });
+    const succeeded = response.activated && response.resolves_live;
+    if (options.json) {
+        options.io.stdout(options.renderJson({
+            ok: succeeded,
+            result: {
+                activated: response.activated,
+                attestationState: response.attestation_state,
+                canonicalHost: response.canonical_host,
+                findings: response.findings,
+                propertyKey,
+                reason: response.reason,
+                resolvesLive: response.resolves_live,
+            },
+            status: response.attestation_state,
+        }));
+        return succeeded ? 0 : 1;
+    }
+    renderActivateResult(options.io, response);
+    return succeeded ? 0 : 1;
+}
+function renderPendingVerification(options) {
+    const host = options.link.host;
+    if (options.json) {
+        options.io.stdout(options.renderJson({
+            ok: false,
+            result: {
+                challengeToken: host.challenge_token,
+                hostname: host.hostname,
+                propertyKey: options.link.property.property_key,
+                verificationMethod: host.verification_method,
+            },
+            status: "verification_required",
+        }));
+        return 2;
+    }
+    options.io.stdout(`Registered custom customer-web host ${host.hostname} (pending verification).`);
+    options.io.stdout(`Verification method: ${host.verification_method}`);
+    options.io.stdout(`Challenge token: ${host.challenge_token}`);
+    options.io.stdout(`Publish the challenge (DNS TXT / HTTP well-known), then re-run with --host ${host.hostname} --verify ${host.challenge_token}.`);
+    return 2;
+}
+function renderActivateResult(io, response) {
+    if (response.activated && response.resolves_live) {
+        io.stdout(`Live customer-web host: https://${response.canonical_host}/`);
+        io.stdout(`Attestation: ${response.attestation_state}`);
+        io.stdout("Same-origin /_mw customer auth is now served for this host.");
+    }
+    else if (response.activated) {
+        io.stderr(`Release activated but the host is not resolving live yet (reason: ${response.reason || "unknown"}).`);
+    }
+    else {
+        io.stderr(`Live customer-web deploy rejected by the publication-review gate (attestation: ${response.attestation_state}).`);
+    }
+    if (response.findings.length > 0) {
+        io.stdout(`Review findings (${response.findings.length}):`);
+        for (const finding of response.findings) {
+            io.stdout(`  [${finding.severity}] ${finding.gate_id}/${finding.finding_kind}: ${finding.summary}`);
+            if (finding.evidence_ref) {
+                io.stdout(`    evidence: ${finding.evidence_ref}`);
+            }
+            if (finding.remediation) {
+                io.stdout(`    fix: ${finding.remediation}`);
+            }
+        }
+    }
+}
+async function defaultConfirmCustomerWebLiveDeploy(context) {
+    const { createInterface } = await import("node:readline/promises");
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        throw new Error("Live customer-web deploy requires confirmation. Re-run interactively or pass `--yes`.");
+    }
+    const readline = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        const answer = (await readline.question(`Activate ${context.propertyKey} live on ${context.canonicalHost}? [y/N] `))
+            .trim()
+            .toLowerCase();
+        return answer === "y" || answer === "yes";
+    }
+    finally {
+        readline.close();
+    }
+}
+//# sourceMappingURL=customer-web.js.map

package/dist/customer-web.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"customer-web.js","sourceRoot":"","sources":["../src/customer-web.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAY7B,MAAM,CAAC,MAAM,uCAAuC,GAAG,gCAAgC,CAAC;AAIxF,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,MAAM;IACN,OAAO;IACP,QAAQ;IACR,SAAS;IACT,UAAU;IACV,MAAM;IACN,cAAc;IACd,KAAK;CACN,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,OAG7C;IACC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;IAC1F,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAClD,MAAM,kBAAkB,GAAG,SAAS,CAClC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAChF,CAAC;IACF,MAAM,gBAAgB,GAAG,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;IAClE,MAAM,WAAW,GAAG;QAClB,SAAS,EAAE,cAAc;QACzB,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,KAAK;QACrC,WAAW,EAAE,OAAO,CAAC,eAAe,CAAC,UAAU;KAChD,CAAC;IACF,MAAM,iBAAiB,GAAG,SAAS,CACjC,IAAI,CAAC,SAAS,CAAC;QACb,WAAW;QACX,gBAAgB,EAAE,EAAE,IAAI,EAAE,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC,MAAM,EAAE;QAClF,OAAO,EAAE,OAAO,CAAC,eAAe;QAChC,YAAY,EAAE,kBAAkB;QAChC,OAAO,EAAE,uCAAuC;KACjD,CAAC,CACH,CAAC;IACF,OAAO;QACL,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,KAAK;QACpC,iBAAiB;QACjB,YAAY,EAAE;YACZ,SAAS,EAAE;gBACT,YAAY,EAAE,CAAC,WAAW,CAAC;aAC5B;SACF;QACD,gBAAgB;QAChB,YAAY,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE;QACnD,OAAO,EAAE,uCAAuC;KACjD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAuB,EAAE,CAAC;IAErC,KAAK,UAAU,KAAK,CAAC,WAAmB;QACtC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,OAAO,CAAC,GAAG,CACf,OAAO;iBACJ,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;iBACnD,IAAI,EAAE;iBACN,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,CACxD,CAAC;YACF,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QACD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC;YACT,aAAa,EAAE,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1C,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,WAAmB;IAEnB,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI;QAC7B,CAAC,gBAAgB,EAAE,WAAW,CAAC;QAC/B,CAAC,mBAAmB,EAAE,UAAU,CAAC;QACjC,CAAC,WAAW,EAAE,WAAW,CAAC;KAClB,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,CAAC;YAC5E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACvD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AASD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,OAiB9C;IACC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC;QAChD,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;IAE/C,sFAAsF;IACtF,+EAA+E;IAC/E,iFAAiF;IACjF,IAAI,IAAI,CAAC,IAAI,CAAC,qBAAqB,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,CAAC;QACxE,OAAO,yBAAyB,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACjH,CAAC;IAED,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,uBAAuB,CAAC;YAC5D,iBAAiB,EAAE,OAAO,CAAC,uBAAuB;YAClD,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;YAC5B,WAAW;SACZ,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,UAAU,EAAE,CAAC;YACrD,MAAM,OAAO,GAAG,eAAe,QAAQ,CAAC,IAAI,CAAC,QAAQ,mDAAmD,CAAC;YACzG,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,EAAE,CAAC,MAAM,CACf,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC,CACrF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC7B,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;IACrE,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACjC,OAAO,CAAC,EAAE,CAAC,MAAM,CACf,OAAO,CAAC,UAAU,CAAC;YACjB,KAAK,EAAE;gBACL,OAAO,EACL,6FAA6F;aAChG;YACD,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,EAAE,aAAa,EAAE,WAAW,EAAE;YACtC,MAAM,EAAE,uBAAuB;SAChC,CAAC,CACH,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,SAAS,GACb,OAAO,CAAC,GAAG;QACX,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,4BAA4B,IAAI,mCAAmC,CAAC,CAAC;YACjG,aAAa;YACb,WAAW;SACZ,CAAC,CAAC,CAAC;IACN,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,qCAAqC,CAAC,CAAC;QACzD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,uBAAuB,CAAC;QACnD,eAAe,EAAE,OAAO,CAAC,eAAe;QACxC,aAAa,EAAE,OAAO,CAAC,aAAa;KACrC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,uBAAuB,CAAC;QAC5D,cAAc;QACd,WAAW;QACX,UAAU,EAAE,OAAO,CAAC,eAAe,CAAC,UAAU;QAC9C,iBAAiB,EAAE,OAAO,CAAC,eAAe,CAAC,iBAAiB;KAC7D,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,aAAa,CAAC;IAC/D,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,EAAE,CAAC,MAAM,CACf,OAAO,CAAC,UAAU,CAAC;YACjB,EAAE,EAAE,SAAS;YACb,MAAM,EAAE;gBACN,SAAS,EAAE,QAAQ,CAAC,SAAS;gBAC7B,gBAAgB,EAAE,QAAQ,CAAC,iBAAiB;gBAC5C,aAAa,EAAE,QAAQ,CAAC,cAAc;gBACtC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,WAAW;gBACX,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,YAAY,EAAE,QAAQ,CAAC,aAAa;aACrC;YACD,MAAM,EAAE,QAAQ,CAAC,iBAAiB;SACnC,CAAC,CACH,CAAC;QACF,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,oBAAoB,CAAC,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC3C,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,yBAAyB,CAAC,OAKlC;IACC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;IAC/B,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,EAAE,CAAC,MAAM,CACf,OAAO,CAAC,UAAU,CAAC;YACjB,EAAE,EAAE,KAAK;YACT,MAAM,EAAE;gBACN,cAAc,EAAE,IAAI,CAAC,eAAe;gBACpC,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY;gBAC/C,kBAAkB,EAAE,IAAI,CAAC,mBAAmB;aAC7C;YACD,MAAM,EAAE,uBAAuB;SAChC,CAAC,CACH,CAAC;QACF,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,uCAAuC,IAAI,CAAC,QAAQ,0BAA0B,CAAC,CAAC;IAClG,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC;IACtE,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,oBAAoB,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,EAAE,CAAC,MAAM,CACf,8EAA8E,IAAI,CAAC,QAAQ,aAAa,IAAI,CAAC,eAAe,GAAG,CAChI,CAAC;IACF,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,oBAAoB,CAAC,EAAS,EAAE,QAAkD;IACzF,IAAI,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;QACjD,EAAE,CAAC,MAAM,CAAC,mCAAmC,QAAQ,CAAC,cAAc,GAAG,CAAC,CAAC;QACzE,EAAE,CAAC,MAAM,CAAC,gBAAgB,QAAQ,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACxD,EAAE,CAAC,MAAM,CAAC,6DAA6D,CAAC,CAAC;IAC3E,CAAC;SAAM,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC9B,EAAE,CAAC,MAAM,CACP,qEAAqE,QAAQ,CAAC,MAAM,IAAI,SAAS,IAAI,CACtG,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,MAAM,CACP,kFAAkF,QAAQ,CAAC,iBAAiB,IAAI,CACjH,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,EAAE,CAAC,MAAM,CAAC,oBAAoB,QAAQ,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,CAAC;QAC5D,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACxC,EAAE,CAAC,MAAM,CAAC,MAAM,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,YAAY,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YACpG,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;gBACzB,EAAE,CAAC,MAAM,CAAC,iBAAiB,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,EAAE,CAAC,MAAM,CAAC,YAAY,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,mCAAmC,CAAC,OAGlD;IACC,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACnE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,uFAAuF,CAAC,CAAC;IAC3G,CAAC;IACD,MAAM,QAAQ,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACnF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,CACb,MAAM,QAAQ,CAAC,QAAQ,CAAC,YAAY,OAAO,CAAC,WAAW,YAAY,OAAO,CAAC,aAAa,UAAU,CAAC,CACpG;aACE,IAAI,EAAE;aACN,WAAW,EAAE,CAAC;QACjB,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,KAAK,CAAC;IAC5C,CAAC;YAAS,CAAC;QACT,QAAQ,CAAC,KAAK,EAAE,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/deploy.d.ts

@@ -1,7 +1,8 @@
+import { type CustomerWebLiveDeployDependencies } from "./customer-web.js";
 import { type DeveloperClientDependencies } from "./developer-client.js";
 import type { CliIo } from "./index.js";
 import type { CliStatePaths, PlatformName } from "./paths.js";
-export type DeployDependencies = DeveloperClientDependencies & {
+export type DeployDependencies = DeveloperClientDependencies & CustomerWebLiveDeployDependencies & {
     confirmPreviewDeploy?: (context: {
         appId?: string;
         localReleaseDigest: string;
@@ -24,4 +25,4 @@ export declare function runDeployCommand(options: {
     io: CliIo;
     paths: CliStatePaths;
     platform: PlatformName;
-}): Promise<0 | 1>;
+}): Promise<number>;