refactor: derive snapshot types from OpenAPI UpdateRequest schemas

Replace all hand-written *Snapshot interfaces with types derived from
the generated OpenAPI Update*Request schemas via Required<Schemas[...]>.
This guarantees that when the API contract changes (field added, removed,
or renamed), the TypeScript compiler immediately errors in the snapshot
functions, preventing silent drift between YAML engine and API.

Key changes:
- Remove dead alwaysChanged plumbing from HandlerDef / defineHandler
- Replace 14 custom snapshot interfaces with Required<UpdateXRequest>
  type aliases (tag, environment, notificationPolicy, webhook,
  resourceGroup, monitor) or documented custom types for special cases
  (secret: hash-based, alertChannel: hash-based, dependency: split API)
- Remove 7 old normalization helpers, replace with 4 API-type-aligned
  helpers (sortAssertions, apiAssertionsToSnapshot,
  apiIncidentPolicyToSnapshot, apiTagsToSnapshot)
- Export toCreateAssertionRequest and toIncidentPolicy from transform.ts
- Centralize as-any casts into api-client.ts helper functions
- Add typed RefEntry<K> generics to resolver.ts
- Add RefTypeDtoMap to types.ts for compile-time DTO mapping
- Fix webhook snapshot to also track enabled field
- Fix resourceGroup snapshot field name (defaultAlertChannelIds →
  defaultAlertChannels) to match API contract
- Make toDesiredSnapshot / toCurrentSnapshot required (not optional)

Made-with: Cursor

Author: caballeto

docs/openapi/monitoring-api.json

@@ -1,6 +1,6 @@
 import {Command, Args} from '@oclif/core'
 import {globalFlags, buildClient} from '../../lib/base-command.js'
-import {typedPost} from '../../lib/typed-api.js'
+import {checkedFetch} from '../../lib/api-client.js'
 
 export default class AlertChannelsTest extends Command {
   static description = 'Send a test notification to an alert channel'
@@ -11,7 +11,7 @@ export default class AlertChannelsTest extends Command {
   async run() {
     const {args, flags} = await this.parse(AlertChannelsTest)
     const client = buildClient(flags)
-    const resp = await typedPost<{data?: {success?: boolean}}>(client, `/api/v1/alert-channels/${args.id}/test`)
+    const resp = await checkedFetch(client.POST('/api/v1/alert-channels/{id}/test', {params: {path: {id: args.id}}}))
     this.log(resp.data?.success ? 'Test notification sent successfully.' : 'Test notification failed.')
   }
 }

src/commands/alert-channels/test.ts

@@ -1,6 +1,6 @@
 import {Command, Args} from '@oclif/core'
 import {globalFlags, buildClient} from '../../lib/base-command.js'
-import {typedPost} from '../../lib/typed-api.js'
+import {checkedFetch} from '../../lib/api-client.js'
 
 export default class ApiKeysRevoke extends Command {
   static description = 'Revoke an API key'
@@ -11,7 +11,7 @@ export default class ApiKeysRevoke extends Command {
   async run() {
     const {args, flags} = await this.parse(ApiKeysRevoke)
     const client = buildClient(flags)
-    await typedPost(client, `/api/v1/api-keys/${args.id}/revoke`)
+    await checkedFetch(client.POST('/api/v1/api-keys/{id}/revoke', {params: {path: {id: Number(args.id)}}}))
     this.log(`API key '${args.id}' revoked.`)
   }
 }

src/commands/api-keys/revoke.ts

@@ -1,7 +1,6 @@
 import {Command, Flags} from '@oclif/core'
 import {globalFlags} from '../../lib/base-command.js'
-import {createApiClient} from '../../lib/api-client.js'
-import {typedGet} from '../../lib/typed-api.js'
+import {createApiClient, checkedFetch, apiGet} from '../../lib/api-client.js'
 import {saveContext, resolveApiUrl} from '../../lib/auth.js'
 import * as readline from 'node:readline'
 
@@ -26,9 +25,7 @@ export default class AuthLogin extends Command {
     const client = createApiClient({baseUrl: apiUrl, token})
 
     try {
-      const resp = await typedGet<{data?: {organization?: {name?: string; id?: number}; key?: {name?: string}; plan?: {tier?: string}}}>(
-        client, '/api/v1/auth/me',
-      )
+      const resp = await checkedFetch(client.GET('/api/v1/auth/me'))
       const me = resp.data
 
       saveContext({name: flags.name, apiUrl, token}, true)
@@ -45,7 +42,7 @@ export default class AuthLogin extends Command {
     }
 
     try {
-      await typedGet(client, '/api/v1/dashboard/overview')
+      await apiGet(client, '/api/v1/dashboard/overview')
       saveContext({name: flags.name, apiUrl, token}, true)
       this.log('')
       this.log(`  Authenticated successfully.`)

src/commands/auth/login.ts

@@ -1,24 +1,8 @@
 import {Command} from '@oclif/core'
 import {globalFlags, buildClient} from '../../lib/base-command.js'
-import {typedGet} from '../../lib/typed-api.js'
+import {checkedFetch} from '../../lib/api-client.js'
 import {formatOutput, OutputFormat} from '../../lib/output.js'
 
-interface AuthMeResponse {
-  data?: {
-    key?: {id?: string; name?: string; createdAt?: string; expiresAt?: string; lastUsedAt?: string}
-    organization?: {id?: number; name?: string}
-    plan?: {
-      tier?: string
-      subscriptionStatus?: string
-      trialActive?: boolean
-      trialExpiresAt?: string
-      usage?: Record<string, number>
-      entitlements?: Record<string, {value: number}>
-    }
-    rateLimits?: {requestsPerMinute?: number; remaining?: number; windowMs?: number}
-  }
-}
-
 export default class AuthMe extends Command {
   static description = 'Show current API key identity, organization, plan, and rate limits'
   static examples = ['<%= config.bin %> auth me', '<%= config.bin %> auth me --output json']
@@ -27,7 +11,7 @@ export default class AuthMe extends Command {
   async run() {
     const {flags} = await this.parse(AuthMe)
     const client = buildClient(flags)
-    const resp = await typedGet<AuthMeResponse>(client, '/api/v1/auth/me')
+    const resp = await checkedFetch(client.GET('/api/v1/auth/me'))
     const me = resp.data
 
     const format = flags.output as OutputFormat

src/commands/auth/me.ts

@@ -1,6 +1,6 @@
 import {Command, Args} from '@oclif/core'
 import {globalFlags, buildClient, display} from '../../../lib/base-command.js'
-import {typedGet} from '../../../lib/typed-api.js'
+import {checkedFetch} from '../../../lib/api-client.js'
 
 export default class DataServicesStatus extends Command {
   static description = 'Get the current status of a service'
@@ -11,7 +11,7 @@ export default class DataServicesStatus extends Command {
   async run() {
     const {args, flags} = await this.parse(DataServicesStatus)
     const client = buildClient(flags)
-    const resp = await typedGet<{data?: unknown}>(client, `/api/v1/services/${args.slug}`)
+    const resp = await checkedFetch(client.GET('/api/v1/services/{slugOrId}', {params: {path: {slugOrId: args.slug}}}))
     display(this, resp.data ?? resp, flags.output)
   }
 }

src/commands/data/services/status.ts

@@ -1,6 +1,6 @@
 import {Command, Args, Flags} from '@oclif/core'
 import {globalFlags, buildClient, display} from '../../../lib/base-command.js'
-import {typedGet} from '../../../lib/typed-api.js'
+import {apiGet} from '../../../lib/api-client.js'
 
 export default class DataServicesUptime extends Command {
   static description = 'Get uptime data for a service'
@@ -18,9 +18,9 @@ export default class DataServicesUptime extends Command {
   async run() {
     const {args, flags} = await this.parse(DataServicesUptime)
     const client = buildClient(flags)
-    const query: Record<string, unknown> = {period: flags.period}
+    const query: Record<string, string> = {period: flags.period}
     if (flags.granularity) query.granularity = flags.granularity
-    const resp = await typedGet<{data?: unknown}>(client, `/api/v1/services/${args.slug}/uptime`, query)
+    const resp = await apiGet<{data?: unknown}>(client, `/api/v1/services/${args.slug}/uptime`, {query})
     display(this, resp.data ?? resp, flags.output)
   }
 }

src/commands/data/services/uptime.ts

@@ -1,6 +1,6 @@
 import {Command, Args} from '@oclif/core'
 import {globalFlags, buildClient} from '../../lib/base-command.js'
-import {typedPost} from '../../lib/typed-api.js'
+import {checkedFetch} from '../../lib/api-client.js'
 
 export default class DependenciesTrack extends Command {
   static description = 'Start tracking a service as a dependency'
@@ -11,7 +11,7 @@ export default class DependenciesTrack extends Command {
   async run() {
     const {args, flags} = await this.parse(DependenciesTrack)
     const client = buildClient(flags)
-    const resp = await typedPost<{data?: {serviceName?: string}}>(client, `/api/v1/service-subscriptions/${args.slug}`)
-    this.log(`Now tracking '${resp.data?.serviceName}' as a dependency.`)
+    const resp = await checkedFetch(client.POST('/api/v1/service-subscriptions/{slug}', {params: {path: {slug: args.slug}}}))
+    this.log(`Now tracking '${resp.data?.name}' as a dependency.`)
   }
 }

src/commands/dependencies/track.ts

@@ -1,5 +1,6 @@
+import {hostname} from 'node:os'
 import {Command, Flags} from '@oclif/core'
-import {createApiClient} from '../lib/api-client.js'
+import {createApiClient, apiPost, apiDelete} from '../lib/api-client.js'
 import {resolveToken, resolveApiUrl} from '../lib/auth.js'
 import {loadConfig, validate, fetchAllRefs, diff, formatPlan, apply, writeState, buildState} from '../lib/yaml/index.js'
 import {checkEntitlements, formatEntitlementWarnings} from '../lib/yaml/entitlements.js'
@@ -35,6 +36,14 @@ export default class Deploy extends Command {
       description: 'Show what would change without applying (same as "devhelm plan")',
       default: false,
     }),
+    'force-unlock': Flags.boolean({
+      description: 'Force-break an existing deploy lock before acquiring',
+      default: false,
+    }),
+    'no-lock': Flags.boolean({
+      description: 'Skip deploy locking (not recommended for team use)',
+      default: false,
+    }),
     'api-url': Flags.string({description: 'Override API base URL'}),
     'api-token': Flags.string({description: 'Override API token'}),
     verbose: Flags.boolean({char: 'v', description: 'Show verbose output', default: false}),
@@ -111,27 +120,76 @@ export default class Deploy extends Command {
       }
     }
 
-    this.log('Applying changes...')
-    const applyResult = await apply(changeset, refs, client)
-
-    for (const s of applyResult.succeeded) {
-      const icon = s.action === 'delete' ? '-' : s.action === 'update' ? '~' : '+'
-      this.log(`  ${icon} ${s.resourceType} "${s.refKey}" — ${s.action}d`)
+    let lockId: string | undefined
+    if (!flags['no-lock']) {
+      lockId = await this.acquireLock(client, flags['force-unlock'])
     }
 
-    if (applyResult.failed.length > 0) {
-      this.log('')
-      for (const f of applyResult.failed) {
-        this.log(`  ✗ ${f.resourceType} "${f.refKey}" — ${f.action} failed: ${f.error}`)
+    try {
+      this.log('Applying changes...')
+      const applyResult = await apply(changeset, refs, client)
+
+      for (const s of applyResult.succeeded) {
+        const icon = s.action === 'delete' ? '-' : s.action === 'update' ? '~' : '+'
+        this.log(`  ${icon} ${s.resourceType} "${s.refKey}" — ${s.action}d`)
       }
-    }
 
-    writeState(buildState(applyResult.stateEntries))
+      if (applyResult.failed.length > 0) {
+        this.log('')
+        for (const f of applyResult.failed) {
+          this.log(`  ✗ ${f.resourceType} "${f.refKey}" — ${f.action} failed: ${f.error}`)
+        }
+      }
 
-    this.log(`\nDone: ${applyResult.succeeded.length} succeeded, ${applyResult.failed.length} failed.`)
+      writeState(buildState(applyResult.stateEntries))
 
-    if (applyResult.failed.length > 0) {
-      this.exit(2)
+      this.log(`\nDone: ${applyResult.succeeded.length} succeeded, ${applyResult.failed.length} failed.`)
+
+      if (applyResult.failed.length > 0) {
+        this.exit(2)
+      }
+    } finally {
+      if (lockId) {
+        await this.releaseLock(client, lockId)
+      }
     }
   }
+
+  private async acquireLock(client: ReturnType<typeof createApiClient>, forceUnlock: boolean): Promise<string | undefined> {
+    if (forceUnlock) {
+      try {
+        await apiDelete(client, '/api/v1/deploy/lock/force')
+      } catch {
+        // Force-unlock is best-effort; the lock may not exist
+      }
+    }
+
+    try {
+      const resp = await apiPost<{data?: {id?: string}}>(
+        client, '/api/v1/deploy/lock',
+        {lockedBy: `${process.env.USER ?? 'cli'}@${hostname()}`, ttlMinutes: 10},
+      )
+      const lockId = resp.data?.id
+      if (!lockId) {
+        this.warn('Deploy lock acquired but no lock ID returned. Proceeding without lock protection.')
+      }
+      return lockId
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err)
+      if (msg.includes('409') || msg.includes('Conflict') || msg.includes('lock held')) {
+        this.warn(`Deploy lock conflict: ${msg}`)
+        this.warn('Use --force-unlock to break the existing lock, or --no-lock to skip locking.')
+        this.exit(3)
+      }
+      this.warn(`Failed to acquire deploy lock: ${msg}`)
+      this.warn('Use --no-lock to skip locking if the lock service is unavailable.')
+      this.exit(3)
+    }
+  }
+
+  private async releaseLock(client: ReturnType<typeof createApiClient>, lockId: string): Promise<void> {
+    try {
+      await apiDelete(client, `/api/v1/deploy/lock/${lockId}`)
+    } catch { /* best-effort release */ }
+  }
 }