Fix CLI cloud push flows

[ChiragAgg5k]

Summary

This PR fixes several issues found while testing the CLI with OAuth access tokens and staging/regional Cloud projects.

OAuth and token handling

• Refreshes the access token once before treating a whoami/current-account request as signed out.
• Adds a forceRefresh option to getValidAccessToken() so callers can explicitly bypass a still-present access token when recovering from guest/unauthorized responses.
• Passes the active organization ID into console SDK clients used by push flows that need Console admin APIs.

Cloud region handling

• Fixes init project endpoint generation for staging projects by preserving the current Cloud environment host, so staging projects use endpoints such as https://syd.stage.cloud.appwrite.io/v1 instead of production regional hosts.
• Adds a shared getCloudEndpointRegion() helper in CLI utils.
• Keeps console deployment links non-regional while preserving staging links, e.g. https://stage.cloud.appwrite.io/... instead of https://syd.stage.cloud.appwrite.io/....
• Adds a temporary fallback for default function proxy rule creation that rewrites _APP_DOMAIN_FUNCTIONS to the project endpoint region, e.g. fra.stage.appwrite.run to syd.stage.appwrite.run.
• Adds a TODO to replace that fallback with a server-provided regional functions domain once the API exposes it.

Push behavior and diagnostics

• Creates/repairs missing default function proxy rules for existing functions, not just newly-created functions.
• Logs the proxy rule creation step so it is no longer hidden during appwrite push function.
• Uses formatted verbose error output across push commands instead of dumping raw bundled stack/source output.
• Improves push --all resource group errors by rendering per-resource-group failures instead of concatenating messages into a single line.
• Moves the site deployment prompt into the sites push step during push --all, so users are not prompted about sites before settings/tables/etc. run.
• Pushes TablesDB before tables and detects config resync cases after TablesDB deletion changes.

Project settings push

• Parallelizes service, protocol, auth method, security policy, and mock phone updates to reduce push --all settings time.
• Treats auth policy totals of 0 as null in generated config and when pushing settings, matching API docs where null disables these limits.
• Allows null for limit, sessionsLimit, and passwordHistory in CLI config validation.

Config handling

• Fixes _addDBEntity() so init tablesdb can add DB entities when the target config array does not exist yet.

Testing

• Ran php example.php cli.
• Ran npm run build:runtime from examples/cli.
• Manually verified during debugging against staging that regional function proxy rule creation succeeds when the domain suffix matches the project region, and fails with domain_owned_by_different_organization when the manager-region suffix is used against the regional API.

Notes

• examples/cli is ignored in this checkout, so this PR contains the CLI template changes. The generated CLI was still regenerated and built locally for verification.
• The regional function domain rewrite is intentionally a small fallback. The longer-term fix should be an API/server surface that returns the correct regional functions domain for a project.

[greptile-apps]

Greptile Summary

This PR fixes multiple CLI issues with OAuth token handling, staging/regional Cloud endpoint routing, push flow behaviour, and project settings updates.

• Auth & tokens: Adds a token refresh retry in getCurrentAccount before signing out on a guest/unauthorized response; introduces a forceRefresh option in getValidAccessToken and injects the active organization ID into console SDK clients used by push flows.
• Regional Cloud routing: Fixes init project to preserve the current Cloud environment host (e.g. staging) when building regional endpoints; adds getCloudEndpointRegion and getCloudConsoleHostname helpers; adds a temporary region-rewrite fallback for default function proxy rule creation.
• Push behaviour: Repairs missing default function proxy rules for existing functions (not just new ones); parallelises service/protocol/auth-method/policy settings updates; improves push --all error formatting per resource group; moves the site deployment prompt inside the sites push step; adds TablesDB resync detection before table pushes; fixes _addDBEntity for init tablesdb when the config array doesn't exist yet.

Confidence Score: 4/5

The changes are well-scoped fixes backed by manual staging verification; the two observations are non-blocking edge cases that do not affect the core flows.

The token-refresh retry in getCurrentAccount swallows all inner errors and calls removeCurrentSession() even when the refresh itself succeeded — a flaky network on the second account.get() call would silently sign the user out despite holding a fresh token. The parallel Promise.all for settings policy updates fires all requests but discards in-flight results on the first rejection, leaving the project in a partially-applied settings state with no per-field diagnostics. Both are real but low-frequency edge cases in an otherwise clean and well-tested refactor.

templates/cli/lib/auth/login.ts (token refresh error handling) and templates/cli/lib/commands/push.ts (parallel settings update rejection semantics)

Important Files Changed

Filename	Overview
templates/cli/lib/auth/login.ts	Adds a token refresh retry in getCurrentAccount before signing out on a guest/unauthorized error; broad inner catch can still remove the session on transient failures after a successful refresh
templates/cli/lib/commands/config.ts	Allows null for limit, sessionsLimit, and passwordHistory in the settings Zod schema, matching the API behaviour of treating null as no limit
templates/cli/lib/commands/init.ts	Replaces hard-coded DEFAULT_ENDPOINT with a local getRegionalCloudEndpoint helper that preserves the active Cloud environment when constructing regional project endpoints
templates/cli/lib/commands/push.ts	Large refactor adding parallel settings updates, per-resource-group error formatting, organization ID injection, default function proxy rule repair, sites prompt relocation, and TablesDB resync detection; parallel policy updates use Promise.all which silently drops results on rejection
templates/cli/lib/config.ts	Fixes _addDBEntity to correctly initialise the entity array when the target key does not exist yet
templates/cli/lib/sdks.ts	Adds a forceRefresh option to getValidAccessToken so callers can bypass a still-valid cached token when recovering from an auth failure
templates/cli/lib/utils.ts	Adds getCloudEndpointRegion and getCloudConsoleHostname helpers; fixes policyTotal to return null instead of 0, and getConsoleBaseUrl to preserve staging hostnames while stripping regional prefixes

Comments Outside Diff (1)

1. templates/cli/lib/commands/push.ts, line 1219-1310 (link)

   Parallel policy updates fire-and-forget on Promise.all rejection

   Promise.all(securityUpdates) rejects on the first API error, but the remaining in-flight calls still complete without their results being tracked. If, for example, updateSessionDurationPolicy fails, the duration is left unchanged while updateUserLimitPolicy (and others already submitted) may silently succeed. This produces a partially-applied settings state with no per-field success/failure report. The same pattern applies to mockNumberUpdates and the auth methods block. Consider using Promise.allSettled and then collecting the failures to throw a richer error, or at minimum wrapping the pattern with a comment about the partial-application risk so it is easy to revisit.

_{Reviews (1): Last reviewed commit: "Fix CLI cloud push flows" | Re-trigger Greptile}