feat: flow ai cli commands

[Gasser-Aly]

WHY are these changes introduced?

Fixes #0000

WHAT is this pull request doing?

How to test your changes?

Post-release steps

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes
• I've considered analytics changes to measure impact
• The change is user-facing — I've identified the correct bump type (patch for bug fixes · minor for new features · major for breaking changes) and added a changeset with pnpm changeset add

[Gasser-Aly]

• feat: flow ai cli commands #7501 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Differences in type declarations

We detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:

• Some seemingly private modules might be re-exported through public modules.
• If the branch is behind main you might see odd diffs, rebase main into this branch.

New type declarations

We found no new type declarations in this PR

Existing type declarations

packages/cli-kit/dist/private/node/session.d.ts

@@ -41,6 +41,11 @@ interface BusinessPlatformAPIOAuthOptions {
     /** List of scopes to request permissions for. */
     scopes: BusinessPlatformScope[];
 }
+export type IdentityScope = string;
+interface IdentityOAuthOptions {
+    /** List of Identity scopes to request permissions for. */
+    scopes: IdentityScope[];
+}
 /**
  * It represents the authentication requirements and
  * is the input necessary to trigger the authentication
@@ -52,6 +57,7 @@ export interface OAuthApplications {
     partnersApi?: PartnersAPIOAuthOptions;
     businessPlatformApi?: BusinessPlatformAPIOAuthOptions;
     appManagementApi?: AppManagementAPIOauthOptions;
+    identityApi?: IdentityOAuthOptions;
 }
 export interface OAuthSession {
     admin?: AdminSession;
@@ -59,6 +65,7 @@ export interface OAuthSession {
     storefront?: string;
     businessPlatform?: string;
     appManagement?: string;
+    identity?: string;
     userId: string;
 }
 type AuthMethod = 'partners_token' | 'device_auth' | 'theme_access_token' | 'custom_app_token' | 'none';

packages/cli-kit/dist/public/node/session.d.ts

@@ -1,4 +1,4 @@
-import { AdminAPIScope, AppManagementAPIScope, BusinessPlatformScope, EnsureAuthenticatedAdditionalOptions, PartnersAPIScope, StorefrontRendererScope } from '../../private/node/session.js';
+import { AdminAPIScope, AppManagementAPIScope, BusinessPlatformScope, EnsureAuthenticatedAdditionalOptions, IdentityScope, PartnersAPIScope, StorefrontRendererScope } from '../../private/node/session.js';
 /**
  * Session Object to access the Admin API, includes the token and the store FQDN.
  */
@@ -57,6 +57,21 @@ export declare function isServiceAccount(account: AccountInfo): account is Servi
 export declare function ensureAuthenticatedUser(env?: NodeJS.ProcessEnv, options?: EnsureAuthenticatedAdditionalOptions): Promise<{
     userId: string;
 }>;
+/**
+ * Ensure that we have a valid Identity access token with the requested scopes.
+ *
+ * Use this when a first-party Shopify service validates the CLI caller directly
+ * with Identity rather than with an exchanged application token.
+ *
+ * @param scopes - Identity scopes to authenticate with.
+ * @param env - Optional environment variables to use.
+ * @param options - Optional extra options to use.
+ * @returns The Identity access token and user ID.
+ */
+export declare function ensureAuthenticatedIdentity(scopes?: IdentityScope[], env?: NodeJS.ProcessEnv, options?: EnsureAuthenticatedAdditionalOptions): Promise<{
+    token: string;
+    userId: string;
+}>;
 /**
  * Ensure that we have a valid session to access the Partners API.
  * If SHOPIFY_CLI_PARTNERS_TOKEN exists, that token will be used to obtain a valid Partners Token