feat(deploy): implement resumable deploy wizard

[wyattjoh]

Summary

Adds the first hidden clerk deploy implementation for guiding a linked Clerk app from development setup toward production. In human mode the wizard validates clone compatibility, discovers enabled OAuth providers from the development instance config, asks for a user-owned production domain, creates a production instance, guides DNS setup, collects production OAuth credentials, and prints production next steps. In agent mode the command exits early with a structured deployment prompt for noninteractive use.

Details

The hidden clerk deploy command registers with --debug, --continue, and --abort flags. Deploy API-shaped mocks live in commands/deploy/api.ts behind FIXME(deploy) markers covering the full production-instance lifecycle: clone validation, instance creation, deploy-status polling, SSL/mail retry hooks, and production config patching. Each helper is sized so it can be swapped for a live Platform API call later.

Paused deploy state persists in the CLI profile and records the app and development instance identity, production instance and domain ids, the active DNS or OAuth step, all enabled OAuth providers, and completed provider progress. The wizard supports safe pause/resume for DNS handoff, skipped OAuth setup, and prompt interruption: plain clerk deploy refuses to start a second run while a bookmark exists, and --continue validates that the bookmark belongs to the currently linked project.

OAuth credential flows are implemented for Google, GitHub, Microsoft, Apple, and Linear. Google can import a downloaded OAuth JSON file, Apple validates the selected .p8 private key file, and provider walkthroughs show the required production origins and redirect URLs. Deploy-specific copy helpers cover the plan summary, CNAME records, dashboard handoff, pause messaging, production summary, and post-deploy next steps. Spinner and log gutter rendering gain tone-aware rails for active, paused, cancelled, failed, and successful command states plus more robust prompt-exit handling. Key-shaped mock deploy values are replaced with MOCKED_NOT_REAL_FIXME so the branch does not trip secret scanning.

Reviewer notes

The command is hidden for now. The deploy lifecycle API calls are mocked by design; the only live read in the wizard is development instance config discovery via existing PLAPI plumbing. Production OAuth writes are also mocked while the production instance returned by the deploy flow is fake. The deploy README is updated with the current mocked endpoint surface, sequence diagram, OAuth credential shapes, and resume/abort behavior.

Test plan

• bun run scripts/run-tests.ts --pattern 'packages/cli-core/src/commands/deploy/index.test.ts' --concurrency 1
• bun run typecheck
• bun run lint
• CI green

[changeset-bot]

⚠️ No Changeset found

Latest commit: 17877b1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[wyattjoh]

!snapshot

[github-actions]

Snapshot published

npm install -g clerk@1.3.1-snapshot.0dd30be

Package	Version
clerk	1.3.1-snapshot.0dd30be

Published from 0dd30be

[wyattjoh]

Stack: api-errors-and-deploy

• refactor(errors): expose structured Clerk error fields on ApiError subclasses #288
  • feat(deploy): implement resumable deploy wizard #260 👈 this PR
    • feat(deploy): recover from production_instance_exists and surface plan-feature errors #289

Part of a stacked PR chain. Do not merge manually.