Add quarto publish posit-connect-cloud provider (#14041)

* Add `quarto publish posit-connect-cloud` provider

Implements a new publish provider for Posit Connect Cloud
(connect.posit.cloud) supporting static content publishing.

Authentication uses OAuth 2.0 Device Code flow (RFC 8628) with
dual-strategy token refresh (proactive before expiry + reactive
on 401). Bundle upload follows the rsconnect pattern: create
tar.gz with manifest.json, upload to presigned URL, then trigger
revision-based deployment with polling.

Key implementation details:
- Environment-aware: production, staging, development configs
  selectable via CONNECT_CLOUD_ENVIRONMENT env var
- CI/CD support via CONNECT_CLOUD_ACCESS_TOKEN env var
- Multi-account selection when user belongs to multiple orgs
- Account creation polling for users without publishable accounts
- Content state tracking: handles deleted content gracefully

Staging-first development: defaults to staging environment while
production client_id (quarto-cli) registration is pending. The
staging client_id (quarto-cli-staging) is available now.

Closes #14027

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add publishing architecture overview for LLM context

* Move OAuth params to POST body, consume publish response, add account polling spinner

Move OAuth parameters from URL query strings to POST request body in
initiateDeviceAuth, pollForToken, and refreshAccessToken per RFC 6749
§2.3.1 best practice — keeps refresh_token out of server/proxy access
logs. Add response body consumption in publishContent to prevent
resource leak. Wrap account creation polling in withSpinner for progress
indication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Rename to use full name posit-connect-cloud

* Address design review: eliminate non-null assertions, use async file read

Restructure publish() to return values from withSpinner callback via
destructuring, removing all non-null assertions. Switch bundle read from
Deno.readFileSync to async Deno.readFile. Update architecture doc to
reflect posit-connect-cloud provider addition.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update copyright year

* Avoid duplicate disk read for stored token in publish flow

clientForAccount already called findStoredToken internally, but
publish() also called it separately. Pass the token through instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add manual test fixtures for posit-connect-cloud publishing

Minimal single document and website project for manual testing
against the staging environment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix publish bugs: document staging, server URL display, getUser 401

Use renderForPublish() instead of render() directly so single documents
are staged correctly (document.html copied to index.html). Without this,
the Connect Cloud API rejects the bundle with "Unable to locate index.html".

Set server URL in AccountToken objects so account listings show which
environment is being used (e.g. "cderv (https://staging.connect.posit.cloud)").

Wrap getUser() in try/catch to handle 401 for users who authenticated with
Posit but haven't completed Connect Cloud signup. The account creation
polling in Step 6 handles this case.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add gitignore for test fixtures, document renderForPublish in llm-docs

Add .gitignore to manual test fixture directories to exclude rendered
output, _publish.yml, and _site/ from version control.

Document renderForPublish() in publishing-architecture.md — providers
publishing documents must use this instead of render() directly to
ensure proper staging (HTML→index.html, PDF→pdf.js wrapper).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add manual testing protocol for posit-connect-cloud publishing

Covers 12 tests: authorization, token persistence, website publishing,
content updates, account management, CI/CD mode, provider selection,
deprecation warnings, error cases, and token refresh.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Address review findings: add debug log for 401, fix test protocol docs

Add debug trace when getUser returns 401 during authorization so the
event is visible in verbose output. Fix manual testing protocol: remove
unreferenced REFRESH_TOKEN from cleanup, add refreshToken pre-condition
to Test 10.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Consume response body before 401 retry to prevent connection leak

In fetchWithRetry_, the original 401 response body was not consumed
before making the retry request after token refresh. Unconsumed
response bodies in Deno's fetch can leak TCP connections.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Guard against empty accountId before content creation

Validates accountId is non-empty before calling createContent(),
preventing a confusing API error if stored token data is corrupted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Trim accountId in guard to also reject whitespace-only values

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add publishDebug wrapper, help example, and --token guard

- Centralize the [publish][posit-connect-cloud] debug prefix into a
  publishDebug() helper (exported as positConnectCloudDebug) to avoid
  repeating the prefix across 30 debug calls in two files.
- Add quarto publish posit-connect-cloud example to help text.
- Reject --token early with a clear error directing users to the
  environment variable approach for CI/CD (Connect Cloud uses
  short-lived OAuth tokens, not permanent API keys).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Switch default environment from staging to production

The production client_id (quarto-cli) is now registered.
Staging/development environments remain available via
POSIT_CONNECT_CLOUD_ENVIRONMENT for testing.

* Remove outdated _README.md for manual test fixtures

README.md already covers the full testing protocol with correct
production-default instructions.

* Address review findings for posit-connect-cloud provider

Fix two bugs: guard writeAccessToken on non-empty accountId to prevent
ghost tokens from env pseudo-tokens (.1), and skip proactive refresh
when expiresAt is 0 to avoid redundant refreshes for env tokens (.2).

Unify account selection after polling to match rsconnect behavior —
after account creation polling succeeds, fall through to the same
selection logic used for pre-existing accounts (.6).

Additional improvements: add listAccounts pagination comment (.4),
extract buildUrl_ helper (.5), pass stored token explicitly in
resolveTarget (.7), move timeout check before sleep in pollForToken
(.8), extract kOAuthScope constant (.9).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Address review findings batch 2 for posit-connect-cloud provider

- Pass siteUrl to renderForPublish for site re-publishes so canonical
  URLs and external link filtering work correctly (.11)
- Remove dead findStoredToken fallback in clientForAccount, make
  storedToken parameter explicit (.12)
- Narrow catch in account polling loop to ApiError|TypeError, rethrow
  programming bugs instead of silently swallowing them (.14)
- Add comment explaining response body drain in publishContent (.15)
- Add external link to simple-website fixture for siteUrl testability
- Add siteUrl verification items to Test 4 in manual testing README

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Revert siteUrl pass-through for Connect Cloud rendering (.11)

During production testing, we discovered that Connect Cloud serves
content at a different domain than the dashboard URL stored in
_publish.yml:

- Dashboard URL: connect.posit.cloud/account/content/<id>
- Serving URL: <id>.share.connect.posit.cloud/

Passing the dashboard URL as siteUrl would override the correct
window.location.host fallback in linkExternalFilter, causing all
links to be misclassified as external. The same mismatch would
affect canonical URLs and Open Graph metadata.

This differs from gh-pages where the published URL and serving URL
are the same domain, making siteUrl pass-through correct there.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Address review findings batch 3 for posit-connect-cloud provider

Three hardening fixes:
- Trim POSIT_CONNECT_CLOUD_ACCOUNT_ID env var to prevent CI/CD
  copy-paste whitespace from causing silent match failure (.17)
- Enforce minimum 5-second device code poll interval per RFC 8628 §3.5
  to prevent tight loop if server returns interval=0 (.18)
- Catch transient errors (HTTP 500, network timeouts) during 30-minute
  revision polling with consecutive error threshold before aborting,
  since ~1,800 poll calls makes transient failures likely (.19)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add debug log for 404 in resolveTarget, clarify Test 9b expectations

During production testing, deleted content was silently handled by
resolveTarget returning undefined (correct behavior). Added debug
logging for the 404 case to match the existing deleted-state logging.
Updated README to document the actual flow: silent detection, no
prompt for stale target, falls through to new publish.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fail on ambiguous account selection in non-interactive mode

Other publish providers fail when --no-prompt is set and multiple
accounts exist, via the shared resolveAccount logic. Connect Cloud
bypasses that shared path for environment token account resolution,
so it needs its own guard: throw an error when multiple publishable
accounts exist without POSIT_CONNECT_CLOUD_ACCOUNT_ID in
non-interactive mode, instead of silently picking the first.

Also add Test 6b to the manual testing protocol covering this case.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update publishing architecture doc for posit-connect-cloud provider

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* reduce copyright years on new files

* Extract buildHeaders helper to deduplicate auth headers in fetchWithRetry

* Add a note on where the handled error code comes from

* Use a `postFormUrlEncoded` to make clear this is the same call

* Use error helpers everywhere they should be used

* Add a note about  revision logic

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: cderv

llm-docs/publishing-architecture.md

@@ -0,0 +1,243 @@
+---
+main_commit: 76b946025
+analyzed_date: 2026-02-16
+key_files:
+  - src/publish/provider-types.ts
+  - src/publish/provider.ts
+  - src/publish/publish.ts
+  - src/publish/config.ts
+  - src/publish/common/publish.ts
+  - src/publish/common/bundle.ts
+  - src/publish/common/account.ts
+  - src/publish/types.ts
+  - src/command/publish/cmd.ts
+  - src/publish/posit-connect-cloud/posit-connect-cloud.ts
+  - src/publish/posit-connect-cloud/api/index.ts
+  - src/publish/posit-connect-cloud/api/types.ts
+---
+
+# Quarto Publishing Architecture
+
+How `quarto publish` works internally. Covers the provider interface, publish patterns, account management, and the end-to-end publish flow.
+
+## Provider Interface
+
+File: `src/publish/provider-types.ts`
+
+Every publish target implements `PublishProvider`:
+
+```typescript
+export interface PublishProvider {
+  name: string;              // e.g. "netlify", "rsconnect", "quarto-pub"
+  description: string;       // Human-readable name
+  requiresServer: boolean;   // true if user provides server URL (e.g. rsconnect)
+  hidden?: boolean;          // Hide from provider selection
+  listOriginOnly?: boolean;  // Only list in origin project
+
+  accountTokens(): Promise<AccountToken[]>;
+  removeToken(token: AccountToken): void;
+  authorizeToken(options: PublishOptions, target?: PublishRecord): Promise<AccountToken | undefined>;
+  resolveTarget(account: AccountToken, target: PublishRecord): Promise<PublishRecord | undefined>;
+  publish(
+    account: AccountToken, type: "document" | "site", input: string,
+    title: string, slug: string,
+    render: (flags?: RenderFlags) => Promise<PublishFiles>,
+    options: PublishOptions, target?: PublishRecord
+  ): Promise<[PublishRecord | undefined, URL | undefined]>;
+  isUnauthorized(error: Error): boolean;
+  isNotFound(error: Error): boolean;
+}
+```
+
+Key types:
+
+- `AccountToken` — stored credential with `name`, `server?`, `token` (generic string or structured object)
+- `AccountTokenType` — `"authorized"` (user-stored) or `"environment"` (env var)
+- `PublishRecord` — entry in `_publish.yml` with `id`, `url`, `code?`
+- `PublishFiles` — `{ baseDir: string, rootFile: string, files: string[], metafiles?: string[] }`
+
+## Provider Registration
+
+File: `src/publish/provider.ts`
+
+Providers are imported and added to `kPublishProviders`:
+
+```typescript
+const kPublishProviders = [
+  quartoPubProvider,
+  ghpagesProvider,
+  rsconnectProvider,
+  netlifyProvider,
+  positConnectCloudProvider,
+  confluenceProvider,
+  huggingfaceProvider,
+];
+```
+
+Discovery functions: `publishProviders()`, `findProvider(name)`.
+
+There is also a deprecation warning for the old `posit-cloud` provider (removed in `142a8791f`) that now suggests using `posit-connect-cloud` as an alternative.
+
+## Two Publish Patterns
+
+### Pattern A: File-by-file upload
+
+Used by: `quarto-pub`, `netlify`
+
+File: `src/publish/common/publish.ts`
+
+Uses `handlePublish()` which:
+1. SHA-1 hashes each file in the rendered output
+2. Creates a deploy with a file manifest (listing all files + checksums)
+3. Server responds with which files it needs (doesn't already have)
+4. Uploads only changed files individually
+5. Activates the deploy
+
+Providers using this pattern implement `PublishHandler`:
+
+```typescript
+export interface PublishHandler {
+  name: string;
+  createSite(type, title, slug, account): Promise<[string, string]>;
+  createDeploy(siteId, account, files): Promise<PublishDeploy>;
+  getDeploy(deployId, account): Promise<PublishDeploy>;
+  uploadDeployFile(deployId, path, fileBody, account): Promise<void>;
+}
+```
+
+### Pattern B: Bundle upload
+
+Used by: `rsconnect` (Posit Connect), `posit-connect-cloud` (Posit Connect Cloud)
+
+File: `src/publish/common/bundle.ts`
+
+Uses `createBundle()` which:
+1. Creates a `manifest.json` with file checksums, `appmode`, `content_category`, etc.
+2. Packages all files + manifest into a `.tar.gz` archive
+3. Returns `{ bundlePath: string, manifest: object }`
+
+The provider then uploads the entire bundle as a single blob and triggers deployment. Each provider using this pattern has its own publish logic (not via `handlePublish()`).
+
+`createBundle()` signature:
+```typescript
+function createBundle(
+  type: "document" | "site",
+  files: PublishFiles,
+  tempContext: TempContext
+): Promise<{ bundlePath: string; manifest: Record<string, unknown> }>
+```
+
+## End-to-End Publish Flow
+
+### 1. CLI Entry
+
+File: `src/command/publish/cmd.ts`
+
+`quarto publish [provider] [path]` invokes `publishAction()`.
+
+### 2. Resolve Deployment Target
+
+File: `src/publish/config.ts`
+
+Reads `_publish.yml` to find existing publish targets. Format:
+
+```yaml
+- source: document.qmd
+  provider-name:
+    - id: site-or-content-id
+      url: https://published-url.example.com
+```
+
+### 3. Select Provider
+
+If not specified on CLI, user is prompted to choose from available providers.
+
+### 4. Resolve Account
+
+File: `src/publish/common/account.ts`
+
+Account resolution order:
+1. Environment variable tokens (via provider's `accountTokens()`)
+2. Stored tokens in `~/.quarto/publish/accounts/{provider}/accounts.json`
+3. Interactive authorization (via provider's `authorizeToken()`)
+
+Token storage functions:
+- `readAccessTokens<T>(provider)` — reads stored tokens
+- `writeAccessToken<T>(provider, token, compareFn)` — writes/updates token
+- `readAccessTokenFile(provider)` — raw file path
+
+### 5. Publish
+
+File: `src/publish/publish.ts`
+
+`publishSite()` or `publishDocument()` coordinates:
+1. Calls provider's `publish()`, passing a `render` callback
+2. Provider calls `renderForPublish()` (or `render()` directly for sites)
+3. Provider uploads and deploys
+4. Returns `[PublishRecord, URL]`
+
+**Important:** Providers publishing documents should call `renderForPublish()` instead of `render()` directly. `renderForPublish()` wraps `render()` and stages the output: for HTML documents it copies `document.html` → `index.html`, for PDFs it creates a pdf.js viewer wrapper as `index.html`. Without this staging, the primary file name won't match `index.html` and bundle-based providers will fail.
+
+### 6. Update `_publish.yml`
+
+File: `src/publish/config.ts`
+
+The returned `PublishRecord` is written back to `_publish.yml` for future republishing.
+
+## Account / Token Management
+
+File: `src/publish/common/account.ts`
+
+### Storage
+
+Tokens stored at: `~/.quarto/publish/accounts/{provider}/accounts.json`
+
+Format: JSON array of `AccountToken` objects. The `token` field is provider-specific (can be a string or structured object).
+
+### Authorization Patterns
+
+**Ticket-based auth** (quarto-pub): `authorizeAccessToken()` in `src/publish/common/account.ts`
+- Opens browser to auth URL
+- Polls a ticket endpoint until user completes auth
+- Exchanges ticket for access token
+
+**API key auth** (rsconnect): User provides API key directly or via env var.
+
+**OAuth Device Code** (posit-connect-cloud): Uses RFC 8628 Device Code flow. See `src/publish/posit-connect-cloud/api/index.ts` for implementation.
+
+### Environment Variables
+
+Each provider can check for env vars in `accountTokens()`. Convention:
+- `QUARTO_PUB_AUTH_TOKEN`
+- `CONNECT_SERVER` + `CONNECT_API_KEY` (rsconnect)
+- `NETLIFY_AUTH_TOKEN`
+- `POSIT_CONNECT_CLOUD_ACCESS_TOKEN` + `POSIT_CONNECT_CLOUD_REFRESH_TOKEN` + `POSIT_CONNECT_CLOUD_ACCOUNT_ID` (posit-connect-cloud)
+
+## Existing Providers Summary
+
+| Provider | Pattern | Auth | `requiresServer` |
+|----------|---------|------|-------------------|
+| `quarto-pub` | A (file-by-file) | Ticket-based OAuth | false |
+| `netlify` | A (file-by-file) | API key / env var | false |
+| `rsconnect` | B (bundle) | API key (`Key <key>`) | true |
+| `ghpages` | Custom (git push) | Git credentials | false |
+| `confluence` | Custom | API token | true |
+| `posit-connect-cloud` | B (bundle) | OAuth Device Code (RFC 8628) | false |
+| `huggingface` | Custom | HF token | false |
+
+## Reusable Utilities
+
+| Utility | File | Purpose |
+|---------|------|---------|
+| `createBundle()` | `src/publish/common/bundle.ts` | tar.gz bundle with manifest.json |
+| `readAccessTokens<T>()` | `src/publish/common/account.ts` | Read stored tokens |
+| `writeAccessToken<T>()` | `src/publish/common/account.ts` | Write/update token |
+| `authorizeAccessToken()` | `src/publish/common/account.ts` | Ticket-based auth flow |
+| `renderForPublish()` | `src/publish/common/publish.ts` | Render + stage documents (HTML→index.html, PDF→pdf.js wrapper) |
+| `handlePublish()` | `src/publish/common/publish.ts` | File-by-file upload orchestration |
+| `withSpinner()` | `src/core/console.ts` | Progress spinner display |
+| `completeMessage()` | `src/core/console.ts` | Success/failure messages |
+| `createTempContext()` | `src/core/temp.ts` | Temp file management |
+| `openUrl()` | `src/core/shell.ts` | Open URL in browser |
+| `isServerSession()` | `src/core/platform.ts` | Detect headless/CI environment |
+| `ApiError` | `src/publish/types.ts` | HTTP error type with status code |

news/changelog-1.9.md

@@ -119,6 +119,10 @@ All changes included in 1.9:
 
 ## Publishing
 
+### Posit Connect Cloud
+
+- ([#14027](https://github.com/quarto-dev/quarto-cli/issues/14027)): Add `quarto publish posit-connect-cloud` for publishing static content to Posit Connect Cloud.
+
 ### Confluence
 
 - ([#13414](https://github.com/quarto-dev/quarto-cli/issues/13414)): Be more forgiving when Confluence server returns malformed JSON response. (author: @m1no)

src/command/publish/cmd.ts

@@ -1,7 +1,7 @@
 /*
  * cmd.ts
  *
- * Copyright (C) 2020-2022 Posit Software, PBC
+ * Copyright (C) 2020-2026 Posit Software, PBC
  */
 
 import { existsSync } from "../../deno_ral/fs.ts";
@@ -50,6 +50,7 @@ export const publishCommand =
         " - Quarto Pub (quarto-pub)\n" +
         " - GitHub Pages (gh-pages)\n" +
         " - Posit Connect (connect)\n" +
+        " - Posit Connect Cloud (posit-connect-cloud)\n" +
         " - Netlify (netlify)\n" +
         " - Confluence (confluence)\n" +
         " - Hugging Face Spaces (huggingface)\n\n" +
@@ -113,6 +114,10 @@ export const publishCommand =
       "Publish with explicit credentials",
       "quarto publish connect --server example.com --token 01A24233E294",
     )
+    .example(
+      "Publish project to Posit Connect Cloud",
+      "quarto publish posit-connect-cloud",
+    )
     .example(
       "Publish without confirmation prompt",
       "quarto publish --no-prompt",