feat: implement private database support and web authentication for new CloudKit APIs

- Add private database support to integration tests with AdaptiveTokenManager
- Implement web authentication server with CloudKit.js integration
- Add web auth token options to CLI commands (--web-auth-token)
- Support CLOUDKIT_WEBAUTH_TOKEN environment variable
- Update integration test runner to handle both public/private databases
- Add comprehensive CloudKit.js authentication flow with multiple token extraction methods
- Create browser-based authentication interface with proper error handling
- Document testing status and next steps in TESTING_STATUS.md

New CLI options:
- test-integration --database [public|private] --web-auth-token TOKEN
- All commands now support web authentication for private database access

Authentication flow:
1. swift run mistdemo auth (starts web server)
2. Browser-based Apple ID sign-in with CloudKit.js
3. Automatic web auth token extraction and display
4. Use token with integration tests and individual operations

Ready to test lookupZones, fetchRecordChanges, and uploadAssets APIs
once web authentication token extraction is working correctly.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: leogdion

Examples/MistDemo/Sources/MistDemo/Commands/TestIntegration.swift

@@ -47,6 +47,12 @@ struct TestIntegration: AsyncParsableCommand, CloudKitCommand {
     @Option(name: .long, help: "Environment (development or production)")
     var environment: String = "development"
 
+    @Option(name: .long, help: "Database to use (public or private)")
+    var database: String = "private"
+
+    @Option(name: .long, help: "Web auth token for private database access")
+    var webAuthToken: String = ""
+
     @Option(name: .long, help: "Number of test records to create (default: 10)")
     var recordCount: Int = 10
 
@@ -69,10 +75,27 @@ struct TestIntegration: AsyncParsableCommand, CloudKitCommand {
             return
         }
 
+        // Resolve web auth token from option or environment variable
+        let resolvedWebAuthToken = webAuthToken.isEmpty ?
+            ProcessInfo.processInfo.environment["CLOUDKIT_WEBAUTH_TOKEN"] ?? "" :
+            webAuthToken
+
+        // Check if web auth token is required for private database
+        if database == "private" && resolvedWebAuthToken.isEmpty {
+            print("❌ Error: Web auth token is required for private database access")
+            print("   Provide it via --web-auth-token or set CLOUDKIT_WEBAUTH_TOKEN environment variable")
+            print("   Use the 'auth' command to authenticate and get a web auth token")
+            return
+        }
+
+        let cloudKitDatabase: MistKit.Database = database == "public" ? .public : .private
+
         let runner = IntegrationTestRunner(
             containerIdentifier: containerIdentifier,
             apiToken: resolvedToken,
+            webAuthToken: resolvedWebAuthToken,
             environment: cloudKitEnvironment(),
+            database: cloudKitDatabase,
             recordCount: recordCount,
             assetSizeKB: assetSize,
             skipCleanup: skipCleanup,

Examples/MistDemo/Sources/MistDemo/Integration/IntegrationTestRunner.swift

@@ -34,7 +34,9 @@ import MistKit
 struct IntegrationTestRunner {
     let containerIdentifier: String
     let apiToken: String
+    let webAuthToken: String
     let environment: MistKit.Environment
+    let database: MistKit.Database
     let recordCount: Int
     let assetSizeKB: Int
     let skipCleanup: Bool
@@ -47,18 +49,37 @@ struct IntegrationTestRunner {
         print(String(repeating: "=", count: 80))
         print("Container: \(containerIdentifier)")
         print("Environment: \(environment == .production ? "production" : "development")")
-        print("Database: public")
+        print("Database: \(database == .public ? "public" : "private")")
         print("Record Count: \(recordCount)")
         print("Asset Size: \(assetSizeKB) KB")
+        print("Web Auth: \(webAuthToken.isEmpty ? "No" : "Yes")")
         print(String(repeating: "=", count: 80))
 
         // Initialize service
-        let tokenManager = APITokenManager(apiToken: apiToken)
+        let tokenManager: any TokenManager
+        if database == .private && !webAuthToken.isEmpty {
+            // Use AdaptiveTokenManager for private database with web auth
+            let storage = InMemoryTokenStorage()
+            // Pre-populate storage with web auth credentials
+            let credentials = TokenCredentials(
+                method: .webAuthToken(apiToken: apiToken, webToken: webAuthToken)
+            )
+            try await storage.store(credentials)
+            
+            tokenManager = AdaptiveTokenManager(
+                apiToken: apiToken,
+                storage: storage
+            )
+        } else {
+            // Use APITokenManager for public database
+            tokenManager = APITokenManager(apiToken: apiToken)
+        }
+        
         let service = try CloudKitService(
             containerIdentifier: containerIdentifier,
             tokenManager: tokenManager,
             environment: environment,
-            database: .public
+            database: database
         )
 
         var createdRecordNames: [String] = []

Examples/MistDemo/TESTING_STATUS.md

@@ -0,0 +1,107 @@
+# MistKit Branch 199 Testing Status
+
+## Current State
+
+We're on branch `199-cloudkit-api-coverage` testing three new CloudKit operations:
+- `lookupZones` - Look up specific zones by ID
+- `fetchRecordChanges` - Get record changes with sync tokens  
+- `uploadAssets` - Upload binary assets to CloudKit
+
+## What's Been Completed ✅
+
+### 1. Code Implementation
+- ✅ All three new API operations are implemented in MistKit
+- ✅ Integration test suite created in `Examples/MistDemo`
+- ✅ CLI commands created: `lookup-zones`, `fetch-changes`, `upload-asset`, `test-integration`
+- ✅ Modified integration tests to use private database with web authentication
+- ✅ Built successfully without compilation errors
+
+### 2. Authentication Infrastructure 
+- ✅ Updated integration tests to support both API token + web auth token
+- ✅ Created `AdaptiveTokenManager` setup for private database access
+- ✅ Added environment variable support for `CLOUDKIT_WEBAUTH_TOKEN`
+- ✅ Implemented web authentication server in `auth` command
+
+## Current Blocker ❌
+
+### Web Authentication Not Working
+The CloudKit.js web authentication flow is failing to extract web auth tokens:
+
+**Error**: `container.requestApplicationPermission is not a function`
+
+**Attempted Fixes**:
+- ✅ Updated to use `setUpAuth()` and `signInWithAppleID()` instead
+- ✅ Added multiple token extraction methods
+- ✅ Enhanced debugging and error handling
+- ❌ **Still not successfully capturing web auth tokens**
+
+## CloudKit Authentication Requirements
+
+| Database | Operation | Auth Method Required |
+|----------|-----------|---------------------|
+| Public | Read | API Token OR Server-to-Server |
+| Public | Write | API Token + Web Auth Token OR Server-to-Server |
+| Private | Any | API Token + Web Auth Token (user must sign in) |
+
+## Next Steps to Consider
+
+### Option A: Fix Web Authentication (Recommended)
+1. **Research CloudKit.js v2 API** - The current implementation may be using outdated methods
+2. **Check Apple's latest CloudKit Web Services docs** for correct authentication flow
+3. **Test with minimal CloudKit.js example** outside of our app
+4. **Consider using CloudKit Dashboard's token generator** as alternative
+
+### Option B: Use Server-to-Server Authentication  
+1. **Generate server-to-server certificate** for the container
+2. **Upload public key to CloudKit Dashboard**
+3. **Test with public database only** (server-to-server can't access private)
+4. **Modify integration tests** to use server-to-server keys
+
+### Option C: Manual Token Extraction
+1. **Use browser developer tools** to manually extract web auth token
+2. **Inspect CloudKit Dashboard network requests** for token format
+3. **Use captured token directly** in CLI commands for testing
+
+## Test Commands Ready to Use
+
+Once we have a working web auth token:
+
+```bash
+# Test integration suite
+swift run mistdemo test-integration \
+  --api-token dbc855f4034e6f4ff0c71bd4b59f251f0f21b4aff213a446f8c76ee70b670193 \
+  --web-auth-token YOUR_TOKEN \
+  --database private
+
+# Test individual operations
+swift run mistdemo lookup-zones --web-auth-token YOUR_TOKEN
+swift run mistdemo fetch-changes --web-auth-token YOUR_TOKEN  
+swift run mistdemo upload-asset file.jpg --web-auth-token YOUR_TOKEN
+```
+
+## Files Modified
+
+### Core Implementation
+- `Sources/MistKit/Service/CloudKitService+Operations.swift` - New API operations
+- `Sources/MistKit/Service/CloudKitService+WriteOperations.swift` - Asset upload
+
+### Test Infrastructure  
+- `Examples/MistDemo/Sources/MistDemo/Commands/TestIntegration.swift` - Updated for private DB
+- `Examples/MistDemo/Sources/MistDemo/Integration/IntegrationTestRunner.swift` - Web auth support
+- `Examples/MistDemo/Sources/MistDemo/MistDemo.swift` - Web authentication server
+
+### New Commands
+- `Examples/MistDemo/Sources/MistDemo/Commands/LookupZones.swift`
+- `Examples/MistDemo/Sources/MistDemo/Commands/FetchChanges.swift`
+- `Examples/MistDemo/Sources/MistDemo/Commands/UploadAsset.swift`
+
+## Container Configuration
+
+- **Container ID**: `iCloud.com.brightdigit.MistDemo`
+- **API Token**: `dbc855f4034e6f4ff0c71bd4b59f251f0f21b4aff213a446f8c76ee70b670193`
+- **Environment**: `development`
+- **Schema**: `schema.ckdb` (needs to be deployed)
+
+## Priority
+
+**HIGH**: Get web authentication working to test the new APIs with private database access, which is the most realistic use case for these operations.