CLI: Update SDK to 5e56fc5d99a6a64596f09f85c1530fa51f9d7a7a and add new commands/flags

[kernel-internal]

This PR updates the Go SDK to 5e56fc5d99a6a64596f09f85c1530fa51f9d7a7a and adds CLI commands/flags for new SDK methods.

SDK Update

• Updated kernel-go-sdk to 5e56fc5d99a6a64596f09f85c1530fa51f9d7a7a

Coverage Analysis

This PR was generated by performing a full enumeration of SDK methods and CLI commands.

New Commands

• kernel deploy get for client.Deployments.Get()
• kernel invoke get, kernel invoke update, and kernel invoke delete-browsers for the corresponding invocation SDK methods
• kernel auth connections update for client.AuthConnections.Update()

New Flags

• --region for kernel deploy and kernel deploy github
• --app-version for kernel deploy history
• --since for async kernel invoke, plus --action, --deployment-id, --offset, --since, and --status for kernel invoke history
• --query for kernel app list
• --invocation-id for kernel browsers create and --include-deleted for kernel browsers get
• --name for kernel credential-providers create and kernel credential-providers update
• --sign-in-option-id and --sso-provider for kernel auth connections submit, plus the new update flags for kernel auth connections update

Triggered by: kernel/kernel-go-sdk@5e56fc5
Reviewer: @masnwilliams

Made with Cursor

---

Note

Medium Risk
Moderate risk: expands CLI surface area and request parameter mapping across deployments/invocations/auth connections, which could break workflows if flags or validation are incorrect, but changes are mostly additive and covered by new unit tests.

Overview
Updates kernel-go-sdk to a newer commit and wires newly-available API methods into the CLI.

Adds new CLI capabilities: kernel deploy get, kernel invoke get|update|delete-browsers, and kernel auth connections update, plus richer filtering/options across existing commands (e.g., app list --query, deploy --region + deploy history --app-version, invoke --since and invoke history --action/--deployment-id/--offset/--since/--status).

Extends browser and credential-provider flows with new flags (browsers create --invocation-id, browsers get --include-deleted, and required/provider --name support), tightens/clarifies auth submit modes (now exactly one of field/MFA/sign-in/SSO selector/provider), and improves “Next:” pagination hints by quoting values and using consistent pterm output; includes accompanying tests for new param mappings.

^{Written by Cursor Bugbot for commit 7bc97e1. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Flag --output overloaded with conflicting semantics

Medium Severity

The --output flag on invocationUpdateCmd is defined to mean "Updated invocation output rendered as a JSON string" (the invocation's result payload), but every other command in the CLI uses --output / -o for display format (e.g., json for raw API response). In runInvocationUpdate, the output variable is used exclusively as the invocation payload — the function always calls printInvocationDetails() and never supports JSON display format. A user passing --output json (as they would with kernel invoke get, kernel invoke history, etc.) gets a confusing "invalid JSON for --output" error instead of JSON-formatted display output.

Additional Locations (1)

• cmd/invoke.go#L638-L682