smartcontractkit · ejacquier · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -0,0 +1,65 @@
+package access
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/rs/zerolog"
+	"github.com/spf13/cobra"
+
+	"github.com/smartcontractkit/cre-cli/internal/accessrequest"
+	"github.com/smartcontractkit/cre-cli/internal/credentials"
+	"github.com/smartcontractkit/cre-cli/internal/runtime"
+	"github.com/smartcontractkit/cre-cli/internal/ui"
+)
+
+func New(runtimeCtx *runtime.Context) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "access",
+		Short: "Check or request deployment access",
+		Long:  "Check your deployment access status or request access to deploy workflows.",
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			h := NewHandler(runtimeCtx)
+			return h.Execute(cmd.Context())
+		},
+	}
+
+	return cmd
+}
+
+type Handler struct {
+	log         *zerolog.Logger
+	credentials *credentials.Credentials
+	requester   *accessrequest.Requester
+}
+
+func NewHandler(ctx *runtime.Context) *Handler {
+	return &Handler{
+		log:         ctx.Logger,
+		credentials: ctx.Credentials,
+		requester:   accessrequest.NewRequester(ctx.Credentials, ctx.EnvironmentSet, ctx.Logger),
+	}
+}
+
+func (h *Handler) Execute(ctx context.Context) error {
+	deployAccess, err := h.credentials.GetDeploymentAccessStatus()
+	if err != nil {
+		return fmt.Errorf("failed to check deployment access: %w", err)
+	}
+
+	if deployAccess.HasAccess {
+		ui.Line()
+		ui.Success("You have deployment access enabled for your organization.")
+		ui.Line()
+		ui.Print("You're all set to deploy workflows. Get started with:")
+		ui.Line()
+		ui.Command("  cre workflow deploy")
+		ui.Line()
+		ui.Dim("For more information, run 'cre workflow deploy --help'")
+		ui.Line()
+		return nil
+	}
+
+	return h.requester.PromptAndSubmitRequest(ctx)
+}
@@ -0,0 +1,85 @@
+package access_test
+
+import (
+	"context"
+	"io"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/rs/zerolog"
+
+	"github.com/smartcontractkit/cre-cli/cmd/account/access"
+	"github.com/smartcontractkit/cre-cli/internal/credentials"
+	"github.com/smartcontractkit/cre-cli/internal/environments"
+	"github.com/smartcontractkit/cre-cli/internal/runtime"
+)
+
+func TestHandlerExecute_HasAccess(t *testing.T) {
+	// API key auth type always returns HasAccess: true
+	creds := &credentials.Credentials{
+		AuthType: "api-key",
+		APIKey:   "test-key",
+	}
+	logger := zerolog.New(io.Discard)
+	envSet := &environments.EnvironmentSet{}
+
+	rtCtx := &runtime.Context{
+		Credentials:    creds,
+		Logger:         &logger,
+		EnvironmentSet: envSet,
+	}
+
+	// Capture stdout
+	oldStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	h := access.NewHandler(rtCtx)
+	err := h.Execute(context.Background())
+
+	w.Close()
+	os.Stdout = oldStdout
+	var output strings.Builder
+	_, _ = io.Copy(&output, r)
+
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	out := output.String()
+	expectedSnippets := []string{
+		"deployment access enabled",
+		"cre workflow deploy",
+	}
+	for _, snippet := range expectedSnippets {
+		if !strings.Contains(out, snippet) {
+			t.Errorf("output missing %q; full output:\n%s", snippet, out)
+		}
+	}
+}
+
+func TestHandlerExecute_NoTokens(t *testing.T) {
+	// Bearer auth with no tokens should return an error from GetDeploymentAccessStatus
+	creds := &credentials.Credentials{
+		AuthType: "bearer",
+	}
+	logger := zerolog.New(io.Discard)
+	envSet := &environments.EnvironmentSet{}
+
+	rtCtx := &runtime.Context{
+		Credentials:    creds,
+		Logger:         &logger,
+		EnvironmentSet: envSet,
+	}
+
+	h := access.NewHandler(rtCtx)
+	err := h.Execute(context.Background())
+
+	if err == nil {
+		t.Fatal("expected error for missing tokens, got nil")
+	}
+	if !strings.Contains(err.Error(), "failed to check deployment access") {
+		t.Errorf("expected 'failed to check deployment access' error, got: %v", err)
+	}
+}
@@ -3,6 +3,7 @@ package account
 import (
 	"github.com/spf13/cobra"
 
+	"github.com/smartcontractkit/cre-cli/cmd/account/access"
 	"github.com/smartcontractkit/cre-cli/cmd/account/link_key"
 	"github.com/smartcontractkit/cre-cli/cmd/account/list_key"
 	"github.com/smartcontractkit/cre-cli/cmd/account/unlink_key"
@@ -12,10 +13,11 @@ import (
 func New(runtimeContext *runtime.Context) *cobra.Command {
 	accountCmd := &cobra.Command{
 		Use:   "account",
-		Short: "Manages account",
-		Long:  "Manage your linked public key addresses for workflow operations.",
+		Short: "Manage account and request deploy access",
+		Long:  "Manage your linked public key addresses for workflow operations and request deployment access.",
 	}
 
+	accountCmd.AddCommand(access.New(runtimeContext))
 	accountCmd.AddCommand(link_key.New(runtimeContext))
 	accountCmd.AddCommand(unlink_key.New(runtimeContext))
 	accountCmd.AddCommand(list_key.New(runtimeContext))

@@ -26,6 +26,7 @@ import (
 	"github.com/smartcontractkit/cre-cli/cmd/workflow"
 	"github.com/smartcontractkit/cre-cli/internal/constants"
 	"github.com/smartcontractkit/cre-cli/internal/context"
+	"github.com/smartcontractkit/cre-cli/internal/credentials"
 	"github.com/smartcontractkit/cre-cli/internal/logger"
 	"github.com/smartcontractkit/cre-cli/internal/runtime"
 	"github.com/smartcontractkit/cre-cli/internal/settings"
@@ -187,7 +188,7 @@ func newRootCommand() *cobra.Command {
 
 				// Check if organization is ungated for commands that require it
 				cmdPath := cmd.CommandPath()
-				if cmdPath == "cre account link-key" || cmdPath == "cre workflow deploy" {
+				if cmdPath == "cre account link-key" {
 					if err := runtimeContext.Credentials.CheckIsUngatedOrganization(); err != nil {
 						if showSpinner {
 							spinner.Stop()
@@ -274,6 +275,21 @@ func newRootCommand() *cobra.Command {
 	cobra.AddTemplateFunc("styleURL", func(s string) string {
 		return ui.URLStyle.Render(s) // Chainlink Blue, underlined
 	})
+	cobra.AddTemplateFunc("needsDeployAccess", func() bool {
+		creds := runtimeContext.Credentials
+		if creds == nil {
+			var err error
+			creds, err = credentials.New(rootLogger)
+			if err != nil {
+				return false
+			}
+		}
+		deployAccess, err := creds.GetDeploymentAccessStatus()
+		if err != nil {
+			return false
+		}
+		return !deployAccess.HasAccess
+	})
 
 	rootCmd.SetHelpTemplate(helpTemplate)
 
@@ -362,6 +378,7 @@ func isLoadSettings(cmd *cobra.Command) bool {
 		"cre login":                 {},
 		"cre logout":                {},
 		"cre whoami":                {},
+		"cre account access":        {},
 		"cre account list-key":      {},
 		"cre init":                  {},
 		"cre generate-bindings":     {},

@@ -91,6 +91,12 @@
     to login into your cre account, then:
   {{styleCode "$ cre init"}}
     to create your first cre project.
+{{- if needsDeployAccess}}
+
+🔑 Ready to deploy? Run:
+  $ cre account access
+    to request deployment access.
+{{- end}}
 
 {{styleSection "Need more help?"}}
   Visit {{styleURL "https://docs.chain.link/cre"}}

@@ -88,6 +88,12 @@ func (h *Handler) Execute(ctx context.Context) error {
 		return fmt.Errorf("graphql request failed: %w", err)
 	}
 
+	// Get deployment access status
+	deployAccess, err := h.credentials.GetDeploymentAccessStatus()
+	if err != nil {
+		h.log.Debug().Err(err).Msg("failed to get deployment access status")
+	}
+
 	ui.Line()
 	ui.Title("Account Details")
 
@@ -101,6 +107,15 @@ func (h *Handler) Execute(ctx context.Context) error {
 			details)
 	}
 
+	// Add deployment access status
+	if deployAccess != nil {
+		if deployAccess.HasAccess {
+			details = fmt.Sprintf("%s\nDeploy Access:     Enabled", details)
+		} else {
+			details = fmt.Sprintf("%s\nDeploy Access:     Not enabled", details)
+		}
+	}
+
 	ui.Box(details)
 	ui.Line()
 

@@ -1,6 +1,7 @@
 package deploy
 
 import (
+	"context"
 	"encoding/base64"
 	"errors"
 	"io"
@@ -212,7 +213,7 @@ func TestCompileCmd(t *testing.T) {
 					err := handler.ValidateInputs()
 					require.NoError(t, err)
 
-					err = handler.Execute()
+					err = handler.Execute(context.Background())
 
 					w.Close()
 					os.Stdout = oldStdout

@@ -1,6 +1,7 @@
 package deploy
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -13,6 +14,7 @@ import (
 	"github.com/spf13/viper"
 
 	"github.com/smartcontractkit/cre-cli/cmd/client"
+	"github.com/smartcontractkit/cre-cli/internal/accessrequest"
 	"github.com/smartcontractkit/cre-cli/internal/constants"
 	"github.com/smartcontractkit/cre-cli/internal/credentials"
 	"github.com/smartcontractkit/cre-cli/internal/environments"
@@ -62,6 +64,7 @@ type handler struct {
 	workflowArtifact *workflowArtifact
 	wrc              *client.WorkflowRegistryV2Client
 	runtimeContext   *runtime.Context
+	accessRequester  *accessrequest.Requester
 
 	validated bool
 
@@ -94,7 +97,7 @@ func New(runtimeContext *runtime.Context) *cobra.Command {
 			if err := h.ValidateInputs(); err != nil {
 				return err
 			}
-			return h.Execute()
+			return h.Execute(cmd.Context())
 		},
 	}
 
@@ -118,10 +121,16 @@ func newHandler(ctx *runtime.Context, stdin io.Reader) *handler {
 		workflowArtifact: &workflowArtifact{},
 		wrc:              nil,
 		runtimeContext:   ctx,
+		accessRequester:  accessrequest.NewRequester(ctx.Credentials, ctx.EnvironmentSet, ctx.Logger),
 		validated:        false,
 		wg:               sync.WaitGroup{},
 		wrcErr:           nil,
 	}
+
+	return &h
+}
+
+func (h *handler) initWorkflowRegistryClient() {
 	h.wg.Add(1)
 	go func() {
 		defer h.wg.Done()
@@ -132,8 +141,6 @@ func newHandler(ctx *runtime.Context, stdin io.Reader) *handler {
 		}
 		h.wrc = wrc
 	}()
-
-	return &h
 }
 
 func (h *handler) ResolveInputs(v *viper.Viper) (Inputs, error) {
@@ -177,7 +184,18 @@ func (h *handler) ValidateInputs() error {
 	return nil
 }
 
-func (h *handler) Execute() error {
+func (h *handler) Execute(ctx context.Context) error {
+	deployAccess, err := h.credentials.GetDeploymentAccessStatus()
+	if err != nil {
+		return fmt.Errorf("failed to check deployment access: %w", err)
+	}
+
+	if !deployAccess.HasAccess {
+		return h.accessRequester.PromptAndSubmitRequest(ctx)
+	}
+
+	h.initWorkflowRegistryClient()
+
 	h.displayWorkflowDetails()
 
 	if err := h.Compile(); err != nil {